Hiring Events: Mar 28: Laredo | Mar 29: Laredo, Orange, Jasper | Mar 30: Beaumont, Texoma | Apr 4: Zapata | Apr 5: Texoma | More Job Fairs
TWC has launched a new way for customers to communicate with the agency.
Visit the Request Help portal to find answers to frequently asked questions and get help.


The Board VR Requirements Manual: 

  • Outlines the roles, responsibilities, coordination of, and fee structure for each of the three Board-VR services;
  • Establishes basic standards that apply to all of the services; 
  • Provides published standards for maintaining compliance; and
  • provides criteria in order to meet TWC performance expectations for each purchase.

All policies established in this chapter apply to Summer Earn and Learn (SEAL), Wage Services for VR Participants in Paid Work Experience (PWE), and the Student HireAbility Navigator programs unless otherwise specified.

Return to Top

1.1 Documentation, Recordkeeping, and Monitoring

Boards must maintain sufficient records participants as well as Navigator deliverables for the purposes of documenting, invoicing, program planning, monitoring, and service delivery. These records are considered supplemental information needed by the Board and its subcontractors for operational, documentation, and invoicing purposes.

Boards and any subcontractors associated with the programs must retain financial and supporting documents, statistical records, and any other records pertinent to the services provided under the these program. All records must be maintained in a paper or secure electronic format and in a safe and confidential manner. The records and documents must be kept for seven (7) years after the date of submission of the final invoice or until all billing-related questions are resolved, whichever is later.

Boards and any subcontractors associated with the programs must allow on-site monitoring visits and desk reviews, as deemed necessary by TWC to review all pertinent records.  Boards and any subcontractors associated with the programs must remedy in a timely manner, any weaknesses, deficiencies, or program noncompliance found as a result of a review, audit or investigation, and monitoring visit conducted by TWC.

Return to Top

1.2 Records Storage

1.2.1 Paper Record Storage

Paper is the preferred method for storing records. Stored paper documents must be protected:

  • as required in 1.3 Confidentiality; and
  • in a retrievable and organized manner that prevents the documents from being stolen, tampered with, or damaged.

The Board assumes all business risk associated with lost records. Lost records could result in adverse action against the Board. 

1.2.2 Electronic Storage (Not Cloud-Based or on a Third-Party Server)

Records stored on desktop computers or on portable devices (for example, on laptops, USB flash drives, hard drives, CDs, and DVDs) must be protected as required in 1.3 Confidentiality and 1.4 Data Encryption.

Portable devices must be protected from theft, tampering, or damage. The Board is responsible for all data collection and assumes all business risk associated with lost data. Lost data could result in adverse action against the Board.

1.2.3 Cloud-Based Storage

Records that are stored entirely or partially in the cloud must be stored in compliance with the Federal Risk and Authorization Management Program (FedRAMP), or must be able to be made compliant in a short, defined period of time, as independently verified and validated by a FedRAMP-accredited third-party assessment organization (3PAO).

The Board must comply with TWC's requirement that all data remain in the United States and meet TWC's stringent privacy and security requirements.

TWC's privacy and security requirements include the following:

Protecting confidential TWC information, including personally identifiable information, from—at a minimum—unauthorized disclosure, unauthorized access, and misuse in accordance with the National Institute of Standards and Technology's (NIST) Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), by establishing controls such as role-based access, encryption at rest, and encryption in transit

Disposing of data in a manner that complies with NIST Special Publication 800-88, Guidelines for Media Sanitization

Complying with TWC's minimum encryption standards, that is, with the Federal Information Processing Standard (FIPS) 140-2, validated 256 bit, Advanced Encryption Standard (AES), and SHA-256 Cryptographic Hash Algorithm

Complying with TWC's minimum cryptographic protocol Transport Layer Security (TLS) 1.1 (TLS 1.2 preferred) for protecting the security and privacy of communications over a computer network, including over the internet

Maintaining continuous process improvement and vigilance to assess risks, monitor and test security protection, and implement changes needed to protect TWC data

Cooperating fully with TWC's chief information security officer to detect and remediate vulnerability of the hosting infrastructure and/or the application

Giving TWC access to the Board's facilities, installations, technical capabilities, operations, documentation, records, and databases, to the extent required to carry out FedRAMP assessments and FedRAMP continuous monitoring, to safeguard against threats and hazards to the security, integrity, and confidentiality of the nonpublic TWC data that are collected and stored by the Board

The Board must notify TWC about new or unanticipated threats or hazards or about safeguards that cease to function, as the issues are discovered.

Complying with any additional FedRAMP privacy requirements

Understanding that TWC has the right to perform manual or automated audits, scans, reviews, or other inspections of the IT environment being used to provide or facilitate services for TWC

In accordance with Federal Acquisition Regulation 52.239-1, the Board must do as follows:

Obtain the contract officer's written consent before publishing or disclosing the details of safeguards that the Board designs, develops, or otherwise provides to TWC under contract (exception: disclosures to a consumer agency for the purposes of certifying or verifying authorization)

Give TWC access within 72 hours to the Board's facilities, installations, technical capabilities, operations, documentation, records, and databases, to the extent required to conduct an inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of TWC data

Inspections include vulnerability scans of authenticated and unauthenticated:

  • operating systems and networks;
  • web applications; and
  • database applications.

Automated scans can be performed by TWC personnel (or agents acting on behalf of TWC) using equipment operated or authorized by TWC and using TWC-specified tools.

Notify TWC immediately, if new or unanticipated threats or hazards are discovered, or if safeguards cease to function

If the Board chooses to run its own automated scans or audits, results from the scans or audits may, at TWC's discretion, be accepted in lieu of vulnerability scans performed by TWC; however:

  • the scanning tools and their configurations must be approved by TWC; and
  • the complete results must be provided to TWC

Return to Top

1.3 Confidentiality

All Boards, contractor employees, and subcontractors must keep VR participant and employee information confidential.

The Board must provide physical safeguards for confidential records, such as locked cabinets or encrypted file storage, and ensure that the records are available only to authorized staff members as needed to provide goods or services. VR participant case records must be stored in a secured location where there is maximum protection against fire, water damage, theft, and other hazards.

If a breach of confidentiality is discovered, the Board must report it immediately to the:

  • assigned VR counselor; or
  • TWC contract manager.

Return to Top

1.4 Data Encryption

VR policy and federal law requires that all email messages that contain confidential information must be sent using the level of encryption required by publication 140-2 of the Federal Information Processing Standard (FIPS).

If a Board is not equipped to use the FIPS 140-2 level of encryption, the Board must ask a VR staff member who is equipped to send the email message. The same message can then be used to send encrypted information back to VR, when the directions are followed accurately.

If the Board fails to use the FIPS 140-2 level of encryption, the Board must report a breach of confidentiality to the assigned TWC contract manager.

Return to Top

1.5 Sound Fiscal and Business Practices

Boards must demonstrate business procedures and internal controls that prevent the following practices:

Abuse - practices that are inconsistent with sound fiscal or business practices and that result in unnecessary costs, such as intentional destruction, diversion, manipulation, misapplication, or misuse of public resources in both financial or nonfinancial settings

Fraud - any intentional conduct designed to deceive others, resulting in a loss to the victim and/or a gain or benefit to the actor

Misconduct - intentional wrongdoing or improper behavior or activity

Waste - the thoughtless or careless expenditure, consumption, mismanagement, misuse, or squander of public resources, such as incurring unnecessary costs because of inefficient or ineffective practices, systems, or controls

Boards, Board employees and subcontractors must:

  • implement and maintain business controls that prevent fraud, waste, or abuse;
  • implement, maintain, and strengthen controls over the costs of services; and
  • obtain high-quality goods and services that are cost effective for VR participants.

Return to Top

1.6 Allegations or Incidents of Abuse, Neglect, or Exploitation

Texas Family Code §261.101 requires a professional person who has cause to believe that a child's physical or mental health or welfare has been adversely affected by abuse or neglect by any individual to immediately (within 48 hours) report the suspected abuse.

Texas Human Resources Code §48.051 requires a professional individual (such as any TWC contractor) to make a report if there is cause to believe that an individual age 65 or older or an individual with a disability is being abused, neglected, or exploited.

Any TWC contractor is a professional and is required to report any allegations or incidents of abuse, neglect, or exploitation.

Return to Top

1.7 Reporting and Documenting Allegations of Abuse, Neglect, or Exploitation

To report allegations of abuse, neglect, or exploitation, the individual who has cause to believe that abuse, neglect, or exploitation has occurred:

  • immediately contacts law enforcement, if the incident is a threat to health or safety;
  • secures the individual's safety;
  • immediately reports the incident to the appropriate investigatory agency, as listed in 1.8 Reporting to Investigatory Agencies;
  • documents in the VR participant's case file which investigatory agency was contacted, including the reference number provided by the investigatory agency; and
  • notifies the VR counselor, program specialist, and/or appropriate contract manager about the allegation.

If a licensed professional is involved as an alleged perpetrator, the information must also be reported to the appropriate professional licensing agency.

If injuries are sustained during an alleged incident, appropriate medical personnel must be contacted.

Return to Top

1.8 Reporting to Investigatory Agencies

Any Board or Board's employee or subcontractor that has cause to believe that a child who is a minor, an adult with a disability, or an individual 65 years of age or older is at risk of or in a state of harm due to abuse, neglect, or exploitation must immediately report the information to the appropriate investigatory agency (see the table below). If the incident is a threat to health or safety, the local law enforcement agency must also be notified.

Reporting suspected abuse, neglect, or exploitation directly to the appropriate investigatory agency is required, regardless of the circumstances.

Return to Top

1.9 Reporting Process

If the alleged abuse, neglect, or exploitation occurs in…

…then the Board that has cause to believe abuse, neglect, or exploitation has occurred, reports the information to the following:

  • a child care operation licensed by the Texas Department of Family and Protective Services, including a residential child care operation;
  • a state-licensed facility or community center that provides services for mental health, intellectual disabilities, or related conditions;
  • an adult foster home that has three or fewer VR participants and is not licensed by Texas Health and Human Services
  • an unlicensed room and board facility;
  • a school; or
  • an individual's own home

Texas Department of Family and Protective Services
Statewide Intake Program
P.O. Box 149030
Austin, Texas 78714-9030

Voice: 1-800-252-5400
Fax: (512) 832-2090

Texas Abuse Hotline

  • an assisted-living care facility licensed by Texas Health and Human Services;
  • a nursing home, adult day care;
  • a private intermediate care facility for individuals with intellectual disabilities; or
  • an adult foster care facility

Texas Department of Aging and Disability Services
Complaints Management and Investigations
P.O. Box 149030, Mail Code E-340
Austin, Texas 78714-9030


a Texas Department of State Health Services licensed substance abuse facility or program

Texas Department of State Health Services
Substance Abuse Compliance Group Investigations
1100 W. 49th Street
Austin, Texas 78756
Mail Code 2823


the Criss Cole Rehabilitation Center at:

Texas Workforce Commission
4800 N. Lamar Blvd.
Austin, Texas 78756

Report incident to the incident report mailbox for TWC Risk and Security Management at IncidentReports.RSM@twc.texas.gov

The Criss Cole Rehabilitation Center Policy Manual (Word) has additional reporting requirements.

a hospital licensed by the Texas Department of State Health Services

Texas Department of State Health Services
Facility Licensing Group
1100 W. 49th Street
Austin, TX 78756

Complaint Hotline: 1-888-973-0022

Return to Top

1.10 Reporting Abuse, Fraud, Misconduct, and Waste

A Board is responsible for any abuse, fraud, misconduct, or waste that is committed by the Board's staff or subcontractors.
If abuse, fraud, misconduct, or waste is reported, the Board must provide the assigned TWC contract manager with:

  • the name of the individual providing the information;
  • the name of the individual submitting the information (if different from the individual providing the information);
  • the name of an additional contact person;
  • details about whether and when law enforcement was notified;
  • the names of witnesses;
  • the name of the individual or facility being reported; and
  • detailed information about the abuse, fraud, misconduct, or waste.

Boards must report all allegations of fraud, misconduct, and waste to TWC Fraud Reporting.

Return to Top

1.11 Reporting Substance Abuse by VR Participants

If a VR participant is observed using alcohol or drugs, or any other evidence of substance abuse by the VR participant exists, the Board must:

  • report the information immediately to the VR counselor; and
  • document that the VR counselor was informed of the observations and other evidence.

Return to Top

1.12 Professionalism

Boards, their employees, and any subcontractors must perform in a professional manner and dress in business casual attire that is appropriate for the work activity and workplace:

  • when interacting with VR participants and staff; and
  • when providing services and visiting VR offices.
  • A professional manner is defined as:
  • maintaining the confidentiality of all customer information in full compliance with state and federal regulations;
  • obtaining a written confidentiality release when sharing information with others who are not VR staff or are not the customer's legal guardian;
  • not representing oneself as a state of Texas employee;
  • not representing the Board as a state agency;
  • reporting in a timely manner and to appropriate authorities the abuse or neglect of any customer or customer's family member;
  • considering the negative impacts of action or inaction on the part of the individual or contractor to the health, safety, or welfare of any customer or customer's family member;
  • avoiding relationships with VR participants or VR staff that would impair the contractor's objectivity in performing his or her duties or that would endanger confidentiality;
  • not engaging in activities or relationships with VR participants that might be misconstrued by the VR participant; or
  • not allowing a third party to be present when meeting with a VR participant at the VR participant's home or business, unless the VR participant has signed a release allowing the third party to be present or unless the third party is a potential employer.

Return to Top

1.13 Conflict of Interest

Boards and potential contractors must not offer, give, or agree to give TWC staff anything of value. Anything of value includes prepared foods, gift baskets, promotional items, awards, gift cards, meals, or promises of future employment. If a violation occurs, corrective action is required and may include contract termination or disqualification from receiving a future contract with TWC. Real or apparent conflicts of interest might occur when a former VR employee becomes an employee or a subcontractor of a Board.
A Board must not:

  • hire, contract with, or accept as a volunteer any current employees of TWC-VR
  • hire, contract with, or accept as a volunteer any former employees of TWC-VR earlier than 12 months after the separation date, if the former employee will provide contracted services as defined in the Board VR Requirements manual and/or Texas Government Code §572.069; or
  • knowingly request or obtain confidential information from a state employee for the benefit of the contractor, personally or professionally.

The scenarios above do not make up a complete list of real or apparent conflicts of interest. Failure to disclose a conflict of interest can result in contract termination, disqualification from receiving a future contract, and/or recoupment of payments.

Each Board must have a current VR3444, Conflict of Interest Certification, on file with its contract manager.

Return to Top

1.14 Board Required Policy and Procedures

The Board must develop and adhere to policies and procedures to protect VR participants, VR participant interests, visitors, and the Board's staff.
Boards must have policies and procedures in place before providing services to VR participants and must review and update their policies to ensure continued compliance with the standards. Boards must ensure that their policies and procedures do not conflict with the standards or the requirements of their contract. Boards must develop a written plan and maintain documentation that staff and customers, as appropriate, have been educated on policies and procedures.

At a minimum, Boards must have written policy and procedures on the following:

  • Maintaining confidentiality of VR participant and employee information (refer to 1.3 Confidentiality and 1.4 Data Encryption), including:
    • providing physical safeguards;
    • providing authorized access; and
    • reporting a breach of confidentiality
  • Managing VR participant expectations and responsibilities
  • Managing VR participant grievances
  • Providing VR participants with the VR toll-free telephone number (1-800-628-5115) and explaining that the number is for applicants and customers to use to report complaints or compliments about the contractor
  • Maintaining the Board's standards on
    • promoting employment of qualified individuals with disabilities;
    • maintaining professionalism;
    • avoiding conflicts of interest;
    • maintaining confidentiality;
    • using data encryption;
    • following sound fiscal and business practices;
    • reporting abuse, fraud, misconduct, and waste;
    • referring customers to VR; and
    • adhering to the terms of the contract.
  • Providing VR participant orientation on the reporting of allegations or incidents of abuse, exploitation, or neglect that involve individuals with disabilities (see Allegations or Incidents of Abuse, Neglect, or Exploitation).
  • Reporting observations or evidence that a customer is using alcohol or drugs (see Reporting Substance Abuse by VR participants)
  • Reporting unusual or unexpected incidents that compromise or may compromise the health or safety of individuals or the security of property used by the Board's employees or VR participants and visitors, including:
  • how to obtain emergency medical services for VR participants; and
  • how and when to report incidents.

Return to Top

1.15 Safe and Secure Environments

Boards must provide a safe and secure environment for their employees, VR participants, and visitors.
The Board must report all incidents in accordance with:

  • the Board's policies and procedures;
  • the Board's contract; and
  • state and/or federal regulations and laws.

An incident is an unusual or unexpected event that compromises or may compromise the health or safety of individuals or the security of property.
The Board must report incidents that involve VR participants, the Board's employees, or subcontractors.

Examples of incidents include, but are not limited to:

  • violence, including domestic violence;
  • automobile accidents;
  • physical or sexual assault;
  • terrorist threats;
  • serious medical emergencies, deaths, or suicides;
  • breaches of confidential information (refer to 1.6.3 Confidentiality);
  • theft or loss of property or mischievous or malicious destruction of property on loan from or purchased by VR;
  • negative behaviors displayed by VR participants;
  • fires or accidents involving hazardous materials;
  • interruption of service that is due to an emergency or disaster;
  • threat of harm to oneself or others by personal contact, letter, phone, or email; and
  • abuse, neglect, or exploitation of an individual with a disability.

All incidents must be reported within one business day to the:

  • VR counselor; and
  • TWC contract manager.

VR policies and procedures require VR employees to report incidents in writing, as required by Texas law, the appropriate licensure and investigating agencies, the standards, and the Board's contract. See 1.6 Allegations or Incidents of Abuse, Neglect, or Exploitation.

Return to Top