Privacy and Security: Allowable AKHMIS and CES Uses and Disclosures of Protected Personal Information

Definition:

Protected Personal Information (PPI): Any information maintained by or for a Covered Homeless Organization about a client at-risk of or experiencing homelessness that: (1) Identifies, either directly or indirectly, a specific individual; (2) can be manipulated by a reasonably foreseeable method to identify a specific individual; or (3) can be linked with other available information to identify a specific individual.

PPI includes, but is not limited to, Social Security numbers, passport numbers, drivers license numbers, addresses, email addresses, photos, biometric data, or any other information that can be traced to one individual. Medical, educational, financial, and employment information all fall under PII.

ALLOWABLE AKHMIS AND CES USES AND DISCLOSURES OF Protected Personal Information (PPI)

• Client consent for any uses and disclosures defined in this section is assumed when organizations follow HUD HMIS Standards for notifying clients of privacy policies.
• A Covered Homeless Organization (CHO) may use or disclose PPI from the AKHMIS, and/or the CoCs CES under the following circumstances:
• To provide or coordinate services for an individual or household;
• For functions related to payment or reimbursement for services;
• To conduct administrative functions, including but not limited to legal, audit, personnel, oversight, and management functions;
• When required by law;
• For research and/or evaluation; or
• For creating de-identified PII.

More information can be found in the AKHMIS Policies and Procedures.

Email protocol for sharing PPI

DO NOT include client names, social security number or other information that identifies, either directly or indirectly, a specific individual in emails or Help Desk requests.

DO NOT attach a report or screenshot which may include client names, social security number or other information that identifies, either directly or indirectly, a specific individual in emails or Help Desk request.

DO USE the client record ID to identify the client in an email or Help Desk Request.

DO USE ONLY ENCRYPTED EMAIL with end-to-end encryption for any message that contains PPI. An alternative is to make a phone call directly to the authorized person who needs the information.

DO CONTACT AKHMIS Help Desk if you need help securely transmitting a report that contains PPI. Contact the Help Desk prior to transmitting the report.

DO STORE reports that may include PPI in a secure location when not in use (such as a locking file cabinet, locking shred bin, or locking desk drawer).