Soler, M. & Peters, C. (1993). Who should know what? Confidentiality and information sharing in service integration. Des Moines, IA: National Center for Service Integration (pp. 5, and 12-19).

All too often, the services available to children and families at risk do not provide a close fit to what they actually need. These parents and children become defined by the labels they receive initially- "mentally ill," "delinquent," "abusive," or "drug dependent." They move into systems that provide limited individual services and ignore broader family issues. This single-issue approach often reduces the effectiveness of the services and misses the opportunity to address the underlying needs of clients in a comprehensive way. Their labels outlive their usefulness and prevent the development of effective services strategies. Different service systems may simultaneously or sequentially serve the same individuals without any coordination or continuity in service provision.

Recognizing this lack of coordination across service systems and the fragmentation and duplication of services it often creates, states and communities seek more integrated approaches that involve greater coordination and collaboration across different agencies and organizations serving children and families. Through interagency partnerships, states and communities hope to fill gaps in services, provide more service continuity and consistency, and reach beyond specific labels to provide more effective services for children and families.

These collaborations face many obstacles. One of the most commonly cited obstacles to interagency collaboration is the existence of confidentiality provisions that appear to restrict agencies from working together. Many professional view these limits on the flow of information - and potentially on the delivery of services - as major impediments to interagency collaboration. This resource brief proposes that confidentiality need not to a significant impediment to interagency collaboration. Based on the work in number of states and communities, several mechanisms exist for effective interagency information sharing that balance the interests of children and families (in protecting information from disclosure) with the interests of agencies who need to share information to work effectively. This brief draw from legal research, literature reviews, and extensive discussions with public officials and agency personnel who have addressed confidentiality concerns successfully. This brief does not aim to be a comprehensive analysis of confidentiality mandates or an exhaustive treatment of what any particular agency must do to satisfy those mandates. It is also not designed to help evade confidentiality provisions.

The interests of children and families in protecting private information from unauthorized disclosure are significant and should not be disregarded. The goal of this brief is to show that agencies can share information while respecting the rights and interests of children and families.

Ways to Facilitate Appropriate Information Sharing

This Resource brief concurs with a larger Youth Law Center study of confidentiality provisions and interagency collaborations which concluded that agencies can successfully balance the privacy interests of clients and their own needs for information sharing and can find ways to share virtually all necessary information.

This chapter discusses how agencies can share needed information. Different agencies have different types of confidentiality requirements. These different requirements must be understood and balanced in order to share information across agencies. The first section discusses obtaining informed consent to release information. The second reviews informal exchanges of information - information sharing authorized by statute, memoranda of understanding, interagency contracts, similar agreements, and court orders. The third discusses safeguards that agencies should employ to assure that information is not shared inappropriately. The final section covers special considerations when dealing with computerized information.

Informed Consent: Releases and Waivers

Informed consent is the most common formal mechanism for exchanging information. The individual, who is the subject of the information, gives consent generally through a signed written release. When the person is legally incompetent, because of age for example, the parent or guardian my sign.

Federal statutes affecting children and families authorize disclosure of confidential information with consent. Privileges rooted in state law may also be waived with consent to release information. Some laws provide specific requirements for the consent to release information. For example, federal alcohol and drug abuse regulations are specific and include a sample release form. State laws stipulate requirements for release of certain kinds of information, such as HIV status and mental health information.

Requirements of release. Any release of personal information should be in writing. It should contain the following:

• The name of the person who is the subject of information.
• The name of the person, program, or agency sharing the information.
• The name of the person, program, or agency with whom the information will be shared.
• The reasons for sharing the information.
• The kind of information that will be shared.
• The signature of the person who is the subject of the information.
• The date the release is signed.
• A statement that the release can be revoked any time by the subject of the information.
• An expiration date for the release or a specific event (such as the end of the school year) that will terminate the release.
• A notice stating that the subject of information has a right to receive a copy of the release.

Notices to clients. Notices to clients of agency's need to release information are critical to the process of obtaining informed consent. These notices inform clients about the purpose and the extent of the consent being requested. Inadequate and confusing notices may mislead clients and impair the relationship between clients and service providers. Clearly presented notices can inform clients of their rights and help promote trust in the agency. Some statutes include specific requirements for notices to clients regarding the release of confidential information.

Routines for obtaining releases. It is good practice to obtain written releases from clients during initial interviews or as services begin. These releases should cover routine information. If the agency need additional information from the client later, it can obtain a supplemental release.

Multiagency releases. In Iowa, California, and other states, interagency collaborations have developed comprehensive release forms that satisfy the confidentiality mandates of the participating agencies. By signing one release form, the client permits the participating agencies to exchange information and to coordinate services for the client.

Obstacles to Making Consent Informed

Consent to release confidential information must be "informed." The concept is analogous to consent to medical treatment. Generally, a client may give consent to release information in the same circumstances in which he or she may give consent to treatment: the person should possess sufficient knowledge of the risks and benefits of the release of information, and should be capable of making a reasoned choice between alternatives. The person should understand what information will be disclosed, to whom it will be disclosed, the purpose of the disclosure, and the benefits of such disclosure.

• Minors and legal "incompetency. " Even though minors are not legally allowed to make certain decisions, some state statutes provide that they may consent to release information. California, for example, allows minors to consent to and release information pertaining to certain types of health care, including care related to pregnancy, rape, sexually transmitted diseases, HIV/AIDS, and drug or alcohol abuse. Some states have "mature minor" rules under which minors found by a court to be sufficiently mature may consent to medical care and to the release of records. Some states allow minors who are legally emancipated, or who are themselves parents, to consent to care and the release of records.

• Language and culture. Language and culture may compound the difficulties in obtaining informed consent. A written release of confidential information in a language not understood by the client is invalid. Some confidentiality statutes require that a notice of the consent, or the release form itself, be presented in the individual's native language. Agency personnel should also be aware of different cultural customs and attitudes about privacy. Many immigrants fear that the personal information they provide may put them or their families at risk of deportation. Whenever this is an issue, release forms should state clearly that no personal information will be given to the Immigration and Naturalization Service.

• Consequences of refusing to give to consent. In most situations, if an agency worker explains the purposes and benefits of information sharing to a client, the client will consent to release information. If an agency needs the information to fulfill its own legal duties, it may be required to seek a court order to obtain the information. If an agency needs client information to provide additional services and the client initially refuses to allow for sharing of information to provide additional services and the client initially refuses to allow for sharing of information, the agency personnel should seek to show and convince clients that it is in their interest to allow sharing, and that sharing is essential to providing additional services.

Penalty for violation. Violations of confidentiality may result in criminal and civil liability on the part of the agency and the individual who releases the information. The agency may also face the loss of federal or other funds. In practice, however, such penalties are quite rare because most information sharing benefits the client. Mistakes can occur, but the agency's beneficial intent is usually evident. Moreover, the initiation of formal proceedings may lead to an even wider disclosure of the information the client wishes to keep confidential. Only in the most unusual situations, in clear violation of applicable regulations, have clients sought relief under the penalty provisions of confidentially statutes. The real force of confidentiality provisions is not in the legal penalties but in making it clear to agency workers that clients have legitimate interests in protecting personal information. Professionalism, ethics, and the tone set by agency administrators all play important roles in enforcing confidentiality provisions.

Other Methods of Sharing Information

Information sharing authorized by statute and regulation. Most federal statutes permit disclosure of confidential information for a variety of administrative purposes without consent of the individual. An agency may share information for a number of reasons, including the following:

• Administration of the program or related programs.
• Audits
• Determinations of eligibility for services.
• Medical emergencies.
• Investigations, prosecutions, or civil or criminal proceedings related to program administration.

Authorized sharing of confidential information is common in state statutes. The statutes fall into several categories: broad authorizations for information sharing among agencies, specific authorizations regarding particular types of information (such as child abuse information), and authorizations to share information to develop more comprehensive services for children and families (such as statutes that establish multidisciplinary teams to develop treatment plans).

Interagency agreements and memoranda of understanding. Under several federal and state statutes, agencies may enter into agreements to share information about clients to better achieve service goals. For example, federal regulations concerning alcohol and drug abuse authorize interagency information exchanges under a "qualified service organization agreement" (QSOA). Statutes in several states contain similar authorizations that allow agencies to share information without obtaining written releases from individual clients. Interagency agreements should specify:

• What information will be shared.
• How the information will be shared.
• Who will have access to the information.
• The purposes for information sharing.
• Assurances by the participating agencies that they will not disclose the information further except as dictated by the agreement, and that they will resist other efforts to obtain the information.
• Other requirements mandated by applicable confidentiality provisions.

Court orders. In recent years some juvenile courts have issued orders to guide interagency sharing of information. These orders allow the routine disclosure of juvenile court information to designated county departments to assist case planning and treatment.

Informal exchanges of information. The most common way to share information among agencies in informal. It is usually verbal and by telephone. A probation officer may, for example, call a school counselor to find out whether a child is attending school, in compliance with terms of probation. This methods of exchange occurs principally when people who need limited bits of information are familiar with each other and have developed a relationship of trust.

Despite the widespread use of this form of information sharing, it may not comply with statutory requirements. These informal exchanges frequently take place without consent or statutory authorization. If an agency participates in this form of information exchange, it should advise clients that such limited, informal information sharing may occasionally be necessary, and then determine whether the clients have objections to the practice.

The agency will be on safest legal grounds if it obtains voluntary consent, in written form, to the exchange of verbal information, and establishes clearly the types of information exchanges that will occur. Clients are most likely to consent to such information sharing if they know it will help the agency respond to them. While informal and verbal communications often do not result in any written records, they represent communications and therefore do come under confidentiality provisions.

Ensuring Compliance with Information Sharing and Confidentiality Provisions

Whatever the procedures established for information sharing and confidentiality, it is up to agency workers to carry out those procedures. Agencies should strive to provide work places that foster respect for clients and their privacy.

The methods described below can help emphasized the importance of confidentiality and help meet confidentiality obligations.

Gatekeepers. Many agencies designate one individual to act as the "gatekeeper" of confidential information concerning agency clients. This person fields requests for confidential information. Often the gatekeeper is the agency counsel. Other agencies designate a "seasoned" employee with specialized training who develops experience with the confidentiality issue and becomes a local specialist. The gatekeeper's duties may include:

• Maintaining a library of confidentiality materials.
• Providing training for agency employees on confidentiality requirements.
• Responding to requests for information and maintaining records of requests and responses.
• Developing forms for information requests.
• Suggesting some changes in information management practices when appropriate.
• Assuring that records are secure from fire, theft, and other damage.

Confidentiality oaths. Several statutes require confidentiality oaths, particularly for researchers. Some agencies use these staff pledges of confidentiality to promote sensitivity to clients' interests in privacy. The confidentiality oaths are usually written and signed. They constitute promises to use information only for designated agency purposes, and not to disclose the information to any other person or agency unless specifically authorized.

The importance of staff training. To follow legal mandates and respect individuals' right to privacy, it is essential for agencies to establish thorough and ongoing programs of staff instruction. Staff training on confidentiality should include:

• The reasons for ensuring confidentiality of information about children and families.
• The specific information the agency needs.
• The reasons why the agency needs the information.
• The type of information the worker's agency will share with other agencies.
• The purposes of information sharing among agencies.
• The legal provisions, particularly federal and state statutes and regulations, applicable to the agency's work.
• The importance of clearly explaining to clients why consent is essential.
• The need for sensitivity to language and cultural issues.
• The requirements of informed consent and the necessary elements for written releases.
• The role of interagency agreements, court orders, and other mechanisms that facilitate interagency information sharing that does not require the consent of clients.
• Special issues that arise from the use of automated management information systems.

Working With Computerized Information

The greatest strength of the computer is also its greatest danger: all of the information in all of the files is potentially available to anyone with a computer terminal - all without the consent of the clients. Consequently, automated systems containing client information require more levels and types of security than nonautomated systems. This is particularly significant with today's rapid growth of technology. Most agency records will eventually be stored in computers. When one agency's records become linked on a computer network with another agency's records for the sharing of information, safeguards must be in place to assure that confidential information will not be disclosed improperly. In developing a computerized data system and using it effectively, agencies should go through the following steps:

• Determine the purpose of the system.
• Obtain the cooperation of all participating agencies.
• Develop thorough security procedures.
• Train staff carefully.
• Provide notices to clients.

Determine the purpose of the system. Automated data management may have several purposes. Some purposes focus on the systems providing services; these include researching needs for services in the community, reporting services provided by particular agencies, evaluating the effectiveness of services, assessing cost-effectiveness of services, and planning for the future. Other purposes focus on meeting the needs of individual clients; these include assisting in comprehensive assessments of client needs, finding services in the community that can meet the client's needs, and tracking the cost of providing the services. Planners should determine the purposes of the system at the design stage because that decision will affect other aspects of the system - such as information accessibility, levels of security, and system usefulness to administrators, policymakers, and workers.

Obtain the cooperation of all participating agencies. The development of an automated system requires a high degree of cooperation among agencies. Agencies must agree on what kind of hardware and software they will use and how they will ensure compatibility. Agencies must also agree on how to identify people in the system (using a selected numerical code). Although these initial steps are rudimentary, they can be substantial obstacles for agencies. Beyond the issues of hardware and software compatibility and common client identifiers, agencies need to agree on many other issues - such as what information each agency will enter into the system, who will have access to the information in the system, how the information may be used by participating agencies, and which security measures will be instituted to protect confidentiality and the integrity of the system.

Develop thorough security procedures. Agencies should develop several levels of security to properly safeguard automated data systems:

• Security of the physical environment. Data tapes and disks should remain in locked rooms when not in use. Access to these materials should be strictly controlled, with chain-of-custody controls on the people who move tapes and disks. Agencies should maintain logs for recording the location of all disks and tapes at all times. Access to computers tapped into the data should be strictly limited.

• Security of on-line data. Once the information is stored in the computer system, agencies should limit access to it. This usually involves a series of passwords. Each password allows the user to get deeper into the system, depending on his or her authorization to have that level of information. Security is maintained if each user knows only the passwords that allow access to the information that the user has a legitimate need for. Some information may be so sensitive that agencies will prefer not to enter it into any computer database subject to access from outside agencies.

• Use of identifiers to mask personal identities. Agencies should identify individuals whose information is in the system by codes, not by personal names. One of several identifiers could be used, including agency-assigned identifying numbers. Some systems have specialized methods for developing identifiers, such as using certain letters from the client's last name. In theory, only one person knows the true identity of the person, the person who enters the information initially into the computer and assigns an identifier. This technical breach of confidentiality is usually considered minor and inconsequential.

Train staff carefully. The importance of staff training in this area cannot be overstated. Automated systems make so much more confidential information potentially available to so many more workers that the need for regular and comprehensive training is much greater.

Provide notices to clients. Clients should receive notices stating that certain information about them is being recorded on an automated data system and that it will be accessible to others for specific purposes. The notice should specify the type of information entered into the system, the particular individuals or agencies who will have access to the information, the reasons for which they may have access to the information, and the uses they may make of the information. If the information can be shared among agencies, pursuant to a statutory provision or an interagency agreement, a general notice to this effect may be sufficient. If the information sharing requires the client's consent, the agencies could develop a common consent form that the client can sign only once.

Confidentiality provisions strike a balance between the interests of children and families in protecting information from disclosure and the interests of agencies in sharing information. By using the principles and mechanisms described in this brief, agencies should not find that confidentiality provisions significantly impede interagency collaboration. Many agencies both share information and respect the privacy interests of children and families.

To order the preceding Resource Brief in its entirety, please contact:
National Center for Service Integration
c/o Child and Family Policy Center
Fleming Building, Suite 1021
218 Sixth Avenue
Des Moines, Iowa 50309
(515) 280-9027

Back to Top