What data privacy concerns should I be aware of in HMIS?
Entering and accessing data comes with a high degree of responsibility on the part of agencies and users.
Key responsibilities include:
- Posting the Posted Data Privacy Notice. This document must be posted at each intake desk or comparable location.
- Providing each client with the Data Privacy Notice and Release of Information. The Release of Information (ROI) allows the client to dictate whether they would like to share their data with agencies statewide. If an ROI has been properly recorded in the client’s HMIS record by another agency, you need not present the client with another ROI form. There are several versions of the ROI available on the Administrative Documents page, including translations into five languages.
- No conditioning of services. Agencies may not condition any services upon, or decline to provide any services to a client based upon, a client's refusal to sign the ROI, unless a program funder or internal management practices require the entry of identified information into the HMIS to deliver services. Agencies may not limit client service or refuse to provide service in a way that discriminates against clients based on information obtained from HMIS. Agencies may not penalize a client based on historical data contained in the HMIS.
- Responding to client grievances. The Service Recipient Grievance form must be made available to clients upon request and is used to submit a confidential formal grievance about the way their personal and private data has been used with Minnesota’s HMIS. The Partner Agency and the Lead Agency are prohibited from retaliating against clients for filing a complaint.
- Keeping HMIS intake forms or printed information from HMIS in a secure file. This applies to any client-level data for entry in HMIS or reported out of HMIS.
- Not sharing passwords. Users are strictly prohibited from sharing passwords, and written passwords must be kept physically secure. Only authorized users may access HMIS.
- Abiding by minimum necessary use. Users are bound by the User Agreement to only view, obtain, disclose, or use HMIS information necessary to perform their jobs. Users may only access information for legitimate business purposes of their Agency.
- Logging out if you walk away. If a user needs to leave the work area where their computer is located, they must log off before leaving the area.
- Notifying ICA within 24 hours when a user needs to be deactivated. Notify the Helpdesk within 24 hours if a staff person is leaving your agency or no longer needs HMIS access. [Tip: add a step to your employee departure documentation to make sure this happens consistently!] When you contact the Helpdesk, please let us know whether you want to keep the user’s license assigned to your agency so it can be transferred to a new user once they complete training.
- Immediately notifying ICA of any real or potential security breaches.
Comprehensive data privacy requirements and consequences for violating those requirements are spelled out in several documents, linked below.