(a) General provisions.
(1) The State agency and the State unit must adopt and implement written policies and procedures to safeguard the confidentiality of all personal information, including photographs and lists of names. These policies and procedures must ensure that -
(i) Specific safeguards are established to protect current and stored personal information, including a requirement that data only be released when governed by a written agreement between the designated State unit and receiving entity under paragraphs (d) and (e)(1) of this section, which addresses the requirements in this section;
(ii) All applicants and recipients of services and, as appropriate, those individuals' representatives, service providers, cooperating agencies, and interested persons are informed through appropriate modes of communication of the confidentiality of personal information and the conditions for accessing and releasing this information;
(iii) All applicants and recipients of services or their representatives are informed about the State unit's need to collect personal information and the policies governing its use, including -
(A) Identification of the authority under which information is collected;
(B) Explanation of the principal purposes for which the State unit intends to use or release the information;
(C) Explanation of whether providing requested information to the State unit is mandatory or voluntary and the effects of not providing requested information;
(D) Identification of those situations in which the State unit requires or does not require informed written consent of the individual before information may be released; and
(E) Identification of other agencies to which information is routinely released;
(iv) An explanation of State policies and procedures affecting personal information will be provided to each individual in that individual's native language or through the appropriate mode of communication; and
(v) These policies and procedures provide no fewer protections for individuals than State laws and regulations.
(2) The State unit may establish reasonable fees to cover extraordinary costs of duplicating records or making extensive searches and must establish policies and procedures governing access to records.
(b) State program use. All personal information in the possession of the State agency or the designated State unit must be used only for the purposes directly connected with the administration of the vocational rehabilitation program. Information containing identifiable personal information may not be shared with advisory or other bodies that do not have official responsibility for administration of the program. In the administration of the program, the State unit may obtain personal information from service providers and cooperating agencies under assurances that the information may not be further divulged, except as provided under paragraphs (c), (d), and (e) of this section.
(c) Release to applicants and recipients of services.
(1) Except as provided in paragraphs (c)(2) and (3) of this section, if requested in writing by an applicant or recipient of services, the State unit must make all requested information in that individual's record of services accessible to and must release the information to the individual or the individual's representative in a timely manner.
(2) Medical, psychological, or other information that the State unit determines may be harmful to the individual may not be released directly to the individual, but must be provided to the individual through a third party chosen by the individual, which may include, among others, an advocate, a family member, or a qualified medical or mental health professional, unless a representative has been appointed by a court to represent the individual, in which case the information must be released to the court-appointed representative.
(3) If personal information has been obtained from another agency or organization, it may be released only by, or under the conditions established by, the other agency or organization.
(4) An applicant or recipient of services who believes that information in the individual's record of services is inaccurate or misleading may request that the designated State unit amend the information. If the information is not amended, the request for an amendment must be documented in the record of services, consistent with § 361.47(a)(12).
(d) Release for audit, evaluation, and research. Personal information may be released to an organization, agency, or individual engaged in audit, evaluation, or research only for purposes directly connected with the administration of the vocational rehabilitation program or for purposes that would significantly improve the quality of life for applicants and recipients of services and only if, in accordance with a written agreement, the organization, agency, or individual assures that -
(1) The information will be used only for the purposes for which it is being provided;
(2) The information will be released only to persons officially connected with the audit, evaluation, or research;
(3) The information will not be released to the involved individual;
(4) The information will be managed in a manner to safeguard confidentiality; and
(5) The final product will not reveal any personal identifying information without the informed written consent of the involved individual or the individual's representative.
(e) Release to other programs or authorities.
(1) Upon receiving the informed written consent of the individual or, if appropriate, the individual's representative, the State unit may release personal information to another agency or organization, in accordance with a written agreement, for its program purposes only to the extent that the information may be released to the involved individual or the individual's representative and only to the extent that the other agency or organization demonstrates that the information requested is necessary for its program.
(2) Medical or psychological information that the State unit determines may be harmful to the individual may be released if the other agency or organization assures the State unit that the information will be used only for the purpose for which it is being provided and will not be further released to the individual.
(3) The State unit must release personal information if required by Federal law or regulations.
(4) The State unit must release personal information in response to investigations in connection with law enforcement, fraud, or abuse, unless expressly prohibited by Federal or State laws or regulations, and in response to an order issued by a judge, magistrate, or other authorized judicial officer.
(5) The State unit also may release personal information in order to protect the individual or others if the individual poses a threat to his or her safety or to the safety of others.