5101:1-1-03 Disclosure of recipient information, nondiscrimination, and treatment of information received from the internal revenue service and social security administration.  

5101:1-1-03                 Disclosure of recipient information, nondiscrimination, and treatment of information received from the IRS and social security administration.

(A)Confidential records

All information and records concerning a recipient of disability assistance (DA) pursuant to Chapter 5115. of the Revised Code, Ohio works first (OWF) pursuant to Chapter 5107. of the Revised Code, and prevention, retention and contingency (PRC) pursuant to Chapter 5108. of the Revised Code are confidential. No information regarding applicants, recipients, or former recipients of any of the programs listed in this paragraph is to be released to anyone except as provided in sections 5101.26 to 5101.28 of the Revised Code or as otherwise delineated in this rule pursuant to section 5101.30 of the Revised Code.

(B)Allowable disclosure of information

In accordance with section 5101.30 of the Revised Code and in addition to sections 5101.27 and 5101.28 of the Revised Code, recipient information and records for any of the programs identified in paragraph (A) of this rule may be released to the following entities identified in paragraphs (B)(1) to (B)(10) of this rule. However, only the minimum information necessary to fulfill the need for the sharing of information as allowed by this rule may be released:

(1)A provider of services or assistance connected with the programs identified in paragraph (A) of this rule. Access to information under this paragraph is limited to information that is essential for the provider to render services or assistance or to bill for services or assistance rendered. Providers receiving this information may not use this information except for the purpose set out in this paragraph and are subject to penalties set out in Section 5101.99 of the Revised Code for unauthorized use of the information.

(2)Any private contractor, grantee, or other state or county entity, performing administrative or other duties on behalf of the Ohio Department of Job and Family Services (ODJFS) or a county department of job and family services (CDJFS) when in compliance with paragraphs (B)(3)(a) to (B)(3)(d) of this rule. Access under this paragraph includes but is not limited to exchange of information pursuant to section 307.987 of the Revised Code. Information that can be accessed under this paragraph is limited only to information needed for completion of the administrative or other duties on behalf of ODJFS or CDJFS:

(a) There must be a signed, written agreement with the contractor, grantee, or entity, that establishes the purpose and scope of duties to be performed for ODJFS or CDJFS.

(b) The agreement shall contain language that the contractor, grantee, or

entity may not use the information received pursuant to the agreement for purposes other than those set out in the written agreement.

(c) The agreement shall include language which establishes that the contractor, grantee, or entity is bound by relevant Ohio confidentiality laws and ODJFS rules; and, that disclosure of the information by the contractor, grantee, or entity in a manner not authorized by the rules is a breach of the contract and a violation of sections 5101.27 and 5101.99 of the Revised Code.

(d)If sharing of information (including eligibility information) pursuant to the contract involves information related to medical eligibility or medical coverage under the DA program set forth in Chapter 5115 of the Revised Code, the following additional language is required to be included in the contract:

(i) The   contractor   will   use   safeguards   to   prevent   unauthorized uses/disclosures of the information.

(ii) The contractor will report any authorized uses/disclosures of the information to ODJFS or the CDJFS, whichever contracts with the contractor (contractee).

(iii) The  contractor  will  provide  the  obligations  contained  in  the contract to all subcontractors/agents.

(iv) The contractor will share all information received pursuant to the contract with the contractee.

(v) If an individual seeks information of which they are the subject, seeks amendment of that information or an accounting of disclosures of the information which the contractor is holding as a result of this contract, the contractor shall immediately refer the individual to the CDJFS and notify the CDJFS of the request.

(vi) The contractor shall make available its internal practices, books and records relating to use and disclosure of information about individuals which were received pursuant to this contract to the CDJFS and ODJFS upon request, and to the United States Department of Health and Human Services (HHS) for the purpose of determining the states compliance with the Health Information Portability and Accountability Act (HIPAA) and regulations and amendments promulgated by HHS for the purpose of implementing HIPAA.

(vii) Upon termination of the agreement required by the provisions set forth in this rule, the contractee shall require that the contractor do

one of the following :

(a) Return all information received about individuals pursuant to the agreement and retain no copies of the information, except as directed by the contractee or required by law. Any information that the contractor retains must be extended the same protections set forth in the written agreement for as long as the information is maintained by the contractor; or

(b) Destroy all information received about individuals pursuant to the agreement and keep no copies of the information except as directed by the contractee or required by law. If the contractor or its agent destroys the information, the contractor shall provide documentation evidencing such destruction to the CDJFS.

(3) The U.S. department of health and human services except for DA information unless release of the DA information is in response to an inquiry by HHS involving the Health Insurance Portability and Accountability Act.

(4) An employer for purposes of claiming tax credit under Public Law 94-12, the Tax Reduction Act of 1975 or claiming some other type of payment from any governmental entity in connection with a program that provides payments to employers for hiring and employing public assistance recipients. An employer may access only the recipient information that is essential for claiming the tax credit or payment. Use of the recipient information by the employer shall be only for the purpose set out in this paragraph and unauthorized use of the information shall be subject to penalties set out in section 5101.99 of the Revised Code.

(5) Third parties, such as health insurers, requesting social security numbers for the purpose of determining the existence of health care coverage that may be liable to pay all or part of medical bills. Third parties receiving information may not use the information except for the purposes set out in this paragraph and are subject to penalties set out in section 5101.99 of the Revised Code for unauthorized use of the information.

(6) Any state licensing or certification authority while performing their statutory duties of conducting or assisting with investigations, prosecution or civil or criminal proceedings against medicaid providers, provided that any such licensing or certification authority agrees to be bound by the same rules and regulations regarding recipient confidentiality that binds ODJFS. To ensure agreement of confidentiality, these information requests and responses will be conducted solely between the requesting authority and the appropriate office within ODJFS.

(7) A county child support enforcement agency (CSEA) when requesting relevant information needed to secure child support pursuant to paragraph (C) of rule 5101:1-3-10 of the Administrative Code.

(8) State and local offices of women, infants and children (WIC), child and family health services (CFHS), and the children with medical handicaps program (CMH). The information shared is limited to eligibility information for specific individuals or assistance groups receiving services from WIC, CFHS and/or CMH.

(9) Public children services agencies (PCSAs) when the CDJFS is to report known or suspected instances of child abuse and neglect of a child receiving OWF, or DA or when the PCSA needs information in order to conduct an assessment/investigation of a report of alleged child abuse or neglect, as delineated in rule 5101:2-39-51 of the Administrative Code. Instances of abuse and neglect situations exist when a child experiences physical or mental injury, sexual abuse, or exploitation, or negligent treatment or maltreatment under circumstances which indicate that the child's health or welfare is threatened.

(C)Requirements regarding protection of the recipient's right to control personal data

The following requirements must be explained at the time of application for assistance or services and are included to protect the recipient's right to control personal data.

(1) Whenever a recipient of any of the programs identified in paragraph (A) of this rule is asked to supply personal data to the CDJFS or ODJFS, the legal requirements for providing or not providing such data must be explained to him.

(2) Upon the request of any recipient of any of the programs identified in paragraph (A) of this rule, the CDJFS must make all data collected about that individual available to the individual. Medical, psychiatric or psychological information may not be released to the individual or his legal guardian if the CDJFS has reason to believe that its release may have an averse effect on the individual.

If the CDJFS has reason to believe that the release of medical, psychiatric or psychological information may have an adverse effect, the CDJFS shall release this information to a physician, psychiatrist or psychologist designated by the individual. Once the individual provides expressed and informed consent, the CDJFS will send this information to the designated medical provider. The medical provider will then determine whether the information should be disclosed to the recipient.

In addition, the agency must supply an interpretation of the data if it is not

readily understandable. If the individual feels that the data is incomplete or inaccurate, the individual has the right to include additional information in the individual's files.

(3) Upon any request for individual data through compulsory legal process, the recipient of any program identified in paragraph (A) of this rule, must be immediately informed of such request. In addition, the department must inform the court of the statutory and regulatory provisions against disclosure of information, if state or federal law precludes the release of the information. If the court still seeks the information, and if the information is not protected by any other privilege recognized by law, the agency will furnish the specified information to the court itself along with ODJFS policies for safeguarding that information. At the same time, the agency must notify the individual that the information has been furnished to the court and must supply duplicate copies to that individual of the information so furnished.

(4) Pursuant to division (D) of section 5101.27 of the Revised Code, ODJFS and the CDJFS may release information about a recipient of any of the programs listed in paragraph (A) of this rule, if the recipient gives voluntary, written consent in compliance with section 5101.27 of the Revised Code.

(D)Nondiscrimination

CDJFS are responsible for rendering assistance without discrimination on account of race, color, religion, national origin, gender, sexual orientation, disability, age or political beliefs, in a manner consistent with the United States constitution, Social Security Act, Civil Rights Act, and the Constitution of the state of Ohio, and policies of ODJFS.

(E)Release of Information

A signed JFS 07341 "Applicant/Recipient Authorization for Release of Information" shall be obtained whenever the CDJFS requests information from a third party. The CDJFS shall use the JFS 03607 "Medical Information Release Form" when the information is medical in nature or the JFS 06907 "LEAP-Learning, Earning, and Parenting Program School Information Release Form" when requesting attendance and educational information for LEAP program participants. A copy of any signed release must be included in the individual's file.

(F) Confidentiality requirements for information from the social security administration (SSA)

(1) The SSA sends information to the ODJFS about RSDI and SSI beneficiaries who are applicant for or recipients of any of the programs listed in paragraph (A) of this rule. ODJFS displays this information to the CDJFS using the CRIS-E data exchange screens, DEBB (RSDI) and DESX (SSI). The ODJFS

state verification and exchange system (SVES) provides electronic interface with the SSA. The interface allows the transfer of Title II (SSA retirement, survivors, disability, and health insurance benefits), Title XVI (supplemental security income), and benefit earnings exchange record (BEER) information about employment (whether or not the individual is a participant of RSDI and/or SSI). SVES replaces the paper transaction request, third party query (TPQY) between the state of Ohio and the SSA. The SSA limits use and disclosure of this SSA information.

(2) The Privacy Act of 1974 allows SSA to release information to ODJFS and CDJFS without a release of information from the beneficiary only as long as the information is for a "routine use" and for specified programs. Every use or disclosure of SSA information which is not routine or is not for an approved, specified program requires the prior written permission of the beneficiary or the SSA, respectively.

(a) The routine uses and approved programs for RSDI obtained from the bendex system ("Beneficiary and Earnings Data Exchange") are: to determine eligibility for and administer Ohio works first (OWF), disability assistance (DA), food stamps, Title XX social services, Title IV-E, child support, and energy assistance.

(b) The routine uses and approved programs for SSI benefits obtained from the state data exchange (SDX) and SVES are: to determine eligibility for and administer OWF, food stamps, DA, energy assistance, Title XX social services, Title IV-E, child support, and interim assistance.

(G)Disclosure, confidentiality, and physical safeguarding of SSA and IRS information

(1) Whenever ODJFS or the CDJFS discloses SSA information received from the SSA to someone who is not an employee of ODJFS or a CDJFS, it must do so only for a routine use of an approved program. Additionally, it must disclose only the information needed to accomplish the purpose of the routine use.

(2) ODJFS may disclose SSA information to another state agency, provided it is for routine use for an approved program and only the needed information is disclosed.

(3) Although ODJFS and the CDJFS may obtain SSA information without a release of information from the beneficiary, they must keep a record any time they disclose this information to anyone who is not an employee of ODJFS or a CDJFS. This is true even though the disclosure is for a routine use.

(a) The required record of disclosure of SSA information must be kept in the individual case record and also in a central CDJFS file.

(b) The case record notation and the central file must contain the date of

disclosure, the information disclosed, the purpose of the disclosure, and the person to whom the information was disclosed. For the case record, the CDJFS must enter the notation about the disclosure. For the central file, the CDJFS must maintain separate records, for each source of data disclosed.

(c) The record of disclosure must be retained for five years or the life of the application, whichever is longer. The disclosure records are subject to inspection by the SSA.

(4) The internal revenue service (IRS) sends unearned income information received from 1099 forms filed with that agency to ODJFS regarding applicants and recipients of any of the programs listed in paragraph (A) of this rule. This federal tax information is displayed on the CRIS-E screen data exchange inquiry resource/unearned income (DERS).

(5) Internal revenue code (IRC) section 6103 allows the disclosure of tax return information to federal, state and local agencies by the IRS for use in their OWF and food stamp programs. The return information is disclosed solely for the purpose of, and to the extent necessary in, determining eligibility for, or the correct amount of benefits under the specified programs.

(6) IRS return information may not be disclosed to, exchanged with, or utilized by any other state agency. ODJFS and CDJFS employees who are entitled to access tax return information generally must not disclose this information to any party outside the agency other than the taxpayer to whom the information relates or the taxpayer's duly appointed representative who has the explicit authority to obtain tax return information.

(7) To the extent that disclosure of IRS information is necessary to verify eligibility for and the correct amount of benefits, including past benefits, such disclosure may be made only when there is no other means of verifying the unearned income information, and only to the extent necessary to verify the unearned income information.

(a) All ODJFS and CDJFS employees with access to IRS return information must have disclosure awareness training for safeguarding requirements and must be advised on an annual basis of IRS penalty provisions.

(b) A permanent system of standardized record keeping must be maintained by the CDJFS which documents requests for, and disclosure of return information. If redisclosure is authorized, the information disclosed outside the agency must be recorded on a separate list which reflects to whom the disclosure was made, what was disclosed, why and when it was disclosed.

(8) ODJFS and the CDJFS must physically protect SSA and IRS information from

unauthorized access. The physical record number of SSA and IRS information required to be safeguarded include, but are not limited to, the following:

(a) Benefit earnings exchange record (BEER) information which contains federal wage information obtained from the SSA master earnings file;

(b) IRS information return master file which contains returns filed by payers of income such as dividends, interest and retirement income.

(9) ODJFS and the CDJFS must:

(a) Limit access to the data to only those employees and officials who need it to perform their official duties in connection with the approved programs.

(b) Store data in an area that is physically safe from access by unauthorized persons.

(c) Store and process magnetic tapes, screen prints and any electronic data in CRIS-E or any other computer system used in such a way that information cannot be retrieved by unauthorized persons.

(d)Advise all personnel who will have access to the data of the confidential nature of the information, the safeguards required, and the criminal and civil sanctions for noncompliance contained in federal and state statutes.

(e) Permit the SSA and internal revenue service to make onsite inspections to ensure that adequate safeguards are being maintained.

(f)Ensure that when interactive interviews using the CRIS-E system occur in the presence of an assistance group member who is not the subject of the confidential information, the computer screen is adjusted in such a manner that the visual screen is not exposed to that individual.

Replaces:                                 5101:1-1-03

Effective:                                04/01/2003 R.C. 119.032 review dates:                           04/01/2008

CERTIFIED ELECTRONICALLY

Certification

03/21/2003

Date

Promulgated Under:   119.03

Statutory Authority:   5101.26, 5101.27, 5101.28,

5101.30, 5101.99, 5107.05,

5115.05

Rule Amplifies:           5101.26, 5101.27, 5101.28,

5101.30, 5101.572, 5107.99

Prior Effective Dates: 1-1-74, 1-1-76, 1-1-83,

10-1-84 (emer.), 12-27-84,

7-1-85 (emer.), 9-29-85;

1-18-86, 8-1-86 (emer.),

10-3-86, 10-1-88 (emer.),

12-20-88, 7-14-89 (emer.),

10-1-89, 1-1-90 (emer.),

3-22-90, 4-7-90, 10-1-90,

10-10-91 (emer.), 12-20-91,

1-1-93, 1-1-94 (emer.),

1-30-94, 1-1-96 (emer.),

10-11-96 (emer.), 11-1-96,

1-1-97, 7-1-97, 10-1-97

(emer.), 12-30-97, 7-1-97,

7-1-98, 11-1-98, 7-1-99,

11-1-2002