Can I Disclose This Information? Complying with Confidentiality & Disclosure Requirements
Reprinted with permission,
CAPLAW Legal Update,
June 2008
© Community Action Program Legal Services, Inc.
By Anita Lichtblau, Esq., CAPLAW
“Confidentiality” is a word frequently heard in
community-serving organizations. It is a given in most programs that client and
employee records will be treated confidentially. But what does that mean? And
how knowledgeable is your nonprofit, or if you are an attorney, your client,
about the relevant confidentiality and disclosure requirements?
All too often, employees are unclear about how to
comply with their obligations to keep records confidential. That uncertainty,
and consequent violation of a client’s or employee’s privacy, even if
unintentional, could lead to unfortunate results, such as assessment of a
monetary penalty, if a state statute so provides, or a lawsuit by the wronged
individual for violation of a statute or regulation or a general right to
privacy under state law. A government funding source could also cite the
nonprofit for a deficiency in the performance of the grant or contract if the
breach of confidentiality violates the terms and conditions of the grant or
contract. Aside from legal consequences, violations of confidentiality can also
create ill will toward the nonprofit, and a poor public perception of how the
agency treats its employees and clients.
On the other hand, there is a flip side to the
“confidentiality” question: when and to whom must records be disclosed? There
are many potential situations where disclosure is, or appears to be, required.
For example, terms and conditions of grants or contracts may require disclosure
of client records or individual client information to the funding source, or at
least allow access by the funding source to this information. The client or
employee herself may seek access to the records. Or the nonprofit may receive a
request from the public or a government agency, or a subpoena for records in
connection with a civil lawsuit, a criminal prosecution, or an administrative
proceeding.
Although it would be useful to be able to set out a
simple set of confidentiality/disclosure rules for nonprofits to follow, the
reality is that the requirements vary from state to state and program to
program. However, here is a series of steps that will help to determine the
applicable requirements and how to meet them.
1. Know what information is collected and in what form.
The first step is to understand, on an
organization-wide basis, what type of “personal” data is collected. Medical or
health-related information? Financial information? In what form is it collected:
paper forms; computer input into an organization-wide database; a funding agency
database? Are there differences among programs or is there a standardized intake
form? This is important to know because different laws apply to different types
of information.
2. Review the terms of contracts and grants from funding sources, as
well as any statutes or regulations which are incorporated therein, for
confidentiality and disclosure/access provisions.
One of the first places to check for
confidentiality/disclosure requirements is the terms and conditions of contracts
or grant awards from funding sources. Many contracts or funding agreements will
contain two types of provisions: one requiring the grantee to maintain
confidentiality of client information and one permitting or requiring the
government funding sources, or government auditors, to have access to records.
State contracts may require grantees to comply with the state agency’s own
internal confidentiality policies or guidelines, or with a general state statute
limiting disclosure of certain personal information. Increasingly, funding
sources are requiring grantees/contractors to input individual client data into
a computerized, state agency-wide database for purposes of data collection and
program monitoring. It goes without saying that if a particular regulation or
guideline is referenced in the contract, a careful review should be made of the
referenced provision.
These provisions may not be the easiest to find.
They may be “hidden” in the fine print of the form contracts attached to all of
the city or state contracts. Or they may just be referenced as a citation to a
regulation. And watch out for conflicting provisions among programs. One program
may prohibit disclosure of names, etc. of clients to any third parties (HUD
Section 8 housing voucher programs, for example); but another (state CSBG
program, for example) may require disclosure of client information for all
programs for reporting purposes. Don’t ignore the inconsistencies; they may
require negotiations with both agencies for a resolution that everyone can live
with.
3. Determine which other laws on confidentiality and disclosure apply
to the Nonprofit.
Private nonprofits sometimes mistakenly assume that
general federal privacy and public records laws apply to their operations. That
is not generally the case. Neither the Freedom of Information Act, 5 U.S.C. 552,
nor the Privacy Act of 1974, 5 U.S.C. 552a, applies to private nonprofits, even
if they receive federal funding. See Boggs v. Southeastern Tidewater Opportunity
Project, No. 2:96cv196, 1996 U.S. Dist. LEXIS 6977 (E.D. Va. 1996) (Community
Action Agency not subject to FOIA or Privacy Act).[i]
Of course, any information that nonprofits supply to federal agencies may be
subject to those federal laws once it is in their hands.
There are several federal laws governing disclosure
of specific types of information, however, which may be applicable to some
nonprofits. For example, if a nonprofit runs an alcohol or drug abuse treatment
program, patient records relating to such treatment are confidential and, in
general, may be disclosed only with the patient’s written consent, except:
· to medical personnel in an emergency;
· to qualified personnel for research, audits, or program
evaluation, as long as patients are not identified;
· by court order; and
· to appropriate authorities in cases of suspected child abuse and
neglect. 42 C.F.R. Part 2.
Another example is a federal law known as HIPAA, the Health Insurance
Portability and Accountability Act, P.L. 104-191 (1996), which created new
confidentiality requirements for health care providers. In some cases,
nonprofits, as sponsors of employee health care plans, may also have some
obligations under HIPAA to the extent that they collect health care information
on individual employees. Check with an attorney knowledgeable about HIPAA
compliance to determine if your nonprofit needs to take steps to comply with
that law.
Similarly, if your nonprofit electronically transmits protected health
information about clients, HIPAA may require that the nonprofit
implement a privacy policy and authorization procedures to clarify how and when
a client authorizes disclosure of protected health information. Check with an
attorney knowledgeable about HIPAA compliance to determine if and how your
nonprofit should implement policies and procedures to comply with HIPAA.
Most of the relevant laws on confidentiality and
disclosure, however, will be state laws. These can vary widely from state to
state.
Some restrictions on disclosing confidential or “personal information” apply
only to public entities (government programs); some apply to private nonprofit
entities carrying out publicly-funded activities. Some states have one law which
covers all “personal data”; others have a patchwork of laws and regulations
covering specific types of information (such as medical, substance abuse, or
financial), or specific programs (such as childcare). Still other laws may
specifically exempt certain information from coverage by general confidentiality
laws. For example, a law may require disclosure of information concerning child
abuse to a particular state agency, notwithstanding a prohibition on such
disclosure contained in a more general confidentiality statute. The key on this
issue then is determining which state laws, and there may be a number of them,
potentially apply to the nonprofit.
State public records laws, as well as their
interpretation on coverage and other issues, will also differ by state. Some
laws, on their face, apply not only to public agencies or entities, but also to
publicly-funded private entities. Others are interpreted by state courts,
regulations or advisory opinions (often the State Attorney General) to cover at
least some publicly-funded non-profits. State Community Services Block Grant
statutes, regulations, and contract or grant terms and conditions should also be
checked, since they may impose public record and open meeting law requirements
on nonprofits.
4. Make sure Nonprofit employees understand the circumstances under
which disclosure is allowed.
Most laws prohibiting disclosure also spell out
circumstances where it is allowed, similar to the provisions listed above for
the drug and alcohol abuse treatment information. Obtaining written
authorization from the client or employee for disclosure of information to a
particular party is usually sufficient; authorization by a specific law or court
order, or imminent danger to the individual are all common exemptions. Some laws
allow disclosure even if no written authorization is obtained if the data
subject is notified of the request for information and given the opportunity to
object and/or seek a protective order in court. In some states, this requirement
of notification may apply even where the “request” was made in the form of a
subpoena served on the nonprofit in connection with a pending civil or criminal
matter.
So What’s the Bottom Line?
Here are a few things to keep in mind when reviewing
confidentiality issues:
· After reviewing relevant contracts, grants, and laws and
regulations, come up with a workable confidentiality policy for the nonprofit.[ii]
Although some programs may have stricter requirements for disclosure of
information than others (health services programs, for example), set a minimum
level of compliance with general federal and state law. Be sure to think about
application of the policy not only to employees, but also to volunteers, board
members and members of affiliated groups, such as a Head Start Policy Council.
· Don’t assume that a nonprofit may legally disclose client or
employee information, even on an informal basis, just because the funding source
asks for it. Grants and contracts may contain boilerplate provisions requiring
disclosure or access that are inconsistent with state privacy laws. Grant and
contract provisions and regulations governing one program may also be
inconsistent with those governing another program. There are two potential ways
to resolve this: either negotiate the offending provision out of the contract(s),
or make sure that clients, and employees if necessary, understand and
acknowledge in writing that personal information may be disclosed to funding
agencies for purposes of monitoring and auditing the program.
· Don’t assume that disclosure of personal information in response
to a subpoena, without the consent or notification of the data subject, is
necessarily legal under state law. Check the applicable law.
· Assign one person within the agency to address confidentiality
issues and respond to requests and subpoenas for client or employee
information. The person selected should consult with the nonprofit’s legal
counsel to ensure familiarity with relevant laws and seek guidance on particular
issues as they come up.
· When dealing with children, make sure you know who has legal
rights to access information about the child. If there is a question about the
parental status or rights, ask for documentation from the parents. Even if a
parent does not have physical custody of the child, s/he may have the legal
right to see the child’s records. Determining what information may be disclosed,
particularly if it relates not only to the child, but also to the parent, may be
difficult and require some investigation of both the facts of the case and the
state law.
· Ensure that clients understand and agree to the nonprofit’s
confidentiality/disclosure policy. One way to do this is to include an
acknowledgement, signed by the client, on the initial intake form. Here is some
suggested language for those nonprofits who intend to provide access to client
information to funding sources and similar entities:
[Name of Nonprofit] attempts, to the greatest extent possible, to protect the
confidentiality of information I provide. However, information I provide in this
form and otherwise to [Nonprofit] may be released to other programs within
[Nonprofit], and/or to the government agency(ies) which fund and/or audit
[Nonprofit] program(s) in which I participate if such information is requested
or required by the agency. Release of information to other agencies/persons
shall be made only upon my additional consent and/or as required or authorized
by law. By signing this document, I understand and agree to this information
disclosure policy.
Conclusion
In this era of instant communications and increasing
ability to collect and disseminate information, privacy concerns are on many
people’s radar screens. With calls for increasing accountability and provable
results from many government-funded programs conducted by nonprofits, questions
about disclosure of information are sure to continue and intensify. As with any
other compliance issue, a working knowledge of the relevant rules and the
ability to recognize red flags are crucial in avoiding problems down the road. A
thorough review of confidentiality/disclosure issues and practices at the
nonprofit level, combined with the establishment or revision of workable written
policies, and legal guidance on particularly thorny questions that arise, will
go a long way toward that goal.
The Pro Bono Partnership gratefully acknowledges the contribution of
this article by Community Action Program Legal Services, Inc.
[ii]
Standard principles to be used in drafting privacy policies may be found at:
www.privacyjournal.net. These principles are of course only a starting
point; state laws and grant and contract provisions will guide the specifics
of the policy.