[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Draft Privacy Rulemaking- Vermont
Folks:
While I understand that most folks on this list are preoccupied with the
Leahy-Bennett bill before congress, I would like to ask those with expertise
in this field to read and reply/comment on this proposed rule which is being
developed in Vermont by the Agency of Human Services. Possibly it's easier
to make small progress here in Vermont which could serve as an example. If
you can help find or better yet help plug the holes in this rule, it would
sure be appreciated.
What is unique at this time is the financial carrot which the agency is
trying to eat which they cannot have until the language in the rule is
agreed to between bureaucrats, advocates and lawyers.
One thing the rule does not do is prohibit inter-state matching with human
service client data. This was specifically required by the language in law
directing that this rule be developed.
Thanks in advance.
Stephen Whitaker
privacy advocate
********************Begin_Included_Text************************
Agency of Human Services
Proposed Rules for
Access to Information
I. Definitions
1.1 "Agency" means the Agency of Human Services or any of the
offices, departments or programs that comprise the Agency.
1UE.2 "AHS" means the Vermont Agency of Human Services
1.3 "Client" means an individual or family who is voluntarily
served by a department, office, program, contractor or grantee of
the Agency of Human Services.
1.4 "Contractor" means an individual or entity with whom the
Agency or any of its departments, offices or programs has a
contract to provide personal services.
1.5 "Employee" means any person who works in a fulltime, parttime,
temporary, or contractual position for the Agency or any of
its departments, offices, or programs.
1.6 "Grantee" means an individual or entity with whom the Agency
or any part thereof has a grant to provide personal services.
II. Basic Principles
2.1 Presumption of Confidentiality
All information specific to, and identifying of, individuals
and families is presumed to be confidential and subject to these
standards. Employees shall not disclose the information
unless a specific exception to the presumption applies or the
disclosure is authorized by the client, a court or another
appropriate mechanism.
2.2 Existing Statutes
These rules are not intended to expand or diminish current
provisions in law relating to disclosure of confidential
information.
2.3 Information Collection
Employees shall collect and record only that information
needed to fulfill the goal of serving the client and meeting
administrative or legal requirements.
2.4 Informing Clients
At the initial meeting with each client, or soon thereafter,
employees shall provide the rules for access to information to
the client.
III. Permissible Disclosures
3.1 Client Consent
No information about a client shall be released outside the
Agency without prior consent from the client, unless directly
connected with the administration of a program or necessary for
compliance with federal or state requirements.
3.2 Sharing "Non-identifiable" Information
Information that does not identify a client may be used for
statistical research, forecasting program needs, or other
purposes.
3.3Public Information
Information defined as public by 1 VSA & 317 or other
applicable statute is available to the public. The procedures
in the public records statute shall be followed before public
information is released.
3.4 Information Sharing for Administrative Purposes
Employees may share information which is necessary to
satisfy the agency's administrative obligations. Departments
will develop written agreements limiting the kinds of information
to be shared when programs are jointly administered by different
organizations. No information shall be released to a person or
entity that is out of state, unless directly connected with the
administration of a program or necessary for compliance with
federal or state requirements.
3.5Disclosure Without Consent in Limited Circumstances
Employees must release sufficient information to
comply with mandatory reporting requirements for cases involving
the abuse, neglect, or exploitation of children and persons who
are elderly or who have disabilities. Information may be released
without consent when there is a duty to warn identified
individuals of potential harm to their person or property, in
response to court orders, or, in limited instances, to
investigate or report criminal activity. Only information
relevant to the situation shall be disclosed and the employee
shall document the date and content of the report as well as the
name of the person to whom the information was released.
IV. Procedures Related to Consent
4.1 Obtaining Informed Consent
Prior to releasing confidential information the Agency shall
obtain the client's informed consent. This includes providing
information about consent in a language and format understandable
to the client. Reasonable accommodations shall be made for
special needs based on the individual or family's education,
culture, or disability.
4.2 Consent of Minors to Release of Information
Employees shall obtain the consent of a minor client to
release information concerning treatment for which parental
consent is not required.
4.3 Format for Consent to Share Information
Consent for the sharing or release of information shall
ordinarily be in writing. Required information will include:
1. Names of the people about whom information may be
shared
2.A checklist of the kinds of information to be shared
3.A checklist of the departments within the Agency to
receive the information
4. A statement or date covering expiration of consent
5. A statement about procedures for revoking consent
6. Signature of individuals covered by the consent, or
their parents or guardians if they are younger than 18
7. Signature of the individual explaining the consent
process
A copy of the consent form should be provided to all
signatories.
4.4 Client Access to Records
Employees shall inform clients of procedures to view and
obtain copies of their records. Each department within the
agency shall have written procedures which permit clients to
verify personal information they have provided for accuracy and
completeness and for placing amendments to the information in
their files. Employees shall take reasonable steps to present
records in a form accessible to the client, including but not
limited to large type format or verbal review. A fee not to
exceed the standard cost of copying may be charged for records
exceeding 10 pages.
V.Procedures to Protect Confidentiality
5.1 Staff Training
All AHS employees (full-time, part-time, temporary, and
contractual) and all AHS volunteers and interns, shall be
instructed in these rules. Contractors and grantees of AHS shall
provide the same instruction for their employees, interns, and
volunteers.
5.2 Response to Requests for Information
An employee should not respond to requests from outside the
Agency for information about clients even to acknowledge that the
person is a client, unless authorized. If a client has consented
to or requests that information be released, the employee may
comply with the request.
5.3 Designated Individual
Each agency or department should appoint one or more trained
staff members to be responsible for responding to all requests
for
client information when there is no written consent to release,
and no statutory or administrative authority permitting release
of the
requested information. These individuals shall be specially
trained in maintaining confidentiality. A list of the designated
individuals for each department and office shall be maintained in
the Attorney General's office; Human Services Division.
5.4 Affirmation of Understanding
Employees shall sign an affirmation that they will comply
with these rules. This affirmation shall be part of their
personnel files. Supervisors shall review this affirmation
during annual evaluations.
5.5Written Agreements with Grantees or Contractors
The following assurance, or one similar to it, will be
included in all AHS grants/contracts signed after these rules
have been approved:
[Grantee/contractor] agrees to comply with the requirements
of AHS Rule No. 961 concerning access to information. The
contractor shall require all of its employees to sign the AHS
affirmation of understanding or an equivalent statement.
5.6Client Referrals
When referring a client to another agency for services, if
the referral does not meet the criteria for permissible
disclosures under Section 3.4, the initial agency should
ordinarily obtain the consent of the client for the referral and
alert the receiving agency that confidential client information
accompanies the referral.
5.7 Documentation of Disclosure
Written requests for disclosures of client information shall
be maintained in the client's file if the request does not meet
the definition of a permissible disclosure under Section 3.4.
Employees document any information actually disclosed, along with
the name of the person/agency to whom it was disclosed and the
date of the disclosure.
E. Automated Systems
VI. Computerized Information
6.1 When developing a new computerized data system, the Agency
shall
1. Develop security procedures
2. Instruct staff in the security procedures for the
system
3. Inform clients if a computerized system is being used
4. Establish written agreements with participating
agencies outlining procedures for sharing and
protecting
information.
6.2 Security Procedures
The Agency shall develop protocol to safeguard confidential
client information. Contractors and grantees shall also develop a
protocol or shall adopt the protocol of the Agency. The protocol
shall be designed to safeguard written information, data in
computer systems, and verbal exchange of information. The
protocol shall prohibit unauthorized access to records and
include an appropriate disciplinary process for violations of the
security rules.
6.3 Procedures
Written procedures for implementing these rules shall be
used as the basis for employee instruction and shall be available
for review in the Agency Central Office
The attached document contains proposed screen which will be
developed to protect the new AHS client database This document
is not part of the proposed rule on "Access to Information". It
was developed to visually demonstrate what a future computer
screen could look like.
AID# SOS#
(to be billed for(Do not
complete)
publication costs)
PROPOSED RULE: COVER SHEET
NOTE: File this form and its attachments with the Secretary of
State. You must file an economic impact statement, adopting
page, the text of the proposed rule, and an annotated text
showing changes from existing rules with this cover sheet. You
must also file an incorporation by reference statement if
applicable.
Please complete the following:
1.Title or subject of proposed rule: Access to information
2.Agency: Human Services
3.Concise summary explaining the effect of the rule (150 words
or less): This rule will establish a systematic procedure
for protecting confidentiality, obtaining informed consent,
sharing information, and developing new and secure data
systems across the departments, offices, and programs of the
Agency of Human Services.
4.Statutory authority for this rule: Sec. 2(d) of Act No. 62
of the Acts of 1995
5.Explanation of why this rule is necessary: This rule
provides the standards for protecting confidentiality when
it outlines exchange of information standards and sets
standards for the development of computerized systems
serving more than one department.
6.List of people, enterprises and government entities affected
by this rule: Employees and voluntary clients of the Agency
of Human Services, employees and clients of
grantees/contractors of the Agency.
7.Brief summary of economic impact of this rule: The cost of
building a new prototype computer system capable of
determining eligibility across departments and permitting
voluntary clients to determine which kinds of information
may be shared with which departments or offices is estimated
at $20,000 for the prototype. If this funding comes from
the Capital appropriation it will not have an impact on
direct services.
8.Name, address and phone number of agency contact person for
this rule: David G. Struck, Federal Programs Administrator
Agency of Human Services
103 South Main Street
Waterbury, VT 056710201
(PLEASE COMPLETE THE BACK OF THIS COVER SHEET)
9.Date, time and place of scheduled hearing, if any (no sooner
than 10 days following second publication: December 19,
1995 at 9:00 a.m. in the Agency of Human Services Conference
Room, State Office Complex, Waterbury, Vermont.
10.Deadline for public comments (no earlier than 7 days after
scheduled hearing): December 26, 1995.
CERTIFICATION: AS THE ADOPTING AUTHORITY (see 3 V.S.A. _
801(b)(11) for a definition) OF THIS RULE, I APPROVE THE CONTENTS
OF THIS FILING.
Date(Sign here)
(Type name here please)
ADOPTING PAGE
Note: This form must be filed three time during the rulemaking
process, viz., with the Proposed Rule Cover Sheet, Final Proposal
Cover Sheet, and Adopted Rule Cover Sheet.
Please complete the following:
1.Title or subject of rule: Access to information
2.Agency: Agency of Human Services
3.Agency's reference number, if any: 961
4.This is: X a new rule
an amendment of an existing rule
a repeal of an existing rule
Except for new rules, please give the name of the existing rule
and the date on which it was last amended or adopted:
Note: To satisfy the requirement for an annotated text, an
agency must submit the entire rule in annotated form with the
filings of proposed rules and final proposals. Filing a
paragraph or page of a large rule is not sufficient. Similarly,
if the rules of the agency have been published as part of the
Vermont Administrative Code (VAC), the agency shall file the
annotated text, if possible, using the appropriate page or pages
of the VAC as a basis for the annotated version. New rules need
not be accompanied by an annotated text. Rules which have been
comprehensively revised are also exempted from the requirement
for an annotated text, although a copy of the former rule is
required.
ECONOMIC IMPACT STATEMENT
Note: In completing the economic impact statement, an agency
analyzes the anticipated costs and benefits to be expected from
adoption of the rule. Where this form is insufficient for your
purposes, please use additional sheets.
Please complete the following:
1.Title or subject of rule: Access to Information
2.Agency: Human Services
3.Please list categories of people, enterprises and government
entities potentially affected by this rule and estimate for
each the costs and benefits anticipated. If applicable,
include small businesses, and complete items 4 and 5 on the
back side of this sheet as well. Please be as specific as
possible, giving full information on your assumptions, data
and benefits involved. Costs and benefits can include any
tangible or intangible entities or forces which will make an
impact on life without this rule. This rule will not have
an economic impact on small business or clients. Cost will
be increased by the Agency of Human Services to implement
this rule of $20,000.
(PLEASE COMPLETE THE BACK OF THIS FORM)
4.Please compare the economic impact of the rule with the
economic impact of other alternatives to the rule, including
no rule on the subject or a rule having separate
requirements for small business. N/A
5.Flexibility statement: Please compare the burden imposed on
small business by compliance with the rule to the burden
which would be imposed by alternatives considered in 3
V.S.A._832a. N/A
CERTIFICATION: AS THE ADOPTING AUTHORITY (see 3
V.S.A._801(b)(11) for a definition) OF THIS RULE, I CONCLUDE THAT
THIS RULE IS THE MOST APPROPRIATE METHOD OF ACHIEVING THE
REGULATORY PURPOSE. IN SUPPORT OF THIS CONCLUSION, I HAVE
ATTACHED ALL FINDINGS REQUIRED BY 3 V.S.A._832a.
Date(Sign here)
(Type name here please)
policy.form
********************End_Included_Text************************
Stephen Whitaker
P. O. Box 1331
Montpelier, Vermont
05601-1331
802.479.6118