This website publishes administrative rules on their effective dates, as designated by the adopting state agencies, colleges, and
universities.
Rule |
Rule 5101:9-9-15 | Master service agreement (MSA).
(A) The MSA is a document of
understanding provided by the Ohio department of job and family services
(ODJFS) office of information services (OIS). ODJFS requires county agencies to
enter into an MSA to delineate responsibilities for day-to-day information
technology (IT) operations between the county agency and OIS to provide quality
service to end users and to maintain the health and integrity of the ODJFS
network. (B) The MSA outlines expectations between
the county agencies and OIS including the IT resources supply and management,
standards, support efforts, information security, and service provider
alignment. A county agency shall elect a service level as part of the MSA
program. All ODJFS commitments are subject to the availability of state and
federal funds. (C) The technology and service support
policy (TSSP) also details the delineation of responsibilities, including
financial responsibilities as shown in rule 5101:9-9-17 of the Administrative
Code. (D) The county agency director and the deputy director of
OIS shall utilize the MSA signature document to show acceptance of the MSA, and
all related levels and support documentation. Due to the ever- changing nature
of the IT environment, OIS may update the supporting documentation as
needed. (E) In the event of a disagreement regarding provisions of
the executed MSA between OIS and the county agency, the initial attempt at
resolution will commence at the county agency technical point of contact (TPOC)
and OIS liaison level. If resolution is not possible at that level, the deputy
director of OIS and the director of the county agency, or their designees, will
work to resolve such issues and may utilize the methodology contained in the
fiscal agreements if necessary. (F) The most current version of the MSA is available on the
county operations user experience (UX) sharepoint portal.
Last updated April 5, 2024 at 8:34 AM
|
Rule 5101:9-9-17 | Technology and service support policy (TSSP).
(A) The Ohio department of job and family
services (ODJFS), in a continuing effort to improve the level of customer
service and responsiveness to county agencies, developed the technology and
service support policy (TSSP). The TSSP represents a commitment by ODJFS to
provide quality, cost-effective networking products, services, and solutions to
the county agencies throughout the state. The TSSP operates within the framework of the
master service agreement (MSA) as detailed in the MSA and rule 5101:9-9-15 of
the Administrative Code. (B) The TSSP is the policy by which
county agencies request information technology (IT) equipment and services from
the ODJFS office of information services (OIS). All county agency requests for
network equipment, installation of third-party software applications, or OIS
assistance with equipment moves to new sites, require completion of the JFS
01321 "TSSP County Request." (C) TSSP coordinators in OIS oversee the
request process and are responsible for working with the county agencies to
determine financial responsibilities and costs, verify staff levels, track the
progress of requests, and serve as the ODJFS contact for county agency
information related to the TSSP. (D) As part of completing the JFS 01321,
the county agency will estimate the financial responsibilities associated with
its request and submit the information to the TSSP coordinators in
OIS. (E) Whenever financial responsibilities
are determined to be greater than those estimated on the JFS 01321, OIS will
contact the technical point of contact (TPOC) in the county agency. OIS will
obtain the county agency's consent before continuing the fulfillment
process. (F) Financial responsibilities are
enumerated in the TSSP. All ODJFS commitments relative to networking products,
services, and solutions are subject to and contingent on the availability of
state and federal funds. Whenever financial responsibilities are determined to
be different from those estimated in the agency's original request, OIS
will notify the county agency to obtain its consent before fulfilling the
agency's request. Equipment acquisitions that may affect the ODJFS
network, regardless of the cost or financial responsibility, must be approved
by ODJFS before the agency purchases the equipment. Approval may be obtained
through the TSSP request process. (G) ODJFS retains ownership of networking
products unless ODJFS specifically transfers ownership in accordance with
procedures in rule 123:5-2-01 of the Administrative Code. (H) Through TSSP, ODJFS seeks to do the
following: (1) Ensure timely and
efficient delivery of IT products and services to ODJFS's
customers; (2) Increase the
flexibility for county agencies to select networking products, services, and
solutions that best meet their needs; (3) Maintain continuity
of a safe, sound, and secure computer environment; and (4) Ensure budgetary
predictability and cost-effectiveness of networking solutions for ODJFS and
county agencies. (I) OIS continues to provide the
workstations, software, and network access necessary for county employees to
complete their state-required job functions pursuant to and in compliance with
the signed and established MSA levels. (J) ODJFS will provide the network
infrastructure to enable local agency staff to connect to the ODJFS
network. (K) As a way for county agencies to have
the flexibility to meet future needs, ODJFS will provide an additional
allowance of workstations in an amount of up to ten per cent of the local
agency's filled full-time equivalent (FTE) employees. Beyond this baseline, counties are responsible
for financing computing resources. (L) County agencies will purchase service
units from ODJFS, unless otherwise specified in the MSA for the individual
county agency. Service units include, but are not limited to,
maintenance, service, and use of state owned equipment. (M) Costs associated with TSSP equipment
service units are determined by the initial equipment and warranty costs to
ODJFS. On-going services are included as part of the service unit at the
expense of ODJFS. On-going services include moves, customer support, software
upgrades, and equipment services. (N) The catalog of network services
section of the TSSP displays the networking products and services available to
county agencies. The catalog details the estimated costs a county agency will
be subject to when it purchases service units and services that it specifies on
the JFS 01321 that it submits to OIS. (O) Following the fulfillment of a
request, the ODJFS office of fiscal and monitoring services (OFMS) will
generate an invoice from the Ohio administrative knowledge system (OAKS) for
equipment and services rendered. The county contact is notified that the
invoice has been placed on the county user experience (UX) sharepoint portal
for retrieval. The service unit cost to the county agency will be the actual
invoice cost for each piece of equipment used and warranty purchased. Available
TSSP service units may be found in the catalog of network services section of
the TSSP. (P) When a request involves recurring
charges, the county will be invoiced on a recurring basis. These invoices will
utilize the same payment process as the other TSSP invoices. (Q) County agencies will pay the invoice
by sending a check, made payable to the "Treasurer, State of Ohio,"
and including a copy of the invoice with the check. Remit payments to the
following address: "Huntington National Bank ODJFS L-3659 Columbus, Ohio 43260" (R) If payment is not received within
sixty calendar days, the ODJFS office of fiscal and monitoring services will
notify the county agency. (S) If payment is not received within
ninety calendar days, the ODJFS office of fiscal and monitoring services will
recover the funds via an adjustment to the county agency's
advance. (T) County agencies shall use the JFS
02750 "Child Support Enforcement Agency (CSEA) Quarterly Financial
Statement", JFS 02820 " Children Services Quarterly Financial
Statement", or JFS 02827 "Public Assistance (PA) Quarterly Financial
Statement" to report TSSP expenditures. (U) OIS will update the TSSP as dictated
by changes in technology, service unit pricing, or available service offerings.
The most current version of the TSSP is available on the county user experience
(UX) sharepoint portal.
Last updated April 5, 2024 at 8:34 AM
|
Rule 5101:9-9-20 | Treatment of Health Insurance Portability and Accountability Act (HIPAA) inquiries to a county agency.
(A) HIPAA is a federal law requiring the
protection of confidentiality and security of health data including the
safeguarding, privacy, and release of protected health information
(PHI). (B) PHI includes, but is not limited to,
the following individually identifiable health information of public assistance
applicants, recipients, and former recipients: (1) Information relating
to past, present, or future physical or mental health or condition of an
individual; (2) Provision of health
care to an individual; (3) Past, present, or
future payment for health care to an individual; and (4) Eligibility
information of an individual for the medicaid, disability medical assistance,
or refugee medical assistance program, or any other plan or program that
provides medical assistance or pays the cost of medical care. (C) All current and future recipients of
medicaid, disability medical assistance, refugee medical assistance, or any
other plan or program that provides medical assistance or pays the cost of
medical care, received or will receive a privacy notice outlining the following
descriptions of uses and disclosures, and recipient procedures: (1) A description of the
types of uses and disclosures of PHI the Ohio department of job and family
services (ODJFS) or its delegated entity is permitted to make, with examples to
include payment, treatment, and healthcare operations; (2) A description of
other uses and disclosures permitted under HIPAA without written consent or
authorization to include examples such as required by law; (3) A statement that
other uses and disclosures will be made only with the individual's written
authorization; (4) Complaint procedure; (5) Request for restriction
procedure; (6) Request for amendment procedure;
and (7) Request for accounting
procedure. (D) If a recipient of benefits identified
in paragraph (C) of this rule requests any of the procedures outlined in
paragraphs (C)(4) to (C)(7) of this rule from the county agency or entity
acting on behalf of ODJFS who collects and maintains the information identified
in paragraph (B) of this rule through which the recipient participates, the
county agency or entity acting on behalf of ODJFS shall do one of the
following: (1) Refer the recipient
to the ODJFS privacy official by providing the recipient with the appropriate
phone number; or (2) Provide the recipient
with a copy of the HIPAA privacy notice outlining the procedures set out in
paragraphs (C)(4) to (C)(7) of this rule and notice identifying whom the
recipient may contact to initiate those procedures. http://medicaid.ohio.gov/FOROHIOANS/AlreadyCovered/NoticeofPrivacyPractices.aspx
|
Rule 5101:9-9-21 | County agency records retention, access, and destruction.
(A) The following definitions are
applicable to this rule: (1) "County family
services agency" has the same meaning as defined in section 307.981 of the
Revised Code. (2) "Grant"
means an award for one or more family services duties or workforce development
duties of federal financial assistance that a federal agency provides in the
form of money, or property in lieu of money, to the Ohio department of job and
family services (ODJFS) and that ODJFS awards to a county family services
agency or local area. Grant may include state funds ODJFS awards to a county
family services agency or local area to match the federal financial assistance.
Grant does not mean technical assistance that provides services instead of
money and does not mean other assistance provided in the form of revenue
sharing, loans, loan guarantees, interest subsidies, or insurance. (3) "Inactive
records" refers to closed case files and those records that are no longer
used on a regular basis. (4) "Local
area," has the same meaning as defined in section 6301.01 of the Revised
Code. (5) "Pass-through entity" means
a non-federal entity that provides a federal award and/or state funds to a
subrecipient to carry out a federal and/or state program, function, or
activity. (6) "Record" has the same
meaning as defined in section 149.011 of the Revised Code. (7) "Record series" means
records that are filed together or maintained as a unit because they relate to
a particular subject or function, result from the same activity, have a
particular form, or have some other relationship arising from their creation,
receipt, or use. (8) "Retention schedule" means
a document that assigns a required retention period to a record series based on
its fiscal, legal, historical or administrative value. (9) "Subrecipient" means a
non-federal entity that expends federal awards and/or state funds received from
a pass-through entity but does not include an individual that is a beneficiary
of such program, function, or activity. (10) "Workforce development
agency" has the same meaning as defined in section 5116.01 of the Revised
Code. (B) Each county family services agency
and local area shall comply with all applicable federal, state, and local
records retention requirements for all records related to any program,
function, or activity that is funded in whole or in part by state and/or
federal funds. Local records retention requirements may be available through
the county records commission in each county, which are established pursuant to
section 149.38 of the Revised Code. The functions of the county records
commission are to provide rules for the retention and disposal of county
records, to review applications for one-time disposal of obsolete records, and
to review schedules of records retention and disposal submitted by county
offices. (C) Each county family services agency
and local area shall have a records retention schedule that governs each record
series maintained by the agency and that includes the requirements set forth in
this paragraph. Each such records retention schedule shall at a minimum do the
following: (1) Identify the name of
the record series; (2) Describe the use and
purpose of the records; (3) Assign a retention
period based on the fiscal, legal, historical or administrative purpose value
of the record series; (4) Establish the method
of disposition of the records when the retention period expires;
and (5) Comply with any
minimum records retention requirements specified by applicable state law and
regulations, applicable ODJFS records retention requirements, and applicable
federal law and regulations, including, but not limited to, the
following: (a) 2 C.F.R. Part 200; (b) 7 C.F.R. 272.1(f) applicable to the expenditure of food
stamp program funds; (c) 29 C.F.R. 95.53 applicable to non-profit organizations
expending department of labor funds (DOL) funds; (d) 29 C.F.R. 97.42 applicable to government units expending DOL
funds; (e) 45 C.F.R. 75.361 applicable to non-federal entities expending
department of health and human services (HHS) funds; or (f) Any other federal award requirements related to any program,
function, or activity the county family services agency or local area
administers that is funded in whole or in part by federal funds. (D) In addition to having the records
retention schedules required by paragraph (C) of this rule, each county family
services agency and local area shall have a records retention schedule
governing all records of its subrecipients that document a program, function,
or activity for which the county family services agency's or local
area's subrecipient receives state and/or federal funds. Each county
family services agency and local area shall include in any contract or other
type of agreement, including grant awards to subrecipients and subcontracts
with service providers, all applicable minimum federal, state, and local
records retention requirements for all records documenting a program, function,
or activity for which the county family services agency's or local
area's subrecipient, contractor or subcontractor receives state and/or
federal funds. Any succeeding subrecipient or subcontractor of state and/or
federal funds passed through from the county family services agency's or
local area's subrecipient, contractor or subcontractor is subject to the
same requirements stated in this paragraph. (E) Each county family services agency
and local area shall retain financial, programmatic, statistical, and recipient
records and supporting documents relating or pertaining to a federal award
passed through from ODJFS for a minimum of three years after submittal of the
final expenditure report for the grant, or applicable ODJFS records retention
requirements, whichever is longer, unless otherwise provided by any minimum
records retention requirements specified by applicable state or federal law. A
county family services agency or local area may establish a minimum records
retention period that exceeds the minimum retention period provided by this
paragraph. (1) If any litigation,
claim, investigation, criminal action, negotiation, audit, administrative
review, or other action involving the records has been started before the
expiration of the longer of the minimum retention period defined in paragraph
(E) of this rule or before actual disposition of the records, the county family
services agency or local area shall maintain the records until completion of
the action and resolution of all issues that arise from it, or until the end of
the longest applicable minimum retention period, whichever is
later. (2) If final payment
after closeout of the federal award has not been made before the expiration of
the longest applicable minimum retention period defined in paragraph (E) of
this rule or before actual disposition of the records, the county family
services agency or local area shall maintain the records until final payment is
made and resolution of all issues that arise from it, or until the end of the
longest applicable minimum retention period provided in paragraph (E) of this
rule, whichever is later. (3) Each county family
services agency and local area shall maintain a current file of all records
that have been subject to a federal or state audit, administrative review, or
other action, and must refer to that file before requesting approval from the
county records commission to destroy any record. (F) Each county family services agency
and local area shall annually provide or make available to ODJFS the
agency's records retention schedules, including any records retention
schedule adopted pursuant to paragraph (D) of this rule. Each county family
services agency and local area shall make its current records retention
schedule readily available to the public. (G) Each county family services agency
and local area shall establish policies and procedures for the transfer and
storage of inactive records that comply with all applicable state, federal, and
local requirements. Secondary locations used for storing inactive records must
provide adequate security and allow for the prompt and efficient retrieval of
requested records. (H) The requirements regarding access to
records are as follows: (1) Each county family
services agency and local area shall adopt a public records policy for
responding to public records requests in accordance with section 149.43 of the
Revised Code. Public records do not include information or records specifically
exempted from treatment as public records in division (A)(1) of section 149.43
of the Revised Code, or information or records that are expressly made
confidential under other federal or state laws or regulations. (2) All records
documenting a program, function, or activity for which the county family
services agency and local area receive state and/or federal funds must be made
available to authorized governmental agencies, including, but not limited to,
ODJFS, the auditor of state, and other Ohio funding sources and federal funding
sources upon request. This access to records includes, but is not limited to,
all financial and programmatic records, supporting documents, statistical
records, and other records of recipients, subrecipients, contractors, and
subcontractors. This right of access is not limited to any required minimum
retention period if the records are still being retained and have not been
disposed at the time of the request. (3) All information and
records concerning an applicant, a recipient, or a former recipient must be
safe guarded from release as specified by applicable state and federal law and
regulations, including, but not limited to, rules 5101:1-1-03, 5101:4-1-13, and
5160-1-32 of the Administrative Code, and section 5101.27 of the Revised Code,
and are subject to all applicable intercounty transfer requirements, including,
but not limited to, rules 5101:1-1-13 and 5101:4-8-19 of the Administrative
Code. (4) All public records as
defined in division (A)(1) of section 149.43 of the Revised Code must also be
made available for inspection or copying to any person at all reasonable times
during regular business hours, as specified in division (B) of section 149.43
of the Revised Code. (5) Each county family
services agency and local area shall maintain its records in such a manner that
the agency can fulfill its records access obligations promptly and
efficiently. (I) Each county family services agency
and local area shall obtain approval from the county records commission before
destruction of any records in accordance with section 149.38 of the Revised
Code. Pursuant to section 149.38 of the Revised Code, the county records
commission approval must in turn be reviewed by the Ohio history connection,
and upon completion of the Ohio history connection's review of the request
to dispose the records, the auditor of state must approve or disapprove the
request. (J) After permission to destroy the
records has been obtained, each county family services agency and local area
shall follow the requirements established by the county records commission for
disposal of county records. (K) Notwithstanding the provisions in
this rule, each county family services agency and local area shall continue to
follow any minimum applicable ODJFS, state, and federal records retention
requirements requiring a longer minimum retention period than the general
three-year retention period stated in paragraph (E) of this rule, such as
children services case records retention requirements set forth in rule
5101:2-33-23 of the Administrative Code, and any other program-specific records
retention requirements established by other state or federal law, unless
directed to comply with the minimum records retention requirements provided in
this rule. (L) The retention, destruction and access
provisions adopted or established by a local area pursuant to this rule will
apply to every workforce development agency within that local
area.
Last updated April 3, 2023 at 8:35 AM
|
Rule 5101:9-9-21.1 | Public assistance records: retention periods.
(A) The following definitions are
applicable to this rule: (1) "Inactive
records" means closed case files, where the assistance group
(AG): (a) Is no longer receiving benefits; (b) Has no pending administrative action, hearing or appeal;
and (c) The county agency no longer has a legal duty to act on the
case. (2) "Public
assistance record" means any record maintained in a case file related to
an Ohio works first (OWF), food assistance, prevention, retention, and
contingency (PRC), disability financial assistance, or refugee cash assistance
group (AG). (3) "Record"
has the same meaning as defined in section 149.011 of the Revised
Code. (B) The minimum retention period for
public assistance records is seven years, except as provided in paragraphs (C)
and (D) of this rule. (C) The following records may not be
destroyed while the AG is active, and must be maintained for a minimum of three
years from the date the AG becomes inactive: (1) Enumeration
verifications; (2) Application forms and
verifications that established initial program eligibility; and (3) Documents that
establish eligibility factors such as incapacity, limiting physical factors,
and eligibility for supplemental security income (SSI). (D) Notwithstanding the requirements
outlined in rule 5101:4-1-05 of the Administrative Code, any records existing
in the AG file on the date the AG becomes inactive must be maintained for a
minimum of three years from the date the AG becomes inactive, regardless of the
age of the records. (E) Rule 5101:4-1-05 of the
Administrative Code governs the retention of food assistance records and must
be followed in conjunction with the requirements of this rule. (F) Counties that wish to selectively
destroy documents from public assistance AG records in accordance with the
requirements of this rule must specify the retention periods of the affected
documents on the appropriate retention schedules.
Last updated April 3, 2023 at 8:35 AM
|
Rule 5101:9-9-25 | Federal tax information safeguarding procedures.
Effective:
October 4, 2021
(A) Federal tax information (FTI):
definition, usage limitations and notification, and
non-disclosure. (1) FTI is any return or
return information received from the internal revenue service (IRS) or
secondary source, such as the social security administration (SSA), federal
office of child support enforcement, or U.S. department of the treasury -
bureau of the fiscal service, and also includes any information created and/or
maintained by the Ohio department of job and family services (ODJFS) or a
county agency that is derived from these sources. (2) FTI is provided to
federal, state, and local agencies by the IRS or the SSA for use in the cash
assistance, food assistance, unemployment compensation, and child support
programs as authorized by the Internal Revenue Code, and is provided solely for
the purpose of performing the responsibilities of each program. (3) 26 U.S.C. 6103 (section 6103 of the
Internal Revenue Code) limits the usage of FTI to only those purposes
explicitly defined. The IRS office of safeguards requires advance notification
(at least forty-five days) prior to implementing certain operations or
technological capabilities that require additional uses of the FTI, such
as: (a) Contractor access; (b) Cloud computing; (c) Consolidated data center; (d) Data warehouse processing; (e) Non-agency-owned information systems; (f) Tax modeling; (g) Test environment; and (h) Virtualization of IT systems. (4) Disclosure of FTI to any contractor
is not permitted unless the agency notifies the IRS office of safeguards, in
writing, per the IRS forty-five day notification reporting requirements and
obtains approval prior to re-disclosing FTI to a specifically noted
contractor. (5) FTI associated with the treasury
offset program (TOP) may not be disclosed to any contractor for any purpose,
except for limited child support enforcement purposes, as specified in IRS
publication 1075, "Tax Information Security Guidelines for Federal, State,
and Local Agencies." (B) Confidential personal information
(CPI) is defined in section 1347.15 of the Revised Code, and does include FTI,
but FTI must meet additional safeguards as outlined by the IRS. (C) Safeguarding procedures and controls
ensure the confidential relationship between the taxpayer and the IRS.
Safeguarding procedures and controls are derived from IRS publication 1075,
prepared and updated by the IRS. (D) The IRS conducts on-site safeguard
reviews of ODJFS safeguard controls, at a minimum once every three years, which
includes an evaluation of the use of FTI and the measures employed by the
receiving agency to protect the data. An independent internal inspection of
specific offices within ODJFS is required every eighteen months. In addition,
periodic independent internal inspections of all local offices must be
conducted to ascertain if the safeguarding controls that are in place meet the
requirements of IRS publication 1075. Offices to be inspected include, but are
not limited to those referenced in paragraph (A)(2) of this rule. Periodic
inspections conducted by program offices of local offices occur every three
years. A record will be made of each inspection, citing the findings
(deficiencies) as well as recommendations and corrective actions to be
implemented where appropriate. (E) All program offices and their
respective local agencies must ensure procedures are implemented governing the
safeguarding of FTI as defined by IRS publication 1075. Procedures must be
updated to reflect any significant program changes. (F) Per section 6103 of the Internal
Revenue Code, all agencies receiving FTI are required to provide a disclosure
awareness training program for their employees and contractors. Disclosure
awareness training is described in detail within IRS publication 1075.
Employees and contractors must maintain their authorization to access FTI
through annual training and recertification. Prior to granting an agency
employee or contractor access to FTI, each employee or contractor must certify
his or her understanding of the IRS's and the agency's security
policy and procedures for safeguarding IRS information. Employees must be
advised of the provisions of sections 7431, 7213, and 7213A of the Internal
Revenue Code regarding the "Sanctions for Unauthorized Disclosure"
and the "Civil Damages for Unauthorized Disclosure." Agencies must
also comply with the requirements of rule 5101:9-9-25.1 of the Administrative
Code. (G) Additional FTI safeguarding
procedures. (1) FTI must be
maintained separately from other information to the maximum extent possible to
avoid inadvertent disclosures and to comply with the federal safeguards
required by paragraph (p)(4) of section 6103 of the Internal Revenue Code.
Agencies with FTI must also comply with all other requirements of paragraph
(p)(4) of section 6103 of the Internal Revenue Code. (2) All information
obtained from the IRS must be safeguarded in accordance with the safeguarding
requirements of paragraph (p)(4) of section 6103 of the Internal Revenue Code,
as described in IRS publication 1075. (H) Prohibition against public disclosure
of safeguards reports and related communications. (1) ) Safeguards reports
and related communications, such as IRS official agency records that are the
property of the IRS, and IRS records that are subject to disclosure
restrictions under federal law and IRS rules and regulations, may not be
released publicly under state sunshine or information sharing/open records
provisions. Release of any IRS safeguards document requires the express
permission of the IRS. Requests received through sunshine and/or information
sharing/open records provisions must be referred to the federal Freedom of
Information Act (FOIA) statute for processing. State and local agencies
receiving such requests should refer the requestor to the instructions to file
a FOIA request with the IRS. Additional guidance may be found at:
http://www.irs.gov/uac/IRS-Freedom-of- Information and questions should be
referred to the safeguards mailbox at Safeguardreports@irs.gov. (2) If it is determined
that it is necessary to share safeguarded IRS documents and related
communications with another governmental function/branch for the purposes of
operational accountability or to further facilitate protection of federal tax
information, the recipient governmental function/branch must be made aware, in
unambiguous terms, that the documents and related communications: (a) Are the property of the IRS; (b) Constitute IRS official agency records; and (c) Are subject to disclosure restrictions under federal law and
IRS rules and regulations.
Last updated October 4, 2021 at 8:18 AM
|
Rule 5101:9-9-25.1 | County agency federal tax information safeguarding procedures.
Effective:
October 4, 2021
(A) This supplemental rule provides
general guidance to county agencies on the safeguarding of federal tax
information (FTI), with the exception of child support enforcement agencies,
which are required to comply with the requirements of rule 5101:12-1-20.2 of
the Administrative Code. Individual program offices may, at their discretion,
establish additional rules and/or additional training programs. County agencies
should consult their respective program office for additional information
regarding the safeguarding of FTI. (B) Required employee awareness
training: Each county agency must provide disclosure
awareness training to employees and contractors in accordance with guidelines
set forth in internal revenue service (IRS) publication 1075, "Tax
Information Security Guidelines for Federal, State and Local Agencies."
Employees and contractors must maintain their authorization to access FTI
through annual training and recertification. Prior to granting an agency
employee or contractor access to FTI, each employee or contractor must certify
his or her understanding of the IRS's and the agency's security
policy and procedures for safeguarding IRS information. Employees must be
advised of the provisions of sections 7431, 7213, and 7213A of the Internal
Revenue Code regarding the "Sanctions for Unauthorized Disclosure"
and the "Civil Damages for Unauthorized Disclosure." The disclosure
awareness training records must be maintained for a minimum of five years or in
accordance with the agency's applicable records retention schedule,
whichever is longer. (C) Proper record keeping of
FTI: County agencies must keep records detailing
internal requests for FTI by agency employees as well as requests received from
outside of the agency, except for child support enforcement agencies, which are
required to follow rule 5101:12-1-20.2 of the Administrative Code. A tracking log must be used to record all
movement, storage, and destruction of both electronic and non-electronic FTI
received by the agency from the IRS. The data elements of the tracking log
shall comply with the guidelines set forth in IRS publication 1075 and those
provided by the applicable ODJFS program office. FTI must not be recorded on
any tracking log. The logs must be maintained for a minimum of five years or in
accordance with the agency's applicable records retention schedule,
whichever is longer. (D) Secure storage and handling of
FTI: (1) FTI must be handled
in such a manner that it does not become misplaced or available to unauthorized
staff. When not in use, FTI must be secured via the required two barrier
minimum pursuant to the "Minimum Protection Standards (MPS)" section
of IRS publication 1075. Refer to table 3 in section 4.2 of IRS publication
1075 for further guidance. (2) Minimum protection
standards establish a uniform method of physically protecting data and systems
as well as non-electronic forms of FTI. Local factors may require additional
security measures, therefore, local county management must analyze local
circumstances to determine location, container, and other physical security
needs at individual facilities. The MPS have been designed to provide
management with a basic framework of minimum security requirements. The
objective of these standards is to prevent unauthorized access to FTI. MPS
requires two barriers. Examples of two barrier minimum under the concept of MPS
are outlined in IRS publication 1075. (3) FTI should not be
filed in areas used by employees not authorized to have access to FTI such as
areas used for breaks, food preparation or any similar facilities. FTI files
should not be maintained in areas that allow clients access. However, when this
is not practical, caution must be exercised by the agency pursuant to the
"Minimum Protection Standards (MPS)" section of IRS publication 1075.
Refer to table 3 in section 4.2 of IRS publication 1075 for further
guidance. (E) Restricting access to
FTI: Access to file storage areas that contain FTI
must be limited to the absolute minimum number of employees necessary. The
following measures should be followed to adequately restrict access to the file
storage areas containing FTI: (1) Except where the
state program office maintains records on access and training, a current list
of employees who are authorized to have access to FTI shall be maintained by
the county agency. (2) Warning signs must be
posted to identify restricted access areas and to give notice of the potential
consequences for unauthorized disclosure or inspection of FTI. (3) Cleaning, building
inspections or maintenance of secured areas containing FTI, must be performed
in the presence of an employee authorized to access FTI. An exception to this
rule is during non-duty hours, when cleaning, inspection or maintenance
personnel need access to locked buildings or rooms. This may be permitted as
long as there is a second barrier to prevent access to FTI. Access may be
granted to a locked building or a locked room if FTI is in a locked security
container. If FTI is in a locked room but not a locked security container then
access may be granted to the building but not the room. (4) Each agency shall
control physical access to areas where systems or files containing FTI are
housed. The agency shall issue authorization credentials, including badges,
identification cards, or smart cards pursuant to section 4.3.2 of IRS
publication 1075. (5) Access to file areas
that contain FTI must be restricted to agency employees who have an established
security profile that identifies the class-level and role-based rights that
necessitate authorizing the employee to have such access. (6) The location and
physical layout of the file storage area should be such that unnecessary
traffic is avoided. (7) A visitor sign
in/sign out log must be maintained and must be inspected at least monthly by
agency security personnel. The data elements contained on the log must meet the
guidelines outlined in IRS publication 1075. (8) Keys to the files
must be issued only to agency employees authorized to enter the secured
area. (9) If possible, security
staff should be agency employees. Only authorized employees, or escorted
individuals supervised by authorized employees, may have access to areas where
FTI is located during working and nonworking hours. (10) All records
containing FTI, either open or closed, must be safeguarded pursuant to IRS
publication 1075. FTI should not be commingled within any information system or
within any physical files and documents. When commingling of agency
documentation data and FTI is unavoidable, FTI must be labeled pursuant to IRS
publication 1075, and access must be restricted to only authorized
personnel. (F) Proper disposal of FTI: (1) Users of FTI are
required by the Internal Revenue Code to take certain actions after using FTI,
to protect its confidentiality. When FTI is no longer useful, agency officials
and employees must either return the information, including any copies made, to
the office from which it was originally obtained or destroy the
FTI. (2) An agency electing to
return IRS information must use a receipt process and ensure that
confidentiality is protected at all times during transport. (3) FTI (non-electronic)
furnished to any authorized agency employee or user and any paper material
generated therefrom, such as copies, photo impressions, computer printouts,
notes, and work papers, must be destroyed pursuant to IRS publication 1075
directives. (4) FTI (electronic)
stored in electronic format (e.g., hard drives, tapes, CDs, flash media, etc.)
must be destroyed and/or disposed of pursuant to IRS publication 1075
directives. Electronic media containing FTI must not be made available for
reuse by other offices or released for destruction without first being
subjected to electromagnetic erasing (media sanitization). (5) For county agencies,
programs and records where contractors are permitted to be used, any
destruction, sanitization, and/or disposal of FTI by a contractor must be
witnessed by an agency official or employee. FTI destroyed or sanitized,
pursuant to sections 8.0 to 8.4 of IRS publication 1075, is no longer
considered FTI and can be disposed of in any manner the agency deems
appropriate. (G) Computer security
controls: If any local agency office stores FTI within a
county owned information system, they must: (1) Ensure the required
agreements with ODJFS and the IRS have been established pursuant to IRS
publication 1075. (2) Ensure the local
agency office's required policies, procedures, and information system meet
the minimum computer system security controls detailed in IRS publication
1075.
Last updated October 4, 2021 at 8:18 AM
|
Rule 5101:9-9-26 | Safeguarding federal tax information (FTI) using background investigations.
(A) Definitions used in this
rule. (1) "Federal Tax
Information" (FTI) is any return or return information received from the
internal revenue service (IRS), or secondary source, such as the social
security administration (SSA), federal office of child support enforcement
(OCSE), or U.S. department of the treasury, including the bureau of the fiscal
service, centers for medicare and medicaid services (CMS) and also includes any
information created and/or maintained by the Ohio department of job and family
services (ODJFS) or a county agency that is derived from these
sources. (2) "Return and
Return Information." A return is any tax or information return, estimated
tax declaration, or refund claim (including amendments, supplements, supporting
schedules, attachments or lists) required by or permitted under the internal
revenue code (IRC) and filed with the IRS by, on behalf of, or with respect to
any person or agency. Return information includes: (a) The potential liability of any person under the IRC for any
tax, penalty, interest, fine, forfeiture, or other imposition or
offense. (b) The taxpayer's name, address and identification
number. (c) Personally identifiable information (PII),
including: (i) The name of a person
with respect to whom a return is filed. (ii) The taxpayer mailing
address. (iii) The taxpayer
identification number. (iv) Email
addresses. (v) Telephone
number(s). (vi) Social security
number(s). (vii) The date and place
of birth. (viii) The mother's
maiden name. (ix) The biometric data
(e.g. height, weight, eye color, fingerprints). (x) Bank account information. (xi) Any combination of the PII identified in this
paragraph. (3) "County
Agency" means the county department of job and family services, the public
children services agency, and the child support enforcement agency. This
definition is intended to be the same as "County Family Services
Agency" used in section 307.981 of the Revised Code. (4) "County Agency
Contractor" means any governmental or non-governmental entity, which can
include an individual, that receives funds from the county agency, whether
directly or indirectly, to provide services, assistance, or benefits to
individuals or that performs duties or activities for the county agency
pursuant to a contract, grant, or other agreement. County agencies authorized
to receive FTI to administer temporary assistance for needy families (TANF),
supplemental nutrition assistance program (SNAP) and medicaid are prohibited
from contracting for services that allow disclosure of or access to FTI in
those programs. (5) A "final
candidate" is an individual, whether or not currently employed by a county
agency, who has submitted an application for employment at the county agency
and who has received an offer of employment conditioned upon a favorable
adjudication of an FBI and BCI fingerprint background check. (B) Safeguarding FTI using background
investigations; general provisions. (1) All final candidates,
current employees, current and prospective intermittent employees, county
agency contractors/contract employees, subcontractors, or temporary service
personnel that have access to or use FTI shall be subject to a background check
that meets the requirements of IRS publication 1075, "Tax Information
Security Guidelines for Federal, State and Local Agencies." Once an
initial background check has been successfully completed and the final
candidate, current employee, current or prospective intermittent employee,
county agency contractor/contract employee, subcontractor, or temporary service
personnel is found to be suitable for access to FTI, reinvestigation shall
occur at least every five years, at a minimum, from the date it was initially
determined that the individual is suitable for access to FTI, if remaining in a
position with access to FTI. (2) Effective September
30, 2019, to maintain access to systems containing FTI, all current employees,
intermittent employees, county agency contractors/contract employees and
temporary service personnel that have access to or use FTI shall have submitted
to an FBI and BCI fingerprint background check. (3) Effective October 1,
2019, prior to being granted access to FTI, all final candidates, prospective
intermittent employees, prospective county agency contractors/contract
employees, subcontractors, and prospective temporary service personnel shall
complete an FBI and BCI fingerprint background check and investigation that is
favorably adjudicated in accordance with the written policy developed by the
county agency pursuant to paragraph (B)(5) of this rule. (4) Effective December
31, 2019, to maintain access to systems containing FTI, all current employees,
intermittent employees, county agency contractors/contract employees,
subcontractors, and temporary service personnel that have access to or use FTI
shall have submitted to an FBI and BCI fingerprint background check and
investigation that is favorably adjudicated in accordance with the written
policy developed by the county agency pursuant to paragraph (B)(5) of this
rule. (5) Effective September
3, 2019, county agencies shall develop a written policy requiring all final
candidates, employees, current and prospective intermittent employees, county
agency contractors/contract employees, subcontractors, and temporary service
personnel with access to FTI to submit to an FBI and BCI fingerprint background
check and investigation that is favorably adjudicated. (6) Background investigations conducted
by the county agencies for final candidates, employees, current and prospective
intermittent employees, county agency contractors/contract employees,
subcontractors, and temporary services personnel who are or will be granted
access to FTI shall include, at a minimum: (a) FBI finger printing (FD-258), a review of federal bureau of
investigation (FBI) fingerprint results conducted to identify possible
suitability issues. (b) Ohio bureau of criminal investigation (BCI) finger printing,
a review of the BCI fingerprint results conducted to identify possible
suitability issues. (c) Citizenship/residency. Validate the individual's
eligibility to legally work in the United States (e.g., a United States citizen
or foreign citizen with the necessary authorization.) (C) Safeguarding FTI using background
investigations; policy guidance. (1) County agencies are
required to have a policy that requires final candidates, employees, current
and prospective intermittent employees, county agency contractors/contract
employees, subcontractors, and temporary services personnel, who will use or
have access to FTI to complete an FBI and BCI fingerprint background check and
investigation that is favorably adjudicated. This policy will identify the
process, steps, timeframes, and favorability standards that the county agency
has adopted. The policy shall establish the criteria upon which final
candidates, employees, current and prospective intermittent employees, county
agency contractors/contract employees, subcontractors, and temporary services
personnel, would have access to FTI denied or withdrawn. County agencies may
use ODJFS' model background check policy, as outlined in the appendix to
this rule, or design their own substantial equivalent. (2) A county agency shall
identify in its policy any criminal convictions that may disqualify final
candidates, employees, current and prospective intermittent employees, county
agency contractors/contract employees, subcontractors, and temporary services
personnel from having access to FTI based upon the criminal record, the nature
of the duties of the position held or applied for, and the nature of the access
to FTI. County agencies should consult, at a minimum, sections 2921.02,
2921.41, 2921.43 and 2961.02 of the Revised Code, when identifying potentially
disqualifying offenses. (3) A county agency shall
set forth in its policy or procedure the factors it will consider when
determining if an individual with a criminal record should be adjudicated
favorably. Factors that county agencies may want to consider are: (a) Relationship of the criminal record to access to the type of
FTI used or accessible in the position. (b) Nature of work to be performed. (c) The time that has lapsed since the conviction. (d) The age of the individual at the time of the
offense. (e) The seriousness and specific circumstances of the offense,
including the type of harm that the individual caused, and/or the legal
elements involved in the specific crime committed. (f) The number of offenses on the criminal record. (g) Whether the individual has pending charges. (h) Any evidence of rehabilitation or contrition. (i) Any other relevant information, including that submitted by
or on behalf of the individual, or other information obtained by the county
agency. (4) A county agency shall
set forth in its policy or procedure the notification, appeal, and final
determination process that it will offer to final candidates, current and
prospective employees, intermittent employees, county agency
contractors/contract employees, subcontractors and temporary service personnel,
for those with convictions who are not favorably adjudicated as being eligible
for access to FTI. (D) Remedial action. A county agency found to have failed to conduct
background investigations in accordance with this rule and IRS publication
1075, or who has failed to create a policy as described in paragraph (B) of
this rule, shall be notified of these failures by ODJFS in writing within
thirty days after completion of the investigation or review. Any action taken
by ODJFS to bring the county agency into compliance with this rule and IRS
publication 1075 shall be done pursuant to section 5101.24 of the Revised Code.
Examples of remedial action include corrective action plans or the withholding
of funds. The county agency is responsible to ensure that county agency
contractors or subcontractors that currently have or will have access to FTI or
who provide contract employees to county agencies who currently have or will
have access to FTI to secure FBI and BCI fingerprint checks that are favorably
adjudicated. ODJFS may take action against the county agency pursuant to
section 5101.24 of the Revised Code if the county agency fails to obtain
compliance by the county agency contractor.
View Appendix
Last updated April 3, 2023 at 8:35 AM
|
Rule 5101:9-9-29 | Ohio department of job and family services (ODJFS) audit function.
(A) "Auditing" is the
systematic application of procedures to compare historical data to established
criteria to prepare an attestation as to the degree of correspondence between
the two. (B) "Historical data" consists
of management representations, either explicit or implicit. Management
representations include, but are not limited to: (1) Representations as to
characteristics of information such as completeness or accuracy. (2) The occurrence or
non-occurrence of transactions or events. (3) The existence or non-existence of tangibles,
intangibles, rights and obligations. (4) The valuation or allocation of tangibles and
intangibles. (5) Rights and obligations. (6) Compliance or non-compliance with laws or
regulations. (7) Operational characteristics. (C) "Criteria" may be financial
or non-financial. Applicable criteria may include, but are not limited
to: (1) Accounting and auditing standards and
principles. (2) State, federal and local laws, regulations,
administrative rules, ordinances and court opinions. (3) Generally accepted principles of accounting and
administrative control. (D) "Person" means an
individual, corporation, business trust, estate, trust, partnership, or
association as used in any statute, unless another definition is used in such
statute or a related statute. (E) "Public office" means any
state agency, public institution, political subdivision, or other organized
body, office, agency institution, or entity established by the laws of this
state for the exercise of any function of government. (F) Audits performed by ODJFS include,
but are not limited to: (1) Any examinations or
review of books, records or any other evidence relating to the collection,
receipt, accounting for use, claim, or expenditure of state or federal funds
received from or through ODJFS. (2) Any examination or
review to determine whether any person, public office, vendor, sub-recipient,
or provider of goods or services to ODJFS has complied or is in compliance with
the federal statute or regulation, state statute or administrative rule,
ordinances, or orders pertaining to the collection, receipt, accounting for,
use, claim or expenditure of state or federal funds from or through
ODJFS. (3) Any examination or
review of any person, public office, vendor, sub-recipient, or provider of
goods or services to ODJFS; collecting, receiving, accounting for using,
claiming, or expending state or federal funds from or through ODJFS; or
submitting to the department data which serves as the basis for funding from or
through the department. (4) Any financial
statement, financial-related, performance, economy and efficiency, or program
results audits of organizations, agencies, programs, activities, or functions
under the authority, aegis, or oversight of ODJFS. (5) Any examination,
review, investigation, or financial statement, financial-related, performance,
economy and efficiency, or program results audits required or intended to
address federal or state audit, monitoring, or review
requirements. (G) ODJFS may perform or provide for the
performance of any audits within the scope of this rule. The timing, frequency,
scope, and objectives of audits may vary with ODJFS' assessment of audit
needs and the available resources of ODJFS. (H) ODJFS may develop and implement
policies and procedures at variance with the provisions of this rule as
necessary to comply with the requirements of federal statute or regulation, or
state statute or administrative rule. (I) For the purpose of audits performed
by or provided by ODJFS, auditees must maintain documentation conforming to all
requirements prescribed by ODJFS, federal statute or regulation and state
statute or administrative rule. Auditees must prepare and maintain
documentation to support all transactions and to permit the reconstruction of
all transactions and the proper completion of all reports required by state and
federal law and regulations, and which substantiates compliance with all
applicable federal statutes or regulations, state statutes or administrative
rules. (J) Auditees must make available to ODJFS
personnel all records necessary to document all transactions. Records must
include sufficient detail to disclose: (1) Services provided to
program participants. (2) Administrative cost
of services provided to program participants. (3) Charges made and
payments received for items identified in paragraphs (J)(1) and (J)(2) of this
rule. (4) Cost of operating the
organizations, agencies, programs, activities, and functions. (K) Auditees must maintain adequate
systems of internal control to ensure: (1) Accurate and reliable
financial and administrative reports. (2) Efficient and
effective use of resources. (3) Compliance with laws
and regulations. (L) Audits performed by other public or
private audit organizations on behalf of ODJFS will be reviewed and released by
ODJFS. Audit reports for audits performed by ODJFS or by other public or
private audit organizations on behalf of ODJFS may be the basis for action by
ODJFS as authorized by federal statute or regulation, state statute or
administrative rule, including, but not limited to, section 5101.24 of the
Revised Code. (M) A certified copy of any portion of
any audit report released by ODJFS containing factual information is prima
facie evidence of the facts contained therein for the purpose of any
administrative appeal or proceeding. (N) At the conclusion of an audit, ODJFS
will normally conduct an exit conference with the auditee. However, an exit
conference is not required where the auditee fails to respond, within a
reasonable period of time, to a request by ODJFS to schedule an audit, where an
audit conference would impair, impede, or otherwise threaten the ability of
ODJFS to satisfy legal requirements that it supervise the auditee or direct
compliance with state and federal law, or where the subject matter of the audit
is currently the subject of another state or federal audit or criminal
investigation. Objectives of exit conferences include: (1) To provide ODJFS with
an opportunity to present the results of the audit and obtain the response of
the auditees. (2) To provide the
auditee with an understanding of the audit findings. (3) To obtain relevant
information with respect to issues raised by the audit. ODJFS will evaluate any written response of an
auditee and will consider whether the proposed audit report should be revised
based upon the response. When an auditee submits a written response and ODJFS
concludes that no revision of the draft audit report is appropriate or
warranted, the response shall be attached to or summarized in the final
report.
|
Rule 5101:9-9-37 | Data system security.
The following requirements ensure the security of
departmental data and must be followed by all county and state employees
(hereafter referred to as 'user' or 'users') who access
data systems maintained by the office of information services (OIS) and the
Ohio department of job and family services (ODJFS) via the private or public
network. (A) Users are responsible for system
inquiries and activities executed with their system user identification
(USER-ID, also know as an Ohio ID, or OH|ID.) (B) Users shall follow DAS password
standards found at
https://das.ohio.gov/portals/0/dasdivisions/employeeservices/pdf/das-its-2100-01-a
das password standard organizational users.pdf. (C) A terminal or personal computer must never be left
unattended or unsecured when logged onto the ODJFS network or
device. (D) Only the files or information that are required to
perform one's own job duties, shall be accessed. (E) Users must comply with all items included on the user
attestation, JFS 07078 " Code of Responsibility" form, and review and
sign, electronically, on an annual basis. (F) An original signed (physical or electronic) JFS 07078
hardcopy form, or digital JFS 07078 submission must be submitted to ODJFS with
every county request for a USER-ID or user access to the OIS and ODJFS
networks. (G) The JFS 07078 (paper or digital form) is required for
every new user accessing the system, and for making changes to an existing
user's access. (H) Counties must not modify the JFS 07078
form. (I) County users shall also abide by the
data security provisions contained in IPP 3001 found at
ipp.odjfs.state.oh.us/IPP03000/.
Last updated July 1, 2021 at 11:10 AM
|
Rule 5101:9-9-38 | County electronic data usage.
Effective:
November 1, 2020
(A) As used in this rule, "county
family services agency" means a county department of job and family
services, public children services agency, child support enforcement agency, or
other entity designated by a board of county commissioners in accordance with
section 307.981 of the Revised Code. (B) The county family services agency
shall not download, match, scrape or extract data, or data elements from any
Ohio department of job and family services (ODJFS) system(s) where the data
owner is the internal revenue service (IRS), social security administration
(SSA) or other state or federal entity, without obtaining express written
permission from the data owner, for the download, match, scrape or data
extract. ODJFS can only authorize the download, scrape or extract of data where
ODJFS is the data owner. (C) Excluding the data and data elements
described in paragraph (B) of this rule, the following are permissible uses of
ODJFS systems including but not limited to SETS, Ohio benefits, SACWIS, OWCMS,
and CCIDS: (1) A county family
services agency employee may download, match, scrape or extract data from an
ODJFS system to perform duties directly related to or required by his or her
job functions or duties, but only if such job functions or duties are directly
related to administration of programs overseen by ODJFS for which the county
family services agency is responsible for administering on behalf of ODJFS.
This includes utilizing data to fulfill federal or state program-related audit
requirements, to the extent necessary and appropriate. (2) A person or third
party under contract with a county family services agency may download, match,
scrape or extract data from an ODJFS system if: (a) It is directly related to or required for
administration of program(s) overseen by ODJFS, which the county family
services agency is responsible for administering on behalf of
ODJFS; (b) The contract requires, at a minimum, that the
contractor comply with the same confidentiality and data security provisions to
which ODJFS and the county family services agency are subject;
and, (c) The county family services agency assumes full legal
and financial responsibility, including for any litigation or adverse federal,
state, or county audit findings resulting from the contractor's use,
management, misuse or mismanagement of the data. (d) Except as prohibited by law, nothing in paragraph
(C)(2)(c) of this rule shall prevent the county family services agency from
seeking and obtaining payment or other compensation or relief from its
contractor, either as set forth in the county family services agency's
contract with its contractor, or by way of legal, administrative, or other
action. (3) Any download, match, scrape or extraction of data under
paragraph (C) of this rule shall be in compliance with data security
requirements contained in rule 5101:9-9-37 of the Administrative Code and all
other applicable federal and state confidentiality laws. (D) Except when specifically authorized
by paragraph (C) of this rule, a county family services agency shall obtain the
written approval of ODJFS prior to performing or authorizing any person or
entity to perform any download, match, scraping or extraction of data from
ODJFS systems that is migrated to a computer system, data base or application
not under the control of ODJFS. To obtain approval from ODJFS, the county
family services agency shall utilize the following procedure: (1) The director of the
county family services agency or designee shall submit a data request, as
outlined in ODJFS "Internal Policy and Procedure 3002 Data Stewardship and
Managing Data Requests," to the ODJFS deputy director who is responsible
for authorizing the use of the data. The county family services agency's
request must identify: (a) The specific data being sought; (b) The business use of the data; (c) The dates during which the data usage will be in
effect; (d) Why the data access through existing state supported
reporting software does not address the county's needs; (e) Any potential impact upon ODJFS systems; (f) The technical details involved; (g) Each entity that exercises control over the computer
system, application, or data base to which the data will be migrated;
and (h) The data security controls that will be used by the
county agency, including the completion of a "Privacy Impact
Assessment" (PIA), as required by section 1347.15 of the Revised Code,
when data is migrated to a computer system, data base or application not under
the control of ODJFS. (2) The authorizing ODJFS
deputy director, in conjunction with the ODJFS chief legal counsel and ODJFS
chief information officer, or their designees, will review the county family
services agency request to determine the appropriateness, feasibility, and
legality of the request. ODJFS may opt to have a representative from the
requesting county family services agency explain the request and answer any
questions from ODJFS, including but not limited to, technical, legal,
programmatic or confidentiality issues. (3) ODJFS will provide a
tentative approval or disapproval within sixty days of the receipt of the
county family services agency request, as well as ODJFS' receipt of any
additional information it needs to make a tentative decision. Final approval
does not occur until the supporting documentation, including the proposed
"Data Sharing Agreement" (DSA) and completed PIA is reviewed by ODJFS
and the authorizing deputy director notifies the county family services agency
of the decision in writing. (4) If the county family
services agency data request is approved by ODJFS, the county family services
agency must execute the DSA with any entity receiving and/or accessing the
data. The DSA shall: (a) Specify the dates during which the DSA will be in
effect, which shall not be longer than two years, subject to
renewal. (b) Identify the data, business use(s) of the data,
technical details, and the responsibility of the county family services agency
to ensure that all federal and state data security and confidentiality
requirements are met. (c) Not be effective prior to the date that it is signed by
both the county family services agency representative and any participating
entity. (5) If the county family
services agency wants to change any provisions of the original request,
including the business use of the data and/or the computer system, data base or
application not under the control of ODJFS to which the data is being migrated,
the county family services agency shall seek approval of the changes from
ODJFS, following the requirements in paragraphs (D)(1) to (D)(4) of this rule.
No changes are permitted until ODJFS approves the request.
|
Rule 5101:9-9-39 | ODJFS systems access and disclosures.
Effective:
August 18, 2016
(A) Pursuant to federal and state law,
and subject to rules 5101:9-22-15 and 5101:9-22-16 of the Administrative Code,
the Ohio department of job and family services (ODJFS) may access and disclose
information contained in systems controlled or maintained by the department, or
controlled and maintained for the benefit of the department. (B) The department's access and disclosure shall be in
furtherance of ODJFS program administration, and such disclosure may be subject
to a written agreement. (C) Program administration includes, but is not limited to,
ODJFS federal reporting and oversight requirements. (D) Any release of information shall preserve the
confidential nature of the information.
|