§ 364.56 What are the special requirements pertaining to the protection, use, and release of personal information?
(a) General provisions. The State plan must assure that each service provider will adopt and implement policies and procedures to safeguard the confidentiality of all personal information, including photographs and lists of names. These policies and procedures must assure that—
(1) Specific safeguards protect current and stored personal information;
(2) All applicants for, or recipients of, IL services and, as appropriate, those individuals' legally authorized representatives, service providers, cooperating agencies, and interested persons are informed of the confidentiality of personal information and the conditions for gaining access to and releasing this information;
(3) All applicants or their legally authorized representatives are informed about the service provider's need to collect personal information and the policies governing its use, including—
(i) Identification of the authority under which information is collected;
(ii) Explanation of the principal purposes for which the service provider intends to use or release the information;
(iii) Explanation of whether providing requested information to the service provider is mandatory or voluntary and the effects to the individual of not providing requested information;
(iv) Identification of those situations in which the service provider requires or does not require informed written consent of the individual or his or her legally authorized representative before information may be released; and
(v) Identification of other agencies to which information is routinely released;
(4) Persons who are unable to communicate in English or who rely on alternative modes of communication must be provided an explanation of service provider policies and procedures affecting personal information through methods that can be adequately understood by them;
(5) At least the same protections are provided to individuals with significant disabilities as provided by State laws and regulations; and
(6) Access to records is governed by rules established by the service provider and any fees charged for copies of records are reasonable and cover only extraordinary costs of duplication or making extensive searches.
(b) Service provider use. All personal information in the possession of the service provider may be used only for the purposes directly connected with the provision of IL services and the administration of the IL program under which IL services are provided. Information containing identifiable personal information may not be shared with advisory or other bodies that do not have official responsibility for the provision of IL services or the administration of the IL program under which IL services are provided. In the provision of IL services or the administration of the IL program under which IL services are provided, the service provider may obtain personal information from other service providers and cooperating agencies under assurances that the information may not be further divulged, except as provided under paragraphs (c), (d), and (e) of this section.
(c) Release to recipients of IL services.
(1) Except as provided in paragraphs (c)(2) and (c)(3) of this section, if requested in writing by a recipient of IL services, the service provider shall release all information in that individual's record of services to the individual or the individual's legally authorized representative in a timely manner.
(2) Medical, psychological, or other information that the service provider determines may be harmful to the individual may not be released directly to the individual, but must be provided through a qualified medical or psychological professional or the individual's legally authorized representative.
(3) If personal information has been obtained from another agency or organization, it may be released only by, or under the conditions established by, the other agency or organization.
(d) Release for audit, evaluation, and research. Personal information may be released to an organization, agency, or individual engaged in audit, evaluation, or research activities only for purposes directly connected with the administration of an IL program, or for purposes that would significantly improve the quality of life for individuals with significant disabilities and only if the organization, agency, or individual assures that—
(1) The information will be used only for the purposes for which it is being provided;
(2) The information will be released only to persons officially connected with the audit, evaluation, or research;
(3) The information will not be released to the involved individual;
(4) The information will be managed in a manner to safeguard confidentiality; and
(5) The final product will not reveal any personally identifying information without the informed written consent of the involved individual or the individual's legally authorized representative.
(e) Release to other programs or authorities.
(1) Upon receiving the informed written consent of the individual or, if appropriate, the individual's legally authorized representative, the service provider may release personal information to another agency or organization for the latter's program purposes only to the extent that the information may be released to the involved individual and only to the extent that the other agency or organization demonstrates that the information requested is necessary for the proper administration of its program.
(2) Medical or psychological information may be released pursuant to paragraph (e)(1) of this section if the other agency or organization assures the service provider that the information will be used only for the purpose for which it is being provided and will not be further released to the individual.
(3) The service provider shall release personal information if required by Federal laws or regulations.
(4) The service provider shall release personal information in response to investigations in connection with law enforcement, fraud, or abuse, unless expressly prohibited by Federal or State laws or regulations, and in response to judicial order.
(5) The service provider also may release personal information to protect the individual or others if the individual poses a threat to his or her safety or to the safety of others.