In North Carolina, each county department of social services (DSS) is responsible for receiving and evaluating reports of alleged abuse, neglect, or exploitation of disabled adults. See G.S. 108A-102 and –103. These reports and the evaluations that follow them often involve highly sensitive information about vulnerable adults. From time to time, each DSS receives requests for this adult protective services (APS) information. For example, a law enforcement agency may want APS information to help solve a crime or protect a crime victim. A medical examiner may seek APS information to investigate an individual’s cause of death. A concerned family member may ask for APS information to better understand how DSS handled a deceased relative’s case. In each of these scenarios, DSS needs to understand when it is legally allowed—or even required—to release this information. This blog explores North Carolina’s laws regarding the confidentiality of APS information, including introducing a new flowchart for analyzing when state and federal laws allow APS information to be disclosed. Future blog posts in this series will provide examples of mandatory and permissive disclosures of APS information.

What Confidentiality Laws Apply to APS Information?

The Foundation: G.S. 108A-80.

G.S. 108A-80 is the foundational state confidentiality statute that broadly protects social services information. Under G.S. 108A-80, it is unlawful for any person to disclose or use information regarding individuals applying for or receiving public assistance or social services that may be directly or indirectly derived from the records, files, or communications of a county DSS or acquired in the course of performing official duties, except for purposes directly connected with the administration of programs of public assistance and social services.

G.S. 108A-80 makes all information about individuals applying for or receiving social services confidential, but it does not clarify when DSS may (or must) disclose that information. Some of those answers are found in Title 10A of the North Carolina Administrative Code (NCAC), which provides more specific rules regarding when DSS may (or must) disclose certain social services information. The rules that apply generally to social services information—including economic services and APS information—are found in 10A NCAC Chapter 69.  These rules contain several exceptions that would allow DSS to disclose APS information to specific individuals or agencies for particular purposes. For example, under the NCAC rules, DSS may share confidential information:

• internally among DSS staff as necessary to make referrals, provide supervision and consultation, or determine client eligibility for services or programs (10A NCAC 69 .0501);
• with another county DSS as necessary to facilitate the provision of a service requested by a referring county DSS (10A NCAC 69 .0501);
• with federal, state, or county employees for the purpose of monitoring, auditing, evaluating, or facilitating the administration of other state and federal programs, provided that “the need for the disclosure of confidential information is justifiable for the purpose” (10A NCAC 69 .0503).

Specific Rules and Statutes for Some APS Information.

A few specific categories of APS information receive heightened confidentiality protection under North Carolina law (specifically, under 10A NCAC Chapter 71A and G.S. 108A-116). Reading the statutes and rules in harmony with each other, the laws requiring heightened protection for certain APS information override the general authority for disclosing information provided under the 10A NCAC Chapter 69 rules described above. In other words, when the Chapter 69 rules allow information to be disclosed but a rule or statute more specifically applying to APS information does not allow it, DSS should follow the more APS-specific rule or statute.

The following three categories of APS information receive more heightened, specific confidentiality protections under North Carolina law:

1. The identity of the reporter (or anyone who provides information to DSS during an APS investigation). 10A NCAC 71A .0802 only allows DSS to disclose the reporter’s identity in three specific situations:

• when a court orders disclosure of this information;
• to the Division of Health Service Regulation when Division staff request this information to carry out an investigation; and
• to the district attorney’s office or law enforcement officials involved with a criminal investigation of alleged abuse, neglect, or exploitation of a disabled adult.

2. Any “specific findings” included in DSS’s evaluation report when evaluating any report of abuse, neglect, or exploitation of a disabled adult. See 10A NCAC 71A .0803. These specific findings may only be disclosed:

• pursuant to the disabled adult’s authorization;
• pursuant to a court order;
• to other persons or agencies as necessary to provide protective services to the disabled adult;
• to the district attorney or law enforcement agencies upon request, but only if evidence of abuse, neglect, or exploitation is found;
• to federal, state, and law enforcement agencies when the results of the APS evaluation indicate violations of other laws enforced by those agencies; or
• to certain agencies within the North Carolina Department of Health and Human Services (NCDHHS) when a county DSS has substantiated a report of abuse, neglect, or exploitation.

3. Copies of a disabled adult or older adult’s financial records or other information DSS receives as part of a financial exploitation report from a financial institution.

Any financial institution (or officer or employee of a financial institution) with reasonable cause to believe that a disabled adult is the victim or target of financial exploitation must report that information to the appropriate county DSS. G.S. 108A-115. Any information DSS receives from a financial institution making such a report may only be disclosed by DSS pursuant to a court order. G.S. 108A-116(d). Likewise, DSS may only disclose copies of a disabled adult or older adult’s financial records that it receives from a bank or other financial institution pursuant to a court order. G.S. 108A-116(d).

Other State Law Limitations.

Two other state laws (not specifically related to social services) may further limit how DSS may disclose certain information in a client’s APS records. These laws apply to two different types of information:

• Information From Any “Facility” Providing Mental Health, Developmental Disabilities, or Substance Abuse (MH/DD/SA) Services. Any information relating to an individual served by a “facility” and received in connection with the performance of any function of the facility is protected by Article 3 of Chapter 122C of the North Carolina General Statutes (G.S. 122C-52 through -56). A “facility” includes any individual, agency, company, area authority, or state facility whose primary purpose is to provide services for the care, treatment, habilitation, or rehabilitation of individuals with mental illnesses, intellectual or other developmental disabilities, or substance use disorders. G.S. 122C-3(14). For example, “facilities” include providers of outpatient and inpatient services, state-operated and privately operated psychiatric hospitals, psychiatric residential treatment centers, and organizations and individuals who contract with LME/MCOs to provide MH/DD/SA services to clients. The G.S. 122C confidentiality statutes protect, for example, information about an individual’s mental health diagnosis or treatment. They also protect information that identifies someone as a recipient of mental health, developmental disabilities, or substance abuse services from a “facility.” See G.S. 122C-3(9) (defining “confidential information”).
• Information Identifying Someone as Having a Reportable Communicable Disease.“All information and records…that identify a person who has or may have a disease or condition required to be reported” are confidential under North Carolina law. G.S. 130A-143. The list of reportable communicable diseases is found at 10A NCAC 41A .0101 and includes diseases and conditions such as syphilis, gonorrhea, HIV infection, chickenpox, botulism, tuberculosis, polio, rabies, meningitis, malaria, measles, mumps, Lyme disease, smallpox, typhoid, and whooping cough, among others.

For a more detailed explanation of these state confidentiality laws and how they apply, please refer to Part 2 of this School of Government bulletin.

Federal Limitations.

Even if state confidentiality laws allow the disclosure of APS information under certain circumstances, DSS may not disclose the information if doing so would be prohibited by a federal confidentiality law. Two federal confidentiality laws often arise in discussions about APS records held by DSS.

• The Health Insurance Portability and Accountability Act (“HIPAA”). Contrary to a popular misconception, the HIPAA Privacy Rule does not apply to an individual’s health records in the hands of any person or entity. HIPAA and its implementing regulations only apply to “covered entities” and their “business associates.” Covered entities are health plans, health care clearinghouses, and health care providers who electronically transmit health information as part of a transaction that is regulated under HIPAA. A business associate is a person or entity that performs certain functions or activities on behalf of a HIPAA covered entity that involve the use or disclosure of protected health information, pursuant to a business associate agreement. Not every DSS will be a HIPAA covered entity. Each DSS should discuss with legal counsel whether it is a HIPAA covered entity (particularly since HIPAA involves many requirements beyond confidentiality), but as a general principle, a DSS is more likely to be a HIPAA covered entity if it has a health care provider (including a behavioral health provider) on its staff that bills Medicaid or private insurance for services. If a DSS is not a covered entity or business associate of a covered entity, then HIPAA does not apply to medical records or other health information that DSS has in its APS records. In other words, once records or information are disclosed by a health care provider to a DSS that is not a HIPAA covered entity or business associate of a HIPAA covered entity, that DSS is not bound by HIPAA with respect to how it discloses the records or information.
• 42 C.F.R. Part 2. These federal regulations apply to information acquired or created by federally assisted “programs” (including individual healthcare providers) that provide substance use disorder (SUD) diagnosis, treatment, or referral for treatment. Unlike HIPAA, the confidentiality restrictions of 42 C.F.R. Part 2 (Part 2) continue to apply to SUD diagnosis or treatment information in the hands of any “lawful holder” who receives such information from a Part 2 program. In other words, once DSS receives SUD diagnosis or treatment information from a Part 2 covered provider, it may only disclose that information as allowed by Part 2. Generally speaking, absent a medical emergency, DSS may only disclose Part 2 protected information pursuant to
  • written consent from the patient, which must meet certain requirements (42 CFR Part 2 Subpart C), or
  • a court order, which must meet certain requirements (42 CFR Part 2 Subpart E).

For a more detailed explanation of each of these federal confidentiality laws and how they apply, please refer to Part 2 of this School of Government bulletin.

Framework for Analyzing When DSS May Disclose APS Information

The complex legal landscape described above requires DSS to synthesize many state and federal requirements when dealing with a request for APS information. To help determine if disclosing information is permitted, prohibited, or required, a DSS should consider the five questions below. This framework is illustrated in this new flowchart, available as a free download from the School of Government.

1. Does a state or federal law require the disclosure of this information to the requesting party? In other words, does the requesting party have a statutory right of access to this particular information, even if it would otherwise be confidential? Some state and federal laws require the disclosure of information or records in certain circumstances to certain recipients, even when that information would otherwise be confidential under state law. For example, the Chief Medical Examiner or county medical examiner has a statutory right to inspect and copy the medical records of any decedent whose death is under investigation. G.S. 130A-385(a)(1). As another example, if DSS receives information during an APS investigation that a juvenile may have been physically harmed in violation of any criminal statute by any person other than the juvenile’s parent, guardian, custodian, or caretaker, DSS must report that information to the district attorney and to the appropriate local law enforcement agency within 48 hours after receipt of the information. G.S. 7B-307. If the disclosure of certain APS information is required by federal law, DSS should disclose the information. If the disclosure of certain APS information is required by state law, DSS should disclose the information, unless federal law prohibits the disclosure. Mandatory disclosures will be discussed in more detail in a future post in this series.

2. If the answer to #1 is “no” (the law does not mandate disclosure of the information), then ask: does the requested information fall into one of three specific categories of APS information (identity of the reporter, specific APS evaluation findings, certain financial records) that receive more heightened confidentiality protection under state law?

If so, DSS should look to the specific statute or rule that applies to that information to see if the disclosure is allowed.

• For information about the identity of the reporter or anyone who provides information to DSS in the course of an APS investigation, look to 10A NCAC 71A .0802.
• For specific findings included in DSS’s evaluation report when evaluating a report of abuse, neglect, or exploitation of a disabled adult, look to 10A NCAC 71A .0803.
• For copies of a disabled adult or older adult’s financial records, or other information DSS receives in the course of a report of financial exploitation from a financial institution, look to G.S. 108A-116(d).

3. If the answer to #2 is “no” (the information does not fall into a category that receives heightened protection under state law), then ask: do the generally applicable social services confidentiality rules in 10A NCAC Chapter 69 allow this disclosure?

These rules allow disclosure of social services information in a number of different circumstances, including:

• when the client provides written consent (10A NCAC 69 .0401);
• when the client requests access to their own information (10A NCAC 69 .0301);
• internally within DSS, when necessary for DSS to make internal referrals, provide supervision and consultation, or determine client eligibility for services or programs (10A NCAC 69 .0501);
• to another county DSS, when a different county DSS is providing services to a client (10A NCAC 69 .0501);
• for research purposes, as approved by NCDHHS (10A NCAC 69 .0502);
• as required to comply with court order or state or federal law (10A NCAC 69 .0504); and
• to federal, state, or county employees for the purpose of monitoring, auditing, evaluating, or facilitating the administration of other state and federal programs (10A NCAC 69 .0503).

Each of these rules has specific requirements and conditions regarding when information may be disclosed. DSS employees should review the specific rule that applies to the situation to determine whether (and to what extent) DSS is allowed to release information.

4. If disclosure of APS records or information is allowed under Step #2 or #3, above, then ask: does the requested information include MH/DD/SA information that DSS received from “a facility” or information that identifies someone as having a communicable disease?

• If the requested information includes MH/DD/SA information that DSS received from “a facility,” DSS should look to G.S. 122C-52 through -56 to determine when that information may be released. These statutes contain many different exceptions that allow disclosure of MH/DD/SA information, including allowing disclosure to the client or their “legally responsible person” (under certain circumstances, see G.S. 122C-53(c)-(d)), disclosure pursuant to the consent of the client or their legally responsible person (G.S. 122C-53(a)), disclosure as required by state or federal law (G.S. 122C-54(h)), and disclosure for purposes of filing a petition for the adjudication of incompetency of the client and the appointment of a guardian under Chapter 35A of the General Statutes (G.S. 122C-54(a1)).
• If the requested information includes identifiable communicable disease information, DSS should look to G.S. 130A-143 to determine when that information may be released. This statute lists eleven different circumstances in which communicable disease information may be disclosed.

5. If disclosure of APS records or information is required or allowed under Steps #1-4, above, then ask: does a federal law (such as 42 C.F.R. Part 2) prohibit DSS from releasing any part of the requested information?

If a federal law prohibits disclosure of certain information, then DSS must redact or withhold that information, even if it would be allowed (or required) to release it under state law. For example, state law (10A NCAC 71A .0803) allows DSS to share specific findings of its APS evaluation “to other persons or agencies as necessary to provide protective services” to a disabled adult. However, if that APS evaluation contains diagnosis or treatment information about the disabled adult’s substance use that came from a federally funded SUD treatment program, 42 C.F.R. Part 2 will generally prohibit DSS from releasing that information without written consent of the client (see Subpart C of Part 2), a court order (see Subpart E of Part 2), or a bona fide medical emergency in which the client’s prior written consent cannot be obtained (42 C.F.R. 2.51).

Special Information Sharing Framework for Case Review Multidisciplinary Teams

Effective October 1, 2025, a new law (Session Law 2025-23) authorizes DSS to share APS information with a case review multidisciplinary team (MDT), if the case review MDT has been established pursuant to requirements in the new law (case review MDT is defined in G.S. 108A-118.1, and requirements for a county to establish an MDT are set forth in G.S. 108A-118.2).

• Under the new law, DSS will be authorized to share any information (whether or not confidential under any other state law) with the Case Review Multidisciplinary Team, if such information is relevant to (1) performing reviews of selected active cases in which disabled adults or older adults are being served by APS through a local department of social services; or (2) providing, arranging, or coordinating services on behalf of disabled adults or older adults whose cases have been or are currently under review by the Case Review Multidisciplinary Team. G.S. 108A-118.6(a).
• DSS cannot, however, share with the team (1) any information that discloses the identity of an individual who has reported suspected abuse, neglect, or exploitation of a disabled adult or older adult to DSS, except as allowed by state or federal law (look to 10A NCAC 71A .0802 to determine which reporter identity may be disclosed), or (2) any information that DSS would be prohibited from sharing under federal law. G.S. 108A-118.6(a)-(b).

Accordingly, when DSS is considering whether it may disclose APS information to a Case Review Multidisciplinary Team, it may skip the steps above and instead consider:

1. Is this information relevant to:

• performing reviews of selected active cases in which disabled adults or older adults are being served by APS through local departments of social services; or
• providing, arranging, or coordinating services on behalf of disabled adults or older adults whose cases have been or are currently under review by the Case Review Multidisciplinary Team?

2. If yes to either, then DSS may disclose such information to the Case Review Multidisciplinary Team, with the exception of:
   • information about the reporter of abuse, neglect, or exploitation, which may only be disclosed to specific team members when allowed by 10A NCAC 71A .0802; and
   • information that DSS is prohibited from releasing to the team by federal law.