Privacy Law and Policy Reporter
It is unusual to be able to describe a privacy development in the United States using the word novel in a positive way. A recent endeavor from the federal Department of Housing and Urban Development (HUD) provides that opportunity. The occasion is the issuance of standards for implementation of a Homeless Management Information System or HMIS. The HMIS standards include a novel approach to protect the privacy of homeless clients of organizations subject to the standards.
Before reading the details, the reader must know that the author of this article played a significant role in the development of the privacy portion of the HMIS standards as a consultant to the firm that assisted HUD in developing the standards.
The main goal of HUD’s effort at developing an HMIS is to collect better information on the homeless. Throughout the United States, homeless services are often provided by small homeless service providers that frequently have limited resources and staff. Homeless services are sometimes coordinated through local bodies known as Continuums of Care. Federal assistance is available to homeless providers through a variety of programs, but the federal government does not have sufficient data to provide an accurate count of the homeless or to support planning needs.
HUD’s solution is an HMIS, a computerized data collection application that facilitates the collection of information on homeless individuals and families using residential or other homeless assistance services. An HMIS will have the capacity to integrate data from all homeless service providers in a community and to capture basic descriptive information on every individual served. HUD and others will use the information derived from the HMIS to better understand the characteristics of homeless persons, including demographic characteristics, patterns of homelessness, and use of services. The information will also help to improve the delivery of housing and services to specific sub-populations, including veterans and others.
A central national database of homeless individuals is not part of HMIS. Data will be collected and integrated at the local level to avoid duplication. Once duplicate records have been matched, the need for identifiable information will no longer exist. Centralized records will not be identifiable.
HUD recognized at the beginning that privacy would be a major concern for the project because of the significant new collection of personal data. Privacy is an especially serious matter for some homeless providers. In particular, those who offer services to victims of domestic violence – battered spouses – fear that any release of identification or location information about clients will put the physical safety or lives of those clients at risk. However, not every homeless provider or client has the same need for privacy protections.
The HMIS standards set out the data elements necessary to support the objective of better information and elimination of duplication in counting. The standards include universal data elements that are to be collected from all clients served by homeless assistance programs. The standards also describe additional data elements that are required for particular programs or that are optional in other circumstances. The actual details of the data to be collected are not important for the purposes of this discussion. It is sufficient to know that the information collected includes identifying and other data about those receiving services, such as name, Social Security Number, date of birth, ethnicity and race, and disability. Without question, the personal information to be collected for HMIS includes sensitive data.
Developing a privacy standard for HMIS presented three main challenges. First, many diverse organizations are subject to the rule, and they do not have the same programmatic and organizational needs or resources. As already described, domestic violence shelters have the greatest concern about protecting the privacy of their clients. An organization that merely serves meals to homeless clients may have a lesser concern about privacy, but the collection of the required data elements still presents some privacy issues that require attention.
How can a privacy rule meet the needs of organizations on the different ends of the privacy spectrum? The solution started from the realization that one size would not fit all. For example, a privacy rule would have to take into account the differing needs and resources of a soup kitchen and a domestic violence shelter. However, those differences do not detract from the existence of a privacy interest for all homeless clients. To meet those interests, the rule establishes a baseline of privacy protections applicable to all covered providers of homeless services.
The rule goes further. It also describes additional privacy protections that homeless organizations can voluntarily adopt. For example, one part of the rule requires that organizations provide each requesting individual with access to his or her record. That is the baseline requirement applicable to all. One of the voluntary privacy protections is an appeal mechanism for anyone who believes that access was improperly denied. An organization may commit to having an appeal mechanism through the organization’s privacy notice.
Another example comes from the rule’s approach to consent. The baseline requirement allows an organization to infer consent for all data collection, use, and disclosure activities that the organization described in its privacy notice. For some homeless providers that serve large numbers of clients, any requirement for formal consent might create substantial administrative difficulties. However, for those providers that have greater needs and resources, the voluntary privacy protections allow an organization to commit itself to seeking either oral or written consent for some or all personal information processing. Each organization covered by the privacy rule can choose its own level of privacy above the baseline standards.
What is novel is the detailing in the rule of additional privacy protections. The rule sets out twenty-five voluntary protections for organizations to consider and adopt as appropriate to their own resources and the needs of their clients. The additional protections serve as a menu, and that menu is not exclusive. Organizations can add other protections not specified in the rule if they wish, but they can also select none, one, or more of the options presented. The baseline privacy protections will be universal, but local discretion will determine which mix of protections will be available at any organization.
The second challenge resulted because some organizations are already subject to a federal privacy rule for health information. The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) authorized the issuance of rules for health privacy. The health privacy rule applies to health care providers, health insurance plans, and health care clearinghouses that help to transfer data between other health institutions. Some but not all homeless service providers will be covered by the health privacy rule.
The health privacy rule is long, highly detailed, and complex. It is hard enough for small, underfunded homeless service providers covered by the health privacy rule to comply. Adding an overlapping and partially conflicting set of privacy standards for personal information about homeless clients would be an overwhelming burden. The task of addressing the conflict between two different privacy regimes would also complicate the homeless privacy rules.
The solution was to exempt any HMIS organization from the HMIS privacy rule if the organization determines that the federal health privacy rule covers a substantial portion of its records about homeless clients. The HMIS privacy rule saves enormous headaches by making sure that organizations covered by both rules would not have a conflict. The price paid is that some records could fall into an unregulated space between the two rules. The substantial portion test leaves gaps. However, homeless providers proceeding in good faith can fill those gaps by applying homeless privacy rules on their own and in the absence of a specific regulatory obligation.
The HMIS rule adds yet another set of privacy standards to the growing and disjointed collection of U.S. privacy laws and regulations. The so-called American sectoral approach to privacy continues to expand, always with policies that differ in significant ways from the policies previously imposed elsewhere. No two sets of U.S. privacy rules are identical, and many personal records remain outside the scope of any privacy rules.
The potential clash of privacy requirements for organizations subject to both the homeless privacy standards and the health privacy rule resulted in the adoption of a specific policy to avoid any direct overlap. The homeless standards also recognize the possibility that other federal, state, or local laws may establish privacy requirements, and the homeless standards expressly give way to laws that require additional confidentiality protections. The flexibility of the HMIS standards in establishing a baseline set of privacy rules but allowing each organization to adopt additional privacy protections should permit compliance, although perhaps an uneasy compliance, with any disparate laws that exist.
The third challenge for HMIS was defining the content of information privacy. What are the elements of privacy that would meet the needs and interests of the homeless? The answer to this question was relatively easy. An appropriate response to most information privacy problems can be found in the principles of Fair Information Practices (FIPs). While the international community is intimately familiar with FIPs, formal application of FIPs in American privacy regulation is still relatively unusual. For example, the HIPAA health privacy rule reflects FIPs policies, but the framework of the rule is invisible and FIPs were barely mentioned during its development.
The HMIS rule expressly adopts FIPs policies, organizing its requirements using traditional FIPs categories. The categories used for HMIS are openness; accountability; collection limitation; purpose and use limitation; access and correction; data quality; and security. The FIPs framework works just as well for the homeless as for any other constituency of individuals. The specific implementation required some adjustments for the circumstances, but this is normal. FIPs always need fine-tuning when used in any specific application. The basic principles themselves did not require any significant adjustment.
We do not know yet how the HMIS privacy rule will be received by the homeless providers that must comply with it or by the homeless clientele who are the intended beneficiaries. It may be some time before the providers understand the rule and complete their implementation. Parts of the HMIS rule remain contentious, including the reliance on Social Security Numbers, and the collection and use for HMIS purposes of personal identifiers of domestic violence victims. Also, some of the privacy choices included in the baseline and in the optional elements could be the subject of debate by privacy professionals. The privacy rule may have novel elements, but it is not entirely free from controversy.
Robert Gellman is a Privacy and Information Policy Consultant in Washington, DC. His email address is <email@example.com>.
 The final version of the Homeless Management Information Systems Data and Technical Standards was issued on July 30, 2004. The text can be found at <http://a257.g.akamaitech.net/7/257/2422/06jun20041800/edocket.access.gpo.gov/2004/04-17097.htm>.
 One of the major programs is the McKinney-Vento Homeless Assistance Act, 42 U.S.C. §11301 et seq.
 Public Law No. 104-191, §264(c), 110 Stat. 2033 (1996). The text of the law can be found at <http://aspe.hhs.gov/admnsimp/pl104191.htm>.
 The health privacy rules issued by the Department of Health and Human Services can be found at <http://www.hhs.gov/ocr/hipaa/finalreg.html>. Related rules imposing security requirements for health records can be found at <http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp>.
 The HMIS standards include security standards that are organized in the same manner as the privacy standards. All covered organizations must meet baseline security requirements, but additional security protections may be optionally implemented. The security standards cover records maintained on computer systems and on paper. See section 4.3 of the HMIS standards.