05. ROI Frequently Asked Questions
Overview
This article contains frequently asked questions about data sharing in HMIS. This FAQ list has been populated based off of questions we've received during ClientTrack training and demo sessions. ICA will continue adding to this article as we receive more questions and build clearer answers.
Details
What is the Data Privacy Notice (DPN) and HMIS Release of Information (ROI)?
The purpose of the first page of the form - the Data Privacy Notice (DPN) - is to inform clients about what kinds of information are collected in HMIS, why its collected, who can see it, how privacy is protected, and what the client's rights are. It should be presented at intake and thoroughly reviewed with the client. Agencies should provide each client with a written copy of the DPN.
The purpose of the first page of the form - the HMIS Release of Information (ROI) - is to enable clients to choose whether or not they want their transactional information in HMIS shared to be visible/available to all agencies statewide. If I client says that they do not want that information shared (they only want it visible to the agency collecting it), then the transactions being entered by that agency must be set to "Restrict to Organization" in ClientTrack.
What is the "Posted" Data Privacy Notice, and how is it different?
The "Posted" DPN is a separate file available to download and print, and is a simplified version of the full Data Privacy Notice that clients read when they sign the ROI. Agencies are required by HUD to post this notice in a visible locations that clients can see as a consistent reminder. It does not replace the full DPN that clients must be presented with. It is designed to be more of an ongoing reminder.
Is there a new ROI and DPN now that we're in ClientTrack?
YES! The data visibility and sharing structure in ClientTrack (CT) is quite different from our former experience in Community Services (CS). In CS, the whole entire record was either shared or not shared. In CT, core "basic information" is visible by default to all end users (as explained in the DPN). This ensures we can minimize creation of duplicate records. When clients sign the ROI, they are agreeing or not agreeing to share their "transactional information". All existing clients must be presented with the new ROI and DPN.
Do clients need to sign the new ROI even if they signed the previous one before we switched over to ClientTrack?
Yes, all existing clients should be presented with the new DPN and ROI.
Where should my agency store signed paper copies of client HMIS ROIs?
Agencies should store physical copies of signed releases in a secure physical location within their organization. ClientTrack does have functionality for uploading and storing releases in the system, however that will not be immediately available at go-live.
What is the difference between the Standard/HIPAA/MGDPA ROI versions?
Some organizations that utilize HMIS are covered under the Health Insurance Portability & Accessibility Act (HIPAA) or the Minnesota Government Data Practices Act (MGDPA). ICA does not currently maintain a list of which agencies are covered under either of these laws. If you are uncertain of the status of your own agency, please reach out to your organization's leadership for further clarity.
The key differences are that MGDPA and HIPAA organizations cannot collect verbal consent over the phone - it must be collected in person. Additionally, HIPAA covered organizations have an additional prompt to enable clients to opt in or out of their information being included in research.
Can the HMIS ROI be read and signed by the client verbally over the phone?
A signature is not required on the general HMIS ROI and agencies can document that verbal consent was obtained verbally from the client by indicating this on the signature line. Agencies should refer first with their own data privacy agreements, then any data sharing arrangements they may have. (For instance, verbal consent is NOT allowed for HIPAA-covered agencies.) Additionally, make sure the Data Privacy Notice is available to clients at intake, even if an intake is being conducted over the phone.
If a client declined statewide data sharing and that was documented properly in Community Services, how does that "transfer" into ClientTrack?
more info coming soon....
What do I do if I find a client record for which their sharing preference seemingly did not transfer appropriately (ie they declined to share previously but their transactional information appears to be shared in CT)?
more info coming soon....
If, when I present the updated release to my existing clients who had previously consented to statewide data sharing, they choose Do Not Share, what do I do in ClientTrack to update visibility?
more info coming soon....
What if a client revokes their HMIS ROI consent, or vice versa?
more info coming soon....
Related Articles & References
Under construction, coming soon!
Core HMIS Workflow How-to Guides:
Questions? Email the Helpdesk: MNHMIS@icalliances.org