How Do Confidentiality Laws Apply to Internal Information Sharing Within a County Department of Social Services?
Published: 05/11/22
Author Name: Kristi Nickodem
In North Carolina, a county director of a department of social services (DSS) is responsible for administering and providing a wide variety of social services and economic services programs. Recently, a DSS director asked me for some information on how state and federal confidentiality laws apply to situations in which her staff need to share confidential information with one another across some of these different programs and services. This is a great question, because the laws governing disclosures of confidential information by DSS also apply to internal disclosures, not just external disclosures. Internal disclosures may occur when DSS staff share information across programs or between units or internal departments within the same DSS. For example, child welfare staff might request information from adult protective services (APS) staff for purposes of determining a case plan for a parent and a child. APS staff might ask for information from income maintenance staff to ensure that proper economic services are being provided to a vulnerable older adult. Each of these situations requires an analysis of whether an internal disclosure of the requested information is permissible.
I address this topic more comprehensively in a new bulletin published by the School of Government: Internal Sharing of Information Within a County Department of Social Services. While this blog post briefly touches on some of the points raised in this new publication, I hope interested readers will refer to the bulletin for a more in-depth analysis of how federal and state laws interact to allow (or prohibit) internal information sharing within a DSS.
Why is it so difficult to determine when DSS staff can share information internally? A county DSS is subject to an intricate web of state and federal statutes and regulations, some of which do not harmonize neatly with one another. By way of example, let’s look at a few of the primary confidentiality laws that impact a county DSS in North Carolina.
Relevant Federal Laws
- Each county DSS is subject to a multitude of federal laws and regulations that are specific to particular funding streams. Each federally funded program or social service (e.g., Medicaid, Food and Nutrition Services, Work First, Title IV-D of the Social Security Act) has its own set of associated regulations protecting the confidentiality of information about individuals who receive services or assistance.
- Outside of a DSS, other agencies and entities that receive federal funding may also be subject to federal laws and regulations that restrict the disclosure of confidential information. When those entities provide information or records to a DSS, the DSS may become bound by those same restrictions. For example, federal law stringently restricts the disclosure of information regarding individuals who receive alcohol or substance use disorder prevention or treatment services from federally assisted programs. If DSS received information or records from a federally assisted alcohol or substance-use disorder treatment program, the DSS is then bound by the confidentiality requirements imposed on that program with respect to the handling of such information or records.
- A DSS may also be subject to federal confidentiality requirements that are not tied to particular funding streams. For example, in certain instances, a DSS may be subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule with respect to disclosures of certain protected health information. A DSS will also be subject to restrictions in the Internal Revenue Code regarding the disclosure of federal tax information.
Relevant State Laws
- Chapter 108A, Section 80 of the North Carolina General Statutes (G.S.) is the overarching state confidentiality statute for social services information. Under G.S. 108A-80, it is unlawful for any person to disclose or use information regarding individuals applying for or receiving public assistance or social services that may be directly or indirectly derived from the records, files, or communications of a county DSS or acquired in the course of performing official duties, except for purposes directly connected with the administration of programs of public assistance and social services in accordance with federal law and the rules of the Social Services Commission. The implementing regulations for G.S. 108A-80, found at Chapter 69 of Title 10A of the North Carolina Administrative Code (N.C.A.C.), provide more specific rules for exactly when and how social services information can be shared. Both G.S. 108A-80 and 10A N.C.A.C. Chapter 69 broadly apply to all social services information, including economic, child protective, and adult protective services information.
- North Carolina law contains additional statutes and regulations specific to the confidentiality of child protective services (CPS) information and adult protective services (APS) information. See, e.g., G.S. 7B-302(a1) and -2901(b) and 10A N.C.A.C. Ch. 70 (governing CPS information), and G.S. 108A-116(d) and 10A N.C.A.C. Ch. 71A (governing APS information. In certain cases, the state laws specific to CPS and APS information are more restrictive than G.S. 108A-80 and 10A N.C.A.C. Chapter 69, which broadly apply to all social services information.
- Other North Carolina confidentiality laws that are not specific to social services may also apply to information held by a DSS. For example, North Carolina law limits disclosure of information from facilities that provide mental health, developmental disability, and substance use disorder treatment services. See G.S.122C-51 to -56; 10A N.C.A.C. Subch. 26B. State law also prohibits disclosure of information identifying a person who has or may have a reportable communicable disease or condition, subject to certain exceptions. See G.S. 130A-143.
How Do the Federal and State Laws Work Together?
To untangle the many laws and regulations that impact internal information sharing within a DSS, it is important to understand the relationship between federal and state confidentiality laws. The analysis begins with federal law. If a DSS is prohibited from disclosing information under federal law, that DSS should not disclose such information, even if it would be permitted under state law. Conversely, if a DSS is allowed to disclose information under federal law but is prohibited from disclosing such information under state law, the DSS should not disclose such information, even though it would be permitted under federal law. However, if federal law requires—not simply allows—disclosure, the information should be disclosed despite state law prohibiting disclosure.
When is Internal Information Sharing is Allowed by Federal Law?
Each major source of federal funding received by a county DSS has an associated set of federal statutes and regulations governing confidentiality. It can be challenging to determine what all of the federal funding-related laws ultimately allow and how they interact with each other. A few examples of the major sources of funding for county DSS programs and the associated laws that might allow for internal information sharing are discussed in more detail in the bulletin (including CAPTA, Title IV programs, SNAP, Medicaid, NC Health Choice for Children, and CCDF). With a few exceptions described in the bulletin, federal law provides fairly broad leeway for a county DSS to share information internally between federally funded programs for purposes of program administration, including making benefits eligibility determinations. However, some of the disclosures allowed under federal law may be prohibited under North Carolina state law. Federal law is the starting point, but it is not the end of the analysis.
When is Internal Information Sharing is Allowed by State Law?
The regulations found in 10A N.C.A.C. Chapter 69 (“the Chapter 69 regulations”) allow for certain internal sharing of social services information for program administration purposes. Under 10A N.C.A.C. 69, § .0501, DSS staff may share confidential information internally as necessary to make referrals, provide supervision and consultation, or determine eligibility for services or programs. Similarly, 10A N.C.A.C. 69, § .0503 allows for information sharing with other county employees for the purpose of monitoring, auditing, evaluating, or facilitating the administration of other state and federal programs. Under 10A N.C.A.C. 69, § .0503, a DSS is required to evaluate a request for information and only make the disclosure if (1) the need for disclosure is justifiable for the purpose and (2) adequate safeguards are maintained to protect the information from re-disclosure. Since the Chapter 69 regulations apply broadly to all social services information, a DSS director can allow internal disclosures of information as permitted under 10A N.C.A.C. 69, §§ .0501 and .0503, unless otherwise prohibited by federal or state law. The Chapter 69 regulations must be read together with any other federal or state law applicable to the specific information at issue.
Limitations on Internal Information Sharing Under State Law
If a DSS director determines that internal information sharing is allowed under federal law and under the Chapter 69 regulations that broadly apply to all social services information, the next step is to determine whether any other state laws might prohibit such information sharing. This determination is the most difficult when it involves CPS information and certain APS information, which receive heightened confidentiality protections under North Carolina law. In certain cases, the state statutes and regulations requiring heightened protection for CPS information and certain APS information will prohibit some internal information sharing that would otherwise be allowed under the Chapter 69 regulations for other types of social services information.
Child Protective Services Information
G.S. 7B-302(a1) requires that all CPS information be held “in the strictest confidence.” The confidentiality requirement of this statute applies as soon as DSS receives a report of suspected child abuse, neglect, dependency, or death due to maltreatment. It covers (1) all information obtained in the report, (2) the reporter’s identity, and (3) all information gathered by DSS following the report. CPS information can only be disclosed in certain limited circumstances identified in G.S. Chapter 7B (e.g., exceptions enumerated in G.S. 7B-302(a1), (e); G.S. 7B-2901(b); G.S. 7B-3100) and 10A N.C.A.C. Chapter 70. Program administration is not one of the permitted circumstances, meaning that some of the broader exceptions for internal DSS information sharing in 10A N.C.A.C. 69, §§ .0501 and .0503 arguably do not apply to CPS information.
When might internal sharing of CPS information within a DSS be permitted?
- Protection of a juvenile. One key exception to the prohibition on disclosure in G.S. 7B-302(a1) is that DSS can and should disclose CPS information to any federal, state, or local government entity (or any agent of such an entity) to protect a child from abuse or neglect. See G.S. 7B-302(a1)(1). This could include internal sharing of information for purposes of protecting a juvenile. Notably, the statute uses the phrase “to protect a juvenile” rather than “to protect the juvenile,” meaning that CPS information may be disclosed when necessary to protect any child, not merely the child who is the subject of the information being disclosed. Any confidential information disclosed for purposes of protecting a child must remain confidential with the party to whom it is disclosed and must only be re-disclosed for purposes directly connected with carrying out that party’s mandated responsibilities.
- Assessment of a report or provision of protective services. Another important exception to the basic prohibition on disclosure in G.S. 7B-302(a1) allows internal information sharing for purposes of providing or arranging protective services for a child. Under G.S. 7B-302(e), DSS may consult with any agency or individual when performing any duties related to the (1) assessment of an abuse, neglect, or dependency report or (2) provision or arrangement for protective services. Under 10A N.C.A.C. 70A, § .0113(b), DSS may, without a court order, share information from the protective services case record with agencies or individuals that provide or facilitate the provision of protective services to a child. These provisions in the law allow CPS staff to share information with other programs or units within DSS as necessary for providing protecting services for a child or assessing a report of abuse, neglect, or dependency.
Adult Protective Services Information
APS information is subject to the general confidentiality protections that apply to all social services information under G.S. 108A-80, meaning that it can typically be shared internally for program administration purposes as permitted under 10A N.C.A.C. 69, §§ .0501 and .0503. However, there are a few specific categories of APS information that receive heightened confidentiality protection under other regulations or statutes.
- Information about the identity of the reporter (or about anyone who provides information to DSS in the course of an APS investigation). 10A N.C.A.C. 71A, § .0802 only allows DSS to disclose the reporter’s identity in three specific situations: (1) when a court orders disclosure; (2) when the disclosure is to the Division of Health Service Regulation in response to Division staff requesting information to carry out an investigation; and (3) when the disclosure is to the district attorney’s office or to law enforcement officials involved with a criminal investigation of alleged abuse, neglect, or exploitation of a disabled adult.
- Any “specific findings” included in DSS’s evaluation report, when evaluating any report of abuse, neglect, or exploitation. Per 10A N.C.A.C. 71A, § .0803, these specific findings can only be disclosed (1) pursuant to the disabled adult’s authorization; (2) pursuant to a court order; (3) to other persons or agencies as necessary to provide protective services; (4) to the district attorney or law enforcement agencies upon request, but only if evidence of abuse, neglect, or exploitation is found; (5) to federal, state, and law enforcement agencies when the results of the protective services evaluation indicate violations of other laws enforced by those agencies; or (6) to certain agencies within the North Carolina Department of Health and Human Services (NCDHHS) when a county DSS has substantiated a report of abuse, neglect, or exploitation.
- Any copies of a disabled adult or older adult’s financial records. Per G.S. 108A-116(d), these records may only be disclosed pursuant to court order.
The North Carolina CPS and APS statutes and regulations referenced above generally only refer to “the department” keeping records and information confidential. There is no mention of particular units or divisions within a DSS, so it is unclear how these heightened confidentiality standards should apply to internal information sharing. The most prudent and cautious interpretation of these state laws is that a DSS should have an internal firewall around CPS information and certain APS information. In other words, a disclosure from the CPS or APS unit to another unit within DSS (for example, CPS to Economic Services) should be treated more like an external disclosure and should have to meet one of the exceptions under state law for permissible disclosures of CPS or APS information. For example, CPS information could be disclosed internally within a DSS in order to protect a child from abuse or neglect or to facilitate the provision of protective services. Similarly, the “specific findings” of an APS evaluation report could be disclosed as necessary to provide protective services to a vulnerable adult. The new bulletin describes the rationale for this interpretation in greater detail.
Finally, the bulletin also provides several hypothetical scenarios exploring the interplay between federal and state laws regarding confidentiality in the context of internal information sharing. I hope that DSS directors, attorneys, and staff will find this bulletin to be a helpful reference guide in the event of future questions regarding internal disclosures of confidential information.
1
Coates’ Canons NC Local Government Law
How Do Confidentiality Laws Apply to Internal Information Sharing Within a County Department of Social Services?
Published: 05/11/22
Author Name: Kristi Nickodem
In North Carolina, a county director of a department of social services (DSS) is responsible for administering and providing a wide variety of social services and economic services programs. Recently, a DSS director asked me for some information on how state and federal confidentiality laws apply to situations in which her staff need to share confidential information with one another across some of these different programs and services. This is a great question, because the laws governing disclosures of confidential information by DSS also apply to internal disclosures, not just external disclosures. Internal disclosures may occur when DSS staff share information across programs or between units or internal departments within the same DSS. For example, child welfare staff might request information from adult protective services (APS) staff for purposes of determining a case plan for a parent and a child. APS staff might ask for information from income maintenance staff to ensure that proper economic services are being provided to a vulnerable older adult. Each of these situations requires an analysis of whether an internal disclosure of the requested information is permissible.
I address this topic more comprehensively in a new bulletin published by the School of Government: Internal Sharing of Information Within a County Department of Social Services. While this blog post briefly touches on some of the points raised in this new publication, I hope interested readers will refer to the bulletin for a more in-depth analysis of how federal and state laws interact to allow (or prohibit) internal information sharing within a DSS.
Why is it so difficult to determine when DSS staff can share information internally? A county DSS is subject to an intricate web of state and federal statutes and regulations, some of which do not harmonize neatly with one another. By way of example, let’s look at a few of the primary confidentiality laws that impact a county DSS in North Carolina.
Relevant Federal Laws
- Each county DSS is subject to a multitude of federal laws and regulations that are specific to particular funding streams. Each federally funded program or social service (e.g., Medicaid, Food and Nutrition Services, Work First, Title IV-D of the Social Security Act) has its own set of associated regulations protecting the confidentiality of information about individuals who receive services or assistance.
- Outside of a DSS, other agencies and entities that receive federal funding may also be subject to federal laws and regulations that restrict the disclosure of confidential information. When those entities provide information or records to a DSS, the DSS may become bound by those same restrictions. For example, federal law stringently restricts the disclosure of information regarding individuals who receive alcohol or substance use disorder prevention or treatment services from federally assisted programs. If DSS received information or records from a federally assisted alcohol or substance-use disorder treatment program, the DSS is then bound by the confidentiality requirements imposed on that program with respect to the handling of such information or records.
- A DSS may also be subject to federal confidentiality requirements that are not tied to particular funding streams. For example, in certain instances, a DSS may be subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule with respect to disclosures of certain protected health information. A DSS will also be subject to restrictions in the Internal Revenue Code regarding the disclosure of federal tax information.
Relevant State Laws
- Chapter 108A, Section 80 of the North Carolina General Statutes (G.S.) is the overarching state confidentiality statute for social services information. Under G.S. 108A-80, it is unlawful for any person to disclose or use information regarding individuals applying for or receiving public assistance or social services that may be directly or indirectly derived from the records, files, or communications of a county DSS or acquired in the course of performing official duties, except for purposes directly connected with the administration of programs of public assistance and social services in accordance with federal law and the rules of the Social Services Commission. The implementing regulations for G.S. 108A-80, found at Chapter 69 of Title 10A of the North Carolina Administrative Code (N.C.A.C.), provide more specific rules for exactly when and how social services information can be shared. Both G.S. 108A-80 and 10A N.C.A.C. Chapter 69 broadly apply to all social services information, including economic, child protective, and adult protective services information.
- North Carolina law contains additional statutes and regulations specific to the confidentiality of child protective services (CPS) information and adult protective services (APS) information. See, e.g., G.S. 7B-302(a1) and -2901(b) and 10A N.C.A.C. Ch. 70 (governing CPS information), and G.S. 108A-116(d) and 10A N.C.A.C. Ch. 71A (governing APS information. In certain cases, the state laws specific to CPS and APS information are more restrictive than G.S. 108A-80 and 10A N.C.A.C. Chapter 69, which broadly apply to all social services information.
- Other North Carolina confidentiality laws that are not specific to social services may also apply to information held by a DSS. For example, North Carolina law limits disclosure of information from facilities that provide mental health, developmental disability, and substance use disorder treatment services. See G.S.122C-51 to -56; 10A N.C.A.C. Subch. 26B. State law also prohibits disclosure of information identifying a person who has or may have a reportable communicable disease or condition, subject to certain exceptions. See G.S. 130A-143.
How Do the Federal and State Laws Work Together?
To untangle the many laws and regulations that impact internal information sharing within a DSS, it is important to understand the relationship between federal and state confidentiality laws. The analysis begins with federal law. If a DSS is prohibited from disclosing information under federal law, that DSS should not disclose such information, even if it would be permitted under state law. Conversely, if a DSS is allowed to disclose information under federal law but is prohibited from disclosing such information under state law, the DSS should not disclose such information, even though it would be permitted under federal law. However, if federal law requires—not simply allows—disclosure, the information should be disclosed despite state law prohibiting disclosure.
When is Internal Information Sharing is Allowed by Federal Law?
Each major source of federal funding received by a county DSS has an associated set of federal statutes and regulations governing confidentiality. It can be challenging to determine what all of the federal funding-related laws ultimately allow and how they interact with each other. A few examples of the major sources of funding for county DSS programs and the associated laws that might allow for internal information sharing are discussed in more detail in the bulletin (including CAPTA, Title IV programs, SNAP, Medicaid, NC Health Choice for Children, and CCDF). With a few exceptions described in the bulletin, federal law provides fairly broad leeway for a county DSS to share information internally between federally funded programs for purposes of program administration, including making benefits eligibility determinations. However, some of the disclosures allowed under federal law may be prohibited under North Carolina state law. Federal law is the starting point, but it is not the end of the analysis.
When is Internal Information Sharing is Allowed by State Law?
The regulations found in 10A N.C.A.C. Chapter 69 (“the Chapter 69 regulations”) allow for certain internal sharing of social services information for program administration purposes. Under 10A N.C.A.C. 69, § .0501, DSS staff may share confidential information internally as necessary to make referrals, provide supervision and consultation, or determine eligibility for services or programs. Similarly, 10A N.C.A.C. 69, § .0503 allows for information sharing with other county employees for the purpose of monitoring, auditing, evaluating, or facilitating the administration of other state and federal programs. Under 10A N.C.A.C. 69, § .0503, a DSS is required to evaluate a request for information and only make the disclosure if (1) the need for disclosure is justifiable for the purpose and (2) adequate safeguards are maintained to protect the information from re-disclosure. Since the Chapter 69 regulations apply broadly to all social services information, a DSS director can allow internal disclosures of information as permitted under 10A N.C.A.C. 69, §§ .0501 and .0503, unless otherwise prohibited by federal or state law. The Chapter 69 regulations must be read together with any other federal or state law applicable to the specific information at issue.
Limitations on Internal Information Sharing Under State Law
If a DSS director determines that internal information sharing is allowed under federal law and under the Chapter 69 regulations that broadly apply to all social services information, the next step is to determine whether any other state laws might prohibit such information sharing. This determination is the most difficult when it involves CPS information and certain APS information, which receive heightened confidentiality protections under North Carolina law. In certain cases, the state statutes and regulations requiring heightened protection for CPS information and certain APS information will prohibit some internal information sharing that would otherwise be allowed under the Chapter 69 regulations for other types of social services information.
Child Protective Services Information
G.S. 7B-302(a1) requires that all CPS information be held “in the strictest confidence.” The confidentiality requirement of this statute applies as soon as DSS receives a report of suspected child abuse, neglect, dependency, or death due to maltreatment. It covers (1) all information obtained in the report, (2) the reporter’s identity, and (3) all information gathered by DSS following the report. CPS information can only be disclosed in certain limited circumstances identified in G.S. Chapter 7B (e.g., exceptions enumerated in G.S. 7B-302(a1), (e); G.S. 7B-2901(b); G.S. 7B-3100) and 10A N.C.A.C. Chapter 70. Program administration is not one of the permitted circumstances, meaning that some of the broader exceptions for internal DSS information sharing in 10A N.C.A.C. 69, §§ .0501 and .0503 arguably do not apply to CPS information.
When might internal sharing of CPS information within a DSS be permitted?
- Protection of a juvenile. One key exception to the prohibition on disclosure in G.S. 7B-302(a1) is that DSS can and should disclose CPS information to any federal, state, or local government entity (or any agent of such an entity) to protect a child from abuse or neglect. See G.S. 7B-302(a1)(1). This could include internal sharing of information for purposes of protecting a juvenile. Notably, the statute uses the phrase “to protect a juvenile” rather than “to protect the juvenile,” meaning that CPS information may be disclosed when necessary to protect any child, not merely the child who is the subject of the information being disclosed. Any confidential information disclosed for purposes of protecting a child must remain confidential with the party to whom it is disclosed and must only be re-disclosed for purposes directly connected with carrying out that party’s mandated responsibilities.
- Assessment of a report or provision of protective services. Another important exception to the basic prohibition on disclosure in G.S. 7B-302(a1) allows internal information sharing for purposes of providing or arranging protective services for a child. Under G.S. 7B-302(e), DSS may consult with any agency or individual when performing any duties related to the (1) assessment of an abuse, neglect, or dependency report or (2) provision or arrangement for protective services. Under 10A N.C.A.C. 70A, § .0113(b), DSS may, without a court order, share information from the protective services case record with agencies or individuals that provide or facilitate the provision of protective services to a child. These provisions in the law allow CPS staff to share information with other programs or units within DSS as necessary for providing protecting services for a child or assessing a report of abuse, neglect, or dependency.
Adult Protective Services Information
APS information is subject to the general confidentiality protections that apply to all social services information under G.S. 108A-80, meaning that it can typically be shared internally for program administration purposes as permitted under 10A N.C.A.C. 69, §§ .0501 and .0503. However, there are a few specific categories of APS information that receive heightened confidentiality protection under other regulations or statutes.
- Information about the identity of the reporter (or about anyone who provides information to DSS in the course of an APS investigation). 10A N.C.A.C. 71A, § .0802 only allows DSS to disclose the reporter’s identity in three specific situations: (1) when a court orders disclosure; (2) when the disclosure is to the Division of Health Service Regulation in response to Division staff requesting information to carry out an investigation; and (3) when the disclosure is to the district attorney’s office or to law enforcement officials involved with a criminal investigation of alleged abuse, neglect, or exploitation of a disabled adult.
- Any “specific findings” included in DSS’s evaluation report, when evaluating any report of abuse, neglect, or exploitation. Per 10A N.C.A.C. 71A, § .0803, these specific findings can only be disclosed (1) pursuant to the disabled adult’s authorization; (2) pursuant to a court order; (3) to other persons or agencies as necessary to provide protective services; (4) to the district attorney or law enforcement agencies upon request, but only if evidence of abuse, neglect, or exploitation is found; (5) to federal, state, and law enforcement agencies when the results of the protective services evaluation indicate violations of other laws enforced by those agencies; or (6) to certain agencies within the North Carolina Department of Health and Human Services (NCDHHS) when a county DSS has substantiated a report of abuse, neglect, or exploitation.
- Any copies of a disabled adult or older adult’s financial records. Per G.S. 108A-116(d), these records may only be disclosed pursuant to court order.
The North Carolina CPS and APS statutes and regulations referenced above generally only refer to “the department” keeping records and information confidential. There is no mention of particular units or divisions within a DSS, so it is unclear how these heightened confidentiality standards should apply to internal information sharing. The most prudent and cautious interpretation of these state laws is that a DSS should have an internal firewall around CPS information and certain APS information. In other words, a disclosure from the CPS or APS unit to another unit within DSS (for example, CPS to Economic Services) should be treated more like an external disclosure and should have to meet one of the exceptions under state law for permissible disclosures of CPS or APS information. For example, CPS information could be disclosed internally within a DSS in order to protect a child from abuse or neglect or to facilitate the provision of protective services. Similarly, the “specific findings” of an APS evaluation report could be disclosed as necessary to provide protective services to a vulnerable adult. The new bulletin describes the rationale for this interpretation in greater detail.
Finally, the bulletin also provides several hypothetical scenarios exploring the interplay between federal and state laws regarding confidentiality in the context of internal information sharing. I hope that DSS directors, attorneys, and staff will find this bulletin to be a helpful reference guide in the event of future questions regarding internal disclosures of confidential information.