1060 Technology and Data Management | ADMINISTRATION-5600-MANUAL
Georgia Division of Aging Services |
||||
Chapter: |
1000 – General DAS Administration |
Effective Date: |
06/15/2023 |
|
Section Title: |
Technology and Data Management |
Reviewed or Updated in: |
MT 2023-07 |
|
Section Number: |
1060 |
Previous Update: |
MT 2022-06 |
Summary Statement
This section establishes policies and guidelines for implementing and managing technology systems and data management activities at the Georgia Department of Human Services Division of Aging Services (DHS/DAS), Area Agency on Aging (AAA) and provider organization levels of the statewide aging network.
The fundamental purpose of the policies and guidelines is to protect the State’s stored information about consumers who receive services through the aging network’s programs.
The DAS Data System is the system of record for all programs administered and funded by the DHS/DAS
Background and Scope
The DHS/ DAS operates in a data-driven environment, which will become only more extensive, pervasive, and complex in the future.
The DAS is responsible for creating, managing, supporting, and maintaining a statewide centralized database, the DAS Data System (DDS). The DDS is the mechanism used to track, account for and report service delivery and financial data for all programs administered and funded by DAS.
Under the Older Americans Act of 1965, as amended, and as articulated in the 2016 compliance supplement (2 CFR 200, Appendix XI), the State Unit on Aging is required to “develop policies governing all aspects of programs operated under the State Plan and to monitor their implementation, including assessing performance for quality and effectiveness and specifying data system requirements to collect necessary and appropriate data.
DAS Data System/AAAs
AAAs use the DDS to
-
Create individual client records
-
Enter individual client assessment data
-
Create area plans
-
Establish administrative and service budgets
-
Comply with Federal and State reporting requirements
-
Generate reports used for program management
-
Request reimbursement for services rendered
-
Evaluate and improve the quality of the service delivery system
The DDS is designed and intended to be implemented and used at both the AAA and service provider organization levels. Service providers are authorized to
-
Establish client records
-
Establish service delivery logs
-
Enter service data and generate reports related to their clients, sites, and services.
The DDS Manuals provide technical information regarding how to use the system. Each program has a manual; the manuals may be accessed in Appendix H of this manual.
These policies and guidelines, and related authorities, apply to the DAS; allied federal and state agencies; contractors, Regional Commissions and/or Area Agencies on Aging; and subcontractor agencies and vendors, including private non-profit organizations, proprietary organizations, and city and county governments.
DAS Data System/APS and PGO
The Adult Protective Services Section and Public Guardianship Office in DAS use the DDS to:
-
Create individual client records
-
Enter individual client assessment data
-
Create case plans
-
Comply with Department and Division reporting requirements
-
Generate reports for program management, including leveling caseloads and supervisory units
-
Evaluate and improve the quality of services provided.
Resource Database
DAS currently recognizes EmpowerLine Pro (EPro), owned by the Atlanta Regional Commission, as the official resource database for the purposes of providing Older Americans Act Information and Referral services. All AAAs and APS/PGO case managers have access to EPro. AAA Resource Specialists must update resources according to the ARC update schedule to ensure that resources are current and accurate.
Definitions
For purposes of these policies and guidelines the following definitions are provided:
Access: To instruct, communicate with, cause input to or output from, cause data processing or otherwise make use of any resources of a computer, information system, or information network.
Authorized User: One who has been verified as having valid rights to and who has been granted rights of access to an information technology system based on that person’s responsibilities within an organization and his/her need for access to the system.
Computer: An internally programmed automated device that performs data processing or telephone switching.
Computer system: At least one computer together with a set of related, connected, or unconnected peripheral devices.
Electronic document: A structured data file, most commonly created in a word processing or spreadsheet application, but possibly in other personal computer applications, such as desktop publishing, electronic mail or presentation software.
Electronic record: A document or other type file that is transmitted or submitted electronically.
System: An assembly of components (hardware, software, procedures, human functions, and other resources) connected by some form of regulated interaction to form an organized whole. A group of related processes.
Objectives
The Objectives of these policies and guidelines are to:
-
Assure compliance with applicable state and federal law and regulations
-
Assure that all entities that are part of the regional and statewide aging services network have appropriate and adequate access to both the data entry and reporting functions of the DDS, based on their organizational capabilities, expressed in terms of budget, staffing and technical capacities
-
Establish the authority given by the DAS to the AAA to grant to their staff and provider agencies appropriate access to the DDS with necessary security protections; AAAs email DAS for staff access to the DDS
-
Assure that the documentation related to reporting client or other programmatic activity through electronic or other means to the Department is maintained accurately, completely and in a timely fashion
-
Assure that data collected, stored and reported in and by the state system are managed in a secure fashion which protects the privacy and confidentiality of applicants and clients
-
Provide credible, timely data which are used to support management decision-making and program administration
-
Provide general guidelines for disposal of electronic documents related to program administration and other purposes, maintained outside of the DDS; and
-
Provide steps required to change data elements or reports within DDS
Basic Considerations
It is the intent of the Division of Aging Services that Area Agencies on Aging assess the staffing and technological capacity of the service provider network. They must also provide technical assistance and training to providers and deploy the DDS to providers who demonstrate the capacity to perform the essential data management functions, including but not limited to data entry, data validation, and report generation.
The State’s information is to be handled in such a manner to protect it from unauthorized or accidental disclosure, inappropriate modification, or loss. The integrity of the State’s information resources must be protected.
The State, in processing confidential information, must have adequate controls over users' access to the data system.
Confidentiality is determined in accordance with state and federal laws, rules and regulations and any applicable state laws, rules, and regulations.
Data Management
Activities associated with data management include:
-
Data verification and validation, in general
-
Entry of required participant and/or activity data into the DDS
-
Monthly service delivery reporting into the data system
-
Generation, analysis, and timely submission of programmatic and fiscal reports, and reports yielding data about client and service characteristics
-
Maintenance of resource databases or other directories
-
Retention of, safeguarding, and appropriate disposal of the records of participants, including information generated at intake, screening, and at the assessment and service delivery levels.
Participant Records
Non-Electronic
Area Agencies on Aging (AAAs) – there is no requirement for non-electronic records. AAAs may choose to retain copies of documents with original signatures. However, good quality (300dpi) scanned copies of original documents attached to the DDS electronic file are sufficient.
APS and PGO – refer to MAN 5500 (APS) and MAN 5800 (PGO) for non-electronic record requirements.
Once uploaded to the DDS, documents must be deleted from the scanning device. |
Electronic
The DDS is the participant electronic record.
At DAS direction, newly established programs may require separate electronic records (EXCEL, etc.), until data fields are added to the DDS. |
The state and federal government and the Department/Division shall have full and complete access to all consumer/customer/client records, administrative records, financial records, pertinent books, documents, papers, correspondence, including e-mails, management reports, memoranda, and any other records of the AAA and subcontractors for the purpose of conducting or reviewing audit examinations, excerpts, and transcripts.
AAAs will establish protocols for monitoring electronic files, including required access, with or without notice, to such files by authorized DAS staff, staff of any state or federal funding agency, auditors, and/or staff of the Office of Inspector General. The Checklist for Disposal of Electronic Documents, found in Appendix D may be used as a guide for disposing of electronic documents, including email.
Security and Access Management
It is the policy of the Division of Aging Services that Area Agencies on Aging manage the security of and access to the individual computers and network servers used in the respective offices and facilities used by the AAA and provider organizations to record and report client, programmatic and fiscal data.
The AAA is responsible for verifying for each staff member at the AAA and provider level, his/her need for access to the DDS and to which functions within the DDS users have need of access. Authorized users may access the system only while actively employed or providing volunteer staff service. AAAs/providers may request appropriate system access for contract employees, for the term of the contract agreement.
The AAA is responsible for assuring that authorized users have and use individual passwords to access the system. Passwords may not be shared and passwords of users at all levels (state, AAA, providers) will expire after 90 days and will have to be reset. The DDS will prompt users when a reset is required. Refer to the DDS Password Reset Guide in Appendix H of this manual.
The AAA will develop and implement procedures for requesting DAS to disable passwords and discontinue access to the system whenever AAA or provider agency staff, including contract staff and volunteers, terminate employment or volunteer service for any reason. Refer to DDS User Access Request Procedures in Appendix H of this manual and the DDS Worker Change Request Form in Appendix D of this manual
Owners of data at each level of the network are ultimately responsible for ensuring that adequate controls exist to protect their transactions. The type and degree of protection shall be commensurate with the nature of the information, the operating environment, the potential for exposures resulting from the loss, misuse, or unauthorized access to or modification of the information.
Each AAA must evaluate its business needs and the associated risks for its local information systems in conjunction with its management of data handling.
The following are guidelines for data management and handling standards and best practices were adapted from the State of North Carolina’s Information Resource Management Commission Guidelines:
-
The originator of a telephone call, a facsimile transmission, an e-mail, a computer transaction, or any other telecommunications transmission, should be aware of the possibility of compromise of confidentiality, integrity or availability of the information transmitted, and determine whether the information requires additional protection and handling.
-
Agencies should provide special protection and handling to information that is covered by statutes, including, for example, confidential information, financial information, protected health information.
-
Owners of confidential information should authorize access on a strict “need to know” basis in conformance with legal requirements for allowable access.
-
Agency personnel should have access to confidential information only for the performance of their duties
-
An agency that receives/uses confidential information from another agency shall observe and maintain the confidentiality conditions imposed by the providing agency.
The Georgia Technology Authority also has best practices on its website; refer to References below for the link.
Monitoring
AAAs must conduct periodic reviews of participants' records maintained at the AAA/provider level to verify that eligibility criteria for services are met and required documentation is maintained, based on a review of assessment and reassessment documentation and documentation of service plans and service delivery activities. The AAA shall comply with the Division’s requirements relating to Area Agency on Aging Administrative Requirements and monitoring of subcontractors.
The Department/Division reserves the right to monitor and inspect the operations of the Regional Commission/Area Agency on Aging and any subcontractor for compliance with the provisions of contracts with the Department and all applicable federal and state laws and regulations and Department policy, with or without notice, at any time during the term of the contract.
Monitoring and inspection activities may include, without limitation,
-
On-site health and safety inspections
-
Financial and service delivery audits
-
Review of any records developed directly or indirectly as a result of the contract
-
Review of management systems, policies, and procedures
-
Review of service authorization and utilization activities
-
Review of any other area, activities, or materials relevant to or pertaining to the contract; and
-
Requirements to maintain on file with the Department such records as the Department may require to demonstrate compliance with the provisions of the contract.
The Department will provide the contractor/subcontractor with a report of any findings and recommendations and may require the development of corrective action plans as appropriate.
Disposal of Electronic Records
AAAs and contractors are required to comply with state record retention requirements. Refer to Section 1061, Record Retention, in this manual.
Data entered and stored in the DDS are managed by DAS.
Technology Planning
As a part of the larger strategic planning process, AAAs periodically will assess the technology needs of both their own organizations and assist subcontractors to identify their technology needs. Technology needs assessments are used to identify barriers to compliance with minimum technology standards implemented by the Department of Human Services Division of Aging Services. AAAs will assure the availability of adequate and sufficient resources to develop, implement and maintain technology infrastructure, equipment and staffing to stay abreast of changes in standards and requirements.
HELPDESK Protocol
There are three progressive levels of support for resolution of DAS database issues.
Level 1 Support:
To facilitate timely resolution of issues, providers and AAA staff should first attempt to resolve any issues with AAA trainers/points of contact for the data system. This will streamline DAS' ability to resolve issues and provide opportunities for AAA staff to become more proficient in the system.
Level 2 Support:
DAS staff will provide Level 2 support via the DDS Helpdesk, dds.helpdesk@dhs.ga.gov
When contacting the helpdesk, include the DDS Issues Log spreadsheet, found in Appendix D of this manual, for clarity of the issue and so that statewide feedback may be provided to the appropriate parties. Required information:
-
Wellsky USER NAME (as necessary)
-
Client ID (as necessary)
-
PRIMARY PROGRAM or JOB FUNCTION/PROVIDER/AAA
-
STATE IN THE EMAIL SUBJECT LINE THE ISSUE CATEGORY
Level 3 Support:
If the issue cannot be resolved at level 2, DAS will work with the vendor (Wellsky) to determine a resolution.
Change Control Process
DDS' Change Control Process ensures changes within the DDS are introduced, approved, or denied, and prioritized in a controlled, protected and coordinated manner.
The DAS Change Control Board consists of the Division Director, Deputy Directors, and Senior Field Operations Manager. The Associate General Counsel for DAS and the DHS Deputy Director for the Office of Information Technology and the remainder of DAS Management Team serve in an advisory capacity. The Division Director chairs the Change Control Board and is the final authority on decisions.
Submission of Change Requests
Requests for changes may be made by any DDS user.
System Outages and Break Fixes: system outages, error messages or other functionality issues may be reported to dds.helpdesk@dhs.ga.gov. Program Integrity staff will triage these requests and report to Wellsky as necessary.
Password Resets: Users are encouraged to set up their security questions in the "My Profile" section of the DDS system. Once set up, users may reset their own password using the "Forgot Password?" link on the main login page.
If the user has not set up their security questions, or are locked out of the system, requests may be made to the DDS Helpdesk at dds.helpdesk@dhs.ga.gov for a manual user reset.
Functionality: Requests for functionality that does not currently exist in the requestor program area or requests to change system functionality, including any modifications to screen layouts and content of drop-down boxes, must be requested using the DDS Change Request Form found in Appendix D of this manual. Completed forms and supporting documentation must be emailed to dds.helpdesk@dhs.ga.gov with Change Request in the subject line.
Reports: Requests for new or modified reports must be made using the DDS Report Request Form found in Appendix D of this manual. Completed forms and supporting documentation must be emailed to dds.helpdesk@dhs.ga.gov with Report Request in the subject line. Report requests will be forwarded to the reports team in the Program Integrity section.
The DAS Change Control Board will meet no less than monthly. The Section Manager for Program Integrity or designee will maintain a log for change and report requests to include requests for review, prioritization, and disposition of requests.
DAS Change Control Board Review
The Section Manager for Program Integrity or his designee will set the agenda for regular board meetings and may call unscheduled meetings to address urgent requests.
The Change Control Board may adopt an expedited review format for straightforward requests.
To ensure a complete review, the Change Control Board may ask the requestor to provide supporting documentation or to attend the Change Control Board meeting to present or explain a request.
A requestor may ask to meet with the Change Control Board to present a request.
Disposition of Requests
The Change Board will assign one of the following dispositions to each request:
-
Approved. The board indicates the level of priority for the request as immediate, high, medium, or low
-
Returned to requestor for additional information. The request will be revisited by the board once the additional information is received.
-
Returned to requestor with recommendation for alternative solution. This disposition is used when the desired result may be accomplished by a process change, leveraging another feature in the system or another technology tool.
-
Denied
Requestors will be notified via email the disposition of a request.
Assignment of Approved Requests
The Section Manager for Program Integrity will assign/forward requests as appropriate to:
-
Vendor Help Desk, or
-
Program Integrity Staff for configuration changes or report development, or
-
Vendor staff for development of a Statement of Work and Price quote.
The requestor and/or other staff as required shall cooperate in the development of final requirements for modifications or reports.
Requests requiring a Statement of Work and a price quote may require additional contracting. The Business Operations Section Manager and designated staff will facilitate the contracting process.
The Change Control Board may, at its discretion, obtain a Statement of Work and price quote before approval of a request.
Record Keeping
The Section Manager for Program Integrity or designee is responsible for tracking change requests including but not limited to the following:
-
Date of Request
-
Name of Requestor
-
Program (ex: APS, GeorgiaCares)
-
Type Request, including brief descriptor
-
Status of request
-
Pending
-
Approved
-
Returned for Additional Information
-
Returned with Recommendation for Alternative Solution
-
Denied
-
-
Assignment of request
-
Vendor Help Desk, including ticket number
-
Program Integrity Staff
-
Request for Statement of Work
-
-
Completion Date
An update shall be given to the DAS Management Team on a monthly basis regarding the number and status of requests.
References
U.S. Code, Title 42 §3025 Designation of State Agencies, (a) Duties of Designated Agency (1)©
Code of Federal Regulations, Title 45, part 1321, Grants to State and Community Programs on Aging, Subpart B, State Agency Responsibilities, §11, State Agency Policies
Code of Federal Regulations, Title 45, part 1321, Grans to State and Community Programs on Aging, Subpart B, State Agency Responsibilities §17, Content of State Plan
Code of Federal Regulations, Title 2, part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, Subpart F, Audit Requirements, §521, Appendix XI, Compliance Supplement
Code of Federal Regulations, Title 45, part 1321, Grants to State and Community Programs on Aging, Subpart B, State Agency Responsibilities, §51, Confidentiality and Disclosure of Information
42 U.S.C.§ 1301 et seq., Public Law 104-191, Health Insurance Portability and Accountability Act of 1996
Code of Federal Regulations, Title 45, part 160, General Administrative Requirements, and part 164, Security and Privacy (HIPAA)
The Georgia Computer Systems Protection Act (OCGA § 16-9-90 et seq.)
OCGA § 30-5-7, Confidentiality of public records
The Georgia Technology Authority, www.gta.georgia.gov ; search “best practices”.
Stanford Libraries data best practices: library.stanford.edu/research/data-management-services/data-best-practices
Access to Services, MAN 5200:
-
ELAP – Section 2020
-
GeorgiaCares – Section 403
-
ADRC – Section 5035
-
Community Transitions – Sections 6141 and 6213
Home and Community Based Services, MAN 5300:
-
Client Assessment – Section 114.8
-
Program Guidelines and Requirements – Section 202.5
-
In Home Services – Chapter 208
-
Case Management – Section 201.131
Adult Protective Services, MAN 5500:
-
Documentation – Sections 2012, 3012 and 4008
Public Guardianship Office, MAN 5800:
-
Case Record Maintenance – Section 3060