Ariz. Admin. Code § R21-7-122 - Confidentiality

A. The Department shall maintain the confidentiality of any applicant or licensee and facility address under A.R.S. § 8-502.

B. The Department shall maintain the confidentiality of a source filing a licensing complaint.

C. Except as otherwise allowed under A.R.S. § 8-807 or otherwise authorized by law, a licensee's records concerning a child in their care and the child's family are confidential and the licensee shall not disclose or knowingly permit the disclosure of confidential information.

D. The Agency shall keep all child records and Agency financial records in a locked, fire-resistant file or in a password protected electronic filing format. The Agency shall ensure records are properly maintained, secured, and protected against loss or corruption. The Agency shall limit access to child records to authorized staff and to the Department.

E. The licensee shall maintain written policy and procedures to keep the Agency's records secure in a manner that preserves confidentiality and prevents loss, tampering, or unauthorized use. The policy and procedures shall:

1. Be consistent with any laws applicable to the specific records; and

2. Cover the following:

a. The manner in which children's records are maintained, stored, and destroy;

b. Identification of the staff who:

i. Supervise the maintenance of records,

ii. Have custody of records, and

iii. Have access to records;

c. The persons to whom records may be released and under what circumstances records may be released, including release of information to custodial and non-custodial parents and guardians;

d. The protection of children in care against public identification; including through social media; and

e. Photography, and audio or audio-visual recording, which shall include;

i. Circumstances under which photographs and audio or audio-visual recordings are created;

ii. Methods and timeframe of storage;

iii. Circumstances under which the licensee will access the material;

iv. Who may access the material;

v. Location in and outside of the facility in which photography and audio or audio-visual recording is prohibited; and

vi. Access by the Department.

F. Before using personally identifiable information for publicity, fundraising, or research, a licensee shall obtain:

1. A written consent to release, from a parent or guardian; or

2. A court order, if the child is a ward of the court.

G. The licensee may release personally identifiable information about a child in care or family to a person who requires the information to treat or provide services to the child unless the release is prohibited by law.

H. A consent to release of information shall include:

1. The name of the person or entity to whom the information is to be released;

2. A description of the information to be disclosed;

3. The reason for disclosure;

4. The expiration date of consent, not to exceed six months from date of signature; and

5. The dated signature of the person or Placing Entity's representative authorizing the release.

I. Notwithstanding any other provision of this Chapter, in a medical emergency, the licensee shall promptly release necessary information to the person or entity providing the child in care with services related to the emergency.

J. Records Storage Space

1. The licensee shall maintain or have available a physical space for records storage that protects confidentiality and provides security against theft, unauthorized release, security breach, damage, and loss.

2. The records storage space may be a space for hard copy records, a server for electronic and digital records, or both.

3. The licensee shall lock all hard copy records and shall encrypt and password protect electronic records.

4. If the Agency contracts for storage space the contract shall include:

a. A provision that all data is owned jointly by the licensee and the Department and that a contractor may not use or disseminate the data in any way;

b. A provision that the contractor shall return all data immediately upon cessation of the contract; and

c. A provision requiring security against theft, unauthorized release, security breach, damage, and loss of records.

K. The licensee shall comply with all record retention laws and the Department's record retention schedules.

L. The licensee shall destroy records in a manner that maintains confidentiality and shall comply with all applicable laws.

Notes

Ariz. Admin. Code § R21-7-122

New Section made by final rulemaking at 29 A.A.R. 2231, effective 11/6/2023.