HMIS Data - PowerPoint PPT Presentation

About This Presentation
Title:

HMIS Data

Description:

HMIS Data & Technical Standards: Privacy Requirements & Compliance. Matt White, Abt Associates Inc. HUD's National HMIS Technical Assistance Initiative – PowerPoint PPT presentation


Transcript and Presenter's Notes



1
HMIS Data & Technical Standards: Privacy
Requirements & Compliance
  • Matt White, Abt Associates Inc.
  • HUD's National HMIS Technical Assistance
    Initiative

April 11, 2008
2
Overview
  • Review of Privacy Standards
  • Applicability of the Privacy Standards
  • HMIS, HIPAA and Other Applicable Laws
  • Postings and Privacy Policies
  • 7 Steps for Developing a Privacy Notice
  • HMIS Consent Models
  • Funding and Consent
  • Privacy Compliance and Implications for CoCs and
    Providers

3
Privacy Standards Framework
  • Defines two tiers of privacy:
  • Required baseline standards and
  • Additional recommended protocols.
  • Outlines the policy solutions and technical
    safeguards necessary to protect client data.
  • Describes how HMIS requirements relate to
    federal, state and local laws.

Handout 1
4
Privacy Standards
  • 4.1.1. Definition of Terms
  • Homeless Management Information System (HMIS) -
    the information system designated by a CoC to
    process PPI or other data in order to generate an
    unduplicated accounting of homelessness within
    the CoC. An HMIS may include other functions
    beyond unduplicated accounting.
  • Covered Homeless Organization (CHO) - any
    organization (employees, volunteers, and
    contractors) that records, uses or processes
    Protected Personal Information
  • Protected Personal Information (PPI) - any
    information about a homeless client that (1)
    identifies a specific individual, (2) can be
    manipulated so that identification is possible,
    or (3) can be linked with other available
    information to identify a specific individual.

5
Privacy Standards
  • 4.1.3. Allowable HMIS Uses and Disclosures of
    Protected Personal Information (PPI)
  • A CHO may use or disclose PPI from an HMIS:
  • To provide or coordinate services to an
    individual
  • For functions related to payment or reimbursement
    for services
  • To carry out administrative functions, including
    but not limited to legal, audit, personnel,
    oversight and management functions; or
  • For creating de-identified PPI

6
4.1.3. Allowable (but not mandatory) HMIS Uses
and Disclosures of PPI (cont.)
  • Uses and disclosures required by law
  • Uses and disclosures to avert a serious threat to
    health or safety
  • Uses and disclosures about victims of abuse,
    neglect or domestic violence
  • Uses and disclosures for academic research
    purposes
  • Disclosures for law enforcement purposes

7
4.2 HMIS Privacy Requirements
  • 4.2.1. Data Collection Limitations
  • 4.2.2. Data Quality
  • 4.2.3. Purpose and Use Limitations
  • 4.2.4. Openness
  • 4.2.5. Access and Correction
  • 4.2.6. Accountability

8
4.2.1. Collection Limitation
  • Baseline Requirement
  • A CHO may collect PPI only when appropriate to
    the purposes for which the information is
    obtained or when required by law
  • A CHO must collect PPI by lawful and fair means
    and, where appropriate, with the knowledge or
    consent of the individual
  • A CHO must post a sign at each intake desk (or
    comparable location) that explains generally the
    reasons for collecting this information

9
4.2.1. Collection Limitation (cont.)
  • Optional Elements
  • Restricting collection of personal data, other
    than required HMIS data elements
  • Collecting PPI only with the express knowledge or
    consent of the individual (unless required by
    law)
  • Obtaining oral or written consent from the
    individual for the collection of personal
    information from the individual or from a third
    party

10
4.2.2. Data Quality
  • Baseline Requirement
  • PPI collected by a CHO must be relevant to the
    purpose for which it is to be used. To the extent
    necessary for those purposes, PPI should be
    accurate, complete and timely
  • A CHO must develop and implement a plan to
    dispose of, or, in the alternative, to remove
    identifiers from, PPI that is not in current use
    seven years after the PPI was created or last
    changed (unless a statutory, regulatory,
    contractual, or other requirement mandates longer
    retention)
  • Optional Elements
  • None defined
  • Quality (accurate, complete, timely) not defined

11
4.2.3. Purpose Specification and Use Limitation
  • Baseline Requirement
  • A CHO must specify in its privacy notice the
    purposes for which it collects PPI and must
    describe all uses and disclosures
  • A CHO may use or disclose PPI only if the use or
    disclosure is allowed by this standard and is
    described in its privacy notice. A CHO may infer
    consent for all uses and disclosures specified in
    the notice and for uses and disclosures
    determined by the CHO to be compatible with those
    specified in the notice.
  • Except for first party access to information and
    any required disclosures for oversight of
    compliance with HMIS privacy and security
    standards, all uses and disclosures are
    permissive and not mandatory. Uses and
    disclosures not specified in the privacy notice
    can be made only with the consent of the
    individual or when required by law.

12
4.2.3. Purpose Specification and Use Limitation
(cont.)
  • Optional Elements 1
  • Seeking either oral or written consent for some
    or all processing when individual consent for a
    use, disclosure or other form of processing is
    appropriate
  • Agreeing to additional restrictions on use or
    disclosure of an individual's PPI at the request
    of the individual if the request is reasonable.
    The CHO is bound by the agreement, except if
    inconsistent with legal requirements
  • Limiting uses and disclosures to those specified
    in its privacy notice and to other uses and
    disclosures that are necessary for those
    specified

13
4.2.3. Purpose Specification and Use Limitation
(cont.)
  • Optional Elements 2
  • Committing that PPI may not be disclosed directly
    or indirectly to any government agency (including
    a contractor or grantee of an agency) for
    inclusion in any national homeless database that
    contains personal protected information unless
    required by statute
  • Committing to maintain an audit trail containing
    the date, purpose and recipient of some or all
    disclosures of PPI
  • Committing to make audit trails of disclosures
    available to the homeless individual and
  • Limiting disclosures of PPI to the minimum
    necessary to accomplish the purpose of the
    disclosure.

14
4.2.4. Openness
  • Baseline Requirement
  • A CHO must publish a privacy notice describing
    its policies and practices for the processing of
    PPI and must provide a copy of its privacy notice
    to any individual upon request.
  • A CHO must post a sign stating the availability
    of its privacy notice to any individual who
    requests a copy.
  • A CHO must state in its privacy notice that the
    policy may be amended at any time and that
    amendments may affect information obtained by the
    CHO before the date of the change. An amendment
    to the privacy notice regarding use or disclosure
    will be effective with respect to information
    processed before the amendment, unless otherwise
    stated.

15
4.2.4. Openness (cont.)
  • Optional Elements
  • Making a reasonable effort to offer a copy of the
    privacy notice to each client at or around the
    time of data collection or at another appropriate
    time
  • Giving a copy of its privacy notice to each
    client on or about the time of first data
    collection. If the first contact is over the
    telephone, the privacy notice may be provided at
    the first in-person contact (or by mail, if
    requested) and/or
  • Adopting a policy for changing its privacy notice
    that includes advance notice of the change,
    consideration of public comments, and prospective
    application of changes.

16
4.2.5. Access and Correction
  • Baseline Requirement
  • In general, a CHO must allow an individual to
    inspect and to have a copy of any PPI about the
    individual.
  • A CHO must offer to explain any information that
    the individual may not understand.
  • A CHO must consider any request by an individual
    for correction of inaccurate or incomplete PPI
    pertaining to the individual. A CHO is not
    required to remove any information but may, in
    the alternative, mark information as inaccurate
    or incomplete and may supplement it with
    additional information.

17
4.2.5. Access and Correction (cont.)
  • Optional Elements 1
  • A CHO SHOULD reserve the ability to rely on the
    following reasons for denying requests
  • Information compiled in reasonable anticipation
    of litigation or comparable proceedings
  • Information about another individual (other than
    a health care or homeless provider)
  • Information obtained under a promise of
    confidentiality (other than a promise from a
    health care or homeless provider) if disclosure
    would reveal the source of the information or
  • Information, the disclosure of which would be
    reasonably likely to endanger the life or
    physical safety of any individual.

18
4.2.5. Access and Correction (cont.)
  • Optional Elements 2
  • Accepting an appeal of a denial of access or
    correction by adopting its own appeal procedure
    and describing the procedure in its privacy
    notice
  • Limiting the grounds for denial of access by not
    stating a recognized basis for denial in its
    privacy notice
  • Allowing an individual whose request for
    correction has been denied to add to the
    individual's information a concise statement of
    disagreement. A CHO may agree to disclose the
    statement of disagreement whenever it discloses
    the disputed PPI to another person. These
    procedures must be described in the CHO's privacy
    notice and/or
  • Providing to an individual a written explanation
    of the reason for a denial of an individual's
    request for access or correction.

19
4.2.6. Accountability
  • Baseline Requirement
  • A CHO must establish a procedure for accepting
    and considering questions or complaints about its
    privacy and security policies and practices.
  • A CHO must require each member of its staff
    (including employees, volunteers, affiliates,
    contractors and associates) to sign (annually or
    otherwise) a confidentiality agreement that
    acknowledges receipt of a copy of the privacy
    notice and that pledges to comply with the
    privacy notice.

20
4.2.6. Accountability (cont.)
  • Optional Elements
  • Requiring each member of its staff (including
    employees, volunteers, affiliates, contractors
    and associates) to undergo (annually or
    otherwise) formal training in privacy
    requirements
  • Establishing a method, such as an internal audit,
    for regularly reviewing compliance with its
    privacy policy
  • Establishing an internal or external appeal
    process for hearing an appeal of a privacy
    complaint or an appeal of a denial of access or
    correction rights and/or
  • Designating a chief privacy officer to supervise
    implementation of the CHO's privacy standards.

21
Agenda Check
  • Review of Privacy Standards
  • Applicability of the Privacy Standards
  • HMIS, HIPAA and Other Applicable Laws
  • Postings and Privacy Policies
  • 7 Steps for Developing a Privacy Notice
  • HMIS Consent Models
  • Funding and Consent
  • Privacy Compliance and Implications for CoCs and
    Providers

22
Applicability of Privacy Standards
  • Apply to all Covered Homeless Organizations
    (CHOs) that record, use or process Protected
    Personal Information (PPI) for an HMIS,
    including
  • Continuums of Care (CoCs)
  • Homeless service providers
  • HMIS hosts or administrators
  • Employees, volunteers, affiliates, contractors,
    and associates are covered by the privacy
    standards of the CHOs they deal with
  • Privacy standards apply to all CHOs who use the
    HMIS, regardless of funding source

23
HMIS & HIPAA
  • Health Insurance Portability and Accountability
    Act of 1996 (HIPAA) creates challenges for HMIS
    implementations
  • HIPAA privacy rules take precedence over HMIS
    Privacy Standards
  • HIPAA covered entities are required to meet HIPAA
    baseline privacy requirements, not HMIS

24
HMIS & HIPAA (cont.)
  • Most CHOs are not covered by HIPAA
  • An entity becomes regulated under HIPAA only if
    it is:
  • A health care provider that engages in one of
    HIPAA's covered standard transactions
    electronically
  • A clearinghouse or
  • A health plan.
  • To learn more go to http://www.hhs.gov/ocr/hipaa/
    or see 45 CFR 160.102-103

25
HMIS & Other Privacy Laws
  • CHOs must comply with more stringent federal,
    state and local confidentiality laws
  • If a conflict exists between state law and the
    HMIS, an official legal opinion on the matter
    should be prepared by the state's Attorney
    General and submitted to HUD's General Counsel
    for review

26
HMIS & Domestic Violence Shelters
  • In January 2006, the Violence Against Women Act
    (VAWA) Reauthorization of 2005 became law
  • VAWA contains provisions that amend the
    McKinney-Vento Homeless Assistance Act relating
    to the disclosure of data to HMIS by domestic
    violence providers (see
    http://thomas.loc.gov/cgi-bin/bdquery/z?d109h3402)
  • Applies to SHP-funded victim service providers,
    not mainstream providers

27
Agenda Check
  • Review of Privacy Standards
  • Applicability of the Privacy Standards
  • HMIS, HIPAA and Other Applicable Laws
  • Postings and Privacy Policies
  • 7 Steps for Developing a Privacy Notice
  • HMIS Consent Models
  • Funding and Consent
  • Privacy Compliance and Implications for CoCs and
    Providers

28
Privacy Postings
  • Every CHO must post the following information at
    each intake desk or comparable location
  • General explanation of reasons for collecting
    information and
  • Privacy policy/notice is available upon request.

29
Privacy Policy & Consent
  • A CHO must adopt a privacy policy consistent with
    CoC privacy protocols
  • If a CHO has a website, it can post its privacy
    notice there
  • Once a CHO adopts its privacy policy, it may
    infer client consent from the protocols and
    practices it described in the policy

Handout 2
30
7 Steps to Develop a Baseline Privacy Notice
  • Step 1: What the Notice Covers
  • Step 2: How and Why Personal Information is
    Collected
  • Step 3: Uses and Disclosure of Personal
    Information
  • Step 4: Inspection and Correction of Personal
    Information
  • Step 5: Quality of Data
  • Step 6: Complaints and Accountability
  • Step 7: History of Changes

31
1. What the Notice Covers
  • Name and address of CHO
  • Description of programs covered by the notice
  • Definition of personal protected information
    (PPI)
  • Purpose of the notice
  • Amendment policy
  • Right to receive a copy of the notice

32
2. How and Why Personal Information is Collected
  • Purpose(s) of capturing personal information
  • Lawful and fair means to collect personal
    information
  • Consent protocol
  • Sources of client information
  • Reasons for asking for information - posted sign
    at intake desk

33
3. Uses and Disclosures of Personal Information
  • Describe uses and disclosures that may be made,
    including:
  • To provide or coordinate services
  • Payment or reimbursement for services
  • Carry out administrative functions
  • Create de-identified (anonymous) data
  • When required by law
  • To avert a serious threat to health or safety
  • To report abuse, neglect or domestic violence to
    a government authority
  • For academic research purposes and
  • For law enforcement purposes.
  • All other uses and disclosures will require
    consent

34
4. Inspection & Correction of Personal Information
  • The privacy notice should also include:
  • Procedure for inspection, access to a copy, or
    correction by a client with an explanation
  • Protocol for requesting correction and
  • Protocol for denial or request to correct.

35
5. Data Quality
  • Information is used for the purpose for which it
    is collected
  • Seek to maintain only personal information that
    is accurate, complete and timely
  • Policy for disposal and/or removal of identifiers
    after 7 years of non-use
  • Policy for maintenance of information if required
    by statute, regulation, contract or other
    requirements

36
6. Complaints and Accountability
  • Describe complaint procedure for questions or
    concerns about privacy and security policies
  • Signed receipt of compliance with privacy notice
    by all staff including employees, volunteers,
    affiliates, contractors and associates

37
7. History of Change
  • A version control system should be used and
    summarized
  • Example
  • Version 1.0 Sept. 10, 2004. First adopted.
  • Version 1.1 Oct. 21, 2004. Added Accountability
    to Access and Correction
  • Version 1.2 Nov. 23, 2004. Clarified complaint
    procedure

38
Additional Privacy Considerations
  • Each baseline requirement has additional privacy
    protections that can be implemented and should be
    included in the privacy notice
  • Additional protections may include
  • Amendment procedures
  • Provision of notice
  • Collection purpose
  • Uses and disclosures
  • Access/correction procedures

39
Agenda Check
  • Review of Privacy Standards
  • Applicability of the Privacy Standards
  • HMIS, HIPAA and Other Applicable Laws
  • Postings and Privacy Policies
  • 7 Steps for Developing a Privacy Notice
  • HMIS Consent Models
  • Funding and Consent
  • Privacy Compliance and Implications for CoCs and
    Providers

40
HMIS Consent Models
  • Inferred Consent
  • Baseline requirement
  • Client's consent to release information is
    inferred from the privacy posting
  • Implied/Informed Consent
  • Verbal or physical consent is required
  • Written Consent
  • Client must sign a release of information (ROI)

41
Levels of Consent
  • Consent to use data within an agency for program
    or agency operations
  • Consent to share personal identifying information
    for de-duplication purposes across the CoC
  • Consent to share additional information across
    programs to coordinate case management and
    service delivery

42
HMIS Consent Examples
  • Chicago
  • Inferred consent to share personal identifiers
    with an opt-out to share additional information
  • Michigan
  • Inferred consent/written consent for those at
    risk
  • Lake County, IL
  • Informed consent at agency and written consent
    for data sharing

43
Inferred Consent with Opt-out - Chicago
  • A notice informs clients of how personal
    information is used and disclosed
  • Personal identifiers are disclosed to central
    server and typically shared with other providers
    for unduplication purposes
  • The notice offers clients the ability to opt-out
    of some disclosures to other agencies
  • Clients can request that personal identifiers NOT
    be shared and
  • Clients are asked to consent affirmatively to
    additional information sharing for case
    management purposes

44
Informed Consent with Risk Assessment - Michigan
  • All clients receive oral explanation and copy of
    privacy notice; consent is inferred for data
    entry into HMIS
  • Every client is screened using a risk assessment
    tool to assess risk for data sharing for:
  • Clients with friends or family who may have
    access to HMIS records and
  • Victims of domestic violence
  • When risk is assessed to be high, the client is
    informed of options to participate and asked to
    consent to
  • Entering data into HMIS
  • Sharing identifiers with other providers and
  • Sharing data more broadly with other providers
    for case management

45
Written Consent - Lake County, IL
  • Informed consent for entering personal
    information into HMIS
  • Sharing of personal information between agencies
    requires written consent of client (or legal
    guardian)
  • Sharing information on prior residence, income,
    health, criminal record or social services
    records requires a separate signed release of
    information

46
Funding & Consent
  • Funder data collection, record keeping, and
    reporting requirements often affect the scope of
    client consent
  • HUD-funded programs can infer consent from a
    client to participate in HMIS with appropriate
    baseline privacy protections in place (i.e.,
    posted sign, privacy notice, etc.)
  • Other funding sources may have similar
    programmatic requirements

47
Privacy Standards Required Documentation
  • Standard Operating Procedures - documents the
    community's general privacy philosophy and
    required roles
  • Agency Participation Agreement - formally
    establishes parameters for HMIS participation by
    an Agency
  • User Agreement - formally establishes parameters
    for HMIS participation by an end user
  • Posting - notifies clients about agency's
    privacy practices
  • Privacy Notice (Policy) - notifies clients about
    how agency can use and disclose PPI
  • Interagency Data Sharing Agreement - formally
    establishes parameters for uses and disclosures
    of client data that are electronically shared
    between agencies

Handout 3
48
Summary
  • Must also comply with other federal, state and
    local confidentiality law
  • Must comply with limits to data collection
    (relevant, appropriate, lawful, specified in
    privacy notice)
  • Must have written privacy policy and post on web
    site (if applicable)
  • Must post sign at intake or comparable location
    with general reasons for collection and reference
    to privacy policy
  • May infer consent for uses in the posted sign and
    written privacy policy