Child welfare professionals face a daunting array of privacy, confidentiality, and security rules. Too often, the answer to the question, “May I share this vital information with a colleague who is also working with this family?” is a frustrated shrug and an exasperated, “Better not, just to be safe.” Conflicting guidance, misinterpretations, and uncertainty abound, and this is a significant barrier to achieving client-centric interoperability, fully informed decision-making, and evidence-based practices.
Agencies struggle to comply with the privacy provisions in CAPTA, HIPAA, FERPA, SAMHSA’s 42 C.F.R. part 2, and those laws’ state and local counterparts. Staff attends regular training sessions and signs numerous acknowledgements that their legal obligations are understood. But, have we gotten to the point where a normal human being with a complex and demanding “day job” can no longer reasonably be expected to comprehend (and, therefore, flawlessly abide by) the patchwork of data-access rules?
Imagine that a local school district wants to share periodic grade reports and any school disciplinary events with a student’s foster parents, caseworker, and CASA volunteer. However, FERPA is often considered a prohibition to sharing this kind of information. An interdisciplinary team works hard to tackle the problem and creates a detailed intergovernmental agreement that states the following data-access policy:
- The student’s caseworker will seek to secure the educational parent’s written, signed consent to the disclosure of academic and school-discipline data. If the caseworker is unable to secure such consent, then the matter will be brought before the family court judge, who will make a case-by-case determination and enter appropriate orders. Either a signed consent or a court order will be secured for every school-aged child within 60 days of out-of-home placement, and a copy will be provided to the school’s liaison.
- Within 30 days of the school liaison’s receipt of a signed consent or a court order, the school district will grant the following persons access to the student’s academic and school-discipline records:
- The student’s caseworker,
- The student’s foster parent(s), and
- The student’s CASA volunteer.
- The child welfare agency agrees to notify the school’s liaison within 30 days of any change in the child’s assigned caseworker, foster-care placement, or assigned CASA volunteer, so that the school district can update the access to the student’s records.
Source Subject = School (the custodian of the data)
Target Subject = Caseworker, Foster Parent, or CASA Volunteer (the requestor of the data)
Target Object = Grade Report or Discipline Report (the data that are requested)
Action = View (the type of operation the requestor seeks to perform on the requested data)
Condition = Student Foster Care Flag
Condition = Consent or Court Order
Technical components of the information-sharing service are then configured to retrieve the data that are required to calculate whether a request will be granted or denied.
- Who is requesting the information?
- What information is being requested?
- Who is the information’s custodian?
- What operation will be performed on the information?
- What conditions must be satisfied?
The information-sharing service can also create an audit log of all requests and their outcomes, so that the appropriateness of “grant” and “deny” decisions can be tested periodically. An information-sharing service can also be configured to notify particular stakeholders of particular events – for example, an e-mail could be sent to a data custodian when a request for access is denied.
Download the PDF