Policies & Procedures

The following summary of the HMIS Policies and Procedures is meant to give an overview of policies and procedures that affect HMIS end users. 

Background/Overview

Use of a Homeless Management Information System (HMIS) is required by federal legislation, and is overseen by the Department of Housing and Urban Development. It is used to 1) collect unduplicated counts of individuals and families experiencing homelessness, 2) analyze patterns of use of assistance provided in a community, and 3) to provide information to project sponsors and applicants for needs analysis and funding allocation.

The Baltimore Continuum of Care HMIS Lead Agency is the Mayor’s Office of Homeless Services. The work of the HMIS Lead is overseen by the Data and Performance Committee of the Journey Home Board. The Baltimore City HMIS software is Eccovia Solutions’ ClientTrack.

Stakeholder Responsibilities

In brief, Baltimore City HMIS stakeholders and their responsibilities include:

CoC Board: Designates the Baltimore City HMIS Lead Agency and utilizes HMIS data to monitor progress toward CoC goals.

Data & Performance Steering Committee: Provides oversight and direction to the HMIS Lead Agency, setting and monitoring performance metrics and benchmarks.

HMIS Lead Agency:

● Administers, monitors and supports the HMIS, including providing training and technical assistance to HMIS users, ensuring exempt and nonexempt agency compliance with HMIS requirements, ensuring system compliance with HUD HMIS Data and Technical standards, and overseeing HMIS data analysis.

● Monitors HMIS security and carries out HMIS privacy and security protocols.

● Reports to CoC Board and Data & Performance Committee on progress toward goals.

● Facilitates operation of Data & Performance Committee

● Manages the HMIS project grant.

Participating Agencies: Sign and ensure compliance with the HMIS Participation Agreement, and work with the HMIS Lead Agency to ensure high HMIS compliance and acceptable data quality.

Exempt Agencies: Use a comparable database to HMIS, and ensure compliance with Federal HMIS regulations.

HMIS Representatives: Serves as the primary contact for their agency’s HMIS matters, including, but not limited to:

● Ensuring agency compliance with HMIS Policies & Procedures

● Serve as the Agency HMIS Security Officer, ensuring compliance with security protocols and documenting and reporting any suspected violations of data privacy and security.

● Manage their agency’s HMIS Users, including authorizing new users, notifying the Lead Agency of HMIS user removals, and monitor user data collection and HMIS usage.

System Users: Sign and adhere to the System User Agreement and System User Confidentiality Acknowledgement, comply with HMIS Policies and Procedures, and report any technical system issues to the HMIS Lead Agency.

System Access Requirements

HMIS is hosted in a web-based software, meaning any device with an Internet connection can be used to access the system. Internet browsers used to access HMIS must be up to date, and Internet connections must be secure. Devices used to access HMIS must be password protected, with an automatic system lock within 15 minutes of inactivity, and must have up to date virus protection.

HMIS users are required to attend Security, Privacy, and System Orientation training before receiving access to HMIS. An annual Refresher Training requirement must be fulfilled to maintain access to HMIS.

HMIS passwords may not be shared under any circumstances. To reset your HMIS password, contact the HMIS Help Desk or use the “forgot password” link on the HMIS log in page.

Data Collection Requirements

Each Participating Agency is responsible for collecting the data elements required for their project type by their funding source(s), as specified by the contract, program regulations and HMIS regulations and guidance. Each Participating Agency is required to communicate to the HMIS Lead any changes in funding sources or project definitions to ensure the continued collection of the minimum data requirements.

Data must be entered into HMIS within 24 hours of client contact.

Data Security

Because of the confidential nature of the data stored within HMIS, there are several HMIS security protocols that users must follow to prevent unauthorized access or exposure of data:

● Passwords: Users may not share their HMIS passwords, even with other authorized HMIS users. They may not allow an Internet browser to save HMIS passwords, or store their password in an easily accessible location.

● Physical location: The system must be accessed from a sufficiently private physical location to prevent unauthorized persons from viewing HMIS data. Users must log out of the system when their workspace will be unattended.

● User inactivity: Users will be locked out of their account if they have not logged in for 60 or more days. Users may regain system access by contact the HMIS help desk. Users who have not logged in for more than 180 days must be reauthorized by their HMIS Rep, and may be required to fulfil an additional training requirement.

● Data storage and management: Users are responsible for maintaining the security of all client data extracted from HMIS, including data stored on electronic media and hard copies of personally identified data. HMIS Users and their Participating Agencies are held liable for any security or privacy breaches that result from extracted HMIS data being inappropriately stored or managed.

○ HMIS data may only be stored on electronic devices owned by their agency, which must be password protected.

○ HMIS data in the form of hard paper copies must be stored in locked filing cabinets when not in use, must be handled in such a way to prevent exposure to unauthorized HMIS users, shall not be left unattended, and may not be removed from the Agency’s facilities without permission from the HMIS Representative and the individual’s supervisor. Hard copies of HMIS data must be shredded before being disposed.

In the event of a security incident, which includes any attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with HMIS system operations, users should notify their HMIS Representative and the HMIS Lead Agency immediately.

Data Privacy

The HMIS Lead, Participating Agencies and their users may only collect and use HMIS data for the specific internal purposes and reasons relevant to the work of the Continuum of Care. Every organization with access to Personally Identifiable Information (PII) may only collect information by lawful and fair means with the knowledge and consent of the individual.

Authorized uses of HMIS data include:

1. To provide or coordinate services;

2. To locate programs that may be able to assist clients;

3. To refer clients to HMIS-participating programs;

4. To establish client eligibility for programs;

5. To produce agency-level reports regarding use of services;

6. To track agency-level and system-level outcomes;

7. For agency operational purposes, including administrative functions such as legal, audits, personnel, oversight, and management functions

8. To comply with government and other funding agency reporting requirements;

9. To identify service needs in our community;

10. To support system-level planning;

11. To conduct research for government and educational purposes approved by the HMIS Lead;

12. To monitor compliance with HMIS Policies and Procedures;

13. To accomplish any and all other purposes deemed necessary by the Baltimore City

Other disclosures of client-level data to persons and organizations not authorized to view the information in the HMIS requires the client’s written consent, unless the disclosure is required by law.

Information Sharing

It is the responsibility of the Participating Agency and the staff person conducting the client’s Intake to explain HMIS information sharing to the client.

Information entered into HMIS is shared with users within the agency who enter the information and the HMIS Lead Agency. Certain information when saved in HMIS is always shared with all Participating Agencies in the Continuum to prevent duplication of client records and services.

Clients can consent to share all of their information with all Participating Agencies within the Continuum by signing a Consent to Share Information form. Clients can revoke that consent at any time by signing a Revocation of Consent to Share Information form. These forms should be stored in the client’s paper file.

When a client indicates that they do or do not consent to share their information, the user should select “Yes” or “No” for the Client Consent to Share field on the Basic Client Information form, and indicate the date that the form was completed.

Data Quality

The HMIS Lead monitors for data quality in the following areas:

● Coverage: The extent to which agencies required to participate in HMIS are fulfilling their participation requirements.

● Timeliness: The extent to which agencies are entering data within the 24-hour data timeliness requirement.

● Completeness: The extent to which agencies are fulfilling the minimum data requirements.

● Accuracy: The extent to which client data entered into HMIS reflects the information provided by the client.

● Consistency: The extent to which HMIS agencies are entering data in a uniform manner, assessed by the instance of duplicate client records.

Data quality reports are shared with agencies on a quarterly basis, and agencies have the capability to monitor their HMIS data quality independently through the use of reports and system data. The HMIS Lead will work with agencies that fail to satisfy data collection requirements to implement a plan for corrective action. If the agency repeatedly fails to satisfy data quality requirements and comply with corrective action requirements, the HMIS Lead may find the agency in violation of the terms and conditions for HMIS participation, which may culminate in a loss of project funding.