Data Privacy and COVID-19
HMIS Data Privacy and Security
ICA Minnesota has received the question "Since the HMIS COVID-19 survey contains medical information, are we to ask the client's permission to put this in HMIS?" You do not need to ask for additional consent to document COVID-19 symptoms or screening results. It's important to note that self-reported health information has long been in HMIS and that information is only shared within HMIS if the client has consented to sharing their information statewide. If the client didn't consent to sharing their information statewide, a closed record would be created, which would then prevent any sharing of information within HMIS. With regard to sharing out client information (i.e. disclosure), please refer to the following guidance.
The 2004 HMIS Privacy and Security Standards outline the conditions under which select data can be shared when the safety or health of you or others is at risk. HUD released additional guidance at the end of March 2020 regarding COVID-19 and Data Sharing Practices, indicating it is permissible to share a participant’s COVID-19 status for the following purposes:
- Coordinating Services;
- Preventing/lessening threats to health or safety (see below); and
- Complying with state or local law.
HUD offers this guidance regarding Threats to Health or Safety:
A provider may share a participant’s COVID-19 status under applicable law and standards of ethical conduct if: 1) the provider believes in good faith that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public; and 2) the information is shared with a person reasonably able to prevent or lessen the threat. Note that the threat to health or safety can be a threat to any individual or the public in general. Under current emergency circumstances, disclosing COVID-19 status to anyone offering services to a client meets this standard. Disclosing information about other individuals possibly exposed to COVID-19 is also permissible under this authority to either the exposed individuals; to anyone who can offer health care, protection, or assistance to an exposed individual; or to anyone who can lessen the threat of COVID-19 to themselves, to others or to the public.
HUD has also provided guidance on some scenarios that might come up regarding sharing HMIS information right now. It's important to note that while the HMIS Standards do allow for uses and disclosures of personally identifiable information (PII) for specific situations, providers should err on the side of caution when disclosing client information. If you need any clarification, you can always contact the Helpdesk with your questions!
On a related note, the expanded visibility of the alert system will be removed when "there is no longer community transmission or until there is a viable treatment or vaccine available to all, whichever occurs first." The Policy & Prioritization Committee of the HMIS Governing Board voted to adopt this guidance during the August 5, 2020 committee meeting. Alerts will still be in the client's record, but visibility will once again be reduced to the preexisting data sharing visibility arrangements for that particular provider.
HIPAA and HMIS
It is a common misconception that information you enter into HMIS is covered by HIPAA rules; however, HMIS and HIPAA have different standards. While the HMIS privacy and security standards were based on HIPAA privacy and security standards, HIPAA standards are actually less protective of client information than the HMIS standards! (Read more about HMIS Protections below.)
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a series of federal confidentiality provisions relating to how protected health information (PHI) should be handled. Within HIPAA there are several rules outlined; the rule that many service providers associate HIPAA with is the Privacy Rule. This rule outlines who is covered, what information is protected, and how protected health information can be used and disclosed. HIPAA-covered entities must comply with the guidelines of HIPAA (HHS HIPAA page).
What is PHI?
In the HIPAA rule, protected health information (PHI) is defined as "individually identifiable health information," which means an individual's health information and demographic information. This could include (but isn't necessarily limited to):
- Personally identifiable information (PII)
- Past, present, or future health status of the individual
- The individual’s health care provider(s)
Read more about the HIPAA definitions (45 C.F.R. § 160.103).
Is ICA covered by HIPAA?
- No. However, we maintain a database that HIPAA-covered entities enter information into.
HMIS Data Protections
Agencies that participate in statewide data sharing are required to provide the release of information (ROI) documentation to an individual initially entering HMIS and explain how the information that is collected may be used. Clients are given the option to opt out, with the understanding that services may be limited by lack of consent. While some information may be required by projects or public or private funders to determine eligibility for housing or services, or to assess needed services, clients generally should not be denied assistance if they refuse or are unable to supply certain pieces of information.
Personal information collected varies by program/funder, but information that is not necessary to obtain services should not be collected or shared.
Use the Release of Information (HIPAA) if your agency is covered under HIPAA. ICA will not be able to determine whether or not your agency is a covered entity, so it is important for you to know whether or not you must comply with HIPAA in addition to the HMIS privacy and security standards.
What does this all mean for my agency that is a HIPAA-covered entity?
- You are required to use the HIPAA-specific ROI
- You must ask this question: "(If HIPAA) Include client in database research?"