38 CFR § 1.602 - Utilization of access.
(a) Once VA issues to an attorney, agent, representative of a VA-recognized service organization, affiliated support-staff person, or individual authorized by the General Counsel under § 14.630 of this chapter the necessary logon credentials to obtain basic claims status information and read-only access to the VA records regarding the claimants represented, access will be exercised in accordance with the following requirements. The attorney, agent, representative of a VA-recognized service organization, support-staff person, or individual authorized by the General Counsel under § 14.630 of this chapter:
(1) Will electronically access VA records through VA IT systems only by the method of access approved in advance by VA;
(2) Will use only his or her assigned logon credentials to obtain access;
(3) Will not reveal his or her logon credentials to anyone else, or allow anyone else to use his or her logon credentials;
(4) Will access via VA IT systems only the records of claimants whom he or she represents or is authorized to assist in representing;
(5) Will access via VA IT systems a claimant's records solely for the purpose of representing or assisting in the representation of that claimant in a claim for benefits administered by VA;
(6) Is responsible for the security of the logon credentials and, upon receipt of the logon credentials, will destroy the hard copy so that no written or printed record is retained;
(7) Will comply with all security requirements VA deems necessary to ensure the integrity and confidentiality of the data and VA IT systems; and
(8) Will, if accredited or authorized by the General Counsel under § 14.630 of this chapter, comply with each of the standards of conduct for accredited individuals prescribed in § 14.632 of this chapter.
(b)
(1) A VA-recognized service organization shall ensure that all its representatives and support-staff personnel provided access in accordance with these regulations receive annual training approved by VA on proper security or annually complete VA's Privacy and Security Training.
(2) An attorney, agent, affiliated support-staff person of an attorney or agent, or individual authorized by the General Counsel under § 14.630 of this chapter who is provided access in accordance with these regulations will annually acknowledge review of the security requirements for the system as set forth in these regulations, VA's Rules of Behavior, and any additional materials provided by VA.
(c) VA may, at any time without notice:
(1) Inspect the computer hardware and software utilized to obtain access and their location;
(2) Review the security practices and training of any attorney, agent, representative of a VA-recognized service organization, support-staff person, or individual authorized by the General Counsel under § 14.630 of this chapter provided access in accordance with these regulations; and
(3) Monitor the access activities of an attorney, agent, representative of a VA-recognized service organization, support-staff person, or individual authorized by the General Counsel under § 14.630 of this chapter. By applying for and exercising the access privileges under §§ 1.600 through 1.603, the individual expressly consents to VA monitoring access activities at any time for the purpose of auditing system security.