Topic Number2.3.7Effective Date

September 1, 2013 (rev)

September 23, 2015 (rev)

December 1, 2016 (rev)

August 21, 2018 (rev)

ProcedureConfidentiality, Privacy, and Disclosure
PurposeTo document standards and expectations for maintaining and safeguarding client confidentiality, privacy, and proper disclosure of information, in accordance with federal and state laws and regulations.
Accountability Indicators
  • There is evidence of a formalized and current orientation and annual training program for WWRC employees, affiliates, volunteers, and contractors to facilitate understanding and proper safeguarding of client confidentiality, privacy, and disclosure of information, as documented in individual training transcripts and aggregate training records obtained through the Commonwealth of Virginia Learning Center (VLC).
  • WWRC employees, affiliates, volunteers, and contractors demonstrate appropriate understanding and application of the proper safeguarding of client confidentiality, privacy, and disclosure of information, as observed, reported, and documented through formal audits. There is evidence of corrective action taken to remediate any deficiencies noted. 
Policy Reference

See also WWRC Administrative Governance Procedure 2.3.6, Client Records, Safeguarding Client Records.

Detailed Governance ReferenceN/A
Executive Staff ContactSteve Conley, IT Director, WWRC


Every Day in Every Way We…..  


Put Our Clients First  
Take Care of Customers 
Work in Teams 
Value our Staff 
Are Organized, Utilized, and Valuable 
Preserve Leadership Ethics, Accountability, Center Values, and Public Trust 



Governance Procedures 

WWRC employees, affiliates, volunteers, and contractors are expected to protect the confidentiality and privacy of client information and records at all times. 


Information Disclosure

Information disclosure is governed and regulated by applicable federal and state laws.  WWRC's Records Management Services Department will accept a written consent form as a current release when received within one year of the client's dated signature, unless there is an earlier expiration date or the client has died.  WWRC will only release information with the written informed consent of the client or his/her authorized representative, except under the following conditions:

  • As required by judicial order
  • Agencies, organizations and authorized personnel on the Regular Access List (see below) 


Family members, friends whom clients may consider a "significant other", attorneys, employers, and other parties may not have access to information unless they are representatives of a client who has been declared legally incompetent.  These representatives are court-appointed and may be either individuals or committees.  WWRC Records Management Services Department will request that these representatives furnish proof of their responsibility.  

When the client is under the age of 18, only the parent(s)/guardian(s) of the client may access information/records.  The parent/guardian is expected to show personal identification and sign a statement regarding their relationship to the client.  

Consumers aged 18 and above may review, challenge, amend, obtain a copy of, or disclose any information about themselves, per established protocols contained in this governance procedure.  

Note:  WWRC includes pre-admission information as part of the official chart/record for admitted clients.  However, as this information was obtained for the purpose of planning WWRC services and not for subsequent re-disclosure, WWRC's Records Management Services Department will release pre-admissions records obtained from another agency or organization only when there is a signed authorization from the client or his/her legal guardian; the signed authorization must specifically authorize WWRC to release the pre-admissions information and must include the report title, report date, and originating facility for each report to be released.  WWRC's  Records Management Services Department will advise clients and other parties who seek pre-admission information to contact the original source as the preferred action of choice.  

Special Circumstances for WWRC Consumers in the PERT Program (HIPAA vs. FERPA)


According to guidance from the Virginia Attorney General's Office (email dated March 19, 2018), a WWRC consumer who is referred to PERT from a local school division, regardless of age (under vs. over the age of 18), is subject to the laws and regulations of the Family Educational Rights and Privacy Act (FERPA) governing "education records".  "Education records" are defined as records that contain information directly related to a student and which are maintained by an educational agency or institution or by a party acting for the agency or institution.  A summary of the AG's Office findings include:


  • When a student turns 18 years old or enters a postsecondary institution at any age, rights under FERPA transfer from the student's parents to the student. Under FERPA, a student to whom the rights have transferred is known as an "eligible student." Although the law does say that the parents' rights afforded by FERPA transfer to the "eligible student," FERPA clearly provides ways in which an institution can share education records on the student with his or her parents.
  • If the student is a dependent for tax purposes under the IRS rules, a school/postsecondary institution may release any and all information to parents, without the consent of the eligible student.
  • If there is a health or safety emergency involving the student, a school/postsecondary institution is permitted to disclose information from education records to parents.
  • HIPAA's Privacy Rule excludes records protected by FERPA at school districts and postsecondary institutions that provide health or medical services to students.

Restricted Access

Clients may not have direct access to their own records when the treating physician or clinical psychologist has written on any report:  "In my opinion, a review of such records by the client would be injurious to the client's physical or mental health or well-being".  Under these circumstances, the client is required to access information about the report directly from a clinical psychologist, a physician, or a licensed certified psychologist.  The treating physician is the only professional who, by statute, has the authority to identify and label a record, which will deny access to the client.  No other professional can restrict any other information.


Personal information may be released to an organization, agency, or individually engaged in audit, evaluation, or research, only:

  • for purposes directly connected with the administration of the comprehensive rehabilitation program;
  • for purposes which would significantly improve the quality of life for persons with disabilities; AND
  • if the organization, agency, or individual assures that:
    • the information will be used only for the purposes for which it is being provided;
    • the information will be released only to persons officially connected with the audit, evaluation or research;
    • the information will not be released to the involved individual;
    • the information will be managed in a manner to safeguard confidentiality; and
    • the final product will not reveal any personal identifying information (such as name, address, WWRC or Social Security Number) without the informed written consent of the involved individual, or his or her representative.


Individuals who are conducting educational research are expected to inform the RMS Department of their project. The researcher must provide a copy of research approval from the DRS Human Subjects Research Review Committee.


Regular Access 

Federal and state agencies listed on the next page's chart are granted regular access (meaning that written consent is not required) for the purpose of cooperative planning and the provision of rehabilitation services or by authority of federal or state law:


                                      Agency Name                                                                                                Allowable Use                                                        
  • Virginia Department for Aging and Rehabilitative Services (DARS)
  • As required for administration of the state VR Program
  • Case Management

    *Written informed consent is required for adjudication of DDS claims
  • Virginia Cooperative Agreements

When confidentiality is protected and referenced within the Agreement

  • Blue Cross/Blue Shield, Medicare, and the Virginia Medical Assistance Program

     *These are contractual services as a provider relationship

Medical and financial records may be reviewed and audited on specific client accounts.

  • Offices of the Attorney General and Commonwealth of Virginia Governor

As relevant to the administration of rehabilitative services

  • Social Security Administration

Information may be disclosed regarding clients who apply for or receive benefits

  • U.S. Office of the Secretary of Health, Education, and Welfare
When the client or representative has asked the Office to review a final decision of the DARS Commissioner, a complete and certified copy of the case record, including records and transcripts of the Commissioner's Fair Hearing decision, will be furnished
  • U.S. Department of Education

Financial information on clients who apply for or receive benefits

  • Virginia Department of Health (VDH)
  • In the course of an investigation, research, or studies of diseases or deaths which are of public health importance
  • As requested for a formal investigation by the Office of the State Medical Examiner
  • Statewide Cancer Registry:  may provide abstracts of records to include name, address, sex, race, and other data required by law for clients having malignant tumors or cancers
  • Virginia Department of Social Services (DSS)
  • Clients who apply for or receive services
  • Parent Locator Unit:  Upon request, information shall be given about the location, income, and property of clients who have abandoned, deserted, or failed to support children and their caretakers who are receiving public assistance. No other information is authorized for release.
  • Virginia Department for the Blind and Visually Impaired (DBVI) 

Clients who apply for or receive services

  • Virginia Employment Commission (VEC)

Assist in job placement and post-employment services for clients

  • Veterans Administration (VA)

VA personnel who have responsibility to process an application or those assigned to provide benefits.



Role-Specific Program Responsibilities


Admissions Department

Admissions will identify what specific reports need to be sent to a sponsor as part of the rehabilitation program. If the sponsor is not on the Regular Access List, WWRC's Admissions personnel will obtain written informed consent from the client using the Consent to Release Information Form prior to adding sponsor's name to the enrollment sheet as a recipient of routine Center reports.


Rehabilitation Counseling

During initial interviews, counselors are expected to explain confidentiality policies and conditions for releasing information. Clients (except minors and those who have an appointed guardian) will be personally responsible for decisions and activities while at the Center and away from the facility. Therefore, the counselor needs to determine with the client what information may be shared with family or friends who may be involved with the client's personal life.


"Informed consent" means that the client is aware of what specific information is to be disclosed. Therefore, counselors will ask the client to sign the Consent Form, which identifies what information may be released. Statements can include, but are not limited to: setting program objectives or deciding future discharge and employment plans; being hospitalized for planned medical services (individual who is named on enrollment sheet for emergencies will be contacted for any life-threatening situations); and discussing any actions and decisions which may involve disciplinary matters, suspension or discharge.

When a client requests a review of his/her WWRC records, the individual should be referred to the Center counselor or, in his/her absence, the counselor's supervisor. This employee will confirm the client's age and competency status for accessing information.

  • For those clients who are under age 18 or who have been declared incompetent, the counselor will assist the client by coordinating the desired review with the parent(s) or representative.
  • For clients who have the right to review records, the counselor should review the WWRC chart/record to learn if there are any medical or mental records which have been restricted by a treating physician. These are the only reports that can and must be removed before access.
  • As the official record must be understandable to the client, a professional employee (counselor or supervisor) will give the client the WWRC chart or record and will remain with the client during the review to interpret reports or to assist the client, who may wish to seek additional information regarding the contents. The staff will respect the client's right of privacy but will ensure that information is not added to or removed from the record at this review.


Clients who request a copy of records will be instructed to complete a Consent Form. The counselor sends the form to the Records Management Services Department that will prepare a copy for the client. The counselor shall ensure that the client is aware of the charge for this service.

WWRC Physician 

WWRC employees who question whether their record may be injurious to the client's physical or mental health or well-being, may request the treating physician to review the record, and if it is felt to be appropriate, will restrict access to the client.

WWRC medical staff members may release information to other physicians for consultation and treatment purposes. The attending physician may include pre-admission material when deemed necessary.

Responding to External Requests for Client Information

WWRC employees are expected to refer any external request for client information to the Center's Records Management Services Department and to notify their supervisor and Division Director upon receipt.   WWRC's Records Management Services Department will manage requests during normal business hours and respond within a fourteen (14) day period, except for emergency situations which will be handled immediately in accordance with the protocol listed below.   The Records Management Services Department will record each request and document the action taken.  

There will be a charge for copies of records unless the request is from those who need information to assist the client in assuring continuity of care in the rehabilitation process. When records are copied, the Records Management Services Department will charge as follows:


Finder's Fee - $5.00 and $0.50 per page for first 50 pages;

$0.25 for pages after 50


A bill for copied material will be attached to the information with instructions to make payment to the WWRC Business Office.  A copy of the bill will be sent to the Business Office cashier.


Emergencies and Life-Threatening Situations

Information may be disclosed during an emergency when it is reasonable to believe that a delay will pose a threat to the client's safety, the safety of others, or result in either serious bodily injury, deterioration of physical/mental health, or death.  Under these circumstances, authority to disclose information is delegated to the Rehabilitation Counselor, Rehabilitation Counselor Manager, WWRC Physician, or On-Call Administrator if Records Management Services Department personnel are not available (i.e. outside of normal business hours).   Authority to disclose information is limited to that which is necessary to deal with the emergency or life-threatening situation.   


Examples may include (but are not limited to):

  • When there is an emergency admission or commitment to a hospital;
  • When acute care hospital personnel require specific information from WWRC records;
  • When law enforcement officials need specific information for an emergency;
  • When reporting an unsafe driver to the Virginia Department of Motor Vehicles (DMV) – this condition is considered as imposing a life-threatening situation after a medical evaluation has determined that the individual is not a safe driver, but the person does not voluntarily relinquish the license.  The individual should be informed of the reason for sending a medical statement to DMV and the regulations that permit such disclosure.


When it is necessary to disclose client information during an emergency or life-threatening situation, the responsible employee is expected to sign and date entry into the client's record with reference to WWRC policy and governance procedure, the reasons and specific information released, reason why a written informed consent could not be obtained, and the person to whom the information was released.

Depositions, Subpoenas, Subpoenas Duces Tecum, and Court Orders


Depositions, subpoenas, subpoenas duces tecum, and court orders require either informed written consent or a judicial order.  A judicial order can either be a court order signed by a judge or a judge's written command to testify or produce records in court.


Records Management Services personnel are expected to request or confirm that a current (dated within the past year) informed written consent is on file.  If consent is not available, RMS personnel will require a judicial order.  RMS personnel will coordinate a response with the affected WWRC employee, WWRC Administration, the respective attorney, and if necessary, the Attorney General's Office prior to a response.  Unless ordered, pre-admission material will not be released as a WWRC document. 


WWRC employees who are required to testify as a rehabilitation service provider are only authorized to disclose information about which they have personal knowledge or experience.

Special Requests


  • Visitors and Callers

    WWRC employees are expected to inform visitors and callers about confidentiality policies and practices that limit disclosure.  The visitor or caller may choose to leave a message for the client.  It then becomes the client's responsibility to determine if they want to contact the caller or visitor. 
  • Third Party Payers

    A written informed consent is required to provide information necessary for collection of payment.
  • News Media

A written informed consent is required, except for public events and disclosure as Directory Information.

  • Law Enforcement Officers

Personal information will be released only to the extent necessary to respond to investigations in connection with law enforcement, fraud, or judicial order.    


Protocols for Changing a Client Record


Revoking a Consent Authorization

A client may rescind a prior authorization.  This must be done in writing and once received, revokes all current authorizations, except to those individuals or parties named on the Regular Access List.  Records Management Services Department personnel are expected to clearly mark client records where a prior authorization has been rescinded.  

Challenging and Correcting a Record by Client or Representative

Upon request to do so, a client or his/her representative will be clearly advised of the right to challenge, correct or have explained any information in the information system, except when access is restricted by the treating physician. The following procedures will be followed: 

  • Clients who are currently enrolled will be instructed by the assigned Rehabilitation Counselor that any request to correct, amend, or delete information is to be done in writing, giving specific reasons why information is being contested.
  • The assigned Rehabilitation Counselor will submit this statement to the originator of record or, in that person's absence, the department supervisor.
  • The originator will discuss the matter with the client and will advise him/her in writing whether the record will remain intact or if it will be changed. A copy of that statement and any changes will be sent to the Rehabilitation Counselor who, after review, will initial and forward it to the Medical Records Services Department.
  • If the review with the originator/ supervisor does not resolve the dispute, the Counselor will advise the client to file a statement of not more than 200 words setting forth his/her position.  This statement will become a permanent part of the client's record. The Records Management Services Department staff will forward a copy of this additional information to all those who previously received the information now being challenged, and to those who will receive this information in the future.

Correcting/Changing a Report Entry by Employees

Employees may correct their own entries in an active chart/report which has not been sent to anyone by marking through the error with one line, inserting new wording above the error, and then signing and dating the entry.


Once a report has been distributed or filed in the Records Management Services Department, it becomes part of the permanent record and no hand corrections will be made. If corrections/changes are necessary, the employee will prepare an addendum to the report that explains the change. This addendum will be sent to the RMS Department, where it will be attached to the original report and forwarded to recipients of the earlier records.


Records will not be changed any time there is a request to release information.


No employee may change or remove another employee's report. In the event a change is required after the individual originating the report has left employment with WWRC, the former employee's supervisor may dictate an addendum and the reason requiring the addendum.

Breach and Sanctions


Unauthorized access of any client record or sharing of information from such records constitutes a breach of the confidentiality of the record, which may lead to sanctions including, but not limited to, termination of employment or other relationship with WWRC, loss of clinical privileges, removal of access to client records at WWRC, and /or applicable civil and criminal penalties. 


WWRC employees are expected to immediately report any breach, or suspected breach, of confidential information to their manager, the Records Management Services Director/HIPAA Privacy Officer, or the Information Security Officer immediately. This report can be anonymous.



A confidentiality statement is included within each classified employee's Employee Work Profile (EWP), is reviewed annually as part of the annual performance planning process and is documented in the EWP by signature of staff and supervisor.


WWRC Supervisors are also expected to review this confidentiality statement with hourly staff, student interns/affiliates, and volunteers. Supervisors are expected to provide a signed copy to the staff member, student intern/affiliate or volunteer, keep a copy for their files, and to forward the original to HR or the HIPAA Privacy Officer, dependent on whether the person is a paid employee of WWRC or not. 


Where relevant and appropriate, the WWRC Contracts Office will attach a Business Associate Agreement as part of negotiated contracts and Memoranda of Understanding in compliance with HIPAA policies and regulations. Contract staff will be held accountable for compliance with terms and conditions of the associated Business Associate Agreement.




While I am working, observing, or volunteering at the Wilson Workforce and Rehabilitation Center, I may learn things I would not ordinarily know about our clients. I must protect their privacy. I will use confidential information only as needed to perform my legitimate duties as an employee/volunteer/student affiliated with the Wilson Workforce and Rehabilitation Center.  This means among other things, that:


  • I will only access confidential information for which I have a need to know.
  • I will not in any way divulge, copy, release, sell, loan, review, alter, or destroy any confidential information except as properly authorized within the scope of my professional activities affiliated with the Wilson Workforce and Rehabilitation Center.
  • I will not misuse or carelessly handle confidential information.


I understand that it is mandatory for employees, observers, and volunteers to maintain the privacy and confidentiality of all clients in order to maintain a position of trust in the community and to protect our client's rights.


I have read, understand, and will abide by the stated rules of confidentiality at the Wilson Workforce and Rehabilitation Center.  





Orientation and Training Requirements


Agency Information Security Officers and HIPAA Privacy Officers  are the designated content experts for orientation and ongoing education, awareness, and training of WWRC employees, affiliates, volunteers, and contractors regarding roles, responsibilities, and expectations for protection of client information and records through appropriate safeguarding of confidentiality and privacy. 


Orientation and training topics are expected to include, but are not limited to:

  • instruction on who and how authorization to access records may be obtained; disposal procedures; how an employee may access his or her own record; and how personnel shall respond to law enforcement and media requests for patient specific information.
  • principles of minimal use, transmission of sensitive data, encryption, de-identification, minimal use, storage of hard copy documents, release of information, and agency sanctions for improper use.
  • Agency's Personally Identifiable Information (PII) and Protected Health Information (PHI) policies and procedures.

All new employees (classified, temporary workers, and part-time staff) as well as contractors and volunteers are expected to complete training on how to properly handle federally-protected data and what the consequences are for non-compliance as soon as practical to comply with federal and state requirements, no later than thirty (30) days after the start date .  If training is not completed within that time frame, access to sensitive hard copy and electronic data, should be suspended until the training is completed. 

All WWRC employees (classified, temporary workers, and part-time staff) as well as contractors, interns and volunteers who have access to the Commonwealth of Virginia network are expected to complete annual training on these topics. If training is not completed, access to sensitive data should be suspended until the training is completed.  For individuals that do not typically have access to electronic data (e.g. housekeeping / janitorial workers), working in areas where sensitive hard copy is handled should be suspended until training is completed.