340:65-1-2. Confidential nature of case material
(a) Purpose. The purpose of this Chapter is to describe rules for the comprehensive management of Adult and Family Services (AFS) cases.
(b) Legal basis. Oklahoma Human Services (OKDHS) maintains the confidentiality of all applications, information, and records concerning applicants and recipients, per the Oklahoma Social Security Act located in Sections 161-260 of Title 56 of the Oklahoma Statutes (56 O.S. §§ 161-260) and the Federal Social Security Act.
(c) Custody of records. All case information including electronic data procured by, or available to, any OKDHS employee is OKDHS property and is used only in accordance with the provisions of federal laws, Oklahoma Statutes, and OKDHS rules.
(1) Authority to disclose information. The county director is responsible for the custody of records in the county office and for their proper use. All requests for information from an OKDHS record are referred to the county director, unless the request originates within OKDHS in carrying out its regular functions. Employees of each OKDHS division may exchange necessary information when working with the same family or a related case to provide benefits and services. • 1
(2) Safeguarding case information. OKDHS employees safeguard case information, per Oklahoma Administrative Code (OAC) 340:1-1-20, OKDHS:2-41-15, OKDHS:2-45, 340:65-3-6, and as provided in (A) through (D) of this subsection.
(A) The county director is:
(i) the custodian of client records assigned to and located in a county office or processed at an alternate work location; and • 2
(ii) responsible for:
(I) taking reasonable precautions to ensure client case information confidentiality and proper use; and
(II) ensuring employees know OKDHS rules regarding safeguarding client case information and when and to whom information may be released.
(B) Per OKDHS:2-1-301, alternate work locations must be capable of safeguarding case information. When an alternate work location does not meet safeguarding standards, case information is not received, stored, or processed at that location.
(C) Practices for safeguarding information include:
(i) secure records storage in locked buildings, rooms, and containers;
(ii) securely storing OKDHS-owned electronic equipment; • 3
(iii) controlling or restricting access to areas containing case information; • 4
(iv) case information is:
(I) secured in a storage area, such as in a desk or file cabinet, when an employee is not present; • 5
(II) not stored on any electronic device or storage media that is not OKDHS property;
(III) not emailed outside of the agency unless it is encrypted; and • 6
(IV) destroyed in secure destruction bins when in paper form, after it is no longer needed or required; and
(v) providing reasonable privacy or restricted viewing of electronic data visible on computer screens or mobile devices.
(D) Information that must be safeguarded includes:
(i) names and addresses, including lists;
(ii) information contained in an application;
(iii) investigation reports;
(iv) medical data including, but not limited to, diagnosis and past history of disease and disability;
(v) correspondence and other records concerning the condition or circumstances of any person from whom or about whom information is obtained;
(vi) evaluations of information contained in (i) through (v); and
(vii) all data items available on computer screens. Disclosure to any unauthorized person is a federal and state regulation violation. Authorized persons are:
(I) the client;
(II) the client's authorized representative;
(III) OKDHS employees;
(IV) authorized volunteers; and
(V) other agencies' employees with a contract or agreement that allows access to specific data. • 7
(3) Safeguarding federal tax information (FTI). Per Section 6103 of Title 26 of the United States Code (26 U.S.C. § 6103), OKDHS must safeguard and restrict access to FTI only to persons whose duties or responsibilities require access.
(A) FTI information that must be safeguarded includes:
(i) the client's name;
(ii) the client's Social Security number;
(iii) Internal Revenue Service (IRS) reporting firm, company, and political subdivision;
(iv) state agency account number;
(v) income type; and
(vi) the amount of income or resources.
(B) AFS restricts FTI access to designated AFS FTI specialists who complete a favorably adjudicated suitability or security background investigation prior to handling FTI and annually thereafter. At a minimum, the background investigation must be at a tier-two level as designated by federal investigative standards and include:
(i) the results of a Federal Bureau of Investigation (FBI) fingerprint check using Form FD-258, FBI Applicant Fingerprint Card, from the state identification bureau. In Oklahoma, the Oklahoma State Bureau of Investigation Criminal Identification Section is the agency authorized to conduct FBI fingerprinting. The fingerprint results check the employee's criminal history in all 50 states;
(ii) a check of local law enforcement agencies where the employee lived, worked, or attended school within the last five years to identify trends of misbehavior and any identified arrests;
(iii) validating the employee's identity and eligibility to legally work in the United States (U.S.). New employees must complete the U.S. Citizenship and Immigration Services Form I-9, Employment Eligibility Verification, and be processed through E-Verify within three days of completing the form to assist with verifying the employee's employment status and the documents provided with Form I-9; and
(iv) completing another background investigation every 10 years following the previous background investigation's completion.
(C) Information safeguarding practices include:
(i) securing FTI, such as any written, typed, photocopied, or printed information from the Income Eligibility Verification System-Internal Revenue Service (IEVS-IRS), and Beneficiary and Earnings Data Exchange System (BENDEX) in a storage area, such as in a locked desk or file cabinet; • 8
(ii) not viewing or storing FTI on any electronic device that is not OKDHS or State of Oklahoma property;
(iii) not printing or maintaining FTI in a non-electronic format; • 9
(iv) not emailing FTI; and
(v) not faxing FTI.
(D) FTI disclosure in violation of the guidelines specified in IRS Publication 1075 is considered a felony punishable by a fine in any amount not exceeding $5,000 or imprisonment of not more than five years, or both, together with the prosecution costs. Further, an AFS FTI specialist may lose access to FTI and be subject to disciplinary action, per OKDHS:2-1-7, when he or she:
(i) does not properly safeguard FTI;
(ii) does not complete or pass the annual favorably adjudicated suitability or security background investigation; or
(iii) releases FTI to an unauthorized person(s), per 26 U.S.C. § 7213.
(4) Nature of information to be made available. General information not identified with any particular person or group of persons, such as total expenditures made, number of recipients, and other statistical information and social data contained in reports or surveys do not fall within the material to be safeguarded.
(A) Requested information is released to representatives of other agencies that are authorized by federal law or Oklahoma Statutes to have the information. Information may be released to other agencies only when they give assurance that the:
(i) confidential character of the information will be preserved;
(ii) information will be used only for purposes related to administering the assistance program and the inquiring agency's functionality; and
(iii) protection standards established by their agency are equal to those established by OKDHS, both in regard to how their employees will use the information and their protective procedures provisions.
(B) Client addresses may be disclosed to federal, state, and local law enforcement officers who furnish the client's name, Social Security number, and notify OKDHS that the location or apprehension of the client is within their official duties and that the client is:
(i) a fugitive felon who is fleeing to avoid prosecution, custody, or confinement after conviction; or
(ii) violating a probation or parole condition.
(C) The days and hours a child is approved for the Child Care Subsidy Program may be disclosed to a child care provider.
(D) Upon written request, information used to establish eligibility that is not otherwise legally protected is made available to the client or the client's representative during normal business hours. Confidential information, including the names of persons who have disclosed information about the client without the client's knowledge, and the nature or status of pending criminal prosecutions, is withheld.
(E) Information the employee obtains from collateral sources, other than public records or the employee's written evaluation of the client's situation, is not made available to the client or to any other person without the consent of the person who gave the information.
(F) Prior to a fair hearing, the designated county employee is responsible for providing the client with a copy of the completed hearing summary and documents or other records the employee plans to present at the hearing.
(5) Information release at client request. Upon the client's, or the client representative's, written request, OKDHS may release client provided information to the client or the authorized representative. When an OKDHS employee receives a written inquiry from an interested person, another agency, or the courts and the client's written permission accompanies the inquiry, the employee may furnish the information when the written release specifies what client provided information to release and to whom it may be released.
(6) Information release to courts. OKDHS employees may only release case information about the client in court proceedings upon subpoena, except upon a court official's request in cases of child abandonment and desertion, child neglect, or restitution when OKDHS referred such cases to the court. In these situations, OKDHS employees' testimony is limited to material affecting the administration of public assistance law except when participating in a case requested by the client or the client's representative in which the client's personal interests are at stake.
(A) When a court subpoenas an OKDHS employee to give testimony based upon OKDHS records, the county director confers with OKDHS Legal Services (LS) regarding the proper way to convey to the court the confidential character of information made available to OKDHS in the process of administering assistance and OKDHS's right, per 43A O.S. § 10-110, to protect its records.
(B) When there is reason to believe the court will not respect the confidential character of OKDHS records, the county director communicates immediately with OKDHS LS to determine the best course of action to take. • 10
(7) Information release to the District Attorney (DA). OKDHS employees may release information to the DA as necessary, to carry out OKDHS rules regarding child support pursuit from a non-custodial parent. When child support pursuit is required in order for a client to receive Temporary Assistance for Needy Families benefits or SoonerCare (Medicaid), AFS employees inform the client of this requirement.
(8) Medical information release. Medical information OKDHS or the Oklahoma Health Care Authority pays for is not released, even at the request of the person to whom it pertains, except to another agency to which the person applied for services with the objective to protect or advance the person's welfare. There is nothing in federal law or Oklahoma Statutes to prevent a physician from releasing medical information to his or her patient or a patient's authorized representative. In such instances, the physician-patient relationship governs the physician.
(A) OKDHS LS is responsible for determining if the requested medical information may be released under federal regulations and OKDHS rules. • 11
(B) AFS employees do not release information obtained from the U.S. Department of Veterans Affairs or from the Social Security Administration to anyone outside of OKDHS.
(C) When a client requests a fair hearing on a medical decision, all medical records or reports considered in establishing a medical decision are provided to the client or the client's authorized representative at a reasonable time before the hearing except for psychological and psychiatric records. Copies of psychological and psychiatric records are only released with the treating physician's or practitioner's consent or when a court of competent jurisdiction orders it released upon a finding that it is in the patient's best interest.
1. The county director may delegate approval authority to the employee's supervisor. Upon approval, paper copies of relevant documents included in the imaged case record may be made, when:
(1) an employee in another division within Oklahoma Human Services (OKDHS) cannot access the imaged case record and needs documents from the case record for use in a criminal or administrative investigation or to review the record for other OKDHS official business; or
(2) a court issues a subpoena for the case record to be brought to court.
2. Refer to OKDHS:65-3-6 for more information regarding:
(1) the county director's or field manager's responsibility to safeguard records;
(2) the confidentiality of client information and the need to be alert to possible security compromises and conflicts of interest; and
(3) employee responsibility to inform the county director or field manager when they, members of their household, relatives, or other persons whose circumstances are considered sensitive in nature apply for or receive benefits or services from the county office where the employee works. This allows the county director or field manager to appropriately assign these cases to avoid any appearance of conflict of interest or to advise the employee or the household member to apply in another county office.
3. Refer to OKDHS:2-41-15(I) for information regarding the safeguarding of mobile equipment.
4. Controlled access includes implementing practices to identify staff accessing areas where case information is located. Refer to OKDHS:2-21-113 for rules concerning displaying identification badges in OKDHS facilities.
5. Case information is not left on a desk, file cabinet, work area, or other location when the employee is away from the desk or work area. When making home visits or traveling to and from work locations or home, case information is not left in vehicles unless it is unavoidable. When it is unavoidable, case information must be stored in the locked trunk.
6. (a) When a client provides his or her email address, OKDHS employees may send email communications to clients, provided the communication does not contain personal health, adult or child protective services, alcohol or drug treatment, or mental health information. The employee must encrypt the email when it contains confidential case information. Refer to the External EMail Encryption Guide for encryption instructions located under the InfoNet IT Tools tab/Secure Email.
(b) Per Health Insurance Portability and Accountability Act (HIPAA) rules Oklahoma Administrative Code (OAC) 340:2, OKDHS protects health information using data security rules for encryption. Refer to OKDHS:2-41-15 when transmitting OKDHS data over the Internet.
(c) Email communication does not take the place of written communications required by law or policy, such as:
(1) providing official written notice of benefit actions taken on the client's case; or
(2) the requirement to send Form 08AD092E, Client Contact and Information Request, to inform a client of an interview time or verification request unless the worker receives client consent before emailing Form 08AD092E. This may occur when the worker submits a client's application by proxy or completes a phone or video conference interview with the client. Best practice is to send the email while talking to the client so the client can confirm email receipt. Once the phone or video conference conversation concludes, the worker documents the consent and verification requested in FACS case notes and images Form 08AD092E into the case record.
(d) Some examples of appropriate email communication include, but are not limited to, emailing to:
(1) request the client call the worker to arrange an interview time or answer questions;
(2) inform the client that incomplete verification was received or additional verification is required; or
(3) respond to an email received from a recognized client account.
(e) The worker images a copy of the email communication in the case record or records the content and communication date in FACS case notes. When a response is needed within a certain time frame, the time frame is clearly stated in the email.
7. OKDHS enters into different types of information sharing agreements or contracts with outside agencies. Adult and Family Services (AFS) Business Process Information Security and Exchange employees maintain such agreements or contracts. When other agencies request case information, county office employees send an email to the Information Security and Exchange mailbox at AFS.Security@okdhs.org to determine what, if any, information may be released.
8. Any record containing raw tax data or information must be secured in a storage area, such as a locked desk or file cabinet. At no time is raw tax data left on a desk, file cabinet, work area, or any other location even when the employee is away from the desk or work area for a short time period.
(1) Willful, unauthorized disclosure of federal returns or return information is a felony punishable by a fine not exceeding $5,000 or imprisonment of not more than five years, or both, together with the costs of prosecution and dismissal from office or discharge from employment, per Section 7213 of the Internal Revenue Code (IRC), Section 7213 of Title 26 of the United States Code (26 U.S.C. § 7213).
(2) Unauthorized inspection of returns or return information is a misdemeanor punishable by a fine not exceeding $1,000 or imprisonment of not more than one year, or both, together with the cost of prosecution and dismissal from office or discharge from employment, per 26 U.S.C. § 7213A, the Taxpayer Browsing Protection Act.
(3) A taxpayer is permitted to bring suit for civil damages for unauthorized disclosure of returns or return information in the amount equal to the sum of the greater of $1,000 for each act or the sum of the actual damages sustained plus the cost of the action, per 26 U.S.C. § 7431.
9. Federal tax information (FTI) is viewed on the PS2 eligibility system through the IEV and BWG transactions. FTI is not printed unless an OKDHS Legal Services (LS) attorney authorizes printing.
10. Refer to OKDHS:2-25-10 regarding subpoenaed records.
11. When the worker receives a request for medical information not described in OAC 340:65-1-2, the worker's supervisor or the county director emails AFS Health Related and Medical Services (HR&MS) at email@example.com and outlines the request's details. When a legal opinion is necessary, the HR&MS programs manager makes a referral to OKDHS LS. After receiving legal guidance, HR&MS staff contacts county staff regarding what action to take. Depending on the decision, the worker releases the medical information or informs the person requesting the information that the medical information cannot be released.