Nonprofit Confidentiality In The Age of Big Data


The e-Advocate Quarterly Magazine

Nonprofit Confidentiality In The Age of Big Data Proverbs 11:13 | Proverbs 17:9 James 5:16 | Hebrews 10:1-39

“Helping Individuals, Organizations & Communities Achieve Their Full Potential”

Vol. XI, Issue LI – Q-3 July | August | September 2025


The Advocacy Foundation, Inc. Helping Individuals, Organizations & Communities Achieve Their Full Potential

Since its founding in 2003, The Advocacy Foundation has become recognized as an effective provider of support to those who receive our services, having real impact within the communities we serve. We are currently engaged in many community and faith-based collaborative initiatives, having the overall objective of eradicating all forms of youth violence and correcting injustices everywhere. In carrying out these initiatives, we have adopted the evidence-based strategic framework developed and implemented by the Office of Juvenile Justice & Delinquency Prevention (OJJDP). The stated objectives are:

1. Community Mobilization;
2. Social Intervention;
3. Provision of Opportunities;
4. Organizational Change and Development;
5. Suppression [of illegal activities].

Moreover, it is our most fundamental belief that in order to be effective, prevention and intervention strategies must generally be Community Specific, Culturally Relevant, Evidence-Based, and Collaborative. The Violence Prevention and Intervention programming we employ in implementing this community-enhancing framework includes the programs further described throughout our publications, programs and special projects both domestically and internationally.

www.TheAdvocacyFoundation.org ISBN: ......... .........

../2015 Printed in the USA

Advocacy Foundation Publishers 3601 N. Broad Street, Philadelphia, PA 19140 (878) 222-0450 | Voice | Fax | SMS



“Helping Individuals, Organizations & Communities Achieve Their Full Potential”

1735 Market Street, Suite 3750 Philadelphia, PA 19102 | 100 Edgewood Avenue, Suite 1690 Atlanta, GA 30303

John C Johnson III Founder & CEO

(878) 222-0450 Voice | Fax | SMS www.TheAdvocacyFoundation.org



Biblical Authority

Proverbs 11:13 (NIV) 13 A gossip betrays a confidence, but a trustworthy man keeps a secret.

______

Proverbs 17:9 (NIV) 9 He who covers over an offense promotes love, but whoever repeats the matter separates close friends.

______

James 5:16 (NIV) 16 Therefore confess your sins to each other and pray for each other so that you may be healed. The prayer of a righteous man is powerful and effective.

______

Hebrews 10:1-39 (NIV) Christ's Sacrifice Once for All 1 The law is only a shadow of the good things that are coming--not the realities themselves. For this reason it can never, by the same sacrifices repeated endlessly year after year, make perfect those who draw near to worship. 2 If it could, would they not have stopped being offered? For the worshipers would have been cleansed once for all, and would no longer have felt guilty for their sins. 3 But those sacrifices are an annual reminder of sins, 4 because it is impossible for the blood of bulls and goats to take away sins. 5 Therefore, when Christ came into the world, he said: "Sacrifice and offering you did not desire, but a body you prepared for me; 6 with burnt offerings and sin offerings you were not pleased. 7 Then I said, 'Here I am--it is written about me in the scroll-- I have come to do your will, O God.' " 8 First he said, "Sacrifices and offerings, burnt offerings and sin offerings you did not desire, nor were you pleased with them" (although the law required them to be made). 9 Then he said, "Here I am, I have come to do your will." He sets aside the first to establish the second. 10 And by that will, we have been made holy through the sacrifice of the body of Jesus Christ once for all. 11 Day after day every priest stands and performs his religious duties; again and again he offers the same sacrifices, which can never take away sins. 12 But when this priest had offered for all time one sacrifice for sins, he sat down at the right hand of God. 13 Since that time he waits for his enemies to be made his footstool, 14 because by one sacrifice he has made perfect forever those who are being made holy. 15 The Holy Spirit also testifies to us about this. First he says: 16 "This is the covenant I will make with them after that time, says the Lord. I will put my laws in their hearts, and I will write them on their minds." 17 Then he adds: "Their sins and lawless acts I will remember no more." 
18 And where these have been forgiven, there is no longer any sacrifice for sin.


A Call to Persevere 19 Therefore, brothers, since we have confidence to enter the Most Holy Place by the blood of Jesus, 20 by a new and living way opened for us through the curtain, that is, his body, 21 and since we have a great priest over the house of God, 22 let us draw near to God with a sincere heart in full assurance of faith, having our hearts sprinkled to cleanse us from a guilty conscience and having our bodies washed with pure water. 23 Let us hold unswervingly to the hope we profess, for he who promised is faithful. 24 And let us consider how we may spur one another on toward love and good deeds. 25 Let us not give up meeting together, as some are in the habit of doing, but let us encourage one another--and all the more as you see the Day approaching. 26 If we deliberately keep on sinning after we have received the knowledge of the truth, no sacrifice for sins is left, 27 but only a fearful expectation of judgment and of raging fire that will consume the enemies of God. 28 Anyone who rejected the law of Moses died without mercy on the testimony of two or three witnesses. 29 How much more severely do you think a man deserves to be punished who has trampled the Son of God under foot, who has treated as an unholy thing the blood of the covenant that sanctified him, and who has insulted the Spirit of grace? 30 For we know him who said, "It is mine to avenge; I will repay," and again, "The Lord will judge his people." 31 It is a dreadful thing to fall into the hands of the living God. 32 Remember those earlier days after you had received the light, when you stood your ground in a great contest in the face of suffering. 33 Sometimes you were publicly exposed to insult and persecution; at other times you stood side by side with those who were so treated. 34 You sympathized with those in prison and joyfully accepted the confiscation of your property, because you knew that you yourselves had better and lasting possessions. 
35 So do not throw away your confidence; it will be richly rewarded. 36 You need to persevere so that when you have done the will of God, you will receive what he has promised. 37 For in just a very little while, "He who is coming will come and will not delay. 38 But my righteous one will live by faith. And if he shrinks back, I will not be pleased with him." 39 But we are not of those who shrink back and are destroyed, but of those who believe and are saved.



Table of Contents

e-Advocate Quarterly
Nonprofit Confidentiality In The Age of Big Data

______

Biblical Authority
I. Introduction
II. The Board of Directors
III. Organizational Staff & Management
IV. Collaborative Partnerships
V. Community Stakeholders
VI. HIPAA
VII. Referrals
VIII. Limits On Confidentiality
IX. References

Attachments
A. Sample Confidentiality Agreements
B. Sample Board of Directors Code of Ethics and Confidentiality Policy
C. Understanding Best Practices in Client Confidentiality

Copyright © 2015 The Advocacy Foundation, Inc. All Rights Reserved.



Introduction

by: The Association of Corporate Counsel Victoria Prince, Borden Ladner Gervais LLP

Like their for-profit counterparts, board members of a non-profit corporation are in a fiduciary relationship with the corporation. This means that they are obliged to act honestly and in good faith in respect of the corporation. The obligation has many components, including a duty to avoid conflicts of interest and a duty to avoid abusing their position to gain personal benefit. One component of board members’ fiduciary obligation is a duty to maintain the confidentiality of information that they acquire by virtue of their position.

When is the Duty of Confidentiality Engaged

Board members’ duty of confidentiality can affect their actions in a variety of scenarios. Below are some examples of situations in which the duty of confidentiality can become engaged.

In some cases, the duty of confidentiality may relate to the disclosure of personal information to which the board member is privy as a result of his or her position, for example personal health information, employee information, or information regarding a member’s financial position.

In some circumstances, the duty of confidentiality may be closely linked with directors’ duty to avoid conflicts of interest. For example, a board member may have loyalties towards a constituency, special interest group or individual within the membership of the organization. If the board is engaged in making a decision that the group or individual has a position on or would be affected by, it would be inappropriate for the board member to share with the group or individual information that the board member learned through his or her position. It is the board member’s duty to maintain the confidentiality of information gained through his or her position, regardless of obligations or loyalties to other organizations or individuals.

The board may engage in heated discussion in the course of decision-making. It would be inappropriate for a board member to gossip among the wider organization about “who said what” after the decision has been made or during the course of discussion.

Consider Developing a Confidentiality Policy

Board members’ duty of confidentiality results from their fiduciary obligations to the corporation, and does not depend for its existence on the creation of a policy or other instrument. If it has not already done so, however, a board may wish to consider instituting a governance policy with respect to confidentiality. As a matter of best practices, such a policy can be used to reflect and clarify the expectation for its members and to explain the application of the duty.



Once approved by the board on a motion, the confidentiality policy would govern future decision-making and action, and could form the basis for the development of more detailed procedures, if required. Board members participate in policy making as a group, providing an opportunity for members to familiarize themselves with this aspect of their fiduciary responsibilities and to consider how the duty of confidentiality applies in the context of their organization. As with all policy decisions, it is wise to record a confidentiality policy in a policy manual or handbook, to ensure that it is readily available for referral. A confidentiality policy may, among other things:

• Identify its purpose.
• Define to whom the policy applies: board members? non-board committee members? staff?
• Identify the directors’ duty of confidentiality, and define its scope: for example, not to disclose or discuss with another person or entity, or to use for their own purpose, confidential information concerning the organization’s affairs received in their capacity as directors, unless the board authorizes such disclosure.
• Provide that board members not make any statement to the press or the public unless authorized to do so by the board.
• Require that board members and anyone else to whom the policy applies review and sign the policy.
• Define what matters are considered confidential.
• Provide a process by which the board may authorize disclosure of confidential matters.
• Provide a process by which meetings or portions of meetings may be held in camera.
• Link to or combine with the organization’s privacy policy or conflict of interest policy.
• Link to or combine with the organization’s confidentiality policy for staff.

Consequences of Breaching the Duty of Confidentiality

The organizational consequences of a confidentiality breach at the board level will vary. If board members do not have confidence that their colleagues will keep board discussions in confidence, the organization’s governance will suffer, since good governance requires full and frank disclosure at the board level. In addition, individuals or the organization itself may be harmed by the inappropriate disclosure of information.

What if a board member disagrees with a board decision? How can he or she register his or her disagreement, if bound by confidentiality? Once passed, a board decision becomes a decision of the board as a whole, to be complied with by all. A director who disagrees with a board decision may register dissent, however, and if seriously at odds with board policy, should consider resigning. Creating a policy could help your board deal with issues before they arise.



The Board of Directors

A cornerstone of corporate law is that a member of a Board of Directors owes fiduciary duties to the corporation he or she serves. One of these fiduciary duties is the duty of loyalty.

The duty of loyalty requires board members to act in the interest of the corporation and not in the directors’ own interest or in the interest of another person or organization. In exercising their duty of loyalty, directors must act in a manner they believe is in the best interests of the nonprofit corporation without taking their personal interests into account. Directors should not use their corporate position to make a personal profit or gain or for other personal advantage. Another important component of the duty of loyalty is a duty of confidentiality. The duty of confidentiality is essentially a duty not to speak about board matters to non-board members or share board materials with non-board members unless authorized to do so. Similarly, the presence of staff and other guests at board meetings can chill Board member communications. Open dialogue is crucial to board deliberations. If Board members do not feel that their conversations are private or that the confidentiality of their discussions will be respected, they may feel pressure to avoid certain topic areas or to hedge their comments in a way that doesn’t serve the organization’s best interests.



To avoid breaches of the duty of confidentiality, Boards should consider adopting a confidentiality policy and having new directors and officers sign a commitment that they understand and will follow the policy. This by no means ensures compliance, but it can help to emphasize the importance of maintaining the confidentiality of board deliberations and ensures all directors and officers are aware of their duty to protect confidential Board information.

______

Unfortunately, case law regarding a director’s obligation to maintain the confidentiality of corporate information is limited. Under Delaware law, a director’s fiduciary duty of loyalty requires directors not to misuse or disclose confidential corporate information to others to further their own private interests rather than those of the corporation.1 While a director may believe that conveying confidential corporate information to the press is in the best interests of the corporation, a court will decide with 20-20 hindsight whether the disclosure was consistent with the director’s fiduciary duties. In the JC Penney incident, the board reportedly was considering pursuing legal action against Ackman, whose disclosures the company’s chairman characterized as “disruptive and counterproductive.”2 According to at least one report, Ackman sought, in connection with his ultimate resignation from the board, a release from any potential liability.3

Short of pursuing legal action, boards are limited in their ability to sanction a rogue director. Under Delaware law, directors cannot remove a fellow director from the board, nor can they simply exclude the director from board meetings. A board of directors, however, can form a special committee that does not include the offending director and conduct delicate board business through the special committee. One court recently noted, however, that “the degree to which such a committee would need to provide some form of update periodically or upon request to other directors or the board has not been fully determined and is likely fact-dependent.”4 Because of these difficulties, the most likely remedy a board will pursue is to simply not renominate the director when he or she stands for re-election.

Despite these limited remedies, there are some steps that a board can take to help preserve boardroom confidentiality:

Adopt a robust confidentiality policy. While almost all public companies have adopted insider trading policies prohibiting the disclosure by insiders of material nonpublic information about the company, few companies expressly restrict the disclosure of boardroom deliberations and other information learned by directors in the course of their service to the company. Companies should review and revise their corporate governance guidelines or other appropriate policies to expressly prohibit such disclosure unless required by law or approved by the board. The policy should clearly identify as “confidential information” any nonpublic information about discussions and deliberations at the board level, as well as information relating to board dynamics and company personnel. Boards should also make sure that their Regulation FD disclosure policy and/or corporate governance guidelines squarely address who is authorized to speak on behalf of the company. If nothing else, a robust confidentiality policy will impress upon directors the importance that the company places on boardroom confidentiality and foster voluntary compliance. Also, Delaware courts do give weight to board confidentiality policies when analyzing confidentiality claims, at least when ruling on shareholder demands to inspect company books and records.

Expressly address disclosure by designated directors to their sponsors. The extent to which a director serving at the behest of a hedge fund or other sponsor may convey confidential corporate information to the sponsor is not clearly established under Delaware law. However, in a 2013 decision, the Delaware Chancery Court declared in dicta that “[w]hen a director serves as the designee of a stockholder on the board, and when it is understood that the director acts as the stockholder’s representative, then the stockholder is generally entitled to the same information as the director.”6 To negate any implicit understanding or confusion in this regard, a company’s director confidentiality policy should expressly prohibit disclosure to a director’s sponsor unless the company otherwise expressly agrees. In addition, designated directors often gain their board seats through a negotiated settlement between the company and the sponsor in connection with a pending or threatened proxy fight. The settlement agreement should clearly address the extent to which the director may share confidential information with his sponsor and should impose confidentiality restrictions on the sponsor.

Consider confidentiality requirements for nomination and qualification of directors. Many companies have adopted “second generation” advance notice bylaws that provide, among other things, that a shareholder nominee for election to the board must, as a precondition to nomination, agree in writing to comply with all company policies that are applicable to directors. When combined with a robust director confidentiality policy as discussed above, this type of bylaw can help deter confidentiality breaches. A company may also wish to consider adding a director qualification bylaw that would render a director ineligible to serve if the director violated the company’s confidentiality policies. Alternatively, a company could require a director to agree in advance to resign from the board if the director violates the policy. Although Delaware law contemplates that a resignation conditioned upon a director failing to receive a specified vote for reelection may be irrevocable,7 it is not clear whether advance resignations given in other contexts may be irrevocable. In any event, these types of mechanisms would need to be carefully crafted to ensure that the procedure for determining a violation is fair and does not unduly restrict a director’s disclosure of information that is consistent with the director’s fiduciary duties.

Send periodic reminders. To enhance compliance, the company should periodically remind directors of their confidentiality obligations under the company’s insider trading, Regulation FD and boardroom confidentiality policies.

The preservation of boardroom confidentiality is critical to the effective operation of a board. Directors cannot be open and honest in their discussions if they fear that their comments or positions will appear in tomorrow’s newspaper. With the increasing success of hedge funds and other special-interest investors in placing directors on boards, there will be less collegiality in the boardroom and a greater risk of leaks. Directors who serve on a board at the behest of special-interest investors must not lose sight of the fact that they nevertheless owe their fiduciary duties to the stockholders as a whole.



Organizational Staff & Management

Confidentiality in employment is important regardless of whether you have signed a written confidentiality agreement. If your employment exposes you to confidential information owned by your employer, you should not publicize that confidential information. If you do, you risk legal trouble because of your breach of employee confidentiality.

Termination

The first and most obvious result of a breach of confidentiality is termination. Even if you have an employment contract, it is likely that a breach of confidentiality also constitutes a breach of your employment contract. In almost all circumstances, an employer will be well within his legal rights to fire you if you breach the employer's confidentiality.

Lawsuit Damages

An employer can also sue an employee for breach of confidentiality, and if successful at trial, the employer can obtain monetary damages from the employee. This means the employee will have to pay money to the employer, especially if the employee's breach caused identifiable monetary damage to the employer.



For example, if the employee shares confidential information with a competitor, the employer may be able to prove loss of market share and revenue, which the employee would then have to pay as damages to the employer. In some cases, an employer may even be able to obtain punitive damages against the employee.

Criminal Charges

In extreme circumstances, a breach of confidentiality can result in criminal charges against the employee. A breach of confidentiality may constitute theft of the employer's proprietary information or intellectual property. Theft is a crime punishable by fine or imprisonment. The state or federal government will charge you with the crime, not your employer. But your employer can encourage the government to do so.

Reputation

From a long-term perspective, breach of confidentiality can permanently tarnish an employee's reputation. This is especially true if the employee works in a specialized industry where competing companies know one another well. Future employers will not look on job applicants favorably if the applicant has breached the confidentiality of a previous employer.

The National Association of Social Workers

The National Association of Social Workers sets out its Confidentiality Policy as follows:

1.07 Privacy and Confidentiality

(a) Social workers should respect clients’ right to privacy. Social workers should not solicit private information from clients unless it is essential to providing services or conducting social work evaluation or research. Once private information is shared, standards of confidentiality apply.

(b) Social workers may disclose confidential information when appropriate with valid consent from a client or a person legally authorized to consent on behalf of a client.

(c) Social workers should protect the confidentiality of all information obtained in the course of professional service, except for compelling professional reasons. The general expectation that social workers will keep information confidential does not apply when disclosure is necessary to prevent serious, foreseeable, and imminent harm to a client or other identifiable person. In all instances, social workers should disclose the least amount of confidential information necessary to achieve the desired purpose; only information that is directly relevant to the purpose for which the disclosure is made should be revealed.

(d) Social workers should inform clients, to the extent possible, about the disclosure of confidential information and the potential consequences, when feasible before the disclosure is made. This applies whether social workers disclose confidential information on the basis of a legal requirement or client consent.

(e) Social workers should discuss with clients and other interested parties the nature of confidentiality and limitations of clients’ right to confidentiality. Social workers should review with clients circumstances where confidential information may be requested and where disclosure of confidential information may be legally required. This discussion should occur as soon as possible in the social worker-client relationship and as needed throughout the course of the relationship.

(f) When social workers provide counseling services to families, couples, or groups, social workers should seek agreement among the parties involved concerning each individual’s right to confidentiality and obligation to preserve the confidentiality of information shared by others. Social workers should inform participants in family, couples, or group counseling that social workers cannot guarantee that all participants will honor such agreements.

(g) Social workers should inform clients involved in family, couples, marital, or group counseling of the social worker’s, employer’s, and agency’s policy concerning the social worker’s disclosure of confidential information among the parties involved in the counseling.

(h) Social workers should not disclose confidential information to third-party payers unless clients have authorized such disclosure.

(i) Social workers should not discuss confidential information in any setting unless privacy can be ensured. Social workers should not discuss confidential information in public or semipublic areas such as hallways, waiting rooms, elevators, and restaurants.

(j) Social workers should protect the confidentiality of clients during legal proceedings to the extent permitted by law. When a court of law or other legally authorized body orders social workers to disclose confidential or privileged information without a client’s consent and such disclosure could cause harm to the client, social workers should request that the court withdraw the order or limit the order as narrowly as possible or maintain the records under seal, unavailable for public inspection.

(k) Social workers should protect the confidentiality of clients when responding to requests from members of the media.

(l) Social workers should protect the confidentiality of clients’ written and electronic records and other sensitive information. Social workers should take reasonable steps to ensure that clients’ records are stored in a secure location and that clients’ records are not available to others who are not authorized to have access.

(m) Social workers should take precautions to ensure and maintain the confidentiality of information transmitted to other parties through the use of computers, electronic mail, facsimile machines, telephones and telephone answering machines, and other electronic or computer technology. Disclosure of identifying information should be avoided whenever possible.

(n) Social workers should transfer or dispose of clients’ records in a manner that protects clients’ confidentiality and is consistent with state statutes governing records and social work licensure.

(o) Social workers should take reasonable precautions to protect client confidentiality in the event of the social worker’s termination of practice, incapacitation, or death.

(p) Social workers should not disclose identifying information when discussing clients for teaching or training purposes unless the client has consented to disclosure of confidential information.

(q) Social workers should not disclose identifying information when discussing clients with consultants unless the client has consented to disclosure of confidential information or there is a compelling need for such disclosure.

(r) Social workers should protect the confidentiality of deceased clients consistent with the preceding standards.

1.08 Access to Records

(a) Social workers should provide clients with reasonable access to records concerning the clients. Social workers who are concerned that clients’ access to their records could cause serious misunderstanding or harm to the client should provide assistance in interpreting the records and consultation with the client regarding the records. Social workers should limit clients’ access to their records, or portions of their records, only in exceptional circumstances when there is compelling evidence that such access would cause serious harm to the client. Both clients’ requests and the rationale for withholding some or all of the record should be documented in clients’ files.

(b) When providing clients with access to their records, social workers should take steps to protect the confidentiality of other individuals identified or discussed in such records.



Social Workers as Mandated Reporters: Conflicted Over Confidentiality? Part IV
by Kathryn Krass
The New Social Worker (2014)

The Responsibility to Keep Client Information Confidential

Confidentiality means that information shared within a relationship will not be shared outside that relationship. The expectation is that what a client tells a social worker, the social worker will not reveal to others. The purpose of client confidentiality is to encourage clients to share information that may be embarrassing, or even self-incriminating. Through the sharing of such information, the social worker can help the client address an issue, concern, or problem the client may be experiencing.

The social worker’s obligation to keep client information confidential is supported through state and federal law, but most often is discussed in reference to the NASW Code of Ethics. In the NASW Code of Ethics (NASW, 2008), Standard 1.07 outlines that social workers “should respect client’s right to privacy” (1.07[a]) by protecting “confidentiality of all information obtained in the course of professional service, except for compelling professional reasons” (1.07[b]).

So, is the legal requirement to report suspected child maltreatment a “compelling professional reason” to break client confidentiality? And the simple answer is “yes.” Although a social worker’s primary commitment is to his or her client, the Code outlines that social workers have a responsibility to the larger society as well. In Standard 1.01, the Code acknowledges there are times when the social worker’s responsibility to society at large, or a specific legal obligation of the social worker, may supersede loyalty to a client. The example of child abuse reporting is specifically highlighted in this standard. So, the legal requirement of all social workers to report suspected child maltreatment trumps the responsibility to keep client confidences quiet. The NASW Code and related laws all find this to be so.

The Importance of Informed Consent

Balancing the ethical responsibility to protect client confidentiality and the legal obligation to protect children from harm is difficult, even for social workers with decades of experience! So, how do you actually do this? First things first, you start at the beginning of the relationship with your client by incorporating a discussion of the limits to client confidentiality with your client through informed consent.

Informed consent is the process through which social workers discuss with clients the nature of the social worker/client relationship. Through informed consent, the social worker and client outline what the client can expect from the professional relationship, as well as what the social worker expects from the client’s participation. Informed consent often includes a discussion of basic protocols, such as how to make or cancel appointments, or the best way to contact the social worker. The process should also involve outlining what work will be done with and for the client, and what expectations there are for client involvement.

Integral to the informed consent process is a discussion of client confidentiality. Using simple language, appropriate to the developmental and language needs of the client, the social worker needs to explain to the client that he or she will generally keep information private, but that there are specific instances when the social worker is required to break client confidentiality. It is at this point that the social worker should highlight that if he or she suspects child maltreatment based on information received from the client, the social worker must break client confidentiality to make a report of the suspicion to child protective services.



It is important to clarify with the client that this means that the social worker may have to report suspected child abuse or neglect based on what the client says, even if the client is neither the victim nor the perpetrator. In other words, the social worker may (depending on the state where he or she resides*) have to make a report involving people he or she has never met. In some agencies or practice settings, informed consent involves the client signing a form that acknowledges receipt of certain information. Although a written tool is a good idea, it is important that there be additional methods for ensuring informed consent. In all cases, with or without written informed consent tools, the social worker and client should discuss, face-to-face, expectations for confidentiality and when confidentiality will be breached. The social worker should use language the client can understand. So, the social worker can say that he or she will keep information “private” or “between the two of us.” But it is very important that the social worker make it clear that there may be times when the “private” information will be shared with others. Basic language can be used, such as, “I will have to share this private information if I think that you are going to hurt yourself, or hurt someone else, or if I think someone may be hurting you or someone else.” As with other forms of communication with clients, it is important to ensure that the client understands what you outline through informed consent. With child clients, or clients with impaired cognitive ability, you can start by asking them if they understand, but it is best to follow up. You can ask a question like, “If a boy told me that his mother was hurting him, would I keep that private?” And then explain who you would report to and why, highlighting that child protective services would then help protect that person from being hurt again. 
It is possible that by explaining to your client the limits of confidentiality, the client may choose not to disclose information that would warrant you to make a report to child protective services. It is important to remember that it is the client’s right to choose what information to share with you. That is part of the client’s right to “self-determination” (NASW Code, Standard 1.02). Informed consent is most often thought of in the context of the contracting stage with a client, which comes at the beginning of the professional relationship. To be effective, informed consent should be seen as an ongoing process. Informed consent can be integrated into each session with a client, or at regular/periodic intervals throughout a professional relationship. As the goals of the relationship change, informed consent should be revisited.



Protecting Your Clients Even When Breaking Confidentiality

Whereas it is clear that professional standards of conduct accept and expect a social worker to break client confidentiality to report suspicions of child maltreatment, the Code also highlights the social worker’s responsibility to minimize harm to a client from this kind of disclosure. Social workers are expected to provide the least amount of confidential client information necessary. Even while making a report to child protective services, you should try to protect your client as much as possible. If you make a report to child protective services about a client, you do not provide a complete bio-psycho-social assessment of your client. Instead, you provide the information necessary for fulfilling your legal obligation to report, as well as your ethical obligation to the larger society, while protecting as much of your client’s privacy as you can.

The responsibility to keep client confidentiality while simultaneously adhering to the legal responsibility of social workers to protect children from maltreatment is an obvious conflict. However, a firm grounding of the professional relationship through thoughtful informed consent and attention to the responsibilities of the social worker to minimize harm to the client even after client confidentiality is breached show how such conflict can be effectively eased.



Collaborative Partnerships

Communities all around the country are creating innovative partnerships to assist victims of domestic violence, dating violence, sexual assault, and stalking. These innovative partnerships are collaborations among various groups that address systems concerns and individual cases. Some of these innovative partnerships may include agencies or personnel sharing space (colocation) and technology resources, aggregate data collection of client information, case management meetings across agencies, client referrals, and periodic or occasional interactions among staff from different agencies that want to coordinate services.

Structuring or coordinating your innovative partnership has legal and ethical implications, including discussing appropriate approaches for partner agencies to protect or share individual client information. Agencies and professionals who collaborate in an innovative partnership, whether those partners are located in the same physical space or not, should recognize that the goal of the collaboration is to provide access to domestic violence and sexual assault victim services that enhance victim safety and privacy. Victim safety and privacy can be compromised by the failure to maintain the confidentiality of client information. Conversely, information sharing, when authorized by a victim, may increase the effectiveness of service delivery and increase victim safety and offender accountability. Collaborating entities should affirm that confidentiality and privacy protections are critical to serving victims/clients who use any of their services and should agree that they will not share information without the client’s authorization or notice to the client (as appropriate, based on agency role and legal mandate).



The collaboration partners should recognize that victims/clients retain the right to choose what personal information to share with the collaboration and its individual partner agencies, including the choice of who within the collaboration (what partners) may have access to the information, at all stages. The collaborating partners should recognize that the collaboration itself, and the various partners who are collaborating through the partnership, may each have different obligations concerning confidentiality and information sharing. While agencies may have differing obligations, each agency’s individual, professional confidentiality obligations must be honored within the entire collaboration. It should be the policy of the collaboration and its partners to hold confidential (to the extent required under state and federal law and agencies’ policies) all communications, observations, and information made by or about victims/clients. If information-sharing is required between certain partners (e.g., between law enforcement and prosecutors), a victim/client will be notified of this BEFORE she/he signs a release for information to be released to those partners.

Vigilance

The partnership collaboration or the existence of any confidentiality agreement or memorandum of understanding (MOU) between or among partners does not limit or eliminate confidentiality protections for victims/clients. Indeed, it requires constant vigilance in order to ensure that confidentiality of victim/client information is protected.

Confidentiality Walls

“Confidentiality walls” are needed to protect confidential information and to preserve the integrity of the collaboration. Such “walls” may be needed within the collaboration to help establish boundaries and keep confidential information from being shared. Partners may have information sharing prohibitions (e.g., law enforcement may not be able to share information gained from criminal background checks).

Adherence to Policy

Staff, volunteers, counselors, advocates, board members, student interns, consultants, independent contractors, and other community partners of the collaboration should understand that their continued employment or volunteer position is contingent on adherence to all privacy, information sharing, and confidentiality policies.

Confidentiality Commitment

All staff, volunteers, counselors, advocates, board members, student interns, consultants, independent contractors, and community partners must sign a written agreement to comply with all privacy, information sharing, and confidentiality policies. This agreement should be placed in the personnel files of the staff and in the individual files of volunteers, counselors, advocates, board members, student interns, consultants, independent contractors, and other community partners.

Notice of Victim/Client Rights

All victims/clients must be provided information about the agency and the collaboration’s confidentiality policy and practices, and their rights under such policies.

Duration of Confidentiality

The obligation to maintain confidentiality does not end when the service to a victim/client is concluded; nor does confidentiality end on the death of the client in many jurisdictions. Confidentiality extends to all current and former victims/clients who seek services. A release should be reasonably time-limited as determined by the purpose of the release and the circumstances of the survivor’s situation. In general, there is no reason a release should be more than 15-30 days, since the release can be reaffirmed and extended if the survivor authorizes it.

Law

The collaboration and each partner should follow all relevant laws and policies related to confidentiality, information sharing, and privacy of victim/client information. In the event that there is confusion about whether victim/client information should be protected from disclosure, the collaboration should err on the side of protecting the information.

Technology

Technology can both enhance and infringe on protecting confidential client information. The risks and benefits that come from using technology to store, record, or transmit client information while providing advocacy services or counseling should be shared with the client. The client should make the decision of whether to use a specific technology to share his/her information or how a particular technology is used, based on his/her particular circumstances.



Types of Innovative Partnerships

Common types of innovative partnerships include co-located services, community collaboration, and other coordinated efforts. Each of these innovative partnerships shares common elements, but they also face different challenges and require unique, thoughtful, and specific policies to address those challenges. In addition, each agency within the collaboration should have its own internal confidentiality policies, regardless of the type of collaboration model and regardless of who the collaboration partners are in the innovative partnership.

Suggested confidentiality and privacy policies for co-located services include:

• Client Notice of Rights Form
• Client Limited Release of Information Form
• Policy on Confidentiality and Privacy for Co-Located Services
• Policy on Securing Paper and Electronic Information
• Policy on Sharing Physical Space
• MOU Partnership Agreement for Community Collaborations

Suggested confidentiality and privacy policies for community collaborations include:

• Client Notice of Rights Form
• Client Limited Release of Information Form
• Policy on Confidentiality and Privacy for Community Collaborations
• Policy on Securing Paper and Electronic Information
• MOU Partnership Agreement for Community Collaborations

Suggested confidentiality and privacy policies for coordinated efforts include:

• Client Notice of Rights Form
• Client Limited Release of Information Form
• MOU Partnership Agreement for Community Collaborations

Training on confidentiality should cover, among other things:

• Applicable laws and exceptions.
• Technology use and risks, including using online technology (instant messaging, web interface, e-mail), phones and cell phones, and safe computer use.
• Waivers, including inadvertent waivers of confidentiality.
• Creating effective confidentiality policies.
• Services to special needs populations.
• Confidentiality and information sharing obligations of each partner agency.



Community Stakeholders

Stakeholder engagement is the process by which an organization involves people who may be affected by the decisions it makes or can influence the implementation of its decisions. They may support or oppose the decisions, be influential in the organization or within the community in which it operates, hold relevant official positions or be affected in the long term.

Stakeholder engagement is a key part of corporate social responsibility (CSR) and achieving the triple bottom line. Organizations engage their stakeholders in dialogue to find out what social and environmental issues matter most to them about their performance in order to improve decision-making and accountability. Engaging stakeholders is a requirement of the Global Reporting Initiative, a network-based organization with a sustainability reporting framework that is widely used around the world. The International Organization for Standardization (ISO) requires stakeholder engagement for all their new standards.

Involving stakeholders in decision-making processes is not confined to corporate social responsibility (CSR) processes. It is a tool used by mature private and public sector organizations, especially when they want to develop understanding and agree to solutions on complex issues or issues of concern.

An underlying principle of stakeholder engagement is that stakeholders have the chance to influence the decision-making process. This differentiates stakeholder engagement from communications processes that seek to issue a message or influence groups to agree with a decision that is already made. The Environment Council developed the Principles of Authentic Engagement. These are intended to provide a framework for genuine stakeholder engagement.

Jeffrey (2009) in "Stakeholder Engagement: A Road map to meaningful engagement" describes seven core values for the practices of gaining meaningful participation, of which perhaps the three most critical are:

• Stakeholders should have a say in decisions about actions that could affect their lives or essential environment for life.
• Stakeholder participation includes the promise that stakeholders' contribution will influence the decision.
• Stakeholder participation seeks input from participants in designing how they participate.

The practitioners in stakeholder engagement are often businesses, non-governmental organizations (NGOs), labor organizations, trade and industry organizations, governments, and financial institutions.



Components

Partnerships, in the context of corporate social responsibility interactions, are people and organizations from some combination of public, business and civil constituencies who engage in common societal aims through combining their resources and competencies, sharing both risks and benefits.

Agreeing on the rules of engagement is integral to the process. It is important for everyone to understand each party's role. Buy-in is essential for success in stakeholder engagement. Every party must have a stake in the process, and participating members must have decision-making power. Every party must be committed to the process by ensuring action based on the decisions made through the engagement. No decisions should be already made before commencing stakeholder engagement on the issue. It is integral that the dialogue has legitimacy in influencing the decision.

______

In some cases, access to a client's data, as provided by the institution in question, may be limited to law enforcement agencies and require a legal procedure prior to such action (e.g., court order, etc.). This applies to bank account information or medical records. In some cases the data is by definition inaccessible to third parties and should never be revealed; this can include confidential information gathered by attorneys, psychiatrists, psychologists, or priests.

One well known result that can seem hard to reconcile is that of a priest hearing a murder confession, but being unable to reveal details to the authorities. However, had it not been for the assumed confidentiality, it is unlikely that the information would have been shared in the first place, and to breach this trust would then discourage others from confiding in priests in the future. So, even if justice was served in that particular case (assuming the confession led to a correct conviction), it would result in fewer people taking part in what is generally considered a beneficial process. This could also be said of a patient sharing information with a psychiatrist, or a client seeking legal advice from a lawyer as well.



HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It has been known as the Kennedy–Kassebaum Act or Kassebaum-Kennedy Act after two of its leading sponsors. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

Title I: Health Care Access, Portability, and Renewability

Title I of HIPAA regulates the availability and breadth of group health plans and certain individual health insurance policies. It amended the Employee Retirement Income Security Act, the Public Health Service Act, and the Internal Revenue Code....

Title I requires the coverage of and also limits restrictions that a group health plan can place on benefits for preexisting conditions. Group health plans may refuse to provide benefits relating to preexisting conditions for a period of 12 months after enrollment in the plan or 18 months in the case of late enrollment. Title I allows individuals to reduce the exclusion period by the amount of time that they had "creditable coverage" prior to enrolling in the plan and after any "significant breaks" in coverage. "Creditable coverage" is defined quite broadly and includes nearly all group and individual health plans, Medicare, and Medicaid. A "significant break" in coverage is defined as any 63-day period without any creditable coverage.

Title I also requires insurers to issue policies without exclusion to those leaving group health plans with creditable coverage (see above) exceeding 18 months, and renew individual policies for as long as they are offered or provide alternatives to discontinued plans for as long as the insurer stays in the market without exclusion regardless of health condition.

Some health care plans are exempted from Title I requirements, such as long-term health plans and limited-scope plans such as dental or vision plans that are offered separately from the general health plan. However, if such benefits are part of the general health plan, then HIPAA still applies to such benefits. For example, if the new plan offers dental benefits, then it must count creditable continuous coverage under the old health plan towards any of its exclusion periods for dental benefits.

An alternate method of calculating creditable continuous coverage is available to the health plan under Title I. That is, 5 categories of health coverage can be considered separately, including dental and vision coverage. Anything not under those 5 categories must use the general calculation (e.g., the beneficiary may be counted with 18 months of general coverage, but only 6 months of dental coverage, because the beneficiary did not have a general health plan that covered dental until 6 months prior to the application date). Since limited-coverage plans are exempt from HIPAA requirements, the odd case exists in which the applicant to a general group health plan cannot obtain certificates of creditable continuous coverage for independent limited-scope plans such as dental to apply towards exclusion periods of the new plan that does include those coverages.

Hidden exclusion periods are not valid under Title I (e.g., "The accident, to be covered, must have occurred while the beneficiary was covered under this exact same health insurance contract"). Such clauses must not be acted upon by the health plan and also must be re-written so that they comply with HIPAA.

To illustrate, suppose someone enrolls in a group health plan on January 1, 2006. This person had previously been insured from January 1, 2004 until February 1, 2005 and from August 1, 2005 until December 31, 2005. To determine how much coverage can be credited against the exclusion period in the new plan, start at the enrollment date and count backwards until a significant break in coverage is reached. So, the five months of coverage between August 1, 2005 and December 31, 2005 clearly counts against the exclusion period. But the period without insurance between February 1, 2005 and August 1, 2005 is greater than 63 days. Thus, this is a significant break in coverage, and any coverage prior to it cannot be deducted from the exclusion period. So, this person could deduct five months from his exclusion period, reducing the exclusion period to seven months. Hence, Title I requires that any preexisting condition begin to be covered on August 1, 2006.



Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information as well as outlining numerous offenses relating to health care and sets civil and criminal penalties for violations. It also creates several programs to control fraud and abuse within the health care system. However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information.

These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA.

Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.

Privacy Rule

The effective compliance date of the Privacy Rule was April 14, 2003, with a one-year extension for certain "small plans". The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions.) By regulation, the Department of Health and Human Services extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of "business associates". PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of an individual's medical record or payment history.

Covered entities must disclose PHI to the individual within 30 days upon request. They also must disclose PHI when required to do so by law such as reporting suspected child abuse to state child welfare agencies. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; or to identify or locate a suspect, fugitive, material witness, or missing person.

A covered entity may disclose PHI (Protected Health Information) to facilitate treatment, payment, or health care operations without a patient's express written authorization. Any other disclosures of PHI (Protected Health Information) require the covered entity to obtain written authorization from the individual for the disclosure. However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.

The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI. It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals. For example, an individual can ask to be called at his or her work number instead of home or cell phone numbers.

The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures. They must appoint a Privacy Official and a contact person responsible for receiving complaints and train all members of their workforce in procedures regarding PHI.

An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR). However, according to the Wall Street Journal, the OCR has a long backlog and ignores most complaints. "Complaints of privacy violations have been piling up at the Department of Health and Human Services. Between April of 2003 and November 2006, the agency fielded 23,886 complaints related to medical-privacy rules, but it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations. A spokesman for the agency says it has closed three-quarters of the complaints, typically because it found no violation or after it provided informal guidance to the parties involved." However, in July 2011, UCLA agreed to pay $865,500 in a settlement regarding potential HIPAA violations. An HHS Office for Civil Rights investigation showed that from 2005 to 2008 unauthorized employees repeatedly and without legitimate cause looked at the electronic protected health information of numerous UCLAHS patients.

Security Rule The Final Rule on Security Standards was issued on February 20, 2003. It took effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 Page 37 of 70


for "small plans". The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications. Some privacy advocates have argued that this "flexibility" may provide too much latitude to covered entities. The standards and specifications are as follows: 

Administrative Safeguards – policies and procedures designed to clearly show how the entity will comply with the act
o Covered entities (entities that must comply with HIPAA requirements) must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.
o The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls.
o Procedures should clearly identify employees or classes of employees who will have access to electronic protected health information (EPHI). Access to EPHI must be restricted to only those employees who have a need for it to complete their job function.
o The procedures must address access authorization, establishment, modification, and termination.
o Entities must show that an appropriate ongoing training program regarding the handling of PHI is provided to employees performing health plan administrative functions.
o Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.
o A contingency plan should be in place for responding to emergencies. Covered entities are responsible for backing up their data and having disaster recovery procedures in place. The plan should document data priority and failure analysis, testing activities, and change control procedures.
o Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. Policies and procedures should specifically document the scope, frequency, and procedures of audits. Audits should be both routine and event-based.
o Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.



Physical Safeguards – controlling physical access to protect against inappropriate access to protected data
o Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)
o Access to equipment containing health information should be carefully controlled and monitored.
o Access to hardware and software must be limited to properly authorized individuals.
o Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
o Policies are required to address proper workstation use. Workstations should be removed from high traffic areas and monitor screens should not be in direct view of the public.
o If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities.

Technical Safeguards – controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
o Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
o Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
o Data corroboration, including the use of checksum, double-keying, message authentication, and digital signature may be used to ensure data integrity.
o Covered entities must also authenticate entities with which they communicate. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two or three-way handshakes, telephone callback, and token systems.
o Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.
o In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.
o Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)



Unique Identifiers Rule (National Provider Identifier)

HIPAA covered entities such as providers completing electronic transactions, healthcare clearinghouses, and large health plans, must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions by May 23, 2007. Small health plans must use only the NPI by May 23, 2008. Effective from May 2006 (May 2007 for small health plans), all covered entities using electronic communications (e.g., physicians, hospitals, health insurance companies, and so forth) must use a single new NPI. The NPI replaces all other identifiers used by health plans, Medicare, Medicaid, and other government programs. However, the NPI does not replace a provider's DEA number, state license number, or tax identification number. The NPI is 10 digits (may be alphanumeric), with the last digit being a checksum. The NPI cannot contain any embedded intelligence; in other words, the NPI is simply a number that does not itself have any additional meaning. The NPI is unique and national, never re-used, and except for institutions, a provider usually can have only one. An institution may obtain multiple NPIs for different "subparts" such as a free-standing cancer center or rehab facility.

Enforcement Rule

On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006. The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations. For many years there were few prosecutions for violations. This may have changed with the $50,000 fine imposed on the Hospice of North Idaho (HONI), the first entity to be fined for a potential HIPAA Security Rule breach affecting fewer than 500 people. Rachel Seeger, a spokeswoman for HHS, stated, “HONI did not conduct an accurate and thorough risk analysis to the confidentiality of ePHI as part of its security management process from 2005 through Jan. 17, 2012.” This investigation was initiated with the theft from an employee's vehicle of an unencrypted laptop containing 441 patient records.

As of March 2013, the U.S. Dept. of Health and Human Resources (HHS) has investigated over 19,306 cases that have been resolved by requiring changes in privacy practice or by corrective action. If noncompliance is determined by HHS, entities must apply corrective measures. Complaints have been investigated against many different types of businesses such as national pharmacy chains, major health care centers, insurance groups, hospital chains and other small providers. There were 9,146 cases where the HHS investigation found that HIPAA was followed correctly. There were 44,118 cases in which HHS did not find eligible cause for enforcement; for example, a violation that started before HIPAA started; cases withdrawn by the pursuer; or an activity that does not actually violate the Rules. According to the HHS website (www.hhs.gov), the following lists the issues that have been reported according to frequency:

1. Misuse and disclosures of PHI
2. No protection in place of health information
3. Patient unable to access their health information
4. Using or disclosing more than the minimum necessary protected health information
5. No safeguards of electronic protected health information. (www.hhs.gov/enforcement, 2013)

The most common entities found to be required to take corrective action in order to be in voluntary compliance according to HHS are listed by frequency:

1. Private Practices
2. Hospitals
3. Outpatient Facilities
4. Group plans such as insurance groups
5. Pharmacies (hhs.gov/enforcement, 2013)

HIPAA and Drug & Alcohol Rehabilitation Organizations

Special considerations for confidentiality are needed for health care organizations that offer federally funded drug or alcohol rehabilitation services. Predating HIPAA by over a quarter century are the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act of 1970 and language amended by the Drug Abuse Office and Treatment Act of 1972.

Violations of HIPAA

According to the US Department of Health and Human Services Office for Civil Rights, between April 2003 and January 2013 it received 91,000 complaints of HIPAA violations, of which 22,000 led to enforcement actions of varying kinds (from settlements to fines) and 521 led to referrals to the US Dept of Justice (criminal actions). Examples of significant breaches of protected information and other HIPAA violations include:

o the largest loss of data that affected 4.9 million people by Tricare Management of Virginia in 2011
o the largest fines of $4.3 million levied against Cignet Health of Maryland in 2010 for ignoring patients' requests to obtain copies of their own records and repeated ignoring of federal officials' inquiries
o the first criminal indictment was lodged in 2011 against a Virginia physician who shared information with a patient's employer "under the false pretenses that the patient was a serious and imminent threat to the safety of the public, when in fact he knew that the patient was not such a threat."



The differences between civil and criminal penalties are summarized in the following table:

Type of Violation: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
CIVIL Penalty (min): $100 per violation, with an annual maximum of $25,000 for repeat violations
CIVIL Penalty (max): $50,000 per violation, with an annual maximum of $1.5 million

Type of Violation: HIPAA violation due to reasonable cause and not due to willful neglect
CIVIL Penalty (min): $1,000 per violation, with an annual maximum of $100,000 for repeat violations
CIVIL Penalty (max): $50,000 per violation, with an annual maximum of $1.5 million

Type of Violation: HIPAA violation due to willful neglect but violation is corrected within the required time period
CIVIL Penalty (min): $10,000 per violation, with an annual maximum of $250,000 for repeat violations
CIVIL Penalty (max): $50,000 per violation, with an annual maximum of $1.5 million

Type of Violation: HIPAA violation is due to willful neglect and is not corrected
CIVIL Penalty (min): $50,000 per violation, with an annual maximum of $1,000,000
CIVIL Penalty (max): $50,000 per violation, with an annual maximum of $1.5 million

Type of Violation: Covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information
CRIMINAL Penalty: A fine of up to $50,000; imprisonment up to 1 year

Type of Violation: Offenses committed under false pretenses
CRIMINAL Penalty: A fine of up to $100,000; imprisonment up to 5 years

Type of Violation: Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm
CRIMINAL Penalty: A fine of up to $250,000; imprisonment up to 10 years

Other short titles: Kassebaum-Kennedy Act, Kennedy-Kassebaum Act

Long title: An Act To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

Acronyms (colloquial): HIPAA (pronounced HIP-pah)

Enacted by: the 104th United States Congress

Citations
Public Law: Pub.L. 104–191
Statutes at Large: 110 Stat. 1936

Legislative history
o Introduced in the House as H.R. 3103 by Bill Archer (R-TX) on March 18, 1996
o Committee consideration by House Ways and Means
o Passed the House on March 28, 1996 (267–151)
o Passed the Senate on April 23, 1996 (100-0, in lieu of S. 1028)
o Reported by the joint conference committee on July 31, 1996; agreed to by the House on August 1, 1996 (421–2) and by the Senate on August 2, 1996 (98–0)
o Signed into law by President Bill Clinton on August 21, 1996



Referrals

Clients referred by courts and allied agencies present therapists with problems of confidentiality, allegiance, and client deception. These problems may be alleviated by informing clients of limits on confidentiality and by client participation in defining the relationship between therapist and referral institution. Establishment of a treatment-information dichotomy is seen as a means of resolving the therapeutic dilemma.

Respecting clients' privacy and confidentiality are fundamental requirements for keeping trust and respecting client autonomy. The professional management of confidentiality concerns the protection of personally identifiable and sensitive information from unauthorized disclosure. Disclosure may be authorized by client consent or the law. Any disclosures of client confidences should be undertaken in ways that best protect the client's trust and respect client autonomy.

Communications made on the basis of client consent do not constitute a breach of confidentiality. Client consent is the ethically preferred way of resolving any dilemmas over confidentiality. Exceptional circumstances may prevent the practitioner from seeking client consent to a breach of confidence due to the urgency and seriousness of the situation, for example, preventing the client causing serious harm to self or others. In such circumstances the practitioner has an ethical responsibility to act in ways which balance the client's right to confidentiality against the need to communicate with others. Practitioners should expect to be ethically accountable for any breach of confidentiality.

Confidential information about clients may be shared within teams where the client has consented or knowingly accepted a service on this basis; the information can be adequately protected from unauthorized further disclosures; and the disclosure enhances the quality of service available to clients or improves service delivery.

Practitioners should be willing to be accountable to their clients and to their profession for their management of confidentiality in general and particularly for any disclosures made without their client's consent. Good records of existing policy and practice and of situations where the practitioner has breached confidentiality without client consent, greatly assist ethical accountability. In some situations the law forbids the practitioner informing the client that confidential information has been passed to the authorities, nonetheless the practitioner remains ethically accountable to colleagues and the profession.



Limits on Confidentiality

Confidentiality is an ethical concern. The fundamental intent is to protect a client's right to privacy by ensuring that matters disclosed to a professional not be relayed to others without the informed consent of the client. In discussing confidentiality, therapists also hope to encourage communication. Neither privacy nor confidentiality, however, are absolute rights, especially in the case of minors. There are fundamental exceptions, some involving ethical considerations and some involving legalities.

Privileged communication is a legal concept. It addresses legal rights protecting clients from having their disclosures to certain professionals revealed during legal proceedings without their informed consent. For example, 20 states fully or partly protect communications between school counselors and their pupil clients (Sheeley & Herlihy, 1987). Legal determinations regarding who is the client (e.g., whether minors or their parents hold the "privilege") and limitations on clients' rights to privileged communication are the bases for legal exceptions to maintaining confidentiality.

There are times when professionals would prefer to maintain confidences but cannot do so legally or ethically.1 Examples include instances when clients indicate an intention to harm themselves or someone else and when they have been abused. As a result of legislation, litigation, and ethical deliberations, professional guidelines call on interveners to breach the confidence and tell appropriate public authorities when there is a "clear danger to the person or to others" (American Psychological Association, 1981, p.636).

In this vein, but perhaps going a step further, the ethical guidelines for school counselors call for reporting instances when information provided by clients indicates circumstances likely to have a negative effect on others; that is, without revealing the identity of the client, the counselor is expected to report such circumstances "to the appropriate responsible authority" (American Association for Counseling and Development, 1981, p. 4). However, it is left to individual counselors to decide which circumstances are "likely" and what constitutes a "negative effect" that is serious enough to require reporting.

In order to adequately inform minors of exceptions to the promise of privacy, therapists must add a statement about exceptions, such as this:

Although most of what we talk about is private, there are three kinds of problems you might tell me about that we would have to talk about with other people. If I find out that someone has been seriously hurting or abusing you, I would have to tell the police about it. If you tell me you have made a plan to seriously hurt yourself, I would have to let your parents know. If you tell me you have made a plan to seriously hurt someone else, I would have to warn that person. I would not be able to keep these problems just between you and me because the law says I can’t. Do you understand that it’s OK to talk about most things here but that these are three things we must talk about with other people?

1 * Excerpts from Taylor, L. & Adelman, H. (1989). Reframing the confidentiality dilemma to work in children’s best interests. Professional Psychology: Research and Practice, 20, 79-83

Because youngsters may feel a bit overwhelmed about the exceptions to privacy and the serious problems described, they may simply nod their acquiescence or indicate that they are unsure about how to respond. To soften the impact, therapists may add statements, such as this:

Fortunately, most of what we talk over is private. If you want to talk about any of the three problems that must be shared with others, we’ll also talk about the best way for us to talk about the problem with others. I want to be sure I’m doing the best I can to help you.

States vary in the degree to which their laws specify limitations on privileged communication between counseling professionals and minor clients. Some protect only disclosures about problems related to alcohol and other drugs. Others give broad protection, specifying a few exceptions such as reporting child abuse and crime or potential criminal activity. As far as professional psychology is concerned, however, the bottom line is that "a gradual and continuous weakening has occurred in the confidentiality privilege" (Everstine et al., 1980, p.836).

Undoubtedly, breaking confidentiality in any case can interfere with the trust between client and professional and make it difficult to help the client. Prevailing standards, however, stress that this concern is outweighed by the responsibility of the intervener to prevent various threats. In particular, matters such as suicide and assault on others (including physical and sexual abuse), which initially were defined as legal exceptions to privileged communications, have become established limits on confidentiality. As a result, the ethical task of informing prospective clients about all the exceptions and limits related to confidentiality has made the processes of ensuring privacy and building trust almost paradoxical.

Existing limits on confidentiality clearly reflect circumstances in which the society sees its interests as paramount and requires counselors to disclose what they learn even though the interveners believe it may hinder their efforts to help the client. The issues related to such limits are complex, controversial, and beyond the scope of this article. For our purposes, we can simply acknowledge that society always is likely to impose some limitations on privileged communication and that counselors always will find such limits troublesome.

Confidentiality as a Limitation on Helping

Concerns about protecting a client's right to privacy and exceptions to this right have been discussed thoroughly in the literature. Less attention has been paid to the fact that there are times when keeping information confidential can seriously hamper an intervener’s efforts to help a client. The complexity of the ethical issues need not concern us here. We can simply take it as axiomatic that there will be times when interveners find it in the best interest of a minor client for others to know something that he or she has disclosed.

In its ethical guidelines on confidentiality, the American Psychological Association recognizes that there are instances when information obtained in clinical or counseling relationships should be shared with others. In doing so, the guidelines stress that such sharing should occur "only with persons clearly concerned with the case" (APA, 1981, p. 636). Given that teachers and parents are clearly connected and see themselves as also working in a minor's best interests, some interveners feel it appropriate - even essential - to discuss information with them. In other words, there are times when an intervener sees keeping a specific confidence shared by a minor client as working against the youngster’s best interests and will evaluate the costs of not communicating the information to others as outweighing the potential benefits of maintaining the minor’s privacy.






Attachment A Sample Confidentiality Agreement



Sample Confidentiality Agreements for Information about Clients NOTE: These samples are provided for educational purposes only and should not be considered legal or other professional advice. The National Council of Nonprofits encourages nonprofits to seek the advice of competent professional advisors prior to adopting this, or any template document. SAMPLE #1 Confidentiality Policy for Employees, Volunteers and Board Members Respecting the privacy of our clients, donors, members, staff, volunteers and of the [Name of Nonprofit] itself is a basic value of [Name of Nonprofit]. Personal and financial information is confidential and should not be disclosed or discussed with anyone without permission or authorization from the [executive director]. Care shall also be taken to ensure that unauthorized individuals do not overhear any discussion of confidential information and that documents containing confidential information are not left in the open or inadvertently shared. Employees, volunteers and board members of [Name of Nonprofit] may be exposed to information which is confidential and/or privileged and proprietary in nature. It is the policy of [Name of Nonprofit] that such information must be kept confidential both during and after employment or volunteer service. Staff and volunteers, including board members, are expected to return materials containing privileged or confidential information at the time of separation from employment or expiration of service. Unauthorized disclosure of confidential or privileged information is a serious violation of this policy and will subject the person(s) who made the unauthorized disclosure to appropriate discipline, including removal/dismissal. SAMPLE #2 Confidentiality Policy All information concerning clients, former clients, our staff, volunteers, and financial data, and business records of [Name of Nonprofit] is confidential. 
“Confidential” means that you are free to talk about [Name of Nonprofit] and about your program and your position, but you are not permitted to disclose clients’ names or talk about them in ways that will make their identity known. No information may be released without appropriate authorization. This is a basic component of client care and business ethics. The board of directors, staff and our clients rely on paid and volunteer staff to conform to this rule of confidentiality. [Name of Nonprofit] expects you to respect the privacy of clients and to maintain their personal and financial information as confidential. All records dealing with specific clients must be treated as confidential. General information, policy statements or statistical material that is not identified with any individual or family is not classified as confidential. Staff members are responsible for maintaining the confidentiality of information relating to other staff members and volunteers, in addition to clients.

Failure to maintain confidentiality may result in termination of your employment, or other corrective action. This policy is intended to protect you as well as [Name of Nonprofit] because in extreme cases, violations of this policy also may result in personal liability.

Rationale

Confidentiality is the preservation of privileged information. By necessity personal and private information is disclosed in a professional working relationship. Part of what you learn is necessary to provide services to the applicant or client; other information is shared within the development of a helping, trusting relationship. Therefore, most information gained about individual clients through an assignment is confidential in terms of the law, and disclosure could make you legally liable. Disclosure could also damage your relationship with the client and make it difficult to help the person. Before you begin your assignment as a staff member/volunteer, you should be aware of the laws and penalties for breaching confidentiality. Although the agency is liable for your acts within the scope of your duty, giving information to an unauthorized person could result in the agency's refusal to support you in the event of legal action. Violation of the state statutes regarding confidentiality of records is punishable upon conviction by fines or by imprisonment or by both.

Certification

I have read [Name of Nonprofit]’s policy on confidentiality and the Statement of Confidentiality presented above. I agree to abide by the requirements of the policy and inform my supervisor immediately if I believe any violation (unintentional or otherwise) of the policy has occurred. I understand that violation of this policy will lead to disciplinary action, up to and including termination of my service with [Name of Nonprofit].

Signature __________________________ Name ______________________ Date __________

Copyright © National Council of Nonprofits

SAMPLE #3 ACKNOWLEDGEMENT OF CONFIDENTIALITY OF CLIENT INFORMATION

I agree to treat as confidential all information about clients or former clients and their families that I learn during the performance of my duties as _______________________ (position title), and I understand that it would be a violation of policy to disclose such information to anyone without checking first with my supervisor.

Signature of Staff Member/Volunteer ___________________________________________ Date ___________________ Name ____________________________________________


SAMPLE #4 Confidentiality Policy

It is the policy of [Name of Nonprofit] that board members and employees of [Name of Nonprofit] will not disclose confidential information belonging to, or obtained through their affiliation with [Name of Nonprofit] to any person, including their relatives, friends, and business and professional associates, unless [Name of Nonprofit] has authorized disclosure. This policy is not intended to prevent disclosure where disclosure is required by law.

Board members, volunteers and employees are cautioned to demonstrate professionalism, good judgment, and care to avoid unauthorized or inadvertent disclosures of confidential information and should, for example, refrain from leaving confidential information contained in documents or on computer screens in plain view.

Upon separation of employment and at the end of a board member’s term, he or she shall return all documents, papers, and other materials that may contain confidential information.

Failure to adhere to this policy will result in discipline, up to and including separation of employment or service with [Name of Nonprofit].


Attachment B Board of Directors Code of Ethics and Confidentiality Policy



Board of Directors Code of Ethics and Confidentiality Policy

Code of Ethics and Confidentiality: In order to encourage and foster open and candid discussion at its meetings, the Board of Directors of the US Composting Council believes confidentiality must be maintained. Therefore, it is the policy of the Board of Directors of USCC that each director and staff member shall keep confidential any and all information relating to discussions at its meetings unless compelled by legal process to disclose such information, or as otherwise agreed by the Board. While Board members are free to discuss the result of Board action items, disclosing any information concerning the discussion of such items during the Board meeting is prohibited. Board members acknowledge that any violation of this policy could cause harm to USCC and frustrate Board deliberations. Therefore, any Board member who violates this policy shall be subject to termination of his/her Board position.

In order to ensure compliance with applicable laws and to protect USCC, its members, officers, directors, staff, and committee members from potential legal problems regarding conflicts of interest and violation of fiduciary obligations, USCC endorses and adopts the following statement of policy:

I. Duty of Loyalty

Among the fiduciary obligations of an officer, director, staff member, or committee member of a non-profit corporation is a duty of loyalty to the non-profit corporation. This includes supporting, and not opposing directly or indirectly or taking any other stance against, the policies and positions duly adopted by USCC's Board of Directors. As representatives of USCC, officers, directors, staff, and committee members are obligated to maintain this duty of loyalty in all manner of activities during their terms of office. This duty of loyalty is not intended to, nor should it, discourage debate within Board or committee meetings. Such debate is encouraged and is part of the individual's responsibility in the deliberation process.

II. Confidentiality of Board Discussions and Board Documents

In order to encourage and foster open and candid discussion at its meetings, the Board of Directors of USCC believes confidentiality must be maintained. Therefore, it is the policy of the Board of Directors of the USCC that each director and staff member shall keep confidential any and all information relating to discussions at its meetings, including any and all materials, e.g., correspondence, reports, etc., unless compelled by legal process to disclose such information, or as otherwise agreed by the Board. While Board and staff members are free to discuss actions adopted by the Board, disclosing or distributing any information concerning the discussion of such items during the Board meeting is prohibited.

III. Conflicts of Interest

Another fiduciary obligation of a non-profit corporation officer, director, staff, and committee member is to avoid "conflicts of interest". A "conflict of interest" is generally defined as a transaction in which, because the individual is, either directly or indirectly, a party to the transaction or possible beneficiary of the transaction, there is or may be a conflict between the individual's fiduciary obligations to the non-profit corporation and the individual's personal or business interests. To avoid potential conflict of interest problems, USCC implements the following procedures:


1. In any transaction involving USCC and a USCC officer, director, staff, or committee member, and any corporation, partnership or other entity in which an individual is an officer, director, staff, or committee member has or expects or intends to have a financial or other beneficial interest, such individual, prior to any discussion or decision concerning the transaction, shall fully disclose to the USCC Board or the appropriate committee considering the transaction the material facts of the transaction and the individual's interest or relationship.
2. Upon such disclosure, the individual shall take no further part in the meeting during which time the proposal is considered and voted upon.
3. After receiving such disclosure, prior to approving the transaction, the board or committee must conclude that the transaction is “fair to USCC” and must approve the transaction without the participation or the vote of the interested individual.
4. The interested individual's presence at the meeting may be counted in determining whether a quorum of the Board or committee is present, but that individual shall not vote on the transaction.

IV. Fiduciary Obligations as to USCC Opportunities

Another fiduciary obligation prohibits an officer or director of a non-profit corporation from seizing a "corporate opportunity" for his or her company's benefit or his or her personal benefit. This means that such an individual may not take advantage of a business opportunity in which the officer or director knows USCC has a genuine interest and where such an Association opportunity would be consistent with USCC's purposes, mission and goals as a non-profit corporation. Further, if the officer or director becomes aware of such an opportunity, he or she is obliged to so inform USCC and allow USCC to act first.

V. Participation in Deliberations and Actions

In any case in which there is a question of loyalty, conflict of interest, or corporate opportunity raised, the officer or director shall not participate in the meeting for the entire time the matter is discussed and voted upon.

I have read and understand the above expectations for the position of Director for the US Composting Council and agree to abide by this Code of Ethics and duty of confidentiality.

__________________________________________ Signature

__________________ Date


Attachment C Understanding Best Practices in Client Confidentiality



Release of Information (ROI)

Release of Information (ROI) Guidelines

• A Release of Information form or ROI is the most common means of sharing information about a client between agencies and helping professionals.
• ROIs generally last only for a one year period. In some instances a client may choose to allow their information to be shared for a period of a lesser duration, such as three or six months. Once the specified time has elapsed the ROI is no longer valid and the agency or organization must have an updated signed and dated ROI form from the client in order to continue sharing the client’s info with other agencies.
• ROIs may only authorize an agency to share very specific information about the client and not every detail of their lives that they have shared with a professional. For example if a client signs an ROI allowing his case worker to talk with his pastor about his relationship with his kids, it would not be appropriate for the case worker to also share with the pastor that the client was thinking of attending a new church.
• Ask the following questions when deciding to share confidential information: "Why is it important that this information be shared?" "How will the client benefit by a decision to share or not share information?" "Does sharing the confidential information outweigh maintaining confidentiality?" "What will be the effect on the client’s life?"
• A client may revoke or terminate their consent for the sharing of information at any time.
• When the person is legally incompetent, because of age or disability for example, the parent or guardian may sign.
• Discuss limits of confidentiality with clients at the onset of services.

Required Contents of a Release Form (Excerpt from Soler and Peters, The School Services Sourcebook, 1993)

Any release of personal information should be in writing. It should contain the following:

• The name of the person who is the subject of information.
• The name of the person, program, or agency sharing the information.
• The name of the person, program, or agency with whom the information will be shared.
• The reasons for sharing the information.
• The kind of information that will be shared.
• The signature of the person who is the subject of the information.
• The date the release is signed.
• A statement that the release can be revoked any time by the subject of the information.
• An expiration date for the release or a specific event (such as the end of the school year) that will terminate the release.
• A notice stating that the subject of information has a right to receive a copy of the release.

Mandated Reporting

Most individuals in the helping professions, including but not limited to pastors, teachers, health care workers, and human services workers are mandated reporters of issues of abuse and neglect involving children, elderly persons, and disabled adults. If you feel that a client has disclosed information to you that may be considered an issue of abuse or neglect you have a moral and legal duty to report this. You do not need a Release of Information to report these issues and you will not be identified as the reporter. Reports of abuse and neglect can be made by calling the Weld County Department of Human Services screening number: 970-352-1551 x6211.

(Parts excerpt from: Confidentiality and School Social Work: A Practice Perspective, Practice update from the National Association of Social Workers)

If you feel that someone is in immediate danger take appropriate action and call 911 and report the incident to the police department.



Confidentiality Guidelines

Confidentiality

Basic principles: Confidentiality is based on four basic principles:

1. Respect for an individual’s right to privacy.
2. Respect for human relationships in which personal information is shared.
3. Appreciation of the importance of confidentiality to both individuals and society.
4. Expectations that those who pledge to safeguard confidential information will do so.

Why is Confidentiality Important?

When determining eligibility for certain services and providing needed and appropriate resources, human service agencies, non profit organizations, and health care providers often require that clients share very private information about themselves. Laws and statutes are in place to protect the privacy of these individuals and to ensure that this information is released only when necessary. Soler and Peters (1993) outline several reasons for protecting the privacy of clients:

Confidential information in its broadest form is any information given in confidence to a helping professional. Confidential information may include, but is not restricted to, disclosures of physical, mental or emotional abuse; family problems; substance abuse; criminal behavior; sexual activity; or suicidal thinking.



A helping professional respects the confidential nature of information concerning clients and may give the information only to authorized personnel or agencies directly concerned with the clients’ welfare. In most instances a Release of Information form signed by the client must accompany this request.





In certain instances the withholding of this information may pose a threat to that individual or another person’s welfare or wellbeing. In cases where the helping professional is a mandated reporter for these issues the need for protecting those individuals may supersede the clients’ right to privacy. Protocols and policies regarding sharing of information and forms utilized to do so may differ within each agency or organization.

(Parts excerpt from Understanding Confidentiality. - The Manitoba Teachers' Society)







"Confidentiality restrictions protect embarrassing personal information from disclosure. This information may include histories of emotional instability, marital conflicts, medical problems, physical or sexual abuse, alcoholism, drug use, limited education, or erratic employment. Confidentiality provisions also prevent the improper dissemination of information about children and families that might increase the likelihood of discrimination against them. Such information--about HIV status, mental health history, use of illegal drugs, or charges of child abuse--can be harmful if released. Harm can occur even if records show that the information is unproven or inaccurate. Protecting confidential information can be necessary to protect personal security. For example, in a domestic violence situation, an abused woman who leaves home may be in great danger if law enforcement personnel disclose her new location. Confidentiality provisions also protect family security. Many immigrant families, for example, shy away from using public health clinics or other social services for fear that the Immigration and Naturalization Service (INS) will take action against them. Restricting the information that human service agencies receive may also protect job security. Some information--such as a history of mental health treatment--may have no connection with a person's actual job performance but could jeopardize the individual's position, likelihood of promotion, or ability to find new positions.





Children and families also want to avoid prejudice or differential treatment by people such as teachers, school administrators, and service providers. Teachers may lower their expectations for the children they know are eligible for food stamps or free school lunches. This may set in motion a self-fulfilling prophecy in which lowered expectations lead to lowered performance. Confidentiality provisions also may be necessary to encourage individuals to make use of services designed to help them. Adolescents may avoid seeking mental health services at a school-based clinic, for example, if they believe that information will get back to their teachers, parents, or peers. The same holds for birth control or HIV-related medical consultations."

(Excerpt from http://www.ncrel.org/sdrs/areas/issues/envrnmnt/css/cs3lk2.htm), adopted from Soler, M. & Peters, C. (1993). Who should know what? Confidentiality and information sharing in service integration.

Limits of Confidentiality

Duty to Warn

Court cases have held that when an individual indicates the intention of doing something harmful, dangerous, or criminal to self or others, it is the professional’s duty to warn appropriate parties. This includes:

• The family of an individual who intends to harm her or himself
• Others the individual's actions may harm
• Appropriate authorities and emergency responders




Advocacy Foundation Publishers

The e-Advocate Quarterly

Issue | Title | Quarterly

Vol. I | 2015 | The Fundamentals
I | The ComeUnity ReEngineering Project Initiative | Q-1 2015
II | The Adolescent Law Group | Q-2 2015
III | Landmark Cases in US Juvenile Justice (PA) | Q-3 2015
IV | The First Amendment Project | Q-4 2015

Vol. II | 2016 | Strategic Development
V | The Fourth Amendment Project | Q-1 2016
VI | Landmark Cases in US Juvenile Justice (NJ) | Q-2 2016
VII | Youth Court | Q-3 2016
VIII | The Economic Consequences of Legal Decision-Making | Q-4 2016

Vol. III | 2017 | Sustainability
IX | The Sixth Amendment Project | Q-1 2017
X | The Theological Foundations of US Law & Government | Q-2 2017
XI | The Eighth Amendment Project | Q-3 2017
XII | The EB-5 Investor Immigration Project* | Q-4 2017

Vol. IV | 2018 | Collaboration
XIII | Strategic Planning | Q-1 2018
XIV | The Juvenile Justice Legislative Reform Initiative | Q-2 2018
XV | The Advocacy Foundation Coalition for Drug-Free Communities | Q-3 2018
XVI | Landmark Cases in US Juvenile Justice (GA) | Q-4 2018



Vol. V | 2019 | Organizational Development
XVII | The Board of Directors | Q-1 2019
XVIII | The Inner Circle | Q-2 2019
XIX | Staff & Management | Q-3 2019
XX | Succession Planning | Q-4 2019
XXI | The Budget* | Bonus #1
XXII | Data-Driven Resource Allocation* | Bonus #2

Vol. VI | 2020 | Missions
XXIII | Critical Thinking | Q-1 2020
XXIV | The Advocacy Foundation Endowments Initiative Project | Q-2 2020
XXV | International Labor Relations | Q-3 2020
XXVI | Immigration | Q-4 2020

Vol. VII | 2021 | Community Engagement
XXVII | The 21st Century Charter Schools Initiative | Q-1 2021
XXVIII | The All-Sports Ministry @ ... | Q-2 2021
XXIX | Lobbying for Nonprofits | Q-3 2021
XXX | Advocacy Foundation Missions Domestic | Q-4 2021
XXXI | Advocacy Foundation Missions International | Bonus

Vol. VIII | 2022 | ComeUnity ReEngineering
XXXII | The Creative & Fine Arts Ministry @ The Foundation | Q-1 2022
XXXIII | The Advisory Council & Committees | Q-2 2022
XXXIV | The Theological Origins of Contemporary Judicial Process | Q-3 2022
XXXV | The Second Chance Ministry @ ... | Q-4 2022

Vol. IX | 2023 | Legal Reformation
XXXVI | The Fifth Amendment Project | Q-1 2023
XXXVII | The Judicial Re-Engineering Initiative | Q-2 2023
XXXVIII | The Inner-Cities Strategic Revitalization Initiative | Q-3 2023
XXXVIX | Habeas Corpus | Q-4 2023



Vol. X | 2024 | ComeUnity Development
XXXVX | The Inner-City Strategic Revitalization Plan | Q-1 2024
XXXVXI | The Mentoring Initiative | Q-2 2024
XXXVXII | The Violence Prevention Framework | Q-3 2024
XXXVXIII | The Fatherhood Initiative | Q-4 2024

Vol. XI | 2025 | Public Interest
XLIX | Public Interest Law | Q-1 2025
L | Spiritual Resource Development | Q-2 2025
LI | Nonprofit Confidentiality In The Age of Big Data | Q-3 2025
LII | Interpreting The Facts | Q-4 2025

The e-Advocate Journal of Theological Jurisprudence

Vol. I – 2017
The Theological Origins of Contemporary Judicial Process
Scriptural Application to The Model Criminal Code
Scriptural Application for Tort Reform
Scriptural Application to Juvenile Justice Reformation

Vol. II – 2018
Scriptural Application for The Canons of Ethics
Scriptural Application to Contracts Reform & The Uniform Commercial Code
Scriptural Application to The Law of Property
Scriptural Application to The Law of Evidence



Legal Missions International

Issue | Title | Quarterly

Vol. I | 2015
I | God’s Will and The 21st Century Democratic Process | Q-1 2015
II | The Community Engagement Strategy | Q-2 2015
III | Foreign Policy | Q-3 2015
IV | Public Interest Law in The New Millennium | Q-4 2015

Vol. II | 2016
V | Ethiopia | Q-1 2016
VI | Zimbabwe | Q-2 2016
VII | Jamaica | Q-3 2016
VIII | Brazil | Q-4 2016

Vol. III | 2017
IX | India | Q-1 2017
X | Suriname | Q-2 2017
XI | The Caribbean | Q-3 2017
XII | United States/ Estados Unidos | Q-4 2017

Vol. IV | 2018
XIII | Cuba | Q-1 2018
XIV | Guinea | Q-2 2018
XV | Indonesia | Q-3 2018
XVI | Sri Lanka | Q-4 2018

Vol. V | 2019
XVII | Russia | Q-1 2019
XVIII | Australia | Q-2 2019
XIV | South Korea | Q-3 2019
XV | Puerto Rico | Q-4 2019



Vol. VI | 2020
XVI | Trinidad & Tobago | Q-1 2020
XVII | Egypt | Q-2 2020
XVIII | Sierra Leone | Q-3 2020
XIX | South Africa | Q-4 2020
XX | Israel | Bonus

Vol. VII | 2021
XXI | Haiti | Q-1 2021
XXII | Peru | Q-2 2021
XXIII | Costa Rica | Q-3 2021
XXIV | China | Q-4 2021
XXV | Japan | Bonus

Vol. VIII | 2022
XXVI | Chile | Q-1 2022

The e-Advocate Juvenile Justice Report

Vol. I – Juvenile Delinquency in The US
Vol. II – The Prison Industrial Complex
Vol. III – Restorative/ Transformative Justice
Vol. IV – The Sixth Amendment Right to The Effective Assistance of Counsel
Vol. V – The Theological Foundations of Juvenile Justice
Vol. VI – Collaborating to Eradicate Juvenile Delinquency



The e-Advocate Newsletter

2012 - Juvenile Delinquency in the US: Genesis of the Problem; Family Structure; Societal Influences; Evidence-Based Programming; Strengthening Assets v. Eliminating Deficits
2013 - Restorative Justice in the US: Introduction/Ideology/Key Values; Philosophy/Application & Practice; Expungement & Pardons; Pardons & Clemency; Examples/Best Practices
2014 - The Prison Industrial Complex: 25% of the World's Inmates Are In the US; The Economics of Prison Enterprise; The Federal Bureau of Prisons; The After-Effects of Incarceration/Individual/Societal
2015 - US Constitutional Issues In The New Millennium: The Fourth Amendment Project; The Sixth Amendment Project; The Eighth Amendment Project; The Adolescent Law Group
2016 - The Theological Law Firm Academy: The Theological Foundations of US Law & Government; The Economic Consequences of Legal Decision-Making; The Juvenile Justice Legislative Reform Initiative; The EB-5 International Investors Initiative
2017 - Organizational Development: The Board of Directors; The Inner Circle; Staff & Management; Succession Planning; Bonus #1 The Budget; Bonus #2 Data-Driven Resource Allocation
2018 - Sustainability: The Data-Driven Resource Allocation Process; The Quality Assurance Initiative; The Advocacy Foundation Endowments Initiative; The Community Engagement Strategy
2019 - Collaboration: Critical Thinking for Transformative Justice; International Labor Relations; Immigration; God's Will & The 21st Century Democratic Process
2020 - Community Engagement: The Community Engagement Strategy; The 21st Century Charter Schools Initiative

Extras

The NonProfit Advisors Group Newsletters: The 501(c)(3) Acquisition Process; The Board of Directors; The Gladiator Mentality; Strategic Planning; Fundraising; 501(c)(3) Reinstatements
The Collaborative US/ International Newsletters: How You Think Is Everything; The Reciprocal Nature of Business Relationships; Accelerate Your Professional Development; The Competitive Nature of Grant Writing; Assessing The Risks



About The Author

John C (Jack) Johnson III, Founder & CEO

John C. (Jack) Johnson III was educated at Temple University, in Philadelphia, Pennsylvania and Rutgers Law School, Camden, New Jersey. In 1998, he moved to Atlanta, Georgia in order to pursue greater opportunities to provide advocacy and preventive programmatic services for at-risk young persons and their families caught-up in the Juvenile Justice process. There, along with a small group of community and faith-based professionals, “The Advocacy Foundation, Inc.” was conceived and implemented over a ten year period, originally chartered as a Juvenile Delinquency Prevention and Educational Support Services organization consisting of Mentoring, Tutoring, Counseling, Character Development and a host of related components.

The Foundation’s Overarching Mission is “To help Individuals, Organizations, & Communities Achieve Their Full Potential”, by implementing a wide array of evidence-based proactive multi-disciplinary "Restorative Justice" programs & projects throughout the northeast, southeast, and eastern international-waters regions, providing prevention and support services to at-risk youth, young adults, and their families, as well as to Social Service, Juvenile Justice and Mental Health professionals everywhere. The Foundation has since relocated its headquarters to Philadelphia, Pennsylvania, and been expanded to include a three-tier mission.

In addition to his work with the Foundation, Jack also served as an Adjunct Professor of Law & Business at National-Louis University of Atlanta (where he taught Political Science, Business Ethics, and Labor & Employment Relations to undergraduate and graduate level students). He has also served as Board President for a host of up & coming nonprofit organizations throughout the region, including “Visions Unlimited Community Development Systems, Inc.”, a multi-million dollar, award-winning, Violence Prevention and Gang Intervention Social Service organization in Atlanta, as well as Vice-Chair of the Georgia/ Metropolitan Atlanta Violence Prevention Partnership, a state-wide 300 member violence prevention organization.

www.TheAdvocacyFoundation.org
