https://www.ncceh.org/hmis/privacy/
Privacy
Keeping sensitive electronic data safe isn’t as easy as putting a lock on a file cabinet. We are entrusted to keep client identifying information (client names, Social Security Numbers, dates of birth, etc.) safe. Follow these tips to protect sensitive data from theft and vulnerability. Download a copy for your office here.
Protect sensitive data
Use encryption when storing or transmitting sensitive data. Remove files containing sensitive data from your system when they are no longer needed. Remember that simply deleting a file rarely means it is permanently gone. If you store sensitive information on a flash drive or external hard drive, make sure to keep these locked as well. Unsure about how to store, handle or remove sensitive data? Contact us!
Practice good password management
FACT: We have too many passwords to manage. It's easy to take short-cuts, like using simple passwords repeatedly to remember them, but this isn’t safe. We highly recommend using long passwords with a strong mix of characters. Update passwords frequently, and once you use a password, don’t re-use it. Don't share your passwords or write them down.
Never leave your computer unattended
Keep software up to date
Install anti-malware protection
HMIS is designed to protect clients from the ground up. Information collected by agencies and entered into HMIS cannot be shared with other agencies without a client's consent. Clients always have the right to determine if and what data is shared with agencies partnering in the community. Client information is also protected for reports required by and submitted to HUD because the data is always de-identified. These reports allow communities to better understand how clients use homeless system services while protecting client information.
For more details about what is shared and why, go to our Client Consent page.
Client data is protected when unauthorized access to view, modify, or obtain information in HMIS is prevented. As HMIS Lead Agency for the HMIS@NCCEH implementation, the Data Center staff are responsible for ensuring that access to information is based on these principles:
Implied Consent for data sharing within an agency: A client is provided accessible information about the use of HMIS, the protection of their information within HMIS, and the commitments of the agency with regards to their privacy while and after the client is served. If clients are properly informed and agree to services, HMIS can be used to store data.
Informed Client Consent for data sharing between multiple agencies: Not only is a client informed of the privacy practices of the agency and HMIS, but they are also given options for if and how specific elements of their data could be shared between identified agencies, for the purposes of better, more coordinated services.
The main document outlining these principles is the HMIS Release of Information (ROI) that should be signed by the client at the first available in-person meeting. The ROI is also used when working with clients remotely. The Data Center provides guidance for agencies conducting remote services including: the Verbal ROI Script, Verbal ROI How To's, and the Verbal ROI during COVID-19 documents.
To follow these principles, the implementation has adopted policies, including:
HMIS User Agreement and Ethical Standards
All HMIS Users are required to complete a privacy training before receiving a license. Users must complete an annual privacy training in order to maintain their license. This sample HMIS User Agreement and Ethical Standards outlines important protections for client privacy and confidentiality.
For a complete list of administrative documents and support guides for case manager staff, go to The Data Center's Admin page: https://www.ncceh.org/hmis/administrative/.
HMIS Participating Agencies add another layer of protection and security for clients. Agencies should have a Board-approved Privacy Policy and Grievance Policy that incorporate HMIS participation.
Additionally, client interactions should be transparent, with consistent language and materials that help clients understand their rights and protections.
Click here to see which agencies participate in the HMIS@NCCEH implementation.
HMIS Participating Agencies also partner with other community providers to match clients to available permanent housing resources. Local Coordinating Groups exist in each community and use limited HMIS data in their By Name Lists to facilitate this coordination.
Click here to look up an Agency/Organization and see the other agencies working together in Coordinating Groups. This list provides transparency for clients wondering who their agency works with locally and who their HMIS info may be shared with.
See someone missing from your local group? Please complete this Form for Coordinating Group Updates and the Data Center will post the updates for clients to view.
Clients trust service providers with extremely sensitive information, and we take that trust to heart. As we gather and transport information about our clients, it’s important to be aware of which of the tools we use are secure and which are not. For example, our HMIS software “ServicePoint” by Mediware utilizes Secure Sockets Layer (SSL) 128-bit encryption from the company Symantec. If you’d like to learn more about SSL certificates and encryption, Symantec has this brief introduction. On the other hand, most email providers like Gmail and Outlook are not encrypted. Here are a few of our standards for protecting our clients' data:
Electronic communication like email should not contain personally identifying information of clients like Full Legal Name, Date of Birth, Social Security Number, Disabling Condition(s), etc. Use HMIS ID numbers to avoid this.
HMIS reports with client identified information should never be emailed or saved in an unsecured location.
HMIS should never be accessed from open internet connections, such as those at cafes or libraries, or without password protection.