2020-03196. Individuals Accredited by the Department of Veterans Affairs Using Veterans Benefits Administration Information Technology Systems To Access VBA Records Relevant to a Claim While Representing a Claimant Before the Agency  

  • Start Preamble

    AGENCY:

    Department of Veterans Affairs.

    ACTION:

    Proposed rule.

    SUMMARY:

    The Department of Veterans Affairs (VA) proposes to amend its regulations addressing when VA will allow individuals and organizations who are assisting claimants in the preparation, presentation, and prosecution of their claims before VA to use Veterans Benefits Administration's (VBA) information technology (IT) systems to access VA records relevant to a claim. This rulemaking addresses who is permitted, and under what circumstances, to directly access VA's claim records through those IT systems during representation of a VA claimant in a claim for VA benefits, but is not intended to address the larger issues involving who may access VA records more generally.

    Further, the proposed amendments would outline appropriate behavior while using VBA's IT systems to access VA records and the consequences of mishandling such access for attorneys, agents, or representatives of a VA-recognized service organization.

    DATES:

    VA must receive comments on or before April 20, 2020.

    ADDRESSES:

    Written comments may be submitted through http://www.Regulations.gov; by mail or hand-delivery to: Director, Office of Regulation Policy and Management (00REG), Department of Veterans Affairs, 810 Vermont Ave. NW, Room 1064, Washington, DC 20420; or by fax to (202) 273-9026. (This is not a toll-free telephone number.) Comments should indicate that they are submitted in response to “RIN 2900-AQ81—Individuals Accredited by the Department of Veterans Affairs Using Veterans Benefits Administration Information Technology Systems to Access VBA Records Relevant to a Claim While Representing a Claimant Before the Agency.”

    All comments received will be available for public inspection in the Office of Regulation Policy and Management, Room 1064, between the hours of 8:00 a.m. and 4:30 p.m., Monday through Friday (except holidays). Please call (202) 461-4902 for an appointment. (This is not a toll-free telephone number.) In addition, comments may be viewed online through the Federal Docket Management System (FDMS) at http://www.Regulations.gov.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Glen Wallick, Senior Management and Program Analyst, Appeals Management Office, Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420, 202-530-9408 (this is not a toll-free number).

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    This proposed rule would amend 38 CFR parts 1 and 14 to clarify one of the methods that an individual providing representation on a claim may use to access a claimant's records now that VA has transitioned to primarily using electronic records relevant to a claim for VA benefits. Specifically, this proposed rule clarifies how attorneys, agents, or representatives of a VA-recognized service organization who are accredited pursuant to 38 CFR 14.629, as well as designated to provide representation in a claim pursuant to 38 CFR 14.631, may access records relevant to their client's claim through VBA's IT systems. The purpose of this rulemaking is to ensure that claimants for VA benefits receive responsible, qualified services from VA-accredited attorneys, agents, or representatives of a VA-recognized service organization when seeking VA benefits, including ensuring that those individuals providing representation have appropriate access to VA records relating to their client's claim; that VA claimants understand who may access their claim records when they designate an attorney, agent or service organization to provide representation; that attorneys, agents, or representatives of a VA-recognized service organization before VA take care to adequately protect their client's privacy; and that VA meets its IT security obligations while providing access to its information systems to individuals who are not VA employees or contractors (non-VA users). The statutory authority for proposed §§ 1.600 through 1.603 is 38 U.S.C. 5721 through 5728. Because the “security of Department information and information systems is vital to the success of the mission of the Department,” it is statutorily mandated that VA “establish and maintain a comprehensive Department-wide information security program to provide for the development and maintenance of cost-effective security controls needed to protect Department information, in any media or format, and Department information systems.” 38 U.S.C. 5722(a). In establishing its Department-wide information security program, Congress has entrusted to the VA information owners that oversee the system or systems to “determin[e] who has access to the system or systems containing sensitive personal information, including types of privileges and access rights.” 38 U.S.C. 5723(d)(2).

    Veteran and claimant information may be closely associated, such as when the Veteran is also the claimant, but not all claimants before VA are Veterans, such as a Veteran's surviving spouse or child who may be entitled to VA benefits in some circumstances. These non-Veteran dependent claimants may file benefit claims under the claim number VA assigned to the Veteran whose military service renders them potentially eligible for benefits. Accordingly, this proposed rule addresses the requirements for IT systems access regardless of whether the representation is in a claim for VA benefits submitted by a Veteran, survivor, or family member, provided that the claim record is maintained electronically in a system that is configured for external access.

    Under 38 U.S.C. 5701(a) and (b), “files, records, reports, and other papers and documents pertaining to any claim” before VA are generally “confidential and privileged,” but VA “shall make Start Printed Page 9436disclosure” of the same “[t]o a claimant or duly authorized agent or representative of a claimant” in most circumstances. See also 5 U.S.C. 552a (Privacy Act). Under 38 U.S.C. 501(a), VA has authority “to prescribe all rules and regulations that are necessary or appropriate to carry out the laws” it administers.

    The information security requirements to which VA must adhere are complex and rigorous, and drawn from such sources as 38 U.S.C. Chapter 57, Subchapter III, Information Security; the Federal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C. Chapter 35, Subchapters II and III; the E-Government Act of 2002, 44 U.S.C. Chapters 1 and 36; VA Handbook 6500, Risk Management Framework for VA Information Systems—Tier 3: VA Information Security Program; VA Directive 6500, VA Cybersecurity Program; OMB Circular A-130, Managing Information as a Strategic Resource; and the National Institute of Standards and Technology, Special Publication 800-53.

    VA's effort to modernize the claims processing system has required a change to storing records relevant to benefit claims before the agency and processing such claims in electronic form, currently utilizing the Veterans Benefits Management System (VBMS) information system, from storing claimant's records in paper files. Other systems, such as Caseflow, are not document repositories, but may provide information regarding the current status of the claim or appeal, such as whether it is pending the development of evidence, pending a decision, etc. In an effort to provide increased access to claimant's records, VA must change its policies and procedures to ensure compliance with Federal IT system security and privacy safeguards applicable to VA. This rule-making addresses non-VA users, and how and when attorneys, agents, or representatives of a VA-recognized service organization may directly access VBA information systems rather than an offline copy of those records on behalf of their clients, as provided under 38 CFR part 1 implementation of 38 U.S.C. 5701, 38 U.S.C. 7332, and 5 U.S.C. 552 and 552a. The experiences of VA claimants, the individuals providing representation before VA, and the agency during the years since the transition to VBMS warrants a reexamination and clarification of the terms and processes related to how attorneys, agents, or representatives of a VA-recognized service organization may have direct system access to VBA's claim records. Indeed, a VA-accredited attorney petitioned VA to initiate a rulemaking for purposes of clarifying whether attorney support staff could gain access to VBMS in the same manner as the attorney of record in the claim. Noting an inconsistency between current 38 CFR 1.600 through 1.603, which prescribe VA's longstanding policy on access to certain IT systems for purposes of representing a claimant before the VBA, and a note to current 38 CFR 14.629 stating that certain support staff may qualify for access, VA agreed to initiate this rulemaking.

    VA has a duty to protect the privacy of VA claimants, ensure the security, confidentiality, integrity, and availability of its information systems and ensure that VA claimants receive competent and qualified representation on their benefits claims. It additionally endeavors to provide attorneys, agents, or representatives of a VA-recognized service organization more convenient access to the records they need to adequately represent claimants. Therefore, VA proposes to amend certain regulations in 38 CFR parts 1 and 14 to strike an appropriate balance between these duties and goals and seeks public comment on those amendments.

    Part 1—General Provisions

    Section 1.600 Purpose

    The proposed amendments to 38 CFR 1.600, 1.601, 1.602, and 1.603 would clarify how an individual who has been accredited by VA as an attorney, agent, or representative of a VA-recognized service organization may directly use VBA IT systems to access the VA records for claimants who have designated that service organization, attorney, or agent to provide representation on their claim. These proposed changes are important because, as VA has enhanced its IT capabilities, claims folders are becoming increasingly digital rather than paper based. VA currently allows attorneys, agents, and representatives of a VA-recognized service organization to use internal VBA IT systems to access VA records relevant to their client's claims in some cases. In an effort to ensure that non-public Veteran information is protected in new electronic media, VA proposes to update its regulations governing direct use of VBA's IT systems that contain claimants' records. Accordingly, the proposed amendments outline the limitations on and qualifications for direct access to VBA's IT systems, proper use of such access, and revocation of direct access if an individual misuses it.

    Current 38 CFR 1.600 prescribes the purpose of §§ 1.601 to 1.603, which is to provide when and under what circumstances VA will allow accredited attorneys, agents, or representatives of a VA-recognized service organization access to certain VBA IT claim systems. VA proposes to clarify existing regulatory text and to update these regulations to ensure that they reflect current VA policy and are correctly phrased to govern access to VBA's current and future IT systems via which VA may provide records access to attorneys, agents, or representatives of a VA-recognized service organization. Further, VA proposes to confirm the general policy in current § 1.600 through 1.603, which limits external access to VBA's IT systems to the attorneys, agents, or representatives of a VA-recognized service organization designated to provide representation on the claim. This limitation continues to be necessary because the individuals are provided direct access to VBA IT systems in at least some circumstances, and via those systems to the claimant's electronically stored records. While VA has concluded that this level of access is appropriate for those who assist claimants in their complex VA benefit claims, it also must comply with legal obligations to protect claimant privacy and maintain secure and reliable information systems. As such, VA proposes to continue limiting read-only electronic access to claim records to the attorney or agent that is designated by the claimant as the attorney or agent of record, or, if a claimant designates a service organization to provide representation on the claim, to the representatives of that service organization. VA proposes to not grant access to any individual who is not accredited by VA and is not designated to provide representation pursuant to 38 CFR 14.631. While it is undeniable that continuing a policy of allowing direct electronic access to VA systems for any individual poses privacy and security risk, which VA must carefully manage, VA views limiting access to only those individuals who are accredited by VA and designated to provide representation pursuant to § 14.631 as striking an appropriate balance between ensuring that claimants have the claims assistance they need and maintaining private information in secure, reliable information systems.

    VA holds accredited representatives, attorneys and agents to a high standard of conduct when they hold power of attorney for a claimant. When a claimant designates an accredited individual they give VA permission to Start Printed Page 9437disclose private information to that person or organization. Under § 14.632 VA requires that accredited attorneys, agents and representatives maintain a claimants privacy by not disclosing, without the claimant's authorization, any information provided by VA for purposes of representation. This, in addition to the requirements for continuing education and/or training on a regular basis, character and fitness assessments, and other certifications found in § 14.629, gives VA the assurance that these individuals will maintain the claimants' privacy while also minimizing the risk to the security of VA's IT systems.

    Limiting access to this group of individuals also gives VA a means to remediate any mishandling of claimant information or misuse of the systems access through termination of accreditation, which may include notifying all agencies, courts, and bars to which an agent or attorney is admitted to practice pursuant to § 14.633.

    VA also proposes to update § 1.600 through 1.603 by deleting the unnecessary reference to “remote” access to records in electronic systems in the undesignated center heading preceding these regulatory sections in the Code of Federal Regulations, as such external access is by nature remote. The requirements of § 1.600 et seq. will apply to any direct online system access to VBA information systems by an attorney, agent, or representative of a VA-recognized service organization, whether via the internet or while utilizing a point of access located in a VA facility. VA also proposes to replace the reference to “disqualification” in § 1.600(a)(3) with “denial” and “revocation,” which more closely reflects the rules proposed in § 1.603. Denial would refer to VA's decision to not grant an applicant privileges to directly access VBA IT systems or not to permit access to a specific claimant's claims file. Revocation would refer to the removal of access privileges to VBA's IT systems or the removal of the ability to access a specific claimant's claims file.

    Paragraph (b)(4) would be revised to clarify that an attorney, agent, or representative of a VA-recognized service organization may be able to upload information and evidence regarding a claimant to VA's electronic records system for that claimant, with proper authorization to do so. However, the IT systems into which an attorney, agent, or representative of a VA-recognized service organization may upload records do not allow a record to be modified once submitted and, even if that ability were mistakenly provided, attorneys, agents, or representatives of a VA-recognized service organization are not allowed to modify existing records pursuant to the proposed rule. Hence, VA may continue to correctly speak of “read only” access to the VA claims.

    The proposed rule would also revise most of § 1.600(c) to remove references to antiquated IT systems and commands. To ensure VA's regulations stay current regardless of future IT developments, and to allow VA flexibility to provide access to only those IT systems which are necessary to providing representation while minimizing risk to IT system integrity and privacy should VA develop new systems in the future, VA proposes to describe affected IT systems more generally in paragraph (c).

    Section 1.601 Qualifications for Access

    As noted above, VA proposes to continue the policy prescribed in current § 1.601, which limits electronic access to VA's claims records directly through VBA's IT systems to individuals who are both accredited and designated to provide representation on the claim. In this regard, VA proposes no change to the general qualifications for VBA IT systems access in current § 1.601 except adding that the applicant must comply with all security requirements deemed necessary by VA to ensure the integrity and confidentiality of the data and VBA's information technology systems, which may include personal identity verification and passing a background suitability investigation. When an individual directly accesses a VBA IT system to access VA information as provided under these regulations, they are a user of VA information and information systems. Title 38 U.S.C. 5723(f)(1) requires that all users of VA information or information systems comply with all Department information security program policies, procedures, and practices. VA is required to implement NIST Federal Information Processing Standard 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, which establishes the minimum requirements for a Federal personal identity verification system that meets the control and security objectives of Homeland Security Presidential Directive-12 [HSPD-12], including identity proofing, registration, and issuance. NIST Special Publication 800-63-3, Digital Identity Guidelines, applies the requirements of HSPD-12 to all transactions for which digital identity or authentication are required, regardless of the constituency (e.g. citizens, business partners, government entities).

    VA proposes to remove current § 1.601(a)(2) regarding systems access during representation before a Federal appellate court because these court proceedings occur outside of VA's administrative process and the record in an appeal is compiled according to the rules of the court. See, e.g., Court of Appeals for Veterans Claims, Rules of Practice and Procedure 10. VA's longstanding practice is that the attorney representing VA on the appeal before the Court of Appeals for Veterans Claims will disclose the record directly to the claimant's attorney pursuant to the claimant's authorization and work with the claimant's attorney regarding any dispute that may arise as to the preparation of that record pursuant to rules of that court. As such, attorneys representing before the Court of Appeals for Veterans Claims do not need access to VBA IT systems. Granting such access would unnecessarily expand VA's IT security risk because VA cannot readily limit the access within the IT systems to only those claims records relevant to the appeal. An unaccredited attorney representing solely before a Federal court lies outside of the processes through which VA accredits individuals and associates them with their respective claimants. In rare instances that unaccredited attorneys might dispute the record before the court and ask to review the complete claims folder, VA's Office of General Counsel would coordinate within VA to ensure compliance with any court order.

    VA also proposes to amend paragraph (b) by striking references to “hardware, modem, and software,” and replacing these terms with a more general advance VA approval requirement that is less subject to technical obsolescence.

    Finally, VA proposes to amend paragraph (c) by requiring an attorney, agent, or representative of a VA-recognized service organization with access privileges to VBA IT systems to acknowledge, among other things prescribed in the current paragraph, VA's Rules of Behavior and the consequences of breach of the requirements. As noted above, VA also proposes to replace the term “disqualification” in paragraph (c) with “revocation,” to better reflect the text of § 1.603 regarding revocation of access.

    Section 1.602 Utilization of Access

    Current § 1.602 prescribes the rules applicable to attorneys, agents, or representatives of a VA-recognized service organization who are authorized by VA to access VA systems for purposes of claims assistance, to Start Printed Page 9438include specific usage, training, and inspection requirements. VA proposes to generally maintain these rules with updates to reflect current systems and practice. Proposed amendments include clarifying that access to the “automated claims records” referenced in current § 1.602 is more accurately described as “read-only electronic access to the VA records.” VA also proposes to replace “password” with “account” or “logon credentials” throughout the regulation.

    In paragraph (b), VA proposes to clarify that VA must approve the annual training required to gain access to, or continue to access, VBA's IT systems. Also, consistent with the limitation on access to only the attorney or agent of record, or to the representatives of the service organization of record, VA proposes to clarify that references in current regulations to “individual or organization” mean those individuals who are accredited by VA to provide claims assistance as an attorney, agent, or representative of a VA-recognized service organization.

    Section 1.603 Revocation and Reconsideration

    Current § 1.603 prescribes the circumstances under which VA may “revoke” access to VBA IT systems for an attorney, agent, or representative of a VA-recognized service organization and specifically delegates this authority to a VA Regional Office Director. Current provisions recognize that claimants who cancel or supplant the delegation of a service organization, service organization representative, attorney, or agent remove the entitlement of access to their records as a matter of law under the Privacy Act, 5 U.S.C. 552a, and 38 U.S.C. 5701 and 7332. However, VA must notify the attorney, agent, or representative of a VA-recognized service organization, as well as the representative's service organization if VA revokes access, unless VA must first temporarily suspend such access prior to a final determination because VA believes it necessary to protect its systems or the data therein. The current regulation also requires VA personnel to report a revocation to a state licensing authority, such as an attorney's state bar or other licensing authority, if warranted by the conduct of the attorney, agent, or representative of a VA-recognized service organization. VA proposes to amend § 1.603 to generally update the regulation consistent with current practice and systems and clarify the circumstances under which VA may deny or revoke privileges of an attorney, agent, or representative of a VA-recognized service organization to access VBA's IT systems or deny or revoke access to a specific claimant's claims records.

    As noted above, VA proposes to revise the section's title, currently “Disqualification,” to read “Revocation and reconsideration,” which more closely reflects its topic and text in proposed § 1.603. Given the national oversight of access to VA systems and the national practice of many attorneys, agents, or representatives of a VA-recognized service organization, VA also proposes to modify references in § 1.603 to “Regional Office” and “Regional Office Director,” and instead prescribe the actions that may be taken by VA in circumstances that warrant potential revocation in a manner that acknowledge others within the agency may be required to respond. VA would also remove paragraph (b)(3) because, as proposed, § 1.600 through 1.603 would no longer name the types of records or data that an attorney, agent, or representative of a VA-recognized service organization may access. VA proposes to revise paragraph (b)(4) to clarify that records might belong to claimants who seek to receive benefits, and not, as currently stated, beneficiaries who, by definition, are already receiving VA benefits.

    VA proposes to amend paragraph (c) to cover both denials and revocations. Specifically, VA proposes to add subparagraphs (1) through (5), which discuss the framework for requesting reconsideration of denials or revocations of access. Electronic access to claimant records is not a right and any request for such access is not a benefit claim that is subject to appeal. Proposed § 1.600(d)(3) would generally restate and continue current § 1.600(d)(2), which provides, “Sections 1.600 through 1.603 are not intended to, and do not . . . [c]reate, and may not be relied upon to create, any right or benefit, substantive or procedural, enforceable at law against the United States or the Department of Veterans Affairs.” However, VA will reconsider initial denials or revocations of electronic access upon written requests by affected attorneys, agents, or representatives of VA-recognized service organizations. Such individuals would have 30 days from VA's notice of denial or revocation to submit such requests with any information they believe relevant to VA's decision to deny or revoke access. The Director of the VA regional office or center with jurisdiction would review the denial or revocation, any new information submitted by the individual seeking access, describe the relevant facts, make a new decision, and provide written notification to the affected individual, as well as the Office of General Counsel.

    In addition, we are proposing a technical correction to §§ 1.600 through 1.603. Consistent with direction from the Office of Federal Register, VA has proposed to place the statutory authorities for §§ 1.600 through 1.603 in the introductory portion of 38 CFR part 1 as opposed to a parenthetical immediately following each individual section. Finally, regarding the reporting requirements in current paragraph (d), VA proposes to amend these provisions to require reporting to VA's Office of General Counsel when the facts and circumstances regarding a denial or revocation of access indicate potential misconduct of the attorney, agent, or representative of a VA-recognized service organization that may call into question his or her competence or qualifications for VA accreditation.

    PART 14—Legal Services, General Counsel, and Miscellaneous Claims

    Section 14.629 Requirements for Accreditation of Service Organization Representatives; Agents; and Attorneys

    Current § 14.629 implements VA's authority under 38 U.S.C. 5902 and 5904 to accredit attorneys, agents, or representatives of VA-recognized service organizations for the purpose of assisting claimants in the preparation, presentation, and prosecution of veterans benefits claims. VA does not propose any substantive changes to the accreditation provisions in this section. However, current § 14.629(c) addresses who is permitted, and under what circumstances, to assist an attorney of record in providing representation on a claim. Subparagraph (c)(3) specifically indicates that legal interns, law students, and paralegals may assist the attorney of record in the representation of a claimant before VA pursuant to the claimant's consent. The attorney of record may also disclose information obtained from VA for the purpose of representation to the legal interns, law students, and paralegals pursuant to the claimant's consent, see 38 CFR 14.632(c)(10), but a note that follows current § 14.629 goes further than that and states that legal interns, law students, and paralegals, as well as veterans service organization support staff, may “qualify for read-only access to pertinent Veterans Benefits Administration automated claims records” under § 1.600 through 1.603 of this chapter. VA added this note in a 2003 final rule stating only that it was intended to “promote consistency with regulations and practice” at the time, specifically with respect to individuals Start Printed Page 9439working under the supervision of the claimant's designated representative.” 68 FR 8541, 8543. It is notable that VA IT systems did not include electronic copies of evidence at the time of the 2003 Federal Register notice.

    This note has never meant that VA would always provide support staff at a service organization or legal interns, law students, or paralegals with access to VBA IT systems. Nevertheless, the note may have caused confusion and contributed to inconsistent application of current § 1.600 through 1.603 as VA has transitioned to primarily keeping claimant records in electronic form rather than paper. Accordingly, VA proposes to remove this note, consistent with the clarification of its policy under this proposed rule. Indeed, VA's proposed regulations and current practice of limiting systems access to claimants' accredited attorneys, agents, or representatives of a VA-recognized service organization, would be inconsistent with allowing support staff at service organizations or legal interns, law students, or paralegals to electronically access VA records. Under this proposed rule, VA would ensure that only accredited attorneys, agents, or representatives of a VA-recognized service organization have privileges to access VBA's IT systems. Furthermore, a VA-accredited attorney or agent would have access to records only if the claimant appointed that individual as the attorney of record or agent of record for his or her claim. In the case of a service organization, VA would provide access only to the representatives of that service organization. VA would only grant access to the attorney of record, the agent of record, or the representatives of the service organization of record regardless of whether any other individuals are assisting the attorney of record in the representation of the claimant's case, or are serving on the support staff of the attorney, agent, or veterans service organization.

    Although general access to inspect or receive a copy of a claimant's record is governed by privacy laws and regulations applicable to VA and to the Federal government more generally, there is no statute or regulation creating a right to electronically access VA's internal IT systems or mandating that individuals who may view a record must be allowed to do so via any particular IT system. This is consistent with current § 1.600(d), which VA proposes to modify in this rulemaking. VA's policy of limiting access to VA's IT systems to VA-accredited attorneys, agents, or representatives of a VA-recognized service organization, and limiting access within those systems only to the claims files in which the attorney or agent has been designated to provide representation under 38 CFR 14.631, or to the representative of a service organization that has been designated to provide representation pursuant to the claimant's power of attorney under 38 CFR 14.631, is reasonable given VA's overarching responsibility to protect Veterans' privacy, maintain IT security according to Federal requirements, and control administrative burden and costs.

    Executive Orders 12866, 13563, and 13771

    Executive Orders 12866 and 13563 direct agencies to assess the costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, and other advantages; distributive impacts; and equity). Executive Order 13563 (Improving Regulation and Regulatory Review) emphasizes the importance of quantifying both costs and benefits, reducing costs, harmonizing rules, and promoting flexibility. The Office of Information and Regulatory Affairs has determined that this rule is not a significant regulatory action under Executive Order 12866. VA's impact analysis can be found as a supporting document at http://www.regulations.gov, usually within 48 hours after the rulemaking document is published. Additionally, a copy of the rulemaking and its impact analysis are available on VA's website at http://www.va.gov/​orpm/​, by following the link for “VA Regulations Published From FY 2004 Through Fiscal Year to Date.” This rule is not an Executive Order 13771 regulatory action because this rule is not significant under Executive Order 12866.

    Regulatory Flexibility Act

    The Secretary hereby certifies that the adoption of this rule would not have a significant economic impact on a substantial number of small entities as they are defined in the Regulatory Flexibility Act, 5 U.S.C. 601-612. This rule might have an insignificant economic impact on an insubstantial number of small entities, generally law firms that have individual attorneys who are accredited by VA for purposes of representing VA benefit claimants. VA believes the impact to be minimal because, as stated in the preamble, its overarching policy and practice has been to grant access to designated representatives, as opposed to supporting staff, and access to VA systems is optional and not a prerequisite to representing any claimant before the Department. VA's proposed rule simply clarifies this longstanding practice. Therefore, pursuant to 5 U.S.C. 605(b), this rulemaking would be exempt from the initial and final regulatory flexibility analysis requirements of 5 U.S.C. 603 and 604.

    Unfunded Mandates

    The Unfunded Mandates Reform Act of 1995 requires, at 2 U.S.C. 1532, that agencies prepare an assessment of anticipated costs and benefits before issuing any rule that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more (adjusted annually for inflation) in any 1 year. This rule would have no such effect on State, local, and tribal governments, or on the private sector.

    Paperwork Reduction Act

    This proposed rule contains no provisions constituting a collection of information under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3521).

    Start List of Subjects

    List of Subjects

    38 CFR Part 1

    • Administrative practice and procedure
    • Archives and records
    • Cemeteries
    • Claims
    • Courts
    • Crime
    • Flags
    • Freedom of information
    • Government contracts
    • Government employees
    • Government property
    • Infants and children
    • Inventions and patents
    • Parking
    • Penalties
    • Postal Service
    • Privacy
    • Reporting and recordkeeping requirements
    • Seals and insignia
    • Security measures
    • Wages

    38 CFR Part 14

    • Administrative practice and procedure
    • Claims
    • Courts
    • Foreign relations
    • Government employees
    • Lawyers
    • Legal services
    • Organization and functions (Government agencies)
    • Reporting and recordkeeping requirements
    • Surety bonds
    • Trusts and trustees
    • Veterans
    End List of Subjects

    Signing Authority

    The Secretary of Veterans Affairs approved this document and authorized the undersigned to sign and submit the document to the Office of the Federal Register for publication electronically as an official document of the Department of Veterans Affairs. Pamela Powers, Chief of Staff, Department of Veterans Start Printed Page 9440Affairs, approved this document on November 5, 2019, for publication.

    Start Signature

    Jeffrey M. Martin,

    Assistant Director, Office of Regulation Policy & Management, Office of the Secretary, Department of Veterans Affairs.

    End Signature

    For the reasons set forth in the preamble, VA proposes to amend 38 CFR parts 1 and 14 as follows:

    Start Part

    PART 1—GENERAL PROVISIONS

    End Part Start Amendment Part

    1. The authority citation for part 1, is amended to read as follows:

    End Amendment Part Start Authority

    Authority: 38 U.S.C. 501, and as noted in specific sections. Sections 1.600-1.603 Also issued under 38 U.S.C. 5721-5728.

    End Authority Start Amendment Part

    2. Amend the undesignated center heading preceding § 1.600 by removing the word “Remote”.

    End Amendment Part Start Amendment Part

    3. Amend § 1.600 by:

    End Amendment Part Start Amendment Part

    a. Revising paragraph (a)(1).

    End Amendment Part Start Amendment Part

    b. Amending paragraph (a)(2) by removing “claimants'” and adding in its place “service organization,” and adding after “representatives” the words, “attorneys and agents.”

    End Amendment Part Start Amendment Part

    c. Revising paragraph (a)(3).

    End Amendment Part Start Amendment Part

    d. Revising paragraphs (b), (c),(d)(1) and (2).

    End Amendment Part Start Amendment Part

    e. Adding paragraph (d)(3).

    End Amendment Part

    The revisions and addition read as follows:

    Purpose.

    (a) * * *

    (1) When, and under what circumstances, VA will grant attorneys, agents, and representatives of a VA-recognized service organization the ability to access records through Veterans Benefits Administration's (VBA) electronic information technology (IT) systems that contain information regarding the claimants whom they represent before VA;

    (2) * * *

    (3) The bases and procedures for denial or revocation of access privileges to VBA IT systems of an attorney, agent, or representative of a VA-recognized service organization for violating any of the requirements for access.

    (b) VBA will provide access to VBA IT systems under the following conditions. VBA will provide access:

    (1) Only to an attorney, agent, or representative of a VA-recognized service organization who is accredited pursuant to part 14 of this chapter and who is approved to access VBA IT systems under §§ 1.600 through 1.603;

    (2)(i) For a representative of a VA-recognized service organization, only to the records of VA claimants who appointed the service organization as the organization of record to provide representation on their claims, or

    (ii) For an attorney or agent, only to the records of VA claimants who appointed the attorney or agent as the attorney or agent of record on their claims;

    (3) Solely for the purpose of representing the individual claimant whose records are accessed in a claim for benefits administered by VA; and

    (4) On a read-only basis, an attorney, agent, or representative of a VA-recognized service organization authorized to access VBA IT systems under §§ 1.600 through 1.603 will not be permitted to modify the data, to include modifying any existing record. However, such an attorney, agent, or representative of a VA-recognized service organization may upload documents as permitted by VA IT policy regarding submittal of new documents.

    (c) Privileges to access VBA IT systems may be granted by VBA only for the purpose of accessing a represented claimant's electronically stored claims files pursuant to applicable privacy laws and regulations, and as authorized by a claimant's power of attorney under 38 CFR 14.631.

    (d) * * *

    (1) Waive the sovereign immunity of the United States;

    (2) Create, and may not be relied upon to create, any right or benefit, substantive or procedural, enforceable at law against the United States or the Department of Veterans Affairs; or

    (3) Create or establish a right to electronic access.

    Start Amendment Part

    4. Revise § 1.601 to read as follows:

    End Amendment Part
    Qualifications for access.

    (a)(1) An applicant for access to VBA IT systems for the purpose of providing representation must be:

    (i) A representative of a VA-recognized service organization who is accredited by VA under § 14.629(a) of this chapter through a service organization and whose service organization holds power of attorney for one or more claimants under § 14.631 of this chapter; or

    (ii) An attorney or agent who is accredited by VA under § 14.629(b) of this chapter and who holds power of attorney for one or more claimants under § 14.631 of this chapter.

    (2) To qualify for access to VBA IT systems, the applicant must comply with all security requirements deemed necessary by VA to ensure the integrity and confidentiality of the data and VBA IT systems, which may include passing a background suitability investigation for issuance of a personal identity verification badge.

    (3) VA may deny access to VBA IT systems if the requirements of paragraphs (a)(1) or (2) of this section are not met.

    (b) The method of access, including security software and work-site location of the attorney, agent, or representative of a VA-recognized service organization, must be approved in advance by VA.

    (c) Each attorney, agent, or representative of a VA-recognized service organization approved for access must complete, sign, and return a notice provided by VA. The notice will specify any applicable operational and security requirements for access, in addition to the applicable VA Rules of Behavior, and an acknowledgment that the breach of any of these requirements is grounds for revocation of access.

    Start Amendment Part

    5. Revise § 1.602 to read as follows:

    End Amendment Part
    Utilization of access.

    (a) Once VA issues to an attorney, agent, or representative of a VA-recognized service organization the necessary logon credentials to obtain read-only access to the VA records regarding the claimants represented, access will be exercised in accordance with the following requirements. The attorney, agent, or representative of a VA-recognized service organization:

    (1) Will electronically access VA records through VBA IT systems only by the method of access approved in advance by VA;

    (2) Will use only his or her assigned logon credentials to obtain access;

    (3) Will not reveal his or her logon credentials to anyone else, or allow anyone else to use his or her logon credentials;

    (4) Will access via VBA IT systems only the records of claimants who he or she represents;

    (5) Will access via VBA IT systems a claimant's record solely for the purpose of representing that claimant in a claim for benefits administered by VA;

    (6) Is responsible for the security of the logon credentials and, upon receipt of the logon credentials, will destroy the hard copy so that no written or printed record is retained;

    (7) Will comply with all security requirements VA deems necessary to ensure the integrity and confidentiality of the data and VBA IT systems; and

    (8) Will comply with each of the standards of conduct for accredited individuals prescribed in § 14.632 of this chapter.

    (b)(1) A service organization shall ensure that all its representatives provided access in accordance with these regulations receive annual training approved by VA on proper security or annually complete VA's Privacy and Security Training.

    (2) An attorney or agent who is granted access will annually Start Printed Page 9441acknowledge review of the security requirements for the system as set forth in these regulations, VA's Rules of Behavior, and any additional materials provided by VA.

    (c) VBA may, at any time without notice:

    (1) Inspect the computer hardware and software utilized to obtain access and their location;

    (2) Review the security practices and training of any attorney, agent, or representative of a VA-recognized service organization granted access under these regulations; and

    (3) Monitor the access activities of an attorney, agent, or representative of a VA-recognized service organization. By applying for, and exercising, the access privileges under § 1.600 through 1.603, the attorney, agent, or representative of a VA-recognized service organization expressly consents to VBA monitoring access activities at any time for the purpose of auditing system security.

    Start Amendment Part

    6. Amend § 1.603 by:

    End Amendment Part Start Amendment Part

    a. Revising the section heading

    End Amendment Part Start Amendment Part

    b. Revising paragraph (a).

    End Amendment Part Start Amendment Part

    c. Revising paragraphs (b) introductory text and (b)(2).

    End Amendment Part Start Amendment Part

    d. Removing paragraph (b)(3).

    End Amendment Part Start Amendment Part

    e. Redesignating paragraph (b)(4) as (b)(3) and revising the newly redesignated (b)(3).

    End Amendment Part Start Amendment Part

    f. Redesignating paragraph (b)(5) as (b)(4).

    End Amendment Part Start Amendment Part

    g. Redesignating paragraph (b)(6) as (b)(5) and revising the newly redesignated (b)(5).

    End Amendment Part Start Amendment Part

    h. Amend paragraph (c) and by adding paragraphs (c)(1) through (5).

    End Amendment Part Start Amendment Part

    i. Revising paragraph (d).

    End Amendment Part Start Amendment Part

    j. Removing paragraph (e).

    End Amendment Part

    The revisions read as follows:

    Revocation and reconsideration.

    (a) VA may revoke access of an attorney, agent, or representative of a VA-recognized service organization to a particular claimant's records because the individual or organization no longer represents the claimant, and, therefore, the claimant's consent is no longer in effect.

    (b) VA may revoke the access privileges of an attorney, agent, or representative of a VA-recognized service organization either to an individual claimant's records or to all claimants' records via the VBA IT systems, if the individual:

    (1) * * *

    (2) Accesses or attempts to access data for a purpose other than representation of an individual claimant;

    (3) Accesses or attempts to access data on a claimant who he, she, or the service organization does not represent;

    (4) Accesses or attempts to access a VBA IT system by a method that has not been approved by VA; or

    (5) Modifies or attempts to modify data in the VBA IT systems without authorization.

    (c) VA will notify the attorney, agent, or representative of a VA-recognized service organization of the denial of access under § 1.601(a)(3) or revocation of access under paragraph (b) of this section. If VA denies or revokes access privileges for a service organization representative, VA will notify the service organization(s) through which the representative is accredited of the denial or revocation of access.

    (1) The denial or revocation of access by a VBA regional office or center of jurisdiction is a final decision. The attorney, agent, or representative of a VA-recognized service organization may request reconsideration of a denial or revocation of access by submitting a written request to VBA. VBA will consider the request if it is received by VBA not later than 30 days after the date that VA notified the attorney, agent, or representative of a VA-recognized service organization of its decision.

    (2) The attorney, agent, or representative of a VA-recognized service organization may submit additional information not previously considered by VA, provided that the additional information is submitted with the written request and it is pertinent to the prohibition of access.

    (3) VA will close the record regarding reconsideration at the end of the 30-day period described in paragraph (c)(1) of this section and furnish the request, including any new information, submitted by the attorney, agent, or representative to the Director of the VA regional office or center with jurisdiction over the final decision.

    (4) VA will reconsider access based upon a review of the information of record as of the date of its prior denial or revocation, with any new information submitted with the request. The decision will:

    (i) Identify the attorney, agent, or representative of a VA-recognized service organization,

    (ii) Identify the date of VA's prior decision,

    (iii) Describe in detail the facts found as a result of VA's review of its decision with any new information submitted with the reconsideration request, and

    (iv) State the reasons for VA's final decision, which may affirm, modify, or overturn its prior decision.

    (5) VA will provide written notice of its final decision on access to:

    (i) The attorney, agent, or representative of a VA-recognized service organization requesting reconsideration, and

    (ii) if the conduct that resulted in denial or revocation of the authority of an attorney, agent, or representative of a VA-recognized service organization to access VBA electronic IT systems merits potential inquiry into the individual's conduct or competence pursuant to § 14.633 of this chapter, the VBA regional office or center of jurisdiction will immediately inform VA's Office of General Counsel in writing of the fact that it has revoked the individual's access privileges and provide the reasons why.

    (d) VA may immediately suspend access privileges prior to any determination on the merits of a revocation where VA determines that such immediate suspension is necessary to protect, from a reasonably foreseeable compromise, the integrity of the system or confidentiality of the data in VBA IT systems.

    Start Part

    PART 14—LEGAL SERVICES, GENERAL COUNSEL, AND MISCELLANEOUS CLAIMS

    End Part Start Amendment Part

    7. The authority citation for part 14 continues to read as follows:

    End Amendment Part Start Authority

    Authority: 5 U.S.C. 301; 28 U.S.C. 2671-2680; 38 U.S.C. 501(a), 512, 515, 5502, 5901-5905; 28 CFR part 14, appendix to part 14, unless otherwise noted.

    End Authority
    [Amended]
    Start Amendment Part

    8. Amend § 14.629 by removing the Note.

    End Amendment Part End Supplemental Information

    [FR Doc. 2020-03196 Filed 2-18-20; 8:45 am]

    BILLING CODE 8320-01-P

Document Information

Published:
02/19/2020
Department:
Veterans Affairs Department
EntryType:
Proposed Rule
Action:
Proposed rule.
Document Number:
2020-03196
Dates:
VA must receive comments on or before April 20, 2020.
Pages:
9435-9441 (7 pages)
SectionNoes:
1.600,1.601,1.602,1.603,14.629
Topics:
Administrative practice and procedure, Archives and records, Cemeteries, Claims, Courts, Crime, Flags, Foreign relations, Freedom of information, Government contracts, Government employees, Government property, Inventions and patents, Lawyers, Legal services, Organization and functions (Government agencies), Parking, Penalties, Postal Service, Privacy, Reporting and recordkeeping requirements, Seals and insignia, Security measures, Surety bonds, Trusts and trustees, Veterans, Wages
PDF File:
2020-03196.pdf
CFR: (2)
38 CFR 1
38 CFR 14