FORMAL APPEAL TO RSA CITES THE PEOPLES RIGHTS TO CONFIDENTIALITY

July 20, 2007

John Hager, Assistant Director
Office of Special Education and Rehabilitative Services
Rehabilitation Services Administration
United States Department of Education
400 Maryland Avenue, S.W. 
Washington, D.C. 20515

Thomas Kelley, Chief
Independent Living Unit
Office of Special Education and Rehabilitative Services
Rehabilitation Services Administration
United States Department of Education
400 Maryland Avenue, S.W. 
Washington, D.C. 20515

Re: Award Numbers:	
H132A930542
H132A980813

Dear  Mr. Hager and Mr. Kelley,

This letter constitutes a formal request for reconsideration of the July
5, 2007 decision by the United States Department of Education's
Rehabilitation Services Administration ('RSA') to improve special
conditions on the grants provided to Everybody Counts Center for
Independent Living and the Indiana Freedom, Access, Community, Empowerment
and Support (collectively referred to as the 'Centers.') As was confirmed
in an e-mail from David Esquith, Director of State Monitoring and Program
Improvement Division, the Centers' formal request for reconsideration was
due on or before July 21, 2007, and therefore this request is timely. 

As an initial note, we were glad to learn that the only concerns that
resulted from RSA's recent monitoring review of our centers had to do with
differing interpretations of federal regulations that apply to
confidentiality of consumer service records. Thank you for your prompt
notification. 

In addition, by initiating this formal request for reconsideration, we
assume that this will stay the requirement set forth on page three of
RSA's decision that states 'failure to provide the Department with
unrestricted access to the records pertinent to your federal grant awards
within 30 days....will be considered a material failure to comply with the
requirements of the grant and may result in more severe enforcement
action' at least until such time as RSA acts on t his request. If that is
not the case, please advise us immediately, so that we can take any and
all precautions to protect our rights and those of our consumers. 

As further set forth in formal request for reconsideration, the Centers
did not fail to provide RSA with access to consumer service records, and
therefore RSA has no basis to impose these special conditions.  We
therefore request that RSA immediately remove these special conditions on
our awards and restore our prior status. 

We further reiterate the request we have made to several RSA
administrative staff persons, and that is to provide the 'statute or
regulation applicable to the action involved' as referred to in 34 CFR
74.62 (b), Hearings and Appeals. 

Turning now to the substance of our request for reconsideration, we agree
that 34 CFR 364.37 says that the state plan must include satisfactory
assurances that all recipients of financial assistance under Parts B and C
of Chapter 1 will provide sufficient access to specific records. The only
reference to 364.37 or provision of access to records which is included in
Indiana's stated plan is that taken from RSA's pre-print under 7.4, Access
to Financial Records, (Sec. 704 (m) 4 & 5) of the Act; 34 CFR 364.37),
which states 'all recipients of financial assistance under Chapter 1 will
afford access to the Secretary and the Comptroller General or any of their
duly authorized representatives, for the purpose of conducting audits and
examinations, to all records maintained pursuant to section 7.3 of the
SPIL immediately above, and any other books, documents, papers, and
records of the recipients that are pertinent to the financial assistance
received under Chapter 1.'

Prior to the review team's visit, we were notified that the team leader,
Felipe Lulli, would determine the methodology by which consumer service
records would be reviewed to determine compliance with applicable
regulations.  However, Mr. Lulli repeatedly refused to provide an answer
to our questions about the pertinence of requiring that personal
identification information be disclosed in the course of RSA's review of
individual consumer files. 

34 CFR 364.56 requires CILs to adopt and implement policies and procedures
to safeguard the confidentiality of all personal information, including
photographs and lists of names. Those policies and procedures require us
to assure that specific safeguards protect current and stored personal
information, and that all applicants for services are informed of the
confidentiality of personal information and the conditions for gaining
access to or releasing that information. 

Title VII requires consumer control of the center regarding decision
making, service delivery, management, and establishment of the policy and
direction of the center. Our consumer controlled board of directors has
always taken very seriously our responsibility to honor and safeguard
personal information about those who request or receive assistance. That
is why Everybody Counts developed and follows strict confidentiality
policies that meet the requirements of 34 CFR 364.56. Our policies with
respect to the information contained in consumer service records read as
follows: 

"At all times, information contained in individual Consumer Service
Records (CSRs) will be treated with the utmost respect and
confidentiality. Only staff persons or volunteers who have signed
statements which acknowledge their responsibility to maintain
confidentiality about the nature or content of information obtained from
individuals who request or receive services are authorized to access CSRs. 
These files will at all times be maintained in a manner which ensures that
this will be the case. Specific directions with respect to location,
allocation of keys to locked file cabinets, etc. will be determined by
administrative staff from time to time and subsequently shared with all
appropriate individuals.. Written CSRs may not be removed from the offices
at any time, with the exception of the relocation of those offices, at
which time they will be maintained under lock and key and under the
supervision of administrative staff. Electronic CSRs may be accessed only
by means of assigned passwords, which will be re-assigned periodically in
order to ensure security. Information contained in individual CSRs may be
shared with other parties only when consumers sign Everybody Counts'
written release forms which authorize such action or, in the event that a
release form is received from another agency, only after staff has
confirmed with the consumer his or her signature of authorization." 

When first notified of our random selection for a monitoring visit, we
were sent an Organizational Review Guide (ORG) which states, in Section
II: 'it is RSA's intent that, in the on-site review process and in the
application of the ORG, there be appropriate latitude and flexibility to
accommodate the variety of the organizational settings and the program
variations that exist in the CILs funded under, and complying with, title
VII of the ACT. The ORG and procedures were developed to allow this
balance to be achieved while assuring uniformity in review practices and
consistency of policy interpretation.'

As we reported to the Review Team leader, we know that during previous
reviews of other CILs and state IL programs, RSA has accepted redacted
consumer service records and/or agreed to review only those with
identifiable personal information redacted. We have never been advised
that this was inadequate, nor are we aware of any regulations that would
require a CIL to disclose such information without taking steps to
safeguard its confidentiality. It was therefore our expectation that RSA
would take into consideration the specific policies that have been
developed by the Centers to ensure that the confidentiality of the
Centers' individual consumers would be protected. 

In fact, 34 CFR 364.56 states that individuals requesting assistance must
be provided with an identification of those situations in which the
service provider requires or does not require informed written consent of
the individual before information may be released, and identification of
other agencies to which information is routinely released. Therefore, in
compliance with this regulation, since first receiving Part C funds in
1992, Everybody Counts has not routinely released personal information to
any other agency, nor have we been asked to do so. In fact, as part of its
2002 review of Indiana's IL program, RSA administrative staff advised CILs
that they recognized their need to obtain releases of information from
individuals whose CSRs would be reviewed. RSA then determined that a total
of 14 CSRs from 9 CILs was sufficient to allow them to determine the 
extent to which the CILs were in compliance with requirements as 
to the content of CSRs.

In addition, CFR 364.56 states that all personal information in the
possession of CILs may be used only for the purposes directly connected
with the provision of IL services and the administration of the IL program
under which IL services are provided. Information containing identifiable
personal information may not be shared with advisory or other bodies that
do not have official responsibility for the provision of IL services or
the administration of the IL program under which IL services are provided. 

This excerpt from the regulations was specifically discussed during
meetings of individuals who were receiving assistance from our Centers.
Our understanding was, and remains, that this meant that no one other than
those persons working directly with consumers or supervising those
individuals would have access to any identifiable personal information.
Accordingly, our consumers were assured that the confidentiality policy
stated above would be strictly enforced. 

CFR 364.56 also speaks to the release of confidential information for
purposes of audit, evaluation, and research. Specifically, it states: 
'personal information may be released to an organization, agency, or
individual engaged in audit, evaluation, or research activities only for
purposes directly connected with the administration of an IL program, or
for purposes that would significantly improve the quality of life for
individuals with significant disabilities'

After having been notified that both of our Centers had been randomly
selected for on-site reviews, we were sent an Organization Review Guide
(ORG) which included a 'check list of materials that may be needed for the
review.' CSRs were not included in this list. 

The ORG does, however, speak to CSRs.. It states that the team leader
should determine the method to be used for selecting CSRs for review by
the team, and that the number of CSRs should be sufficient to determine
whether or not the CIL is meeting standards and providing the services
reported in the 704 report, and whether or not the information in the CSR
includes all necessary or recommended content. 

Given the RSA's previous position that only 2 CSRs from each CIL would be
sufficient to confirm that the CILs were maintaining accurate and
appropriate records, we thought it would be more than sufficient to obtain
releases of information from 8 consumers to share their would be a
sufficient number of individuals who had requested assistance.  Although
the review team reported that the total was only 5, in fact 8 CSRs were
made available.). 

We provided the review team with a list of all consumers who had received
services through our center, together with information with respect to
their gender, age and disability. We also directly connected the review
team to more than a dozen consumers. They met with each of our staff, all
persons with whom we have contractual arrangements and all but one member
of the board of directors. 

On the next to the last day of the review, the team leader advised that he
would require unrestricted access to all CSRs, not just those for which we
had obtained releases of information. He said that the regulations gave
him that right.  Given that we understood that access to confidential
information should only be 'directly connected with the administration of
an IL program, or for purposes that would significantly improve the
quality of life for individuals with significant disabilities,' we asked
him to explain the rationale for such a request, but he declined our
request. 

We then contacted our Congressman, whose staff advised that we should
request the team leader's position and the specific legal citation in
writing. We did so, but Mr. Lulli refused to provide that information. 

In an effort to provide the review team with materials that they
apparently believed were relevant to their review, we offered CSRs which
had all personal information redacted. Mr. Lulli said he was under
direction from his superiors not to accept anything other than full
unrestricted access. We offered to roll each center's CSR file cabinets
over to the copy machine and copy any and all files the review team
identified as they watched us do so. Again, we were told that this was
insufficient. 

34 CFR 364.56 also requires CILs to release personal information if
required by federal laws or regulations, and to release personal
information in response to investigations in connection with law
enforcement, fraud or abuse, unless expressly prohibited by federal or
state laws or regulations, and in response to judicial order. 

Our understanding of federal laws and regulations which govern the
operation of a Center for Independent Living indicates that we were acting
withing those laws and regulations. In fact, we believe that we would be
in violation of federal regulations if we release the CSRs without taking
steps to protect the confidentiality rights of our consumers. 

We believe that it was reasonable to request that the team leader explain
the rationale by which he was insisting upon access to personally
identifying information which was other than what we knew to be the norm. 

We believe that it was reasonable to request notice of the review team
leader's demand in writing, with reference to the specific regulation
being cited, in order that we could share it with the board of directors,
who were not notified of the review team's intent during their meeting the
day before the demand was issued. 

We know that we were completely cooperative in every other aspect of the
review process, providing access to any and all fiscal, personnel or
operational records. We provided access to our board of directors, staff,
consumers, contractual providers including our outside accountant,
community partners, and even a meeting with the defendants in a recently
won ADA transportation lawsuit. 

34 CFR 74.53(e) states that the Secretary, the Inspector General,
Comptroller General of the United States, or any of their duly authorized
representatives, have the right of timely and unrestricted access to any
books, documents, papers or other records of recipients that are pertinent
to their awards.  However, nothing in this regulation indicates that
personal information must be disclosed without ensuring that there are
sufficient protections in place to ensure the confidentiality of the
information. 'Unrestricted access' is not mutually exclusive to the
concept of protecting confidential information. 

We asked Mr. Lulli for an explanation as to how it was 'pertinent to our
award' to allow the review team to simultaneously view the names and
addresses of consumers with confidential information included in their
files, and why it would be insufficient to redact the names, as had been
done in previous reviews conducted by RSA. He refused to provide this
explanation. After having reviewed the on-site review guide as it pertains
to the type of verification required re: consumer service records, we
continue to believe that our request was valid and appropriate. 

To summarize, we did not refuse the RSA monitoring review team access to
consumer service records. Rather, we acted in accordance with regulations
which require us to develop and maintain policies which protect the
confidentiality of our consumers by requesting RSA to either accept
consumer service records for which we had obtained releases of
information, accept redacted copies of consumer records, or to copy any
redact all consumer service records they selected.  During the exit
conference, we requested an opportunity to provide notice to consumers of
RSA's intent to review their confidential records, in accordance with the
regulations which we are required to follow. Mr. Lulli said that he would
note and respond to our request that RSA return to complete the review
once we had been able to achieve that objective. 

It is therefore Everybody Counts' position that we did not fail to provide
access to the CSRs but rather, were merely attempting to comply with
applicable federal regulations which mandate that we safeguard the
confidentiality of our consumers. 

Given that the records of more than 2,000 consumers are maintained in 38
file cabinet drawers, we suggest that perhaps a compromise would be to ask
RSA to select and identify those files which they wish to review, then
allow us to directly contact the individuals whose files were selected to
obtain written waivers that will allow us to disclose the consumers'
confidential information to RSA. Of course, we remain willing to provide
RSA with access to all 2,000 of the consumer service records if they will
allow us to redact personal identification information from those files. 

We look forward to receiving your response to this reconsideration request
at your earliest convenience. If it would be at all helpful to your
evaluation of this request, we videotaped the entire review and would be
happy to provide you with a copy of that videotape if you would like. 

Sincerely,

Teresa L. Torres, Executive Director
Evelyn Rhenwrick, Board President

cc:  

Steven M. Siros
Jenner & Block 
330 N. Wabash Avenue
Chicago, IL 60622

U.S. Representative Peter J. Visclosky
701 E. 83rd Avenue, Suite B
Merrillville, IN 46410

U.S. Senator Evan Bayh
5400 Federal Plaza
Hammond, IN 46320

U.S. Senator Richard Lugar
175 W. Lincolnway, Suite G-1
Valparaiso, IN 46383