(a) Division of Youth Services staff and contracted providers shall fully comply with applicable state and federal law governing the confidentiality of records and information pertaining to the custody, care, and treatment of youth served by the division, including without limitation:
- (1) Confidentiality provisions in the Arkansas Juvenile Code of 1989, Arkansas Code § 9-27-301 et seq.;
- (2) The Health Insurance Portability and Accountability Act;
- (3) The Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g; and
(4) Department of Human Services policies relating to:
- (A) Privacy;
- (B) Confidentiality and secure communications; and
- (C) Records storage and disposition.
- (b) The provisions contained in this part are not intended to restrict the ability of the division to provide any contract facility or contracted providers with full and complete information on any juvenile that is committed to that facility.
- (c) All records pertaining to youths charged as delinquent and adjudicated delinquent are confidential and shall only be released if authorized under the provisions of Arkansas Code § 9-28-217.
- (d) If records contain protected health information (PHI) or information concerning the treatment of a substance use disorder, then release of records shall comply with division Policy 4009.
(e) Division staff and contracted providers shall observe the following guidelines in protecting the privacy of youth and families served by the division:
(1) All release of records to outside parties shall be authorized by:
- (A) The division Records Manager;
- (B) A division assistant director;
- (C) The Office of Chief Counsel; or
- (D) Another person designated by the Director of the Division of Youth Services;
(2) Any youth records maintained in hard copy, including in the division Records Unit or at a program site or facility, shall be:
- (A) Marked “Confidential”; and
- (B) Stored in a locked cabinet when not in use;
- (3) Access to youth records, even by authorized staff, shall require, at a minimum, a log to record all access to the file;
- (4) Youth information, including photographs, placement, or personal details, shall not be publicized in any way, whether deidentified or not, including on social media or in marketing materials, without prior written notice to and approval by the director or his or her designee;
- (5) Where possible, records and data shall be deidentified or aggregated in a way that prevents discovery of any individual youth’s identity;
- (6) Secure email and electronic records servers shall be utilized to ensure privacy protections remain intact during storage and transmission of youth’s information;
- (7) The division and contracted provider staff should receive privacy training no less frequently than annually, including training on when and how to report privacy breaches; and
- (8) To ensure transparency and open communication between members of an individual youth’s treatment team and family, youth shall be assigned a unique identifier number at intake which may be used to verify an individual’s authority to receive protected information regarding the youth.
- (f) Failure to observe strict compliance of this part at all levels of the division system may result in disciplinary action against staff, or penalties up to and including monetary damages or cancellation of provider contracts.