Last updated April 16, 2024
When to use:
Any time we are working with someone's personal, private information, we must protect it. Here you will find our legal requirements, policies, and protocols.
By law we are required to:
- Protect client data.
- Offer every person our notice of privacy practices (NPP) at least once every three years to inform them how we protect, use and may share their information.
- Inform people that our calls are recorded.
- Identify a person by having the person provide you with at least three identifiers (i.e., address, date of birth, phone number, etc.) prior to using an existing record, sharing information, or changing benefits.
- Collect the minimal amount of data necessary to support the person’s needs.
- Write summarized notes objectively, which means without personal opinion.
- At their request and through a formal process, provide people with a copy of their file and any information pertaining to them.
- If you need to collect more than basic information (name, DOB, phone number, address) from someone other than the client you will need to get permission via release of information, recorded verbal consent or power of attorney/guardianship paperwork.
Notice of privacy practice and call recording:
We must inform people that our calls are recorded, offer the NPP at least once every three years and provide a copy anytime it is requested. The messaging at the beginning of each inbound call and chat completes this. However, unless the client tracking system (CTS) shows it has been offered within the last three years, staff must:
- Offer it on outbound calls.
- Offer it during in-person meetings, get a signature showing it was offered and attach to the CTS case.
- Offer it in the person’s own language if the client is using an interpreter.
- Send a copy with PAS client letters.
What to say:
Sample phone script: Because I'm collecting personal information about you, I need to let you know our calls are recorded and we will protect your information according to state and federal policies. You can view our notice of privacy practices on our website, or I can send you a copy by email or mail.
Sample in-person script: Because I’m collecting personal information about you, I need to let you know about our privacy practices and how we will protect your information according to state and federal policies. I have a copy of our notice of privacy practices for you to sign.
Check for and document the NPP:
You can check if the NPP has been offered and document the new offering in the summary tab of the CTS.
To check, scan the date of privacy policy acceptance field in the recent cases box.
If it is not an inbound call/chat and the NPP has been offered within the last three years, you can mark the privacy policy acceptance field as not applicable.
Every time the NPP has been offered, including every inbound call/chat, select yes for the privacy policy acceptance field and enter the date it was offered.
Note:
- If a copy is requested, you can direct them to the Senior LinkAge Line website, or email/mail a copy (located within CTS word templates).
- If the person you are talking to is not the client or legal representative, mark the privacy field as not applicable since the client is not being offered the NPP.
- If you are speaking to the client via an inbound call/chat, but they want to remain anonymous, mark the privacy field as yes since they were still offered the NPP via the recording.
- You do not have to tell providers on an outbound call that the call is being recorded.
Identify the person:
Prior to using an existing record, sharing any personal information, or making any benefit changes, you must confirm you are speaking to the correct person by having the person provide to you three identifying data points about themselves such as first name, last name, DOB, address, phone number, etc.
If the person is unwilling to share private information, general support can still be provided. Staff can use the Anonymous Client record and summarize the call in an activity note.
If you personally know the person (friend, family, etc.) you should transfer them to another Senior LinkAge Line staff (if transferring back into queue use * to jump to the top of the queue) to prevent any appearance of a conflict of interest. If a transfer is not possible, due to need for in-person assistance and staff locations, work with your supervisor on setting appropriate boundaries.
Permission to work with others:
Before collecting or sharing information about a client, you must confirm you are working with the correct person by having the person provide at least three identifying data points about themselves (if a provider, the agency they are from) AND meet one of the following.
Client gave recorded verbal permission
- In recorded phone calls, the person provided verbal permission to share their private information with a provider or individual.
- The person must not sound coerced or raise concerns about competency.
- If someone asks for information about another person who is not on the call, a three-way call should be conducted to gain the person’s permission.
- Verbal permission should be limited to the specific instance. If ongoing support is needed, an ROI should be completed and attached to the client's record.
Received signed ROI or effective POA/Guardianship
The client can sign our authorization for release and exchange of information (ROI) or have a power of attorney (POA) or guardian provide paperwork showing their effective status as a legal representative.
- See the Release of Information and Power of Attorney quick references.
- Guardianship can also be verified via the MN Trial Court Guardian Search. Staff can pull up the official document to verify guardianship and then save the document to upload to CTS.
- Copies can be sent to SLL via mail, fax, secure upload site or at the time of in-person meeting.
- A copy must be saved to the CTS case and if there is a physical copy, shred within 24 hours.
- Staff must get a new signature on the ROI or another copy of the POA/guardianship if it still needed annually or if there is a change to the ROI/POA/Guardianship.
If the person is unwilling or unable to provide permission, we can offer general support but must not discuss personal data.
Resource coordinator ROI sample script: I have this form for us to go through called an authorization for release and exchange of information. This form allows you to give permission to myself and the Senior LinkAge Line to create a support plan with the providers or other people you choose. This may involve exchanging information such as how you're doing; your medical information on file; and the follow-up services that we talked about. Please know at any point in time you can choose to reverse this release of information if you change your mind. Are you comfortable signing this?
Provider within the welfare system
Permission is not required when information is shared or collected within the welfare system which allows SLL to exchange information with the following entities for the purposes of determining eligibility, coordinating services for an individual or family and administering federal funds or programs:
- Department of Human Services staff
- Local social services & agencies
- County welfare, public health, housing & veteran services agencies
- Ombudsman for older adults or mental health
- Native American tribes if they provide services within the welfare system
- Entities on contract with the above-mentioned agencies to the extent specified in their contract.
Note: ACL and CMS are not considered part of the welfare system; therefore, staff will need to get the person’s permission before SHIP information is provided.
Exceptions
- Per state and federal requirements, preadmission screening (PAS) specialists can share PAS information with submitters (hospitals, clinics, and hospice), nursing facilities, counties, managed care organizations, Tribal Nations and individuals for the purposes of processing a PAS.
- Note: If a facility calls in asking for a SSN, or a clinic is asking for the person’s discharge location, the information cannot be provided as it is not needed to process a PAS.
- Resource coordinators can work with nursing facilities and hospitals for purposes of following up on the profile list and online referrals but should try to secure a ROI as soon as possible.
Note taking:
Staff must:
- Take notes within the CTS or the resource coordinator assessment on an agency issued laptop.
- You must not take notes on paper or other software including word documents/sticky notes/notepad, as these do not meet our legal requirements for data security.
- Document objectively (just the facts, no opinions) and summarize who they spoke with, any permissions given, what was done and next steps.
- The next staff person to assist should be able to understand easily and quickly what happened and what is needed now.
- Match or create a record for the client unless the person is remaining anonymous and no private information is discussed.
- If speaking to another person, create a record for the contact unless the person is remaining anonymous and no private information is discussed.
- Not share what is written in notes without a data request.
What to say:
You sometimes will need to download sensitive information such as an online referral or letter template. Be sure to delete your downloads as soon as possible but at least each night. You can automatically set download clearing on your computer or browser, reach out if needed to your agency’s IT department.
Paper data storage:
Paper document retention comes with higher security risk and must be kept to a minimum and in the most secure place possible. If you have printed materials with sensitive information such as a mailing, a form that needs to be physically signed, etc. you must keep a copy within the CTS and then securely destroy or return the item to the person as soon as possible. If it cannot be destroyed or returned immediately, you must use a locked cabinet, locked office door and/or locked bag and the private information should not be in view of any visitors or other walking by.
Data incidents:
When someone’s private data has been compromised it is vital that the issue is reported and addressed immediately. There are steps that must be taken to follow federal guidelines and evaluate any risk that may come from the improper disclosure of information.
Incidents include, sending or sharing private information with an individual that does not have a right to that information or looking up a person such as a friend or neighbor without their permission.
If you become aware of or suspect a data incident has occurred, you must immediately notify your supervisor or contact center manager. The supervisor must report it to the MBA-SLL team within 24 hours of the incident occurring or knowledge of the incident, whichever is sooner. The report must be made on the Area Agency on Aging’s letterhead and include the following:
- Date and time of incident
- Parties involved, including the staff and clients involved and number of people
- Scope
- The type of data involved
- How the incident occurred
- Any notice to affected parties
- Actions taken
- Safeguards in place
The MBA-SLL team will then investigate the incident and with the AAA determine next steps including communication to the impacted person, reporting to state and federal authorities, additional training required and disciplinary action if needed.
A PAS sent to another professional within the PAS network, such as to the wrong facility or lead agency should be reported to your supervisor and the document shredded or deleted immediately by the recipient but a data incident report to the MBA-SLL team is not needed.
Data requests:
People we serve have a right to their information. Information Senior LinkAge Line collects includes client files, notes, phone calls, website chats, online referrals from providers and preadmission screenings.
- If a person requests to see their information, such as CTS record, preadmissions screening, phone calls, etc., direct them to the bottom right corner of the Minnesota Board on Aging website (or send them a copy) for the MBA Data Access Policy - Private form to make their request in writing.
- The notice of privacy practices must also be sent to the person.
- Note: for requests made by someone other than the client, appropriate legal documentation will need to be attached.
- Document in the CTS that the form was provided.
- Notify the requestor the MN Board on Aging will process the request.
Sometimes people will request that we delete their information, while we can make a person’s record anonymous to start, we cannot delete data as we are legally required to follow state and federal data retention laws.
Links: