Our HMIS Security Policy has been updated & will be reflected in our updated HMIS Policies and Procedures in the near future!
What has changed?
We are no longer using certificates to access the HMIS database.
What does this mean?
- Any user may access HMIS on a secure workstation without needing an HMIS certificate installed; the workstation must not be a personal device.
- In order to remain compliant with HUD's Proposed Rule and all standards set forth in the RICoC's HMIS Policies and Procedures, all HMIS users (regardless of their level of access) MUST maintain all private data securely.
- Computers that have had an HMIS certificate installed on them will not need the certificate removed.
- Audit reports will be run using IP addresses in order to monitor access to HMIS and ensure it is not being misused.
What security precautions must
- The HMIS HelpDesk MUST be notified within 24 hours when a user changes to a position in which HMIS is not required or leaves an organization.
- All HMIS users must follow the same guidelines as agreed to upon signing their end user agreement that is in the HMIS Policies and Procedures manual.
- HMIS usernames and passwords must NEVER be shared - audits will be done to track usage. Sharing them will cause you to lose access to HMIS, which is a requirement for many organizations for select positions.
- HMIS Users who have not logged onto the system in the previous 30 days will be flagged as inactive and will need to contact the HelpDesk to gain access to the system again.
- Every single workstation used for HMIS must have a password-protected screen saver that is activated after 5 minutes of inactivity.
- Every device used to access HMIS must not be a public computer; if it is shared within the workplace, it should be password-protected with separate user accounts.
- Confidential data must NEVER be permanently stored on any device. If a report with client identifying information is downloaded, it must be deleted (and the trash/recycle bin and downloads folder must be emptied).
- Never send ANY screenshots or anything with client personally protected information (PPI) via unencrypted channels.
- HMIS must ONLY be accessed through a SECURED network. Do NOT access HMIS on any public network whatsoever (library, hospitals, coffee shop, etc.).