Agency of Human Services: Final Adopted Rule For Access to Information
This is a rule promulgated in 1996 by the Agency of Human Services as AHS Rule 96-1. It also is known as AHS Rule 96-23. The Department of Health is a department within the agency.
1.1 "Agency" means the Agency of Human Services or any of theoffices, departments or programs that comprise the Agency.
1.2 "AHS" means the Vermont Agency of Human Services
1.3 "Client" means an individual or family who is voluntarilyserved by a department, office, program, contractor or grantee ofthe Agency of Human Services.
1.4 "Contractor" means an individual or entity with whom theAgency or any of its departments, offices or programs has acontract to provide personal services.
1.5 "Employee" means any person who works in a full-time, part-time, temporary, or contractual position for the Agency or any ofits departments, offices, or programs.
1.6 "Grantee" means an individual or entity with whom the Agencyor any part thereof has a grant to provide personal services.
1.7 "Program" means a set of services, (such as determining and processing ANFC benefits, verifying and setting up delivery for WIC foods) for which the Agency bears fiscal responsibility.
1.8 "Administrative Obligations" means activities pursuant to federal or state laws or regulations (such as verification of eligibility, verification of service delivery, detection of fraud, monitoring of quality assurance, audit of expenditure reports) which provide for accountability in the use of public funds.
II. Basic Principles
2.1 Presumption of Confidentiality
All information specific to, and identifying of, individualsand families is presumed to be confidential and subject to thesestandards. Employees shall not disclose the informationunless a specific exception to the presumption applies or thedisclosure is authorized by the client, a court or as otherwise authorized by law or rule.
2.2 Existing Statutes
These rules are not intended to expand or diminish currentprovisions in law relating to disclosure of confidentialinformation.
2.3 Information Collection
Employees shall collect and record only that informationneeded to fulfill the goal of serving the client and meetingadministrative or legal obligations.
2.4 Informing Clients
At the initial meeting with each client, or within two weeks, employees shall review and offer to provide the rules for access to information to the client.
III. Permissible Disclosures
3.1 Client Consent
No information about a client shall be released without prior consent from the client, unless directly connected with the administration of a program or necessary for compliance with federal or state laws or regulations.
3.2 Sharing "Non-identifiable" Information
Information that does not identify a client may be used forstatistical research, forecasting program needs, or other suchpurposes.
3.3 Public Information
Information defined as public by 1 VSA & 317 or otherapplicable statute is available to the public. The proceduresin the public records statute shall be followed before publicinformation is released.
3.4 Information Sharing for Administrative Purposes
Employees may share information which is necessary tosatisfy the Agency's administrative obligations. Departmentswill develop written agreements limiting the kinds of informationto be shared when programs are jointly administered by different Departments. No information shall be released to a person or entity that is out of state, unless directly connected with the administration of a program or necessary for compliance with federal or state laws or regulations.
3.5 Disclosure Without Consent in Limited Circumstances
Employees must release sufficient information tocomply with mandatory reporting requirements for cases involvingthe abuse, neglect, or exploitation of children and persons whoare elderly or who have disabilities. Information may be releasedwithout consent when Vermont law creates a duty to warn identified individuals of potential harm to their person or property, in response to court orders, or to investigate or report criminal activity as required by federal or state law or regulation. Only information relevant to the situation shall be disclosed. The employee shall document the date, purpose and content of the report, the name, address and affiliation of the person to whom the information was released, and shall notify the client that the information was disclosed.
IV. Procedures Related to Consent
4.1 Obtaining Informed Consent
Prior to releasing confidential information the Agency shallobtain the client's informed consent. This includes providinginformation about consent in a language and format understandableto the client. Reasonable accommodations shall be made forspecial needs based on the individual or family's education,culture, or disability. Employees shall inform clients that granting consent is not a pre-requisite for receiving services, and shall explain that they may apply for services separately.
4.2 Consent of Minors to Release of Information
Employees shall obtain the consent of a minor client torelease information concerning treatment for which parentalconsent is not required.
4.3 Format for Consent to Share Information
Consent for the sharing or release of information shallordinarily be in writing. If an emergency situation requires granting of verbal consent, written consent shall be obtained at the next office visit or within thirty days, whichever comes sooner. Required information will include:
- Names of the people about whom information may beshared
- A checklist of the kinds of information to be shared
- A checklist of the departments within the Agency toreceive the information
- A statement or date covering expiration of consent
- A statement about procedures for revoking consent
- Signature of individuals covered by the consent, ortheir parents or guardians
- Signature of the individual explaining the consentprocess with their position and job title.
- A space to provide individualized instructions.
- A copy of the consent form shall be provided to all signatories.
4.4 Client Access to Records
Unless prohibited by federal or state law or regulation, clients shall be permitted to view and obtain copies of their records. Each department within the Agency shall have written procedures which permit clients to verify personal information they have provided for accuracy and completeness and for placing amendments to the information in their files. Employees shall take reasonable steps to present records in a form accessible to the client, including but not limited to large type format or verbal review. A fee not to exceed the actual cost of copying may be charged for records exceeding 10 pages. This fee shall be waived if it would prohibit access.
V. Procedures to Protect Confidentiality
5.1 Staff Training
All AHS employees and all AHS volunteers and interns, shall be instructed in these rules. AHS shall train their Contractors and grantees who shall, in turn, provide the same instruction for their employees, interns, and volunteers.
5.2 Response to Requests for Information
An employee shall not respond to requests from outside the Agency for information about clients even to acknowledge that the person is a client, unless authorized. If a client has consented to or requests that information be released, the employee shall comply with the request.
5.3 Designated Individual
Each agency or department shall appoint one or more trained staff members to be responsible for responding to all requests for client information when there is no written consent to release, and no statutory or administrative authority permitting release of the requested information. These individuals shall be specially trained in maintaining confidentiality. A list of the designated individuals for each department and office shall be maintained in the Attorney General's office; Human Services Division.
5.4 Affirmation of Understanding
Employees shall sign an affirmation that they will complywith these rules. This affirmation shall be part of theirpersonnel files. Supervisors shall review this affirmationduring annual evaluations. Violation of these rules shall result in disciplinary action.
5.5 Written Agreements with Grantees or Contractors
The following assurance, or one similar to it, will beincluded in all AHS grants/contracts signed after these ruleshave been approved:
[Grantee/contractor] agrees to comply with the requirementsof AHS Rule No. 96-1 concerning access to information. Thecontractor shall require all of its employees to sign the AHSaffirmation of understanding or an equivalent statement.
5.6 Client Referrals
When referring a client to another agency for services, ifthe referral does not meet the criteria for permissibledisclosures under Section 3.4, the initial agency shall obtain the consent of the client for the referral and alert the receiving agency that confidential client information accompanies the referral.
5.7 Documentation of Disclosure
Requests for disclosures of client information shallbe maintained in the client's file if the request does not meetthe definition of a permissible disclosure under Section 3.4.
Employees shall document in writing any information actually disclosed, along with the name of the person/agency to whom it was disclosed and the date of the disclosure. When permissible disclosures are made under Section 3.4, documentation may be limited to the name of the department/agency/program to whom the disclosure was made.
VI. Information Systems
6.1 Computerized Information:
When developing a computerized data system, the Agencyshall:
- Develop security procedures consistent with the rule;
- Instruct staff in the security procedures;
- Inform clients if a computerized system is being used;
- Establish written agreements with participatingagencies outlining procedures for sharing andprotecting information.
- Develop security procedures in relation to the transmission of information.
6.2 Security Procedures
The Agency shall develop a protocol which is consistent with the requirements of this rule to safeguard confidentialclient information. Contractors and grantees shall also develop aprotocol or shall adopt the protocol of the Agency. The protocolshall be designed to safeguard written information, data incomputer systems, and verbal exchange of information. Theprotocol shall prohibit unauthorized access to records andinclude an appropriate disciplinary process for violations of thesecurity rules.
Written procedures for implementing these rules shall beused as the basis for employee instruction and shall be availablefor review in the Agency Central Office.