Chapter 5101:9-9 Federal Tax Return Information Safeguarding Procedures

5101:9-9-14 [Rescinded] Professional education program.

Effective: 03/04/2013
Promulgated Under: 111.15
Statutory Authority: 5101.02
Rule Amplifies: 307.86
Prior Effective Dates: 4/3/98, 6/17/04, 7/7/08

5101:9-9-15 Service level agreement (SLA).

(A) The SLA is a document of understanding provided by the Ohio department of job and family services (ODJFS) office of information services (OIS). ODJFS requires county agencies to enter into an SLA to delineate responsibilities for day-to-day information technology (IT) operations between the county agency and OIS to provide quality service to end users and to maintain the health and integrity of the ODJFS network.

(B) The SLA specifies what county agencies can expect from OIS concerning equipment supply, equipment standards, equipment servicing, delivery and availability, system response, information security, problem handling, and network management. As a condition of providing services, ODJFS requires county agencies elect a service level and enter into an SLA. All ODJFS commitments are subject to the availability of state and federal funds.

(C) In addition to the delineation of responsibilities between the county agency and OIS, the SLA, through the technology and service support policy (TSSP), as detailed in rule 5101:9-9-17 of the Administrative Code, includes the delineation of financial responsibility.

(D) A county agency wishing to assume more responsibility for the operation of its local network may do so, in accordance with the established SLA levels, provided the county agency can maintain eligibility and continues to fulfill the requirements.

(E) The signatories to the SLA are the county agency director and the deputy director of OIS utilizing the SLA signature document (SLA.13). The SLA incorporates, by reference, a number of additional supporting documents. Due to the ever-changing nature of the IT environment, the supporting documents may be updated on an ongoing basis by OIS.

(F) In the event of a disagreement regarding provisions of the executed SLA between OIS and the county agency, the initial attempt at resolution will commence at the county agency technical point of contact (TPOC) and OIS liaison level. If resolution is not possible at that level, the deputy director of OIS and the director of the county agency, or their designees, will work to resolve such issues and may utilize the methodology contained in the fiscal agreements if necessary.

(G) The most current version of the SLA is available on the OIS website.

Effective: 07/01/2009
Promulgated Under: 111.15
Statutory Authority: 5101.02
Rule Amplifies: 5101.02
Prior Effective Dates: 10/1/03, 2/1/06, 7/1/07

5101:9-9-16 Negotiated service level agreement (SLA N).

(A) The negotiated service level agreement (SLA N) is a document of understanding between the Ohio department of job and family services (ODJFS) office of information services (OIS) and the county agency. A county that elects and is eligible for a SLA N is substantially different from other county agencies. Elected SLA N is available only to agencies having greater than five hundred filled, verifiable, full-time equivalent (FTE) employees and public children service agencies (PCSAs) that have never been on the ODJFS network.

While the SLA N allows for a high degree of flexibility, the universal provisions detailed in the SLA and rule 5101:9-9-15 of the Administrative Code apply to the SLA N.

(B) The intent of the SLA N is to address the flexibility required by county agencies while maintaining the integrity of the SLA program.

(C) The goal of the SLA N is to define the information technology (IT) expectations of ODJFS and the county agency and determine the appropriate level of service relative to service response, system availability, quantity of work processed, delineation of duties, and service support.

(D) Through SLA N, any ODJFS benefits, that is combinations of hardware, software, infrastructure, services, and network administration, may be negotiated as agreed upon by ODJFS and the county agency. Other county agency requirements may be negotiated as agreed upon by ODJFS and the county agency. Any state benefit is dependent on sufficient funding in the ODJFS OIS budget for the appropriate fiscal year.

(E) A county agency that elects a SLA N exercises considerable control of its county-based IT environment and the management of the county agency network.

(F) The SLA N supporting documentation identifies the scope of services performed either by ODJFS or the county agency and what is required to maintain the IT environment.

(G) In the event of a disagreement between ODJFS and the county agency regarding provisions of the executed SLA N, the initial attempt at resolution will begin at the county agency technical point of contact (TPOC) and OIS liaison level. If resolution is not possible at that level, the deputy director of OIS and the director of the county agency, or their designees, will work to resolve such issues utilizing the methodology contained in the SLA N.

(H) The most current version of the SLA N is available on the OIS website.

Effective: 07/01/2009
Promulgated Under: 111.15
Statutory Authority: 5101.02
Rule Amplifies: 5101.02
Prior Effective Dates: 2/1/06, 7/1/07

5101:9-9-17 Technology and service support policy (TSSP).

(A) The Ohio department of job and family services (ODJFS), in a continuing effort to improve the level of customer service and responsiveness to county agencies, developed the technology and service support policy (TSSP).

The TSSP represents a commitment by ODJFS to provide quality, cost-effective networking products, services, and solutions to the county agencies throughout the state. The TSSP operates within the framework of the service level agreement (SLA) as detailed in the SLA.04 and rule 5101:9-9-15 of the Administrative Code.

(B) The TSSP is the policy by which county agencies request information technology (IT) equipment and services from the ODJFS office of information services OIS. All county agencies' requests for network equipment, installation of third-party software applications, or OIS assistance with equipment moves to new sites, require completion of the TSSP county request form.

(C) The TSSP coordinators in OIS oversee the request process and are responsible for working with the county agencies to determine financial responsibilities and costs, verify staff levels, and track the progress of requests, and serve as the ODJFS contact for county agency information related to the TSSP.

(D) As part of completing the TSSP county request form, the county agency will estimate the financial responsibilities associated with its request and submit the information to the TSSP coordinator in OIS.

(E) Whenever financial responsibilities are determined to be greater than those submitted in the county's request, OIS will contact the technical point of contact (TPOC) in the county agency. OIS will obtain the county agency's consent before continuing the fulfillment process.

(F) Financial responsibilities are enumerated in the TSSP. All ODJFS commitments relative to networking products, services, and solutions are subject to and contingent on the availability of state and federal funds. Whenever financial responsibilities are determined to be different from those submitted in the agency's original request, OIS will notify the county agency to obtain its consent before fulfilling the agency's request. Equipment acquisitions that may affect the ODJFS network, regardless of the cost or financial responsibility, must be approved by ODJFS before the agency purchases the equipment. Approval may be obtained through the TSSP request process.

(G) ODJFS retains ownership of networking products unless ODJFS specifically transfers ownership in accordance with procedures in rule 123:5-2-01 of the Administrative Code.

(H) Through TSSP, ODJFS seeks to do the following:

(1) Ensure timely and efficient delivery of IT products and services to ODJFS's customers;

(2) Increase the flexibility for county agencies to select networking products, services, and solutions that best meet their needs;

(3) Maintain continuity of a safe, sound, and secure computer environment; and

(4) Ensure budgetary predictability and cost-effectiveness of networking solutions for ODJFS and county agencies.

(I) OIS continues to provide the workstations, software, and network access necessary for county employees to complete their state-required job functions pursuant to and in compliance with the signed and established SLA levels.

(J) ODJFS will provide the network infrastructure to enable local agency staff to connect to the ODJFS network.

(K) As a way for county agencies to have the flexibility to meet future needs, ODJFS will provide an additional allowance of workstations in an amount of up to ten per cent of the local agency's filled full-time equivalent (FTE) employees.

Beyond this baseline, counties are responsible for financing computing resources.

(L) Unless specified to the contrary in the SLA for the individual county agency, county agencies will purchase service units from ODJFS.

Service units include, but are not limited to, maintenance, service, and use of state owned equipment.

(M) Costs associated with TSSP equipment service units are determined by the initial equipment costs to ODJFS. On-going services are included as part of the service unit at the expense of ODJFS. On-going services include moves, customer support, software upgrades, and equipment services. 5101:9-9-17 2

(N) The catalogue of network services section of the TSSP displays the networking products and services available to county agencies. The catalogue details the estimated costs a county agency will be subject to when it purchases service units for the products and services specified by its financial responsibility under the TSSP.

(O) Following the fulfillment of a request, ODJFS will generate an invoice for equipment and services rendered and mail it to the county agency for all requests determined to be the financial responsibility of the county agency. The service unit cost to the county agency will be the actual invoice cost for each piece of equipment used. Available TSSP service units may be found in the catalogue of network services section of the TSSP.

(P) When a request involves recurring charges, such as monthly data line fees, the county will be invoiced on a recurring basis. These invoices will utilize the same payment process as the other TSSP invoices.

(Q) County agencies and one-stops will pay the invoice by sending a check, made payable to the "Treasurer, State of Ohio," and including a copy of the invoice with the check.

(R) If payment is not received within sixty calendar days, the ODJFS office of fiscal services will notify the county agency via a memo.

(S) If payment is not received within ninety calendar days, the ODJFS office of fiscal services will recover the funds via an adjustment to the county agency's advance.

(T) County agencies shall use the JFS 02750 "Child Support Administrative Fund Monthly Financial Report" (rev. 10/2005), JFS 02820 "Child Welfare Monthly Financial Statement" (rev. 3/2004), or JFS 02827 "Monthly Financial Statement" (rev. 11/2000) to report TSSP expenditures.

(U) OIS will update the TSSP as dictated by changes in technology, service unit pricing, or available service offerings. The most current version of the TSSP is available on the OIS website.

Effective: 07/01/2009
Promulgated Under: 111.15
Statutory Authority: 5101.02
Rule Amplifies: 5101.02
Prior Effective Dates: 2/1/06, 7/1/07

5101:9-9-20 Treatment of Health Insurance Portability and Accountability Act (HIPAA) inquiries to a county agency.

[This rule designated an internal management rule]

(A) HIPAA is a federal law that, among other regulation, requires the protection of confidentiality and security of health data including the safeguarding, privacy, and release of protected health information (PHI).

(B) PHI includes, but is not limited to, the following individually identifiable health information of public assistance applicants, recipients, and former recipients:

(1) Information relating to past, present, or future physical or mental health or condition of an individual;

(2) Provision of health care of an individual;

(3) Past, present, or future payment for health care to an individual; and

(4) Eligibility information of an individual for the medicaid, disability medical assistance or refugee medical assistance program, or any other plan or program that provides medical assistance or pays the cost of medical care.

(C) All current and future recipients of medicaid, disability medical assistance, and refugee medical assistance, or any other plan or program that provides medical assistance or pays the cost of medical care, received or will receive a privacy notice outlining the following descriptions of uses and disclosures, and recipient procedures:

(1) A description of the types of uses and disclosures of PHI the Ohio department of job and family services (ODJFS) or its delegated entity is permitted with examples to include payment, treatment, and healthcare operations;

(2) A description of other uses and disclosures permitted under HIPAA without written consent or authorization to include examples such as required by law;

(3) A statement that other uses and disclosures will be made only with the individual's written authorization;

(4) Complaint procedure;

(5) Request for restriction procedure;

(6) Request for amendment procedure; and

(7) Request for accounting procedure.

(D) If a recipient of benefits identified in paragraph (C) of this rule requests any of the procedures outlined in paragraphs (C)(4) to (C)(7) of this rule from the county agency or entity acting on behalf of ODJFS who collects and maintains the information identified in paragraph (B) of this rule through which the recipient participates, the county agency or entity acting on behalf of ODJFS shall do one of the following:

(1) Refer the recipient to the ODJFS privacy official by providing the recipient with the appropriate phone number; or

(2) Provide the recipient with a copy of the HIPAA privacy notice outlining the procedures set out in paragraphs (C)(4) to (C)(7) of this rule and notice identifying whom the recipient may contact to initiate those procedures (see http://www.state.oh.us/odjfs/hipaa/privacy.pdf).

Effective: 05/23/2008
Promulgated Under: 111.15
Statutory Authority: 5101.02
Rule Amplifies: 5101.02
Prior Effective Dates: 4/14/03

5101:9-9-21 County agency records retention, access, and destruction.

[This rule designated an internal management rule]

(A) The following definitions are applicable to this rule:

(1) "County family services agency" has the same meaning as defined in section 307.981 of the Revised Code.

(2) "Grant" means an award for one or more family services duties or workforce development duties of federal financial assistance that a federal agency provides in the form of money, or property in lieu of money, to the Ohio department of job and family services (ODJFS) and that ODJFS awards to a county family services agency or workforce development agency. Grant may include state funds ODJFS awards to a county family services agency or workforce development agency to match the federal financial assistance. Grant does not mean technical assistance that provides services instead of money and does not mean other assistance provided in the form of revenue sharing, loans, loan guarantees, interest subsidies, or insurance.

(3) "Inactive records" refers to closed case files and those records that are no longer used on a regular basis.

(4) "Pass-through entity" means a non-federal entity that provides a federal award and/or state funds to a subrecipient to carry out a federal and/or state program, function, or activity.

(5) "Record" has the same meaning as defined in section 149.011 of the Revised Code.

(6) "Record series" means records that are filed together or maintained as a unit because they relate to a particular subject or function, result from the same activity, have a particular form, or have some other relationship arising from their creation, receipt, or use.

(7) "Retention schedule" means a document that assigns a required retention period to a record series based on its fiscal, legal, or administrative value.

(8) "Subrecipient" means a non-federal entity that expends federal awards and/or state funds received from a pass-through entity but does not include an individual that is a beneficiary of such program, function, or activity.

(9) "Workforce development agency" has the same meaning as defined in section 6301.01 of the Revised Code.

(B) All county family services agency and workforce development agency records are governed by section 149.38 of the Revised Code, which establishes a county records commission for each county. The functions of the county records commission are to provide rules for the retention and disposal of county records, review applications for one-time disposal of obsolete records, and review schedules of records retention and disposal submitted by county offices. Each county family services agency and workforce development agency shall comply with all applicable federal, state, and local records retention requirements for all records related to any program, function, or activity that is funded in whole or in part by state and/or federal funds.

(C) Each county family services agency and workforce development agency shall have a records retention schedule that governs each record series maintained by the agency and that includes the requirements set forth in this paragraph. Each such records retention schedule shall at a minimum do the following:

(1) Identify the name of the record series;

(2) Describe the use and purpose of the records;

(3) Assign a retention period based on the fiscal, legal, or administrative purpose value of the record series;

(4) Establish the method of disposition of the records when the retention period expires; and

(5) Comply with any minimum records retention requirements specified by applicable state law and regulations, applicable ODJFS records retention requirements, and applicable federal law and regulations, including, but not limited to, the following:

(a) Office of management and budget (OMB) circulars A-133, A-87 ( 2 C.F.R. 225 ), and A-102;

(b) 7 C.F.R. 3016 and 7 C.F.R. 272 applicable to the expenditure of food stamp program funds;

(c) 29 C.F.R. 95 applicable to not-for-profit organizations expending department of labor funds (DOL) funds;

(d) 29 C.F.R. 97 applicable to government units expending DOL funds;

(e) 45 C.F.R. 74 applicable to not-for-profit organizations expending department of health and human services (HHS) funds;

(f) 45 C.F.R. 92 applicable to government units expending HHS funds; or

(g) Any other federal award requirements related to any program, function, or activity the county family services agency or workforce development agency administers that is funded in whole or in part by federal funds.

(D) In addition to having the records retention schedules required by paragraph (C) of this rule, each county family services agency and workforce development agency shall have a records retention schedule governing all records of its subrecipients that document a program, function, or activity for which the county family services agency's or workforce development agency's subrecipient receives state and/or federal funds. Each county family services agency and workforce development agency shall include in any contract or other type of agreement awarding a grant to a subrecipient all applicable minimum federal, state, and local records retention requirements for all records documenting a program, function, or activity for which the county family services agency's or workforce development agency's subrecipient receives state and/or federal funds. Any succeeding subrecipient of state and/or federal funds passed through from the county family services agency's or workforce development agency's subrecipient is subject to the same requirements stated in this paragraph.

(E) Each county family services agency and workforce development agency shall retain financial, programmatic, statistical, and recipient records and supporting documents relating or pertaining to a federal award passed through from ODJFS for a minimum of three years after ODJFS's acceptance of the final closeout expenditure report for that federal award, or applicable ODJFS records retention requirements, whichever is longer, unless otherwise provided by any minimum records retention requirements specified by applicable state or federal law. A county family services agency or workforce development agency may establish a minimum records retention period that exceeds the minimum retention period provided by this paragraph.

(1) If any litigation, claim, investigation, criminal action, negotiation, audit, administrative review, or other action involving the records has been started before the expiration of the longer of the minimum retention period defined in paragraph (E) of this rule or before actual disposition of the records, the county family services agency or workforce development agency shall maintain the records until completion of the action and resolution of all issues that arise from it, or until the end of the longest applicable minimum retention period, whichever is later.

(2) If final payment after closeout of the federal award has not been made before the expiration of the longer of the minimum retention period defined in paragraph (E) of this rule or before actual disposition of the records, the county family services agency or workforce development agency shall maintain the records until final payment is made and resolution of all issues that arise from it, or until the end of the longest applicable minimum retention period provided in paragraph (E) of this rule, whichever is later.

(3) Each county family services agency and workforce development agency shall maintain a current file of all records that have been subject to a federal or state audit, administrative review, or other action, and must refer to that file before requesting approval from the county records commission to destroy any record.

(F) Each county family services agency and workforce development agency shall annually provide or make available to ODJFS the agency's records retention schedules, including any records retention schedule adopted pursuant to paragraph (D) of this rule. Each county family services agency and workforce development agency shall make its current records retention schedule readily available to the public.

(G) Each county family services agency and workforce development agency shall establish policies and procedures for the transfer and storage of inactive records that comply with all applicable state, federal, and local requirements. Secondary locations used for storing inactive records must provide adequate security and allow for the prompt and efficient retrieval of requested records.

(H) The requirements regarding access to records are as follows:

(1) Each county family services agency and workforce development agency shall adopt a public records policy for responding to public records requests in accordance with section 149.43 of the Revised Code.

(2) All records documenting a program, function, or activity for which the county family services agency and workforce development agency receive state and/or federal funds must be made available to authorized governmental agencies, including, but not limited to, ODJFS, the auditor of state, and other Ohio funding sources and federal funding sources upon request. This access to records includes, but is not limited to, all financial and programmatic records, supporting documents, statistical records, and other records of recipients, subrecipients, contractors, and subcontractors. This right of access is not limited to any required minimum retention period if the records are still being retained and have not been disposed at the time of the request.

(3) All information and records concerning an applicant, a recipient, or a former recipient must be safe guarded from release as specified by applicable state and federal law and regulations, including, but not limited to, rules 5101:1-1-03 , 5101:4-1-13 , and 5101:1-37-01.1 of the Administrative Code, and sections 5101.27 and 5101.28 of the Revised Code, and are subject to all applicable intercounty transfer requirements, including, but not limited to, rules 5101:1-1-14 and 5101:1-37-02.3 of the Administrative Code and"Procedure 16 Case File Transfer Procedure for Food Stamps."

(4) All public records as defined in division (A)(1) of section 149.43 of the Revised Code must also be made available for inspection or copying to any person at all reasonable times during regular business hours, as specified in division (B) of section 149.43 of the Revised Code.

(5) Each county family services agency and workforce development agency shall maintain its records in such a manner that the agency can fulfill its records access obligations promptly and efficiently.

(I) Each county family services agency and workforce development agency shall obtain approval from the county records commission before destruction of any records in accordance with section 149.38 of the Revised Code. Pursuant to section 149.38 of the Revised Code, the county records commission approval must in turn be reviewed by the Ohio historical society, and upon the Ohio historical society's review of the request to dispose the records, the auditor of state must approve or disapprove the request.

(J) After permission to destroy the records has been obtained, each county family services agency and workforce development agency shall follow the requirements established by the county records commission for disposal of county records.

(K) Notwithstanding the provisions in this rule, each county family services agency and workforce development agency shall continue to follow any minimum applicable ODJFS, state, and federal law records retention requirements requiring a longer minimum retention period than the general three-year retention period stated in paragraph (E) of this rule, such as, children services case records retention requirements set forth in rules 5101:2-33-23 and 5101:2-39-02 of the Administrative Code, and any other program-specific records retention requirements established by other state or federal law, unless directed to comply with the minimum records retention requirements provided in this rule.

Replaces: 5101-9-21

Effective: 08/23/2008
Promulgated Under: 111.15
Statutory Authority: 5101.02
Rule Amplifies: 329.04 , 329.05 , 5101.27 , 5101.28
Prior Effective Dates: 3/7/82, 4/1/88 (Emer), 6/30/88, 2/15/96, 11/1/96

5101:9-9-21.1 Public assistance records: retention periods.

[This rule designated an internal management rule]

(A) The following definitions are applicable to this rule:

(1) "Inactive records" means closed case files and those records that are no longer used on a regular basis.

(2) "Public assistance record" means any record maintained in a case file related to an Ohio works first (OWF), a food stamps, a prevention, retention, and contingency (PRC), a disability financial assistance, or a refugee cash assistance group (AG).

(3) "Record" has the same meaning as defined in section 149.011 of the Revised Code.

(B) The minimum retention period for public assistance records is seven years, except as provided in paragraphs (C) and (D) of this rule.

(C) The following records may not be destroyed while the AG is active, and must be maintained for a minimum of three years from the date the AG becomes inactive:

(1) Enumeration verifications;

(2) Application forms and verifications that established initial program eligibility; and

(3) Documents that establish eligibility factors such as incapacity, limiting physical factors, and eligibility for supplemental security income (SSI).

(D) Any records existing in the AG file on the date the AG becomes inactive must be maintained for a minimum of three years from the date the AG becomes inactive, regardless of the age of the records.

(E) Rule 5101:4-1-05 of the Administrative Code governs the retention of food stamp records and must be followed in conjunction with the requirements of this rule.

(F) Counties that wish to selectively destroy documents from public assistance AG records in accordance with the requirements of this rule must specify the retention periods of the affected documents on the appropriate retention schedules.

Replaces: 5101-9- 21.1

Effective: 08/23/2008
Promulgated Under: 111.15
Statutory Authority: 5101.02
Rule Amplifies: 329.04
Prior Effective Dates: 2/15/96

5101:9-9-25 Federal tax return information safeguarding procedures.

[This rule designated an internal management rule. For a copy of this rule, contact the Ohio Legislative Service Commission.]

5101:9-9-29 Ohio department of job and family services (ODJFS) audit function.

[This rule designated an internal management rule. For a copy of this rule, contact the Ohio Legislative Service Commission.]

5101:9-9-37 Data system security.

The following requirements ensure the security of departmental data and must be followed by all county employees who access the office of information technology (OIT) and the Ohio department of job and family services (ODJFS) local area networks.

(A) Users are responsible for system inquiries and activities executed with their system user indentification (USER-ID).

(B) Passwords must remain confidential and be between four and eight characters in length.

(C) A terminal or personal computer must never be left unattended or unsecured when logged onto the network.

(D) Only the files which are required to perform job duties shall be accessed.

(E) Passwords are valid for a maximum of thirty days and shall not be repeated for a twelve month period.

(F) The county liaison must contact the ODJFS security officer to have a forgotten password reset. The user will then supply a new password on their next access.

(G) Users must not change their passwords more than once per day.

(H) Users must comply with all items included on the JFS 07078 "Ohio Department of Job and Family Services Code of Responsibility" (Rev.3/03).

(I) An original signed JFS 07078 must be submitted to ODJFS with every county request for a USER-ID or user access to the OIT and ODJFS local area networks.

(J) Temporary access may be granted at the discretion of ODJFS upon receipt of a faxed request and signed JFS 07078. Failure to submit a signed original JFS 07078 to ODJFS within fourteen days will result in termination of access.

(K) The JFS 07078 is required for every new employee accessing the system, and for making changes to an existing employee's access.

(L) Counties must not modify the JFS 07078.

Replaces: 5101-9-37

Effective: 07/01/2005
Promulgated Under: 111.15
Statutory Authority: 5101.02 , 329.04
Rule Amplifies: 5101.02 , 329.04
Prior Effective Dates: 3/18/88 (Emer.), 6/10/88, 6/15/98

5101:9-9-38 County electronic data usage.

[This rule designated an internal management rule. For a copy of this rule, contact the Ohio Legislative Service Commission.]