How is privacy addressed with by-name homelessness data?
The collection, use, and sharing of by-name data by organizations in the local homeless response system is subject to all of the federal, local, and state laws and policies that govern data in a community’s Homeless Management Information System (HMIS).
HMIS refers to a local information technology system that is mandated by the U.S. Department of Housing and Urban Development (HUD), which is used to collect client-level data and data on the services provided to people experiencing, and at risk of, homelessness.
That means, for example, that any community’s by-name data must adhere to privacy rules as outlined in the HMIS data standards developed by HUD, as well as local privacy rules determined by the HMIS Lead Agency or Continuum of Care. For some context, these guidelines — which relate to the collection, management, and reporting of client data — may be aligned with, but less restrictive than, HIPAA protections.
How is consent obtained?
Each community has written policies and protocols that define how consent is obtained and documented, which must be in compliance with the aforementioned laws and policies. These policies may outline when different approaches are used for different situations, whether that is informed, verbal, or written consent. Often, Built for Zero communities include specific clauses related to usage and collection of by-name data in their policies.
Obtaining consent requires communities to post privacy notices and go through individual agreements with clients that detail what data is being collected, why it’s being collected, how it will be used, and with whom it will be shared.
What protections are in place around how the data is shared and used?
Based on federal rules and regulations, the use of data is restricted to the following four uses:
- Providing or coordinating services to an individual
- Creating de-identified client records from Personally Identifying Information
- Carrying out administrative functions (e.g., legal, audit, personnel, oversight, and management functions)
- Functions related to payment or reimbursement for services
A different set of laws, including the Violence Against Women Act, protects the privacy of survivors of domestic violence, and their information is prohibited from being stored in HMIS.
What happens if people do not consent to sharing their information for HMIS or by-name data?
Our experience with communities finds that this can happen, though it happens very rarely. It is critical to know that clients are not denied services if consent is not provided. Communities take different approaches to ensure they can still support these individuals.
Some communities use unique markers or aliases as proxies for identifying information, which can be used to account for those individuals. In other communities, information systems that live outside of the HMIS or by-name data are used instead — such as one within a local VA medical center system — to maintain awareness and connections to ensure these individuals are supported.
Can people experiencing homelessness access and control their own data or rescind consent?
Clients should be able to own their own data, and homeless response systems should be able to control data about the care being provided for people. But because some tools are not designed in a user-centered way, there are barriers that can make it difficult to fully realize these goals.
The Built for Zero team and national leaders across the field are committed to finding solutions so people experiencing homelessness can experience data ownership in a way that is not the norm, given current software and practices of homeless response systems. We’re working to develop and implement solutions that can improve this.
How does technology impact a community’s ability to implement best practices around privacy and the sharing of data?
The technology that is available to a community can greatly limit or support their ability to meet privacy, access, and ownership needs. Many communities have reported that the HMIS software at their disposal is too rigid, restrictive, or unresponsive to meet these needs. This means that people are forced to develop workarounds, which can unintentionally compromise a community’s ability to ensure that their intent around privacy is fully operationalized. We are trying to work with software vendors and policy makers to address this issue.
Have we observed that privacy and access approaches differ from community to community?
The most common differences we see across communities are related to protocols around the sharing of information, which dictate who can access that information and for what purposes. Some communities — particularly those managing larger systems — have more robust privacy and sharing protocols. This may be because of partner needs (for example, a community may be working with the VA, which requires only read-only access to the data), or because they have set up data warehouses or separate data management systems designed to enable and support analytics.
To what extent does a community’s HMIS setup matter when it comes to practices around privacy?
A community’s HMIS setup can greatly influence how data is accessed, used, and shared. One factor is whether a community is operating with an open or closed Homeless Management Information System. An open system enables any licensed user from the community’s team to pull up a client’s dashboard, which includes information on whether they were enrolled in services from the other participating agencies within a Continuum of Care.
A closed system only allows a user to see the services that a person has received from their own organization. Communities that have open systems can more readily access by-name data or facilitate case conferencing work. Communities that start out with open systems are generally doing more advanced data work.
What is the engagement with law enforcement agencies in Coordinated Entry Systems/data sharing?
Engagement with law enforcement and a community’s data system for homelessness depends on the specific community. The communities we have spoken to on the issue prohibited law enforcement from accessing HMIS to protect client and service provider relationships. In some of those communities, law enforcement officers remain in contact with homeless service providers, so they can connect individuals experiencing homelessness to support.
How does Community Solutions engage with communities’ data?
Any person-specific, identifying information is only accessible to the local partners reflected in the consent and data sharing agreements that are subject to the federal, state, and local laws and regulations.
Community Solutions receives regular, usually monthly, reporting of aggregate, de-identified data from Built for Zero communities. Community Solutions prioritizes upholding both the rules and intent around privacy, consent, and data sharing when engaging with this data. As an organization, Community Solutions does not access any community’s by-name or HMIS data directly. In cases where individual staff members are granted access to coach and support communities, they must sign the community’s HMIS agreement.
We work to ensure that data we receive preserves the privacy of individuals, and that any analysis conducted on the data does not produce insights that would uniquely identify an individual.
In communities where Community Solutions is supporting the sharing of information across systems or into data warehouses, we prioritize arranging and aligning multiple data sets in a way that can preserve privacy.