WOMEN'S DAYTIME DROP-IN CENTER PRIVACY NOTICE
DATE: March 1, 2005
SUBJECT: Privacy and Confidentiality
PURPOSE:
1. To protect the privacy of agency clients.
2. To comply with applicable laws and regulations.
3. To ensure fair information practices as to:
a. Openness
b. Accountability
c. Collection limitations
d. Purpose and use limitations
e. Access and correction
f. Data quality
g. Security
STATEMENT OF POLICY:
1) The Women's Daytime Drop-In Center (WDDC) privacy practices comply with all applicable laws governing HMIS client privacy/confidentiality. Applicable standards include, but are not limited to, the following:
e) Alameda County-wide Continuum of Care InHOUSE partner agency sharing agreement(s).
2) Use of Information: PPI (Protected Personal Information, that is, information which can be used to identify a specific client) can be used only for the following purposes:
a) To provide or coordinate services to a client.
b) For functions related to payment or reimbursement for services.
f) To prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.
3) Collection and Notification: Information will be collected only by fair and lawful means with the knowledge or consent of the client.
"We collect personal information directly from you for reasons that are discussed in our Privacy Notice. We may be required to collect some personal information by law or by organizations that give us money to operate this program. Other personal information that we collect is important to run our programs, to improve services for homeless persons, and to better understand the needs of homeless persons. We only collect information that we consider to be appropriate.
The collection and use of all personal information is guided by strict standards of confidentiality. Our Privacy Notice is posted. A copy of our Privacy Notice is available to all clients upon request."
d) This sign will be explained in cases where the client is unable to read and/or understand it.
4) Data Quality: PPI data will be accurate, complete, timely, and relevant.
a) All PPI collected will be relevant to the purposes for which it is to be used.
b) Identifiers will be removed from data that is not in current use after 7 years (from date of creation or last edit) unless other requirements mandate longer retention.
c) Data will be entered in a consistent manner by authorized users.
d) Data will be entered in as close to real-time data entry as possible.
e) Measures will be developed to monitor data for accuracy and completeness and for the correction of errors.
f) Data quality is subject to routine audit by System Administrators who have administrative responsibilities for the database.
5) Privacy Notice, Purpose Specification and Use Limitations: The purposes for collecting PPI data, as well as its uses and disclosures, will be specified and limited.
a) The purposes, uses, disclosures, policies, and practices relative to PPI data are to be outlined in this agency Privacy Notice.
b) The agency Privacy Notice will comply with all applicable regulatory and contractual limitations.
c) The agency Privacy Notice will be made available to agency clients, or their representative, upon request and explained/interpreted as needed.
d) Reasonable accommodations will be made with regard to the Privacy Notice for persons with disabilities and non-English speaking clients as required by law.
e) PPI will be used and disclosed only as specified in the Privacy Notice, and only for the purposes specified therein.
f) Uses and disclosures not specified in the Privacy Notice can be made only with the consent of the client.
g) The Privacy Notice will be posted on the agency web site.
h) The Privacy Notice will be reviewed and amended as needed.
i) Amendments to or revisions of the Privacy Notice will address the retroactivity of any changes.
j) Permanent documentation will be maintained of all Privacy Notice amendments/revisions.
k) All access to, and editing of, PPI data will be tracked by an automated audit trail, and will be monitored for violations of use/disclosure limitations.
6) Record Access and Correction: Provisions will be maintained for access to and correction of PPI records.
f) A client may be denied access to their personal information in the case of repeated or harassing requests for access or correction. However, if denied, documentation will be provided regarding the request and reason for denial to the individual and be made a part of the client's record.
7) Accountability: Processes will be maintained to ensure that the privacy and confidentiality of client information is protected and staff is properly prepared and accountable to carry out agency policies and procedures that govern the use of PPI data.
f) Regular user meetings will be held and issues concerning data security, client confidentiality, and information privacy will be discussed and solutions will be developed.
8) Sharing of Information: Client data may be shared with partnering agencies only with client approval.
a) All routine data sharing practices with partnering agencies will be documented and governed by the CoC MOU Agreement that defines the agency-determined sharing practice.
b) A completed InHOUSE Client Release of Information (ROI) Form is needed before information may be shared electronically.
c) Clients will be informed about and understand the benefits, risks, and available alternatives to sharing their information prior to signing an ROI, and their decision to grant permission shall be voluntary.
d) Clients who choose not to authorize sharing of information cannot be denied services for which they would otherwise be eligible.
e) All Client Authorization for ROI forms related to the InHOUSE system will be placed in a file to be located on premises and will be made available to the CoC Staff for periodic audits.
f) InHOUSE-related Authorization for ROI forms will be retained for a minimum period of three (3) years, after which time the forms will be discarded in a manner that ensures client confidentiality is not compromised.
g) No confidential/restricted information received from the InHOUSE system will be shared with any organization or individual without proper written consent by the client, unless otherwise permitted by applicable regulations or laws.
h) Restricted information, including progress notes and psychotherapy notes about the diagnosis, treatment, or referrals related to medical health, disabilities, mental health disorder, drug or alcohol use, HIV/AIDS, and any violence-related concerns shall not be shared with other participating Agencies without the client's written, informed consent as documented on the Agency Authorization for Release of Restricted Information Form.
i) If a client has previously given permission to share information with multiple agencies, beyond basic identifying information and non-restricted service transactions, and then chooses to revoke that permission with regard to one or more of these agencies, the affected agency/agencies will be contacted accordingly, and those portions of the record impacted by the revocation, too, will be locked from further sharing.
j) All client ROI forms will include an expiration date, and once a Client ROI expires, any new information entered will be closed to sharing unless a new Client ROI is signed by the client and entered in the InHOUSE system.
9) System Security: System security provisions will apply to all systems where PPI is stored: agency's networks, desktops, laptops, mini-computers, mainframes and servers.
a) Password Access:
viii) Individuals with User IDs and Passwords will not give or share assigned User IDs and Passwords to access the InHOUSE system with any other person, organization, governmental entity, or business.
b) Virus Protection and Firewalls:
i) Commercial anti-virus protection software will be maintained to protect all agency network systems and workstations from virus attack.
ii) Virus protection will include automated scanning of files as they are accessed by users.
c) Physical Access to Systems where InHOUSE Data is Stored:
i) Computers stationed in public places must be secured when workstations are not in use and staff is not present.
d) Stored Data Security and Disposal:
iii) InHOUSE data downloaded onto a data storage medium must be disposed of by reformatting as opposed to erasing or deleting. This includes hard drives.
iv) A data storage medium will be reformatted a second time before the medium is reused or disposed of.
e) System Monitoring:
i) User access to the InHOUSE Live Web Site will be monitored using the computer access logs located on each computer's explorer "history" button, or via a central server report.
f) Hard Copy Security:
g) Authorized Location Access:
i) Access to the InHOUSE system is allowed only from authorized agency locations.
10) Agency HMIS/InHOUSE Grievance Policy
11) Agency Procedures: