ODJFS eManuals > Legal Services > Public Records and Confidentiality Laws > III. Federal & State Confidentiality Laws and Regulations

prev page next page

print get notified of updates to this manual

III. Federal and State Confidentiality Laws

As stated in Part I of this memorandum, any record identified as a "public record" must be released upon request. RC §149.43(A)(1) excepts records from being designated as "public records" when there is a federal or state law which prohibits the release of the record or labels it as confidential. The following is a list of federal and state laws which make certain records or information confidential or prohibit their release. The federal and state statutes have been grouped according to program or subject matter.

A.GENERAL

1.TAX RETURN INFORMATION

Internal Revenue Code (IRC) Section 6103 (26 USC 6103) states that all income returns and return information shall be confidential, and that no officer or employee of any state, any local child support enforcement agency, or any local agency administering a public assistance, unemployment, or medical assistance program shall disclose any return or return information obtained by him/her in the course of his/her work responsibilities. IRC Section 7213 (26 USC 7213) makes unlawful disclosures a felony offense, and IRC Section 7431 (26 USC 7431) permits civil damages to be imposed on individuals who make unlawful disclosures.

In addition, 42 USC 664 allows the interception of federal tax refunds in order to satisfy child support obligations. 26 USC 6103 and IRS publication 1075 outline strict requirements for the handling of this information by state agencies operating child support programs.

OAC rule 5101:1-1-36(G): This cash assistance rule references section 1137 of the Social Security Act, which requires that ODJFS develop an Income & Eligibility Verification System (IEVS). Ohio's IEVS is integrated into Ohio Benefits, which allows ODJFS to obtain information from its own office of unemployment insurance operations (OUIO) and the social security administration (SSA). Under IEVS, ODJFS matches public assistance applicant/recipient social security numbers with OUIO's wage records and unemployment compensation records, as well as SSA's benefit earnings exchange records, and Supplemental Security Income (SSI) and Retirement, Survivors, Disability Insurance (RSDI) benefit information provided by SSA. If the source of any tax data contained in matched information is SSA, or some other federal agency, the information is considered federal tax information (FTI). Match information for IEVS which contains FTI must be protected from disclosure to unauthorized persons. The rule states that computer screen printouts or copies of letters mailed or received regarding FTI must be safeguarded. The rule requires that FTI not be commingled within the assistance group case record, because if it is commingled, the entire assistance group case record must be safeguarded in the same way as FTI, and labeled as SSA-provided FTI. The rule then sets out under what circumstances and to whom the Federal Tax Information can be released. 12/1/18.

OAC rule 5101:4-7-09: Rule pertains to use of IEVS in food assistance program. Rule says that, in general, unemployment compensation benefit information, SSI and social security data from the SSA are verified upon receipt, whereas county agencies must independently verify IRS information, and federal and state wage information obtained from SSA and the state unemployment office. The rule also specifies the types of independent verification that can be done, and the actions that county agencies must take when information is received as a result of data exchange agreements. Paragraph (G) restricts county usage of IEVS information to program administration (i.e., determining assistance group's eligibility or ineligibility for SNAP, and the amount of SNAP), and Paragraph (J) says that IEVS match information may only be disclosed as permitted in OAC rule 5101:4-1-13. Paragraph (K) requires that ODJFS and the county agencies keep a record for at least three years, or during the active life of the application (whichever is longer) of any release of confidential IEVS information (e.g., federal tax information (FTI), including SSA match data) to any non-ODJFS or non-county agency employee. County/state workers must record the disclosure(s) in the applicant's case file, and the county must keep track of it in BENDEX. Paragraph (I) says that matches containing FTI are confidential, must be safeguarded as required in OAC rule 5101: 4-1-13, must be stored in a place physically safe from access by unauthorized individuals, and cannot be commingled with the rest of the case record. 6/1/22.

OAC rule 5101:9-9-25 outlines federal tax return information safeguarding procedures, which are intended to maintain confidentiality of taxpayer data; and, OAC 5101:9-9-25.1 does the same for county agencies. 10/4/21.

OAC Rule 5101:9-9-26: Ohio rule that implements IRS Publication 1075 provision requiring individuals who are given access to federal tax information (FTI) to undergo FBI and BCI fingerprint checks to identify suitability issues associated with access to FTI, as well as validate their eligibility to lawfully work in the United States. An initial background check must be successfully completed for all final candidates, current employees, current or prospective intermittent employees, county agency contractor/contract employees, or temporary service personnel to determine suitability to access FTI, and reinvestigation must occur every five years from the date it was initially determined, for individuals remaining in a position with access to FTI. 4/1/23.

OAC rule 5101:12-1-22: ODJFS Office of Child Support rule regarding safeguarding of federal tax information (FTI) received from the IRS. See also 26 USC 6103 and IRS Publication 1075. 11/1/22.

OAC rule 5101:12-1-22.1: ODJFS Office of Child Support procedure for conducting county CSEA visits and requiring county CSEA self-inspection, to verify FTI is being properly safeguarded. 11/1/22.

2.SOCIAL SECURITY NUMBERS

As a result of growing problems of identity theft and intrusions on personal privacy, this section on Social Security numbers was added to the Manual, as a reminder to all government employees of the importance of safeguarding the confidentiality of all social security numbers in the possession of state and local government. Unless specifically authorized by law, there should be no public disclosure of SSNs of government employees, public assistance applicants/recipients, child support clients, unemployment insurance claimants, workforce development participants, private sector employers/businesses/contractors, and participants in any other program administered by ODJFS or a county DJFS which collects and maintains social security numbers (SSNs) and related data. The Internal Revenue Code, 26 USC 6109(d), states that an SSN is issued to an individual for tax identification purposes.

5 USC § 552 (public information) and 5 USC § 552a (the Privacy Act of 1974) are the federal counterparts of the Ohio public information and privacy laws.

5 USC § 552(b) lists exemptions to the federal Freedom of Information Act, including matters that are specifically exempted from disclosure by statute ((b)(3)) and trade secrets and commercial or financial information obtained from a person ((b)(4)).

5 USC § 552a(a)(8),(e),(o) & (p): This statute does not prohibit release of the Social Security numbers but creates an individual expectation of privacy by requiring that any federal government agency that requests an individual to disclose his Social Security number to inform that individual whether that disclosure is mandatory or voluntary, under what authority the number is solicited, and what use will be made of it. Also requires that non-federal agencies (like ODJFS) enter into matching agreements with source agencies (like the Social Security Administration), to independently verifying matched information, and to notify applicants for and recipients of financial assistance of their right to contest the findings of any match that results in adverse action. Please note that public assistance, child support and children services records and portions of daycare records are not public records pursuant to other federal and state statutes. Social Security numbers would also not be public records under those laws. Social Security numbers contained in personnel files have been determined by the Ohio Supreme Court to not be public records pursuant to a Constitutional right of privacy. In addition, ORC 149.43(A)(1)(dd) exempts disclosure of social security numbers to the public, and ORC 1347.12 requires notification to individuals if their social security numbers are accessed from any government system without authorization, and/or used or redisclosed inappropriately. Requests for release of Social Security numbers in other situations (e.g., provider information) should be analyzed on a case by case basis. Also cited as Sections 7(a) and (b) of the Privacy Act of 1974.

7 USC 2011-2036, Section 1137(a) of the Social Security Act (42 USC 1320b-7), and 42 CFR 435.910, authorize the collection and use of Social Security numbers in the Food Assistance and Medicaid programs. (See also OAC Rules 5101:1-1-03 and 5101:1-3-09). Social Security Numbers can be used to determine eligibility and verify information.

7 USC 2018(c) and 7 CFR 278.1(q): Limit access to and disclosure of food assistance retailer information, such as identities of store owners and personnel, and specific proprietary data. While information can be used for administration of food assistance program, special provisions apply to employer identification numbers (EINs) and federal employer identification numbers (FEINs). The disclosure of SSNs and EINs is limited to qualifying Federal agencies or instrumentalities which otherwise have access to SSNs and EINs based on law and routine use. Release of information under this CFR provision is limited to information relevant to the administration or enforcement of the specified laws and regulations, as determined by FNS.

29 USC 3141(i)(3), the Workforce Innovation and Opportunity Act (WIOA), requires compliance with 20 USC 1232g (and the corresponding regulations in 34 CFR part 99), the Family Educational Rights and Privacy Act of 1974 (FERPA), which was enacted to protect student privacy rights in education records, and applies to all public and private educational institutions that receive federal educational funds. FERPA requires safeguards to protect against the disclosure of personal identifying data regarding students.

42 USC 405(c)(2)(C)(viii)(I): Social security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law, enacted on or after October 1, 1990, are confidential and non-disclosable.

20 CFR 603.4 and 20 CFR § 603.9: Require state unemployment compensation (UC) agencies to establish procedures to protect the confidentiality of information against unauthorized access, disclosure or redisclosure. 20 CFR 603.5 authorizes state unemployment compensation agencies to share wage and claim data with certain requesting agencies, but only for the purpose of verifying eligibility for, and the amount of, benefits. These provisions also apply to the State Wage Interchange System (SWIS), which is an interstate data exchange system that facilitates the exchange of UC wage records for use by participating states in assessing and enhancing the performance of various programs identified in the Workforce Innovation and Opportunity Act (WIOA).

42 CFR 435.910: Requires Medicaid applicants to furnish state Medicaid agency with their social security number. But, agency must advise applicant of legal authority for requesting SSN, and how the agency will use the SSN (i.e., verifying income, eligibility, and amount of assistance); assist applicant in obtaining an SSN or other evidence if they do not have one; and not delay services to an otherwise eligible individual.

RC § 149.45: Defines “personal information” to include social security numbers, driver’s license numbers, state identification numbers, state and federal taxpayer identification numbers, financial account numbers, and credit and debit card numbers, which are all exempt from treatment as public record under RC 149.43(A)(1)(dd). Also prohibits public offices from making Social Security numbers available to the general public on the Internet without first redacting, encrypting or truncating the SSN. In addition, an individual may ask a public office or employee to redact/remove the individual's federal tax ID number, driver's license number and bank account number (and protective services workers, prosecutors, and other designated public service workers can also ask that their residential and familial information be redacted) from any public website. The public office must, within five business days of receiving a request to do so, either redact the personal (and sometimes residential/familial) information from internet postings, or explain to the requester why the redactions are impracticable. A public office or employee is not liable in damages in a civil action for any harm an individual sustains as a result of including the individual's personal information on the Internet, unless the public office or employee acted with malicious purpose, in bad faith, or in a wanton or reckless manner.

RC § 1347.12: Sets forth procedures for public entities, except for HIPAA-covered state entities, when they become aware of electronic security breaches, which often include names and social security numbers (see also AG's authority to investigate breaches in 1347.191; and penalties that court can impose in 1349.192). 9/29/15.

RC § 5101.181and RC § 5101.182: State that the director of job and family services, county director of job and family services, county prosecutors, attorney general, auditors of state or any agent or employee of those officials having access to information or documents received as a result of a Social Security number match of public assistance recipients and Ohio income tax records, workers compensation records, state retirement records, and state personnel records may not divulge information from these matches except to determine overpayments, audits, investigations, prosecution, or in accordance with a proper judicial order. Any person violating these sections shall be disqualified from acting as an agent or employee or in any other capacity under appointment or employment of any state or county board, commission, or agency.

OAC rule 5101:1-1-03: Makes all information and records collected, received or maintained by ODJFS or a CDJFS concerning an applicant for, or recipient or former recipient of, OWF or PRC (TANF) benefits confidential. The rule describes under what general circumstances the information can be released, the forms needed to authorize information releases, and procedures to follow if information is requested through court process, including immediately notifying the recipient of the request and informing the court of the laws and regs prohibiting disclosure. Also restricts ODJFS and county DJFS use of retirement, survivors and disability insurance (RSDI), supplemental security income (SSI), and benefit earnings exchange records (BEER) information from the Social Security Administration (SSA) to “routine use” and requires approval from beneficiary or SSA for non-routine use. Also requires that disclosures of SSA-provided information to non-ODJFS/CDJFS employees be recorded, even when it is a routine use, and that the records be retained for five (5) years. Federal tax information (FTI) and unearned income information provided by the Internal Revenue Service (IRS) is only to be used for determining TANF and SNAP eligibility and the amount of benefits, and can only be shared with the subjects of the information and their duly appointed representatives with explicit authority to obtain tax return information. Disclosure awareness training for state/county employees with FTI access, standardized record-keeping for requests and disclosures of FTI, and special safeguarding and access limits for SSA and IRS data are also described in the rule. 2/1/22.

OAC rule 5101:1-3-09: Describes the social security number requirement for the Ohio Works First (OWF) cash assistance program. 2/1/22.

OAC rule 5101:4-3-22(H): Sets out the acceptable purposes for utilizing a SNAP/Food Assistance recipient's social security number. 1/1/23.

3.VOTER REGISTRATION

RC § 111.42: Allows victims of domestic violence, stalking, human trafficking, rape, or sexual battery to apply to the Ohio Secretary of State for an address designated by the Secretary of State, to serve as that individual’s mailing address, and to thereby shield their actual address from being accessed or viewed by the general public. This law affects ODJFS and county agency collection and treatment of client, employee and contractor addresses. However, RC §111.43(E)(1)(b)(iv) allows participants to complete a form authorizing the Secretary of State to disclose confidential address and other information for verification purposes, including to public assistance program administrators. Paragraph (E)(3) prohibits redisclosure of information. 4/29/22.

RC § 3503.10(E)(4): Sets forth requirements for designated public agencies (e.g., county DJFS) to assist individuals with voter registration, including keeping certain information confidential, such as the identity of the public agency through which a person registered to vote, or updated his/her voter registration, or declined to register to vote. Purpose is to avoid divulging that a particular registered voter is an applicant for/recipient of either public assistance, or some other service/benefit administered by/through ODJFS and its county counterparts, which would violate recipient confidentiality. 9/26/2003.

4.AUDITS

2 CFR 200.337: Non-federal entities must give the federal inspector general, comptroller, awarding agency, and pass-through entity timely and reasonable access to any records or personnel the non-federal entity has, that are pertinent to the federal award, for the purpose of audits, examinations, interviews, excerpts, and transcripts. However, the federal awarding agency, pass-through entity and authorized representative should only be given access to the true names of crime victims in extraordinary and rare circumstances, and not for “routine monitoring.” 11/12/20.

2 CFR 200.338: While non-federal entities are not generally subject to federal FOIA requirements (5 USC 552), federal awarding agencies cannot place restrictions on the non-federal entity’s disclosure of its records to the public, except for personally identifiable information and other information contained in those records that would be considered exempt/confidential. 11/12/20.

RC §121.22(D)(2)&(D)(12): Exempts the following meetings from the open meetings (Sunshine laws) requirements-(1) Audit conferences between ODJFS audit staff and officials of the public office (county DJFS or CSEA) being audited, and (2) Audit conferences between the state auditor/independent CPA and officials of the public office (ODJFS) being audited. 4/7/23.

RC §5101.37(D): Makes audit reports, working papers and other audit-related records non-public, until they are formally released by ODJFS. 9/29/11.

B.FOOD ASSISTANCE/SUPPLEMENTAL NUTRITION ASSISTANCE PROGRAM (SNAP)

Federal Laws and Regulations:

7 USC 2015(d)(4): Requires states to implement an employment and training program.

7 USC 2018(c): Limits access to and disclosure of information provided to ODJFS and counties by retail food stores and wholesale food concerns, such as income and sales tax filings, purchase invoices, EBT equipment records, and transaction and redemption data provided through EBT system. Information can only be used for administration of the food assistance program (SNAP) and women, infants and children (WIC) program, and related investigations and enforcement. See also 7 CFR 278.1(q), which reiterates that ownership information and sales and redemption data may be used for SNAP/WIC program administration, investigation and enforcement, but imposes additional restrictions on which parties may access, use and disclose employer identification numbers (EINs) & social security numbers (SSNs), and for what purposes.

7 USC 2020(e)(8): Requires that states have safeguards in place to protect information obtained from SNAP applicant households, and lists what uses and disclosures are permissible, and to which parties, for what purposes, and under what conditions information about food assistance applicants and recipients may be disclosed.

7 CFR § 272.1(c): Restricts the release of information obtained from food assistance applicants/recipients to specific persons and situations. They are: (1) persons directly connected with the administration or enforcement of the Food Assistance Act; other federal assistance programs and federally-assisted State programs providing assistance on a means tested basis to low income individuals; and, general assistance programs that are subject to the joint processing requirements in 7 CFR §273.2(j)(2); (2) persons directly connected with the administration or enforcement of programs required to participate in the State Income Eligibility Verification System (IEVS), to the extent SNAP information is useful in verifying eligibility or benefit amounts under those [other] programs; (3) persons directly connected with verification of immigration status of aliens applying for SNAP through the Systematic Alien Verification for Entitlements (SAVE) program, to the extent needed to identify the individual for verification purposes; (4) persons directly connected with administration of Title IV-D child support, and to assist federal HHS employees in verifying eligibility for Disability benefits under Titles II and XVI of the SSA; (5) employees of federal comptroller for audit purposes; (6) local, state or federal law enforcement officials in connection with Food Assistance Act violations (must be in writing and contain identity of individual requesting information, authority to do so, violation being investigated, and identity of person being investigated) or (7) if assistance group (AG) member is fleeing to avoid prosecution or custody for a crime that would be classified as a felony or who is violating a condition of probation or parole (in which case AG member's address, SSN and photo may be released to law enforcement, but only after law enforcement officer provides the name of the individual being sought); (8) local educational agencies administering the national school lunch or breakfast program, for purposes of certifying the eligibility of school-aged children for receipt of free meals, based on their receipt of SNAP; and (9) written request from food assistance recipient or authorized representative except for information concerning the nature or status of a pending criminal prosecution or the identity of informants. It should also be noted that the persons receiving the information must protect the information from unauthorized disclosure to other persons. General information that does not identify specific food assistance applicants or recipients are "public records" and must be made available to the general public upon request.

7 CFR § 273.2(f)(4): states "When talking with collateral contacts, State agencies should disclose only the information that is absolutely necessary to get the information being sought. State agencies should avoid disclosing that the household has applied for SNAP benefits, nor should they disclose any information supplied by the household…or suggest that the household is suspected of any wrong doing."

State Statutes and Rules:

RC § 5101.26: Sets out definitions of terms for confidentiality purposes. Effective 9/29/11, 10/01/11 and 9/29/13, various amendments separated "medical assistance recipient" from the definition of "public assistance recipient" by defining "public assistance" as "financial assistance or social services that are provided under a program administered by [ODJFS] or a county agency…" and stating that ““Public assistance” does not mean medical assistance provided under a medical assistance program, as defined in 5160.01 of the Revised Code.”

RC § 5101.27: Sets out confidentiality requirements for all non-medical public assistance (PA) programs, including OWF, PRC, and child care subsidies. Section (C) requires ODJFS to release the minimum information necessary about a public assistance recipient who receives publicly funded child care, to the Ohio Department of Health or tuberculosis control unit, for purposes directly connected to a public health investigation related to RC 3301.531 or 5104.037, but only if ODJFS is unable to timely obtain voluntary, written authorization from the recipient and to the extent permitted by federal law. ODJFS must immediately notify the public assistance recipient of any release of their information that is based on Section (C). 4/12/21.

RC § 5101.272: RC §5101.272:Sets out what elements public assistance recipients must include in a written authorization form, to allow ODJFS and/or county DJFSs to disclose recipient information to third parties and the recipient’s legal counsel, as described in RC 5101.27(D) and (E). The release authorization provisions for medical assistance recipients are in RC 5160.46.

OAC rule 5101:4-1-13: Paragraph (C) governs the disclosure of SNAP/Food Assistance information. This section reflects RC Chapter 1347, 7 USC 2020(e)(8) and 7 CFR §272.1. Paragraph (D) requires that parties receiving information under (C) adequately protect it from unauthorized access and redisclosure. Paragraphs (D) and (E) state that IEVS information and FTI data are subject to additional federal safeguarding requirements imposed by the SSA and IRS, including IRS Pub. 1075; that federal and state wage and unemployment benefit information must only be used to determine SNAP eligibility and benefit amounts; and that SNAP assistance group information must not be recorded by SSA and IRS staff. 3/1/23.

OAC rule 5101:4-2-09(I)(2): States that a release signed by a SNAP/Food Assistance applicant or recipient is not necessary when a CDJFS is attempting to secure verification from collateral sources for food assistance eligibility purposes. However, the county agency should disclose only the information that is absolutely necessary to get the information being sought and avoid disclosing that the assistance group (AG) has applied for SNAP. No information provided by the AG may be disclosed to the collateral contact, and there must be no suggestion that the AG has provided any incorrect information. Paragraph (J) cites OAC rule 5101:4-7-09 as governing the release of Income & Eligibility Verification System (IEVS) information. 9/1/21.

OAC rule 5101:4-3-07(I): Requires a county agency to report to ODJFS, when an applicant or recipient is “known to be an illegal alien,” as determined by findings or conclusions made as part of a formal determination by the U.S. citizenship and immigration services (USCIS) under U.S. DHS. 2/1/21.

OAC rule 5101:4-3-22(H): Sets out the acceptable administrative purposes for utilizing a SNAP/Food Assistance recipient's social security number. 1/1/23.

OAC 5101:4-7-08: Requires county DJFSs to use the Office of Child Support’s national directory of new hires and state directory of new hires to ensure that all employment has been reported, verified and used appropriately when determining SNAP eligibility. After receiving an alert of a new hire match in the statewide automated eligibility system, the county agency must contact the assistance group to obtain verbal and documentary verification of employment and income.

OAC rule 5101:4-7-09: Rule pertains to use of IEVS in food assistance program. In general, unemployment compensation benefit information, SSI and social security data are verified upon receipt, whereas county agencies must independently verify IRS information, federal wage information obtained through the Benefit Earnings Data Exchange (BENDEX) from SSA, and state wage information obtained from the state unemployment office. The rule also specifies the types of independent verification that can be done, and the actions that county agencies must take when information is received as a result of data exchange agreements. Paragraph (G) restricts county usage of IEVS information to program administration (i.e., determining assistance group's eligibility for SNAP, the amount of SNAP, and SNAP investigations and prosecutions), and Paragraph (J) says that IEVS match information may only be disclosed as permitted in OAC rule 5101:4-1-13. Paragraph (K) requires that ODJFS and the county agencies keep a record of any release of confidential IEVS information (federal tax information (FTI), including SSA match data) to any non-ODJFS/county agency employee, for at least three years, or during the active life of the application (whichever is longer). County/state workers must record details of the disclosure(s) in the applicant's case file, and the county must keep track of it in BENDEX. Paragraph (I) says that matches containing FTI are confidential, must be safeguarded as required in OAC rule 5101:4-1-13, must be stored in a place physically safe from access by unauthorized individuals, and cannot be commingled with the rest of the case record. 6/1/22.

OAC rule 5101:4-8-30(F): Requires safeguarding of tax information used for the SNAP/Food Assistance Treasury Offset Program (TOP). 3/1/20.

OAC rule 5101:9-22-15: This ODJFS internal management rule defines “personal information” and states that release of personal information is governed by exemptions to public records listed in RC 149.43(A), the Personal Information Systems Act (RC Chapter 1347), and dozens of federal and state laws and regulations like the ones listed in this Manual that make applicant, recipient, and participant information confidential or non-public. The rule also requires that individuals who are authorized to access and use personal information in ODJFS-maintained systems take reasonable precautions to protect the personal information from unauthorized use, disclosure, modification or destruction, and take role-based and job-specific security and privacy training; that aggregate data be masked in accordance with Section III of IPP 3002; that privacy impact assessments be completed for new and existing systems containing personal information, to ensure that the appropriate level of privacy and security measures are in place; and that data breaches and exposures be reported to the chief inspector, chief privacy officer, and chief information security officer. Disciplinary action can be imposed for intentional violations by employees, and questions regarding permissible and impermissible disclosures can be addressed to agency legal counsel. 3/24/22.

C.TEMPORARY ASSISTANCE for NEEDY FAMILIES (TANF) and/or CASH ASSISTANCE

(Ohio Works First & Prevention, Retention and Contingency)

Programs established in Ohio under Title IV-A include all programs that are funded in part with the federal Temporary Assistance for Needy Families (TANF) block grant established by Title IV-A of the Social Security Act, 110 Stat. 2113 (1996), 42 U.S.C. 601, as amended. These programs include Ohio Works First (OWF) established and administered in accordance with Chapter 5107 of the Revised Code, the Prevention, Retention and Contingency (PRC) Program established and administered in accordance with Chapter 5108 of the Revised Code. There are also Title IV-A programs established by the General Assembly or Governor’s Executive Order that are administered or supervised by ODJFS pursuant to section 5101.801 of the Revised Code that are not considered “assistance,” and are instead classified as “benefits” or “services”.

Federal Laws and Regulations:

42 USC § 602(a)(1)(A)(iv): Requires the states under TANF to take such reasonable steps as the State deems necessary to restrict the use and disclosure of information about individuals and families receiving assistance under the program attributable to funds provided by the Federal Government.

42 USC § 608(a)(9)(B): Requires the states to furnish a federal, state or local law enforcement officer, upon the request of the officer, with the current address of any TANF recipient if the law enforcement officer needs the address to conduct the officer's official duties and the location or apprehension of the recipient is within such official duties. However, the officer must furnish the state agency or county agency with the name of the recipient.

45 CFR § 205.50: Use or disclosure of information concerning applicants and recipients of financial assistance under Title IV-A (funded with TANF) is limited to purposes directly connected with: (1) administration of the plan or program; (2) investigations, prosecutions, or criminal or civil proceedings conducted in connection with the administration of any such plans or programs; (3) the administration of any other federal or federally assisted program which provides assistance, in cash or in kind, or services, directly to individuals on the basis of need; (4) information to the Employment Security Agency as required by law; (5) audits conducted in connection with the administration of any such plan or program, by a government entity authorized by law to conduct such audits; (6) administration of a state unemployment compensation program; and (7) reporting to the appropriate agency or official information on known or suspected child abuse or exploitation, or negligent treatment or maltreatment of a child receiving aid under circumstances which indicate that the child's health or welfare is threatened.

Information to be safeguarded includes at least: (1) names and addresses of applicants and recipients and amounts of assistance provided; (2) information related to a person's economic and social conditions; (3) evaluation of information concerning a particular individual; and (4) medical data. Release or use of information concerning applicants or recipients is restricted to those persons who are subject to standards of confidentiality comparable to those of the agency administering the financial assistance program. Generally, notice and consent of an individual is required to release information to an outside source. Courts must also be informed of statutory provisions, rules, and policies against disclosure when recipient or applicant information is subpoenaed. This provision also applies to IV-E information.

ODJFS and/or the county agency may provide the address of a recipient to state or local law enforcement upon request, if law enforcement first provide the state or local agency with the recipient’s name and social security number, and satisfactorily demonstrate that the recipient is a fugitive felon (as defined by the State), the location or apprehension of such felon is within the law enforcement officer’s official duties, and the request is made in the proper exercise of those duties.

State Statutes and Rules:

RC § 307.983: Each board of county commissioners is required to establish a plan of cooperation with the county family services agencies and workforce development entity serving the county specifying how such agencies will exchange information and coordinate and enhance services and assistance to individuals and families.

RC § 307.987: To the extent permitted by federal law and regulations and state law and rules, contracts entered into by the board of county commissioners, plans of cooperation, regional plans of cooperation, a transportation work plan, and procedures established for providing services to children who are frequently relocated, shall permit the exchange of information needed to improve services and assistance to individuals and families and the protection of children. A private or government entity receiving such information shall be bound by the same standards of confidentiality as the entity that provides the information. Amended 3/24/21.

RC § 4123.27: Allows the sharing of recipient specific information related to OWF and PRC with the Bureau of Workers’ Compensation for matching purposes. BWC may only share names and SSNs of public assistance recipients who are also receiving workers’ comp, and the amount of workers’ comp, with the State Auditor. Statute also appears to permit sharing with the Governor, Attorney General and select or standing committees of the General Assembly.

RC § 5101.181: As part of the procedure for the determination of overpayments charged to a recipient of public assistance, the director of ODJFS shall furnish quarterly the name and Social Security number of each individual who receives public assistance to the Director of Administrative Services, the Administrator of the Bureau of Workers’ Compensation, and each of the state's retirement boards. These entities will in turn notify the state auditor as to whether such individual is receiving wages or benefits, and the amount. The Auditor of State and the Attorney General or their designees may examine any records whether in computer or printed format, in the possession of the Director of ODJFS or any CDJFS director. Safeguards restrict access to such records to purposes directly connected with an audit or investigation, prosecution, or criminal or civil proceeding conducted in connection with the administration of the programs, and compliance with rules of ODJFS restricting the disclosure of information regarding recipients of public assistance is required. The state auditor then determines whether an overpayment of public assistance occurred and thereafter notifies ODJFS.

RC § 5101.182: For purposes of determining overpayments, the statute permits ODJFS to report recipient names and SS #s to the tax commissioner, who then reports to the state auditor which recipients filed tax returns, and how much gross income the recipients received. The director of ODJFS, directors of CDJFS, county prosecutors, Attorney General, Auditor of State, or agent or employee of those officials having access to tax returns, or reports of amounts of federal adjusted gross income, names or addresses or other tax information of recipients of public assistance furnished by the tax commissioner for investigatory purposes under this section, shall not divulge or use any such information except for the purpose of determining overpayments of public assistance, or for an audit, investigation, or prosecution, or in accordance with a proper judicial order.

RC § 5101.273: RC §5101.272:Permits ODJFS to disclose public assistance recipient information to HHS and neighboring states to actively participate in a PA reporting information system. Eff. 9/29/13.

RC § 5101.28: Upon the request of ODJFS or a county DJFS, law enforcement agencies are required to verify whether a public assistance recipient is a fleeing felon or in violation of probation or parole. Upon the request of law enforcement, CDJFS and ODJFS must share information regarding recipients of OWF and PRC (but not medical assistance or services) with law enforcement agencies as defined in RC § 5101.26, for the purpose of investigations, prosecutions and criminal and civil proceedings that are within the scope of the law enforcement agency's official duties, as well as to the State Auditor's Office for statutory audit purposes. However, 45 CFR 205.50 only permits agencies administering TANF to disclose the recipient’s address; and, only if law enforcement provide the state or county DJFS with the name of the recipient, whatever other identifying information is needed to retrieve the recipient’s address, and satisfactorily demonstrate that the individual is a fleeing felon, that apprehension of the individual is within their official duties, and that the officer is properly exercising those duties.

RC §5101.30: Gives ODJFS authority to adopt rules in accordance with Chapter 119 of the Revised Code implementing sections 5101.26 to 5101.30 of the Revised Code and governing the custody, use, disclosure and preservation of the information generated or received by ODJFS, county agencies, other state and county entities, contractors, grantees, private entities, or officials participating in the administration of public assistance programs.

RC § 5101.80: ODJFS is the single state agency for the administration and supervision of the administration of all Title IV-A programs. No county or state agency administering a Title IV-A program may establish, by rule or otherwise, a policy governing a Title IV-A program that is inconsistent with a Title IV-A program established, in rule or otherwise, by ODJFS.

OAC rule 5101:1-1-36: This cash assistance rule references section 1137 of the Social Security Act, which requires that ODJFS develop an Income & Eligibility Verification System (IEVS). Ohio's IEVS is integrated into Ohio Benefits, which allows ODJFS to obtain information from its own office of unemployment insurance operations (OUIO) and the social security administration (SSA). Under IEVS, ODJFS matches public assistance applicant/recipient social security numbers with OUIO's wage records and unemployment compensation records, as well as SSA's benefit earnings exchange records (BEER), and SSI and RSDI benefit information provided by SSA to ODJFS’ state verification exchange system (SVES). If the source of the matched information is SSA, or some other federal agency, the information is considered federal tax information (FTI). Match information for IEVS which contains federal tax data must be protected from disclosure to unauthorized persons. The rule states that computer screen printouts or copies of letters mailed or received regarding FTI must be safeguarded in accordance with federal and state law and IRS Publication 1075. The rule requires that FTI not be commingled within the assistance group case record, because if it is commingled, the entire assistance group case record must be safeguarded in the same way as FTI, and labeled as SSA-provided FTI. See also OAC rules 5101:9-9-25, 5101:9-9-25.1, and 5101:9-9-26 for FTI restrictions. IEVS data is available to ODJFS and county DJFS employees for determining past and current eligibility. Aside from that IEVS data can only be released to the subject of the information, and details of all disclosures to non-ODJFS/CDJFS employees must be recorded and retained for five (5) years, including in the assistance group record and the county’s central file of IEVS disclosures. 12/1/18.

OAC rule 5101:1-3-10: Requires the CDJFS to collect and report various types of data regarding an assistance group to the CSEA.

OAC rule 5101:2-33-28: Requires PCSAs to engage in joint planning and sharing of information with CDJFS in certain circumstances, including for families receiving OWF. However, CDJFS is required to keep child abuse/neglect information that it receives in a separate file, not in the CDJFS’ case record, to help maintain confidentiality. 8/1/20.

D.MEDICAL

NOTE: THE INFORMATION IN THIS SECTION MAY NOT BE CURRENT OR ACCURATE. The Ohio Department of Medicaid (ODM) administers or oversees the administration of Medicaid-related assistance programs in Ohio. Therefore, to obtain the most current information regarding applicable federal and state confidentiality laws that apply to medical assistance records, contact ODM (legal@medicaid.ohio.govor mcdlegal@medicaid.ohio.gov) or visit Medicaid.Ohio.gov.

1.MEDICAID

Federal Laws and Regulations:

42 USC § 1396a(a)(5): State and local governments must perform Medicaid eligibility function, not private contractor. See also State Medicaid manual, Sections 2905 and 2909(B) & (C).

And, 42 USC 1396a(a)(7) requires state agencies to provide safeguards that restrict use or disclosure of information about Medicaid applicants/recipients to purposes directly connected with (a) state plan administration and (b) the exchange of information necessary to verify certification of children's eligibility for free or reduced school breakfast/lunch. State agencies are bound by these requirements, as further interpreted in 42 CFR 431.300 to 431.307, which require that use and disclosure of applicant and recipient info only be permitted when directly connected to the administration of the State Plan.

Also, 42 USC 1320b-7 allows ODJFS to operate IEVS as part of Ohio Benefits, but IEVS data is provided to us by the U.S. Treasury Dept. under 26 USC 6103(I)(7), and only entities covered by 26 USC 6103 can access IEVS/ Ohio Benefits.

42 USC § 1396r-8(b)(3)(D): Information disclosed by manufacturers or wholesalers in relation to the best price for outpatient drugs is confidential and shall not be disclosed by the Secretary of HHS or Veterans Affairs, or by the state (ODJFS/ODM) or its contractor, in a form which discloses the identity of a specific manufacturer or wholesaler, prices charged for drugs by such manufacturer or wholesaler, except as the Secretary of HHS determines to be necessary to carry out related regulations, and to permit the Comptroller General, Director of the Congressional Budget Office (CBO), Medicare Payment Advisory Commission, and Medicaid Payment & Access Commission to review the information.

42 CFR Part 2: Serves to protect patient records created by federally assisted programs for the treatment of substance use disorders (SUD), and lists restrictions on redisclosure.

42 CFR § 431.10: Single state agency must perform Medicaid administrative function. See also Chapter 2 of the State Medicaid Manual.

42 CFR § 431.300: Access to, and use and disclosure of, Medicaid information of applicants and beneficiaries (recipients) must be safeguarded by the state, so that it is restricted to purposes directly connected with the administration of the Medicaid program.

42 CFR § 431.301 & SSA §1902(a)(7): requires state's Medicaid plan to provide safeguards that restrict the use or disclosure of information concerning applicants/recipients to purposes directly connected with plan administration. 42 CFR Part 431, Subpart F.

42 CFR § 431.302: Says that purposes directly related to state plan administration of the Medicaid program include: (1) establishing eligibility; (2) determining the amount of medical assistance; (3) providing services for beneficiaries (recipients); & (4) conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to plan administration.

42 CFR § 431.305: Specifies the types of Medicaid information that must be safeguarded, including: (1) names and addresses; (2) medical services provided; (3) social and economic conditions or circumstances; (4) agency evaluation of personal information; (5) medical data, including diagnosis and past history of disease or disability; (6) any information received for verifying income eligibility and amount of medical assistance payments (income information received from the SSA or IRS must be safeguarded according to the requirements of the agency that furnished the data); (7) any information received in connection with the identification of legally liable third party resources under RC §433.138, and (8) social security numbers.

42 CFR § 431.306: Requires ODM to establish rules governing the release and use of Medicaid information and persons who receive the information must be subject to a confidentiality standard comparable to those of the state. These regulations require notification and the obtaining of permission from the subject of the information before responding to a request for information from an outside source unless there is an emergency situation wherein the subject of the information must be notified immediately after the release, or the information is used to verify income and determine eligibility. Section (f) requires that, pursuant to a court subpoena of a person's Medicaid information, the court must be informed of applicable statutory provisions, policies, and regulations restricting disclosure of information. Sections (g) and (h) require data exchange agreements if information is shared in certain situations.

42 CFR § 435.904: While "initial processing" of Medicaid applications may be contracted out to non-employees, initial processing excludes evaluating Medicaid application information and supporting documents, as well as making eligibility determinations. Only state/county employees can make eligibility determinations. State/county contractors can only do "initial processing", which excludes eligibility determinations.

42 CFR § 435.945: Requires the Ohio Department of Medicaid to verify Medicaid eligibility and the amount of medical assistance payments. Requires that the eligibility and medical assistance payment information be supplied to other agencies in the state, agencies in other states and to federal programs for programs listed in 42 CFR §435.948(a) (AFDC, Medicaid, State-administered supplementary payment programs under Section 1616(a) of the Act, SWICA, Unemployment Compensation, Food Assistance, and any state program administered under a plan approved under Title I, X, XIV or XVI); child support enforcement program under Title IV-D; SSA for old age, survivors and disability benefits under title II; and in relation to SSI benefits under Title XVI. The regulation requires that applicants and persons being redetermined for eligibility be informed that the agency will obtain and use information available to it to verify income and eligibility or for other purposes directly connected to the State plan. This regulation also requires written agreements with other agencies before releasing data or requesting data from other agencies, and requires that all agreements include provisions for safeguarding and limiting the use and disclosure of information.

42 CFR § 483.315(i): Specifies under what circumstances data from the federal Resident Assessment Instrument (RAI) for long term care facilities can be released.

45 CFR § 95.621: Provides that State agencies are responsible for the security of all automated data processing systems involved in administration of HHS programs, and requires establishment of a security plan that includes policies and procedures on physical security of ADP resources, personnel security, and software and data security. Also requires state agencies to conduct biennial review and evaluation of physical and data security operating procedures and personnel practices.

45 CFR § 160 Subpart A, B and C: These are the general provisions of the Health Insurance Portability and Accountability Act (HIPAA) which define certain terms, speak to applicability of the Act and relationship of the Act to state laws. HIPAA-covered entities include health plans, and the definition of ‘health plan’ includes state Medicaid programs.

45 CFR Part 164, Subparts A, C and E: These are the security and privacy regulations governing covered entities’ and their business associates’ use, disclosure, and safeguarding of protected health information (PHI) and electronic PHI (ePHI). Subpart C (known as the security rule) sets forth administrative, technical and physical standards for protecting ePHI, and Subpart E (known as the privacy rule) sets forth privacy standards for use and disclosure of PHI.

State Statutes and Rules:

RC § 109.85: Authorizes JFS to seek assistance from AG's Office in Medicaid fraud investigations, but does not prohibit county prosecutors from investigating and prosecuting Medicaid fraud.

RC § 173.20: Gives the Department of Aging Long Term Care Ombudsman, under certain circumstances and unless prohibited by law, access to any records, including medical records of a nursing facility resident that are reasonably necessary for investigation of a complaint.

RC § 173.22: Makes the investigation files of the Department of Aging Long Term Care Ombudsman non-public and allows disclosure of the records only at the discretion of the state ombudsman, the regional program maintaining the records, or by court order.

RC § 339.81: States that any information, data and reports regarding a case of tuberculosis that are furnished to, or procured by, a county or district TB control unit or the Dept. of Health, shall be confidential and used only for statistical, scientific, and medical research for the purpose of controlling TB in Ohio. No physician, hospital or other entity furnishing information, data or reports pursuant to this chapter shall by reason of such furnishing be deemed to have violated any confidential relationship, be held to answer for willful betrayal of a professional confidence, or be held liable in damages to any person.

RC §§ 2305.24 and 2305.251: Concerns confidentiality of information furnished pursuant to hospital utilization review, peer review & quality assurance review. These statutes may be marginally relevant if ODJFS obtains these records through Medicaid related reviews and subpoenas are issued which may encompass this information.

RC § 3701.028: No person or government entity receiving certain information from the Health Department relating to the program for medically handicapped children and of programs funded with funds received from the "Maternal and Child Health Block Grant" Title V of the "Social Security Act," 95 Stat. 818 (1981), 42 U.S.C.A.§701, as amended, may release that information without the consent of the subject of the information or the subject's guardian (if the subject is a minor) except as necessary to administer the program for medically handicapped children or other programs funded with money received from the "Maternal and Child Health Block Grant," coordinate the provision of services under the programs with other state agencies and city and general health districts, or coordinate payment of providers. The records that are subject to this statute are: records that pertain to medical history, diagnosis, treatment, or medical condition; reports of psychological diagnosis and treatment and reports of social workers; and reports of public health nurses.

RC § 3701.243: Prohibits state or local governments that acquire certain AIDS related information while providing any health care services from disclosing or compelling another to disclose the information unless the release falls within exceptions contained in sections 3701.243 or 3701.248. The information protected under Section 3701.243 is: the identity of a person on whom an HIV test in performed; the results of an HIV test that would identify a person or the identity of a person who has been diagnosed with AIDS or an AIDS-related condition. 4/6/23.

RC § 3701.74: Allows patients, their representatives, and other authorized persons the right to examine or obtain copies of the patient’s medical records from the patient’s health care providers. If a health care provider fails to furnish the requested records, the person making the request may initiate a civil action against the health care provider, to enforce their right to access the records. 4/6/23.

RC §3701.741: Requires health care providers and medical records companies to provide state and county DJFS with one free copy of medical records upon their request. Also says how much copy charges can be. 9/29/13.

RC § 3701.75: Governs use of e-signatures for any health care records maintained by the Department of Health, and requires that each state department adopt a policy on usage.

RC § 3701.9310: Information, data, and records about a decedent, which is collected for use and maintained by the Ohio violent death reporting system including, but not limited to, medical records, coroner investigative records, and laboratory reports, are confidential. This information is also not subject to a subpoena, discoverable, or admissible in civil or criminal proceedings (see 3701.9311). However, the director of Health may adopt rules and establish standards and procedures to make this information available to researchers (see 3701.9312).

RC § 3798.02: For purposes of eliminating barriers to the adoption and use of electronic health records and health information exchanges, the legislative intent in enacting ORC Chapter 3798 is to make state law governing a covered entity's use and disclosure of protected health information (PHI) no more stringent than the HIPAA privacy rule, and to supersede any judicial/administrative rulings that are inconsistent with ORC Chapter 3798.

RC § 3798.03: A covered entity must make PHI it maintains available to the subject of the information or to his/her personal representative, in accord with 45 CFR 164.524, and a covered entity must maintain administrative, technical & physical safeguards to protect the privacy of PHI, in accord w 45 CFR 164.530(c).

RC § 3798.04: A covered entity is prohibited from using or disclosing PHI in a manner inconsistent with 45 CFR 164.502; or without an authorization that is valid under 45 CFR 164.508 &, if applicable, 42 CFR part 2, except as permitted under Subchapter C of Subtitle A of CFR Title 45.

RC § 3798.07: Whenever a covered entity discloses PHI to a health information exchange without a valid authorization, the covered entity must comply with applicable federal disclosure laws for PHI, written requests from the individual or his/her representative, and state laws governing a minor's receipt of medical care and to make his/her own medical decisions. However, Section (B) says that any added requirements in (A) do not supersede certain state laws, rules and codes, which may require either disclosure or confidentiality. So, conflicts between Section (A) and Section (B) are resolved in favor of Section (B). 10/17/19.

RC § 3798.10: Authorizes/requires the Director of the Ohio Department of Medicaid to adopt rules regarding a standard [release] authorization form for the use & disclosure of PHI by Ohio covered entities. A person or government entity can accept a form other than the one the Director prescribes, as long as it meets all the requirements specified in 45 C.F.R. 164.508 and, if applicable, 42 C.F.R. part 2.

RC § 3798.12: Section (A) says that ORC Chapter 3798 supersedes all other ORC sections, OAC rules, guidances, orders and ordinances, when it comes to the confidentiality, privacy, security, or privileged status of PHI maintained in, or transacted or accessed through a health information exchange, EXCEPT for those specified in Section (B).

RC § 3798.13: Requires Ohio’s Medicaid Director to adopt rules regarding the criteria a person must meet to be considered a minor, when he/she is mentally/physically disabled and under the age of 21.

RC § 5101.26: Sets out definitions of terms for confidentiality purposes. Effective 9/29/11, 10/01/11 and 9/29/13, various amendments separated "medical assistance recipient" from the definition of "public assistance recipient" by defining "public assistance" as "financial assistance or social services that are provided under a program administered by [ODJFS] or a county agency…" and stating that "Public assistance does not mean medical assistance provided under a medical assistance program, as defined in 5160.01 of the Revised Code…"

RC § 5160.39: Third party insurers or insurance programs which may be liable to pay all or part of the medical costs of a Medicaid applicant/recipient may give or receive confidential information regarding such applicants/recipients, upon request of the Ohio Department of Medicaid (ODM). ODM must limit its use of information gained from such third parties to purposes directly connected with the administration of the Medicaid program and the child support program authorized by Title IV-D of the Social Security Act. No third party may disclose to other parties or make use of any information regarding recipients of medical assistance that the third party receives from ODM.

RC § 5160.45: Sets out confidentiality requirements for all medical assistance programs and limits disclosures to purposes directly connected with administration of a medical assistance program, and to the recipient, or his/her own authorized representative, legal guardian or attorney, if the recipient's attorney has obtained a release authorization that meets the requirements of RC 5160.46.

RC § 5160.46: Sets out the required elements of a release authorization form allowing the disclosure of medical assistance recipient specific information. See also 45 CFR 164.508(c), which contains 8 elements required in any HIPAA-compliant release, including (a) identifying the information being sought in a specific, meaningful way; (b) providing an expiration date or event that relates to the purpose of disclosure; and (c) informing the individual of her/his/their right to revoke. 9/29/13.

RC § 5160.48: Requires the Medicaid director to set out in administrative code rules procedures for the release of information.

RC § 5162.03: For the purpose of section 1902(a)(5) of the Social Security Act and 42 USC 1396a(a)(5), the Ohio Department of Medicaid is the single state agency for the supervision of the administration of the Medicaid program. As the single state agency, ODM shall comply with 42 CFR 431.10(e) and all other federal requirements.

RC § 5163.40: Healthy Start Program applications must require no more info than is necessary for making Healthy Start eligibility determinations.

RC § 5164.341(E): BCII report on independent Medicaid HCBS Waiver providers is not public and may only be released to subject of check or their representative, Medicaid staff if needed for purposes of program administration, Medicaid department's designee, individual receiving or deciding whether to receive home & community-based services from the subject of the check, and court or other necessary individual involved in a case dealing with a denial or termination of a provider agreement related to the criminal records check, or civil or criminal action regarding the Medicaid program.

RC § 5164.342(H): Report of criminal records check on waiver agency employees and job applicants is not public and may only be released to subject of check or their representative, chief administrator of agency requesting check, Ohio Department of Medicaid staff for program administration purposes, Director of Aging if waiver agency is also a community-based long-term care provider or subcontractor, individual receiving or deciding whether to receive home & community-based services from the subject of the check, and court or other necessary individual dealing with case involving employment, UC, or civil or criminal action regarding Medicaid program.

RC § 5164.756: States that information shared with the Ohio Department of Medicaid by drug companies in relation to determining drug rebates are not public records, and shall be treated as confidential by the Dept.

RC § 5165.88: Provides that, unless required by court order or needed for other limited purposes specified in RC 5165.88, ODJFS and any contracting agency shall not release the identity of any resident of a nursing facility; the identity of any individual who submits a complaint about a nursing facility; the identity of any individual who provides the department or agency with information about a nursing facility and has requested confidentiality; or any information that would reasonably tend to disclose the identity of any individual described previously. Also says that records containing information concerning the aforementioned persons are non-public records under RC §149.43.

RC § 5302.221: Medicaid estate recovery program administrator must create a form and provide it to Ohio county recorders offices. County recorders must then ensure that a copy of the form is provided to the beneficiary of a transfer on death designation (or the beneficiaries representative) prior to recording the realty transfer. Beneficiaries who indicate on the form that the deceased owner or predeceased spouse were on Medicaid, or who do not know if they were on Medicaid, must submit the completed form to the administrator of the Medicaid estate recovery program. 4/6/17.

OAC Rule 5160-1-32: This rule pertains to "safeguarding & releasing [Medicaid] information". 1/13/17.

OAC rule 5160:1-1-04: This rule pertains to "Medicaid: Income & Eligibility Verification System (IEVS)."

OAC rule 5160-1-08(M): In conjunction with ORC 5160.37, requires Medicaid consumer to notify ODM prior to initiating any action against a liable third party. And, if a Medicaid consumer or individual acting on the behalf of a consumer, requests a financial statement (a claim) from a Medicaid provider for services paid by or billed to ODM, the rule requires the Medicaid provider to (1) require that the Medicaid consumer or representative make the request in writing; (2) notify ODM immediately after receiving a written request, and forward a copy of the request for financial statements to the ODM bureau of claims operations, (3) release the financial statement to the Medicaid consumer or representative within 30 days of receiving the written request, and (4) put specific language regarding ODM's right of recovery on any records released to either the Medicaid consumer or individual acting on his/her/their behalf. 9/16/19.

OAC rules5160-45-07 and 5160-45-08: Sets forth the process and requirements for criminal records checks of current and prospective employees of agency and non-agency (or independent) providers of home and community-based services (HCBS). Paragraph (D) of both rules says that reports of any criminal records checks conducted by BCII in accordance with these rules are not public records for purposes of ORC 149.43, and shall only be made available to individuals listed in the rules. 4/1/18.

OAC rule 5101:6-50-07: Allows, when an RC Chapter 119 hearing has been requested, discovery of any matter that is not privileged or confidential and that does not involve an action under RC Chapters 5103 and 5104 (certification of children’s residential facilities and child day care licensing).

2.HIPAA: Health Insurance Portability and Accountability Act of 1996 (45 CFR Parts 160 and 164)

HIPAA is a federal law that governs covered entities’ and their business associates’ uses and disclosures of protected health information or PHI.

45 CFR 160.103 defines "covered entity" as health plans, health care clearinghouses, and health care providers that transmit any health information in electronic form in connection with a covered transaction.

45 CFR 160.103 also defines "business associate" as:

(i)A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.

(ii)A person that offers a personal health record to one or more individuals on behalf of a covered entity.

(iii)A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

The Ohio Department of Medicaid (ODM) is considered a "covered entity" as a Health Plan for the Medicaid program, the Children Health Insurance Programs (CHIP) and the Refugee Medical Program (RMP). Among other things, HIPAA restricts the release of protected health information (PHI) possessed by covered entities like ODM to third parties, and requires covered entities to release PHI to the subject of the PHI or her/his/their personal representative upon request. SSA and state DDS (Disability Determination Services) agencies are not covered entities, but health care providers performing consultative examinations (CEs) for SSA and DDS are subject to Privacy Act of 1974 and may be "covered entities". See HIPAA and the Social Security Disability Programs - Information for CE Providers (ssa.gov).

Subsequent to the July 1, 2013 creation of ODM, certain support offices within ODJFS, including the Office of Information Services (OIS) and Bureau of State Hearings, continued to perform services for ODM, and staff within those offices have likely continued to be HIPAA-covered when working on Medicaid-related matters. Moreover, ODJFS and ODM jointly supervise county departments of job and family services in their administration of the SNAP, TANF and Medicaid programs (which all utilize a statewide database named Ohio Benefits), and most CDJFS’s access, utilize and transmit PHI electronically.

Penalties for Non-compliance

HIPAA permits the Department of Health and Human Services, Office of Civil Rights (HHS OCR) to assess criminal and civil penalties for failure to protect PHI (See 42 USC 1320d-5 - 42 USC 1320d through 1320d-9) and civil penalties for failure to release PHI to the subject of the PHI or guardian of the subject of the PHI. See also Section IV of this Manual for applicable penalties.

Release of Information

RC 5160.45(D) and OAC 5160-1-32 specify the conditions under which information regarding Medicaid applicants and beneficiaries may be released. Generally, HIPAA would preempt state law, however under 45 CFR 160.203, state law is not preempted when it is more stringent than the standards and requirements of HIPAA. Federal and state Medicaid laws and regulations are more stringent than HIPAA with respect to the release of Medicaid applicant and recipient information to third parties. CHIPS I and II are under the same restrictions as Medicaid through RC §5160.45 and RC §5160.46.

Breach Notification

Each state must include in all contracts, a documented process to report improper use or disclosure of PHI. Notification of a security incident within Ohio Benefits should be immediately reported by the contractor to state staff, who in turn must report it immediately to the CMS Director of Division of State Systems.

Under 45 CFR Part 164, subpart D, HIPAA breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E, which compromises the security or privacy of the protected health information.

45 CFR 164.404(b) says that unless notification would impede law enforcement (see 45 CFR 164.412) notice to each individual whose PHI has been unlawfully accessed, acquired, used or disclosed must be made within 60 days. And, under 45 CFR 164.404(c) and (d), the notice must be in writing, include certain standard information, and be sent by first class mail to their last know address or, if agreed upon by the individual, electronic mail. If there is insufficient or outdated contact information, then "substitute notice" is permitted. Phone notice may be used in addition to the aforementioned methods, when the circumstances are urgent and there is an imminent risk of misuse of unprotected PHI.

45 CFR 164.408(c): Requires that covered entities, following the discovery of a breach of unsecured PHI involving fewer than 500 individuals, maintain a log or other documentation of each such breach and, within 60 days after the end of the calendar year, notify the HHS Secretary of all breaches that occurred during the preceding calendar year, as specified on the HHS website. For breaches involving 500 or more individuals, covered entities must notify the HHS Secretary "contemporaneously" with when they notify each individual whose PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach, which notice must be provided no later than sixty (60) days from the date the breach is discovered (see 45 CFR 164.404(a)). Notification to HHS Secretary and individuals affected by the breach may be delayed if law enforcement notifies the covered entity or business entity that notification would impede a criminal investigation or cause damage to national security (see 45 CFR 164.412).

42 USC 17901 to 17953: Federal laws on Health Information Technology (or HITECH). The HITECH breach notification provisions in 42 USC 17932 (HITECH §13402) are similar to the provisions in 45 CFR 164.404 and 164.408.

Per RC 5160.45 and OAC 5160-1-32, ODM is requiring each CDJFS to comply with certain portions of the HIPAA privacy requirements since these agencies have access to eligibility information and PHI for the medical programs cited above. For instance, 45 CFR 164.512(e) requires notice to the subject of the information that a subpoena for their information has been received, and also requires the party in receipt of the subpoena to make reasonable efforts to obtain a qualified protective order prior to release of any HIPAA-protected information. 45 CFR 164.512(f) describes the circumstances under which certain PHI may be disclosed by a covered entity to law enforcement. And, 45 CFR 164.514(b)(2) contains requirements for de-identifying an individual, including not identifying him/her to within the last two digits of his/her zip code (depending on the population size in a particular geographic area). 45 CFR 164.514(d) says that only the amount reasonably necessary to accomplish the purpose of the disclosure may be shared, in order to comply with any lawful disclosure request.

HIPAA security regulations can be found in 45 CFR 164, Subparts A & E, and set standards for the electronic transmission of PHI.

E.Child Welfare

(Adoption/Foster Care/Abuse-Neglect/PCSA/Child Fatality)

Federal Laws and Regulations:

42 USC §671(a)(8): Requires that all State plans involving foster care and adoption assistance provide safeguards which restrict the use or disclosure of information concerning individuals assisted under the State plan.

42 USC §671(a)(20)(B)(iii): Requires that all state plans have in place safeguards to prevent the unauthorized disclosure of information in any child abuse and neglect registry maintained by the State, and to prevent any such information obtained pursuant to this subparagraph from being used for a purpose other than conducting background checks in foster or adoptive placement cases.

42 USC §5106a(b)(2)(B)(viii): Federal grants for child protective services require a State plan to be coordinated with a State plan under Title IV, Part B of the Social Security Act (42 USC 621, et seq.), including an assurance (among other assurances) in the form of a certification by the Governor that the State is enforcing a state law, or has in effect and is operating a statewide program, relating to child abuse and neglect that includes methods to preserve the confidentiality of all records in order to protect the rights of the child and of the child's parents or guardians. The methods to preserve the confidentiality can include that reports and records made and maintained pursuant to the purposes of this Act only be made available to individuals who are the subject of the report; federal, state, or local government entities, or any agency of such entities having a need for such information in order to carry out its responsibilities under law to protect children from abuse and neglect; child abuse citizen review panels; child fatality review panels; a grand jury or court upon a finding that information in the record is necessary for the determination of an issue before the court or grand jury; and other entities or classes of individuals statutorily authorized by the state to receive such information pursuant to a legitimate State purpose. Last amended 1/7/19.

42 USC §5106a(b)(2)(B)(x): The state plan required by 42 USC 5106a(b)(1) also must include provisions which allow for public disclosure of the findings or information about the case of child abuse or neglect which has resulted in a child fatality or near fatality.

42 USC §5106a(c)(4)(B)(i): Members and staff of a state-established citizen review panel related to child abuse and neglect, child fatalities or foster care shall not disclose to any person or government official any identifying information about any specific child protection case with respect to which the panel is provided information and shall not make public other information unless authorized by state statute.

42 USC §5106a(c)(5)(A): Requires that each state that establishes a citizen review panel provide the panel access to information on cases that the panel desires to review if such information is necessary for the panel to carry out its functions.

42 USC §5106a(c)(6): Requires that each citizen review panel prepare and make available to the public, on an annual basis, a report containing a summary of the activities of the panel, and recommendations to improve the child protection services system at the state and local levels. Within six months thereafter, the appropriate State agency shall submit a written response to the recommendations.

45 CFR §205.50: The restrictions set out in this regulation were the same ones that restricted the release of TANF applicant, recipient and former recipient information. This regulation requires that the State plan for financial assistance under Title IV-A restrict the use and disclosure of information concerning applicants and recipients, to purposes directly connected with: (1) the administration of the plan or program; (2) investigations, prosecutions, or criminal or civil proceedings conducted in connection with the administration of any such plans or programs; (3) the administration of any other federal or federally assisted program which provides assistance, in cash or in kind, or services, directly to individuals on the basis of need; (4) information to the Employment Security Agency as required by law; (5) audits conducted in connection with the administration of any such plan or program, by a government entity authorized by law to conduct such audits; (6) administration of a state unemployment compensation program; and (7) reporting to the appropriate agency or official information on known or suspected child abuse or exploitation, or negligent treatment or maltreatment of a child receiving aid under circumstances which indicate that the child's health or welfare is threatened.

Information to be safeguarded includes at least: (1) names and addresses of applicants and recipients; (2) information related to a person's economic and social conditions; (3) evaluation of information concerning a particular individual; and (4) medical data. Release or use of information concerning applicants or recipients is restricted to those persons who are subject to standards of confidentiality comparable to those of the agency administering the financial assistance program. Generally, notice and consent of an individual is required to release information to an outside source. Courts must also be informed of statutory provisions, rules, and policies against disclosure when a recipient or applicant information is subpoenaed.

45 CFR §1355.21: Requires that each state plan for Titles IV-E and IV-B of the Social Security Act provide for safeguards on the use and disclosure of information which meet the requirements contained in 42 USC 671(a)(8), as well as the provisions in 45 CFR §1355.30.

45 CFR §1355.30(p)(3): Requires that safeguarding of IV-E (foster care and adoption) and IV-B (child welfare) information adhere to restrictions set out in 45 CFR §205.50 (see above).

45 CFR §1355.41: Requires states to collect and report information on the characteristics and experiences of a child in foster care, adoption, and guardianship to the HHS Administration for Children & Families (ACF) on a semi-annual basis, in a format specified by ACF.

45 CFR 1356.30: Prohibits ODJFS from approving or issuing a license to a prospective foster or adoptive parent, or from claiming federal financial participation for any foster care maintenance or adoption payments, if ODJFS finds, based on a criminal records check, that the prospective foster or adoptive parent has been convicted of certain types of felonies.

State Statutes and Rules:

RC §109.57(H): Information obtained by a government entity or person under section 109.57 of the Revised Code is confidential and shall not be released or disseminated.

RC §109.5721: Addresses Bureau of Criminal Identification & Investigation (BCII) fingerprint database on individuals employed by, licensed by, or approved for adoption by a government agency, and says that a public office that elects to receive notice of any arrest, conviction or guilty plea of an individual whose name is retained in the fingerprint database, may use that information solely to determine the individual's eligibility for continued employment with the public office, to retain licensure issued by the public office, or to be approved for adoption by the public office, but is otherwise confidential. Fingerprint impressions and BCII results are not transferrable, and individuals must be reprinted when seeking employment with, licensure by, or approval for adoption by a different participating public office or private party. The Ohio Attorney General must promulgate rules for expungement or sealing of records of individuals who are no longer employed, granted licensure, or approved for adoption by the participating public office or private party. (Amended 9/29/2017).

RC §121.22(D)(5): Exempts meetings of a child fatality review board from the Open Meetings (Sunshine law) requirement.

RC §121.37(A)(2)(c): Records identifying individual children maintained by the Family and Children First Cabinet council are confidential and shall be disclosed only as provided by law.

RC §149.43(A)(1)(d): Excludes records pertaining to adoption proceedings from being treated as public record.

RC §149.43(A)(1)(e): Excludes information contained in the putative father registry from being treated as public record.

RC §149.43(A)(1)(f): Excludes certain adoption-related records listed in RC §3107.52(A) from being treated as public record.

RC §149.435: Prohibits law enforcement personnel from disclosing identifying information about a delinquent child or arrestee in a routine factual report, when the child is also an abused child (except in certain limited circumstances).

RC §307.627: Allows child fatality review boards access to summary information from: PCSAs, PCPAs, agencies that provide services specifically to a child or family, law enforcement agencies, or other public or private entity that provided services to a child whose death is being reviewed by the board. The board can also access or request certain confidential abuse and neglect investigatory records that are described in 2151.421(I)(4). The board members must preserve the confidentiality of any records received pursuant to this statute. If the death of a child is being investigated or the prosecutor is seeking to prosecute someone for causing the death of a child, the board is not entitled to the prosecutor's information unless the prosecuting attorney agrees to provide it.

RC § 307.628: Immunizes from civil liability an individual or public or private entity providing information, documents, or reports to a child fatality review board for any injury, death, or loss to person or property that otherwise might be incurred or imposed as a result of providing the information, documents, or reports to the review board.

RC §1347.08(E)(2) & (F)(2): Excludes access to the putative father registry by the subject, and to criminal law enforcement investigatory records or trial preparation records by the subject, the subject's guardian, or an attorney authorized by the subject.

RC §2151.141: States that if a complaint is filed with respect to a child pursuant to Section 2151.27 which alleges that a child is abused, neglected, or dependent, any individual or entity listed in RC §2151.14(D)(1), that is investigating the abuse, neglect or dependency, has custody of the child, is preparing a social history for the child, or is providing any services for the child, may request records concerning the child from a PCSA, PCPA, probation dept., law enforcement agency or prosecuting attorney. Any individual or entity receiving a records request under this statute must provide them, unless release of the information is prohibited by law. If the individual or entity receiving the records request determines that it cannot release the requested information, it must file a motion in the court where the complaint was filed setting out its reasons for not complying with the request, so that the court can rule on whether or not the records can be disclosed.

RC §2151.142: Makes confidential the residential address of each officer or employee of a public children services agency or a private child placing agency who performs official responsibilities or duties described in RC §2151.14, RC §2151.141, RC §2151.33, RC §2151.353, RC §2151.412, RC §2151.413, RC §2151.414, RC §2151.415, RC §2151.416, RC §2151.417, RC §2151.421, §§2151.4220 to 2151.4234 or another section of the Revised Code and to the residential address of persons related to that officer or employee by consanguinity or affinity. Any such addresses must be redacted if contained in records containing information subject to release under RC §149.43. The residential address must be disclosed to a journalist if certain requirements are met (See RC §2151.142(D)). 5/30/22.

RC §2151.421: Certain professionals (listed in the statute) must report, and others may report, cases of child abuse/neglect to the public children services agency (PCSA) or peace officer in the county in which the child resides, or in which the abuse or neglect is occurring or has occurred. The county PCSA must investigate, in accordance with Paragraph (G), any reports made pursuant to this statute. Except as otherwise stated in (I)(1), a report made under this section is confidential. Paragraph (N) allows sharing of specified information from an investigation (e.g., allegations, alleged perpetrator and disposition) with designated officials of an out-of-home care entity when the abuse and neglect is alleged to have occurred in that entity. Paragraph (M) makes mandatory reporters liable for compensatory and exemplary damages to the child for failing to report abuse/neglect of the child; and allows person bringing civil action on child's behalf to use other reports of abuse/neglect in the civil action, provided that identifying information about the alleged child victims and persons making the reports are redacted from the other reports. 5/30/22.

RC §2151.423: Requires PCSA to disclose confidential investigatory information obtained pursuant to RC 2151.421 or 2151.422, to federal, state or local governmental entities, including any appropriate military authority, responsible for protecting children from abuse/neglect. Information disclosed pursuant to this section is confidential and is not subject to disclosure pursuant to ORC sections 149.43 or 1347.08 by the agency to whom the information was disclosed. The agency receiving the information must maintain the confidentiality of information disclosed. 9/29/21.

RC §2151.86: Requires that the appointing or hiring officer of any entity that appoints or employs any person responsible for a child's care in an out-of-home care setting request that BCII conduct a criminal records check on all persons under final consideration for appointment or employment. The statute also requires a BCII check on all prospective adoptive parents and prospective foster caregivers, and all adults residing with them. Records checks must be conducted every four years. The report of any criminal records check conducted by BCII pursuant to this statute is not a public record for purposes of RC §149.43 and shall not be made available to any person other than the person who is the subject of the criminal records check or that individual’s representative; the entity requesting the criminal records check or its representative; ODJFS, a county DJFS, or a public children services agency; and any court, hearing officer, or other necessary individual involved in a case dealing with the denial of employment, final order of adoption, or foster home certificate.

RC §3107.031: Allows adoptive parents to receive copy of their own home study from the assessor, except for opinions of third parties. It is possible this statute could also be used to withhold or redact any psychological evaluations and other records of a sensitive nature that are provided to the assessor by individuals other than the applicant.

RC §3107.034: Requires adoption agency or attorney who arranges an adoption to ask ODJFS to check the Central Registry of another state, whenever either the prospective adoptive parent or another adult member of the household has resided in another state within five years immediately prior to the date on which a criminal records check is requested pursuant to RC §2151.86. The adoption agency or attorney arranging the adoption shall review the results of the check prior to finalization of adoption, and consider it in the same way as they would a summary report of a search of SACWIS, created as part of the home study pursuant to RC §3107.033. The summary report from SACWIS provided pursuant to RC 3107.033 should include a chronological list of abuse and neglect determinations or allegations of which the person seeking to adopt is subject, and in regard to which a public children services agency determined that abuse/neglect occurred, was unable to determine that abuse/neglect occurred, or initiated an investigation that is still pending. The summary report from SACWIS shall NOT contain information about abuse/neglect that the PCSA concluded did NOT occur, or the identity of the person or entity that reported (or participated in the reporting of) abuse/neglect, or information prohibited from being disseminated by, or interfering with eligibility under, CAPTA. The statute also requires ODJFS to check the Ohio Central Registry upon the request of its out-of-state counterparts. 8/14/08.

RC §3107.063: Lists the parties who can request a search of the putative father registry, to whom information can be disclosed, and what to include in the notifications.

RC §3107.17: No person or governmental entity shall knowingly reveal any information contained in a paper, book, or record pertaining to an adoption that is part of the permanent record of a court or maintained by the department of job and family services, an agency, or attorney without the consent of a court. The section also requires that ODJFS prescribe a form that permits individuals identified in the section, to request the court’s permission to inspect the social or medical histories of the biological parents, to the extent they are kept in the court’s permanent record. 3/20/15.

RC § 3109.051(H): States that a non-residential parent is entitled to access any record related to their child as the residential parent, unless a court determines that such access would not be in the child’s best interest, in which case the court shall specify the terms and conditions under which the non-residential parent is to have access. Keepers of child records who fail to comply with the court’s order will be in contempt.

RC § 3705.09(G): Provides that when a birth certificate is changed to add a father's name once paternity is established, the old birth certificate and supporting documentation which prompted issuing the new birth certificate is sealed and cannot be released without a court order.

RC § 3705.12 through RC 3705.126: Sets out guidelines for having the department of health prepare a new birth certificate for an individual who is adopted. The statute says that upon the issuance of the new birth record, the original birth record shall cease to be a public record. 3/20/15.

RC § 3705.23: Excludes the "information for medical and health use only" section of the birth certificate from the certified copy of the birth record, unless specifically requested by the subject of the birth record, either of the subject’s parents or guardian, a lineal descendant, or a federal or state government criminal prosecutor or investigator. The information may also be released pursuant to court order, or by authorization of the state registrar if done in accordance with health department rule.

RC §§5101.13 through 5101.134: Authorizes Statewide Automated Child Welfare Information System (SACWIS) to replace Central Registry and sets forth what and to whom SACWIS data can be disclosed. Expressly makes information contained in or obtained from SACWIS confidential and not subject to disclosure pursuant to sections 149.43 or 1347.08 of the Revised Code. ODJFS and public children services agencies (PCSAs) are permitted to access and utilize SACWIS for purposes of assessment, investigation and services to children and their families, as well as for purposes permitted under federal or state law and rule. 8/14/08.

RC § 5101.27: Sets out confidentiality requirements for all non-medical public assistance (PA) programs, including OWF, PRC, and child care subsidies. 4/12/21.

RC § 5101.29: When contained in a record held by ODJFS or a county agency, excludes from classification as public records the names and other identifying information regarding: (A) children enrolled in or attending a child day-care center or home subject to licensure or registration under RC Chapter 5104; (B) children placed with an institution or association certified under RC §5103.03 of the Revised Code; (C) persons who make an oral or written complaint to ODJFS or other state or county entity responsible for enforcing RC Chapter 5103 or 5104, regarding an institution, association, child day-care center, or home subject to licensure or registration; and (D) foster caregivers and prospective foster caregivers, including the foster caregiver application and home study. However, the identity of a foster caregiver along with other details must be disclosed, when he/she has had a foster care certificate revoked pursuant to RC Chapter 5103, or is indicted or convicted of any prohibited offense listed in RC §2151.86.

RC §5101.80(E): Requires authorized representative of ODJFS, CDJFS or state agency administering a Title IV-A program, including the kinship permanency incentive program, to have access to all records and information bearing thereon for the purposes of investigations conducted pursuant to RC §5101.80. Authorized representatives of government entities and private, not-for-profit entities administering projects funded with Title IV-A demonstration program funds, shall have similar access for purposes of project-related investigations.

RC § 5153.111(A) & (D): Public children services agency (PCSA) directors must ask BCII to conduct a criminal records check on all prospective employees applying for employment with the agency that would require the employee to be responsible for the care, custody, or control of a child. The report of any criminal BCII check pursuant to this statute is not a public record and cannot be made available to any person other than the applicant who is the subject of the criminal records check or the applicant’s representative, the PCSA requesting the criminal records check or its representative, and any court, hearing officer, or other necessary individual involved in a case dealing with the denial of employment to the applicant.

RC § 5153.17: County public children services agencies (PCSAs) must keep records of investigations, and of the care, training and treatment afforded children, and all other records required by ODJFS confidential. These records, however, shall be open to inspection by ODJFS, the director of the county department of job and family services, and other persons upon written permission of the executive PCSA director.

RC § 5153.171: Requires the county PCSA director to confer with the county prosecutor in relation to a request for information about a child who was under eighteen years of age, who was a resident of the county served by the agency at the time of the child's death and whose death may have been caused by abuse, neglect, or other criminal conduct. If the county prosecutor intends to prosecute a person for causing the child's death, the prosecuting attorney decides what information may be released, if any. The prosecutor is required to notify the PCSA director of the intent to prosecute and the determination of what information may be released. The director may only release the information designated by the prosecutor. If the prosecutor does not intend to prosecute a person for causing a child's death, the prosecutor shall notify the PCSA director who shall release the information described in RC § 5153.172, except as provided in RC § 5153.173. This statute shields the PCSA director from civil liability or criminal prosecution if the PCSA director releases information authorized by RC 5153.171 in good faith.

RC § 5153.172: Notwithstanding RC §2151.421, RC §3701.243 and RC §5153.17 or any other section of the Revised Code pertaining to confidentiality and unless precluded by RC § 5153.173, the PCSA Director shall disclose about a deceased child: the child's name, summary report of abuse or neglect reports made pursuant to RC §2151.421 of which the child was subject, final disposition of the report or status of the investigation, services provided to or purchased for the child by the PCSA, and actions taken by PCSA in response to the report of child abuse and neglect. Names of the parties who reported the abuse/neglect, names of parents and siblings of the child; contents of psychological, psychiatric, therapeutic, clinical or medical reports or evaluations regarding the child; witness statements; police or other investigative reports; or any other information other than stated in this statute are prohibited from being released pursuant to this statute.

RC § 5153.173: A common pleas court can provide an order to stop the release of information required to be released pursuant to RC §5153.172 upon a motion by the PCSA which alleges that disclosing this information would not be in the best interest of a deceased child's sibling or another child residing in the deceased child's household.

OAC rule 5101:1-1-03(B)(6): CDJFS can share with a PCSA the minimum information necessary to fulfill the need for the sharing, when the CDJFS is required to report instances of known or suspected child abuse/neglect of a child receiving OWF or PRC, or when the PCSA needs information to conduct an assessment or investigation of an allegation of child abuse or neglect, as described in OAC rule 5101:2-33-28(G)(2). 2/1/22.

OAC rule 5101:2-7-04: A foster caregiver must maintain a record on each foster child and the rule specifies what must be included in these records. The rule then goes on to preclude the foster caregiver from disclosing or knowingly allowing the disclosure of any information regarding the foster child or the foster child's family to persons not directly involved in the foster child's care and treatment on an official basis.

OAC rule 5101:2-33-21: Makes referrals, assessments, investigations, and provision of services related to child abuse/neglect/dependency reports and families in need of services confidential, including identity of referent/reporter or any person providing information during an assessment or investigation. Also specifies what, under what circumstances and to whom confidential child welfare information may be shared by a PCSA. 8/1/20.

OAC rule 5101:2-33-23(B): Makes all case records that are prepared, maintained or kept by the PCSA confidential, and releasable only in accordance with 5101:2-33-21. 8/15/20.

OAC rule 5101:2-33-28: Requires PCSAs to engage in joint planning and sharing of information with CDJFS in certain circumstances. However, identity of person reporting abuse/neglect or of person providing information during the assessment/investigation, may not be shared with the CDJFS, and any child abuse/neglect information that is permitted to be shared must be kept in a separate file, not in the CDJFS’ case record, to help maintain confidentiality. 8/1/20.

OAC rule 5101:2-33-70: Requires ODJFS to establish and maintain Ohio SACWIS in accordance with 42 USC 674(a)(3)(C). The rule also describes the types of data that PCSAs, private child placing agencies (PCPAs) and private non-custodial agencies (PNAs) must enter into Ohio SACWIS and the residential treatment information system (RTIS), and to whom and for what purposes SACWIS data may be accessed and used. Also covers access to and use of SACWIS/RTIS by juvenile court subgrantees of ODJFS for the purposes of Title IV-E reimbursement, and local public entities (LPEs) operating qualified residential treatment programs (QRTPs). 10/1/22.

OAC rules 5101:2-36-03(AA)(6) & 5101:2-36-04(W)(6): Both rules require, in certain circumstances (alleged intra-familial abuse/neglect and specialized assessments and/or investigations), that the PCSA notify the child's non-custodial parent of the receipt of the child abuse/neglect report, as well as the report disposition and case decision. 6/17/18.

OAC rule 5101:2-42-90: Requires PCSAs and PCPAs to share specified child-related information with potential caregivers, prior to placing a child in substitute care or respite care. Also has provisions for sharing information with boards of education for school districts and juvenile courts, and for inclusion in individual child care agreements when children are placed in substitute care settings. 5/1/21.

OAC rule 5101:2-48-09(O)(10): The PCSA, PCPA, and PNA must document that each person seeking adoption approval has completed preservice training prior to approval of the home study, including sharing with the prospective adoptive parent information about the child’s commission of a violent crime, prior to placement with the adoptive parent. 2/1/22.

OAC rule 5101:2-48-19: Governs the release and transfer of adoptive home studies by and to PCSAs, PCPAs, PNAs or comparable agencies within and outside of Ohio. 3/1/21.

OAC rule 5101:2-48-20: Governs the release of birth parent and sibling identifying and non-identifying information to an adopted person or the adoptive parents, as well as the release of adoptive parent and sibling identifying and non-identifying information to the birth parent or birth sibling. 2/1/21.

OAC rule 5101:2-48-21: Paragraph (D) requires a child study inventory (CSI) to be shared with a PCSA, PCPA or PNA assisting in the adoptive placement of a child, as well as with the adoptive parents, prior to the adoptive placement. Paragraph (E) states that for newborns placed from the hospital into an adoptive home, the PCSA or PCPA must provide a copy of the CSI to adoptive parents within 30 days of placement. 5/1/21.

OAC rule 5101:2-48-22: Sets out what PCSAs, PCPAs and PNAs must include in an adoptive family case record. 5/1/22.

OAC rule 5101:2-48-23: Governs the preservation of adoptive child case records and sets out under what circumstances the record can be released or reviewed. 2/1/21.

OAC rule 5101:6-50-07: When an RC Chapter 119 hearing has been requested, allows discovery of any matter that is not privileged or confidential, except in cases involving actions under RC chapters 5103 and 5104 (foster caregiver, private non-custodial agency (PNA), and private child placing agency (PCPA) certification, & child day care licensing), and records referenced in RC §5101.29 (identifying information about children enrolled in child day care, children placed in an institution, and persons making complaints about child day care centers or homes), in which instances no discovery is permitted, unless parties agree to it. 1/1/19.

OAC rule 5101:9-9-39: Allows ODJFS to access and use information contained in systems (such as SACWIS) that are controlled or maintained by or for the benefit of ODJFS, for purposes of ODJFS program administration (which includes federal reporting and oversight requirements). Disclosures may be subject to a written agreement, and any release of information shall preserve the confidential nature of it. 8/18/16.

F.ADULT SERVICES

State Statutes and Rules:

RC §5101.63(F): Written and oral reports of suspected abused, neglected or exploited adults, and subsequent investigatory records, are confidential and are not considered public records pursuant to RC §149.43. The information shall only be made available upon request to the adult who is the subject of the report, and to legal counsel for the adult. Name and identifying information of person who made the report may be redacted if including that information would create risk of harm to that individual or to the subject of the report. 4/4/23.

RC §5101.61(B): Gives ODJFS director authority to adopt rules governing county departments' implementation of adult protective services, as defined & described in ORC 5101.60 to 5101.71. 9/29/18.

OAC rule 5101:2-20-04(G): Makes adult protective services case records confidential. 10/1/21.

OAC rule 5101:2-20-05: Makes records pertaining to referral, assessment, and investigation of adult abuse/neglect/exploitation confidential, and all information in the statewide adult protective services information system (SAPSIS) confidential. The rule also permits limited disclosures, including for administrative purposes, to the subject of the information and/or his/her legal counsel upon request, and to the court pursuant to a court order and under limited circumstances. 10/1/21.

G.CHILD DAY CARE

State Statutes and Rules:

RC § 5104.013(A), (F) & (L): Requires ODJFS to have BCII conduct criminal background checks on owners, licensees, administrators, job applicants and employees of child day-care centers, type A and type B family day-care homes and any adults who reside in the homes, approved child day camps, and licensed preschool and school child programs that provide publicly-funded child care. In-home aides are also required to undergo BCII criminal records checks. In addition, child day camps, other than approved child day camps, shall request that BCII conduct a criminal records check of any individual who applies to for employment and for existing employees every five years. Any BCII report completed pursuant to this statute is confidential and shall not be made available to any person other than the subject of the criminal records check or the subject’s representative, the director of job and family services, the director of a county department of job and family services, and any court, hearing officer, or other necessary individual involved in a case dealing with a denial of licensure, approval or certification related to the search. ODJFS shall in turn notify the licensed child day care center, licensed home, approved child day camp, licensed preschool program or licensed school child program of any person who is ineligible for employment. The statute also requires that ODJFS conduct a search of SACWIS for abuse/neglect reports related to the aforementioned parties. BCII checks and SACWIS searches musty typically be conducted every 5 years after the initial check. 10/17/19.

RC § 5104.038: The administrator of each child day-care center shall maintain enrollment, health, and attendance records for all children attending the center and health and employment records for all center employees. The records shall be confidential except that they shall be disclosed by the administrator to the director of ODJFS upon request for the purpose of administering and enforcing this chapter and rules adopted pursuant to this chapter. Neither the center nor the licensee, administrator, or employees of the center shall be civilly or criminally liable in damages or otherwise for records disclosed to the ODJFS director by the administrator pursuant to this division. It shall be a defense to any civil or criminal charge based upon records disclosed by the administrator to the director of ODJFS that the records were disclosed pursuant to this division. 1/1/14.

OAC rule 5101:2-12-09: Requires criminal records checks of owners, administrators, employees, and staff members of child care centers applying for licensure or employment, and every five years thereafter.

OAC rule 5101:2-12-10(C)(3): Requires owners and administrators of licensed child care centers to provide their staff with copies of their own training documentation within 5 business days of their staff member’s request, or at the time of separation for records not verified in the Ohio professional registry (OPR). 10/29/21.

OAC rule 5101:2-12-15(D): Requires that licensed child care centers treat as confidential any children’s records they collect, including child enrollment and health records, medical statements, and medical/physical care plans, and only disclose them to ODJFS for purposes of administering ORC chapter 5104 and OAC chapter 5101:2-12. In addition, immunization records must be made available for review by the Ohio Department of Health, for purposes of disease outbreak control and immunization level assessment. 10/29/21.

OAC rule 5101:2-12-16(G)(4): If a child is transported from a child care center for emergency treatment by anyone other than a parent, requires that the child’s health and medical records accompany the child. 10/29/21.

OAC rule 5101:2-13-03: (G)(5) requires that the county agency provide a copy of the inspection report to anyone who submits a request to the county agency, but only after the county agency has removed all confidential information from the report. Paragraph (I) makes licensing inspection records public. 5/15/22.

OAC rule 5101:2-13-07(C): Requires licensed family child care providers to ensure that all employees and child care staff members create or update their individual profile in the Ohio professional registry (OPR), create an employment record on or before the first day of employment, including date of hire, and update their individual profiles or employment records in OPR within five (5) calendar days of a change, including updates to contact information and positions or roles. Providers must also maintain records of each current employee and child care staff member for at least 3 years after the staff member’s departure (including the staff member’s scheduled days and hours, group assignments, and end date of employment). Employment records related to staff members are confidential, except when requested by the county agency or ODJFS for purposes of administering RC Chapter 5104 and OAC Chapter 5101:2-13. 10/29/21.

OAC rule 5101:2-13-09: Requires criminal records checks of all staff members, employees, substitutes, and adult residents of licensed type A and type B home providers (collectively referred to as family child care providers) and those applying for a license to become a family child care provider. Records check must be done at time of license application or prior to first day of employment and, every 5 years thereafter. The rule applies to even records of convictions that have been sealed. 9/29/19.

OAC rule 5101:2-13-10(F)(3): Requires family child care providers to give their staff copies of their own training documentation within 5 business days of their staff member’s request, or at the time of separation for records not verified in the Ohio professional registry. 10/29/21.

OAC rule 5101:2-13-15(D): Children’s records (including attendance and medical records) required to be kept by licensed family child care providers shall be confidential, except they shall be available to ODJFS and the county agency for purposes of administering RC Chapter 5104 and OAC 5101:2-13. Immunization records shall be subject to review by the Ohio Department of Health for disease outbreak control and immunization level assessment purposes. 10/29/21.

OAC 5101:2-13-26(B): Paragraphs (B)(1) and (B)(2) describe the types of documentation that the county agency must maintain regarding licensed family child care providers; (B)(2) and (B)(3) specify the retention period for those documents; (B)(4) prohibits county agencies from disclosing (a) identifying information about complainants, witnesses and those to whom confidentiality has been reasonably promised, (b) any information, when such information would disclose the identity of one to whom confidentiality has been reasonably promised, and (c) provider medical records that pertain to the provider’s condition, when generated in the process of medical treatment; and, (B)(5) through (B)(8) specify what information the county agency must share with the PCSA, law enforcement, provider, and ODJFS. 10/29/21.

OAC rule 5101:2-14-03: Requires criminal background checks of all certified in-home aides. Rule even applies to records of convictions that have been sealed. 10/29/21.

OAC rule 5101:2-14-06(F): Makes all information collected about in-home aides (IHAs) by county agencies confidential, except to ODJFS for purposes of monitoring review of its certification program and investigating complaints involving county agencies, and to the PCSA and law enforcement for purposes of investigating alleged child abuse and neglect. Any information disseminated about IHAs must be documented, including the date of dissemination, to whom, and the reason. 10/29/21.

OAC rule 5101:2-14-07(B)(4): Requires that inspection reports be kept on file at the county agency, and that a copy of the JFS 01642 “In-Home Aide Assurances”, with confidential information removed, be released to anyone upon request. 10/20/19.

OAC rule 5101:6-50-07: When an RC Chapter 119 hearing has been requested, allows discovery of any matter that is not privileged or confidential and that does not involve an action under RC Chapters 5103 and 5104 (foster caregiver, PNA, and PCPA certification, and child day care licensing only permit discovery if parties stipulate). Information designated as non-public in RC §5101.29 is also not discoverable for purposes of an RC Chapter 119 hearing. 1/1/19.

H.CHILD SUPPORT

Federal Laws and Regulations:

42 USC §653: Addresses confidentiality of the Federal Parent Locator System and to whom the information may be released (authorized person, as defined in the statute). Section (j)(8) allows HHS Secretary to disclose employer information from the National Directory of New Hires to state unemployment agencies, for the purposes of UC administration.

42 USC §654(26): Requires the state to protect confidential child support information.

42 USC §654a: Paragraph (d) requires the ODJFS Office of Child Support (OCS) to establish & implement safeguards for child support automated data systems, to ensure system integrity, accuracy and completeness, and to restrict access to and use of information contained therein. OCS must have written policies that (1) permit access to and use of child support data by state agency personnel, but only to the extent necessary to administer the child support program; and (2) specify the data that may be used for particular program purposes, and the personnel permitted to access such data. Federal law also requires system controls to ensure strict adherence to policies, routine monitoring of access through such methods as audit trails to detect and guard against unauthorized access and use, and training of state and local agency staff and contractors on access restrictions, penalties and security procedures. (45 CFR 307.13 is very similar to this provision).

45 CFR § 235.70: Allows county departments of job and family services to send a copy of the Title IV-A (cash assistance) case record and other relevant information to a CSEA.

45 CFR § 302.35: Requires the state child support agency to maintain a parent locator service (PLS) to provide location information to authorized persons for authorized purposes that are listed in the CFR.

45 CFR § 303.15: Allows use of the Federal Parent Locator Service (FPLS) for enforcing any state or federal law with respect to the unlawful taking or restraint of a child or making or enforcing a child custody or visitation determination. This information is given to the IV-D agency pursuant to an agreement with federal office of child support enforcement. Access to FPLS information is limited to child custody or visitation or parental kidnapping cases. After information is requested from FPLS and then sent to a requestor, the IV-D agency must destroy any confidential records and information related to the request.

45 CFR § 303.21: Requires state and county child support agencies to safeguard and restrict disclosure of information relating to a specified individual or an individual who can be identified by reference to one or more factors specific to him or her, including but not limited to the individual's Social Security number, residential and mailing addresses, employment information, and financial information. However, (d) says upon request, the ODJFS Office of Child Support may disclose: (1) confidential information to state agencies as necessary to assist them in carrying out their responsibilities under plans and programs funded under titles IV, XIX, or XXI of the Social Security Act (SSA), as well as SNAP including (i) Any investigation, prosecution or criminal or civil proceeding conducted in connection with the administration of any such plan or program; and (ii) Information on known or suspected instances of physical or mental injury, sexual abuse or exploitation, or negligent treatment or maltreatment of a child under circumstances which indicate that the child's health or welfare is threatened; and, (2) information in the state directory of new hires (SDNH), pursuant to sections 453A and 1137 of the SSA for purposes of income and eligibility verification. However, authorized disclosures under (1) and (2) above shall not include confidential information from the National Directory of New Hires or the Federal Case Registry, unless authorized under 45 CFR §307.13 or unless it is independently verified information. No financial institution data match information may be disclosed outside the administration of the IV-D program and no IRS information may be disclosed, unless independently verified or otherwise authorized in Federal statute. States must have safeguards in place as specified in SSA section 454A(d) and (f).

45 CFR § 303.30: Requires IV-D agency to obtain IV-A or IV-E information not supplied by the agencies holding it (including whether non-custodial parent has health insurance), and provide that information timely, efficiently, and cost-effectively to the state Medicaid agency.

45 CFR § 303.69: Allows U.S. attorneys and federal agents to request information directly from federal parent locator service, for purposes of parental kidnapping or child custody case. Request must be submitted in writing and contain required statements.

45 CFR § 303.70: Requires state child support agencies to have procedures for submissions to the State or Federal parent locator service (PLS) for the purpose of locating parents, putative fathers, or children for the purpose of establishing parentage or establishing, setting the amount of, modifying, or enforcing child support obligations; for the purpose of enforcing any Federal or State law with respect to the unlawful taking or restraint of a child or making or enforcing a child custody or visitation determination as defined in section 463(d)(1) of the Social Security Act (42 USC 663), or for the purpose of assisting State agencies to carry out their responsibilities under title IV-D, IV-A, IV-B, and IV-E programs. Only the central State PLS may make submittals to the Federal PLS for the purposes specified above. The regulation also requires Title IV-D agency director or designee to attest annually to limited uses of federal/state PLS and to whom information will be disclosed; specifies what data elements about parents, non-parents, and putative fathers must be included in submittals; and requires that PLS information be treated as confidential and safeguarded.

45 CFR §307.13: Addresses security and confidentiality for computerized support enforcement systems in operation after October 1, 1997. Requires that State child support agencies have safeguards to protect integrity, accuracy, completeness, access to, and use of computerized support enforcement system data, including written policies regarding access to data by agency personnel and sharing with others. Certain information contained in SETS can be released in connection with SSA Titles IV (including IV-D child support), XIX (Medicaid) and XXI (child health assistance), but the regulation places limits on the disclosure of NDNH, FCR, financial institution and IRS information outside the IV-D program & requires audit trails and staff training.

State Statutes and Rules:

RC §149.43 (A)(1)(e): Excludes information contained in the putative father registry from being considered as public record when held by ODJFS or a CSEA.

RC § 149.43(A)(1)(o): Excludes new hire records provided by employers to ODJFS for child support purposes under RC § 3121.894 from being considered as public records.

RC §3107.063: Sets forth the procedure to be used by a biological mother, adoption attorney, PCSA, PCPA, and PNA for requesting that ODJFS search the putative father registry to determine whether a man is registered as the minor's putative father. 3/23/15.

RC § 3121.76: Limits the use of information received by ODJFS from a financial institution

through an agreement pursuant to the statute to purposes of establishment, modification, or enforcement of a child support order. Such information is not a public record. 3/22/01.

RC § 3121.84: Requires ODJFS Office of Child Support (OCS) to make comparisons of information in the case registry with information in OCS’ birth registry and new hires directory, and to provide reports of information in the registry to other federal and state governmental entities, as specified in state administrative rules and consistent with Title IV-D.

RC §3121.898: New Hire data shall only be used for the purposes set forth in 42 USC 653a, including locating individuals for purposes of establishing paternity; establishing, modifying and enforcing support orders; and verifying eligibility for Title IV-A programs (like OWF and PRC), Medicaid, Unemployment Compensation (UC), Food Assistance (FS) and employment security programs administered by ODJFS.

RC § 3121.899: New hire information shall not be considered public records and shall be accessed, used, and disclosed as specified in ODJFS’ administrative rules. ODJFS may share information in new hire reports with any county child support enforcement agency, any county department of job and family services, and ODJFS staff (including Employment Security program staff), but only for purposes specified in RC § 3121.898; and with the Bureau of Workers’ Compensation for their program administration.

RC § 3123.89: Requires that ODJFS develop and implement a real time data match program with the state lottery commission and its agents to identify obligors who are subject to a final enforceable determination that they are in default of a child support order, requires county CSEAs to issue an intercept directive to the state lottery commission, including the name and social security number of the obligor and amount of arrearages owed, and requires the lottery commission to deduct the amount of arrearages from the lottery prize award and send it to the ODJFS Office of Child Support. 3/23/22.

RC § 3123.92: Requires any CSEA administering a court or CSEA enforceable finding of default against an obligor to contact at least one consumer reporting agency in the State and provide to the consumer reporting agency the obligor's name, address, and social security number or other identification number and any other identifying information concerning the obligor.

RC §3123.93: Allows consumer reporting agencies to obtain certain information maintained by the ODJFS Office of Child Support regarding obligors.

RC § 3123.95 et seq. Authorizes and sets forth requirements for the establishment and use by ODJFS of a poster program, to display photos of obligors who are delinquent in their support payments, for purposes of increasing collections.

RC§ 3123.954: Precludes a county CSEA from providing the address or other personal information of an obligee to the ODJFS Office of Child Support Enforcement when the CSEA submits the name of the obligor to be included on a poster. See also RC § 3123.95 et seq., RC § 3123.957 and OAC rules 5101:12-50-65 and 5101:12-50-65.1, for provisions regarding the office of child support's poster program.

RC § 3125.08: Requires that ODJFS adopt rules that limit access to and use of SETS information to the extent necessary to carry out administration of the child support program; monitoring, identifying and preventing unauthorized access; informing personnel with access of applicable requirements, penalties and security procedures; and establishing penalties for violations.

RC § 3125.16: Allows each obligor and obligee under a support order to review all records related to support orders held by CSEAs and any other information maintained by the CSEA, except to the extent prohibited by state or federal law.

RC §3125.49: Precludes ODJFS Office of Child Support and county CSEA from using social security numbers made available by the Ohio Department of Health’s office of vital statistics for any purpose other than child support enforcement.

RC § 3125.50: Prohibits all persons, including county CSEAs, from releasing information concerning applicants for and recipients of child support services, except as permitted under rules promulgated by ODJFS. Statute also prohibits the ODJFS Office of Child Support and county CSEAs from redisclosing information collected from any officer or entity of the state or any political subdivision of the state that would aid the CSEA in locating an absent parent; any information concerning the employment, compensation, and benefits of any obligor or obligee subject to a support order; name and address of any obligor or obligee subject to a support order and the obligor's employer in the customer records of a public utility; and home address and income information obtained from the Ohio Department of Taxation, except as provided by rules promulgated by ODJFS.

OAC rule 5101:12-1-20: Contains definitions of terms used in OAC Rules 5101:12-1-20.1 and 5101:12-1-20.2. The rule allows case participants to request their own information by providing proper identification; requires that individuals other than the case participant (including PCSAs) submit written requests; and mandates that individuals, courts, and agents of the United States with access to case record information (including in SETS) maintain the confidentiality of the information and safeguard it, regardless of the medium in which it is kept. Information can only be disclosed as permitted in child support rules, and often limited to performing functions necessary for carrying out the child support program. 4/1/18.

OAC rule 5101:12-1-20.1: Describes the requirements for the use, protection and dissemination of information that is collected and maintained by the ODJFS Office of Child Support or a county CSEA in the performance of support enforcement program functions. Rule sets forth if, when, to whom, and under what circumstances an individual’s case record information (including parent locator service (PLS) and national directory of new hire (NDNH) data) may be disclosed. Paragraph (C) allows non-PLS information to be disclosed for administration of child support, SNAP, OWF, Medicaid and foster care; federal, state, and local audits; and, to report to an appropriate child welfare agency or official, suspected or known instances of abuse, exploitation, or neglect of a child who is the subject of a child support order. 4/1/18.

OAC rule 5101:12-1-20.2: Requires that child support enforcement agencies safeguard confidential participant (obligor and obligee) information received from the Ohio department of taxation and ODJFS Office of Unemployment Insurance Operations. Rule describes the procedures county agencies must follow to safeguard information. 4/1/18.

OAC rule 5101:12-1-22: ODJFS Office of Child Support rule regarding safeguarding of federal tax information (FTI) received from the IRS. See also 26 USC 6103 and IRS Publication 1075. 11/1/22.

OAC rule 5101:12-1-22.1: ODJFS Office of Child Support procedure for conducting county CSEA visits and requiring county CSEA self-inspection, to verify FTI is being properly safeguarded. 11/1/22.

OAC rule 5101:12-10-90(C): States that new hire reports are not considered public records for purposes of section 149.43 of the Revised Code, and that ODJFS may only disclose new hire reports to entities described in RC 3121.898 and 3121.899. 6/1/21.

OAC rule 5101:12-20-10: Sets forth which parties are authorized to obtain an individual’s current residential address or place of employment from the Federal Parent Locator Service. Also provides details on how requests must be made and when a court order is required. 1/1/17.

OAC rules 5101:12-50-65 & 12-50-65.1: Authorizes and sets forth requirements for ODJFS Office of Child Support and county child support enforcement agencies to implement poster program, displaying photos of delinquent obligors, to increase collections. 3/1/17.

OAC rule 5101:12-55-10: Financial Institution Data Match (FIDM) is an optional program that allows county child support enforcement agencies to enforce and collect final and enforceable determinations of default from child support obligors’ financial accounts. 2/11/19.

I.UNEMPLOYMENT COMPENSATION (UC) BENEFITS & UNEMPLOYMENT INSURANCE (UI) TAX

Federal Laws and Regulations:

26 USC 3301 to 3311: Federal Unemployment Tax Act (FUTA) laws are codified here. 26 USC 3304(a)(16)(C) requires state unemployment program to establish safeguards to ensure that any wage and unemployment compensation information that is shared (including with state Title IV-A and IV-D programs) only be used for authorized purposes.

29 USC § 49b (b): Requires State unemployment compensation (UC) and employment services offices to share data with State offices running TANF, Food Assistance and Child Support programs, such as the amount of UC benefits being paid to individuals, their most recent home address, and if they have refused an offer of employment.

42 USC § 503(a)(1) and (8): Require that state law provide for such methods of administration as are found by the Secretary of Labor to be reasonably calculated to insure full payment of unemployment compensation when due and restricts expenditure of all money received by the State solely for the purposes and in the amounts found necessary by the Secretary of Labor for the proper and efficient administration of state unemployment compensation law.

These sections have been interpreted by the Department of Labor as requiring that employer, wage, and claim information be treated as confidential and used only for administration of the unemployment insurance tax and compensation program, with few exceptions (see 20 CFR 603.4).

42 USC §1320b-7(a)(5) and (a)(6): Requires the establishment of an Income and Eligibility Verification System (IEVS) between listed programs with adequate safeguards to assure that information is made available only to the extent necessary to assist in the valid administration of the programs, only exchanged with agencies authorized to receive such information, & adequately protected against unauthorized disclosure; and that notification is provided to applicants and recipients that information in the system will be shared with other agencies, and reimbursement is made to agencies providing the information for the cost of providing it.

20 CFR Parts 601 to 625: Source of federal unemployment regulations, including Trade Adjustment Assistance in Part 618.

20 CFR §603.2: Defines unemployment terms such as "wage information," "claim information," and "requesting agency."

20 CFR §603.3: Subpart B includes 20 CFR 603.3 through 603.12, and all pertain to implementation of federal UC and FUTA (Federal Unemployment Tax Act) confidentiality requirements, including mandating that states create uniform minimum UC safeguards and data sharing agreements, as outlined in SSA §303 (42 USC 503) and FUTA (26 USC §3304(a)(16)).

20 CFR §603.5: Sets forth exceptions to UC confidentiality that are mostly discretionary. However, the federal exceptions can only be followed if authorized by state law, including RC §4141.21, and disclosure does not interfere with the efficient administration of State UC law.

20 CFR §603.6: Sets forth mandatory disclosures requiring State Unemployment Insurance Agencies (SUIAs) to share certain UC claim and/or UI tax and wage information with federal agencies administering public works/assistance through employment, as well as with food and cash assistance programs and HUD, for purposes of determining eligibility for those programs, with CSEA for establishing and collecting child support, and with U.S. Departments of Labor and Education for purposes of evaluations conducted under WIOA section 116(e)(4).

20 CFR 603.8: Except as specified in section (b) of the regulation, prohibits state UC agencies from using unemployment grant funds to pay for the cost of making UC information disclosures that are not directly connected to UC program administration. Also requires state UC agencies to seek payment in advance or reimbursement to cover the cost of such disclosures.

20 CFR Part §603.9: Under this regulation, for certain types of disclosures, state unemployment compensation (UC) agencies must require recipients of information to comply with the following measures (and others not listed in this summary) to preserve confidentiality and prevent unauthorized access or disclosure: 1) use information only for purposes authorized by law and consistent with an agreement that meets the requirements of section 603.10; 2) store information in a place physically secure from unauthorized access; 3) store and process electronic information in a way that unauthorized persons cannot obtain it by any means; 4) instruct all personnel with access of the confidentiality requirements and sanctions for unauthorized disclosure; and, have the contracting party sign an acknowledgment that personnel have been so instructed; and (5) maintain an auditable system.

20 CFR 603.11: Requires state unemployment agencies to notify claimants and employers of how their information will be used, with what parties it will be shared, and for what purposes.

20 CFR §§603.20 through 603.23: These regulations describe mandatory Income and Eligibility Verification System (IEVS) disclosures to requesting agencies.

20 CFR §677.175 & WIOA §116(i)(2): Require state workforce education and training programs to use quarterly wage records to measure the progress of the state on performance accountability measures.

State Statutes and Rules:

RC §4141.162: Requires the establishment of IEVS, specifies the programs to be included in the system, and provides that the requirements of RC § 4141.21 and any sanctions imposed for improper disclosure of such information apply to the redisclosure of information under this section. The section also requires the adoption of rules to include specific requirements including notification to applicants and recipients that information in the system may be shared with other agencies, that information is made available only to the extent necessary to assist in the valid administration of the programs, and that information is adequately protected from unauthorized disclosures. Amended effective 9/29/13.

RC § 4141.21: Except as provided in RC§4141.162 (IEVS), and subject to RC § 4141.43 (cooperation with certain state, federal and other agencies), information maintained by or furnished to ODJFS or UCRC by employers or employees pursuant to RC Chapter 4141 is for the exclusive use and information of ODJFS and UCRC in the discharge of their respective duties and is not open to the public and cannot be used in any action or proceeding or be admissible in evidence in any action other than one arising under RC Chapter 4141 or RC §5733.42. All of the information and records necessary or useful in the determination of any particular claim for benefits or necessary in verifying any charge to an employer's account under RC §§ 4141.23 to 4141.26, shall be available for examination and use by the employer and the employee involved. 9/30/21.

[In Freed vs. Grand Court Lifestyles, 100 F. Supp. 2d 610 (Dec. 21, 1998), the Federal Court overruled OBES's Motion to Quash in part, and sustained the Motion in part. Three conditions on releasing UC claimant data to the former employer were listed in Freed, in which the claimant had filed an ADA-based discrimination suit against the former employer in federal court:

(1)There must be a federal questions involved, before release will be required. If it's only a federal diversity issue involving questions of state law, then no disclosure is required, as RC §4141.21 still applies, and is not abridged by Federal Rule of Evidence 501.

(2)Only personal information provided to ODJFS by the UC claimant may be released to the claimant's former employer. (Note: The federal court looked at only the facts of this particular case, and the usefulness to the Defendant of UC data (the receipt of which implied that the plaintiff could work) to their defense of an ADA claim (in which obtaining proof of receipt of UC benefits would actually undermine the requesting party's argument that the plaintiff/UC claimant was too disabled to work), and balanced the policy interests served by recognizing state's privilege against the policy interests served by allowing access to the requested information. The facts of other cases may not warrant application of Freed, and/or may not warrant disclosure of UC claimant data.)

(3)Any discoverable records should be issued under seal, and with written assurances that the documents be maintained as confidential and only be utilized for the limited purposes of defending the federal civil suit filed by the claimant].

[But, see AG Opinion 2010-029, which says JFS may provide BWC with certified copies of UC records, for use in BWC civil and criminal cases, and JFS may allow its representative to testify regarding those records at BWC trial]

RC § 4141.22: No person shall disclose any information maintained by or furnished to ODJFS or UCRC by employers or employees unless such disclosure is permitted by RC §4141.22. Information obtained by ODJFS and UCRC under RC Chapter 4141 that pertains to the transactions, property, business, or mechanical, chemical, or other industrial process of any person, firm, corporation, association, or partnership is prohibited from divulged by current and former employees of ODJFS, UCRC, county family services agencies, and workforce development agencies. 9/30/21.

RC § 4141.43: Provides the director of ODJFS with discretionary authority to disclose information to various agencies, including but not limited to the bureau of workers compensation, IRS, United States employment service, and the railroad retirement board. Basis for RC 4141.43 and other UC confidentiality statutes lies in SSA §§303(a)(1), (a)(7), (c)(1), (d), (e), (h) & (i). 9/29/17.

RC § 5733.42(E): Financial statements and other information submitted by an applicant to ODJFS for an employee training tax credit, and any other information taken for any purpose from such statements or information, are not public records. However, ODJFS, the tax commissioner, or the superintendent of insurance may make use of the statements and other information for purposes of issuing public reports or in connection with court proceedings concerning tax credits allowed under this section and RC §§ 5725.31 and RC 5729.07. 4/12/21.

OAC 4141-16-01, 4141-16-02, & 4141-16-03: These IEVS-related rules require that ODJFS disclose wage and claim information to authorized agencies under an agreement, when needed by those agencies to verify eligibility for and/or the amount of benefits. The agreement with authorized agencies must include provisions to prevent unauthorized access to and disclosure of confidential information. See also 20 CFR 603.22 and RC 4141.162. 11/12/18.

OAC rule 4141-43-01: Governs the exchange and disclosure of wage, claim, employer, employment and training, and other confidential information to state departments, other governmental agencies, or service providers, and certain nongovernmental agencies for research. All disclosures under this rule must be for purposes of providing and improving employment and training services. This rule strictly prohibits redisclosure of the information received by third parties. 7/27/18.

OAC rule 4141-43-02: Sets out under what circumstances wage, claim, and/or employment and training information furnished to or maintained by ODJFS pursuant to RC Chapter 4141, can be shared with county departments of job and family services, state and county child support enforcement agencies, and governmental agencies administering employment and training and public assistance programs. The rule also permits the sharing of certain information with civil and criminal prosecuting authorities. 4/1/20.

J.WORKFORCE DEVELOPMENT

1.THE WORKFORCE INNOVATION AND OPPORTUNITY ACT (WIOA)

29 USC 3141(i)(2): Requires that the Office of Unemployment Insurance Operations share wage information for purposes of WIOA performance reporting requirements.

29 USC 3141(i)(3): WIOA requires compliance with the Family Educational Rights and Privacy Act of 1974 (FERPA), which is codified in 20 USC 1232g and the corresponding regulations in 34 CFR part 99. FERPA was enacted to protect student privacy rights in education records, and applies to all public and private educational institutions that receive federal educational funds. FERPA requires safeguards to protect against the disclosure of personal identifying data regarding students.

29 USC § 3245(a)(4): Part (A) of this section requires that certain WIOA records maintained by ODJFS be made available to the public upon request. Part (B) excepts from treatment as public record any information, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy, and trade secrets, or commercial or financial information, that is obtained from a person and is privileged or confidential.

29 USC §3341: Nothing in WIOA shall be construed to supersede the privacy protections afforded parents and students under section 444 of the General Education Provisions Act (20 U.S.C. 1232g); and nothing in WIOA shall be construed to permit the development of a national database of personally identifiable information (PII) regarding individuals who have received WIOA or Title IV services. 7/22/14.

20 CFR 677.175: Requires use of unemployment’s quarterly wage information, to the extent permitted under federal and state law, for WIOA performance reporting.

20 CFR 677.230(e): Governor and designated state agency must facilitate eligible training provider matches with OUIO’s wage records for performance reporting.

20 CFR 683.220: Requires recipients and subrecipients of WIOA and Wagner-Peyser funds to have internal control structures and written policies in place that provide safeguards to protect personally identifiable information and other sensitive information. Internal controls include evaluating and monitoring recipient’s and subrecipient’s compliance with federal and state laws and regulations, including WIOA, and taking prompt corrective action when noncompliance is identified.

29 CFR §38.41: Requires each state WIOA recipient (&/or local workforce development area, per the state plan) to collect and maintain data and records that will help U.S. DOL’s Civil Rights Center (CRC) determine whether the recipient is in compliance with the non-discrimination and equal opportunity provisions of WIOA section 188. The system and format used to maintain records must be designed to allow the state recipient and CRC to conduct statistical and other quantifiable data analyses to verify state’s compliance. Information and records about applicants, registrants, eligible applicants/registrants, participants, terminees, employees and applicants for employment must be stored in a manner that ensures confidentiality and can only be used for purposes of recordkeeping and reporting to CRC, determining eligibility for WIOA programs and activities, and determining a recipient’s compliance with non-discrimination requirements. Each WIOA recipient must also keep (and submit to CRC upon request) logs of complaints alleging discrimination in relation to WIOA programs or activities. The logs must include complainant names, addresses and other identifying information and complaint details. Any information in the logs that could lead to the identification of a particular individual as having filed a complaint must be kept confidential.

34 CFR § 99.30(a): This is a FERPA regulation and provides that with certain exceptions, "[t]he parent or eligible student shall provide a signed and dated written consent before an educational agency or institution discloses personally identifiable information from the student's education records." Personally identifiable information includes but is not limited to the student's name; a personal identifier, such as a student's social security number; other information that, alone or in combination, would allow a reasonable person to identify the student with reasonable certainty; or information requested by a person who the educational agency reasonably believes knows the identity of the student to whom the record relates. (34 CFR § 99.3).

RC § 307.983: Each board of county commissioners is required to establish a plan of cooperation among county workforce development agencies specifying how such agencies will exchange information and coordinate and enhance services and assistance to individuals and families.

OAC rule 4141-43-01: Allows the use and disclosure of wage information, claim information, employment and training information and employer information maintained by ODJFS for the purpose of providing or improving employment and training. 7/27/18.

OAC rule 4141-43-02: Sets out under what circumstances wage, claim and/or employment and training information maintained by ODJFS can be shared with county departments of job and family services, state and county child support enforcement agencies, and governmental agencies administering employment and training and public assistance programs. 4/1/20.

Workforce Innovation and Opportunity Act (WIOA) Section 116(i) (same as 29 USC 3141(i)): Requires state workforce agencies to utilize quarterly wage reports to ascertain their progress on state and local performance accountability measures, and consistent with state law. Requires that DOL make arrangements, consistent with state law, to ensure that the wage records of any state are available to any other state to the extent that such wage records are required by the state in carrying out the state plan or completing the annual performance report described in subsection (d).

OAC rule 5101:11-7-02(D): Makes the identities of those filing or assisting with apprenticeship-related complaints confidential, except for purposes of carrying out EEO requirements and disclosures made with the permission of the person in question. 10/1/20.

2.LABOR MARKET INFORMATION

Any information provided to, or obtained, accessed or used by the Office of Workforce Development’s Labor Market Information unit (LMI), is governed by the same confidentiality laws and regulations, and security, retention and destruction policies as the underlying information.

In addition, data LMI receives from the Federal Bureau of Labor Statistics may also be subject to the Confidential Information Protection and Statistical Efficiency Act (CIPSEA) of 2002 (44 USC 3561, et seq., especially 44 USC 3571 and 3572), Privacy Act (5 USC 552a), Nationwide Workforce and LMI System (29 USC 49l-2), and Trade Secrets Act (18 USC 1832).

3.EMPLOYMENT SERVICES (Including Wagner-Peyser)

29 USC 49l-2: Prohibits officers, employees, and agents of the federal government from (1) using information furnished to them for statistical purposes, for any other purpose; and, (2) publishing or making any media transmittal of information concerning individual subjects that might identify them, directly or indirectly, without the consent of the individual or agency that is the subject of the information. Also makes statistical information about individual subjects immune from legal process, so that it cannot be admitted as evidence, or used for any purpose in any action, suit, or other judicial or administrative proceeding.

20 CFR 653.110: Aggregate data collected pursuant to 20 CFR 653.109, such as the total number of migrant and seasonal farmworkers (MSFWs) contacted through outreach, referred to or placed in jobs, and registered for career services, their median earnings, and the percentage in unsubsidized employment, must be disclosed to the public within 10 business days of the receipt of a written request for such data. However, intra-agency memoranda and reports between ODJFS and DOL-ETA that contain mostly statements of opinion, rather than facts, may be withheld from the public, provided that the requestor is informed of the reason for withholding in writing. And, information and documents may also be withheld if their disclosure would constitute a clearly unwarranted invasion of personal or employer privacy, as long as the rationale for non-disclosure is provided in writing to the requesting party. In Ohio, no personally identifiable information about MSFWs or workforce participants is shared with the general public, on the basis that disclosure of such information would constitute a clearly unwarranted invasion of personal privacy.

20 CFR 655.63: Says that U.S. DOL will maintain a publicly accessible electronic file showing all employers that have applied for temporary non-agricultural labor certifications (for H2B visas), the number of workers requested, the dates filed & decided, and the outcome.

20 CFR 658.411(a)(3): The identity of complainants and any persons who furnish information relating to, or assisting in, an investigation of a job services complaint to ODJFS shall be kept confidential to the maximum extent possible, consistent with applicable law and a fair determination of the complaint. Requires that copy of completed Job Services complaint submission be given to the complainant(s) and the appropriate Complaint System representative.

RC 4141.21: Except as provided in RC 4141.162(IEVS), and subject to RC 4141.43 (cooperation with certain state, federal and other agencies), information maintained by or furnished to the director of ODJFS or UCRC by employers or employees pursuant to RC Chapter 4141 (employment services law) is for the exclusive use and information of ODJFS and UCRC in the discharge of their duties and shall not be open to the public or used in any court in any action or proceeding pending therein, or be admissible in evidence in any action other than one arising under RC Chapter 4141 or RC 5733.42. All of the information and records necessary or useful in the determination of any particular claim for benefits or necessary in verifying any charge to an employer's account under RC sections 4141.23 to 4141.26, shall be available for examination and use by the employer and the employee involved.

RC § 4141.43: Provides the director of ODJFS with discretionary authority to disclose information to various agencies, including but not limited to the bureau of workers’ compensation, IRS, United States employment service, and the railroad retirement board.

OAC rule 4141-43-01: Sets guidelines for the use and disclosure of wage information, claim information, employment and training information, and employer information.

K.STATE HEARINGS

Federal Regulations:

7 CFR 273.15(p)(1) & (q)(5): Requires that hearing decisions related to Food Assistance be made available to the public, provided that names, addresses and other information that would identify household members are kept confidential. This regulation also requires that the Food Assistance/SNAP assistance group or its representative be given access to all documents and records to be used at the state hearing at a reasonable time prior to the state hearing as well as at the state hearing. But, names of individuals who have provided information about the household without its knowledge, and the nature and status of pending criminal cases, must be protected from release. State agencies must provide households with a free copy of relevant portions of the case file, upon their request.

45 CFR 205.10(a)(19): Requires that hearing decisions related to IV-A be made available to the public with identifying information of the IV-A assistance group kept confidential.

State Rules:

OAC rule 5101:6-5-01(F) & (G): Gives individuals requesting a state hearing and their authorized representative access to their case file, and to any other documents and records the local agency intends to use at the state hearing. The rule also sets out the procedure for requesting and issuing subpoenas during the state hearing process. 4/1/23.

OAC rule 5101:6-7-01(G): Allows the public to inspect all state hearing decisions, subject to applicable disclosure safeguards. The implication of this rule is that an appellant's identity is not subject to disclosure, but the decision itself (with appellant and household members’ identifying information redacted) is available as a public record upon request. 4/1/23.

OAC rule 5101:6-8-01(K): Allows the public to inspect all administrative appeal decisions, subject to applicable disclosure safeguards. The implication of this rule is that an appellant's identity is not subject to disclosure, but the decision itself (with appellant/household members’ identifying information redacted) is available as a public record upon request. 4/1/23.

OAC rule 5101:6-20-16(H): Allows inspections of administrative disqualification decisions subject to applicable disclosure safeguards. The implication of this rule is that an appellant's identity is not subject to disclosure but the decision itself (with identifying information of appellant & household members redacted) is available as a public record upon request. 3/1/19.

OAC rule 5101:6-50-07: When RC Chapter 119 hearing has been requested, allows discovery of any matter that is not privileged or confidential and that does not involve actions under RC Chapters 5103 and 5104 (certification of children’s residential facilities and child day care licensing). 1/1/19.

L.MISCELLANEOUS

Federal Laws and Regulations:

29 CFR § 825.500(g): Records and documents relating to medical certifications, recertifications or medical histories of employees or employee's family members, created for purposes of the Family Medical Leave Act (FMLA) shall be maintained as confidential medical records in separate files/records from the usual personnel files. If the Genetic Information Nondiscrimination Act (GINA) of 2008 is applicable, records created for FMLA containing family medical history or genetic information shall be maintained in accordance with Title II of GINA (29 CFR 1635.9), which permits information to be disclosed consistent with FMLA confidentiality requirements. And, if the Americans with Disabilities Act (ADA) or the Americans with Disabilities Amendments Act of 2008 (ADAA) is also applicable, such records shall be maintained in conformance with ADA confidentiality requirements except: (1) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of an employee and necessary accommodation; (2) First aid and safety personnel may be informed (when appropriate) if the employee's physical or medical condition might require emergency treatment, and (3) Government officials investigating compliance with FMLA (or other pertinent law) shall be provided relevant information upon request.

29 CFR § 1630.14(b), (c) and (d): This is a part of the regulations related to the Americans with Disability Act and addresses medical examination information received from employees, either voluntarily as part of an agency health program or mandatory examinations needed due to business necessity. This section requires that employers keep this information in separate forms and medical files and keep them confidential. This regulation allows the release of this information to supervisors and managers in relation to necessary restrictions on the work or duties of the employee and necessary accommodations; first aid and safety personnel, when appropriate, if the disability might require emergency treatment; and government officials investigating compliance with the regulation.

State Statutes and Rules:

RC §9.01: Sets out the standards for copying and preserving records for specified purposes onto different format or medium. Gives the copies the same effect of law as the original record(s). 9/26/03.

RC §9.28: Materials submitted to a public office in response to a competitive solicitation are not public until after the public office announces the award of the contract. 4/6/17.

RC § 9.312: A state agency may request additional financial information from a low bidder on a contract (in addition to a surety licensed to do business in Ohio). This additional financial information to show financial responsibility is confidential except under proper order from the court, and is not a public record under RC §149.43. 11/2/18.

RC §102.03(B): Prohibits current and former public official or employee from disclosing or using, without proper authorization, any confidential information the public official or employee acquired in the course of their official duties, when the confidential designation is warranted and preserving confidentiality is necessary to the proper conduct of government business. Statute is part of revolving door restriction that prohibits former public employees from representing private sector clients in front of their former public sector employer. 4/4/23.

RC §124.88: Records of the identity, diagnosis, prognosis, or treatment of any person that are maintained in connection with the employee assistance program (EAP) are not public records under RC §149.43 and shall be disclosed without written permission of the subject of the record only to medical personnel to the extent necessary to meet a bona fide medical emergency or to qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, but the personnel shall not directly or indirectly identify any person who is the subject of the record in any report of the research, audit, or evaluation or in any other manner. Records may also be disclosed pursuant to court order, if good cause is shown and certain safeguards are in place. 9/29/13.

RC §125.071: Affords some protections for the procurement process until the contract is awarded and the process is completed. 10/25/95.

RC §§ 131.02 & 131.022: Both say private entity to which ODJFS claims are sold, conveyed or transferred, shall be bound by all federal and corresponding state confidentiality requirements concerning the information included in the sale, conveyance or transfer. 9/30/21 and 6/30/06.

RC § 145.27(A), (B) & (D)(4): Sets out what public employee and public assistance recipient information held by the Public Employee Retirement System (PERS) is confidential. 1/7/13.

RC § 149.431: Makes financial records required to be kept by any governmental entity or agency and any nonprofit corporation or association (except a charitable trust corporation organized under RC Chapter 1719 or 3941) related to contracts or agreements with the federal government, unit of state government, or a political subdivision or taxing unity of the state, public records as defined in (A)(1) of RC §149.43 and subject to the requirements of division (B) of that statute. The law also states that information directly or indirectly identifying a present or former individual patient or client or her/his diagnosis, prognosis, or medical treatment, treatment for a mental or emotional disorder, treatment for a developmental disability, treatment for drug abuse or alcoholism, or counseling for personal or social problems is not a public record. It states that release of the financial records can be deferred for a reasonable amount of time if at the time a request for release is made a patient or client whose confidentiality might be violated by the release of records is being provided confidential professional services. The law also does not require a nonprofit corporation or association that receives both public and private funds in fulfillment of a contract, to keep as public records the financial records of any private funds expended in relation to the performance of services.

RC § 149.40: States that public offices shall only create: records that are necessary for the proper documentation of the organization, functions, policies, decisions, and procedures of the office; records of essential transactions; and, records necessary for the protection of the legal and financial rights of the state and persons directly affected by the agency’s activities.

RC § 149.433: Excludes from treatment as public record infrastructure records of public offices, public schools, and chartered nonpublic schools; infrastructure records of a private entity that is submitted to the public office for use by that public office, if certain criteria described in the statute are met; and security records of public offices. This section is useful for protecting data obtained from surveys and audits, when the data is obtained to improve infrastructure/security. One exception is the notification school boards are required to issue to the public under RC 2923.122(D)(1)(d), informing them that the board has authorized one or more persons to go armed within a school operated by the board, whenever such authorization is given. 9/12/22.

RC § 149.434: Requires that each public office maintain a database or list of names of public officials and employees elected to or employed by that public office, and that such information be made available to the public upon request. 9/30/21.

RC § 1306.23: Records that would disclose or may lead to the disclosure of records or information that would jeopardize the state's continued use or security of any computer or telecommunication devices or services associated with electronic signatures, electronic records, or electronic transactions are not public records for purposes of RC §149.43.

RC §§ 1333.61 through 1333.69: These statutes define and preclude the release of trade secrets. If records in the possession of a public office are marked as trade secret, and are the subject of a records request, party making assertion may need court injunction - RC §1333.65.

RC §1347.12: Sets forth procedures for public entities when they become aware of electronic security breaches. See also definitions in RC §1347.01, AG's investigatory authority in RC §1349.191, and penalties in RC § 1349.192). 9/29/15 & 2/7/06.

RC § 4701.19(B): Exempts from treatment as public records statements, records, schedules, working papers, and memoranda made by a certified public accountant or public accountant incident to or in the course of performing an audit of a public office or private entity. However, reports submitted by the accountant to the client are not exempt from treatment as public records. 3/30/99.

RC §5101.46(D): Requires ODJFS to prepare a report every federal fiscal year on the use of Title XX social services grant funds, and to make it available for public inspection. 10/12/16.

OAC 5101:9-9-38: This county electronic data usage rule prohibits county family services agencies (CFSAs) from downloading, matching, scraping or extracting data or data elements from any ODJFS system where the data owner is the Internal Revenue Service, Social Security Administration, or other federal or state entity, without first obtaining express written permission from the data owner. ODJFS can only authorize the download, scrape or extract of data where ODJFS is the data owner. Division (C) states that a CFSA employee may download, match, scrape or extract data from ODJFS systems, including SETS, Ohio Benefits, SACWIS, OWCMS, and CCIDS, if it is directly related to the employee's job functions or duties, but only if such job functions or duties are directly related to the administration of a program the county agency is administering for ODJFS. Division (D) describes the process for obtaining ODJFS approval for data usages not covered by Division (C), including submitting a data request to the ODJFS deputy director for the program responsible for the data, completing an ODJFS Privacy Impact Assessment form, assisting in drafting a data sharing agreement when needed, and obtaining ODJFS Legal and Office of Information Services review and approval. 11/1/20.

top