Guidelines and Tools
Click here to download a PDF of this section. To download tools for category two, click the folder below. You can use the menu below to jump to each section of the guidelines.
JUMP TO A SECTION:
- 2A. Create the foundation.
- 2B. Identify key decision points that may require information sharing and map out the information flow between each point.
- 2C. Identify what laws and policies govern information sharing at each decision point. This effort should take into account federal and state law, any federal and state regulations, and local policy memoranda.
- 2D. Develop any needed law and policy for effective sharing of case information among the involved agencies.
- 2E. Develop the protections for the information that is to be shared.
- 2F. Develop accessible processes and procedures for youths and/or their parents/legal guardians, in accordance with applicable law, to review information that is collected about them and that may be disclosed. Provide them with the procedures and opportunity to approve and/or amend their information.
- 2G. Identify the information sharing systems and their current capacities.
- 2H. Develop protocols for the operation of information sharing agreements, practitioner’s guides, authorization to release forms, and any other tools for case information sharing.
- 2I. Seek approval of any drafted tools such as information sharing agreements, practitioner’s guides, and authorization to release of information forms from the participating agencies and their legal counsels.
2A. CREATE THE FOUNDATION
Establish the infrastructure for organization and governance
A collaborative entity representative of all the agencies involved in information sharing, as well as youth and their families, should govern the development of effective information sharing. This should be a group whose membership possesses the authority to direct the development and approval of information sharing policy, products, and activities.
This Collaborative entity should be identified or developed at a state or local level, or it could be a state-local hybrid, depending on what jurisdiction the information sharing development encompasses. It may be that an existing collaborative entity can effectively serve this purpose. For example, in Louisiana there are state mandated local Children and Youth Planning Boards on which nearly all of the involved agencies sit and whose goals imply the need for effective information sharing across agencies. In Illinois, it could be the Juvenile Justice Council; in Washington, it could be the King County Collaborative (known as Uniting for Youth) at a local level or the Administrative Office of the Courts at a state level.
To carry out specific information sharing efforts, sites should develop a team or committee representative of the involved agencies and youth and their families. This group can establish the goals of the effort, identify the questions that need to be answered, and review existing information sharing protocols. It is also important to determine which entity, agency, or person will be responsible for leading each information sharing development effort. For example, if a particular product is going to be developed – such as an information sharing guide – one of the participating entities should be designated to bring the group together, keep them on task to meet deadlines for the development of e product, and provide auspices for the product to be disseminated and updated periodically.
Identify the goals for data collection and sharing for program evaluation and/or performance measurement
It is critical to carefully identify information sharing goals to direct the development of specific policies as well as specific products. Agencies within jurisdictions should first come to agreement as to why they are working on information sharing rather than moving too quickly to develop a product.
For example, a group of agencies could spend time on the development of an authorization to release form or an information sharing agreement without first considering why they need to share information, at what points, and to achieve what purposes. This can result in unnecessary information sharing beyond what is “need to know.”
Goals can be tied to the desired outcomes for youth who the agencies are serving. Thus, for example, the collaborative may want to share information to divert more youth from juvenile justice system involvement, or increase school attendance for youth on probation. Defining a goal in these terms will help the collaborative come to agreement on what information each partner needs to help youth achieve these outcomes.
Review existing federal and state laws
While there will be legal and policy analyses specific to particular information sharing efforts, a jurisdiction should set out the basic statutory framework of federal and state laws on confidentiality and information sharing along with corresponding policies. This should be accomplished by establishing a committee comprised of policy and program personnel from each of the participating agencies and their legal counsel, as well as representatives of children and families in the juvenile justice system. The statutory and policy framework should identify the opportunities and prohibitions that exist to sharing information regarding youth and families served by multiple systems.
This committee may identify the gaps in a state’s existing statutory and policy framework for information sharing and identify what legislation, policies, and protocols will need to be developed in order to share information across agencies to ensure coordinated case planning. It may also act as a body to approve proposed legislation, policies, and protocol. It is important that members of the committee possess the authority to act on behalf of their agencies as they either develop legislation, policies, and protocol or approve recommendations for the same.
The committee must possess the expertise to tackle the various issues regarding information sharing that go beyond the basic statutory compilation as it develops legislation, policies, and protocol. Such issues include protection of the privacy interests of juveniles and their families; whether public safety is taken into account in decisions to share information; what historical problems have existed between agencies seeking information from one another; whether policies are written clearly and accurately to reflect the statutory framework within which information sharing takes place; whether policies and protocol have been carefully explained and promoted to staff; and whether parents, family members, and caretakers are well-informed regarding their privacy rights and their decision to authorize or not authorize the release of confidential information.
Assess the readiness of information technology systems to support the project
Personally identifiable information of youth and families is often stored electronically and shared and disseminated through electronic media. In support of information sharing development efforts, sites should identify who in each participating agency will be responsible for the access to, development of, and security of information for the information sharing collaborative. These individuals should either sit on committees or teams dedicated to the development of particular information sharing efforts or develop a means of communication to each agency apprised of the efforts.
As part of the information sharing analysis and planning process an assessment should be conducted on all the participating agencies’ information sharing systems and system infrastructure. The assessment should include inventorying and identifying databases, operating systems, networks, software modeling tools and enterprise architecture tools used by the agencies. Once the assessment is completed, the information should serve as a baseline for designing an information sharing strategy for the collaborative while identifying what information or categories of information each of the participating agencies collect. It also reveals data redundancies and gaps in the collection of information. 
Security requirements tied to data security and privacy laws must be included in the technical and business requirements. After assessing the threats to privacy and security, the collaborative can determine appropriate and effective safeguards to address those risks. Administrative safeguards may include security clearance and pass codes, prohibiting attachment of unauthorized hardware to the system, and audits. 
Provide the training
Each site should provide training on law, policy, and protocol to all personnel involved in information sharing. Training for all involved in any of the information sharing development or implementation efforts will assure the efforts’ success. This training should include purpose, benefits, expected outcomes, policies, protocols and technical training on the systems that will be used to provide information electronically. It should be provided both in the individual participating agencies and in cross agency training sessions, as appropriate. Training curricula should be developed in formats that are easily accessible for new personnel and can be readily updated as required.
2B. IDENTIFY ALL KEY DECISION POINTS THAT MAY REQUIRE THE SHARING OF INFORMATION AND MAP OUT THE DESIRED FLOW OF INFORMATION FROM ONE POINT TO THE NEXT.
Developing a project that involves the sharing of personally- identifiable information is best done by first examining discrete decision points in the juvenile court process and determining current and desired information flows. This is a critical exercise for several reasons. Different laws govern what information may be shared and with whom at various points in the juvenile court process, and all stakeholders must have a clear understanding of the legal requirements. Such an exercise prompts a valuable discussion between stakeholders as to what information needs to be, and doesn’t need to be, shared at various points, so that they can develop a consensus on what it means to share information on a “need-to-know-basis.”
The Map of Juvenile Justice Process is a visual aid in thinking about the discrete points in the juvenile court process where an important decision is made regarding the youth. The map is divided into three major areas – Investigation/Intake, Adjudication, and Disposition. It is not intended to represent an accurate picture of every jurisdiction’s juvenile process; the user may have to make modifications to reflect local variations.
Similarly, the Map of the Child Welfare System Process shows the key decision points in cases of suspected child abuse and neglect. It specifically shows the flow from the initial referral, through investigation, and the court process, leading to findings and ultimately placement and/or services for the child and family.
When used in conjunction with the other materials, these will enable a discussion of the types of information that are used at each decision point, barriers or prohibitions in disclosing or using certain types of information, and the different legal rules.
Once determining the key decision points for information sharing, groups can assess the flow of information to better understand why information is being requested at each key decision point. The Decision Point Legal Analysis Worksheets are designed to lead the users through a legal analysis exercise that will be the foundation for their information sharing project. Specifically, the tool will assist users in identifying decision points in the juvenile justice process where information can be shared in their jurisdiction, and identify the federal and state laws that govern the flow and use of that information. For that reason, this exercise is best done by a group of stakeholders familiar not only with the juvenile justice process but other systems, including child welfare, education, and the courts.
The Worksheet also allows stakeholders to identify and develop an implementation plan for any needed changes in law, policy or practice to ensure compliance with governing laws regarding disclosure of information and to protect the rights of youth. And it lays the foundation for developing an interagency memorandum of understanding (MOU).
To aid in completing the worksheets, refer to the Map of the Juvenile Justice Process, which identifies the key decision points in three discrete phases of the juvenile court process – Investigation/Intake, Adjudication, and Disposition. The Worksheets provide prompts to facilitate discussion at each of these stages.
The questions under “Flow of Information” prompt the users to describe what types of information the decision-maker at the particular point in the process will want to obtain.
- Who has the information?
- Who wants the information?
- What specific information does the requestor want?
- What does the requestor want to do with the information?
These preliminary questions are critical in enabling stakeholders to understand what types of information might be useful (if available) at different points in the juvenile process, and how they information may be used.
2C. IDENTIFY WHAT LAWS AND POLICIES GOVERN THE SHARING OF INFORMATION AT EACH DECISION POINT. THIS EFFORT SHOULD TAKE INTO ACCOUNT FEDERAL AND STATE LAW, ANY FEDERAL AND STATE REGULATIONS, AND LOCAL POLICY MEMORANDA REGARDING INFORMATION SHARING.
This process includes the following five (5) steps:
Review the Category One Federal Law Overview
Refer to the Category One Federal Law Overview to ensure an understanding of the federal laws that govern information and records in your jurisdiction.
Review the Template for Narrative Legal Analysis to analyze state laws
The Template for Narrative Analysis of Legal Requirements for Information Sharing may be used to organize a summary analysis of the law on information sharing for your particular jurisdiction. In the Narrative, the reader will be prompted to provide information regarding the jurisdiction’s treatment of records related to youth in the juvenile justice and child welfare systems. This includes law enforcement records, detention records, intake records, court records, behavioral and physical health records, and education records. The narrative’s length obviously may vary: Some jurisdictions may prefer summary statements of law, while others may want considerably more detail in the narrative. Regardless, the narrative is an important tool for describing in one place the “state of the law” for the particular jurisdiction.
When conducting legal analysis on state confidentiality laws, consider the threshold questions: what specific information do you wish to share and for what purpose; and what key decisions points do you intend to share or exchange information; who will have access to the information that is shared; and how will you protect against improper disclosure of information?
A stakeholder group in Miami, Florida collaborated to undertake an examination of federal and state laws and regulations governing the sharing of information about youth. The group included the private child welfare agency Our Kids – Miami-Dade-Monroe Counties, Inc., and information technology personnel and legal counsel from various youth serving agencies. Over the course of several working sessions, the group identified the specific data and information elements to be shared; at what key decision points the information and data will be shared; with whom it would be shared; and protections against further disclosure. The resulting Florida Legal Justification Grid supports the proper and lawful exchange and sharing of relevant information and data.
Utilize a matrix to organize laws and policies across agencies to pinpoint the circumstances under which information mapped in the desired flow may or may not be shared
The Decision Point Legal Analysis Worksheet can be utilized to help create this matrix. As described in Guideline 1B, the Decision Point Legal Analysis Worksheet first takes users through an exercise in which they can identify key decision points in the juvenile justice process. The worksheet then prompts users to identify the applicable laws governing the flow of information at each decision point.
Specifically, the worksheet prompts users to answer the following information with respect to current or desired information sharing at each decision point:
- What federal and state laws pertain?
- What does each law permit/prohibit?
- What are the legal requirements for information sharing? (e.g., is a signed consent needed? Or a court order? Or does this disclosure fall within an exception to consent?)
Examples of such matrices are found in publications by two counties in Washington state: the King County Resource Guide: Information Sharing (Second Edition) and the Clark County Information Sharing Guide.
The National Juvenile Information Sharing Initiative (NJISI) developed a legal matrix and data exchange spreadsheet for the states of Colorado and Hawaii, respectively. The matrix and spreadsheet provided the collaborative within each of the jurisdictions with the capacity to identify the: (1) data and information that needed to be shared or exchanged between agencies during a specific event or incident in the juvenile justice process; and (2) laws and rules that governed how the information should be shared.
NJISI’s project team reviewed each jurisdiction’s juvenile justice and information sharing processes and engaged a legal expert to review state and federal laws that governed the information within that jurisdiction. The legal expert also determined any time constraints within the statutes for sharing the information so that this information could be incorporated into the spreadsheet. The NJISI project team and collaborative members then walked through each event and incident to: identify outcomes of the incident or the event , identify if the event occurred at a specific location, who the primary agency was that would require the information collected during the incident or event, who the participating agencies were that would also need the information or would provide additional information and, what data categories would be part of the information or data exchange (substance abuse, medical, education, law enforcement, juvenile justice, child welfare, mental health).
The matrix once completed would then provide the collaborative with the applicable State Statutes and Federal Rules that governed the data and if there were specific conditions that would have to be met in order to share the information. Tool Kit users can consult the NJISI Legal Analysis Abstract of Colorado Statutes to guide the development of a matrix in their own jurisdiction.
Identify any existing memoranda of understanding or policies that govern information sharing across agencies.
In addition to federal and state laws, it is critical to identify and review existing agreements or policies that govern information flows.
Identify any changes in practice to be implemented to ensure compliance with governing laws regarding disclosure of information.
By completing the Decision Point Legal Analysis Worksheet to identify the desired flow of information, reviewing the Category One Federal Law Overview, and creating the Narrative of Legal Requirements for Information Sharing for laws in your jurisdiction, one can determine whether changes need to be made in practice to assure compliance with the laws. For example, do stakeholders need to create and ask youth and their families to sign an authorization to release information form? Is a court order needed?
2D. DEVELOP ANY NEEDED LAW AND POLICY FOR EFFECTIVE SHARING OF CASE INFORMATION AMONG THE INVOLVED AGENCIES.
Once you have determined what gaps exist in your state’s laws and policies governing information sharing, you can begin the task of developing needed laws and policies governing the sharing of information
To develop law and policy:
Use the Worksheet for Analyzing Statutes.
The Worksheet for Analyzing State Statutes is designed to provide individuals with a checklist of questions to consider when evaluating their own state’s information-sharing laws or proposed legislation on information-sharing. Many of the points in the worksheet, however, contemplate implementation procedures for the information-sharing policy described in the statute. The exact details of implementation may not be found within the text of the statute or proposed legislation, but in implementing procedures separately published or in comments or annotations to the statute. This worksheet can be used when thinking about drafting new legislation or to evaluate current legislative efforts on information-sharing policies. The points of consideration are categorized to facilitate user-friendliness.
Review and complete the Worksheet for Analyzing MOUs.
Some jurisdictions may already have in place a MOU that is not working optimally, or a draft that has not yet been signed off on by all the parties. In that case, you can use the Worksheet to Analyze Memoranda of Understanding and Protocols For Information Sharing Between Youth-Serving Agencies to analyze the existing document. The worksheet will help you to identify possible gaps in the MOU and areas that may need further detail or refinement. The worksheet in particular asks the user to consider whether certain safeguards are contained in the MOU to ensure that information is not improperly disclosed or used. Again, the signatories may decide to limit the level of specificity in the MOU and agree to form an interagency management team to develop a more detailed protocol to guide day-to-day operation of the information sharing project.
Review sample MOUs and review and complete the Template for Developing an Interagency MOU.
There are a variety of ways to approach the task of developing a MOU. For example, some jurisdictions have created a MOU in which the parties agree to examine information sharing issues with some detail regarding the process by which that will be done. The MOU titled Sample Interagency Agreement on Information Sharing developed by the Uniting For Youth (UFY) out of is an excellent example of this. The parties to the agreement are named, basic definitions are provided, statements of purpose are articulated, and the terms of the agreement are described.
Another approach is to nest an agreement to examine confidentiality issues in a more general agreement on systems integration. Three examples are provided.
- The Hopetown Hypothetical Agreement, which is between a department of juvenile justice, a department of family and children services, and the county juvenile court. It focuses on broad areas of agreement designed to foster system integration. One area of agreement is a commitment to assess management information systems, identify critical information to be shared across systems, and identify statutory and policy barriers and obstacles to information sharing.
- The Jefferson Parish, Louisiana Memorandum of Understanding sets forth the purpose, goals and parties that are making a commitment to establish a cooperative relationship between stakeholder agencies and to formally authorize the transmittal of confidential individual information in compliance with applicable state and federal laws to streamline the juvenile’s passage through the system. It is an excellent example of the components necessary to construct a multi-system commitment to a thorough examination of the legal and policy issues affecting data and information sharing.
- The Outagamie County, Wisconsin Memorandum of Understanding reflects an agreement by the county child welfare and juvenile justice agencies. While also setting out the broader purpose for which the information is to be shared, it also includes results from a legal analysis of statutes that justifies the ability to share specific information while simultaneously specifying the limits on the disclosures.
An alternative approach, for which the Template for Developing an Interagency MOU is provided, is to create a much more detailed MOU which specifies the types of information that will be generated by the parties to the agreement, and the discrete ways in which that information may be used or in which use is prohibited. The template is organized around the three distinct phases of the juvenile court process – investigation/intake, adjudication, and disposition. Some jurisdictions may seek a MOU with this level of specificity; others may decide that a more general agreement is preferable, or more easily negotiated, and the parties agreeto form some type of interagency management team to develop a more detailed protocol to guide day-to-day operation of the information sharing project.
Regardless of the type of MOU the parties agree to enter, there are certain elements that are essential to include. These include (but may not be limited) to the following:
- Title of the MOU;
- Identity of the Parties to the MOU;
- Legal Authority for the MOU, if explicit authority exists;
- Purpose of the MOU;
- Responsibilities of the Parties (These should be clearly articulated and written as specifically as possible.);
- Issues that the MOU does not cover, including, where relevant, items to which the parties have not agreed;
- Dispute Resolution Techniques. (If the parties have a disagreement regarding the terms or implementation of the MOU, how will those disputes be settled?);
- Duration of the MOU; and
- Signatories to the MOU.
The National Juvenile Information Sharing Initiative (NJISI) MOU template is also an excellent tool available to jurisdictions. The NJISI also makes available a number of sample MOUs from various states.
2E. DEVELOP THE PROTECTIONS FOR THE INFORMATION THAT IS TO BE SHARED.
The risks posed by sharing sensitive, personal information among involved agencies cannot be ignored. It is important to educate the involved agencies about those risks so that they can incorporate the necessary protections into their practices. Materials that are developed for practitioners who are requesting and sharing information should emphasize the risks involved and direct a thoughtful inquiry regarding the need for and handling of case information.
To support responsible information sharing, jurisdictions must enact legislation and/or develop policies and protocol that address the following issues:
- Who will have access to the information that is to be shared;
- How the information may and may not be used by its recipients;
- The circumstances under which a recipient may further disseminate information received, including for what purposes further disclosure will be permitted;
- How the subject of the information will be protected during its use and after its use;
- Development of a registry or system for recording requests, transmissions, and receipts of information;
- The handling of complaints of improper disclosure or use of information subject to the agreement; and
- Common administrative, physical, and technical security safeguards to protect against any reasonably anticipated threats to the integrity of juvenile information and to ensure the confidentiality of private information.
The Worksheet for Analyzing Statutes, the Worksheet for Analyzing MOUs, and the Template for Developing an Interagency MOU can all be useful in helping to identify what protections are currently in place and what protections still need to be implemented.
2F. DEVELOP ACCESSIBLE PROCESSES AND PROCEDURES FOR YOUTHS AND/OR THEIR PARENTS/LEGAL GUARDIANS, IN ACCORDANCE WITH APPLICABLE LAW, TO REVIEW INFORMATION THAT IS COLLECTED ABOUT THEM AND THAT MAY BE DISCLOSED. PROVIDE THEM WITH THE PROCEDURES AND OPPORTUNITY TO APPROVE AND/OR AMEND THEIR INFORMATION.
- Use the Worksheet for Analyzing Statutes, the Worksheet for Analyzing MOUs, and the Template for Developing an Interagency MOU to identify what provisions in laws and policies provide access to youth and their families and the opportunity to correct erroneous representations. Develop and implement protections to fill any gaps that exist.
- Conduct a quality assurance check to ensure that these provisions are being implemented in practice and not just on paper.
- Develop guides to educate youth and their families about the information about them that is being collected and shared and their rights regarding their information.
2G. IDENTIFY THE INFORMATION SHARING SYSTEMS AND THEIR CURRENT CAPACITIES.
- Identify and document the existing technical procedures and the existing capacity of each system involved in the information sharing initiative.
- Describe the automated systems that store the sought information from each agency.
- Determine how the existing systems will be utilized to provide access to information.
- Assess the current accuracy of the existing data/information in the systems to understand the level of quality assurance that will be required by the participating agencies.
2H. DEVELOP PROTOCOLS FOR THE OPERATION OF INFORMATION SHARING AGREEMENTS, PRACTITIONER’S GUIDES, AUTHORIZATION TO RELEASE FORMS, AND ANY OTHER TOOLS FOR CASE INFORMATION SHARING.
Described below are various tools that jurisdictions may create for use as part of their information sharing project. The Tool Kit includes examples of these tools for adaptation. It is important to note that no matter which tools the jurisdiction decides to utilize, staff in participating agencies who will use the tools must be trained as to their appropriate use. In addition, the jurisdiction should set up a conflict resolution mechanism to which participating agencies can submit questions about the operation of these tools.
Authorization to release information forms (consent forms)
While there are circumstances in which the un-consented release of information is legally permitted, it is strongly preferred that consent be obtained from the person designated under the applicable law as controlling third-party access to the information. That person will typically be the minor and/or the minor’s legal guardian, depending on the type of information that is sought. Legal rules governing the content of consent forms vary by jurisdiction and by law, but the following elements are essential characteristics of any consent form. Specifically, the form should:
- Identify the individual who the information is about.
- Identify the disclosing agency.
- Identify (with as much specificity as possible) the information to be disclosed. n Identify the purpose of the disclosure.
- Identify the agencies that will receive or access the information.
- State the expiration date of the consent or the circumstances under which it will automatically expire or terminate (for example when the youth leaves the court’s supervision with no subsequent oversight).
- Describe how a youth, or legal representative can revoke the consent, and state explicitly that the consent is revocable.
- State the date consent is given with the signature of the party providing consent.
- State that the person whose information is to be disclosed has a right to receive a copy of the consent.
Agencies typically have developed their own consent forms for use in disclosing information. However, in a jurisdiction where multiple agencies are agreeing to share information, it is recommended that the agencies develop a common consent form for use in all situations in which a youth’s information is to be released. Use of a common consent form has several advantages:
- It assures that all agencies are using forms that meet legal requirements.
- It eliminates debate over the particulars of one agency’s consent form versus another.
- It permits consent for multiple disclosures to be made at one time.
No matter what type of consent form is used, a critical complementary step is to establish a protocol for obtaining informed consent from clients. This includes explaining to clients the purpose for seeking the information and for what purpose it will be used. A number of sample consent forms that meet the requirements of multiple laws are provided. A particular jurisdiction of course may want to develop its own form, particularly to assure that the form meets any discrete provisions of that jurisdiction’s law. However, these forms may provide a good place to start the process.
Information sharing project teams may adapt the following sample consent forms for their use:
- The Comprehensive Multiagency Consent Form provides for the sharing of information between multiple agencies working collaboratively and within a juvenile/youth assessment environment. The form provides for mandatory disclosures when sharing information such as disclosures for consent periods, revocation limitations, treatment data disclosure limitations and written and verbal authorization and consent requirements. The form also provides the person filling out the form to check the types of information requested under the consent and automatically fills the form with the appropriate disclosures for the information that is being requested. The form can be downloaded at http://www.acg-online.net/tools.html
- The Clark County, Washington Authorization for Disclosure/Release of Information for Protected Health Information (PHI) includes the necessary elements for disclosure of PHI as defined in HIPAA.
Business Associate Agreements
The parties to an information sharing agreement may utilize services that will give other entities access to protected health information when those entities provide ancillary services to a covered entity. In such cases, the party providing the ancillary services will need to have a “business associate agreement” with the covered entity to comply with HIPAA.
“Business associate” activities are defined quite broadly and include legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, and financial services as well as any other services that a covered entity might contract for. One type of organization that requires a business associate agreement is an accrediting body.
Business Associate Agreements can be used in the context of information sharing if some or all of the parties in a particular jurisdiction have protected health information stored and retained electronically by a common entity in order to facilitate ready access to the data. In that situation, a business associate agreement would be required between the health care providers (who are “covered entities” under HIPAA) and the organization storing the protected health information. A second example would be if the parties to the agreement wished to have a program evaluation done by a university (as an example) and the evaluation requires access to protected health information. A third example is if a covered entity in the jurisdiction has outside counsel through contract; the outside counsel would be a business associate. One sample business associate agreement is provided:
- The Department of Health and Human Services Office of Civil Rights, which has primary responsibility for enforcing and interpreting HIPAA. The template illustrates those things that must be in such an agreement and can also be downloaded at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html#2.
Qualified Service Organization agreements
Qualified Service Organization Agreements are designed to memorialize the relationship between a treatment provider and an entity providing ancillary services.
A person or organization that provides services to a program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, medical, accounting, or other professional services, or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy. The person or organization has entered into a written agreement with a program providing drug or alcohol referral, diagnosis or treatment under which the person or organization acknowledges that in receiving, storing, processing or otherwise dealing with any records concerning enrolled persons, it is fully bound by these regulations and, if necessary, will resist in judicial proceedings any efforts to obtain access to records of enrolled persons except as permitted by these regulations.
Courts obviously have a significant role in making judgments regarding access to and disclosure of individually identifiable information. Both HIPAA and 42 CFR, Part 2 permit disclosures pursuant to court order.
One important role courts can play in assuring clarity in information sharing is to insert paragraphs in their orders explicitly permitting or restricting the use of certain types of information. For example, the judicial order from Georgia makes clear that probation officers are not covered entities under HIPAA and may therefore disclose (and have access to) otherwise protected health information. Note that this is an example of a blanket court order that is legally effective. In general, blanket court orders that direct agencies to release information about youth involved in the juvenile court are not legally effective when governing laws require that entities provide notice to the subject of the information prior to releasing the information. For example, an order that all schools are to release educational records of youth under probation supervision to the juvenile probation would not work because FERPA requires schools to alert the parents of students about the order before the school complies.
There are also circumstances in which an attorney for a party may seek a court order permitting access to protected health information. An example of a protective order from Cook County, Illinois is included.
2I. SEEK APPROVAL OF ANY DRAFTED TOOLS SUCH AS INFORMATION SHARING AGREEMENTS, PRACTITIONER’S GUIDES, AND AUTHORIZATION TO RELEASE OF INFORMATION FORMS FROM THE PARTICIPATING AGENCIES AND THEIR LEGAL COUNSELS.
In order to ensure implementation of the tools and policies you have developed, it is important to get stakeholder buy-in. Contact the participating agencies and their legal counsel to get approval of the tools you’ve developed.