Docs Category: Privacy Security and Ethics

About this Document

Agencies who enter data into HMIS are required to post this notice in English and Spanish in every room/area that where client data is collected. You can download and print the document below.

Client Consent

Remember, client consent is not required to enter data in HMIS. If a client requests more information, you should provide them with a printed copy of the Housing Forward’s Privacy Policy. All required questions should be asked regardless of whether or not the client wants their data entered in the system. “Client Refused” is an appropriate answer to any question that a client refuses to answer because they do not want their data collected.

For sensitive organizations only:
While sensitive organizations are not required to get clients’ consent to enter data, you are required to get consent to share the data. Complete the Client Consent and Release of Information for each client who agrees to share their data in HMIS. If you are unsure if your organization is a sensitive organization, submit a Spiceworks ticket to the HMIS team for assistance.

About this Document

Agencies who enter data into HMIS are required to post this notice in English and Spanish in every room/area that where client data is collected.

Client Consent

Remember, client consent is not required to enter data in HMIS. If a client requests more information, you should provide them with a printed copy of the MDHA Privacy Policy. All required questions should be asked regardless of whether or not the client wants their data entered in the system. “Client Refused” is an appropriate answer to any question that a client refuses to answer because they do not want their data collected.

For sensitive organizations only:
While sensitive organizations are not required to get clients’ consent to enter data, you are required to get consent to share the data. Complete the Client Consent and Release of Information for each client who agrees to share their data in HMIS. If you are unsure if your organization is a sensitive organization, submit a Spiceworks ticket to the HMIS team for assistance.

This privacy policy is a detailed policy for clients’ whose data is entered in HMIS. It explains why the data is collected and how it is used by our community. Agencies should keep several copies of this policy on hand so that it can be provided to clients upon request.

NOTE: Remember, client consent is not required to enter data in HMIS. All required questions should be asked regardless of whether or not the client wants their data entered in the system. “Client Refused” is an appropriate answer to any question that a client refuses to answer because they do not want their data collected.

What is PPI?

PPI stands for Protected Personal Information. Any client information than can identify that client to a third party is considered PPI. You may also see “PII” which stands for Personal Identifying Information. However, HUD standards refer to PPI, so that is the language that MDHA has chosen to use.

Types of PPI

PPI can include a client’s name and/or a combination of any of the follow information:

• First and Last Name
• Date of Birth (DOB)
• Social Security Number (SSN)
• ZIP Code
• Project Entry & Exit Dates
• Address
• Phone Number
• Email Address
• Certificate and/or License Numbers
• Full Face Photos

Using and Sharing PPI

A Data Breach can be defined as any time one of the following occurs while you are accessing, using, or sharing PPI in either physical or digital forms:

Loss of Control, Compromise, Unauthorized Discloser, Unauthorized Acquisition or Access

Best Practices for Managing PPI

Use the references below to determine appropriate and inappropriate practices for managing client PPI based on the way you access the information.

Email

DO

• Attach PPI in a separate document.
• Password-protect or encrypt the document containing PPI.
• Send the password or encryption code by separate communication.

DO NOT

• Never email PPI to a personal email address.
• Avoid mentioning in the email subject that the email contains PPI.
• Be careful when replying all. Ask yourself, who needs this information?

Hard Copy

DO

• Lock the file or cabinet drawer where hard copies are kept.
• Keep the room where files are stored locked when possible.
• Shred documents that contain PPI when they need to be disposed of.

DO NOT

• Never throw a client’s file directly in the trash.
• Never leave documents out on desks, printers, copiers, etc. unattended.
• Do not remove PPI hard copies from your work location.

U.S. Mail

DO

• Seal all envelopes containing PPI.
• Use opaque envelops or contains.
• Use First Class or Priority Mail, or another traceable service, to track the mail and ensure it arrives at its intended location.

DO NOT

• Do not label the exterior of envelopes with “sensitive” or “confidential”.

Websites & Shared Drives

DO

• Only use shared access software that can verify users and/or viewers.
• Use drives or networks that allow you to minimize access on a “need to know” basis.

DO NOT

• Never use public sharing sites like Google Docs to access, store, or share PPI.
• Never share PPI on social networking sites.
• Never send PPI in a Spiceworks help desk ticket to the HMIS team.

Accounts

DO

• Ensure your login and password information are protected and not accessible to anyone else
• Confirm the identity of anyone who may request or receive PPI from you digitally, especially via email
• Pay attention to your accounts and update password regularly, or if you notice suspicious activity

DO NOT

• Never allow your browser to save or auto-fill your password.
• Never share accounts, even with people you trust or people you report to. Logins and passwords must be unique and private
• Avoid repeating the same username and password combination on multiple sites, as this makes your account less secure.