North Carolina Coalition to End Homelessness

Privacy and Security

What’s on this page?

Tips to Keep NC Safe
How does HMIS Protect Clients?
Policies to Protect Privacy and Security
Technology to Protect Privacy and Security


Keep NC Data Safe!

Keeping electronic sensitive data isn’t as easy as putting a lock on a file cabinet. We are entrusted to keep client identifying information (client names, Social Security Numbers, Dates of birth, etc.) safe. Follow these tips to protect sensitive data from theft and vulnerability.

Protect Sensitive Data

 

Protect sensitive data

Use encryption when storing or transmitting sensitive data. Remove files containing sensitive data from your system when they are no longer needed. Remember that simply deleting files rarely means it's truly deleted permanently. If you store sensitive information on a flash drive or external hard drive, make sure to keep these locked as well. Unsure about how to store, handle or remove sensitive data? Contact us!

Practice Good Password Management

 

Practice good password management

FACT: We have too many passwords to manage. It's easy to take short-cuts, like using simple passwords repeatedly to remember them, but this isn’t safe. We highly recommend using long passwords with a strong mix of characters. Update passwords frequently, and once you use a password, don’t re-use it. Don't share your passwords or write them down.

 Never Leave Your Computer Unattended

 

Never leave your computer unattended

The physical security of your computer is just as important as its technical security. Do not let others access NC HMIS through your account. If you need to leave your computer- lock it so no one can use it. When finished using your computer, turn it off!  Leaving your computer on and connected to the internet opens the door for nasty malware.

Keep Software Up to Date

 

Keep software up to date

Operating system updates can be super annoying but they are necessary! These updates contain critical security patches that will help protect your computer from recently discovered threats. Failing to install these updates will put your computer at risk. Consider turning on automatic updates for your operating system. We recommend using web browsers such as Chrome or Firefox that receive frequent, automatic security updates. Be sure to keep browser plug-ins (Flash, Java, etc.) up to date, too.

Install Anti-Malware Protection

 

Install anti-malware protection

Malware includes computer viruses, worms, spyware, scareware and more. It can be present on websites and emails, or hidden in downloadable files. The best way to avoid getting infected is to install good protection, do periodic scans for spyware, and avoid clicking on suspicious email links or websites.

Download a copy for your office here.

 


How does HMIS Protect Clients?

HMIS is designed to protect clients from the ground up. Information collected by agencies and entered into HMIS cannot be shared with other agencies without a client's consent. Clients always have the right to determine if and what data is shared with agencies partnering in the community. Client information is also protected for reports required by and submitted to HUD because the data always de-identified. These reports allow communities to better understand how clients use homeless system services while protecting client information.

 


Policies to Protect Privacy and Security

Client data is protected when unauthorized access to view, modify, or obtain information in HMIS is prevented. The NC HMIS implementation as directed by our HMIS Lead, and supported by Local System Administrators like the Data Center staff, are responsible for maintaining access to information is based on these principles:

Informed Consent for data sharing within an agency
A client is provided accessible information about the use of HMIS, the protection of their information within HMIS, and the commitments of the agency with regards to their privacy while and after the client is served. If clients are properly informed and agree to services, HMIS can be used to store data.

Client Consent for data sharing between multiple agencies
Not only is a client informed to the privacy practices of the agency and HMIS, but they are also given options for if and how specific elements of their data could be shared between identified agencies, for the purposes of better, more coordinated services.


To follow these principles, the implementation has adopted policies to ensure this, including:

HMIS User Agreement and Code of Ethics
HMIS User requirements for initial privacy training (as identified on nchmis.org)
HMIS User requirements for Annual Privacy Updates (as identified on nchmis.org)


HMIS Participating Agencies

Agencies add another layer of protection and security for clients. Agencies should have Board-approved Privacy Policy and Grievance Policy that incorporate HMIS participation. Below are samples of what that could look like (accessible with your nchmis.org profile):

Agency Privacy Policy Template
Agency HMIS Grievance Policy Template

Additionally, client interactions are transparent with consistent language and materials to understand their rights and protections:

HUD Public Notice for display in waiting and intake areas
Privacy Script Template
Client Acknowledgment of Rights Form
Release of Information with Sharing Plan Template (valid only with an implemented Sharing Agreement)

 


Technology to Protect Privacy and Security

Clients trust service providers with extremely sensitive information, and we take that trust to heart. It’s important to be aware of which tools we use that are secure, and which tools are not as we gather and transport information about our clients. For example, our HMIS software “ServicePoint” by Mediware utilizes Secure Socket Layers (SSL) 128-bit encryption from the company Symantec. If you’d like to learn more about SSL certificates and encryption, Symantec has this brief introduction. On the other hand, most email providers like Gmail and Outlook are not encrypted. Here are a few of our standards for protecting our clients' data:

Electronic communication like email should not contain personally identifying information of clients like Full Legal Name, Date of Birth, Social Security Number, Disabling Condition(s), etc. Use HMIS ID numbers to avoid this.
HMIS reports with client identified information should never be emailed or saved in an unsecured location. 
HMIS should never be accessed from open internet connections like at cafes or libraries, and without password protection.
Tags: HMIS