Focusing public attention on emerging privacy and civil liberties issues

Homeless Management Information Systems and Domestic Violence

Introduction

The Homeless Management Information Systems are software applications that record, store and track charateristics and service needs of homeless individuals. The department of Housing and Urban Development (HUD) sets standards for this software, and it is supplied by vendors. It is usually a web-based application that links together programs in a regional community -- they are not stand alone software that a single program would use to track its own clients internally. HUD funded entities are expected to implement HMIS. HMIS systems link together homeless programs in regional Communities of Care (CoC). CoCs a can be the size of a municipality or more. For example, Philadelphia, PA is a CoC. New Mexico has two, one for Albuquerque, and one for the remainder of the state.

History of HUD, HMIS and Domestic Violence

The Mckinney Vento Homeless Assistance Act was passed in 1987. In various reauthorizations it has continued to fund homeless assistance programs. In a Conference Committee Report, 106-988, Congress asked for an unduplicated count of homelessness, as well as data that allows an analysis of homeless uses of assistance, such as entry and exit in the system and how effective the system is.

In July of 2003 the Department of Housing and Urban Development filed a Federal Register Notice describing the HUD's intention to implement Homeless Management Information Systems. The Proposal included a section on "Special Provisions for Domestic Violence Shelters." HUD said it was aware of and sensitive to the data confidentiality needs domestic violence shelters have with respect to local homeless information systems. HUD stated that as a minimum, HUD funded shelters will not be expected to participate in HMIS where software or data poses a significant risk to domestic violence shelter clients. Additionally, regular homeless services would not have to report personally identifying information for domestic violence victims.

One year later HUD published its final notice implementing the Homeless Management Information Systems. In this notice HUD determined that it is "essential" for domestic violence providers to participate in HMIS, and that there are adequate technologies to protect the data of domestic violence victims. Domestic violence programs would thus have to participate in local HMIS and submit client-level information. HUD did this in response to comments that domestic violence programs play a significant role in some communities' homeless programs. Thus HUD reasoned that without DV programs it will be impossible to gain an accurate unduplicated count as well as understand the needs of the local homeless population.

The National Network to End Domestic Violence (NNEDV) responded with a petition for rulemaking asking for a reinstatement of the "life-saving" exemption for domestic violence programs. They noted that the proposal included no notice that the domestic violence exemption could be lifted, and that thus no opportunity to comment on this eventuality was available. Furthermore, they argued that the removal was unsupported by the record. NNEDV argued that there are other methods of achieving an unduplicated count, and HUD is not planning on achieving one under the proposed standards.

HUD declined NNEDV's petition to re-open rulemaking. HUD stated that based on comments received, they had strengthened the privacy and confidentiality provisions of HMIS, but that domestic violence program participation was necessary for compliance with congressional directives of an unduplicated count and analysis of uses of assistance.

HUD also issued a "Clarification and Additional Guidance for Domestic Violence Provider Shelters." Local HMIS may stage the entry of domestic violence providers last. Furthermore, while domestic violence providers must collect the same client level data as others, they do not have to submit all of this data. They may, instead of submitting name and social security number, submit coded or hashed identifiers along with the rest of the client record. However, the identifier needs to include -- at a minimum -- parts of a person's name, their date of birth and gender. These coded identifiers are to be used at the CoC level to produce an unduplicated count.

Following this, the Violence Against Women Act (VAWA) reauthorization in 2005 restricted HMIS data collection. Section 3 imposed nondisclosure restrictions on recipients of VAWA grants. Grantees may not reveal individual client information without informed written, reasonably time limited consent. If this information is compelled to be released, grantees are to take steps to notify the individuals whose information is released.

VAWA section 605 prevented the immediate disclosure of personally identifying information under HMIS grants into HMIS systems. Future disclosures of non-personally identifying information that has been de-identified, encrypted or otherwise encoded may be permitted after future rulemaking. Notably, personally identifying information is defined to include combinations of non-personally identifying information (such as date of birth, number of children, race) that together can serve to identify an individual. This responds to the coded identifiers proposed in HUD's clarification.

In March of 2007 HUD issued a notice concerning VAWA provisions. HUD notified victim service providers that they are barred from disclosing identifying information to HMIS, and that further guidance is being planned. HUD is also examining new technologies to determine whether it can protect personally identifying information.

Data Elements in the HMIS Final Notice

HUD's Data and Technical Standard's final notice defines the data elements in an HMIS. All programs are required to collect or generate Universal Data Elements. Certain programs may also be required to collect program specific data elements.

Universal Data Elements

The universal data elements are :

  1. Name
  2. Social Security Number
  3. Date of Birth
  4. Ethnicity and Race
  5. Gender
  6. Veteran Status
  7. Disabling Condition
  8. Residence Prior to Program Entry
  9. Zip Code of Last Permanent Address
  10. Program Entry Date
  11. Program Exit Date
  12. Unique Person Identification Number
  13. Program Identification Number
  14. Household Identification Number

All of these universal data elements must be obtained from adults and unaccompanied minors that apply for services. The first five are entered only the first time someone enters a particular program or other programs in the same Community of Care that share HMIS information. Number 7, Disabling Condition, simply indicates the presence of a disabling condition, not details of whether there is one. Residence Prior to Program Entry includes categories such as "emergency shelter, transitional housing, psychiatric hospital, prison, living with relatives, or apartment that you rent."

Number 12, the Unique Person Identification Number (PIN) is generated by the HMIS system and is used to uniquely identify that individual through the program or other programs in the CoC that share HMIS data. When a person enters a program, the staff will enter the name, SSN, date of birth and gender into the system. The system will perform a search in a centralized CoC database and return the matching PIN or generate a new one. The PIN should not contain any client provided information, and should be a randomly generated (ie, not sequential) number.

Program Specific Data Elements

Currently there are 11 program specific data elements that are required for reporting

  1. Income and Sources
  2. Non-cash Benefits
  3. Physical Disability
  4. Mental Disability
  5. HIV/AIDS
  6. Mental Health
  7. Substance Abuse
  8. Domestic Violence
  9. Services Received
  10. Destination
  11. Reason for Leaving

Other program specific data elements are defined. These are recommended, and are not currently required but may be required in the future.

  1. Employment
  2. Education
  3. General Health Status
  4. Pregnancy Status
  5. Veterans Information
  6. Children's Information

Staff enter these elements based on information provided by the client; taken from a case manager or case records; or observations by staff. The disability and substance abuse criteria ask if there is the presence of a disability. The mental disability and substance use fields also ask whether the condition is expected to be of long or indefinite duration and impairing of the client's ability to live independently. The domestic violence field asks whether there has been an experience of domestic violence, and at what time in the past was the most recent experience. General health status asks for simple answers such as "excellent, good, poor, don't know." Pregnancy status also asks for a due date. Veteran's status asks which conflict period one served in, the branch, geographic location, and discharge status. Children's education asks for, among other elements the name of child's school, and reasons why a child is not enrolled

Baseline Privacy and Security Safeguards in HMIS Final Notice

The final notice provides a set of privacy safeguards and security requirements. HUD takes a two-tiered approach, requiring a minimum baseline set of procedures while allowing other procedures at the choice of the program. The privacy safeguards follow the pattern of Fair Information Practices. The privacy requirements define Protected Personal Information (PPI) as information that (1) identifies a specific individual; (2) can be manipulated by a foreseeable method to identify an individual or; (3) can be linked to other information to identify an individual.

Uses and Disclosures

PPI may be disclosed or used to provide services to an individual; payment or reimbursement of services; administrative functions such as audits; or for creating de-identified PPI. It may be disclosed as required by law. In the case of victims of abuse neglect and domestic violence, it may be disclosed as required by law; if the victim agrees to the disclosure; or if it is permitted by law and the program believes the disclosure is necessary to prevent harm to the individual. The individual must be informed of this disclosure unless informing them would place them in greater risk or the person being informed is the one suspected of abuse.

Disclosures for academic research are permitted when there is a formal relationship with the researcher and a written research agreement. The agreement must specify limitations on the processing and security of PPI; provide for the return or disposal of PPI; and restrict additional disclosure of PPI.

Disclosures for law enforcement purposes may be made in response to lawful court orders or subpoenas. Further disclosures may be made in response to written request signed by a supervisory law enforcement official requesting PPI. The request must: state that the PPI is relevant and material to an ongoing investigation; identify the PPI sought; is specific and limited in scope and states that de-identified information cannot be used. Law enforcement disclosures may also be made when the PPI is evidence of criminal activity on the program's premises.

Disclosure in response to law enforcement oral requests for PPI are permitted for certain PPI when used to identify or locate a fugitive material witness or missing person. Lastly, PPI may be released under certain circumstances to federal officials charged with protecting the president and foreign officials.

Baseline Privacy Requirements

Data may be collected only when appropriate to services provided or required by law. Consent to data collection may be inferred by the circumstances of the collection, which must include a sign that generally explains the reasons for collecting this information. HUD suggests as appropriate the following language:

"We collect personal information directly from you for reasons that are discussed in our privacy statement. We may be required to collect some personal information by law or by organizations that give us money to operate this program. Other personal information that we collect is important to run our programs, to improve services for homeless persons, and to better understand the needs of of homeless personss. We only collect information that we consider to be appropriate."

A privacy policy should be made available to anyone that asks for it. If a program has a website, it must post this policy on that website as well. The policy must include the fact that the policy may change at any time and may affect data collected before the change, if the policy so provides.

Programs are required to keep PPI that is accurate, complete and timely. Programs are required to dispose of or de-identify data in records that have not been in current use for 7 years.

PII must have some measure of accessability. Programs must allow individuals to inspect and have a copy of any PPI about the individual. They are to consider requests to correct or complete information on an individual, but are not required to change it at their request. Instead, they may mark the information as inaccurate or incomplete, and may supplement it with additional information. PII also have to have some accountability for their data collection. Programs should establish procedures for considering complaints, and staff should annually sign confidentiality pledges and agreements to follow the privacy policy.

Data needs to be stored and transmitted with some security. Users that access the HMIS system must do so with usernames and passwords. Computers must be staffed or have password protected screen savers. Data transmitted over public networks should be encrypted.

Domestic Violence Implications

The main implication of all of this data collection and reporting for the domestic violence community is the obvious safety risk to survivors if abusers gain access to the personal information of clients. Domestic violence advocates have noticed the phenomenon of "separation violence" -- meaning that an abuser is more dangerous and likely to lash out when a survivor is taking steps towards independence. Flight from an abusive home into a shelter is such a separation. Therefore confidentiality at this time is paramount.

The baseline privacy standards permit data collection under a model of "inferred consent." The practice of inferring consent to data collection means that domestic violence survivors will be giving up data in fear that if they do not they will not receive shelter, and thus their data wil be entered into the HMIS.

The confidentiality of the data can be breached in various ways. The rules permit disclosures to oral law enforcement requests, which facilitates impostors pretexting the data. The technical standards do not require that data disclosures be logged, which limits the ability to track these impostors. Insider fraud in law enforcement agencies can also be used to breach security.

The data is shared among other programs in the CoC, thus the security of the system is only as strong as security in the weakest location. An insider in another program can thus also breach confidentiality innocently -- say as if they fall prey to pretexting -- or maliciously via fraud.

A further problem is that some demographic information that is supposedly de-identified can serve to identify people. Identification in supposedly de-identified data may create risks that data collectors do not see. Though the clarification exempts submission of name, SSN and address, other universal data elements can serve to identify individuals. A birthday, zip code and gender may be enough to identify someone.

Identification via demographics could be even easier in certain contexts. In some small communities, a demographic description including gender, children's information, zip code, ethnicity and age may be able to identify an individual. They may not identify the individual to a statistician, or an employee of the program, but an abuser searching for their victim will know what patterns to look for.

The HUD proposal to have domestic violence shelters delay their data submission to HMIS until after the client's departure may not adequately protect location information. Many shelters offer transitional housing, with the goal of moving the person out of homelessness and into the mainstream community. Thus identifying last shelter locations of individuals gives clues as to the community which the survivor has moved to.

Congressional goals can be met with other, less intrusive and less dangerous methods. One day counts such as "snapshots" can be statistically manipulated to form an unduplicated count. Similar to the census, some individuals can be sampled for that one time and provide more in-depth information, leading data for analysis of homelessness usage patterns.

Other Resources

EPIC Poverty and Privacy Page

HUD's HMIS Proposed Notice

EPIC Comments on the HMIS Proposed Notice

HUD's Final Rule on HMIS

HUD's HMIS Clarification and Additional Guidance for Domestic Violence Provider Shelters

EPIC Page on VAWA and Privacy

HUD's VAWA Notice

HMIS.info: A HUD portal for HMIS news and resources.