Presentation on theme: "HMIS Data & Technical Standards: Privacy Requirements & Compliance"— Presentation transcript:
1 HMIS Data & Technical Standards: Privacy Requirements & Compliance Matt White, Abt Associates Inc.HUD’s National HMIS Technical Assistance InitiativeApril 11, 2008
2 Overview Review of Privacy Standards Applicability of the Privacy StandardsHMIS, HIPAA and Other Applicable LawsPostings and Privacy Policies7 Steps for Developing a Privacy NoticeHMIS Consent ModelsFunding and ConsentPrivacy Compliance and Implications for CoCs and Providers
3 Privacy Standards Framework Defines two tiers of privacy:Required baseline standards; andAdditional recommended protocols.Outlines the policy solutions and technical safeguards necessary to protect client data.Describes how HMIS requirements relate to federal, state and local laws.Handout #1
4 Privacy Standards 4.1.1. Definition of Terms Homeless Management Information System (HMIS) - the information system designated by a CoC to process PPI or other data in order to generate an unduplicated accounting of homelessness within the CoC. An HMIS may include other functions beyond unduplicated accounting.Covered Homeless Organization (CHO) – any organization (employees, volunteers, and contractors) that records, uses or processes Protected Personal InformationProtected Personal Information (PPI) – any information about a homeless client that (1) identifies a specific individual, (2) can be manipulated so that identification is possible (3) can be linked with other available information to identify a specific individual.
5 Privacy StandardsAllowable HMIS Uses and Disclosures of Protected Personal Information (PPI)A CHO may use or disclose PPI from an HMIS:To provide or coordinate services to an individual;For functions related to payment or reimbursement for services;To carry out administrative functions, including but not limited to legal, audit, personnel, oversight and management functions; orFor creating de-identified PPI
6 4.1.3. Allowable (but not mandatory) HMIS Uses and Disclosures of PPI (cont.) Uses and disclosures required by lawUses and disclosures to avert a serious threat to health or safetyUses and disclosures about victims of abuse, neglect or domestic violenceUses and disclosures for academic research purposesDisclosures for law enforcement purposes
7 4.2 HMIS Privacy Requirements Data Collection LimitationsData QualityPurpose and Use LimitationsOpennessAccess and CorrectionAccountability
8 4.2.1. Collection Limitation Baseline RequirementA CHO may collect PPI only when appropriate to the purposes for which the information is obtained or when required by lawA CHO must collect PPI by lawful and fair means and, where appropriate, with the knowledge or consent of the individualA CHO must post a sign at each intake desk (or comparable location) that explains generally the reasons for collecting this information
9 4.2.1. Collection Limitation (cont.) Optional ElementsRestricting collection of personal data, other than required HMIS data elementsCollecting PPI only with the express knowledge or consent of the individual (unless required by law)Obtaining oral or written consent from the individual for the collection of personal information from the individual or from a third party
10 4.2.2. Data Quality Baseline Requirement Optional Elements PPI collected by a CHO must be relevant to the purpose for which it is to be used. To the extent necessary for those purposes, PPI should be accurate, complete and timelyA CHO must develop and implement a plan to dispose of, or, in the alternative, to remove identifiers from, PPI that is not in current use seven years after the PPI was created or last changed (unless a statutory, regulatory, contractual, or other requirement mandates longer retention)Optional ElementsNone definedQuality (accurate, complete, timely) not defined
11 4.2.3. Purpose Specification and Use Limitation Baseline RequirementA CHO must specify in its privacy notice the purposes for which it collects PPI and must describe all uses and disclosuresA CHO may use or disclose PPI only if the use or disclosure is allowed by this standard and is described in its privacy notice. A CHO may infer consent for all uses and disclosures specified in the notice and for uses and disclosures determined by the CHO to be compatible with those specified in the notice.Except for first party access to information and any required disclosures for oversight of compliance with HMIS privacy and security standards, all uses and disclosures are permissive and not mandatory. Uses and disclosures not specified in the privacy notice can be made only with the consent of the individual or when required by law.
12 4.2.3. Purpose Specification and Use Limitation (cont.) Optional Elements 1Seeking either oral or written consent for some or all processing when individual consent for a use, disclosure or other form of processing appropriate;Agreeing to additional restrictions on use or disclosure of an individual’s PPI at the request of the individual if the request is reasonable. The CHO is bound by the agreement, except if inconsistent with legal requirements;Limiting uses and disclosures to those specified in its privacy notice and to other uses and disclosures that are necessary for those specified;
13 4.2.3. Purpose Specification and Use Limitation (cont.) Optional Elements 2Committing that PPI may not be disclosed directly or indirectly to any government agency (including a contractor or grantee of an agency) for inclusion in any national homeless database that contains personal protected information unless required by statute;Committing to maintain an audit trail containing the date, purpose and recipient of some or all disclosures of PPI;Committing to make audit trails of disclosures available to the homeless individual; andLimiting disclosures of PPI to the minimum necessary to accomplish the purpose of the disclosure.
14 4.2.4. Openness Baseline Requirement Publish a privacy notice describing its polices and practices for the processing of PPI and must provide a copy of its privacy notice to any individual upon request.A CHO must post a sign stating the availability of its privacy notice to any individual who requests a copy.A CHO must state in its privacy notice that the policy may be amended at any time and that amendments may affect information obtained by the CHO before the date of the change. An amendment to the privacy notice regarding use or disclosure will be effective with respect to information processed before the amendment, unless otherwise stated.
15 4.2.4. Openness (cont.) Optional Elements Making a reasonable effort to offer a copy of the privacy notice to each client at or around the time of data collection or at another appropriate time;Giving a copy of its privacy notice to each client on or about the time of first data collection. If the first contact is over the telephone, the privacy notice may be provided at the first in-person contact (or by mail, if requested); and/orAdopting a policy for changing its privacy notice that includes advance notice of the change, consideration of public comments, and prospective application of changes.
16 4.2.5. Access and Correction Baseline Requirement In general, a CHO must allow an individual to inspect and to have a copy of any PPI about the individual.A CHO must offer to explain any information that the individual may not understand.A CHO must consider any request by an individual for correction of inaccurate or incomplete PPI pertaining to the individual. A CHO is not required to remove any information but may, in the alternative, mark information as inaccurate or incomplete and may supplement it with additional information.
17 4.2.5. Access and Correction (cont.) Optional Elements 1A CHO SHOULD reserve the ability to rely on the following reasons for denying requests:Information compiled in reasonable anticipation of litigation or comparable proceedings;Information about another individual (other than a health care or homeless provider);Information obtained under a promise of confidentiality (other than a promise from a health care or homeless provider) if disclosure would reveal the source of the information; orInformation, the disclosure of which would be reasonably likely to endanger the life or physical safety of any individual.
18 4.2.5. Access and Correction (cont.) Optional Elements 2Accepting an appeal of a denial of access or correction by adopting its own appeal procedure and describing the procedure in its privacy notice;Limiting the grounds for denial of access by not stating a recognized basis for denial in its privacy notice;Allowing an individual whose request for correction has been denied to add to the individual’s information concise statement of disagreement. A CHO may agree to disclose the statement of disagreement whenever it discloses the disputed PPI to another person. These procedures must be described in the CHO’s privacy notice; and/orProviding to an individual a written explanation of the reason for a denial of an individual’s request for access or correction.
19 4.2.6. Accountability Baseline Requirement A CHO must establish a procedure for accepting and considering questions or complaints about its privacy and security policies and practices.A CHO must require each member of its staff (including employees, volunteers, affiliates, contractors and associates) to sign (annually or otherwise) a confidentiality agreement that acknowledges receipt of a copy of the privacy notice and that pledges to comply with the privacy notice.
21 Agenda Check… Review of Privacy Standards Applicability of the Privacy StandardsHMIS, HIPAA and Other Applicable LawsPostings and Privacy Policies7 Steps for Developing a Privacy NoticeHMIS Consent ModelsFunding and ConsentPrivacy Compliance and Implications for CoCs and Providers
22 Applicability of Privacy Standards Apply to all Covered Homeless Organizations (CHOs) that record, use or process Protected Personal Information (PPI) for an HMIS, including:Continuums of Care (CoCs)Homeless service providersHMIS hosts or administratorsEmployees, volunteers, affiliates, contractors, and associates are covered by the privacy standards of the CHOs they deal withPrivacy standards apply to all CHOs – regardless of funding source – who use the HMIS
23 HMIS & HIPAAHealth Insurance Portability and Accountability Act of (HIPAA) creates challenges for HMIS implementationsHIPAA privacy rules take precedence over HMIS Privacy StandardsHIPAA covered entities are required to meet HIPAA baseline privacy requirements, not HMIS
24 HMIS & HIPAA (cont.) Most CHOs are not covered by HIPAA The only ways in which an entity becomes regulated under HIPAA is if it is:A “health care provider” that engages in one of HIPAA’s covered standard transactions electronically;A “clearinghouse”; orA “health plan.”To learn more go to or see 45 CFREven if a CHO is health care provider for HIPAA purposes, it may not be a health care provider covered by HIPAA. If you are a CHO and are not sure whether you are a health care provider, you may not need to spend time and/or money finding out, because the only way HIPAA regulations cover you is if you are BOTH a health care provider and engage in covered standard transactions electronically (such as health claims, healthcare payments, healthcare premiums, referral authorizations, etc).Even CHOs that are HIPAA-covered providers can be “hybrid-entities”.HIPAA allows flexible structuring of covered providers as “hybrids” with covered and non-covered components.A CHO’s non-covered functions (for example, intake that may triage to covered and non-covered services) may be defined as a non-covered component of a hybrid entity exempt from HIPAA’s rules.The trade-offs in choosing a hybrid entity structure often balance information flow within the CHO against subjecting non-covered functions to rules poorly-designed to meet client and CHO needs.Neither a CoC nor an HMIS is a “clearinghouse.” A clearinghouse is defined by HIPAA as: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:(1) Processes or facilitates the processing of health information received from another entity in a non-standard format or containing non-standard data content into standard data elements or a standard transaction(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into non-standard format or non-standard data content for the receiving entity (see 45 CFR )
25 HMIS & Other Privacy Laws CHOs must comply with more stringent federal, state and local confidentiality lawsIf a conflict exists between state law and the HMIS, an official legal opinion on the matter should be prepared by the state’s Attorney General and submitted to HUD’s General Counsel for Review
26 HMIS & Domestic Violence Shelters In January 2006, the Violence Against Women Act (VAWA) Reauthorization of 2005 became lawVAWA contains provisions that amend the McKinney- Vento Homeless Assistance Act relating to the disclosure of data to HMIS by domestic violence providers (seeapplies to SHP-funded victim service providers, not mainstream providers
27 Agenda Check… Review of Privacy Standards Applicability of the Privacy StandardsHMIS, HIPAA and Other Applicable LawsPostings and Privacy Policies7 Steps for Developing a Privacy NoticeHMIS Consent ModelsFunding and ConsentPrivacy Compliance and Implications for CoCs and Providers
30 7 Steps to Develop a Baseline Privacy Notice Step 1: What the Notice CoversStep 2: How and Why Personal Information is CollectedStep 3: Uses and Disclosure of Personal InformationStep 4: Inspection and Correction of Personal InformationStep 5: Quality of DataStep 6: Complaints and AccountabilityStep 7: History of Changes
31 1. What the Notice Covers Name and address of CHO Description of programs covered by the noticeDefinition of personal protected information (PPI)Purpose of the noticeAmendment policyRight to receive a copy of the notice
32 2. How and Why Personal Information is Collected Purpose(s) of capturing personal informationLawful and fair means to collect personal informationConsent protocolSources of client informationReasons for asking for information – posted sign at intake desk
33 3. Uses and Disclosures of Personal Information Describe uses and disclosures that may be used, including:To provide or coordinate services;Payment or reimbursement for services;Carry out administrative functions;Create de-identified (anonymous) data;When required by law;To avert a serious threat to health or safety;To report abuse, neglect or domestic violence to a government authority;For academic research purposes; andFor law enforcement purposes.All other uses and disclosures will require consent
34 4. Inspection & Correction of Personal Information The privacy notice should also include:Procedure for inspection, access to a copy, or correction by a client with an explanation;Protocol for requesting correction; andProtocol for denial or request to correct.
35 5. Data QualityInformation is used for the purpose for which it is collectedSeek to maintain only personal information that is accurate, complete and timelyPolicy for disposal and/or removal of identifiers after 7 years of non-usePolicy for maintenance of information if required by statute, regulation, contract or other requirements
36 6. Complaints and Accountability Describe complaint procedure for questions or concerns about privacy and security policiesSigned receipt of compliance with privacy notice by all staff including employees, volunteers, affiliates, contractors and associates
37 7. History of ChangeA version control system should be used and summarizedExample:Version 1.0 Sept. 10, First adopted.Version 1.1 Oct. 21, Added Accountability to Access and CorrectionVersion 1.2 Nov. 23, Clarified compliant procedure
38 Additional Privacy Considerations Each baseline requirement has additional privacy protections that can be implemented and should be included in the privacy noticeAdditional protections may include:Amendment proceduresProvision of noticeCollection purposeUses and disclosuresAccess/correction procedures
39 Agenda Check… Review of Privacy Standards Applicability of the Privacy StandardsHMIS, HIPAA and Other Applicable LawsPostings and Privacy Policies7 Steps for Developing a Privacy NoticeHMIS Consent ModelsFunding and ConsentPrivacy Compliance and Implications for CoCs and Providers
40 HMIS Consent Models Inferred Consent: Implied/Informed Consent: Baseline requirementClient’s consent to release information is inferred from the privacy postingImplied/Informed Consent:Verbal or physical consent is requiredWritten Consent:Client must sign a release of information (ROI)
41 Levels of ConsentConsent to use data within an agency for program or agency operationsConsent to share personal identifying information for de- duplication purposes across the CoCConsent to share additional information across programs to coordinate case management and service delivery
42 HMIS Consent Examples Chicago Michigan Lake County, IL Inferred consent to share personal identifiers with an opt-out to share additional informationMichiganInferred consent/written consent for those at riskLake County, ILInformed consent at agency and written consent for data sharing
43 Inferred Consent with Opt-out: Chicago A notice informs clients of how personal information is used and disclosedPersonal identifiers are disclosed to central server and typically shared with other providers for unduplication purposesThe notice offers clients the ability to opt-out of some disclosures to other agenciesClients can request that personal identifiers NOT be shared; andClients are asked to consent affirmatively to additional information sharing for case management purposes
44 Informed Consent with Risk Assessment: Michigan All clients receive oral explanation and copy of privacy notice – consent is inferred for data entry into HMISEvery client is screened using a risk assessment tool to assess risk for data sharing for:Clients with friends or family who may have access to HMIS records; andVictims of domestic violenceWhen risk is assessed to be high, the client is informed of options to participate and asked to consent to:Entering data into HMIS;Sharing identifiers with other providers; andSharing data more broadly with other providers for case management
45 Written Consent: Lake County, IL Informed consent for entering personal information into HMISSharing of personal information between agencies requires written consent of client (or legal guardian)Sharing information on prior residence, income, health, criminal record or social services records requires a separate signed release of information
46 Funding & ConsentFunder data collection, record keeping, and reporting requirements often affect the scope of client consentHUD-funded programs can infer consent from a client to participate in HMIS with appropriate baseline privacy protections in place (i.e., posted sign, privacy notice, etc.)Other funding sources may have similar programmatic requirements
47 Privacy Standards – Required Documentation Standard Operating Procedures – documents the community’s general privacy philosophy and required rolesAgency Participation Agreement – formally establishes parameters for HMIS participation by an AgencyUser Agreement* – formally establishes parameters for HMIS participation by an end userPosting* – notifies clients about agency’s privacy practicesPrivacy Notice (Policy)* – notifies clients about how agency can use and disclose PPIInteragency Data Sharing Agreement – formally establishes parameters for uses and disclosures of client data that are electronically shared between agenciesHandout #3