Skip to main content

Library: Policy

340:65-1-2. Confidential nature of case material

Revised 9-16-19

(a) Legal basis.The Oklahoma Department of Human Services (DHS) maintains the confidentiality of all applications, information, and records concerning any applicant or recipient, per the Oklahoma Social Security Act located in Sections 161-260 of Title 56 of the Oklahoma Statutes and the Federal Social Security Act.

(b) Custody of records.All case information including electronic data procured by, or available to, any DHS employee is the property of DHS and is used only in accordance with the provisions of the law and DHS rules.

(1) Authority to disclose information.The county director is responsible for the custody of records in the county office and for their proper use.All requests for information from a DHS record are referred to the county director, except when the request originates within DHS in carrying out its regular functions.Employees of each DHS division may exchange necessary information when working with the same family or a related case to provide benefits and services. • 1

(2) Safeguarding of case information.Case information must be safeguarded, per Oklahoma Administrative Code  (OAC) 340:1-1-20, DHS:2-41-15, DHS:2-45, DHS:65-3-6 and as provided in this subsection.

(A)The county director or field manager is:

(i) the custodian of client records assigned to and, located in a county office or support center or processed at an alternate work location; and  • 2

(ii) responsible for:

(I) taking reasonable precautions to ensure the confidentiality and proper use of client case information; and

(II) ensuring employees know DHS rules regarding safeguarding of client case information and when and to whom information may be released.

(B) Per DHS:2-1-301, alternate work locations must be capable of safeguarding case information.When an alternate work location does not meet safeguarding standards, case information must not be received, stored, or processed at that location.

(C) Practices for safeguarding information include:

(i) secure physical storage of records in locked buildings, rooms, and containers;

(ii) secure storage and care of DHS-owned electronic equipment;  • 3

(iii) controlled or restricted access to areas containing case information;  • 4

(iv) case information:

(I) must be secured in a storage area when an employee is not present, such as in a desk or file cabinet;  • 5

(II) may not be stored on any electronic device or storage media that is not the property of DHS; and

(III) may not be emailed outside of the agency unless it is encrypted; and  • 6

(v) reasonable privacy or restricted viewing of electronic data visible on computer screens or mobile devices.

(D) Information that must be safeguarded includes:

(i) names and addresses, including lists;

(ii) information contained in an application;

(iii) reports of investigations;

(iv) medical data including, but not limited to, diagnosis and past history of disease and disability;

(v) correspondence and other records concerning the condition or circumstances of any person from whom or about whom information is obtained, regardless of whether it is recorded;

(vi) evaluations of such information;

(vii) warrant registers; and

(viii) all data items available on computer screens.Disclosure to any unauthorized person is a violation of federal and state regulations.Persons considered to be authorized are:

(I) the client;

(II) the client's authorized representative;

(III) DHS employees;

(IV) authorized volunteers; and

(V) employees of outside agencies with a contract or agreement allowing access to specific data.  • 7

(3) Safeguarding of federal tax information (FTI).Per Section 6103 of Title 26 of the United States Code (26 U.S.C. § 6103), DHS must safeguard and restrict access to FTI only to persons whose duties or responsibilities require access.

(A) FTI information that must be safeguarded includes:

(i) the client's name;

(ii) the client's Social Security number;

(iii) Internal Revenue Service (IRS) reporting firm, company, and political subdivision;

(iv) state agency account number;

(v) type of income; and

(vi) the amount of income or resources.

(B) Adult and Family Services (AFS) restricts access to FTI to designated AFS FTI specialists who complete a favorably adjudicated suitability or security background investigation prior to handling FTI and annually thereafter.At a minimum, the background investigation must be at a tier-two level as designated by federal investigative standards and include:

(i) the results of a Federal Bureau of Investigation (FBI) fingerprint check using Form FD-258, FBI Applicant Fingerprint Card, from the state identification bureau.In Oklahoma, the Criminal Identification Section of the Oklahoma State Bureau of Investigation is the agency authorized to conduct FBI fingerprinting.The fingerprint results check the employee's criminal history in all 50 states;

(ii) a check of local law enforcement agencies where the employee lived, worked, and/or attended school within the last five years to identify trends of misbehavior and, when applicable, of the appropriate agency for any identified arrests; and

(iii) validation of the employee's identity and eligibility to legally work in the United States (U.S.).New employees must complete the U.S. Citizenship and Immigration Services Form I-9, Employment Eligibility Verification, and within three days of completing the form, be processed through E-Verify to assist with verifying the employee's employment status and the documents provided with Form I-9.

(C) Practices for safeguarding information include:

(i) securing FTI, such as any written, typed, photocopied, or printout of information from the Income Eligibility Verification System-Internal Revenue Service (IEVS-IRS), Beneficiary and Earnings Data Exchange System (BENDEX), and Beneficiary Earnings Exchange Record (BEER) in a storage area, such as a locked desk or file cabinet;  • 8

(ii) not viewing or storing FTI on any electronic device that is not DHS or the State of Oklahoma property;

(iii) not printing or maintaining FTI in a non-electronic format;  • 9

(iv) not emailing FTI; and

(v) not faxing FTI.

(D) Disclosure of FTI in violation of the guidelines specified in IRS Publication 1075 is considered a felony punishable by a fine in any amount not exceeding $5,000 or imprisonment of not more than five years, or both, together with the prosecution costs.Further, an AFS FTI specialist may lose access to FTI and be subject to disciplinary action, per DHS:2-1-7 when he or she:

(i) does not properly safeguard FTI;

(ii) does not complete or pass the annual favorably adjudicated suitability or security background investigation; or

(iii) releases FTI to an unauthorized person(s), per 26 U.S.C. §7213.

(4) Nature of information to be made available.General information not identified with any particular person or group of persons, such as total expenditures made, number of recipients, and other statistical information and social data contained in reports or surveys do not fall within the type of material to be safeguarded.

(A) Requested information is released to representatives of agencies that are authorized by law to have the information.Information may be released to other agencies only when they give assurance that the:

(i) confidential character of the information will be preserved;

(ii) information will be used only for purposes related to the administration of the assistance program and the functioning of the inquiring agency; and

(iii) protection standards established by the agency to which information is disclosed are equal to those established by DHS, both in regard to the use of the information by employees and the provision of protective procedures.

(B) Client addresses may be disclosed to federal, state, and local law enforcement officers who furnish the client's name, Social Security number, and notify DHS that the location or apprehension of the client is within their official duties and that the client is:

(i) a fugitive felon who is fleeing to avoid prosecution, custody, or confinement after conviction; or

(ii) violating a condition of probation or parole.

(C) The days and hours a child is approved for the Child Care Subsidy Program may be disclosed to a child care provider.

(D) Upon written request, information used to establish eligibility that is not otherwise protected by law is made available to the client or the client's representative during normal business hours.Confidential information, including the names of persons who have disclosed information about the client without the client's knowledge and the nature or status of pending criminal prosecutions is withheld.

(E) Information obtained by the employee from collateral sources, other than public records or the employee's written evaluation of the client's situation, must not be made available to the client or to any other person without the consent of the person who gave the information.

(F) Prior to a fair hearing, the designated county or support center employee is responsible for providing the client with a copy of the completed hearing summary and documents or other records the employee plans to present at the hearing.

(5) Release of information at client request.Upon the client's, or the client representative's, written request, DHS may release information provided to DHS by the client to the client or to other persons, courts, or agencies when the written release designates the person and the material to be made available.

(A) When a DHS employee receives a written inquiry requesting client information from an interested person, accompanied by the client's written permission, the employee may furnish the information.

(B) When the written inquiry does not conclusively show that the person was asked to obtain the information on the client's behalf, the employee determines the client's wishes before releasing the information.

(6) Release of information to courts.DHS employees may only release case information about the client in court proceedings upon subpoena, except upon request by court officials in cases of abandonment and desertion, neglect of children, or restitution when such cases were referred to the court by DHS.In these situations, DHS employees' testimony is limited to material affecting the administration of the public assistance law except when participating in a case requested by the client or the client's representative in which his or her personal interests are at stake.

(A) When a DHS employee is subpoenaed by the court for the purpose of giving testimony based upon DHS records, the county director confers with the DHS Legal Services (LS) regarding recognition by the court of the right of DHS under the law to protect its records, and of the confidential character of information made available to DHS in the process of administering assistance.

(B) When there is reason to believe that the court will not respect the confidential character of DHS records, the county director communicates immediately with DHS LS regarding the steps to be taken.  • 10

(7) Release of information to the DA.DHS employees may release information to the DA as necessary, to carry out DHS policy regarding child support pursuit from a non-custodial parent.When child support pursuit is required in order for a client to receive benefits, such as Temporary Assistance for Needy Families (TANF), Child Care Subsidy or SoonerCare (Medicaid), AFS employees inform the client of this requirement.

(8) Release of medical information.Medical information paid for by DHS is not released, even at the request of the person to whom it pertains, except to another agency to which the person applied for services with the objective to protect or advance the person's welfare.There is nothing in Oklahoma law or federal law to prevent a physician from releasing medical information to his or her patient or a patient's authorized representative.The physician, in such instances, is governed by the physician-patient relationship.

(A) DHS LS is responsible for determining if the requested medical information may be released under federal regulations and DHS rules.  • 11

(B) AFS employees do not release information obtained from the Veterans Administration or from the Social Security Administration to anyone outside of DHS.

(C) When a client requests a fair hearing on a medical decision, all medical records or reports considered in establishing a medical decision are provided to the client or the client's authorized representative at a reasonable time before the hearing except for psychological and psychiatric records.Copies of psychological and psychiatric records are only released with the consent of the treating physician or practitioner or when ordered released by a court of competent jurisdiction upon a finding that it is in the best interest of a patient.

Revised 9-16-19

1.Paper documents from imaged case records must remain in the county office unless the county director approves removal to another designated location.The county director may delegate approval authority to the employee's supervisor.

(1) Upon approval, paper copies of relevant documents included in the imaged case record may be made, when:

(A) an employee in another division within the Oklahoma Department of Human Services (DHS) cannot access the imaged case record and needs documents from the case record for use in a criminal or administrative investigation or to review the record for other DHS official business; or

(B) a court issues a subpoena for the case record to be brought to court.

(2) Prior to receiving permission to work from home or at an alternate location, the supervisor must discuss with the employee how he or she will safeguard confidential information to ensure the information cannot be accessed by others.

2.Refer to DHS:65-3-6 for more information regarding:

(1) the county director's or field manager's responsibility to safeguard records;

(2) the confidentiality of client information and the need to be alert to possible compromises of security and conflicts of interest; and

(3) employee responsibility to inform the county director or field manager when they, members of their household, relatives, or other persons whose circumstances are considered sensitive in nature apply for or receive benefits or services from the county office or support center where the employee works.This allows the county director or field manager to appropriately assign these cases to avoid any appearance of conflict of interest or to advise the employee or the household member to apply in another county office or support center.

3.Refer to DHS:2-41-15(l) for information regarding the safeguarding of mobile equipment.

4.Controlled access includes the implementation of practices to identify staff accessing areas where case information is located.Refer to DHS:2-21-113 for rules concerning the display of identification badges in DHS facilities.

5.Case information is not left on a desk, file cabinet, work area, or other location when the employee is away from the desk or work area.

6.(a) When a client provides his or her email address, DHS employees may send email communications to clients provided the communication does not contain personal health, adult protective services (APS), child welfare (CW), alcohol or drug treatment, or mental health information.The employee must encrypt the email when it contains confidential case information.Refer to the External EMail Encryption Guide for encryption instructions located under the InfoNet IT Tools tab/Secure Email.

(b) Per Health Insurance Portability and Accountability Act (HIPAA) rules at OAC 340:2, DHS must protect health information using data security rules for encryption, per DHS:2-41-15 when transmitting DHS data over the Internet.

(c) Email communication does not take the place of written communications required by law or policy, such as:

(1) providing official written notice of benefit actions taken on the client's case; or

(2) the requirement to send Form 08AD092E, Client Contact and Information Request, to inform a client of an interview time or verification request unless the worker receives client consent before emailing Form 08AD092E.This may occur when the worker submits a client's application by proxy or completes a phone interview with the client.A best practice is to send the email while talking to the client so the client can confirm email receipt.Once the phone conversation concludes, the worker must document the consent and verification requested in FACS Case Notes and image Form 08AD092E into the case record.

(d) Some examples of appropriate email communication include, but are not limited to, emailing to:

(1) request the client call the worker to arrange an interview time or answer questions;

(2) inform the client that incomplete verification was received or additional verification is required; or

(3) respond to an email received from a recognized client account.

(e) The worker images a copy of the email communication in the case record or records the content and date of the communication in FACS Case Notes.When a response is needed within a certain time frame, the time frame is clearly stated in the email.

7.DHS enters into different types of information sharing agreements or contracts with outside agencies.Adult and Family Services (AFS) Business Process Information Security and Exchange employees maintain such agreements or contracts.County office and support center employees send inquiries regarding release of such information to the Information Security and Exchange mailbox at AFS.Security@okdhs.org to determine what, if any, information may be released.

8.Any record containing raw tax data or information must be secured in a storage area, such as a locked desk or file cabinet.At no time is raw tax data left on a desk, file cabinet, work area, or any other location even when the employee is away from the desk or work area for a short period of time.

(1) Provisions of Section 7213 of the Internal Revenue Code (IRC), Section 7213 of Title 26 of the United States Code (26 U.S.C. § 7213), make willful, unauthorized disclosure of federal returns or return information a felony punishable by a fine not exceeding $5,000 or imprisonment of not more than five years, or both, together with the costs of prosecution and dismissal from office or discharge from employment.

(2) Provisions of 26 U.S.C. § 7213A, the Taxpayer Browsing Protection Act, make unauthorized inspection of returns or return information a misdemeanor punishable by a fine not exceeding $1,000 or imprisonment of not more than one year, or both, together with the cost of prosecution and dismissal from office or discharge from employment.

(3) Provisions of 26 U.S.C. § 7431 permit a taxpayer to bring suit for civil damages for unauthorized disclosure of returns or return information in the amount equal to the sum of the greater of $1,000 for each act or the sum of the actual damages sustained plus the cost of the action.

9.Federal tax information (FTI) is viewed on the PS2 eligibility system through the IEV and BWG transactions. FTI must not be printed unless authorized by a DHS Legal Services (LS) attorney.

10.Refer to DHS:2-25-10 regarding subpoenaed records.

11.When the worker receives a request for medical information not defined in Oklahoma Administrative Code OAC 340:65-1-2, the worker's supervisor or the county director emails AFS Health Related and Medical Services (HR&MS) at hrms@okdhs.org and outlines the details of the request.When a legal opinion is necessary, the HR&MS programs manager makes a referral to DHS LS.After receiving legal guidance, HR&MS staff contacts county staff regarding what action to take.Depending on the decision, the worker releases the medical information or informs the person requesting the information that the medical information cannot be released.

Back to Top