HMIS System Administrator Toolbox

CoC/Implement Jurisdiction Data Standards Compliance Assessment Checklist 1.0

Each item below is laid out as: Description / Notice Ref # / Strategies for Implementation. The Community Status columns (Yes / No / Notes) are left blank for each CoC, Implementing Jurisdiction or ASP to complete against the applicable standards.

Policy Issues
Data Collection Requirements:
Does the CoC want to limit minimum data collection to the requirements specified in the HMIS Standards or are there additional data elements that should be required based on local needs? Do all providers know what they need to collect? / 1.4, 1.5, Sections 2 and 3 / SOPs (Establish a participation policy for providers and clear expectations for data collection.)
DV Provider Participation:
Has the CoC developed a policy and method for DV provider participation that will allow the CoC to generate analysis based on a systemwide unduplicated count? / 1.5.6 / SOPs (Establish a participation policy for DV providers and clear expectations for data collection.)
Notification and/or Consent Policies:
Does the CoC have privacy policies and procedures to ensure that all agencies and users share a common understanding of client notification and/or consent procedures?
Decisions:
-  standard uses and disclosures
-  policy on when client can be notified vs when a client must provide consent regarding use and disclosure of data
-  procedure for how users should provide notification and/or consent / 4.2.1, 4.2.2, 4.2.3 / SOPs (Document all baseline expectations for agency and user behavior in the SOPs, including notification and consent procedures, reasonable accommodation for persons with disabilities and persons that don’t speak English, client rights with respect to their information, etc.) Sample Privacy Notice and related documents (Develop a template of the privacy notice, protocol for amending the privacy notice, explanation for clients, and related consent agreements for all agencies to adopt and use.)
Security standards:
Does the CoC have minimum security standards to ensure that all agencies understand how to protect the HMIS application and database?
-  Define the frequency of virus protection updates
-  Define appropriate physical locations for HMIS access (characteristics of physical environment, appropriateness of use of laptops, appropriateness of use of users’ home workstations, etc.)
-  Frequency and method of HMIS data backup (document sys admin responsibility to implement or contractually secure this service with ASP, if appropriate) / 4.3 / SOPs (Document all baseline expectations for agency and user behavior in the SOPs, including core elements of an appropriate agency security protocol.) Sample Information Security Protocol (Document how to operationalize the minimum security policies by providing a sample information security protocol.)
Data Access and Release policies:
Does the CoC have minimum data access standards to ensure that all agencies understand how to protect HMIS data in both hardcopy and digital formats? / 4.3.2, 4.3.3 / SOPs (Document procedures for storing HMIS data in digital and hardcopy formats.)
Central CoC Data Repository:
Does the CoC have a designated central database repository that collects all of the providers’ HMIS data at least annually for the purposes of generating an unduplicated count and basic analysis of the unduplicated HMIS data? / 5.2.1 / Central database (Data must be collected at least annually and stored for a minimum of seven years after the date of collection by the central repository.) SOPs.
Agency and User Issues
Data Collection:
Do all providers know what they need to collect? Do they know how to correctly code individual client records to capture household groupings? / 1.4, 1.5, Sections 2, 3 and 5 / User training (Consistently communicate requirements). Develop user tools (Quick Cheat Sheet).
DV Provider Participation:
Do DV agencies know what they need to collect and how they can participate? / 1.5.6 / User training (Consistently communicate requirements). Develop user tools (Quick Cheat Sheet).
Bed Coverage:
Is there an emphasis on obtaining emergency shelter, transitional housing, and outreach provider participation? Note subsequent participation priorities too. / 1.6 / Agency outreach and user training.
Notification and Consent Policies:
Do all agency executives understand their responsibilities? / 4.2.6 / Agency Agreement (Require all agency executives to sign prior to bringing the agency online.) Agency executive training.
Notification and Consent Policies:
Do all users understand their responsibilities? NOTE: If this is delegated to participating agencies, CoC may want to implement more extensive monitoring procedures. / 4.2.6 / User Agreement (Require all users to sign prior to gaining system access.) User training.
Security Standards:
Do agencies understand the security standards that apply to their users? / 4.3.1 / Agency Agreement. (Require all agency executives to sign prior to bringing the agency online.) Information Security Protocol (CoC could require each agency to adopt a security protocol that addresses all aspects of the security standards. CoC could provide a sample information security protocol to ensure that agencies understand minimum requirements.)
Hard Copy Security:
Do agencies understand how to protect hard copy data, including reports, data entry forms, signed consent forms, etc.? / 4.3.3 / Agency Agreement. (Require all agency executives to sign prior to bringing the agency online.) Information Security Protocol (CoC could require each agency to adopt a security protocol that addresses all aspects of the security standards. CoC could provide a sample information security protocol to ensure that agencies understand minimum requirements.)
Software Issues
Data Elements:
Does your software collect all of the universal and program-specific data elements, including the required response categories and technical elements? / 1.4, 1.5, Sections 2, 3 and 5 / Inventory your software. Work with your vendor to program software to collect missing elements and response categories.
Data Completeness:
Does the software automatically generate default exit dates by program type? Does the software maintain transactional data for data elements that need to be analyzed over time, such as income and service utilization? / 5.1.5 / Software programming. (Based on local assumptions, the software should be programmed to generate default exit dates by program type to ensure complete universal data collection.)
Data Collection:
Do all providers know what they need to collect? / 1.4, 1.5, Sections 2 and 3 / Software tools (e.g. CoC may want to require or prompt for missing data). Software queries to check for missing or inaccurate data.
DV Provider Participation:
Based on the adopted policy, does the software need to provide an alternative method for client-level data submission? / 1.5.6 / Software design and integration tools.
Privacy policy:
Does the software support the CoC’s notice or consent procedure (opt-in or opt-out), if applicable? / 4.2.1 / Software tools (e.g. checkbox to remind user about notification procedure, way to flag a record if client opts out of default setting, way to flag a record if client wants data shared beyond the default setting, etc.)
Timeliness of PPI Storage:
Does the CHO dispose of or remove identifiers from a client record after a specified period of time? (Minimum standard: 7 years after PPI was last changed if record is not in current use.) Note this is a CHO requirement, but will need to be operationalized at the CoC level (central database) and at the CHO-level if the CHO maintains a decentralized database. / 4.2.2 / Automated data management (Does software automatically dispose of or remove identifiers from a client record after a specified period of time?)
User Authentication:
Does the password protocol meet the minimum standard? (e.g., require a minimum of 8 characters including at least one number and one letter; prohibit use of the username, HMIS name, or vendor’s name; prohibit use of a password which consists entirely of any word found in the dictionary; and prohibit use of any of the above spelled backwards.) / 4.3.1 and 4.3.2 User Authentication / Password Limitations (Password parameters should be built into the application.)
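As an added example (not part of the toolbox), the password rules in this item expressed as a check that an HMIS application or system administrator could run; the HMIS name, vendor name and word list are constructed sample values, and reading "use of" a name as "contains the name" is an interpretation:

```python
"""Password-policy check for the HMIS minimum standard listed above.

Added example, not from the toolbox. check_password() returns the rules a
candidate password breaks (an empty list means it is acceptable). The HMIS
name, vendor name and word list below are constructed sample values; a real
deployment would load a full dictionary file.
"""
import re

HMIS_NAME = "ExampleHMIS"        # hypothetical local HMIS application name
VENDOR_NAME = "ExampleVendor"    # hypothetical software vendor name
DICTIONARY = {"password", "shelter", "welcome", "housing", "summer"}


def check_password(password, username, hmis_name=HMIS_NAME,
                   vendor_name=VENDOR_NAME, dictionary=DICTIONARY):
    """Return the list of rules the password violates; [] means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")

    lowered = password.lower()
    # Names are compared case-insensitively, forwards and spelled backwards.
    # "Use of" is read here as the password containing the name anywhere,
    # which is stricter than an exact match (an interpretation, not the text).
    names = {n.lower() for n in (username, hmis_name, vendor_name) if n}
    names |= {name[::-1] for name in names}
    if any(name in lowered for name in names):
        problems.append("contains the username, HMIS name or vendor name "
                        "(or one of them spelled backwards)")

    # A password that consists entirely of a dictionary word, or of one
    # spelled backwards, is rejected regardless of case.
    words = {w.lower() for w in dictionary}
    if lowered in words or lowered[::-1] in words:
        problems.append("is a dictionary word (or one spelled backwards)")
    return problems
```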
User Logon:
Does the software prohibit users from logging onto the HMIS application more than once at any given time? / 4.3.1 and 4.3.2 User Authentication / Software user authentication (Application should verify that user is not already logged on before granting access to the database application.)
Workstation authentication:
If users access the HMIS through a public forum (e.g. internet), does the software authenticate the workstation prior to granting access? / 4.3.1 Public Access / Sys admin or ASP should use PKI or extranets that limit access based on the Internet Protocol (IP) address prior to granting access to the HMIS application.
Virus Protection:
Do the lead org and ASP have regularly updated virus protection software that automatically scans files as they are accessed by users on the system where the HMIS application is housed? / 4.3.1 Virus Protection / Install virus protection software; Assign someone to regularly update definitions.
Disaster Protection and Recovery:
Does lead org or ASP back up all HMIS data on a regular basis to another medium and store it in a secure off-site location? NOTE: This standard applies to each CHO, but is most likely operationalized through the CoC. / 4.3.1 Disaster Recovery and Backup / Backup Plan. (Documented in SOP, Agency Agreement, or Service Contract with ASP)
Disposal:
Does lead org and/or ASP appropriately reformat the storage medium when disposing of HMIS data? NOTE: This standard applies to each CHO, but is most likely operationalized through the CoC. / 4.3.1 Disposal / Disposal Plan. (Documented in SOP, Agency Agreement, or Service Contract with ASP)
System Monitoring:
Does lead org and/or ASP routinely monitor to verify that users are appropriately accessing the HMIS and that security systems are intact? NOTE: This standard applies to each CHO, but is most likely operationalized through the CoC. / 4.3.1 System Monitoring / User access log and other System monitoring. (Sys admin and/or agency administrators should routinely review user access log to verify that user access is consistent with expected patterns. Document in SOP, Service Contract with ASP, and/or Agency Agreement.)
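As an added example (not from the toolbox), a review of a constructed user access log that flags the two patterns the User Logon and System Monitoring items ask about: a user logging on while a session is already open, and logons outside an assumed window of expected hours. The log line format and the 07:00 to 19:00 window are assumptions to adapt to the real application:

```python
"""Review of an HMIS user access log for the two checks above.

Added example, not part of the toolbox: the log lines are constructed and
the line layout (timestamp, event, user, workstation) is an assumption.
"""
from datetime import datetime

# Constructed sample access log (ISO timestamp, event, user, workstation).
SAMPLE_LOG = """\
2024-03-04T09:02:11 LOGON user=jsmith ws=10.0.0.12
2024-03-04T09:05:40 LOGON user=jsmith ws=10.0.0.30
2024-03-04T09:06:02 LOGON user=amartinez ws=10.0.0.15
2024-03-04T17:10:00 LOGOFF user=jsmith ws=10.0.0.12
2024-03-04T17:12:00 LOGOFF user=amartinez ws=10.0.0.15
2024-03-04T23:41:19 LOGON user=amartinez ws=10.0.0.15
"""

# Assumed "expected pattern" for this agency: interactive use between
# 07:00 and 19:00 local time. Tune this to the site's documented hours.
EXPECTED_HOURS = (7, 19)


def parse_line(line):
    """Split one log line into (timestamp, event, user, workstation)."""
    ts, event, user_field, ws_field = line.split()
    return (datetime.fromisoformat(ts), event,
            user_field.split("=", 1)[1], ws_field.split("=", 1)[1])


def review_access_log(log_text, expected_hours=EXPECTED_HOURS):
    """Return a list of findings, each (timestamp, user, description)."""
    findings = []
    active = {}  # user -> set of workstations with an open session
    start_hour, end_hour = expected_hours
    for line in log_text.splitlines():
        ts, event, user, ws = parse_line(line)
        if event == "LOGON":
            if active.get(user):
                findings.append((ts, user, "second logon while a session is "
                                 "still open on " + ", ".join(sorted(active[user]))))
            if not start_hour <= ts.hour < end_hour:
                findings.append((ts, user, "logon outside expected hours"))
            active.setdefault(user, set()).add(ws)
        elif event == "LOGOFF":
            active.get(user, set()).discard(ws)
    return findings
```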
Electronic Data Transmission:
Does the HMIS application encrypt all HMIS data that are electronically transmitted over the Internet, publicly accessible networks or phone lines? / 4.3.2 Electronic Data Transmittal / Software application. (Verify with software provider/ASP that application uses 128-bit encryption to transmit HMIS data using tertiary systems.)
Electronic Data Storage:
Does the HMIS application store HMIS data in a binary format? / 4.3.2 Electronic Data Storage / Software application. (Verify with software provider that application stores HMIS data in a binary format.)
Data export:
Can the software export HMIS data in a comma-separated values text file, according to the prescribed format? / 5.1.7 / Software programming.
Monitoring: Does the CoC monitor its participating agencies on compliance with the following areas?
Data Quality:
Are providers collecting what they need to collect? / 1.4, 1.5, Sections 2 and 3 / QA procedure (Sys admin or data analyst could run query to check for complete and accurate data and follow up with providers to improve data quality.)
Privacy Policies:
Are all agencies complying with the minimum standards established in Section 4 and any additional adopted CoC privacy policies? / Section 4 / Site monitoring (site monitoring could randomly check sites for compliance or could systematically monitor all agencies. Could be integrated with other regular grant monitoring, application review, ...)
User Agreements:
Have all users signed a user agreement that specifies their responsibilities? / 4.2.6 / Central copies of User Agreement (CoC could maintain copies of the user agreement centrally, or require submittal prior to granting a user ID/password, or monitor sites to ensure they’re completed)
Virus and Firewall Protection:
Does the agency regularly update virus definitions? / 4.3.1 Virus Protection, Firewalls / Site monitoring (site monitoring could randomly check sites for compliance or could systematically monitor all agencies. Could be integrated with other regular grant monitoring, application review, ...)
Workstation Access:
Does agency appropriately locate and staff equipment that is authorized to access the HMIS application? Does the agency follow the laptop and/or home access policy appropriately? / 4.3.1 Physical Access / Site monitoring (site monitoring could randomly check sites for compliance or could systematically monitor all agencies. Could be integrated with other regular grant monitoring, application review, ...)

Page 1 of 12

Developed by the National HMIS TA Initiative by the QED Group, LLC for HUD


Baseline elements of the sign at the intake desk:

-  General explanation of the reasons for collecting client information. (4.2.1)

-  Offer to provide a copy of the notice upon request (4.2.4)

Baseline elements of the Privacy Notice:

-  Specify the purposes for which it collects PPI (4.2.3)

-  Define all uses and disclosures (4.2.3)

-  Amendment policy and procedure (4.2.4)

-  Right of client to inspect and have a copy of any PPI about the individual, offer to explain the information, consider any request for correction of inaccurate or incomplete PPI. (4.2.5)

-  Right of client to complain about the agency’s privacy and security policies and practices (4.2.6)

HMIS Agency Participation Agreement should specify and ask agency executives to affirm that they will:

-  Comply with data collection requirements

-  Comply with state and federal law

-  Post a sign at intake meeting minimum standards

-  Adopt and comply with a privacy notice (meeting minimum standards, documenting all amendments, post on website, provide in foreign languages as appropriate) (4.2, see description of privacy notice above)

-  Provide reasonable accommodation to persons with disabilities to ensure that they understand the privacy notice (4.2.4, see exceptions)

-  Comply with additional CoC privacy policies on notification and/or consent (4.2.4)

-  Establish a procedure for accepting and considering questions or complaints about its privacy and security policies and practices (4.2.6)

-  Ensure that all users at its agency understand and comply with its privacy notice (4.2.6)

-  Comply with the security standards in the HMIS standards. [Agreement could require each agency to establish an information security protocol that outlines practices to comply with the security standards.] (4.3)

-  Establish mechanisms to protect hard copy data, including reports, data entry forms, signed consent forms, etc. (4.3.3)

-  Submit data at least annually to the central CoC repository, if the agency is maintaining its own independent database. (5.2.1)