Homeless Management Information Systems (HMIS) Data and Technical Standards Final Notice; Clarification and Additional Guidance on Special Provisions for Domestic Violence Provider Shelters

AGENCY:

Office of the Assistant Secretary for Community Planning and Development, HUD.

ACTION:

Notice.

SUMMARY:

This notice clarifies and provides further guidance on the special provisions for domestic violence provider shelters participating in Homeless Management Information Systems (HMIS). This clarification and additional guidance follows issuance of the HMIS Data and Technical Standards Final Notice published on July 30, 2004, and the HMIS Data and Technical Standards Draft Notice, published on July 22, 2003.

DATES:

Effective Date: August 30, 2004.

FOR FURTHER INFORMATION CONTACT:

Michael Roanhouse, Office of Special Needs Assistance Programs, Office of the Assistant Secretary for Community Planning and Development, Room 7262, Department of Housing and Urban Development, 451 Seventh Street, SW., Washington, DC 20410-7000; telephone (202) 708-1226, ext. 4482 (this is not a toll-free number). Hearing- or speech-impaired individuals may access this number by calling the toll-free Federal Information Relay Service at 1-800-877-8339.

SUPPLEMENTARY INFORMATION:

I. Introduction

This notice provides clarification and further guidance on the special provisions for domestic violence provider shelters (section 1.5.6.) in the Homeless Management Information Systems (HMIS) Data and Technical Standards Final Notice (Final Notice), published on July 30, 2004 (69 FR 45888). This notice provides clarification and additional guidance on the timing of participation and data collection, submission, and aggregation requirements for HUD McKinney-Vento funded domestic violence shelters.

II. Background

HUD supported the development of local HMISs in response to Congressional direction on the need for improved data on and the analysis of the extent of homelessness and the effectiveness of the McKinney-Vento Act programs including: (1) Production of an unduplicated count of clients served at the local level; (2) analysis of patterns of use of people entering and exiting the homeless assistance system; and (3) evaluation of the effectiveness of the homeless assistance system. Broad-based participation of all homeless service providers at the local level in HMIS and the collection of longitudinal data are critical to meeting this directive.

Domestic violence programs play a critical role in many Continuums of Care (CoC) and constitute a large proportion of shelter beds and homeless service slots. Their absence from participation in an HMIS would prevent these communities from obtaining an unduplicated count of homeless persons in their community or understanding adequately the needs of the homeless population, including victims of domestic violence. In deciding whether domestic violence programs should be expected to participate in HMIS, HUD reviewed carefully the comments on the HMIS Data and Technical Standards Draft Notice, published on July 22, 2003 (68 FR 43430), and consulted with a wide range of stakeholders.

These stakeholders included local homeless assistance providers, domestic violence providers, national HMIS experts, national advocacy organizations, leading researchers and other federal agencies. Comments on the draft notice and subsequent stakeholder discussions led HUD to conclude that it was critical for domestic violence programs to participate in HMIS so as to fully understand homelessness at the local and national levels. It was also determined that safety concerns for domestic violence programs could be addressed effectively if:

• A distinction is made between (1) data that domestic violence providers collect from homeless persons and (2) data that domestic violence providers submit to a central server in order to produce an unduplicated count of homeless persons at the CoC level;
• Domestic violence programs are given ample time to implement technological, administrative, and other safeguards to participate in their community's HMIS;
• Adequate local privacy and security standards are developed to protect client information; and
• HUD offers extensive technical assistance support to communities and domestic violence programs.

To address the specific concerns regarding participation, HUD is providing the following clarification and additional guidance on the timing of participation and data collection, submission, and aggregation requirements for HUD McKinney-Vento funded domestic violence shelters.

III. The Timing of Domestic Violence Shelter Provider Participation in HMIS

HUD recognizes that communities and domestic violence programs need time to develop and implement methods to effectively address domestic violence provider participation in HMIS and, therefore, permits CoCs to stage the entry of domestic violence programs last, including after the October 2004, goal for HMIS implementation. The later staging of domestic violence providers will not affect HUD's assessment of CoC progress in HMIS implementation in the national CoC competitive ranking process.

HUD did not state a deadline for domestic violence provider participation in the HMIS and recommended the staging of their addition to the HMIS implementation last to allow for adequate time for planning, discussion, investigation, and development of local participation policies. HUD acknowledges the privacy and security concerns of domestic violence providers and has given discretion to each CoC to work with their domestic violence providers to identify methods of participation that will maximize the safety of persons served by those providers. The Final Notice also recognizes stronger state confidentiality provisions. In the event that state laws conflict with the Final Notice, as determined by an appropriate state government entity, state law will prevail (see Section 4 of the Final Notice).

IV. Data Collection Versus Data Submission Requirements of Domestic Violence Providers to a COC

The Final Notice states that domestic violence programs that receive HUD McKinney-Vento funds are expected to implement the universal and those program-specific data elements required for generation of an Annual Progress Report and Emergency Shelter Grant reporting (see section Sections 1.5.3. and 1.5.6. of the Final Notice). To clarify and provide additional guidance concerning the implementation, the following elaborates on the requirements for data collection, data submission, and data aggregation for domestic violence providers participating in HMIS.

Data Collection: All recipients of McKinney-Vento funds collect client-specific information at the program level to meet aggregate reporting requirements for the Annual Progress Report. This includes the following programs: Supportive Housing, Shelter Plus Care, Section 8 Moderate Rehabilitation Single Room Occupancy, and Emergency Shelter Grants. Accordingly, domestic violence programs that receive McKinney-Vento funds must collect the universal and program-specific data elements required for reporting. HUD does not require domestic violence providers to collect or report an address for a client served by a domestic violence provider.

Data Submission: HUD understands the concerns regarding submission of client-identified data from domestic violence programs to a central location. HUD will not require the submission of personal identifiers (name and Social Security Number (SSN)) from these programs to the CoC. Domestic violence programs can choose to use a proxy, coded, encrypted, or hashed unique identifier—in lieu of name and SSN—that is appended to the full service record of each client served and submitted to the central server at least once annually for purposes of unduplication and data analysis. The coded unique identifier would need to include, but is not limited to, characters and digits from a portion of a client's name, date of birth, and gender. This unique identifier can be generated either manually or through the use of an advanced technological encryption algorithm. Programs participating in HMIS are not required to share client data with any other organization besides the central coordinating entity identified by the CoC as described below.

Data Aggregation: CoCs should decide how they will use coded unique identifiers in consultation with their domestic violence programs and determine how to produce an unduplicated count of homeless clients at the CoC level using these coded identifiers. CoCs must have or designate a coordinating body responsible for collection and storage of data to a central location at least once a year (see Section 5.2.1. of the Final Notice). HUD fully supports alternative methods of participation by domestic violence providers. Domestic violence programs are charged to meet with CoC representatives to identify administrative solutions, such as delaying entry of data into the HMIS until after the client has exited the domestic violence program, or other technological or administrative solutions that adequately protect data and allow for an accurate unduplicated count of homeless persons and analysis of homeless data throughout the CoC to meet the goals of the congressional directive.

V. HMIS Privacy and Security Provisions

HUD recognizes that the privacy and security concerns of domestic violence victims are unlike those of other homeless clients. In response to these concerns, HUD has developed HMIS privacy and security standards that are improvements to current practices, set high baseline standards for all users of HMIS data, and adequately protect personal information collected from domestic violence victims as well as all homeless clients.

As stated in the Final Notice, the baseline privacy and security standards are based on principles of fair information practice and on security standards recognized by the information technology and privacy communities. The privacy standards were developed after careful review of the Health Insurance Portability and Accountability Act (HIPAA) standards for protecting patient information. The HIPAA privacy rule establishes a national baseline of privacy standards for most health information. For some key provisions in the HMIS privacy standards, HUD set baseline standards that exceeded those in HIPAA, especially for provisions that are important to domestic violence programs.

HUD also developed multi-layered security provisions that meet or surpass current Information Technology (IT) industry standards requiring: (1) User authentication; (2) industry standard encryption (128-bit Secure Socket Layer) of all HMIS data that are electronically transmitted over the Internet, publicly accessible networks, or phone lines; and (3) strict limitations to physical and network access to systems with HMIS data. In addition to these baseline standards, HUD recommends additional privacy and security standards that CoCs and programs could implement to further increase the security of the system. The baseline privacy and security standards for HMIS required by the Final Notice far exceed the requirements for many other systems into which these client data are entered. HUD continues to encourage organizations to apply these additional protections as they deem appropriate.

VI. Providing Technical Assistance to Communities and Domestic Violence Programs

HUD recognizes that the development of an HMIS with adequate technological and/or administrative solutions to protect client data can be challenging. HUD will continue to provide technical assistance to local CoCs to help them develop solutions that meet the needs of domestic violence victims and the programs that serve this population.

Research is currently underway to document successful methods of participation of domestic violence providers in existing HMIS implementations. Some of these methods use coded unique client identifiers that do not require providers to submit name, SSN, or other identifying information to the central server, but do allow for an unduplicated count at the CoC level. Other methods currently in use include delayed entry of data into the HMIS until after the client has exited the program or HMIS system administration/hosting by the domestic violence provider agency. Information about the specific methods will be posted on HUD's HMIS page and also distributed via the hmisinfo@hud.gov list-serve.

VII. Summary

HUD will exempt domestic violence providers from submission of client identifiers (name and SSN) to the CoC for unduplication and data analysis. Those programs electing this exemption are required to use either a proxy, coded, encrypted, or hashed unique identifier—in lieu of name and SSN—that is appended to the full service record of each client served and submitted to the CoC central server at least once annually for purposes of unduplication and data analysis. Domestic violence providers may also choose to adopt a delayed data entry protocol whereby client records are not entered into the HMIS system until a set period of time after exit.

CoC representatives are instructed to meet with domestic violence providers to develop and implement a method by which the CoC can unduplicate data across all providers in the HMIS. HUD fully supports alternative methods of participation by domestic violence providers including those that incorporate technological or administrative solutions that adequately protect data and allow for an accurate unduplicated local count of homeless persons and analysis of homeless data to meet the goals of the Congressional directive.