5101:1-1-03 Disclosure of recipient information, nondiscrimination, and treatment of information received from the internal revenue service and social security administration.

(A) What records are confidential?

All information and records concerning a recipient of disability financial assistance (DFA) pursuant to Chapter 5115. of the Revised Code, Ohio works first (OWF) pursuant to Chapter 5107. of the Revised Code, and prevention, retention and contingency (PRC) pursuant to Chapter 5108. of the Revised Code are confidential. No information or records regarding applicants, recipients, or former recipients of any of the programs listed in this paragraph is to be released to anyone except as provided in sections 5101.27 and 5101.28 of the Revised Code, including an entity administering a program assisting needy individuals with the costs of public utility services or as otherwise delineated in this rule pursuant to section 5101.30 of the Revised Code.

(B) When is information allowed to be disclosed?

In accordance with sections 5101.27, 5101.28 and 5101.30 of the Revised Code, recipient information and records for any of the programs identified in paragraph (A) of this rule may be released to the following entities identified in paragraphs (B)(1) to (B) (8) of this rule. However, only the minimum information or records necessary to fulfill the need for the sharing of information shall be released.

(1) A provider of services or assistance connected with the programs identified in paragraph (A) of this rule. Access to information under this paragraph is limited to information that is essential for the provider to render or bill for services or assistance. Providers shall not use this information except for the purpose described in this paragraph and are subject to penalties established in section 5101.99 of the Revised Code for unauthorized use of the information.

(2) Any private contractor, grantee, or other state or county entity, performing administrative or other duties on behalf of the Ohio department of job and family services (ODJFS) or a county agency when in compliance with paragraphs (B)(2)(a) to (B)(2)(c) of this rule. Access under this paragraph includes but is not limited to exchange of information pursuant to section 307.987 of the Revised Code. Information is limited only to information needed for completion of the administrative or other duties on behalf of ODJFS or the county agency:

(a) There shall be a signed, written agreement with the contractor, grantee, or entity, that establishes the purpose and scope of duties to be performed for ODJFS or the county agency.

(b) The agreement shall contain language that the contractor, grantee, or entity shall not use the information received pursuant to the agreement for purposes other than those established in the written agreement.

(c) The agreement shall include language that establishes that the contractor, grantee, or entity is bound by relevant Ohio confidentiality laws and ODJFS rules; and, that disclosure of the information by the contractor, grantee, or entity in a manner not authorized by the Revised Code or Administrative Code is a breach of the contract and subject to penalties set forth in section 5101.99 of the Revised Code.

(3) Any state licensing or certification authority while performing its statutory duties of conducting or assisting with investigations, prosecution or civil or criminal proceedings against medicaid providers, provided that any such licensing or certification authority agrees to be bound by the same rules and regulations regarding recipient confidentiality that binds ODJFS. To ensure agreement of confidentiality, these information requests and responses will be conducted solely between the requesting authority and the appropriate office within ODJFS.

(4) A county child support enforcement agency when requesting relevant information needed to secure child support pursuant to rule 5101:1-3-10 of the Administrative Code.

(5) State and local offices of women, infants and children, child and family health services, and the children with medical handicaps program. The information shared is limited to eligibility information for specific individuals or assistance groups receiving these services.

(6) A public children services agency (PCSA) when the county agency is to report known or suspected instances of child abuse and neglect of a child receiving OWF, PRC or DFA or when the PCSA needs information in order to conduct an assessment or investigation of a report of alleged child abuse or neglect, as described in rule 5101:2-33-28 of the Administrative Code. Instances of abuse and neglect situations exist when a child experiences physical or mental injury, sexual abuse, or exploitation, or negligent treatment or maltreatment under circumstances that indicate the child's health or welfare is threatened.

(7) To the extent permitted by federal law, the ODJFS and county agencies shall provide information, except information directly related to the receipt of medical assistance or medical services, regarding recipients of public assistance under a program administered by the ODJFS or a county agency pursuant to Chapter 5107., 5108., or 5115. of the Revised Code to law enforcement agencies upon request for the purposes of investigations, prosecutions, and criminal and civil proceedings that are within the scope of the law enforcement agencies' official duties.

(8) Information about a recipient shall be exchanged, obtained, or shared only when the ODJFS, the county agency, or law enforcement agency requesting the information gives sufficient information to specifically identify the recipient. In addition to the recipient's name, identifying information may include the recipient's current or last known address, social security number, other identifying number, age, gender, physical characteristics, any information specified in an agreement entered into under section 5101.28 of the Revised Code, or any information considered appropriate by ODJFS or the county agency.

(C) What are the requirements regarding protection of the recipient's right to control personal data?

The following requirements shall be explained at the time of application for assistance or services and are included to protect the recipient's right to control personal data.

(1) Whenever a recipient of any of the programs identified in paragraph (A) of this rule is asked to supply personal data to the county agency or ODJFS, the legal requirements for providing or not providing such data shall be explained to him.

(2) Upon the request of any recipient of any of the programs identified in paragraph (A) of this rule, the county agency shall make all data collected about that individual available to the individual. Medical, psychiatric or psychological information may not be released to the individual or his legal guardian when the county agency has reason to believe that its release may have an adverse effect on the individual.

When the county agency has reason to believe that the release of medical, psychiatric or psychological information may have an adverse effect, the county agency shall release this information to a physician, psychiatrist or psychologist designated by the individual. Once the individual provides expressed and informed consent, the county agency will send this information to the designated medical provider. The medical provider will then determine whether the information should be disclosed to the recipient.

In addition, the county agency shall supply an interpretation of the data when it is not readily understandable. When the individual feels that the data is incomplete or inaccurate, the individual has the right to include additional information in the individual's files.

(3) Upon any request for individual data through compulsory legal process, the recipient of any program identified in paragraph (A) of this rule, shall be immediately informed of such request. In addition, the department shall inform the court of the statutory and regulatory provisions against disclosure of information, when state or federal law precludes the release of the information. When the court still seeks the information, and when the information is not protected by any other privilege recognized by law, the county agency will furnish the specified information to the court itself along with ODJFS policies for safeguarding that information. At the same time, the county agency shall notify the individual that the information has been furnished to the court and shall supply duplicate copies to that individual of the information so furnished.

(4) Pursuant to division (D) of section 5101.27 of the Revised Code, ODJFS and the county agency may release information about a recipient of any of the programs listed in paragraph (A) of this rule, when the recipient gives voluntary, written consent in compliance with section 5101.27 of the Revised Code.

(D) What are the county agency responsibilities concerning nondiscrimination?

The county agency is responsible for providing assistance without discrimination on account of race, color, religion, national origin, gender, sexual orientation, disability, age or political beliefs, in a manner consistent with the all federal and state laws relating to nondiscrimination.

(E) What forms are to be used to request a release of information?

A signed JFS 07341 "Applicant/Recipient Authorization for Release of Information" (rev. 4/2004) shall be obtained whenever the county agency requests information from a third party. The county agency shall use the ODM 03397 "Authorization for the Release or Use of Protected Health Information (PHI)" (rev. 8/2014) when the information is medical in nature or the JFS 06907 "LEAP-Learning, Earning, and Parenting Program School Information Release Form" (rev. 8/2003) when requesting attendance and educational information for LEAP program participants. A copy of any signed release shall be included in the individual's file.

(F) What are the confidentiality requirements for obtaining information from the social security administration (SSA)?

(1) The SSA sends information to the ODJFS about retirement, survivors and disability insurance (RSDI) and supplemental security income (SSI) beneficiaries who are an applicant for or recipients of any of the programs listed in paragraph (A) of this rule. The SSA limits use and disclosure of this SSA information.

(2) The Privacy Act of 1974, PL 93-579, (12/1974), 88 Stat. 1896, 5 U.S.C. 522a, allows the SSA to release information to ODJFS and the county agency without a release of information from the beneficiary only as long as the information is for a "routine use" and for specified programs. Every use or disclosure of SSA information that is not routine or is not for an approved, specified program requires the prior written permission of the beneficiary or the SSA, respectively.

(a) The routine uses and approved programs for RSDI information obtained from SSA are: to determine eligibility for and administer OWF, DFA, food assistance, Title XX social services, Title IV-E, child support and energy assistance.

(b) The routine uses and approved programs for SSI benefits obtained from SSA are: to determine eligibility for and administer OWF, food assistance, DFA, energy assistance, Title XX social services, Title IV-E, child support and interim assistance.

(G) What are the disclosure, confidentiality, and physical safeguarding requirements of SSA and internal revenue service (IRS) information?

(1) Whenever ODJFS or the county agency discloses SSA information received from the SSA to someone who is not an employee of ODJFS or a county agency, it shall do so only for a routine use of an approved program and shall disclose only the information needed to accomplish the purpose of the routine use.

(2) ODJFS may disclose SSA information to another state agency, provided it is for routine use for an approved program and only the needed information is disclosed.

(3) ODJFS and/or the county agency shall keep a record every time they disclose information received from SSA to anyone who is not an employee of ODJFS or a county agency, even when the disclosure is for a routine use.

(a) The required record of disclosure of SSA information shall be kept in the individual case record and also in a central county agency file.

(b) The case record notation and the central file shall contain the date of disclosure, the information disclosed, the purpose of the disclosure, and the person to whom the information was disclosed. For the case record, the county agency shall enter the notation about the disclosure. For the central file, the county agency shall maintain separate records, for each source of data disclosed.

(c) The record of disclosure shall be retained for five years or the life of the application, whichever is longer. The disclosure records are subject to inspection by the SSA.

(4) The IRS sends unearned income information received from 1099 forms filed with that agency to ODJFS regarding applicants and recipients of any of the programs listed in paragraph (A) of this rule.

(5) 26 U.S.C. 6103 (1/2013), allows the disclosure of tax return information to federal, state and local agencies by the IRS for use in their temporary assistance for needy families and food assistance programs. The return information is disclosed solely for the purpose of, and to the extent necessary in, determining eligibility for, or the correct amount of benefits under the specified programs.

(6) IRS return information may not be disclosed to, exchanged with, or utilized by any other state agency. ODJFS and county agency employees who are entitled to access tax return information generally shall not disclose this information to any party outside the agency other than the taxpayer to whom the information relates or the taxpayer's duly appointed representative who has the explicit authority to obtain tax return information.

(7) To the extent that disclosure of IRS information is necessary to verify eligibility for and the correct amount of benefits, including past benefits, such disclosure may be made only when there is no other means of verifying the unearned income information, and only to the extent necessary to verify the unearned income information.

(a) All ODJFS and county agency employees with access to IRS return information shall have disclosure awareness training for safeguarding requirements and shall be advised on an annual basis of IRS penalty provisions.

(b) A permanent system of standardized record keeping shall be maintained by the county agency that documents requests for, and disclosure of return information. When redisclosure is authorized, the information disclosed outside the agency shall be recorded on a separate list that reflects to whom the disclosure was made, what was disclosed, why and when it was disclosed.

(8) ODJFS and the county agency shall physically protect SSA and IRS information from unauthorized access. The physical record number of SSA and IRS information required to be safeguarded include, but are not limited to, the following:

(a) Benefit earnings exchange record information that contains federal wage information obtained from the SSA master earnings file;

(b) IRS information return master file that contains returns filed by payers of income such as dividends, interest and retirement income.

(9) ODJFS and the county agency shall:

(a) Limit access to the data to only those employees and officials who need it to perform their official duties in connection with the approved programs.

(b) Store data in an area that is physically safe from access by unauthorized persons.

(c) Store, process and use magnetic tapes, screen prints and any electronic data in any computer system in such a way that information cannot be retrieved by unauthorized persons.

(d) Advise all personnel who will have access to the data of the confidential nature of the information, the safeguards required, and the criminal and civil sanctions for noncompliance contained in federal and state statutes.

(e) Permit the SSA and IRS to make onsite inspections to ensure that adequate safeguards are being maintained.

(f) Ensure that during interactive interviews confidential information is not exposed to any individual who is not the subject of the confidential information.

Effective: 2/1/2016
Five Year Review (FYR) Dates: 09/14/2015 and 02/01/2021
Promulgated Under: 119.03
Statutory Authority: 5101.27, 5101.30, 5107.05, 5115.04
Rule Amplifies: 5101.27, 5101.28, 5101.30
Prior Effective Dates: 1/1/74, 1/1/76, 1/1/83, 10/1/84 (Emer.), 12/27/84, 7/1/85 (Emer.), 9/29/85; 1/18/86, 8/1/86 (Emer.), 10/3/86, 10/1/88 (Emer.), 12/20/88, 7/14/89 (Emer.), 10/1/89, 1/1/90 (Emer.), 3/22/90, 4/7/90, 10/1/90, 10/10/91 (Emer.), 12/20/91, 1/1/93, 1/1/94 (Emer.), 1/30/94, 1/1/96 (Emer.), 10/11/96 (Emer.), 11/1/96, 1/1/97, 7/1/97, 10/1/97 (Emer.), 12/30/97, 7/1/98, 11/1/98, 7/1/99, 11/1/02, 4/1/03, 7/1/05, 10/1/10