Statutes, codes, and regulations
Vermont Administrative Code
Agency 13 - AGENCY OF HUMAN SERVICESSubagency 000 - GENERAL
Chapter 002 - CONSUMER INFORMATION AND PRIVACY
Section 13 000 002 - CONSUMER INFORMATION AND PRIVACY

13-002 Code Vt. R. 13-000-002-X

Download
PDF
Current through August, 2024
Section 13 000 002 - CONSUMER INFORMATION AND PRIVACY
Section 1 Definitions
1.1 "Agency" means the Vermont Agency of Human Services or any of its departments, offices, or divisions.
1.2 "Consumer" means an individual or family who is served, voluntarily or involuntarily, by the Agency. A Consumer served by any department, office, division, or program of the Agency, or its Contractors or Grantees, is considered to be a Consumer of the entire Agency.
1.3 "Contractor" means an individual or entity with whom the Agency has a contract to provide services. This rule only applies to such individuals or entities when they are providing these services under the contract.
1.4 "Disclose" or "Disclosure" means a communication of a Consumer's Individually Identifiable Information, an affirmation of another person's communication of Individually Identifiable Information, or an acknowledgment of an individual's status as a recipient of services or benefits, outside the Agency.
1.5 "Employee" means any person who works in a full-time, part-time, or temporary position for the Agency. Volunteers and interns of the Agency are considered Employees and have the same obligations under this rule as Employees.
1.6 "Grantee" means an individual or entity with whom the Agency has a grant to provide services. This rule only applies to such individuals or entities when they are providing these services under the grant.
1.7 "Individually Identifiable Information" means information created or received by the Agency or its Contractors and Grantees that identifies a Consumer, or where there is a reasonable basis to believe the information can be used to identify a Consumer.
1.8 "Inter-Disciplinary Team" means a group of Employees, Contractors, Grantees, or other individuals who are engaged in identifying, coordinating, planning, arranging, and providing support or services to a Consumer in order to carry out the Agency's legal obligations.
1.9 "Need-to-Know" means a Contractor, Grantee, or Employee has an actual need to access the information to perform his or her work on behalf of the Agency.
1.10 "Program Administration" means activities necessary to carry out the operations of the Agency. This consists of establishing eligibility and scope of services and assistance for which a Consumer has applied including the identification and coordination of those services within the Agency and its Contractors and Grantees; planning, arranging, providing, funding, or paying for services and assistance for individuals and families; coordination of benefits; detecting fraud and abuse; engaging in quality control and improvement activities; emergency response or disaster relief, and complying with federal and state legal, reporting, and funding requirements. Program administration is synonymous with agency administration and is bounded by state and federal enactments that require stricter confidentiality.
1.11 "Record" means any item, collection, or grouping of written or electronic information that includes Individually Identifiable Information that is maintained, collected, or used by the Agency, in whole or in part, to make decisions about an individual.
1.12 "Share" or "Sharing" means a communication of a Consumer's Individually Identifiable Information, an affirmation of another person's communication of Individually Identifiable Information, or an acknowledgment of an individual's status as a recipient of services or benefits within the Agency and its Contractors or Grantees when they are performing work on behalf of the Agency.
Section 2 Basic Principles
2.1 Principles of Confidentiality

The respectful treatment of Consumers includes respecting the privacy of their Individually Identifiable Information, while making every effort to meet their needs and assist them to successfully navigate the human services system.

All Individually Identifiable Information is presumed to be confidential and subject to these standards. Employees shall not Disclose the Individually Identifiable Information unless the Disclosure is authorized by the Consumer, a court, or is otherwise permitted or required by law.

Some Individually Identifiable Information is protected by federal and state confidentiality laws that have more rigorous standards which are not preempted by this rule and require informed Consumer consent before Disclosure.

2.2 Disclosures Required or Permitted by Law

This rule is not intended to expand or diminish current provisions in law relating to disclosure of confidential information.

2.3 Information Collection

Employees shall collect and record only the minimum amount of Individually Identifiable Information needed to fulfill the goals of serving the Consumer and meeting administrative or legal obligations.

2.4 Informing Consumers

At the earliest opportunity, Employees, Grantees and Contractors shall provide a Notice of Individually Identifiable Information Practices and explain to each individual or family the confidentiality laws that apply to Agency services. The Contractor's or Grantee's explanation shall include a description of the types of Individually Identifiable Information that may be lawfully used based on the scope of their work on behalf of the Agency and the situations in which a Consumer's consent is needed to permit a Disclosure.

Section 3 Permissible Sharing and Disclosure
3.1 Sharing and Disclosure of Individually Identifiable Information

Except as provided in section 3.2 and for uses of Individually Identifiable Information that are permitted or required by state and federal law, Employees, Contractors and Grantees will ensure written permission or authorization has been obtained to disclose Individually Identifiable Information with non-Agency related service providers who are involved with the Consumer's services prior to Sharing or Disclosing any information.

When the Sharing or Disclosing of information is initiated by Employees or by Contractors and Grantees performing Agency work, the permission or authorization used will contain the required information set forth in this rule in section 4.2, except as otherwise provided by law.

All Sharing and Disclosures made by Employees, Contractors, and Grantees pursuant to Consumer consent shall include only the Individually Identifiable Information necessary for the purposes for which the permission or authorization was given and shall be made only as indicated in the permission or authorization.

Under all circumstances, all Individually Identifiable Information Shared among Employees, Contractors, and Grantees who are involved with providing services to the Consumer, or who administer those services, will be shared only on a Need-to-Know basis.

3.2 Information Sharing for Program Administration

Unless otherwise prohibited or restricted by law, the Agency may Disclose and Share Individually Identifiable Information without consent when required for Program Administration. No Individually Identifiable Information shall be Disclosed to a person or entity, unless directly connected with Agency Program Administration or necessary for compliance with federal or state laws or regulations or pursuant to Consumer permission or authorization.

3.3 Inter-Disciplinary Teams

Members of an Inter-Disciplinary Team may or may not need a Consumer's permission or authorization to share Individually Identifiable Information for the purpose of engaging in identifying, coordinating, planning, arranging, and providing services to a Consumer in order to carry out the Agency's statutory obligations.

Provided no stricter confidentiality laws apply, when the Inter-Disciplinary Team consists only of Employees, Contractors and/or Grantees of the Agency, members of the team are permitted to share Individually Identifiable Information with the team without the permission or authorization of the Consumer.

When an Inter-Disciplinary Team consists of individuals in addition to Employees, Contractors, or Grantees of the Agency, the Employee, Contractor or Grantee members of the team can only Disclose Individually Identifiable Information with the entire team with the permission or authorization of the Consumer.

Specific additional permission or authorization is also needed when stricter confidentiality laws apply such as those related to mental health, HIV, substance abuse, domestic violence, vocational rehabilitation services, or Adult Protective Services.

3.4 "Non-identifiable" Information

Information that does not identify a Consumer may be used for statistical research, reporting, and/or forecasting program needs.

3.5 Public Information

Information defined as public by 1 VSA § 317 or other applicable statute is available to the public. The procedures in the public records statute shall be followed before public information is released.

Section 4 Procedures Related to Sharing or Disclosing Individually Identifiable Information
4.1 Obtaining Informed Permission or Authorization

To ensure permission or authorization is informed, materials about granting permission or authorization, the Agency confidentiality guidelines, and permission or authorization forms shall be in a language and format understandable to the Consumer. Reasonable accommodations shall be made for special needs. Employees, Contractors, and Grantees shall inform Consumers that granting permission or authorization is not a pre-requisite for receiving services that they are entitled to and for which they have applied, although refusal to give permission or authorization may limit the Agency's ability to provide the best quality services.

The Employee, Contractor or Grantee also shall explain the process and benefits of Service Coordination. The Consumer shall be provided with a copy of the most current Agency confidentiality guidelines and relevant permission or authorization form, as well as any other information required by state or federal law.

4.2 Required Elements of Permission or Authorization

Permission or authorization for the Sharing or Disclosure of Individually Identifiable Information shall ordinarily be in writing. If an emergency situation requires granting of verbal permission or authorization, such verbal permission or authorization will be documented as soon as possible thereafter. The permission or authorization shall contain the following elements:

1. The name of the Consumer who is permitting or authorizing to have his or her Individually Identifiable Information Shared or Disclosed;
2. A list or description of the kinds of information to be Shared or Disclosed;
3. An explanation of the purpose for which the permission or authorization is given;
4. A list or description of those authorized to receive the information;
5. A statement that the permission or authorization may be revoked in writing at any time except to the extent that the permission or authorization has already been acted or relied upon;
6. The date, event, or condition upon which the permission or authorization will expire if not revoked earlier;
7. The signature of the Consumer granting permission or authorization, or the name and signature of the person with authority to do so and the date;
8. The signature of the individual explaining the permission or authorization process with his or her position, job title, and date;
9. A space to provide individualized instructions; and
10. A statement that the information will not be disclosed further unless such disclosure is required or allowed by law.

A copy of the permission or authorization shall be provided to all signatories.

4.3 Consumer Access to Records

Unless prohibited or restricted by federal or state law or regulation, Consumers shall be permitted to view and obtain copies of their Agency records. The Agency shall have written procedures that are consistent with HIPAA which permit Consumers to review Individually Identifiable Information for accuracy and completeness and to request amendments to the information. Employees shall take reasonable steps to present records in a form accessible to the Consumer, including but not limited to large type format or verbal review. A reasonable, cost-based fee may be imposed, provided that the fee includes only the cost of copying, postage, and preparing an explanation or summary of the records as requested by the Consumer. This fee shall be waived if it would prohibit access.

Section 5 Procedures to Protect Confidentiality
5.1. Agency Employees

The Agency shall ensure that all Employees shall be informed about this rule as well as the confidentiality protections afforded Consumers under the state and federal laws that apply to their area of employment. Employees shall sign an affirmation that they were informed and will comply with this rule. This affirmation shall be part of their personnel files. Supervisors shall review this affirmation with Employees during evaluations. Violation of this rule may result in disciplinary action.

5.2 Written Agreements with Grantees and Contractors

The Agency shall ensure its Contractors and Grantees are aware of this rule as well as the confidentiality protections afforded Consumers under the state and federal laws that apply to their services. Each Contractor and Grantee will inform its staff, volunteers, and interns of this rule and require them to comply with it.

5.3 Response to Third Party Non-Agency Requests for Individually Identifiable Information

An Employee shall not respond to requests from outside the Agency for Individually Identifiable Information about a Consumer even to acknowledge that the person is or is not a Consumer, unless required or permitted to by law or authorized by the Consumer in writing.

5.4 Documentation of Disclosure

Disclosures of Consumer Individually Identifiable Information shall be documented if the request does not meet the definition of a permissible Disclosure under Section 3.

Employees shall document in writing any Individually Identifiable Information actually Disclosed, along with the name of the person/entity to whom it was Disclosed and the date of the Disclosure.

5.5 Electronic Information

The Agency shall:

1. Ensure security procedures and policies consistent with this rule and HIPAA are established;
2. Ensure Employees are knowledgeable about the security procedures;
3. Include in its written agreements with Contractors and Grantees the requirements for Sharing and protecting electronic Individually Identifiable Information;
4. Maintain protocols limiting access to Individually Identifiable Information to only those Employees, Contractors, and Grantees who have an actual need to access the information in order to perform their work on behalf of the Agency.
5.6 Information Sharing Guidelines

The Agency shall create and follow written guidelines for the treatment of written, verbal, and electronic information. These shall be available to Consumers, Employees, Contractors, Grantees, third parties, as necessary to improve the overall understanding of this rule. The guidelines shall be updated as necessary.

13-002 Code Vt. R. 13-000-002-X

STATUTORY AUTHORITY: 3 V.S.A. § 3053
EFFECTIVE DATE: April 1, 1996 Secretary of State Rule Log #96-23
AMENDED: January 1, 2009 Secretary of State Rule Log #08-048