INSIGHTS
April 10, 2019
White Papers

Maximizing Linkages: A Policymaker's Guide to Data-Sharing

Khaliyl Lane, Social Interest Solutions

Download a PDF of this report

Introduction

State and local agencies administer public benefit programs that help vulnerable populations. These programs provide children, for instance, with affordable health care, safe housing, and adequate nutrition. When one agency shares information with another program to help enroll low-income people in additional programs for which they qualify, providing support becomes more efficient, eligible enrollment increases, and it reduces hassles for struggling families. To encourage this type of connection, in November 2017, Social Interest Solutions (SIS), in partnership with the Center on Budget and Policy Priorities, produced both a paper and interactive online tool[1] to:

[H]elp state and local policymakers and program officials identify opportunities under federal law to streamline the application and enrollment process by relying on eligibility determinations made by other programs. We refer to these cross-enrollment opportunities as “linkages” between programs. [2]

The ability to effectively leverage linkages to establish Integrated Eligibility Systems (IES), however, requires that agencies be willing to embrace opportunities to engage in cross-enrollment. One particular barrier that has surfaced with policymakers is their expressed concerns that privacy laws inhibit their ability to share data across systems. In order to bring more clarity to these perceived cultural and legal limitations, SIS’ policy analysis has revealed underutilized pathways to support data-sharing across multiple programs to support IES, as well as explicit authority to undertake targeted outreach and educational services between programs. For instance, the findings uncovered opportunities to leverage confidential health information, which has long been considered off limits under most circumstances, to support the administration of other public benefit programs.


The findings uncovered opportunities to leverage confidential health information, which has long been considered off limits under most circumstances, to support the administration of other public benefit programs.
 

In particular, SIS set out to better understand the boundaries and opportunities for data-sharing under federal and California privacy laws for four key public benefit programs: Temporary Assistance for Needy Families (TANF); Medicaid; Supplemental Nutrition Assistance Program (SNAP); and Special Supplemental Nutrition for Women, Infants and Children Program (WIC). This paper provides a deep dive into the federal and state statutes, regulations, and policies governing privacy rights in general — and data-sharing specifically — for each of the four programs.

This paper will review statutory and regulatory language to determine how each respective program’s data can be shared to support other public benefit programs.

Key findings for each program include:

TANF

  • State TANF and child welfare services have already developed successful data-sharing agreements, as encouraged by federal guidance provided by the Administration for Children & Families in the U.S. Department of Health and Human Services. 
  • In California, recipients of TANF data — which may include public or private entities — must guarantee that they will adhere to the same confidentiality requirements that are applied to the state TANF agency. 
  • State TANF agencies have broad flexibility to share applicant and recipient information with other agencies to improve coordination of services. Federal laws explicitly require TANF agencies to allow for data-sharing to support federal or federally-assisted programs, such as Medicaid and child welfare services (among other programs).
  • Federal and state laws explicitly permit TANF agencies to share applicant and/or recipient information to support other health and human service programs with regard to eligibility determinations.

Medicaid

  • The Health Insurance Portability and Accountability Act (HIPAA) provides significant authority to use and disclose protected health information (PHI) while also providing appropriate protections for sensitive information. In particular, further analysis of privacy law reveals opportunities to leverage Medicaid data in order to provide services to program beneficiaries.
  • HIPAA authorizes the release of PHI without consent for the purposes of treatment, payment, and health care operations, which may include quality assessment and improvement activities, including case management and care coordination, among other uses.
  • HIPAA regulations authorize Medicaid agencies to share PHI without consent of the individual to support other government agencies administering public benefits, if required or authorized by statute or regulation.
  • HIPAA regulations do require that Medicaid agencies, to the best extent possible, minimize both the amount and the number of persons who have access to PHI.

SNAP

  • Significant leeway is provided to state SNAP administrators who seek to use and disclose applicant and recipient data to support the administration of other public benefit programs. Specifically, opportunities exist to leverage data collected in SNAP to engage in outreach to low-income individuals who have applied or may be considering applying for other social service programs with similar eligibility requirements, such as TANF and Medicaid.
  • Similarly, federal and state laws allow administrators to leverage SNAP applicant and recipient information to support eligibility verification for programs like Medicaid.
  • Federal regulations require state agencies to provide adequate notice to SNAP applicants that their personal information may be shared with other government agencies for eligibility verification purposes. In California, state law also requires that sufficient safeguards are in place to protect confidential applicant or recipient information.

WIC

  • State and local WIC agencies are fairly limited in their ability to use or disclose confidential information without consent from the applicant or recipient. However, federal and state law does recognize the need for WIC applicants or recipients to receive streamlined access to other medical assistance programs, such as Medicaid.
  • State and local WIC agencies are required to provide applicants or recipients information on Medicaid, as well as direct referral to state Medicaid agencies for families that are deemed eligible or presumptively eligible for additional health care services. States have executed on a variety of approaches to referrals between these programs to support cross-enrollment.
  • Federal regulations permit the use and disclosure of confidential WIC data for “non-WIC purposes” upon approval by the state’s Chief State Health Officer, among other requirements.
  • The Oregon Health Authority implemented policies and procedures that acquire consent from applicants and recipients during the application and certification stage of enrollment to allow for data-sharing between WIC and Head Start services.

Our guide also highlights the efforts of several state agencies, such as the California Department of Health and Human Services (CHHS), to establish innovative Intra-Agency Data Exchange Agreements that support data-sharing across departments to facilitate IES, program evaluation, and encourage cross-enrollment, among other benefits.

This guide is the second in a series that SIS has issued to empower government entities, advocates, and other stakeholders when considering data-sharing initiatives. Through safe, secure, and responsible data-sharing initiatives, governments can take a major step towards developing a public benefit system that provides dignified, efficient services to all of those that are in need.

TABLE OF CONTENTS

Overview

Overarching Privacy Laws

Program-Specific Privacy Review

Recommendations

Conclusion

Part I – Overview

Social service programs operated by state and county governments store critical data about individuals and their experiences that could be leveraged to improve outcomes and increase efficiencies across programs. Due to perceived legal barriers and other confidentiality concerns, many program administrators have been wary to explore the development of safe and secure data-sharing agreements with sister agencies. In contrast, private sector entities such as Google and Amazon have harnessed the power of data to forecast and subsequently meet consumer demand, and support their ability to make informed decisions related to organizational efficiency and scalability.

The purpose of this guide is to examine federal and state privacy laws that apply to key public programs, which can then begin to move critical data out of existing silos and use it in responsible ways to improve the health and well-being of communities. The analysis focuses specifically on permissible data-sharing of individual-level data for the purpose of streamlining eligibility verification processes and/or connecting program recipients with other benefits and services they may qualify to receive (e.g., outreach and referral services). 

For many years, states have engaged in varying degrees of data-sharing as a common-sense way to streamline eligibility and enrollment processes for both consumers and providers — thereby reducing barriers for low-income families and bolstering program efficiency.[3] For instance, data-sharing has been used to support cross-enrollment for so-called “categorical eligible” households, like SSI recipients, across programs. Some state Medicaid agencies have been able to decrease duplicative processes and accelerate enrollment by determining Medicaid eligibility based on an applicant’s eligibility determination issued by another program (such as SNAP).[4] Others have used data-sharing to leverage SNAP data to verify income for Medicaid applicants, without requiring applicants to provide documentation a second time.[5]

 CASE IN POINT

Some government agencies have gone even further to realize the potential of robust integrated eligibility & enrollment and data systems within the public sector.[6] In Allegheny County, Pennsylvania, for example, the Department of Human Services embraced innovation to establish data-sharing across agencies to create a data warehouse to improve services to clients, inform policymaking, and evaluate program and operational effectiveness.[7] A handful of other states (Colorado, Maryland, New York, North Carolina, South Carolina, as well as Pennsylvania) leverage Medicaid enrollment data to connect low-income seniors to SNAP in partnership with a third-party agency, based on research showing that increased food security improves health and reduces costs for this vulnerable population.[8]

Still, much more work can be done to replicate these promising initiatives in other states and local municipalities. To help bring this vision into clearer view, SIS’ analysis seeks to provide insight into both perceived and real data-sharing barriers and capabilities within public benefit programs, so that more government agencies can build on these data-sharing success stories.

SIS’ analysis should not be interpreted to overlook data security as a foundational component of any data-sharing initiative. The capacity to protect the sensitive data of our most vulnerable citizens is tantamount to the ability to improve benefits access and efficiency across public benefit programs. The goal of this guide is to support and inform the development of responsible, secure data-sharing initiatives that may be used to improve outcomes for low-income families and individuals throughout the United States.

Part II: Overarching Privacy Laws

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA), signed in 1996, is a foundational privacy law governing PHI.[9] HIPAA helps define the key differences and overlap between PHI and personally identifiable information (PII). PHI includes any information received during the provision of health care that can be used to personally identify an individual, such as a medical record, laboratory report, or hospital bill.[10] PII, by comparison, is defined as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”[11] Overlap between PHI and PII can occur when common identifiers, such as name, address, birth date, or Social Security number are associated with health information.

Under HIPAA rules, PHI is held or transmitted by a “covered entity” or a “business associate.” A covered entity includes individuals, organizations, and agencies that serve as health care providers (e.g., doctors, psychologists, dentists), health plans (e.g., health insurance companies or government health programs, such as Medicaid), and/or health care clearinghouses.[12] A HIPAA business associate is a person or third-party entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.[13] HIPAA protections are applied to all PHI obtained either by covered entities, business associates, or both. Two major HIPAA rules are often applied when establishing data-sharing agreements that involve PHI:

  • The Privacy Rule; and
  • The Security Rule.

The Privacy Rule, issued in 2000, sets national standards for when and how PHI may be used and disclosed.[14],[15] Notably, the Privacy Rule requires that:

  • When PHI is requested, used, or disclosed by a covered entity or business associate, reasonable efforts must be taken to meet the minimum necessary standard, which means that data owners must limit information shared to what is relevant and necessary to achieve the intended purpose.[16]
  • A covered entity must enter into a data use agreement (DUA) before there is any use or disclosure of a limited data set (e.g., PHI that excludes certain identifiers) to an outside institution or party for research, public health, or health care operation purposes without obtaining consent.[17]
  • Patients have a right to receive adequate notice of the use and disclosure of PHI as well as information on their individual rights and the covered entity’s legal duties with respect to PHI;[18]
  • A covered entity must obtain satisfactory assurances from its business associates or third-party service providers to ensure they are aware of the parameters for accessing and sharing PHI and are in adherence to privacy procedures;[19]
  • Covered entities must establish and prove adherence to privacy procedures, including regularly administering HIPAA training to employees to ensure understanding with both federal and state laws, as well as an organization’s privacy procedures; [20],[21]
  • Covered entities must appoint a Privacy Official to oversee the organization’s data-privacy program.[22]

The Privacy Rule does not prohibit a covered entity from using and disclosing PHI within certain limits and protections. Indeed, HIPAA specifically authorizes the release of PHI without consent, for the purposes of treatment, payment, and health care operations, which may include quality-improvement activities.
 

The Security Rule,  issued in 2003, identifies specific safeguards that covered entities and their business associates must implement.[23] Specifically, the Security Rule requires that:

  • Covered entities ensure the confidentiality, integrity, and availability of all electronic PHI they create, receive, maintain, or transmit, and protect that data from reasonably anticipated threats or impermissible disclosures;[24]
  • Covered entities and business associates create a written security plan, which must include administrative safeguards, physical safeguards, and technical safeguards;[25] and

Covered entities and business associates ensure compliance by their workforce.[26]

The Privacy Rule does not prohibit a covered entity from using and disclosing PHI within certain limits and protections. Indeed, HIPAA specifically authorizes the release of PHI without consent, for the purposes of treatment, payment, and health care operations, which may include quality-improvement activities.[27],[28],[29]

Other Federal Privacy Laws

There are several other federal laws that address data-sharing for health and human services programs. The Privacy Act of 1974 (Privacy Act) governs the collection and dissemination of information about individuals by federal agencies.[30] It includes stringent confidentiality provisions, but permits disclosure without the subject’s consent for a “routine use,” defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.”[31] For instance, some public benefit program rules authorize — and, in some cases, require — state agencies to use data collected from their respective programs to support the administration of other federally-assisted programs (e.g., SNAP and TANF).

Other federal privacy laws include the Family Educational Rights and Privacy Act (FERPA),which governs privacy of education records, and those governing the confidentiality of alcohol and substance use disorder (SUD) records.[32],[33],[34] Although some public benefits data can be shared to streamline eligibility for school-based programs (e.g., the free and reduced-price lunch program), FERPA is generally understood as restricting student data from flowing in the opposite direction. Similarly, the federal regulations in the Public Health and Welfare Code impose restrictions on the disclosure and use of alcohol and drug patient records as long as the information was received or acquired by a federally assisted alcohol or drug program.[35] In simple terms, protected data can be any information disclosed by a federally assisted program that directly or past substance use disorders, resulting in arguably more stringent confidentiality protections than required by HIPAA.[36],[37]

California Privacy Laws and Guidance

Confidentiality of Medical Information Act (CMIA)[38] – The CMIA establishes additional confidentiality protections related to PHI. The Act protects the confidentiality of individually identifiable medical information obtained by a health care provider, health care service plan, or contractor, among others.[39] Like HIPAA, CMIA permits the disclosure of PHI without patient authorization for the purposes of treatment, payment, and health care operations.[40] However, CMIA differs from HIPAA in a few distinct ways: CMIA expands the definition of provider of health care to include any business that offers hardware or software — including mobile apps — that is expected to maintain medical information.[41] Second, it provides individuals a private right of action when a violation of privacy has occurred, which HIPAA does not.[42]

Information Practices Act[43] – The Information Practices Act (IPA) expands limitations on the right of governmental agencies to disclose personal information about an individual. The statute generally defines “personal information” as any information that is maintained by an agency in California that can be used to identify or describe an individual (e.g., name, Social Security number, home address, etc.).[44]

The IPA illustrates the conditions of personal data disclosures allowed within California. In particular, no agency may disclose any personal information in a manner that would link it to the individual to whom it pertains unless the information is disclosed, as follows:

(e) To a person, or to another agency where the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use is compatible with a purpose for which the information was collected and the use or transfer is accounted for in accordance with Section 1798.25 [which requires agencies to “keep an accurate accounting of the date, nature, and purpose of each disclosure.”]
[45]

 CASE IN POINT

Recent examples from California suggest that the kind of data-sharing explored in this guide complies with the IPA. In 2014, for instance, the California Department of Health Care Services (DHCS) addressed the transfer of personal data from CalFresh (California’s SNAP program) to Medi-Cal (California’s Medicaid program) in order to streamline enrollment into expanded Medicaid. Because the use of SNAP enrollment information was compatible with the purpose for which it was collected (enrollment into a public benefit program), “Express Lane Eligibility” (as the program is known) was deemed permissible by federal and state authorities.[46]

Chapter 5300 of the State Administrative Manual[47] Prepared by the Department of General Services through the Office of Information Security, the State Administrative Manual (SAM) outlines state administrative rules on the use and disclosure of personal information for all state entities unless otherwise explicitly exempted by law or state policy. In general, SAM provides statewide privacy guidelines and limitations on information that is owned or managed by state entities to restrict the use or disclosure of personal information for purposes outside of the original intent of its collection.

With regard to data-sharing, SAM permits “information asset owners, custodians, and users” to disclose, use, or make available personal information for purposes other than those for which it was originally collected if the use or disclosure is explicitly allowed under the IPA, among other criteria.[48] SAM refers to information used by third parties to clarify that information asset owners and users shall apply the requirements of this policy to any third party handling personal information collected by the state entity, “in order to accomplish a state entity function that is consistent with the original purposes for which it was collected.”[49] It also states that any third party and its staff with access to personal information must agree to be subject to the state entity’s privacy policies and practices.

CHHS’ Memorandum of Understanding and Intra-Agency Data Exchange Agreement In 2016, CHHS issued a Memorandum of Understanding (MOU) and Intra-Agency Data Exchange Agreement to facilitate the integration and exchange of information between all CHHS departments, including California’s Department of Health Care Services (DHCS), Department of Public Health (CDPH), and Department of Social Services (CDSS).[50] The MOU articulates that it is in compliance with all applicable federal, state, and local laws, regulations, and policies regarding data use and disclosure confidentiality, and thereby serves as the primary agreement to facilitate data exchange among CHHS departments. It seeks to bolster and streamline data integration within CHHS Departments by alleviating the need for “point-to-point” agreements except where mandated by the federal government or law. The Agreement further specifies that the MOU portion of the document is not intended to apply to CHHS departments that do not meet the definition of a covered entity or business associate under HIPAA, and therefore does not impose HIPAA requirements or standards on non-covered entities or components, such as WIC under CPDH, of CHHS departments.

In addition, the Agreement establishes a common set of terms and conditions to facilitate “secure interoperable data exchange between [and] among CHHS departments.” Other notable provisions include authorization of CHHS departments to provide, access, and/or use data collected by other departments for permitted purposes and only to the extent necessary, which permits data-sharing activities that comply with all applicable laws, rules and regulations.

CHHS’ Data Playbook, which provides guidance on the Agreement, clarifies that it is split into two parts: one Master Agreement, with boilerplate legal language; and subordinate “Business Use Case Proposals.”[51] The Data Playbook also explains that business-use case proposals — which includes information such as data type, intended use, etc. — are used to document each data exchange under the Master Agreement. CHHS’s Agreement permits data providers to object to business-use case proposals from recipient Departments, which triggers a review of the specific proposal, unless the “transfer or receipt of data is required by law[.]” Finally, the Agreement states clearly that it “shall remain in full force and effect immediately from the date of execution [May 2016]…,” which indicates that the terms of the Agreement are still in effect.

PART III: Program-Specific Privacy Review

Temporary Assistance for Needy Families (TANF)[52]

Under TANF, the federal government provides grants to states that then have broad flexibility to carry out a wide range of income assistance services under TANF’s block grant structure.[53] TANF is a time-limited income assistance program that supports families with children when the parents or other responsible relatives cannot provide for the family’s basic needs.

Federal Law and Guidance

The Federal TANF statute provides the Secretary of the U.S Department of Health and Human Services (HHS) the authority to interpret and provide guidance and rulemaking to implement various data-exchange provisions within TANF, particularly when they are related to standardizing data exchange and improving interoperability. [54], [55] The statute requires only that TANF jurisdictions “[t]ake such reasonable steps as the State deems necessary to restrict the use and disclosure of information about individuals and families receiving assistance under the program attributable to funds provided by the federal government.”[56]

In 2015, the Administration for Children and Families (ACF) — the division of HHS that governs both TANF and the child welfare system — released guidance on data-sharing capabilities within TANF statute to support state efforts to establish data-sharing agreements to improve the economic and social well-being of foster youth.[57] More specifically, ACF released an Information Memorandum to state TANF agencies, encouraging them to “coordinate, collaborate, and share data on the children, youth, and families that they serve,” particularly those in the foster care system.[58]

ACF makes clear in the Information Memorandum that TANF allows for data-sharing to support state or tribal child welfare agencies, acknowledging that there are no statutory or regulatory barriers to doing so.[59] 

 CASE IN POINT

TANF has jurisdiction over data-sharing in the context of foster care maintenance. TANF federal regulations go a step further to articulate that a State Plan for financial assistance must provide that the use or disclosure of information concerning applicants and recipients be allowed, with certain safeguards, for purposes directly connected with, but not limited to, any of the following programs: TANF, Child Welfare Services, Child Support, Foster Care Maintenance, Medicaid, Social Services, Supplementary Security Income (SSI), among other Federal or federally assisted programs which provide assistance, in cash or in kind, or services, directly to individuals on the basis of need.[60]

State Law and Guidance – California

CalWORKS (California’s TANF program) — along with CalFresh — permits confidential applicant or recipient information to be shared, with proper safeguards, for purposes directly connected with the administration of public social services.[61]Public social services are defined as aid or services administered or supervised by CDSS or the DHCS. [62],[63]

Subsection (b) of the statute authorizes any county welfare department in California to release its lists of applicants for, and/or recipients of, public social services to any other county welfare department overseen by CDSS. The statute also requires that applicant or recipient data be shared when requested by any county welfare department or CDSS.[64]

Subsection (d) explicitly permits county welfare departments and CDSS to share data with other public agencies for eligibility verification or for purposes directly connected with the administration of public social services. The provision also allows for information exchange with county superintendents of schools or superintendents of school districts to facilitate the administration of federally assisted programs such as free or reduced-price school meals programs.[65]

The statute also explicitly authorizes county welfare departments to provide, without client consent, information to a housing authority to aid in determining eligibility for housing programs or services for which the client has applied or which he or she is receiving, as long as the receiving agency complies with all state and federal confidentiality and privacy laws.[66],[67] The same provision states that the section may be implemented either through an automated data exchange system or through a manual system.

Subsection (f) authorizes CDSS to make rules and regulations governing the custody, use, and preservation of all information pertaining to the administration of CalWORKS and CalFresh. The provision provides broad authority for CDSS to exchange information with other public or private agencies that plan, provide, or secure social services, such as Medicaid or WIC, for or on behalf of recipients or applicants.[68],[69]

The CA statute makes clear that CalWORKS and CalFresh confidentiality requirements shall not be applied to the Medi-Cal program nor supersede existing federal or state privacy laws that govern Medicaid, such as HIPAA.[70] The state legislature’s analysis of Senate Bill 346, which clarified existing law to exclude Medi-Cal for the purposes of CalWORKS and CalFresh’s confidentiality requirements, does not discourage sharing between the programs.[71] Rather, the Senate Floor analysis explains that CalWORKS and CalFresh confidentiality requirements explicitly exclude Medi-Cal because the medical assistance program is accountable to various other federal and state privacy protections in order to safeguard PHI. The bill’s sponsor makes clear that the intent of the bill was to support robust data-sharing opportunities across programs:

System interoperability within counties is essential in providing clients timely access to the services for which they are eligible… SB 346 allows county human service departments to more easily share client eligibility information with county health departments in order to simplify enrollment in public health care coverage programs…[72]

Such efforts on behalf of the state legislature appear to have been pursued in response to recommendations submitted on behalf of advocates that sought clarification on how to interpret state confidentiality law related to CalWORKS and CalFresh programs.[73]


The bill’s sponsor makes clear that the intent of the bill was to support robust data-sharing opportunities across programs: System interoperability within counties is essential in providing clients timely access to the services for which they are eligible… SB 346 allows county human service departments to more easily share client eligibility information with county health departments in order to simplify enrollment in public health care coverage programs…
 

CalWORKS regulations clarify state statute to affirm that confidential information may be released without the consent of the applicant or recipient for purposes directly connected with the administration of public social services.[74] In addition, CDSS regulations expressly permit access to confidential CalWORKS information for CDSS, DHCS, and Depts. of Health, Education, and Welfare (currently known as HHS), and county welfare departments within the state.[75] CalWORKS regulations do require that any contract between a public or private agency (e.g. state contractor) that involves the release of confidential information include a provision ensuring such information will be used in accordance with the state’s confidentiality and privacy laws and proceeding regulations.[76],[77],[78]

Key Findings – TANF (CalWORKs)

As described above, federal and state law provides state TANF agencies with significant opportunities to engage in data-sharing to improve access and outcomes for program applicants or recipients that may be eligible for other health and human services.

Fortunately, CDSS has a history of sharing data to support the administration of other social services programs, such as Medi-Cal and child welfare.

 CASE IN POINT

CDSS, DHCS use Data-Sharing to Support Foster Youth In 2015, CDSS and DHCS entered into an agreement with other relevant stakeholders that supported the use and disclosure of confidential data regarding youth in foster care. The agreement cites the statutory authority for both agencies to manage the administration and delivery of public social services.[79] The agreement permits both agencies to identify and share with each other confidential information including medical data, mental health data, and demographic data to support the provision of services to children or non-minor dependents receiving child welfare services, among other stated goals.[80] Under the MOU, CDSS agreed to comply with HIPAA when accessing or using confidential data provided by DHCS, and conversely, DHCS agreed to comply with CDSS confidentiality and security requirements, among other applicable federal and state privacy and security laws.[81] The agreement now serves as a model agreement for state agencies that wish to pursue pathways provided through federal and state laws to leverage CalWORKS data in a way that is mutually beneficial for providers and consumers of public social services in California.

Supplemental Nutrition Assistance Program (SNAP)[82]

SNAP is administered at the federal level by the Food and Nutrition Service (FNS) at the U.S. Department of Agriculture (USDA). SNAP is a federally funded, state-operated anti-hunger program that provides nutritional assistance to low-income individuals and families. The Federal government supports the full cost of SNAP benefits, while states share the cost of administering the program. In 2017, the SNAP program helped 42 million people nationwide afford a nutritionally balanced diet, including roughly ten percent of the population in California.[83]

Federal Law and Guidance

Federal SNAP laws permit data-sharing. In fact, the statute includes a section that directs the USDA to develop data exchange standards to govern, among other things, “necessary categories of information that state agencies operating related programs are required under to law to electronically exchange with another state agency.”[84] In 2017, USDA issued a Request for Information to support FNS’ ability to designate data exchange standards, which identifies data-sharing and analysis as a way to improve SNAP services.[85] In particular, SNAP statute requires the state agency to establish safeguards that permit the disclosure of applicant household information to persons directly connected with administration of other “federal assistance programs,” including “federally assisted state programs.” [86] The federal statute also authorizes state SNAP agencies to inform low-income households about the availability, eligibility requirements, application procedures and the benefits of SNAP.[87]

Federal regulations set in place certain requirements for data-sharing within SNAP. For example, regulations require that state SNAP agencies execute a data-exchange agreement with the other state agency before exchanging information.[88] The recipients of SNAP information are also required to adequately protect against unauthorized disclosure of information.[89] Federal SNAP regulations give states’ the option to use or disclose SNAP applicant or recipient information to support the administration of other federally assisted state programs that serve low income individuals.[90] Further, the federal rules permit data-sharing to streamline eligibility determinations for individuals that may become categorically eligible for SNAP because they qualify for other public assistance programs, such as SSI or TANF.[91],[92] In addition, the rule explicitly permits state SNAP agencies to exchange information with other state agencies that administer programs such as TANF, Medicaid, and SSI for purposes of maintaining and using an income and eligibility verification system (IEVS).[93]

State Law and Guidance – California

CalFresh and CalWORKS confidentiality requirements are governed by the same state statute. As noted above, California law permits confidential applicant or recipient information to be shared, with proper safeguards, for purposes directly connected with the administration of public social services.[94]


In particular, SNAP statute requires the state agency to establish safeguards that permit the disclosure of applicant household information to persons directly connected with administration of other “federal assistance programs,” including “federally assisted state programs.” The federal statute also authorizes state SNAP agencies to inform low-income households about the availability, eligibility requirements, application procedures and the benefits of SNAP.
 

The places where CalWORKS and CalFresh privacy rules diverge are described in CDSS’ Manual of Policies and Procedures (MPP), which provides a regulatory framework for the confidentiality of public assistance information in accordance with state confidentiality and privacy laws, as well as federal regulations.[95]

Similar to federal SNAP regulations, CalFresh rules described in the MPP allow for the use or disclosure of applicant or recipient household information.[96] The data may be used to support the administration of other federal, or federally assisted state programs that provide assistance to low-income individuals.[97] The use or disclosure of CalFresh data can also be shared with other public agencies at the federal or state level to support administration of various assistance programs, as well as for audit and law enforcement purposes.[98] State rules also permit the exchange of CalFresh data to supervisors of school districts to support federally assisted programs such as the free or reduced-price school meal program. As with other programs, state regulation requires agencies that receive CalFresh applicant or recipient data to take appropriate measures to protect against its unauthorized disclosure.[99]

Key Findings – SNAP (CalFresh)

Similar to TANF, federal laws and regulations create pathways to support the use and disclosure of SNAP data to enhance coordination across public assistance programs. Federal SNAP law provides state agencies with the authority to inform low-income households of their potential eligibility for SNAP benefits, along with other helpful resources that may streamline access to the program.[100] The statute provides local agencies the ability to engage in outreach to low-income individuals who have applied, or may be considering applying for, other social service programs with similar eligibility requirements, such as TANF and Medicaid. As noted above, the statute explicitly permits the exchange of applicant household information to support the administration of other public assistance programs.[101] Many states already utilize SNAP data to support the administration of social service programs like Medicaid, which often relies on SNAP data during the eligibility and renewal process for beneficiaries.[102]

As demonstrated by California’s execution of the aforementioned Express Lane Eligibility strategy, there is no limitation on the ability of state or county welfare departments to share confidential CalFresh data with DHCS. Indeed, subsection (f) lays the groundwork by empowering CDSS to create rules that allow for local county welfare departments to provide or exchange information with agencies, public or private, that are engaged in planning, providing, or securing social services for or on behalf of recipients or applicants.[103] State regulations require recipients of CalFresh data to take “appropriate measures” to protect against unauthorized disclosure of CalFresh applicant or recipient data.[104] However, federal regulations do require that state agencies provide adequate notice to SNAP applicants that PII may be shared with other government agencies for eligibility verification services.[105] States typically fulfill this requirement by providing notice on SNAP application and recertification forms.

Medicaid[106]

Medicaid was established in 1965 under the Social Security Act and is jointly financed by state and federal governments to assist low-income families and individuals in accessing health coverage. Medicaid privacy laws are different from other public benefit programs in that most information is considered PHI rather than just PII.


Many states already utilize SNAP data to support the administration of social service programs like Medicaid, which often relies on SNAP data during the eligibility and renewal process for beneficiaries.
 

Federal Law and Guidance

Federal law permits the use or disclosure of Medicaid applicant and/or recipient information for purposes directly connected with the administration of the State Plan, among other limited activities.[107] Each state‘s Medicaid program is required to file a State Plan, which serves as an agreement between the state and the federal government outlining how the state will implement Medicaid. Federal regulations specify the purposes directly related to State plan administration, including:

  • Establishing eligibility;
  • Determining the amount of medical assistance;
  • Providing services for recipients; and
  • Conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to the administration of the plan.[108]

In addition, the federal Medicaid statute requires that state agencies enter into interagency agreements to support eligibility determinations for Medicaid under the State Plan.[109] The statute specifically refers to interagency agreements with public agencies that include, but are not limited to, TANF, WIC, SNAP, and Child Care Development Block Grants.[110]

Recognizing that Medicaid beneficiaries may also face various other public health challenges, federal agencies have in the past partnered to coordinate federal efforts to support state-level data-sharing and information systems to improve outcomes for vulnerable populations. [111] In fact, in 1998, the Health Care Financing Administration (subsequently named the Centers for Medicare & Medicaid Services [CMS] in 2001), the Health Resources and Services Administration (HRSA) and the Centers for Disease Control and Prevention (CDC) signed an interagency agreement to allow states to link data sets that would develop activities to support improvements in Medicaid and public health program design and outcomes.[112] Such efforts have paved the way for data-sharing between state public health departments and Medicaid programs to improve health outcomes of people living with HIV, among other critical public health initiatives.[113]

Of particular importance for this guide, federal law and regulations require Medicaid agencies to coordinate operations with WIC agencies, which includes providing referrals to WIC.[114],[115] The Medicaid State Plan must meet three basic requirements:

  • Coordinated operation of the Medicaid program with the state’s WIC program;
  • Timely written notice of the availability of WIC benefits to all individuals in the state who are determined eligible (including presumptively eligible) for Medicaid, and who are:
    • Pregnant women;
    • Postpartum women;
    • Breastfeeding women; and
    • Children under the age of 5.
  • Referrals for the same eligible individuals, or presumptively eligible individuals, to the local agency responsible for administering the WIC program.[116]

Medicaid agencies are also required to provide information on the WIC program throughout the year to all Medicaid beneficiaries who may meet the requirements of the program, including those found to be presumptively eligible.[117]

Medicaid information may also be shared to support other public benefit programs. For example, HIPAA’s Privacy Rule authorizes covered entities to share client PHI related to eligibility or enrollment in Medicaid to support another government agency administering a public benefit, if required or authorized by statute or regulation.[118] Additionally, the HIPAA Privacy Rule authorizes covered entities to disclose PHI to another government agency providing public benefits if the programs serve the same or similar populations and the disclosure is deemed necessary to coordinate the covered functions of such program or to improve administration and management related such functions.[119]

State Law and Guidance – California

California statute mirrors the federal Medicaid rules to require that any use or disclosure of confidential information about Medi-Cal applicants or recipients be related to the administration of the program.[120] Permissible program operations include, but are not limited to: establishing eligibility; determining the amount of medical assistance; providing services for recipients; law enforcement purposes; and auditing of the program.[121] The statute also makes clear that all Medi-Cal data that may be used to identify an applicant or recipient must be adequately safeguarded.[122]

State statute allows Medicaid agencies to develop data-sharing initiatives that disclose PHI. In particular, subsection (f) of the statute provides DHCS the authority to establish rules that authorize data-sharing with agencies, public or private, that are engaged in planning, providing, or securing such services for applicants or recipients.[123]

A California Medi-Cal regulation limits the disclosure of all individual medical records without the written consent of the beneficiary or their personal representative.[124] However, the regulation clarifies that it does not preclude the release of information between individuals or institutions providing care, fiscal intermediaries, and state or local official agencies.[125] This is consistent with the authority provided under federal and state Medicaid privacy laws that allow for the disclosure of PHI to other government agencies to support the administration of other public benefit programs.

Key Findings – Medicaid (Medi-Cal)

Opportunities exist for Medicaid agencies to share PHI with other social service agencies to support eligibility determinations and outreach while still adhering to federal and state privacy protections. As a provider of health care services, Medicaid agencies are subject to HIPAA privacy protections, meaning PHI can only be released “for the purposes of treatment, payment, and health care operations.”[126] Federal law also permits the use or disclosure of applicant and recipient data for purposes directly connected with the administration of the State Plan.[127],[128] Many State Plans include outreach and wellness programs that improve recipients’ overall health and, in turn, lower costs. With this in mind, several states have interpreted federal Medicaid and HIPAA laws as allowing for robust data-sharing agreements that provide integrated services — such as SNAP and WIC outreach and education — for Medicaid beneficiaries.[129],[130]

 CASE IN POINT

Massachusetts Supports Sharing Medicaid Data to Support WIC Outreach Services In 2006, the Massachusetts Department of Public Health’s WIC program entered into a data-sharing agreement with Massachusetts’s Office of Medicaid (MassHealth) to enhance enrollment, coordination, and collaboration across programs. In particular, the agreement provides for “targeted outreach to families who are receiving MassHealth benefits and who are eligible for WIC benefits in order to increase utilization of program services.”[131] The agencies cite authority to establish such an agreement pursuant to both WIC and Medicaid federal law, which requires coordinated operations between the two programs.

In addition, the agreement addresses HIPAA concerns by referring to regulation that allows covered entities to share information with other public benefits agencies if authorized by state law or regulation. Finally, there is reference to the state laws that provide authority under the HIPAA regulatory pathway. The agreement allows for the state Medicaid agency to share contact information — including but not limited to full name, date of birth, and address — with the Massachusetts WIC program in order to identify MassHealth members who are eligible but not yet enrolled by authorizing WIC Management Information System staff to conduct a data match for individuals identified as WIC-eligible but not enrolled in WIC. In addition, the agreement authorizes WIC staff access to Medicaid/MassHealth’s coverage portal to determine specific MassHealth coverage types and therefore presumptive eligibility for the WIC program. Once they are identified, the state WIC agency sends a postcard to the MassHealth member with information highlighting specifics on what WIC offers and mentions that “most MassHealth members who are pregnant or have children under age 5 are eligible for WIC benefits and services.” The individual is encouraged to contact a WIC office in their community, call the WIC 1-800 number, or visit the website for more information.

For streamlining eligibility determinations, federal regulations specify that purposes directly related to the administration of the State Plan may include establishing eligibility and providing services for recipients.[132] Such activities allow for data-sharing specifically within the context of providing services for recipients, such as when a Medi-Cal beneficiary is determined to be at nutritional risk by their health care provider and referred to WIC or CalFresh to receive nutritional assistance. Medi-Cal regulations provide further support for this interpretation by explicitly authorizing health agencies to exchange information between individuals or institutions providing care, and state or local office agencies.[133] However, Medicaid regulations do require state agencies to create interagency agreements in order to do so. California has made great progress toward this goal by developing the Intra-Agency Data Exchange Agreement in 2016 (described in Part II), and more can be done.

 CASE IN POINT

Connecticut Supports Data-Sharing between Medicaid and Public Health Programs In 2005, Connecticut’s Department of Public Health (DPH) entered into a data-sharing agreement with the state’s Department of Social Services (DSS), which administers Medicaid and the State Children’s Health Insurance Program (CHIP), in order to improve public health service delivery and public health outcomes for low-income populations.[134] The agreement supported data-matching between Medicaid (HUSKY Plan A), Title V Maternal and Child Health Services Block Grant, and CHIP (HUSKY Plan B). Such efforts directed DSS to conduct a match of calendar year birth records and HUSKY Plan A enrollment data to identify the births to women covered by Medicaid and enrolled in managed care during pregnancy. As stated within the agreement, the linkages between DPH and DSS data sets allowed both agencies to “evaluate access to care and quality of care for the Medicaid/non-Medicaid populations and the comparison of prenatal care utilization and pregnancy outcomes among high-risk groups.”[135] The agreement cites authority for such data-sharing activities pursuant to state and federal law. Of note, the agreement includes a commitment to developing long-term data-sharing initiatives between the two programs to improve outcomes for low-income individuals. For instance, a stated goal within the agreement is:

To implement a process that allows for joint access to critical Medicaid and public health data without duplication of effort by developing policies and protocols related to sharing relevant data; data systems planning and development; data analysis; needs assessments; and quality assurance reviews, as permitted by state and federal law; […] and to promote long-range planning as it relate to data-sharing.[136]

Women, Infants, and Children (WIC)[137]

Similar to SNAP, the WIC program is administered at the federal level by the USDA’s Food and Nutrition Service (FNS). WIC’s services are provided through federal grants to states for supplemental foods, health care referrals, and nutrition education to support nearly 7.2 million low-income women, infants, and children up to age five who are found to be at nutritional risk each year.[138]

Federal Law and Guidance

The WIC federal statute remains mostly silent on the use and disclosure of applicant and recipient information. The statute requires state WIC agencies to provide certain nutrition-education services and/or materials to individuals applying or reapplying for the program.[139] In doing so, state WIC agencies must provide individuals with written information about the Medicaid program, as well as a referral to agencies that can determine presumptive eligibility for Medicaid, if individuals are not participating in the program and appear to meet the family income requirements.[140]

Federal WIC regulations are much more prescriptive than the statue, specifying that WIC data is confidential, regardless of the original source and exclusive of previously applicable confidentiality laws.[141] FNS issued rules in 2000 and 2006 to remove barriers to coordination among programs caused by these regulatory restrictions on sharing confidential WIC recipient information.[142] The rules clarify that WIC confidentiality protections, rather than HIPAA requirements or any other federal, state or local programs’ confidentiality provisions, attach to and take precedence in protecting WIC applicant and recipient information.[143] Put simply, under most circumstances, WIC-related data is considered exempt from HIPAA and, similarly, WIC service providers are not generally considered covered entities under HIPAA.

Federal WIC regulations mandate that state agencies limit the use and disclosure of WIC data to persons directly connected with the administration or enforcement of the WIC program who the state agency determines have a “need to know” for WIC program purposes.[144] The rule also clarifies that “persons” may include, but are not limited to: personnel from its local agencies (LAs) and other WIC state or local agencies; persons under contract with the state WIC agency to perform research regarding the WIC program; and various law enforcement professionals.[145] For example, the regulations permit release forms authorizing disclosure to private physicians or other health care providers to be included as part of the WIC application or certification process, but clarify that all other requests for applicants or recipients to sign voluntary release forms must occur after the application and certification process is completed.[146] With some exceptions, participant’s consent must be obtained in order to disclose WIC-related data to any third party, or other programs and health providers.[147]

However, WIC regulations do explicitly address integration with other health and human services. In particular, federal rules require state WIC agencies to combine WIC program intake procedures with intake procedures for other health programs or services administered by state and local agencies, whenever possible.[148] Such “merging” activities may include verification procedures, certification interviews, and income computations.[149] In addition, regulation explicitly requires WIC agencies to provide applicants and recipients’ information on – and referral to – other health-related and public assistance programs, when appropriate.[150]

WIC regulations also establish guidelines for the use of confidential applicant or recipient information to support the administration of other programs that serve persons eligible for the WIC program.[151] Such activities must be in accordance with requirements laid out in regulation, which permit the use and disclosure of confidential applicant or recipient information for “non-WIC purposes” and may be broadly applied to WIC state and local agencies and public organizations.[152] The requirements include: subsection (h)(1)  which grants the Chief State Health Officer the authority to designate in writing the permitted “non WIC uses of information and the names of the organizations to which such information may be disclosed.”[153] Subsection (h)(2) requires that notice be given to WIC applicants and recipients that the Chief State Health Officer may authorize the use and disclosure of information about their participation in the program to state and local agencies as well as other public organizations that serve persons eligible for the WIC program.[154] Lastly, subsection (h)(3) requires the WIC agency to enter into a written agreement with the public organization or state agency that will be granted authority to use and disclose confidential WIC data for non-WIC purposes.[155],[156]


However, WIC regulations do explicitly address integration with other health and human services. In particular, federal rules require state WIC agencies to combine WIC program intake procedures with intake procedures for other health programs or services administered by state and local agencies, whenever possible. Such “merging” activities may include verification procedures, certification interviews, and income computations. In addition, regulation explicitly requires WIC agencies to provide applicants and recipients’ information on — and referral to — other health-related and public assistance programs, when appropriate.
 

WIC regulations further require that the written agreement must specify that the receiving organization may use confidential applicant and recipient information only for:

  • Establishing eligibility of WIC applicants or recipients for other programs the organization administers;
  • Conducting outreach to the same population for such programs;
  • Enhancing the health, education, or well-being of WIC applicants or recipients;
  • Streamlining administrative procedures in order to minimize burdens on staff, applicants, or recipients in either the receiving program or the WIC program; and
  • Assessing and evaluating the responsiveness of the state’s health system to a recipients’ health care needs and outcomes.[157]

Any agreement between the state and local WIC agency and a public organization must also include assurances that the organization will not use the information for any other purpose or share it with a third party.[158]

State Law and Guidance – California

California state law permits the CPDH to collect data to determine the need for and the continuation of a supplemental nutritional program for WIC recipients.[159] It also authorizes CDPH to establish guidelines and criteria for local agencies to use when determining eligibility.[160] The statute permits a health professional on the staff of a local WIC agency to determine if an applicant is at nutritional risk through referral data submitted by outside health professionals not on the staff of the local agency, which would require the transference of sensitive data.[161] State regulations allow for WIC employee, applicant, or recipient information to be disclosed without written consent only when:

  • Requested by a representative of CDPH/WIC, state DHCS Audits and Investigations, State Controller’s Office, USDA, and other authorized state or federal representatives designated by federal WIC regulations/statutes during normal business hours for the purpose of inspecting, auditing, and photocopying such records; and
  • Requested by another local WIC agency to verify that individual’s program eligibility and to investigate potential dual participation.[162]

Further, section IV of the WIC Policies and Procedures Manual (WPPM) states that when a local agency is part of a multi-service social service and/or health agency that provides more than WIC services, such as a hospital or a county health department, non-WIC personnel may have access to PII — but only if written consent is first obtained from the applicant or recipient.[163]

Finally, section VII outlines reporting requirements for local agency employees to adhere to when handling confidential information. Any suspected breach of the security of such confidential information must be reported the day that the loss or suspected breach of confidential information is discovered — a higher standard than under HIPAA.[164]

State regulation sets in place referral requirements as well. For example, local WIC agencies are required to provide WIC applicants and recipients with information on Medi-Cal and other health-related or public assistance programs at each certification.[165] Local agencies must also determine, during certification, if any additional programs would benefit the applicant or recipient, and provide the necessary information for accessing the service(s) — such as a description of the program’s benefits, or the specific steps required to access the program — as well as attempt to provide targeted referrals to program.[166]

Key Findings for WIC

In comparison to other public benefit programs, federal WIC laws and regulations place relatively strict limitations on the use and disclosure of confidential data without consent from the applicant or recipient. Despite these limitations, pathways exist to foster data-sharing agreements between WIC and other health and human service programs that serve similar populations.

For instance, federal WIC statute requires state and local WIC agencies to provide individuals applying or reapplying for the program information on Medicaid, as well as referral to agencies that determine eligibility for Medicaid services.[167] In doing so, the provision implicitly acknowledges that WIC applicants, recipients, and their families will benefit from expanded access to comprehensive health care services as provided through Medicaid. By requiring coordination between the two programs, federal law recognizes the value of information exchange as a useful and necessary tool to ensure eligible, and presumptively eligible, WIC families receive every opportunity to access quality health services through Medicaid. Similarly, federal and state regulation support opportunities to educate and provide referral to other public assistance programs for WIC applicants and recipients. 

As noted above, federal regulations permit state and local WIC agencies to use and disclose confidential applicant or recipient data for “non-WIC purposes” under certain circumstances.[168] They allow the use or disclosure of confidential data only when the state or local WIC agency can meet the following requirements:

  • Designate in writing from the Chief State Health Officer that data-sharing is allowed;
  • Provide notice to applicants and recipients — either at the time of application or through a subsequent notice — that clearly indicates that information about their participation in WIC may be used for non-WIC purposes;
  • Enter into a written agreement with the recipient organization; and
  • Provide in the State Plan a list of organizations with which the state has executed or intends to execute a written agreement. The written agreement must also meet certain requirements as defined in regulations.[169]  

Given the complex challenges faced by WIC recipients to meet their families’ health care needs, it would benefit state and local WIC agencies to explore the opportunities laid out in federal statutes and regulations to establish processes that connect WIC applicants or recipients to other health and human services. To meet WIC consent requirements, state or local WIC agencies may want to consider automatic opt-in procedures to lay the groundwork for future coordination with other programs that serve persons eligible for WIC. Such efforts could be used to improve outcomes for WIC recipients by streamlining access to critical supports and services including child care, health, food assistance, and workforce development, as well as other resources that may prove useful in empowering program recipients.
 

Given the complex challenges faced by WIC recipients to meet their families’ health care needs, it would benefit state and local WIC agencies to explore the opportunities laid out in federal statutes and regulations to establish processes that connect WIC applicants or recipients to other health and human services.[170],[171] To meet WIC consent requirements, state or local WIC agencies may want to consider automatic opt-in procedures to lay the groundwork for future coordination with other programs that serve persons eligible for WIC. Such efforts could be used to improve outcomes for WIC recipients by streamlining access to critical supports and services including child care, health, food assistance, and workforce development, as well as other resources that may prove useful in empowering program recipients.

While the WIC pathway toward data-sharing requires coordination at the state and local level, federal WIC regulators recognize that opportunities should exist to establish robust data-sharing agreements for non-WIC purposes, allowing local agencies to more effectively meet the needs of their clients.[172] For instance, efforts to build on the referral requirements laid out in federal and state regulation could be used to streamline application processes within other programs that would benefit the WIC applicant or recipient.[173]

 CASE IN POINT

Oregon WIC Uses Data-Sharing to Coordinate Services With Head Start Program In Oregon, the agency that governs WIC services — Oregon Health Authority (OHA) — entered into a data-sharing agreement with the Oregon Head Start Association (OHSA), a nonprofit that provides services related to the Head Start preschool education program. Founded on the grounds that both programs serve a similar population, the agreement allows for greater coordination of care between WIC and OHSA staff to ensure clients receive streamlined certification, nutrition education, home visits, and parent training, among other resources. The foundation of OHA’s MOU clarifies that WIC recipients must have signed a release to share their personal information when they first enter the program.

Further, Oregon WIC’s data-sharing agreement with OHSA provides a blueprint for ways to seek consent at the application and certification stage of enrollment.[174],[175] Of note, OHA staff ensure that WIC recipients are notified that attending an approved OHSA nutrition education class during their current WIC certification period can be used to satisfy their nutrition education requirements for the program. Thus, WIC recipients are provided an incentive to sign a release of information, while also receiving other helpful information about the benefits of the OHSA program.

Oregon’s data-sharing partnership was successful because it effectively captured client consent. By contrast, Minnesota encountered issues executing an otherwise laudable data-sharing effort.[176] In 2015, FNS conducted a Management Evaluation of Minnesota Department of Health’s WIC program and found that the agency was not in compliance with data privacy requirements. In particular, FNS found that Minnesota’s WIC program had shared recipient names and contact information with the state’s Child and Teen Check-up program, which is administered by the same agency, without first obtaining written consent from the WIC recipient, parent, or guardian.[177] As stated above, federal regulations require that a recipient’s consent must be obtained in order to release WIC to any third party, even when sharing with other programs and health providers within the same agency.

PART IV: Recommendations

Data-sharing capabilities are within reach for government entities. While appropriate measures must be taken to ensure the safe and secure exchange of information, the benefits of establishing robust integrated data systems are significant. SIS has compiled a list of general practices for government entities and other relevant stakeholders to consider when exploring opportunities to leverage social service data for good.

Best Practices to Leverage Social Service Data for Good

  • Clearly Define the Purpose: As discussed throughout this guide, the ability to adequately frame the problem and/or purpose for desired data-sharing activities is integral toward developing effective and secure data-sharing agreements. Such efforts should also identify the key data elements necessary to complete the project.
  • Conduct a Survey of the Landscape: Cataloging data-sharing initiatives within a state can inform future endeavors by deepening stakeholder knowledge as to what agreements are currently in place and the data types that are already being shared. Such an exercise can reveal opportunities to build upon or replicate certain provisions within existing agreements.[178]
  • Commit the Resources: Dedicate resources that match the complexity and reach of the proposed data-sharing agreement. Such resources may include staff time, technical assistance, adequate training in data management, investments in IT infrastructure and security, etc.
  • Build Consensus: Reach consensus among relevant stakeholders — such as government agencies, public and private entities, etc. — by engaging in open dialogue to discuss data-related challenges, programmatic goals, data accessibility and standardization, as well as best practices.
  • Maintain Cross-Agency Coordination: Formalize and facilitate regular communication between relevant staff by identifying “data-sharing liaisons” to support the effective exchange of information and subsequent analysis as defined within the data-sharing agreement.
  • Identify Leadership: Government agencies need data-sharing champions, with the power to commit adequate resources, to support strong agreements with sister agencies that are built around coordination, transparency, and accountability.
  • Establish Legal Parameters: Efforts should be made to include an entity’s legal counsel early on to ensure that the proposed agreement and its stated goals adequately address federal and state rules related to data privacy and protection, etc.
  • Standardize Processes: Develop and implement an agency-wide data governance model that supports a systematic approach toward tracking all external and internal data-sharing activities to establish cohesive authority, conflict resolution procedures, management, and decision-making processes.[179]
  • Track Outcomes/Value: Consider short- and long-term benefits of data-sharing by developing metrics to measure outcomes of data-sharing activities to determine business value, cost savings, enrollment, etc.
  • Develop a Resource Hub: Many government agencies have cited limited resources (or expertise) as a key constraint to data-sharing.[180] State administrators could collaborate to create a statewide, web-based “data-sharing hub” for the purpose of compiling and disseminating materials and/or resources to educate and assist relevant stakeholders in their ability to establish safe, secure, and cost-effective data-sharing agreements that support low-income individuals and families while adhering to confidentiality requirements.
    • In California, CHHS has developed a web-based “Data Playbook” that provides numerous materials to support intra-agency data-sharing efforts including toolkits, training resources, etc.
  • Create a Checklist: Ensuring adequate safeguards is a key component toward sharing sensitive client data. State administrators may consider producing checklists to serve as a guide for stakeholders on key data privacy and security requirements for outside entities, such as agency staff, state contractors, or other state agencies that seek to leverage PII and/or PHI within these respective programs. For instance, the checklist may clarify that proposed agreements must outline appropriate technical, physical, and administrative safeguards to protect PII/PHI, among other general requirements.
    • In Colorado, the Department of Education has created a checklist to inform their staffs’ ability to develop and review data-sharing agreements involving the disclosure of PII to outside entities. [181]
  • Expand Data-Matching Strategies: Some states have interpreted federal and state law to support data-matching across programs that serve similar populations (e.g. Medicaid and WIC) to engage in targeted outreach and referral processes.
    • In Massachusetts, state administrators have leveraged HIPAA pathways to authorize Medicaid agencies to use and disclose PHI to support data-matching with local WIC agencies to reach families that are WIC eligible but unenrolled.
  • Utilize Public Health Nexus: Identify opportunities to leverage consumer data across programs within the context of providing services to recipients— such as SNAP and WIC outreach and referral — for Medicaid recipients determined to be at nutritional risk by their health care provider.
  • Formalize Referral Processes: Federal and state laws support varied levels of coordination among social service agencies. In order to maximize referral processes, state administrators may consider issuing guidance that clearly defines what information may be shared within a program referral, or in what fashion a referral may be transferred, and to what end. Such information may help to facilitate state or local agency efforts to enroll eligible but unenrolled recipients in other programs more effectively through smart, secure, and robust referral processes.
  • Establish Consent: Develop educational materials and training for assisters to aid their ability to inform applicants or recipients of other programs for which they may be eligible. Such training should also support assisters’ ability to obtain consent from applicants or recipients during the application and recertification processes. In addition, administrators may explore opportunities to leverage automatic opt-in processes with proper notification provided to the applicant or recipient.

Conclusion

Despite the gradual shift to embrace information exchange among government agencies, more work can be done. When executed in a responsible and purposeful way, data-sharing has the ability to maximize efficiencies and address critical social determinants of health using limited resources to target eligible but unenrolled individuals to bolster cross-enrollment, or linkages, between social services programs. In addition, efforts to support thoughtful, secure data sharing across agencies can lay the groundwork for targeted outreach and education, and ensure low-income individuals and families are made aware of and can receive the full array of supports for which they qualify.

The ability for government to effectively provide person-centered, comprehensive services will require a shift at the federal, state, and local-levels to embrace concepts that harness the power of data. There are many lessons to be learned from federal and state agencies that have already engaged in data-sharing to improve outcomes for beneficiaries. Examples from across the country have shown the many shared benefits of harnessing data for good to support eligibility and enrollment procedures, cost efficiency, program evaluation, and informed decision-making. In order to fully realize the potential of data-sharing, state administrators will need to grapple with the legal and cultural issues associated with confidentiality and privacy protections which have often served as a major roadblock to information exchange. Once on solid footing, administrators can begin the process of removing the silos built around consumer data to create a government that is better equipped to meet the unique needs of individuals and families.

Khaliyl N. Lane is a Senior Policy Analyst on Social Interest Solutions’ Strategy and Innovation Team, where he combines both lived experience and in-depth policy expertise to improve beneficiaries’ experience within health and human service programs. In this role, Khaliyl provides policy analysis, research and technical assistance to develop human-centered solutions and thought leadership at the intersection between policy and technology. He is the primary author of SIS’s data-sharing guide, which addresses a variety of health and human services programs, including Medicaid, SNAP, Child Welfare, among other programs.

About Social Interest Solutions
Social Interest Solutions (SIS) is a national nonprofit dedicated to improving access to quality health and social services through policy and technology solutions. We work with federal, state, and local agencies, service providers, community-based organizations, and researchers to better connect millions of low-income Americans to health care, nutrition, and other programs.

[1] “Interactive: Linkages Across Public Benefit Programs Offer Opportunities for Streamlining,” Center on Budget and Policy Priorities and Social Interest Solutions, November 2017. Available at https://www.cbpp.org/research/poverty-and-inequality/interactive-linkages-across-public-benefit-programs-offer

[2] “Opportunities to Streamline Enrollment Across Public Benefit Programs, Center on Budget and Policy Priorities and Social Interest Solutions,” November 2017. Available at https://www.alluma.org/opportunities-streamline-enrollment-across-public-benefit-programs

[3] “Big Data: Seizing Opportunities, Preserving Values,” Executive Office of the President (May 2014). Available at https://obamawhitehouse.archives.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf

[4] “Facilitating Medicaid and CHIP Enrollment and Renewal in 2014” Department of Health & Human Services (May 17, 2013). Available at: https://www.medicaid.gov/federal-policy-guidance/downloads/sho-13-003.pdf

[5] “Opportunities for States to Coordinate Medicaid and SNAP Renewals,” Center on Budget and Policy Priorities (February 2016). Available at: https://www.cbpp.org/research/health/opportunities-for-states-to-coordinate-medicaid-and-snap-renewals

[6] “Status of State Efforts to Integrate Health and Human Service Systems and Data,” Office of the Assistant Secretary for Planning and Evaluation, U.S. Department of Health and Human Services (2016). Available at: https://aspe.hhs.gov/system/files/pdf/255411/StateHHSSystems.pdf

[7] “IDS Case Study: Allegheny County’s Data Warehouse: Leveraging Data to Enhance Human Service Programs and Policies,” Actionable Intelligence for Social Policy (AISP), University of Pennsylvania. Kitzmiller, Erika M. (2013). Available at: https://www.aisp.upenn.edu/wp-content/uploads/2015/08/AlleghenyCounty-_CaseStudy.pdf

[8] Where We Work: Seniors and SNAP, Benefits Data Trust (2019). Available at: https://bdtrust.org/where-we-work/; https://bdtrust.org/seniors-and-snap/

[9] Public Law 104-191

[10] “Health Information Privacy: Methods for De-identification of PHI,” U.S. Dept. of Health & Human Services (2015) Available at https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#top

[11] Rules and Policies: Protecting PII – Privacy Act, Government Services Administration (10/31/2014). Available at: https://www.gsa.gov/reference/gsa-privacy-program/rules-and-policies-protecting-pii-privacy-act

[12] “Health Information Privacy: Covered Entities and Business Associates,” U.S. Dept. of Health & Human Services (2017). Available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

[13] 45 C.F.R. §160.103 (1)-(3)

[14] “Health Information Privacy: Summary of the HIPAA Privacy Rule,” U.S. Dept. of Health & Human Services (2013). Available at https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?language=es

[15] 45 C.F.R Part 164, Subpart E

[16] 45 C.F.R. §164.502(b)

[17] 45 C.F.R § 164.514(e)

[18] 45 C.F.R §164.520(a)(1)

[19] 45 C.F.R §164.502(e)(1)(i)

[20] 45 C.F.R §164.530(i) and (j)

[21] 45 C.F.R §164.530(b)

[22] 45 C.F.R §164.530(a)

[23] 45 C.F.R §160 and Subparts A and C of §164. 

[24] 45 C.F.R §164.306(a)

[25] 45 C.F.R. § 164.316.

[26] 45 C.F.R §164.306(a)

[27] 45 C.F.R §164.506

[28] In 2013, HHS issued guidance on the Uses and Disclosures for Treatment, Payment, and Health Care Operations under HIPAA. That guidance can be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html

[29] The Breach Notification Rule, issued in 2013; requires covered entities to notify when there is a breach of unsecured PHI. The Breach Rule directs entities to notify affected individuals, the Secretary of Health and Human Services (HHS), and, under certain circumstances, the media within specified periods of time in the event of a health data breach.

[30] Privacy Act of 1974, 5 U.S.C. §552a.

[31] 5 U.S.C. §522a (a)(7)

[32] 20 U.S.C. §1232g; 34 C.F.R § 99

[33] 34 C.F.R §99.3

[34] 42 U.S.C. §290dd-2

[35] 42 C.F.R §2.2(a)

[36] Most drug and alcohol treatment programs are federally-assisted. In 2012, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued guidance that summarizes the application of Substance Abuse Confidentiality Regulations to Behavioral Health Primary Care Providers. That guidance can be found at https://www.integration.samhsa.gov/March_2012_-_42_CFR.ppt

[37] Most substance abuse treatment programs are also subject to the HIPAA Privacy Rule. In 2004, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued guidance that summarizes variance between the two Rules and implementation solutions. That guidance can be found at http://www.hipaa.samhsa.gov/download2/SAMHSAPart2-HIPAAComparison2004.pdf.

[38] California (CA) Civil Code § 56 et seq.

[39] CA Civil Code §56.10-56.16

[40] CA Civil Code §56.10 (c)         

[41] CA Civil Code § 56.06 (b)        

[42] CA Civil Code §§ 56.35 – 56.37

[43] CA Civil Code §§ 1798-1798.78

[44] CA. Civil Code §1798.3

[45] CA. Civil Code §1798.24 [emphasis added]

[46] Affordable Care Act Guidance: Medi-Cal Eligibility Division Information letter No.: I 14-02, California Department of Health Care Services (January 9, 2014). Available at: https://www.dhcs.ca.gov/services/medi-cal/eligibility/Documents/MEDIL/2014/I14-02.pdf

[47] SAM -Information Security: Office of Information Security, California Department of General Services (2013). Available at: http://www.documents.dgs.ca.gov/sam/SamPrint/new/sam_master/Sam_master_File/chap5300/5300.pdf

[48] “Limiting Use and Disclosure: State Administrative Manual, Office of Administrative Security,” (2014). Available at http://www.documents.dgs.ca.gov/sam/SamPrint/new/sam_master/sam_master_File/chap5300/5310.3.pdf

[49] Id.

[50] Data Playbook: CHHS Data Sharing Legal Agreement: State of California, CHHS (2016). Available at https://github.com/chhsdata/dataplaybook/raw/gh-pages/documents/datasharing/CHHS%20Data%20Sharing%20-%20Legal%20Agreement.pdf

[51] CHHS Data Sharing Framework: CHHS Data Playbook (N/A). Available at: https://chhsdata.github.io/dataplaybook/resource_library/#datasharing

[52] 42 U.S.C. §601et. seq.

[53] “Programs for Families & Children: What is TANF,” HHS (2012). Available at: https://www.hhs.gov/answers/programs-for-families-and-children/what-is-tanf/index.html

[54] 42 U.S.C. §611

[55] 42 U.S.C. §611(a)(d)(1)(A)

[56] 42 U.S.C. §602 (a)(1)(A)(iv)

[57] Office of Family Assistance: Data Sharing Between TANF and Child Welfare Agencies, ACF (2015). Available at: https://www.acf.hhs.gov/ofa/resource/tanf-acf-im-2015-02-data-sharing-between-tanf-and-child-welfare-agencies

[58] Office of Family Assistance, Ibid.

[59] Office of Family Assistance, Ibid.

[60] 42 C.F.R §205.50(a)(1)(i)(A)-(G)

[61] CA W&IC §10850 et. seq.

[62] CDSS and DHCS, pursuant to WIC, Division 9, § 10000 et seq., are responsible for the administration and delivery of public social services.

[63] CA W&IC §10051 defines “public social services” as those activities and functions of state and local government administered or supervised by the department or the State Department of Health Services and involved in providing aid or services or both, including health care services and medical assistance, to those people of the state who, because of their economic circumstances or social condition, are in need thereof and may benefit thereby.

[64] CA W&IC §10850.5 (b)

[65] CA W&IC §10850.5(d)

[66] CA W&IC §10850.5

[67] CA W&IC §10850 and the federal Privacy Act of 1974.

[68] CA W&IC §10850(f). The law also allows for the use and disclosure of non-identifiable data for research purposes.

[69] CA W&IC §11525. Also represents state law that supports research for TANF-specific purposes. Specifically, it requires CDSS establish procedures to provide access to information on CalWORKS families to counties and researchers to support ongoing monitoring, research, and evaluation of the program. However, the provision mandates that CDSS ensure that the information identifiable to individuals and families is removed to maintain strict confidentiality. Other research-related data disclosures include sharing CalWORKS information with a university center for the purposes of linking the data with other appropriate data to evaluate the impact of the program. The provision again stresses that CDSS must ensure that information identifiable to individuals and families is removed to maintain confidentiality. 

[70] CA W&IC §10850(j)(1)

[71] Office of Senate Floor Analyses (September 2013), citing Santa Clara County Board of Supervisors. Available at http://leginfo.legislature.ca.gov/faces/billAnalysisClient.xhtml?bill_id=201320140SB346#

[72] Id.

[73] Id.

[74] MPP §19-004.11.

[75] MPP §19-004.312

[76] MPP §19-004.2

[77] CDSS’ Manual of Policies and Procedures (MPP) §19-004.6 authorizes the disclosure of confidential information concerning CalWORKs families to support the administration of federally-assisted programs, such as free or reduced-price school meals.

[78] MPP §19-008. CalWORKS regulation specifies that the purpose of public assistance and social service records is to evidence eligibility and delivery of public social services. The applicant’s or recipient’s record should only contain facts relevant to his or her case.

[79] Global Memorandum of Understanding: Child Welfare Services, CDSS (2015). Available at http://www.cdss.ca.gov/pdf/GlobalDataSharingAgreement.pdf

[80] Id.

[81] Id.

[82] 7 U.S.C. §2011 et seq.

[83] A Closer Look at Who Benefits from SNAP: State-by-State Fact Sheets, Center on Budget and Policy Priorities (2018). Available at https://www.cbpp.org/research/a-closer-look-at-who-benefits-from-snap-state-by-state-fact-sheets

[84] 7 U.S.C. § 2020(v)(1)

[85] Request for Information: SNAP Data Exchange Standardization, USDA (2016). Available at https://www.fns.usda.gov/snap/fr-052516

[86] 7 U.S.C § 2020(e)(8)(A)(i)

[87] 7 U.S.C § 2020(e)(1)(A)

[88] 7 C.F.R §272.8 (a)(4)

[89] 7 C.F.R §272.1(c)(2)

[90] 7 C.F.R. § 272.1(c)(1)

[91] Id.

[92] 7 C.F.R §273.2(j)(2)

[93] 7 C.F.R §272.8 (a)(2)

[94] CA W&IC §10850 et. seq. [Emphasis added]

[95] MPP §19-001 et seq.

[96] MPP §63-201.3 et seq.

[97] Id.

[98] MPP §63-201.311 – 316 et seq.

[99] MPP §63.201.34

[100] 7 U.S.C. §2020(e)(1)(A)(B) … “the State agency shall: at the option of the State agency, inform low-income households about the availability, eligibility requirements, application procedures, and benefits of the supplemental nutrition assistance program; and comply with regulations of the Secretary requiring the use of appropriate bilingual personnel and printed material in the administration of the program in those portions of political subdivisions in the State in which a substantial number of members of low-income households speak a language other than English.”

[101] 7 U.S.C §2020(8)(A)(i)(ii)

[102] Opportunities to Streamline Enrollment Across Public Benefit Programs: Poverty and Inequality, Center on Budget and Policy Priorities (November 2017). Available at https://www.cbpp.org/research/poverty-and-inequality/opportunities-to-streamline-enrollment-across-public-benefit

[103] CA W&IC §10850(f)

[104] MPP §63.201.34

[105] 7 C.F.R. 273.2 (b)(4)

[106] 42 U.S.C. §1396 et seq.

[107] 42 U.S.C. 1396a (a)(7)(A)(i) – (ii)

[108] 42 C.F.R. § 431.302

[109] 42 U.S.C § 1396a (e)(13)(F)(i)(IV)

[110] 42 U.S.C. 1396a (e)(13)(F)(ii) (I)

[111] Facilitating Collaborations for Data Sharing Between State Medicaid and Health Agencies: State Health Officers, HCFA (N/A). Available at https://www.medicaid.gov/Federal-Policy-Guidance/downloads/SMD102298.pdf

[112] Id.

[113] How States Use Medicaid and State Health Department Data to Improve Health Outcomes of People Living with HIV: National Academy for State Health Policy, Available at: https://www.hiv.gov/federal-response/policies-issues/affinity

[114] 42 U.S.C. § 1396a(a)(11)(c)

[115] 42 C.F.R. §431.635(c)(1)

[116] 42 C.F.R. § 431.635(c)(1)-(3)

[117] Id.

[118] 45 C.F.R 164.512(k)(6)(i)-(ii)

[119] Id. [emphasis added]

[120] CA. W&IC §14100.2 (a)

[121] CA W&IC §14100.2 (c)

[122] CA. W&IC §14100.2 (b)

[123] CA W&IC §14100.2 (f)

[124] 22 C.C.R. §51009 [Confidential Nature of Records]

[125] Id.

[126] 45 C.F.R. §164.501

[127] 42 U.S.C 1396a(a)(7)(A)(i)-(ii)

[128] The provision also explicitly establishes a direct linkage to allow for the exchange of information necessary to determine eligibility for free or reduced-price school meals

[129] Where We Work: Seniors and SNAP, Benefits Data Trust (2019). Available at: https://bdtrust.org/where-we-work/; https://bdtrust.org/seniors-and-snap/

[130] Memorandum of Understanding: State of Massachusetts Department of Public Health and Office of Medicaid MassHealth Program (2006). Available at https://drive.google.com/file/d/18Hprzm3TYCEjeHumhIUj0k3yfc2yv-F9/view?usp=sharing

[131] Memorandum of Understanding: State of Massachusetts Department of Public Health and Office of Medicaid MassHealth Program (2006). Available at https://drive.google.com/file/d/18Hprzm3TYCEjeHumhIUj0k3yfc2yv-F9/view?usp=sharing

[132] 42 C.F.R. § 431.302

[133] 22 C.C.R. §51009

[134] Memorandum of Understanding: State of Connecticut DPH and DSS (2005) Available at: https://drive.google.com/file/d/1fz6wEjf79Mk6mYwQaj6VJvhWI8gi629b/view?usp=sharing

[135] Id.

[136] Id.

[137] 42 U.S.C. §1786

[138] WIC: Frequently Asked Questions about WIC; USDA (April 2018). Available at https://www.fns.usda.gov/wic/frequently-asked-questions-about-wic

[139] 42 U.S.C. §1786 (e)(4)(B)

[140] Id.

[141] 7 C.F.R. § 246.26 (d)

[142] 7 C.F.R 246 (d)(1)(i) – See 71 Federal Register 56707 for further background.

[143] Id.

[144] 7 C.F.R §246.26 (d)(1) – See preamble from 71 FR 56707, which amended the regulation to clarify that WIC data is not subject to HIPAA. [Emphasis added]

[145] Id.

[146] 7 C.F.R §246.26 (d)(4)

[147] Id.

[148] 7 C.F.R. §246.7(a)

[149] Id.

[150] 7 C.F.R. §246.7(b)

[151] 7 C.F.R §246.26 (d)(2)

[152] 7 C.F.R §246.26 (h)(1)-(3)

[153] Id.

[154] Id. [Emphasis added]

[155] Id.

[156] Subsection (h)(3) also requires the State WIC agency or its local agencies include in its State Plan, a list of all public organizations or government agencies with which the WIC agency or its local agencies has executed or intends to execute a written agreement.

[157] 7 C.F.R. §246.26 (h)(3)(i) (A) – (E) [Emphasis added]

[158] 7 C.F.R §246.26 (h)(3)(ii)

[159] CA Health & Safety Code §123305

[160] CA Health & Safety Code §123290(g)(1)

[161] CA Health & Safety Code §123290(g)(2)

[162] WIC Policies and Procedures Manual (WPPM) #120-10

[163] Id.

[164] Id.

[165] WPPM #700-02

[166] Id.          

[167] 42 U.S.C. §1786 (e)(4)(B)

[168] 7 CFR §246.26 (h)(1)-(3)

[169] 7 CFR §246.26(h)(3)(i)(A) – (E)

[170] 42 U.S.C. §1786 (e)(4)(B) (C)

[171] 7 CFR §246.26 (h)(1)-(3)

[172] Id.

[173] WPPM #700-02

[174] Working together to better serve our shared families: WIC & Head Start Collaboration, OHA (2017). Available at: https://www.oregon.gov/oha/PH/HEALTHYPEOPLEFAMILIES/WIC/Documents/collaborate/wic-collaborate-head-start.docx

[175] WIC/ Head Start Mutual Agreement: County Health Department WIC, OHA (N/A). Available at: https://www.oregon.gov/oha/PH/HEALTHYPEOPLEFAMILIES/WIC/Documents/collaborate/head-start-mou-1.doc

[176] WIC Data Privacy Memo Revised: Betsy Clarke, WIC Director at the Minnesota Department of Health (2016). Available at https://www.health.state.mn.us/docs/people/wic/localagency/wedupdate/moyr/2016/topic/dataprivacy.pdf

[177] Id.

[178] How States Use Medicaid and State Health Department Data to Improve Health Outcomes of People Living with HIV: National Academy for State Health Policy, Available at: https://www.hiv.gov/federal-response/policies-issues/affinity

[179] Computer Science Resource Center: Data Governance, National Institute of Standards and Technology (N/A). Available at: https://csrc.nist.gov/glossary/term/data-governance

[180] The State of Data Sharing at the U.S. Department of Health and Human Services: Office of the Chief Technology Officer (Sept. 2018). Available at: https://www.hhs.gov/sites/default/files/HHS_StateofDataSharing_0915.pdf

[181] Colorado Department of Education: Checklist for Data Sharing Agreements (April 2014). Available at: http://www.cde.state.co.us/sites/default/files/CDE%20Checklist%20for%20Data%20Sharing%20Agreements%20%284.15.14%29.pdf