As stated in Part I of this memorandum, any record identified as
a "public record" must be released upon request. RC §149.43(A)(1)
excepts records from being designated as "public records" when there is
a federal or state law which prohibits the release of the record or labels it as
confidential. The following is a list of federal and state laws which make certain
records or information confidential or prohibit their release. The federal and state
statutes have been grouped according to program or subject matter.
A.GENERAL
1.TAX
RETURN INFORMATION
Internal Revenue Code (IRC) Section 6103 (26 USC 6103) states that all income returns and return
information shall be confidential, and that no officer or employee of any state,
any local child support enforcement agency, or any local agency administering a
public assistance, unemployment, or medical assistance program shall disclose any
return or return information obtained by him/her in the course of his/her work responsibilities.
IRC Section 7213 (26 USC 7213) makes unlawful disclosures a felony offense,
and IRC Section 7431 (26 USC 7431) permits civil damages to be imposed on individuals
who make unlawful disclosures.
In addition, 42 USC 664 allows the interception of federal tax refunds
in order to satisfy child support obligations. 26 USC 6103 and IRS publication 1075 outline strict requirements
for the handling of this information by state agencies operating child support programs.
OAC rule 5101:1-1-36(G): This cash assistance rule references
section 1137 of the Social Security Act, which requires that ODJFS develop an Income
& Eligibility Verification System (IEVS). Ohio's IEVS is integrated into Ohio
Benefits, which allows ODJFS to obtain information from its own office of unemployment
insurance operations (OUIO) and the social security administration (SSA). Under
IEVS, ODJFS matches public assistance applicant/recipient social security numbers
with OUIO's wage records and unemployment compensation records, as well as SSA's
benefit earnings exchange records, and Supplemental Security Income (SSI) and Retirement,
Survivors, Disability Insurance (RSDI) benefit information provided by SSA. If the
source of any tax data contained in matched information is SSA, or some other federal
agency, the information is considered federal tax information (FTI). Match information
for IEVS which contains FTI must be protected from disclosure to unauthorized persons.
The rule states that computer screen printouts or copies of letters mailed or received
regarding FTI must be safeguarded. The rule requires that FTI not be commingled
within the assistance group case record, because if it is commingled, the entire
assistance group case record must be safeguarded in the same way as FTI, and labeled
as SSA-provided FTI. The rule then sets out under what circumstances and to whom
the Federal Tax Information can be released. 12/1/18.
OAC rule 5101:4-7-09: Rule pertains to use of IEVS in food
assistance program. Rule says that, in general, unemployment compensation benefit
information, SSI and social security data from the SSA are verified upon receipt,
whereas county agencies must independently verify IRS information, and federal and
state wage information obtained from SSA and the state unemployment office. The
rule also specifies the types of independent verification that can be done, and
the actions that county agencies must take when information is received as a result
of data exchange agreements. Paragraph (G) restricts county usage of IEVS information
to program administration (i.e., determining assistance group's eligibility or ineligibility
for SNAP, and the amount of SNAP), and Paragraph (J) says that IEVS match information
may only be disclosed as permitted in OAC rule 5101:4-1-13. Paragraph (K) requires that ODJFS and
the county agencies keep a record for at least three years, or during the active
life of the application (whichever is longer) of any release of confidential IEVS
information (e.g., federal tax information (FTI), including SSA match data) to any
non-ODJFS or non-county agency employee. County/state workers must record the disclosure(s)
in the applicant's case file, and the county must keep track of it in BENDEX. Paragraph
(I) says that matches containing FTI are confidential, must be safeguarded as required
in OAC rule 5101: 4-1-13, must be stored in a place physically safe from access
by unauthorized individuals, and cannot be commingled with the rest of the case
record. 6/1/22.
OAC rule 5101:9-9-25 outlines federal tax return information
safeguarding procedures, which are intended to maintain confidentiality of taxpayer
data; and, OAC 5101:9-9-25.1 does the same for county agencies. 10/4/21.
OAC Rule 5101:9-9-26: Ohio rule that implements IRS Publication
1075 provision requiring individuals who are given access to federal tax information
(FTI) to undergo FBI and BCI fingerprint checks to identify suitability issues associated
with access to FTI, as well as validate their eligibility to lawfully work in the
United States. An initial background check must be successfully completed for all
final candidates, current employees, current or prospective intermittent employees,
county agency contractor/contract employees, or temporary service personnel to determine
suitability to access FTI, and reinvestigation must occur every five years from
the date it was initially determined, for individuals remaining in a position with
access to FTI. 4/1/23.
OAC rule 5101:12-1-22: ODJFS Office of Child Support rule
regarding safeguarding of federal tax information (FTI) received from the IRS. See
also 26 USC 6103 and IRS Publication 1075. 11/1/22.
OAC rule 5101:12-1-22.1: ODJFS Office of Child Support procedure
for conducting county CSEA visits and requiring county CSEA self-inspection, to
verify FTI is being properly safeguarded. 11/1/22.
2.SOCIAL
SECURITY NUMBERS
As a result of growing problems of identity theft and intrusions
on personal privacy, this section on Social Security numbers was added to the Manual,
as a reminder to all government employees of the importance of safeguarding the
confidentiality of all social security numbers in the possession of state and local
government. Unless specifically authorized by law, there should be no public disclosure
of SSNs of government employees, public assistance applicants/recipients, child
support clients, unemployment insurance claimants, workforce development participants,
private sector employers/businesses/contractors, and participants in any other program
administered by ODJFS or a county DJFS which collects and maintains social security
numbers (SSNs) and related data. The Internal Revenue Code, 26 USC 6109(d), states that an SSN is issued to an individual
for tax identification purposes.
5 USC § 552 (public information) and 5 USC § 552a (the Privacy Act of 1974) are the federal
counterparts of the Ohio public information and privacy laws.
5 USC § 552(b) lists exemptions to the federal Freedom
of Information Act, including matters that are specifically exempted from disclosure
by statute ((b)(3)) and trade secrets and commercial or financial information obtained
from a person ((b)(4)).
5 USC § 552a(a)(8),(e),(o) & (p): This statute does
not prohibit release of the Social Security numbers but creates an individual expectation
of privacy by requiring that any federal government agency that requests an individual
to disclose his Social Security number to inform that individual whether that disclosure
is mandatory or voluntary, under what authority the number is solicited, and what
use will be made of it. Also requires that non-federal
agencies (like ODJFS) enter into matching agreements with source agencies (like
the Social Security Administration), to independently verifying matched
information, and to notify applicants for and recipients of financial
assistance of their right to contest the findings of any match that results in
adverse action. Please note that public assistance, child support and children
services records and portions of daycare records are not public records pursuant
to other federal and state statutes. Social Security numbers would also not be public
records under those laws. Social Security numbers contained in personnel files have
been determined by the Ohio Supreme Court to not be public records pursuant to a
Constitutional right of privacy. In addition, ORC 149.43(A)(1)(dd) exempts disclosure
of social security numbers to the public, and ORC 1347.12 requires notification
to individuals if their social security numbers are accessed from any government
system without authorization, and/or used or redisclosed inappropriately. Requests
for release of Social Security numbers in other situations (e.g., provider information)
should be analyzed on a case by case basis. Also cited as Sections 7(a) and (b)
of the Privacy Act of 1974.
7 USC 2011-2036, Section 1137(a) of the Social
Security Act (42 USC 1320b-7), and 42 CFR 435.910, authorize the collection and use of Social
Security numbers in the Food Assistance and Medicaid programs. (See also OAC Rules
5101:1-1-03 and 5101:1-3-09). Social Security Numbers can be used to determine
eligibility and verify information.
7 USC 2018(c) and 7 CFR 278.1(q): Limit access to and disclosure of food
assistance retailer information, such as identities of store owners and personnel,
and specific proprietary data. While information can be used for administration
of food assistance program, special provisions apply to employer identification
numbers (EINs) and federal employer identification numbers (FEINs). The disclosure
of SSNs and EINs is limited to qualifying Federal agencies or instrumentalities
which otherwise have access to SSNs and EINs based on law and routine use. Release
of information under this CFR provision is limited to information relevant to the
administration or enforcement of the specified laws and regulations, as determined
by FNS.
29 USC 3141(i)(3), the Workforce Innovation and Opportunity
Act (WIOA), requires compliance with 20 USC 1232g (and the corresponding regulations in 34 CFR part 99), the Family Educational Rights and Privacy
Act of 1974 (FERPA), which was enacted to protect student privacy rights in education
records, and applies to all public and private educational institutions that receive
federal educational funds. FERPA requires safeguards to protect against the disclosure
of personal identifying data regarding students.
42 USC 405(c)(2)(C)(viii)(I): Social security account
numbers and related records that are obtained or maintained by authorized persons
pursuant to any provision of law, enacted on or after October 1, 1990, are confidential
and non-disclosable.
20 CFR 603.4 and 20 CFR § 603.9: Require state unemployment compensation
(UC) agencies to establish procedures to protect the confidentiality of information
against unauthorized access, disclosure or redisclosure. 20 CFR 603.5 authorizes state unemployment compensation
agencies to share wage and claim data with certain requesting agencies, but only
for the purpose of verifying eligibility for, and the amount of, benefits. These
provisions also apply to the State Wage Interchange System (SWIS), which is an interstate
data exchange system that facilitates the exchange of UC wage records for use by
participating states in assessing and enhancing the performance of various programs
identified in the Workforce Innovation and Opportunity Act (WIOA).
42 CFR 435.910: Requires Medicaid applicants to furnish
state Medicaid agency with their social security number. But, agency must advise
applicant of legal authority for requesting SSN, and how the agency will use the
SSN (i.e., verifying income, eligibility, and amount of assistance); assist applicant
in obtaining an SSN or other evidence if they do not have one; and not delay services
to an otherwise eligible individual.
RC
§ 149.45: Defines “personal information” to include social security numbers,
driver’s license numbers, state identification numbers, state and federal taxpayer
identification numbers, financial account numbers, and credit and debit card numbers,
which are all exempt from treatment as public record under RC
149.43(A)(1)(dd). Also prohibits public offices from making Social Security
numbers available to the general public on the Internet without first redacting,
encrypting or truncating the SSN. In addition, an individual may ask a public office
or employee to redact/remove the individual's federal tax ID number, driver's license
number and bank account number (and protective services workers, prosecutors, and
other designated public service workers can also ask that their residential and
familial information be redacted) from any public website. The public office must,
within five business days of receiving a request to do so, either redact the personal
(and sometimes residential/familial) information from internet postings, or explain
to the requester why the redactions are impracticable. A public office or employee
is not liable in damages in a civil action for any harm an individual sustains as
a result of including the individual's personal information on the Internet, unless
the public office or employee acted with malicious purpose, in bad faith, or in
a wanton or reckless manner.
RC § 1347.12: Sets forth procedures for public entities,
except for HIPAA-covered state entities, when they become aware of electronic security
breaches, which often include names and social security numbers (see also AG's authority
to investigate breaches in 1347.191; and penalties that court can impose in 1349.192).
9/29/15.
RC § 5101.181and RC § 5101.182:
State that the director of job and family services, county director of job and family
services, county prosecutors, attorney general, auditors of state or any agent or
employee of those officials having access to information or documents received as
a result of a Social Security number match of public assistance recipients and Ohio
income tax records, workers compensation records, state retirement records, and
state personnel records may not divulge information from these matches except to
determine overpayments, audits, investigations, prosecution, or in accordance with
a proper judicial order. Any person violating these sections shall be disqualified
from acting as an agent or employee or in any other capacity under appointment or
employment of any state or county board, commission, or agency.
OAC rule 5101:1-1-03: Makes all information and records collected,
received or maintained by ODJFS or a CDJFS concerning an applicant for, or recipient
or former recipient of, OWF or PRC (TANF) benefits confidential. The rule describes
under what general circumstances the information can be released, the forms needed
to authorize information releases, and procedures to follow if information is requested
through court process, including immediately notifying the recipient of the request
and informing the court of the laws and regs prohibiting disclosure. Also restricts
ODJFS and county DJFS use of retirement, survivors and disability insurance (RSDI),
supplemental security income (SSI), and benefit earnings exchange records (BEER)
information from the Social Security Administration (SSA) to “routine use” and requires
approval from beneficiary or SSA for non-routine use. Also requires that disclosures
of SSA-provided information to non-ODJFS/CDJFS employees be recorded, even when
it is a routine use, and that the records be retained for five (5) years. Federal
tax information (FTI) and unearned income information provided by the Internal Revenue
Service (IRS) is only to be used for determining TANF and SNAP eligibility and the
amount of benefits, and can only be shared with the subjects of the information
and their duly appointed representatives with explicit authority to obtain tax return
information. Disclosure awareness training for state/county employees with FTI access,
standardized record-keeping for requests and disclosures of FTI, and special safeguarding
and access limits for SSA and IRS data are also described in the rule. 2/1/22.
OAC rule 5101:1-3-09: Describes the social security number
requirement for the Ohio Works First (OWF) cash assistance program. 2/1/22.
OAC rule 5101:4-3-22(H): Sets out the acceptable purposes
for utilizing a SNAP/Food Assistance recipient's social security number. 1/1/23.
3.VOTER
REGISTRATION
RC
§ 111.42: Allows victims of domestic violence, stalking,
human trafficking, rape, or sexual battery to apply to the Ohio Secretary of State
for an address designated by the Secretary of State, to serve as that individual’s
mailing address, and to thereby shield their actual address from being accessed
or viewed by the general public. This law affects ODJFS and county agency collection
and treatment of client, employee and contractor addresses. However, RC §111.43(E)(1)(b)(iv) allows participants to complete
a form authorizing the Secretary of State to disclose confidential address and other
information for verification purposes, including to public assistance program administrators.
Paragraph (E)(3) prohibits redisclosure of information. 4/29/22.
RC § 3503.10(E)(4): Sets forth requirements for designated
public agencies (e.g., county DJFS) to assist individuals with voter registration,
including keeping certain information confidential, such as the identity of the
public agency through which a person registered to vote, or updated his/her voter
registration, or declined to register to vote. Purpose is to avoid divulging that
a particular registered voter is an applicant for/recipient of either public assistance,
or some other service/benefit administered by/through ODJFS and its county counterparts,
which would violate recipient confidentiality. 9/26/2003.
4.AUDITS
2 CFR 200.337: Non-federal entities must give the federal
inspector general, comptroller, awarding agency, and pass-through entity timely
and reasonable access to any records or personnel the non-federal entity has, that
are pertinent to the federal award, for the purpose of audits, examinations, interviews,
excerpts, and transcripts. However, the federal awarding agency, pass-through entity
and authorized representative should only be given access to the true names of crime
victims in extraordinary and rare circumstances, and not for “routine monitoring.”
11/12/20.
2 CFR 200.338: While non-federal entities are not generally
subject to federal FOIA requirements (5 USC 552), federal awarding agencies cannot
place restrictions on the non-federal entity’s disclosure of its records to the
public, except for personally identifiable information and other information contained
in those records that would be considered exempt/confidential. 11/12/20.
RC
§121.22(D)(2)&(D)(12): Exempts the following meetings from the open
meetings (Sunshine laws) requirements-(1) Audit conferences between ODJFS audit
staff and officials of the public office (county DJFS or CSEA) being audited, and
(2) Audit conferences between the state auditor/independent CPA and officials of
the public office (ODJFS) being audited. 4/7/23.
RC §5101.37(D): Makes audit reports, working papers and
other audit-related records non-public, until they are formally released by ODJFS.
9/29/11.
B.FOOD
ASSISTANCE/SUPPLEMENTAL NUTRITION ASSISTANCE PROGRAM (SNAP)
Federal Laws and Regulations:
7 USC 2015(d)(4): Requires states to implement an employment
and training program.
7 USC 2018(c): Limits access to and disclosure of information
provided to ODJFS and counties by retail food stores and wholesale food concerns,
such as income and sales tax filings, purchase invoices, EBT equipment records,
and transaction and redemption data provided through EBT system. Information can
only be used for administration of the food assistance program (SNAP) and women,
infants and children (WIC) program, and related investigations and enforcement.
See also 7 CFR 278.1(q), which reiterates that ownership information
and sales and redemption data may be used for SNAP/WIC program administration, investigation
and enforcement, but imposes additional restrictions on which parties may access,
use and disclose employer identification numbers (EINs) & social security numbers
(SSNs), and for what purposes.
7 USC 2020(e)(8): Requires that states have safeguards
in place to protect information obtained from SNAP applicant households, and lists
what uses and disclosures are permissible, and to which parties, for what purposes,
and under what conditions information about food assistance applicants and recipients
may be disclosed.
7 CFR § 272.1(c): Restricts the release of information
obtained from food assistance applicants/recipients to specific persons and situations.
They are: (1) persons directly connected with the administration or enforcement
of the Food Assistance Act; other federal assistance programs and federally-assisted
State programs providing assistance on a means tested basis to low income individuals;
and, general assistance programs that are subject to the joint processing requirements
in 7 CFR §273.2(j)(2); (2) persons directly connected with the administration or
enforcement of programs required to participate in the State Income Eligibility
Verification System (IEVS), to the extent SNAP information is useful in verifying
eligibility or benefit amounts under those [other] programs; (3) persons directly
connected with verification of immigration status of aliens applying for SNAP through
the Systematic Alien Verification for Entitlements (SAVE) program, to the extent
needed to identify the individual for verification purposes; (4) persons directly
connected with administration of Title IV-D child support, and to assist federal
HHS employees in verifying eligibility for Disability benefits under Titles II and
XVI of the SSA; (5) employees of federal comptroller for audit purposes; (6) local,
state or federal law enforcement officials in connection with Food Assistance Act
violations (must be in writing and contain identity of individual requesting information,
authority to do so, violation being investigated, and identity of person being investigated)
or (7) if assistance group (AG) member is fleeing to avoid prosecution or custody
for a crime that would be classified as a felony or who is violating a condition
of probation or parole (in which case AG member's address, SSN and photo may be
released to law enforcement, but only after law enforcement officer provides the
name of the individual being sought); (8) local educational agencies administering
the national school lunch or breakfast program, for purposes of certifying the eligibility
of school-aged children for receipt of free meals, based on their receipt of SNAP;
and (9) written request from food assistance recipient or authorized representative
except for information concerning the nature or status of a pending criminal prosecution
or the identity of informants. It should also be noted that the persons receiving
the information must protect the information from unauthorized disclosure to other
persons. General information that does not identify specific food assistance applicants
or recipients are "public records" and must be made available to the general
public upon request.
7 CFR § 273.2(f)(4): states "When talking with collateral
contacts, State agencies should disclose only the information that is absolutely
necessary to get the information being sought. State agencies should avoid disclosing
that the household has applied for SNAP benefits, nor should they disclose any information
supplied by the household…or suggest that the household is suspected of any wrong
doing."
State Statutes and Rules:
RC § 5101.26: Sets out definitions of terms for confidentiality
purposes. Effective 9/29/11, 10/01/11 and 9/29/13, various amendments separated
"medical assistance recipient" from the definition of "public assistance
recipient" by defining "public assistance" as "financial assistance
or social services that are provided under a program administered by [ODJFS] or
a county agency…" and stating that ““Public assistance” does not mean medical
assistance provided under a medical assistance program, as defined in 5160.01 of
the Revised Code.”
RC § 5101.27: Sets
out confidentiality requirements for all non-medical public assistance (PA) programs,
including OWF, PRC, and child care subsidies. Section (C) requires ODJFS to release
the minimum information necessary about a public assistance recipient who receives
publicly funded child care, to the Ohio Department of Health or tuberculosis control
unit, for purposes directly connected to a public health investigation related to
RC 3301.531 or 5104.037, but only if ODJFS is unable to timely obtain voluntary,
written authorization from the recipient and to the extent permitted by federal
law. ODJFS must immediately notify the public assistance recipient of any release
of their information that is based on Section (C). 4/12/21.
RC § 5101.272: RC
§5101.272:Sets
out what elements public assistance recipients must include in a written authorization
form, to allow ODJFS and/or county DJFSs to disclose recipient information to third
parties and the recipient’s legal counsel, as described in RC 5101.27(D) and (E).
The release authorization provisions for medical assistance recipients are in RC 5160.46.
OAC rule 5101:4-1-13: Paragraph (C) governs the disclosure
of SNAP/Food Assistance information. This section reflects RC Chapter 1347, 7 USC
2020(e)(8) and 7 CFR §272.1. Paragraph (D) requires that parties receiving information
under (C) adequately protect it from unauthorized access and redisclosure. Paragraphs
(D) and (E) state that IEVS information and FTI data are subject to additional federal
safeguarding requirements imposed by the SSA and IRS, including IRS Pub. 1075; that
federal and state wage and unemployment benefit information must only be used to
determine SNAP eligibility and benefit amounts; and that SNAP assistance group information
must not be recorded by SSA and IRS staff. 3/1/23.
OAC rule 5101:4-2-09(I)(2): States that a release signed
by a SNAP/Food Assistance applicant or recipient is not necessary when a CDJFS is
attempting to secure verification from collateral sources for food assistance eligibility
purposes. However, the county agency should disclose only the information that is
absolutely necessary to get the information being sought and avoid disclosing that
the assistance group (AG) has applied for SNAP. No information provided by the AG
may be disclosed to the collateral contact, and there must be no suggestion that
the AG has provided any incorrect information. Paragraph (J) cites OAC rule 5101:4-7-09
as governing the release of Income & Eligibility Verification System (IEVS)
information. 9/1/21.
OAC rule 5101:4-3-07(I): Requires a county agency to report
to ODJFS, when an applicant or recipient is “known to be an illegal alien,” as determined
by findings or conclusions made as part of a formal determination by the U.S. citizenship
and immigration services (USCIS) under U.S. DHS. 2/1/21.
OAC rule 5101:4-3-22(H): Sets out the acceptable administrative
purposes for utilizing a SNAP/Food Assistance recipient's social security number.
1/1/23.
OAC 5101:4-7-08: Requires county DJFSs to use the Office
of Child Support’s national directory of new hires and state directory of new hires
to ensure that all employment has been reported, verified and used appropriately
when determining SNAP eligibility. After receiving an alert of a new hire match
in the statewide automated eligibility system, the county agency must contact the
assistance group to obtain verbal and documentary verification of employment and
income.
OAC rule 5101:4-7-09: Rule pertains to use of IEVS in food
assistance program. In general, unemployment compensation benefit information, SSI
and social security data are verified upon receipt, whereas county agencies must
independently verify IRS information, federal wage information obtained through
the Benefit Earnings Data Exchange (BENDEX) from SSA, and state wage information
obtained from the state unemployment office. The rule also specifies the types of
independent verification that can be done, and the actions that county agencies
must take when information is received as a result of data exchange agreements.
Paragraph (G) restricts county usage of IEVS information to program administration
(i.e., determining assistance group's eligibility for SNAP, the amount of SNAP,
and SNAP investigations and prosecutions), and Paragraph (J) says that IEVS match
information may only be disclosed as permitted in OAC rule 5101:4-1-13. Paragraph
(K) requires that ODJFS and the county agencies keep a record of any release of
confidential IEVS information (federal tax information (FTI), including SSA match
data) to any non-ODJFS/county agency employee, for at least three years, or during
the active life of the application (whichever is longer). County/state workers must
record details of the disclosure(s) in the applicant's case file, and the county
must keep track of it in BENDEX. Paragraph (I) says that matches containing FTI
are confidential, must be safeguarded as required in OAC rule 5101:4-1-13, must
be stored in a place physically safe from access by unauthorized individuals, and
cannot be commingled with the rest of the case record. 6/1/22.
OAC rule 5101:4-8-30(F): Requires safeguarding of tax information
used for the SNAP/Food Assistance Treasury Offset Program (TOP). 3/1/20.
OAC rule 5101:9-22-15: This ODJFS internal management rule
defines “personal information” and states that release of personal information is
governed by exemptions to public records listed in RC 149.43(A), the Personal Information
Systems Act (RC Chapter 1347), and dozens of federal and state laws and regulations
like the ones listed in this Manual that make applicant, recipient, and participant
information confidential or non-public. The rule also requires that individuals
who are authorized to access and use personal information in ODJFS-maintained systems
take reasonable precautions to protect the personal information from unauthorized
use, disclosure, modification or destruction, and take role-based and job-specific
security and privacy training; that aggregate data be masked in accordance with
Section III of IPP 3002; that privacy impact assessments be completed for new and
existing systems containing personal information, to ensure that the appropriate
level of privacy and security measures are in place; and that data breaches and
exposures be reported to the chief inspector, chief privacy officer, and chief information
security officer. Disciplinary action can be imposed for intentional violations
by employees, and questions regarding permissible and impermissible disclosures
can be addressed to agency legal counsel. 3/24/22.
C.TEMPORARY
ASSISTANCE for NEEDY FAMILIES (TANF) and/or CASH ASSISTANCE
(Ohio Works First & Prevention, Retention
and Contingency)
Programs established in Ohio under Title IV-A include all programs
that are funded in part with the federal Temporary Assistance for Needy Families
(TANF) block grant established by Title IV-A of the Social Security Act, 110 Stat.
2113 (1996), 42 U.S.C. 601, as amended. These programs include Ohio
Works First (OWF) established and administered in accordance with Chapter 5107 of the Revised Code, the Prevention, Retention
and Contingency (PRC) Program established and administered in accordance with Chapter 5108 of the Revised Code. There are also Title
IV-A programs established by the General Assembly or Governor’s Executive Order
that are administered or supervised by ODJFS pursuant to section 5101.801 of the Revised Code that are not considered “assistance,”
and are instead classified as “benefits” or “services”.
Federal Laws and Regulations:
42 USC § 602(a)(1)(A)(iv): Requires the states under TANF
to take such reasonable steps as the State deems necessary to restrict the use and
disclosure of information about individuals and families receiving assistance under
the program attributable to funds provided by the Federal Government.
42 USC § 608(a)(9)(B): Requires the states to furnish
a federal, state or local law enforcement officer, upon the request of the officer,
with the current address of any TANF recipient if the law enforcement officer needs
the address to conduct the officer's official duties and the location or apprehension
of the recipient is within such official duties. However, the officer must furnish
the state agency or county agency with the name of the recipient.
45 CFR § 205.50: Use or disclosure of information concerning
applicants and recipients of financial assistance under Title IV-A (funded with
TANF) is limited to purposes directly connected with: (1) administration of the
plan or program; (2) investigations, prosecutions, or criminal or civil proceedings
conducted in connection with the administration of any such plans or programs; (3)
the administration of any other federal or federally assisted program which provides
assistance, in cash or in kind, or services, directly to individuals on the basis
of need; (4) information to the Employment Security Agency as required by law; (5)
audits conducted in connection with the administration of any such plan or program,
by a government entity authorized by law to conduct such audits; (6) administration
of a state unemployment compensation program; and (7) reporting to the appropriate
agency or official information on known or suspected child abuse or exploitation,
or negligent treatment or maltreatment of a child receiving aid under circumstances
which indicate that the child's health or welfare is threatened.
Information to be safeguarded includes at least: (1) names and addresses
of applicants and recipients and amounts of assistance provided; (2) information
related to a person's economic and social conditions; (3) evaluation of information
concerning a particular individual; and (4) medical data. Release or use of information
concerning applicants or recipients is restricted to those persons who are subject
to standards of confidentiality comparable to those of the agency administering
the financial assistance program. Generally, notice and consent of an individual
is required to release information to an outside source. Courts must also be informed
of statutory provisions, rules, and policies against disclosure when recipient or
applicant information is subpoenaed. This provision also applies to IV-E information.
ODJFS and/or the county agency may provide the address of a recipient
to state or local law enforcement upon request, if law enforcement first provide
the state or local agency with the recipient’s name and social security number,
and satisfactorily demonstrate that the recipient is a fugitive felon (as defined
by the State), the location or apprehension of such felon is within the law enforcement
officer’s official duties, and the request is made in the proper exercise of those
duties.
State Statutes and Rules:
RC § 307.983: Each board of county commissioners is required
to establish a plan of cooperation with the county family services agencies and
workforce development entity serving the county specifying how such agencies will
exchange information and coordinate and enhance services and assistance to individuals
and families.
RC § 307.987: To the extent permitted by federal law and
regulations and state law and rules, contracts entered into by the board of county
commissioners, plans of cooperation, regional plans of cooperation, a transportation
work plan, and procedures established for providing services to children who are
frequently relocated, shall permit the exchange of information needed to improve
services and assistance to individuals and families and the protection of children.
A private or government entity receiving such information shall be bound by the
same standards of confidentiality as the entity that provides the information. Amended
3/24/21.
RC § 4123.27: Allows the sharing of recipient specific
information related to OWF and PRC with the Bureau of Workers’ Compensation for
matching purposes. BWC may only share names and SSNs of public assistance recipients
who are also receiving workers’ comp, and the amount of workers’ comp, with the
State Auditor. Statute also appears to permit sharing with the Governor, Attorney
General and select or standing committees of the General Assembly.
RC § 5101.181: As part of the procedure for the determination
of overpayments charged to a recipient of public assistance, the director of ODJFS
shall furnish quarterly the name and Social Security number of each individual who
receives public assistance to the Director of Administrative Services, the Administrator
of the Bureau of Workers’ Compensation, and each of the state's retirement boards.
These entities will in turn notify the state auditor as to whether such individual
is receiving wages or benefits, and the amount. The Auditor of State and the Attorney
General or their designees may examine any records whether in computer or printed
format, in the possession of the Director of ODJFS or any CDJFS director. Safeguards
restrict access to such records to purposes directly connected with an audit or
investigation, prosecution, or criminal or civil proceeding conducted in connection
with the administration of the programs, and compliance with rules of ODJFS restricting
the disclosure of information regarding recipients of public assistance is required.
The state auditor then determines whether an overpayment of public assistance occurred
and thereafter notifies ODJFS.
RC § 5101.182: For purposes of determining overpayments,
the statute permits ODJFS to report recipient names and SS #s to the tax commissioner,
who then reports to the state auditor which recipients filed tax returns, and how
much gross income the recipients received. The director of ODJFS, directors of CDJFS,
county prosecutors, Attorney General, Auditor of State, or agent or employee of
those officials having access to tax returns, or reports of amounts of federal adjusted
gross income, names or addresses or other tax information of recipients of public
assistance furnished by the tax commissioner for investigatory purposes under this
section, shall not divulge or use any such information except for the purpose of
determining overpayments of public assistance, or for an audit, investigation, or
prosecution, or in accordance with a proper judicial order.
RC § 5101.26: Sets out definitions of terms for confidentiality
purposes. Effective 9/29/11, 10/01/11 and 9/29/13, various amendments separated
"medical assistance recipient" from the definition of "public assistance
recipient" by defining "public assistance" as "financial assistance
or social services that are provided under a program administered by [ODJFS] or
a county agency…" and stating that ““Public assistance” does not mean medical
assistance provided under a medical assistance program, as defined in 5160.01 of
the Revised Code.”
RC § 5101.27: Sets
out confidentiality requirements for all non-medical public assistance (PA) programs,
including OWF, PRC, and child care subsidies. Section (C) requires ODJFS to release
the minimum information necessary about a public assistance recipient who receives
publicly funded child care, to the Ohio Department of Health or tuberculosis control
unit, for purposes directly connected to a public health investigation related to
RC 3301.531 or 5104.037, but only if ODJFS is unable to timely obtain voluntary,
written authorization from the recipient and to the extent permitted by federal
law. ODJFS must immediately notify the public assistance recipient of any release
of their information that is based on Section (C). 4/12/21.
RC § 5101.272: RC
§5101.272:Sets
out what elements public assistance recipients must include in a written authorization
form, to allow ODJFS and/or county DJFSs to disclose recipient information to third
parties and the recipient’s legal counsel, as described in RC 5101.27(D) and (E).
The release authorization provisions for medical assistance recipients are in RC 5160.46.
RC § 5101.273: RC §5101.272:Permits ODJFS to disclose public assistance recipient information
to HHS and neighboring states to actively participate in a PA reporting information
system. Eff. 9/29/13.
RC § 5101.28: Upon the request of ODJFS or a county DJFS,
law enforcement agencies are required to verify whether a public assistance recipient
is a fleeing felon or in violation of probation or parole. Upon the request of law
enforcement, CDJFS and ODJFS must share information regarding recipients of OWF
and PRC (but not medical assistance or services) with law enforcement agencies as
defined in RC § 5101.26, for the purpose of investigations, prosecutions and criminal
and civil proceedings that are within the scope of the law enforcement agency's
official duties, as well as to the State Auditor's Office for statutory audit purposes.
However, 45 CFR 205.50 only permits agencies administering TANF
to disclose the recipient’s address; and, only if law enforcement provide the state
or county DJFS with the name of the recipient, whatever other identifying information
is needed to retrieve the recipient’s address, and satisfactorily demonstrate that
the individual is a fleeing felon, that apprehension of the individual is within
their official duties, and that the officer is properly exercising those duties.
RC §5101.30: Gives ODJFS authority to adopt rules in accordance
with Chapter 119 of the Revised Code implementing sections 5101.26 to 5101.30 of
the Revised Code and governing the custody, use, disclosure and preservation of
the information generated or received by ODJFS, county agencies, other state and
county entities, contractors, grantees, private entities, or officials participating
in the administration of public assistance programs.
RC § 5101.80: ODJFS is the single state agency for the
administration and supervision of the administration of all Title IV-A programs.
No county or state agency administering a Title IV-A program may establish, by rule
or otherwise, a policy governing a Title IV-A program that is inconsistent with
a Title IV-A program established, in rule or otherwise, by ODJFS.
OAC rule 5101:1-1-03: Makes all information and records collected,
received or maintained by ODJFS or a CDJFS concerning an applicant for, or recipient
or former recipient of, OWF or PRC (TANF) benefits confidential. The rule describes
under what general circumstances the information can be released, the forms needed
to authorize information releases, and procedures to follow if information is requested
through court process, including immediately notifying the recipient of the request
and informing the court of the laws and regs prohibiting disclosure. Also restricts
ODJFS and county DJFS use of retirement, survivors and disability insurance (RSDI),
supplemental security income (SSI), and benefit earnings exchange records (BEER)
information from the Social Security Administration (SSA) to “routine use” and requires
approval from beneficiary or SSA for non-routine use. Also requires that disclosures
of SSA-provided information to non-ODJFS/CDJFS employees be recorded, even when
it is a routine use, and that the records be retained for five (5) years. Federal
tax information (FTI) and unearned income information provided by the Internal Revenue
Service (IRS) is only to be used for determining TANF and SNAP eligibility and the
amount of benefits, and can only be shared with the subjects of the information
and their duly appointed representatives with explicit authority to obtain tax return
information. Disclosure awareness training for state/county employees with FTI access,
standardized record-keeping for requests and disclosures of FTI, and special safeguarding
and access limits for SSA and IRS data are also described in the rule. 2/1/22.
OAC rule 5101:1-1-36: This cash assistance rule references
section 1137 of the Social Security Act, which requires that ODJFS develop an Income
& Eligibility Verification System (IEVS). Ohio's IEVS is integrated into Ohio
Benefits, which allows ODJFS to obtain information from its own office of unemployment
insurance operations (OUIO) and the social security administration (SSA). Under
IEVS, ODJFS matches public assistance applicant/recipient social security numbers
with OUIO's wage records and unemployment compensation records, as well as SSA's
benefit earnings exchange records (BEER), and SSI and RSDI benefit information provided
by SSA to ODJFS’ state verification exchange system (SVES). If the source of the
matched information is SSA, or some other federal agency, the information is considered
federal tax information (FTI). Match information for IEVS which contains federal
tax data must be protected from disclosure to unauthorized persons. The rule states
that computer screen printouts or copies of letters mailed or received regarding
FTI must be safeguarded in accordance with federal and state law and IRS Publication
1075. The rule requires that FTI not be commingled within the assistance group case
record, because if it is commingled, the entire assistance group case record must
be safeguarded in the same way as FTI, and labeled as SSA-provided FTI. See also
OAC rules 5101:9-9-25, 5101:9-9-25.1, and 5101:9-9-26 for FTI restrictions. IEVS
data is available to ODJFS and county DJFS employees for determining past and current
eligibility. Aside from that IEVS data can only be released to the subject of the
information, and details of all disclosures to non-ODJFS/CDJFS employees must be
recorded and retained for five (5) years, including in the assistance group record
and the county’s central file of IEVS disclosures. 12/1/18.
OAC rule 5101:1-3-10: Requires the CDJFS to collect and report
various types of data regarding an assistance group to the CSEA.
OAC rule 5101:2-33-28: Requires PCSAs to engage in joint
planning and sharing of information with CDJFS in certain circumstances, including
for families receiving OWF. However, CDJFS is required to keep child abuse/neglect
information that it receives in a separate file, not in the CDJFS’ case record,
to help maintain confidentiality. 8/1/20.
OAC rule 5101:9-22-15: This ODJFS internal management rule
defines “personal information” and states that release of personal information is
governed by exemptions to public records listed in RC 149.43(A), the Personal Information
Systems Act (RC Chapter 1347), and dozens of federal and state laws and regulations
like the ones listed in this Manual that make applicant, recipient, and participant
information confidential or non-public. The rule also requires that individuals
who are authorized to access and use personal information in ODJFS-maintained systems
take reasonable precautions to protect the personal information from unauthorized
use, disclosure, modification or destruction, and take role-based and job-specific
security and privacy training; that aggregate data be masked in accordance with
Section III of IPP 3002; that privacy impact assessments be completed for new and
existing systems containing personal information, to ensure that the appropriate
level of privacy and security measures are in place; and that data breaches and
exposures be reported to the chief inspector, chief privacy officer, and chief information
security officer. Disciplinary action can be imposed for intentional violations
by employees, and questions regarding permissible and impermissible disclosures
can be addressed to agency legal counsel. 3/24/22.
D.MEDICAL
NOTE: THE INFORMATION IN THIS SECTION MAY NOT BE
CURRENT OR ACCURATE. The Ohio Department of Medicaid (ODM) administers or
oversees the administration of Medicaid-related assistance programs in Ohio.
Therefore, to obtain the most current information regarding applicable federal
and state confidentiality laws that apply to medical assistance records,
contact ODM (legal@medicaid.ohio.govor mcdlegal@medicaid.ohio.gov) or visit Medicaid.Ohio.gov.
1.MEDICAID
Federal Laws and Regulations:
42 USC § 1396a(a)(5): State and local governments must
perform Medicaid eligibility function, not private contractor. See also State Medicaid
manual, Sections 2905 and 2909(B) & (C).
And, 42 USC 1396a(a)(7) requires state agencies to provide
safeguards that restrict use or disclosure of information about Medicaid applicants/recipients
to purposes directly connected with (a) state plan administration and (b) the exchange
of information necessary to verify certification of children's eligibility for free
or reduced school breakfast/lunch. State agencies are bound by these requirements,
as further interpreted in 42 CFR 431.300 to 431.307, which require that use and
disclosure of applicant and recipient info only be permitted when directly connected
to the administration of the State Plan.
Also, 42 USC 1320b-7 allows ODJFS to operate IEVS as part of
Ohio Benefits, but IEVS data is provided to us by the U.S. Treasury Dept. under
26 USC 6103(I)(7), and only entities covered by 26 USC 6103 can access IEVS/ Ohio
Benefits.
42 USC § 1396r-8(b)(3)(D): Information disclosed by manufacturers
or wholesalers in relation to the best price for outpatient drugs is confidential
and shall not be disclosed by the Secretary of HHS or Veterans Affairs, or by the
state (ODJFS/ODM) or its contractor, in a form which discloses the identity of a
specific manufacturer or wholesaler, prices charged for drugs by such manufacturer
or wholesaler, except as the Secretary of HHS determines to be necessary to carry
out related regulations, and to permit the Comptroller General, Director of the
Congressional Budget Office (CBO), Medicare Payment Advisory Commission, and Medicaid
Payment & Access Commission to review the information.
42 CFR Part 2: Serves to protect patient records created by federally
assisted programs for the treatment of substance use disorders (SUD), and lists
restrictions on redisclosure.
42 CFR § 431.10: Single state agency must perform Medicaid administrative
function. See also Chapter 2 of the State Medicaid Manual.
42 CFR § 431.300: Access to, and use and disclosure of,
Medicaid information of applicants and beneficiaries (recipients) must be safeguarded
by the state, so that it is restricted to purposes directly connected with the administration
of the Medicaid program.
42 CFR § 431.301 & SSA
§1902(a)(7): requires state's Medicaid plan to provide safeguards that
restrict the use or disclosure of information concerning applicants/recipients to
purposes directly connected with plan administration. 42 CFR Part 431, Subpart F.
42 CFR § 431.302: Says that purposes directly related
to state plan administration of the Medicaid program include: (1) establishing eligibility;
(2) determining the amount of medical assistance; (3) providing services for beneficiaries
(recipients); & (4) conducting or assisting an investigation, prosecution, or
civil or criminal proceeding related to plan administration.
42 CFR § 431.305: Specifies the types of Medicaid information
that must be safeguarded, including: (1) names and addresses; (2) medical services
provided; (3) social and economic conditions or circumstances; (4) agency evaluation
of personal information; (5) medical data, including diagnosis and past history
of disease or disability; (6) any information received for verifying income eligibility
and amount of medical assistance payments (income information received from the
SSA or IRS must be safeguarded according to the requirements of the agency that
furnished the data); (7) any information received in connection with the identification
of legally liable third party resources under RC §433.138, and (8) social security
numbers.
42 CFR § 431.306: Requires ODM to establish rules governing
the release and use of Medicaid information and persons who receive the information
must be subject to a confidentiality standard comparable to those of the state.
These regulations require notification and the obtaining of permission from the
subject of the information before responding to a request for information from an
outside source unless there is an emergency situation wherein the subject of the
information must be notified immediately after the release, or the information is
used to verify income and determine eligibility. Section (f) requires that, pursuant
to a court subpoena of a person's Medicaid information, the court must be informed
of applicable statutory provisions, policies, and regulations restricting disclosure
of information. Sections (g) and (h) require data exchange agreements if information
is shared in certain situations.
42 CFR § 435.904: While "initial processing"
of Medicaid applications may be contracted out to non-employees, initial processing
excludes evaluating Medicaid application information and supporting documents, as
well as making eligibility determinations. Only state/county employees can make
eligibility determinations. State/county contractors can only do "initial processing",
which excludes eligibility determinations.
42 CFR § 435.945: Requires the Ohio Department of Medicaid
to verify Medicaid eligibility and the amount of medical assistance payments. Requires
that the eligibility and medical assistance payment information be supplied to other
agencies in the state, agencies in other states and to federal programs for programs
listed in 42 CFR §435.948(a) (AFDC, Medicaid, State-administered supplementary payment
programs under Section 1616(a) of the Act, SWICA, Unemployment Compensation, Food
Assistance, and any state program administered under a plan approved under Title
I, X, XIV or XVI); child support enforcement program under Title IV-D; SSA for old
age, survivors and disability benefits under title II; and in relation to SSI benefits
under Title XVI. The regulation requires that applicants and persons being redetermined
for eligibility be informed that the agency will obtain and use information available
to it to verify income and eligibility or for other purposes directly connected
to the State plan. This regulation also requires written agreements with other agencies
before releasing data or requesting data from other agencies, and requires that
all agreements include provisions for safeguarding and limiting the use and disclosure
of information.
42 CFR § 483.315(i): Specifies under what circumstances
data from the federal Resident Assessment Instrument (RAI) for long term care facilities
can be released.
45 CFR § 95.621: Provides that State agencies are responsible
for the security of all automated data processing systems involved in administration
of HHS programs, and requires establishment of a security plan that includes policies
and procedures on physical security of ADP resources, personnel security, and software
and data security. Also requires state agencies to conduct biennial review and evaluation
of physical and data security operating procedures and personnel practices.
45 CFR § 160 Subpart A, B and C: These are the general
provisions of the Health Insurance Portability and Accountability Act (HIPAA) which
define certain terms, speak to applicability of the Act and relationship of the
Act to state laws. HIPAA-covered entities include health plans, and the definition
of ‘health plan’ includes state Medicaid programs.
45 CFR Part 164, Subparts A, C and E: These are the security
and privacy regulations governing covered entities’ and their business associates’
use, disclosure, and safeguarding of protected health information (PHI) and electronic
PHI (ePHI). Subpart C (known as the security rule) sets forth administrative, technical
and physical standards for protecting ePHI, and Subpart E (known as the privacy
rule) sets forth privacy standards for use and disclosure of PHI.
State Statutes and Rules:
RC
§ 109.85: Authorizes JFS to seek assistance from AG's Office in Medicaid
fraud investigations, but does not prohibit county prosecutors from investigating
and prosecuting Medicaid fraud.
RC
§ 173.20: Gives the Department of Aging Long Term Care Ombudsman, under
certain circumstances and unless prohibited by law, access to any records, including
medical records of a nursing facility resident that are reasonably necessary for
investigation of a complaint.
RC
§ 173.22: Makes the investigation files of the Department of Aging Long
Term Care Ombudsman non-public and allows disclosure of the records only at the
discretion of the state ombudsman, the regional program maintaining the records,
or by court order.
RC
§ 339.81: States that any information, data and reports regarding a case
of tuberculosis that are furnished to, or procured by, a county or district TB control
unit or the Dept. of Health, shall be confidential and used only for statistical,
scientific, and medical research for the purpose of controlling TB in Ohio. No physician,
hospital or other entity furnishing information, data or reports pursuant to this
chapter shall by reason of such furnishing be deemed to have violated any confidential
relationship, be held to answer for willful betrayal of a professional confidence,
or be held liable in damages to any person.
RC §§ 2305.24 and 2305.251:
Concerns confidentiality of information furnished pursuant to hospital utilization
review, peer review & quality assurance review. These statutes may be marginally
relevant if ODJFS obtains these records through Medicaid related reviews and subpoenas
are issued which may encompass this information.
RC § 3701.028: No person or government entity receiving
certain information from the Health Department relating to the program for medically
handicapped children and of programs funded with funds received from the "Maternal
and Child Health Block Grant" Title V of the "Social Security Act,"
95 Stat. 818 (1981), 42 U.S.C.A.§701, as amended, may release that information without
the consent of the subject of the information or the subject's guardian (if the
subject is a minor) except as necessary to administer the program for medically
handicapped children or other programs funded with money received from the "Maternal
and Child Health Block Grant," coordinate the provision of services under the
programs with other state agencies and city and general health districts, or coordinate
payment of providers. The records that are subject to this statute are: records
that pertain to medical history, diagnosis, treatment, or medical condition; reports
of psychological diagnosis and treatment and reports of social workers; and reports
of public health nurses.
RC § 3701.243: Prohibits state or local governments that
acquire certain AIDS related information while providing any health care services
from disclosing or compelling another to disclose the information unless the release
falls within exceptions contained in sections 3701.243 or 3701.248. The information
protected under Section 3701.243 is: the identity of a person on whom an HIV test
in performed; the results of an HIV test that would identify a person or the identity
of a person who has been diagnosed with AIDS or an AIDS-related condition. 4/6/23.
RC § 3701.74: Allows patients, their representatives,
and other authorized persons the right to examine or obtain copies of the patient’s
medical records from the patient’s health care providers. If a health care provider
fails to furnish the requested records, the person making the request may initiate
a civil action against the health care provider, to enforce their right to access
the records. 4/6/23.
RC §3701.741: Requires health care providers and medical records
companies to provide state and county DJFS with one free copy of medical records
upon their request. Also says how much copy charges can be. 9/29/13.
RC § 3701.75: Governs use of e-signatures for any health
care records maintained by the Department of Health, and requires that each state
department adopt a policy on usage.
RC § 3701.9310: Information, data, and records about a
decedent, which is collected for use and maintained by the Ohio violent death reporting
system including, but not limited to, medical records, coroner investigative records,
and laboratory reports, are confidential. This information is also not subject to
a subpoena, discoverable, or admissible in civil or criminal proceedings (see 3701.9311).
However, the director of Health may adopt rules and establish standards and procedures
to make this information available to researchers (see 3701.9312).
RC § 3798.02: For purposes of eliminating barriers to
the adoption and use of electronic health records and health information exchanges,
the legislative intent in enacting ORC Chapter 3798 is to make state law governing
a covered entity's use and disclosure of protected health information (PHI) no more
stringent than the HIPAA privacy rule, and to supersede any judicial/administrative
rulings that are inconsistent with ORC Chapter 3798.
RC § 3798.03: A covered entity must make PHI it maintains
available to the subject of the information or to his/her personal representative,
in accord with 45 CFR 164.524, and a covered entity must maintain administrative,
technical & physical safeguards to protect the privacy of PHI, in accord w 45
CFR 164.530(c).
RC § 3798.04: A covered entity is prohibited from using
or disclosing PHI in a manner inconsistent with 45 CFR 164.502; or without an authorization
that is valid under 45 CFR 164.508 &, if applicable, 42 CFR part 2, except as
permitted under Subchapter C of Subtitle A of CFR Title 45.
RC § 3798.07: Whenever a covered entity discloses PHI
to a health information exchange without a valid authorization, the covered entity
must comply with applicable federal disclosure laws for PHI, written requests from
the individual or his/her representative, and state laws governing a minor's receipt
of medical care and to make his/her own medical decisions. However, Section (B)
says that any added requirements in (A) do not supersede certain state laws, rules
and codes, which may require either disclosure or confidentiality. So, conflicts
between Section (A) and Section (B) are resolved in favor of Section (B). 10/17/19.
RC § 3798.10: Authorizes/requires the Director of the
Ohio Department of Medicaid to adopt rules regarding a standard [release] authorization
form for the use & disclosure of PHI by Ohio covered entities. A person or government
entity can accept a form other than the one the Director prescribes, as long as
it meets all the requirements specified in 45 C.F.R. 164.508 and, if applicable,
42 C.F.R. part 2.
RC § 3798.12: Section (A) says that ORC Chapter 3798 supersedes
all other ORC sections, OAC rules, guidances, orders and ordinances, when it comes
to the confidentiality, privacy, security, or privileged status of PHI maintained
in, or transacted or accessed through a health information exchange, EXCEPT for
those specified in Section (B).
RC § 3798.13: Requires Ohio’s Medicaid Director to adopt
rules regarding the criteria a person must meet to be considered a minor, when he/she
is mentally/physically disabled and under the age of 21.
RC § 5101.26: Sets out definitions of terms for confidentiality
purposes. Effective 9/29/11, 10/01/11 and 9/29/13, various amendments separated
"medical assistance recipient" from the definition of "public assistance
recipient" by defining "public assistance" as "financial assistance
or social services that are provided under a program administered by [ODJFS] or
a county agency…" and stating that "Public assistance does not mean medical
assistance provided under a medical assistance program, as defined in 5160.01 of
the Revised Code…"
RC § 5160.39: Third
party insurers or insurance programs which may be liable to pay all or part of the
medical costs of a Medicaid applicant/recipient may give or receive confidential
information regarding such applicants/recipients, upon request of the Ohio Department
of Medicaid (ODM). ODM must limit its use of information gained from such third
parties to purposes directly connected with the administration of the Medicaid program
and the child support program authorized by Title IV-D of the Social Security Act.
No third party may disclose to other parties or make use of any information regarding
recipients of medical assistance that the third party receives from ODM.
RC § 5160.45: Sets
out confidentiality requirements for all medical assistance programs and limits
disclosures to purposes directly connected with administration of a medical assistance
program, and to the recipient, or his/her own authorized representative, legal guardian
or attorney, if the recipient's attorney has obtained a release authorization that
meets the requirements of RC 5160.46.
RC § 5160.46: Sets
out the required elements of a release authorization form allowing the disclosure
of medical assistance recipient specific information. See also 45 CFR 164.508(c),
which contains 8 elements required in any HIPAA-compliant release, including (a)
identifying the information being sought in a specific, meaningful way; (b) providing
an expiration date or event that relates to the purpose of disclosure; and (c) informing
the individual of her/his/their right to revoke. 9/29/13.
RC § 5160.48: Requires
the Medicaid director to set out in administrative code rules procedures for the
release of information.
RC § 5162.03: For the purpose of section 1902(a)(5) of
the Social Security Act and 42 USC 1396a(a)(5), the Ohio Department of Medicaid
is the single state agency for the supervision of the administration of the Medicaid
program. As the single state agency, ODM shall comply with 42 CFR 431.10(e) and
all other federal requirements.
RC § 5163.40: Healthy Start Program applications must
require no more info than is necessary for making Healthy Start eligibility determinations.
RC § 5164.341(E): BCII report on independent Medicaid
HCBS Waiver providers is not public and may only be released to subject of check
or their representative, Medicaid staff if needed for purposes of program administration,
Medicaid department's designee, individual receiving or deciding whether to receive
home & community-based services from the subject of the check, and court or
other necessary individual involved in a case dealing with a denial or termination
of a provider agreement related to the criminal records check, or civil or criminal
action regarding the Medicaid program.
RC § 5164.342(H): Report of criminal records check on
waiver agency employees and job applicants is not public and may only be released
to subject of check or their representative, chief administrator of agency requesting
check, Ohio Department of Medicaid staff for program administration purposes, Director
of Aging if waiver agency is also a community-based long-term care provider or subcontractor,
individual receiving or deciding whether to receive home & community-based services
from the subject of the check, and court or other necessary individual dealing with
case involving employment, UC, or civil or criminal action regarding Medicaid program.
RC § 5164.756: States that information shared with the
Ohio Department of Medicaid by drug companies in relation to determining drug rebates
are not public records, and shall be treated as confidential by the Dept.
RC § 5165.88: Provides that, unless required by court
order or needed for other limited purposes specified in RC 5165.88, ODJFS and any
contracting agency shall not release the identity of any resident of a nursing facility;
the identity of any individual who submits a complaint about a nursing facility;
the identity of any individual who provides the department or agency with information
about a nursing facility and has requested confidentiality; or any information that
would reasonably tend to disclose the identity of any individual described previously.
Also says that records containing information concerning the aforementioned persons
are non-public records under RC §149.43.
RC § 5302.221: Medicaid estate recovery program administrator
must create a form and provide it to Ohio county recorders offices. County recorders
must then ensure that a copy of the form is provided to the beneficiary of a transfer
on death designation (or the beneficiaries representative) prior to recording the
realty transfer. Beneficiaries who indicate on the form that the deceased owner
or predeceased spouse were on Medicaid, or who do not know if they were on Medicaid,
must submit the completed form to the administrator of the Medicaid estate recovery
program. 4/6/17.
OAC
Rule 5160-1-32: This rule pertains to "safeguarding & releasing
[Medicaid] information". 1/13/17.
OAC rule 5160:1-1-04: This rule pertains to "Medicaid:
Income & Eligibility Verification System (IEVS)."
OAC
rule 5160-1-08(M): In conjunction with ORC 5160.37,
requires Medicaid consumer to notify ODM prior to initiating any action against
a liable third party. And, if a Medicaid consumer or individual acting on the behalf
of a consumer, requests a financial statement (a claim) from a Medicaid provider
for services paid by or billed to ODM, the rule requires the Medicaid provider to
(1) require that the Medicaid consumer or representative make the request in writing;
(2) notify ODM immediately after receiving a written request, and forward a copy
of the request for financial statements to the ODM bureau of claims operations,
(3) release the financial statement to the Medicaid consumer or representative within
30 days of receiving the written request, and (4) put specific language regarding
ODM's right of recovery on any records released to either the Medicaid consumer
or individual acting on his/her/their behalf. 9/16/19.
OAC rules5160-45-07
and 5160-45-08: Sets forth the process and requirements
for criminal records checks of current and prospective employees of agency and non-agency
(or independent) providers of home and community-based services (HCBS). Paragraph
(D) of both rules says that reports of any criminal records checks conducted by
BCII in accordance with these rules are not public records for purposes of ORC 149.43,
and shall only be made available to individuals listed in the rules. 4/1/18.
OAC rule 5101:6-50-07: Allows, when an RC Chapter 119 hearing
has been requested, discovery of any matter that is not privileged or confidential
and that does not involve an action under RC Chapters 5103 and 5104 (certification
of children’s residential facilities and child day care licensing).
2.HIPAA:
Health Insurance Portability and Accountability Act of 1996 (45 CFR Parts 160 and
164)
HIPAA is a federal law that governs covered entities’ and their business
associates’ uses and disclosures of protected health information or PHI.
45 CFR 160.103 defines "covered entity" as health
plans, health care clearinghouses, and health care providers that transmit any health
information in electronic form in connection with a covered transaction.
45 CFR 160.103 also defines "business associate"
as:
(i)A Health Information
Organization, E-prescribing Gateway, or other person that provides data transmission
services with respect to protected health information to a covered entity and that
requires access on a routine basis to such protected health information.
(ii)A person that
offers a personal health record to one or more individuals on behalf of a covered
entity.
(iii)A subcontractor
that creates, receives, maintains, or transmits protected health information on
behalf of the business associate.
The Ohio Department of Medicaid (ODM) is considered a "covered
entity" as a Health Plan for the Medicaid program, the Children Health Insurance
Programs (CHIP) and the Refugee Medical Program (RMP). Among other things, HIPAA
restricts the release of protected health information (PHI) possessed by covered
entities like ODM to third parties, and requires covered entities to release PHI
to the subject of the PHI or her/his/their personal representative upon request.
SSA and state DDS (Disability Determination Services) agencies are not covered entities,
but health care providers performing consultative examinations (CEs) for SSA and
DDS are subject to Privacy Act of 1974 and may be "covered entities".
See HIPAA and the Social Security Disability Programs - Information
for CE Providers (ssa.gov).
Subsequent to the July 1, 2013 creation of ODM,
certain support offices within ODJFS, including the Office of Information Services
(OIS) and Bureau of State Hearings, continued to perform services for ODM, and staff
within those offices have likely continued to be HIPAA-covered when working on Medicaid-related
matters. Moreover, ODJFS and ODM jointly supervise county departments of job and
family services in their administration of the SNAP, TANF and Medicaid programs
(which all utilize a statewide database named Ohio Benefits), and most CDJFS’s access,
utilize and transmit PHI electronically.
Penalties for Non-compliance
HIPAA permits the Department of Health and Human Services, Office
of Civil Rights (HHS OCR) to assess criminal and civil penalties for failure to
protect PHI (See 42 USC 1320d-5 - 42 USC 1320d through 1320d-9) and civil penalties for
failure to release PHI to the subject of the PHI or guardian of the subject of the
PHI. See also Section IV of this Manual for applicable penalties.
Release of Information
RC 5160.45(D)
and OAC 5160-1-32 specify the conditions under which information
regarding Medicaid applicants and beneficiaries may be released. Generally, HIPAA
would preempt state law, however under 45 CFR 160.203, state law is not preempted when it is
more stringent than the standards and requirements of HIPAA. Federal
and state Medicaid laws and regulations are more stringent than HIPAA with
respect to the release of Medicaid applicant and recipient information to third
parties. CHIPS I and II are under the same restrictions as Medicaid through
RC §5160.45
and RC §5160.46.
Breach Notification
Each state must include in all contracts, a documented process to
report improper use or disclosure of PHI. Notification of a security incident within
Ohio Benefits should be immediately reported by the contractor to state staff, who
in turn must report it immediately to the CMS Director of Division of State Systems.
Under 45 CFR Part 164, subpart D, HIPAA breach means the acquisition,
access, use, or disclosure of PHI in a manner not permitted under subpart E, which
compromises the security or privacy of the protected health information.
45 CFR 164.404(b) says that unless notification would
impede law enforcement (see 45 CFR 164.412) notice to each individual whose PHI
has been unlawfully accessed, acquired, used or disclosed must be made within 60
days. And, under 45 CFR 164.404(c) and (d), the notice must be in writing, include
certain standard information, and be sent by first class mail to their last know
address or, if agreed upon by the individual, electronic mail. If there is insufficient
or outdated contact information, then "substitute notice" is permitted.
Phone notice may be used in addition to the aforementioned methods, when the circumstances
are urgent and there is an imminent risk of misuse of unprotected PHI.
45 CFR 164.408(c): Requires that covered entities, following
the discovery of a breach of unsecured PHI involving fewer than 500 individuals,
maintain a log or other documentation of each such breach and, within 60 days after
the end of the calendar year, notify the HHS Secretary of all breaches that occurred
during the preceding calendar year, as specified on the HHS website. For breaches
involving 500 or more individuals, covered entities must notify the HHS Secretary
"contemporaneously" with when they notify each individual whose PHI has
been, or is reasonably believed by the covered entity to have been, accessed, acquired,
used, or disclosed as a result of such breach, which notice must be provided no
later than sixty (60) days from the date the breach is discovered (see 45 CFR 164.404(a)). Notification to HHS Secretary and
individuals affected by the breach may be delayed if law enforcement notifies the
covered entity or business entity that notification would impede a criminal investigation
or cause damage to national security (see 45 CFR 164.412).
42 USC 17901 to 17953: Federal laws on Health Information
Technology (or HITECH). The HITECH breach notification provisions in 42 USC 17932 (HITECH §13402) are similar to the provisions
in 45 CFR 164.404 and 164.408.
Per RC 5160.45 and OAC 5160-1-32, ODM is requiring each CDJFS to comply with
certain portions of the HIPAA privacy requirements since these agencies have access
to eligibility information and PHI for the medical programs cited above. For instance,
45 CFR 164.512(e) requires notice to the subject of the
information that a subpoena for their information has been received, and also requires
the party in receipt of the subpoena to make reasonable efforts to obtain a qualified
protective order prior to release of any HIPAA-protected information. 45 CFR 164.512(f) describes the circumstances under which
certain PHI may be disclosed by a covered entity to law enforcement. And, 45 CFR 164.514(b)(2) contains requirements for de-identifying
an individual, including not identifying him/her to within the last two digits of
his/her zip code (depending on the population size in a particular geographic area).
45 CFR 164.514(d) says that only the amount reasonably
necessary to accomplish the purpose of the disclosure may be shared, in order to
comply with any lawful disclosure request.
HIPAA security regulations can be found in 45 CFR 164, Subparts A & E, and set standards for
the electronic transmission of PHI.
E.Child
Welfare
(Adoption/Foster
Care/Abuse-Neglect/PCSA/Child Fatality)
Federal Laws and Regulations:
42 USC §671(a)(8): Requires that all State plans involving
foster care and adoption assistance provide safeguards which restrict the use or
disclosure of information concerning individuals assisted under the State plan.
42 USC §671(a)(20)(B)(iii): Requires that all state plans
have in place safeguards to prevent the unauthorized disclosure of information in
any child abuse and neglect registry maintained by the State, and to prevent any
such information obtained pursuant to this subparagraph from being used for a purpose
other than conducting background checks in foster or adoptive placement cases.
42 USC §5106a(b)(2)(B)(viii): Federal grants for child
protective services require a State plan to be coordinated with a State plan under
Title IV, Part B of the Social Security Act (42 USC 621, et seq.), including an
assurance (among other assurances) in the form of a certification by the Governor
that the State is enforcing a state law, or has in effect and is operating a statewide
program, relating to child abuse and neglect that includes methods to preserve the
confidentiality of all records in order to protect the rights of the child and of
the child's parents or guardians. The methods to preserve the confidentiality can
include that reports and records made and maintained pursuant to the purposes of
this Act only be made available to individuals who are the subject of the report;
federal, state, or local government entities, or any agency of such entities having
a need for such information in order to carry out its responsibilities under law
to protect children from abuse and neglect; child abuse citizen review panels; child
fatality review panels; a grand jury or court upon a finding that information in
the record is necessary for the determination of an issue before the court or grand
jury; and other entities or classes of individuals statutorily authorized by the
state to receive such information pursuant to a legitimate State purpose. Last amended
1/7/19.
42 USC §5106a(b)(2)(B)(x): The state plan required by
42 USC 5106a(b)(1) also must include provisions which allow for public disclosure
of the findings or information about the case of child abuse or neglect which has
resulted in a child fatality or near fatality.
42 USC §5106a(c)(4)(B)(i): Members and staff of a state-established
citizen review panel related to child abuse and neglect, child fatalities or foster
care shall not disclose to any person or government official any identifying information
about any specific child protection case with respect to which the panel is provided
information and shall not make public other information unless authorized by state
statute.
42 USC §5106a(c)(5)(A): Requires that each state that
establishes a citizen review panel provide the panel access to information on cases
that the panel desires to review if such information is necessary for the panel
to carry out its functions.
42 USC §5106a(c)(6): Requires that each citizen review
panel prepare and make available to the public, on an annual basis, a report containing
a summary of the activities of the panel, and recommendations to improve the child
protection services system at the state and local levels. Within six months thereafter,
the appropriate State agency shall submit a written response to the recommendations.
45 CFR §205.50: The restrictions set out in this regulation
were the same ones that restricted the release of TANF applicant, recipient and
former recipient information. This regulation requires that the State plan for financial
assistance under Title IV-A restrict the use and disclosure of information concerning
applicants and recipients, to purposes directly connected with: (1) the administration
of the plan or program; (2) investigations, prosecutions, or criminal or civil proceedings
conducted in connection with the administration of any such plans or programs; (3)
the administration of any other federal or federally assisted program which provides
assistance, in cash or in kind, or services, directly to individuals on the basis
of need; (4) information to the Employment Security Agency as required by law; (5)
audits conducted in connection with the administration of any such plan or program,
by a government entity authorized by law to conduct such audits; (6) administration
of a state unemployment compensation program; and (7) reporting to the appropriate
agency or official information on known or suspected child abuse or exploitation,
or negligent treatment or maltreatment of a child receiving aid under circumstances
which indicate that the child's health or welfare is threatened.
Information to be safeguarded includes at least: (1) names and addresses
of applicants and recipients; (2) information related to a person's economic and
social conditions; (3) evaluation of information concerning a particular individual;
and (4) medical data. Release or use of information concerning applicants or recipients
is restricted to those persons who are subject to standards of confidentiality comparable
to those of the agency administering the financial assistance program. Generally,
notice and consent of an individual is required to release information to an outside
source. Courts must also be informed of statutory provisions, rules, and policies
against disclosure when a recipient or applicant information is subpoenaed.
45 CFR §1355.21: Requires that each state plan for Titles
IV-E and IV-B of the Social Security Act provide for safeguards on the use and disclosure
of information which meet the requirements contained in 42 USC 671(a)(8), as well
as the provisions in 45 CFR §1355.30.
45 CFR §1355.30(p)(3): Requires that safeguarding of IV-E
(foster care and adoption) and IV-B (child welfare) information adhere to restrictions
set out in 45 CFR §205.50 (see above).
45 CFR §1355.41: Requires states to collect and report
information on the characteristics and experiences of a child in foster care, adoption,
and guardianship to the HHS Administration for Children & Families (ACF) on
a semi-annual basis, in a format specified by ACF.
45 CFR 1356.30: Prohibits ODJFS from approving or issuing
a license to a prospective foster or adoptive parent, or from claiming federal financial
participation for any foster care maintenance or adoption payments, if ODJFS finds,
based on a criminal records check, that the prospective foster or adoptive parent
has been convicted of certain types of felonies.
State Statutes and Rules:
RC
§109.57(H): Information obtained by a government entity or person under
section 109.57 of the Revised Code is confidential and shall not be released or
disseminated.
RC §109.5721: Addresses Bureau of Criminal Identification
& Investigation (BCII) fingerprint database on individuals employed by, licensed
by, or approved for adoption by a government agency, and says that a public office
that elects to receive notice of any arrest, conviction or guilty plea of an individual
whose name is retained in the fingerprint database, may use that information solely
to determine the individual's eligibility for continued employment with the public
office, to retain licensure issued by the public office, or to be approved for adoption
by the public office, but is otherwise confidential. Fingerprint impressions and
BCII results are not transferrable, and individuals must be reprinted when seeking
employment with, licensure by, or approval for adoption by a different participating
public office or private party. The Ohio Attorney General must promulgate rules
for expungement or sealing of records of individuals who are no longer employed,
granted licensure, or approved for adoption by the participating public office or
private party. (Amended 9/29/2017).
RC
§121.22(D)(5): Exempts meetings of a child fatality review board from
the Open Meetings (Sunshine law) requirement.
RC
§121.37(A)(2)(c): Records identifying individual children maintained
by the Family and Children First Cabinet council are confidential and shall be disclosed
only as provided by law.
RC
§149.43(A)(1)(d): Excludes records pertaining to adoption proceedings
from being treated as public record.
RC
§149.43(A)(1)(e): Excludes information
contained in the putative father registry from being treated as public record.
RC §149.43(A)(1)(f): Excludes
certain adoption-related records listed in RC §3107.52(A) from being treated as public record.
RC §149.435: Prohibits law enforcement personnel from
disclosing identifying information about a delinquent child or arrestee in a routine
factual report, when the child is also an abused child (except in certain limited
circumstances).
RC §307.627: Allows child fatality review boards access
to summary information from: PCSAs, PCPAs, agencies that provide services specifically
to a child or family, law enforcement agencies, or other public or private entity
that provided services to a child whose death is being reviewed by the board. The
board can also access or request certain confidential abuse and neglect investigatory
records that are described in 2151.421(I)(4). The board members must preserve the confidentiality
of any records received pursuant to this statute. If the death of a child is being
investigated or the prosecutor is seeking to prosecute someone for causing the death
of a child, the board is not entitled to the prosecutor's information unless the
prosecuting attorney agrees to provide it.
RC § 307.628: Immunizes from civil liability an individual
or public or private entity providing information, documents, or reports to a child
fatality review board for any injury, death, or loss to person or property that
otherwise might be incurred or imposed as a result of providing the information,
documents, or reports to the review board.
RC §1347.08(E)(2) & (F)(2): Excludes access to the
putative father registry by the subject, and to criminal law enforcement investigatory
records or trial preparation records by the subject, the subject's guardian, or
an attorney authorized by the subject.
RC §2151.141: States
that if a complaint is filed with respect to a child pursuant to Section 2151.27
which alleges that a child is abused, neglected, or dependent, any individual or
entity listed in RC §2151.14(D)(1), that is investigating the abuse, neglect or
dependency, has custody of the child, is preparing a social history for the child,
or is providing any services for the child, may request records concerning the child
from a PCSA, PCPA, probation dept., law enforcement agency or prosecuting attorney.
Any individual or entity receiving a records request under this statute must provide
them, unless release of the information is prohibited by law. If the individual
or entity receiving the records request determines that it cannot release the requested
information, it must file a motion in the court where the complaint was filed setting
out its reasons for not complying with the request, so that the court can rule on
whether or not the records can be disclosed.
RC §2151.142: Makes confidential the residential address
of each officer or employee of a public children services agency or a private child
placing agency who performs official responsibilities or duties described in RC
§2151.14, RC §2151.141, RC §2151.33, RC §2151.353, RC §2151.412, RC §2151.413, RC
§2151.414, RC §2151.415, RC §2151.416, RC §2151.417, RC §2151.421,
§§2151.4220 to 2151.4234 or another section of the Revised Code and to the residential
address of persons related to that officer or employee by consanguinity or affinity.
Any such addresses must be redacted if contained in records containing information
subject to release under RC §149.43. The residential address must be disclosed to
a journalist if certain requirements are met (See RC §2151.142(D)). 5/30/22.
RC §2151.421: Certain
professionals (listed in the statute) must report, and others may report, cases
of child abuse/neglect to the public children services agency (PCSA) or peace officer
in the county in which the child resides, or in which the abuse or neglect is occurring
or has occurred. The county PCSA must investigate, in accordance with Paragraph
(G), any reports made pursuant to this statute. Except as otherwise stated in (I)(1),
a report made under this section is confidential. Paragraph (N) allows sharing of
specified information from an investigation (e.g., allegations, alleged perpetrator
and disposition) with designated officials of an out-of-home care entity when the
abuse and neglect is alleged to have occurred in that entity. Paragraph (M) makes
mandatory reporters liable for compensatory and exemplary damages to the child for
failing to report abuse/neglect of the child; and allows person bringing civil action
on child's behalf to use other reports of abuse/neglect in the civil action, provided
that identifying information about the alleged child victims and persons making
the reports are redacted from the other reports. 5/30/22.
RC §2151.423: Requires PCSA to disclose confidential investigatory
information obtained pursuant to RC 2151.421 or 2151.422, to federal, state or local
governmental entities, including any appropriate military authority, responsible
for protecting children from abuse/neglect. Information disclosed pursuant to this
section is confidential and is not subject to disclosure pursuant to ORC sections
149.43 or 1347.08 by the agency to whom the information was disclosed. The agency
receiving the information must maintain the confidentiality of information disclosed.
9/29/21.
RC §2151.86: Requires
that the appointing or hiring officer of any entity that appoints or employs any
person responsible for a child's care in an out-of-home care setting request that
BCII conduct a criminal records check on all persons under final consideration for
appointment or employment. The statute also requires a BCII check on all prospective
adoptive parents and prospective foster caregivers, and all adults residing with
them. Records checks must be conducted every four years. The report of any criminal
records check conducted by BCII pursuant to this statute is not a public record
for purposes of RC §149.43 and shall not be made available to any person other than
the person who is the subject of the criminal records check or that individual’s
representative; the entity requesting the criminal records check or its representative;
ODJFS, a county DJFS, or a public children services agency; and any court, hearing
officer, or other necessary individual involved in a case dealing with the denial
of employment, final order of adoption, or foster home certificate.
RC §3107.031: Allows adoptive parents to receive copy
of their own home study from the assessor, except for opinions of third parties.
It is possible this statute could also be used to withhold or redact any psychological
evaluations and other records of a sensitive nature that are provided to the assessor
by individuals other than the applicant.
RC §3107.034: Requires adoption agency or attorney who
arranges an adoption to ask ODJFS to check the Central Registry of another state,
whenever either the prospective adoptive parent or another adult member of the household
has resided in another state within five years immediately prior to the date on
which a criminal records check is requested pursuant to RC §2151.86. The adoption
agency or attorney arranging the adoption shall review the results of the check
prior to finalization of adoption, and consider it in the same way as they would
a summary report of a search of SACWIS, created as part of the home study pursuant
to RC
§3107.033. The summary report from SACWIS provided pursuant to RC 3107.033
should include a chronological list of abuse and neglect determinations or allegations
of which the person seeking to adopt is subject, and in regard to which a public
children services agency determined that abuse/neglect occurred, was unable to determine
that abuse/neglect occurred, or initiated an investigation that is still pending.
The summary report from SACWIS shall NOT contain information about abuse/neglect
that the PCSA concluded did NOT occur, or the identity of the person or entity that
reported (or participated in the reporting of) abuse/neglect, or information prohibited
from being disseminated by, or interfering with eligibility under, CAPTA. The statute
also requires ODJFS to check the Ohio Central Registry upon the request of its out-of-state
counterparts. 8/14/08.
RC §3107.063: Lists the parties who can request a search
of the putative father registry, to whom information can be disclosed, and what
to include in the notifications.
RC §3107.17: No
person or governmental entity shall knowingly reveal any information contained in
a paper, book, or record pertaining to an adoption that is part of the permanent
record of a court or maintained by the department of job and family services, an
agency, or attorney without the consent of a court. The section also requires that
ODJFS prescribe a form that permits individuals identified in the section, to request
the court’s permission to inspect the social or medical histories of the biological
parents, to the extent they are kept in the court’s permanent record. 3/20/15.
RC § 3109.051(H): States that a non-residential parent is entitled
to access any record related to their child as the residential parent, unless a
court determines that such access would not be in the child’s best interest, in
which case the court shall specify the terms and conditions under which the non-residential
parent is to have access. Keepers of child records who fail to comply with the court’s
order will be in contempt.
RC § 3705.09(G): Provides that when a birth certificate is changed
to add a father's name once paternity is established, the old birth certificate
and supporting documentation which prompted issuing the new birth certificate is
sealed and cannot be released without a court order.
RC § 3705.12 through RC 3705.126:
Sets out guidelines for having the department of health prepare a new birth certificate
for an individual who is adopted. The statute says that upon the issuance of the
new birth record, the original birth record shall cease to be a public record. 3/20/15.
RC § 3705.23: Excludes
the "information for medical and health use only" section of the birth
certificate from the certified copy of the birth record, unless specifically requested
by the subject of the birth record, either of the subject’s parents or guardian,
a lineal descendant, or a federal or state government criminal prosecutor or investigator.
The information may also be released pursuant to court order, or by authorization
of the state registrar if done in accordance with health department rule.
RC §§5101.13 through 5101.134: Authorizes Statewide Automated Child Welfare Information
System (SACWIS) to replace Central Registry and sets forth what and to whom SACWIS
data can be disclosed. Expressly makes information contained in or obtained from
SACWIS confidential and not subject to disclosure pursuant to sections 149.43 or
1347.08 of the Revised Code. ODJFS and public children services agencies (PCSAs)
are permitted to access and utilize SACWIS for purposes of assessment, investigation
and services to children and their families, as well as for purposes permitted under
federal or state law and rule. 8/14/08.
RC § 5101.27: Sets
out confidentiality requirements for all non-medical public assistance (PA) programs,
including OWF, PRC, and child care subsidies. 4/12/21.
RC § 5101.29: When contained in a record held by ODJFS
or a county agency, excludes from classification as public records the names and
other identifying information regarding: (A) children enrolled in or attending a
child day-care center or home subject to licensure or registration under RC Chapter
5104; (B) children placed with an institution or association certified under RC
§5103.03
of the Revised Code; (C) persons who make an oral or written complaint to ODJFS
or other state or county entity responsible for enforcing RC Chapter 5103 or 5104,
regarding an institution, association, child day-care center, or home subject to
licensure or registration; and (D) foster caregivers and prospective foster caregivers,
including the foster caregiver application and home study.
However, the identity of a foster caregiver along with other details must be
disclosed, when he/she has had a foster care certificate revoked pursuant to RC
Chapter 5103, or is indicted or convicted of any prohibited offense listed in
RC §2151.86.
RC §5101.80(E): Requires authorized representative of
ODJFS, CDJFS or state agency administering a Title IV-A program, including the kinship
permanency incentive program, to have access to all records and information bearing
thereon for the purposes of investigations conducted pursuant to RC §5101.80. Authorized
representatives of government entities and private, not-for-profit entities administering
projects funded with Title IV-A demonstration program funds, shall have similar
access for purposes of project-related investigations.
RC § 5153.111(A) & (D): Public children services agency
(PCSA) directors must ask BCII to conduct a criminal records check on all prospective
employees applying for employment with the agency that would require the employee
to be responsible for the care, custody, or control of a child. The report of any
criminal BCII check pursuant to this statute is not a public record and cannot be
made available to any person other than the applicant who is the subject of the
criminal records check or the applicant’s representative, the PCSA requesting the
criminal records check or its representative, and any court, hearing officer, or
other necessary individual involved in a case dealing with the denial of employment
to the applicant.
RC § 5153.17: County public children services agencies
(PCSAs) must keep records of investigations, and of the care, training and treatment
afforded children, and all other records required by ODJFS confidential. These records,
however, shall be open to inspection by ODJFS, the director of the county department
of job and family services, and other persons upon written permission of the executive
PCSA director.
RC § 5153.171: Requires the county PCSA director to confer
with the county prosecutor in relation to a request for information about a child
who was under eighteen years of age, who was a resident of the county served by
the agency at the time of the child's death and whose death may have been caused
by abuse, neglect, or other criminal conduct. If the county prosecutor intends to
prosecute a person for causing the child's death, the prosecuting attorney decides
what information may be released, if any. The prosecutor is required to notify the
PCSA director of the intent to prosecute and the determination of what information
may be released. The director may only release the information designated by the
prosecutor. If the prosecutor does not intend to prosecute a person for causing
a child's death, the prosecutor shall notify the PCSA director who shall release
the information described in RC § 5153.172, except as provided in RC § 5153.173.
This statute shields the PCSA director from civil liability or criminal prosecution
if the PCSA director releases information authorized by RC 5153.171 in good faith.
RC § 5153.172: Notwithstanding RC §2151.421, RC §3701.243
and RC §5153.17 or any other section of the Revised Code pertaining to confidentiality
and unless precluded by RC § 5153.173, the PCSA Director shall disclose about a
deceased child: the child's name, summary report of abuse or neglect reports made
pursuant to RC §2151.421 of which the child was subject, final disposition of the
report or status of the investigation, services provided to or purchased for the
child by the PCSA, and actions taken by PCSA in response to the report of child
abuse and neglect. Names of the parties who reported the abuse/neglect, names of
parents and siblings of the child; contents of psychological, psychiatric, therapeutic,
clinical or medical reports or evaluations regarding the child; witness statements;
police or other investigative reports; or any other information other than stated
in this statute are prohibited from being released pursuant to this statute.
RC § 5153.173: A common pleas court can provide an order
to stop the release of information required to be released pursuant to RC §5153.172
upon a motion by the PCSA which alleges that disclosing this information would not
be in the best interest of a deceased child's sibling or another child residing
in the deceased child's household.
OAC rule 5101:1-1-03(B)(6): CDJFS can share with a PCSA the
minimum information necessary to fulfill the need for the sharing, when the CDJFS
is required to report instances of known or suspected child abuse/neglect of a child
receiving OWF or PRC, or when the PCSA needs information to conduct an assessment
or investigation of an allegation of child abuse or neglect, as described in OAC rule 5101:2-33-28(G)(2). 2/1/22.
OAC rule 5101:2-7-04: A foster caregiver must maintain a
record on each foster child and the rule specifies what must be included in these
records. The rule then goes on to preclude the foster caregiver from disclosing
or knowingly allowing the disclosure of any information regarding the foster child
or the foster child's family to persons not directly involved in the foster child's
care and treatment on an official basis.
OAC rule 5101:2-33-21: Makes referrals, assessments, investigations,
and provision of services related to child abuse/neglect/dependency reports and
families in need of services confidential, including identity of referent/reporter
or any person providing information during an assessment or investigation. Also
specifies what, under what circumstances and to whom confidential child welfare
information may be shared by a PCSA. 8/1/20.
OAC rule 5101:2-33-23(B): Makes all case records that are
prepared, maintained or kept by the PCSA confidential, and releasable only in accordance
with 5101:2-33-21. 8/15/20.
OAC rule 5101:2-33-28: Requires PCSAs to engage in joint
planning and sharing of information with CDJFS in certain circumstances. However,
identity of person reporting abuse/neglect or of person providing information during
the assessment/investigation, may not be shared with the CDJFS, and any child abuse/neglect
information that is permitted to be shared must be kept in a separate file, not
in the CDJFS’ case record, to help maintain confidentiality. 8/1/20.
OAC rule 5101:2-33-70: Requires ODJFS to establish and maintain
Ohio SACWIS in accordance with 42 USC 674(a)(3)(C). The rule also describes the
types of data that PCSAs, private child placing agencies (PCPAs) and private non-custodial
agencies (PNAs) must enter into Ohio SACWIS and the residential treatment information
system (RTIS), and to whom and for what purposes SACWIS data may be accessed and
used. Also covers access to and use of SACWIS/RTIS by juvenile court subgrantees
of ODJFS for the purposes of Title IV-E reimbursement, and local public entities
(LPEs) operating qualified residential treatment programs (QRTPs). 10/1/22.
OAC rules 5101:2-36-03(AA)(6) & 5101:2-36-04(W)(6): Both rules require, in certain circumstances
(alleged intra-familial abuse/neglect and specialized assessments and/or investigations),
that the PCSA notify the child's non-custodial parent of the receipt of the child
abuse/neglect report, as well as the report disposition and case decision. 6/17/18.
OAC rule 5101:2-42-90: Requires PCSAs and PCPAs to share
specified child-related information with potential caregivers, prior to placing
a child in substitute care or respite care. Also has provisions for sharing information
with boards of education for school districts and juvenile courts, and for inclusion
in individual child care agreements when children are placed in substitute care
settings. 5/1/21.
OAC rule 5101:2-48-09(O)(10): The PCSA, PCPA, and PNA must
document that each person seeking adoption approval has completed preservice training
prior to approval of the home study, including sharing with the prospective adoptive
parent information about the child’s commission of a violent crime, prior to placement
with the adoptive parent. 2/1/22.
OAC rule 5101:2-48-19: Governs the release and transfer of
adoptive home studies by and to PCSAs, PCPAs, PNAs or comparable agencies within
and outside of Ohio. 3/1/21.
OAC rule 5101:2-48-20: Governs the release of birth parent
and sibling identifying and non-identifying information to an adopted person or
the adoptive parents, as well as the release of adoptive parent and sibling identifying
and non-identifying information to the birth parent or birth sibling. 2/1/21.
OAC rule 5101:2-48-21: Paragraph (D) requires a child study
inventory (CSI) to be shared with a PCSA, PCPA or PNA assisting in the adoptive
placement of a child, as well as with the adoptive parents, prior to the adoptive
placement. Paragraph (E) states that for newborns placed from the hospital into
an adoptive home, the PCSA or PCPA must provide a copy of the CSI to adoptive parents
within 30 days of placement. 5/1/21.
OAC rule 5101:2-48-22: Sets out what PCSAs, PCPAs and PNAs
must include in an adoptive family case record. 5/1/22.
OAC rule 5101:2-48-23: Governs the preservation of adoptive
child case records and sets out under what circumstances the record can be released
or reviewed. 2/1/21.
OAC rule 5101:6-50-07: When an RC Chapter 119 hearing has
been requested, allows discovery of any matter that is not privileged or confidential,
except in cases involving actions under RC chapters 5103 and 5104 (foster caregiver,
private non-custodial agency (PNA), and private child placing agency (PCPA) certification,
& child day care licensing), and records referenced in RC §5101.29 (identifying
information about children enrolled in child day care, children placed in an institution,
and persons making complaints about child day care centers or homes), in which instances
no discovery is permitted, unless parties agree to it. 1/1/19.
OAC rule 5101:9-9-39: Allows ODJFS to access and use information
contained in systems (such as SACWIS) that are controlled or maintained by or for
the benefit of ODJFS, for purposes of ODJFS program administration (which includes
federal reporting and oversight requirements). Disclosures may be subject to a written
agreement, and any release of information shall preserve the confidential nature
of it. 8/18/16.
OAC rule 5101:9-22-15: This ODJFS internal management rule
defines “personal information” and states that release of personal information is
governed by exemptions to public records listed in RC 149.43(A), the Personal Information
Systems Act (RC Chapter 1347), and dozens of federal and state laws and regulations
like the ones listed in this Manual that make applicant, recipient, and participant
information confidential or non-public. The rule also requires that individuals
who are authorized to access and use personal information in ODJFS-maintained systems
take reasonable precautions to protect the personal information from unauthorized
use, disclosure, modification or destruction, and take role-based and job-specific
security and privacy training; that aggregate data be masked in accordance with
Section III of IPP 3002; that privacy impact assessments be completed for new and
existing systems containing personal information, to ensure that the appropriate
level of privacy and security measures are in place; and that data breaches and
exposures be reported to the chief inspector, chief privacy officer, and chief information
security officer. Disciplinary action can be imposed for intentional violations
by employees, and questions regarding permissible and impermissible disclosures
can be addressed to agency legal counsel. 3/24/22.
F.ADULT
SERVICES
State Statutes and Rules:
RC §5101.63(F): Written and oral reports of suspected abused, neglected
or exploited adults, and subsequent investigatory records, are confidential and
are not considered public records pursuant to RC §149.43. The information shall
only be made available upon request to the adult who is the subject of the report,
and to legal counsel for the adult. Name and identifying information of person who
made the report may be redacted if including that information would create risk
of harm to that individual or to the subject of the report. 4/4/23.
RC §5101.61(B): Gives ODJFS director authority to adopt rules governing
county departments' implementation of adult protective services, as defined &
described in ORC 5101.60 to 5101.71. 9/29/18.
OAC rule 5101:2-20-04(G): Makes adult protective services
case records confidential. 10/1/21.
OAC rule 5101:2-20-05: Makes records pertaining to referral,
assessment, and investigation of adult abuse/neglect/exploitation confidential,
and all information in the statewide adult protective services information system
(SAPSIS) confidential. The rule also permits limited disclosures, including for
administrative purposes, to the subject of the information and/or his/her legal
counsel upon request, and to the court pursuant to a court order and under limited
circumstances. 10/1/21.
G.CHILD
DAY CARE
State Statutes and Rules:
RC § 5101.29: When contained in a record held by ODJFS
or a county agency, excludes from classification as public records the names and
other identifying information regarding: (A) children enrolled in or attending a
child day-care center or home subject to licensure or registration under RC Chapter
5104; and (B) persons who make an oral or written complaint to ODJFS or other state
or county entity responsible for enforcing RC Chapter 5103 or 5104, regarding an
institution, association, child day-care center, or home subject to licensure or
registration. 1/1/14.
RC § 5104.013(A), (F) & (L): Requires ODJFS to have
BCII conduct criminal background checks on owners, licensees, administrators, job
applicants and employees of child day-care centers, type A and type B family day-care
homes and any adults who reside in the homes, approved child day camps, and licensed
preschool and school child programs that provide publicly-funded child care. In-home
aides are also required to undergo BCII criminal records checks. In addition, child
day camps, other than approved child day camps, shall request that BCII conduct
a criminal records check of any individual who applies to for employment and for
existing employees every five years. Any BCII report completed pursuant to this
statute is confidential and shall not be made available to any person other than
the subject of the criminal records check or the subject’s representative, the director
of job and family services, the director of a county department of job and family
services, and any court, hearing officer, or other necessary individual involved
in a case dealing with a denial of licensure, approval or certification related
to the search. ODJFS shall in turn notify the licensed child day care center, licensed
home, approved child day camp, licensed preschool program or licensed school child
program of any person who is ineligible for employment. The statute also requires
that ODJFS conduct a search of SACWIS for abuse/neglect reports related to the aforementioned
parties. BCII checks and SACWIS searches musty typically be conducted every 5 years
after the initial check. 10/17/19.
RC § 5104.038: The administrator of each child day-care
center shall maintain enrollment, health, and attendance records for all children
attending the center and health and employment records for all center employees.
The records shall be confidential except that they shall be disclosed by the administrator
to the director of ODJFS upon request for the purpose of administering and enforcing
this chapter and rules adopted pursuant to this chapter. Neither the center nor
the licensee, administrator, or employees of the center shall be civilly or criminally
liable in damages or otherwise for records disclosed to the ODJFS director by the
administrator pursuant to this division. It shall be a defense to any civil or criminal
charge based upon records disclosed by the administrator to the director of ODJFS
that the records were disclosed pursuant to this division. 1/1/14.
OAC rule 5101:2-12-09: Requires criminal records checks of
owners, administrators, employees, and staff members of child care centers applying
for licensure or employment, and every five years thereafter.
OAC rule 5101:2-12-10(C)(3): Requires owners and administrators
of licensed child care centers to provide their staff with copies of their own training
documentation within 5 business days of their staff member’s request, or at the
time of separation for records not verified in the Ohio professional registry (OPR).
10/29/21.
OAC rule 5101:2-12-15(D): Requires that licensed child care
centers treat as confidential any children’s records they collect, including child
enrollment and health records, medical statements, and medical/physical care plans,
and only disclose them to ODJFS for purposes of administering ORC chapter 5104 and
OAC chapter 5101:2-12. In addition, immunization records must be made available
for review by the Ohio Department of Health, for purposes of disease outbreak control
and immunization level assessment. 10/29/21.
OAC rule 5101:2-12-16(G)(4): If a child is transported from
a child care center for emergency treatment by anyone other than a parent, requires
that the child’s health and medical records accompany the child. 10/29/21.
OAC rule 5101:2-13-03: (G)(5) requires that the county agency
provide a copy of the inspection report to anyone who submits a request to the county
agency, but only after the county agency has removed all confidential information
from the report. Paragraph (I) makes licensing inspection records public. 5/15/22.
OAC rule 5101:2-13-07(C): Requires licensed family child
care providers to ensure that all employees and child care staff members create
or update their individual profile in the Ohio professional registry (OPR), create
an employment record on or before the first day of employment, including date of
hire, and update their individual profiles or employment records in OPR within five
(5) calendar days of a change, including updates to contact information and positions
or roles. Providers must also maintain records of each current employee and child
care staff member for at least 3 years after the staff member’s departure (including
the staff member’s scheduled days and hours, group assignments, and end date of
employment). Employment records related to staff members are confidential, except
when requested by the county agency or ODJFS for purposes of administering RC Chapter
5104 and OAC Chapter 5101:2-13. 10/29/21.
OAC rule 5101:2-13-09: Requires criminal records checks of
all staff members, employees, substitutes, and adult residents of licensed type
A and type B home providers (collectively referred to as family child care providers)
and those applying for a license to become a family child care provider. Records
check must be done at time of license application or prior to first day of employment
and, every 5 years thereafter. The rule applies to even records of convictions that
have been sealed. 9/29/19.
OAC rule 5101:2-13-10(F)(3): Requires family child care providers
to give their staff copies of their own training documentation within 5 business
days of their staff member’s request, or at the time of separation for records not
verified in the Ohio professional registry. 10/29/21.
OAC rule 5101:2-13-15(D): Children’s records (including attendance
and medical records) required to be kept by licensed family child care providers
shall be confidential, except they shall be available to ODJFS and the county agency
for purposes of administering RC Chapter 5104 and OAC 5101:2-13. Immunization records
shall be subject to review by the Ohio Department of Health for disease outbreak
control and immunization level assessment purposes. 10/29/21.
OAC 5101:2-13-26(B): Paragraphs (B)(1) and (B)(2) describe
the types of documentation that the county agency must maintain regarding licensed
family child care providers; (B)(2) and (B)(3) specify the retention period for
those documents; (B)(4) prohibits county agencies from disclosing (a) identifying
information about complainants, witnesses and those to whom confidentiality has
been reasonably promised, (b) any information, when such information would disclose
the identity of one to whom confidentiality has been reasonably promised, and (c)
provider medical records that pertain to the provider’s condition, when generated
in the process of medical treatment; and, (B)(5) through (B)(8) specify what information
the county agency must share with the PCSA, law enforcement, provider, and ODJFS.
10/29/21.
OAC rule 5101:2-14-03: Requires criminal background checks
of all certified in-home aides. Rule even applies to records of convictions that
have been sealed. 10/29/21.
OAC rule 5101:2-14-06(F): Makes all information collected
about in-home aides (IHAs) by county agencies confidential, except to ODJFS for
purposes of monitoring review of its certification program and investigating complaints
involving county agencies, and to the PCSA and law enforcement for purposes of investigating
alleged child abuse and neglect. Any information disseminated about IHAs must be
documented, including the date of dissemination, to whom, and the reason. 10/29/21.
OAC rule 5101:2-14-07(B)(4): Requires that inspection reports
be kept on file at the county agency, and that a copy of the JFS 01642 “In-Home
Aide Assurances”, with confidential information removed, be released to anyone upon
request. 10/20/19.
OAC rule 5101:6-50-07: When an RC Chapter 119 hearing has
been requested, allows discovery of any matter that is not privileged or confidential
and that does not involve an action under RC Chapters 5103 and 5104 (foster caregiver,
PNA, and PCPA certification, and child day care licensing only permit discovery
if parties stipulate). Information designated as non-public in RC §5101.29 is also not discoverable for purposes of an
RC Chapter 119 hearing. 1/1/19.
H.CHILD
SUPPORT
Federal Laws and Regulations:
42 USC §653: Addresses confidentiality of the Federal
Parent Locator System and to whom the information may be released (authorized person,
as defined in the statute). Section (j)(8) allows HHS Secretary to disclose employer
information from the National Directory of New Hires to state unemployment agencies,
for the purposes of UC administration.
42 USC §654(26): Requires the state to protect confidential
child support information.
42 USC §654a: Paragraph (d) requires the ODJFS Office
of Child Support (OCS) to establish & implement safeguards for child support
automated data systems, to ensure system integrity, accuracy and completeness, and
to restrict access to and use of information contained therein. OCS must have written
policies that (1) permit access to and use of child support data by state agency
personnel, but only to the extent necessary to administer the child support program;
and (2) specify the data that may be used for particular program purposes, and the
personnel permitted to access such data. Federal law also requires system controls
to ensure strict adherence to policies, routine monitoring of access through such
methods as audit trails to detect and guard against unauthorized access and use,
and training of state and local agency staff and contractors on access restrictions,
penalties and security procedures. (45 CFR 307.13 is very similar to this provision).
45 CFR § 235.70: Allows county departments of job and
family services to send a copy of the Title IV-A (cash assistance) case record and
other relevant information to a CSEA.
45 CFR § 302.35: Requires the state child support agency
to maintain a parent locator service (PLS) to provide location information to authorized
persons for authorized purposes that are listed in the CFR.
45 CFR § 303.15: Allows use of the Federal Parent Locator
Service (FPLS) for enforcing any state or federal law with respect to the unlawful
taking or restraint of a child or making or enforcing a child custody or visitation
determination. This information is given to the IV-D agency pursuant to an agreement
with federal office of child support enforcement. Access to FPLS information is
limited to child custody or visitation or parental kidnapping cases. After information
is requested from FPLS and then sent to a requestor, the IV-D agency must destroy
any confidential records and information related to the request.
45 CFR § 303.21: Requires state and county child support
agencies to safeguard and restrict disclosure of information relating to a specified
individual or an individual who can be identified by reference to one or more factors
specific to him or her, including but not limited to the individual's Social Security
number, residential and mailing addresses, employment information, and financial
information. However, (d) says upon request, the ODJFS Office of Child Support may
disclose: (1) confidential information to state agencies as necessary to assist
them in carrying out their responsibilities under plans and programs funded under
titles IV, XIX, or XXI of the Social Security Act (SSA), as well as SNAP including
(i) Any investigation, prosecution or criminal or civil proceeding conducted in
connection with the administration of any such plan or program; and (ii) Information
on known or suspected instances of physical or mental injury, sexual abuse or exploitation,
or negligent treatment or maltreatment of a child under circumstances which indicate
that the child's health or welfare is threatened; and, (2) information in the state
directory of new hires (SDNH), pursuant to sections 453A and 1137 of the SSA for purposes of income and eligibility
verification. However, authorized disclosures under (1) and (2) above shall not
include confidential information from the National Directory of New Hires or the
Federal Case Registry, unless authorized under 45 CFR §307.13 or unless it is independently
verified information. No financial institution data match information may be disclosed
outside the administration of the IV-D program and no IRS information may be disclosed,
unless independently verified or otherwise authorized in Federal statute. States
must have safeguards in place as specified in SSA section 454A(d) and (f).
45 CFR § 303.30: Requires IV-D agency to obtain IV-A or
IV-E information not supplied by the agencies holding it (including whether non-custodial
parent has health insurance), and provide that information timely, efficiently,
and cost-effectively to the state Medicaid agency.
45 CFR § 303.69: Allows U.S. attorneys and federal agents
to request information directly from federal parent locator service, for purposes
of parental kidnapping or child custody case. Request must be submitted in writing
and contain required statements.
45 CFR § 303.70: Requires state child support agencies to have
procedures for submissions to the State or Federal parent locator service (PLS)
for the purpose of locating parents, putative fathers, or children for the purpose
of establishing parentage or establishing, setting the amount of, modifying, or
enforcing child support obligations; for the purpose of enforcing any Federal or
State law with respect to the unlawful taking or restraint of a child or making
or enforcing a child custody or visitation determination as defined in section 463(d)(1) of the Social Security Act (42 USC 663), or
for the purpose of assisting State agencies to carry out their responsibilities
under title IV-D, IV-A, IV-B, and IV-E programs. Only the central State PLS may
make submittals to the Federal PLS for the purposes specified above. The regulation
also requires Title IV-D agency director or designee to attest annually to limited
uses of federal/state PLS and to whom information will be disclosed; specifies what
data elements about parents, non-parents, and putative fathers must be included
in submittals; and requires that PLS information be treated as confidential and
safeguarded.
45 CFR §307.13: Addresses security and confidentiality
for computerized support enforcement systems in operation after October 1, 1997.
Requires that State child support agencies have safeguards to protect integrity,
accuracy, completeness, access to, and use of computerized support enforcement system
data, including written policies regarding access to data by agency personnel and
sharing with others. Certain information contained in SETS can be released in connection
with SSA Titles IV (including IV-D child support), XIX (Medicaid) and XXI (child
health assistance), but the regulation places limits on the disclosure of NDNH,
FCR, financial institution and IRS information outside the IV-D program & requires
audit trails and staff training.
State Statutes and Rules:
RC
§149.43 (A)(1)(e): Excludes information contained in the putative father
registry from being considered as public record when held by ODJFS or a CSEA.
RC
§ 149.43(A)(1)(o): Excludes new
hire records provided by employers to ODJFS for child support purposes under RC § 3121.894 from being considered as public records.
RC §3107.063: Sets forth the procedure to be used by a
biological mother, adoption attorney, PCSA, PCPA, and PNA for requesting that ODJFS
search the putative father registry to determine whether a man is registered as
the minor's putative father. 3/23/15.
RC § 3121.76: Limits the use of information received by
ODJFS from a financial institution
through an agreement pursuant to the statute to purposes of establishment,
modification, or enforcement of a child support order. Such information is not a
public record. 3/22/01.
RC § 3121.84: Requires ODJFS Office of Child Support (OCS)
to make comparisons of information in the case registry with information in OCS’
birth registry and new hires directory, and to provide reports of information in
the registry to other federal and state governmental entities, as specified in state
administrative rules and consistent with Title IV-D.
RC §3121.898: New Hire data shall only be used for the
purposes set forth in 42 USC 653a, including locating individuals for purposes
of establishing paternity; establishing, modifying and enforcing support orders;
and verifying eligibility for Title IV-A programs (like OWF and PRC), Medicaid,
Unemployment Compensation (UC), Food Assistance (FS) and employment security programs
administered by ODJFS.
RC § 3121.899: New hire information shall not be considered public
records and shall be accessed, used, and disclosed as specified in ODJFS’ administrative
rules. ODJFS may share information in new hire reports with any county child support
enforcement agency, any county department of job and family services, and ODJFS
staff (including Employment Security program staff), but only for purposes specified
in RC § 3121.898; and with the Bureau of Workers’ Compensation for their program
administration.
RC § 3123.89: Requires
that ODJFS develop and implement a real time data match program with the state lottery
commission and its agents to identify obligors who are subject to a final enforceable
determination that they are in default of a child support order, requires county
CSEAs to issue an intercept directive to the state lottery commission, including
the name and social security number of the obligor and amount of arrearages owed,
and requires the lottery commission to deduct the amount of arrearages from the
lottery prize award and send it to the ODJFS Office of Child Support. 3/23/22.
RC § 3123.92: Requires any CSEA administering a court
or CSEA enforceable finding of default against an obligor to contact at least one
consumer reporting agency in the State and provide to the consumer reporting agency
the obligor's name, address, and social security number or other identification
number and any other identifying information concerning the obligor.
RC §3123.93: Allows
consumer reporting agencies to obtain certain information maintained by the ODJFS
Office of Child Support regarding obligors.
RC § 3123.95 et seq. Authorizes and sets forth requirements
for the establishment and use by ODJFS of a poster program, to display photos of
obligors who are delinquent in their support payments, for purposes of increasing
collections.
RC§ 3123.954: Precludes a county CSEA from providing the
address or other personal information of an obligee to the ODJFS Office of Child
Support Enforcement when the CSEA submits the name of the obligor to be included
on a poster. See also RC § 3123.95 et seq., RC § 3123.957 and OAC rules 5101:12-50-65 and 5101:12-50-65.1,
for provisions regarding the office of child support's poster program.
RC § 3125.08: Requires that ODJFS adopt rules that limit
access to and use of SETS information to the extent necessary to carry out administration
of the child support program; monitoring, identifying and preventing unauthorized
access; informing personnel with access of applicable requirements, penalties and
security procedures; and establishing penalties for violations.
RC § 3125.16: Allows each obligor and obligee under a
support order to review all records related to support orders held by CSEAs and
any other information maintained by the CSEA, except to the extent prohibited by
state or federal law.
RC §3125.49: Precludes ODJFS Office of Child Support and
county CSEA from using social security numbers made available by the Ohio Department
of Health’s office of vital statistics for any purpose other than child support
enforcement.
RC § 3125.50: Prohibits
all persons, including county CSEAs, from releasing information concerning applicants
for and recipients of child support services, except as permitted under rules promulgated
by ODJFS. Statute also prohibits the ODJFS Office of Child Support and county CSEAs
from redisclosing information collected from any officer or entity of the state
or any political subdivision of the state that would aid the CSEA in locating an
absent parent; any information concerning the employment, compensation, and benefits
of any obligor or obligee subject to a support order; name and address of any obligor
or obligee subject to a support order and the obligor's employer in the customer
records of a public utility; and home address and income information obtained from
the Ohio Department of Taxation, except as provided by rules promulgated by ODJFS.
OAC rule 5101:1-1-03: Makes all information and records collected,
received or maintained by ODJFS or a CDJFS concerning an applicant for, or recipient
or former recipient of, OWF or PRC (TANF) benefits confidential. The rule describes
under what general circumstances the information can be released, the forms needed
to authorize information releases, and procedures to follow if information is requested
through court process, including immediately notifying the recipient of the request
and informing the court of the laws and regs prohibiting disclosure. Also restricts
ODJFS and county DJFS use of retirement, survivors and disability insurance (RSDI),
supplemental security income (SSI), and benefit earnings exchange records (BEER)
information from the Social Security Administration (SSA) to “routine use” and requires
approval from beneficiary or SSA for non-routine use. Also requires that disclosures
of SSA-provided information to non-ODJFS/CDJFS employees be recorded, even when
it is a routine use, and that the records be retained for five (5) years. Federal
tax information (FTI) and unearned income information provided by the Internal Revenue
Service (IRS) is only to be used for determining TANF and SNAP eligibility and the
amount of benefits, and can only be shared with the subjects of the information
and their duly appointed representatives with explicit authority to obtain tax return
information. Disclosure awareness training for state/county employees with FTI access,
standardized record-keeping for requests and disclosures of FTI, and special safeguarding
and access limits for SSA and IRS data are also described in the rule. 2/1/22.
OAC rule 5101:9-22-15: This ODJFS internal management rule
defines “personal information” and states that release of personal information is
governed by exemptions to public records listed in RC 149.43(A), the Personal Information
Systems Act (RC Chapter 1347), and dozens of federal and state laws and regulations
like the ones listed in this Manual that make applicant, recipient, and participant
information confidential or non-public. The rule also requires that individuals
who are authorized to access and use personal information in ODJFS-maintained systems
take reasonable precautions to protect the personal information from unauthorized
use, disclosure, modification or destruction, and take role-based and job-specific
security and privacy training; that aggregate data be masked in accordance with
Section III of IPP 3002; that privacy impact assessments be completed for new and
existing systems containing personal information, to ensure that the appropriate
level of privacy and security measures are in place; and that data breaches and
exposures be reported to the chief inspector, chief privacy officer, and chief information
security officer. Disciplinary action can be imposed for intentional violations
by employees, and questions regarding permissible and impermissible disclosures
can be addressed to agency legal counsel. 3/24/22.
OAC rule 5101:12-1-20: Contains definitions of terms used
in OAC Rules 5101:12-1-20.1 and 5101:12-1-20.2. The rule allows case participants
to request their own information by providing proper identification; requires that
individuals other than the case participant (including PCSAs) submit written requests;
and mandates that individuals, courts, and agents of the United States with access
to case record information (including in SETS) maintain the confidentiality of the
information and safeguard it, regardless of the medium in which it is kept. Information
can only be disclosed as permitted in child support rules, and often limited to
performing functions necessary for carrying out the child support program. 4/1/18.
OAC rule 5101:12-1-20.1: Describes the requirements for the
use, protection and dissemination of information that is collected and maintained
by the ODJFS Office of Child Support or a county CSEA in the performance of support
enforcement program functions. Rule sets forth if, when, to whom, and under what
circumstances an individual’s case record information (including parent locator
service (PLS) and national directory of new hire (NDNH) data) may be disclosed.
Paragraph (C) allows non-PLS information to be disclosed for administration of child
support, SNAP, OWF, Medicaid and foster care; federal, state, and local audits;
and, to report to an appropriate child welfare agency or official, suspected or
known instances of abuse, exploitation, or neglect of a child who is the subject
of a child support order. 4/1/18.
OAC rule 5101:12-1-20.2: Requires that child support enforcement
agencies safeguard confidential participant (obligor and obligee) information received
from the Ohio department of taxation and ODJFS Office of Unemployment Insurance
Operations. Rule describes the procedures county agencies must follow to safeguard
information. 4/1/18.
OAC rule 5101:12-1-22: ODJFS Office of Child Support rule
regarding safeguarding of federal tax information (FTI) received from the IRS. See
also 26 USC 6103 and IRS Publication 1075. 11/1/22.
OAC rule 5101:12-1-22.1: ODJFS Office of Child Support procedure
for conducting county CSEA visits and requiring county CSEA self-inspection, to
verify FTI is being properly safeguarded. 11/1/22.
OAC rule 5101:12-10-90(C): States that new hire reports are
not considered public records for purposes of section 149.43
of the Revised Code, and that ODJFS may only disclose new hire reports to entities
described in RC 3121.898 and 3121.899. 6/1/21.
OAC rule 5101:12-20-10: Sets forth which parties are authorized
to obtain an individual’s current residential address or place of employment from
the Federal Parent Locator Service. Also provides details on how requests must be
made and when a court order is required. 1/1/17.
OAC rules 5101:12-50-65 & 12-50-65.1: Authorizes and sets forth requirements for ODJFS
Office of Child Support and county child support enforcement agencies to implement
poster program, displaying photos of delinquent obligors, to increase collections.
3/1/17.
OAC rule 5101:12-55-10: Financial Institution Data Match
(FIDM) is an optional program that allows county child support enforcement agencies
to enforce and collect final and enforceable determinations of default from child
support obligors’ financial accounts. 2/11/19.
I.UNEMPLOYMENT
COMPENSATION (UC) BENEFITS & UNEMPLOYMENT INSURANCE (UI) TAX
Federal Laws and Regulations:
26 USC 3301 to 3311: Federal
Unemployment Tax Act (FUTA) laws are codified here. 26 USC 3304(a)(16)(C)
requires state unemployment program to establish safeguards to ensure that any
wage and unemployment compensation information that is shared (including with
state Title IV-A and IV-D programs) only be used for authorized purposes.
29 USC § 49b (b): Requires State unemployment compensation
(UC) and employment services offices to share data with State offices running TANF,
Food Assistance and Child Support programs, such as the amount of UC benefits being
paid to individuals, their most recent home address, and if they have refused an
offer of employment.
42 USC § 503(a)(1) and (8): Require that state law provide
for such methods of administration as are found by the Secretary of Labor to be
reasonably calculated to insure full payment of unemployment compensation when due
and restricts expenditure of all money received by the State solely for the purposes
and in the amounts found necessary by the Secretary of Labor for the proper and
efficient administration of state unemployment compensation law.
These sections have been interpreted by the Department of Labor as
requiring that employer, wage, and claim information be treated as confidential
and used only for administration of the unemployment insurance tax and compensation
program, with few exceptions (see 20 CFR 603.4).
42 USC §1320b-7(a)(5) and (a)(6): Requires the establishment
of an Income and Eligibility Verification System (IEVS) between listed programs
with adequate safeguards to assure that information is made available only to the
extent necessary to assist in the valid administration of the programs, only exchanged
with agencies authorized to receive such information, & adequately protected
against unauthorized disclosure; and that notification is provided to applicants
and recipients that information in the system will be shared with other agencies,
and reimbursement is made to agencies providing the information for the cost of
providing it.
20 CFR Parts 601 to 625: Source of federal
unemployment regulations, including Trade Adjustment Assistance in Part 618.
20 CFR §603.2: Defines unemployment terms such as "wage
information," "claim information," and "requesting agency."
20 CFR §603.3: Subpart B includes 20 CFR 603.3 through
603.12, and all pertain to implementation of federal UC and FUTA (Federal Unemployment
Tax Act) confidentiality requirements, including mandating that states create uniform
minimum UC safeguards and data sharing agreements, as outlined in SSA §303 (42 USC
503) and FUTA (26 USC §3304(a)(16)).
20 CFR §603.5: Sets forth exceptions to UC confidentiality
that are mostly discretionary. However, the federal exceptions can only be followed
if authorized by state law, including RC §4141.21, and disclosure does not interfere
with the efficient administration of State UC law.
20 CFR §603.6: Sets forth mandatory disclosures requiring
State Unemployment Insurance Agencies (SUIAs) to share certain UC claim and/or UI
tax and wage information with federal agencies administering public works/assistance
through employment, as well as with food and cash assistance programs and HUD, for
purposes of determining eligibility for those programs, with CSEA for establishing
and collecting child support, and with U.S. Departments of Labor and Education for
purposes of evaluations conducted under WIOA section 116(e)(4).
20 CFR 603.8: Except as specified in section (b) of the
regulation, prohibits state UC agencies from using unemployment grant funds to pay
for the cost of making UC information disclosures that are not directly connected
to UC program administration. Also requires state UC agencies to seek payment in
advance or reimbursement to cover the cost of such disclosures.
20 CFR Part §603.9: Under this regulation, for certain
types of disclosures, state unemployment compensation (UC) agencies must require
recipients of information to comply with the following measures (and others not
listed in this summary) to preserve confidentiality and prevent unauthorized access
or disclosure: 1) use information only for purposes authorized by law and consistent
with an agreement that meets the requirements of section 603.10; 2) store information in a place physically
secure from unauthorized access; 3) store and process electronic information in
a way that unauthorized persons cannot obtain it by any means; 4) instruct all personnel
with access of the confidentiality requirements and sanctions for unauthorized disclosure;
and, have the contracting party sign an acknowledgment that personnel have been
so instructed; and (5) maintain an auditable system.
20 CFR 603.11: Requires state unemployment agencies to
notify claimants and employers of how their information will be used, with what
parties it will be shared, and for what purposes.
20 CFR §§603.20 through 603.23: These regulations describe
mandatory Income and Eligibility Verification System (IEVS) disclosures to requesting
agencies.
20 CFR §677.175 & WIOA §116(i)(2):
Require state workforce education and training programs to use quarterly wage records
to measure the progress of the state on performance accountability measures.
State Statutes and Rules:
RC §4141.162: Requires the establishment of IEVS,
specifies the programs to be included in the system, and provides that the
requirements of RC § 4141.21 and any sanctions imposed for improper disclosure
of such information apply to the redisclosure of information under this
section. The section also requires the adoption of rules to include specific
requirements including notification to applicants and recipients that
information in the system may be shared with other agencies, that information
is made available only to the extent necessary to assist in the valid
administration of the programs, and that information is adequately protected
from unauthorized disclosures. Amended effective 9/29/13.
RC § 4141.21: Except as provided in RC§4141.162
(IEVS), and subject to RC § 4141.43 (cooperation with certain state, federal and
other agencies), information maintained by or furnished to ODJFS or UCRC by
employers or employees pursuant to RC Chapter 4141 is for the exclusive use and
information of ODJFS and UCRC in the discharge of their respective duties and
is not open to the public and cannot be used in any action or proceeding or be
admissible in evidence in any action other than one arising under RC Chapter
4141 or RC §5733.42. All of the information and records necessary or useful in
the determination of any particular claim for benefits or necessary in
verifying any charge to an employer's account under RC §§ 4141.23 to 4141.26, shall be available for examination
and use by the employer and the employee involved. 9/30/21.
[In Freed vs. Grand Court Lifestyles, 100 F. Supp. 2d 610 (Dec.
21, 1998), the Federal Court overruled OBES's Motion to Quash in part, and
sustained the Motion in part. Three conditions on releasing UC claimant data to
the former employer were listed in Freed, in which the claimant had filed an
ADA-based discrimination suit against the former employer in federal court:
(1)There must be a
federal questions involved, before release will be required. If it's only a
federal diversity issue involving questions of state law, then no disclosure is
required, as RC §4141.21 still applies, and is not abridged by Federal Rule of
Evidence 501.
(2)Only personal
information provided to ODJFS by the UC claimant may be released to the
claimant's former employer. (Note: The federal court looked at only the facts
of this particular case, and the usefulness to the Defendant of UC data (the
receipt of which implied that the plaintiff could work) to their defense of an
ADA claim (in which obtaining proof of receipt of UC benefits would actually
undermine the requesting party's argument that the plaintiff/UC claimant was
too disabled to work), and balanced the policy interests served by recognizing
state's privilege against the policy interests served by allowing access to the
requested information. The facts of other cases may not warrant application of
Freed, and/or may not warrant disclosure of UC claimant data.)
(3)Any
discoverable records should be issued under seal, and with written assurances
that the documents be maintained as confidential and only be utilized for the
limited purposes of defending the federal civil suit filed by the claimant].
[But, see AG Opinion 2010-029, which says JFS may provide BWC
with certified copies of UC records, for use in BWC civil and criminal cases,
and JFS may allow its representative to testify regarding those records at BWC
trial]
RC § 4141.22: No person shall disclose any
information maintained by or furnished to ODJFS or UCRC by employers or
employees unless such disclosure is permitted by RC §4141.22. Information
obtained by ODJFS and UCRC under RC Chapter 4141 that pertains to the
transactions, property, business, or mechanical, chemical, or other industrial
process of any person, firm, corporation, association, or partnership is
prohibited from divulged by current and former employees of ODJFS, UCRC, county
family services agencies, and workforce development agencies. 9/30/21.
RC § 4141.43: Provides the director of ODJFS with
discretionary authority to disclose information to various agencies, including
but not limited to the bureau of workers compensation, IRS, United States
employment service, and the railroad retirement board. Basis for RC 4141.43 and
other UC confidentiality statutes lies in SSA §§303(a)(1), (a)(7), (c)(1), (d),
(e), (h) & (i). 9/29/17.
RC § 5733.42(E): Financial statements and other
information submitted by an applicant to ODJFS for an employee training tax
credit, and any other information taken for any purpose from such statements or
information, are not public records. However, ODJFS, the tax commissioner, or
the superintendent of insurance may make use of the statements and other
information for purposes of issuing public reports or in connection with court
proceedings concerning tax credits allowed under this section and RC §§ 5725.31
and RC 5729.07.
4/12/21.
OAC 4141-16-01, 4141-16-02, & 4141-16-03: These IEVS-related rules require that
ODJFS disclose wage and claim information to authorized agencies under an
agreement, when needed by those agencies to verify eligibility for and/or the
amount of benefits. The agreement with authorized agencies must include
provisions to prevent unauthorized access to and disclosure of confidential
information. See also 20 CFR 603.22 and RC 4141.162. 11/12/18.
OAC rule 4141-43-01: Governs the exchange and
disclosure of wage, claim, employer, employment and training, and other
confidential information to state departments, other governmental agencies, or
service providers, and certain nongovernmental agencies for research. All
disclosures under this rule must be for purposes of providing and improving
employment and training services. This rule strictly prohibits redisclosure of
the information received by third parties. 7/27/18.
OAC rule 4141-43-02: Sets out
under what circumstances wage, claim, and/or employment and training
information furnished to or maintained by ODJFS pursuant to RC Chapter 4141, can
be shared with county departments of job and family services, state and county
child support enforcement agencies, and governmental agencies administering
employment and training and public assistance programs. The rule also permits
the sharing of certain information with civil and criminal prosecuting
authorities. 4/1/20.
J.WORKFORCE
DEVELOPMENT
1.THE
WORKFORCE INNOVATION AND OPPORTUNITY ACT (WIOA)
29 USC 3141(i)(2): Requires that the Office of
Unemployment Insurance Operations share wage information for purposes of WIOA
performance reporting requirements.
29 USC 3141(i)(3): WIOA requires compliance with the
Family Educational Rights and Privacy Act of 1974 (FERPA), which is codified in
20 USC 1232g and the corresponding regulations in 34 CFR part 99. FERPA was enacted to protect student
privacy rights in education records, and applies to all public and private
educational institutions that receive federal educational funds. FERPA requires
safeguards to protect against the disclosure of personal identifying data
regarding students.
29 USC § 3245(a)(4): Part (A) of this section
requires that certain WIOA records maintained by ODJFS be made available to the
public upon request. Part (B) excepts from treatment as public record any
information, the disclosure of which would constitute a clearly unwarranted
invasion of personal privacy, and trade secrets, or commercial or financial
information, that is obtained from a person and is privileged or confidential.
29 USC §3341: Nothing in WIOA shall be construed to
supersede the privacy protections afforded parents and students under section
444 of the General Education Provisions Act (20 U.S.C. 1232g); and nothing in
WIOA shall be construed to permit the development of a national database of
personally identifiable information (PII) regarding individuals who have
received WIOA or Title IV services. 7/22/14.
20 CFR 677.175:
Requires use of unemployment’s quarterly wage information, to the extent
permitted under federal and state law, for WIOA performance reporting.
20 CFR 677.230(e): Governor and designated state
agency must facilitate eligible training provider matches with OUIO’s wage
records for performance reporting.
20 CFR 683.220: Requires recipients and subrecipients
of WIOA and Wagner-Peyser funds to have internal control structures and written
policies in place that provide safeguards to protect personally identifiable
information and other sensitive information. Internal controls include
evaluating and monitoring recipient’s and subrecipient’s compliance with
federal and state laws and regulations, including WIOA, and taking prompt
corrective action when noncompliance is identified.
29 CFR §38.41: Requires each state WIOA recipient
(&/or local workforce development area, per the state plan) to collect and
maintain data and records that will help U.S. DOL’s Civil Rights Center (CRC)
determine whether the recipient is in compliance with the non-discrimination
and equal opportunity provisions of WIOA section 188. The system and format
used to maintain records must be designed to allow the state recipient and CRC
to conduct statistical and other quantifiable data analyses to verify state’s
compliance. Information and records about applicants, registrants, eligible
applicants/registrants, participants, terminees, employees and applicants for
employment must be stored in a manner that ensures confidentiality and can only
be used for purposes of recordkeeping and reporting to CRC, determining
eligibility for WIOA programs and activities, and determining a recipient’s
compliance with non-discrimination requirements. Each WIOA recipient must also
keep (and submit to CRC upon request) logs of complaints alleging
discrimination in relation to WIOA programs or activities. The logs must
include complainant names, addresses and other identifying information and
complaint details. Any information in the logs that could lead to the
identification of a particular individual as having filed a complaint must be
kept confidential.
34 CFR § 99.30(a): This is a FERPA regulation and
provides that with certain exceptions, "[t]he parent or eligible student
shall provide a signed and dated written consent before an educational agency
or institution discloses personally identifiable information from the student's
education records." Personally identifiable information includes but is
not limited to the student's name; a personal identifier, such as a student's
social security number; other information that, alone or in combination, would
allow a reasonable person to identify the student with reasonable certainty; or
information requested by a person who the educational agency reasonably
believes knows the identity of the student to whom the record relates. (34 CFR § 99.3).
RC § 307.983: Each board of county commissioners is
required to establish a plan of cooperation among county workforce development
agencies specifying how such agencies will exchange information and coordinate
and enhance services and assistance to individuals and families.
OAC rule 4141-43-01: Allows the use and disclosure of
wage information, claim information, employment and training information and
employer information maintained by ODJFS for the purpose of providing or
improving employment and training. 7/27/18.
OAC rule 4141-43-02: Sets out under what circumstances
wage, claim and/or employment and training information maintained by ODJFS can
be shared with county departments of job and family services, state and county
child support enforcement agencies, and governmental agencies administering
employment and training and public assistance programs. 4/1/20.
Workforce Innovation and Opportunity Act (WIOA) Section 116(i)
(same as 29 USC 3141(i)): Requires state workforce agencies to
utilize quarterly wage reports to ascertain their progress on state and local
performance accountability measures, and consistent with state law. Requires
that DOL make arrangements, consistent with state law, to ensure that the wage
records of any state are available to any other state to the extent that such
wage records are required by the state in carrying out the state plan or
completing the annual performance report described in subsection (d).
OAC rule 5101:11-7-02(D): Makes the identities of those
filing or assisting with apprenticeship-related complaints confidential, except
for purposes of carrying out EEO requirements and disclosures made with the
permission of the person in question. 10/1/20.
2.LABOR
MARKET INFORMATION
Any information provided to, or obtained, accessed or used by
the Office of Workforce Development’s Labor Market Information unit (LMI), is
governed by the same confidentiality laws and regulations, and security,
retention and destruction policies as the underlying information.
In addition, data LMI receives from the Federal Bureau of Labor
Statistics may also be subject to the Confidential Information Protection and
Statistical Efficiency Act (CIPSEA) of 2002 (44 USC 3561, et seq., especially 44 USC 3571 and 3572), Privacy Act (5 USC 552a), Nationwide Workforce and LMI System (29 USC 49l-2), and Trade Secrets Act (18 USC 1832).
3.EMPLOYMENT
SERVICES (Including Wagner-Peyser)
29 USC 49l-2: Prohibits officers, employees, and
agents of the federal government from (1) using information furnished to them
for statistical purposes, for any other purpose; and, (2) publishing or making
any media transmittal of information concerning individual subjects that might
identify them, directly or indirectly, without the consent of the individual or
agency that is the subject of the information. Also makes statistical
information about individual subjects immune from legal process, so that it
cannot be admitted as evidence, or used for any purpose in any action, suit, or
other judicial or administrative proceeding.
20 CFR 653.110: Aggregate data collected pursuant to 20 CFR 653.109, such as the total number of migrant
and seasonal farmworkers (MSFWs) contacted through outreach, referred to or
placed in jobs, and registered for career services, their median earnings, and
the percentage in unsubsidized employment, must be disclosed to the public
within 10 business days of the receipt of a written request for such data.
However, intra-agency memoranda and reports between ODJFS and DOL-ETA that
contain mostly statements of opinion, rather than facts, may be withheld from
the public, provided that the requestor is informed of the reason for
withholding in writing. And, information and documents may also be withheld if
their disclosure would constitute a clearly unwarranted invasion of personal or
employer privacy, as long as the rationale for non-disclosure is provided in
writing to the requesting party. In Ohio, no personally identifiable
information about MSFWs or workforce participants is shared with the general
public, on the basis that disclosure of such information would constitute a
clearly unwarranted invasion of personal privacy.
20 CFR 655.63: Says that U.S. DOL will maintain a
publicly accessible electronic file showing all employers that have applied for
temporary non-agricultural labor certifications (for H2B visas), the number of
workers requested, the dates filed & decided, and the outcome.
20 CFR 658.411(a)(3): The identity of complainants
and any persons who furnish information relating to, or assisting in, an
investigation of a job services complaint to ODJFS shall be kept confidential
to the maximum extent possible, consistent with applicable law and a fair
determination of the complaint. Requires that copy of completed Job Services
complaint submission be given to the complainant(s) and the appropriate
Complaint System representative.
RC 4141.21: Except as provided in RC
4141.162(IEVS), and subject to RC 4141.43
(cooperation with certain state, federal and other agencies), information
maintained by or furnished to the director of ODJFS or UCRC by employers or
employees pursuant to RC Chapter 4141 (employment services law) is for the
exclusive use and information of ODJFS and UCRC in the discharge of their
duties and shall not be open to the public or used in any court in any action
or proceeding pending therein, or be admissible in evidence in any action other
than one arising under RC Chapter 4141 or RC 5733.42.
All of the information and records necessary or useful in the determination of
any particular claim for benefits or necessary in verifying any charge to an
employer's account under RC sections 4141.23 to 4141.26, shall be available
for examination and use by the employer and the employee involved.
RC § 4141.43: Provides the director of ODJFS with
discretionary authority to disclose information to various agencies, including
but not limited to the bureau of workers’ compensation, IRS, United States
employment service, and the railroad retirement board.
OAC rule 4141-43-01: Sets guidelines for the use and
disclosure of wage information, claim information, employment and training
information, and employer information.
K.STATE
HEARINGS
Federal Regulations:
7 CFR 273.15(p)(1) & (q)(5): Requires that
hearing decisions related to Food Assistance be made available to the public,
provided that names, addresses and other information that would identify
household members are kept confidential. This regulation also requires that the
Food Assistance/SNAP assistance group or its representative be given access to
all documents and records to be used at the state hearing at a reasonable time
prior to the state hearing as well as at the state hearing. But, names of
individuals who have provided information about the household without its
knowledge, and the nature and status of pending criminal cases, must be
protected from release. State agencies must provide households with a free copy
of relevant portions of the case file, upon their request.
45 CFR 205.10(a)(19): Requires that hearing decisions
related to IV-A be made available to the public with identifying information of
the IV-A assistance group kept confidential.
State Rules:
OAC rule 5101:6-5-01(F) & (G): Gives individuals
requesting a state hearing and their authorized representative access to their
case file, and to any other documents and records the local agency intends to
use at the state hearing. The rule also sets out the procedure for requesting
and issuing subpoenas during the state hearing process. 4/1/23.
OAC rule 5101:6-7-01(G): Allows the public to inspect
all state hearing decisions, subject to applicable disclosure safeguards. The
implication of this rule is that an appellant's identity is not subject to
disclosure, but the decision itself (with appellant and household members’
identifying information redacted) is available as a public record upon request.
4/1/23.
OAC rule 5101:6-8-01(K): Allows the public to inspect
all administrative appeal decisions, subject to applicable disclosure
safeguards. The implication of this rule is that an appellant's identity is not
subject to disclosure, but the decision itself (with appellant/household
members’ identifying information redacted) is available as a public record upon
request. 4/1/23.
OAC rule 5101:6-20-16(H): Allows inspections of
administrative disqualification decisions subject to applicable disclosure
safeguards. The implication of this rule is that an appellant's identity is not
subject to disclosure but the decision itself (with identifying information of
appellant & household members redacted) is available as a public record
upon request. 3/1/19.
OAC rule 5101:6-50-07: When RC Chapter 119 hearing has
been requested, allows discovery of any matter that is not privileged or
confidential and that does not involve actions under RC Chapters 5103 and 5104
(certification of children’s residential facilities and child day care
licensing). 1/1/19.
OAC rule 5101:9-22-15: This ODJFS internal management
rule defines “personal information” and states that release of personal
information is governed by exemptions to public records listed in RC 149.43(A),
the Personal Information Systems Act (RC Chapter 1347), and dozens of federal
and state laws and regulations like the ones listed in this Manual that make
applicant, recipient, and participant information confidential or non-public.
The rule also requires that individuals who are authorized to access and use
personal information in ODJFS-maintained systems take reasonable precautions to
protect the personal information from unauthorized use, disclosure,
modification or destruction, and take role-based and job-specific security and
privacy training; that aggregate data be masked in accordance with Section III
of IPP 3002; that privacy impact assessments be completed for new and existing
systems containing personal information, to ensure that the appropriate level
of privacy and security measures are in place; and that data breaches and
exposures be reported to the chief inspector, chief privacy officer, and chief
information security officer. Disciplinary action can be imposed for
intentional violations by employees, and questions regarding permissible and
impermissible disclosures can be addressed to agency legal counsel. 3/24/22.
L.MISCELLANEOUS
Federal Laws and Regulations:
29 CFR § 825.500(g): Records and documents relating
to medical certifications, recertifications or medical histories of employees
or employee's family members, created for purposes of the Family Medical Leave
Act (FMLA) shall be maintained as confidential medical records in separate
files/records from the usual personnel files. If the Genetic Information
Nondiscrimination Act (GINA) of 2008 is applicable, records created for FMLA
containing family medical history or genetic information shall be maintained in
accordance with Title II of GINA (29 CFR 1635.9), which permits information to
be disclosed consistent with FMLA confidentiality requirements. And, if the
Americans with Disabilities Act (ADA) or the Americans with Disabilities
Amendments Act of 2008 (ADAA) is also applicable, such records shall be
maintained in conformance with ADA confidentiality requirements except: (1)
Supervisors and managers may be informed regarding necessary restrictions on
the work or duties of an employee and necessary accommodation; (2) First aid
and safety personnel may be informed (when appropriate) if the employee's physical
or medical condition might require emergency treatment, and (3) Government
officials investigating compliance with FMLA (or other pertinent law) shall be
provided relevant information upon request.
29 CFR § 1630.14(b), (c) and (d): This is a part of
the regulations related to the Americans with Disability Act and addresses
medical examination information received from employees, either voluntarily as
part of an agency health program or mandatory examinations needed due to
business necessity. This section requires that employers keep this information
in separate forms and medical files and keep them confidential. This regulation
allows the release of this information to supervisors and managers in relation
to necessary restrictions on the work or duties of the employee and necessary
accommodations; first aid and safety personnel, when appropriate, if the
disability might require emergency treatment; and government officials
investigating compliance with the regulation.
State Statutes and Rules:
RC §9.01: Sets out the standards for copying and
preserving records for specified purposes onto different format or medium.
Gives the copies the same effect of law as the original record(s). 9/26/03.
RC
§9.28: Materials
submitted to a public office in response to a competitive solicitation are not
public until after the public office announces the award of the contract.
4/6/17.
RC § 9.312: A state agency may request additional
financial information from a low bidder on a contract (in addition to a surety
licensed to do business in Ohio). This additional financial information to show
financial responsibility is confidential except under proper order from the
court, and is not a public record under RC §149.43. 11/2/18.
RC
§102.03(B): Prohibits current and former public official or employee
from disclosing or using, without proper authorization, any confidential
information the public official or employee acquired in the course of their
official duties, when the confidential designation is warranted and preserving
confidentiality is necessary to the proper conduct of government business.
Statute is part of revolving door restriction that prohibits former public
employees from representing private sector clients in front of their former
public sector employer. 4/4/23.
RC §124.88: Records of the identity, diagnosis,
prognosis, or treatment of any person that are maintained in connection with
the employee assistance program (EAP) are not public records under RC §149.43
and shall be disclosed without written permission of the subject of the record
only to medical personnel to the extent necessary to meet a bona fide medical
emergency or to qualified personnel for the purpose of conducting scientific
research, management audits, financial audits, or program evaluation, but the
personnel shall not directly or indirectly identify any person who is the
subject of the record in any report of the research, audit, or evaluation or in
any other manner. Records may also be disclosed pursuant to court order, if
good cause is shown and certain safeguards are in place. 9/29/13.
RC §125.071: Affords some protections for the
procurement process until the contract is awarded and the process is completed.
10/25/95.
RC
§§ 131.02 & 131.022: Both say private entity to which ODJFS
claims are sold, conveyed or transferred, shall be bound by all federal and
corresponding state confidentiality requirements concerning the information
included in the sale, conveyance or transfer. 9/30/21 and 6/30/06.
RC
§ 145.27(A), (B) & (D)(4): Sets out what public employee and
public assistance recipient information held by the Public Employee Retirement
System (PERS) is confidential. 1/7/13.
RC § 149.431: Makes financial records required to be
kept by any governmental entity or agency and any nonprofit corporation or association
(except a charitable trust corporation organized under RC Chapter 1719 or 3941)
related to contracts or agreements with the federal government, unit of state
government, or a political subdivision or taxing unity of the state, public
records as defined in (A)(1) of RC §149.43 and subject to the requirements of
division (B) of that statute. The law also states that information directly or
indirectly identifying a present or former individual patient or client or
her/his diagnosis, prognosis, or medical treatment, treatment for a mental or
emotional disorder, treatment for a developmental disability, treatment for
drug abuse or alcoholism, or counseling for personal or social problems is not
a public record. It states that release of the financial records can be
deferred for a reasonable amount of time if at the time a request for release
is made a patient or client whose confidentiality might be violated by the
release of records is being provided confidential professional services. The
law also does not require a nonprofit corporation or association that receives
both public and private funds in fulfillment of a contract, to keep as public
records the financial records of any private funds expended in relation to the
performance of services.
RC
§ 149.40: States that public offices shall only create: records that
are necessary for the proper documentation of the organization, functions,
policies, decisions, and procedures of the office; records of essential
transactions; and, records necessary for the protection of the legal and
financial rights of the state and persons directly affected by the agency’s
activities.
RC § 149.433: Excludes from treatment as public
record infrastructure records of public offices, public schools, and chartered
nonpublic schools; infrastructure records of a private entity that is submitted
to the public office for use by that public office, if certain criteria
described in the statute are met; and security records of public offices. This
section is useful for protecting data obtained from surveys and audits, when
the data is obtained to improve infrastructure/security. One exception is the
notification school boards are required to issue to the public under RC
2923.122(D)(1)(d), informing them that the board has authorized one or more
persons to go armed within a school operated by the board, whenever such authorization
is given. 9/12/22.
RC § 149.434: Requires that each public office
maintain a database or list of names of public officials and employees elected
to or employed by that public office, and that such information be made
available to the public upon request. 9/30/21.
RC § 1306.23: Records that would disclose or may lead
to the disclosure of records or information that would jeopardize the state's
continued use or security of any computer or telecommunication devices or services
associated with electronic signatures, electronic records, or electronic
transactions are not public records for purposes of RC §149.43.
RC §§ 1333.61 through 1333.69: These statutes define
and preclude the release of trade secrets. If records in the possession of a
public office are marked as trade secret, and are the subject of a records
request, party making assertion may need court injunction - RC §1333.65.
RC §1347.12: Sets forth procedures for public
entities when they become aware of electronic security breaches. See also
definitions in RC §1347.01, AG's investigatory authority in RC §1349.191, and penalties in RC § 1349.192). 9/29/15 & 2/7/06.
RC § 4701.19(B): Exempts from treatment as public records
statements, records, schedules, working papers, and memoranda made by a
certified public accountant or public accountant incident to or in the course
of performing an audit of a public office or private entity. However, reports submitted
by the accountant to the client are not exempt from treatment as public
records. 3/30/99.
RC §5101.46(D): Requires ODJFS to prepare a report
every federal fiscal year on the use of Title XX social services grant funds,
and to make it available for public inspection. 10/12/16.
OAC 5101:9-9-38: This county electronic data usage rule
prohibits county family services agencies (CFSAs) from downloading, matching,
scraping or extracting data or data elements from any ODJFS system where the
data owner is the Internal Revenue Service, Social Security Administration, or
other federal or state entity, without first obtaining express written
permission from the data owner. ODJFS can only authorize the download, scrape
or extract of data where ODJFS is the data owner. Division (C) states that a
CFSA employee may download, match, scrape or extract data from ODJFS systems,
including SETS, Ohio Benefits, SACWIS, OWCMS, and CCIDS, if it is directly
related to the employee's job functions or duties, but only if such job
functions or duties are directly related to the administration of a program the
county agency is administering for ODJFS. Division (D) describes the process
for obtaining ODJFS approval for data usages not covered by Division (C),
including submitting a data request to the ODJFS deputy director for the
program responsible for the data, completing an ODJFS Privacy Impact Assessment
form, assisting in drafting a data sharing agreement when needed, and obtaining
ODJFS Legal and Office of Information Services review and approval. 11/1/20.