630 likes | 789 Views
Welcome to Your Housing Help Session!. Today’s Topics: EIV Update Recent webcasts EIV Security New requirements HUD training. Welcome to Housing Help!. Upcoming topics for the management series: 4/10/09: Creating & managing a housing nonprofit (PH) 4/17/09: Managing your HCV funding.
E N D
Welcome to Your Housing Help Session! • Today’s Topics: • EIV Update • Recent webcasts • EIV Security • New requirements • HUD training
Welcome to Housing Help! • Upcoming topics for the management series: • 4/10/09: Creating & managing a housing nonprofit (PH) • 4/17/09: Managing your HCV funding
HUD’s EIV Web Page • http://www.hud.gov/offices/pih/programs/ph/rhiip/uivsystem.cfm • EIV User Manual (Version 8.0, December 2007) • Privacy and Security Requirements • Security Procedures Guide
EIV Update • HUD training webcasts on EIV • 1/16/08 • 8/26/08 • 2/11/09 – 2/12/09
EIV Update • 2/09 webcasts are archived at: http://www.hud.gov/webcasts/archives/ph.cfm • 2008 webcasts are archived at: http://www.hud.gov/webcasts/archives/iv.cfm
EIV Update • Training materials from webcasts • PowerPoints • Case studies & solutions • Handouts • http://www.hud.gov/offices/pih/programs/ph/rhiip/training.cfm
January 2008 Webcast • HUD webcast 1/16/08 contained revised guidance on use of EIV • Previous guidance is obsolete and has been removed from EIV website • $2400 discrepancy • Instructions on anticipating income with EIV
HUD Guidance on EIV • EIV is sufficient as third-party verification when: • The family does not dispute the data, and • Current tenant-provided documents (i.e. paystubs) are available
HUD Guidance on EIV • The PHA MUST obtain additional third-party verification when the family disputes EIV employer data
HUD Guidance on EIV • The PHA MAY obtain additional third-party verification when the PHA determines that additional information is necessary, such as: • Effective dates of employment • Pay rate, hours worked for new jobs • Confirmation of a change in circumstances (reduced hours, reduced rate of pay)
HUD Guidance on EIV • Use tenant-provided documents to project annual income, unless: • The family disputes EIV employer data, OR • The PHA determines that additional information is necessary
HUD Guidance on EIV • HUD recommends that tenant-provided documents should be dated within 60 days of interview date • Current and consecutive
HUD Guidance on EIV • Quote from webcast: • “The PHA will use tenant-provided documents or most current information to calculate anticipated annual income.” • EIV quarterly wages are NOT used to project annual income
HUD Guidance on EIV:File Documentation • If the family does not dispute EIV employer data, and the PHA determines that additional information is not necessary: • EIV income details report • ICN in FL • Tenant-provided documents
HUD Guidance on EIV:File Documentation • If the family disputes, or PHA requires additional information: • EIV printout (except in FL) • Tenant-provided documents • Third-party written verification
August 2008 Webcast • Comprehensive training on “Effective Use of EIV” • Extensive discussion of EIV reports and their usage • New reports • Added functionality
August 2008 Webcast • EIV sign-on now includes certification of EIV & security training • HUD webcast training is sufficient • EIV training and annual EIV security training are separate requirements • Staff members may view webcast(s) and obtain certification from HUD
August 2008 Webcast • Clarification that EIV is sufficient verification of SS/SSI iffamily agrees • Discussion of identity theft • Guidance on use of income discrepancy report
2008 Webcasts • Both 2008 webcasts include case studies of unreported income • Calculation method for overpaid subsidies • First written guidance from HUD on this issue
2/09 Webcasts • Day 1: First 2 hours on rent refinement final rule • FR notice 1/27/09 • HUD has proposed delay of effective date for further review
2/09 Webcasts • Deceased tenant report: single-member households now marked with red asterisk • User ID masked per PHA requests • PH flat rent families are now excluded from the income discrepancy reports • Additional planned improvements for 2009 & 2010
HUD Consolidated Reviews • Program areas under review: • RIM • UIV • SEMAP • PHAS Management Assessment (MASS) • Civil rights
HUD Consolidated Reviews • HUD UIV Monitoring Report • Implementation review • Security assessment • Income discrepancy review • 5 highest dollar discrepancies per program • Link in your HHS e-mail
Introduction • HUD has published an EIV Security Procedures manual for PHAs • Available on HUD’s EIV web page • See workbook references tab • EIV security requirements are mandatory • Violations may result in civil and/or criminal penalties
Introduction • The information in this session is adapted from 2 sources: • HUD’s EIV Security Procedures manual • HUD’s EIV webcasts • “Includes security awareness training”
Introduction • In this session, we will cover: • Privacy Act requirements • Overview of policies and controls for securing UIV data • Administrative • Technical • Physical
Privacy Act Requirements • Whenever HUD or a PHA requests information about a tenant they should ensure the following: • The data is only used for verification of tenant income to determine: • a tenant’s eligibility for participation in a rental assistance program • the level of assistance that they are entitled to receive
Privacy Act Requirements • Whenever HUD or a PHA requests information about a tenant they should ensure the following: • It is not disclosed in any way that would violate the privacy of the individuals represented in the system
Privacy Act Requirements • The tenant is notified of the following: • HUD or the PHA’s authorization and purpose for collecting the information • the uses that may be made of the data collected, and • the consequences to the individual for failing to provide the information
Privacy Act Requirements • On request, the tenant is provided with access to records pertaining to them and an opportunity to correct or challenge the contents of the records
Civil Penalties Associated with the Privacy Act • A tenant may take legal action against HUD or a PHA for the following agency actions: • Refusal to grant access to a record • Refusal to amend or correct a record
Civil Penalties Associated with the Privacy Act • If found liable, HUD or the PHA will be required pay the tenant: • Damages sustained as a result of the agency’s action • The costs of the lawsuit, including reasonable attorney fees
Criminal Penalties Associated with the Privacy Act • A PHA employee can be found guilty of a misdemeanor or a felony if that employee, knowingly and willfully: • Discloses a tenant’s records to an unauthorized party • Fraudulently represents him/herself to obtain another individual’s record
Security Safeguards • HUD describes 3 types of safeguards: • Administrative • PHA access policies • Technical • Part of EIV system • Physical • Barriers to unauthorized access
Administrative Safeguards • PHAs should implement administrative safeguards to address the following: • Assigning and monitoring access rights • Determine which users should have access to UIV information • Maintain a record of all users who have approved access to UIV data
Administrative Safeguards • Assigning and monitoring access rights • Conduct a quarterly review of all user IDs to determine if the user still has a valid need to access the UIV data • Ensure that access rights are modified or revoked as appropriate • More information: Day 1 of 2/09 webcast
Administrative Safeguards • Keeping records and monitoring security issues • Assure that a copy of Form HUD-9886 has been signed by each adult member of the household and is kept in the household file • Maintain a key control log to track the inventory of keys available, the number of keys issued and to whom the keys are issued
Administrative Safeguards • Keeping records and monitoring security issues • Ensure that all employees and contractors who have been issued keys to secure areas complete a form acknowledging the receipt of the key • Maintain a log of all users who access designated secure areas including the date and time of entry and exit and the purpose of the access
Administrative Safeguards • Keeping records and monitoring security issues • Ensure that combination locks are reset regularly, including whenever an employee leaves the PHA • Ensure that UIV information is disposed of in an appropriate manner and maintain a log of all documents that have been burned or shredded • Or may follow written records retention policy
Administrative Safeguards • Conducting security awareness training • Ensure that all users of UIV data receive training in UIV security policies and procedures at the time of employment and at least annually afterwards • Maintain a record of all personnel who have attended training sessions • Train on individual PHA policies as well as HUD or third-party training
Administrative Safeguards • Conducting security awareness training • Communicate security information and requirements to appropriate personnel • Distribute all user guides and security procedures to personnel using UIV data
Administrative Safeguards • Reporting improper disclosures • Report any evidence of unauthorized access or known security breaches to the PHA executive director • Document all improper disclosures in writing • Report all security violations regardless of whether the security violation was intentional or unintentional
Technical Safeguards • Purposes of the technical safeguards: • Reduce the risk of a security violation related to the EIV systems’ software, network, or applications • Identify and authenticate all users seeking access to the UIV data • Deter and detect attempts to access the system without authorization • Monitor the user activity on the EIV system
Technical Safeguards • The technical controls that have been built into the EIV systems address the following: • User identification and authentication • Each user is required to have their own user ID and password • The user ID identifies the PHA(s) and tenant information that the user is authorized to access
Technical Safeguards • User identification and authentication • Passwords are encrypted and the password file is protected from unauthorized access • The system forces all users to change their password every 21 days and limits the reuse of previous passwords
Technical Safeguards • User identification and authentication • After three unsuccessful attempts to log into PIC, the user ID is locked. All PIC password resets are handled by the security administrators at the PHA or in the local HUD Field Office. Additional information and assistance can be obtained from pichelp@hud.gov. In using the EIV system, the log on restrictions do not apply.
Technical Safeguards • Online user alerts • Online warning messages that inform the user of the civil and criminal penalties associated with unauthorized use of the UIV data