Chicago Homeless Management Information System (HMIS) Standard Operating Procedures For Implementation Submitted for approval to the Chicago Planning Council on Homelessness Approved: 09/04/08

CONFIDENTIAL DO NOT SHARE, CITE, QUOTE, OR DUPLICATE WITHOUT PERMISSION

Table of Contents Introduction..................................................................................................................................... 1

HMIS Objectives Section 1.......................................................................................................................................... 4

Contractual Requirements and Roles Section 2........................................................................................................................................ 12

Implementation Policies & Procedures Section 3........................................................................................................................................ 21

Operational Policies and Procedures Section 4........................................................................................................................................ 41

Security Policies and Procedures Section 5........................................................................................................................................ 48

Internal Operating Policies & Procedures Section 6........................................................................................................................................ 53

Data Ownership, Usage and Release Policies & Procedures

i

Introduction HMIS Objectives

1

The Bowman Systems software product, ServicePoint, has been adopted by the Chicago Department of Human Service (CDHS) and the Chicago Continuum of Care, otherwise known as the Chicago Planning Council on Homelessness (Planning Council) as the official homeless management information system (HMIS) for continuum providers. The primary goal of the HMIS is to provide a data collection tool to aid the City and the continuum in its efforts to end homelessness in Chicago. The HMIS provides a critically important vehicle to collect longitudinal client-level data that is grounded in the actual experiences of homeless persons and the service providers who assist them throughout the city. The HMIS facilitates the analysis of information that is gathered from consumers throughout the service provision process to generate an unduplicated count and other aggregate (void of any identifying client level information) information that can be made available to policy makers, service providers, advocates, and consumer representatives. The HMIS implementation is led by the Chicago Department of Innovation and Technology (DOIT) and CDHS in close collaboration with the Planning Council and the Chicago Alliance to End Homelessness; or the subsequent designated entity responsible for preparing the HUD McKinney-Vento application. The Planning Council also relies on a number of committees and task groups to develop policy recommendations and provide guidance on implementation activities. These groups are committed to balancing the interests and needs of all stakeholders involved: homeless men, women, and children; service providers; funders; and policy makers. HMIS objectives for each group are listed below to document the expectations of the system and to inform future HMIS planning and operational decisions.

- HMIS Objectives to benefit homeless men, women, and children and case managers: Case managers should be able to use the software to track information about their clients in a way which will support the case management process. The software’s bed registry should provide real-time information on bed availability. Case managers and clients will have access to on-line benefits screening and community resource information to learn about resources that will help clients find and keep permanent housing or meet other goals that clients have for themselves. Service coordination can be improved when information is shared among case management staff within one agency or with staff in other agencies (with written client consent) who are serving the same clients.

- HMIS Objectives to benefit agencies and program managers: Aggregate program-

level and agency-level information and reports should be accessible to agencies and program managers to provide a more complete understanding of clients’ needs and outcomes, advocate for additional resources, complete grant applications, conduct evaluations of program services and staff performance, and report to funders. Minimally, the software should be able to generate the program portions of the HUD Annual Progress Report (APR) and homeless-related CDHS reports for various funding sources.

2

- HMIS Objectives to benefit the Chicago continuum of care: The software should facilitate case management and administrative processes for agencies to allow agency-level resources to focus as much as possible on direct services. Unduplicated, de-identified, system-wide information should be readily accessible to provide a more complete understanding of homelessness, client needs and outcomes, and program and system-level performance to inform policy decisions aimed at addressing and ending homelessness at local, state and federal levels. The software should also be able to generate data and/or reports to fulfill Federal Annual Homeless Assessment Report, continuum application requirements, and city-wide and system-level funding reports.

This document provides the policies, procedures, guidelines, and standards that govern HMIS operations and the roles and responsibilities for City and participating agency staff. They are collectively referred to as the Standard Operating Procedures (SOPs). The SOPs have been drafted in an attempt to achieve the stated objectives while simultaneously protecting individual client information with both procedural and technical mechanisms. In addition to the provisions included within the specific SOPs, HMIS stakeholders and users will need to comply with applicable local, state and federal laws.

3

Section 1 Contractual Requirements and Roles

4

SOP#: 01-010 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: PLANNING COUNCIL RESPONSIBILITIES Policy: The Planning Council will approve all major HMIS policy decisions. Standard: The HMIS related responsibilities of the Planning Council will be apportioned

according to the information provided below. Purpose: To define the roles and responsibilities of the Planning Council with respect to

HMIS activities. Scope: Chicago Planning Council on Homelessness Responsibilities: The Planning Council will support the overall HMIS initiative, in particular advising the HMIS Management Team on HMIS operations. The Planning Council shall meet at least quarterly, at which time HMIS decisions can be raised for discussion and/or approval. The Planning Council shall designate a committee or task group to develop and help enforce the implementation of HMIS policies. The Planning Council will provide guidance on the selected key issues that follow. These issues include:

- The guiding principles that should underlie the HMIS implementation activities of participating organizations and service programs;

- Setting and enforcing minimum data collection requirements, as defined in SOP 03-070: Data Collection Requirements;

- Encouraging Continuum-wide provider participation; - Facilitating consumer involvement; - Defining privacy protection policies for HMIS implementation; - Defining criteria, standards, and parameters for the usage and release of all data collected

as part of the HMIS; - Documenting, approving, and regularly reviewing the above policies in the form of the

“Chicago Homeless Management Information System Operating Procedures for Implementation” (commonly referred to as the SOPs);

- Establishing Continuum-level mechanisms for monitoring and/or enforcing compliance with the approved SOPs; and

- Compiling and analyzing HMIS data with other provider and community data sources. To the extent that an SOP is identified which conflicts with applicable local, state or federal laws, or contractual obligations, then the Planning Council will work with the City to amend the policy and/or software design to resolve the conflict. The Planning Council may also identify procedures that need to be amended based on the initial implementation and/or ongoing

5

operation of the system. If the Planning Council or its designee identifies procedures that need to be amended, the process will include:

- Any individual, organization or Planning Council committee/workgroup can raise concerns or recommendations for revisions to a specific SOP.

- The Planning Council shall designate a specific committee or workgroup to explore the concern and to develop a recommendation for full Planning Council consideration. While a single committee may be identified as the primary entity generally responsible for overseeing the SOPs, another committee may be designated as the lead to explore a specific concern/recommendation.

- Proposed revisions must be presented and approved by the full Planning Council. - After approval, a list of all revisions, the date revised, and a brief description of the

change should be incorporated as part of the Table of Contents in the SOP documentation. Most current revision dates should also be noted at the top of each individual policy.

6

SOP#: 01-020 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: HMIS MANAGEMENT TEAM RESPONSIBILITIES Policy: An HMIS Management Team structure will be put into place that can adequately

support the operations of the HMIS according to the policies and procedures described in this document.

Standard: The responsibilities of the HMIS Management Team will be apportioned

according to the information provided below. Purpose: To define the roles and responsibilities of the HMIS Management Team

organization and staff. Scope: The HMIS Management Team includes City staff representing the Department of

Innovation & Technology (DOIT), and the Department of Human Services (CDHS).

Responsibilities: The HMIS Management Team is responsible for:

- Oversight of the City’s adherence to the HMIS policies and procedures; - Supervising the contractual relationship with HMIS Vendor; and - Financing the HMIS operation.

The HMIS Management Team is also responsible for oversight of all day-to-day operations including:

- Quality assurance of the Bowman application operation; - Maintaining the technical infrastructure hosted within the City of Chicago; - Managing agency and user system access based on execution of applicable agreements,

training, and adherence to approved policies; - Administering other system functions; - Providing technical support and application training to users, in compliance with levels

documented in SOP 05-020: Technical Support Policies and Procedures; - Developing a reasonable number of reports for HMIS users based on funding

requirements; - Maintaining the overall HMIS quality assurance program; and - Orientation and supervision of HMIS technical staff to ensure appropriate program

operations, compliance with guiding principles and Standard Operating Procedures.

7

The HMIS Management Team will respect the core principles of the system by: - Ensuring that access to areas containing equipment, data, and software will be secured. - All client-identifying information will be strictly safeguarded in accordance with all

applicable local, state and federal laws using the latest technology available. - All data will be securely protected to the maximum extent possible. - Ongoing Security assessments to include penetration testing will be conducted on a

regular basis. To facilitate the operation of the HMIS implementation, the HMIS Management Team will assign qualified staff to act as the HMIS System Administrators to manage the interface between central HMIS operations and Partner Agencies for system administration purposes. In addition to the positions identified within this section of the SOPs, a limited number of other members of the HMIS Management Team may have access to client-level data as part of their system administration data. For instance, the Application Administrator(s) at DOIT and/or The HMIS Vendor may need occasional access to data in order to manage and test application development and administration functions. City of Chicago employees must execute computer security and data confidentiality agreements prior to employment. The HMIS Vendor employees are bound by the HMIS contract to maintain strict confidentiality of all HMIS data.

8

SOP#: 01-030 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: HMIS SYSTEM ADMINISTRATOR RESPONSIBILITIES Policy: The HMIS Management Team will be responsible for managing the day-to-day

technical aspects of the HMIS. Standard: Designated staff, housed at CDHS, will hold the position of the HMIS System

Administrator. Purpose: To outline the major responsibilities of the HMIS System Administrator. Scope: HMIS System Administrator Responsibilities: The HMIS System Administrator is responsible for:

- Understanding all aspects of the HMIS Bowman Systems – ServicePoint software (commonly referred to as the HMIS);

- Providing ad-hoc application training and technical support to Agency Technical Administrators about the HMIS application, functionality, and agency-level system administration functionality;

- Communicating system availability, planned outages, and other HMIS information to Agency Technical Administrators for Direct and Interface agencies;

- Assigning user IDs to new users based on the approved licensing structure, authorized agency requests, and documentation of user training;

- Managing user accounts and application access control, in conjunction with the Agency Technical Administrators;

- Assisting with Agency data migration; - Administering the HMIS portion of the database, in conjunction with DOIT and the

HMIS Vendor staff; - Managing HMIS user interfaces; - Making application level changes to setups and configurations; - Modifying and creating high-level formulas and code definitions/business rules; and - Communicating significant application issues and/or system enhancement requests to the

HMIS Management Team.

9

SOP#: 01-040 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: PARTNER AGENCY RESPONSIBILITIES Policy: The Executive Director of every Partner Agency will be responsible for oversight

of all agency staff members who generate or have access to client-level data stored in the system software to ensure adherence to the HMIS standard operating procedures outlined in this document.

Standard: The Executive Director holds final responsibility for the adherence of his/her

agency's personnel to the HMIS Guiding Principles and Standard Operating Procedures outlined in this document.

Purpose: To outline the role of the agency Executive Director with respect to oversight of agency personnel in the protection of client data within the HMIS application.

Scope: Executive Director in each Partner Agency Responsibilities: The Partner Agency’s Executive Director is responsible for all activity associated with agency staff access and use of the HMIS. This person is responsible for establishing and monitoring agency procedures that meet the criteria for access to the HMIS, as detailed in the Standard Operating Procedures (SOPs) outlined in this document. The Executive Director will be ultimately responsible for any misuse of the software system by his/her designated staff. The Executive Director agrees to only allow access to the HMIS based upon need. Need exists only for those program staff, volunteers, or designated personnel who work directly with (or supervise staff who work directly with) clients and/or have data entry or other data-related agency administrative responsibilities. The Executive Director also oversees the implementation of data security policies and standards and will:

- Assume responsibility for completeness, accuracy, and protection of client-level data entered into the HMIS system;

- Establish business controls and practices to ensure organizational adherence to the HMIS SOPs;

- Assign an Agency Technical Administrator to manage agency-related technical tasks; - Communicate control and protection requirements to agency custodians and users; - Authorize data access to agency staff and assign responsibility for custody of the data;

and - Monitor compliance and periodically review control decisions.

10

SOP#: 01-050 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: HMIS AGENCY TECHNICAL ADMINISTRATOR

RESPONSIBILITIES Policy: Every Partner Agency must designate one person to be the Agency Technical

Administrator. Standard: The designated Agency Technical Administrator holds responsibility for the

administration of the system software in his/her agency. Purpose: To outline the role of the Agency Technical Administrator Scope: Partner Agencies Responsibilities: The Agency Technical Administrator, as appointed by the Executive Director, will need to successfully complete the Technical Administration training provided by HMIS Management. This person will be responsible for:

- Reviewing and updating agency information in HMIS database, including agency-defined fields, user access initially, and in an ongoing capacity;

- Managing technical access to the software system for persons authorized by the agency's Executive Director by working with the HMIS System Administrator to create usernames and passwords;

- Notifying HMIS System Administrator of personnel changes within 24 hours of their occurrence;

- Training new staff persons on the HMIS SOPs in this document and any agency policies which impact the security and integrity of client information;

- Ensuring that access to the HMIS be granted to authorized staff members only after they have successfully completed training and satisfactorily demonstrated proficiency in use of the software and understanding of the SOPs and agency policies referred to above.

- Notifying all users in their agency of interruptions to service. The Agency Technical Administrator is also responsible for implementation of data security policy and standards, including:

- Administering agency-specified business and data protection controls; - Administering and monitoring of access control; - Detecting and responding to violations of the SOPs or agency procedures; and - Providing assistance in the backup and recovery of data (for agencies that are not directly

inputting client data into the HMIS database. - Enforce the HMIS Vendor’s End User License Agreement (EULA).

11

Section 2 Implementation Policies & Procedures

12

SOP#: 02-010 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: HMIS PARTICIPATION POLICY Policy: Agencies that are funded by the City or HUD to provide homeless programs in the

City of Chicago are required to participate in the HMIS. All other homeless providers are strongly encouraged to participate in the HMIS.

Standard: HMIS Management Team will provide quality HMIS services to all participating

agencies. Purpose: To outline which agencies are expected to participate in the HMIS, the extent to

which their participation is mandated or voluntary, and a definition of participation.

Scope: All homeless providers. Procedure: Beginning with the 2003 City of Chicago and ESG grants, HUD is requiring all grantees and sub-recipients of McKinney-Vento and homeless HOPWA grants to participate in the local HMIS. McKinney-Vento grants include Emergency Shelter Grants and Supportive Housing Program, Section 8 Moderate Rehabilitation SRO, Shelter Plus Care grants. This policy is consistent with the Congressional Direction for communities to provide data to HUD on the extent and nature of homelessness and the effectiveness of its service delivery system in preventing and ending homelessness. The HMIS and its operating policies and procedures are structured to comply with the HUD Data and Technical Standards Final Notice. Recognizing that agencies may be further regulated by HIPAA and other Federal, State and local laws, the CDHS may negotiate its procedures and/or execute appropriate business agreements with partner agencies so they are in compliance with applicable laws. Participation Requirements Mandated Participation All providers that are funded by the City or HUD to provide homeless services must meet the Minimum Participation Standards of the HMIS, as defined by this SOP. Participating agencies will be required to comply with all applicable SOPs.

13

Voluntary Participation Although funded programs are required to meet minimum participation standards, the City and the Planning Council will strongly encourage those agencies to have all agency programs fully participate. While neither the Planning Council nor CDHS can require non-funded providers to participate in the HMIS, they will also work closely with non-funded agencies to articulate the benefits of the HMIS and to strongly encourage their participation in order to achieve a comprehensive and accurate understanding of homelessness in Chicago. Minimum Participation Standards A client has the right to refuse to have his/her data entered into the HMIS database. The client’s individual choice regarding participation will not affect his/her right to services. Minimally participation includes:

- Collecting the universal data elements, as defined in SOP 03-070: Data Collection Requirements, for all programs operated by the agency that primarily serve persons who are homeless or formerly homeless;

- Collecting program-specific data elements, as defined in SOP 03-070: Data Collection Requirements, for all clients served by the program funded by HUD and/or CDHS; and

- Submitting data to the HMIS using one of the following options: • Option 1: Entering client-level data into the HMIS within 24 hours of client

interaction for CDHS funded programs, and within seven days of client interaction for all others, as defined by the Direct Partner Agreement.

• Option 2: Uploading digital data to the HMIS from an existing agency database on a regular basis, using an HMIS interface as provided by the vendor. With this option, the agency will be responsible for programming the interface, including all associated costs. (Interface Partner Agency)

• Option 3: Due to legal constraints, extreme vulnerability, and heightened safety needs of victims of domestic violence, DV providers need an alternative method of participation in the HMIS. The HUD Final Notice provides additional time to develop an appropriate strategy for participation of DV programs. Thus, Option 3 is included as a placeholder that will need to be defined after the conversations between the City and domestic violence stakeholders have been held. Additionally, based on the outcome of this conversation, the method of participation will also need to be defined for “mainstream” homeless shelters that serve victims of domestic violence.

All submitted data will be used by the City and the Planning Council for analytical and administrative purposes, including the preparation of CDHS’ reports to funders and the continuum’s participation in the Federal AHAR.

14

Discussion of Participation Options Each agency will have an opportunity to determine which participation option is most appropriate given agency functional and administrative needs, technological capacity, funding requirements, client characteristics and circumstances, and legal constraints. Agencies that receive funding from HUD or CDHS must meet specific funding requirements related to data submittal. The participation options are described below. If additional information is desired, HMIS Management Team and/or the Planning Council can elaborate on each option to help each partner agency decide on the most appropriate way of participating in the HMIS initiative.

- Direct Data Entry Option: Authorized agency users directly enter client-level data into the HMIS database. Users have rights to access data for clients served by their agency and use HMIS functionality based on their user level privileges. The agency’s data will be stored in the HMIS central database server, protected by numerous technologies to prevent access from unauthorized users. Unless a client requests that his/her identifiers remain hidden at the time that his/her record is created, primary client identifiers (e.g. name, SSN, DOB and gender) will be able to be queried by other HMIS users to prevent duplicate records from being created in the database. However, other individual client data will not be accessible by other HMIS users outside of the client notification and interagency data sharing procedures. These procedures are described in SOP 03-060: Client Notification Policies and Procedures and SOP 03-080: Interagency Data Sharing.

Interface Data Transmission Option: If the agency maintains its own electronic case

management information system, the agency can choose to upload electronic client-level data to the HMIS on a regular basis, using an HMIS interface as provided by the vendor.

- Participation Option for DV Programs and Submittal of Data about Victims served by

Mainstream Programs: As stated above, this participation option will be defined as a result of a separate set of discussions. The resulting revisions to or additional SOPs will be forwarded to the Planning Council for consideration and approval.

15

SOP#: 02-020 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: INITIAL PARTICIPATION REQUIREMENTS Policy: Each Partner Agency must meet all initial participation requirements in order to

receive access to the HMIS. Standard: HMIS Management Team will certify that the Partner Agency has met the

participation requirements prior to initiating the HMIS. Purpose: To provide Agencies with clear expectations for their participation in the HMIS. Scope: System-wide Requirements: HMIS Group Orientation and a 1:1 Agency Mtg: Agency representatives are required to participate in an HMIS Group Orientation and a 1:1 Agency Meeting to discuss HMIS goals and objectives, requirements, site considerations, and documentation. Partner Agreement: An authorized Agency representative is required to execute a Partner Agreement stating his/her commitment to uphold the policies and procedures for effective use of the system and proper collaboration with the HMIS Management. An executed Partner Agency Agreement must be present in the HMIS Management Team Agency file prior to HMIS access. Information Security Protocol: Documentation of the agency’s Information Security Protocol (developed in accordance with SOP 02-030: HMIS Agency Information Security Protocol Requirements) and dissemination plan must be on site at agency prior to HMIS access. Documentation: All documentation on agency and program information must be submitted to ensure that complete and accurate Partner Agency information is input within the HMIS. All forms must be present in the HMIS Management Team Agency file prior to HMIS access. Agency Technical Administrator: One key staff person or contractor must be designated to serve as the Agency Technical Administrator for the agency. (See Section One for a description of responsibilities.) The Agency Technical Administrator must be formally identified and attend Agency Administrator Training prior to HMIS access. Site Hardware & Connectivity Requirement: Any computer being used to access the HMIS must meet the minimum hardware and recommended connectivity requirements indicated in SOP 02-040: HMIS Agency Hardware and Connectivity Requirements. Partner Agencies that are funded by the City or HUD to provide homeless services will be allowed to submit budget revisions to reallocate available grant funds to support costs of equipment and connectivity required for participation in the HMIS, if necessary.

16

Fees: All applicable fees must be paid as part of the implementation. - Each Partner Agency will be assigned a specified number of user licenses that will be

fully subsidized by the City as part of the HMIS initiative. Agencies can purchase additional user licenses for a fee. The HMIS Management Team will publish an annual HMIS Fee Schedule detailing all HMIS costs.

- The City, via its HMIS HUD grant, will subsidize overhead training and technical support costs associated with HMIS policy and software training, such as staff, location, curriculum development, and web-enabled technical support materials.

- Ultimately, each Partner Agency is liable for individual agency costs associated equipment purchase, equipment maintenance, internet connectivity, and related personnel expenses.

Data Migration: All data that will be migrated from a Direct Partner Agency’s existing database to the HMIS database must be cleaned, updated, and formatted according to HMIS data specifications prior to migration. The specific conversion process must be individually discussed with the HMIS Management Team.

17

SOP#: 02-030 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: HMIS AGENCY INFORMATION SECURITY PROTOCOL

REQUIREMENTS Policy: Partner Agencies must develop and have in place minimum information security

protocols to protect client information stored in the HMIS database. Standard: HMIS Management Team staff will certify that the Partner Agency has adequate

documentation of its information security protocol, a dissemination plan, and verification that the information security protocols have been implemented within the agency prior to granting HMIS access.

Purpose: To protect the confidentiality of client data and to ensure its integrity at the

agency site. Scope: Direct Partner Agencies Requirements: At a minimum, the Direct Partner Agency must develop rules, protocols or procedures that are consistent with Section 3: Operational Policies and Procedures and Section 4: Security Policies and Procedures to address the following:

- Internal agency procedures for complying with the HMIS Notice of Uses and Disclosures and provisions of other HMIS client and agency agreements (See SOP 03-060: HMIS Client Notification and Consent Procedures);

- Maintaining an updated copy of the agency’s Notice of Uses and Disclosures or equivalent privacy notice on the agency’s website, in accordance with SOP 03-060.

- Appropriate assignment of user accounts; - Preventing user account sharing; - Protection of unattended workstations; - Protection of physical access to workstations where employees are accessing HMIS; - Identification of appropriate locations and methods for safe, protected storage,

transmission and access to hardcopy and digital HMIS generated client records and reports with identifiable client information;

- Immediate notification to HMIS System Administrator of addition, changes to or disposal of equipment used to access the HMIS;

- Proper cleansing of equipment prior to transfer or disposal; and - Procedures for regularly auditing compliance with the Agency Information Security

Protocol.

18

SOP#: 02-040 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: HMIS AGENCY HARDWARE, CONNECTIVITY AND

SECURITY REQUIREMENTS Policy: Any computer that interfaces with the HMIS must meet the minimum desktop

specifications and recommended connectivity specifications identified by this SOP.

Standard: The Partner Agency must certify that they have adequate hardware and

connectivity to interface with the HMIS prior to granting HMIS access. Purpose: To provide agencies with minimum requirements for hardware and connectivity. Scope: System-wide Requirements: Workstation Specifications: Computers interfacing with HMIS must meet the minimum desktop specifications below.

- Operating System: Windows XP Pro Service Pack 2 (Recommended), Windows 2000 Pro with Service Pack 4 or Windows XP Service Pack 2.

- Processor and Memory: Minimum specifications required to run the selected operating system

- Video: Color monitor (17” Recommended) with graphics card that supports 1024 x 768-display resolution, 256 Colors or better.

- Web Browser: Mozilla Firefox 5.0 or above is the preferred browser. MS Internet Explorer 6.0 or above is also supported.

Internet Specifications: Agencies directly entering data must have internet connectivity for each workstation that will be accessing the HMIS. To optimize performance, all agencies are encouraged to secure a high speed internet connection with a cable modem or DSL/ISDN. Agencies with very low expected volume may be able to connect using a dial-up connection; however, the HMIS Management Team strongly discourages using a dial-up connection. Response on dial-up connections is consistently slow and can result in an inordinate amount of staff hours spent entering data. Agencies considering or using a wireless internet configuration must employ higher security measures. Wireless settings must be documented as part of the information security protocol, and should be verified with the HMIS Management Team prior to HMIS-HMIS access. Security Specifications:

19

All workstations directly accessing the HMIS and any workstation that is on a network that has a workstation(s) directly accessing the HMIS must have:

- Operating System Updates. Operating system updates must be downloaded and applied automatically or on a regular basis.

- Adequate firewall protection and apply all critical virus and system updates automatically.

- Virus protection software. Virus definitions must be updated automatically. - Anti-spyware software. Spyware definitions must be updated automatically. - Anti-Phishing software. Phishing definitions must be updated automatically.

20

Section 3 Operational Policies and Procedures

21

SOP#: 03-010 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: HMIS AGENCY SET-UP PROCEDURE Policy: The HMIS System Administrator may set up a new agency account, based on the

following procedure. Standard: The HMIS System Administrator must verify documentation of all initial

implementation requirements listed in Section 2 prior to authorizing a new agency.

Purpose: To inform potential agencies and the HMIS System Administrator of the Agency

set-up requirements. Scope: Direct Partner Agencies and Interface Agencies Responsibilities: The HMIS System Administrator shall:

- Review HMIS records to ensure that the Agency does not have previous violations with the HMIS SOPs that prohibit access to the HMIS.

- Verify that the required documentation has been correctly executed and submitted, including:

• Executed Partner Agreement; • Agency, User, and Program Information Forms; • Designation of Agency Technical Administrator; and • Fee Payment, if applicable

- Request and receive approval from the HMIS Management Team to set up a new agency. - Authorize a new Agency within the HMIS. - Work with the Agency Technical Administrator to input applicable agency and program

information. - Work with HMIS Management Team to migrate legacy data, if applicable.

22

SOP#: 03-020 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: HMIS USER SET-UP PROCEDURE Policy: The HMIS System Administrator may create a new User ID for eligible

individuals based on the following procedure. Standard: The HMIS System Administrator must document that the following set-up

procedure has occurred prior to setting up a new user. Purpose: To inform all parties involved with the HMIS of the requirements to become an

HMIS user. Scope: Direct Partner Agencies and Interface Partner Agencies Responsibilities: User Requirements Prior to being granted a username and password, users must:

- Execute an HMIS User Agreement; and - Successfully complete all HMIS policy and application training required for assigned

user level. (Training requirements are documented in SOP 03-040: HMIS Training Requirements.)

HMIS users cannot attend training until all agency and user paperwork is complete and approved by the Executive Director (or designee). Users must be aware of the sensitivity of client-level data and take appropriate measures to prevent unauthorized disclosure of it. Users are responsible for protecting institutional information to which they have access and for reporting security violations. Users must comply with the all policy and standards described in these Standard Operating Procedures. They are accountable for their actions and for any actions undertaken with their usernames and passwords. If the Direct Partner Agency wants to authorize system use for a new user, the Agency Executive Director (or authorized designee) must:

- Determine the access level of the proposed HMIS user (See SOP 03-030 HMIS User Access Levels); and

- Authorize the creation of a user account for the specified individual by completing a new User Access Request Form that designates the access level.

23

The proposed HMIS user must: - Attend applicable training modules (once enrolled by the Agency Technical

Administrator). - Execute an HMIS User Agreement

o Statement of Ethics o Information Security Protocol o End User’s License Agreement (EULA)

The Agency Technical Administrator must:

- Input the user information into an ‘HMIS New User Access Request’ form in the HMIS for HMIS System Administrator approval.

- Enroll the potential HMIS user in the required training modules. - Submit the executed HMIS User Agreement via email, fax or mail to the HMIS System

Administrator. The HMIS System Administrator shall:

- Review HMIS records about previous users to ensure that the individual does not have previous violations with the HMIS SOPs that prohibit access to the HMIS.

- Verify that the required documentation (HMIS New User Access Request electronic form and HMIS User Agreement have been correctly executed and submitted.

- Verify that required training modules have been successfully completed. - Approve the new user request electronically by assigning a user ID.

Once the user ID is established, the Agency Technical Administrator is responsible for maintaining the user account. The Agency Technical Administrator should work with the new user upon creation of the account to establish a permanent password using the self-serve functionality within the HMIS. The Agency Technical Administrator is also responsible for immediately terminating user access if any user leaves employment with the agency, or otherwise no longer needs access to the HMIS. The Executive Director is responsible for ensuring that the user understands and complies with all applicable HMIS SOPs.

24

SOP#: 03-030 Revision: Prepared by: HMIS Approval Date: In Progress Revision Date: Revised by: Title: HMIS USER ACCESS LEVELS Policy: Each HMIS user must be assigned a designated user access level that controls the

level and type of access the individual has within the system. Standard: The HMIS System Administrator will not create a user ID until documentation of

successful completion of required training is provided. Purpose: To designate HMIS user access levels. Scope: Direct Partner Agencies and Interface Partner Agencies Responsibilities: All HMIS users must be assigned a designated user access level that controls the level and type of access that user has within the system. Unless otherwise specified below, each user will only have access to client-level data that is collected by their own agency or an agency network partner, unless a client specifically consents to temporary information sharing for referral purposes. The level of access for each HMIS user type is defined in the table below. Every user in ServicePoint is assigned a user level which grants them access to specific functionalities within the software. See Figure 1 to determine access privileges for the available user levels. Keep these in mind when assigning user access levels to new ServicePoint users.

Resource Specialist I Resource Specialist I users are limited to the ResourcePoint module. This allows users to search for area providers/organizations and view their details. These users have no access to client or service records. A Resource Specialist cannot modify or delete data.

Resource Specialist II Resource Specialist II users have access to ResourcePoint. These users are also considered agency-level I&R specialists who update their own organization’s information. To perform these tasks, they also have access to Admin Providers and Agency Newsflash

Resource Specialist III Same as Resource Specialist II, but also includes access to System Newsflash and limited range of reports.

Volunteer

Volunteers have access to ResourcePoint. These users can also view or edit basic demographic information about clients on the Profile screen, but they are restricted from viewing other assessments. A volunteer can create new client records, make referrals, or check clients in and out of shelters. Administrators often assign this user level to individuals who complete client intake and refer clients to agency staff or a case manager. In order to perform these tasks, volunteers have access to some areas of ClientPoint and ShelterPoint.

25

Agency Staff

Agency Staff users have access to ResourcePoint and ShelterPoint. These users also have limited access to ClientPoint, including access to service records and clients’ basic demographic data on the Profile screen. Agency Staff cannot view other assessments or case plan records. Agency Staff can also add news items to Agency Newsflash.

Case Managers I&II

Case Managers have access to all ServicePoint features except those needed to run audit reports and features found under the Admin tab. They have access to all screens within ClientPoint, including assessments and service records. Case Manager II users can also create/edit client infractions if given access by an Agency Administrator or above.

Agency Admin

Agency administrators have access to all ServicePoint features, including agency level administrative functions. These users can add and remove users to and from their organization, as well as edit their organization’s data. They also have full reporting access with the exception of five reports: Client/Service Access Information, AHAR Annual Homeless Assessment Report, Duplicate Client Report, Exhibit 1: HUD-40076 (CoC)-M), and Call Record Report. Agency Admins cannot access the following administrative functions: Assessment Administration, Direct Access to Admin> Groups, Picklist Data, Admin> Users> Licenses, Shadow Mode, or System Preferences. Agency Administrators can delete clients that were created by organizations within their organizational tree. They cannot, however, delete clients who are shared across organizational trees. Additionally, Agency Admins can delete needs and services created within their own organizational tree, unless the needs and services are for a shared

Executive Director Executive Directors have the same access rights as Agency Administrators; however, they are ranked above Agency Administrators.

System Operator

System Operators have access to administrative functions. They can set up new providers/organizations, add new users, reset passwords, and access other system-level options. They can also order and manage user licenses. These users have no access to ClientPoint, ShelterPoint, or Reports. System Operators help maintain ServicePoint, but cannot access any client or service records.

System Admin I

System Administrator I users have access to all ServicePoint features and functions except the Client/Service Access Information audit report, Shadow Mode, and System Preferences. System Administrator I users cannot merge clients and do not have access to the following reports: AHAR Annual Homeless Assessment Report, Duplicate Client Report, Exhibit 1: HUD-40076 (CoC)-M), and Call Record Report. System Administrator I users can delete clients that were created by organizations within their organizational tree. They cannot, however, delete clients who are shared across organizational trees. Additionally, System Admin I users can delete needs and services created within their own organizational tree, unless the needs and services are for a shared client.

System Admin II

System Administrator II users have full and complete access to all ServicePoint features and functions. This includes access to Provider Groups and the ability to generate reports for these groups. System Administrators II can delete clients, needs, and services created across organizational trees.

NOTE: Neither a System Operator nor a System Administrator II has the ability to enter

client data for multiple providers. The System Operator cannot enter client data at all and the System Administrator II can only enter client data for the default provider/organization (all users are linked to a default provider/organization

26

when they are created). Conversely, the Agency Administrator can enter client data for any provider/organization within its ‘tree’ without having to select provider/organizations under the heading ‘Entering data as: [name of provider].

27

System-level Users The HMIS System Administrator will be assigned Level 1 access in order to accomplish their system administration and reporting responsibilities. In addition, a limited number of other members of the HMIS Management Team may have Level 1 access as part of their system administration responsibilities. For instance, the System Administrator(s) at the City of Chicago and/or the HMIS Vendor may need occasional access to data in order to manage and test application development and administration functions. HMIS Partners can be assured that City of Chicago employees must undergo a criminal background check and must execute computer security and data confidentiality agreements prior to employment. The HMIS Vendor employees are bound by the HMIS contract to maintain strict confidentiality of all HMIS data, and undergo similar employment screening protocols. As well, all system-level users will also undergo HMIS policy training and execute an HMIS User Agreement. Certain identified agency staff may be assigned System Administrator level of access in order for them to create reports across multiple programs for analytical purposes. These staff will not be accessing client records directly, but will be working in the ART Reporting area of the system. Only de-identified client information will be displayed in any reports generated. The System Administrator will grant access to specific persons within each agency, subject to the same security protocols (e.g., background checks) used for the System Administrator. These persons include: staff members of the CDHS Office of Reporting who are responsible for generating City homeless program funding reports; staff of the CDHS Homeless Services Division who are responsible for evaluating program effectiveness related to City-funded contracts; staff of the Mayor’s Liaison on Homelessness or comparable office of the City who are responsible for providing analysis on the state of homelessness in Chicago; and staff of the Chicago Alliance to End Homelessness who are responsible for data analysis and reporting related to the implementation of the 10-Year Plan to End Homelessness. Based upon a written request to the HMIS System Administrator, a listing of persons with access to system-level HMIS data will be provided to any Partner Agency within 5 business days of receipt of the request.

28

SOP#: 03-040 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: HMIS USER TRAINING REQUIREMENTS Policy: HMIS users must successfully complete the training modules required for their

user type. Standard: The HMIS System Administrator will not create a user ID until documentation of

successful completion of required training is provided. Purpose: To inform users of the training requirements to access the HMIS. Scope: Direct Partner Agencies and Interface Partner Agencies Responsibilities: Prior to gaining access to the HMIS application, users must successfully complete the following training modules. User Type Training Module(s) Training Provider Agency Case Management Users

Basic Computer Training (optional, based on users’ computer skills) Basic HMIS Policy Training for Agency Users Basic HMIS Application Training for Agency Users

Community Resources (see referral list) CDHS or designated Training provider

Agency Policy User Basic Computer Training (optional, based on users’ computer skills) Basic HMIS Policy Training for Agency Policy Users Basic HMIS Application Training for Agency Policy User

Community Resources (see referral list) CDHS or designated Training provider

Agency Technical Administrator (Direct Partner Agency)

Basic HMIS Policy Training for Agency Technical Administrators Basic HMIS Application Training for Agency Users Advanced HMIS Application Training on Agency Technical Administration

CDHS or designated Training Provider

29

SOP#: 03-050 Revision: Prepared by: HMIS Approval Date: In Progress Revision Date: Revised by: Title: HMIS CLIENT NOTIFICATION POLICIES AND PROCEDURES Policy: Partner Agencies shall use the required client notification and/or consent

procedure prior to entering any client-level data into the HMIS. Standard: The Executive Director of each Partner Agency is responsible for ensuring that

the agency has implemented appropriate procedures to enforce the client notification and consent procedures.

Purpose: To give client’s control of their personal information. Scope: System-wide Responsibilities: All verbal and written client notification and consent must include a statement that no client will be denied service for refusal to consent. The City has prepared standard documents for Client Notice of Uses and Disclosures, Client Consent for Network Data Sharing, Client Release of Information for Agency Referrals, and Notice and Consent for Persons who May be Victims of Domestic Violence, Parts 1 &2. Partner Agencies may either use these forms or incorporate the content of the HMIS documents in their entirety into the Agency’s own documentation. All written consent forms must be stored in a client’s case management file for recordkeeping and auditing purposes. Agencies must make reasonable accommodations for persons with disabilities throughout the data collection process. This may include but is not limited to, providing qualified sign language interpreters, readers or materials in accessible formats such as Braille, audio, or large type, as needed by the individual with a disability. Agencies that are recipients of federal assistance shall provide required information in languages other than English that are common in the community, if speakers of these languages are found in significant numbers and come into frequent contact with the program. Definitions and Descriptions of Client Notification and Consent Procedures Client Notice: A written notice, and accompanying cover page, of the assumed functions of the HMIS must be posted and given to each client so they are aware of the potential use of his/her information and where it is stored. To fulfill this requirement, the agency may either adopt the HMIS Notice of Uses and Disclosures or may develop an equivalent Privacy Notice, and accompanying cover page, that incorporates all of the content of the standard HMIS Notice. If the agency has a website, the adopted Notice of Uses and Disclosures or equivalent privacy notice must also be posted on the website.

30

No consent is required for the functions articulated in the notice, except for consent to enter information into the clinical assessment screens (See below). However, as part of the notification process, clients must be informed of their right to designate that his/her client record only be viewed/accessed by staff of the agency that entered the information into the database; thus, it is not shared or accessible. And that the client has the right to refuse to have his/her information entered into the HMIS system at all. This client also has a right to view a copy of his/her record upon request. Special Notice and Consent for Persons who May be Victims of Domestic Violence: The purpose of this Notice is to make clients who have experienced domestic violence aware of potential safety risks if their information is entered into a central database such as the HMIS and to make them aware of their options regarding participation in the HMIS. Prior to entering any client information into the HMIS database, the mainstream service provider must present each client with the Special Notice for Persons who May be Victims of Domestic Violence and provide an oral explanation of the Notice. The Notice identifies who will have access to client information in the HMIS database, advises victims of safety risks, and informs victims that they may make choices to protect themselves if they fear for their safety. Clients who are concerned for their safety must be given Part 2, Notice & Consent for Persons who May be Victims of Domestic Violence, to read and select the HMIS participation option that is best for them. The service provider must provide these clients with an oral explanation of their participation options. Clients must be given the option to participate fully in the HMIS. Clients who choose not to participate fully in HMIS may limit their participation by selecting one of two options: (1) no client information will be entered into the HMIS database; or (2) client identifying information will be entered, but designated as unshared/inaccessible. The staff at mainstream agencies must be trained on the protocol for educating domestic violence victims about their participation options. Client Refusal: After learning about HMIS, if a client does not wish to have his/her information entered into the HMIS system, the client’s information may not be entered into the system. CDHS and the Planning Council will develop polices and procedures for the reporting of de-identified information about these clients. Unshared/Inaccessible: After learning about the HMIS, if a client does not wish to have his/her Primary Identifiers accessible to all HMIS users, the originating HMIS user should indicate on the Intake Screen that the client has requested his/her record remain unshared/inaccessible. This will allow only agency staff to access the client’s information for agency purposes. This action will allow HMIS System-level users (as defined in SOP 03-030: HMIS User Access Levels) to view client-identifying information, but will prevent any personal client-identifying information from being accessed by HMIS users outside of the originating agency.

31

Written Client Consent for Interagency Data Sharing: At the initial intake, the Client should be provided an oral explanation and written documentation about the option of sharing his/her General Client Information within the originating agency’s Sharing Network. (The specific details of interagency data sharing are described in SOP 03-080: HMIS Interagency Data Sharing.) If a client is interested in sharing his/her General Client Information within the network, he/she must provide written consent. The consent must be specific regarding purpose, the expiration of the sharing, affected data elements, function, and involved parties. The client maintains a right to revoke written authorization at any time, in which case, any currently shared information will become non-shared from that point forward. To fulfill this requirement, the agency may adopt the HMIS Client Consent for Network Data Sharing or may develop an internal form that incorporates the content of the standard HMIS form. Written Client Consent for Sensitive Clinical Assessment Information: Before entering any information into a clinical assessment screen, an additional consent must be obtained from the client. The consent must be specific regarding the disclosure of HIV/AIDS, Mental Health and/or Substance Abuse information, the purpose of the disclosure, the expiration of the consent, affected data elements, function, and involved parties. The client maintains a right to revoke written consent at any time, in which case, the client’s HIV/AIDS, Mental Health and/or Substance Abuse information will cease to exist in HMIS. To fulfill this requirement, the agency may adopt the HMIS Client Consent to Enter Sensitive Information into HMIS or may develop an internal form that incorporates the content of the standard HMIS form. Applicability Each consent method is used for varying purposes and types of agencies. In all cases, the Partner Agency shall uphold Local, State and Federal Confidentiality regulations to protect client records and privacy. If an agency is covered by HIPAA, the HIPAA regulations prevail. The table below summarizes the client data categories and the related notification/consent and sharing rules that relate to each data category. These minimum procedures should not imply that all providers will perform all of these functions. Specific Client Notification Procedures for Unaccompanied Minor Youth Based on their age and potential inability to understand the implications of sharing information, the HMIS cannot be used to input information about unaccompanied minor youth. Thus even with a written client authorization, users cannot input any information about an unaccompanied minor youth in the HMIS. CDHS and the Planning Council will develop policies and procedures for the reporting of information about these clients. For the purposes of this policy, minor youth are defined as youth under 18. This in no way should be construed to limit the services that may be provided to unaccompanied minor youths.

32

Privacy Compliance and Grievance Policy Agencies must establish a regular process of training users on this policy, regularly auditing that the policy is being followed by agency staff (including employees, volunteers, affiliates, contractors and associates), and receiving and reviewing complaints about potential violations of the policy. Agencies may want to appoint a Chief Privacy Officer to be responsible for these tasks.

33

SOP#: 03-060 Revision: Prepared by: HMIS Approval Date: In Progress Revision Date: Revised by: Title: HMIS DATA COLLECTION REQUIREMENTS Policy: All agencies that provide homeless services are encouraged, and required if

funded by CDHS and/or HUD, to collect data for all clients served by their programs, as specified by this policy.

Standard: The Partner Agency will develop an interview protocol that facilitates the

collection of the required data elements over time, beginning with some elements at intake and others over time.

Purpose: To ensure that agencies understand the data collection requirements set by the

Planning Council, HUD and CDHS. Scope: Partner Agencies Responsibilities: Universal Data Elements The Partner Agency is responsible for ensuring that a minimum set of data elements, referred to as the Universal Data Elements, will be collected and/or verified from all clients at initial program enrollment or as soon as possible thereafter. The universal data elements are:

- First, Middle, Last Name, and Suffix - Social Security Number - Date of Birth or estimated Date of Birth (age) - Ethnicity and Race - Gender - Veteran Status - Disabling Condition - Residence Type Prior to Program Entry and Length of Stay - Zip code of last Permanent Residence - Program Entry and Exit Dates

Partner agencies must report client-level data for the universal data elements using the required response categories detailed in Exhibit 3: Required Response Categories for Universal Data Elements of the HUD Data and Technical Standards Final Notice. Program-specific Data Elements All City-funded and HUD-funded Partner Agencies are also responsible for ensuring that the following data elements, referred to as Program-Specific Data Elements, are collected from all

34

clients that are served by the City or HUD funded programs. These program-specific data elements must be entered into the HMIS within 24 hours of client interaction for CDHS funded programs, and within seven days of collecting the information for all other programs. The timeframes for data collection are included for each data element. The Program-specific Data Elements are located throughout the HMIS application. Additional information on their location within the HMIS will be provided as part of the HMIS training materials. They include:

- Causes of Homelessness (Program Entry) - Income Sources and Amounts (Program Entry and Exit); - Source of Non-cash benefits (Program Entry and Exit); - Presence of Physical Disability (Program Entry); - Presence of Developmental Disability (Program Entry); - HIV Positive or AIDS Diagnosis (Program Entry); - Mental Health Status and Chronicity (Program Entry); - Presence of Substance Addictions and Chronicity (Program Entry); - History of Domestic Violence and Timeframe (Program Entry); - Services Received (Throughout Program Enrollment); - Destination upon Leaving Program (Program Exit); - Reasons for Leaving (Program Exit); Additional Data Elements for CDHS funded programs include: - Causes of homelessness. - Duration of homelessness. - Language spoken. - Program outcomes.

Partner Agencies must provide client-level data for the program-specific data elements using the required response categories detailed in Exhibit 4: Required Response Categories for Program-Specific Data Elements of the HUD Data and Technical Standards Final Notice. CDHS maintains its right to amend its minimum required data elements through its grant contract process independent of this SOP. DV Anonymous HMIS Data Submittal Partner Agency Data Collection Requirements Note that this section should not be considered final, and may be revised as a result of the specific discussions between DV programs, the City, Planning Council, Chicago Alliance or current HUD applicant, and the HMIS Vendor. [Data Collection is defined as: a) obtaining client information at the Agency through interview of and/or service provision to the client; and b) the storing of client information at the Agency in paper or electronic format. DV Anonymous HMIS Data Submittal (Anonymous Data) Partner Agencies shall collect and store the Universal and Program-specific data elements defined above.

35

Anonymous Client-level Data are defined as individual client records that contain no personal client identifying information, in whole or in part, or any information that may be used to deconstruct a person's identity. No one beyond the originating agency will have access to any client personal identifying information. Client personal identifying information is defined as the following data fields:

a) Name(s) or Aliases b) Social Security Number c) Date of Birth d) Mother’s Maiden Name e) Unique Identifying Characteristics f) Address-specific Residence Prior to Program g) Unique Person Identifier* h) Any other data fields that may be used to leverage the identity of any individual client.

*A unique client identifier shall be assigned by the Agency to each client. The unique client identifier shall not contain any masked client personal identifying information. The unique client identifier shall not contain, in whole or in part, any client personal identifying information as listed above in fields a) through f). The unique client identifier provides an unduplicated internal count of clients served by the Agency, and provides the Planning Council and the City the means of conducting longitudinal analysis of services provided to each client. With this option, the Agency will submit Anonymous Client-level Data to the Chicago Alliance or current HUD applicant and/or CDHS in an electronic format, according to the technical specifications developed by the Planning Council and the CDHS. The data specifications will be developed by CDHS and the Planning Council, after discussion with DV Agency leadership and IT staff. The timing and methodology of developing the export functionality to fulfill these data submittal requirements will be subject to agreement between the Planning Council, CDHS and the Agency.]

36

SOP#: 03-070 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: HMIS INTERAGENCY DATA SHARING Policy: Data sharing among agencies will be supported automatically for both direct and

interface agencies. All HOPWA and domestic violence agencies/programs shall be exempt from participation in data sharing.

Standard: For partner agencies wishing not to engage in data sharing arrangements, a

written, formal document must be signed by the Executive Directors of the agencies opting out of the data sharing network.

Purpose: To formalize the vehicle through which agencies can share client records or exit

the data sharing network, thus allowing such agencies to discontinue the sharing of client records.

Scope: Partner agencies wishing not to share client-level data. Background: Written Documentation: Agencies wishing not to share information electronically through the HMIS are required to document this fact in writing by jointly executing an Interagency Network Data Sharing Exit Agreement, as provided by the HMIS Management Team. Role of the Executive Director: The Executive Director is responsible for ensuring that users within his/her agency abide by all the policies stated in the Interagency Network Data Sharing Agreement. Executive Directors wishing not to participate in the data sharing network must execute an Interagency Network Data Sharing Exit Agreement, and identify a lead representative to contact the HMIS System Administrator to initiate the opt-out process. Role of the HMIS System Administrator: Once the Executive Directors of agencies have executed the Interagency Network Data Sharing Exit Agreement and the HMIS System Administrator has been contacted/notified, the HMIS System Administrator will remove the agency from the data sharing network in the system. Client Authorization: Case managers from agencies in the data sharing network may only share client information if the client authorizes that sharing with a valid Client Consent Form, as described in SOP 03-060: Client Notification Policies and Procedures. Steps for an Agency in the Interagency Data Sharing Network: The general steps include:

- All of the Executive Directors/agencies using the HMIS are included in the Interagency Data Sharing Network and must execute an Interagency Data Sharing Agreement.

37

- Each participating agency will retain a copy of the agreement and a master will be filed with the HMIS System Administrator.

- The HMIS System Administrator will establish the data sharing privileges. - Once data sharing among a network is established, authorized users will be able to grant

permission based on appropriate client consent to share individual client information with all other authorized users in the network.

- Although data sharing privileges may be established through these actions, authorized users will only be able to view client data (beyond the universally shared Primary Identifiers) for clients enrolled in a program within their Agency.

Steps for Exiting an Interagency Data Sharing Network: The general steps include:

- All of the Executive Directors/agencies wishing to opt-out of the Interagency Data

Sharing Network must execute an Interagency Data Sharing Exit Agreement. - Each exiting agency will retain a copy of the agreement and a master will be filed with

the HMIS System Administrator. - The HMIS System Administrator will remove the data sharing privileges. - Once data sharing among a network is removed, users will no longer be able to grant

permission based on appropriate client consent to share individual client information with all other authorized users in the network.

- Although data sharing privileges may be discontinued through these actions, authorized users will only be able to view client data (beyond the universally shared Primary Identifiers) for clients enrolled in a program within their Agency.

Data Sharing protocol will be reinforced by the following technical mechanisms:

- Only authorized users will have HMIS access, controlled by user ID and password. - Each user’s access to data will be defined by their user type. Users will only be able to

see data categories viewable by their respective user level, regardless of information sharing privileges within an agency or network.

- When a client record is set-up to be accessed by a user at another agency, the originating

user must verify client authorization and indicate time period for data sharing. - Users will only be able to view client data (beyond the universally shared Primary

Identifiers) for clients enrolled in a program within their Agency. - Protected information (clinical mental health assessment, clinical substance abuse

assessment, clinical HIV/AIDS information, and domestic violence incident information) will not be shared within a network. This information will only be viewable by users at the originating agency, with the exception of information sent to another specific agency through the referral process (described in SOP 03-090: HMIS Information Sharing Referral Procedures).

- Random file checks for appropriate client authorization, audit trails, and other monitoring tools may be used to monitor that this data sharing procedure is followed. Specific monitoring procedures around program enrollment will be implemented to ensure appropriate client information access.

38

SOP#: 03-080 Revision: Prepared by: HMIS Approval Date: In Progress Revision Date: Revised by: Title: HMIS INFORMATION SHARING REFERRAL PROCEDURES Policy: Agencies will be able to share client information with agencies outside of their

Interagency Network with appropriate written client authorization. Standard: For Partner Agencies to share client information with agencies outside of their

Interagency Network, a client must provide a written release of information for referral purposes.

Purpose: To formalize the vehicle through which agencies can share data outside of their

Interagency Network Agreements. Scope: Partner Agencies wishing to share client-level data outside of an Interagency

Network. Responsibilities: Any client information stored in the client record of an originating agency may be shared with another Partner Agency based on a written client release of information. Referrals cannot be directed to a specific user at a receiving agency. Users at the receiving agency will only be able to view the client-designated portions of the originating agency’s client record based on their user access levels for the timeframe specified in the referral. One or more persons at each agency should be designated to receive incoming referrals daily and direct them to appropriate personnel within the agency. Since the recipient agency will have an “active window” to the specified portions of the originating agency’s file, users within the recipient agency will also be able to see all changes made to record during the authorized timeframe. The default value for the timeframe for information sharing for referral purposes will be set to fifteen days to limit the privacy and safety risks for clients. Referring agencies will have the opportunity to set an alternative timeframe, if more appropriate. During that timeframe, the recipient agency can print a hardcopy of the client information for archival purposes or can enter client information into its own client record to permanently incorporate the information into its electronic file. At the expiration of that timeframe, the recipient agency will retain a record of the referral but will no longer be able to view the client information. Upon request by the receiving agency and with client consent, the originating agency can extend or re-release the information. Role of Executive Director: The Executive Director is responsible for establishing and ensuring compliance of all client notification and consent policies stated in the Client Release of Information for Referrals form.

39

Client Authorization: HMIS Users may only share client information if the client authorizes that sharing with a valid Client Release of Information for Referrals form, as described in SOP 03-060: Client Notification Policies and Procedures. The general steps include:

- Authorized users will be able to grant permission based on appropriate client consent to share individual client information with another Agency’s users.

- Although data sharing privileges may be established through these actions, authorized users are only able to view client information beyond the universally shared identifiers for clients that they enroll in a program within their agency.

Data Sharing protocol will be reinforced by the following technical mechanisms:

- Only authorized users will have HMIS access, controlled by user ID and password. - Each user’s access to data will be defined by their user type. Users will only be able to

see data categories viewable by their respective user level, regardless of information sharing privileges within an agency or network.

- Prior to a client record being set-up for access by users at another agency, the originating user must obtain client authorization, indicate time period for data sharing, and specify data categories to be shared.

- Users will only be able to view client data (beyond the universally shared identifiers) for clients enrolled in a program within their Agency.

- Random file checks for appropriate client authorization, audit trails, and other monitoring tools may be used to monitor that this data sharing procedure is followed. Specific monitoring procedures will also be implemented to ensure that clients are being appropriately enrolled in programs.

40

Section 4 Security Policies and Procedures

41

SOP#: 04-010 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: SYSTEM ACCESS CONTROL POLICIES AND PROCEDURES Policy: HMIS Management Team must reasonably secure the system from access from

unauthorized users. Standard: HMIS Management Team or its designee should employ access prevention and

physical access control measures to secure HMIS system resources. Purpose: To protect the security of the HMIS system resources. Scope: HMIS Management Team and Agency Technical Administrators Guidelines:

Central HMIS Equipment Access Prevention Mechanism All computing resources will be protected at all times by a firewall. User access through the Internet will be controlled using workstation and user authentication at all times. Physical access to the system data processing areas, equipment and media must be controlled commensurate with the threat and exposure to loss. Available precautions include equipment enclosures, lockable power switches, equipment identification and fasteners to secure the equipment. The HMIS Management Team will determine the physical access controls appropriate for the environment housing the central HMIS equipment based on HMIS security policies, standards and guidelines. All those granted access to an area or to data are responsible for their actions. Additionally, if an individual gives access to another person, the authorizing individual is responsible for the other person’s activities. Workstation Access Controls Access to the HMIS will only be allowed from computers specifically identified by the Executive Director and Agency Technical Administrator of the Participating Agency. Laptops will require an additional security form stating that use will not be for unauthorized purposes from unauthorized or inappropriate locations. Laptops should not use unprotected, public locations to access the HMIS for security and privacy purposes. Access to HMIS computer workstations should be controlled through physical security measures and/or a password. Each Agency Technical Administrator will determine the physical access controls appropriate for their organizational setting based on HMIS security policies, standards and guidelines. Each workstation should meet appropriate and current security protection, as specified in SOP 02-040: HMIS Hardware, Connectivity, and Security Requirements. If an agency accesses the HMIS through a network, all workstations on that network must be protected by similar measures. An agency using or considering a wireless internet configuration must employ higher security measures, as described in SOP 02-040: HMIS Hardware, Connectivity, and Security Requirements.

42

SOP#: 04-020 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: DATA ACCESS CONTROL POLICIES AND PROCEDURES Policy: HMIS Management Team must reasonably secure the HMIS data from access

from unauthorized users. Standard: HMIS Management Team or its designee should employ access prevention

control measures to secure HMIS database resources. Purpose: To protect the security of the HMIS database(s). Scope: HMIS Management Team and Agency Technical Administrators Guidelines: User Accounts Agency Technical Administrators and the HMIS System Administrator must follow the procedures documented in Section 2 for user account set-up, including verification of eligibility, appropriate training, and establishment of appropriate user type. Each user’s access to data should be defined by their user type and specific agency data-sharing agreements. Agency Technical Administrators must regularly review user access privileges and terminate user IDs and passwords from their systems when users no longer require access. It is the responsibility of the user’s supervisor to notify the Agency Technical Administrator immediately when a user leaves the agency or no longer requires access to the HMIS system. The Agency Technical Administrator should terminate the rights of a user immediately upon termination from their current position. It is the responsibility of the user’s supervisor to notify the Agency Technical Administrator immediately when a user leaves the agency. The Agency Technical Administrator is responsible for removing users from the system. If a staff person is to go on leave for a period of longer than 30 days, their account should be temporarily suspended within 5 business days of the start of their leave. It is the responsibility of the user’s supervisor to notify the Agency Technical Administrator when the user will be on leave for a period longer than 30 days. Users should only be logged into the HMIS from one workstation at any given time. User Passwords Each user must have a unique identification code (user ID). Each user’s identity will be authenticated using a user password. Passwords are the individual’s responsibility. Users are prohibited from sharing user IDs or passwords. Sanctions will be imposed on the user and/or agency if user account sharing occurs.

43

A temporary password will be automatically generated from the system when a new user is created. Agency Technical Administrators will communicate the system-generated password to the user. The user will be asked to establish a permanent password at initial log-in. Users will be able to select and change their own passwords, and must do so at least every forty-five days. A password cannot be re-used until 2 password selections have expired. Passwords should be between eight and sixteen characters long and not easily guessed or found in a dictionary. The password format is alphanumeric. Any passwords written down must be securely stored and inaccessible to other persons. Users should not save passwords on a personal computer for easier log on. Password Reset The Agency Technical Administrator will have the authority to reset a user password. The System Administrator and technical support triage team will have the ability to temporarily reset a password during non-business hours. Temporary Suspension of User Access to Database Resources System Inactivity: Users must logoff from the HMIS and workstation if they leave their workstation. HMIS Management Team must establish inactivity time-out thresholds to be implemented by the vendor, where technically feasible, for terminals and workstations that access HMIS information. Therefore, if a user is logged onto a workstation, and the period of inactivity on the workstation exceeds the designated inactivity time period. The user will be automatically logged off of the system. By default the inactivity period is set to 30 minutes – if a user is inactive in ServicePoint for 30 minutes, then the user is logged off and must reenter his/her user ID and password in order to resume work. Unsuccessful logon: If a User unsuccessfully attempts to logon four times, the User ID will be “locked out”, access permission revoked and unable to gain access until their password is reset by the Agency Technical Administrator. Electronic Data Controls Agency Policies Restricting Access to Data: The Partner Agencies must establish internal access to data protocols based on the final HUD Data and Technical Standards. Raw Data: Users who have been granted access to the HMIS Report Writer tool have the ability to download and save client level data onto their local computer. Once this information has been downloaded from the HMIS server in raw format to an Agencies computer, this data then becomes the responsibility of the agency.

44

Ability to export Agency specific Database from HMIS: Partner Agencies will have the ability to export a copy of their own data for internal analysis and use. Agencies are responsible for the security of this information. Hardcopy and Digital Data Controls Printed versions (hardcopy) of confidential data should not be copied or left unattended and open to compromise. Media containing HMIS client identified data may not be shared with any person or agency other than the owner of the data for any reason not disclosed within the Client Notice. Agencies policies, consistent with applicable state and federal laws, should be established regarding appropriate locations for storage, transmission, use and disposal of HMIS generated hardcopy or digital data. HMIS data may be transported by authorized employees using methods deemed appropriate by the participating agency that meet the above standard. Reasonable care should be used, and media should be secured when left unattended. Magnetic media containing HMIS data which is released and/or disposed of from the participating organization and central server should first be processed to destroy any data residing on that media. Degaussing and overwriting are acceptable methods of destroying data. HMIS information in hardcopy format should be disposed of properly. This may include shredding finely enough to ensure that the information is unrecoverable.

45

SOP#: 04-030 Revision: Prepared by: HMIS Approval Date: In Progress Revision Date: Revised by: Title: AUDITING POLICIES AND PROCEDURES Policy: HMIS Management Team and Agency Technical Administrators will monitor

system and database access that could potentially reveal a violation of security protocols.

Standard: HMIS Management Team or its designee and Agency Technical Administrators

will implement a monitoring plan to monitor compliance with data security standards.

Purpose: To protect the security of the HMIS system and databases. Scope: HMIS Management Team and Agency Technical Administrators Guidelines: Access Monitoring Plan The HMIS application must maintain an audit trail that tracks user log-in attempts for a minimum of six months. The HMIS application must also maintain an audit trail that tracks to deletions to client records (including the actual assessment entry, date deleted, and username) for a minimum of six months and a record of deleted client records (case number, intake information, date deleted, and username) for a minimum of one year. The HMIS application is designed to record transactional data on all other client information for historical and audit purposes. Each entry shall also reflect the user that created the entry and the date and name of the user that made the most recent modification. The HMIS Application Administrator must regularly review audit records for evidence of violations or system misuse. Audits may include reviews of user data activity to identify inactive users and reviews to determine instances of simultaneous user logins to identify user account sharing. The Agency Technical Administrator must regularly review these logs for its agency’s users to determine unauthorized or inappropriate access to HMIS client records. Agencies should also institute internal monitoring methods to ensure compliance with these SOPs. Agencies may be required to demonstrate that they are complying, and/or may be subject to technical and policy monitoring by the Chicago Alliance or current HUD applicant or the City. All users and custodians are obligated to report suspected instances of noncompliance and/or security violations to an Agency Technical Administrator, the HMIS System Administrator, and/or Application Administrator, as soon as possible. All users and custodians are obligated to report suspected instances of noncompliance and/or security violations to an Agency Technical Administrator, the HMIS System Administrator, and/or Application Administrator, as soon as possible.

46

Violations & Sanctions Violations of Security Procedures

- Violations of security procedures will be sanctioned. - All potential violations of any security protocols will be investigated. - If possible, all confirmed violations will be communicated in writing to the affected client

within 14 days, unless the client cannot be located. If the client cannot be located, a written description of the violation and efforts to locate the client will be prepared by the Commerce HMIS staff and placed on file in a client file at the Agency that originated the client’s record.

- Any user found to be in violation of security protocols will be sanctioned accordingly. - Sanctions may include but are not limited to; a formal letter of reprimand, suspension of

system privileges, revocation of system privileges and criminal prosecution. - Any agency that is found to have consistently and/or flagrantly violated security

protocols may have their access privileges suspended or revoked. - All sanctions are imposed by the Department of Human Services HMIS staff. - All sanctions can be appealed to the HMIS Committee.

47

Section 5 Internal Operating Policies & Procedures

48

SOP#: 05-010 Revision: Prepared by: HMIS Approval Date: In Progress Revision Date: Revised by: Title: SYSTEM AVAILABILITY POLICIES AND PROCEDURES Policy: The HMIS application will be available to users in a manner consistent with the

agencies’ reasonable usage requirements. Standard: HMIS Management Team or its designee will operate the system full-time and

respond immediately in the event of an interruption to service, as defined by the guidelines in this policy.

Purpose: To define system availability. Scope: HMIS Management Team or its designee Guidelines: These guidelines are provided as a reference; however, the official document for system operation is the vendor Service Level Agreement (SLA). Hours of System Operation The HMIS Vendor will identify hours, and a set time for planned back-up, security patches, etc. HMIS Management Team Team Availability The HMIS Management Team will be available during normal City business hours. After normal City business hours, users should follow the protocols established in SOP 05-020: Technical Support Policies and Procedures. HMIS Management Team staff will be on-call by the City Help Desk in the event of an identified disaster. Planned Interruption to Service The HMIS System Administrator or other HMIS Management Team staff will inform ensure that all users are informed via HMIS email and/or fax of any planned interruption to service. An explanation of the need for the interruption, expected duration, and benefits or consequences will be provided. Unplanned Interruption to Service When an event occurs that makes the system inaccessible and the interruption is expected to exceed two hours, the Application Administration and HMIS Management Team staff will make a determination to switch service to the secondary server. At this point, users will be able to resume operation. During the next full backup process, HMIS Management Team will restore the primary server with the real-time data from the secondary server, at which point operations can resume on the primary server.

49

SOP#: 05-020 Revision: Prepared by: HMIS Approval Date: 9/04/08 Revision Date: Revised by: Title: TECHNICAL SUPPORT POLICIES AND PROCEDURES Policy: The HMIS Management Team will offer standard technical support services to all

Partner Agencies and users. Standard: Users needing technical support on the HMIS application should access standard

technical support services using the guidelines articulated in this policy. Purpose: To define technical support services. Scope: System-wide. Guidelines: Technical Support Resolution Procedure – Use of the HMIS Application As unanticipated technical support questions on the use of the HMIS application, users should follow the following procedure to resolve their questions. During normal City business hours:

- Utilize on-line help resources and/or training materials. - If question is still unresolved, direct the technical support question to the Agency

Technical Administrator. - If question is still unresolved, the Agency Technical Administrator can contact the City’s

Help Desk (312-744-DATA) to determine the appropriate procedure. . - If question is still unresolved, the HMIS System Administrator can further direct the

question to DOIT staff and/or the HMIS Vendor technical support staff. After normal City business of hours:

- Utilize on-line help resources and/or training materials. - If issue can wait to be addressed during the following business day, please wait and

follow the escalation procedure outlined above, - If not, then direct the technical support question to the Agency Technical Administrator,

if available. - If unavailable or is the question is still unresolved, contact the City’s Help Desk (312-

744-DATA) to determine the appropriate procedure. If the City’s Help Desk determines that the issue needs immediate attention, the request will be forwarded to appropriate City or the HMIS Vendor technical support. Otherwise, the City Help Desk may indicate that the user should pursue assistance through normal channels on the following business day.

50

Technical Support Resolution Procedure – Access to the HMIS Application or Database If a user experiences an unplanned interruption to HMIS operation, users should follow the following procedure to notify the HMIS Management Team and/or understand the status of operations. During normal City business hours:

- Contact your Agency Technical Administrator, who should immediately check the status of the agency’s ISP.

- If the system outage is unrelated to the agency’s internet connectivity, the Agency Technical Administrator should contact the HMIS System Administrator and/or the City’s Help Desk (312-744-DATA) to immediately report the interruption.

- The Agency Technical Administrator should communicate the results of the status update to all agency users who may attempt to use the HMIS application during the period of interruption.

- At all times, the City Help Desk (312-744-DATA) will provide a central clearinghouse of information about all system interruptions.

After normal City business of hours:

- Attempt to determine if the interruption is related to the agency’s internet connection. (For instance, try to access another site on the internet.) If the issue is related to the Agency’s internet connectivity, contact the Agency’s technical support.

- If the system outage is unrelated to the agency’s internet connectivity, the user should contact the City’s Help Desk (312-744-DATA) to immediately report the interruption.

- The user should attempt to communicate the results of the status update to other agency users who may attempt to use the HMIS application during the period of interruption.

- At all times, the City Help Desk (312-744-DATA) will provide a central clearinghouse of information about all system interruptions.

User Training The HMIS Management Team will provide ongoing HMIS software training on a monthly basis, as described in SOP 03-040: HMIS Training Requirements. If additional or specific training needs arise, the HMIS System Administrator may be able to arrange for special training sessions. Agency/User Forms All Agency Technical Administrators will be trained in the appropriate on-line and hardcopy forms. If the Agency Technical Administrator has questions on how to complete HMIS forms, he/she should contact the HMIS System Administrator. Report Generation Each agency may send its Agency Technical Administrator to receive training on how to develop agency-specific reports using the HMIS and ART Reports. The HMIS System Administrator will be a resource to agency staff as they develop reports, but will only be available to provide a

51

limited, reasonable level of support to each agency. Other DOIT Reporting staff may be available to provide limited, reasonable follow-up support regarding agency-level report generation. Training in the creation and modification of reports using ART is available from Bowman Systems. Standard reports are also available. Once acquired through the vendor, the report can be copied, shared, modified and used by all agencies. The HMIS User Group will be the primary body to query Partner Agencies on their reporting needs and to prioritize a list of reports to be developed by the HMIS System Administrator for all HMIS Partner Agencies. Programming-related Service Requests If the user encounters programming issues within the HMIS application that need to be addressed, the user should identify the error or suggested improvement to the Agency Technical Administrator. The Agency Technical Administrator should complete an HMIS Service Request form identifying the specific nature of the issue or recommended improvement along with immediacy of the request. Service requests will be reviewed by the HMIS System Administrator for further action. Requests to fix programming errors or “bugs” will be prioritized and forwarded to the HMIS Management Team and/or the HMIS Vendor programming team, as appropriate. Suggested application improvements will be compiled and periodically discussed by the HMIS System Administrator and the HMIS User Group. A prioritized list of improvements will be submitted to the HMIS Management Team for review and submittal to the HMIS Vendor.

52

Section 6 Data Ownership, Usage and Release Policies & Procedures

53

SOP#: 06-010 Revision: Prepared by: HMIS Approval Date: In Progress Revision Date: Revised by: Title: UNDUPLICATION POLICIES AND PROCEDURES Policy: The Planning Council will employ a range of methods to achieve unduplication to

accommodate the unique situations of different provider types. Standard: The HMIS and HMIS System Administrator shall train users on and employ the

methods described below to achieve the highest degree of unduplication possible while also respecting the other privacy and security policies within these SOPs.

Purpose: To define the overall unduplication approach. Scope: System-wide. Guidelines: The HMIS software, ServicePoint, uses the following data elements to identify possible duplicate client records:

Name (first, middle initial, last name, suffix) Date of Birth (DOB) Gender Soundex values based on client name

Additionally a user may identify possible duplicates using the social security number. In order to minimize the number of instances where the same client may have two or more records created in the HMIS, the following steps should be followed:

1. Sharing of information in the client table with as many agencies as possible; the client table contains the client name and social security number; only when the client name is shared with other agencies and programs can duplication be prevented. (Primary sharing rules are established in the provider setup section of the software.)

2. When entering information about a client for the first time (i.e. client is new to the program or agency); the user should enter the client name and if available, the social security number. All possible matches will be displayed and the user should review the list to identify any possible matches. Note that some clients may use a “nick name” rather that the given formal name, both should be searched for possible matches – e.g. Bill, William, Willie, Billy – could be searched by using only the first letter, B and W with the last name to identify possible matches.

3. (ClientID cards, which show the ClientID number and the client name is an excellent way for clients to self identify that their information is already in the database, and allows the user to pull up the correct record quickly by entering the ClientID number)

54

4. Upon opening the client record of an existing client, the user should review the universal data elements, which are displayed on the screen, ensuring that the correct record has been accessed.

5. Whenever a new client record is created, all universal data elements should be completed, helping to avoid the creation of duplicate records.

Backend methods for identifying duplicate records: The HMIS software generates a field for each client record created to assist in the identification of possible duplicate records. This field, called UniqueID, is created by the system based on the client’s first name, last name, date of birth, gender, and a soundex value. Each time any of these values is changed, the UniqueID field is updated. The system administrator is able to run a report, Duplicate Client Report, that identifies all instances where two or more client records have the same UniqueID value. This report displays the UniqueID value, the client first and last name and the ClientID number. This list is a candidate list of potential duplicates, and upon further evaluation, client records that are duplicates may be identified. The system administrator may then merge duplicate records, after consulting with the agency or agencies involved. Where it may be desired, the system administrator can run this report, reviewing client records created by a specific program to determine whether that program is creating an unusual number of duplicates. Additionally, reports may be created in ART to identify further duplicate candidates, e.g. those with the same DOB, or SSN, or other data field. Whenever two or more clients share the same UniqueID value, for reporting purposes, these clients should be considered to be the same client, and thus this field is used whenever an “unduplicated count” of clients is desired. This field is used in all reports created by the vendor which require an unduplicated count. Anonymous and Unnamed Client records. Anonymous Client: When consistent with policy, a user may add a client to the database by using the Anonymous Client option. In lieu of entering the client first and last name, the system assigns a unique number to this client record. Normally when a record is created using this feature it is too protect the privacy of the client and the record is not shared with other programs. Whether shared or not, as the number is assigned by the system, every record created using the Anonymous feature is unique, i.e. duplicates are not possible. However, if the same client presents at two different programs and each adds the client as a new client, OR the client presents at the same program at different times, and is entered as a new client each time, then in fact two records for the same client exist but unduplicating these records is not possible as the name of the client is not recorded. Therefore, this feature should only be used in accordance with HMIS policy #______ which permits it use when ________________

55

Unnamed Client: The Unnamed Client feature is used similarly to the Anonymous Client function, except that upon creating the client record, the user enters the actual client name on the screen, and the name is used to create the UniqueID field. However, as the client name is not stored in the database, subsequent identification of the client by a user, requires the entry of the ClientID value. The user is able to view all data elements except the client name. For reporting purposes, if the same client has records created two or more times, then the system will have the same UniqueID value for each instance, resulting in an unduplicated count. Only the System Administrator would be able to link two or more records together in this manner. It is advised that when the user is deciding between entering a client using Anonymous vs. Unnamed, that Unnamed be used, if appropriate.

56

SOP#: 06-020 Revision: Prepared by: HMIS Approval Date: In Progress Revision Date: Revised by: Title: DATA QUALITY POLICIES AND PROCEDURES Policy: All data entered into the HMIS and/or used by the HMIS System Administrator,

Planning Council, Chicago Alliance or current HUD applicant or City offices responsible for the Plan to End Homelessness for analytical or reporting purposes must meet the data quality standards.

Standard: The Planning Council must adopt a data quality plan to ensure that all data meets

the data quality standards. Purpose: To define data quality standards and a data quality management plan. Scope: System-wide. Guidelines:

Data must pass “Fitness for Use” Tests Completeness

o Information is entered on all clients o Information on the client is complete

Accuracy

o Data reflects reality o Data is entered correctly o Data has face validity – reflects what we know

Consistency

o Performance information is consistent across time

57

SOP#: 06-030 Revision: Prepared by: HMIS Approval Date: In Progress Revision Date: Revised by: Title: DATA OWNERSHIP POLICIES AND PROCEDURES Policy: All data usage is governed by the owner’s of the data. Standard: Data entered into the HMIS for the purposes of the HMIS initiative shall be

considered owned by the client and agency that collected the information. Purpose: To define data ownership. Scope: System-wide. Guidelines: The client ultimately retains ownership of any identifiable client-level information that is stored within the HMIS. If the client consents to share data, the client, or agency on behalf of the client, has the right to later revoke permission to share his/her data without affecting his/her right to service. Identifiable client-level data may only be stored and accessed within the HMIS in accordance with the client notification and consent procedures in SOP 03-030: HMIS User Access Levels and SOP 03-060: Client Notification Policies and Procedures. In cases where agencies and clients agree to share identifiable client-level data, this information may only be shared in accordance with SOP 03-060: HMIS Client Notification Policies and Procedures, SOP 03-080: HMIS Interagency Data Sharing, and SOP 03-090: HMIS Information Sharing Referral Procedures In the event that the relationship between the HMIS and a Direct Partner Agency is terminated, the agency will retain ownership of the identifiable client-level data that has been submitted to the HMIS. The HMIS staff shall make reasonable accommodations to assist a Direct Partner Agency to export their data in a format that is usable in an alternative database. In this circumstance, any agency-entered client-level data must be de-identified in order to remain in the HMIS database. This de-identified information shall remain available to the City and Planning Council and Chicago Alliance for analytical purposes. For the purposes of de-identification, the personal identification number shall not be considered an identifying data element if it is not stored with any other personal identifiers.

58

SOP#: 06-040 Revision: Prepared by: HMIS Approval Date: In Progress Revision Date: Revised by: Title: HMIS DATA USES AND DISCLOSURES POLICIES AND

PROCEDURES Policy: All HMIS stakeholders will follow the data disclosure policies and procedures to

guide the use and disclose of client information stored in or generated by the HMIS.

Standard: This policy establishes the Planning Council-approved uses and disclosures for

HMIS client data. Purpose: To define minimum standards for data disclosure. Scope: System-wide. Guidelines: Each HMIS Partner Agency must comply with the following Uses and Disclosures, as outlined in the standard HMIS Notice of Uses and Disclosures. A Partner Agency has the right to establish additional uses and disclosures as long as they do not conflict with the Planning Council-approved uses and disclosures. Privacy Notice Requirement Each Agency must either adopt the standard Notice of Uses and Disclosures or develop an alternative Agency Privacy Notice that incorporates the content of the standard Notice. Every agency must post the notice and/or provide a copy of the notice to each client, in accordance with SOP 03-060: HMIS Client Notification and Consent Procedures. If an agency maintains a public web page, the agency must post the current version of its privacy notice on the web page. An agency’s Privacy Notice must:

- Specify all potential uses and disclosures of client personal information. - Specify the purpose for collecting the information. - Specify the time period for which the data will be retained at the agency and the method

for disposing of it or removing identifiers from personal information that is not in current use seven years after it was created or last changed.

- State the process and applicability of amendments, and commit to documenting all privacy notice amendments.

- Offer reasonable accommodations for persons with disabilities and/or language barriers throughout the data collection process.

- Allow the individual the right to inspect and to have a copy of their client record and offer to explain any information that the individual may not understand.

- Specify a procedure for accepting and considering questions or complaints about the privacy and security policies and practices.

59

Planning Council-approved Uses and Disclosures HMIS client data may be used or disclosed for (1) case management, (2) administrative, (3) billing, (4) analytical purposes, and (5) other purposes as required by law. Uses involve sharing parts of client information with persons within an agency. Disclosures involve sharing parts of client information with persons or organizations outside of an agency.

• Case Management Uses and Disclosures: Agencies may use or disclose client information for case management purposes associated with providing or coordinating services. Unless a client requests that his/her record remain hidden, personal identifiers will be disclosed to other HMIS agencies so other agencies can easily locate the client’s record if he/she goes to them for services. Beyond personal identifiers, each agency can only disclose client information with other agencies with written client consent.

• Administrative Uses and Disclosures: Agencies may use client information internally to carry out administrative functions, including but not limited to legal, audit, personnel, oversight and management functions. Client information will be stored on a central citywide case management database; as such client information will be disclosed for system administration purposes to City employees or contractors who administer the central database.

• Billing Uses and Disclosures include functions related to payment or reimbursement for services. An example might include generating aggregate reports for the people and organizations that fund an agency. A client’s personal information may be disclosed for billing or reimbursement purposes, if required by the funder/billing agency.

• Analytical Uses and Disclosures: Agencies may use client information for internal analysis. An example would be analyzing client outcomes to evaluate program effectiveness. Agencies will disclose client personal identifiers to the central system administrators for uses related to creating an unduplicated database on clients served within the system, ultimately resulting in the creation of de-identified personal information. Agencies may also disclose portions of a client’s information without the personal identifiers for analytical purposes related to analyzing client data, including but not limited to understanding trends in homelessness and needs of persons who are homeless, and assessing the implementation of Chicago’s 10-Year Plan to End Homelessness.

A client record will be stored on the HMIS system with personal identifiers for a period of seven years from the time it was last modified. Beyond that point, all personally identifying information will be removed and the remaining information will only be retained in a de-identified format.

60

SOP#: 06-050 Revision: Prepared by: HMIS Approval Date: In Progress Revision Date: Revised by: Title: DATA RELEASE POLICIES AND PROCEDURES Policy: All HMIS stakeholders will follow the data release policies and procedures to

guide the release of client information stored in or generated by the HMIS. Standard: Data must be categorized as confidential or internal unless it meets the data

release policy. Purpose: To define standards and circumstances for data release. Scope: System-level Data (HMIS Management) Guidelines: Procedures for Transmission and Storage of Data All data must be classified and treated according to one of the following definitions. All of these data classifications are controlled by the data release criteria defined below. Confidential Data: Confidential information is information that identifies clients contained within the database. Examples include social security number, name, address, or any other information that can be leveraged to identify a client. Specific identifiable data elements are described in SOP 03-070: Data Collection Requirements. Confidential data requires appropriate security and protection at all times as described in SOP 04-020: Data Access Control Policies and Procedures. Internal Data: Internal data is any information that is scheduled, but not yet approved, for publication. Examples include draft reports, fragments of data sets, or data without context. Accessible only to internal employees. No auditing is required. No special requirements around destruction of these data. This data must be stored securely and can be transmitted via internal or first class mail. Public Data: Public data is any information that is published according to Data Release policies. Additional security controls are not required.

61

Data Release Criteria HMIS client data will only be released in aggregate or anonymous client-level data formats for purposes beyond those specified in SOP 06-050: HMIS Data Uses and Disclosure Policies and Procedures, according to the criteria specified below, Client-identified Data Release Criteria: No identifiable client data will be released to any person, agency, or organization that is not the owner of said data for any purpose other than those specified in SOP 06-050: HMIS Data Uses and Disclosure Policies and Procedures without written permission from the owner. Aggregate Data Release Criteria:

- All data must be anonymous, either by removal of all identifiers and/or all information that could be used to infer an individual or household’s identity.

- Aggregate Data must represent sixty percent (60%) of the clients in that universe (program, agency, subpopulation, geographic area, etc.), unless otherwise required for the Congressional AHAR.

- Only Partner Agencies can authorize release of aggregate, program-specific information beyond the standard reports compiled by CDHS and the Chicago Alliance or current HUD applicant for funding purposes. There will be full access to aggregate data for all participating agencies.

- Parameters of the aggregate data (e.g. where the data comes from, what it includes and what it does not include) will be presented to each requestor of aggregate data.

- Released aggregate data will be made available in the form of an aggregate report or as a raw dataset.

Anonymous Client-level Data Release Criteria:

- All data must be anonymous, either by removal of all identifiers and/or all information that could be used to infer an individual or household’s identity.

- Program specific information will not be released without the written consent of the agency Executive Director.

- Parameters of the data (e.g. where the data comes from, what it includes and what it does not include) will be presented to each requestor of data.

Data Release Process Beyond individual agency reports, City reports, Chicago Alliance reports, or current HUD applicant reports on its funded programs, the Mayor’s Liaison on Homelessness - or similar proceeding City office - and the Chicago Alliance to End Homelessness CEO must jointly approve data for public classification and release.

62