02. Data Sharing & Privacy in HMIS

Overview

This article will explain the concepts of Data Sharing, Privacy, Security, and Confidentiality in HMIS, as well as the basics of how client information in HMIS is made visible, or shared statewide, with agencies that participate in Minnesota's HMIS, and how some elements of client records may not be shared based on client consent.


  • More About This — Further important information is found in this section.
  • Details — Specific details and/or step-by-step workflows will be described in this section.
  • Video — Any relevant videos will be posted in this section.

More About This

💥You can view and download all documents referenced in this article on the HMIS Minnesota website, in the Client Intake Documents section of this page: Administrative Documents


Details

It is important that all HMIS users understand the value of the following concepts:

  • Data Sharing pertains to the visibility of how different elements of client records are shared statewide in Minnesota's HMIS, and how clients are in control of authorizing the sharing of transaction information in the system.
  • Data Privacy is about the client’s right to what information is collected and stored in HMIS, how/when it is shared, who can see it, how their privacy is protected, and what their rights are. This includes the HMIS data of any children or minors of whom a client may be the legal guardian. 
  • Data Security is the protection of client data from accidental or intentional but unauthorized modification, deletion, or disclosure, using physical security, software security, administrative procedures, personal responsibility, and other safeguards to limit accessibility.
  • Data Confidentiality is your ethical obligation to keep client information private unless you are given explicit authorization by the client to share the information through the HMIS Release of Information.

Client Data Sharing in ClientTrack

In ClientTrack, client data is split into two categories:

  • BASIC INFORMATION: This is information that rarely or never changes for an individual. This includes, but may not be limited to, full name, date of birth, social security number, demographics, basic contact information, and family information. Collection of this information ensures that duplicate client records are not created in HMIS.
    • This data is visible to all MN HMIS end users by default. Clients do not opt-in or opt-out of this, but they are informed of this when presented with the HMIS Release of Information and the Data Privacy Notice. Clients may still decline to provide this basic information and they cannot be denied services for doing so.
  • TRANSACTIONAL INFORMATION: This type of information includes services a client receives, specific programs they are enrolled in, and more in-depth personal history about their experience of homelessness and barriers.
    • In order to make this data visible to all agencies in HMIS, clients must consent to sharing it via the HMIS Release of Information. The HMIS ROI only needs to be presented to the client once, by the agency completing the client's first intake in HMIS. This consent should be applied to all transactional data entered going forward, unless or until the client later revokes consent.

This option allows for one and only one record to be created for every client in HMIS.​ Having a single record for each client reduces the number of questions clients must answer when seeking assistance, improves data quality, and provides those reviewing HMIS data with a clearer understanding of who is participating in the homeless response system.​


Statewide Data Sharing

Minnesota's HMIS continues to use a Statewide Data Sharing model (often abbreviated as SWDS). This means that when a client consents to share their Transactional Information, that data is visible to any agency or end user that participates in HMIS in Minnesota. There is not an option to select by-agency or by-end user who can see specific client data. This is a straightforward approach that ensures optimal service coordination across homeless response agencies.

  • NOTE: HMIS users and agencies must have a business purpose for engaging with a given client record. Having access does not mean users can look up anyone they want. Access to client data is still restricted to having a legitimate reason for doing so (aka, the agency is planning to engage the client in specific services). Users agree to this when they sign the HMIS User Agreement upon completion of User Training.

The HMIS Release of HMIS Information (ROI)

By completing the HMIS ROI, clients will indicate either Share or Do Not Share for their Transactional Information data in HMIS. By selecting Share, they are consenting to Statewide Data Sharing, ensuring optimal service coordination and minimizing the need to "re-collect" data at each agency they receive services from.

  • The HMIS ROI must be presented to every client in your program at intake, or to each adult in a household. Guardians should also complete and sign the ROI on behalf of their minor children.

For step-by-step instructions on how to record the client's sharing consent when creating a new client record, please see the article titled: Client Intake: Release of Information


The HMIS Data Privacy Notice

The HMIS Data Privacy Notice (or abbreviated as DPN) informs clients about what information is collected and stored in HMIS, how/when it is shared, who can see it, how their privacy is protected and kept confidential, and what their rights are. Clients do not consent to the DPN - it is simply presented to them so that they are aware and understand.

  • The DPN must be presented to all clients at intake at the same time that the client is being presented with the HMIS Release of Information.
  • The DPN must also be visibly posted at your agency, in compliance with HUD data policies, where it is viewable by clients at intake.
  • The DPN is available for your agency to download and print from our website, linked at the beginning of this article. As of August 2024, the DPN is only available in English, however it will be translated into Spanish, Hmong, Russian, Karen, and Somali as soon as possible.

Data Privacy Requirements of HMIS Agencies & Users

The HMIS User Policy is a form signed by all new HMIS users before they gain access to the system. It specifies the responsibilities of individuals who access Minnesota’s HMIS and includes limitations on collecting data and accessing data.  

Highlights:

  • HMIS-participating agencies must notify the MN Helpdesk within 24 hours whenever an HMIS user leaves their position and is no longer employed by the agency!
  • Your HMIS password and account is for your use only and must not be shared with anyone, even other HMIS users at your agency. Sharing your HMIS password or access with anyone else is a serious user violation and may result in suspension of your access to the system.
  • HMIS users must make sure that information taken from HMIS is not shared with non-agency staff, including staff from other agencies. HMIS users are only able to share information in HMIS with non-HMIS users within the same agency in order to provide services. This data can be shared in the form of screenshots or downloaded reports. 
  • If you are logged into HMIS and leave the work area where the computer is located, you must log out of the site before leaving the work area.
  • It is also your agency’s responsibility to ensure that all users keep their HMIS training up-to-date on a continual basis. 
  • Your agency's physical paper client files, including signed Releases of Information, should always be stored in a locked cabinet in a locked staff office, and kept for at least seven years.

Why is This So Important?

HMIS Data privacy and security should be a priority for all of us, in part because of the nature of the data being entered into our system.

We are stewards of the very personal and private data of highly vulnerable populations in our state, many of whom are going through a difficult time in their lives when we are collecting their information and entering it into HMIS. ICA takes this responsibility very seriously, and the expectations of our HMIS users reflect this.  

Collecting and sharing participants’ personal information is often a necessary aspect of helping people to resolve their housing crises.

Decisions regarding the type of service or housing assistance that would be most appropriate for a household are often based on sensitive participant information collected over time, and potentially used by multiple providers in electronic and printed formats. It is the responsibility of all who use Minnesota’s HMIS to keep this sensitive client information as secure and confidential as possible. 


Video

Under construction, coming soon!

Back to top


Related Articles & References

Under construction, coming soon!


Core HMIS Workflow How-to Guides:

HMIS Fundamentals

ClientTrack Basics

Client Intake

Program Enrollment


Questions? Email the Helpdesk: MNHMIS@icalliances.org

Still need help? Contact Us Contact Us