1060 Technology and Data Management | ADMINISTRATION-5600-MANUAL

This section establishes policies and guidelines for implementing and managing technology systems and data management activities at the Georgia Department of Human Services Division of Aging Services (DHS/DAS), Area Agency on Aging (AAA) and provider organization levels of the statewide aging network.

The fundamental purpose of the policies and guidelines is to protect the State’s stored information about consumers who receive services through the aging network’s programs.

The DAS Data System is the system of record for all programs administered and funded by the DHS/DAS

The DHS/ DAS operates in a data-driven environment, which will become only more extensive, pervasive, and complex in the future.

The DAS is responsible for creating, managing, supporting, and maintaining a statewide centralized database, the DAS Data System (DDS). The DDS is the mechanism used to track, account for and report service delivery and financial data for all programs administered and funded by DAS.

Under the Older Americans Act of 1965, as amended, and as articulated in the 2016 compliance supplement (2 CFR 200, Appendix XI), the State Unit on Aging is required to “develop policies governing all aspects of programs operated under the State Plan and to monitor their implementation, including assessing performance for quality and effectiveness and specifying data system requirements to collect necessary and appropriate data.

For purposes of these policies and guidelines the following definitions are provided:

Access: To instruct, communicate with, cause input to or output from, cause data processing or otherwise make use of any resources of a computer, information system, or information network.
Authorized User: One who has been verified as having valid rights to and who has been granted rights of access to an information technology system based on that person’s responsibilities within an organization and his/her need for access to the system.

Computer: An internally programmed automated device that performs data processing or telephone switching.

Computer system: At least one computer together with a set of related, connected, or unconnected peripheral devices.

Electronic document: A structured data file, most commonly created in a word processing or spreadsheet application, but possibly in other personal computer applications, such as desktop publishing, electronic mail or presentation software.

Electronic record: A document or other type file that is transmitted or submitted electronically.

System: An assembly of components (hardware, software, procedures, human functions, and other resources) connected by some form of regulated interaction to form an organized whole. A group of related processes.

The Objectives of these policies and guidelines are to:

It is the intent of the Division of Aging Services that Area Agencies on Aging assess the staffing and technological capacity of the service provider network. They must also provide technical assistance and training to providers and deploy the DDS to providers who demonstrate the capacity to perform the essential data management functions, including but not limited to data entry, data validation, and report generation.

The State’s information is to be handled in such a manner to protect it from unauthorized or accidental disclosure, inappropriate modification, or loss. The integrity of the State’s information resources must be protected.

The State, in processing confidential information, must have adequate controls over users' access to the data system.

Confidentiality is determined in accordance with state and federal laws, rules and regulations and any applicable state laws, rules, and regulations.

Activities associated with data management include:

It is the policy of the Division of Aging Services that Area Agencies on Aging manage the security of and access to the individual computers and network servers used in the respective offices and facilities used by the AAA and provider organizations to record and report client, programmatic and fiscal data.

The AAA is responsible for verifying for each staff member at the AAA and provider level, his/her need for access to the DDS and to which functions within the DDS users have need of access. Authorized users may access the system only while actively employed or providing volunteer staff service. AAAs/providers may request appropriate system access for contract employees, for the term of the contract agreement.

The AAA is responsible for assuring that authorized users have and use individual passwords to access the system. Passwords may not be shared and passwords of users at all levels (state, AAA, providers) will expire after 90 days and will have to be reset. The DDS will prompt users when a reset is required. Refer to the DDS Password Reset Guide in Appendix H of this manual.

The AAA will develop and implement procedures for requesting DAS to disable passwords and discontinue access to the system whenever AAA or provider agency staff, including contract staff and volunteers, terminate employment or volunteer service for any reason. Refer to DDS User Access Request Procedures in Appendix H of this manual and the DDS Worker Change Request Form in Appendix D of this manual

Owners of data at each level of the network are ultimately responsible for ensuring that adequate controls exist to protect their transactions. The type and degree of protection shall be commensurate with the nature of the information, the operating environment, the potential for exposures resulting from the loss, misuse, or unauthorized access to or modification of the information.

Each AAA must evaluate its business needs and the associated risks for its local information systems in conjunction with its management of data handling.

The following are guidelines for data management and handling standards and best practices were adapted from the State of North Carolina’s Information Resource Management Commission Guidelines:

The Georgia Technology Authority also has best practices on its website; refer to References below for the link.

AAAs must conduct periodic reviews of participants' records maintained at the AAA/provider level to verify that eligibility criteria for services are met and required documentation is maintained, based on a review of assessment and reassessment documentation and documentation of service plans and service delivery activities. The AAA shall comply with the Division’s requirements relating to Area Agency on Aging Administrative Requirements and monitoring of subcontractors.

The Department/Division reserves the right to monitor and inspect the operations of the Regional Commission/Area Agency on Aging and any subcontractor for compliance with the provisions of contracts with the Department and all applicable federal and state laws and regulations and Department policy, with or without notice, at any time during the term of the contract.

Monitoring and inspection activities may include, without limitation,

The Department will provide the contractor/subcontractor with a report of any findings and recommendations and may require the development of corrective action plans as appropriate.

AAAs and contractors are required to comply with state record retention requirements. Refer to Section 1061, Record Retention, in this manual.

Data entered and stored in the DDS are managed by DAS.

As a part of the larger strategic planning process, AAAs periodically will assess the technology needs of both their own organizations and assist subcontractors to identify their technology needs. Technology needs assessments are used to identify barriers to compliance with minimum technology standards implemented by the Department of Human Services Division of Aging Services. AAAs will assure the availability of adequate and sufficient resources to develop, implement and maintain technology infrastructure, equipment and staffing to stay abreast of changes in standards and requirements.

There are three progressive levels of support for resolution of DAS database issues.

Level 1 Support:

To facilitate timely resolution of issues, providers and AAA staff should first attempt to resolve any issues with AAA trainers/points of contact for the data system. This will streamline DAS' ability to resolve issues and provide opportunities for AAA staff to become more proficient in the system.

Level 2 Support:

DAS staff will provide Level 2 support via the DDS Helpdesk, dds.helpdesk@dhs.ga.gov

When contacting the helpdesk, include the DDS Issues Log spreadsheet, found in Appendix D of this manual, for clarity of the issue and so that statewide feedback may be provided to the appropriate parties. Required information:

Level 3 Support:

If the issue cannot be resolved at level 2, DAS will work with the vendor (Wellsky) to determine a resolution.

DDS' Change Control Process ensures changes within the DDS are introduced, approved, or denied, and prioritized in a controlled, protected and coordinated manner.

The DAS Change Control Board consists of the Division Director, Deputy Directors, and Senior Field Operations Manager. The Associate General Counsel for DAS and the DHS Deputy Director for the Office of Information Technology and the remainder of DAS Management Team serve in an advisory capacity. The Division Director chairs the Change Control Board and is the final authority on decisions.

U.S. Code, Title 42 §3025 Designation of State Agencies, (a) Duties of Designated Agency (1)©

Code of Federal Regulations, Title 45, part 1321, Grants to State and Community Programs on Aging, Subpart B, State Agency Responsibilities, §11, State Agency Policies

Code of Federal Regulations, Title 45, part 1321, Grans to State and Community Programs on Aging, Subpart B, State Agency Responsibilities §17, Content of State Plan

Code of Federal Regulations, Title 2, part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, Subpart F, Audit Requirements, §521, Appendix XI, Compliance Supplement

Code of Federal Regulations, Title 45, part 1321, Grants to State and Community Programs on Aging, Subpart B, State Agency Responsibilities, §51, Confidentiality and Disclosure of Information
42 U.S.C.§ 1301 et seq., Public Law 104-191, Health Insurance Portability and Accountability Act of 1996

Code of Federal Regulations, Title 45, part 160, General Administrative Requirements, and part 164, Security and Privacy (HIPAA)

The Georgia Computer Systems Protection Act (OCGA § 16-9-90 et seq.)

OCGA § 30-5-7, Confidentiality of public records

The Georgia Technology Authority, www.gta.georgia.gov ; search “best practices”.

Stanford Libraries data best practices: library.stanford.edu/research/data-management-services/data-best-practices

Access to Services, MAN 5200:

Home and Community Based Services, MAN 5300:

Adult Protective Services, MAN 5500:

Public Guardianship Office, MAN 5800: