Individuals Accredited by the Department of Veterans Affairs Using Veterans Benefits Administration Information Technology Systems To Access VBA Records Relevant to a Claim While Representing a Claimant Before the Agency
| Citation | 85 FR 9435 |
| Published date | 19 February 2020 |
| Record Number | 2020-03196 |
| Court | Veterans Affairs Department |
Federal Register, Volume 85 Issue 33 (Wednesday, February 19, 2020)
[Federal Register Volume 85, Number 33 (Wednesday, February 19, 2020)]
[Proposed Rules]
[Pages 9435-9441]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-03196]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF VETERANS AFFAIRS
38 CFR Parts 1 and 14
RIN 2900-Q81
Individuals Accredited by the Department of Veterans Affairs
Using Veterans Benefits Administration Information Technology Systems
To Access VBA Records Relevant to a Claim While Representing a Claimant
Before the Agency
AGENCY: Department of Veterans Affairs.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Veterans Affairs (VA) proposes to amend its
regulations addressing when VA will allow individuals and organizations
who are assisting claimants in the preparation, presentation, and
prosecution of their claims before VA to use Veterans Benefits
Administration's (VBA) information technology (IT) systems to access VA
records relevant to a claim. This rulemaking addresses who is
permitted, and under what circumstances, to directly access VA's claim
records through those IT systems during representation of a VA claimant
in a claim for VA benefits, but is not intended to address the larger
issues involving who may access VA records more generally.
Further, the proposed amendments would outline appropriate behavior
while using VBA's IT systems to access VA records and the consequences
of mishandling such access for attorneys, agents, or representatives of
a VA-recognized service organization.
DATES: VA must receive comments on or before April 20, 2020.
ADDRESSES: Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to: Director, Office of
Regulation Policy and Management (00REG), Department of Veterans
Affairs, 810 Vermont Ave. NW, Room 1064, Washington, DC 20420; or by
fax to (202) 273-9026. (This is not a toll-free telephone number.)
Comments should indicate that they are submitted in response to ``RIN
2900-AQ81--Individuals Accredited by the Department of Veterans Affairs
Using Veterans Benefits Administration Information Technology Systems
to Access VBA Records Relevant to a Claim While Representing a Claimant
Before the Agency.''
All comments received will be available for public inspection in
the Office of Regulation Policy and Management, Room 1064, between the
hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except
holidays). Please call (202) 461-4902 for an appointment. (This is not
a toll-free telephone number.) In addition, comments may be viewed
online through the Federal Docket Management System (FDMS) at http://www.Regulations.gov.
FOR FURTHER INFORMATION CONTACT: Glen Wallick, Senior Management and
Program Analyst, Appeals Management Office, Department of Veterans
Affairs, 810 Vermont Avenue NW, Washington, DC 20420, 202-530-9408
(this is not a toll-free number).
SUPPLEMENTARY INFORMATION: This proposed rule would amend 38 CFR parts
1 and 14 to clarify one of the methods that an individual providing
representation on a claim may use to access a claimant's records now
that VA has transitioned to primarily using electronic records relevant
to a claim for VA benefits. Specifically, this proposed rule clarifies
how attorneys, agents, or representatives of a VA-recognized service
organization who are accredited pursuant to 38 CFR 14.629, as well as
designated to provide representation in a claim pursuant to 38 CFR
14.631, may access records relevant to their client's claim through
VBA's IT systems. The purpose of this rulemaking is to ensure that
claimants for VA benefits receive responsible, qualified services from
VA-accredited attorneys, agents, or representatives of a VA-recognized
service organization when seeking VA benefits, including ensuring that
those individuals providing representation have appropriate access to
VA records relating to their client's claim; that VA claimants
understand who may access their claim records when they designate an
attorney, agent or service organization to provide representation; that
attorneys, agents, or representatives of a VA-recognized service
organization before VA take care to adequately protect their client's
privacy; and that VA meets its IT security obligations while providing
access to its information systems to individuals who are not VA
employees or contractors (non-VA users). The statutory authority for
proposed Sec. Sec. 1.600 through 1.603 is 38 U.S.C. 5721 through 5728.
Because the ``security of Department information and information
systems is vital to the success of the mission of the Department,'' it
is statutorily mandated that VA ``establish and maintain a
comprehensive Department-wide information security program to provide
for the development and maintenance of cost-effective security controls
needed to protect Department information, in any media or format, and
Department information systems.'' 38 U.S.C. 5722(a). In establishing
its Department-wide information security program, Congress has
entrusted to the VA information owners that oversee the system or
systems to ``determin[e] who has access to the system or systems
containing sensitive personal information, including types of
privileges and access rights.'' 38 U.S.C. 5723(d)(2).
Veteran and claimant information may be closely associated, such as
when the Veteran is also the claimant, but not all claimants before VA
are Veterans, such as a Veteran's surviving spouse or child who may be
entitled to VA benefits in some circumstances. These non-Veteran
dependent claimants may file benefit claims under the claim number VA
assigned to the Veteran whose military service renders them potentially
eligible for benefits. Accordingly, this proposed rule addresses the
requirements for IT systems access regardless of whether the
representation is in a claim for VA benefits submitted by a Veteran,
survivor, or family member, provided that the claim record is
maintained electronically in a system that is configured for external
access.
Under 38 U.S.C. 5701(a) and (b), ``files, records, reports, and
other papers and documents pertaining to any claim'' before VA are
generally ``confidential and privileged,'' but VA ``shall make
[[Page 9436]]
disclosure'' of the same ``[t]o a claimant or duly authorized agent or
representative of a claimant'' in most circumstances. See also 5 U.S.C.
552a (Privacy Act). Under 38 U.S.C. 501(a), VA has authority ``to
prescribe all rules and regulations that are necessary or appropriate
to carry out the laws'' it administers.
The information security requirements to which VA must adhere are
complex and rigorous, and drawn from such sources as 38 U.S.C. Chapter
57, Subchapter III, Information Security; the Federal Information
Security Modernization Act of 2014 (FISMA), 44 U.S.C. Chapter 35,
Subchapters II and III; the E-Government Act of 2002, 44 U.S.C.
Chapters 1 and 36; VA Handbook 6500, Risk Management Framework for VA
Information Systems--Tier 3: VA Information Security Program; VA
Directive 6500, VA Cybersecurity Program; OMB Circular A-130, Managing
Information as a Strategic Resource; and the National Institute of
Standards and Technology, Special Publication 800-53.
VA's effort to modernize the claims processing system has required
a change to storing records relevant to benefit claims before the
agency and processing such claims in electronic form, currently
utilizing the Veterans Benefits Management System (VBMS) information
system, from storing claimant's records in paper files. Other systems,
such as Caseflow, are not document repositories, but may provide
information regarding the current status of the claim or appeal, such
as whether it is pending the development of evidence, pending a
decision, etc. In an effort to provide increased access to claimant's
records, VA must change its policies and procedures to ensure
compliance with Federal IT system security and privacy safeguards
applicable to VA. This rule-making addresses non-VA users, and how and
when attorneys, agents, or representatives of a VA-recognized service
organization may directly access VBA information systems rather than an
offline copy of those records on behalf of their clients, as provided
under 38 CFR part 1 implementation of 38 U.S.C. 5701, 38 U.S.C. 7332,
and 5 U.S.C. 552 and 552a. The experiences of VA claimants, the
individuals providing representation before VA, and the agency during
the years since the transition to VBMS warrants a reexamination and
clarification of the terms and processes related to how attorneys,
agents, or representatives of a VA-recognized service organization may
have direct system access to VBA's claim records. Indeed, a VA-
accredited attorney petitioned VA to initiate a rulemaking for purposes
of clarifying whether attorney support staff could gain access to VBMS
in the same manner as the attorney of record in the claim. Noting an
inconsistency between current 38 CFR 1.600 through 1.603, which
prescribe VA's longstanding policy on access to certain IT systems for
purposes of representing a claimant before the VBA, and a note to
current 38 CFR 14.629 stating that certain support staff may qualify
for access, VA agreed to initiate this rulemaking.
VA has a duty to protect the privacy of VA claimants, ensure the
security, confidentiality, integrity, and availability of its
information systems and ensure that VA claimants receive competent and
qualified representation on their benefits claims. It additionally
endeavors to provide attorneys, agents, or representatives of a VA-
recognized service organization more convenient access to the records
they need to adequately represent claimants. Therefore, VA proposes to
amend certain regulations in 38 CFR parts 1 and 14 to strike an
appropriate balance between these duties and goals and seeks public
comment on those amendments.
Part 1--General Provisions
Section 1.600 Purpose
The proposed amendments to 38 CFR 1.600, 1.601, 1.602, and 1.603
would clarify how an individual who has been accredited by VA as an
attorney, agent, or representative of a VA-recognized service
organization may directly use VBA IT systems to access the VA records
for claimants who have designated that service organization, attorney,
or agent to provide representation on their claim. These proposed
changes are important because, as VA has enhanced its IT capabilities,
claims folders are becoming increasingly digital rather than paper
based. VA currently allows attorneys, agents, and representatives of a
VA-recognized service organization to use internal VBA IT systems to
access VA records relevant to their client's claims in some cases. In
an effort to ensure that non-public Veteran information is protected in
new electronic media, VA proposes to update its regulations governing
direct use of VBA's IT systems that contain claimants' records.
Accordingly, the proposed amendments outline the limitations on and
qualifications for direct access to VBA's IT systems, proper use of
such access, and revocation of direct access if an individual misuses
it.
Current 38 CFR 1.600 prescribes the purpose of Sec. Sec. 1.601 to
1.603, which is to provide when and under what circumstances VA will
allow accredited attorneys, agents, or representatives of a VA-
recognized service organization access to certain VBA IT claim systems.
VA proposes to clarify existing regulatory text and to update these
regulations to ensure that they reflect current VA policy and are
correctly phrased to govern access to VBA's current and future IT
systems via which VA may provide records access to attorneys, agents,
or representatives of a VA-recognized service organization. Further, VA
proposes to confirm the general policy in current Sec. 1.600 through
1.603, which limits external access to VBA's IT systems to the
attorneys, agents, or representatives of a VA-recognized service
organization designated to provide representation on the claim. This
limitation continues to be necessary because the individuals are
provided direct access to VBA IT systems in at least some
circumstances, and via those systems to the claimant's electronically
stored records. While VA has concluded that this level of access is
appropriate for those who assist claimants in their complex VA benefit
claims, it also must comply with legal obligations to protect claimant
privacy and maintain secure and reliable information systems. As such,
VA proposes to continue limiting read-only electronic access to claim
records to the attorney or agent that is designated by the claimant as
the attorney or agent of record, or, if a claimant designates a service
organization to provide representation on the claim, to the
representatives of that service organization. VA proposes to not grant
access to any individual who is not accredited by VA and is not
designated to provide representation pursuant to 38 CFR 14.631. While
it is undeniable that continuing a policy of allowing direct electronic
access to VA systems for any individual poses privacy and security
risk, which VA must carefully manage, VA views limiting access to only
those individuals who are accredited by VA and designated to provide
representation pursuant to Sec. 14.631 as striking an appropriate
balance between ensuring that claimants have the claims assistance they
need and maintaining private information in secure, reliable
information systems.
VA holds accredited representatives, attorneys and agents to a high
standard of conduct when they hold power of attorney for a claimant.
When a claimant designates an accredited individual they give VA
permission to
[[Page 9437]]
disclose private information to that person or organization. Under
Sec. 14.632 VA requires that accredited attorneys, agents and
representatives maintain a claimants privacy by not disclosing, without
the claimant's authorization, any information provided by VA for
purposes of representation. This, in addition to the requirements for
continuing education and/or training on a regular basis, character and
fitness assessments, and other certifications found in Sec. 14.629,
gives VA the assurance that these individuals will maintain the
claimants' privacy while also minimizing the risk to the security of
VA's IT systems.
Limiting access to this group of individuals also gives VA a means
to remediate any mishandling of claimant information or misuse of the
systems access through termination of accreditation, which may include
notifying all agencies, courts, and bars to which an agent or attorney
is admitted to practice pursuant to Sec. 14.633.
VA also proposes to update Sec. 1.600 through 1.603 by deleting
the unnecessary reference to ``remote'' access to records in electronic
systems in the undesignated center heading preceding these regulatory
sections in the Code of Federal Regulations, as such external access is
by nature remote. The requirements of Sec. 1.600 et seq. will apply to
any direct online system access to VBA information systems by an
attorney, agent, or representative of a VA-recognized service
organization, whether via the internet or while utilizing a point of
access located in a VA facility. VA also proposes to replace the
reference to ``disqualification'' in Sec. 1.600(a)(3) with ``denial''
and ``revocation,'' which more closely reflects the rules proposed in
Sec. 1.603. Denial would refer to VA's decision to not grant an
applicant privileges to directly access VBA IT systems or not to permit
access to a specific claimant's claims file. Revocation would refer to
the removal of access privileges to VBA's IT systems or the removal of
the ability to access a specific claimant's claims file.
Paragraph (b)(4) would be revised to clarify that an attorney,
agent, or representative of a VA-recognized service organization may be
able to upload information and evidence regarding a claimant to VA's
electronic records system for that claimant, with proper authorization
to do so. However, the IT systems into which an attorney, agent, or
representative of a VA-recognized service organization may upload
records do not allow a record to be modified once submitted and, even
if that ability were mistakenly provided, attorneys, agents, or
representatives of a VA-recognized service organization are not allowed
to modify existing records pursuant to the proposed rule. Hence, VA may
continue to correctly speak of ``read only'' access to the VA claims.
The proposed rule would also revise most of Sec. 1.600(c) to
remove references to antiquated IT systems and commands. To ensure VA's
regulations stay current regardless of future IT developments, and to
allow VA flexibility to provide access to only those IT systems which
are necessary to providing representation while minimizing risk to IT
system integrity and privacy should VA develop new systems in the
future, VA proposes to describe affected IT systems more generally in
paragraph (c).
Section 1.601 Qualifications for Access
As noted above, VA proposes to continue the policy prescribed in
current Sec. 1.601, which limits electronic access to VA's claims
records directly through VBA's IT systems to individuals who are both
accredited and designated to provide representation on the claim. In
this regard, VA proposes no change to the general qualifications for
VBA IT systems access in current Sec. 1.601 except adding that the
applicant must comply with all security requirements deemed necessary
by VA to ensure the integrity and confidentiality of the data and VBA's
information technology systems, which may include personal identity
verification and passing a background suitability investigation. When
an individual directly accesses a VBA IT system to access VA
information as provided under these regulations, they are a user of VA
information and information systems. Title 38 U.S.C. 5723(f)(1)
requires that all users of VA information or information systems comply
with all Department information security program policies, procedures,
and practices. VA is required to implement NIST Federal Information
Processing Standard 201, Personal Identity Verification (PIV) of
Federal Employees and Contractors, which establishes the minimum
requirements for a Federal personal identity verification system that
meets the control and security objectives of Homeland Security
Presidential Directive-12 [HSPD-12], including identity proofing,
registration, and issuance. NIST Special Publication 800-63-3, Digital
Identity Guidelines, applies the requirements of HSPD-12 to all
transactions for which digital identity or authentication are required,
regardless of the constituency (e.g. citizens, business partners,
government entities).
VA proposes to remove current Sec. 1.601(a)(2) regarding systems
access during representation before a Federal appellate court because
these court proceedings occur outside of VA's administrative process
and the record in an appeal is compiled according to the rules of the
court. See, e.g., Court of Appeals for Veterans Claims, Rules of
Practice and Procedure 10. VA's longstanding practice is that the
attorney representing VA on the appeal before the Court of Appeals for
Veterans Claims will disclose the record directly to the claimant's
attorney pursuant to the claimant's authorization and work with the
claimant's attorney regarding any dispute that may arise as to the
preparation of that record pursuant to rules of that court. As such,
attorneys representing before the Court of Appeals for Veterans Claims
do not need access to VBA IT systems. Granting such access would
unnecessarily expand VA's IT security risk because VA cannot readily
limit the access within the IT systems to only those claims records
relevant to the appeal. An unaccredited attorney representing solely
before a Federal court lies outside of the processes through which VA
accredits individuals and associates them with their respective
claimants. In rare instances that unaccredited attorneys might dispute
the record before the court and ask to review the complete claims
folder, VA's Office of General Counsel would coordinate within VA to
ensure compliance with any court order.
VA also proposes to amend paragraph (b) by striking references to
``hardware, modem, and software,'' and replacing these terms with a
more general advance VA approval requirement that is less subject to
technical obsolescence.
Finally, VA proposes to amend paragraph (c) by requiring an
attorney, agent, or representative of a VA-recognized service
organization with access privileges to VBA IT systems to acknowledge,
among other things prescribed in the current paragraph, VA's Rules of
Behavior and the consequences of breach of the requirements. As noted
above, VA also proposes to replace the term ``disqualification'' in
paragraph (c) with ``revocation,'' to better reflect the text of Sec.
1.603 regarding revocation of access.
Section 1.602 Utilization of Access
Current Sec. 1.602 prescribes the rules applicable to attorneys,
agents, or representatives of a VA-recognized service organization who
are authorized by VA to access VA systems for purposes of claims
assistance, to
[[Page 9438]]
include specific usage, training, and inspection requirements. VA
proposes to generally maintain these rules with updates to reflect
current systems and practice. Proposed amendments include clarifying
that access to the ``automated claims records'' referenced in current
Sec. 1.602 is more accurately described as ``read-only electronic
access to the VA records.'' VA also proposes to replace ``password''
with ``account'' or ``logon credentials'' throughout the regulation.
In paragraph (b), VA proposes to clarify that VA must approve the
annual training required to gain access to, or continue to access,
VBA's IT systems. Also, consistent with the limitation on access to
only the attorney or agent of record, or to the representatives of the
service organization of record, VA proposes to clarify that references
in current regulations to ``individual or organization'' mean those
individuals who are accredited by VA to provide claims assistance as an
attorney, agent, or representative of a VA-recognized service
organization.
Section 1.603 Revocation and Reconsideration
Current Sec. 1.603 prescribes the circumstances under which VA may
``revoke'' access to VBA IT systems for an attorney, agent, or
representative of a VA-recognized service organization and specifically
delegates this authority to a VA Regional Office Director. Current
provisions recognize that claimants who cancel or supplant the
delegation of a service organization, service organization
representative, attorney, or agent remove the entitlement of access to
their records as a matter of law under the Privacy Act, 5 U.S.C. 552a,
and 38 U.S.C. 5701 and 7332. However, VA must notify the attorney,
agent, or representative of a VA-recognized service organization, as
well as the representative's service organization if VA revokes access,
unless VA must first temporarily suspend such access prior to a final
determination because VA believes it necessary to protect its systems
or the data therein. The current regulation also requires VA personnel
to report a revocation to a state licensing authority, such as an
attorney's state bar or other licensing authority, if warranted by the
conduct of the attorney, agent, or representative of a VA-recognized
service organization. VA proposes to amend Sec. 1.603 to generally
update the regulation consistent with current practice and systems and
clarify the circumstances under which VA may deny or revoke privileges
of an attorney, agent, or representative of a VA-recognized service
organization to access VBA's IT systems or deny or revoke access to a
specific claimant's claims records.
As noted above, VA proposes to revise the section's title,
currently ``Disqualification,'' to read ``Revocation and
reconsideration,'' which more closely reflects its topic and text in
proposed Sec. 1.603. Given the national oversight of access to VA
systems and the national practice of many attorneys, agents, or
representatives of a VA-recognized service organization, VA also
proposes to modify references in Sec. 1.603 to ``Regional Office'' and
``Regional Office Director,'' and instead prescribe the actions that
may be taken by VA in circumstances that warrant potential revocation
in a manner that acknowledge others within the agency may be required
to respond. VA would also remove paragraph (b)(3) because, as proposed,
Sec. 1.600 through 1.603 would no longer name the types of records or
data that an attorney, agent, or representative of a VA-recognized
service organization may access. VA proposes to revise paragraph (b)(4)
to clarify that records might belong to claimants who seek to receive
benefits, and not, as currently stated, beneficiaries who, by
definition, are already receiving VA benefits.
VA proposes to amend paragraph (c) to cover both denials and
revocations. Specifically, VA proposes to add subparagraphs (1) through
(5), which discuss the framework for requesting reconsideration of
denials or revocations of access. Electronic access to claimant records
is not a right and any request for such access is not a benefit claim
that is subject to appeal. Proposed Sec. 1.600(d)(3) would generally
restate and continue current Sec. 1.600(d)(2), which provides,
``Sections 1.600 through 1.603 are not intended to, and do not . . .
[c]reate, and may not be relied upon to create, any right or benefit,
substantive or procedural, enforceable at law against the United States
or the Department of Veterans Affairs.'' However, VA will reconsider
initial denials or revocations of electronic access upon written
requests by affected attorneys, agents, or representatives of VA-
recognized service organizations. Such individuals would have 30 days
from VA's notice of denial or revocation to submit such requests with
any information they believe relevant to VA's decision to deny or
revoke access. The Director of the VA regional office or center with
jurisdiction would review the denial or revocation, any new information
submitted by the individual seeking access, describe the relevant
facts, make a new decision, and provide written notification to the
affected individual, as well as the Office of General Counsel.
In addition, we are proposing a technical correction to Sec. Sec.
1.600 through 1.603. Consistent with direction from the Office of
Federal Register, VA has proposed to place the statutory authorities
for Sec. Sec. 1.600 through 1.603 in the introductory portion of 38
CFR part 1 as opposed to a parenthetical immediately following each
individual section. Finally, regarding the reporting requirements in
current paragraph (d), VA proposes to amend these provisions to require
reporting to VA's Office of General Counsel when the facts and
circumstances regarding a denial or revocation of access indicate
potential misconduct of the attorney, agent, or representative of a VA-
recognized service organization that may call into question his or her
competence or qualifications for VA accreditation.
PART 14--Legal Services, General Counsel, and Miscellaneous Claims
Section 14.629 Requirements for Accreditation of Service Organization
Representatives; Agents; and Attorneys
Current Sec. 14.629 implements VA's authority under 38 U.S.C. 5902
and 5904 to accredit attorneys, agents, or representatives of VA-
recognized service organizations for the purpose of assisting claimants
in the preparation, presentation, and prosecution of veterans benefits
claims. VA does not propose any substantive changes to the
accreditation provisions in this section. However, current Sec.
14.629(c) addresses who is permitted, and under what circumstances, to
assist an attorney of record in providing representation on a claim.
Subparagraph (c)(3) specifically indicates that legal interns, law
students, and paralegals may assist the attorney of record in the
representation of a claimant before VA pursuant to the claimant's
consent. The attorney of record may also disclose information obtained
from VA for the purpose of representation to the legal interns, law
students, and paralegals pursuant to the claimant's consent, see 38 CFR
14.632(c)(10), but a note that follows current Sec. 14.629 goes
further than that and states that legal interns, law students, and
paralegals, as well as veterans service organization support staff, may
``qualify for read-only access to pertinent Veterans Benefits
Administration automated claims records'' under Sec. 1.600 through
1.603 of this chapter. VA added this note in a 2003 final rule stating
only that it was intended to ``promote consistency with regulations and
practice'' at the time, specifically with respect to individuals
[[Page 9439]]
working under the supervision of the claimant's designated
representative.'' 68 FR 8541, 8543. It is notable that VA IT systems
did not include electronic copies of evidence at the time of the 2003
Federal Register notice.
This note has never meant that VA would always provide support
staff at a service organization or legal interns, law students, or
paralegals with access to VBA IT systems. Nevertheless, the note may
have caused confusion and contributed to inconsistent application of
current Sec. 1.600 through 1.603 as VA has transitioned to primarily
keeping claimant records in electronic form rather than paper.
Accordingly, VA proposes to remove this note, consistent with the
clarification of its policy under this proposed rule. Indeed, VA's
proposed regulations and current practice of limiting systems access to
claimants' accredited attorneys, agents, or representatives of a VA-
recognized service organization, would be inconsistent with allowing
support staff at service organizations or legal interns, law students,
or paralegals to electronically access VA records. Under this proposed
rule, VA would ensure that only accredited attorneys, agents, or
representatives of a VA-recognized service organization have privileges
to access VBA's IT systems. Furthermore, a VA-accredited attorney or
agent would have access to records only if the claimant appointed that
individual as the attorney of record or agent of record for his or her
claim. In the case of a service organization, VA would provide access
only to the representatives of that service organization. VA would only
grant access to the attorney of record, the agent of record, or the
representatives of the service organization of record regardless of
whether any other individuals are assisting the attorney of record in
the representation of the claimant's case, or are serving on the
support staff of the attorney, agent, or veterans service organization.
Although general access to inspect or receive a copy of a
claimant's record is governed by privacy laws and regulations
applicable to VA and to the Federal government more generally, there is
no statute or regulation creating a right to electronically access VA's
internal IT systems or mandating that individuals who may view a record
must be allowed to do so via any particular IT system. This is
consistent with current Sec. 1.600(d), which VA proposes to modify in
this rulemaking. VA's policy of limiting access to VA's IT systems to
VA-accredited attorneys, agents, or representatives of a VA-recognized
service organization, and limiting access within those systems only to
the claims files in which the attorney or agent has been designated to
provide representation under 38 CFR 14.631, or to the representative of
a service organization that has been designated to provide
representation pursuant to the claimant's power of attorney under 38
CFR 14.631, is reasonable given VA's overarching responsibility to
protect Veterans' privacy, maintain IT security according to Federal
requirements, and control administrative burden and costs.
Executive Orders 12866, 13563, and 13771
Executive Orders 12866 and 13563 direct agencies to assess the
costs and benefits of available regulatory alternatives and, when
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, and other advantages; distributive impacts;
and equity). Executive Order 13563 (Improving Regulation and Regulatory
Review) emphasizes the importance of quantifying both costs and
benefits, reducing costs, harmonizing rules, and promoting flexibility.
The Office of Information and Regulatory Affairs has determined that
this rule is not a significant regulatory action under Executive Order
12866. VA's impact analysis can be found as a supporting document at
http://www.regulations.gov, usually within 48 hours after the
rulemaking document is published. Additionally, a copy of the
rulemaking and its impact analysis are available on VA's website at
http://www.va.gov/orpm/, by following the link for ``VA Regulations
Published From FY 2004 Through Fiscal Year to Date.'' This rule is not
an Executive Order 13771 regulatory action because this rule is not
significant under Executive Order 12866.
Regulatory Flexibility Act
The Secretary hereby certifies that the adoption of this rule would
not have a significant economic impact on a substantial number of small
entities as they are defined in the Regulatory Flexibility Act, 5
U.S.C. 601-612. This rule might have an insignificant economic impact
on an insubstantial number of small entities, generally law firms that
have individual attorneys who are accredited by VA for purposes of
representing VA benefit claimants. VA believes the impact to be minimal
because, as stated in the preamble, its overarching policy and practice
has been to grant access to designated representatives, as opposed to
supporting staff, and access to VA systems is optional and not a
prerequisite to representing any claimant before the Department. VA's
proposed rule simply clarifies this longstanding practice. Therefore,
pursuant to 5 U.S.C. 605(b), this rulemaking would be exempt from the
initial and final regulatory flexibility analysis requirements of 5
U.S.C. 603 and 604.
Unfunded Mandates
The Unfunded Mandates Reform Act of 1995 requires, at 2 U.S.C.
1532, that agencies prepare an assessment of anticipated costs and
benefits before issuing any rule that may result in the expenditure by
State, local, and tribal governments, in the aggregate, or by the
private sector, of $100 million or more (adjusted annually for
inflation) in any 1 year. This rule would have no such effect on State,
local, and tribal governments, or on the private sector.
Paperwork Reduction Act
This proposed rule contains no provisions constituting a collection
of information under the Paperwork Reduction Act of 1995 (44 U.S.C.
3501-3521).
List of Subjects
38 CFR Part 1
Administrative practice and procedure, Archives and records,
Cemeteries, Claims, Courts, Crime, Flags, Freedom of information,
Government contracts, Government employees, Government property,
Infants and children, Inventions and patents, Parking, Penalties,
Postal Service, Privacy, Reporting and recordkeeping requirements,
Seals and insignia, Security measures, Wages.
38 CFR Part 14
Administrative practice and procedure, Claims, Courts, Foreign
relations, Government employees, Lawyers, Legal services, Organization
and functions (Government agencies), Reporting and recordkeeping
requirements, Surety bonds, Trusts and trustees, Veterans.
Signing Authority
The Secretary of Veterans Affairs approved this document and
authorized the undersigned to sign and submit the document to the
Office of the Federal Register for publication electronically as an
official document of the Department of Veterans Affairs. Pamela Powers,
Chief of Staff, Department of Veterans
[[Page 9440]]
Affairs, approved this document on November 5, 2019, for publication.
Jeffrey M. Martin,
Assistant Director, Office of Regulation Policy & Management, Office of
the Secretary, Department of Veterans Affairs.
For the reasons set forth in the preamble, VA proposes to amend 38
CFR parts 1 and 14 as follows:
PART 1--GENERAL PROVISIONS
0
1. The authority citation for part 1, is amended to read as follows:
Authority: 38 U.S.C. 501, and as noted in specific sections.
Sections 1.600-1.603 Also issued under 38 U.S.C. 5721-5728.
0
2. Amend the undesignated center heading preceding Sec. 1.600 by
removing the word ``Remote''.
0
3. Amend Sec. 1.600 by:
0
a. Revising paragraph (a)(1).
0
b. Amending paragraph (a)(2) by removing ``claimants''' and adding in
its place ``service organization,'' and adding after
``representatives'' the words, ``attorneys and agents.''
0
c. Revising paragraph (a)(3).
0
d. Revising paragraphs (b), (c),(d)(1) and (2).
0
e. Adding paragraph (d)(3).
The revisions and addition read as follows:
Sec. 1.600 Purpose.
(a) * * *
(1) When, and under what circumstances, VA will grant attorneys,
agents, and representatives of a VA-recognized service organization the
ability to access records through Veterans Benefits Administration's
(VBA) electronic information technology (IT) systems that contain
information regarding the claimants whom they represent before VA;
(2) * * *
(3) The bases and procedures for denial or revocation of access
privileges to VBA IT systems of an attorney, agent, or representative
of a VA-recognized service organization for violating any of the
requirements for access.
(b) VBA will provide access to VBA IT systems under the following
conditions. VBA will provide access:
(1) Only to an attorney, agent, or representative of a VA-
recognized service organization who is accredited pursuant to part 14
of this chapter and who is approved to access VBA IT systems under
Sec. Sec. 1.600 through 1.603;
(2)(i) For a representative of a VA-recognized service
organization, only to the records of VA claimants who appointed the
service organization as the organization of record to provide
representation on their claims, or
(ii) For an attorney or agent, only to the records of VA claimants
who appointed the attorney or agent as the attorney or agent of record
on their claims;
(3) Solely for the purpose of representing the individual claimant
whose records are accessed in a claim for benefits administered by VA;
and
(4) On a read-only basis, an attorney, agent, or representative of
a VA-recognized service organization authorized to access VBA IT
systems under Sec. Sec. 1.600 through 1.603 will not be permitted to
modify the data, to include modifying any existing record. However,
such an attorney, agent, or representative of a VA-recognized service
organization may upload documents as permitted by VA IT policy
regarding submittal of new documents.
(c) Privileges to access VBA IT systems may be granted by VBA only
for the purpose of accessing a represented claimant's electronically
stored claims files pursuant to applicable privacy laws and
regulations, and as authorized by a claimant's power of attorney under
38 CFR 14.631.
(d) * * *
(1) Waive the sovereign immunity of the United States;
(2) Create, and may not be relied upon to create, any right or
benefit, substantive or procedural, enforceable at law against the
United States or the Department of Veterans Affairs; or
(3) Create or establish a right to electronic access.
0
4. Revise Sec. 1.601 to read as follows:
Sec. 1.601 Qualifications for access.
(a)(1) An applicant for access to VBA IT systems for the purpose of
providing representation must be:
(i) A representative of a VA-recognized service organization who is
accredited by VA under Sec. 14.629(a) of this chapter through a
service organization and whose service organization holds power of
attorney for one or more claimants under Sec. 14.631 of this chapter;
or
(ii) An attorney or agent who is accredited by VA under Sec.
14.629(b) of this chapter and who holds power of attorney for one or
more claimants under Sec. 14.631 of this chapter.
(2) To qualify for access to VBA IT systems, the applicant must
comply with all security requirements deemed necessary by VA to ensure
the integrity and confidentiality of the data and VBA IT systems, which
may include passing a background suitability investigation for issuance
of a personal identity verification badge.
(3) VA may deny access to VBA IT systems if the requirements of
paragraphs (a)(1) or (2) of this section are not met.
(b) The method of access, including security software and work-site
location of the attorney, agent, or representative of a VA-recognized
service organization, must be approved in advance by VA.
(c) Each attorney, agent, or representative of a VA-recognized
service organization approved for access must complete, sign, and
return a notice provided by VA. The notice will specify any applicable
operational and security requirements for access, in addition to the
applicable VA Rules of Behavior, and an acknowledgment that the breach
of any of these requirements is grounds for revocation of access.
0
5. Revise Sec. 1.602 to read as follows:
Sec. 1.602 Utilization of access.
(a) Once VA issues to an attorney, agent, or representative of a
VA-recognized service organization the necessary logon credentials to
obtain read-only access to the VA records regarding the claimants
represented, access will be exercised in accordance with the following
requirements. The attorney, agent, or representative of a VA-recognized
service organization:
(1) Will electronically access VA records through VBA IT systems
only by the method of access approved in advance by VA;
(2) Will use only his or her assigned logon credentials to obtain
access;
(3) Will not reveal his or her logon credentials to anyone else, or
allow anyone else to use his or her logon credentials;
(4) Will access via VBA IT systems only the records of claimants
who he or she represents;
(5) Will access via VBA IT systems a claimant's record solely for
the purpose of representing that claimant in a claim for benefits
administered by VA;
(6) Is responsible for the security of the logon credentials and,
upon receipt of the logon credentials, will destroy the hard copy so
that no written or printed record is retained;
(7) Will comply with all security requirements VA deems necessary
to ensure the integrity and confidentiality of the data and VBA IT
systems; and
(8) Will comply with each of the standards of conduct for
accredited individuals prescribed in Sec. 14.632 of this chapter.
(b)(1) A service organization shall ensure that all its
representatives provided access in accordance with these regulations
receive annual training approved by VA on proper security or annually
complete VA's Privacy and Security Training.
(2) An attorney or agent who is granted access will annually
[[Page 9441]]
acknowledge review of the security requirements for the system as set
forth in these regulations, VA's Rules of Behavior, and any additional
materials provided by VA.
(c) VBA may, at any time without notice:
(1) Inspect the computer hardware and software utilized to obtain
access and their location;
(2) Review the security practices and training of any attorney,
agent, or representative of a VA-recognized service organization
granted access under these regulations; and
(3) Monitor the access activities of an attorney, agent, or
representative of a VA-recognized service organization. By applying
for, and exercising, the access privileges under Sec. 1.600 through
1.603, the attorney, agent, or representative of a VA-recognized
service organization expressly consents to VBA monitoring access
activities at any time for the purpose of auditing system security.
0
6. Amend Sec. 1.603 by:
0
a. Revising the section heading
0
b. Revising paragraph (a).
0
c. Revising paragraphs (b) introductory text and (b)(2).
0
d. Removing paragraph (b)(3).
0
e. Redesignating paragraph (b)(4) as (b)(3) and revising the newly
redesignated (b)(3).
0
f. Redesignating paragraph (b)(5) as (b)(4).
0
g. Redesignating paragraph (b)(6) as (b)(5) and revising the newly
redesignated (b)(5).
0
h. Amend paragraph (c) and by adding paragraphs (c)(1) through (5).
0
i. Revising paragraph (d).
0
j. Removing paragraph (e).
The revisions read as follows:
Sec. 1.603 Revocation and reconsideration.
(a) VA may revoke access of an attorney, agent, or representative
of a VA-recognized service organization to a particular claimant's
records because the individual or organization no longer represents the
claimant, and, therefore, the claimant's consent is no longer in
effect.
(b) VA may revoke the access privileges of an attorney, agent, or
representative of a VA-recognized service organization either to an
individual claimant's records or to all claimants' records via the VBA
IT systems, if the individual:
(1) * * *
(2) Accesses or attempts to access data for a purpose other than
representation of an individual claimant;
(3) Accesses or attempts to access data on a claimant who he, she,
or the service organization does not represent;
(4) Accesses or attempts to access a VBA IT system by a method that
has not been approved by VA; or
(5) Modifies or attempts to modify data in the VBA IT systems
without authorization.
(c) VA will notify the attorney, agent, or representative of a VA-
recognized service organization of the denial of access under Sec.
1.601(a)(3) or revocation of access under paragraph (b) of this
section. If VA denies or revokes access privileges for a service
organization representative, VA will notify the service organization(s)
through which the representative is accredited of the denial or
revocation of access.
(1) The denial or revocation of access by a VBA regional office or
center of jurisdiction is a final decision. The attorney, agent, or
representative of a VA-recognized service organization may request
reconsideration of a denial or revocation of access by submitting a
written request to VBA. VBA will consider the request if it is received
by VBA not later than 30 days after the date that VA notified the
attorney, agent, or representative of a VA-recognized service
organization of its decision.
(2) The attorney, agent, or representative of a VA-recognized
service organization may submit additional information not previously
considered by VA, provided that the additional information is submitted
with the written request and it is pertinent to the prohibition of
access.
(3) VA will close the record regarding reconsideration at the end
of the 30-day period described in paragraph (c)(1) of this section and
furnish the request, including any new information, submitted by the
attorney, agent, or representative to the Director of the VA regional
office or center with jurisdiction over the final decision.
(4) VA will reconsider access based upon a review of the
information of record as of the date of its prior denial or revocation,
with any new information submitted with the request. The decision will:
(i) Identify the attorney, agent, or representative of a VA-
recognized service organization,
(ii) Identify the date of VA's prior decision,
(iii) Describe in detail the facts found as a result of VA's review
of its decision with any new information submitted with the
reconsideration request, and
(iv) State the reasons for VA's final decision, which may affirm,
modify, or overturn its prior decision.
(5) VA will provide written notice of its final decision on access
to:
(i) The attorney, agent, or representative of a VA-recognized
service organization requesting reconsideration, and
(ii) if the conduct that resulted in denial or revocation of the
authority of an attorney, agent, or representative of a VA-recognized
service organization to access VBA electronic IT systems merits
potential inquiry into the individual's conduct or competence pursuant
to Sec. 14.633 of this chapter, the VBA regional office or center of
jurisdiction will immediately inform VA's Office of General Counsel in
writing of the fact that it has revoked the individual's access
privileges and provide the reasons why.
(d) VA may immediately suspend access privileges prior to any
determination on the merits of a revocation where VA determines that
such immediate suspension is necessary to protect, from a reasonably
foreseeable compromise, the integrity of the system or confidentiality
of the data in VBA IT systems.
PART 14--LEGAL SERVICES, GENERAL COUNSEL, AND MISCELLANEOUS CLAIMS
0
7. The authority citation for part 14 continues to read as follows:
Authority: 5 U.S.C. 301; 28 U.S.C. 2671-2680; 38 U.S.C. 501(a),
512, 515, 5502, 5901-5905; 28 CFR part 14, appendix to part 14,
unless otherwise noted.
Sec. 14.629 [Amended]
0
8. Amend Sec. 14.629 by removing the Note.
[FR Doc. 2020-03196 Filed 2-18-20; 8:45 am]
BILLING CODE 8320-01-P
