Homeless Management Information Systems (HMIS) Data and Technical Standards: Complying with the Privacy Requirements in the Final Notice

Prepared by Abt Associates for the U.S. Department of Housing and Urban Development

HMIS Data and Technical Standards Training



HMIS Data and Technical Standards Training

• This is training module 3 of a 4-part series addressing the following components of the Final HMIS Data and Technical Standards:

– Training 1: Overview

– Training 2: Participation and Data Collection Requirements

– Training 3: Privacy Standards

– Training 4: Security and Technical Standards

• Other training modules are available at www.hmis.info


Companion Training Materials

• This training module features an accompanying set of training materials that includes:

– Overview of the Privacy Standards

– Baseline Model Privacy Notice for Homeless Organizations

– Sample Community Documents

• Privacy Posting from the Iowa HMIS

• Sample Privacy Notice from Rhode Island HMIS

• Sample Consent Protocol from Chicago’s Enterprise Case Management HMIS

• Excerpts from Lake County, IL Consent Protocol on Confidentiality and Informed Consent


Overview

• Privacy and Applicability of the Privacy Standards

• HMIS, HIPAA, and Other Applicable Laws

• Postings and Privacy Policies

• 7 Steps for Developing a Privacy Notice

• HMIS Consent Models

• Funding and Consent

• Summary


Defining Privacy

• Privacy refers to the safeguarding of protected personal information in the HMIS from open view, sharing or inappropriate use

• Protected Personal Information (PPI) is any information that might identify a specific individual or that might be manipulated or linked with other information to identify a specific individual


Privacy Standards Framework

• Defines two tiers of privacy: required baseline standards and additional recommended protocols;

• Outlines the policy solutions and technical safeguards necessary to protect client data; and

• Describes how HMIS requirements relate to federal, state and local laws.


Applicability of Privacy Standards

• Applies to all Covered Homeless Organizations (CHO) that record, use, or process Protected Personal Information (PPI) for an HMIS including:

– Continuum of Care (CoC)

– Homeless service provider

– HMIS host or administrator, etc.

• Employees, volunteers, affiliates, contractors, and associates are covered by the privacy standards of the CHOs they deal with; and

• Privacy standards apply to all CHOs, regardless of funding source, who use the HMIS.

• Handout: Overview of Privacy Standards


HMIS and HIPAA

• Health Insurance Portability and Accountability Act (HIPAA) privacy rules take precedence over HMIS Privacy Standards

• HIPAA-covered entities are required to meet HIPAA baseline privacy requirements, not HMIS

• Most CHOs are not covered by HIPAA. To learn more, go to http://www.hhs.gov/ocr/hipaa/


HMIS and Other Privacy Laws

• CHOs must comply with more stringent federal, state and local confidentiality laws; and

• If a conflict exists between state law and the HMIS, an official legal opinion on the matter should be prepared by the state’s Attorney General and submitted to HUD’s General Counsel for review.


HMIS and Domestic Violence Shelters

• In January 2006, the Violence Against Women Act (VAWA) Reauthorization of 2005 became law.

• VAWA contains provisions that amend the McKinney-Vento Homeless Assistance Act relating to the disclosure of data to HMIS by domestic violence providers. This legislation can be found at http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h3402:

• HUD is analyzing the legislation to determine the most appropriate instructions and advice to convey to communities and domestic violence programs


Questions?

• Are you aware of any state law that requires additional provisions for confidentiality?

• Has your community undertaken a legal assessment of existing state laws where a conflict may exist?

• What has been your experience?


Privacy Postings

• Every CHO must post the following information at each intake desk or comparable location:

– General explanation of reasons for collecting information; and

– Privacy policy/notice is available upon request.

• Handout: Sample Privacy Posting from Iowa HMIS


Privacy Policy & Consent

• A CHO must adopt a privacy policy consistent with CoC privacy protocols.

– If a CHO has a website it can post its privacy notice there.

• Once a CHO adopts its privacy policy, it may infer client consent from the protocols and practices described in the policy.


7 Steps to Develop a Baseline Privacy Notice

• Step 1: What the Notice Covers

• Step 2: How and Why Personal Information is Collected

• Step 3: Uses and Disclosures of Personal Information

• Step 4: Inspection and Correction of Personal Information

• Step 5: Quality of Data

• Step 6: Complaints and Accountability

• Step 7: History of Changes

• Handout: Baseline Privacy Notice


1. What the notice covers

• Name and address of CHO;

• Description of programs covered by the notice;

• Definition of protected personal information (PPI);

• Purpose of the notice;

• Amendment policy; and

• Right to receive a copy of the notice.


2. How and Why Personal Information is Collected

• Purpose(s) of capturing personal information;

• Lawful and fair means to collect personal information;

• Consent protocol;

• Sources of client information; and

• Reasons for asking for information—posted sign at intake desk.


3. Uses and Disclosures of Personal Information

• Describe the uses and disclosures that may be made, including:

– To provide or coordinate services;

– Payment or reimbursement for services;

– Carry out administrative functions;

– Create de-identified (anonymous) data;

– When required by law; and

– To avert a serious threat to health or safety.


3. Uses and disclosures (cont.)

• Describe the uses and disclosures that may be made, including:

– To report abuse, neglect, or domestic violence to a governmental authority;

– For academic research purposes;

– For law enforcement purposes; and

– All other uses and disclosures will require consent.


4. Inspection/Correction of Personal Information

• The Privacy Notice should also include:

– Procedure for inspection, access to a copy, or correction by a client with an explanation;

– Protocol for requesting correction; and

– Protocol for denial of request to correct.


5. Data Quality

• Information is used for the purpose for which it is collected.

• Seek to maintain only personal information that is accurate, complete, and timely.

• Policy for disposal and/or removal of identifiers after 7 years of non-use.

• Policy for maintenance of information if required by statute, regulation, contract or other requirements.


6. Complaints and Accountability

• Describe complaint procedure for questions or concerns about privacy and security policies.

• Signed receipt of compliance with privacy notice by all staff including employees, volunteers, affiliates, contractors, and associates.


7. History of Change

• A version control system should be used and summarized.

• Example:

– Version 1.0 Sept 10, 2004. First adopted.

– Version 1.1 Oct 21, 2004. Added Accountability to Access and Correction.

– Version 1.2 Nov 23, 2004. Clarified complaint procedure.


Additional Privacy Considerations

• Each baseline requirement has additional privacy protections that can be implemented and should be included in the privacy notice.

• Additional protections may include:

– Amendment procedures;

– Provision of notice;

– Collection purpose;

– Uses and Disclosures; and

– Access/Correction procedures.


HMIS Consent Models

• Inferred Consent:

– Baseline Requirement; and

– Client’s consent to release information is inferred from the privacy posting.

• Implied/Informed Consent:

– Verbal or physical consent is required.

• Written Consent:

– Client must sign a release of information (ROI).


Levels of Consent

• Consent to use data within an agency for program or agency operations.

• Consent to share personal identifying information for de-duplication purposes across the CoC.

• Consent to share additional information across programs to coordinate case management and service delivery.


HMIS Consent Examples

• Chicago:

– Inferred consent to share personal identifiers with an opt-out to share additional information.

• Michigan:

– Inferred consent / written consent for those at risk.

• Lake County, IL:

– Informed consent at agency and written consent for data sharing.


Inferred Consent with Opt-out: Chicago

• A notice informs clients of how personal information is used and disclosed.

– Personal identifiers are disclosed to a central server and typically shared with other providers for unduplication purposes.

• The notice offers clients the ability to opt-out of some disclosures to other agencies.

– Clients can request that personal identifiers NOT be shared; and

– Clients are asked affirmatively to consent to additional information sharing for case management purposes.

• Handout: Sample Consent Protocol from Chicago’s Enterprise Case Management HMIS


Informed Consent with Risk Assessment: Michigan

• All clients receive an oral explanation and a copy of the privacy notice; consent is inferred for data entry into HMIS.

• Every client is screened using a risk assessment tool to assess risk for data sharing for:

– Clients with friends or family who may have access to HMIS records; and

– Domestic Violence Victims.

• Handout: Risk Assessment Paper


Informed Consent with Risk Assessment: Michigan (continued)

• When risk is assessed to be high, the client is informed of options to participate and asked to consent to:

– Entering data into HMIS;

– Sharing identifiers with other providers; and

– Sharing data more broadly with other providers for case management.


Written Consent: Lake County, IL

• Informed consent for entering personal information into HMIS.

• Sharing of personal information between agencies requires written consent of client (or legal guardian).

• Sharing information on prior residence, income, health, criminal record or social services records requires a separate signed release of information.

• Handout: Excerpts from Lake County, IL Consent Protocol on Confidentiality and Informed Consent


Funding and Consent

• Funder data collection, record keeping, and reporting requirements often affect the scope of client consent.

• HUD-funded programs can infer consent from a client to participate in HMIS with appropriate baseline privacy protections in place (i.e., posted sign, privacy notice, etc.).

• Other funding sources may have similar programmatic requirements.


Summary

• Must also comply with other federal, state, and local confidentiality laws

• Must comply with limits to data collection (relevant, appropriate, lawful, specified in privacy notice)

• Must have written privacy policy and post on web site (if applicable)

• Must post sign at intake or comparable location with general reasons for collection and reference to privacy policy

• May infer consent for uses in the posted sign and written privacy policy


Additional Resources

• Final Notice:

– http://www.hud.gov/offices/cpd/homeless/hmis/standards/index.cfm

• HMIS Related Info:

– http://www.hud.gov/offices/cpd/homeless/hmis/index.cfm

– www.hmis.info