HMIS Privacy and Security Essentials Quiz 1. Question Title * 1. User Information - Please answer all of the following questions to ensure you receive credit for completing the quiz: Name: Email Address (use the email address associated with your Clarity user license): Agency: Job Title: For the following questions, please carefully read the statements and select all options that apply. Question Title * 2. Data privacy measures ensure that (select all that apply): Someone whose information is being used and/or disclosed by another party is fully informed and has choice in how that information is used/disclosed. Organizations who share other people's personal information are protected legally and do not have to ask for consent to share information or inform the person whose information they are sharing. Question Title * 3. What is Personally Protected Information (PPI)? Select all that apply. Information you can share about anyone because it's unlikely to be able to be linked back to a specific person. Information that identifies a specific individual, can be manipulated to identify someone or can be linked with other available information to identify someone. Examples of PPI include first name, last name and Social Security Number, among others. Question Title * 4. How do participating agencies and users formalize their commitment to meeting RTFH's requirements for using HMIS? Select all that apply: Agencies sign an Agency Participation Agreement agreeing to abide by all relevant laws and HMIS Policies and Procedures. Agencies and users do not formally commit to meeting RTFH's requirements; they have an unwritten understanding. Users sign User Agreements agreeing to abide by HMIS Policies and Procedures and ethical principles prior to using HMIS. Question Title * 5. The following are all responsibilities that users are expected to fulfill related to using HMIS: Review and abide by all requirements in HMIS Policies and Procedures. Follow 3-Step Privacy Process for collecting HMIS data. Enter data accurately based on client self-report. Report observed security violations. Only enter data and view HMIS records for the purposes of delivering and coordinating services for clients. True False Question Title * 6. When is it appropriate to share your Clarity username/password with another user in order for them to log in? Select all that apply: When another user who has not yet obtained a Clarity user license needs to enter client data into HMIS. When your supervisor needs to monitor the data you entered in HMIS. Never. Question Title * 7. Click each step of the 3-Step Privacy Process for collecting HMIS Data from the options listed. Notice of Privacy Practices (NPP) Verify client's fingerprint before creating client record in HMIS Take a picture of the client Multiparty Authorization (MPA) Run a background check to verify information the client provided Mandatory Data Collection Notice Question Title * 8. How is it okay to share clients’ personally protected information (PPI) with other HMIS users via email? Select all that apply. By only including the client’s initials in an email. By only emailing HMIS users at your agency. By attaching PPI to the email but not including it in the body of the email. There’s no method that is appropriate to share PPI via email; stick to client's Clarity unique identifier. Question Title * 9. All HMIS users should implement the following practices in regards to the security of their workstation (select all that apply): Lock your computer any time you step away from your workstation. Leave all signed paper MPA's in plain sight on top of your desk even when you leave for the day so that you do not forget to upload them in Clarity the next day. If your computer screen is visible to people passing by, put up a privacy screen. Write your Clarity username and password on a Post-It note and stick it to your computer screen or keyboard so that you always remember it. If you retain hard copy records with HMIS information (such as copies of signed MPA’s or printed reports with PPI), secure them by keeping them inside a locked file cabinet and/or in an office that is locked when not in use. Question Title * 10. Which of the following statements accurately describe the requirements for the HMIS Mandatory Data Collection Notice? Select all that apply. The Mandatory Data Collection Notice should be posted and clearly visible at client intake areas. The Mandatory Data Collection Notice fully informs a client that their information is collected and shared in HMIS, making it possible to share their data as long as they see it. The Mandatory Data Collection Notice should only be presented to clients after their information has already been entered into HMIS. A letter-sized version of the Mandatory Data Collection Notice should be printed and carried with homeless outreach teams when they provide services in the field. Question Title * 11. Which of the following statements accurately describe the requirements for the Notice of Privacy Practices (NPP)? Select all that apply. The NPP should be provided to a client if they request more information related to their data being entered into HMIS. The NPP no longer needs to be signed by every client whose data will be entered into HMIS. The NPP needs to be uploaded into HMIS. Question Title * 12. Which of the statements below is true in regards to sharing data in HMIS? Select all that apply. Clients that do not share data can be denied services. Client records are shared by default in Clarity (with a few exceptions for restricted agencies, programs or victim service providers). Sharing data in HMIS helps de-duplicate client records and improve coordination. Client profiles are shared by default in Clarity, but program enrollment data is not visible by default to agencies other than the one that entered it. Question Title * 13. Which of the statements below is true in regards to San Diego's HMIS Trust Network? Select all that apply. The HMIS Trust Network is made up of all HMIS Participating Agencies that have signed an Agency Participation Agreement agreeing to enter data in HMIS and fulfill HMIS requirements. Trust Network providers can share clients' HMIS information with organizations who are not yet in the Trust Network, if they are likely to join soon. If a client expresses concerns about who their HMIS data is being shared with or asks for a specific list of providers who could see their HMIS data, you do not need to show them a list of providers but can just repeat that it is shared with the "HMIS Trust Network". The list of Trust Network providers with whom HMIS data is shared can be found on the RTFH website. Question Title * 14. Which of the statements below accurately describe the requirements that Participating Agencies and HMIS Users need to fulfill regarding the HMIS Multiparty Authorization (MPA)? Select all that apply. Discuss the MPA with all clients and collect their response. If you forget to discuss the MPA with a client, email support@rtfhsd.org to request that RTFH restrict access to the record. If a client declines to share data or revokes authorization to share data email support@rtfhsd.org to request that RTFH restrict their Clarity record. If a client declines to share data, do not create a client record for them in Clarity. Inform clients that it is their right to share or not share their data, but that only providers serving them will regularly view their data, that protocols are in-place to keep their information secure, and that sharing may streamline some services, such as the CES process. Question Title * 15. How long is authorization to share data via the MPA valid for? 1 year 3 years 7 years 10 years Indefinitely or until a client states they no longer wish to share. Question Title * 16. An adult client entered your emergency shelter on 8/25/2019. While completing an intake with the client, you discussed the MPA with him and he signed a paper copy of the MPA authorizing sharing his data in HMIS. 2 days later - on 8/27/2019 - you are now entering this client's information in Clarity and documenting his response to the MPA. From the options below, pick the correct way to document this client's MPA response in Clarity: Question Title * 17. Review the list below of potential options you can select when filling out a client's ROI in Clarity as well as the situation described for each.Check all options that are correct ways to document the client's MPA: Permission = "No"When a client declined authorization or revoked authorization to share data. Permission = "No"If you are an outreach worker, have not yet been able to discuss the MPA with a client but need to create a client record and will follow instructions in Outreach Cheat Sheet to privatize client record. End Date = 8/1/2020When the client signed an MPA on 8/1/2019. Documentation = "Verbal Consent"211 providers and during emergency protocol (after checking in with designated HMIS Agency Admin) Documentation = "Signed Paper Document"When it has been one week since the client signed the MPA. Documentation = "Household"For a 45-year old woman who does not require a legal guardian but whose husband signed the MPA. Documentation = "Household"For a 12-year-old who entered your program with her mother and whose mother indicated she was signing the MPA for both herself and her daughter. Question Title * 18. Select all options from the list below that are correct ways to handle a client's decline or revocation of authorization to share data in HMIS: If the client has previously authorized data sharing but are now saying they no longer wish to share, ask them to sign a "Revocation of Authorization" form printed from the RTFH website. If this is the first time this client has discussed their data sharing wishes and they decline to share, document their decline via an Electronic Signature in their ROI in Clarity. Scan and upload hard copy documentation of the client's declined Revocation form to the Files tab of the client record. Add a new ROI entry for the client in Clarity with an ROI Permission of "No". Skip informing RTFH about the client's wishes because you are confident you properly restricted the client's record in Clarity. Email support@rtfhsd.org immediately after documenting client's wishes properly in Clarity to request that they restrict the Clarity client record. De-identify the client record in Clarity on your own. Question Title * 19. Select all statements below that accurately describe how restricting records in Clarity works when a client declines or revokes authorization to share data: If only one agency has entered data into the client's record in Clarity, the record can be privatized by RTFH using Clarity's automatic Privacy feature and all data can be retained. If multiple agencies have entered data into a client's Clarity record, the record only needs to be de-identified if the client can be categorized as a member of a vulnerable population. If multiple agencies have entered data into a client's Clarity record, the record cannot be privatized using Clarity's automatic privacy feature and must be de-identified. If a client who you are serving is de-identified in Clarity, you will be informed by RTFH and should retain the client's PII and Clarity unique identifier on-paper in a secure location, then privatize any future data you enter throughout the course of serving the client. If a client who you are serving is de-identified in Clarity, you will be informed by RTFH and should delete all data that you entered into their record. The first step to restricting a client's record in Clarity is always emailing support@rtfhsd.org. The first step to restricting a client's record is only emailing support@rtfhsd.org if the record has had data entered by multiple agencies in Clarity and must be de-identified. Question Title * 20. Do you have any questions or topics you would like to receive more information on? *Optional Page1 / 1 100% of survey complete. Done