Homeless Management Information Systems Requirements
Federal Register, Volume 76 Issue 237 (Friday, December 9, 2011)
Federal Register Volume 76, Number 237 (Friday, December 9, 2011)
Proposed Rules
Pages 76917-76927
From the Federal Register Online via the Government Printing Office www.gpo.gov
FR Doc No: 2011-31634
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT
24 CFR Parts 91, 576, 580, and 583
Docket No. FR-5475-P-01
Homeless Management Information Systems Requirements
AGENCY: Office of the Assistant Secretary for Community Planning and Development.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: This proposed rule provides for the establishment of regulations for Homeless Management Information Systems (HMIS), which are the local information technology systems that HUD recipients and subrecipients use for homeless assistance programs authorized by the McKinney-Vento Homeless Assistance Act (the McKinney-Vento Act). The Homeless Emergency Assistance and Rapid Transition to Housing Act of 2009 (HEARTH Act), enacted into law on May 20, 2009, in addition to consolidating and amending programs authorized by the McKinney-Vento Act, codifies in law the Continuum of Care planning process, as well as certain data collection requirements integral to HMIS. The HEARTH Act requires that HUD ensure operation of and consistent participation by recipients and subrecipients in HMIS. While Continuums of Care have been using HMIS for several years, this proposed rule would add a new part to the Code of Federal Regulations to regulate the administration of HMIS and collection of data using HMIS, as provided for by the HEARTH Act. In addition, this proposed rule would make corresponding changes to HUD's regulations for Consolidated Submissions for Community Planning and Development Programs, at 24 CFR part 91; the Emergency Solutions Grants program, at 24 CFR part 576; the Shelter Plus Care Program, at 24 CFR part 582; and the Supportive Housing Program, at 24 CFR part 583.
DATES: Comment Due Date. February 7, 2012.
ADDRESSES: Interested persons are invited to submit comments regarding this rule to the Regulations Division, Office of General Counsel, 451 7th Street, SW., Room 10276, Department of Housing and Urban Development, Washington, DC 20410-0500. Communications must refer to the above docket number and title. There are two methods for submitting public comments. All submissions must refer to the above docket number and title.
1. Submission of Comments by Mail. Comments may be submitted by mail to the Regulations Division, Office of General Counsel, Department of Housing and Urban Development, 451 7th Street SW., Room 10276, Washington, DC 20410-0500.
2. Electronic Submission of Comments. Interested persons may submit comments electronically through the Federal eRulemaking Portal at http://www.regulations.gov. HUD strongly encourages commenters to submit comments electronically. Electronic submission of comments allows the commenter maximum time to prepare and submit comments, ensures timely receipt by HUD, and enables HUD to make them immediately available to the public. Comments submitted electronically through the http://www.regulations.gov Web site can be viewed by other commenters and interested members of the public. Commenters should follow the instructions provided on that site to submit comments electronically.
Note: To receive consideration as public comments, comments must be submitted through one of the two methods specified above. Again, all submissions must refer to the docket number and title of the rule.
No Facsimile Comments. Facsimile (FAX) comments are not acceptable.
Public Inspection of Public Comments. All properly submitted comments and communications submitted to HUD will be available for public inspection and copying between 8 a.m. and 5 p.m., eastern time, weekdays at the above address. Due to security measures at the HUD Headquarters building, an advance appointment to review the public comments must be scheduled by calling the Regulations Division at (202) 708-3055 (this is not a toll-free number). Individuals with speech or hearing impairments may access this number through TTY by calling the Federal Information Relay Service at (800) 877-
Page 76918
8339. Copies of all comments submitted are available for inspection and downloading at http://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Ann Marie Oliva, Director, Office of Special Needs Assistance Programs, Office of Community Planning and Development, Department of Housing and Urban Development, 451 7th Street SW., Washington, DC 20410-7000; telephone number (202) 708-4300 (this is not a toll-free number). Hearing- and speech-impaired persons may access this number through TTY by calling the Federal Information Relay Service at (800) 877-8339 (this is a toll-free number).
SUPPLEMENTARY INFORMATION:
-
Background--HEARTH Act
The Act to Prevent Mortgage Foreclosures and Enhance Mortgage Credit Availability was signed into law on May 20, 2009 (Pub. L. 111-
22). This new law implements a variety of measures directed toward keeping individuals and families from losing their homes. Division B of this new law is the Homeless Emergency Assistance and Rapid Transition to Housing Act of 2009. The HEARTH Act consolidates and amends three of the homeless assistance programs authorized by title IV of the McKinney-Vento Act (42 U.S.C. 11371 et seq.) into a single grant program. Also, the HEARTH Act revised the Emergency Shelter Grants program to broaden its existing emergency shelter and homelessness prevention activities, to add new activities to rapidly rehouse homeless families and individuals, and to change the program's name to the Emergency Solutions Grant program. The HEARTH Act also codifies in law the Continuum of Care planning process and certain data collection requirements and requires HUD to ensure operation of and consistent participation by recipients and subrecipients of programs authorized by Title IV of the McKinney-Vento Act in HMIS.
-
This Proposed Rule
-
Background
Commencing in 2004, HUD has required recipients of McKinney-Vento Act funds to collect electronic data on their homeless clients through HMIS.\1\ HMIS is a software application used to collect demographic information on people served. The purpose of HMIS is to record and store client-level information about the numbers, characteristics and needs of persons who use homeless housing and supportive services and about persons who receive assistance for persons at risk of homelessness over time, to produce an unduplicated count of homeless persons for each Continuum of Care; to understand the extent and nature of homelessness locally, regionally and nationally; and to understand patterns of service use and measure the effectiveness of programs.
---------------------------------------------------------------------------
\1\ HUD's ``Third Progress Report on HUD's Strategy for Improving Homeless Data Collection, Reporting and Analysis,'' dated March 2004, described HUD's efforts, commencing in 2001 and in collaboration with recipients and subrecipients to develop an effective data collection system on the homeless, at both the national and local levels. See http://www.hud.gov/offices/cpd/homeless/hmis/strategy/reporttocongress2004.pdf. These efforts concluded with a notice that HUD published in the Federal Register on July 30, 2004 (69 FR 45888) that provided final data and technical standards for HMIS.
---------------------------------------------------------------------------
This proposed rule establishes regulations for HMIS at 24 CFR part 580 and makes corresponding amendments to the Consolidated Plan regulations, codified in 24 CFR part 91; the Emergency Solutions Grants program regulations, codified in 24 CFR part 576, and established by interim rule published on December 5, 2011 (76 FR 75954); the Shelter Plus Care program regulations, codified in 24 CFR part 582; and the Supportive Housing Program regulations, codified in 24 CFR part 583. Informed by HUD's experience with HMIS, the proposed rule would implement the HEARTH Act requirements and make mandatory the practices that HUD previously provided as guidance. The regulatory framework proposed by this rule is designed to provide for uniform technical requirements of HMIS, for proper collection of data and maintenance of the database, and to ensure the confidentiality of the information in the database. HUD is publishing the HMIS rule separate from the program rules in part to avoid repetition in those rules, but also because recipients of grants and assistance from other Federal agencies that are now requiring them to use HMIS to collect data and produce reports will benefit from a separate rule.
The following sections of this preamble provide a section-by-
section overview of the proposed rule.
-
Section-by-Section Overview of Proposed Part 580
General Provisions (Subpart A)
Purpose and Scope (Sec. 580.1)
This section provides that the purpose of HMIS is to record and store client-level information about the numbers, characteristics, and needs of homeless persons and those at risk of homelessness. This section also clarifies the scope of homeless assistance and prevention programs that must utilize HMIS.
With respect to scope, this rule clarifies that all recipients of financial assistance under the Continuum of Care program, the Emergency Solutions Grant program, the Rural Housing Stability Assistance (RHS) program, as well as HUD programs previously funded under the McKinney-
Vento Act (the Supportive Housing Program, the Shelter Plus Care program, and the Section 8 Single Room Occupancy Moderate Rehabilitation program) are required to use HMIS to collect client-
level data on persons served. Homeless and nonhomeless projects not funded under the McKinney-Vento Act may participate in the local HMIS, and must follow HMIS regulations and any additional requirements as may be issued by notice, in accordance with the Paperwork Reduction Act.
Definitions (Sec. 580.3)
Under this rule, a comparable database means a database used by a victim service provider or a legal service provider that collects client-level data over time and generates unduplicated aggregate reports based on the data, in accordance with the requirements of this part. Information entered into a comparable database must not be entered directly into or provided to an HMIS.
Consistent with section 401(32) of the McKinney-Vento Act, this rule defines the term victim service provider as a private nonprofit organization whose primary mission is to provide services to victims of domestic violence, dating violence, sexual assault, or stalking. This term includes rape crisis centers, battered women's shelters, domestic violence transitional housing programs, and other programs.
HMIS Administration (Subpart B)
This section of the proposed rule identifies the responsibilities of the Continuum of Care, and the HMIS Lead.
Responsibilities for HMIS Administration (Sec. 580.5)
This section establishes that the Continuum of Care is responsible for making decisions about HMIS management and administration. As provided in the Definition section of this rule, Continuum of Care means the group composed of representatives of organizations, including nonprofit homeless providers, faith-based organizations, governments, businesses, advocates, public housing agencies, school districts, social service providers,
Page 76919
mental health agencies, hospitals, universities, affordable housing developers, and law enforcement, that serve homeless and formerly homeless veterans, and homeless and formerly homeless persons that carry out the responsibilities delegated to a Continuum of Care under HUD's regulations in 24 CFR part 578. The Continuum of Care is responsible for ensuring that the HMIS for the Continuum of Care is operated in accordance with the provisions of the new regulations and other applicable laws.
Duties of the Continuum of Care (Sec. 580.7)
This section provides that the Continuum of Care must designate a single information system as the official HMIS software for the geographic area. A single information system reduces administrative burden, is more economical for Continuums and, most importantly, allows for Continuum-wide collaboration between organizations serving homeless persons and persons at risk of homelessness. The Continuum must also designate the HMIS Lead. The HMIS Lead must be an instrumentality of state or local government, or a private nonprofit organization. The Continuum must review, revise, and approve all policies and plans the HMIS Lead is required to develop. Finally, the Continuum must develop a governance charter and document all assignments and designations consistent with the governance charter.
This section also provides that a Continuum of Care may choose to participate in HMIS with one or more other Continuums of Care. To create a multi-Continuum HMIS, each Continuum must designate the same HMIS software and the same HMIS Lead and must adopt a joint governance charter. The HMIS must be capable of reporting unduplicated data for each Continuum of Care separately.
Duties of the HMIS Lead (Sec. 580.9)
This section lists the duties of the HMIS Lead. These duties include developing written policies and procedures for all Covered Homeless Organizations (CHOs), executing an HMIS participation agreement with each CHO, serving as the applicant to HUD for any HMIS grants that will cover the Continuum of Care geographic area, and monitoring compliance by all CHOs of the Continuum of Care.
Eligible Activities (Subpart C)
Funding for HMIS (Sec. 580.21)
Funding for HMIS is provided through Federal assistance or other public or private resources. HMIS Leads and CHOs must refer to program regulations to determine how funds are made available. One source of Federal funding for HMIS is the programs authorized by Title IV of the McKinney-Vento Act. The applicable program regulations for the HUD McKinney-Vento Act programs are found in the regulations of Chapter V of title 24 of the Code of Federal Regulations. These regulations provide how funds are made available and the requirements attached to those funds. Concurrently with the publication of this rule, HUD is also publishing the Emergency Solutions Grants interim rule. HUD expects to publish proposed rules for the new programs created by the HEARTH Act amendments to the McKinney-Vento Act shortly. Those rules will control the extent to which grant funds can be used for the costs of carrying out HMIS activities.
Eligible Activities (Sec. 580.23)
This section identifies the activities that are needed to administer and run an HMIS. The activities listed in Sec. 580.23(a) may be carried out only by the HMIS Lead. This is because the HMIS Lead is the only organization given the authority by the Continuum of Care to make system-wide decisions regarding the HMIS that impact all CHOs within the Continuum and because all of these activities relate to administering the system on behalf of the Continuum and the CHOs. The activities listed in Sec. 580.23(b) are activities that every organization that contributes data to an HMIS will need to do. If an HMIS Lead also operates a project and contributes data to the HMIS, it will carry out these activities in addition to those listed under Sec. 580.23(a). This section also clarifies that operation of a comparable database by victim service providers and legal service providers is an eligible HMIS activity.
Carrying Out HMIS Activities (Sec. 580.25)
This section requires recipients and subrecipients of McKinney-
Vento Act program funds to participate in the HMIS established by the Continuum of Care for their geographic area and specifies the parameters in which recipients and subrecipients of funds carry out eligible HMIS activities. Participation in HMIS by recipients and subrecipients of Emergency Solutions Grants program funds is statutorily required.
This section also provides that victim service providers must not directly enter or provide data into an HMIS if they are legally prohibited from participating in HMIS and that legal service providers may choose not to use HMIS if it is necessary to protect attorney-
client privileges. Victim service providers and legal service providers that are recipients of funds requiring participation in HMIS, but which do not directly enter data into an HMIS, must use a comparable database. This section specifies the standards for a comparable database. Victim service providers have been prohibited from entering data into HMIS since the passage of the Violence Against Women Act and Department of Justice Reauthorization Act of 2005 (42 U.S.C. 13925). The Notice of Allocation, Application Procedures, and Requirements for Homelessness Prevention and Rapid Re-Housing Program Recipients and subrecipients under the American Recovery and Reinvestment Act of 2009 (HPRP Notice) established, for the first time, standards for a comparable database and required victim service providers to enter data into a comparable database. Entering data into a comparable database was necessary to produce the reports required by the Homelessness Prevention and Rapid Re-Housing Program (HPRP). The HPRP Notice also established the ability for legal service providers to use a comparable database instead of directly entering data into the HMIS where it is necessary to protect attorney-client privileges. HUD is proposing to adopt above requirements in this rule because without information from victim service providers and legal service providers, the collaborative applicant cannot effectively carry out its required duties and the Continuum of Care cannot evaluate the system-wide performance of the Continuum. A comparable database allows the collaborative applicant and Continuum to obtain the aggregate data needed while respecting the sensitive nature of the client-level information if it complies with all HMIS data, technical, and security standards as established in this part or by notice.
HMIS Governance, Technical, Security, and Data Quality Standards (Subpart D)
HMIS Governance Standards (Sec. 580.31)
The importance of the integrity and security of HMIS cannot be overstated. Given such importance, it is equally important that HMIS is administered and operated under high standards of data quality and security. To strive to meet this objective, this section requires the HMIS Lead to adopt policies and procedures for the operation of its HMIS. These policies and procedures must not only meet HUD standards, but as this regulatory section specifies, the
Page 76920
policies and procedures must meet applicable state or local governmental requirements. This section also emphasizes that the HMIS Lead and the CHOs are jointly responsible for ensuring that HMIS data processing capabilities, including the collection, maintenance, use, disclosure, transmission, and destruction of data and the maintenance privacy, security, and confidentiality protections. In particular, governing policies and procedures must allow any CHO that is also a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) to make disclosures of protected health information in a manner that fully complies with the HIPAA privacy and security rules.
HMIS Technical Standards (Sec. 580.33), HMIS Security Standards (Sec. 580.35), and Data Quality Standards and Management (Sec. 580.37)
These three sections address required technical aspects of the HMIS system and provide direction to ensure that each HMIS is and remains a system of accuracy, integrity, and confidentiality. The standards in these three regulatory sections broadly present the parameters of each of these areas. By including these standards in regulations, HUD seeks to have uniform and consistent standards with respect to technology, security, and data quality. It is not HUD's intent that these standards be so restrictive that there is no flexibility to adapt to changing technology, which may enhance security, data quality, and the technical features of the system application that is currently HMIS. Therefore, specific details applicable to each of these areas will be reserved for inclusion in a notice that will be subject to the Paperwork Reduction Act.
The placement of the detailed operating and technical functions of HMIS in a supplemental document will allow HUD to be more responsive to changes in technology. HUD will propose any changes to these standards through notice and the public comment process. This procedure will allow for a more expedient adoption of technology requirements. The security standards section specifies that HMIS Leads must establish a security plan, which must be approved by the Continuum of Care, designate a security officer, conduct workforce security screening, report security incidents, establish a disaster recovery plan, and conduct an annual security review. Additionally, HMIS Leads must ensure that each CHO designates a security officer and conducts workforce security measures, and that each user completes security training at least annually and each CHO conducts an annual security review.
The data quality standards and management section specifies that HMIS Leads must set data quality benchmarks for CHOs, including bed coverage rates and service-volume coverage rates. In the 2006 Continuum of Care Exhibit 1 Application, HUD established the use of bed coverage rates as a data quality measure. As HMIS is used to collect increasing amounts of information on projects without overnight accommodations, HUD needs a method for calculating the coverage rate a Continuum of Care has in recording the people served in these projects. HUD proposes that service-volume coverage be calculated for a HUD-defined category of projects without overnight accommodations, such as homelessness prevention projects or street outreach projects, by dividing the number of persons served annually by the projects that participate in the HMIS by the number of persons served annually by all of the Continuum of Care projects within the HUD-defined category. HUD is specifically seeking public comment on this data quality measurement.
Maintaining and Archiving Data (Sec. 580.51)
This section specifies that CHOs and HMIS Leads refer to applicable program regulations to determine the length of time that records must be maintained for inspection and monitoring purposes. The HMIS Lead may archive data in the HMIS, but must follow archiving data standards established by HUD in Federal Register notices.
-
Explanation of Changes to Proposed Changes to Parts 91, 576, 582, and 583
This proposed rule would revise the definition of HMIS in 24 CFR part 91 and each of the HMIS-related sections of 24 CFR part 576, as amended by the Interim Rule for the Emergency Solutions Grants program, published on December 5, 2011 (76 FR 75954). Specifically, references to the new part 580 replace the references to HUD's standards on participation, data collection, and reporting under a local HMIS.
This proposed rule would also revise the recordkeeping requirements for the definition of ``homeless'' to allow a certificate or other appropriate service transaction recorded in an HMIS that meets the requirements of the new part 580 to be acceptable evidence of third-
party documentation and intake worker observations in parts 576, 582, and 583.
-
-
Solicitation of Public Comment
HUD invites comment on the HMIS requirements as presented in this proposed rule. Public comment on this rule will assist HUD in developing an effective regulatory framework for administration of HMIS.
-
Findings and Certifications
Regulatory Planning and Review
The Office of Management and Budget (OMB) reviewed this rule under Executive Order 12866, ``Regulatory Planning and Review.'' This rule was determined to be a ``significant regulatory action,'' as defined in section 3(f) of the order (although not an economically significant regulatory action under the order). The docket file is available for public inspection in the Regulations Division, Office of the General Counsel, 451 7th Street SW., Room 10276, Washington, DC 20410-0500. Due to security measures at the HUD Headquarters building, please schedule an appointment to review the docket file by calling the Regulations Division at (202) 402-3055 (this is not a toll-free number). Individuals with speech or hearing impairments may access this number via TTY by calling the Federal Relay Service at (800) 877-8339.
Information Collection Requirements
The information collection requirements contained in this proposed rule have been submitted to OMB under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3520). In accordance with the Paperwork Reduction Act, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information, unless the collection displays a currently valid OMB control number.
The burden of the information collections in this proposed rule is estimated as follows:
Page 76921
Reporting and Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
Response
Information collection Number of frequency Total annual Burden hours Total annual
respondents (average) responses per response hours
----------------------------------------------------------------------------------------------------------------
580.5 Responsibility for HMIS 450 1 450 4 1,800
administration.................
580.7 Duties of the Continuum of 450 1 450 42 18,900
Care...........................
580.9(a) Duties of the HMIS 350 125 43,750 8 350,000
Lead--Ensure operation and
participation..................
580.9(b) Duties of the HMIS 350 1 350 80 28,000
Lead--Develop written policies.
580.9(c) Duties of the HMIS 350 125 43,750 1 43,750
Lead--Execute participation
agreements.....................
580.9(e) Duties of the HMIS 350 125 43,750 8 350,000
Lead--Monitor and Enforce
Compliance.....................
580.9(f) Duties of the HMIS 350 3 1,050 40 42,000
Lead--Develop plans............
580.25(d) Carrying out HMIS 2,000 1 2,000 40 80,000
Activities--Standards for
Comparable Database............
580.31(c) Unduplicated Count.... 350 1 350 16 5,600
580.31(f) Implementing 300 1 300 4 1,200
specifications.................
580.35(d)(1) Administrative 7,600 1 7,600 2 15,200
Safeguards--Security Officer...
580.35(d)(2) Workforce Security. 7,600 12 91,200 2 182,400
580.35(d)(3) Security Awareness 350 125 43,750 1 43,750
Training and Follow-up.........
580.35(d)(4) Reporting Security 350 1 350 8 2,800
Incidents......................
580.35(d)(5) Disaster Recovery 350 1 350 8 2,800
Plan...........................
580.35(6) Annual Security Review 350 125 43,750 1 43,750
580.35(7) Contracts and Other 350 125 43,750 .25 10,938
Arrangements...................
580.37(c) Data Quality 350 1 350 4 1,400
Benchmarks.....................
-------------------------------------------------------------------------------
Total....................... .............. .............. .............. .............. 1,224,288
----------------------------------------------------------------------------------------------------------------
In accordance with 5 CFR 1320.8(d)(1), HUD is soliciting comments from members of the public and affected agencies concerning this collection of information to:
(1) Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
(2) Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information;
(3) Enhance the quality, utility, and clarity of the information to be collected; and
(4) Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated collection techniques or other forms of information technology; e.g., permitting electronic submission of responses.
Interested persons are invited to submit comments regarding the information collection requirements in this rule. Comments must refer to the proposal by name and docket number (FR-5475-P-01) and must be sent to:
HUD Desk Officer, Office of Management and Budget, New Executive Office Building, Washington, DC 20503, Fax number: (202) 395-6947; and
Reports Liaison Officer, Office of Community Planning and Development, Department of Housing and Urban Development, 451 Seventh Street, SW., Room 7220, Washington, DC 20410-7000.
Environmental Impact
This proposed rule does not direct, provide for assistance or loan and mortgage insurance for, or otherwise govern or regulate, real property acquisition, disposition, leasing, rehabilitation, alteration, demolition, or new construction, or establish, revise, or provide for standards for construction or construction materials, manufactured housing, or occupancy. Accordingly, under 24 CFR 50.19(c)(1), this proposed rule is categorically excluded from environmental review under the National Environmental Policy Act of 1969 (42 U.S.C. 4321).
Unfunded Mandates Reform Act
The Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538) (UMRA) establishes requirements for Federal agencies to assess the effects of their regulatory actions on state, local, and tribal governments and on the private sector. This proposed rule does not impose a Federal mandate on any state, local, or tribal government, or on the private sector, within the meaning of UMRA.
Regulatory Flexibility Act
The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) generally requires an agency to conduct a regulatory flexibility analysis of any rule subject to notice and comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. This rule addresses the requirements of the HMIS as provided by the HEARTH Act (Pub. L. 111-22). The purpose of this rule is to determine the framework and conditions of the information technology system used by all recipients of grant funds under the McKinney-Vento Act, as amended by the HEARTH Act. Given the narrow scope of this rule, HUD has determined that it would not have a significant economic impact on a substantial number of small entities.
Notwithstanding HUD's determination that this rule will not have a significant effect on a substantial number of small entities, HUD specifically invites comments regarding any less burdensome alternatives to this rule that will meet HUD's objectives as described in this preamble.
Executive Order 13132, Federalism
Executive Order 13132 (entitled ``Federalism'') prohibits an agency from publishing any rule that has federalism implications if the rule either imposes substantial direct compliance costs on state and local governments and is not required by statute, or the rule preempts state law, unless the agency meets the consultation and funding requirements of section 6 of the Executive Order. This
Page 76922
final rule does not have federalism implications and does not impose substantial direct compliance costs on state and local governments nor preempt state law within the meaning of the Executive Order.
List of Subjects
24 CFR Part 91
Aged, Grant programs--housing and community development, Homeless, Individuals with disabilities, Low- and moderate-income housing, Reporting and recordkeeping requirements.
24 CFR Part 576
Community facilities, Emergency solutions grants, Grant programs--
housing and community development, Grant program--social programs, Homeless, Reporting and recordkeeping requirements.
Community facilities, Emergency shelter grants, Grant programs--
housing and community development, Homeless, Information technology system, Management system, Nonprofit organizations, Reporting requirements, Supportive housing programs--housing and community development, Supportive services.
24 CFR Part 582
Homeless, Rent subsidies, Reporting and recordkeeping requirements, Supportive housing programs--housing and community development, Supportive services.
24 CFR Part 583
Homeless, Rent subsidies, Reporting and recordkeeping requirements, Supportive housing programs--housing and community development, Supportive services.
Accordingly, for the reasons stated above, HUD proposes to amend 24 CFR parts 91, 576, 580, and 583 as follows:
PART 91--CONSOLIDATED SUBMISSIONS FOR COMMUNITY PLANNING AND DEVELOPMENT PROGRAMS
1. The authority citation for 24 CFR part 91 continues to read as follows:
Authority: 42 U.S.C. 3535(d), 3601-3619, 5301-5315, 11331-
11388, 12701-12711, 12741-12756, and 12901-12912.
2. In Sec. 91.5, the definition of ``Homeless Management Information System (HMIS)'' is revised to read as follows:
Sec. 91.5 Definitions.
* * * * *
Homeless Management Information System (HMIS). The information system designated by the Continuum of Care to comply with the requirements of 24 CFR part 580 and used to record, analyze, and transmit client and activity data in regard to the provision of shelter, housing, and services to individuals and families who are homeless or at risk of homelessness.
* * * * *
PART 576--EMERGENCY SOLUTIONS GRANTS PROGRAM
3. The authority citation for 24 CFR part 576 continues to read as follows:
Authority: 42 U.S.C. 11371 et seq., 42 U.S.C. 3535(d).
4. In Sec. 576.2, the definition of ``homeless management information system (HMIS)'' is revised, and the definition of ``HMIS Lead'' is added, to read as follows:
Sec. 576.2 Definitions.
* * * * *
Homeless Management Information System (HMIS) means the information system designated by the Continuum of Care to comply with 24 CFR part 580 and used to record, analyze, and transmit client and activity data in regard to the provision of shelter, housing, and services to individuals and families who are homeless or at risk of homelessness.
HMIS Lead means the entity designated by the Continuum of Care in accordance with 24 CFR part 580 to operate the Continuum's HMIS on the Continuum's behalf.
* * * * *
5. Section 576.107 is revised to read as follows:
Sec. 576.107 HMIS component.
(a) Eligible costs.
(1) The recipient or subrecipient may use ESG funds to pay the costs of contributing data to the HMIS designated by the Continuum of Care for the area, including the costs of:
(i) Purchasing or leasing computer hardware;
(ii) Purchasing software or software licenses;
(iii) Purchasing or leasing equipment, including telephones, faxes, and furniture;
(iv) Obtaining technical support;
(v) Leasing office space;
(vi) Paying charges for electricity, gas, water, phone service, and high-speed data transmission necessary to operate or contribute data to the HMIS;
(vii) Paying salaries for operating HMIS, including:
(A) Completing data entry;
(B) Monitoring and reviewing data quality;
(C) Completing data analysis;
(D) Reporting to the HMIS Lead;
(E) Training staff on using the HMIS or a comparable database; and
(F) Implementing and complying with HMIS requirements;
(viii) Paying costs of staff to travel to and attend HUD-sponsored and HUD-approved training on HMIS and programs authorized by Title IV of the McKinney-Vento Homeless Assistance Act;
(ix) Paying staff travel costs to conduct intake; and
(x) Paying participation fees charged by the HMIS Lead, as defined in 24 CFR 580.3, if the recipient or subrecipient is not the HMIS Lead.
(2) If the recipient or subrecipient is the HMIS Lead, as defined in 24 CFR 580.3, it may also use ESG funds to pay the costs of:
(i) Hosting and maintaining HMIS software or data;
(ii) Backing up, recovering, or repairing HMIS software or data;
(iii) Upgrading, customizing, and enhancing the HMIS;
(iv) Integrating and warehousing data, including development of a data warehouse for use in aggregating data from subrecipients using multiple software systems;
(v) Administering the system;
(vi) Reporting to providers, the Continuum of Care, and HUD; and
(vii) Conducting training on using the system or comparable database, including traveling to the training.
(3) If the subrecipient is a victim services provider or a legal services provider, it may use ESG funds to establish and operate a comparable database that complies with 24 CFR part 580.
(b) General restrictions. Activities funded under this section must comply with the HMIS requirements at 24 CFR part 580.
6. In Sec. 576.400, paragraph (f) is revised to read as follows:
Sec. 576.400 Area-wide systems coordination requirements.
* * * * *
(f) Participation in HMIS. The recipient must ensure that data on all persons served and all activities assisted under ESG are entered into the applicable HMIS for the geographic area in which those persons and activities are located, or a comparable database, as provided under 24 CFR part 580. The entry, storage, and use of this data are subject to the HMIS requirements at 24 CFR part 580.
7. In Sec. 576.500, paragraphs (b) and (x)(1)(i) are revised to read as follows:
Page 76923
Sec. 576.500 Recordkeeping and reporting requirements.
* * * * *
(a) * * *
(b) Homeless status. The recipient must maintain and follow written intake procedures to ensure compliance with the homeless definition in Sec. 576.2. The procedures must require documentation at intake of the evidence relied upon to establish and verify homeless status. The procedures must establish the order of priority for obtaining evidence as third-party documentation first, intake worker observations second, and certification from the person seeking assistance third. However, lack of third-party documentation must not prevent an individual or family from being immediately admitted to emergency shelter, receiving street outreach services, or being immediately admitted to shelter or receiving services provided by a victim service provider. A certificate or other appropriate service transaction recorded in an HMIS or other database that meets the standards prescribed by HUD in 24 CFR part 580 is acceptable evidence of third-party documentation and intake worker observations.
* * * * *
(x) * * *
(1) * * *
(i) All records containing protected identifying information, as defined in 24 CFR 580.3, regarding any individual or family who applies for and/or receives ESG assistance will be kept secure and confidential;
* * * * *
PART 582--SHELTER PLUS CARE
8. The authority for 24 CFR part 582 continues to read as follows:
Authority: 42 U.S.C. 3535(d), and 11403-11407b.
9. In Sec. 582.301, paragraph (b) is revised to read as follows:
Sec. 582.301 Recordkeeping.
(a) Reserved.
(b) Homeless status. The recipient must maintain and follow written intake procedures to ensure compliance with the homeless definition in Sec. 582.5. The procedures must require documentation at intake of the evidence relied upon to establish and verify homeless status. The procedures must establish the order of priority for obtaining evidence as third-party documentation first, intake worker observations second, and certification from the person seeking assistance third. However, lack of third-party documentation must not prevent an individual or family from being immediately admitted to emergency shelter, receiving street outreach services, or being immediately admitted to shelter or receiving services provided by a victim service provider, as defined in section 401(32) of the McKinney-Vento Homeless Assistance Act, as amended by the HEARTH Act. A certificate or other appropriate service transaction recorded in an HMIS or other database that meets the standards prescribed by HUD in 24 CFR part 580 is acceptable evidence of third-party documentation and intake worker observations.
* * * * *
PART 583--SUPPORTIVE HOUSING PROGRAM
10. The authority citation for 24 CFR part 583 continues to read as follows:
Authority: 42 U.S.C. 3535(d) and 11389.
11. In Sec. 583.301, paragraph (b) is revised to read as follows:
Sec. 583.301 Recordkeeping.
(a) Reserved.
(b) Homeless status. The recipient must maintain and follow written intake procedures to ensure compliance with the homeless definition in Sec. 583.5. The procedures must require documentation at intake of the evidence relied upon to establish and verify homeless status. The procedures must establish the order of priority for obtaining evidence as third-party documentation first, intake worker observations second, and certification from the person seeking assistance third. However, lack of third-party documentation must not prevent an individual or family from being immediately admitted to emergency shelter, receiving street outreach services, or being immediately admitted to shelter or receiving services provided by a victim service provider, as defined in section 401(32) of the McKinney-Vento Homeless Assistance Act, as amended by the HEARTH Act. A certificate or other appropriate service transaction recorded in an HMIS or other database that meets the standards prescribed by HUD in 24 CFR part 580 is acceptable evidence of third-party documentation and intake worker observations.
* * * * *
12. A new part 580 is added to read as follows:
PART 580--HOMELESS MANAGEMENT INFORMATION SYSTEM
Subpart A--General Provisions
Sec.
580.1 Purpose and scope.
580.3 Definitions.
Subpart B--HMIS Administration
580.5 Responsibility for HMIS administration.
580.7 Duties of the Continuum of Care.
580.9 Duties of the HMIS Lead.
Subpart C--Eligible Activities
580.21 Funding for HMIS.
580.23 Eligible Activities.
580.25 Carrying out eligible activities.
Subpart D--HMIS Governance, Technical, Security, and Data Quality Standards
580.31 HMIS governance standards.
580.33 HMIS technical standards.
580.35 HMIS security standards.
580.37 Data quality standards and management.
Subpart E--Maintaining and Archiving Data
580.41 Maintaining and archiving data.
Subpart F--Sanctions
580.51 Sanctions.
Authority: 42 U.S.C. 11301, 42 U.S.C. 3535(d).
Subpart A--General Provisions
Sec. 580.1 Purpose and scope.
(a) Purpose. The purpose of a homeless management information system (HMIS), whether funded by public or private resources, is to record and store client-level information about the numbers, characteristics, and needs of persons who use homeless housing and supportive services and for persons who receive assistance for persons at risk of homelessness, including:
(1) Aggregation of HMIS data. Information in HMIS may be aggregated to:
(i) Obtain information about the extent and nature of homelessness over time;
(ii) Produce an unduplicated count of homeless persons;
(iii) Understand patterns of service use; and
(iv) Measure the effectiveness of homeless assistance projects and programs.
(2) Uses of aggregate HMIS information. Information generated from the HMIS:
(i) Will be used by recipients and subrecipients to report to HUD and for such other reasons as may be specified in law or regulation or by HUD through notices;
(ii) Will be used by HUD and other Federal agencies to report to Congress, to evaluate recipient performance, and for such other reasons as may be specified in law or regulation or by HUD through notice; and
(iii) May be made available to the public to raise awareness and enhance local planning processes.
Page 76924
(b) Scope. (1) Every Continuum of Care must have an HMIS that is operated in compliance with the requirements of this part.
(2) All recipients of grants from the programs authorized by Title IV of the McKinney-Vento Act are required to use HMIS, except as provided in Sec. 580.25(d).
(3) Homeless and nonhomeless projects that are not funded by grants from programs authorized by Title IV of the McKinney-Vento Act may also participate in the local HMIS, and must follow all of the requirements set forth in this part.
Sec. 580.3 Definitions.
The following terms have the following meanings:
Act means the McKinney-Vento Homeless Assistance Act, and, unless otherwise specified, as amended by the Homeless Emergency Assistance and Rapid Transition to Housing Act of 2009 (Division B of Pub. L. 111-
22 (HEARTH Act) (42 U.S.C. 11371 et seq.).
Continuum of Care means the group composed of representatives from organizations including nonprofit homeless providers, victim service providers, faith-based organizations, governments, businesses, advocates, public housing agencies, school districts, social service providers, mental health agencies, hospitals, universities, affordable housing developers, law enforcement, organizations that serve veterans, and homeless and formerly homeless persons organized to carry out the responsibilities of a Continuum of Care established under 24 CFR part 578.
Comparable database means a database that is not the Continuum's official HMIS, but an alternative system that victim service providers and legal services providers may use to collect client-level data over time and to generate unduplicated aggregate reports based on the data, and that complies with the requirements of this part. Information entered into a comparable database must not be entered directly into or provided to an HMIS.
Contributing HMIS Organization (or CHO) means an organization that operates a project that contributes data to an HMIS.
Data recipient means a person who obtains personally identifying information from an HMIS Lead or from a CHO for research or other purposes not directly related to the operation of the HMIS, Continuum of Care, HMIS Lead, or CHO.
Homeless Management Information System (HMIS) means the information system designated by Continuums of Care to comply with the requirements of this part and used to record, analyze, and transmit client and activity data in regard to the provision of shelter, housing, and services to individuals and families who are homeless or at risk of homelessness.
HMIS Lead means an entity designated by the Continuum of Care in accordance with this part to operate the Continuum's HMIS on its behalf.
HMIS vendor means a contractor who provides materials or services for the operation of an HMIS. An HMIS vendor includes an HMIS software provider, web server host, data warehouse provider, as well as a provider of other information technology or support.
HUD means the Department of Housing and Urban Development.
Participation fee means a fee the HMIS Lead charges CHOs for participating in the HMIS to cover the HMIS Lead's actual expenditures, without profit to the HMIS Lead, for software licenses, software annual support, training, data entry, data analysis, reporting, hardware, connectivity, and administering the HMIS.
Protected identifying information means information about a program participant that can be used to distinguish or trace a program participant's identity, either alone or when combined with other personal or identifying information, using methods reasonably likely to be used, which is linkable to the program participant.
Unduplicated count of homeless persons means an enumeration of homeless persons where each person is counted only once during a defined period.
User means an individual who uses or enters data in an HMIS or another administrative database from which data is periodically provided to an HMIS.
Victim service provider means a private nonprofit organization whose primary mission is to provide services to victims of domestic violence, dating violence, sexual assault, or stalking. This term includes rape crisis centers, battered women's shelters, domestic violence transitional housing programs, and other programs.
Subpart B--HMIS Administration
Sec. 580.5 Responsibility for HMIS administration.
Every Continuum of Care must have an HMIS that complies with this part. The Continuum of Care is responsible for ensuring that its HMIS is administered in accordance with the requirements of this part and other applicable Federal, state, and local laws and ordinances.
Sec. 580.7 Duties of the Continuum of Care.
(a) Required duties. The Continuum of Care must:
(1) Designate a single information system as the official HMIS software for the geographic area. The software must comply with the requirements of this part.
(2) Designate an HMIS Lead, which may be itself, to operate the HMIS. The HMIS Lead must be a state or local government, an instrumentality of state or local government, or a private nonprofit organization.
(3) Develop a governance charter, which at a minimum includes:
(i) A requirement that the HMIS Lead enter into written HMIS Participation Agreements with each CHO requiring the CHO to comply with this part and imposing sanctions for failure to comply;
(ii) The participation fee charged by the HMIS; and
(iii) Such additional requirements as may be issued by notice from time to time.
(4) Maintain documentation evidencing compliance with this part and with the governance charter; and
(5) Review, revise and approve the policies and plans (required by this part and by any notices issued from time to time.
(b) Discretionary actions. A Continuum of Care may choose to participate in an HMIS with one or more other Continuums, subject to the following conditions:
(1) All Continuums of Care within a multi-Continuum HMIS must designate the same HMIS Lead and must work jointly with the HMIS Lead to develop and adopt a joint governance charter;
(2) All Continuums of Care within a multi-continuum HMIS must designate the same governance, technical, security, privacy, and data quality standards;
(3) Each Continuum of Care must designate the same information system as the official HMIS software; and
(4) The HMIS must be capable of reporting unduplicated data for each Continuum of Care separately.
Sec. 580.9 Duties of the HMIS Lead.
The HMIS Lead shall:
(a) Ensure the operation of and consistent participation by recipients of funds from the Emergency Solutions Grants Program and from the other programs authorized by Title IV of the McKinney-Vento Act. Duties include establishing the HMIS; conducting oversight of the HMIS; and taking
Page 76925
corrective action, if needed, to ensure that the HMIS is compliant with the requirements of this part;
(b) Develop written HMIS policies and procedures in accordance with Sec. 580.31 for all CHOs;
(c) Execute a written HMIS Participation Agreement with each CHO, which includes the obligations and authority of the HMIS Lead and CHO, the requirements of the security plan with which the CHO must abide, the requirements of the privacy policy with which the CHO must abide, the sanctions for violating the HMIS Participation Agreement (e.g., imposing a financial penalty, requiring completion of standardized or specialized training, suspending or revoking user licenses, suspending or revoking system privileges, or pursuing criminal prosecution), and an agreement that the HMIS Lead and the CHO will process Protected Identifying Information consistent with the agreement. The HMIS Participation Agreement may address other activities to meet local needs;
(d) Serve as the applicant to HUD for grant funds to be used for HMIS activities for the Continuum of Care's geographic area, as directed by the Continuum, and, if selected for an award by HUD, enter into a grant agreement with HUD to carry out the HUD-approved activities;
(e) Monitor and enforce compliance by all CHOs with the requirements of this part and report on compliance to the Continuum of Care and HUD;
(f) The HMIS Lead must submit a security plan (see Sec. 580.35), a data quality plan (see Sec. 580.37), and a privacy policy (see Sec. 580.31(g)) to the Continuum of Care for approval within the date that is 6 months after the effective date of the final rule to be inserted at final rule stage and within 6 months after the date that any change is made to the local HMIS. The HMIS Lead must review and update the plans and policy at least annually. During this process, the HMIS Lead must seek and incorporate feedback from the Continuum of Care and CHO. The HMIS Lead must implement the plans and policy within 6 months of the date of approval by the Continuum of Care.
Subpart C--Eligible Activities
Sec. 580.21 Funding for HMIS.
Eligibility of costs of carrying out HMIS activities depends on the source of the funds. HMIS Leads and CHOs must look to the regulations for the funding source to determine what costs are eligible.
Sec. 580.23 Eligible activities.
(a) HMIS Lead. Only the HMIS Lead may carry out the following activities:
(1) Host and maintain HMIS software or data;
(2) Backup, recovery, and repair of the HMIS software or data;
(3) Upgrade, customize, and enhance the HMIS;
(4) Integrate and warehouse data, including development of a data warehouse for use in aggregating data from subrecipients using multiple software systems;
(5) System administration;
(6) Report to providers, the Continuum, and HUD;
(7) Conduct training for recipients on the use of the system, including the reasonable cost of travel to the training; and
(8) Such additional activities as may be authorized by HUD in notice.
(b) HMIS Lead and CHOs. HMIS Leads that are also CHOs and other CHOs may carry out the following activities:
(1) Purchase, lease, or license computer hardware and software;
(2) Purchase or lease equipment, including telephones, faxes, and furniture;
(3) Pay for technical support;
(4) Lease office space;
(5) Pay for electricity, gas, water, phone service, and high-speed data transmission costs necessary to operate and participate in the HMIS;
(6) Pay salaries for operating HMIS, which includes:
(i) Data entry;
(ii) Monitor and review data quality;
(iii) Data analysis;
(iv) Report to the HMIS Lead;
(v) Attend HUD-sponsored and HUD-approved training on HMIS and programs authorized by Title IV of the McKinney-Vento Act;
(vi) Conduct training for CHOs on the HMIS or comparable database;
(vii) Travel to conduct intake and to attend training;
(viii) Implement and comply with HMIS requirements; and
(7) Pay the participation fee to the HMIS Lead that is established by the Continuum of Care in the governance charter;
(8) If the CHO is a victim services provider, as defined under 24 CFR 580.3, or a legal services provider, establish and operate a comparable database that complies with 24 CFR 580.25; and
(9) Such other activities as authorized by HUD in notice.
Sec. 580.25 Carrying out HMIS activities.
(a) ESG. Each recipient and subrecipient of ESG grant funds under 24 CFR part 576 is required to enter data in the Continuum's HMIS or a comparable database, as provided under this part.
(b) Reserved.
(c) Reserved.
(d) Victim service and legal service providers. Victim service providers shall not directly enter or contribute data into an HMIS if they are legally prohibited from participating in HMIS. Legal service providers may choose not to use HMIS if it is necessary to protect attorney-client privilege. Victim service and legal service providers that are recipients of funds that require participation in HMIS that do not directly enter or contribute data to an HMIS must use a comparable database instead.
(1) Standards for a comparable database. (i) The comparable database must meet the standards of this part and comply with all HMIS data information, security, and processing standards, as established by HUD in notice.
(ii) The comparable database must meet the standards for security, data quality, and privacy of the HMIS within the Continuum of Care. The comparable database may use more stringent standards than the Continuum of Care's HMIS.
(2) Victim service providers and legal service providers may suppress aggregate data on specific client characteristics if the characteristics meet the requirements of this part and any conditions as may be established by HUD in notice.
Subpart D--HMIS Governance, Technical, Security, and Data Quality Standards
Sec. 580.31 HMIS governance standards.
(a) Development of local HMIS policies and procedures. An HMIS Lead must adopt written policies and procedures for the operation of the HMIS that apply to the HMIS Lead, its CHOs, and the Continuum of Care. These policies and procedures must comply with all applicable Federal law and regulations, and applicable state or local governmental requirements. An HMIS Lead may not establish local standards for any CHO that contradicts, undermines, or interferes with the implementation of the HMIS standards as prescribed in this part.
(b) The HMIS Lead and the CHO using the HMIS are jointly responsible for ensuring that HMIS processing capabilities remain consistent with the privacy obligations of the CHO.
(c) Unduplicated count. An HMIS Lead must, at least once annually, or upon request from HUD, submit to the
Page 76926
Continuum of Care an unduplicated count of clients served and an analysis of unduplicated counts, when requested by HUD.
(d) Reporting. The HMIS Lead shall submit reports to HUD as required.
(e) CHO requirements. A CHO must comply with the applicable standards set forth in this part.
(f) Implementing specifications. A CHO must comply with Federal, state, and local laws that require additional privacy or confidentiality protections. When a privacy or security standard conflicts with other Federal, state, and local laws to which the CHO must adhere, the CHO must contact the HMIS Lead and collaboratively update the applicable policies for the CHO to accurately reflect the additional protections.
(g) Other requirements. (1) An HMIS Lead must develop a privacy policy. At a minimum, the privacy policy must include data collection limitations; purpose and use limitations; allowable uses and disclosures; openness description; access and correction standards; accountability standards; protections for victims of domestic violence, dating violence, sexual assault, and stalking; and such additional information and standards as may be established by HUD in notice.
(2) Every organization with access to protected identifying information must implement procedures to ensure and monitor its compliance with applicable agreements and the requirements of this part, including enforcement of sanctions for noncompliance.
(3) An HMIS Lead or CHO that contracts with an HMIS vendor must, as part of its contract with an HMIS vendor, require the HMIS vendor and the software to comply with HMIS standards issued by HUD.
Sec. 580.33 HMIS technical standards.
(a) In general. HMIS Leads and HMIS vendors are jointly responsible for ensuring compliance with the technical standards applicable to HMIS, as provided in this document and any supplemental notices, and for addressing any identified system or operating deficiencies promptly. Grant funds must be used only for software that meets the requirements of this part.
(b) Required functionality. The HMIS must meet all required functionality established by HUD in notice.
(c) Unduplication requirements. An HMIS must be capable of unduplicating client records as established by HUD in notice.
(d) Data collection requirements. (1) Collection of all data elements. An HMIS must contain fields for collection of all data elements established by HUD in notice. For fields that contain response categories, the response categories in the HMIS must either directly match or map to the response categories defined by HUD.
(2) Maintaining historical data. An HMIS must be able to record data from a theoretically limitless number of service transactions and historical observations for data analysis over time and assessment of client outcomes, while following Federal, state, territorial, or local data retention laws and ordinances.
(e) Reporting requirements. (1) Standard HUD reports. An HMIS must be able to generate the report outputs specified by HUD. The reporting feature must be able to represent dates in the past for all historical and transactional data elements.
(2) Data quality reports. An HMIS must be capable of producing reports that enable the CHOs and the HMIS Lead to assess compliance with local data quality benchmarks and any HUD-established data quality benchmarks.
(3) Audit reports. An HMIS must be capable of generating audit reports to allow the HMIS Lead to review the audit logs on demand, including minimum data requirements established by HUD in notice.
Sec. 580.35 HMIS security standards.
(a) In general. Security standards, as provided in this section, are directed to ensure the confidentiality, integrity, and availability of all HMIS information; protect against any reasonably anticipated threats or hazards to security; and ensure compliance by end users. Written policies and procedures must comply with all applicable Federal law and regulations, and applicable state or local governmental requirements.
(b) System applicability. All HMIS Leads, CHOs, and HMIS vendors must follow the security standards established by HUD in notice.
(c) Security management. (1) Security plan. All HMIS Leads must develop a HMIS security plan, which meets the minimum requirements for a security plan as established by HUD in notice, and which must be approved by the Continuum of Care.
(2) Timeline for implementation. The HMIS Lead must submit the security plan to the Continuum of Care for approval within 6 months of effective date of final rule to be inserted at final rule stage. The HMIS Lead and CHOs must implement all administrative, physical, and technical safeguards within 6 months of the initial approval of the security plan. If one or more of these standards cannot be implemented, the HMIS Lead must justify the implementation delay and produce a plan of action for mitigating the shortfall, and develop milestones to eliminate the shortfall over time.
(d) Administrative safeguards. The administrative actions, policies, and procedures required to manage the selection, development, implementation, and maintenance of security measures to protect HMIS information must, at a minimum, meet the following:
(1) Security officer. Each HMIS Lead and each CHO must designate an HMIS security officer to be responsible for ensuring compliance with applicable security standards. The HMIS Lead must designate one staff member as the HMIS security officer.
(2) Workforce security. The HMIS Lead must ensure that each CHO conduct criminal background checks on the HMIS security officer and on all administrative users. Unless otherwise required by HUD, background checks may be conducted only once for administrative users.
(3) Security awareness training and follow-up. The HMIS Lead must ensure that all users receive security training prior to being given access to the HMIS, and that the training curriculum reflects the policies of the Continuum of Care and the requirements of this part. HMIS security training is required at least annually.
(4) Reporting security incidents. Each HMIS Lead must implement a policy and chain of communication for reporting and responding to security incidents, including a HUD-determined predefined threshold when reporting is mandatory, as established by HUD in notice.
(5) Disaster recovery plan. The HMIS Lead must develop a disaster recovery plan, which must include at a minimum, protocols for communication with staff, the Continuum of Care, and CHOs and other requirements established by HUD in notice.
(6) Annual security review. Each HMIS Lead must complete an annual security review to ensure the implementation of the security requirements for itself and CHOs. This security review must include completion of a security checklist ensuring that each of the security standards is implemented in accordance with the HMIS security plan.
(7) Contracts and other arrangements. The HMIS Lead must retain copies of all contracts and agreements executed as part of the administration and management of the HMIS or required to
Page 76927
comply with the requirements of this part.
(e) Physical safeguards. The HMIS Lead must implement physical measures, policies, and procedures to protect the HMIS.
(f) Technical safeguards. The HMIS Lead must implement security standards establishing the technology that protects and controls access to protected electronic HMIS information, and outline the policy and procedures for its use.
Sec. 580.37 Data quality standards and management.
(a) In general. The data quality standards ensure the completeness, accuracy, and consistency of the data in the HMIS. The Continuum of Care is responsible for the quality of the data produced.
(b) Definitions. For the purpose of this section, the term:
(1) HMIS participating bed means a bed on which required information is collected in an HMIS and is disclosed at least once annually to the HMIS Lead in accordance with the requirements of this part.
(2) Lodging project means a project that provides overnight accommodations.
(3) Nonlodging project means a project that does not provide overnight accommodations.
(c) Data quality benchmarks. HMIS Leads must set data quality benchmarks for CHOs. Benchmarks must include separate benchmarks for lodging and nonlodging projects. HMIS Leads must establish data quality benchmarks, including minimum bed coverage rates and service-volume coverage rates, for the Continuum(s) of Care. HMIS Leads may establish different benchmarks for different types of projects (e.g., emergency shelter projects, permanent housing projects) based on population.
(1) For the purpose of data quality, the bed coverage rate measures the level of lodging project providers' participation in a Continuum of Care's HMIS.
(i) The bed coverage rate is calculated by dividing the number of HMIS participating by the total number of year-round beds in the geographic area covered by the Continuum of Care.
(ii) Bed coverage rates must be calculated separately for emergency shelter, safe haven, transitional housing, and permanent housing.
(iii) Bed coverage rates must be calculated for each comparable database.
(2) For the purpose of data quality, the service-volume coverage rate measures the level of nonlodging project participation in a Continuum of Care's HMIS.
(i) Service-volume coverage is calculated for each HUD-defined category of dedicated homeless nonlodging projects, such as street outreach projects, based on population.
(ii) The service-volume coverage rate is equal to the number of persons served annually by the projects that participate in the HMIS divided by the number of persons served annually by all Continuum of Care projects within the HUD-defined category.
(iii) Service-volume rates must be calculated for each comparable database.
(d) Data quality management. (1) Data quality plan. All HMIS Leads must develop and implement a data quality plan, as established by HUD in notice.
(2) The HMIS must be capable of producing reports required by HUD to assist HMIS Leads in monitoring data quality.
Subpart E--Maintaining and Archiving Data
Sec. 580.41 Maintaining and archiving data.
(a) Maintaining data. Applicable program regulations establish the length of time that records must be maintained for inspection and monitoring to determine that the recipient has met the requirements of the program regulations.
(b) Archiving data. Archiving data means the removal of data from an active transactional database for storage in another database for historical, analytical, and reporting purposes. The HMIS Lead must follow archiving data standards established by HUD in notice, as well as any applicable Federal, state, territorial, local, or data retention laws or ordinances.
Subpart F--Sanctions
Sec. 580.51 Sanctions
The program regulations for the programs that fund the HMIS activities contain the sanctions for noncompliance with this part.
Dated: November 4, 2011.
Mercedes Maacuterquez,
Assistant Secretary for Community, Planning and Development.
FR Doc. 2011-31634 Filed 12-8-11; 8:45 am
BILLING CODE 4210-67-P
