§ 367.69 What are the special requirements pertaining to the protection, use, and release of personal information?
(a) General provisions. The DSA and all other service providers under this part shall adopt and implement policies and procedures to safeguard the confidentiality of all personal information, including photographs and lists of names. These policies and procedures must assure that—
(1) Specific safeguards protect current and stored personal information, including a requirement that data only be released when governed by a written agreement between the DSA and other service providers and the receiving entity under paragraphs (d) and (e)(1) of this section, which addresses the requirements in this section;
(2) All applicants for, or recipients of, services under this part and, as appropriate, those individuals' legally authorized representatives, service providers, cooperating agencies, and interested persons are informed of the confidentiality of personal information and the conditions for gaining access to and releasing this information;
(3) All applicants or their legally authorized representatives are informed about the service provider's need to collect personal information and the policies governing its use, including—
(i) Identification of the authority under which information is collected;
(ii) Explanation of the principal purposes for which the service provider intends to use or release the information;
(iii) Explanation of whether providing requested information to the service provider is mandatory or voluntary and the effects to the individual of not providing requested information;
(iv) Identification of those situations in which the service provider requires or does not require informed written consent of the individual or his or her legally authorized representative before information may be released; and
(v) Identification of other agencies to which information is routinely released;
(4) Persons who do not speak, listen, read, or write English proficiently or who rely on alternative modes of communication must be provided an explanation of service provider policies and procedures affecting personal information through methods that can be meaningfully understood by them;
(5) At least the same protections are provided to individuals served under this part as provided by State laws and regulations; and
(6) Access to records is governed by rules established by the service provider and any fees charged for copies of records are reasonable and cover only extraordinary costs of duplication or making extensive searches.
(b) Service provider use. All personal information in the possession of the service provider may be used only for the purposes directly connected with the provision of services under this part and the administration of the program under which services are provided under this part. Information containing identifiable personal information may not be shared with advisory or other bodies that do not have official responsibility for the provision of services under this part or the administration of the program under which services are provided under this part. In the provision of services under this part or the administration of the program under which services are provided under this part, the service provider may obtain personal information from other service providers and cooperating agencies under assurances that the information may not be further divulged, except as provided under paragraphs (c), (d), and (e) of this section.
(c) Release to recipients of services under this part.
(1) Except as provided in paragraphs (c)(2) and (3) of this section, if requested in writing by a recipient of services under this part, the service provider shall release all information in that individual's record of services to the individual or the individual's legally authorized representative in a timely manner.
(2) Medical, psychological, or other information that the service provider determines may be harmful to the individual may not be released directly to the individual, but must be provided through a qualified medical or psychological professional or the individual's legally authorized representative.
(3) If personal information has been obtained from another agency or organization, it may be released only by, or under the conditions established by, the other agency or organization.
(d) Release for audit, evaluation, and research. Personal information may be released to an organization, agency, or individual engaged in audit, evaluation, or research activities only for purposes directly connected with the administration of a program under this part, or for purposes that would significantly improve the quality of life for individuals served under this part and only if, in accordance with a written agreement, the organization, agency, or individual assures that—
(1) The information will be used only for the purposes for which it is being provided;
(2) The information will be released only to persons officially connected with the audit, evaluation, or research;
(3) The information will not be released to the involved individual;
(4) The information will be managed in a manner to safeguard confidentiality; and
(5) The final product will not reveal any personally identifying information without the informed written consent of the involved individual or the individual's legally authorized representative.
(e) Release to other programs or authorities.
(1) Upon receiving the informed written consent of the individual or, if appropriate, the individual's legally authorized representative, the service provider may release personal information to another agency or organization, in accordance with a written agreement, for the latter's program purposes only to the extent that the information may be released to the involved individual and only to the extent that the other agency or organization demonstrates that the information requested is necessary for the proper administration of its program.
(2) Medical or psychological information may be released pursuant to paragraph (e)(1) of this section if the other agency or organization assures the service provider that the information will be used only for the purpose for which it is being provided and will not be further released to the individual.
(3) The service provider shall release personal information if required by Federal laws or regulations.
(4) The service provider shall release personal information in response to investigations in connection with law enforcement, fraud, or abuse, unless expressly prohibited by Federal or State laws or regulations, and in response to judicial order.
(5) The service provider also may release personal information to protect the individual or others if the individual poses a threat to his or her safety or to the safety of others.