Privacy and Security: AKHMIS Privacy and Security
HMIS Privacy is a client’s right to have control over data about themselves, including how it is accessed and used. HMIS Security is the set of measures used to protect data and uphold client privacy.
A critical part of providing shelter and homeless services is collecting information from people to make informed decisions about the services or housing they could benefit from. These decisions are often based on sensitive client information, so HUD requires CoCs and organizations to have strict policies and safeguards in place to protect this information.
Why is this important? If you share a person’s AKHMIS data inappropriately, you are putting that person at risk. This is a type of data breach. If you are responsible for a data breach, you or your organization must contact the person to let them know about the data breach.
How do you avoid creating a data breach that puts people at risk? Learn the allowable ways to share AKHMIS data and avoid sharing data outside of the allowable ways. This training has the details you need to know.
Data Privacy
The Statewide Consumer Notice must be posted wherever client information is collected. This may include a case manager’s desk, a physical or digital copy that street outreach workers share with clients, or any space where interviews with people are conducted for HMIS or Coordinated Entry. We need to inform clients that we collect their personal information and enter it into a private, protected database. We also need to inform them that only the minimum data necessary is collected, and that it is used to run programs, improve services, and continue to receive funding to provide these services.
Staff must provide a verbal explanation of HMIS and its purpose within the organization to all clients and ensure that clients understand the Statewide Consumer Notice. Make sure you can provide a client with a copy or direct them to an online location.
Arrangements must be made for a qualified interpreter for clients who have difficulty understanding English. If a person requests it, a copy of the Alaska CoC Statewide Privacy Policy must be provided to them.
Clients have a right to know what information about themselves (and about those under their care) is stored in HMIS. An HMIS user at an organization is required to review a person’s HMIS data with them if they make this request. Clients may only request their own HMIS records, and those of any child or dependent of whom they have legal guardianship.
Allowable Data Disclosure
Client-level HMIS data can only be disclosed or shared under specific circumstances as outlined in the AKHMIS Policies and Procedures. The following are scenarios that allow you to disclose a person’s AKHMIS data:
- When you are collaborating with another organization that also uses AKHMIS to provide services to a client, such as referring a client to a housing program, you are allowed to reference a client’s information.
- When you and your coworkers are evaluating the effectiveness of your organization’s programs, you are allowed to reference a client’s information.
- When you are helping prevent a serious threat to safety, such as calling law enforcement and providing a client’s name and date of birth if they are a safety threat to themselves or another person, you are allowed to reference a client’s information.
- When speaking with law enforcement who are seeking a fugitive, you are allowed to disclose whether a client is present in your facility – HOWEVER, in most non-emergency situations, law enforcement officials must submit a written request or a warrant to access any client-level data. If you’re unsure about what to do in a situation like this, email the AKHMIS Helpdesk to confirm if you are allowed to disclose data or not.
When you do have an allowable reason to share a person’s HMIS data, make sure you’re only sharing the data that’s required. For example, when coordinating care with another provider who uses AKHMIS, share only the person’s Client ID number and any pertinent information that is not already recorded in AKHMIS. As much as possible, HMIS data should be kept within HMIS; if you need to refer to a specific client within HMIS, use only their Client ID number.
Non-Allowable Data Disclosure
These are scenarios where you are not allowed to disclose a person’s HMIS data:
- When you are interacting with clients, you are not allowed to reference another client’s information.
- When you are speaking to a client’s family or friends, you are not allowed to reference the client’s information.
- When you are speaking to elected officials or members of the press, you are not allowed to reference a client’s information.
- When you are speaking to another provider that uses AKHMIS about anything not related to coordinating services for a person, you are not allowed to reference that person’s information.
Data Security
Organizations must have internal policies to ensure all baseline security measures are met and maintained for equipment used to access HMIS.
The basic requirements for all computers and devices used to access HMIS are secure internet access, virus protection, network traffic firewall protection, up-to-date internet browsers, and a password-protected screensaver.
Email is not as secure as AKHMIS. Client information should not be shared over email unless there is end-to-end encryption. Most email does not have end-to-end encryption and therefore cannot be used to send client names or other protected client information. You should only communicate about a client’s HMIS record by referencing the Client ID number.
HMIS complies with HIPAA, and all federal, state, and local confidentiality laws to protect client confidentiality. Personal client information is stored on an encrypted centralized database, and the HMIS software vendor uses a secure connection when information is transferred over the web.
Every HMIS user is granted a unique user ID and password. Users must choose a strong password and never share their password with anyone, including ICA. Click the link to test the strength of your current password: https://www.security.org/how-secure-is-my-password/
Do not set your internet browsers to save your HMIS password. If you do this and someone else uses your computer and logs in with your password, it is a data breach that you are responsible for. AKHMIS includes an audit trail that shows everything done under your login, so guard that login information carefully!
Users must ensure that their screen is not visible to non-HMIS users while working in HMIS, and must lock their computer whenever stepping away from it. Allowing someone to look over your shoulder while you’re working in HMIS is a data breach unless they have the same HMIS access you do.
Do not access client data on a public computer (like at the library), in a public setting (like at a coffee shop), or over unsecured public wi-fi (like free wi-fi offered in public spaces). In any of those places, an unauthorized person could steal your login information and create a data breach.
These are additional user requirements to protect client information:
- Organizations must have internal policies for not allowing unauthorized individuals in areas where client data is entered into HMIS.
- HMIS data should be kept within HMIS as much as possible, but if any information is printed from HMIS it must be handled and stored appropriately.
- Physical client files should be stored in a locked filing cabinet, or in an office with a door that locks. If you need to write down your password, you must keep it in a secure location.
- If you become aware of AKHMIS data being improperly handled or shared outside of what’s allowable in the AKHMIS Policies & Procedures, you are required to report it immediately to the AKHMIS Help Desk. Once the data breach is reported, ICA can take steps to restore data security.
Privacy and Security in Your Job
The best way to prevent a privacy or data breach is to keep data in HMIS as much as possible. If you need to reference a specific client in communication, simply use their Client ID number and have the recipient look up the information in HMIS themselves.
Never communicate a client's name, date of birth, social security number, or any other identifying information online without encryption. You should never send a standard email with any of this information.
Keep your HMIS login information to yourself. You are responsible for all activity under your account. If you think someone else can log in “as you,” you can change your password at any time.
Only access HMIS client records in private, secure locations. Don’t use a public computer to access HMIS, make sure others can’t look over your shoulder at your screen, and always log out of HMIS when you are done. Make sure any downloaded HMIS files are deleted completely after use, or stored in a password-protected, secure location.
Video
Click to view the video: Video – AKHMIS Privacy & Security
Resources
AKHMIS Policies and Procedures
Alaska CoCs Statewide Consumer Notice