III. Federal & State Confidentiality Laws and Regulations

As stated in Part I of this memorandum, any record identified as a "public record" must be released upon request. RC §149.43(A)(1) excepts records from being designated as "public records" when there is a federal or state law which prohibits the release of the record or labels it as confidential. The following is a list of federal and state laws which make certain records or information confidential or prohibit their release. The federal and state statutes have been grouped according to program or subject matter.

A.       GENERAL

1.       TAX RETURN INFORMATION

Internal Revenue Code (IRC) Section 6103 (26 USC 6103) states that all income returns and return information shall be confidential, and that no officer or employee of any state, any local child support enforcement agency, or any local agency administering a public assistance program shall disclose any return or return information obtained by him/her in the course of his/her work responsibilities. IRC Section 7213 (26 USC 7213) makes unlawful disclosures a felony offense, and IRC Section 7431 (26 USC 7431) permits civil damages to be imposed on individuals who make unlawful disclosures.

In addition, 42 USC 664 allows the interception of federal tax refunds in order to satisfy child support obligations. 26 USC 6103 and IRS publication 1075 outline strict requirements for the handling of this information by state agencies operating child support programs.

OAC rule 5101:1-1-36(G): This cash assistance rule references section 1137 of the Social Security Act, which requires that ODJFS develop an Income & Eligibility Verification System (IEVS). Ohio's IEVS is integrated into CRIS-E, which allows ODJFS to obtain information from its own office of unemployment compensation (OUC) and the social security administration (SSA). Under IEVS, ODJFS matches public assistance applicant/recipient social security numbers with OUC's wage records and unemployment compensation records, as well as SSA's benefit earnings exchange records, and SSI and RSDI benefit information provided by SSA. If the source of the matched information is SSA, or some other federal agency, the information is considered federal tax information (FTI). Match information for IEVS which contains federal tax data must be protected from disclosure to unauthorized persons. The rule states that computer screen printouts or copies of letters mailed or received regarding FTI must be safeguarded. The rule requires that FTI not be commingled within the assistance group case record, because if it is commingled, the entire assistance group case record must be safeguarded in the same way as FTI, and labeled as SSA-provided FTI. The rule then sets out under what circumstances and to whom the Federal Tax Information can be released. (Amended effective 3/1/13).

OAC rule 5101:4-7-09: Rule pertains to use of IEVS in food assistance program. Rule says that, in general, unemployment compensation benefit information, SSI and social security data are verified upon receipt, whereas county agencies must independently verify IRS information, and federal and state wage information obtained from SSA and the state unemployment office. The rule also specifies the types of independent verification that can be done, and the actions that county agencies must take when information is received as a result of data exchange agreements. Paragraph (G) restricts county usage of IEVS information to program administration (i.e., determining assistance group's eligibility or ineligibility for SNAP, and the amount of SNAP), and Paragraph (K) says that IEVS match information may only be disclosed as permitted in OAC rule 5101:4-1-13. Paragraph (L) requires that ODJFS and the county agencies keep a record for at least five years, or during the active life of the application (whichever is longer) of any release of confidential IEVS information (e.g. federal tax information (FTI), including SSA match data) to any non-ODJFS or non-county agency employee. County/state workers must record the disclosure(s) in the applicant's case file, and the county must keep track of it in BENDEX. Paragraph (J) says that matches containing FTI are confidential, must be safeguarded as required in OAC rule 5101: 4-1-13, must be stored in a place physically safe from access by unauthorized individuals, and cannot be commingled with the rest of the case record. (Amendment effective 2/10/11).

OAC Rule 5101:9-9-25 outlines federal tax return information safeguarding procedures, which are intended to maintain confidentiality of taxpayer data; and, OAC 5101:9-9-25.1  does the same for county agencies. Both rules were updated in May of 2016. 

2.       SOCIAL SECURITY NUMBERS

As a result of growing problems of identity theft and intrusions on personal privacy, this section on Social Security numbers was added to the Manual, as a reminder to all government employees of the importance of safeguarding the confidentiality of all social security numbers in the possession of state and local government. Unless specifically authorized by law, there should be no public disclosure of SSNs of government employees, public assistance applicants/recipients, child support clients, unemployment insurance claimants, workforce development participants, private sector employers/businesses/contractors, and participants in any other program administered by ODJFS or a county DJFS which collects and maintains social security numbers (SSNs) and related data. The Internal Revenue Code, 26 USC 6109(d), states that an SSN is issued to an individual for tax identification purposes.

5 USC § 552 (public information) and 5 USC § 552a (the Privacy Act of 1974) are the federal counter-parts of the Ohio public information and privacy laws.

5 USC § 552(b) lists exemptions to the federal Freedom of Information Act, including matters that are specifically exempted from disclosure by statute ((b)(3)) and trade secrets and personal information obtained from a person ((b)(4)).

5 USC § 552a(e),(o) & (p)This statute does not prohibit release of the Social Security numbers but creates an individual expectation of privacy by requiring that any federal government agency that requests an individual to disclose his Social Security number to inform that individual whether that disclosure is mandatory or voluntary, under what authority the number is solicited, and what use will be made of it. Also requires that non-federal agencies (like ODJFS) enter into matching agreements with source agencies (like the Social Security Administration), to independently verifying matched information, and to notify applicants for and recipients of financial assistance of their right to contest the findings of any match that results in adverse action. Please note that public assistance, child support and children services records and portions of daycare records are not public records pursuant to other federal and state statutes. Social Security numbers would also not be public records under those laws. Social Security numbers contained in personnel files have been determined by the Ohio Supreme Court to not be public records pursuant to a Constitutional right of privacy. Requests for release of Social Security numbers in other situations (e.g. provider information) should be analyzed on a case by case basis. Also cited as Sections 7(a) and (b) of the Privacy Act of 1974.

7 USC 2011-2036, Section 1137(a) of the Social Security Act, and 42 CFR 435.910, authorize the collection and use of Social Security numbers in the Food Assistance and Medicaid programs. (See also OAC Rules 5101:1-1-03 and 5101:1-3-09). Social Security Numbers can be used to determine eligibility and verify information.

7 USC 2018(c) and 7 CFR 278.1(q). Limit access to and disclosure of food assistance retailer information, such as identities of store owners and personnel, and specific proprietary data. While information can be used for administration of food assistance program, special provisions apply to employer identification numbers (EINs) and federal employer identification numbers (FEINs). The disclosure of SSNs and EINs is limited to qualifying Federal agencies or instrumentalities which otherwise have access to SSNs and EINs based on law and routine use. Release of information under this CFR provision is limited to information relevant to the administration or enforcement of the specified laws and regulations, as determined by FNS.

29 USC 2871(f)(3)3141(i)(3), the Workforce Investment ActWorkforce Innovation and Opportunity Act (WIAWIOA), requires compliance with 20 USC 1232g (and the corresponding regulations in 34 CFR part 99), the Family Educational Rights and Privacy Act of 1974 (FERPA), which was enacted to protect student privacy rights in education records, and applies to all public and private educational institutions that receive federal educational funds. FERPA requires safeguards to protect against the disclosure of personal identifying data regarding students, which includes SSNs. Under FERPA, schools can only give info to the Department of Education, not the Department of Labor, making cross-matching of SSNs problematic. A state educational authority may obtain state unemployment insurance (UI) wage record data from the state UI agency and conduct the computer match through its employees or contractors under its direct control in order to determine the employment status of students. Additionally, educational agencies and institutions may disclose information from the student's education records, such as the SSN, if the student is an "eligible student" (student over the age of 17, or a student who is attending a postsecondary institution at any age) and has provided prior written consent for the disclosure. (See January 30, 2003 Key Policy Letter signed by Sec. of Education). WIOA was enacted 7/22/14.  Some provisions took effect 7/1/15, and others took effect, or will take effect, in subsequent years.

42 USC 405(c)(2)(C)(viii)(I). Social security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law, enacted on or after October 1, 1990, are confidential and nondisclosable.

20 CFR § 603.7: Requires state unemployment compensation (UC) agencies to establish procedures to protect the confidentiality of information against unauthorized access, disclosure or redisclosure. 20 CFR 603.5 authorizes state unemployment compensation agencies to share wage and claim data with certain requesting agencies, but only for the purpose of verifying eligibility for, and the amount of, benefits. Both these provisions apply to the Wage Record Interchange System (WRIS), which is an interstate data exchange system that facilitates the exchange of UC wage records for use by participating states in assessing and enhancing the performance of various programs identified in the workforce investment actWorkforce Innovation and Opportunity Act (WIAWIOA).

42 CFR 435.910: Requires Medicaid applicants to furnish state Medicaid agency with their social security number.  But, agency must advise applicant of legal authority for requesting SSN, and how the agency will use the SSN (i.e., verifying income, eligibility, and amount of assistance); assist applicant in obtaining an SSN or other evidence if they do not have one; and not delay services to an otherwise eligible individual. 

RC § 149.45:Defines “personal information” to include social security numbers, driver’s license numbers, state identification numbers, state and federal taxpayer identification numbers, financial account numbers, and credit and debit card numbers, which are all exempt from treatment as public record under RC 149.43(A)(1)(dd). Also prohibits public offices from making Social Security numbers available to the general public on the Internet without first redacting, encrypting or truncating the SSN. In addition, an individual may ask a public office or employee to redact/remove the individual's federal tax ID number, driver's license number and bank account number (and public employees engaged in criminal law enforcement can also ask that their residential and familial information be redacted) from any public website. The public office must, within five days of receiving a request to do so, either redact the personal (and sometimes residential/familial) information from internet postings, or explain to the requestor why the redactions are impracticable. A public office or employee is not liable in damages in a civil action for any harm an individual sustains as a result of including the individual's personal information on the Internet, unless the public office or employee acted with malicious purpose, in bad faith, or in a wanton or reckless manner.

RC § 5101.181 and RC § 5101.182: State that the director of Job and Family Services, district director of Job and Family Services, county director of job and family services, county prosecutors, attorney general, auditors of state or any agent or employee of those officials having access to information or documents received as a result of a Social Security number match of public assistance recipients and Ohio income tax records, workers compensation records, state retirement records, and state personnel records may not divulge information from these matches except to determine overpayments, audits, investigations, prosecution, or in accordance with a proper judicial order. Any person violating these sections shall be disqualified from acting as an agent or employee or in any other capacity under appointment or employment of any state or county board, commission, or agency.

RC § 1347.12: Sets forth procedures for public entities, except for HIPAA-covered state entities, when they become aware of electronic security breaches (see also definitions in 1347.01; AG's authority to investigate breaches in 1347.191; and penalties that court can impose in 1349.192).

OAC rule 5101:1-1-03: Disclosure of recipient information, Nondiscrimination, and treatment of information received from the IRS and SSA: addresses the release of OWF, PRC, TANF and DFA information held by ODJFS or a CDJFS specific to an applicant, recipient or former recipient. This is an extremely important rule and should be consulted when this type of information is requested by any third party. The rule describes under what general circumstances the information can be released, exceptions to the general requirements, what is required in information releases, and procedures to follow if information is requested through court process. Also contains provisions on the use, protection and redisclosure of client-specific data received by ODJFS and CDJFS from the SSA and IRS. (Amendments took effect 10/01/10).

OAC rule 5101:1-3-09: Describes the social security number requirement for the Ohio Works First (OWF) cash assistance program.

OAC rule 5101:4-3-22(G): Sets out the acceptable purposes for utilizing a SNAP/Food Assistance recipient's social security number.

3.       VOTER REGISTRATION

RC § 3503.10(E)(4): Sets forth requirements for designated public agencies (e.g. county DJFS) to assist individuals with voter registration, including keeping certain information confidential, such as the identity of the public agency through which a person registered to vote, or updated his/her voter registration, or declined to register to vote. Purpose is to avoid divulging that a particular registered voter is an applicant for/recipient of either public assistance, or some other service/benefit administered by/through ODJFS and its county counterparts, which would violate recipient confidentiality. (Effective 09/2003).

RC § 111.43: House Bill 359 allows victims of domestic violence, human trafficking, and sexual assault to apply to the Ohio Secretary of State for an address designated by the Secretary of State, to serve as that individual’s mailing address, and to thereby shield their actual address from being accessed or viewed by the general public.  This law took effect on 9/8/16, and affects ODJFS and county agency collection and treatment of client, employee and contractor addresses.

4.       AUDITS

RC §121.22(D)(2)&(D)(12): Exempts the following meetings from the open meetings (Sunshine laws) requirements-(1) Audit conferences between ODJFS audit staff and officials of the public office being audited, and (2) Audit conferences between the state auditor/independent CPA and officials of the public office being audited. (Amendment was included in HB 153 by 129th General Assembly, and took effect 9/29/11).

RC §5101.37(D): Makes audit reports, working papers and other audit-related records non-public, until they are formally released by ODJFS. (Amendment was included in HB 153 by 129th General Assembly, and took effect 9/29/11).

B.       MEDICAL

NOTE: THE INFORMATION IN THIS SECTION MAY NOT BE CURRENT OR ACCURATE. The Ohio Department of Medicaid (ODM) administers or oversees the administration of Medicaid-related assistance programs in Ohio.  Therefore, to obtain the most current information regarding applicable federal and state confidentiality laws that apply to medical assistance records, contact ODM (legal@odm.ohio.gov) or visit ODM’s website.

1.       Medicaid, Disability Medical Assistance, CHIP I and II, and Refugee Medical Assistance.

Federal Laws And Regulations:

42 USC § 1396a(a)(5): State and local governments must perform Medicaid eligibility function, not private contractor. See also State Medicaid manual, Sections 2905 and 2909(B) & (C).

And, 42 USC 1396a(a)(7) requires state agencies to provide safeguards that restrict use or disclosure of information about Medicaid applicants/recipients to purposes directly connected with (a) state plan administration and (b) the exchange of information necessary to verify certification of children's eligibility for free or reduced school breakfast/lunch. Since CRIS-E contains Medicaid recipient data, a non-ODJFS/non-CDJFS agency that conducts solely SNAP/food assistance fraud investigations cannot have direct access to CRIS-E.

Also, 42 USC 1320b-7 allows ODJFS to operate IEVS as part of CRIS-E, but IEVS data is provided to us by the U.S. Treasury Dept. under 26 USC 6103(I)(7), and only entities covered by 26 USC 6103 can access IEVS/CRIS-E.

42 USCA § 1396r-8(b)(3)(D): Information disclosed by manufacturers or wholesalers in relation to the best price for outpatient drugs is confidential and shall not be disclosed by the Secretary of HHS or ODJFS in a form which discloses the identity of a specific manufacturer or wholesaler, prices charged for drugs by such manufacturer or wholesaler, except as the Secretary of HHS determines to be necessary to carry out related regulations, and to permit the Comptroller General and Director of the Congressional Budget Office (CBO) to review the information.

Social Security Act (SSA) § 1902(a)(7): State agencies are bound by these requirements, as further interpreted in 42 CFR 431.300 to 431.307, which require that use and disclosure of applicant and recipient info only be permitted when directly connected to the administration of the State Plan.

42 CFR § 2.1:  Sets out circumstances under which a patient's drug abuse and or treatment information can be released and prohibitions against redisclosure.

42 CFR § 431.10:  Single state agency must perform Medicaid administrative function. See also Part II of the State Medicaid Manual.

42 CFR § 431.300: Access to, and use and disclosure of, Medicaid information of applicants and recipients must be safeguarded by the state, so that it is restricted to purposes directly connected with the administration of the Medicaid program.

42 CFR § 431.301 & SSA §1902(a)(7): requires state's Medicaid plan to provide safeguards that restrict the use or disclosure of information concerning applicants/recipients to purposes directly connected with plan administration. 42 CFR Subpart F.

42 CFR § 431.302: Says that purposes directly related to state plan administration of the Medicaid program include: (1) establishing eligibility; (2) determining the amount of medical assistance; (3) providing services for recipients; and (4) conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to the administration of the plan.

42 CFR § 431.305: Specifies the types of Medicaid information that must be safeguarded, including: (1) names and addresses; (2) medical services provided; (3) social and economic conditions or circumstances; (4) agency evaluation of personal information; (5) medical data, including diagnosis and past history of disease or disability; (6) any information received for verifying income eligibility and amount of medical assistance payments (income information received from the SSA or IRS must be safeguarded according to the requirements of the agency that furnished the data); (7) any information received in connection with the identification of legally liable third party resources under RC §433.138, and (8) social security numbers.

42 CFR § 431.306: Requires ODJFS to establish rules governing the release and use of Medicaid information and persons who receive the information must be subject to a confidentiality standard comparable to those of the state. These regulations require notification and the obtaining of permission from the subject of the information before responding to a request for information from an outside source unless there is an emergency situation wherein the subject of the information must be notified immediately after the release, or the information is used to verify income and determine eligibility. Section (f) requires that, pursuant to a court subpoena of a person's Medicaid information, the court must be informed of applicable statutory provisions, policies, and regulations restricting disclosure of information. Sections (g) and (h) require data exchange agreements if information is shared in certain situations.

42 CFR § 435.904: While "initial processing" of Medicaid applications may be contracted out to non-employees, initial processing excludes evaluating Medicaid application information and supporting documents, as well as making eligibility determinations. Only state/county employees can make eligibility determinations. State/county contractors can only do "initial processing", which excludes eligibility determinations.

42 CFR § 435.945: Requires the Ohio Department of Medicaid to verify Medicaid eligibility and the amount of medical assistance payments. Requires that the eligibility and medical assistance payment information be supplied to other agencies in the state, agencies in other states and to federal programs for programs listed in 42 CFR §435.948(a)(6) (AFDC, Medicaid, State-administered supplementary payment programs under Section 1616(a) of the Act, SWICA, Unemployment Compensation, Food Assistance, and any state program administered under a plan approved under Title I, X, or XIV); child support enforcement program under Title IV-D; SSA for old age, survivors and disability benefits under title II; and in relation to SSI benefits under Title XVI. The regulation requires that applicants and persons being redetermined for eligibility be informed in writing how the information collected will be used. This regulation also requires written agreements with other agencies before releasing data or requesting data from other agencies and sets out what must be in those agreements.

42 CFR § 483.315(i): Specifies under what circumstances data from the federal Resident Assessment Instrument (RAI/MDS+) for long term care facilities can be released.

45 CFR § 95.621: Provides that State agencies are responsible for the security of all automated data processing systems involved in administration of HHS programs, and includes establishment of a security plan that outlines how software and data security will be maintained. Also requires state agencies to conduct biennial review and evaluation of physical and data security operating procedures and personnel practices.

45 CFR § 160 Subpart A, B and C: These are the general provisions of the Health Insurance Portability and Accountability Act (HIPAA) which define certain terms, speak to applicability of the Act and relationship of the Act to state laws. The definitions include Medicaid as subject to the Act.(However, the term "HIPAA" probably is not used anywhere in the CFR).

45 CFR Part 164, Subparts A, C and E: These are the security and privacy regulations concerning HIPAA. (See Part IV). Subparts C and E adopt the security and privacy standards in Public Law 104-91, which State agencies are required to comply with pursuant to Part II of the State Medicaid Manual.

State Statutes And Rules:

Sub SB 126 - Exempts state agency from requirement that it disclose or give notice of unauthorized access to personal info, if the agency is a HIPAA-covered entity.

RC § 109.85: Authorizes JFS to seek assistance from AG's Office in Medicaid fraud investigations, but does not prohibit county prosecutors from investigating and prosecuting Medicaid fraud.

RC § 173.20: Gives the Department of Aging Long Term Care Ombudsman, under certain circumstances and unless prohibited by law, access to any records, including medical records of a nursing facility resident that are reasonably necessary for investigation of a complaint.

RC § 173.22: Makes the investigation files of the Department of Aging Long Term Care Ombudsman confidential and allows disclosure of the records only at the discretion of the state ombudsman, the regional program maintaining the records, or by court order.

RC § 191.04(C)(1): Any state agency that uses or discloses personally identifiable protected health information, shall use or disclose that information only as permitted or required by state and federal law.

RC § 191.06: The executive director of the Office of Health Transformation may facilitate the coordination of operations and exchange of information between state agencies, for purposes of modernization of the Medicaid program, streamlining health & human services programs, and improving the quality, continuity and efficiency of health care and health care support systems. Also requires that initiatives involving PHI data exchanges between state agencies be published on OHT's website; that operating protocols be established; and that, when necessary, federal Medicaid waivers be sought by the ODJFS Director.

RC § 339.81: States that any information, data and reports regarding a case of tuberculosis that are furnished to, or procured by, a county or district TB control unit or the Dept. of Health, shall be confidential and used only for statistical, scientific, and medical research for the purpose of controlling TB in Ohio. No physician, hospital or other entity furnishing information, data or reports pursuant to this chapter shall by reason of such furnishing be deemed to have violated any confidential relationship, be held to answer for willful betrayal of a professional confidence, or be held liable in damages to any person.

RC §§ 2305.24 and 2305.251: Concerns confidentiality of information furnished pursuant to hospital utilization review, peer review & quality assurance review. These statutes may be marginally relevant if ODJFS obtains these records through Medicaid related reviews and subpoenas are issued which may encompass this information.

RC § 3701.028: No person or government entity receiving certain information from the Health Department relating to the program for medically handicapped children and of programs funded with funds received from the "Maternal and Child Health Block Grant" Title V of the "Social Security Act," 95 Stat. 818 (1981), 42 U.S.C.A.§701, as amended, may release that information without the consent of the subject of the information or the subject's guardian (if the subject is a minor) except as necessary to administer the program for medically handicapped children or other programs funded with money received from the "Maternal and Child Health Block Grant," coordinate the provision of services under the programs with other state agencies and city and general health districts, or coordinate payment of providers. The records that are subject to this statute are: records that pertain to medical history, diagnosis, treatment, or medical condition; reports of psychological diagnosis and treatment and reports of social workers; and reports of public health nurses.

RC § 3701.243: Prohibits state or local governments that acquire certain AIDS related information while providing any health care services from disclosing or compelling another to disclose the information unless the release falls within exceptions contained in sections 3701.243 or 3701.248. The information protected under Section 3701.243 is: the identity of a person on whom an HIV test in performed; the results of an HIV test that would identify a person or the identity of a person who has been diagnosed with AIDS or an AIDS-related condition.

RC §3701.741: Allows state and county DJFS to receive free copy of medical records from health care providers and medical records companies. Also says how much copy charges can be. Statute was further amended 9/29/13.

RC § 3701.75: Governs use of e-signatures for any health care records maintained by the Department of Health, and requires that each state department adopt a policy on usage.

RC § 3701.9310: Information, data, and records about a decedent, which is collected for use and maintained by the Ohio violent death reporting system including, but not limited to, medical records, coroner investigative records, and laboratory reports, are confidential. This information is also not subject to a subpoena, discoverable, or admissible in civil or criminal proceedings (see 3701.9311). However, the director of Health may adopt rules and establish standards and procedures to make this information available to researchers (see 3701.9312).

RC § 3798.02: For purposes of eliminating barriers to the adoption and use of electronic health records and health information exchanges, the legislative intent in enacting ORC Chapter 3798 is to make state law governing a covered entity's use and disclosure of protected health information (PHI) no more stringent than the HIPAA privacy rule, and to supersede any judicial/administrative rulings that are inconsistent with ORC Chapter 3798.

RC § 3798.03: A covered entity must make PHI it maintains available to the subject of the information or to his/her personal representative, in accord with 45 CFR 164.524, and a covered entity must maintain administrative, technical & physical safeguards to protect the privacy of PHI, in accord w 45 CFR 164.530(c).

RC § 3798.04: A covered entity is prohibited from using or disclosing PHI in a manner inconsistent with 45 CFR 164.502; or without an authorization that is valid under 45 CFR 164.508 &, if applicable, 42 CFR part 2, except as permitted under Subchapter C of Subtitle A of CFR Title 45.

RC § 3798.06: A covered entity is prohibited from disclosing PHI to a health information exchange without the authorization described in ORC 3798.04(A), unless (A) the disclosure is to an approved health information exchange; (B) the covered entity is a party to a valid participation agreement with the approved health information exchange that meets the requirements of rules adopted under ORC 3798.16; (C) the disclosure is consistent with all procedures established by the approved health information exchange; AND (D) prior to the disclosure, the covered entity furnishes to the individual or individual's personal representative a written notice that complies with rules adopted under ORC 3798.16 (A)(3).

RC § 3798.07: In addition to the requirements of RC 3798.06, whenever a covered entity discloses PHI to a health information exchange without a valid authorization, the covered entity must comply with applicable federal disclosure laws for PHI, written requests from the individual or his/her representative, and state laws governing a minor's receipt of medical care and to make his/her own medical decisions. However, Section (B) says that any added requirements in (A) do not supersede certain state laws, rules and codes, which may require either disclosure or confidentiality. So, conflicts between Section (A) and Section (B) are resolved in favor of Section (B).

RC § 3798.08: Shelters a covered entity from civil liability, criminal prosecution, and professional disciplinary action arising out of or relating to PHI access or disclosure to/from a health information exchange, when the covered entity acts in conformity with the preceding ORC 3798 sections.

RC § 3798.10: Authorizes/requires the ODJFS director, in consultation with the Office of Health Transformation, to adopt rules regarding a standard [release] authorization form for the use & disclosure of PHI by Ohio covered entities. A person or government entity can accept a form other than the one the Director prescribes, as long as it meets all the requirements specified in 45 C.F.R. 164.508 and, if applicable, 42 C.F.R. part 2.

RC § 3798.12: Section (A) says that ORC Chapter 3798 supersedes all other ORC sections, OAC rules, guidances, orders and ordinances, when it comes to the confidentiality, privacy, security, or privileged status of PHI maintained in, or transacted or accessed through a health information exchange, EXCEPT for those specified in Section (B). Very similar to ORC 3798.07.

RC § 3798.13: Requires ODJFS to adopt rules regarding the criteria a person must meet to be considered a minor, when he/she is mentally/physically disabled and under the age of 21.

RC § 3798.14: Requires ODJFS director to adopt rules regarding the standards the director must use to approve health information exchanges operating in Ohio. The rules may include procedures for access to and use and disclosure of PHI maintained by or on an approved health information exchange, as well as breach notification procedures.

RC § 3798.16: Requires ODJFS director to adopt rules specifying content of agreements governing: a covered entity's disclosure of/access to PHI to/from a health information exchange; notice requirements to individuals prior to a covered entity's disclosure of PHI to an approved health information exchange; documentation required to verify that appropriate notice was provided to the individual; process for individuals to submit written requests to covered entities restricting the disclosure of PHI to a health information exchange; standards a covered entity must use to determine if, and to what extent, to comply with the individual's request; and, the purposes for which a covered entity may access and use PHI from a health information exchange. Section (B) permits covered entities to provide written notice to individuals in the covered entity's notice of privacy practices, and specifies what must be included in such notices.

RC § 4123.27: Allows the sharing of information about recipients of OWF, PRC, Medicaid and DA with the Bureau of Workers Compensation for matching purposes. The statute precludes the Bureau of Workers Compensation from sharing public recipient information with anyone or other agencies except the State Auditor, Governor, Attorney General and select or standing committees of the General Assembly.

RC § 5101.26: Sets out definitions of terms for confidentiality purposes. Effective 9/29/11, 10/01/11 and 9/29/13, various amendments separated "medical assistance recipient" from the definition of "public assistance recipient" by defining "public assistance" as "financial assistance or social services that are provided under a program administered by [ODJFS] or a county agency…" and stating that "Public assistance does not mean medical assistance provided under a medical assistance program, as defined in 5160.01 of the Revised Code…"

RC § 5101.27:  Sets out confidentiality requirements for all non-medical public assistance (PA) programs, including OWF, PRC, DFA, (ORC Chapter 5115 repealed eff. 12/31/17) and child care subsidies. (Amendments effective 12/31/17).

RC § 5101.271: [Renumbered as 5160.45 effective 9/29/13].

RC § 5101.272: RC §5101.272:Sets out the required elements of a release authorization form allowing the disclosure of non-medical public assistance recipient specific information, as defined in RC 5101.27. The release authorization provisions for medical assistance recipients are in RC 5160.46.

RC § 5101.273: RC §5101.272:Permits ODJFS to disclose public assistance recipient information to HHS and neighboring states to actively participate in a PA reporting information system. Eff. 9/29/13.

RC § 5101.31 [Renumbered as 5164.756 effective 9/29/13]:

RC § 5101.572 [Renumbered as 5160.39 effective 9/29/13]:

RC § 5111.01 [Renumbered as 5162.03 effective 9/29/13]:

RC § 5111.013(B)(1)[Renumbered as 5163.40 effective 9/29/13]:

RC § 5111.033(E)[Renumbered as 5164.342 eff. 9/29/13]:

RC § 5111.034(F)[Renumbered as 5164.341 effective 9/29/13]:

RC § 5111.61[Renumbered as 5165.88 effective 9/29/13]:

RC § 5112.21[Renumbered as 5168.13 eff. 9/29/13]:

RC § 5160.39[Renumbered from 5101.572 eff. 9/29/13]:  Third party insurers or insurance programs which may be liable to pay all or part of the medical costs of a Medicaid applicant/recipient may give or receive confidential information regarding such applicants/recipients, upon request of the Ohio Department of Medicaid (ODM). ODM must limit its use of information gained from such third parties to purposes directly connected with the administration of the Medicaid program and the child support program authorized by Title IV-D of the "Social Security Act. No third party may disclose to other parties or make use of any information regarding recipients of medical assistance that the third party receives from ODM.

RC § 5160.45 [Renumbered from 5101.271 effective 9/29/13]:  Sets out confidentiality requirements for all medical assistance programs and limits disclosures to purposes of Medicaid administration, and to the recipient, or his/her own authorized representative, legal guardian or attorney, if the recipient's attorney has obtained a release authorization that meets the requirements of RC 5160.46.

RC § 5160.46:  Sets out the required elements of a release authorization form allowing the disclosure of medical assistance recipient specific information. See also 45 CFR 164.508(c), which contains 8 elements required in any HIPAA-compliant release, including (a) identifying the information being sought in a specific, meaningful way; (b) providing an expiration date or event that relates to the purpose of disclosure; and (c) informing the individual of his/her right to revoke. (Effective 9/29/13).

RC § 5162.03 [Renumbered from 5111.01 eff. 9/29/13]: For the purpose of section 1902(a)(5) of the Social Security Act and 42 USC 1396a(a)(5), the Ohio Department of Medicaid is the single state agency for the supervision of the administration of the Medicaid program. As the single state agency, ODM shall comply with 42 CFR 431.10(e) and all other federal requirements.

RC § 5163.40 [Renumbered from 5111.013 eff. 9/29/13]: Healthy Start Program applications - must require no more info than is necessary for making Healthy Start eligibility determinations.

RC § 5164.341(E) [Renumbered from 5111.034 eff. 9/29/13]: BCII report on independent Medicaid HCBS Waiver providers is not public and may only be released to subject of check or his/her representative, Medicaid staff if needed for purposes of program administration, Medicaid department's designee, individual receiving or deciding whether to receive home & community-based services from the subject of the check, and court or other necessary individual involved in a case dealing with a denial or termination of a provider agreement related to the criminal records check, or civil or criminal action regarding the Medicaid program.

RC § 5164.342(H) [Renumbered from 5111.033(E) eff. 9/29/13]: Report of criminal records check on waiver agency employment applications is not public and may only be released to subject of check, agency requesting check, Ohio Department of Medicaid staff for program administration purposes, Director of Aging if waiver agency is also a community-based long-term care provider or subcontractor, individual receiving or deciding whether to receive home & community-based services from the subject of the check, and court or other necessary individual dealing with case involving employment, UC or Medicaid program issues.

RC § 5164.756 [Renumbered from 5101.31 eff. 9/29/13]: States that information shared with the Ohio Department of Medicaid by drug companies in relation to determining drug rebates are not public records, and shall be treated as confidential by the Dept.

RC § 5165.88 [Renumbered from 5111.61 eff. 9/29/13]: Provides that, without a court order, ODJFS and any contracting agency shall not release the identity of any resident of a nursing facility; the identity of any individual who submits a complaint about a nursing facility; the identity of any individual who provides the department or agency with information about a nursing facility and has requested confidentiality; or any information that would reasonably tend to disclose the identity of any individual described previously. Also says that records containing information concerning the aforementioned persons are non-public records under RC §149.43.

RC § 5168.13 [Renumbered from 5112.21 eff. 9/29/13] Except as specifically required by RC §5168.01 to RC §5168.14 of the (Hospital Care Assurance Program), information filed under those sections shall not include any patient-identifying material. Information that includes patient-identifying material is not a public record under section 149.43 of the Revised Code, and no patient-identifying material shall be released publicly by the department of medicaid or by any person under contract with the department who has access to such information. Repealed 10/16/15.

RC § 5302.221: Prohibits real estate from being transferred via a transfer on death deed until the beneficiary has completed and signed a form stating whether or not the deceased property owner or the deceased property owner's spouse was subject to Medicaid estate recovery program, and whether the real estate was part of the estate. County recorders must ensure that the form prescribed by the administrator of the Medicaid estate recovery program is properly completed prior to recording the realty transfer. (Effective 9/29/13).

OAC Rule 5101:1-37-01.15160-1-32: This rule pertains to "safeguarding & releasing [Medicaid] information". (Effective 1/13/17).

OAC rule 5101:1-37-03.15160:1-1-04:  This rule pertains to "Medicaid: Income & Eligibility Verification System (IEVS)."

OAC rule 5101:1-38-01.5 ("Medicaid: Certificate of Creditable Coverage & [HIPAA] Privacy Notice"). Together, these rules address the release of Medicaid, DA medical, refugee medical program and CHIPS I and II recipient-specific information held by ODJFS or a CDJFS. These rules are extremely important and speak to contractor situations and provide additional authority to release information beyond those circumstances set out in RC §5101.27. They also require nondiscrimination in the delivery of medical assistance programs and set out certain safeguards and security for information received from the social security administration. Rescinded 1/1/14

OAC rule 5101:1-39-06: Cites federal law requiring the Social Security Administration to share resource transfer information of individuals applying for Supplemental Security Income. The rule then allows ODJFS to share this information with the CDJFS within which county the subject of this information resides. Renumbered 5160:1-3-06, which was rescinded 1/15/15.

OAC rule 5101:3-1-08(L)5160-1-08(L): In conjunction with ORC 5101.58 5160.37, requires Medicaid consumer to notify ODJFS prior to initiating any action against a liable third party. And, if a Medicaid consumer or individual acting on the behalf of a consumer, requests a financial statement (a claim) from a Medicaid provider for services paid by ODJFS, the rule requires the Medicaid provider to (1) notify the ODJFS Bureau of Consumer & Operational Support, and (2) put specific language regarding the ODJFS's right of recovery on any records released to either the Medicaid consumer or individual acting on his/her behalf. Effective 8/2/11.

OAC rule 5160-26-08(D)(4): No information or text that identifies the addressee as a Medicaid recipient may appear on the outside of any managed care plan (MCP) or MCP subcontractor mailing. Rescinded 7/1/17.

OAC rules 5101:3-45-07& 5101:3-45-08 5160-45-07(D)(9) and 5160-45-08(D)(5): Sets forth the process and requirements for criminal records checks of current and prospective employees of agency and non-agency providers of home and community-based services (HCBS) waivers. Paragraph (D) of both rules says that reports of any criminal records checks conducted by BCII in accordance with these rules are not public records for purposes of ORC 149.43, and shall only be made available to individuals listed in the rules. (Amended effective 1/1/14 and 1/1/13).

OAC rule 5101:6-50-07: Allows, when a RC Chapter 119 hearing has been requested, discovery of any matter which is not privileged or confidential except in cases involving actions under RC Chapters 5103 and 5104 (child day care licensing and children's residential licensing).

OAC rule 5101:9-22-15: This is the ODJFS internal management rule related to the Personal Information Systems Act (Chapter 1347). See Part II of this Manual.

2.       HIPAA: Health Insurance Portability and Accountability Act of 1996 (45 CFR Parts 160 and 164)

HIPAA is a federal law addressing many issues in the area of medical services. One portion of the Act addresses the privacy of certain medical, eligibility and claims information (protected health information).

45 CFR 160.103 defines "covered entity" as health plans, health care clearinghouses, and health care providers that transmit any health information in electronic form in connection with a covered transaction (see HIPAA transactions rule). 45 CFR 160.103 also defines "business associate" as a person or entity that, on behalf of a covered entity, performs or assists in the performance of a function or activity that involves the use or disclosure of PHI.

The Ohio Department of Medicaid (ODM) is considered a "covered entity" as a Health Plan for the Medicaid program, the Disability Medical Assistance (DMA) program, the Children Health Insurance Programs (CHIP) and the Refugee Medical Program (RMP). Essentially, HIPAA restricts the release of Protected Health Information (PHI) possessed by covered entities including ODM to third parties and requires covered entities under most circumstances to release PHI to the subject of the PHI or his/her guardian upon request. SSA and DDS (Disability Determination Services) are not covered entities, but health care providers performing consultative examinations (CEs) for SSA and DDS are subject to Privacy Act of 1974 and are "covered entities". See 45 CFR 164.520.

Subsequent to the July 1, 2013 creation of ODM, certain support offices within ODJFS, including the Office of Information Services (OIS) and Bureau of State Hearings, continued to perform services for ODM, and staff within those offices might have continued to be HIPAA-covered when working on Medicaid-related matters.  Moreover, ODJFS and ODM jointly supervise county departments of job and family services, and most CDJFS’s access, utilize and transmit PHI electronically. HIPAA assesses criminal and civil penalties for failure to protect PHI from improper release and civil penalties for failure to release PHI to the subject of the PHI or guardian of the subject of the PHI. HIPAA also precludes release of PHI to third parties without an authorization signed by the subject or the subject's guardian unless release is allowed pursuant to exceptions set out in the regulations. The regulations set out an extensive procedure for documentation of certain types of release requests and responses; requires that privacy notices be provided to all participants in each health plan; require a privacy official be designated; require that a complaint, accounting for release and a restriction request procedure be set up by the Health Plan; and requires training for all employees of the Health Plan in relation to privacy policies.

Each state must include in all contracts, a documented process to report breach of privacy or security of PHI. Notification of a breach should be immediately reported by the contractor to state staff, who in turn must report it immediately to the CMS Director of Division of State Systems. 45 CFR 164.404(c) says that unless notification would impede law enforcement (see 45 CFR 164.412) notice to each individual whose PHI has been unlawfully accessed, acquired, used or disclosed must be made within 60 days. And, the notice must be in writing and include certain standard information, unless there is insufficient or outdated contact information, in which case "substitute notice" is permitted. Phone notice is required in addition to written notice, when the circumstances are urgent and there is an imminent risk of misuse of unprotected PHI.

45 CFR 164.408(c): Requires that covered entities, following the discovery of a breach of unsecured PHI involving fewer than 500 individuals, maintain a log or other documentation of each such breach and, within 60 days after the end of the calendar year, notify the HHS Secretary of all breaches that occurred during the preceding calendar year, as specified on the HHS website. For breaches involving 500 or more individuals, covered entities must notify the HHS Secretary "contemporaneously" with when they notify each individual whose PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach, which notice must be provided no later than sixty (60) days from the date the breach is discovered (see 45 CFR 164.404(a)). Notification to HHS Secretary and individuals affected by the breach may be delayed if law enforcement notifies the covered entity or business entity that notification would impede a criminal investigation or cause damage to national security (see 45 CFR 164.412).

42 USC 17901 to 17953: Federal laws on Health Information Technology (or HITECH). The HITECH breach notification provisions in 42 USC 17932 (HITECH §13402) are very similar to the provisions in 45 CFR 164.404 and 164.408.

By statute and rule, ODJFS is requiring each CDJFS to comply with certain portions of the HIPAA privacy requirements since these agencies have access to eligibility information (PHI) for the medical programs cited above. For instance, 45 CFR 164.512(e) requires notice to the subject of the information that a subpoena for their information has been received, and also requires the party in receipt of the subpoena to make reasonable efforts to obtain a qualified protective order prior to release of any HIPAA-protected information. And, 45 CFR 164.514(b)(2) contains requirements for de-identifying an individual, including not identifying him/her to within the last two digits of his/her zip code (depending on the population size in a particular geographic area). 45 CFR 164.514(d) says that only the 'minimum necessary' information may be shared, in order to comply with any lawful disclosure request.

More importantly, it must be noted that HIPAA is preempted by any federal or state law that has more restrictive privacy requirements. The Medicaid federal/state laws and regulations are more restrictive towards release of Medicaid PHI than HIPAA. CHIPS I and II, DMA and RMP are under the same restrictions as Medicaid through RC §5160.45 and RC §5160.46.

The federal government also published HIPAA security regulations, which apply only to the electronic transmission of PHI but also affect privacy. Implementation of these regulations by ODJFS continue to affect a number of ODJFS's statewide automated systems.

For a summary of HIPAA Privacy regulations and links to the actual regulations you can go to: http://hipaa.ohio.gov/privacyrule/guideindex.htm. See also 42 USC 1320d; 45 CFR 164, Subparts A & E; and Public Law 104-191. Specifically, 45 CFR §164.530(J)(1) requires a 6-year record retention period.

C.       TEMPORARY ASSISTANCE to NEEDY FAMILIES (TANF) and/or CASH ASSISTANCE

(Ohio Works First, Refugee Financial Assistance, Disability Financial Assistance, & Prevention, Retention, and Contingency)

Programs established in Ohio under Title IV-A include all programs that are funded in part with the federal Temporary Assistance for Needy Families (TANF) block grant established by Title IV-A of the Social Security Act, 110 Stat. 2113 (1996), 42 U.S.C. 601, as amended. These programs include Ohio Works First (OWF) established and administered in accordance with Chapter 5107 of the Revised Code, the Prevention, Retention, and Contingency (PRC) Program established and administered in accordance with Chapter 5108 of the Revised Code, and any other program established by the General Assembly or Executive Order issued by the Governor that is administered or supervised by ODJFS pursuant to section 5101.801 of the Revised Code. Other cash assistance programs for which ODJFS is responsible include Disability Financial Assistance (DFA) and the Refugee Cash Assistance (RCA) program.

Federal Laws And Regulations:

42 USC § 602(a)(1)(A)(iv): Requires the states under TANF to take such reasonable steps as the State deems necessary to restrict the use and disclosure of information about individuals and families receiving assistance under the program attributable to funds provided by the Federal Government.

42 USC § 608(a)(9)(B): Requires the states to furnish a federal, state or local law enforcement officer, upon the request of the officer, with the current address of any TANF recipient if the law enforcement officer needs the address to conduct the officer's official duties and the location or apprehension of the recipient is within such official duties.

However, the officer must furnish the state agency or county agency with the name of the recipient.

45 CFR § 205.50: Use or disclosure of information concerning applicants and recipients of financial assistance under Title IV-A (funded with TANF) is limited to purposes directly connected with: (1) administration of the plan or program; (2) investigations, prosecutions, or criminal or civil proceedings conducted in connection with the administration of any such plans or programs; (3) the administration of any other federal or federally assisted program which provides assistance, in cash or in kind, or services, directly to individuals on the basis of need; (4) information to the Employment Security Agency as required by law; (5) audits conducted in connection with the administration of any such plan or program, by a government entity authorized by law to conduct such audits; (6) administration of a state unemployment compensation program; and (7) reporting to the appropriate agency or official information on known or suspected child abuse, or negligent treatment or maltreatment of a child receiving aid under circumstances which indicate that the child's health or welfare is threatened.

Information to be safeguarded includes at least: (1) names and addresses of applicants and recipients; (2) information related to a person's economic and social conditions; (3) evaluation of information concerning a particular individual; and (4) medical data. Release or use of information concerning applicants or recipients is restricted to those persons who are subject to standards of confidentiality comparable to those of the agency administering the financial assistance program. Generally, notice and consent of an individual is required to release information to an outside source. Courts must also be informed of statutory provisions, rules, and policies against disclosure when a recipient or applicant information is subpoenaed. This provision also applies to IV-E information.

ODJFS and/or the county agency may provide the address of a recipient to state or local law enforcement upon request, if law enforcement first provide the state or local agency with the recipient’s name and social security number, and satisfactorily demonstrate that the recipient is a fugitive felon (as defined by the State), the location or apprehension of such felon is within the law enforcement officer’s official duties, and the request is made in the proper exercise of those duties.

State Statutes And Rules:

RC § 307.983: Each board of county commissioners is required to establish a plan of cooperation among county family services agencies specifying how such agencies will exchange information and coordinate and enhance services and assistance to individuals and families.

RC § 307.987: To the extent permitted by federal law and regulations and state law and rules, contracts entered into by the board of county commissioners, plans of cooperation, regional plans of cooperation, and procedures established for providing services to children who are frequently relocated shall permit the exchange of information to improve services and assistance to individuals and families and the protection of children. Any private or government entity receiving such information shall be bound by the same standards of confidentiality as the entity that provides the information.

RC § 4123.27: Allows the sharing of recipient specific information related to OWF and PRC and DFA with the Bureau of Workers Compensation for matching purposes. The statute precludes the Bureau of Workers Compensation from sharing public assistance recipient information with anyone or other agencies except the State Auditor, Governor, Attorney General and select or standing committees of the General Assembly.

RC § 5101.181: As part of the procedure for the determination of overpayments charged to a recipient of public assistance, the director of ODJFS shall furnish quarterly the name and Social Security number of each individual who receives public assistance to the Director of Administrative Services, the Administrator of the Bureau of Workers Compensation, and each of the state's retirement boards. These entities will in turn notify the state auditor as to whether such individual is receiving wages or benefits, and the amount. The Auditor of State and the Attorney General or their designees may examine any records whether in computer or printed format, in the possession of the Director of ODJFS or any CDJFS director. Safeguards restrict access to such records to purposes directly connected with an audit or investigation, prosecution, or criminal or civil proceeding conducted in connection with the administration of the programs and compliance with rules of ODJFS restricting the disclosure of information regarding recipients of public assistance is required. The state auditor then determines whether an overpayment of public assistance occurred and thereafter notifies ODJFS.

RC § 5101.182: For purposes of determining overpayments, the statute permits ODJFS to report recipient names and SS #s to the tax commissioner, who then reports to the state auditor which recipients filed tax returns, and how much gross income the recipients received. The director of ODJFS, directors of CDJFS, county prosecutors, Attorney General, Auditor of State, or agent or employee of those officials having access to tax returns, or reports of amounts of federal adjusted gross income, names or addresses or other tax information of recipients of public assistance furnished by the tax commissioner for investigatory purposes under this section, shall not divulge or use any such information except for the purpose of determining overpayments of public assistance, or for an audit, investigation, or prosecution, or in accordance with a proper judicial order.

RC § 5101.26: Sets out definitions of terms for confidentiality purposes. Effective 9/29/11, 10/01/11 and 9/29/13, various amendments separated "medical assistance recipient" from the definition of "public assistance recipient" by defining "public assistance" as "financial assistance or social services that are provided under a program administered by [ODJFS] or a county agency…" and stating that "Public assistance does not mean medical assistance provided under a medical assistance program, as defined in 5160.01 of the Revised Code…"

RC § 5101.27: Sets out confidentiality requirements for all non-medical public assistance programs including OWF, DA financial, Food Assistance, PRC, and other Title IV-A programs. (Amended effective 12/31/17).

RC § 5101.271 [Renumbered as 5160.45].

RC § 5101.272: RC §5101.272:Sets out the required elements of a release authorization form allowing the disclosure of non-medical public assistance recipient specific information. The release authorization provisions for medical assistance recipients are in RC 5160.46.

RC § 5101.28: Requires CDJFS and ODJFS to share information regarding recipients of OWF, DFA and PRC (but not medical assistance or services) with law enforcement agencies as defined in RC § 5101.26, for the purpose of investigations, prosecutions and criminal and civil proceedings that are within the scope of the law enforcement agency's official duties, as well as to the State Auditor's Office for statutory audit purposes.  Law enforcement must provide the state or county DJFS with the name of the recipient, along with whatever other identifying information is needed to retrieve the recipient’s address. 

RC §5101.30: Gives ODJFS authority to adopt rules in accordance with Chapter 119 of the Revised Code implementing sections 5101.26 to 5101.30 of the Revised Code and governing the custody, use and preservation of the information generated or received by ODJFS, county agencies, other state and county entities, contractors, grantees, private entities, or officials participating in the administration of public assistance programs.

RC § 5101.80: ODJFS is the single state agency for the administration and supervision of the administration of all Title IV-A programs. No county or state agency administering a Title IV-A program may establish, by rule or otherwise, a policy governing a Title IV-A program that is inconsistent with a Title IV-A program established, in rule or otherwise, by ODJFS.

OAC rule 5101:1-1-03: Disclosure of recipient information, nondiscrimination, and treatment of information received from the IRS and SSA: addresses the release of OWF, PRC, TANF and DFA information held by ODJFS or a CDJFS specific to an applicant, recipient or former recipient. This is an extremely important rule and should be consulted when this type of information is requested by any third party. The rule describes under what general circumstances the information can be released, exceptions to the general requirements, what is required in information releases, and procedures to follow if information is requested through court process. Also contains provisions on the use, protection and redisclosure of client-specific data received by ODJFS and CDJFS from the SSA and IRS. (Amendments took effect 02/01/16).

OAC rule 5101:1-1-36(G): This cash assistance rule references section 1137 of the Social Security Act, which requires that ODJFS develop an Income & Eligibility Verification System (IEVS). Ohio's IEVS is integrated into CRIS-E, which allows ODJFS to obtain information from its own office of unemployment compensation (OUC) and the social security administration (SSA). Under IEVS, ODJFS matches public assistance applicant/recipient social security numbers with OUC's wage records and unemployment compensation records, as well as SSA's benefit earnings exchange records, and SSI and RSDI benefit information provided by SSA. If the source of the matched information is SSA, or some other federal agency, the information is considered federal tax information (FTI). Match information for IEVS which contains federal tax data must be protected from disclosure to unauthorized persons. The rule states that computer screen printouts or copies of letters mailed or received regarding FTI must be safeguarded. The rule requires that FTI not be commingled within the assistance group case record, because if it is commingled, the entire assistance group case record must be safeguarded in the same way as FTI, and labeled as SSA-provided FTI. The rule then sets out under what circumstances and to whom the Federal Tax Information can be released. (Amended effective 3/1/13).

OAC rule 5101:1-3-10: Requires the CDJFS to collect and report various types of data regarding an assistance group to the CSEA.

OAC rule 5101:9-22-15: This is the ODJFS internal management rule related to the Personal Information Systems Act (Chapter 1347). See Part II of this Manual.

D.       FOOD ASSISTANCE/SUPPLEMENTAL NUTRITION ASSISTANCE PROGRAM (SNAP)

Federal Laws and Regulations:

7 USC 2018(c) & 7 CFR 278.1(q): Limits access to and disclosure of food assistance retailer information, such as identities of store owners and personnel, and store-specific proprietary data. While information can be used for administration of the food assistance program, special provisions apply to employer identification numbers (EINs) & Federal EINs (FEINs). USDA-FNS letter issued 12/21/10 reminds states about sharing requirements.

7 USC 2020(e)(8): Sets out requirements for states in releasing applicant, recipient and former recipient's food assistance information.

7 CFR § 272.1(c): Restricts the release of information obtained from food assistance applicants/recipients to specific persons and situations. They are: (1) persons directly connected with the administrative enforcement of the Food Assistance Act; (2) persons connected with other federal assistance programs providing assistance on a means tested basis to low income individuals; (3) general assistance programs which are subject to the joint processing requirements in 7 CFR §273.2(j)(2): (4) persons connected with the administrative or enforcement of the Income Eligibility Verification System (IEVS); (5) persons directly connected with Title IV-D child support; (6) employees of Federal Health and Human Services to verify eligibility or benefits; (7) employees of federal comptroller for audit purposes; (8) local, state or federal law enforcement officials in connection with Food Assistance Act violations (must be in writing and contain identity of individual requesting information, authority to do so, violation being investigated, and identity of person investigated) or if assistance group (AG) member is fleeing to avoid prosecution or custody for a crime that would be classified as a felony or who is violating a condition of probation or parole (in which case AG member's address, SSN and photo may be released to law enforcement); and (9) written request from food assistance recipient or authorized representative except for information concerning the status of a pending investigation or the identity of informants. It should also be noted that the persons receiving the information must protect the information from unauthorized disclosure to other persons. General information that does not identify specific food assistance recipients are "public records" and must be made available to the general public upon request.

7 CFR § 273.2: Language was deleted from the previous version of this regulation, which required oral or written notification to a food assistance recipient when a third party collateral contact was made by an agency for eligibility purposes. However, (f)(4) still says: "When talking with collateral contacts, State agencies should disclose only the information that is absolutely necessary to get the information being sought. State agencies should avoid disclosing that the household has applied for food [assistance], nor should they disclose any information supplied by the household…or suggest that the household is suspected of any wrong doing."

State Statutes and Rules:

RC §2913.46: Procedure for illegal use of SNAP/Food Assistance card and receipt of benefits. (Statute was revised, effective 9/30/11).

RC §5101.26: Sets out definitions of terms for confidentiality purposes. Effective 9/29/11, 10/01/11 and 9/29/13, various amendments separated "medical assistance recipient" from the definition of "public assistance recipient" by defining "public assistance" as "financial assistance or social services that are provided under a program administered by [ODJFS] or a county agency…" and stating that "Public assistance does not mean medical assistance provided under a medical assistance program, as defined in 5160.01 of the Revised Code…"

RC §5101.27: Sets out confidentiality requirements for all non-medical public assistance programs including OWF, PRC, Disability Financial Assistance, Refugee Cash, and Food Assistance. Any conflict between this state statute and the federal food assistance laws and regulations referenced in this manual, must be resolved in favor of the law or regulation that affords the greatest amount of confidentiality protection to the applicant/recipient. Moreover, specific food assistance confidentiality requirements are set out in detail in the OAC rules. (Amended effective 12/31/17).

RC §5101.272: Sets out the required elements to be contained in a consent form allowing the release of non-medical public assistance recipient specific information. (Amended effective 9/29/11). The release authorization provisions for medical assistance recipients are now in RC 5160.46 (Renumbered effective 9/29/13).

OAC rule 5101:4-1-13(A)(7): Governs the disclosure of SNAP/Food Assistance information. This section reflects RC Chapter 1347, 7 USC 2020(e)(8) and 7 CFR §272.1. (Rule last revised 09/01/10 to delete (A)(3), which previously required counties to post "And Justice for All" posters).  (Amended effective 3/1/17).

OAC rule 5101:4-2-09(I)(2): States that a release signed by a SNAP/Food Assistance applicant or recipient is not necessary when a CDJFS is attempting to secure verification from collateral sources for food assistance eligibility purposes. However, the county agency should disclose only the information that is absolutely necessary to get the information being sought and avoid disclosing that the assistance group (AG) has applied for food assistance. No information provided by the AG may be disclosed to the collateral contact, and there must be no suggestion that the AG has provided any incorrect information. References OAC rule 5101:4-7-09 as governing the release of Income & Eligibility Verification System (IEVS) information. (Amended effective 10/1/15).

OAC rule 5101:4-3-07(I): Requires a county agency to report to ODJFS, when an applicant or recipient is “known to be an illegal alien,” as determined by findings or conclusions made as part of a formal determination by the U.S. citizenship and immigration services (USCIS) under U.S. DHS.  (Amendment took effect 6/15).

OAC rule 5101:4-3-08: Requires a county agency to report to the ODJFS food assistance section, if the county agency determines that (1) an illegal alien has applied for/received food assistance, or (2) a non-citizen is unlawfully present in the United States. The rule also distinguishes between 'ineligible aliens' and 'illegal aliens'. (Amendment took effect 03/01/10). Rescinded 6/1/15 and moved to 5101:4-3-07(I).

OAC rule 5101:4-3-22(G): Sets out the acceptable purposes for utilizing a SNAP/Food Assistance recipient's social security number. (Amendment effective 9/1/12).

OAC 5101:4-7-08: Governs how the Office of Child Support’s new hire reports can and should be used by the county DJFS for SNAP eligibility purposes.

OAC rule 5101:4-7-09: Rule pertains to use of IEVS in food assistance program. In general, unemployment compensation benefit information, SSI and social security data are verified upon receipt, whereas county agencies must independently verify IRS information, and federal and state wage information obtained from SSA and the state unemployment office. The rule also specifies the types of independent verification that can be done, and the actions that county agencies must take when information is received as a result of data exchange agreements. Paragraph (G) restricts county usage of IEVS information to program administration (i.e., determining assistance group's eligibility or ineligibility for SNAP, and the amount of SNAP), and Paragraph (K) says that IEVS match information may only be disclosed as permitted in OAC rule 5101:4-1-13. Paragraph (L) requires that ODJFS and the county agencies keep a record for at least five years, or during the active life of the application (whichever is longer) of any release of confidential IEVS information (e.g. federal tax information (FTI), including SSA match data) to any non-ODJFS or non-county agency employee. County/state workers must record the disclosure(s) in the applicant's case file, and the county must keep track of it in BENDEX. Paragraph (J) says that matches containing FTI are confidential, must be safeguarded as required in OAC rule 5101: 4-1-13, must be stored in a place physically safe from access by unauthorized individuals, and cannot be commingled with the rest of the case record. (Amendment effective 8/1/17).

OAC rule 5101:4-8-30(R)(F): Requires safeguarding of tax information used for the SNAP/Food Assistance Treasury Offset Program (TOP). Tax information may only be used as needed for the administration of TOP and collection of food assistance debt, and "shall be protected from overt and inadvertent disclosure". (Amended 8/1/14).

OAC rule 5101:9-22-15: This is the ODJFS internal management rule related to the Personal Information Systems Act (Chapter 1347). See Part II of this Manual.

E.       Child Welfare

(Adoption/Foster Care/Abuse-Neglect/PCSA/Child Fatality)

Federal Laws and Regulations:

42 USC §671(a)(8): Requires that all state plans involving foster care and adoption assistance provide safeguards which restrict the use or disclosure of information concerning the programs under Title IV-B.

42 USC §671(a)(20)(B)(iii): Requires that all state plans have in place safeguards to prevent the unauthorized disclosure of information in any child abuse and neglect registry maintained by the State, and to prevent any such information obtained pursuant to this subparagraph from being used for a purpose other than conducting background checks in foster or adoptive placement cases.

42 USC §674: Describes federal payments to states for foster care and adoption assistance, and permits/requires imposition of sanctions against states for violations of 42 USC 670, et seq.

42 USC §5106a(b)(2)(A)(viii): Federal grants for child protective services require a state plan to be coordinated with a state plan under Title IV-B of the Social Security Act, including an assurance (among other assurances) that the state has developed methods to preserve the confidentiality of all records in order to protect the rights of the child and of the child's parents or guardians. The methods to preserve the confidentiality can include that reports and records made and maintained pursuant to the purposes of this Act only be made available to individuals who are the subject of the report; federal, state, or local government entities, or any agency of such entities having a need for such information in order to carry out its responsibilities under law to protect children from abuse and neglect; child abuse citizen review panels; a grand jury or court upon a finding that information in the record is necessary for the determination of an issue before the court or grant jury; and other entities or classes of individuals statutorily authorized by the state to receive such information pursuant to a legitimate state purpose.

42 USC §5106a(b)(2)(A)(x): The state plan required by 42 USC 5106(b)(2)(A) also must include provisions which allow for public disclosure of the findings or information about the case of child abuse or neglect which has resulted in a child fatality or near fatality.

42 USC §5106a(c)(4)(B)(i): Members and staff of a state-established citizen review panel related to child abuse and neglect, child fatalities or foster care shall not disclose to any person or government official any identifying information about any child protective case with respect to which the panel is provided information and shall not make public other information unless authorized by state statute.

42 USC §5106a(c)(5)(A): Requires that each state that establishes a citizen review panel provide the panel access to information on cases that the panel desires to review if such information is necessary for the panel to carry out its functions.

42 USC §5106a(c)(6): Requires that each citizen review panel prepare and make available to the public, on an annual basis, a report containing a summary of the activities of the panel.

45 CFR §205.50: The restrictions set out in this regulation were the same ones that restricted the release of Aid for Dependent Children applicant, recipient and former recipient information. This regulation requires that the State plan for financial assistance under Title IV-A restrict the use and disclosure of information concerning applicants and recipients, to purposes directly connected with: (1) the administration of the plan or program; (2) investigations, prosecutions, or criminal or civil proceedings conducted in connection with the administration of any such plans or programs; (3) the administration of any other federal or federally assisted program which provides assistance, in cash or in kind, or services, directly to individuals on the basis of need; (4) information to the Employment Security Agency as required by law; (5) audits conducted in connection with the administration of any such plan or program, by a government entity authorized by law to conduct such audits; (6) administration of a state unemployment compensation program; and (7) reporting to the appropriate agency or official information on known or suspected child abuse, or negligent treatment or maltreatment of a child receiving aid under circumstances which indicate that the child's health or welfare is threatened. The regulation also requires states to impose sanctions for unauthorized use or disclosure.

Information to be safeguarded includes at least: (1) names and addresses of applicants and recipients; (2) information related to a person's economic and social conditions; (3) evaluation of information concerning a particular individual; and (4) medical data. Release or use of information concerning applicants or recipients is restricted to those persons who are subject to standards of confidentiality comparable to those of the agency administering the financial assistance program. Generally, notice and consent of an individual is required to release information to an outside source. Courts must also be informed of statutory provisions, rules, and policies against disclosure when a recipient or applicant information is subpoenaed. This provision also applies to IV-E information.

45 CFR §1340.14(i): This regulation requires that the State provide by statute that records concerning reports of child abuse and neglect be confidential and that their disclosure be a criminal offense (see RC §§ 2151.141, 2151.421 and §2151.99). This regulation specifies certain circumstances where release of the records would be acceptable but only if the state authorizes it through statute. This regulation permits Ohio to be more restrictive with abuse/neglect information than what is set out in the regulation itself. Section was removed and reserved 3/30/15.

45 CFR §1355.21: Requires that each state plan for Titles IV-E and IV-B of the Social Security Act provide for safeguards on the use and disclosure of information which meet the requirements contained in 42 USC 671(a)(8), as well as the provisions in 45 CFR §1355.30.

45 CFR §1355.30(p)(3): Requires that safeguarding of IV-E (adoption) and IV-B (child welfare) information adhere to restrictions set out in 45 CFR §205.50 (see below).

45 CFR §1355.40: Sets forth conditions for receipt of SACWIS funds, and requires states to collect and report foster care and adoption data to the HHS Administration for Children & Families (ACF).

45 CFR 1356.30(f): Prohibits ODJFS from approving or issuing a license to a prospective foster or adoptive parent, or from claiming federal financial participation for any foster care maintenance or adoption payments, if ODJFS finds, based on a criminal records check, that the prospective foster or adoptive parent has been convicted of certain types of felonies.

State Statutes and Rules:

RC §109.57(H): Information obtained by a government entity or person under section 109.57 of the Revised Code is confidential and shall not be released or disseminated.

RC §109.5721: Addresses Bureau of Criminal Identification & Investigation (BCII) fingerprint database on individuals employed by, licensed by, or approved for adoption by a government agency, and says that a public office that elects to receive notice of any arrest, conviction or guilty plea of an individual whose name is retained in the fingerprint database, may use that information solely to determine the individual's eligibility for continued employment with the public office, to retain licensure issued by the public office, or to be approved for adoption by the public office, but is otherwise confidential. (Amended 08/2008).

RC §121.22(D)(5): Exempts meetings of a child fatality review board from the Open Meetings (Sunshine law) requirement.

RC §121.37(A)(2)(c): Records identifying individual children maintained by the Family and Children First Cabinet council are confidential and shall be disclosed only as provided by law.

RC §149.43(A)(1)(d): Excludes records pertaining to adoption proceedings from being considered as public record.

RC §149.43 (A)(1)(e):  Excludes information contained in the putative father registry from being considered as public record.

RC §149.43(A)(1)(f): Excludes certain specific adoption-related records listed in RC §3107.42 (see below) from being considered as public record.

RC §307.627: Allows child fatality review boards access to summary information from PCSAs, PCPAs, agencies that provide services specifically to a child or family, law enforcement agencies, or other public or private entity that provided services to a child whose death is being reviewed by the board. The board also can access confidential abuse and neglect investigatory records. The board must preserve the confidentiality of any records received pursuant to this statute. If the death of a child is being investigated or the prosecutor is seeking to prosecute someone for causing the death of a child, the board is not entitled to the prosecutor's information unless the prosecuting attorney agrees to provide it.

RC § 307.628: Immunizes from civil liability an individual or public or private entity providing information, documents, or reports to a child fatality review board for any injury, death, or loss to person or property that otherwise might be incurred or imposed as a result of providing the information, documents, or reports to the review board.

RC §1347.08(E)(2) & (F)(2): Excludes access to the putative father registry by the subject, and to criminal law enforcement investigatory records or trial preparation records by the subject, the subject's guardian, or an attorney with written permission from the subject.

RC §2151.141:  States that if a complaint is filed with respect to a child pursuant to Section 2151.27 which alleges that a child is abused, neglected, or dependent, any individual or entity listed in RC §2151.14(D)(1), that is investigating the abuse, neglect or dependency, has custody of the child, is preparing a social history for the child, or is providing any services for the child, may request records concerning the child from a PCSA, PCPA, probation dept., law enforcement agency or prosecuting attorney. Any individual or entity receiving a records request under this statute must provide them, unless release of the information is prohibited by law. If the individual or entity receiving the records request determines that it cannot release the requested information, it must file a motion in the court where the complaint was filed setting out its reasons for not complying with the request, so that the court can rule on whether or not the records can be disclosed.

RC §2151.142: Makes confidential the residential address of each officer or employee of a public children services agency or a private child placing agency who performs official responsibilities or duties described in RC §2151.14, RC §2151.141, RC §2151.33, RC §2151.353, RC §2151.412, RC §2151.413, RC §2151.414, RC §2151.415, RC §2151.416, RC §2151.417, or RC §2151.421 or another section of the Revised Code and to the residential address of persons related to that officer or employee by consanguinity or affinity. Any such addresses must be redacted if contained in records containing information subject to release under RC §149.43. The residential address must be disclosed to a journalist if certain requirements are met (See RC §2151.142(D)).

RC §2151.421: Certain professionals (listed in the statute) must report, and others may report, cases of child abuse/neglect to the County Children Services Board or CDJFS that exercises the children services function. The County Children Services Board or CDJFS must investigate any reports made pursuant to this statute. Any report made under this section is confidential. Paragraph (N) allows sharing of specified information from an investigation (e.g. allegations, alleged perpetrator and disposition) with designated officials of an out of home care entity when the abuse and neglect is alleged to have occurred in that entity. In 2004 County Mental Retardation Board employees were added to the list of required reporters. In 2005, references were added to child advocacy centers (CACs) and interagency agreements between PCSAs and CACs regarding abuse investigations. Effective 09/21/06, respite care providers, homemaker service providers and employees of home health agencies were added to the list of mandatory reporters. Effective 08/14/08, SB 163 added employees of a CDJFS who are professionals, and who work with children and families, as mandatory reporters. Effective 04/07/09, HB 280 added provisions (see Paragraphs (H)(1) and (M)) that make mandatory reporters liable for compensatory and exemplary damages to child for failing to report abuse/neglect of the child; and allows person bringing civil action on child's behalf to use other reports of abuse/neglect in the civil action, provided that identifying information about the alleged child victims and persons making the reports are redacted from the other reports. Effective 10/06/09, SB 79 substituted the term "developmental disabilities" for "mental retardation" wherever it appeared. Effective 9/29/11, HB 153 added a definition of "investigation" that means the public children services agency's response to an accepted report of child abuse or neglect through either an alternative response or a traditional response.

RC §2151.423: Requires PCSA to disclose confidential investigatory information obtained pursuant to RC 2151.421 or 2151.422, to federal, state or local governmental entities responsible for protecting children from abuse/neglect. Information disclosed pursuant to this section is confidential and is not subject to disclosure pursuant to section 149.43 or 1347.08 of the Revised Code by the agency to whom the information was disclosed. The agency receiving the information shall maintain the confidentiality of information disclosed pursuant to this section. (Part of SB 238, 126th General Assembly, which took effect 09/21/06).

RC §2151.86:  Requires that the appointing authority or hiring officer of any entity that employs any person responsible for a child's care in an out-of-home care setting have a criminal background check completed by BCII on all prospective employees. The statute requires a BCII check on all prospective adoptive parents and prospective foster parents. The report of any criminal records check conducted by BCII pursuant to this statute is not a public record for the purpose of RC §149.43 and shall not be made available to any person other than the applicant, prospective adoptive parents, or prospective foster parents who is the subject of the criminal records check or his representative; the entity requesting the criminal records check or its representative; the state department of Job and Family Services, a county department of job and family services, or a public children services agency; and any court, hearing officer, or other necessary individual involved in a case dealing with the denial of employment to the applicant or the denial of consideration as an adoptive parent or foster parent.

RC §3107.031: Allows adoptive parent to receive copy of his/her own home study from the assessor, except for opinions of third parties. It is possible this statute could also be used to withhold or redact any psychological evaluations and other records of a sensitive nature that are provided to the assessor by individuals other than the applicant.

RC §3107.034: Requires adoption agency or attorney who arranges an adoption to ask ODJFS to check the Central Registry of another state, whenever either the prospective adoptive parent or another adult member of the household has resided in another state within five years immediately prior to the date on which a criminal records check is requested pursuant to RC §2151.86. The adoption agency or attorney arranging the adoption shall review the results of the check prior to finalization of adoption, and consider it in the same way as they would a summary report of a search of SACWIS, created as part of the home study pursuant to RC §3107.033. The summary report from SACWIS provided pursuant to RC 3107.033 should include a chronological list of abuse and neglect determinations or allegations of which the person seeking to adopt is subject, and in regards to which a public children services agency determined that abuse/neglect occurred, was unable to determine that abuse/neglect occurred, or initiated an investigation that is still pending. The summary report from SACWIS shall NOT contain information about abuse/neglect that the PCSA concluded did NOT occur, or the identity of the person or entity that reported (or participated in the reporting of) abuse/neglect, or information prohibited from being disseminated by, or interfering with eligibility under, CAPTA. The statute also requires ODJFS to check the Ohio Central Registry upon the request of its out-of-state counterparts. (Enacted 09/21/06 and amended 08/14/08).

RC §3107.063: Sets forth method of disclosing data located in the putative father registry.

RC §3107.17: No person or governmental entity shall knowingly reveal any information contained in a paper, book, or record pertaining to a placement under RC §5103.16 or to an adoption that is part of the permanent record of a court or maintained by the department of job and family services, an agency, or attorney without the consent of a court. The section also prescribes ODJFS' authority to regulate the adoptive parent's or adoptive child's access to biological information of the natural parent. This statute should be considered in conjunction with RC 3107.42 when adoption records are requested. Amended effective 3/20/15.

RC § 3107.42:  Declares certain specific adoption records (file of releases, indices to the file of releases, withdrawals of releases, probate court and agency adoption records) non-public records under RC §149.43, and prohibits them from being inspected or copied even by the person adopted. This statute should be considered in conjunction with RC §3107.17 when adoption records are requested.  Repealed effective 3/20/15.

RC § 3109.051(H):  Sets out under what circumstances a keeper of a record related to a particular child may preclude access to the record when access is requested by a non-custodial parent.

RC § 3705.09(G):  Provides that when a birth certificate is changed to add a father's name once paternity is established, the old birth certificate and supporting documentation which prompted issuing the new birth certificate is sealed and cannot be released without a court order. All copies of the previous birth certificate held by a vital statistics registrar must be destroyed.

RC § 3705.12 through RC 3705.126:  Sets out guidelines for having the department of health prepare a new birth certificate for an individual that is adopted. The statute states that upon the issuance of the new birth record, the original birth record and any index references shall cease to be a public record. Amended and new provisions enacted effective 3/20/15

RC § 3705.23:  Makes information contained in the "information for medical and health use only" portion of the birth certificate confidential, and only allows release of this information pursuant to court order, or for statistical or research purposes under requirements set out by the Ohio Department of Health pursuant to rule.

RC §§5101.13 through 5101.134:  Authorizes Statewide Automated Child Welfare Information System (SACWIS) to replace Central Registry and sets forth what and to whom SACWIS data can be disclosed. (SB 238, effective 09/21/06). Expressly makes information contained in or obtained from SACWIS confidential and not subject to disclosure pursuant to sections 149.43 or 1347.08 of the Revised Code. ODJFS and public children services agencies (PCSAs) are permitted to access and utilize SACWIS for purposes of assessment, investigation and services to children and their families, as well as for purposes permitted under federal or state law and rule. (Enacted 09/21/06 and amended 08/14/08 by SB 163).

RC § 5101.27: Sets out confidentiality requirements for all non-medical public assistance programs.

RC § 5101.271: [Renumbered as 5160.45 effective 9/29/13].

RC § 5101.29: When contained in a record held by ODJFS or other state or local entity responsible for enforcing Chapter 5104, excludes from classification as public records the names and other identifying information regarding: (A) children enrolled in or attending a child day-care center or home subject to licensure, certification, or registration; (B) children placed with an institution or association certified under section 5103.03 of the Revised Code (the definition of "institution or association" in RC §5103.02 includes family foster homes); (C) persons who make an oral or written complaint to ODJFS or the county agency responsible for enforcing Chapter §5104, about a child day-care center or home subject to licensure, certification, or registration; and (D) foster caregivers and prospective foster caregivers, including the foster care application and home study (effective 05/14/08). However, the identity of a foster caregiver along with other details must be disclosed, when he/she is indicted or convicted of any prohibited offense listed in RC §2151.86.

RC §5101.80(E): Requires authorized representative of ODJFS, CDJFS or state agency administering a Title IV-A program, including the kinship permanency incentive program, to have access to all records and information bearing thereon for the purposes of investigations conducted pursuant to RC §5101.80.

RC § 5153.111(A) & (D): The executive director of a PCSA is required to have a criminal BCI check done on all prospective employees applying for employment with the agency which require the employee to be responsible for the care, custody, or control of a child. The report of any criminal BCI check pursuant to this statute is not a public record under RC §149.43 and cannot be made available to any person other than the applicant who is the subject of the criminal records check or his representative, the public children services agency requesting the criminal records check or its representative, and any court, hearing officer, or other necessary individual involved in a case dealing with the denial or employment to the applicant.

RC § 5153.17: County children services boards or county departments of job and family services performing the children service function, must keep records of investigations and all other records required to be kept by ODJFS confidential. These records, however, shall be open to inspection by ODJFS, the director of the county department of job and family services, and other persons upon written permission of the executive secretary.

RC § 5153.171:  Requires the Director or Executive Secretary of a PCSA to confer with the county prosecutor in relation to a request for information about a child who was under eighteen years of age, who was a resident of the county served by the agency at the time of the child's death and whose death may have been caused by abuse, neglect, or other criminal conduct. If the county prosecutor intends to prosecute a person for causing the child's death, the prosecuting attorney decides what information may be released, if any. The prosecutor is required to notify the PCSA Director or Executive Secretary of the intent to prosecute and the determination of what information may be released. The Director or Executive Secretary may only release the information designated by the prosecutor. If the prosecutor does not intend to prosecute a person for causing a child's death, the prosecutor shall notify the Director or Executive Director of the PCSA who shall release the information described in RC § 5153.172, except as provided in RC § 5153.173. This statute shields the Director or Executive Secretary of a PCSA from civil liability or criminal prosecution if the Director or Executive Secretary of the PCSA, in good faith, released information authorized in accordance with RC §5153.171.

RC § 5153.172: Notwithstanding RC §2151.421, RC §3701.243 and RC §5153.17 or any other section of the Revised Code pertaining to confidentiality and unless precluded by RC § 5153.173, the PCSA Director shall disclose about a deceased child: the child's name, summary report of abuse or neglect reports made pursuant to RC §2151.421 of which the child was subject, final disposition of the report or status of the investigation, services provided to or purchased for the child by the PCSA, actions taken by PCSA in response to the report of child abuse and neglect. Names of the parties who reported the abuse/neglect, names of parents and siblings of the child; contents of psychological, psychiatric, therapeutic, clinical or medical reports or evaluations regarding the child; witness statements; police or other investigative reports; or any other information other than stated in this statute are prohibited from being released pursuant to this statute.

RC § 5153.173: A common pleas court can provide an order to stop the release of information required to be released pursuant to RC §5153.172 upon a motion by the PCSA which alleges that disclosing this information would not be in the best interest of a deceased child's sibling or another child residing in the deceased child's household.

OAC rule 5101:1-1-03(B)(6): CDJFS can share with a PCSA the minimum necessary information needed to accomplish the need for sharing, about a recipient of DFA, OWF or PRC benefits, when the CDJFS knows or suspects child abuse/neglect has occurred. (Amendments took effect 10/01/10).

OAC rule 5101:2-5-09.1(P): Sets out to whom a Bureau of Criminal Identification and Investigation (BCII) report completed for Private Children Placing Agency (PCPA) or Public Children Services Agency (PCSA) employment purposes or for foster caregiver applicants seeking certification may be made available.

OAC rule 5101:2-7-04: A foster caregiver must maintain a record on each foster child and the rule specifies what must be included in these records. The rule then goes on to preclude the foster caregiver from knowingly allowing the disclosure of any information regarding the foster child or the foster child's family to persons not directly involved in the foster child's care and treatment on an official basis.

OAC rule 5101:2-33-21: Makes contents of abuse/neglect reports, assessments and investigations confidential, including identity of referent/reporter, and specifies what, under what circumstances and to whom confidential information may be shared by a PCSA. (Last amended 7/1/14 to streamline and incorporate 5101:2-33-22 and 5101:2-33-24)

OAC rule 5101:2-33-22:Makes child abuse/neglect and other information in SACWIS confidential, and specifies to whom and for what purpose this data can be released. (Last amended 1/15/11. Replaced OAC rule 5101:2-34-381). (Rescinded and moved to OAC 5101:2-33-21, effective 7/1/14.  OAC 5101:2-33-24 was also rescinded and moved to 5101:2-33-21).

OAC rule 5101:2-33-23(B): Makes all case records that are prepared, maintained or kept by the PCSA confidential, and releasable only in accordance with 5101:2-33-21. (Eff. 7/1/14).

OAC rule 5101:2-33-28: Requires PCSAs to engage in planning and joint sharing of information with CDJFS in certain circumstances. However, identity of person reporting abuse/neglect may not be shared with the CDJFS, and any information that is permitted to be shared must be treated with special precautions, to help maintain confidentiality. (Amended 7/1/14).

OAC rule 5101:2-33-70: Requires ODJFS to establish and maintain SACWIS in accordance with 42 USC 674(a)(3)(C). The rule also describes the types of data that PCSAs must enter into SACWIS, and to whom and for what purposes SACWIS data may be accessed and used. 9/1/17.

OAC rules 5101:2-36-03(AA)(6) & 5101:2-36-04(W)(6): Both rules require, in certain circumstances (alleged intra-familial abuse/neglect and specialized assessments and/or investigations), that the PCSA notify the child's non-custodial parent of the receipt of the child abuse/neglect report, as well as the report disposition and case decision. (Both rules amended effective 10/1/17).

OAC rule 5101:2-42-90: Allows the release by PCSAs or PCPAs of certain records to potential care givers prior to placing a child in a substitute care setting. Also has provisions for sharing information with schools and juvenile courts, and for inclusion in individual child care agreements. (Amended 9/1/15).

OAC rule 5101:2-48-09(N)(12): The PCSA, PCPA, and PNA must document that each person seeking adoption approval has completed certain preservices prior to approval of the home study, including sharing with the prospective adoptive parent information about the child’s commission of a violent crime, prior to placement with the adoptive parent. 

OAC rule 5101:2-48-19: Governs the release of adoptive home studies by PCSAs, PCPAs, or PNAs. (Amended effective 11/1/15).

OAC rule 5101:2-48-20: Governs the release of birth parent and sibling identifying or non-identifying information to an adopted person or the adoptive parents. (Amended effective 10/1/14).

OAC rule 5101:2-48-21(E): Requires a child study inventory to be shared with a PCSA, PCPA or PNA assisting in the adoptive placement of a child prior to the adoptive placement. (Amended effective 10/1/14).

OAC rule 5101:2-48-22: Sets out what must be included by a PCPA, PCSA or PNA in an adoptive family case record. (Amended effective 10/1/15).

OAC rule 5101:2-48-23: Governs the preservation of adoptive child case records and sets out under what circumstances the record can be released or reviewed. (Amended eff. 10/1/15).

OAC rule 5101:6-50-07: When an RC Chapter 119 hearing has been requested, allows discovery of any matter that is not privileged or confidential, except in cases involving actions under RC chapters 5103 and 5104 (foster caregiver, private non-custodial agency (PNA), and private child placing agency (PCPA) certification, & child day care licensing), in which instances no discovery is permitted, unless parties agree to it. (Amended effective 2/28/14).

OAC rule 5101:9-9-39: Allows ODJFS to access and use information contained in systems (such as SACWIS) that are controlled or maintained by or for the benefit of ODJFS, for purposes of ODJFS program administration (which includes federal reporting and oversight requirements).  Disclosures may be subject to a written agreement, and any release of information shall preserve the confidential nature of it.  (Effective 8/18/16).  

OAC rule 5101:9-22-15: This is the ODJFS internal management rule related to the Personal Information Systems Act (Chapter 1347). See Part II of this Manual.

F.       CHILD DAY CARE

State Statutes and Rules:

RC § 5101.29: When contained in a record held by ODJFS or other state or local entity responsible for enforcing RC Chapter 5104, names and other identifying information regarding children enrolled in or attending a child day-care center or home subject to licensure, certification, or registration are excluded from being considered as public records pursuant to RC §149.43. RC §5101.29 also excludes from public record the names and other identifying information of persons who make an oral or written complaint to ODJFS or the county agency responsible for enforcing RC Chapter 5104, regarding a child day-care center or home subject to licensure, certification, or registration.

RC § 5104.011(C)(2): The administrator of each child day-care center shall maintain enrollment, health, and attendance records for all children attending the center and health and employment records for all center employees. The records shall be confidential, except that they shall be disclosed by the administrator to the director of ODJFS upon request for the purpose of administering and enforcing this chapter and rules adopted pursuant to this chapter. Neither the center nor the licensee, administrator, or employees of the center shall be civilly or criminally liable in damages or otherwise for records disclosed to the director of ODJFS by the administrator pursuant to this division. It shall be a defense to any civil or criminal charge based upon records disclosed by the administrator to the director of ODJFS that the records were disclosed pursuant to this division. (Pursuant to SB 316, effective 1/1/14, ORC 5104.011 was repealed, and the language in (C)(2) above was moved to ORC 5104.038).

RC § 5104.012(A) and (D): Requires that all current and prospective employees at type A homes and child day-care centers have a criminal background check completed by BCII. The report of the criminal background check received from BCII is not a public record for the purposes of RC §149.43 and is not to be made available to any person other than the applicant who is the subject of the criminal records check or his representative; the center or type A home requesting the criminal records check or its representative; ODJFS or CDJFS; and any court, hearing officer, or other necessary individual involved in a case dealing with the denial of employment to the applicant. (Amendments effective 9/29/11, 1/1/13 and 1/1/14). Repealed 9/29/15.

RC § 5104.013(A), (F) & (L): Requires ODJFS as part of its licensure of child day-care centers and type A & licensed type B family day-care homes to have BCII conduct criminal background checks on owners, licensees or administrators of the day-care center; any owner, licensee, or administrator of a type A or type B family day-care home, and any person eighteen years of age or older who resides in a type A or licensed type B family day-care home. In addition, the administrator of any center, type A home, or licensed type B home shall request that BCII conduct a criminal records check of any individual who applies to the center or home for employment.  Any BCII report completed pursuant to this statute is not a public record under RC §149.43 and shall not be made available to any person other than the person who is the subject of the criminal records check or his representative, the director of job and family services, the director of a county department of job and family services, the center, type A home, or type B home involved, and any court, hearing officer, or other necessary individual involved in a case dealing with a denial of licensure or certification related to the criminal records check. (Amendments effective 9/29/11, 1/1/13, 1/1/14, and 9/29/15).

RC § 5104.038: The administrator of each child day-care center shall maintain enrollment, health, and attendance records for all children attending the center and health and employment records for all center employees. The records shall be confidential except that they shall be disclosed by the administrator to the director of ODJFS upon request for the purpose of administering and enforcing this chapter and rules adopted pursuant to this chapter. Neither the center nor the licensee, administrator, or employees of the center shall be civilly or criminally liable in damages or otherwise for records disclosed to the director of ODJFS by the administrator pursuant to this division. It shall be a defense to any civil or criminal charge based upon records disclosed by the administrator to the director of ODJFS that the records were disclosed pursuant to this division. (Effective 1/1/14.  Formerly in ORC 5104.011(C)(2)).

OAC rule 5101:2-12-08(C): Requires that licensed child care center employee records be kept confidential, but shall be made available to ODJFS for purposes of administering RC Chapter 5104 (“Child Care”) and OAC Chapter 5101:2-12 (“Licensing of Child Care Centers”).  Records must include days and hours worked, duties and group assignments (if applicable), and shall be retained for at least 3 years after the employee’s departure.  Amended effective 10/29/17.

OAC rule 5101:2-12-09: Requires criminal records checks of owners, administrators, representatives, employees, and staff members of child care centers applying for licensure, and every five years after licensure.  The rule also sets forth the procedure for obtaining criminal records checks, requires that the results be sent to ODJFS, and only allows the results to be disclosed to the person who is the subject of the check, the child care center, and ODJFS.  The rule applies to even records of convictions that have been sealed.  Amended 10/29/17.

OAC rule 5101:2-12-10(C)(3): Requires owners and administrators of licensed child care centers to provide their staff with copies of their own training documentation within 5 business days of their staff member’s request, or at the time of separation for records not verified by the Ohio professional registry (OPR).  Amended effective 10/29/17.

OAC rule 5101:2-12-15(D): Requires that licensed child care centers treat as confidential any children’s records they collect, including child enrollment and health records, medical statements, and medical/physical care plans, and only disclose them to ODJFS for purposes of administering ORC chapter 5104 and OAC chapter 5101:2-12. In addition, immunization records must be made available for review by the Ohio Department of Health, for purposes of disease outbreak control and immunization level assessment. Amendment effective 12/31/16.

OAC rule 5101:2-12-16(F)(3): If a child is transported from a child care center for emergency treatment, requires that the child’s medical records accompany the child. Amended 10/29/17. 

OAC rule 5101:2-13-03: (G)(6) requires that the county agency provide a copy of the JFS 01926 “Inspection Report for Family Child Care”, or its system generated equivalent, to anyone who submits a request to the county agency, but only after the county agency has removed all confidential information from the JFS 01926. Paragraph (I) makes licensing inspection records public. Amended 10/29/17.

OAC rule 5101:2-13-08(C) & (G): Requires licensed family child care providers to maintain on file at the facility employment records of each child care staff member, and to retain those records for inspection by ODJFS and the county agency for at least 3 years after the staff member’s departure. The records shall include days and hours worked, and job duties and group assignments, if applicable. Also requires child records described in 5101:2-13-15 to be shared with any substitute caregivers who are used by family child care providers. Amended 10/29/17.

OAC rule 5101:2-13-09: Requires criminal records checks of all staff members, employees, substitutes, and adult residents of licensed type A and type B home providers (collectively referred to as family child care providers) and those applying for a license to become a family child care provider. Records check must be done every 5 years, and results shall only be made available to the subject of the records check, the family child care provider, the county agency, and ODJFS. The rule applies to even records of convictions that have been sealed.

OAC rule 5101:2-13-10(E)(3): Requires family child care providers to give their staff copies of their own training documentation within 5 business days of their staff member’s request, or at the time of separation for records not verified by the Ohio professional registry (OPR).  Amended effective 10/29/17.

OAC rule 5101:2-13-15(D):Children’s records (including attendance and medical records) required to be kept by licensed family child care providers shall be confidential, except they shall be available to ODJFS and the county agency for purposes of administering RC Chapter 5104 and OAC 5101:2-13. Immunization records shall be subject to review by the Ohio Department of Health for disease outbreak control and immunization level assessment purposes. (Replaced OAC 5101:2-13-37(C), effective 12/31/16).

OAC 5101:2-13-26(B): Paragraphs (B)(1) and (B)(2) describe the types of documentation that the county agency must maintain regarding licensed family child care providers; (B)(2) and (B)(3) specify the retention period for those documents; (B)(4) prohibits county agencies from disclosing (a) identifying information about complainants, witnesses and those to whom confidentiality has been reasonably promised, (b) any information, when such information would disclose the identity of one to whom confidentiality has been reasonably promised, and (c) provider medical records; and, (B)(5) through (B)(8) specify what information the county agency must share with the PCSA, law enforcement, provider, and ODJFS. (Amended 10/29/17).

OAC rule 5101:2-13-37(C): Medical records required to be kept by type A day-care homes shall be confidential, except they shall be available to ODJFS. Immunization records shall be subject to review by the Ohio Department of Health for disease outbreak control and immunization level assessment purposes. (Rescinded effective 12/31/16 and Moved to 5101:2-13-15(D)).

OAC rule 5101:2-14-03(C) & (D): Requires that complaint investigations of Type B family day-care homes and in-home aides be kept by director of the CDJFS in that county and, with confidential information removed, released to anyone upon written request. Requires criminal background checks of all certified in-home aides, the results of which are only made available to the subject of the records check, the county agency, and ODJFS. Rule even applies to records of convictions that have been sealed. Amended 10/29/17. 

OAC rule 5101:2-14-06(F): Makes all information collected about in-home aides by county agencies confidential, except to ODJFS for purposes of monitoring review and complaint investigation, and to the PCSA and law enforcement for purposes of investigating alleged child abuse and neglect. Any information disseminated about IHAs must be documented, including the date of dissemination, to whom, and the reason.  Amended 10/29/17.

OAC rule 5101:2-14-07(B)(4): Requires that inspection reports be kept on file at the county agency, and that a copy of the JFS 01642 “In-Home Aide Assurances”, with confidential information removed, be released to anyone upon request. (Amended 10/29/17).

OAC rule 5101:2-14-11(D), (E), (P) & (T): Requires BCI checks for type B home providers, any adult residents of the home, substitute/emergency caregivers or in-home aides. Record check results are only made available to the subject of the records check. Rescinded 12/31/16.

OAC rule 5101:2-14-26(B) & (D): Sets out what immunization, health and other information must be in children's records at type B family day-care homes. The rule allows release of the records only to the director of the CDJFS in that county, the provider or to a person who provides written authorization from the child's parent/caretaker. Emergency transportation authorization and health records may be disclosed in an emergency or substitute situation to the emergency or substitute provider or to a health professional administering emergency care to the child.  Rescinded effective 01/01/14. 

OAC rule 5101:2-14-62: Sets out what type of information related to a certified child care provider cannot be released by a CDJFS. This rule requires sharing of this information with ODJFS and a PCSA or law enforcement agency as needed when there is an allegation of child abuse and/or neglect. Rescinded 01/01/14.

OAC rule 5101:6-50-07: When an RC Chapter 119 hearing has been requested, allows discovery of any matter which is not privileged or confidential, except in cases involving actions under RC Chapters 5103 and 5104 (foster caregiver, PNA, and PCPA certification, and child day care licensing), in which instances no discovery is permitted, unless parties stipulate to it. Amended effective 2/28/14. 

G.      CHILD SUPPORT

Federal Laws and Regulations:

42 USC §653: Addresses confidentiality of the Federal Parent Locator System and to whom the information may be released (authorized person defined in the statute). Section (j)(8) allows HHS Secretary to disclose employer information from the National Directory of New Hires to state unemployment agencies, for the purposes of UC administration. 

42 USC §654(26): Requires the state to protect confidential child support information.

42 USC §654a: Paragraph (d) requires the ODJFS Office of Child Support (OCS) to establish & implement safeguards for child support automated data systems, to ensure system integrity, accuracy and completeness, and to restrict access to and use of information contained therein. OCS must have written policies that (1) permit access to and use of child support data by state agency personnel, but only to the extent necessary to administer the child support program; and (2) specify the data that may be used for particular program purposes, and the personnel permitted to access such data. Federal law also requires system controls to ensure strict adherence to policies, routine monitoring of access through such methods as audit trails to detect and guard against unauthorized access and use, and training of state and local agency staff and contractors on access restrictions, penalties and security procedures. (45 CFR 307.13 is very similar to this provision).

45 CFR § 235.70: Allows county Job and Family Services departments to send a copy of the ADC case record and other relevant information to a CSEA.

45 CFR § 302.35(a)(2),(c) & (d): Requires the state child support agency to maintain a parent locator service (PLS) to provide location information to authorized persons for authorized purposes that are listed in the CFR.

45 CFR § 303.15: Allows use of the Federal Parent Locator Service (FPLS) for enforcing any state or federal law with respect to the unlawful taking or restraint of a child or making or enforcing a child custody or visitation determination. This information is given to the IV-D agency and pursuant to an agreement between the FPLS. Access to the FPLS information shall be restricted only in connection with child custody or parental kidnapping cases. After information is requested from FPLS and then sent to a requestor, the IV-D agency must destroy any confidential records and information related to the request.

45 CFR § 303.21: Requires safeguarding and restricts disclosure of information relating to a specified individual or an individual who can be identified by reference to one or more factors specific to him or her, including but not limited to the individual's Social Security number, residential and mailing addresses, employment information, and financial information. However, (d) says upon request, the ODJFS Office of Child Support may disclose: (1) confidential information to state agencies as necessary to assist them to carry out their responsibilities under plans and programs funded under titles IV, XIX, or XXI of the Social Security Act, as well as SNAP including (i) Any investigation, prosecution or criminal or civil proceeding conducted in connection with the administration of any such plan or program; and (ii) Information on known or suspected instances of physical or mental injury, sexual abuse or exploitation, or negligent treatment or maltreatment of a child under circumstances which indicate that the child's health or welfare is threatened; and, (2) information in the state directory of new hires (SDNH), pursuant to sections 453A and 1137 of the Act for purposes of income and eligibility verification. However, authorized disclosures under (1) and (2) above shall not include confidential information from the National Directory of New Hires or the Federal Case Registry, unless authorized under 45 CFR §307.13 or unless it is independently verified information. No financial institution data match information may be disclosed outside the administration of the IV-D program and no IRS information may be disclosed, unless independently verified or otherwise authorized in Federal statute. States must have safeguards in place as specified in section 454A(d) and (f) of the Act.

45 CFR § 303.30: Allows access by IV-D agency to obtain IV-A or IV-E information not supplied by the agencies holding the information and allows the obtaining of medical support information with the consent of a non-recipient and without the consent of a Medicaid applicant or recipient.

45 CFR 303.69: Allows U.S. attorneys and federal agents to request information directly from federal parent locator service, for purposes of parental kidnapping or child custody case. Request must be submitted in writing and contain required statements.

45 CFR§ 303.70:  Requires state child support agencies to have procedures for submissions to the State or Federal parent locator service (PLS) for the purpose of locating parents, putative fathers, or children for the purpose of establishing parentage or establishing, setting the amount of, modifying, or enforcing child support obligations; for the purpose of enforcing any Federal or State law with respect to the unlawful taking or restraint of a child or making or enforcing a child custody or visitation determination as defined in section 463(d)(1) of the Social Security Act (42 USC 663), or for the purpose of assisting State agencies to carry out their responsibilities under title IV-D, IV-A, IV-B, and IV-E programs. Only the central State PLS may make submittals to the Federal PLS for the purposes specified in above.

45 CFR §307.13: Addresses security and confidentiality for computerized support enforcement systems in operation after October 1, 1997. Requires that information contained in SETS be confidential and be released only in connection with the IV-D (child support), IV-A (TANF), Title XIX(Medicaid) and (effective 12/30/10) Title XXI (child health assistance) programs. Also, effective 12/30/10, limits are placed on the disclosure of NDNH, FCR, financial institution and IRS information outside the IV-D program.

State Statutes And Rules:

RC §149.43 (A)(1)(e): Excludes information contained in the putative father registry from being considered as public record when held by ODJFS or a CSEA.

RC § 149.43(A)(1)(o):  Excludes new hire and rehire records provided by employers to ODJFS for child support purposes from being considered as public records. Section refers to RC § 3121.894 (new hire directory), which was amended effective 03/21/05.

RC §3107.063: Sets forth the procedure to be used by a biological mother or adoption attorney for requesting that ODJFS search the putative father registry to determine whether a man is registered as the minor's putative father.  Amended effective 3/23/15.

RC § 3121.76: Limits the use of information received by ODJFS from a financial institution

through an agreement pursuant to the statute to purposes of establishment, modification or enforcement of a child support order. Such information is not a public record.

RC § 3121.84: Sets out the types of matches that must be done with the case registry of all child support orders and to what governmental entities the matches should be shared.

RC §3121.898: New Hire data shall only be used for the purpose of locating individuals for purposes of establishing paternity; establishing, modifying and enforcing support orders; and verifying eligibility for Title IV-A programs (like OWF and PRC), Medicaid, Unemployment Compensation (UC), Food Assistance (FS) and employment security programs administered by ODJFS.

RC § 3121.899:  New hire information shall not be considered as public record information pursuant to RC §149.43 and shall be used for the purpose of locating individuals for purposes of establishing paternity; establishing, modifying and enforcing support orders; and to detect fraud (verify eligibility) in any program administered by ODJFS. The new hire information shall also be shared with the Employment Services units of ODJFS and the Bureau of Workers Compensation.

RC § 3123.89: Permits OCSEA to release name and SSN of obligor to Ohio Lottery Commission to intercept lottery winnings.  Amended 9/15/14.

RC § 3123.92: Requires any CSEA administering a court or CSEA enforceable finding of default against an obligor to contact at least one consumer reporting agency in the State and provide to the consumer reporting agency the obligor's name, address, and social security number or other identification number and any other identifying information concerning the obligor.

RC §3123.93:  Allows consumer reporting agencies to obtain certain information maintained by the ODJFS Office of Child Support regarding obligors.

RC § 3123.95 et seq. Authorizes and sets forth requirements for the establishment and use by ODJFS of a poster program, to display photos of obligors who are delinquent in their support payments, for purposes of increasing collections.

RC§ 3123.954: Precludes a county CSEA from providing the address or other identifying information of an obligee to the ODJFS Office of Child Support Enforcement when the CSEA submits the name of the obligor to be included on a poster. See also RC § 3123.95 et seq., RC § 3123.957 and OAC rules 5101:12-50-65 and 5101:12-50-65.1, for provisions regarding the office of child support's poster program.

RC § 3125.08: Sets out limits for access and use of SETS information.

RC § 3125.16: Allows each obligor and obligee under a support order to review all records related to support orders held by CSEAs and any other information maintained by the CSEA, except to the extent prohibited by state or federal law.

RC §3125.49: Precludes ODJFS Office of Child Support or any CSEA from using social security numbers made available from the local registrar of vital statistics for any purpose other than child support enforcement.

RC § 3125.50:  Authorizes release of information concerning applicants for and recipients of child support services by CSEAs only under rules promulgated by ODJFS. This statute also precludes release of information collected from any officer or entity of the state or any political subdivision of the state that would aid the CSEA in locating an absent parent; any information concerning the employment, compensation, and benefits of any obligor or obligee subject to a support order; name and address of any obligor or obligee subject to a support order and the obligor's employer in the customer records of a public utility; and the Department of Taxation except as provided by rules promulgated by ODJFS.

OAC rule 5101:1-1-03: Disclosure of recipient information, Nondiscrimination, and treatment of information received from the IRS and SSA: addresses the release of OWF, PRC, TANF and DFA information held by ODJFS or a CDJFS specific to an applicant, recipient or former recipient. This is an extremely important rule and should be consulted when this type of information is requested by any third party. The rule describes under what general circumstances the information can be released, exceptions to the general requirements, what is required in information releases, and procedures to follow if information is requested through court process. Also contains provisions on the use, protection and redisclosure of client-specific data received by ODJFS and CDJFS from the SSA and IRS. (Amendments took effect 10/01/10).

OAC rule 5101:9-22-15: This is the ODJFS internal management rule related to the Personal Information Systems Act (Chapter 1347). See Part II of this Manual.

OAC rule 5101:12-1-20: Contains definitions of terms used in OAC Rules 5101:12-1-20.1, 5101:12-1-20.2 and 5101:12-1-20.3. (Amended effective 3/1/12).

OAC rule 5101:12-1-20.1: Describes the requirements for the use, protection and dissemination of information that is collected and maintained by the ODJFS Office of Child Support or a county CSEA in the performance of support enforcement program functions. Obligor/obligee information may be disclosed for administration of child support, OWF and Medicaid; federal, state and local audits; and, to report to an appropriate child welfare official, suspected abuse or neglect of a child who is the subject of a child support order. Other individuals may inspect documents concerning an obligor or obligee, by obtaining a signed authorization from the obligor/obligee that includes the items listed in the rule. (Amended effective 9/1/12 to delete (B)(5)(c)(iv) & (v) on whether or not CSEA had to independently verify income, NDNH & FCR information before sharing with OWF or Med programs).

OAC rule 5101:12-1-20.2: Requires that child support agencies safeguard confidential participant (obligor and oblige) information received from the Internal Revenue Service (IRS). Rule includes details of steps county agencies and employees must take to safeguard information. Failure to comply with safeguarding requirements can result in revocation of county agency/employee access to the Support Enforcement Tracking System (SETS). (Amended effective 3/1/12, so that rule covers only safeguarding of federal tax information received from IRS).

OAC rule 5101:12-1-20.3: Describes procedures child support enforcement agencies (CSEAs) must follow to safeguard information received from the ODJFS Office of Unemployment Compensation & Ohio department of taxation. (Effective 3/1/12).

OAC rule 5101:12-10-90(C): States that new hire reports are not considered public records for purposes of section 149.43 of the Revised Code, and that ODJFS may only disclose new hire reports in accordance with OAC rules 5101:12-10-90.2(E) and 5101:12-10-90.3(D). Amended 9/1/15.

OAC rule 5101:12-20-10: Sets forth which parties are authorized to obtain from the Federal Parent Locator Service, the current residential address or place of employment of an individual. Also provides details on how requests must be made, and when a court order is required. (Amended effective 3/1/12).

OAC rules 5101:12-50-65 & 12-50-65.1: Authorizes and sets forth requirements for ODJFS Office of Child Support and county child support enforcement agencies to implement poster program, displaying photos of delinquent obligors, to increase collections. Amended 3/1/17.

OAC rule 5101:12-55-10: Financial Institution Data Match (FIDM) program allows OCS to obtain data from financial institutions for purposes of collecting back due support. (Amended effective 2/1/16).

H.       ADULT SERVICES

State Statutes and Rules:

RC §5101.61(F):  Written and oral reports of suspected abused, neglected or exploited adults, and subsequent investigatory records, are confidential and are not considered public records pursuant to RC §149.43. The information shall only be made available upon request to the adult who is the subject of the report, and to legal counsel for the adult. (Amended 9/29/15).

RC §5101.71(B):  Gives ODJFS director authority to adopt rules governing county departments' implementation of adult protective services, as defined & described in ORC 5101.60 and 5101.71. (Amended effective 9/29/15).

OAC rule 5101:2-20-04: Makes adult protective services case records confidential. Amended effective 8/1/12.

I.        REFUGEE ASSISTANCE

State Rules:

OAC rule 5101:1-1-03: Disclosure of recipient information, nondiscrimination, and treatment of information received from the IRS and SSA: addresses the release of OWF, PRC, TANF and DFA information held by ODJFS or a CDJFS specific to an applicant, recipient or former recipient. This is an extremely important rule and should be consulted when this type of information is requested by any third party. The rule describes under what general circumstances the information can be released, exceptions to the general requirements, what is required in information releases, and procedures to follow if information is requested through court process. Also contains provisions on the use, protection and redisclosure of client-specific data received by ODJFS and CDJFS from the SSA and IRS. (Amended 2/1/16).

OAC rule 5101:1-2-40.2(B)(5):says that the refugee social services program must comply with the confidentiality provisions of RC §5101.27. (See also OAC Rule 5101:9-6-16, "RSS Program Allocation"). Rescinded effective 6/1/15.

J.       TITLE XX

State Statutes:

RC §5101.46(D): Requires ODJFS to prepare a report every fiscal year related to the use of Title XX funds which will be available for public inspection. Amended effective 10/12/16.

K.       UNEMPLOYMENT COMPENSATION BENEFITS, TAX AND WAGE RECORDS

Federal Laws and Regulations:

26 USC 3301 to 3311: Federal Unemployment Tax Act (FUTA) laws are codified here. 

29 USC § 49b (b): Requires State UC offices to share UC data with State offices running TANF, Food Assistance and Child Support programs.

42 USC § 503(a)(1) and (8): Require that state law provide for such methods of administration as are found by the Secretary of Labor to be reasonably calculated to insure full payment of unemployment compensation when due and restricts expenditure of all moneys received by the State through the Unemployment Insurance Agent to be used solely for the purposes and in the amounts found necessary by the Secretary of Labor for the proper and efficient administration of such law.

These sections have been interpreted by the Department of Labor to provide that employer, wage and claim information collected and maintained for the administration of the unemployment compensation program are confidential and, with a few exceptions, not subject to disclosure (see 20 CFR 603.4). This confidentiality requirement pertains to information required from individuals and employers or employing units for the purposes of administration of the revenue and benefit provisions of state UC laws.

42 USC §1320b-7(a)(5) and (a)(6): Requires the establishment of an Income and Eligibility Verification System (IEVS) between listed programs with adequate safeguards to assure that information is made available only to the extent necessary to assist in the valid administration of the programs, only exchanged with agencies authorized to receive such information, adequately protected against unauthorized disclosure, notification is provided to applicants and recipients that information in the system may be shared with other agencies, and reimbursement to agencies providing the information.

20 CFR Parts 601 to 625: Unemployment regulations are codified here, including Trade Adjustment Assistance in parts 617 and 618.

20 CFR §603.2: Defines terms used with regard to IEVS including "wage information," "claim information," and "requesting agency."

20 CFR §603.3: Subpart B includes 20 CFR 603.2 through 603.12, and all pertain to implementation of federal UC and FUTA (Federal Unemployment Tax Act) confidentiality requirements, including mandating that states create uniform minimum UC safeguards and data sharing agreements, as outlined in SSA §303 (same as 42 USC 503) and FUTA (26 USC §3304(a)(16)).

20 CFR §603.5: Sets forth exceptions to UC confidentiality. However, the federal exceptions can only be followed if authorized by state law, and Ohio UC confidentiality laws, including RC §4141.21, are more restrictive than federal law.

20 CFR §603.6: Requires the Office of Unemployment Compensation to share income and employment information with food and cash assistance programs, for purposes of determining eligibility for those programs, and with CSEA and HUD. Same as 29 USC 49b.

20 CFR Part §603: Requires state unemployment compensation (UC) agencies to establish procedures to protect the confidentiality of information against unauthorized access, disclosure or redisclosure. The state unemployment compensation agency must require requesting agencies to comply with the following measures to protect the confidentiality of the information against unauthorized access or disclosure: 1) information shall be used only to the extent necessary to assist in the valid administrative needs of the program receiving such information; 2) The requesting agency shall not use the information for any purposes not specifically authorized under an agreement that meets the requirements of section 603.6; 3) information shall be stored in a physically secure place; 4) electronic information shall be secured from unauthorized access; 5) requesting agencies shall instruct all personnel of the confidential nature of the information. 20 CFR 603.5 authorizes state unemployment compensation agencies to share wage and claim data with certain requesting agencies, but only for the purpose of verifying eligibility for, and the amount of, benefits. Both CFR provisions apply to the Wage Record Interchange System (WRIS), which is an interstate data exchange system that facilitates the exchange of UC wage records for use by participating states in assessing and enhancing the performance of various programs identified in the Workforce Innovation and Opportunity Act (WIOA). These regulations also set forth provisions which must appear in the Agreement between the state unemployment compensation (UC) agencies and the requesting agency with respect to the release of Income and Eligibility Verification System (IEVS). See also Unemployment Insurance Procedure Letter (UIPL) 23-96 - Requirements for disclosure of wage record information to private entities, as well as UIPL 19-12, which largely superseded UIPL 23-96 for consensual releases of claimant information to consumer reporting agencies (third parties other than an agent).

20 CFR §609.13: Addresses confidentiality of information related to the Unemployment Compensation for Federal Civilian Employee program (UCFE) administered by the state unemployment agency.

20 CFR §614.14: Addresses confidentiality of information related to the Unemployment Compensation for Ex-Service Members (UCX) administered by the state unemployment agency.

20 CFR §617.57: Information about Trade Adjustment Assistance (TAA) collected by state agency is confidential and can only be used to the same extent as unemployment insurance information. But, TAA information can only be disclosed to employers and other persons as needed for TAA administrative purposes listed in 20 CFR Part 617.

20 CFR §677.175 & WIOA §116(i)(2): Require state workforce education and training programs to use quarterly wage records to measure the progress of the state on performance accountability measures.

State Statutes and Rules:

RC §4141.162: Requires the establishment of IEVS, specifies the programs to be included in the system, and provides that the requirements of RC § 4141.21 and any sanctions imposed for improper disclosure of such information apply to the redisclosure of information under this section. The section also requires the adoption of rules to include specific requirements including notification to applicants and recipients that information in the system may be shared with other agencies, that information is made available only to the extent necessary to assist in the valid administration of the programs, and that information is adequately protected from unauthorized disclosures.  Amended effective 9/29/13.

RC § 4141.21: Except as provided in RC§4141.162(IEVS), and subject to RC § 4141.43:  (cooperation with certain state, federal and other agencies), information maintained by or furnished to the director of ODJFS by employers or employees pursuant to RC Chapter 4141 (employment services law) is for the exclusive use and information of ODJFS in the discharge of its duties and is not open to the public and cannot be used in any action or proceeding or be admissible in evidence in any action other than one arising under RC Chapter 4141 or RC §5733.42 (RC §4141.16 and RC §4141.161 were both repealed). All of the information and records necessary or useful in the determination of any particular claim for benefits or necessary in verifying any charge to an employer's account under RC §§ 4141.23  to 4141.26, shall be available for examination and use by the employer and the employee involved.

[In Freed vs. Grand Court Lifestyles, 100 F. Supp. 2d 610 (Dec. 21, 1998), the Federal Court overruled OBES's Motion to Quash in part, and sustained the Motion in part. Three conditions on releasing UC claimant data to the former employer were listed in Freed, in which the claimant had filed an ADA-based discrimination suit against the former employer in federal court:

(1) There must be a federal questions involved, before release will be required. If it's only a federal diversity issue involving questions of state law, then no disclosure is required, as RC §4141.21 still applies, and is not abridged by Federal Rule of Evidence 501.

(2) Only personal information provided to ODJFS by the UC claimant may be released to the claimant's former employer. (Note: The federal court looked at only the facts of this particular case, and the usefulness to the Defendant of UC data (the receipt of which implied that the plaintiff could work) to their defense of an ADA claim (in which obtaining proof of receipt of UC benefits would actually undermine the requesting party's argument that the plaintiff/UC claimant was too disabled to work), and balanced the policy interests served by recognizing state's privilege against the policy interests served by allowing access to the requested information. The facts of other cases may not warrant application of Freed, and/or may not warrant disclosure of UC claimant data.)

(3) Any discoverable records should be issued under seal, and with written assurances that the documents be maintained as confidential and only be utilized for the limited purposes of defending the federal civil suit filed by the claimant].

[But, see AG Opinion 2010-029, which says JFS may provide BWC with certified copies of UC records, for use in BWC civil and criminal cases, and JFS may allow its representative to testify regarding those records at BWC trial]

RC § 4141.22: No person shall disclose any information maintained by or furnished to the director of ODJFS by employers or employees unless such disclosure is permitted by RC §4141.22.

RC § 4141.43:  Provides the director of ODJFS with discretionary authority to disclose information to various agencies, including but not limited to the bureau of workers compensation, United States IRS, United States employment service, and the railroad retirement board. Basis for RC 4141.43 and other UC confidentiality statutes lies in SSA §§303(a)(1), (a)(7), (c)(1), (d), (e), (h) & (i).

RC §5733.42(E): Financial statements and other information submitted by an applicant to ODJFS for an employee training tax credit, and any other information taken for any purpose from such statements or information, are not public records subject to RC §149.43. However, ODJFS, the tax commissioner, or the superintendent of insurance may make use of the statements and other information for purposes of issuing public reports or in connection with court proceedings concerning tax credits allowed under this section and RC §5725.31, RC §5729.07, and RC §5747.39.

OAC 4141-16-01 through 4141-16-03: Requires ODJFS to disclose wage and claim information to authorized agencies under an agreement, when needed by those agencies to verify eligibility for and/or the amount of benefits. The agreement with authorized agencies must include provisions to prevent unauthorized access to and disclosure of confidential information.

OAC rule 4141-43-01: Governs the exchange and disclosure of wage, claim, employer, employment and training, and other confidential information to state departments, other governmental agencies, or service providers, and certain nongovernmental agencies for research and for the purpose of providing and improving employment and training services. This rule strictly prohibits redisclosure of the information received.

OAC rule 4141-43-02: Allows the sharing of wage, claim and/or employment and training information furnished to or maintained by ODJFS pursuant to RC Chapter 4141 with county departments of job and family services, state and county child support enforcement agencies, and governmental agencies administering employment and training and public assistance programs. The rule also allows the sharing of certain information with civil and criminal prosecuting authorities.

L.       WORKFORCE DEVELOPMENT

1.       THE WORKFORCE INVESTMENT ACT INNOVATION AND OPPORTUNITY ACT (WIAWIOA)

20 USCA § 9274:Nothing in WIA should be construed to supersede the privacy protections afforded parents and students under section 444 of the General Education Provisions Act (20 U.S.C. 1232g), as added by the Family Educational Rights and Privacy Act of 1974 or FERPA (section 513 of Public Law 93-80; 88 Stat. 571). Repealed 7/22/14, effective 7/1/15, and replaced with 29 USC 3341.

29 USC 2871(f)(2)3141(i)(2): Requires that the Office of Unemployment Insurance Operations share wage information for purposes of WIAWIOA performance reporting requirements.

29 USC 2871(f)(3)3141(i)(3): the Workforce Investment ActWIOA requires compliance with 20 USC 1232g, the Family Educational Rights and Privacy Act of 1974 (FERPA), which was enacted to protect student privacy rights in education records, and applies to all public and private educational institutions that receive federal educational funds. FERPA requires safeguards to protect against the disclosure of personal identifying data regarding students, which includes social security numbers (SSNs). Under FERPA, schools can only give info to the Department of Education, not the Department of Labor, making cross-matching of SSNs potentially problematic. Additionally, educational agencies and institutions may disclose information from the student's education records, such as the SSN, with the prior written consent of either the minor student’s parents, or, the student himself/herself, if the student is over the age of 17, or attending a postsecondary institution at any age. .  Repealed effective 7/1/15 and replaced with 29 USC 3141(i)(3).

29 USC §29353245(a)(4): Part (A) of this section requires certain WIAWIOA records maintained by ODJFS available to the general public. Part (B) excepts requirement of public access to information, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy and trade secrets, or commercial or financial information, which is obtained from a person and is privileged or confidential.

29 USC §3341:Nothing in WIOA shall be construed to supersede the privacy protections afforded parents and students under section 444 of the General Education Provisions Act (20 U.S.C. 1232g); and, nothing in WIOA shall be construed to permit the development of a national database of personally identifiable information (PII) regarding individuals who have received WIOA or vocational rehabilitation services.  (Enacted 7/22/14).

20 CFR 603.7: Requires state unemployment compensation (UC) agencies to establish procedures to protect the confidentiality of information against unauthorized access, disclosure or redisclosure. 20 CFR 603.5 authorizes state unemployment compensation agencies to share wage and claim data with certain requesting agencies, but only for the purpose of verifying eligibility for, and the amount of, benefits. Both these provisions apply to the Wage Record Interchange System (WRIS), which is an interstate data exchange system that facilitates the exchange of UC wage records for use by participating states in assessing and enhancing the performance of various programs identified in the workforce investment actWorkforce Innovation and Opportunity Act (WIAWIOA).

29 CFR §37.3738.41: Requires each WIAWIOA recipient to collect data and records which show that the recipient is in compliance with the non-discrimination and equal opportunity provisions of WIAWIOA. Any of this data and records that contain information on applicants, registrants, eligible applicants/registrants, participants, terminees, employees and applicants for employment are considered confidential and can only be used for purposes of record keeping and reporting to the Department of Labor, determining eligibility, and determining compliance with non-discrimination requirements. Each WIOA recipient must also keep logs of complaints alleging discrimination in relation to providing services under WIOA. Any of these logs that contain identifying information of a particular individual must be kept confidential and may be shared only with the Department of Labor and the Governor.   

34 CFR § 99.30(a): This is a FERPA regulation and provides that with certain exceptions, "The parent or eligible student shall provide a signed and dated written consent before an educational agency or institution discloses personally identifiable information from the student's education records." Personally identifiable information includes but is not limited to: the student's name; a personal identifier, such as a student's social security number; and other information that would make the student's identity easily traceable (34 CFR § 99.3).

RC § 307.983: Each board of county commissioners is required to establish a plan of cooperation among county workforce development agencies specifying how such agencies will exchange information and coordinate and enhance services and assistance to individuals and families.

OAC rule 4141-43-01: Allows the use and disclosure of wage information, claim information, employment and training information and employer information maintained by ODJFS for the purpose of providing or improving employment and training program as well as research for certain specified purposes.

OAC rule 4141-43-02: Sets out under what circumstances wage, claim and/or employment and training information maintained by ODJFS can be shared with county departments of job and family services, state and county child support enforcement agencies, and governmental agencies administering employment and training and public assistance programs.

Workforce Investment Act Workforce Innovation and Opportunity Act (WIAWIOA) Section 136(f)(2)116(i) (same as 29 USC 3141): In measuring the progress of the state on state and local performance measures, a state shall utilize quarterly wage records, consistent with state law. DOL shall make arrangements, consistent with state law, to ensure that the wage records of any state are available to any other state to the extent that such wage records are required by the state in carrying out the state plan of the state or completing the annual report described in subsection (d) [performance reports].

OAC rule 5101:11-6-03(D): Makes the identities of those filing apprenticeship-related complaints confidential, except for purposes of carrying out EEO requirements. Eff. 8/7/14.

2.       LABOR MARKET INFORMATION

Information maintained by or furnished to the director of ODJFS under RC Chapter 4141 as Labor Market Information is governed by the same laws and regulations that govern the underlying confidential information. Labor Market Information and BLS data are also subject to the Confidential Information Protection and Statistical Efficiency Act (CIPSEA) of 2002 (Title 5 of Public Law 107-347), Privacy Act (5 USC 552a), WIOA (29 USC 49l-2), and Trade Secrets Act (18 USC 1905).

3.       EMPLOYMENT SERVICES (Including Wagner-Peyser)

29 USC 49l-2: Prohibits officers, employees, and agents of the federal government from (1) using information furnished to them for statistical purposes, for any other purpose; and, (2) publishing or releasing to the media any information concerning individual subjects that might identify them, directly or indirectly, without the consent of the individual or agency that is the subject of the information. Also makes statistical information about individual subjects immune from legal process, so that it cannot be admitted as evidence, or used for any purpose in any action, suit, or other judicial or administrative proceeding.  

20 CFR 653.110: Aggregate data collected pursuant to 20 CFR 653.109, such as the total number of migrant and seasonal farmworkers (MSFWs) contacted through outreach, referred to or placed in jobs, and registered in career services, must be disclosed to the public within 10 business days of the receipt of a public records request for such data.  However, intra-agency memoranda and reports between ODJFS and DOL-ETA that contain mostly statements of opinion, rather than facts, may be withheld from the public.  And, information and documents may also be withheld if their disclosure would constitute a clearly unwarranted invasion of personal or employer privacy, as long as the rationale for non-disclosure is provided in writing to the requesting party. In Ohio, no personally identifiable information about MSFWs or workforce participants is shared with the general public, on the basis that disclosure of such information would constitute a clearly unwarranted invasion of personal privacy. Eff. 8/19/16.

20 CFR 655.63: Says that U.S. DOL will maintain a publicly accessible electronic file showing all employers that have applied for temporary non-agricultural labor certifications (for H2B visas), the number of workers requested, the dates filed & decided, and & the outcome.

20 CFR § 658.411(a)(3): The identity of complainants and any persons who furnish information relating to, or assisting in, an investigation of a job services complaint to ODJFS shall be kept confidential to the maximum extent possible, consistent with applicable law and a fair determination of the complaint. Requires that copy of completed Job Services complaint submission be given to the complainant(s) and the appropriate Complaint System representative. 20 CFR §658.413 was removed 8/19/16 and language above was moved to 658.411.

RC § 4141.21: Except as provided in RC §4141.162(IEVS), and subject to RC § 4141.43 (cooperation with certain state, federal and other agencies), information maintained by or furnished to the director of ODJFS by employers or employees pursuant to RC Chapter 4141 (employment services law) is for the exclusive use and information of ODJFS in the discharge of its duties and is not open to the public and cannot be used in any action or proceeding or be admissible in evidence in any action other than one arising under RC Chapter 4141 or RC §5733.42 (RC §4141.16 and RC §4141.161 were both repealed). All of the information and records necessary or useful in the determination of any particular claim for benefits or necessary in verifying any charge to an employer's account under RC sections 4141.23 to 4141.26, shall be available for examination and use by the employer and the employee involved.

RC § 4141.43: Provides the director of ODJFS with discretionary authority to disclose information to various agencies, including but not limited to the bureau of workers compensation, United States IRS, United States employment service, and the railroad retirement board.

OAC rule 4141-43-01: Sets guidelines for the use and disclosure of wage information, claim information, employment and training information, and employer information.

M.      STATE HEARINGS

Federal Regulations:

7 CFR 273.15(p)(1) & (q)(5): Requires that hearing decisions related to Food Assistance be made available to the public with identifying information of the appellant being kept confidential. This regulation also requires that the Food Assistance/SNAP assistance group or its representative be given access to all documents and records to be used at the state hearing at a reasonable time prior to the state hearing as well as at the state hearing. But, names of individuals who have provided information about the household without its knowledge, and the nature and status of pending criminal cases, must be protected from release.

45 CFR 205.10(a)(19): Requires that hearing decisions related to IV-A be made available to the public with identifying information of the IV-A assistance group kept confidential.

State Rules:

OAC rule 5101:6-5-01(E) & (F): Allows an Appellant requesting a state hearing and/or his/her authorized representative access to his/her case record or other relevant agency records for purposes of preparing for a state hearing. This rule also sets out the procedure for subpoenas in the state hearing process. Amended 2/28/14.

OAC rule 5101:6-7-01(G): Allows inspections of state hearing decisions subject to applicable disclosure guidelines. The implication of this rule is that an Appellant's identity is not subject to disclosure but the decision itself (with identifying information of Appellant deleted) is available as a public record upon request.  Amended 2/28/14.

OAC rule 5101:6-8-01(K): Allows inspections of administrative appeal decisions subject to applicable disclosure guidelines. The implication of this rule is that an Appellant's identity is not subject to disclosure but the decision itself (with identifying information of Appellant deleted) is available as a public record upon request.  Amended 7/25/16.

OAC rule 5101:6-20-16(H): Allows inspections of administrative disqualification decisions subject to applicable disclosure guidelines. The implication of this rule is that an Appellant's identity is not subject to disclosure but the decision itself (with identifying information of Appellant deleted) is available as a public record upon request.  Amended 2/28/14.

OAC rule 5101:6-50-07: Allows when RC Chapter 119 hearing has been requested, discovery of any matter which is not privileged or confidential except in cases involving actions under RC Chapters 5103 and 5104 (child day care licensing and children's residential licensing). Amended 2/28/14.

OAC rule 5101:9-22-15: This is the ODJFS internal management rule related to the Personal Information Systems Act (Chapter 1347). See Part II of this Manual.  Amended 12/15/16.

N.       MISCELLANEOUS

Federal Laws and Regulations:

29 CFR § 825.500(g): Records and documents relating to medical certifications, recertifications or medical histories of employees or employee's family members, created for purposes of the Family Medical Leave Act (FMLA) shall be maintained as confidential medical records in separate files/records from the usual personnel files. If the Genetic Information Nondiscrimination Act (GINA) of 2008 is applicable, records created for the FMLA containing family medical history or genetic information shall be maintained in accordance with Title II of GINA (29 CFR 1635.9), which permits information to be disclosed consistent with the FMLA. And, if the Americans With Disabilities Act (ADA) or the Americans with Disabilities Amendments Act of 2008 (ADAA) is also applicable, such records shall be maintained in conformance with ADA confidentiality requirements except: (1) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of an employee necessary accommodation; (2) First aid and safety personnel may be informed (when appropriate) if the employee's physical or medical condition might require emergency treatment and (3) Government officials investigating compliance with the FMLA (or other pertinent law) shall be provided relevant information upon request.  Amended 2/6/13.

29 CFR § 1630.14(b), (c) and (d): This is a part of the regulations related to the Americans with Disability Act and addresses medical examination information received from employees, either voluntarily as part of an agency health program or mandatory examinations needed due to business necessity. This section requires that employers keep this information in separate medical files and keep them confidential. This regulation allows the release of this information to: supervisors and managers in relation to necessary restrictions on the work or duties of the employee and necessary accommodations; first aid and safety personnel, when appropriate, if the disability might require emergency treatment; and government officials investigating compliance with the regulation.  Amended 5/17/16.

State Statutes and Rules:

RC §9.01: Sets out the standards for copying and preserving records for specified purposes onto different format or medium. Gives the copies the same effect of law as the original record(s). 9/26/03.

RC § 9.312: A state agency may request additional financial information from a low bidder on a contract (in addition to a surety licensed to do business in Ohio). This additional financial information to show financial responsibility is confidential except under proper order from the court, and is not a public record under RC §149.43.  Amended 9/29/15.

RC §102.03(B): Prohibits public official or employee from disclosing information that is "confidential" either by statute or based on circumstances and the need for confidentiality for the proper conduct of government business. Amended effective 3/20/14. 

RC §124.88: Records of the identity, diagnosis, prognosis, or treatment of any person that are maintained in connection with the employee assistance program (EAP) are not public records under RC §149.43 and shall be disclosed without written permission of the subject of the record only to medical personnel to the extent necessary to meet a bona fide medical emergency or to qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, but the personnel shall not directly or indirectly identify any person who is the subject of the record in any report of the research, audit, or evaluation or in any other manner. Records may also be disclosed pursuant to court order, if good cause is shown and certain safeguards are in place. Prior to 9/29/13 it was RC 3701.041.

RC §125.071: Affords some protections for the procurement process until the contract is awarded and the process is completed.

RC §§ 131.02 & 131.022: Both say private entity to which ODJFS claims are sold, conveyed or transferred, shall be bound by any and all state and federal confidentiality requirements concerning the information included in the sale, conveyance or transfer. Amended 9/6/12 and 6/30/06, respectively.

RC § 145.27: Sets out what information held by the Public Employee Retirement System (PERS) is confidential. Amended effective 1/7/13.

RC § 149.431: Makes financial records required to be kept by any governmental entity or agency and any nonprofit corporation or association (except a charitable trust corporation organized under Chapter 1719 of the Revised Code) related to contracts or agreements with the federal government, unit of state government, or a political subdivision or taxing unity of the state, public records as defined in division (A)(1) of RC §149.43 and subject to the requirements of division (B) of that statute. The statute also states that information directly or indirectly identifying a present or former individual patient or client or his diagnosis, prognosis, or medical treatment, treatment for a mental or emotional disorder, treatment for mental retardation or a developmental disability, treatment for drug abuse or alcoholism, or counseling for personal or social problem is not a public record. It states that release of the financial records can be deferred for a reasonable amount of time if at the time a request for release is made a patient or client whose confidentiality might be violated by the release of the records is being provided confidential professional services. The statute also does not require a governmental entity or agency and any nonprofit corporation or association to keep financial records as public records related to private funds expended in relation to the performance of services pursuant to a contract or agreement.  Amended effective 4/5/17.

RC § 149.433: Any record held by a public office which discloses the configuration of that office's critical systems including, but not limited to, communication, computer, electrical, mechanical, ventilation, water and plumbing systems, security codes or the infrastructure or structural configuration of the building in which a public office is located is not a public record. This statute also excludes from being a public record any records that contain information directly used for protecting or maintaining the security of a public office against attack, interference or sabotage; records assembled, prepared, or maintained by a public office to prevent, mitigate, or respond to acts of terrorism, including any portion of a record containing specific and unique vulnerability assessments or specific and unique response plans either of which is intended to prevent or mitigate acts of terrorism, and communication codes or deployment plans of law enforcement or emergency response personnel; specific intelligence information and specific investigative records shared by federal and international law enforcement agencies with state and local law enforcement and public safety agencies; and national security records classified under federal executive order and not subject to public disclosure under federal law that are shared by federal agencies, and other records related to national security briefings to assist state and local government with domestic preparedness for acts of terrorism.  Amended effective 9/26/16.

RC § 1306.23: Records that would disclose or may lead to the disclosure of records or information that would jeopardize the state's continued use or security of any computer or telecommunication devices or services associated with electronic signatures, electronic records, or electronic transactions are not public records for purposes of RC §149.43.

RC § 1333.61: Defines and precludes the release of trade secrets. This may become relevant if information contained in RFP's or ITB's is requested by a third party.

RC § 1347.12: Sets forth procedures for public entities when they become aware of electronic security breaches (see also definitions in RC §1347.01; AG's investigatory authority in RC §1349.191 and penalties in RC § 1349.192).  Amended effective 9/29/15.

RC § 3701.041: Effective 9/29/13, renumbered as RC 124.88.

RC § 3701.74: Provides the subject of medical records or their representatives the right to access their medical records from a hospital or health care provider. In the event that a health care provider denies the subject of the record access to his/her own medical records, this section also allows the subject or their representative to initiate a civil action against the health care provider, to obtain the medical records. Amended effective 9/15/14.

RC § 4701.19:  Makes statements, records, schedules, working papers, and memoranda made by certified public accountant or public accountant incident to or in the course of performing an audit of a public office or private entity, except report submitted by the accountant to the client, non-public under RC §149.43.  Eff. 3/30/99.

OAC 5101:9-9-38: Pertains to county electronic data usage. Except when specifically authorized by division (B) of this rule, a county agency shall obtain the written approval of ODJFS prior to performing or authorizing any person or entity to perform any download, match, scraping or extraction of data from ODJFS systems that is migrated to a computer system, data base or application not under the control of ODJFS. The rule also sets out the procedure for obtaining ODJFS approval. Division (B) states that a county DJFS, CSEA, PCSA, WDA or other county entity may download, match, scrape or extract data from ODJFS systems, including but not limited to SETS, CRIS-E, SIS, SACWIS, SCOTIOWCMS, ICMS, MAPS and MMIS, if it is (1) directly related to a county employee's job duties, (2) directly related to the administration of the program by a person under contract with the county agency, or (3) for the purpose of providing data to law enforcement, or a state or federal auditor, and is not in conflict with state or federal confidentiality laws.