HMIS Data & Technical Standards: Privacy Requirements & Compliance


HMIS Data & Technical Standards: Privacy Requirements & Compliance Matt White, Abt Associates Inc. HUD’s National HMIS Technical Assistance Initiative April 11, 2008

Overview Review of Privacy Standards Applicability of the Privacy Standards HMIS, HIPAA and Other Applicable Laws Postings and Privacy Policies 7 Steps for Developing a Privacy Notice HMIS Consent Models Funding and Consent Privacy Compliance and Implications for CoCs and Providers

Privacy Standards Framework Defines two tiers of privacy: Required baseline standards; and Additional recommended protocols. Outlines the policy solutions and technical safeguards necessary to protect client data. Describes how HMIS requirements relate to federal, state and local laws. Handout #1

Privacy Standards 4.1.1. Definition of Terms Homeless Management Information System (HMIS) – the information system designated by a CoC to process PPI or other data in order to generate an unduplicated accounting of homelessness within the CoC. An HMIS may include other functions beyond unduplicated accounting. Covered Homeless Organization (CHO) – any organization (including its employees, volunteers, and contractors) that records, uses or processes Protected Personal Information for an HMIS. Protected Personal Information (PPI) – any information about a homeless client that (1) identifies a specific individual, (2) can be manipulated so that identification is possible, or (3) can be linked with other available information to identify a specific individual.

Privacy Standards 4.1.3. Allowable HMIS Uses and Disclosures of Protected Personal Information (PPI) A CHO may use or disclose PPI from an HMIS: To provide or coordinate services to an individual; For functions related to payment or reimbursement for services; To carry out administrative functions, including but not limited to legal, audit, personnel, oversight and management functions; or For creating de-identified PPI

4.1.3. Allowable (but not mandatory) HMIS Uses and Disclosures of PPI (cont.) Uses and disclosures required by law Uses and disclosures to avert a serious threat to health or safety Uses and disclosures about victims of abuse, neglect or domestic violence Uses and disclosures for academic research purposes Disclosures for law enforcement purposes

4.2 HMIS Privacy Requirements 4.2.1. Data Collection Limitations 4.2.2. Data Quality 4.2.3. Purpose and Use Limitations 4.2.4. Openness 4.2.5. Access and Correction 4.2.6. Accountability

4.2.1. Collection Limitation Baseline Requirement A CHO may collect PPI only when appropriate to the purposes for which the information is obtained or when required by law A CHO must collect PPI by lawful and fair means and, where appropriate, with the knowledge or consent of the individual A CHO must post a sign at each intake desk (or comparable location) that explains generally the reasons for collecting this information

4.2.1. Collection Limitation (cont.) Optional Elements Restricting collection of personal data, other than required HMIS data elements Collecting PPI only with the express knowledge or consent of the individual (unless required by law) Obtaining oral or written consent from the individual for the collection of personal information from the individual or from a third party

4.2.2. Data Quality Baseline Requirement PPI collected by a CHO must be relevant to the purpose for which it is to be used. To the extent necessary for those purposes, PPI should be accurate, complete and timely. A CHO must develop and implement a plan to dispose of, or, in the alternative, to remove identifiers from, PPI that is not in current use seven years after the PPI was created or last changed (unless a statutory, regulatory, contractual, or other requirement mandates longer retention). Optional Elements: none defined. Note that "quality" (accurate, complete, timely) is not defined by the standard.
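The seven-year disposal/de-identification plan above is the one part of 4.2.2 that a CoC or HMIS host actually has to implement in software. The following is an added example (not code from HUD, Abt Associates or the presentation) of how such a batch job can decide, per record, whether PPI is due for de-identification, honouring the "in current use" and "longer retention mandated" exceptions. The record layout, the list of identifier fields, the ISO date format and the sample records are assumptions made for the example; the standard prescribes none of them.

```python
"""Retention and de-identification of PPI under Privacy Standard 4.2.2.

Added example, not from the HUD standards or the presentation. Record
layout, field names and sample data are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

RETENTION_YEARS = 7

# Direct identifiers stripped on de-identification (assumed field names).
IDENTIFIER_FIELDS = frozenset({"first_name", "last_name", "ssn", "dob"})


@dataclass
class ClientRecord:
    client_id: str                        # internal surrogate key
    created: str                          # ISO date the PPI was created
    last_changed: Optional[str]           # ISO date of last change, if any
    in_current_use: bool                  # e.g. the client has an open enrollment
    retention_hold_until: Optional[str]   # statutory/contractual longer retention
    fields: Dict[str, object] = field(default_factory=dict)


def years_between(start: date, end: date) -> int:
    """Whole years from start to end (29 Feb handled by the month/day compare)."""
    years = end.year - start.year
    if (end.month, end.day) < (start.month, start.day):
        years -= 1
    return years


def retention_decision(rec: ClientRecord, today: str) -> str:
    """Return 'keep' or 'de-identify' for one record as of `today` (ISO date)."""
    now = date.fromisoformat(today)
    if rec.in_current_use:
        return "keep"
    if rec.retention_hold_until and now <= date.fromisoformat(rec.retention_hold_until):
        return "keep"  # longer retention mandated by statute, regulation or contract
    anchor = date.fromisoformat(rec.last_changed or rec.created)
    return "de-identify" if years_between(anchor, now) >= RETENTION_YEARS else "keep"


def de_identify(rec: ClientRecord, today: str) -> Dict[str, object]:
    """Strip direct identifiers, keeping non-identifying fields for aggregate counts.

    The surrogate client_id is retained so historical unduplicated counts still
    work. Under clause (3) of the PPI definition in 4.1.1 it remains PPI if it
    can be linked back to identifying data elsewhere (an export, a partner
    system), so those copies must be covered by the same plan.
    """
    kept = {k: v for k, v in rec.fields.items() if k not in IDENTIFIER_FIELDS}
    kept["client_id"] = rec.client_id
    kept["deidentified_on"] = today
    return kept


def run_retention(records: List[ClientRecord], today: str) -> Dict[str, str]:
    """Apply the plan to a batch; returns client_id -> action taken."""
    actions: Dict[str, str] = {}
    for rec in records:
        action = retention_decision(rec, today)
        if action == "de-identify":
            rec.fields = de_identify(rec, today)
        actions[rec.client_id] = action
    return actions


# Constructed sample data, evaluated as of 2015-04-11 in the usage below.
SAMPLE_RECORDS = [
    ClientRecord("c-1", "2007-01-15", "2007-04-11", False, None,
                 {"first_name": "Ada", "ssn": "000-00-0000", "zip3": "606"}),  # 8 years idle
    ClientRecord("c-2", "2007-01-15", "2007-04-11", True, None,
                 {"first_name": "Ben", "zip3": "606"}),                        # still in use
    ClientRecord("c-3", "2007-01-15", "2007-04-11", False, "2017-12-31",
                 {"first_name": "Cy", "zip3": "606"}),                         # legal hold
    ClientRecord("c-4", "2008-04-12", None, False, None,
                 {"first_name": "Di", "zip3": "606"}),                         # one day short of 7 years
    ClientRecord("c-5", "2008-04-11", None, False, None,
                 {"first_name": "Ed", "zip3": "606"}),                         # exactly 7 years
]

if __name__ == "__main__":
    for cid, action in run_retention(SAMPLE_RECORDS, "2015-04-11").items():
        print(cid, action)
```

The boundary case (c-4 versus c-5) is deliberate: the clock runs from the later of creation and last change, and the record becomes due on the seventh anniversary, not after it. Whether a CHO chooses disposal or de-identification, the decision and its reason should be logged, since the plan itself is something a privacy audit will ask to see.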

4.2.3. Purpose Specification and Use Limitation Baseline Requirement A CHO must specify in its privacy notice the purposes for which it collects PPI and must describe all uses and disclosures A CHO may use or disclose PPI only if the use or disclosure is allowed by this standard and is described in its privacy notice. A CHO may infer consent for all uses and disclosures specified in the notice and for uses and disclosures determined by the CHO to be compatible with those specified in the notice. Except for first party access to information and any required disclosures for oversight of compliance with HMIS privacy and security standards, all uses and disclosures are permissive and not mandatory. Uses and disclosures not specified in the privacy notice can be made only with the consent of the individual or when required by law.

4.2.3. Purpose Specification and Use Limitation (cont.) Optional Elements 1 Seeking either oral or written consent for some or all processing when individual consent for a use, disclosure or other form of processing appropriate; Agreeing to additional restrictions on use or disclosure of an individual’s PPI at the request of the individual if the request is reasonable. The CHO is bound by the agreement, except if inconsistent with legal requirements; Limiting uses and disclosures to those specified in its privacy notice and to other uses and disclosures that are necessary for those specified;

4.2.3. Purpose Specification and Use Limitation (cont.) Optional Elements 2 Committing that PPI may not be disclosed directly or indirectly to any government agency (including a contractor or grantee of an agency) for inclusion in any national homeless database that contains protected personal information unless required by statute; Committing to maintain an audit trail containing the date, purpose and recipient of some or all disclosures of PPI; Committing to make audit trails of disclosures available to the homeless individual; and Limiting disclosures of PPI to the minimum necessary to accomplish the purpose of the disclosure.
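Taken together, the 4.2.3 baseline (disclose only for purposes allowed by 4.1.3 and described in the privacy notice; anything else needs consent) and the optional elements (honour client-requested restrictions, keep a date/purpose/recipient audit trail, release the minimum necessary) describe one enforcement point in front of the HMIS data. The following is an added example of such a disclosure gateway; it is not code from HUD, Abt Associates or the presentation. The per-purpose field allow-lists, the record layout, the class and method names and the sample record are assumptions made for the example, and the purposes shown are the four core uses from 4.1.3 plus research; the remaining 4.1.3 purposes would follow the same pattern with their own allow-lists.

```python
"""Purpose-limited disclosure of PPI with an audit trail (Privacy Standard 4.2.3).

Added example, not code from the HUD standards or the presentation. The field
allow-lists, record layout and sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Purposes from 4.1.3 mapped to the fields a CHO has decided are the minimum
# necessary for each. The lists themselves are assumed, not prescribed.
ALLOWED_FIELDS: Dict[str, FrozenSet[str]] = {
    "services":       frozenset({"client_id", "first_name", "last_name", "dob", "enrollments"}),
    "payment":        frozenset({"client_id", "enrollments", "service_dates"}),
    "administrative": frozenset({"client_id", "enrollments", "service_dates"}),
    "de-identified":  frozenset({"enrollments", "service_dates", "zip3"}),
    "research":       frozenset({"dob", "enrollments", "service_dates", "zip3"}),
}


class DisclosureError(Exception):
    """Raised when a use or disclosure is not permitted."""


@dataclass(frozen=True)
class AuditEntry:
    when: str                   # timestamp of the disclosure
    purpose: str
    recipient: str
    client_id: str
    released: Tuple[str, ...]   # fields actually released
    withheld: Tuple[str, ...]   # requested fields dropped as not necessary


class DisclosureGateway:
    def __init__(self, notice_purposes: Set[str],
                 clock: Optional[Callable[[], str]] = None):
        # Purposes the CHO's published privacy notice describes; consent is
        # inferred for these (4.2.3 baseline). Anything else needs explicit consent.
        self.notice_purposes = set(notice_purposes)
        self.audit: List[AuditEntry] = []
        # Client-requested restrictions the CHO has agreed to (optional element).
        self._restrictions: Dict[str, Set[str]] = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def agree_restriction(self, client_id: str, purpose: str) -> None:
        self._restrictions.setdefault(client_id, set()).add(purpose)

    def disclose(self, record: Dict[str, object], purpose: str, recipient: str,
                 requested: Set[str], client_consent: bool = False) -> Dict[str, object]:
        """Release the minimum necessary fields for `purpose`, or refuse."""
        client_id = str(record["client_id"])
        if purpose not in ALLOWED_FIELDS:
            raise DisclosureError(f"purpose {purpose!r} is not an allowable use under 4.1.3")
        if purpose not in self.notice_purposes and not client_consent:
            raise DisclosureError(f"purpose {purpose!r} is not in the privacy notice; consent required")
        if purpose in self._restrictions.get(client_id, set()):
            raise DisclosureError(f"client {client_id} restricted disclosures for {purpose!r}")
        allowed = ALLOWED_FIELDS[purpose]
        released = {k: record[k] for k in sorted(requested) if k in allowed and k in record}
        withheld = tuple(sorted(k for k in requested if k not in allowed))
        self.audit.append(AuditEntry(self._clock(), purpose, recipient, client_id,
                                     tuple(released), withheld))
        return released

    def audit_trail_for(self, client_id: str) -> List[AuditEntry]:
        """Disclosure history the CHO can show the client (optional element in 4.2.3)."""
        return [e for e in self.audit if e.client_id == client_id]


# Constructed sample record.
SAMPLE_RECORD = {
    "client_id": "c-1001", "first_name": "Ada", "last_name": "Doe",
    "ssn": "000-00-0000", "dob": "1980-01-01", "zip3": "606",
    "enrollments": ["ES-2008-03"], "service_dates": ["2008-03-02"],
}

if __name__ == "__main__":
    gw = DisclosureGateway(notice_purposes={"services", "payment", "administrative"})
    print(gw.disclose(SAMPLE_RECORD, "services", "Partner Shelter",
                      {"first_name", "ssn", "enrollments"}))
    for entry in gw.audit_trail_for("c-1001"):
        print(entry)
```

Two design choices worth noting: a request for a field outside the purpose's allow-list is silently dropped rather than rejected, but the dropped names are recorded in the audit entry so over-broad requests are visible; and the refusal paths are separate exceptions for "not allowed at all", "not in the notice" and "client restricted", because the remedy differs in each case (never, get consent, respect the agreement).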

4.2.4. Openness Baseline Requirement A CHO must publish a privacy notice describing its policies and practices for the processing of PPI and must provide a copy of its privacy notice to any individual upon request. A CHO must post a sign stating the availability of its privacy notice to any individual who requests a copy. A CHO must state in its privacy notice that the policy may be amended at any time and that amendments may affect information obtained by the CHO before the date of the change. An amendment to the privacy notice regarding use or disclosure will be effective with respect to information processed before the amendment, unless otherwise stated.

4.2.4. Openness (cont.) Optional Elements Making a reasonable effort to offer a copy of the privacy notice to each client at or around the time of data collection or at another appropriate time; Giving a copy of its privacy notice to each client on or about the time of first data collection. If the first contact is over the telephone, the privacy notice may be provided at the first in-person contact (or by mail, if requested); and/or Adopting a policy for changing its privacy notice that includes advance notice of the change, consideration of public comments, and prospective application of changes.

4.2.5. Access and Correction Baseline Requirement In general, a CHO must allow an individual to inspect and to have a copy of any PPI about the individual. A CHO must offer to explain any information that the individual may not understand. A CHO must consider any request by an individual for correction of inaccurate or incomplete PPI pertaining to the individual. A CHO is not required to remove any information but may, in the alternative, mark information as inaccurate or incomplete and may supplement it with additional information.

4.2.5. Access and Correction (cont.) Optional Elements 1 A CHO SHOULD reserve the ability to rely on the following reasons for denying requests: Information compiled in reasonable anticipation of litigation or comparable proceedings; Information about another individual (other than a health care or homeless provider); Information obtained under a promise of confidentiality (other than a promise from a health care or homeless provider) if disclosure would reveal the source of the information; or Information, the disclosure of which would be reasonably likely to endanger the life or physical safety of any individual.

4.2.5. Access and Correction (cont.) Optional Elements 2 Accepting an appeal of a denial of access or correction by adopting its own appeal procedure and describing the procedure in its privacy notice; Limiting the grounds for denial of access by not stating a recognized basis for denial in its privacy notice; Allowing an individual whose request for correction has been denied to add to the individual's information a concise statement of disagreement. A CHO may agree to disclose the statement of disagreement whenever it discloses the disputed PPI to another person. These procedures must be described in the CHO's privacy notice; and/or Providing to an individual a written explanation of the reason for a denial of an individual's request for access or correction.

4.2.6. Accountability Baseline Requirement A CHO must establish a procedure for accepting and considering questions or complaints about its privacy and security policies and practices. A CHO must require each member of its staff (including employees, volunteers, affiliates, contractors and associates) to sign (annually or otherwise) a confidentiality agreement that acknowledges receipt of a copy of the privacy notice and that pledges to comply with the privacy notice.

4.2.6. Accountability (cont.) Optional Elements Requiring each member of its staff (including employees, volunteers, affiliates, contractors and associates) to undergo (annually or otherwise) formal training in privacy requirements; Establishing a method, such as an internal audit, for regularly reviewing compliance with its privacy policy; Establishing an internal or external appeal process for hearing an appeal of a privacy complaint or an appeal of a denial of access or correction rights; and/or Designating a chief privacy officer to supervise implementation of the CHO’s privacy standards.

Agenda Check… Review of Privacy Standards Applicability of the Privacy Standards HMIS, HIPAA and Other Applicable Laws Postings and Privacy Policies 7 Steps for Developing a Privacy Notice HMIS Consent Models Funding and Consent Privacy Compliance and Implications for CoCs and Providers

Applicability of Privacy Standards Apply to all Covered Homeless Organizations (CHOs) that record, use or process Protected Personal Information (PPI) for an HMIS, including: Continuums of Care (CoCs) Homeless service providers HMIS hosts or administrators Employees, volunteers, affiliates, contractors, and associates are covered by the privacy standards of the CHOs they deal with Privacy standards apply to all CHOs – regardless of funding source – who use the HMIS

HMIS & HIPAA Health Insurance Portability and Accountability Act of 1996 (HIPAA) creates challenges for HMIS implementations HIPAA privacy rules take precedence over HMIS Privacy Standards HIPAA covered entities are required to meet HIPAA baseline privacy requirements, not HMIS

HMIS & HIPAA (cont.) Most CHOs are not covered by HIPAA. The only way an entity becomes regulated under HIPAA is if it is: A "health care provider" that engages in one of HIPAA's covered standard transactions electronically; A "clearinghouse"; or A "health plan." To learn more go to http://www.hhs.gov/ocr/hipaa/ or see 45 CFR 160.102-103.
Even if a CHO is a health care provider for HIPAA purposes, it may not be a health care provider covered by HIPAA. If you are a CHO and are not sure whether you are a health care provider, you may not need to spend time and/or money finding out, because the only way HIPAA regulations cover you is if you are BOTH a health care provider AND engage in covered standard transactions electronically (such as health claims, health care payments, health care premiums, referral authorizations, etc.).
Even CHOs that are HIPAA-covered providers can be "hybrid entities." HIPAA allows flexible structuring of covered providers as "hybrids" with covered and non-covered components. A CHO's non-covered functions (for example, intake that may triage to covered and non-covered services) may be defined as a non-covered component of a hybrid entity exempt from HIPAA's rules. The trade-off in choosing a hybrid-entity structure is usually between keeping information flowing freely within the CHO and subjecting non-covered functions to rules poorly designed to meet client and CHO needs.
Neither a CoC nor an HMIS is a "clearinghouse." A clearinghouse is defined by HIPAA as: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches, that does either of the following: (1) Processes or facilitates the processing of health information received from another entity in a non-standard format or containing non-standard data content into standard data elements or a standard transaction; or (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into non-standard format or non-standard data content for the receiving entity (see 45 CFR 160.103).

HMIS & Other Privacy Laws CHOs must comply with more stringent federal, state and local confidentiality laws. If a conflict exists between state law and the HMIS Privacy Standards, an official legal opinion on the matter should be prepared by the state's Attorney General and submitted to HUD's General Counsel for review.

HMIS & Domestic Violence Shelters In January 2006, the Violence Against Women Act (VAWA) Reauthorization of 2005 became law. VAWA contains provisions that amend the McKinney-Vento Homeless Assistance Act relating to the disclosure of data to HMIS by domestic violence providers (see http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h3402:). These provisions apply to SHP-funded victim service providers, not to mainstream providers.

Agenda Check… Review of Privacy Standards Applicability of the Privacy Standards HMIS, HIPAA and Other Applicable Laws Postings and Privacy Policies 7 Steps for Developing a Privacy Notice HMIS Consent Models Funding and Consent Privacy Compliance and Implications for CoCs and Providers

Privacy Postings Every CHO must post the following information at each intake desk or comparable location: General explanation of reasons for collecting information; and Privacy policy/notice is available upon request.

Privacy Policy & Consent A CHO must adopt a privacy policy consistent with CoC privacy protocols. If a CHO has a website, it must post its privacy notice there. Once a CHO adopts its privacy policy, it may infer client consent for the uses and disclosures it describes in the policy. Handout #2

7 Steps to Develop a Baseline Privacy Notice Step 1: What the Notice Covers Step 2: How and Why Personal Information is Collected Step 3: Uses and Disclosure of Personal Information Step 4: Inspection and Correction of Personal Information Step 5: Quality of Data Step 6: Complaints and Accountability Step 7: History of Changes

1. What the Notice Covers Name and address of CHO Description of programs covered by the notice Definition of personal protected information (PPI) Purpose of the notice Amendment policy Right to receive a copy of the notice

2. How and Why Personal Information is Collected Purpose(s) of capturing personal information Lawful and fair means to collect personal information Consent protocol Sources of client information Reasons for asking for information – posted sign at intake desk

3. Uses and Disclosures of Personal Information Describe the uses and disclosures that may be made, including: To provide or coordinate services; Payment or reimbursement for services; Carry out administrative functions; Create de-identified (anonymous) data; When required by law; To avert a serious threat to health or safety; To report abuse, neglect or domestic violence to a government authority; For academic research purposes; and For law enforcement purposes. All other uses and disclosures will require consent.

4. Inspection & Correction of Personal Information The privacy notice should also include: Procedure for inspection, access to a copy, or correction by a client with an explanation; Protocol for requesting correction; and Protocol for denial or request to correct.

5. Data Quality Information is used for the purpose for which it is collected Seek to maintain only personal information that is accurate, complete and timely Policy for disposal and/or removal of identifiers after 7 years of non-use Policy for maintenance of information if required by statute, regulation, contract or other requirements

6. Complaints and Accountability Describe the complaint procedure for questions or concerns about privacy and security policies. Signed acknowledgment by all staff (including employees, volunteers, affiliates, contractors and associates) of receipt of the privacy notice and a pledge to comply with it.

7. History of Changes A version control system should be used and summarized in the notice. Example: Version 1.0, Sept. 10, 2004: first adopted. Version 1.1, Oct. 21, 2004: added Accountability to Access and Correction. Version 1.2, Nov. 23, 2004: clarified complaint procedure.

Additional Privacy Considerations Each baseline requirement has additional privacy protections that can be implemented and should be included in the privacy notice Additional protections may include: Amendment procedures Provision of notice Collection purpose Uses and disclosures Access/correction procedures

Agenda Check… Review of Privacy Standards Applicability of the Privacy Standards HMIS, HIPAA and Other Applicable Laws Postings and Privacy Policies 7 Steps for Developing a Privacy Notice HMIS Consent Models Funding and Consent Privacy Compliance and Implications for CoCs and Providers

HMIS Consent Models Inferred Consent: the baseline requirement; the client's consent to release information is inferred from the privacy posting. Implied/Informed Consent: verbal or physical consent is required. Written Consent: the client must sign a release of information (ROI).

Levels of Consent Consent to use data within an agency for program or agency operations Consent to share personal identifying information for de- duplication purposes across the CoC Consent to share additional information across programs to coordinate case management and service delivery

HMIS Consent Examples Chicago: inferred consent to share personal identifiers, with an opt-out for sharing additional information. Michigan: inferred consent, with written consent for those assessed to be at risk. Lake County, IL: informed consent at the agency and written consent for data sharing.

Inferred Consent with Opt-out: Chicago A notice informs clients of how personal information is used and disclosed Personal identifiers are disclosed to central server and typically shared with other providers for unduplication purposes The notice offers clients the ability to opt-out of some disclosures to other agencies Clients can request that personal identifiers NOT be shared; and Clients are asked to consent affirmatively to additional information sharing for case management purposes

Informed Consent with Risk Assessment: Michigan All clients receive oral explanation and copy of privacy notice – consent is inferred for data entry into HMIS Every client is screened using a risk assessment tool to assess risk for data sharing for: Clients with friends or family who may have access to HMIS records; and Victims of domestic violence When risk is assessed to be high, the client is informed of options to participate and asked to consent to: Entering data into HMIS; Sharing identifiers with other providers; and Sharing data more broadly with other providers for case management

Written Consent: Lake County, IL Informed consent for entering personal information into HMIS Sharing of personal information between agencies requires written consent of client (or legal guardian) Sharing information on prior residence, income, health, criminal record or social services records requires a separate signed release of information

Funding & Consent Funder data collection, record keeping, and reporting requirements often affect the scope of client consent HUD-funded programs can infer consent from a client to participate in HMIS with appropriate baseline privacy protections in place (i.e., posted sign, privacy notice, etc.) Other funding sources may have similar programmatic requirements

Privacy Standards – Required Documentation Standard Operating Procedures – documents the community’s general privacy philosophy and required roles Agency Participation Agreement – formally establishes parameters for HMIS participation by an Agency User Agreement* – formally establishes parameters for HMIS participation by an end user Posting* – notifies clients about agency’s privacy practices Privacy Notice (Policy)* – notifies clients about how agency can use and disclose PPI Interagency Data Sharing Agreement – formally establishes parameters for uses and disclosures of client data that are electronically shared between agencies Handout #3

Summary Must also comply with other federal, state and local confidentiality law Must comply with limits to data collection (relevant, appropriate, lawful, specified in privacy notice) Must have written privacy policy and post on web site (if applicable) Must post sign at intake or comparable location with general reasons for collection and reference to privacy policy May infer consent for uses in the posted sign and written privacy policy