The Cincinnati/Hamilton County HMIS follows HUD's most recent standards and rules governing privacy and degree of information sharing. In order for the Cincinnati CoC to fulfill its mission of ultimately solving the problem of homelessness in Cincinnati and Hamilton County, all users, agencies, and system administrators must adhere to this privacy plan.
The core of our privacy plan is the HMIS Privacy Notice and Client Consent Form (this form may be updated without notice--the most recent version is posted on the Local HMIS Documentation page of Strategies to End Homelessness' website). The HMIS Privacy Notice and Client Consent Form describes how client information may be used by the CoC and how clients can access their own information.
The CoC Homeless Clearinghouse (the HUD-designated board charged with ensuring the Cincinnati CoC follows HUD's regulations) created and provides the HMIS Privacy Notice and Client Consent Form for each agency to make sure all agencies follow the same standards of client privacy protection.
HMIS User Responsibilities
The importance of clients' privacy and the user's role in protecting and maintaining that privacy cannot be emphasized too strongly. An HMIS user is defined as a person who has direct interaction with a client or their data. This could be any person at the agency: staff member, volunteer, contractor, etc. Users have these responsibilities:
- Understand the HMIS Privacy Notice and Client Consent Form.
- Be able to explain the HMIS Privacy Notice and Client Consent Form to clients.
- Present to the client the HMIS Privacy Notice and Client Consent Form before collecting any information.
- Have the client complete (or refuse) the HMIS Privacy Notice and Client Consent Form prior to collecting HMIS data. Note: Even if a client refuses to complete the form, the client cannot be refused service by the agency.
- Follow the CoC's Privacy Plan as contained in these articles and as summarized by the HMIS Privacy Notice and Client Consent Form.
- Know where to refer the client if they cannot answer the client's questions.
- Uphold the client's privacy in HMIS.
HMIS Agency Responsibilities
HUD standards dictate agencies are responsible for guarding client privacy. Meeting the minimum standards in this privacy plan and the HMIS Privacy Notice and Client Consent Form are required for participation in HMIS. Any agency may exceed these minimum standards:
- Review their program requirements to determine what industry privacy standards must be met that exceed the minimum standards outlined in this privacy plan and the HMIS Privacy Notice and Client Consent Form. (Examples include but are not limited to the following: Substance Abuse Providers covered by 24 CFR Part 2, HIPPA Covered Agencies.)
- Review the 2004 HUD HMIS Privacy Standards (69 Federal Register 45888).
- Uphold both the letter and spirit of both this privacy policy and the HMIS Privacy Notice and Client Consent Form.
- Ensure that all clients are aware of and have access to the HMIS Privacy Notice and Client Consent Form. The form must be presented to a client for signature or refusal prior to any Personal Identifiable Information (PII) data being collected. Client consent is not required for provision of services by an agency and services must be provided even upon refusal by client to participate in HMIS.
- Make reasonable accommodations for persons with disabilities, language barriers, or education barriers.
- Ensure that anyone working with clients covered by this privacy plan can meet the User Responsibilities.
- Require each HMIS user to sign (at least annually, and as soon as any revisions are made) a confidentiality agreement that acknowledges receipt of a copy of this privacy plan and the HMIS Client Privacy Notice and Client Consent Form and which pledges to comply with both.
- A CHO must establish a procedure for accepting and considering questions or complaints about its privacy and security policies and practices.
Reasons to Collect PII
Subject to limitations listed in the HMIS Privacy Notice and Client Consent Form, agencies may collect PII in order to:
- Verify eligibility for services.
- Provide and/or coordinate services to clients and/or refer clients to services that meet their needs.
- Report program progress to funders in order to successfully continue payment or reimbursement of services provided to our clients.
- Collaborate with other local agencies to improve service coordination, reduce gaps in services, and develop community-wide strategic plans to address basic human needs.
- To carry out administrative functions, including but not limited to, legal, audit, personnel, oversight and management functions.
- To create de-identified and/or aggregate level data scrubbed of PII.
- Participate in research projects to better understand the needs of people served, which will be collected and used either by consent where privacy concerns are addressed or with de-identified data.
Reasons to Disclose PII
- When the law requires it.
- When necessary to prevent or respond to a serious and imminent threat to health or safety to an individual or the public.
- When a judge, law enforcement or administrative agency orders it--however, agencies are obligated to limit such information to the minimum necessary to accomplish the purpose of the disclosure.
Updates and Amendments
The CoC Privacy Plan as well as the HMIS Privacy Notice and Client Consent Form may be updated and/or amended at any time. The most recent documents can be found on the STEH website: https://www.strategiestoendhomelessness.org/what-we-do/data/hmis-transition/
Contact Information
If you need help, or wish to offer suggestions or feedback, please contact the Cincinnati/Hamilton County HMIS Support Team at HMISsupport@end-homelessness.org or by calling 513-263-2790 9 a.m. -3 p.m. Monday-Friday excluding holidays.
When contacting HMIS Support, please do not include any Personal Identifiable Information such as social security numbers, birth dates, etc. Acceptable information is first name and last 4 digits of SSN, or Clarity Unique Identifier found on the Clarity client's profile page.