AIDS Alabama HMIS Privacy and Confidentiality Policy Guidelines

REASONS FOR POLICY:

1. To protect the privacy of Agency clients
2. To comply applicable laws and regulations
3. To insure fair information practices as to:

1. Openness
2. Accountability
3. Collection limitations
4. Purpose and use limitations
5. Access and correction
6. Data Quality
7. Security

 

STATEMENT OF POLICY:

1. Compliance   Agency privacy practices will comply with all applicable laws governing HMIS client privacy/confidentiality. Applicable standards include, but are not limited to the following.

1. Federal Register Vol. 69, No. 146 (HMIS FR 4848-N-02) - Federal statute governing HMIS information.
2. HIPAA - the Health Insurance Portability Act.
3. 42 CFR Part 2. - Federal statute governing drug and alcohol treatment.
4. Metropolitan Birmingham Services for the Homeless HMIS Privacy Policy
5. Agency Partnership Agreement(s).

 

NOTE: HIPAA statutes are more restrictive than the HMIS FR 4848-N-02 standards and in cases where both apply, HIPAA over-rides the HMIS FR 4848-N-02 standards.  

 

2. Use of Information   PPI (protected personal information , that is information which can be used to identify a specific client) can be used only for the following purposes:

1. To provide or coordinate services to a client.
2. For functions related to payment or reimbursement for services.
3. To carry out administrative functions such as legal, audit, personnel, planning, oversight and management functions.
4. For creating de-personalized client identification for unduplicated counting.
5. Where disclosure is required by law.
6. To prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.
7. To report abuse, neglect, or domestic violence as required or allowed by law.
8. Contractual research where privacy conditions are met (including a written agreement).
9. To report criminal activity on agency premises.
10. For law enforcement purposes in response to a properly authorized request for information from a properly authorized source.

NOTE:  HMIS FR 4848-N-02 standards list items a-d above as allowable reasons for disclosing PPI but make provisions for additional uses to meet individual agency obligations (e-j above.) . It also states that “except for first party access to information and required disclosures for oversight and compliance auditing, all uses and disclosures are permissive and not mandatory.

NOTE:  if a client refuses to release PPI, and such information is needed/required in order to provide services, the client’s refusal may necessitate denial of service.

 

3. Collection and Notification   Information will be collected only by fair and lawful means with the knowledge or consent of the client.

1. PPI will be collected only for the purposes listed above.
2. Clients will be made aware that personal information is being collected and recorded.
3. A written sign will be posted in locations where PPI is collected. This written notice will read:

“We collect personal information directly from you for reasons that are discussed in our privacy statement.  We may be required to collect some personal information by law or by organizations that give us money to operate this program.  Other personal information that we collect is important to run our programs, to improve services for homeless persons, and to better understand the needs of homeless persons.  We only collect information that we consider to be appropriate.”

“The collection and use of all personal information is guided by strict standards of confidentiality.  Our Privacy Notice is posted.  A copy of our Privacy Notice is available to all clients upon request.”

1. This sign will be explained in cases where the client is unable to read and/or understand it.

 

NOTE: Under HMIS FR 4848-N-02, agencies are permitted to require a client to express consent to collect PPI verbally or in writing, however this is optional and not a requirement of the statute.

4. Data Quality   PPI data will be accurate, complete, timely, and relevant.

1. All PPI collected will be relevant to the purposes for which it is to be used.
2. Identifiers will be removed from data that is not in current use after 7 years (from date of creation or last edit) unless other requirements mandate longer retention.
3. Data will be entered in a consistent manner by authorized users.
4. Data will be entered in as close to real-time data entry as possible.
5. Measures will be developed to monitor data for accuracy and completeness and for the correction of errors.

1. The agency runs reports and queries monthly to help identify incomplete or inaccurate information.
2. The agency monitors the correction of incomplete or inaccurate information.
3. By the 15th of the following month all monitoring reports will reflect corrected data.

1. Data quality is subject to routine audit by System Administrators who have administrative responsibilities for the database.

 

5. Privacy Notice, Purpose Specification and Use Limitations   The purposes for collecting PPI data, as well as it uses and disclosures will be specified and limited.

1. The purposes, uses, disclosures, policies, and practices relative to PPI data will be outlined in an agency Privacy Notice (copy attached).
2. The agency Privacy Notice will comply with all applicable regulatory and contractual limitations.
3. The agency Privacy Notice will be made available to agency clients, or their representative, upon request and explained/interpreted as needed.
4. Reasonable accommodations will be made with regards to the Privacy Notice for persons with disabilities and non-English speaking clients as required by law.
5. PPI will be used and disclosed only as specified in the Privacy Notice, and only for the purposes specified therein,
6. Uses and disclosures not specified in the Privacy Notice can be made only with the consent of the client.
7. The Privacy Notice will be posted on the Agency web site.
8. The Privacy Notice will reviewed and amended as needed.
9. Amendments to or revisions of the Privacy Notice will address the retroactivity of any changes.
10. Permanent documentation will be maintained of all Privacy Notice amendments/revisions.
11. All access to, and editing of PPI data will be tracked by an automated audit trail, and will be monitored for violations use/disclosure limitations.

NOTE: Items above are required by HMIS FR 4848-N-02, and/or  HMIS policy, but agencies can restrict and limit the use of PPI data further by requiring express client consent for various types of uses/disclosures, and/or by putting restriction or limits on various kinds of  uses/disclosures.

6. Record Access and Correction   Provisions will be maintained for the access to and corrections of PPI records.

1. Clients will be allowed to review their HMIS record within 5 working days of a request to do so.
2. During a client review of their record, an Agency staff person must be available to explain any entries the client does not understand.
3. The client may request to have their record corrected so that information is up-to-date and accurate to ensure fairness in its use.
4. When a correction is requested by a client, the request will be documented and the staff will make a corrective entry if the request is valid.
5. A client may be denied access to their personal information for the following reasons:

1. Information is compiled in reasonable anticipation of litigation or comparable proceedings;
2. Information about another individual other than the Agency staff would be disclosed,
3. Information was obtained under a promise of confidentiality other than a promise from this provider and disclosure would reveal the source of the information
4. Information, the disclosure of which would be reasonably likely to endanger the life or physical safety of any individual.

1. A client may be denied access to their personal information in the case of repeated or harassing requests for access or correction.  However, if denied, documentation will be provided regarding the request and reason for denial to the individual and be made a part of the client’s record.
2. A grievance process may be initiated if a client feels that their confidentiality rights have been violated, if access has been denied to their personal records, or if they have been put at personal risk, or harmed.

 

7. Accountability Processes will be maintained to insure that the privacy and confidentiality of client information is protected and staff is properly prepared and accountable to carry out Agency policies and procedure that govern the use of PPI data.

1. All HMIS users must sign a Users Agreement that specifies each staff persons obligations with regard to protecting the privacy of PPI and indicates that they have received a copy of the Agency’s Privacy Notice and that they will comply with its guidelines.
2. All users of the HMIS must complete formal privacy training.
3. A process will be maintained to document and verify completion of training requirements.
4. A process will be maintained to monitor and audit compliance with basic privacy requirements including but not limited to auditing clients entered against signed HMIS Releases.
5. Regular user meetings will be held and issues concerning data security, client confidentiality, and information privacy will be discussed and solutions will be developed. 

8. Sharing of Information  Client data may be shared with partnering agencies only with client approval

1. All routine data sharing practices with partnering agencies will be documented and governed by an Agency Partnership Agreement.
2. Agency defaults within the HMIS system will be set to “open” except for agencies serving high risk clients.
3. A completed HMIS Client Release of Information (ROI) Form is need before information may shared electronically.

1. The HMIS release lists all HMIS partnering agencies to inform the client about what is shared and with whom it is shared. 
2. The client accepts or rejects the sharing plan.
3. If the client rejects the sharing plan, staff will close the record and inform the System Administrator for client record duplication monitoring.

1. Clients will be informed about and understand the benefits, risks, and available alternatives to sharing your information prior to signing an ROI, and their decision to sign or not sign shall be voluntary.
2. Clients who choose not to authorize sharing of information cannot be denied services for which they would otherwise be eligible.
3. All Client Authorization for ROI forms related to the HMIS will be placed in a file to be located on premises;
4. HMIS-related Authorization for ROI forms will be retained for a period of 7 years, after which time the forms will be discarded in a manner that ensures client confidentiality is not compromised.
5. No confidential/restricted information received from the HMIS will be shared with any organization or individual without proper written consent by the client, unless otherwise permitted by applicable regulations or laws.
6. Restricted information, including progress notes and psychotherapy notes, about the diagnosis, treatment, or referrals related to a mental health disorder, drug or alcohol disorder, HIV/AIDS, and domestic violence concerns shall not be shared with other participating Agencies without the client’s written, informed consent as documented on the Agency-modified Authorization for Release of Confidential Form. 

1. Sharing of restricted information is not covered under the general HMIS Client ROI.
2. If a field that normally contains non-confidential information discloses confidential information.

1. The staff completes an Authorization to release Confidential Information.
2. If the client refuses to authorize the release, the staff closes the Assessment/Screen by clicking the lock on the screen and removing any exceptions.

1. If a client has previously given permission to share information with multiple agencies, beyond basic identifying information and non-restricted service transactions, and then chooses to revoke that permission with regard to one or more of these agencies, the effected agency/ agencies will be contacted accordingly, and those portions of the record, impacted by the revocation, to will be locked from further sharing.
2. All client ROI forms will include an expiration date, at which time a new ROI must be signed by the client.

 

9. System Security   System security provisions will apply to all systems where PPI is stored, Agency’s networks, desktops, laptops, mini-computers, mainframes and servers.

1. Password Access:

1. Only individuals who have completed Privacy and System Training may be given access to the HMIS through User IDs and Passwords.
2. Temporary/default passwords will be changed on first use.
3. Access to PPI requires a user name and password at least 8 characters long and using at least two numbers and two letters.
4. User Name and password may not be stored or displayed in any publicly accessible location.
5. Passwords must be changed routinely.
6. Users must not be able to log onto more than one workstation or location at a time.
7. Individuals with User IDs and Passwords will not give or share assigned User ID and Passwords to access the HMIS with any other organization, governmental entity, business, or individual.

1. Virus Protection and Firewalls:

1. Commercial virus protection software will be maintained by the Agency to protect HMIS system from virus attack.
2. Virus protection will include automated scanning of files as they are access by users.
3. Virus Definitions will be updated regularly.
4. All workstations will be protected by a firewall either through a workstation firewall or a server firewall.

1. Physical Access to Systems where HMIS Data is Stored
2. Computers stationed in public places must be secured when workstations are not in use and when staff are not present.
3. After a short period of time a password protected screen saver will be activated during time that the system is temporarily not in use.
4. For extended absence, staff must log off the computer

1. Stored Data Security and Disposal:

1. All HMIS data downloaded onto a data storage medium must be maintained and stored in a secure location.
2. Data downloaded for purposes of statistical analysis will exclude PPI whenever possible.
3. HMIS data downloaded onto a data storage medium must be disposed of by reformatting as opposed to erasing or deleting.
4. A data storage medium will be reformatted a second time before the medium is reused or disposed of.

1. System Monitoring
2. User access to the HMIS Live Web Site will be monitored using the Audit User Report feature of the HMIS software.

1. Hard Copy Security:

1. Any paper or other hard copy containing PPI that is either generated by or for HMIS, including, but not limited to report, data entry forms and signed consent forms will be secured.
2. Agency staff will supervise, at all times, hard copy with identifying information generated by or for the HMIS when the hard copy is in a public area.  If the staff leaves the area, the hard copy must be secured in areas not accessible by the public.
3. All written information pertaining to the user name and password must not be stored or displayed in any publicly accessible location.

 

NOTE :Various important aspects of system security are the contracted responsibility of Bowman Systems and are therefore not covered in agency policy.  These involve procedures and protections that take place at the site of the central server and include data backup, disaster recovery, data encryption, binary storage requirements, physical storage security, public access controls, location authentication etc.

 

 

PROCEDURES:

1. HMIS is integrated into the agency’s Informed Consent Privacy Notice which is signed at the client intake.   
2. The Board approves the Policies & Procedures including the Confidentiality/Privacy Policy. 
3. Any remote access by the staff must be in a location where those without authorization, or need to view the contents of the system, are not present. The same work place precautions concerning leaving the computer unattended or not securing printed material apply. The room or office should be locked and the computer should be password protected from anyone but the authorized User.
4. The Administrator and Assistant Administrator will have Agency Administrator Access Level. Other case managers and data input personnel will have Case Manager I Access Level.
5. The room or office where the system is being used should be behind two doors capable of being locked when not occupied.
6. Procedures for acquiring client consent.

1. The Agency’s Privacy Notice should be posted.

How the Privacy Notice will be explained:
“We collect personal information directly from you for reasons that are discussed in our privacy statement.  We may be required to collect some personal information by law or by organizations that give us money to operate this program.  Other personal information that we collect is important to run our programs, to improve services for homeless persons, and to better understand the needs of homeless persons.  We only collect information that we consider to be appropriate.”

“The collection and use of all personal information is guided by strict standards of confidentiality.  Our Privacy Notice is posted.  A copy of our Privacy Notice is available to all clients upon request.”

1. The Informed Consent and signed release will be presented to the client at intake or the next case management session if it has not previously completed.

A second Release will be required to share restricted information to designated agencies.