Agencies are responsible for creating their own protocols on limiting access to data based on the most recent HUD Data and Technical Standards.


Handling Client Level Data


Users are allowed to download and save client-level data. They are also allowed to export a copy of the data for internal use. However, once the information has been downloaded and/or exported, it is the agency's and user's responsibility to keep it secure. See Data Breach Prevention Measures

for more information on protecting data. 


All client level data must be protected to the fullest extent possible. This means never leaving it in public places, don't fax it, don't keep it on desks in unlocked offices, and don't send it electronically. Acceptable ways of transmitting client data via email is to use the Clarity Unique Identifier, found on the client profile page in Clarity; the Vesta Public ID; or the client's first name and last 4 digits of the social security number. 


Exception: The only permissible way of sending Personal Identifiable Information (PII) electronically is through the Clarity Messaging System. See the article HMIS Messaging Best Practices for more information on using the Clarity Messaging System. 

What to Do in Case of a Data Security Breach

HMIS Support, the CoC, the Agency Administrator and Executive Director must be contacted within 24 hours if a data security breach is detected. The CoC recommends these best practices to prevent data breaches:


  • Limit access to all forms of PII (full name, birth date, social security number, etc.).
  • Whenever possible, strip names, birth dates, and SSNs from reports. Provide this information only to people that "need to know" in the organization. 
  • Secure electronic files containing PII on a network drive with limited access and password protection (don't back up these types of files).
  • Properly dispose of paper copies generated by HMIS by shredding them or storing them in a locked cabinet. 
  • Do not store or save files containing exported information (e.g., data exported to Excel or Access) on jump/flash drives, CDs, or DVDs. 

Agency Security Requirements

As noted above, agencies are free to create their own security rules and protocols as long they abide by the HUD Data and Technical Standards. Security rules should include, but are not limited to:


  • Procedures for complying with the HMIS Privacy Notice and Client Consent Form as well as all other HMIS agency agreements. 
  • Posting and maintaining the most current version of the HMIS Privacy Notice and Client Consent Form on the agency's website.
  • Posting a copy of the HMIS Privacy Notice and Client Consent Form in client intake areas explaining why personal information is collected. 
  • Methods to prevent user account sharing.
  • Protecting unattended workstations.
  • Limiting use of HMIS capable workstations to authorized personnel only.
  • Securing storage of and restricting access to PII.
  • Formatting all storage media, including hard drives, more than once before disposal or reuse.
  • Creating audit procedures to comply with security protocol.
  • Procedures to secure networks, laptops, desktop computers, etc.
  • Methods to make sure the agency is consistently complying with not only Cincinnati/Hamilton County HMIS standards, but HUD's standards as well. 

Contact Information

If you need help, or wish to offer suggestions or feedback, please contact the Cincinnati/Hamilton County HMIS Support Team at HMISsupport@end-homelessness.org or by calling 513-263-2790 9 a.m. -3 p.m. Monday-Friday excluding holidays. 


When contacting HMIS Support, please do not include any Personal Identifiable Information such as social security numbers, birth dates, etc. Acceptable information is first name and last 4 digits of SSN, or Clarity Unique Identifier found on the Clarity client's profile page.