[Federal Register Volume 85, Number 33 (Wednesday, February 19, 2020)]
[Proposed Rules]
[Pages 9435-9441]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-03196]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS

38 CFR Parts 1 and 14

RIN 2900-Q81


Individuals Accredited by the Department of Veterans Affairs 
Using Veterans Benefits Administration Information Technology Systems 
To Access VBA Records Relevant to a Claim While Representing a Claimant 
Before the Agency

AGENCY: Department of Veterans Affairs.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Veterans Affairs (VA) proposes to amend its 
regulations addressing when VA will allow individuals and organizations 
who are assisting claimants in the preparation, presentation, and 
prosecution of their claims before VA to use Veterans Benefits 
Administration's (VBA) information technology (IT) systems to access VA 
records relevant to a claim. This rulemaking addresses who is 
permitted, and under what circumstances, to directly access VA's claim 
records through those IT systems during representation of a VA claimant 
in a claim for VA benefits, but is not intended to address the larger 
issues involving who may access VA records more generally.
    Further, the proposed amendments would outline appropriate behavior 
while using VBA's IT systems to access VA records and the consequences 
of mishandling such access for attorneys, agents, or representatives of 
a VA-recognized service organization.

DATES: VA must receive comments on or before April 20, 2020.

ADDRESSES: Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to: Director, Office of 
Regulation Policy and Management (00REG), Department of Veterans 
Affairs, 810 Vermont Ave. NW, Room 1064, Washington, DC 20420; or by 
fax to (202) 273-9026. (This is not a toll-free telephone number.) 
Comments should indicate that they are submitted in response to ``RIN 
2900-AQ81--Individuals Accredited by the Department of Veterans Affairs 
Using Veterans Benefits Administration Information Technology Systems 
to Access VBA Records Relevant to a Claim While Representing a Claimant 
Before the Agency.''
    All comments received will be available for public inspection in 
the Office of Regulation Policy and Management, Room 1064, between the 
hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except 
holidays). Please call (202) 461-4902 for an appointment. (This is not 
a toll-free telephone number.) In addition, comments may be viewed 
online through the Federal Docket Management System (FDMS) at http://www.Regulations.gov.

FOR FURTHER INFORMATION CONTACT: Glen Wallick, Senior Management and 
Program Analyst, Appeals Management Office, Department of Veterans 
Affairs, 810 Vermont Avenue NW, Washington, DC 20420, 202-530-9408 
(this is not a toll-free number).

SUPPLEMENTARY INFORMATION: This proposed rule would amend 38 CFR parts 
1 and 14 to clarify one of the methods that an individual providing 
representation on a claim may use to access a claimant's records now 
that VA has transitioned to primarily using electronic records relevant 
to a claim for VA benefits. Specifically, this proposed rule clarifies 
how attorneys, agents, or representatives of a VA-recognized service 
organization who are accredited pursuant to 38 CFR 14.629, as well as 
designated to provide representation in a claim pursuant to 38 CFR 
14.631, may access records relevant to their client's claim through 
VBA's IT systems. The purpose of this rulemaking is to ensure that 
claimants for VA benefits receive responsible, qualified services from 
VA-accredited attorneys, agents, or representatives of a VA-recognized 
service organization when seeking VA benefits, including ensuring that 
those individuals providing representation have appropriate access to 
VA records relating to their client's claim; that VA claimants 
understand who may access their claim records when they designate an 
attorney, agent or service organization to provide representation; that 
attorneys, agents, or representatives of a VA-recognized service 
organization before VA take care to adequately protect their client's 
privacy; and that VA meets its IT security obligations while providing 
access to its information systems to individuals who are not VA 
employees or contractors (non-VA users). The statutory authority for 
proposed Sec. Sec.  1.600 through 1.603 is 38 U.S.C. 5721 through 5728. 
Because the ``security of Department information and information 
systems is vital to the success of the mission of the Department,'' it 
is statutorily mandated that VA ``establish and maintain a 
comprehensive Department-wide information security program to provide 
for the development and maintenance of cost-effective security controls 
needed to protect Department information, in any media or format, and 
Department information systems.'' 38 U.S.C. 5722(a). In establishing 
its Department-wide information security program, Congress has 
entrusted to the VA information owners that oversee the system or 
systems to ``determin[e] who has access to the system or systems 
containing sensitive personal information, including types of 
privileges and access rights.'' 38 U.S.C. 5723(d)(2).
    Veteran and claimant information may be closely associated, such as 
when the Veteran is also the claimant, but not all claimants before VA 
are Veterans, such as a Veteran's surviving spouse or child who may be 
entitled to VA benefits in some circumstances. These non-Veteran 
dependent claimants may file benefit claims under the claim number VA 
assigned to the Veteran whose military service renders them potentially 
eligible for benefits. Accordingly, this proposed rule addresses the 
requirements for IT systems access regardless of whether the 
representation is in a claim for VA benefits submitted by a Veteran, 
survivor, or family member, provided that the claim record is 
maintained electronically in a system that is configured for external 
access.
    Under 38 U.S.C. 5701(a) and (b), ``files, records, reports, and 
other papers and documents pertaining to any claim'' before VA are 
generally ``confidential and privileged,'' but VA ``shall make

[[Page 9436]]

disclosure'' of the same ``[t]o a claimant or duly authorized agent or 
representative of a claimant'' in most circumstances. See also 5 U.S.C. 
552a (Privacy Act). Under 38 U.S.C. 501(a), VA has authority ``to 
prescribe all rules and regulations that are necessary or appropriate 
to carry out the laws'' it administers.
    The information security requirements to which VA must adhere are 
complex and rigorous, and drawn from such sources as 38 U.S.C. Chapter 
57, Subchapter III, Information Security; the Federal Information 
Security Modernization Act of 2014 (FISMA), 44 U.S.C. Chapter 35, 
Subchapters II and III; the E-Government Act of 2002, 44 U.S.C. 
Chapters 1 and 36; VA Handbook 6500, Risk Management Framework for VA 
Information Systems--Tier 3: VA Information Security Program; VA 
Directive 6500, VA Cybersecurity Program; OMB Circular A-130, Managing 
Information as a Strategic Resource; and the National Institute of 
Standards and Technology, Special Publication 800-53.
    VA's effort to modernize the claims processing system has required 
a change to storing records relevant to benefit claims before the 
agency and processing such claims in electronic form, currently 
utilizing the Veterans Benefits Management System (VBMS) information 
system, from storing claimant's records in paper files. Other systems, 
such as Caseflow, are not document repositories, but may provide 
information regarding the current status of the claim or appeal, such 
as whether it is pending the development of evidence, pending a 
decision, etc. In an effort to provide increased access to claimant's 
records, VA must change its policies and procedures to ensure 
compliance with Federal IT system security and privacy safeguards 
applicable to VA. This rule-making addresses non-VA users, and how and 
when attorneys, agents, or representatives of a VA-recognized service 
organization may directly access VBA information systems rather than an 
offline copy of those records on behalf of their clients, as provided 
under 38 CFR part 1 implementation of 38 U.S.C. 5701, 38 U.S.C. 7332, 
and 5 U.S.C. 552 and 552a. The experiences of VA claimants, the 
individuals providing representation before VA, and the agency during 
the years since the transition to VBMS warrants a reexamination and 
clarification of the terms and processes related to how attorneys, 
agents, or representatives of a VA-recognized service organization may 
have direct system access to VBA's claim records. Indeed, a VA-
accredited attorney petitioned VA to initiate a rulemaking for purposes 
of clarifying whether attorney support staff could gain access to VBMS 
in the same manner as the attorney of record in the claim. Noting an 
inconsistency between current 38 CFR 1.600 through 1.603, which 
prescribe VA's longstanding policy on access to certain IT systems for 
purposes of representing a claimant before the VBA, and a note to 
current 38 CFR 14.629 stating that certain support staff may qualify 
for access, VA agreed to initiate this rulemaking.
    VA has a duty to protect the privacy of VA claimants, ensure the 
security, confidentiality, integrity, and availability of its 
information systems and ensure that VA claimants receive competent and 
qualified representation on their benefits claims. It additionally 
endeavors to provide attorneys, agents, or representatives of a VA-
recognized service organization more convenient access to the records 
they need to adequately represent claimants. Therefore, VA proposes to 
amend certain regulations in 38 CFR parts 1 and 14 to strike an 
appropriate balance between these duties and goals and seeks public 
comment on those amendments.

Part 1--General Provisions

Section 1.600 Purpose

    The proposed amendments to 38 CFR 1.600, 1.601, 1.602, and 1.603 
would clarify how an individual who has been accredited by VA as an 
attorney, agent, or representative of a VA-recognized service 
organization may directly use VBA IT systems to access the VA records 
for claimants who have designated that service organization, attorney, 
or agent to provide representation on their claim. These proposed 
changes are important because, as VA has enhanced its IT capabilities, 
claims folders are becoming increasingly digital rather than paper 
based. VA currently allows attorneys, agents, and representatives of a 
VA-recognized service organization to use internal VBA IT systems to 
access VA records relevant to their client's claims in some cases. In 
an effort to ensure that non-public Veteran information is protected in 
new electronic media, VA proposes to update its regulations governing 
direct use of VBA's IT systems that contain claimants' records. 
Accordingly, the proposed amendments outline the limitations on and 
qualifications for direct access to VBA's IT systems, proper use of 
such access, and revocation of direct access if an individual misuses 
it.
    Current 38 CFR 1.600 prescribes the purpose of Sec. Sec.  1.601 to 
1.603, which is to provide when and under what circumstances VA will 
allow accredited attorneys, agents, or representatives of a VA-
recognized service organization access to certain VBA IT claim systems. 
VA proposes to clarify existing regulatory text and to update these 
regulations to ensure that they reflect current VA policy and are 
correctly phrased to govern access to VBA's current and future IT 
systems via which VA may provide records access to attorneys, agents, 
or representatives of a VA-recognized service organization. Further, VA 
proposes to confirm the general policy in current Sec.  1.600 through 
1.603, which limits external access to VBA's IT systems to the 
attorneys, agents, or representatives of a VA-recognized service 
organization designated to provide representation on the claim. This 
limitation continues to be necessary because the individuals are 
provided direct access to VBA IT systems in at least some 
circumstances, and via those systems to the claimant's electronically 
stored records. While VA has concluded that this level of access is 
appropriate for those who assist claimants in their complex VA benefit 
claims, it also must comply with legal obligations to protect claimant 
privacy and maintain secure and reliable information systems. As such, 
VA proposes to continue limiting read-only electronic access to claim 
records to the attorney or agent that is designated by the claimant as 
the attorney or agent of record, or, if a claimant designates a service 
organization to provide representation on the claim, to the 
representatives of that service organization. VA proposes to not grant 
access to any individual who is not accredited by VA and is not 
designated to provide representation pursuant to 38 CFR 14.631. While 
it is undeniable that continuing a policy of allowing direct electronic 
access to VA systems for any individual poses privacy and security 
risk, which VA must carefully manage, VA views limiting access to only 
those individuals who are accredited by VA and designated to provide 
representation pursuant to Sec.  14.631 as striking an appropriate 
balance between ensuring that claimants have the claims assistance they 
need and maintaining private information in secure, reliable 
information systems.
    VA holds accredited representatives, attorneys and agents to a high 
standard of conduct when they hold power of attorney for a claimant. 
When a claimant designates an accredited individual they give VA 
permission to

[[Page 9437]]

disclose private information to that person or organization. Under 
Sec.  14.632 VA requires that accredited attorneys, agents and 
representatives maintain a claimants privacy by not disclosing, without 
the claimant's authorization, any information provided by VA for 
purposes of representation. This, in addition to the requirements for 
continuing education and/or training on a regular basis, character and 
fitness assessments, and other certifications found in Sec.  14.629, 
gives VA the assurance that these individuals will maintain the 
claimants' privacy while also minimizing the risk to the security of 
VA's IT systems.
    Limiting access to this group of individuals also gives VA a means 
to remediate any mishandling of claimant information or misuse of the 
systems access through termination of accreditation, which may include 
notifying all agencies, courts, and bars to which an agent or attorney 
is admitted to practice pursuant to Sec.  14.633.
    VA also proposes to update Sec.  1.600 through 1.603 by deleting 
the unnecessary reference to ``remote'' access to records in electronic 
systems in the undesignated center heading preceding these regulatory 
sections in the Code of Federal Regulations, as such external access is 
by nature remote. The requirements of Sec.  1.600 et seq. will apply to 
any direct online system access to VBA information systems by an 
attorney, agent, or representative of a VA-recognized service 
organization, whether via the internet or while utilizing a point of 
access located in a VA facility. VA also proposes to replace the 
reference to ``disqualification'' in Sec.  1.600(a)(3) with ``denial'' 
and ``revocation,'' which more closely reflects the rules proposed in 
Sec.  1.603. Denial would refer to VA's decision to not grant an 
applicant privileges to directly access VBA IT systems or not to permit 
access to a specific claimant's claims file. Revocation would refer to 
the removal of access privileges to VBA's IT systems or the removal of 
the ability to access a specific claimant's claims file.
    Paragraph (b)(4) would be revised to clarify that an attorney, 
agent, or representative of a VA-recognized service organization may be 
able to upload information and evidence regarding a claimant to VA's 
electronic records system for that claimant, with proper authorization 
to do so. However, the IT systems into which an attorney, agent, or 
representative of a VA-recognized service organization may upload 
records do not allow a record to be modified once submitted and, even 
if that ability were mistakenly provided, attorneys, agents, or 
representatives of a VA-recognized service organization are not allowed 
to modify existing records pursuant to the proposed rule. Hence, VA may 
continue to correctly speak of ``read only'' access to the VA claims.
    The proposed rule would also revise most of Sec.  1.600(c) to 
remove references to antiquated IT systems and commands. To ensure VA's 
regulations stay current regardless of future IT developments, and to 
allow VA flexibility to provide access to only those IT systems which 
are necessary to providing representation while minimizing risk to IT 
system integrity and privacy should VA develop new systems in the 
future, VA proposes to describe affected IT systems more generally in 
paragraph (c).

Section 1.601 Qualifications for Access

    As noted above, VA proposes to continue the policy prescribed in 
current Sec.  1.601, which limits electronic access to VA's claims 
records directly through VBA's IT systems to individuals who are both 
accredited and designated to provide representation on the claim. In 
this regard, VA proposes no change to the general qualifications for 
VBA IT systems access in current Sec.  1.601 except adding that the 
applicant must comply with all security requirements deemed necessary 
by VA to ensure the integrity and confidentiality of the data and VBA's 
information technology systems, which may include personal identity 
verification and passing a background suitability investigation. When 
an individual directly accesses a VBA IT system to access VA 
information as provided under these regulations, they are a user of VA 
information and information systems. Title 38 U.S.C. 5723(f)(1) 
requires that all users of VA information or information systems comply 
with all Department information security program policies, procedures, 
and practices. VA is required to implement NIST Federal Information 
Processing Standard 201, Personal Identity Verification (PIV) of 
Federal Employees and Contractors, which establishes the minimum 
requirements for a Federal personal identity verification system that 
meets the control and security objectives of Homeland Security 
Presidential Directive-12 [HSPD-12], including identity proofing, 
registration, and issuance. NIST Special Publication 800-63-3, Digital 
Identity Guidelines, applies the requirements of HSPD-12 to all 
transactions for which digital identity or authentication are required, 
regardless of the constituency (e.g. citizens, business partners, 
government entities).
    VA proposes to remove current Sec.  1.601(a)(2) regarding systems 
access during representation before a Federal appellate court because 
these court proceedings occur outside of VA's administrative process 
and the record in an appeal is compiled according to the rules of the 
court. See, e.g., Court of Appeals for Veterans Claims, Rules of 
Practice and Procedure 10. VA's longstanding practice is that the 
attorney representing VA on the appeal before the Court of Appeals for 
Veterans Claims will disclose the record directly to the claimant's 
attorney pursuant to the claimant's authorization and work with the 
claimant's attorney regarding any dispute that may arise as to the 
preparation of that record pursuant to rules of that court. As such, 
attorneys representing before the Court of Appeals for Veterans Claims 
do not need access to VBA IT systems. Granting such access would 
unnecessarily expand VA's IT security risk because VA cannot readily 
limit the access within the IT systems to only those claims records 
relevant to the appeal. An unaccredited attorney representing solely 
before a Federal court lies outside of the processes through which VA 
accredits individuals and associates them with their respective 
claimants. In rare instances that unaccredited attorneys might dispute 
the record before the court and ask to review the complete claims 
folder, VA's Office of General Counsel would coordinate within VA to 
ensure compliance with any court order.
    VA also proposes to amend paragraph (b) by striking references to 
``hardware, modem, and software,'' and replacing these terms with a 
more general advance VA approval requirement that is less subject to 
technical obsolescence.
    Finally, VA proposes to amend paragraph (c) by requiring an 
attorney, agent, or representative of a VA-recognized service 
organization with access privileges to VBA IT systems to acknowledge, 
among other things prescribed in the current paragraph, VA's Rules of 
Behavior and the consequences of breach of the requirements. As noted 
above, VA also proposes to replace the term ``disqualification'' in 
paragraph (c) with ``revocation,'' to better reflect the text of Sec.  
1.603 regarding revocation of access.

Section 1.602 Utilization of Access

    Current Sec.  1.602 prescribes the rules applicable to attorneys, 
agents, or representatives of a VA-recognized service organization who 
are authorized by VA to access VA systems for purposes of claims 
assistance, to

[[Page 9438]]

include specific usage, training, and inspection requirements. VA 
proposes to generally maintain these rules with updates to reflect 
current systems and practice. Proposed amendments include clarifying 
that access to the ``automated claims records'' referenced in current 
Sec.  1.602 is more accurately described as ``read-only electronic 
access to the VA records.'' VA also proposes to replace ``password'' 
with ``account'' or ``logon credentials'' throughout the regulation.
    In paragraph (b), VA proposes to clarify that VA must approve the 
annual training required to gain access to, or continue to access, 
VBA's IT systems. Also, consistent with the limitation on access to 
only the attorney or agent of record, or to the representatives of the 
service organization of record, VA proposes to clarify that references 
in current regulations to ``individual or organization'' mean those 
individuals who are accredited by VA to provide claims assistance as an 
attorney, agent, or representative of a VA-recognized service 
organization.

Section 1.603 Revocation and Reconsideration

    Current Sec.  1.603 prescribes the circumstances under which VA may 
``revoke'' access to VBA IT systems for an attorney, agent, or 
representative of a VA-recognized service organization and specifically 
delegates this authority to a VA Regional Office Director. Current 
provisions recognize that claimants who cancel or supplant the 
delegation of a service organization, service organization 
representative, attorney, or agent remove the entitlement of access to 
their records as a matter of law under the Privacy Act, 5 U.S.C. 552a, 
and 38 U.S.C. 5701 and 7332. However, VA must notify the attorney, 
agent, or representative of a VA-recognized service organization, as 
well as the representative's service organization if VA revokes access, 
unless VA must first temporarily suspend such access prior to a final 
determination because VA believes it necessary to protect its systems 
or the data therein. The current regulation also requires VA personnel 
to report a revocation to a state licensing authority, such as an 
attorney's state bar or other licensing authority, if warranted by the 
conduct of the attorney, agent, or representative of a VA-recognized 
service organization. VA proposes to amend Sec.  1.603 to generally 
update the regulation consistent with current practice and systems and 
clarify the circumstances under which VA may deny or revoke privileges 
of an attorney, agent, or representative of a VA-recognized service 
organization to access VBA's IT systems or deny or revoke access to a 
specific claimant's claims records.
    As noted above, VA proposes to revise the section's title, 
currently ``Disqualification,'' to read ``Revocation and 
reconsideration,'' which more closely reflects its topic and text in 
proposed Sec.  1.603. Given the national oversight of access to VA 
systems and the national practice of many attorneys, agents, or 
representatives of a VA-recognized service organization, VA also 
proposes to modify references in Sec.  1.603 to ``Regional Office'' and 
``Regional Office Director,'' and instead prescribe the actions that 
may be taken by VA in circumstances that warrant potential revocation 
in a manner that acknowledge others within the agency may be required 
to respond. VA would also remove paragraph (b)(3) because, as proposed, 
Sec.  1.600 through 1.603 would no longer name the types of records or 
data that an attorney, agent, or representative of a VA-recognized 
service organization may access. VA proposes to revise paragraph (b)(4) 
to clarify that records might belong to claimants who seek to receive 
benefits, and not, as currently stated, beneficiaries who, by 
definition, are already receiving VA benefits.
    VA proposes to amend paragraph (c) to cover both denials and 
revocations. Specifically, VA proposes to add subparagraphs (1) through 
(5), which discuss the framework for requesting reconsideration of 
denials or revocations of access. Electronic access to claimant records 
is not a right and any request for such access is not a benefit claim 
that is subject to appeal. Proposed Sec.  1.600(d)(3) would generally 
restate and continue current Sec.  1.600(d)(2), which provides, 
``Sections 1.600 through 1.603 are not intended to, and do not . . . 
[c]reate, and may not be relied upon to create, any right or benefit, 
substantive or procedural, enforceable at law against the United States 
or the Department of Veterans Affairs.'' However, VA will reconsider 
initial denials or revocations of electronic access upon written 
requests by affected attorneys, agents, or representatives of VA-
recognized service organizations. Such individuals would have 30 days 
from VA's notice of denial or revocation to submit such requests with 
any information they believe relevant to VA's decision to deny or 
revoke access. The Director of the VA regional office or center with 
jurisdiction would review the denial or revocation, any new information 
submitted by the individual seeking access, describe the relevant 
facts, make a new decision, and provide written notification to the 
affected individual, as well as the Office of General Counsel.
    In addition, we are proposing a technical correction to Sec. Sec.  
1.600 through 1.603. Consistent with direction from the Office of 
Federal Register, VA has proposed to place the statutory authorities 
for Sec. Sec.  1.600 through 1.603 in the introductory portion of 38 
CFR part 1 as opposed to a parenthetical immediately following each 
individual section. Finally, regarding the reporting requirements in 
current paragraph (d), VA proposes to amend these provisions to require 
reporting to VA's Office of General Counsel when the facts and 
circumstances regarding a denial or revocation of access indicate 
potential misconduct of the attorney, agent, or representative of a VA-
recognized service organization that may call into question his or her 
competence or qualifications for VA accreditation.

PART 14--Legal Services, General Counsel, and Miscellaneous Claims

Section 14.629 Requirements for Accreditation of Service Organization 
Representatives; Agents; and Attorneys

    Current Sec.  14.629 implements VA's authority under 38 U.S.C. 5902 
and 5904 to accredit attorneys, agents, or representatives of VA-
recognized service organizations for the purpose of assisting claimants 
in the preparation, presentation, and prosecution of veterans benefits 
claims. VA does not propose any substantive changes to the 
accreditation provisions in this section. However, current Sec.  
14.629(c) addresses who is permitted, and under what circumstances, to 
assist an attorney of record in providing representation on a claim. 
Subparagraph (c)(3) specifically indicates that legal interns, law 
students, and paralegals may assist the attorney of record in the 
representation of a claimant before VA pursuant to the claimant's 
consent. The attorney of record may also disclose information obtained 
from VA for the purpose of representation to the legal interns, law 
students, and paralegals pursuant to the claimant's consent, see 38 CFR 
14.632(c)(10), but a note that follows current Sec.  14.629 goes 
further than that and states that legal interns, law students, and 
paralegals, as well as veterans service organization support staff, may 
``qualify for read-only access to pertinent Veterans Benefits 
Administration automated claims records'' under Sec.  1.600 through 
1.603 of this chapter. VA added this note in a 2003 final rule stating 
only that it was intended to ``promote consistency with regulations and 
practice'' at the time, specifically with respect to individuals

[[Page 9439]]

working under the supervision of the claimant's designated 
representative.'' 68 FR 8541, 8543. It is notable that VA IT systems 
did not include electronic copies of evidence at the time of the 2003 
Federal Register notice.
    This note has never meant that VA would always provide support 
staff at a service organization or legal interns, law students, or 
paralegals with access to VBA IT systems. Nevertheless, the note may 
have caused confusion and contributed to inconsistent application of 
current Sec.  1.600 through 1.603 as VA has transitioned to primarily 
keeping claimant records in electronic form rather than paper. 
Accordingly, VA proposes to remove this note, consistent with the 
clarification of its policy under this proposed rule. Indeed, VA's 
proposed regulations and current practice of limiting systems access to 
claimants' accredited attorneys, agents, or representatives of a VA-
recognized service organization, would be inconsistent with allowing 
support staff at service organizations or legal interns, law students, 
or paralegals to electronically access VA records. Under this proposed 
rule, VA would ensure that only accredited attorneys, agents, or 
representatives of a VA-recognized service organization have privileges 
to access VBA's IT systems. Furthermore, a VA-accredited attorney or 
agent would have access to records only if the claimant appointed that 
individual as the attorney of record or agent of record for his or her 
claim. In the case of a service organization, VA would provide access 
only to the representatives of that service organization. VA would only 
grant access to the attorney of record, the agent of record, or the 
representatives of the service organization of record regardless of 
whether any other individuals are assisting the attorney of record in 
the representation of the claimant's case, or are serving on the 
support staff of the attorney, agent, or veterans service organization.
    Although general access to inspect or receive a copy of a 
claimant's record is governed by privacy laws and regulations 
applicable to VA and to the Federal government more generally, there is 
no statute or regulation creating a right to electronically access VA's 
internal IT systems or mandating that individuals who may view a record 
must be allowed to do so via any particular IT system. This is 
consistent with current Sec.  1.600(d), which VA proposes to modify in 
this rulemaking. VA's policy of limiting access to VA's IT systems to 
VA-accredited attorneys, agents, or representatives of a VA-recognized 
service organization, and limiting access within those systems only to 
the claims files in which the attorney or agent has been designated to 
provide representation under 38 CFR 14.631, or to the representative of 
a service organization that has been designated to provide 
representation pursuant to the claimant's power of attorney under 38 
CFR 14.631, is reasonable given VA's overarching responsibility to 
protect Veterans' privacy, maintain IT security according to Federal 
requirements, and control administrative burden and costs.

Executive Orders 12866, 13563, and 13771

    Executive Orders 12866 and 13563 direct agencies to assess the 
costs and benefits of available regulatory alternatives and, when 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, and other advantages; distributive impacts; 
and equity). Executive Order 13563 (Improving Regulation and Regulatory 
Review) emphasizes the importance of quantifying both costs and 
benefits, reducing costs, harmonizing rules, and promoting flexibility. 
The Office of Information and Regulatory Affairs has determined that 
this rule is not a significant regulatory action under Executive Order 
12866. VA's impact analysis can be found as a supporting document at 
http://www.regulations.gov, usually within 48 hours after the 
rulemaking document is published. Additionally, a copy of the 
rulemaking and its impact analysis are available on VA's website at 
http://www.va.gov/orpm/, by following the link for ``VA Regulations 
Published From FY 2004 Through Fiscal Year to Date.'' This rule is not 
an Executive Order 13771 regulatory action because this rule is not 
significant under Executive Order 12866.

Regulatory Flexibility Act

    The Secretary hereby certifies that the adoption of this rule would 
not have a significant economic impact on a substantial number of small 
entities as they are defined in the Regulatory Flexibility Act, 5 
U.S.C. 601-612. This rule might have an insignificant economic impact 
on an insubstantial number of small entities, generally law firms that 
have individual attorneys who are accredited by VA for purposes of 
representing VA benefit claimants. VA believes the impact to be minimal 
because, as stated in the preamble, its overarching policy and practice 
has been to grant access to designated representatives, as opposed to 
supporting staff, and access to VA systems is optional and not a 
prerequisite to representing any claimant before the Department. VA's 
proposed rule simply clarifies this longstanding practice. Therefore, 
pursuant to 5 U.S.C. 605(b), this rulemaking would be exempt from the 
initial and final regulatory flexibility analysis requirements of 5 
U.S.C. 603 and 604.

Unfunded Mandates

    The Unfunded Mandates Reform Act of 1995 requires, at 2 U.S.C. 
1532, that agencies prepare an assessment of anticipated costs and 
benefits before issuing any rule that may result in the expenditure by 
State, local, and tribal governments, in the aggregate, or by the 
private sector, of $100 million or more (adjusted annually for 
inflation) in any 1 year. This rule would have no such effect on State, 
local, and tribal governments, or on the private sector.

Paperwork Reduction Act

    This proposed rule contains no provisions constituting a collection 
of information under the Paperwork Reduction Act of 1995 (44 U.S.C. 
3501-3521).

List of Subjects

38 CFR Part 1

    Administrative practice and procedure, Archives and records, 
Cemeteries, Claims, Courts, Crime, Flags, Freedom of information, 
Government contracts, Government employees, Government property, 
Infants and children, Inventions and patents, Parking, Penalties, 
Postal Service, Privacy, Reporting and recordkeeping requirements, 
Seals and insignia, Security measures, Wages.

38 CFR Part 14

    Administrative practice and procedure, Claims, Courts, Foreign 
relations, Government employees, Lawyers, Legal services, Organization 
and functions (Government agencies), Reporting and recordkeeping 
requirements, Surety bonds, Trusts and trustees, Veterans.

Signing Authority

    The Secretary of Veterans Affairs approved this document and 
authorized the undersigned to sign and submit the document to the 
Office of the Federal Register for publication electronically as an 
official document of the Department of Veterans Affairs. Pamela Powers, 
Chief of Staff, Department of Veterans

[[Page 9440]]

Affairs, approved this document on November 5, 2019, for publication.

Jeffrey M. Martin,
Assistant Director, Office of Regulation Policy & Management, Office of 
the Secretary, Department of Veterans Affairs.

    For the reasons set forth in the preamble, VA proposes to amend 38 
CFR parts 1 and 14 as follows:

PART 1--GENERAL PROVISIONS

0
1. The authority citation for part 1, is amended to read as follows:

    Authority: 38 U.S.C. 501, and as noted in specific sections. 
Sections 1.600-1.603 Also issued under 38 U.S.C. 5721-5728.

0
2. Amend the undesignated center heading preceding Sec.  1.600 by 
removing the word ``Remote''.
0
3. Amend Sec.  1.600 by:
0
a. Revising paragraph (a)(1).
0
b. Amending paragraph (a)(2) by removing ``claimants''' and adding in 
its place ``service organization,'' and adding after 
``representatives'' the words, ``attorneys and agents.''
0
c. Revising paragraph (a)(3).
0
d. Revising paragraphs (b), (c),(d)(1) and (2).
0
e. Adding paragraph (d)(3).
    The revisions and addition read as follows:


Sec.  1.600  Purpose.

    (a) * * *
    (1) When, and under what circumstances, VA will grant attorneys, 
agents, and representatives of a VA-recognized service organization the 
ability to access records through Veterans Benefits Administration's 
(VBA) electronic information technology (IT) systems that contain 
information regarding the claimants whom they represent before VA;
    (2) * * *
    (3) The bases and procedures for denial or revocation of access 
privileges to VBA IT systems of an attorney, agent, or representative 
of a VA-recognized service organization for violating any of the 
requirements for access.
    (b) VBA will provide access to VBA IT systems under the following 
conditions. VBA will provide access:
    (1) Only to an attorney, agent, or representative of a VA-
recognized service organization who is accredited pursuant to part 14 
of this chapter and who is approved to access VBA IT systems under 
Sec. Sec.  1.600 through 1.603;
    (2)(i) For a representative of a VA-recognized service 
organization, only to the records of VA claimants who appointed the 
service organization as the organization of record to provide 
representation on their claims, or
    (ii) For an attorney or agent, only to the records of VA claimants 
who appointed the attorney or agent as the attorney or agent of record 
on their claims;
    (3) Solely for the purpose of representing the individual claimant 
whose records are accessed in a claim for benefits administered by VA; 
and
    (4) On a read-only basis, an attorney, agent, or representative of 
a VA-recognized service organization authorized to access VBA IT 
systems under Sec. Sec.  1.600 through 1.603 will not be permitted to 
modify the data, to include modifying any existing record. However, 
such an attorney, agent, or representative of a VA-recognized service 
organization may upload documents as permitted by VA IT policy 
regarding submittal of new documents.
    (c) Privileges to access VBA IT systems may be granted by VBA only 
for the purpose of accessing a represented claimant's electronically 
stored claims files pursuant to applicable privacy laws and 
regulations, and as authorized by a claimant's power of attorney under 
38 CFR 14.631.
    (d) * * *
    (1) Waive the sovereign immunity of the United States;
    (2) Create, and may not be relied upon to create, any right or 
benefit, substantive or procedural, enforceable at law against the 
United States or the Department of Veterans Affairs; or
    (3) Create or establish a right to electronic access.
0
4. Revise Sec.  1.601 to read as follows:


Sec.  1.601  Qualifications for access.

    (a)(1) An applicant for access to VBA IT systems for the purpose of 
providing representation must be:
    (i) A representative of a VA-recognized service organization who is 
accredited by VA under Sec.  14.629(a) of this chapter through a 
service organization and whose service organization holds power of 
attorney for one or more claimants under Sec.  14.631 of this chapter; 
or
    (ii) An attorney or agent who is accredited by VA under Sec.  
14.629(b) of this chapter and who holds power of attorney for one or 
more claimants under Sec.  14.631 of this chapter.
    (2) To qualify for access to VBA IT systems, the applicant must 
comply with all security requirements deemed necessary by VA to ensure 
the integrity and confidentiality of the data and VBA IT systems, which 
may include passing a background suitability investigation for issuance 
of a personal identity verification badge.
    (3) VA may deny access to VBA IT systems if the requirements of 
paragraphs (a)(1) or (2) of this section are not met.
    (b) The method of access, including security software and work-site 
location of the attorney, agent, or representative of a VA-recognized 
service organization, must be approved in advance by VA.
    (c) Each attorney, agent, or representative of a VA-recognized 
service organization approved for access must complete, sign, and 
return a notice provided by VA. The notice will specify any applicable 
operational and security requirements for access, in addition to the 
applicable VA Rules of Behavior, and an acknowledgment that the breach 
of any of these requirements is grounds for revocation of access.
0
5. Revise Sec.  1.602 to read as follows:


Sec.  1.602  Utilization of access.

    (a) Once VA issues to an attorney, agent, or representative of a 
VA-recognized service organization the necessary logon credentials to 
obtain read-only access to the VA records regarding the claimants 
represented, access will be exercised in accordance with the following 
requirements. The attorney, agent, or representative of a VA-recognized 
service organization:
    (1) Will electronically access VA records through VBA IT systems 
only by the method of access approved in advance by VA;
    (2) Will use only his or her assigned logon credentials to obtain 
access;
    (3) Will not reveal his or her logon credentials to anyone else, or 
allow anyone else to use his or her logon credentials;
    (4) Will access via VBA IT systems only the records of claimants 
who he or she represents;
    (5) Will access via VBA IT systems a claimant's record solely for 
the purpose of representing that claimant in a claim for benefits 
administered by VA;
    (6) Is responsible for the security of the logon credentials and, 
upon receipt of the logon credentials, will destroy the hard copy so 
that no written or printed record is retained;
    (7) Will comply with all security requirements VA deems necessary 
to ensure the integrity and confidentiality of the data and VBA IT 
systems; and
    (8) Will comply with each of the standards of conduct for 
accredited individuals prescribed in Sec.  14.632 of this chapter.
    (b)(1) A service organization shall ensure that all its 
representatives provided access in accordance with these regulations 
receive annual training approved by VA on proper security or annually 
complete VA's Privacy and Security Training.
    (2) An attorney or agent who is granted access will annually

[[Page 9441]]

acknowledge review of the security requirements for the system as set 
forth in these regulations, VA's Rules of Behavior, and any additional 
materials provided by VA.
    (c) VBA may, at any time without notice:
    (1) Inspect the computer hardware and software utilized to obtain 
access and their location;
    (2) Review the security practices and training of any attorney, 
agent, or representative of a VA-recognized service organization 
granted access under these regulations; and
    (3) Monitor the access activities of an attorney, agent, or 
representative of a VA-recognized service organization. By applying 
for, and exercising, the access privileges under Sec.  1.600 through 
1.603, the attorney, agent, or representative of a VA-recognized 
service organization expressly consents to VBA monitoring access 
activities at any time for the purpose of auditing system security.
0
6. Amend Sec.  1.603 by:
0
a. Revising the section heading
0
b. Revising paragraph (a).
0
c. Revising paragraphs (b) introductory text and (b)(2).
0
d. Removing paragraph (b)(3).
0
e. Redesignating paragraph (b)(4) as (b)(3) and revising the newly 
redesignated (b)(3).
0
f. Redesignating paragraph (b)(5) as (b)(4).
0
g. Redesignating paragraph (b)(6) as (b)(5) and revising the newly 
redesignated (b)(5).
0
h. Amend paragraph (c) and by adding paragraphs (c)(1) through (5).
0
i. Revising paragraph (d).
0
j. Removing paragraph (e).
    The revisions read as follows:


Sec.  1.603   Revocation and reconsideration.

    (a) VA may revoke access of an attorney, agent, or representative 
of a VA-recognized service organization to a particular claimant's 
records because the individual or organization no longer represents the 
claimant, and, therefore, the claimant's consent is no longer in 
effect.
    (b) VA may revoke the access privileges of an attorney, agent, or 
representative of a VA-recognized service organization either to an 
individual claimant's records or to all claimants' records via the VBA 
IT systems, if the individual:
    (1) * * *
    (2) Accesses or attempts to access data for a purpose other than 
representation of an individual claimant;
    (3) Accesses or attempts to access data on a claimant who he, she, 
or the service organization does not represent;
    (4) Accesses or attempts to access a VBA IT system by a method that 
has not been approved by VA; or
    (5) Modifies or attempts to modify data in the VBA IT systems 
without authorization.
    (c) VA will notify the attorney, agent, or representative of a VA-
recognized service organization of the denial of access under Sec.  
1.601(a)(3) or revocation of access under paragraph (b) of this 
section. If VA denies or revokes access privileges for a service 
organization representative, VA will notify the service organization(s) 
through which the representative is accredited of the denial or 
revocation of access.
    (1) The denial or revocation of access by a VBA regional office or 
center of jurisdiction is a final decision. The attorney, agent, or 
representative of a VA-recognized service organization may request 
reconsideration of a denial or revocation of access by submitting a 
written request to VBA. VBA will consider the request if it is received 
by VBA not later than 30 days after the date that VA notified the 
attorney, agent, or representative of a VA-recognized service 
organization of its decision.
    (2) The attorney, agent, or representative of a VA-recognized 
service organization may submit additional information not previously 
considered by VA, provided that the additional information is submitted 
with the written request and it is pertinent to the prohibition of 
access.
    (3) VA will close the record regarding reconsideration at the end 
of the 30-day period described in paragraph (c)(1) of this section and 
furnish the request, including any new information, submitted by the 
attorney, agent, or representative to the Director of the VA regional 
office or center with jurisdiction over the final decision.
    (4) VA will reconsider access based upon a review of the 
information of record as of the date of its prior denial or revocation, 
with any new information submitted with the request. The decision will:
    (i) Identify the attorney, agent, or representative of a VA-
recognized service organization,
    (ii) Identify the date of VA's prior decision,
    (iii) Describe in detail the facts found as a result of VA's review 
of its decision with any new information submitted with the 
reconsideration request, and
    (iv) State the reasons for VA's final decision, which may affirm, 
modify, or overturn its prior decision.
    (5) VA will provide written notice of its final decision on access 
to:
    (i) The attorney, agent, or representative of a VA-recognized 
service organization requesting reconsideration, and
    (ii) if the conduct that resulted in denial or revocation of the 
authority of an attorney, agent, or representative of a VA-recognized 
service organization to access VBA electronic IT systems merits 
potential inquiry into the individual's conduct or competence pursuant 
to Sec.  14.633 of this chapter, the VBA regional office or center of 
jurisdiction will immediately inform VA's Office of General Counsel in 
writing of the fact that it has revoked the individual's access 
privileges and provide the reasons why.
    (d) VA may immediately suspend access privileges prior to any 
determination on the merits of a revocation where VA determines that 
such immediate suspension is necessary to protect, from a reasonably 
foreseeable compromise, the integrity of the system or confidentiality 
of the data in VBA IT systems.

PART 14--LEGAL SERVICES, GENERAL COUNSEL, AND MISCELLANEOUS CLAIMS

0
7. The authority citation for part 14 continues to read as follows:

    Authority: 5 U.S.C. 301; 28 U.S.C. 2671-2680; 38 U.S.C. 501(a), 
512, 515, 5502, 5901-5905; 28 CFR part 14, appendix to part 14, 
unless otherwise noted.


Sec.  14.629  [Amended]

0
8. Amend Sec.  14.629 by removing the Note.

[FR Doc. 2020-03196 Filed 2-18-20; 8:45 am]
 BILLING CODE 8320-01-P