05. ROI Frequently Asked Questions
Overview
This article contains frequently asked questions about data sharing in HMIS. This FAQ list has been populated based off of questions we've received during ClientTrack training and demo sessions. ICA will continue adding to this article as we receive more questions and build clearer answers.
Details
What is the Data Privacy Notice (DPN) and HMIS Release of Information (ROI)?
The purpose of the first page of the form - the Data Privacy Notice (DPN) - is to inform clients about what kinds of information are collected in HMIS, why its collected, who can see it, how privacy is protected, and what the client's rights are. It should be presented at intake and thoroughly reviewed with the client. Agencies should provide each client with a written copy of the DPN.
The purpose of the first page of the form - the HMIS Release of Information (ROI) - is to enable clients to choose whether or not they want their transactional information in HMIS shared to be visible/available to all agencies statewide. If I client says that they do not want that information shared (they only want it visible to the agency collecting it), then the transactions being entered by that agency must be set to "Restrict to Organization" in ClientTrack.
What is the "Posted" Data Privacy Notice, and how is it different?
The "Posted" DPN is a separate file available to download and print, and is a simplified version of the full Data Privacy Notice that clients read when they sign the ROI. Agencies are required by HUD to post this notice in a visible locations that clients can see as a consistent reminder. It does not replace the full DPN that clients must be presented with. It is designed to be more of an ongoing reminder.
Is there a new ROI and DPN now that we're in ClientTrack?
YES! The data visibility and sharing structure in ClientTrack (CT) is quite different from our former experience in Community Services (CS). In CS, the whole entire record was either shared or not shared. In CT, core "basic information" is visible by default to all end users (as explained in the DPN). This ensures we can minimize creation of duplicate records. When clients sign the ROI, they are agreeing or not agreeing to share their "transactional information". All existing clients must be presented with the new ROI and DPN.
Do clients need to sign the new ROI even if they signed the previous one before we switched over to ClientTrack?
Yes, all existing clients should be presented with the new DPN and ROI.
Where should my agency store signed paper copies of client HMIS ROIs?
Agencies should store physical copies of signed releases in a secure physical location within their organization. ClientTrack does have functionality for uploading and storing releases in the system, however that will not be immediately available at go-live.
Is there a place in ClientTrack where I could store the signed ROI?
Yes! You could upload it to the Client Files section. The ROI document would be considered "Basic Information" so you should keep the Visibility marked as "All Organizations". That will ensure other agencies can actually reference it.
What is the difference between the Standard/HIPAA/MGDPA ROI versions?
Some organizations that utilize HMIS are covered under the Health Insurance Portability & Accessibility Act (HIPAA) or the Minnesota Government Data Practices Act (MGDPA). ICA does not currently maintain a list of which agencies are covered under either of these laws. If you are uncertain of the status of your own agency, please reach out to your organization's leadership for further clarity.
The key differences are that MGDPA and HIPAA organizations cannot collect verbal consent over the phone - it must be collected in person. Additionally, HIPAA covered organizations have an additional prompt to enable clients to opt in or out of their information being included in research.
Can the HMIS ROI be read and signed by the client verbally over the phone?
A signature is not required on the general HMIS ROI and agencies can document that verbal consent was obtained verbally from the client by indicating this on the signature line. Agencies should refer first with their own data privacy agreements, then any data sharing arrangements they may have. (For instance, verbal consent is NOT allowed for HIPAA-covered agencies.) Additionally, make sure the Data Privacy Notice is available to clients at intake, even if an intake is being conducted over the phone.
If a client declined statewide data sharing and that was documented properly in Community Services, how does that "transfer" into ClientTrack?
more info coming soon....
What do I do if I find a client record for which their sharing preference seemingly did not transfer appropriately (ie they declined to share previously but their transactional information appears to be shared in CT)?
more info coming soon....
If, when I present the updated release to my existing clients who had previously consented to statewide data sharing, they choose Do Not Share, what do I do in ClientTrack to update visibility?
more info coming soon....
What if a client revokes their HMIS ROI consent, or vice versa?
If a client's consent choice changes, it changes as of the date they notified you and signed a new release. Any data from that point onward should have the new choice reflected. Additionally, make sure to go into the Profile and update their sharing selection.
Note that data entered previously will retain the sharing option that applied at the time it was entered. You are welcome to go in and update the sharing on any forms within your own agency's editing purview (those are the only ones you would be able to edit) as a courtesy, but it is not required.
What if different household members have different sharing preferences? For example, the parent consents to sharing but doesn't want their childrens' transactions shared?
This difference in sharing preferences can cause a conflict on the Program Enrollment page (the form where you are selecting which project the household is enrolling in) because there you have to select Share or Restrict for the whole household - you can't select different options for each individual.
In this scenario, the best practice would be to apply the restricted choice to all family members. Make sure to let the client know about this - that a system limitation at this time means that we need to apply the same visibility to all family members. Make sure they know that this will not have any bearing on the quality of services they receive.
Related Articles & References
Under construction, coming soon!
Core HMIS Workflow How-to Guides:
Questions? Email the Helpdesk: MNHMIS@icalliances.org