  • HMIS Security Audit Checklist

  • Welcome to the HMIS Security Audit Checklist.  The HMIS Privacy & Security Plan contains detailed descriptions and directions about meeting all of the HMIS Participating Agency security requirements.  We request that you complete this checklist to affirm that you understand and are adhering to all of these security requirements.

    New HMIS Participating Agencies complete this checklist as part of their onboarding process.  Additionally, we require all HMIS Participating Agencies to complete this checklist on an annual basis during the HMIS Security Audit (most often held in the spring).  If you have any questions about these security requirements or need assistance, please email HMIS.

     

  • Annual Security Audit Checklist

  • During our annual security audit, we like to check in with our community partners to see if the staff members who are assigned are still working as your Executive/CEO/Director, Security Officer, and HMIS Lead.  We've included descriptions of the leadership roles below as a convenient reminder:

    Leadership Roles at your Agency

    When your organization became an HMIS Participating Agency, we collected names and contact information for individuals at your organization who can answer questions we may have about your HMIS Participation. These are the three specific roles that must have a staff member identified.  

    • Executive/CEO/Director: This individual is authorized to sign agreements on behalf of your organization and is ultimately responsible for the actions of your staff in our HMIS.
    • Partner Agency Security Officer: This individual is responsible for conducting your agency's HMIS Annual Security Audit and working with HMIS to resolve any issues.  They are tasked with enforcing privacy and security rules with all HMIS users in your organization, including addressing any security breaches HMIS identifies. 
    • HMIS Lead: This individual is the most senior staff member who will be actively working in HMIS.  They are the point person for addressing all data quality issues, including reviewing the work of individual HMIS users who may need retraining.
  • Initial Security Audit Checklist

    For organizations applying to become HMIS Participating Agencies
  • This page includes verification of all HMIS Security Requirements for your organization.  They have been broken down into sections, including:

    • Client Privacy Security Requirements
      • HMIS Consumer Notice and HMIS Privacy Statement
      • Release of Information (ROI)
      • Hard Copy Data
      • Special Considerations
    • Computer Systems Security Requirements
      • Virus Protection
      • Firewalls
      • Physical Access
    • HMIS Users Security and Training Requirements

    Please click on each section below to answer all of these questions.

     

    • Client Privacy Security Requirements 
    • Consumer Notice and Privacy Statement

      HMIS Participating Agencies must be familiar with our HMIS Consumer Notice and HMIS Privacy Statement.  Both notices explain why an HMIS Participating Agency will ask for a client's personal private information (PPI) and the rights the client has to consent to or decline sharing that information. Both of these documents must be printed and physically posted for clients to see.

      The HMIS Consumer Notice explains to clients that your program participates in HMIS and outlines the client's rights to share or withhold both specific pieces of PPI and consent for the information to be shared between HMIS Participating Agencies (ROI).  Based on the language at the beginning of the Consumer Notice, you will need to either use the HMIS Consumer Notice for HUD-Funded Programs or for Non-HUD Funded Programs as is appropriate to your organization.

      The HMIS Privacy Statement goes into more detail about the information that is gathered in HMIS and provides clients with direction on how to request access to their record and request corrections to the information.  Based on the language within the HMIS Privacy Statement, you will need to either use the HMIS Privacy Statement for HUD-Funded Programs or for Non-HUD Funded Programs as is appropriate to your organization.

    • Release of Information (ROI)

      Please review the current Release of Information (HMIS) documents required for entering client data into HMIS. The release is valid for seven (7) years from the date of the client's signature.  The ROI confirms that the client is willing to have their information in HMIS shared between agencies.  Because this ROI confirms client consent for all HMIS Participating Agencies and not just yours specifically, each individual agency does not need to get a new ROI, provided that they confirm there is a valid ROI on file for their client.

      HMIS ROIs - Sacramento CoC, Yolo CoC                                  

    • Hard Copy Data

      Hard Copy Data refers to any physical documents or other items that contain client PII.  All HMIS Participating Agencies must abide by these security requirements regarding the security of your physical data.  Please answer the questions below to affirm that you are able to meet these requirements.

    • Special Considerations

      This section addresses support needed for disabled clients and clients with unique needs.  Please answer the questions below to affirm that you are able to meet these requirements.

    • Computer Systems Security Requirements 
    • Virus Protection, Firewalls, and Physical Access

      This section addresses security requirements for your computers and internet connections.  Please answer the questions below to affirm that you are able to meet these requirements.

    • HMIS Users Security and Training Requirements 
    • HMIS Users

      This section affirms that your supervisory staff will enforce the security and training requirements for all HMIS users within your organization.  Please answer the questions below to affirm that you will direct your staff to meet these requirements.

    • If you have not submitted requests yet for HMIS user access, please do so soon.  The timing of onboarding new agencies is carefully balanced. Delays in requesting new user access for your staff will cause delays in your staff's access to the system. Please submit those requests as soon as possible.

  • Annual HMIS Security Audit Checklist

  • This page includes verification of all HMIS Security Requirements for your organization.  They have been broken down into sections, including:

    • Client Privacy Security Requirements
      • HMIS Consumer Notice and HMIS Privacy Statement
      • Release of Information (ROI)
      • Hard Copy Data
      • Special Considerations
    • Computer Systems Security Requirements
      • Virus Protection
      • Firewalls
      • Physical Access
    • HMIS Users Security and Training Requirements

    Please click on each section below to answer all of these questions.

     

    • Client Privacy Security Requirements 
    • Consumer Notice and Privacy Statement

      HMIS Participating Agencies must be familiar with our HMIS Consumer Notice and HMIS Privacy Statement.  Both notices explain why an HMIS Participating Agency will ask for a client's personal private information (PPI) and the rights the client has to consent to or decline sharing that information. Both of these documents must be printed and physically posted for clients to see.

      The HMIS Consumer Notice explains to clients that your program participates in HMIS and outlines the client's rights to share or withhold both specific pieces of PPI and consent for the information to be shared between HMIS Participating Agencies (ROI).  Based on the language at the beginning of the Consumer Notice, you will need to either use the document for HUD-Funded Programs or for Non-HUD Funded Programs as is appropriate to your organization.

      The HMIS Privacy Statement goes into more detail about the information that is gathered in HMIS and provides clients with direction on how to request access to their record and request corrections to the information.  Based on the language within the HMIS Privacy Statement, you will need to either use the document for HUD-Funded Programs or for Non-HUD Funded Programs as is appropriate to your organization.

    • Release of Information (ROI)

      Please review the current Release of Information (HMIS) documents required for entering client data into HMIS. The release is valid for seven (7) years from the date of the client's signature.  The ROI confirms that the client is willing to have their information in HMIS shared between agencies.  Because this ROI confirms client consent for all HMIS Participating Agencies and not just yours specifically, each individual agency does not need to get a new ROI, provided that they confirm there is a valid ROI on file for their client.

      HMIS ROIs - Sacramento CoC, Yolo CoC                          

    • Hard Copy Data

      Hard Copy Data refers to any physical documents or other items that contain client PII.  All HMIS Participating Agencies must abide by these security requirements regarding the security of your physical data.  Please answer the questions below to affirm that you are able to meet these requirements.

    • Special Considerations

      This section addresses support needed for disabled clients and clients with unique needs.  Please answer the questions below to affirm that you are able to meet these requirements.

    • Computer Systems Security Requirements 
    • Virus Protection, Firewalls, and Physical Access

      This section addresses security requirements for your computers and internet connections.  Please answer the questions below to affirm that you are able to meet these requirements.

    • HMIS Users Security and Training Requirements 
    • HMIS Users

      This section affirms that your supervisory staff will enforce the security and training requirements for all HMIS users within your organization.  Please answer the questions below to affirm that you will direct your staff to meet these requirements.

  • HMIS Security Audit Checklist

  • This concludes the HMIS Security Audit.  By submitting this form, you are stating that all of the information entered is accurate and complete.  If you are unsure of your answers, please save the form and email HMIS for guidance.
