Data Standards Compliance Checklist - HUD Exchange



Columns: Applicable Standards for each CoC, Implementing Jurisdiction or ASP (Description, Notice Ref #, Strategies for Implementation); Community Status (Yes, No, Notes).

Policy Issues

| Description | Notice Ref # | Strategies for Implementation | Yes | No | Notes |
|---|---|---|---|---|---|
| Data Collection Requirements: Does the CoC want to limit minimum data collection to the requirements specified in the HMIS Standards or are there additional data elements that should be required based on local needs? Do all providers know what they need to collect? | 1.4, 1.5, Sections 2 and 3 | SOPs (Establish a participation policy for providers and clear expectations for data collection.) | | | |
| DV Provider Participation: Has the CoC developed a policy and method for DV provider participation that will allow the CoC to generate analysis based on a systemwide unduplicated count? | 1.5.6 | SOPs (Establish a participation policy for DV providers and clear expectations for data collection.) | | | |
| Notification and/or Consent Policies: Does the CoC have privacy policies and procedures to ensure that all agencies and users share a common understanding of client notification and/or consent procedures? Decisions: standard uses and disclosures; policy on when a client can be notified vs. when a client must provide consent regarding use and disclosure of data; procedure for how users should provide notification and/or consent. | 4.2.1, 4.2.2, 4.2.3 | SOPs (Document all baseline expectations for agency and user behavior in the SOPs, including notification and consent procedures, reasonable accommodation for persons with disabilities and persons that don’t speak English, client rights with respect to their information, etc.) Sample Privacy Notice and related documents (Develop a template of the privacy notice, protocol for amending the privacy notice, explanation for clients, and related consent agreements for all agencies to adopt and use.) | | | |
| Security standards: Does the CoC have minimum security standards to ensure that all agencies understand how to protect the HMIS application and database? Define the frequency of virus protection updates; define appropriate physical locations for HMIS access (characteristics of physical environment, appropriateness of use of laptops, appropriateness of use of users’ home workstations, etc.); frequency and method of HMIS data backup (document sys admin responsibility to implement or contractually secure this service with ASP, if appropriate). | 4.3 | SOPs (Document all baseline expectations for agency and user behavior in the SOPs, including core elements of an appropriate agency security protocol.) Sample Information Security Protocol (Document how to operationalize the minimum security policies by providing a sample information security protocol.) | | | |
| Data Access and Release policies: Does the CoC have minimum data access standards to ensure that all agencies understand how to protect HMIS data in both hardcopy and digital formats? | 4.3.2, 4.3.3 | SOPs (Document procedures for storing HMIS data in digital and hardcopy formats.) | | | |
| Central CoC Data Repository: Does the CoC have a designated central database repository that collects all of the providers’ HMIS data at least annually for the purposes of generating an unduplicated count and basic analysis of the unduplicated HMIS data? | 5.2.1 | Central database (Data must be collected at least annually and stored for a minimum of seven years after the date of collection by the central repository.) SOPs. | | | |

Agency and User Issues

| Description | Notice Ref # | Strategies for Implementation | Yes | No | Notes |
|---|---|---|---|---|---|
| Data Collection: Do all providers know what they need to collect? Do they know how to correctly code individual client records to capture household groupings? | 1.4, 1.5, Sections 2, 3 and 5 | User training (Consistently communicate requirements). Develop user tools (Quick Cheat Sheet). | | | |
| DV Provider Participation: Do DV agencies know what they need to collect and how they can participate? | 1.5.6 | User training (Consistently communicate requirements). Develop user tools (Quick Cheat Sheet). | | | |
| Bed Coverage: Is there an emphasis on obtaining emergency shelter, transitional housing, and outreach provider participation? Note subsequent participation priorities too. | 1.6 | Agency outreach and user training. | | | |
| Notification and Consent Policies: Do all agency executives understand their responsibilities? | 4.2.6 | Agency Agreement (Require all agency executives to sign prior to bringing the agency online.) Agency executive training. | | | |
| Notification and Consent Policies: Do all users understand their responsibilities? NOTE: If this is delegated to participating agencies, the CoC may want to implement more extensive monitoring procedures. | 4.2.6 | User Agreement (Require all users to sign prior to gaining system access.) User training. | | | |
| Security Standards: Do agencies understand the security standards that apply to their users? | 4.3.1 | Agency Agreement (Require all agency executives to sign prior to bringing the agency online.) Information Security Protocol (CoC could require each agency to adopt a security protocol that addresses all aspects of the security standards. CoC could provide a sample information security protocol to ensure that agencies understand minimum requirements.) | | | |
| Hard Copy Security: Do agencies understand how to protect hard copy data, including reports, data entry forms, signed consent forms, etc.? | 4.3.3 | Agency Agreement (Require all agency executives to sign prior to bringing the agency online.) Information Security Protocol (CoC could require each agency to adopt a security protocol that addresses all aspects of the security standards. CoC could provide a sample information security protocol to ensure that agencies understand minimum requirements.) | | | |

Software Issues

| Description | Notice Ref # | Strategies for Implementation | Yes | No | Notes |
|---|---|---|---|---|---|
| Data Elements: Does your software collect all of the universal and program-specific data elements, including the required response categories and technical elements? | 1.4, 1.5, Sections 2, 3 and 5 | Inventory your software. Work with your vendor to program software to collect missing elements and response categories. | | | |
| Data Completeness: Does the software automatically generate default exit dates by program type? Does the software maintain transactional data for data elements that need to be analyzed over time, such as income and service utilization? | 5.1.5 | Software programming. (Based on local assumptions, the software should be programmed to generate default exit dates by program type to ensure complete universal data collection.) | | | |
| Data Collection: Do all providers know what they need to collect? | 1.4, 1.5, Sections 2 and 3 | Software tools (e.g. CoC may want to require or prompt for missing data). Software queries to check for missing or inaccurate data. | | | |
| DV Provider Participation: Based on the adopted policy, does the software need to provide an alternative method for client-level data submission? | 1.5.6 | Software design and integration tools. | | | |
| Privacy policy: Does the software support the CoC’s notice or consent procedure (opt-in or opt-out), if applicable? | 4.2.1 | Software tools (e.g. checkbox to remind user about notification procedure, way to flag a record if client opts out of default setting, way to flag a record if client wants data shared beyond the default setting, etc.) | | | |
| Timeliness of PPI Storage: Does the CHO dispose of or remove identifiers from a client record after a specified period of time? (Minimum standard: 7 years after PPI was last changed if record is not in current use.) Note this is a CHO requirement, but will need to be operationalized at the CoC level (central database) and at the CHO level if the CHO maintains a decentralized database. | 4.2.2 | Automated data management (Does software automatically dispose of or remove identifiers from a client record after a specified period of time?) | | | |
| User Authentication: Does the password protocol meet the minimum standard? (e.g. Require a minimum of 8 characters including at least one number and one letter; prohibit use of username, HMIS name, or vendor’s name; prohibit use of a password which consists entirely of any word found in the dictionary; and prohibit use of any of the above spelled backwards.) | 4.3.1 and 4.3.2 User Authentication | Password Limitations (Password parameters should be built into the application.) | | | |
| User Logon: Does the software prohibit users from logging onto the HMIS application more than once at any given time? | 4.3.1 and 4.3.2 User Authentication | Software user authentication (Application should verify that user is not already logged on before granting access to the database application.) | | | |
| Workstation authentication: If users access the HMIS through a public forum (e.g. internet), does the software authenticate the workstation prior to granting access? | 4.3.1 Public Access | Sys admin or ASP should use PKI or extranets that limit access based on the Internet Protocol (IP) address prior to granting access to the HMIS application. | | | |
| Virus Protection: Does the lead org and ASP have regularly updated virus protection software that automatically scans files as they are accessed by users on the system where the HMIS application is housed? | 4.3.1 Virus Protection | Install virus protection software; assign someone to regularly update definitions. | | | |
| Disaster Protection and Recovery: Does lead org or ASP back up all HMIS data on a regular basis to another medium and store it in a secure off-site location? NOTE: This standard applies to each CHO, but is most likely operationalized through the CoC. | 4.3.1 Disaster Recovery and Backup | Backup Plan. (Documented in SOP, Agency Agreement, or Service Contract with ASP.) | | | |
| Disposal: Does lead org and/or ASP appropriately reformat the storage medium when disposing of HMIS data? NOTE: This standard applies to each CHO, but is most likely operationalized through the CoC. | 4.3.1 Disposal | Disposal Plan. (Documented in SOP, Agency Agreement, or Service Contract with ASP.) | | | |
| System Monitoring: Does lead org and/or ASP routinely monitor to verify that users are appropriately accessing the HMIS and that security systems are intact? NOTE: This standard applies to each CHO, but is most likely operationalized through the CoC. | 4.3.1 System Monitoring | User access log and other system monitoring. (Sys admin and/or agency administrators should routinely review the user access log to verify that user access is consistent with expected patterns. Document in SOP, Service Contract with ASP, and/or Agency Agreement.) | | | |
| Electronic Data Transmission: Does the HMIS application encrypt all HMIS data that are electronically transmitted over the Internet, publicly accessible networks or phone lines? | 4.3.2 Electronic Data Transmittal | Software application. (Verify with software provider/ASP that application uses 128-bit encryption to transmit HMIS data using tertiary systems.) | | | |
| Electronic Data Storage: Does the HMIS application store HMIS data in a binary format? | 4.3.2 Electronic Data Storage | Software application. (Verify with software provider that application stores HMIS data in a binary format.) | | | |
| Data export: Can the software export HMIS data in a comma-separated values text file, according to the prescribed format? | 5.1.7 | Software programming. | | | |

Monitoring: Does the CoC monitor its participating agencies on compliance with the following areas?

| Description | Notice Ref # | Strategies for Implementation | Yes | No | Notes |
|---|---|---|---|---|---|
| Data Quality: Are providers collecting what they need to collect? | 1.4, 1.5, Sections 2 and 3 | QA procedure (Sys admin or data analyst could run query to check for complete and accurate data and follow up with providers to improve data quality.) | | | |
| Privacy Policies: Are all agencies complying with the minimum standards established in Section 4 and any additional adopted CoC privacy policies? | Section 4 | Site monitoring (site monitoring could randomly check sites for compliance or could systematically monitor all agencies. Could be integrated with other regular grant monitoring, application review, etc.) | | | |
| User Agreements: Have all users signed a user agreement that specifies their responsibilities? | 4.2.6 | Central copies of User Agreement (CoC could maintain copies of the user agreement centrally, or require submittal prior to granting a user ID/password, or monitor sites to ensure they’re completed.) | | | |
| Virus and Firewall Protection: Does the agency regularly update virus definitions? | 4.3.1 Virus Protection, Firewalls | Site monitoring (site monitoring could randomly check sites for compliance or could systematically monitor all agencies. Could be integrated with other regular grant monitoring, application review, etc.) | | | |
| Workstation Access: Does the agency appropriately locate and staff equipment that is authorized to access the HMIS application? Does the agency follow the laptop and/or home access policy appropriately? | 4.3.1 Physical Access | Site monitoring (site monitoring could randomly check sites for compliance or could systematically monitor all agencies. Could be integrated with other regular grant monitoring, application review, etc.) | | | |
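The password parameters listed under User Authentication (minimum length, letter plus number, no username/HMIS/vendor name, no dictionary word, none of those spelled backwards) can be built into an application as one check per clause. The following is an added example, not code from HUD, the HMIS Standards or any HMIS vendor; the word list and the account, HMIS and vendor names are constructed sample values.

```python
"""Checks for the HMIS password minimum standard (4.3.1 / 4.3.2 User Authentication).

Added example, not code from HUD or an HMIS vendor. DICTIONARY_WORDS is a
constructed stand-in for a real dictionary word list.
"""
from __future__ import annotations

MIN_LENGTH = 8

# Constructed sample word list; a deployment would load a full dictionary
# (for example /usr/share/dict/words) into this set, lower-cased.
DICTIONARY_WORDS = {"password", "shelter", "welcome", "homeless", "outreach"}


def check_password(password: str, username: str, hmis_name: str,
                   vendor_name: str,
                   dictionary: set[str] = DICTIONARY_WORDS) -> list[str]:
    """Return the clauses the password violates (empty list = compliant).

    One check per clause, so the user can be told which rule failed
    rather than a bare "rejected".
    """
    violations: list[str] = []
    pw = password.lower()

    # Clause 1: minimum of 8 characters.
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    # Clause 2: at least one number and at least one letter.
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
        violations.append("must contain at least one number and one letter")

    # Clause 3: not the username, HMIS name or vendor's name; clause 5 applied
    # to the same names: not any of them spelled backwards. Case-insensitive,
    # since a capital letter is not a meaningful difference.
    for label, name in (("username", username), ("HMIS name", hmis_name),
                        ("vendor name", vendor_name)):
        name = name.lower()
        if not name:
            continue
        if pw == name:
            violations.append(f"equals the {label}")
        elif pw == name[::-1]:
            violations.append(f"equals the {label} spelled backwards")

    # Clause 4: not a word found in the dictionary; clause 5 again: not a
    # dictionary word spelled backwards. A purely alphabetic word already
    # fails clause 2; the separate check keeps the reported reason specific.
    if pw in dictionary:
        violations.append("is a dictionary word")
    elif pw[::-1] in dictionary:
        violations.append("is a dictionary word spelled backwards")

    return violations


def is_compliant(password: str, username: str, hmis_name: str,
                 vendor_name: str) -> bool:
    """True when the password satisfies every clause of the minimum standard."""
    return not check_password(password, username, hmis_name, vendor_name)


if __name__ == "__main__":
    # Constructed sample account and names, not a real deployment.
    for candidate in ("Winter2024", "outreach", "4202htimsj", "examplehmis"):
        print(candidate, "->", check_password(
            candidate, "jsmith2024", "ExampleHMIS", "ExampleVendor") or "compliant")
```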

Baseline elements of the sign at the intake desk:

- General explanation of the reasons for collecting client information. (4.2.1)

- Offer to provide a copy of the notice upon request (4.2.4)

Baseline elements of the Privacy Notice:

- Specify the purposes for which it collects PPI (4.2.3)

- Define all uses and disclosures (4.2.3)

- Amendment policy and procedure (4.2.4)

- Right of client to inspect and have a copy of any PPI about the individual, offer to explain the information, consider any request for correction of inaccurate or incomplete PPI. (4.2.5)

- Right of client to complain about the agency’s privacy and security policies and practices (4.2.6)

HMIS Agency Participation Agreement should specify and ask agency executives to affirm that they will:

- Comply with data collection requirements

- Comply with state and federal law

- Post a sign at intake meeting minimum standards

- Adopt and comply with a privacy notice (meeting minimum standards, documenting all amendments, post on website, provide in foreign languages as appropriate) (4.2, see description of privacy notice above)

- Provide reasonable accommodation to persons with disabilities to ensure that they understand the privacy notice (4.2.4, see exceptions)

- Comply with additional CoC privacy policies on notification and/or consent (4.2.4)

- Establish a procedure for accepting and considering questions or complaints about its privacy and security policies and practices (4.2.6)

- Ensure that all users at its agency understand and comply with its privacy notice (4.2.6)

- Comply with the security standards in the HMIS standards. [Agreement could require each agency to establish an information security protocol that outlines practices to comply with the security standards.] (4.3)

- Establish mechanisms to protect hard copy data, including reports, data entry forms, signed consent forms, etc. (4.3.3)

- Submit data at least annually to the central CoC repository, if the agency is maintaining its own independent database. (5.2.1)

NOTE: These responsibilities may be detailed in the agreement or may be documented by reference to the adopted SOPs.

HMIS User Agreement should ask users to affirm that they:

- will comply with state and federal law

- acknowledge receipt of a copy of the agency’s privacy notice and will comply with the privacy notice (4.2.6)

- will comply with the CoC procedure for providing notice and/or consent to clients (4.2.4)

- will provide reasonable accommodation to persons with disabilities and persons that don’t speak English to ensure that they understand the privacy notice (4.2.4, if applicable)

- will agree to maintain written information about their password in a private, secure location (4.3.1)

NOTE: These responsibilities may be detailed in the agreement or may be documented by reference to the adopted SOPs.

Potential information security protocol provisions:

- User Authentication policies: (4.3.1 User Authentication)

  - Password parameters that meet the HMIS standard for user authentication

  - Policies that prohibit storing or displaying written information on user access (e.g. username and password) in a publicly accessible location

  - Policies that prohibit users from logging into more than one workstation at a time

- Procedure to maintain virus protection software with [define minimum timeframe] updated virus definitions on all workstations on the same network as an HMIS workstation. (4.3.1 Virus Protection)

- Procedure to maintain a firewall at the point of access to the Internet (network and/or individual workstations). (4.3.1 Firewall)

- Procedure to authenticate all workstations accessing the HMIS application through a public forum (e.g. internet) prior to connecting to the HMIS application. (4.3.1 Public Access)

- Protocol to define appropriate physical locations for workstations, and parameters for accessing the HMIS through laptops and/or home workstations. Only workstations that meet this standard will be authorized to access the HMIS (e.g. workstation authentication).

- Procedure to install password protected screensavers on all workstations that are authorized to access the HMIS; set screensaver to automatically turn on when the workstation is temporarily not in use.

- Policy/procedure to instruct staff to log off of the HMIS application and shut down the computer when workstation will not be in use for an extended period of time.

- Procedure to protect hard copy data containing personal protected information that is generated from or for the HMIS, including reports, data entry forms, signed consent forms, etc.
