XX. Retention of and Access to Records

1.  CLIENT FILE REQUIREMENTS

Each client served should have a file documenting any and all services received.

Files should include documentation of any and all services received, including but not limited to:

·         Type of case (Domestic Violence, Homicide, etc.)

·         Client Eligibility

·         Communications (copies of letters, notes of conversations, etc.)

·         Activities provided to client, date and detail

Certain types of agencies will also need to include the following, if applicable:

·         Referrals (CIC, Shelter, Counseling, etc.)

·         Safety Planning (safe place to wait, escort from car, etc.)

Each client file should have a contact or notes sheet to facilitate this documentation.  Make it easy to use so you can document activities, especially in court.

If your agency utilizes a records management system (RMS)– ensure that information in the RMS is correct and can be viewed by your program monitor.

2.  RETENTION OF RECORDS

In accordance with the requirements set forth in 28 CFR Part 66  for state and local governments and Part 70  for Non-Profit organizations, all financial records, supporting documents, statistical records, and all other records pertinent to the award shall be retained by each subrecipient organization for AT LEAST FIVE YEARS following the closure of their most recent audit report containing the final invoice of the Grant Contract. Retention is required for purposes of Federal and State examination and audit.  Records may be retained in an automated format.  State or local governments may impose record retention and maintenance requirements in addition to those prescribed. Reference 2 CFR 200.333

·         Coverage:  The retention requirement extends to books of original entry, source documents supporting accounting transactions, the general ledger, subsidiary ledgers, personnel, and payroll records, cancelled checks, and related documents and records.  Source documents include copies of all awards, applications, and required subrecipient financial and narrative reports.  Personnel and payroll records shall include the time and attendance reports for all individuals reimbursed under the award, whether they are employed full-time or part-time.  Time and effort reports are also required for subcontractors.

·         Retention Period:  The five-year retention period starts from the date of the submission of the closure of the single audit report which covers the grant period.  If any litigation, claim, negotiation, audit, or other action involving the records has been started before the expiration of the five-year retention period the records must be retained until completion of the action and resolution of all issues which arise from it or until the end of the five- year retention period, whichever is later.

3. MAINTENANCE OF RECORDS

Subrecipients of funds are expected to see that records of different fiscal periods are separately identified and maintained so that information desired may be readily located.  Subrecipients are also obligated to protect records adequately against fire or other damage.  When records are stored away from the subrecipient's principal office, a written index of the location of records stored should be on hand and ready access to the records should be assured.

4. ACCESS TO RECORDS

The awarding agency includes OCJP, the Federal Agency, the DHHS and the DOJ Office of the Inspector General, the Comptroller General of the United States, or any of their authorized representatives, who shall have the right of access to any pertinent books, documents, papers, or other records of subrecipients which are pertinent to the award, in order to make audits, examinations, excerpts, and transcripts.  The right of access must not be limited to the required retention period but shall last as long as the records are retained.

5. CONFIDENTIALITY

To ensure the safety of victims and their families, subrecipients shall protect the confidentiality and privacy of persons receiving services. The obligations set forth in this Section shall survive the termination of this Grant Contract.

Personally identifying information (PII) or personal information means individually identifying information for or about an individual including information likely to disclose the location of a victim regardless of whether the information is encoded, encrypted, hashed or otherwise protected, including:

·         First and last name;

·         Home or other physical address;

·         Contact information (including, but not limited to, email address, telephone/fax number, web address or postal address);

·         Social security number, driver’s license number, passport number, student identification number; and

·         Any other information including date of birth, racial or ethnic background, or religious affiliation that would serve to identify an individual.

a. Confidentiality Policy: Each agency that receives a grant from the Office of Criminal Justice Programs (OCJP) to provide direct services to victims of crime should have a confidentiality policy in place to protect confidential personally identifying information.  Furthermore, confidentiality statements should be signed by all staff, volunteers, interns, board members, etc. and should state, at a minimum, that s/he will protect the personally identifying information of all persons contacting the agency for service, regardless of whether these persons actually receive services from the agency.

Agencies should ensure that all client information that contains personally identifying information is kept out of view from clients, visitors, volunteers, and others who are not authorized to view the information.

Agencies should never ask support group participants to sign a log-in sheet with their first and last name or any other personally identifying information.  Agencies should tell a support group participant that signing in is optional.

b.       Nondisclosure: Subject to subparagraphs (c) and (d) below, subrecipients shall not:

- disclose, reveal, or release any personally identifying information or individual information collected in connection with services requested, utilized, or denied through the subrecipient’s programs, regardless of whether the information has been encoded, encrypted, hashed, or otherwise protected; or

- disclose, reveal, or release individual client information without the informed, written, reasonably time-limited consent of the person (or in the case of an unemancipated minor, the minor and the parent or guardian or in the case of legal incapacity, a court-appointed guardian) about whom information is sought, whether for this program or any other Federal, State, tribal, or territorial grant program, except that consent for release may not be given by the abuser of the minor, incapacitated person, or the abuser of the other parent of the minor.

If a minor or a person with a legally appointed guardian is permitted by law to receive services without the parent's or guardian's consent, the minor or person with a guardian may release information without additional consent.

c.       Release of Information: If release of information described in subparagraph (B) is compelled by statutory or court mandate:

- subrecipients shall make reasonable attempts to provide notice to victims affected by the disclosure of information; and

- subrecipients shall take steps necessary to protect the privacy and safety of the persons affected by  using an approved release of  information.

Sample Release of Information Form

 d.  Information sharing

1.  Subrecipients may share--

·         Nonpersonally identifying data in the aggregate regarding services to their clients and nonpersonally identifying demographic information in order to comply with Federal, State, tribal, or territorial reporting, evaluation, or data collection requirements

·         Court-generated information and law enforcement-generated information contained in secure, governmental registries for protection order enforcement purposes; and

·         Law enforcement-generated and prosecution-generated information necessary for law enforcement and prosecution purposes.

2.  In no circumstances may--

·         An adult, youth, or child victim of crime be required to provide a consent to release his or her personally identifying information as a condition of eligibility for the services provided by the grantee or subrecipient

·         Any personally identifying information be shared in order to comply with Federal, tribal, or State reporting, evaluation, or data collection requirements, whether for this program or any other Federal, tribal, or State grant program.

3. Statutorily mandated reports of abuse or neglect

Nothing in this section prohibits a subrecipient from reporting suspected abuse or neglect, as those terms are defined and specifically mandated by Tennessee Code Annotated (TCA), 37-1-403; 37-1-605 and 71-6-103. See Grant Certifications

Release of Information Best Practices

For more information on confidentiality, especially for STOP and SASP subrecipients, consult the Office on Violence Against Women FAQs.

6.  HIPPA COMPLIANCE REQUIREMENTS

The State and the Subrecipient shall comply with obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH) and any other relevant laws and regulations regarding privacy (collectively the “Privacy Rules”).  The obligations set forth in this Section shall survive the termination of this Grant Contract.

a. The Grantee warrants to the State that it is familiar with the requirements of the Privacy Rules and will comply with all applicable HIPAA requirements in the course of this Grant Contract.

b.  The Grantee warrants that it will cooperate with the State, including cooperation and coordination with State privacy officials and other compliance officers required by the Privacy Rules, in the course of performance of this Grant Contract so that both parties will be in compliance with the Privacy Rules.

c.  The State and the Grantee will sign documents, including but not limited to business associate agreements, as required by the Privacy Rules and that are reasonably necessary to keep the State and the Grantee in compliance with the Privacy Rules.  This provision shall not apply if information received by the State under this Grant Contract is NOT “protected health information” as defined by the Privacy Rules, or if the Privacy Rules permit the State to receive such information without entering into a business associate agreement or signing another such document.