LIS

Virginia Law

Administrative Code

Creating a Report: Check the sections you'd like to appear in the report, then use the "Create Report" button at the bottom of the page to generate your report. Once the report is generated you'll then have the option to download it as a pdf, print or email the report.

Virginia Administrative Code
Title 22. Social Services
Agency 30. Department For Aging And Rehabilitative Services
Chapter 20. Provision of Vocational Rehabilitation Services
11/24/2024

22VAC30-20-190. Protection, use, and release of personal information.

A. Purpose. The purpose is to establish policies and procedures to protect current and stored personal information and for the proper dissemination of this information in accordance with the statutes of the Code of Virginia, Virginia Freedom of Information Act, Virginia Privacy Protection Act, and the Workforce Innovation and Opportunity Act. Clients shall be referred to as data subjects in this section.

B. Application. This applies to all employees of the department, consultants, affiliates and volunteers.

C. Policies. The department shall:

1. Comply with state statutes when releasing any information regarding data subjects by:

a. Disclosing information or records to the data subject who is 18 years old, except:

(1) If data subject has been legally declared as incompetent then the right to access information has been granted to the individual or committee which has been appointed as guardian, authorized agents or representatives.

(2) When the treating physician has written on a mental or medical record: "In my opinion a review of such records by the data subject would be injurious to the data subject's physical or mental health or well being." This does not preclude access to that report by authorized agents or representatives. The treating physician is the only professional who, by statute, has the authority to label and deny access to a mental record by the data subject. Access to other information is not restricted.

b. Disclosing information or records only to the parent or guardian for the data subject who is under 18 years old;

2. Follow procedures which ensure that all records and other personal, identifying data are treated as confidential information, meaning that other than regular access authority and the exceptions which are permitted by code and statutes, no expressed personal or documented information shall be released to a third party without the written, informed consent of the data subject or his authorized agent or by court order;

3. Obtain and document only that information which is necessary to plan and deliver rehabilitation services;

4. Maintain and post the department's access list which designates staff positions of those who have the privilege of reviewing and checking out records;

5. Assign to all individuals as defined in subsection B of this section and acknowledge written requests for information which are identified and occur after a data subject's application for services;

6. Charge for copies of information unless the request is from those who need information to assist data subject in the rehabilitation program. The rate shall be $.15 per page or the actual cost, whichever is less; and

7. Keep records in offices unless in accordance with a court order, statute, or by special authorization from the department representative.

D. Procedures for disclosing information.

1. Handling disclosures.

a. Each request to disclose information shall be handled during normal business hours.

b. Each written request shall be responded to within 14 working days.

c. Before an employee releases information to a person or organization other than those identified on the access list, written, informed consent must be given by data subject or the authorized agent.

When there is need to release information regarding data subjects, informed consent forms should be initiated through the data subject's counselor. Forms are completed prior to releasing information and filed in data subject's record.

d. Any employee who releases information after informed consent is obtained must document data subject's record with employee's name, date, the purpose for giving specific information, and to whom information was given. These statements are also documented when the record has been reviewed by or copied for the data subject.

2. Accessing information for specific situations.

a. A data subject's request to review personal record.

(1) When a data subject requests a review of his case records, the individual should be referred to their counselor, or in his absence, the counselor's supervisor. This employee is responsible for confirming the data subject's age, and competency status to access information in his own behalf.

(2) For those data subjects who are younger than age 18 years or who have been declared incompetent, the department shall explain right to access and assist data subject by coordinating the desired review with parent or authorized agent.

(3) For data subjects who have the right to access information, the department should obtain the case record and review contents to learn if there are any mental records which a treating physician has identified as not to be reviewed. These are the only reports which can and must be removed before access.

(4) The department gives data subject their case record and is available throughout the review to interpret reports or to assist the data subject, who may wish to seek additional information regarding contents. The data subject may choose to review their case record without interpretation.

b. Access by parents, guardians, or authorized agents.

(1) When a data subject is a minor or has been legally declared as incompetent, the parent, guardian, or authorized agent, is expected to furnish personal identification and sign a statement regarding their relationship to data subject.

(2) When a data subject is 18 years or older and there is a parent who wants to review information or accompany data subject to a data subject oriented meeting, the data subject shall sign an "Authorization for Release of Information," form prior to disclosure.

c. Access by "significant others" (other family members or friends).

(1) When a data subject is a minor or has been legally declared as incompetent, the parent, guardian, or authorized agent, shall give written, informed consent prior to disclosure.

(2) When a data subject is 18 years or older, he shall give written, informed consent prior to disclosure.

d. Access by third parties.

(1) Unless required by law, or the department, no disclosure shall be made to third parties without written, informed consent from the data subject or the legally authorized agent. Upon disclosure, third parties shall be advised to maintain confidentiality with no redisclosure of information.

(2) The following information is either required by law or permitted by mission of the agency and shall be disclosed without the data subject's authorization:

(a) Within the department, employees shall be given information which is relevant to case management or research requirements.

(b) The department's medical consultants may release information to another physician for consultation or hospitalization purposes.

(c) For emergencies:

(i) Telephone and face-to-face disclosure may be made to any person for an emergency when it is reasonable to believe that a delay shall result in serious bodily injury, death or deterioration of the physical or mental condition of data subject. Examples: (i) an emergency admission or commitment to a hospital; (ii) an inquiry from an acute care hospital, data is limited to answers for specific information from the data subject's case record; and (iii) an inquiry by law-enforcement officials regarding an emergency situation. Information is limited to that which is necessary to deal with the emergency.

(ii) When it becomes necessary to release information in these circumstances, the responsible department party shall enter the following in the data subject's case record: (i) the date the information was released; (ii) the person to whom information was released; (iii) the reason the information was released; (iv) the reason written, informed consent could not be obtained; and (v) the specific information which was released.

(d) For court orders and subpoena, all requests for information by court orders shall be processed by the data subject's counselor unless there is some question about the need for legal advice. In those situations, the department representative shall decide if contact needs to be made with the department representative in the Attorney General's office prior to compliance. This contact shall be made by the commissioner's designee.

(e) The Virginia Department of Social Services shall be given, upon request, information about the location, income, and property of data subjects who have abandoned, deserted, or failed to support children and their caretakers who are receiving public assistance. No other information may be released.

(f) The Virginia Department of Health shall be given access to medical records in the course of an investigation, research, or studies of diseases or deaths which are of public health importance.

(g) The Virginia Department of Health may be provided with abstracts of records of data subjects having malignant tumors or cancers. Such abstracts may include the name, address, sex, race, and any other medical information required by law.

(h) Information may be released as requested for a formal investigation to the Virginia Department of Health, State Medical Examiner.

e. Access by special interest third parties.

(1) Release of information shall include a written, informed consent.

(2) Except for public events, no data other than directory information shall be released to the news media without the written, informed consent of the data subject or the authorized agent.

(3) No information shall be released to law-enforcement officers without the written, informed consent of the data subject or the authorized agent, or without judicial order.

(4) Audio tapes, video tapes, computerized data or other media reproduction are considered as confidential records and shall be treated like written material.

E. Procedure for changing a record.

1. Revoking an authorization of consent.

a. If anyone, such as an attorney, has a data subject sign an authorization which rescinds all prior authorizations, this negates all previous authorizations. The department shall make this a part of the case record.

b. When the revocation clause appears in the record, the department no longer has the authority to disseminate additional information other than to those on the regulation department access list.

c. If the data subject is currently a client, their counselor shall record any authorization which includes a revocation clause. This means that all routines for forwarding reports to those not on department's access list shall be stopped.

d. The rehabilitation counselor shall notify the Wilson Workforce and Rehabilitation Center (WWRC) counselor or sponsor of the situation and inform the data subject of the restriction.

e. The department shall acknowledge and comply with the attorney's request for information. A separate letter shall also advise the attorney that this clause denies access of information to persons or organizations which are responsible for continuing rehabilitation services. The department shall advise the attorney of the need to be provided with an additional statement which reinstates communication and correspondence.

2. Reinstating consent. When a satisfactory reinstatement statement and new consent is received from the attorney and the data subject, the department shall file the additional authorization and inform appropriate department counterparts about the new release.

3. Challenging and correcting a record by the data subject or agent.

a. The data subject or agent has a right to contest the accuracy or completeness of any personal record, except access to challenging or correcting a treating physician's mental record which has been identified as not to be reviewed by the data subject.

b. Data subjects who are currently clients shall be instructed by their counselor that any request to correct, amend, or delete information is to be done in writing, giving specific reasons why information is being contested.

c. The counselor shall submit this statement to their immediate supervisor.

d. The Supervisor shall interview staff, as necessary, examine pertinent records, and submit a written recommendation to their regional or center director. This recommendation is to include a statement and rationale to either uphold or to change existing records.

e. When the regional or center director determines that information which is being disputed is, in fact, incomplete, inaccurate, not pertinent, untimely, or unnecessary to be retained, that individual shall instruct the original writer to amend the report in question. If the originator is no longer an employee, the regional or center director or a designee shall prepare the amended report. A copy of the amended report shall be sent to the local office for the client's file.

f. The department shall disseminate the amended version of the report to any previous recipients and as part of the record for all further requests for information.

g. The department shall notify the data subject in writing of the decision. A copy of that notice is to be filed in data subject's local office file.

h. If the investigation does not change the record or resolve the dispute, the data subject may file a statement stating what he believes to be an accurate or complete version of that information. This statement becomes a permanent part of the record. The department shall forward a copy to all previous recipients who have access to the information being disputed.

F. Procedures of safeguarding records.

1. Maintaining security of records.

a. Data subject records are the property of the department and are entrusted to personnel who safeguard records from loss, defacement, or use by unauthorized persons.

b. No record is to be defaced by marking, underlining, or entering notations by anyone other than the originator of any document.

c. When a record is requested, either by court or a directive from the commissioner, a certified copy of the record shall be provided by the counselor.

d. Whoever removes records has the responsibility to assure confidentiality of content while it is out. It must never be left unattended in areas which are accessible to unauthorized individuals.

e. Confidentiality shall be maintained in work areas where casework documents are being prepared, filed, or distributed.

2. Violating confidentiality. Individuals who violate security standards or the confidentiality code by releasing information without obtaining or following procedures may be subject to their name being removed from the access list and to discipline under the standards of conduct.

G. Department's access list. The following have been approved to have access to the case records of clients served by the department:

1. Administrative and supervisory staff engaged in dutiful performance of their job which requires access to individual client files;

2. Service delivery personnel including rehabilitation counselors, vocational evaluators, or psychiatrists; and

3. Clerical personnel as appropriate.

Statutory Authority

§ 51.5-131 of the Code of Virginia.

Historical Notes

Derived from VR595-01-1 § 19, eff. July 1, 1987; amended, Virginia Register Volume 11, Issue 1, eff. November 2, 1994; Volume 35, Issue 1, eff. October 3, 2018.

Website addresses provided in the Virginia Administrative Code to documents incorporated by reference are for the reader's convenience only, may not necessarily be active or current, and should not be relied upon. To ensure the information incorporated by reference is accurate, the reader is encouraged to use the source document described in the regulation.

As a service to the public, the Virginia Administrative Code is provided online by the Virginia General Assembly. We are unable to answer legal questions or respond to requests for legal advice, including application of law to specific fact. To understand and protect your legal rights, you should consult an attorney.