Kentucky Homeless Management Information System
Privacy Notice
Effective February 1, 2005
It shall be the policy of the Kentucky Homeless Management Information System (KYHMIS)
System Administrator(s), participating Providers and any entity or person(s) with access to the
Protected Personal Information (PPI) contained in KYHMIS to establish and adhere to the
following guidelines regarding the use and disclosure of PPI.
Participating KYHMIS agencies must comply with federal, state and local laws that require
additional confidentiality protections.
These KYHMIS standards give precedence to the HIPAA privacy and security rules because:
(1) The HIPAA rules are more finely attuned to the requirements of the health care system; (2)
the HIPAA rules provide important privacy and security protections for protected health
information; and (3) requiring a homeless provider to comply with or reconcile two sets of rules
would be an unreasonable burden.
Policies
Allowable KYHMIS Uses and Disclosures of Protected Personal Information (PPI)
1. Participating agencies may use or disclose PPI from KYHMIS under the following
circumstances: (1) to provide or coordinate services to an individual; (2) for functions
related to payment or reimbursement for services; (3) to carry out administrative
functions, including but not limited to legal, audit, personnel, oversight and management
functions; or (4) for creating de-identified PPI.
Use and disclosures required by law.
2. Participating agencies may use or disclose PPI when required by law to the extent that
the use or disclosure complies with and is limited to the requirements of the law.
Uses and disclosures to avert a serious threat to health or safety.
3. Participating agencies may, consistent with applicable law and standards of ethical
conduct, use or disclose PPI if: (1) The participating agency, in good faith, believes the
use or disclosure is necessary to prevent or lessen a serious and imminent threat to the
health or safety of an individual or the public; and (2) the use or disclosure is made to a
person reasonably able to prevent or lessen the threat, including the target of the threat.
Uses and disclosures about victims of abuse, neglect or domestic violence.
4. Participating agencies may disclose PPI about an individual whom the agency
reasonably believes to be a victim of abuse, neglect or domestic violence to a
government authority (including a social service or protective services agency)
Policies & Procedures Rev. 2.0 6/21/2007
authorized by law to receive reports of abuse, neglect or domestic violence under any of
the following circumstances:
• Where the disclosure is required by law and the disclosure complies with and
is limited to the requirements of the law;
• If the individual agrees to the disclosure; or
• To the extent that the disclosure is expressly authorized by statute or
regulation; and the agency believes the disclosure is necessary to prevent
serious harm to the individual or other potential victims; or if the individual is
unable to agree because of incapacity, a law enforcement or other public
official authorized to receive the report represents that the PPI for which
disclosure is sought is not intended to be used against the individual and that
an immediate enforcement activity that depends upon the disclosure would
be materially and adversely affected by waiting until the individual is able to
agree to the disclosure.
5. A participating agency that makes a permitted disclosure about victims of abuse, neglect
or domestic violence must promptly inform the individual that a disclosure has been or
will be made, except if:
• The agency, in the exercise of professional judgment, believes informing the
individual would place the individual at risk of serious harm; or
• The agency would be informing a personal representative (such as a family
member or friend), and the agency reasonably believes the personal
representative is responsible for the abuse, neglect or other injury, and that
informing the personal representative would not be in the best interests of the
individual as determined by the agency in the exercise of professional
judgment.
Use and disclosures for academic research purposes:
6. Participating agencies may use or disclose PPI for academic research conducted by an
individual or institution that has a formal relationship with the agency if the research is
conducted either:
• By an individual employed by or affiliated with the organization for use in a
research project conducted under a written research agreement approved in
writing by a program administrator (other than the individual conducting the
research) designated by the agency; or
• By an institution for use in a research project conducted under a written
research agreement approved in writing by a program administrator
designated by the agency.
7. A written research agreement must: (1) Establish rules and limitations for the processing
and security of PPI in the course of the research; (2) provide for the return or proper
disposal of all PPI at the conclusion of the research; (3) restrict additional use or
disclosure of PPI, except where required by law; and (4) require that the recipient of data
formally agree to comply with all terms and conditions of the agreement. A written
research agreement is not a substitute for approval of a research project by an
Institutional Review Board, Privacy Board or other applicable human subjects protection
institution.
Disclosures for law enforcement purposes.
8. A participating agency may, consistent with applicable law and standards of ethical
conduct, disclose PPI for a law enforcement purpose to a law enforcement official under
any of the following circumstances:
• In response to a lawful court order, court-ordered warrant, subpoena or
summons issued by a judicial officer, or a grand jury subpoena;
• If the law enforcement official makes a written request for protected personal
information that: (1) Is signed by a supervisory official of the law enforcement
agency seeking the PPI; (2) states that the information is relevant and
material to a legitimate law enforcement investigation; (3) identifies the PPI
sought; (4) is specific and limited in scope to the extent reasonably
practicable in light of the purpose for which the information is sought; and (5)
states that de-identified information could not be used to accomplish the
purpose of the disclosure.
9. If the agency believes in good faith that the PPI constitutes evidence of criminal conduct
that occurred on the premises of the agency;
10. In response to an oral request for the purpose of identifying or locating a suspect,
fugitive, material witness or missing person and the PPI disclosed consists only of name,
address, date of birth, place of birth, Social Security Number, and distinguishing physical
characteristics; or
11. If (1) the official is an authorized federal official seeking PPI for the provision of
protective services to the President or other persons authorized by 19 U.S.C. 3056, or to
foreign heads of state or other persons authorized by 22 U.S.C. 2709 (a)(3), or for the
conduct of investigations authorized by 18 U.S.C. 871 and 879 (threats against the
President and others); and (2) the information requested is specific and limited in scope
to the extent reasonably practicable in light of the purpose for which the information is
sought.
Collection limitation.
12. A participating agency may collect PPI only when appropriate to the purposes for which
the information is obtained or when required by law. An agency must collect PPI by
lawful and fair means and, where appropriate, with the knowledge or consent of the
individual.
Purpose specification and use limitation.
13. Participating agencies may use or disclose PPI only if the use or disclosure is allowed by
the standards described in this privacy notice. Agencies may infer consent for all uses
and disclosures specified in this notice and for uses and disclosures determined by the
agency to be compatible with those specified in the notice.
14. Except for first party access to information and any required disclosures for oversight of
compliance with HMIS Privacy and security standards, all uses and disclosures are
permissive and not mandatory. Uses and disclosures not specified in the privacy notice
can be made only with the consent of the individual or when required by law.
15. A participating agency must obtain written consent from the individual to use or disclose
personal information with a third party. See the Informed Client Consent and Release of
Information document.
16. Participating agencies agree to additional restrictions on use or disclosure of an
individual's PPI at the request of the individual if the request is reasonable and noted on
the Informed Client Consent and Release of Information. The agency is bound by the
agreement, except if inconsistent with legal requirements.
17. Participating agencies may use or disclose any aggregate data obtained from KYHMIS
as long as all identifiers are removed.
Openness
18. Participating agencies must provide a copy of this privacy notice to any individual upon
request. A current version of the privacy notice is published on the web at
www.kyhmis.org.
19. This privacy notice may be amended at any time and the amendments may affect
information obtained before the date of change. An amendment to the privacy notice
regarding use or disclosure will be effective with respect to information processed before
the amendment, unless otherwise stated. All amendments to the privacy notice must be
consistent with the requirements of these privacy standards.
Access and correction.
20. In general, a participating agency must allow an individual to inspect and to have a copy
of any PPI about the individual. The agency must offer to explain any information that
the individual may not understand.
21. Participating agencies must consider any request by an individual for correction of
inaccurate or incomplete PPI pertaining to the individual. An agency is not
required to remove any information but may, in the alternative, mark information as
inaccurate or incomplete and may supplement it with additional information.
22. Participating agencies reserve the ability to rely on the following reasons for denying an
individual inspection or copying of the individual's PPI:
• Information compiled in reasonable anticipation of litigation or comparable
proceedings;
• Information about another individual (other than a health care or homeless
provider);
• Information, the disclosure of which would be reasonably likely to endanger
the life or physical safety of any individual.
23. Participating agencies can reject repeated or harassing requests for access or
correction. An agency that denies an individual's request for access or correction must
explain the reason for the denial to the individual and must include documentation of the
request and the reason for the denial as part of the protected personal information about
the individual.
Accountability.
24. Questions or complaints about this privacy notice should be sent in writing to KYHMIS
staff at: Kentucky Housing Corp, 1231 Louisville Rd., Frankfort, KY attn: KYHMIS.
