Client Privacy and Client Security
Adapted from a Presentation By: U.S. Department of Housing and Urban Development CoC Training Series

Privacy and Security
Privacy is the control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others.
Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure.
Security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled.

Informed Consent
Informed consent is the process of discussing with clients the nature of the worker/client relationship. Through informed consent, the worker and client outline what the client can expect from the professional relationship, as well as what the worker expects from the client’s participation. Informed consent often includes a discussion of basic protocols, such as how to make or cancel appointments, or the best way to make contact. The process should also involve outlining what work will be done with and for the client, and what expectations there are for client involvement.
Integral to the informed consent process is a discussion of client confidentiality. Using simple language, appropriate to the developmental and language needs of the client, the social worker needs to explain to the client that he or she will generally keep information private, but that there are specific instances when persons are required to break client confidentiality.

Social Media Summary
Social platforms were created to help people connect with one another, broadcast their ideas, and create stores of personal information online. Services like Facebook, Twitter, and YouTube were built for sharing public information, not for confidential information.

Develop A Social Media Policy
Why?
To govern how employees/CoC use social media
To protect confidential information and prevent improper use of social media
To provide protection in litigation
To outline disciplinary procedures

Remember
Social platforms are created to help people connect with each other, broadcast their ideas, and create stores of personal information online. Services like Facebook, Twitter and YouTube were built for sharing, not for secrets.

TIP 1
Never post anything you would be uncomfortable reading re-printed in the newspaper. This can be a helpful test to take before you hit the send button.
Take time for thought before posting a blog or sending a tweet. After completing your thoughts or responses, save them as a draft and then read them later before posting. Often e-mails or tweets are an immediate response that lacks thought and reflection.
REMEMBER: once you hit the send button, it’s a permanent record that cannot be retracted.

TIP 2
The technology is here to stay. Your workforce uses it on your computer system, on a smart phone and away from work. Social media can create branding, be a communication tool, create a sense of community, generate good public relations, be a fundraising tool and establish the organization as an expert or leader.
Your workforce consists of your employees, volunteers, trainees and other persons whose conduct, in the performance of work for a Covered Entity, is under the direct control of such entity, whether or not they are paid by the Covered Entity. You are responsible for ensuring that your workforce complies with all requirements. Even on social media!

Privacy Requirements
Privacy Standards: Protect client personal information from unauthorized disclosure
Some of the 7 HMIS Privacy Standard components:
Collection limitations
Purpose and use limitations
Openness
Accountability

Collection Limitations
Only collect information that is appropriate for the purposes for which the information is obtained or when required by law
Use lawful and fair means to collect it
When appropriate, collect data with knowledge or consent of the client
Post sign; infer consent for collection
Must post a sign at intake desk (or comparable location) that explains generally the reasons for collecting this information.
Collection Limitations – this slide lists the things you have to do. In layman’s terms, this means that you can’t collect and use information just because you want to. Collect data that makes sense for the program you run and in accordance with requirements from your funding sources. In other words, don’t collect shoe size unless you are providing shoes to clients as part of your program and you need the information to order more. You should also make sure to use lawful and fair means to collect data: make sure the client has some knowledge that you are collecting it and, if it is from a source other than them, from whom. For HMIS purposes, all programs must post a sign at the intake desk or area that explains in general terms the reasons you are collecting information from the client, and agencies must have privacy policies in place. Additionally, HMIS must have privacy policies and, if there is a website, privacy policies must be posted on the website.

Purpose and Use Limitations
Notice must specify purposes for PPI collections and must describe all uses/disclosures
A program may use/disclose PPI only if allowed by the standard and described in the privacy notice
Notice may infer consent for described uses/disclosures and for compatible uses/disclosures
All uses/disclosures are permissive (except first party request or required by law)
Uses/disclosures not specified in notice need written consent of the individual or legal requirement
Purpose and Use Limitations stems back to collection limitations. This is about having a privacy policy that describes, clearly, for the client how their data is going to be used and who will have access to it. Again, this is not about restricting use or access, it’s about being transparent about it…and these are things that you must do. If you intend to use the data for purposes not stated in the notice, then you do need either written consent from the client or proof that its use is a legal requirement.

Openness
Be open with agencies, clients, and other parties about how you protect client information from unethical use
You must post a sign about your Privacy policies (called a Privacy Notice) and your Privacy policies must be available to anyone who requests them – including clients and the media.
If your agency has a web page, you must post your Privacy Notice on your web page.
This is true about individual agencies as well as any web pages associated with your HMIS.
Openness is about transparency. Again, you must post a privacy notice and have privacy policies available to anyone who requests them – including clients AND media. And again, if your agency has a webpage, your privacy notice must be posted on the webpage.

Accountability
Must establish procedure for accepting and considering complaints about privacy and security policies and practices
Must require all staff members to sign a confidentiality agreement (acknowledging receipt of and pledging to comply with the privacy notice)
Accountability means taking responsibility for enforcing your Privacy policies and having a process in place for someone to make sure that you stand by your policies. Agencies must develop policies and procedures to accept and consider complaints when someone feels that their privacy has been breached or if they feel your Privacy policies are too strict, or maybe not strict enough. It is recommended that the agency have, or develop and put in place, a confidentiality agreement with all staff members collecting, entering, or accessing client data. This is most commonly included as part of the end user agreement, but make sure that the end user agreement includes language that specifically states that by signing the agreement, the staff person is acknowledging receipt of and pledging compliance with the privacy notice. Another alternative is to make this a separate form that staff sign…and tie it to an annual training.

Other Privacy Laws
Programs must comply with more stringent federal, state and local confidentiality laws; and
If a conflict exists between state law and the HMIS, an official legal opinion on the matter should be prepared by the state’s Attorney General and submitted to HUD’s General Counsel for review.
Domestic Violence Victim Service Providers are prohibited from entering data into HMIS and legal service providers are not to enter confidential client notes into HMIS.
Sometimes there are other laws that also come into play regarding privacy.

Levels of Consent
Consent to use data within an agency for program or agency operations.
Consent to share additional information across programs to coordinate case management and service delivery.
A client can consent for you to use their data within your agency. They can also consent for you to share their data with other agencies to coordinate case management and streamline access to other services.

Baseline Privacy Standards
Must comply with other federal, state, and local confidentiality law
Must comply with limits to data collection (relevant, appropriate, lawful, specified in privacy notice)
Must have written privacy policy - and post it on your web site
Must post sign at intake or comparable location with general reasons for collection and reference to privacy policy
May infer consent for uses in the posted sign and written privacy policy
At a minimum, you must: Read slide

We All Know It…
Strong password
Keep it secret

Hard Copy Security
Applicable to any paper or other hard copy containing PPI that is generated by, or for, the HMIS
Intake forms
Consent forms
Reports
Must supervise hard copies at all times when in a public area. Includes intake areas
When staff are not present, hard copies must be secured
Must not be stored or displayed in any publicly accessible location
Hard copies of data. Read slide. Do not underestimate the importance of securing and protecting the hard copies of data that go into the HMIS. You must protect the data from the second the client provides it until it is suitably destroyed.

Thank you!