1 / 31

Michigan Statewide Homeless Management Information System

Michigan Statewide Homeless Management Information System. Privacy and Confidentiality Core Training Program. 4/2005R. About MSHMIS.

hang
Download Presentation

Michigan Statewide Homeless Management Information System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Michigan StatewideHomeless Management Information System Privacy and Confidentiality Core Training Program 4/2005R

  2. About MSHMIS • Congress directed HUD to “Collect an array of data on homelessness in order to prevent duplicate counting of homeless persons, and to analyze their patterns of use of assistance, including how they enter and exit the homeless assistance system and the effectiveness of the systems.” • Aggregates common information at the agency, community and state levels. • Focusing services and locating alternative resources to help homeless persons. • Web based, coordinated by MiCAH, contracted with MSHDA. • MSHMIS is running “closed” with “exception.” Decisions about sharing records through MSHMIS are made by the participating agency.

  3. Agency Privacy • The MSHMIS Participation Agreement restricts and specifies the use of aggregate data.  Issues addressed include the fact that only the organization or continua may approve publication of data specific to that organization or continua, and that analysis and publication of community-wide numbers will be guided by a local CoC designated report committee.

  4. ABOUT PAPER • Agencies should plan to have paper forms on site. • To collect information that is saved for entry later. • To insure that staff can use paper if your system is down, if there is a power outage, or if MSHMIS/ServicePoint is off-line. • To allow staff to continue to work with clients if the staff are struggling or need to have a questioned answered during business hours. • Questions on Forms should flow in the same order as the questions on the database to ease entry & improve data quality. • A basic paper form can be found on the MiCAH Web site under HMIS and Contributions from Users.

  5. Governing Laws, Statues, Administrative Rules • The MSHMIS Privacy Plan was developed with input from Mental Health, Drug and Alcohol Treatment, HIV/Aids and Domestic Violence to allow those programs with the most restrictive confidentiality guidelines and needs to participate in the HMIS. • The MSHMIS Privacy Plan has been through extensive legal review beginning with MSHDA, whose legal staff collaborated in document preparation. Agency Lawyers and Executive Directors reviewed the plan during the Pilot process. Finally the Plan has been reviewed and approved by Michigan’s Attorney General. • HUD recently deferred implementation deadlines for Domestic Violence programs. The decision to come onto the System is the agency’s – not driven by the HUD mandate. Please contact the State DV funding Board (MDVPTB) if you have questions.

  6. Each Provider Agency must adhere to the following: • All MSHMIS Standards • Laws, Statutes, Admin. Rules specific to the services provided by the agency (i.e. mental health, substance abuse, domestic violence, etc.)

  7. Confidentiality and Informed Consent • To ensure protections of clients’ privacy, releasing information only with a written consent • Agency provides Privacy Notice to each consumer • Agency will not solicit or share information unless it is essential to providing services, program management, or as part of approved research. • Agencies will assign each staff an appropriate “Access Level” based on a need to know. • Agency will not divulge confidential information without proper written consent.

  8. The General RuleIndividuals and/or Entities are prohibited from disclosing any patient related information

  9. Overview of MSHMIS Privacy Practice • All organizations must screen clients for safety issues related to using the system to automate sharing. Through the Privacy Notice and the Release, MSHMIS makes clients a partner is the core decisions related to data sharing. • If a risk is identified related to the system, agencies are asked to help clients communicate their preferences with other participating agencies.

  10. Privacy Notice All staff must have read and understand the Agency’s Privacy Notice • Oral explanation of the Privacy Notice is planned by the agency – a script is adopted reflecting the type of service and the type of information. • What is MSHMIS? • Why does this agency use it? • Security • Privacy Protection • Benefits and Risks for clients • The staff provides the Privacy Notice to the client and explains the Notice.

  11. The MSHMIS Release Because each record can be completely closed, the Release is designed to obtain client consent regarding the use of the “profile pick list” and data sharing - NOT basic entry. When closed, MSHMIS operates like any other internal record-keeping system.

  12. MSHMIS Release • When presenting the MSHMIS release to clients, develop attachments that reflect your Sharing Agreements (QSOBAAs) as well as any second level releases for confidential information. • The staff explains the MSHMIS Release, negotiates an expiration date, and obtains the client’s signature. • The Program displays the HUD Public Notice regarding MSHMIS. • Clients cannot be denied services that they would otherwise qualify for based on a refusal to share information.

  13. Step 1: MSHMIS Release • After the Notice is explained, the MSHMIS Release is introduced. The client decides if the Profile (the only “open” part of MSHMIS) should stay open to support unduplication and sharing. The Profile should close if: • a.The client is concerned about someone knowing they have sought services even if no information about the specific service is given. • b.The client has friends, family or enemies who work in MSHMIS participating agencies. • c. The client is at significant risk, is famous, or has a relationship with the agency itself (e.g. the child of a Board member). In this case “anonymous” entry should be considered. • The Profile may be closed by clicking the orange “security” button. • The agency may also tailor where the profile is open, limiting access to the Profile to a small group.

  14. Step 2: MSHMIS Release • The client decides if the Social Security number (SS#) should be included on the Profile. • Agencies may make a prior decision to omit all SS#s from the Profile Field. • The agency may also elect to use only the last 4 digits of the SS# or use a “place keeper” like “0” and the last 3 digits – “1234” becomes “0234.” • An alternative SS# field has been provided on the “Additional Profile” assessment so that the SS# may be documented for agency purposes, but not included on the Profile. • If the agency elects to omit the SS# from the Profile, they may simplify the MSHMIS Release by omitting the reference to the SS# when asking about the profile.

  15. Step 2 Release Continued • If the client requests a closed profile and you find his/her name already on the open Profile Picklist, complete the following steps: • Do not click on the open profile that already exist. Enter the name, DOB, and Gender as though no match was available. However, be sure you spell the name exactly the same as that noted on the open Profile and carefully enter DOB and Gender. You may then close your Profile as requested. • An explanation of coordinating the closing of a profile is included on the MSHMIS Release.

  16. Step 3: MSHMIS Release • Does the Client agree to the Sharing Plan defined in the agency’s Sharing Agreement(s)/ QSOBAA? The Client approves the total Sharing Plan or does not agree to share . • All screens included in the sharing plan have the same security. • All questions within the screens have the same security. • The client is provided information about what is shared with whom. • If the client does not approve the sharing plan, the staff enters “no” on the ROI closing all assessments. The ROI will state that the sharing has been “denied.”

  17. Step 4: MSHMIS Release • An end date is negotiated for the MSHMIS Release. To optimize the coordinated care and to reduce the complexity of managing the ROI, the client is encouraged toselect a date that spans the length of time the client is likely to participate in the program. • If new information is entered after the expiration of the ROI, the information will not be shared. You must obtain a new Release prior to entering new information if that information is to be shared.The default rules applied at data entry continues for the life of the data. • Without an ROI or when the staff closes a record, MSHMIS operates like any other internal automated record-keeping or reporting system. The sharing functionality is disabled.

  18. Progress or psychotherapy notes; Diagnosis, treatment, or referrals related to a mental health disorder, drug or alcohol disorder, HIV or AIDS, and domestic violence concerns. This information shall NOT be shared with other participating agencies without the client’s written, informed consent. Sharing of confidential information is NOT covered under the general MSHMIS Client Release of Information. The Release is signed and logged onto the System prior to entering confidential information. Release Confidential Information Finally, the Client is informed that if confidential information is included in the information collected, he/she will be asked to approve a second release to allow that information to be shared.

  19. Release Confidential Information(continued) • What do you do if a benign field reveals restricted information? For example, a client indicates a treatment facility in the current residence field? • Complete the second release for restricted information with the client. • Staff should close the impacted screen by clicking on the “lock,” if the client does not want the data to be shared or if staff wishes to simply close the assessment.

  20. About the Profile • The Profile screen is the only open default on the MSHMIS. I includes the name, the Year of Birth, the Gender, and the last 4 digits with client approval. • The Profile is used to as a picklist to select shared records and to reduce duplication in the system – a client gets one, and only one, identifier. • Always write the Client ID number down or print the opening page with the ID number. • Always ask the client if they have been entered under another name. If the name has changed, hyphenate the names - “old name-new name.”

  21. More About the Profile • Because we allow users to close of the Profile, it is very important that you carefully enter the first and last names, DOB, and gender. These fields are used by the system to identify duplicate records. • If “Anonymous” entry is used, the Agency will need to maintain a list of clients and related anonymous codes to find the record again. They must keep that list secure.

  22. Computer Security • All computers that directly connect to the internet must have a firewall and current virus and spyware protection. • All servers must be protected by a firewall. • All computers used to access MSHMIS must be secured from public use. • Required Internet Tools settings: • History to 2 days, and • Delete temporary files on exit.

  23. MSHMIS Security • All transmissions over the internet are provided industry-leading 128 bit AES encryption. • Cell level encryption is also provided for all identifiers on the database. If the database is successfully “hacked”, they will still not have access to identified data. • Client information is stored on a server in a locked bank with controlled access in Shreveport, LA. • The application is on a server separated by a second fire wall from the server that contains the data. • Multiple security tests have been conducted including professional “hackers” to assess data security.

  24. Agency Responsibilities • MSHMIS is a prioritized process within the Agency. • System users complete formal training on Privacy and Confidentiality provided by certified trainers. • Agency leadership ensure that system users abide by the privacy rules. • User meetings are held at least quarterly and review the agency’s privacy practice. • Agency leadership adapts the MSHMIS Release and the Privacy Notice to reflect their sharing decisions and in compliance with core standards. The Agency shall inform MSHMIS of any modifications prior to implementation of the form. • The Agency has a Board Certified Confidentiality Policy. With regard to the HMIS, the Policy must reflect the privacy rules that you have learned today. An example policy is provided by MSHMIS.

  25. Privacy is a culture: Common Violations • Staff disclosing client information to 3rd parties without client authorization. • Staff having clients sign “blank releases” in order to fill in at a later date when staff need them. • The use of “General Releases” (prohibited by state and federal law). • Staff gossip outside of the professional setting - “under the table case discussions” or “unauthorized staff meetings.” • Staff identifying individuals as clients at social events and/or self help groups. • Agencies and staff failing to establish and/or inform clients of the rules related to privacy and confidentiality when participating in group sessions.

  26. Common Violations (Page 2) • Small Town / Small Community issues - “everybody knows everybody.” Where clients park is an issue. • Client files left in an open area for others to see. • Unlocked and/or unattended files that store client charts and/or records. • Unattended computer screens with client information visible or accessible. • Attended computer screens visible to unauthorized personnel while entering data (work space configuration). • Unauthorized use of computer passwords and/or log-in codes

  27. Common Violations (Page 3) • Removal of client files from agency premises - taking files home to “catch Up” on paperwork or charting including unauthorized downloading of electronic files. • Accessing files from remote locations. • Agency failing to have proper security for storing, retrieving, and accessing client information. Any file (word, excel, etc) with client identifiers on an agency computer should be secured. • E-mail and cell phones are not secure. Any client related information should be zipped. Clients should not be discussed during cell phone conversations. Remember: You have a professional Responsibility to maintain the individuals “Right to Privacy” There are penalties for violating the client’s “Right to Privacy”

  28. Tracking Privacy • The System provides a tracking of all individuals who have "touched" a record within the system, assuring personal accountability regarding what is done in the System with regard to agency records.

  29. Minimum Data Entry Minimum Client Date Entry should reflect type and intensity of services delivered, as well as meet funding and management requirements. • 1.MSHMIS recommends that, in addition to Profile and Additional Profile demographic data, all agencies at minimum complete a HUD entry and exit and the HUD Assessment Screen. • a.Regardless of funding source, the HUD Assessment will provide appropriate and complete data for agency, continua and state planning purposes. • b.Additionally, this Assessment Entry/Exit populates the APR Report. The APR report is the best ServicePoint Report for monitoring the quality of data entry. It is designed to show the Provider who is included in each count, what data is missing and links to the records in question.

  30. To Go Live: • Agencies must sign an Administrative QSOBAA (Qualified Service Organization Business Associates Agreement) that will assure that all organizations (local lead agency, MiCAH & MSHDA) involved in the administration of the System may not re-release record level/identified data.  That agreement also requires that the Lead Organization resist subpoenas in the same manner that a service organization would, and to maintain the data in a secure manner, meeting all confidentiality requirements. • Agencies must also sign a Participation Agreement which reflects what you have learned today. That agreement is between MiCAH and the participating agency. • All Users must carefully review and sign the MSHMIS Users Agreement. That agreement must be kept on file.

  31. MiCAH Web Site • The MiCAH Web Site contains: • A List of Organizations that can see the Profile statewide is provided on the MiCH Web Site. • The most current version of all the Forms and Documents. www.mihomeless.org

More Related