HOMELESS MANAGEMENT INFORMATION SYSTEM (HMIS) POLICIES & PROCEDURES (PARTICIPANT'S GUIDE)


OUTLINE: HOMELESS MANAGEMENT INFORMATION SYSTEM (HMIS)

1. HMIS Overview (S1, p. 7)
2. HMIS Participation (S3, p. 20)
3. Participation Agreement (S3.1, p. 20 & App. C, p. 60)
4. CHO End User Agreement (S3.6.2, p. 25 & App. G, p. 71)
5. Data Warehouse End User Agreement (S2.2.4, p. 17 & App. B, p. 56)
6. User Agreement Breach (S3.6.3, p. 25)
7. Administrative and Software Certification Checklist (S3.2.2, p. 21 & App. D, p. 63)
8. Security Plan (S4, p. 28 & App. E, p. 67)
9. Privacy Policy (S6, p. 38)
10. Data Quality Plan (S7, p. 44 & App. F, p. 71)

HMIS OVERVIEW (S1, p. 7):

What is HMIS? What is the purpose of HMIS? What would you include in a policies and procedures document for HMIS?

New York City Homeless Management Information System (HMIS) 10/17/2014 HMIS Policies & Procedures v3.0 1

Learning Objectives: At the end of this training, you will be able to:
- Locate the NYC HMIS Policies & Procedures (P&P) v3.0
- Identify key terms, roles and responsibilities
- Determine if you are meeting standards for: Security plan, Privacy policy, Data quality
- Submit Appendix forms

Homeless Management Information System (HMIS) is used to track the use of services and housing within the NYC Coalition on the Continuum of Care (CCoC). HMIS was established in 2001 after Congress issued a directive to the US Department of Housing and Urban Development (HUD) to provide data and analysis on the extent and nature of homelessness and the effectiveness of implemented programs. HMIS tracks an unduplicated count of clients served at the local level, analyzes patterns of service use and evaluates the effectiveness of implemented systems. HMIS is essential to efforts to coordinate client services and inform community planning and public policy. Through HMIS, homeless individuals benefit from improved coordination in and between agencies, informed advocacy efforts, and policies that result in targeted services.
Analysis of information gathered through HMIS is critical to the preparation of a periodic accounting of homelessness in New York City, including required HUD reporting, as well as analyzing performance related to preventing and ending homelessness across New York City.

ACTIVITY - [BRAINSTORM]: What would YOU include in HMIS policies and procedures for:
- Security Plan
- Privacy Policy
- Data Quality Plan
HINT: Think about what policies and procedures are in place at your organization!

HMIS Overview
- Homeless Management Information System: To record and analyze client, service, and housing data for individuals and families who are homeless or at risk of homelessness
- Unduplicated data across projects in a community
- Aggregate HMIS data can be used to understand the size, characteristics, and needs of the homeless population at multiple levels: project, system, local, state, and national
NOTE: The Annual Homeless Assessment Report (AHAR) is provided by HUD to Congress on individuals & households experiencing homelessness across the country

HMIS PARTICIPATION (S1, p. 7; S1.4, p. 10; & S3, p. 20)

Participation in the HMIS Data Warehouse begins with the Contributing HMIS Organization (CHO) entering data into their system. The HMIS P&P v3.0 refers to their system as the project-level HMIS-compliant system. Then the CHO's project-level HMIS-compliant system uploads to the HMIS Data Warehouse. The HMIS Lead Agency runs reports from the HMIS Data Warehouse. This whole process encompasses the HMIS implementation and must meet the HUD HMIS standards and NYC CCoC Policies and Procedures.

HMIS Policies & Procedures (P&P)
- US Department of Housing & Urban Development (HUD): Requires HMIS Participation; Standards for privacy, security, and data quality
- NYC Coalition on the Continuum of Care (CCoC) adopted policies and procedures

Projects that receive HUD's program funding are required to participate in HMIS, including the Emergency Solutions Grants (ESG) Program, Continuum of Care (CoC) Program, Housing Opportunities for People with AIDS (HOPWA), and Veterans Affairs Supportive Housing (VASH).

HMIS Participation: NYC CCoC HMIS Data Warehouse

In addition, other federal entities have required HMIS participation for their homeless-related programs and grants. These include the U.S. Department of Veteran Affairs (VA) Grant Per Diem (GPD) Program, VA Community Contract Emergency Housing (CCEH) Program, VA Supportive Services for Veteran Families (SSVF) Program, U.S. Department of Health and Human Services (HHS) Substance Abuse and Mental Health Services Administration (SAMHSA) Projects for Assistance in Transition from Homelessness (PATH) Programs; and HHS Administration for Children and Families (ACYF)- Family and Youth Service Bureau (FYSB): Runaway and Homeless Youth (RHY) Program. All other homeless-related projects operating in NYC are strongly encouraged to participate in HMIS.
*Any project participating in the HMIS is required to comply with the current HMIS Policies and Procedures.

Contributing HMIS Organization (CHO): Project-level Compliant System

NOTE: HMIS P&P v3.0, S7.2, p. 44 HMIS Participation Thresholds, states that the CCoC aspires to have 100% of all projects primarily dedicated to serving homeless persons participate in HMIS.

HUD requires HMIS standards for privacy, security, and data quality. The NYC Continuum of Care (CoC) adopted these HMIS Policies and Procedures (P&P) v3.0, available on the NYC CCoC website via the HMIS>Policies and Procedures page.

HMIS Participation
- HMIS Lead Agency runs reports from HMIS
- Required if funded by the following programs:
  - HUD/SNAPS: CoC, ESG, HOPWA, VASH
  - VA: GPD, CCEH, SSVF
  - HHS/SAMHSA: PATH
  - HHS/ACYF- FYSB: RHY
* All other homeless-related programs operating in NYC are strongly encouraged to participate. Any participating project must comply with the HMIS Policies and Procedures.

To end homelessness, a community must know the scope of the problem, characteristics of those who find themselves homeless, and understand what is working in their community and what is not. HMIS helps provide reliable, aggregate data on clients being served.

ACTIVITY- [MATCHING/S1.4 KEY TERMS]: Match the HMIS P&P Key Terms with the appropriate Definition #s below. HINT: Key Terms are located in Section 1.4 of the HMIS P&P v3.0!

Contributing HMIS Organization (CHO) Contacts:
- CHO HMIS Administrator
- CHO HMIS Security Contact
- CHO End User

1. A single point-of-contact established by each CHO who is responsible for annually certifying that the CHO adheres to the Security Plan; testing the CHO security practices for compliance; communicating any security questions, requests, or security breaches to the DHS System Administrator and Security Officer, and security-related HMIS information relayed from DHS to the CHO's End Users.
2. An employee, volunteer, affiliate, associate, or any other individual acting on behalf of a CHO or an HMIS Lead Agency who uses or uploads data in project-level HMIS-compliant system from which data are periodically uploaded to the HMIS Data Warehouse. Throughout this document, users will be specified as Data Warehouse End Users or CHO End Users.
3. A single point-of-contact established by each CHO who is responsible for day-to-day operation of the CHO data collection system, ensuring project-level data quality according to the terms of the Appendix C. Organization HMIS Participation Agreement and associated data quality plan, and managing the upload process from the CHO project-level HMIS-compliant system to the HMIS Data Warehouse.

NOTE: Some of the appendix forms returned were signed by the CHO Executing Officer, and CHO HMIS Data Warehouse End Users.

Data Collection Points:
- Annual Assessment
- Record Creation
- Update
- Project Exit
- Project Entry

1. Data collection point indicating the element is required to be collected at every project entry. Elements collected at project entry must have an information date that matches the client's project entry date.
2. Data Collection Point that is to be recorded no more than 30 days before or after the anniversary of the client's Project Entry Date, regardless of the date of the most recent update. Information must be accurate as of the Information Date.
3. Data collection point indicating the element is required to be collected at every project exit. Elements collected at project exit must have an Information Date that matches the client's Project Exit Date.
4. Data collection point indicating the element is required to be collected when the client record is created. Elements collected at record creation should have one and only one value for each client in an HMIS.
5. Data collection point indicating that the element may be collected and entered into HMIS at multiple points during an enrollment in order to track changes over time. The system must be able to support a theoretically unlimited number of update records per enrollment. Each update requires the creation of a new record with a distinct Information Date.

PARTICIPATION POLICIES & AGREEMENT (S3, p & App. C, p. 60)

To be considered a participating project, the CHO project must collect all data elements required for the project and ensure that uploads meet standards specified in S7. Data Quality Plan and enter client-level data into the project-level HMIS-compliant system as per the appropriate data collection stage, and abide by the terms of the Appendix C. Participation Agreement.

In the Appendix C. Participation Agreement (p. 60), CHOs are responsible for:
a) Self certifying compliance with these policies and procedures
b) Remediation for non-compliant systems
c) Collecting and uploading data to the NYC HMIS as per these policies and procedures
d) Ensuring End Users of the project level HMIS compliant system are adhering to the privacy and confidentiality requirements
e) Training CHO End Users on CHO's Project-level HMIS-compliant system

Participation Agreement
- Appendix C. Participation Agreement (p. 60)
- Certifications updated annually
- Collect all required data elements: Project Descriptor Data Elements, Universal Data Elements, Program Specific Data Elements, & Metadata Elements that are applicable to the project type
- Upload client records for all participating projects by the 10th business day of each month
- Meet data quality standards
- CHO Executing Officer Signature

The Participation Agreement is signed by the Department of Homeless Services (DHS) and the CHO Executing Officer (S3.2.1; p. 21). The CHO Executing Officer also designates the CHO HMIS Administrator (S3.2.2, p. 21) and the CHO HMIS Security Contact (S3.2.3, p. 22). The CHO Executing Officer is expected to be an authorized signor for the CHO, and may fulfill multiple roles (including those they are responsible for designating). The Executing Officer's name, title, phone, and email will also be provided by the CHO in Appendix D. NYC HMIS Administrative & Software Certification Checklist.
NOTE: The CHO Executing Officer role is typically filled by the Executive Director (ED), Chief Executive Officer (CEO), Chief Operating Officer (COO) of the CHO.

CHO Executing Officer
- Executes the Participation Agreement
- Designates the CHO Administrator and Security Contact
- Certifies compliance with HMIS P&P
- Authorized Signor for the CHO
- The CHO Executing Officer role is typically filled by the Executive Director (ED), Chief Executive Officer (CEO), Chief Operating Officer (COO), or President of the CHO

CHO END USER AGREEMENTS (S3.6.2, p. 25 & App. G, p. 75)

CHO End Users are categorized as Project End Users and/or Data Warehouse End Users. CHO End User agreements comply with the HMIS Data Technical Standards Notice, published in the Federal Register by HUD. CHO End Users have a moral and a legal obligation to ensure that data is being collected, accessed, and used appropriately. Proper user training, adherence to the NYC HMIS P&P, and a clear understanding of the privacy, security and confidentiality policies are vital to achieving these goals.

2 Types of CHO End User Agreements
- Project End User Agreement: Log-in access to the CHO HMIS project-level compliant system (i.e. to enter/view local data)
- Data Warehouse End User Agreement: Log-in access to the NYC CoC HMIS Data Warehouse (i.e. to upload data into the NYC CoC HMIS Data Warehouse)
NOTE: Indicates receipt of the appropriate training (S3.7, p. 26 Training Requirements) and has read, understood and agrees to fulfill all of the obligations contained in the HMIS Policies and Procedures

Prior to being granted access to any project-level HMIS-compliant system (i.e. for the CHO's computer system), each CHO End User must sign a Project End User Agreement indicating that he or she has received all required HMIS training (see S3.7, p. 26 Training Requirements) and has read, understood and agrees to fulfill all of the obligations contained in the HMIS Policies and Procedures. Each CHO is responsible for ensuring that end users are trained on system use, privacy, security, and data collection requirements. Each CHO will maintain a written policy detailing its management control over access authorization, user levels, and process for activating a new user. Each CHO HMIS Administrator is responsible for the distribution, collection and storage of signed CHO End User Agreements. An example is provided in Appendix G. Example NYC HMIS Project End User Agreement (p. 75).

NOTE: Each CHO will indicate in the Appendix D. Administrative and Software Certification Checklist (p. 66) whether or not such a CHO End User Agreement exists and whether or not all users have signed the Agreement. The second to last paragraph may be completed for affirming full compliance last year, along with signatures (plus page 1 required, if no further details have changed).

Project End User Agreement
- For access to the project-level HMIS-compliant system
- Distributed, collected and stored by CHO HMIS Administrator (NOT returned to HMIS Lead)
- Signed by CHO End Users (ex. Appendix G)
- User Policy; User Responsibility
NOTE: CHO manages end users' access, authorization, and permission levels. CHO is responsible for training on system use, privacy, security, and data collection requirements.

DATA WAREHOUSE (DW) END USER AGREEMENT (S , p & App. B, p. 58)

The NYC CCoC HMIS Data Warehouse receives regularly uploaded data from CHOs. The Data Warehouse End Users conduct uploads within the first 10 business days of each month. NOTE: Typically only 1-2 people within each CHO are NYC CoC HMIS DW End Users.
The HMIS Policies and Procedures require adherence with:
- S2.2.3, p. 16 Data Warehouse End Users
- S2.2.4, p. 17 Data Warehouse End User Agreements
- All sections related to client privacy, security, and confidentiality

Data Warehouse End User Agreement
- Indicates understanding and acceptance of the proper use of User ID and password, for access to the NYC CCoC HMIS Data Warehouse
- Complies with HMIS P&P training received on the NYC CCoC HMIS Data Warehouse Use, Privacy, Data Collection, and Security Policy
- Confidentiality of Client Data
- Appendix B. Signed by the CHO's Data Warehouse End User and Executing Officer

Prior to being granted log-in credentials to the NYC CCoC HMIS Data Warehouse, each Data Warehouse End User must sign the Appendix B. Data Warehouse End User Agreement, indicating their receipt of appropriate training (S3.7, p. 26 Training Requirements, and Appendix A. Data Warehouse User Guide, p. 49) and that they have read, understood, and agree to fulfill all of the obligations contained in the HMIS Policies and Procedures. The HMIS Lead (NYC DHS) will retain a log of each Data Warehouse End User, including the name, CHO, user group, and date training was completed. The HMIS Lead will assign the user group and privileges based on the CHO HMIS Administrator's recommendations. The permission types are defined as: Internal Audit messages Project Chart Access Data Entry Access Exception Overrides

All Data Warehouse End Users are responsible and accountable for safeguarding information assets from unauthorized modification, disclosure, and destruction.

USER AGREEMENT BREACH (S3.6.3, p. 25)

The HMIS P&P S3.6.3, p. 25 User Agreement Breach indicates that each CHO will develop and implement a written policy for managing a breach of the User Agreement. Therefore, a user who breaches the terms of the End User Agreement will face the sanctions specified by the CHO. Any breaches related to security or privacy must be reported to the HMIS Lead within 3 business days of discovery. Penalties may include a ban from using the project-level HMIS compliant system and/or legal action.

User Agreement Breach
- Unauthorized use or disclosure of PII
- CHO must have written policy
- CHO Sanctions
- Security or Privacy Breach: Inform HMIS Lead within 3 business days of discovery

ADMINISTRATIVE AND SOFTWARE CERTIFICATION CHECKLIST (S3.2.2, p. 21 & App. D, p. 63)

HMIS P&P S3.2.2, p. 21 CHO HMIS Administrators, indicates that the CHO HMIS Administrator is a single point of communication between the end users and the HMIS Lead. They are responsible for annually reviewing the Administrative & Software Certification Checklist (Appendix D, p. 63). This includes ensuring the stability of the organization connection to the Internet and the data warehouse, either directly or in communication with other technical professionals. They are responsible for training CHO End Users in data collection, security and privacy policies and procedures. They provide support for the generation of organization reports, while managing organization user names and passwords for project-level HMIS-compliant systems. In addition, CHO HMIS Administrators monitor compliance with the standards of client confidentiality and data collection, entry and retrieval.

CHO HMIS Administrator
- Communication, Training, Reporting
- Internet & Data Warehouse Connection
- Compliance Manager: CHO User Names & Passwords; Client Confidentiality; Data Collection, Security, & Privacy P&P
The Administrative and Software Certification Checklist (Appendix D, p. 63) includes contact information for the Executing Officer, CHO HMIS Administrator, and Backup CHO HMIS Administrator; a list of the CHO HMIS Administrator's duties; a checklist for Administrative Requirements; a checklist for Software and Technical Requirements; a list of all participating projects; and signatures of the CHO HMIS Administrator and Executing Officer.

Administrative and Software Certification Checklist
- Documents compliance with: Administrative Requirements; Software & Technical Requirements
- Participating Projects List
- Signed by CHO HMIS System Administrator and Executing Officer (Appendix D)

The Administrative Requirements state the CHO must have a written policy for communication of HMIS matters and managing User Levels & Activation. This includes implementing CHO End User Agreements, CHO sanctions for Breach, and training ALL End Users on system use, privacy, security, and data collection. In addition, the CHO Privacy Policy must be posted on the CHO's website (if the CHO has a website), and the Privacy Policy Notice must be posted where data collection occurs. NOTE: We will be discussing the HMIS P&P S6. Privacy Policy requirements in depth later on in this course.

The Administrative Requirements also refer to S7.4.1 Timeliness, p. 45 and S7.4.3 Accuracy, p. 46. Timeliness requires the data to be entered in the project-level HMIS-compliant system within a timely manner, adhering with the 2014 HMIS Data Standards for data gathering collection points. Accuracy requires an internal CHO procedure to validate accuracy of data elements.

Administrative and Software Certification Checklist
Administrative Requirements:
- S3.2.4 CHO Communications
- S3.6.1 User Levels and Activation
- S3.6.2 CHO User Agreement
- S3.6.3 User Agreement Breach
- S3.7 Training Requirements
- S6 Privacy Policy
- S6.6.2 Informed Client Consent
- S7.4.1 Timeliness & S7.4.3 Accuracy

The Technical Requirements (S3.3, p. 23) for the data collection system include being a relational database capable of recording data transactions and preserving historical data; having the capacity to collect system use data; having the ability to collect all data elements; meeting technical security and technical privacy requirements; and having the ability to transfer data or export data (via CSV) for uploading to the Data Warehouse.

Administrative and Software Certification Checklist
Software & Technical Requirements (S3.3):
- S4 HMIS Security Plan
- S6 Privacy Policy
- S7 Data Quality Plan

ACTIVITY- [Mid-Review]: HINT: All clues are pertinent to the last 5 topics covered (Participation Agreement, Project End User Agreement, Data Warehouse End User Agreement, User Agreement Breach, and the Administrative and Software Certification Checklist)!

1. Appendix B. DW End User Agreement is for log in access to the HMIS .
2. Appendix C. Participation Agreement is signed by HMIS Lead (DHS) and the CHO's Officer.
3. The CHO HMIS is responsible for the distribution, collection and storage of signed CHO Project End User Agreements (for end user access to the project-level HMIS compliant system).
4. The existing NYC HMIS participants will indicate that compliance was met last year on the Appendix Forms & E. Security Certification Checklist.
5. The existing NYC HMIS participants will re-submit fully revised, completed, signed Appendix Forms & F. Project Information Form to the HMIS Lead (NYC DHS) this year.
6. Submit the HMIS P&P Appendix forms by January, 2015 to the HMIS Coordinator, Nicketa Nusum (DHS) via email to NNusum@dhs.nyc.gov
7. Go to the NYC CoC website URL, to view a copy of the HMIS P&P v3.0.
8. End User Breaches related to security or privacy must be reported to the HMIS Lead (DHS) within business days.
9. Section 3.7 Requirements indicates that each CHO is responsible for ensuring all End Users are appropriately trained on system use, privacy, security, and data collection requirements.
10. The DW End User training material on system use is within Appendix .

SECURITY PLAN & SECURITY CERTIFICATION CHECKLIST (S4, p. 28 & App. E, p. 67)

The goal of a Security Plan is to ensure that HMIS data is collected, used and maintained in a confidential secure environment at all times. HMIS P&P S4, p. 28 Security Plan relates to this topic.

Security Plan
S4.1, p. 28 GOAL = To ensure that the HMIS data is collected, used, and maintained in a confidential and secure environment at all times.
- S4.2 HMIS Lead Security Officer & CHO Security Contact
- S4.3 Compliance Review
- S4.4 Use Requirements
- S4.5 Data Warehouse Security
- S4.6 CHO Project-level HMIS-compliant System Security
- S4.7 PII Management and Disposal
- S4.8 Security Incidents
- S5 Disaster Recovery

The CHO Security Contact is responsible for writing, maintaining, and testing security practices; annually reviewing the Security Certification Checklist (Appendix E, p. 67); certifying adherence to a Security Plan; communicating security questions, requests, or breaches to the HMIS Lead (DHS) System Administrator and Security Officer; communicating security-related HMIS information to the CHO End Users; and completing security training (from the HMIS Lead).

Security Contact
- Test CHO security practices
- Certify that CHO adheres to Security Plan
- Security-related communications: System Administrator, Security Officer, End Users
- Signs the Security Certification Checklist (Appendix E)

The Security Certification Checklist includes contact information for the CHO's Security Contact, a list of the Security Contact's duties, a checklist assuring consistency with the Security Plan, and signatures of both the Security Contact and the Executing Officer.

Security Certification Checklist
- Physical Security (S4.5.1, p. 31 & S4.6.1, p. 33)
- Backup Requirements (S4.5.2, p. 31 & S4.6.2, p. 33)
- Software Security (S4.5.3, p. 32 & S4.6.3, p. 31)
- Password Compliance (S4.5.5, p. 32 & S4.6.5, p. 34)
- Audit Compliance (S4.5.6, p. 33 & S4.6.6, p. 35)
- PII Management & Storage (S4.7, p. 35)
- Disposal Compliance (S4.7.3, p. 36)

Security Plan- Password Compliance
- Changed upon initial login
- > 8 characters
- At least 1 alphanumeric
- At least 1 numeric or special character
- Must not be easily guessed
- Different from prior 4 passwords
- Cannot be changed more than 1X/day
- Upon 5 unsuccessful login attempts, user is locked out for at least 30 minutes

Security Plan- Electronic PII
- May only be saved to encrypted hard drives
- Not stored on personally owned media
- Not placed on USB drive for personal use
- Protect from modification, theft or unauthorized access
PII Management and Disposal ( S.4, p. 35)

Security Plan- Hardcopy PII
- Locked files or file rooms
- Prevent exposure to others
- Not removed from places of business
- Sealed envelopes and receipt delivery records
- Fax Machines/Printers kept in secure areas
- Call recipients in advance of faxing

CHOs will follow their own policy for conducting background checks and hiring individuals with criminal justice histories. Each CHO will protect the physical security of the facilities and data storage media. They will copy and store HMIS data in a secure off-site location weekly (minimum). The checklist certifies that the restoration of backed up data has been tested within the last 12 months; that the bugs reported will be addressed within 3 business days; and that the CHO promptly applies all enhancements, upgrades, and bug fixes released by the software provider. In addition, they will install, update, and use anti-virus software on all owned devices (NOTE: minimum monthly scan for viruses and malware). Other specifics include firewall protection of HMIS data; remote-network access and non-owned devices; audit records of user activity; specifying that End Users may not electronically transmit any unencrypted client-level data across a public network; specifying any hard drives or removable media storing PII will be encrypted; specifying thresholds and process for security incident reporting; maintaining records of all security breaches; and maintaining and recovering access to its own data (S5 Disaster Recovery).

ACTIVITY- [TRUE OR FALSE SCENARIO/SECURITY PLAN]: Are these Security Plan scenarios True or False? HINT: Think about the Security Plan already in place at your organization!

XYZ Agency is a not-for-profit organization providing housing and employment services to families through their XXX Housing Project, YYY Employment Project, and ZZZ Child Care Project. They often receive client referrals from 123 Social Service Organization, which also operates within the NYC CCoC.

1. Jack is Case Manager at XXX Housing Project. Jack's client is also in need of employment services. Therefore, Jack sends an email with the Name, Date of Birth, and Social Security Number of his client to YYY Employment Project to request employment services. All emails at the XXX Housing Project are auto-encrypted, and therefore Jack is adhering to the HMIS P&P Security Plan requirements.
a. TRUE
b. FALSE

2. Jill is the Program Director for ZZZ Child Care Project. Parents, referred by 123 Social Service Organization, are requesting child care services for their child. The parents did not have any historical medical records or identification documentation for the child. Jill faxed a child information request form to 123 Social Service Organization, which included the personally identifiable information of the parents, but not the child. No phone calls or emails were made. Since the child will be receiving child care services, and not the parents, Jill adhered to the HMIS P&P Security Plan requirements.
a. TRUE
b. FALSE

3. Jack is mentoring Susan, a newly hired case manager at XXX Housing Project. Susan has signed a Project End User Agreement Form, indicating that she received all required training and has read, understood and agrees to fulfill all obligations of the HMIS P&P. However, Susan hasn't been given her own computer and log-in access yet. Jack has been walking through training steps with Susan on his computer with fake client data. He explained that she can get started entering in real client data when he's out to lunch later today. He will log-in with his username and password, and then she can get the work done on his computer. Since Jack and Susan have the same permission levels as Case Managers, Jack is adhering to the HMIS P&P Security Plan Requirements.
a. TRUE
b. FALSE

PRIVACY POLICY (S6, p. 38)

The goal of the Privacy Policy is to ensure that all required client data will be captured in the NYC HMIS while maintaining the confidentiality and security of the client. HMIS P&P S6, p. 38 Privacy Policy relates to this topic.

Privacy Policy
S6.1 GOAL = To ensure that all required client data will be captured in the NYC HMIS while maintaining the confidentiality and security of the data in conformity with all current regulations related to the client's rights for privacy and data confidentiality.
- S6.2 Policy Access & Amendment
- S6.3 Applicability
- S6.4 CHO Policy
- S6.5 Compliance Review
- S6.6 Privacy Policy Notice
- S6.7 HMIS Data Use and Disclosure
- S6.8 Access & Correction
- S6.9 Data Retrieval & Sharing
- S6.10 Record Retention Schedule
- S6.11 Grievance

The Privacy Policy will specify all potential uses and disclosures of client personal information; specify the purpose for collecting the information; specify the time period for which the data will be retained at the organization; specify the method for disposing or removing data identifiers (from personal information that is not in current use 7 years after it was added to the HMIS or last changed); state the process and applicability of amendments, and commit to documenting all privacy notice amendments; offer reasonable accommodations for persons with disabilities and/or language barriers throughout the data collection process; allow the client the right to inspect and to have a copy of their client record and offer to explain any information that the individual may not understand; specify a procedure for accepting and considering questions or complaints about the privacy policy.
Privacy Policy- Minimum Requirements
- Specify all potential uses & disclosures of PII
- Specify purpose for collecting the information
- Specify data retention time-frame & method for disposal or de-identification after 7 years
- Amendatory procedure & documentation
- Accommodate disability & language barriers
- Allow client's right to a copy of their record
- Specify process for privacy policy suggestions

Privacy Policy- HMIS Data Use and Disclosure
- Case Management services
- Payment/Reimbursement services
- Administrative functions
- Use of Services reports (aggregate data)
- Create de-identified (anonymous) information
- Track project-level outcomes
- Assess & plan service needs
- Conduct research studies

Each CHO's Privacy Policy will include a provision stating that the CHO will only collect data with the knowledge or consent of their clients. Each year, the CHO's Administrator will sign the Appendix D: Administrative and Software Certification Checklist, indicating that they are in compliance. The CHO may have its own Privacy Policy in place or adopt the HMIS P&P Appendix H: Example Minimal Standard CHO Privacy Policy.

Privacy Policy- HMIS Data Use and Disclosure
- When required by law
- To avert serious threat of health or safety
- To report abuse, neglect or domestic violence to government authority
- To a law enforcement official
- To comply with government reporting obligations for HMIS
- To third parties (i.e. conduct data match, or approved research by DHS IRB)

CHOs that maintain websites will post their adopted privacy policy to the website. Each CHO that is a recipient of federal assistance will provide required information in languages other than English that are common in the community. Accommodations for persons with disabilities may include sign language interpreters, readers, Braille, audio, large type, etc. Each CHO will describe in its privacy policy how it will manage requests from clients for correction of inaccurate or incomplete HMIS records.

Appendix H, p. 77: Example Privacy Policy
- What Policy Covers
- How & Why We Collect PII
- How We Use & Disclose PII
- How to Inspect & Correct PII
- Data Retention
- Complaints & Accountability

Privacy Policy- Privacy Policy Notice
- Privacy Policy accessible to clients & public
- CHO Privacy Policy posted on CHO website
- Client knowledge or consent of data collection
- Post sign where data collection occurs (S6.6.2, p. 40)
- Language & Disability accommodations

ACTIVITY- [TRUE OR FALSE SCENARIO/PRIVACY POLICY]: Are these Privacy Policy scenarios True or False? HINT: Think about the Privacy Policy in place at your organization!

1. Chris has requested a copy of his client record from XYZ Agency. His new case manager, Robyn, provides it to him in English. Chris does not understand the information and has asked for an explanation. Chris's previous case manager had entered the data on his client record, and no longer works at XYZ Agency. Therefore, no explanation was provided to Chris. Since a copy of client record was provided to the client upon request, XYZ Agency adhered to the HMIS P&P Privacy Policy requirements.
a. TRUE
b. FALSE

2. The 123 Social Services Organization does not have its own website and cannot post their Privacy Policy online. Therefore, 123 Social Services Organization is NOT adhering to the HMIS P&P Privacy Policy requirements.
a. TRUE
b. FALSE

3. XYZ Agency operates in a predominantly Spanish speaking community within NYC. XYZ Agency's website posts their Privacy Policy in English and Spanish. Their Privacy Notice sign is hanging at all areas where data is collected in both English and Spanish. Therefore, XYZ Agency is adhering to the HMIS P&P Privacy Policy requirements.
a. TRUE
b. FALSE

DATA QUALITY PLAN & PROJECT INFORMATION FORM (S7, p. 44 & Appendix F, p. 71)

The goal of the Data Quality Plan is that all NYC HMIS participants provide complete, accurate, and timely data for documenting the Continuum of Care needs, performance, and services provided to the homeless. HMIS data is included in reports for Annual Evaluation, Housing Inventory Count (HIC), Point in Time Count, and the Annual Homeless Assessment Report (AHAR). Reports may go to HUD, the Steering Committee, and other stakeholders. Improved participation and data quality will enhance the competitiveness of the NYC CCoC in the annual HUD competition.

Appendix F, p. 71: Project Information Form is completed by the CHO for each participating project. All NYC HMIS participants must adhere to the Data Quality Plan. CHOs ensure data is entered in the project-level HMIS-compliant system in a timely, complete, and accurate manner.

NOTE: Regarding data elements, the CHO will provide required Project Descriptor Data Elements prior to initial setup in HMIS. The CHO's participating projects' client records will include Universal Data Elements and Program-Specific Data Elements.

Data Quality Plan
S7.1 GOAL = to receive complete, accurate, and timely data uploaded to the NYC HMIS, for documenting the CoC needs, performance, and services provided to the homeless.
S7.2, p. 44 HMIS Participation Thresholds
S7.3, p. 45 Minimum Required Data Elements
S7.4, p. 45 Data Collection and Upload Standards
  S7.4.1 Timeliness
  S7.4.2 Completeness
  S7.4.3 Accuracy
S7.5, p. 47 Data Quality Monitoring
  S7.5.1 Data Quality Reporting
  S7.5.2 Remediation

Data Quality Plan- Appendix F. Project Information
- Each participating project
- Revised as per the 2014 HMIS Data Standards
- Project Descriptor Data Elements
- Resource and referral services
- Project type, funding source, main site description
- Type of housing offered
- Operations start date

Data Quality includes timeliness, completeness and accuracy of data entry. The goal of timeliness (S7.4.1, p. 45) is to ensure access to data when it is needed. This includes proactively planning, monitoring, and reporting; as well as reactively responding to inquiries, change requests, etc. Uploads to the NYC HMIS Data Warehouse are by the 10th business day of the following month. Data Quality corrections must be resolved no later than the 20th business day of the following month.

Data Quality Plan- Timeliness
- Data Uploads to NYC HMIS Data Warehouse: by the 10th business day of the following month
- Each CHO will develop and implement a policy requiring that all client data be entered into the project-level HMIS compliant system in accordance with the 2014 HMIS Data Standards
- 5 data collection points: record creation, project entry, update, annual assessment, and project exit

The 2014 HMIS Data Standards have five data collection points: record creation, project entry, update, annual assessment, and project exit. Each CHO will develop and implement a policy requiring that all client data be entered into the project-level compliant system accordingly. Data collected as an update should be entered within three business days.

The goal of completeness (S7.4.2, p. 46) is to ensure sufficient data on clients, their demographic characteristics, and service use to facilitate confident reporting and analysis on the extent and characteristics of homelessness including:
- Unduplicated counts of clients served in the CoC
- Patterns of use of people entering and exiting the homeless assistance system; and
- Evaluation of the effectiveness of homeless systems

Data completeness is evaluated by the HMIS Lead on a quarterly basis and will be calculated as an overall percentage of all required data fields for all clients active during the quarter. The quarterly report from the HMIS Lead (NYC DHS) to the CHO will indicate the number of clients added in the quarter, active in the quarter, and the missing/client doesn't know/client refused/data not collected rate for each data element for active clients. In addition, HMIS Lead will provide a length of stay and bed utilization report to all lodging projects in an effort to highlight all missing exit data.

NOTE: High rates of longer-than-expected lengths of stay and/or over-utilization of beds can indicate that clients are not being exited appropriately.

The goal of accuracy is to make sure HMIS data is entered correctly and can be verified with documentation. Each CHO will conduct logic checks on the data in its project-level HMIS-compliant system. They will regularly compare universal and program specific data elements to available paper records. The CHO will update and/or correct missing or inaccurate data.

NOTE: CHO Administrative and Software Checklist refers to this type of policy.

Data Quality Plan- Accuracy
Goal = Data entered correctly and can be verified with documentation
CHO will:
- Assess client truthfulness, accuracy of data collected by staff, and accuracy of data entered by staff
- Logic checks and compare with paper records
- Update and/or correct data

HMIS Lead will check consistency across all forms of reporting, and may refer Projects to the PQI Process. They monitor CHOs to ensure data quality issues are quickly identified and resolved. The HMIS Lead provides quarterly reports on project-level data completeness, length of stay, and bed utilization rate to agencies, Data Management Committee, CoC Steering Committee, and to the public via the CoC Website.

Data Quality Plan- Monitoring
- HMIS Lead runs quarterly reports for review:
  - Agency (via )
  - Data Management Committee
  - CCoC Steering Committee
  - Public website
- CHO corrects for subsequent monthly upload
- Additional training or referral to PQI Process
- May be considered in breach of their Participation Agreement

ACTIVITY- [TRUE OR FALSE SCENARIO/DATA QUALITY PLAN]: Are these Data Quality Plan scenarios True or False? HINT: Think about the Data Quality Plan in place at your organization!

1. Client Seth leaves the XXX Housing Project to live with a friend. No exit interview was completed. Case Manager Jack has entered the Project Exit Date, and selected Client Refused, in the Destination field. Jack is adhering to the HMIS P&P Data Quality Plan since a field is being selected from the drop down list instead of leaving it blank.
a. TRUE
b. FALSE

2. Case Manager Jack is admitting a new client into the XXX Housing Project. Since the client is replying to Jack's questions in Spanish, Jack enters Ethnicity as Hispanic without asking his client what his Ethnicity is. Jack is adhering to the HMIS P&P Data Quality Plan requirements because the Ethnicity field is completed.
a. TRUE
b. FALSE

3. Case Manager Jack asks his client for the Social Security Number. The client refuses to provide it. Jack enters the Social Security Number as and selects REFUSED in the SSN Data Quality field. Jack is adhering to the HMIS P&P Data Quality Plan requirements because he entered the data as per the client's response.
a. TRUE
b. FALSE

SUMMARY

In summary, HUD requires NYC HMIS Data Warehouse Participation and standards for its privacy, security, and data quality. The NYC CCoC has adopted the HMIS P&P v3.0 to assist participants (i.e. CHOs) in their efforts to adhere to HUD's requirements.

Communications regarding HMIS Policies and Procedures will be distributed via , telephone, NYC CCoC listserv, Data Management Committee Meetings, and/or Steering Committee meetings. CHOs may contact the HMIS Project System Administrator, Alyson Zikmund, azikmund@dhs.nyc.gov to resolve any concerns with the policies, procedures, or operations of the HMIS Project. For technical support of non-AWARDS systems (i.e. regarding data uploads), contact the HMIS Coordinator, Nicketa Nusum, nnusum@dhs.nyc.gov. For AWARDS systems, utilize Foothold Technology Services (FTS) online help desk. You may also refer to Appendix A: Data Warehouse User Guide.

Each CHO is responsible for submitting updated Appendix forms to the HMIS Lead annually. During the first implementation of HMIS P&P in 2013, CHOs had 30 days from their date of training completion to return the Appendix Forms. CHOs then had 90 days from the signature date on the Appendix Form to adhere to the HMIS Policies and Procedures. Some CHOs adopted Appendix G- Project End User Agreement, and Appendix H- Privacy Policy, if needed. Otherwise a copy of their policy and procedure in place was submitted with the Appendix Forms. In addition, DHS should be notified within 15 business days of any contact change to the Appendix Forms. We suggest that all trainees read through the appropriate HMIS P&P Sections and Appendices related to their role at the CHO.

Summary- Communications
- & Telephone
- NYC CCoC Listserv
- Data Management Committee Meetings
- Steering Committee Meetings

Summary- HMIS Lead Contacts
- HMIS Project System Administrator: Alyson Zikmund, azikmund@dhs.nyc.gov
- HMIS Coordinator: Nicketa Nusum, nnusum@dhs.nyc.gov
- HMIS Security Officer: Valery Dmitriev, vdmitrie@dhs.nyc.gov
- HMIS P&P Trainer: Sharon Fathi, sfathi@dhs.nyc.gov

Summary- Take-Aways!
Take a moment to reflect on the training materials, and think of at least 2 things you have learned that will be useful to you on the job!
- Scribe writes down team's answers
- Presenter will share results with the class
- Each teammate contributes


More information

a. When access is requested for non-clinical staff, the appropriate supervisory staff will be the staff s direct supervisor.

a. When access is requested for non-clinical staff, the appropriate supervisory staff will be the staff s direct supervisor. IV. Definitions A. Appropriate Access: Access to read, write, modify, or communicate EPHI via FOCUS, in the amount minimally necessary in light of an individual s role within the organization, and consistent

More information

Global Code of Business Conduct and Ethics

Global Code of Business Conduct and Ethics Global Code of Business Conduct and Ethics Message from the chairman Dear Colleagues: The Hay Group Global Code of Business Conduct and Ethics (the Code ) is our company s statement of commitment to the

More information

Contents. NRTT Proprietary and Confidential - Reproduction and distribution without prior consent is prohibited. 2

Contents. NRTT Proprietary and Confidential - Reproduction and distribution without prior consent is prohibited. 2 Privacy Policy Contents INTRODUCTION... 4 PROCESSING PRINCIPALS... 5 FAIRNESS AND LAWFULNESS... 5 RESTRICTION TO A SPECIFIC PURPOSE... 5 DELETION... 5 CONFIDENTIALITY AND DATA SECURITY... 5 RELIABILITY

More information

Corporate Compliance Plan

Corporate Compliance Plan Long Island Association for AIDS Care, Inc. Corporate Compliance Plan Developed: July 2011 Last revised/reviewed: 2/11/14, 2/11/15, 2/12/16 Approved by the Board: 4/3/14, 4/23/15, 2/25/16 Page 1 of 13

More information

Scope Policy Statement Reason For Policy Procedure Definitions Sanctions Additional Contacts History. Scope. University Policies.

Scope Policy Statement Reason For Policy Procedure Definitions Sanctions Additional Contacts History. Scope. University Policies. Management of Human Resource Records: Personnel Records for Staff and Temporary Employees and Benefit Program Records for All Employees, Retirees, and COBRA Participants About This Policy Effective Date:

More information

Standards for Excellence Program Organizational Self-Assessment Checklist

Standards for Excellence Program Organizational Self-Assessment Checklist Standards for Excellence Program Organizational Self-Assessment Checklist Instructions for using the checklist: if the organization has met the standard, X if the organization has not met the standard,

More information

External Supplier Control Obligations. Information Security

External Supplier Control Obligations. Information Security External Supplier Control Obligations Information Security Version 8.0 March 2018 Control Area / Title Control Description Why this is important 1. Roles and Responsibilities The Supplier must define and

More information

Continuum of Care (CoC) Application

Continuum of Care (CoC) Application Continuum of Care (CoC) Application e-snaps Instructional Guide Version 1 Page 0 Table of Contents Introduction... 1 Objectives... 1 Overview of this Navigational Guide... 2 Tips for Completing the : Knowing

More information

PHWIGC framework that addresses the issues raised by the Francis Report. Author: John Morley & Jane Evans Information Governance Managers

PHWIGC framework that addresses the issues raised by the Francis Report. Author: John Morley & Jane Evans Information Governance Managers PHWIGC 17 03 Information Governance Audits Purpose of Document: To describe the process that Public Health Wales Information Governance Managers will follow when undertaking announced and unannounced Information

More information

University for the Creative Arts Application Declaration. Data Protection Privacy Notice

University for the Creative Arts Application Declaration. Data Protection Privacy Notice University for the Creative Arts Application Declaration Data Protection Privacy Notice The University for the Creative Arts takes its obligations with regard to data protection seriously. As such, we

More information

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company ) RSD Technology Limited - Data protection policy: Introduction Company Name: Document DP3 Topic: RSD Technology Limited ( the Company ) Data Protection Policy Data protection Date: 25 th May 2018 Version:

More information

UNITED BANK FOR AFRICA (UK) LIMITED PRIVACY NOTICE

UNITED BANK FOR AFRICA (UK) LIMITED PRIVACY NOTICE UNITED BANK FOR AFRICA (UK) LIMITED PRIVACY NOTICE United Bank for Africa (UK) Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential

More information

Sarbanes-Oxley Compliance Kit

Sarbanes-Oxley Compliance Kit Kit February 2018 This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE Disaster Recovery

More information

Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2

Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2 Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2 Abstract This document may be provided to Immigration and Customs Enforcement (ICE) in connection with a Form

More information

GDPR Policy of Lovedaycare Nursery

GDPR Policy of Lovedaycare Nursery GDPR Policy of Lovedaycare Nursery WHAT IS THE PURPOSE OF THIS DOCUMENT? DATED 24 May 2018 GDPR PRIVACY NOTICE FOR EMPLOYEES, CHILDREN ATTENDING LOVEDAYCARE LTD AND THEIR PARENTS Lovedaycare Ltd is a company

More information

Data Protection Policy

Data Protection Policy Data Protection Policy This policy will be reviewed by the Trust Board three yearly or amended if there are any changes in legislation before that time. Date of last review: Autumn 2018 Date of next review:

More information

EEA General Data Protection Regulation Privacy Notice - University of Rochester Office of Advancement

EEA General Data Protection Regulation Privacy Notice - University of Rochester Office of Advancement EEA General Data Protection Regulation Privacy Notice - University of Rochester Office of Advancement This Notice describes the practices of the University of Rochester (the University ) with respect to

More information

ATCO Gas Code of Conduct Regulation (A.R. 58/2015) Compliance Plan

ATCO Gas Code of Conduct Regulation (A.R. 58/2015) Compliance Plan ATCO Gas Code of Conduct Regulation (A.R. 58/2015) Compliance Plan Effective Date: June 27, 2017 ATCO Gas Code of Conduct Regulation Compliance Plan PURPOSE...3 PART 1 INTERPRETATION...4 1.0 DEFINITIONS...

More information

NORTH WASCO COUNTY SCHOOL DISTRICT 21

NORTH WASCO COUNTY SCHOOL DISTRICT 21 NORTH WASCO COUNTY SCHOOL DISTRICT 21 HUMAN RESOURCES DEPARTMENT 3632 West 10 th Street The Dalles, Oregon 97058 (541) 506-3420 or online at www.nwasco.k12.or.us of Application: Position applied for: Contact

More information

Information Security Policy

Information Security Policy Information Security Policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 NHS Business Services Authority Information Security policy Head of Security

More information

Privacy Impact Assessment

Privacy Impact Assessment OCTOBER 2, 2013 Privacy Impact Assessment DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT (HUD) COUNSELOR DATASET AND CFPB HOUSING COUNSELOR LOCATOR TOOL Contact Point: Claire Stapleton Chief Privacy Officer

More information

Conducting a Point-in-Time Count. An Overview of All Things PIT

Conducting a Point-in-Time Count. An Overview of All Things PIT Conducting a Point-in-Time Count An Overview of All Things PIT Who We Are Jackie Janosko Cheryl Bell Noel Kammermann Research Analyst Clinical Director Chief Officer of Program Effectiveness & Performance

More information

CODE OF ETHICS/CONDUCT

CODE OF ETHICS/CONDUCT CODE OF ETHICS/CONDUCT This Code of Ethics/Conduct ( Code ) covers a wide range of business practices and procedures. It does not cover every possible issue that may arise, but rather provides information

More information

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION REGULATION (GDPR) WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION REGULATION (GDPR) Published by: The

More information

HART HOMELESS MANAGEMENT INFORMATION SYSTEM POLICIES AND PROCEDURES HANDBOOK

HART HOMELESS MANAGEMENT INFORMATION SYSTEM POLICIES AND PROCEDURES HANDBOOK HART HOMELESS MANAGEMENT INFORMATION SYSTEM (HART HMIS) POLICIES AND PROCEDURES HANDBOOK VER. 1 JULY 2014 The HART Homeless Management Information System (HART HMIS) is managed by the Homeless Advocacy

More information

Triple C Housing, Inc. Compliance Plan

Triple C Housing, Inc. Compliance Plan Triple C Housing, Inc. Compliance Plan Adopted by Board of Directors on draft November 13, 2014 Overview Triple C Housing, Inc. is committed to its consumers, employees, contractual providers, vendors,

More information

The current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions.

The current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions. Page 2 of 10 Data Protection Policy Chief Information Officer Chief Information Officer Data Protection Officer The current version (July 2018) is derived from, and supersedes, the version published in

More information

KRONOS WORLDWIDE, INC. SAFE HARBOR PRIVACY POLICY Effective December 1, 2009 Amended and Restated as of July 20, 2012

KRONOS WORLDWIDE, INC. SAFE HARBOR PRIVACY POLICY Effective December 1, 2009 Amended and Restated as of July 20, 2012 . SAFE HARBOR PRIVACY POLICY Amended and Restated as of July 20, 2012 I. OBJECTIVES The objective of this policy is to comply with applicable laws and regulations and document the processes and procedures

More information

Salt Lake County Continuum of Care Governance Charter

Salt Lake County Continuum of Care Governance Charter Salt Lake County Continuum of Care Governance Charter HEARTH Act 2009 The Homeless Emergency Assistance and Rapid Transition to Housing Act of 2009 (HEARTH Act) The (HEARTH Act) amended the McKinney-Vento

More information

APPLICANT PRIVACY POLICY

APPLICANT PRIVACY POLICY APPLICANT PRIVACY POLICY Last Updated: June 2018 Laureate Education, Inc. ( Laureate ) values your trust and is committed to the responsible management, use and protection of personal information. This

More information

St Michael s CE Primary School Data Protection Policy

St Michael s CE Primary School Data Protection Policy St Michael s CE Primary School Data Protection Policy We will prepare the children at St. Michael's school for life, by giving them the opportunity to fulfil their potential within a happy caring Christian

More information

Consent Management Implementation Guide

Consent Management Implementation Guide Common Privacy Framework Consent Management Implementation Guide CCIM Assessment Projects Common Privacy Framework Consent Management Implementation Guide 1 This material and the information contained

More information

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients TECHNICAL RELEASE TECH 05/14BL Data Protection Handling information provided by clients ABOUT ICAEW ICAEW is a world leading professional membership organisation that promotes, develops and supports over

More information

IBM Emptoris Contract Management on Cloud

IBM Emptoris Contract Management on Cloud Service Description IBM Emptoris Contract Management on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients

More information

PMI CONSUMER PRIVACY NOTICE

PMI CONSUMER PRIVACY NOTICE PMI CONSUMER PRIVACY NOTICE We take privacy seriously. This notice tells you who we are, what information about you we collect, and what we do with it. Please also read our terms of use relating to the

More information

Delta Dental of Michigan, Ohio, and Indiana. Compliance Plan

Delta Dental of Michigan, Ohio, and Indiana. Compliance Plan Delta Dental of Michigan, Ohio, and Indiana Compliance Plan Procedure #: 420-29 Issue Date: 5/15/2013 Last Revised Date: 5/23/2016 Last Review Date: 5/23/2016 Next Review Date: 5/23/2017 Title: Compliance

More information