Who owns the data in HMIS (in other words, who governs its uses and disclosures), and how do we ensure that data is both private and secure, but also that we aren’t limiting access beyond what is required? 

Date Published: October 2017

Print ShareThis


The privacy and security standards, as described in the 2004 Data and Technical Standards Notice, seek to protect the confidentiality of personal information while allowing for reasonable, responsible, and limited uses and disclosures of data. These privacy and security standards are based on principles of fair information practices and on security standards recognized by the information privacy and technology communities.

While the 2004 Data and Technical Standards Notice does not explicitly address issues of data ownership, it's important to remember that the CoC Program Interim Rule gives CoCs authority over and responsibility of HMIS. As a result, data ownership questions should be addressed by the CoC(s) through any HMIS governance, policies, and/or agreements in place between associated parties.

At the most basic level, clients own their personal data. When a client seeks assistance from a service provider, the service provider's privacy policy governs the transfer of this ownership. The policy details what will be done with the collected data and the client must consent to this policy. For example, a provider's privacy policy may indicate that certain client information will be shared with other HMIS participating agencies in order to facilitate more efficient service delivery for the client throughout the homeless services system. When a service provider enters the data for this client and all other clients served into HMIS, the HMIS participation agreement between the service provider and the HMIS Lead governs the transfer of ownership, again detailing what will be done with the collected data.

Existing HMIS policy recognizes the administrative responsibilities of HMIS Leads and System Administrators in 4.1.3(3) of the 2004 HUD Data and Technical Standards Notice, which establishes that Covered Homeless Organizations (CHOs) may use or disclose protected personal information (PII) from an HMIS to carry out administrative functions, including but not limited to legal, audit, personnel, oversight and management functions. There is an understanding that if the HMIS Lead role, and its accompanying functions and responsibilities, shift from one agency to another, the allowable disclosure for the purposes in 4.1.3(3) shift as well.

Tags: Data - Data Security

Links in This FAQ