
2.3. Security Breaches Protocol

Ohio BOSCOC HMIS Security Breach Protocol

Rationale: The Policies and Procedures manual identifies the Security Standards applicable to all Ohio Balance of State Continuum of Care (BOSCOC) HMIS end users and Covered Homeless Organizations (CHOs). Breaches of these standards, including, but not limited to, sharing of usernames and passwords and emailing Personally Identifying Information (PII), are cause for serious concern and could potentially jeopardize client confidentiality. This protocol outlines the process that the HMIS Core Team will use to respond to HMIS security breaches.

Policy: This process specifically applies to HMIS Security Breaches, though depending on the gravity of the breach, the Core Team may opt to immediately and permanently revoke licensure, as specified in the Policies and Procedures manual.

Procedure: Any type of security breach will be deemed an offense for response via this protocol. The following information provides a description of what will occur once any breach has been detected:

o   Inactivate login immediately.

o   User must take and pass the Privacy and Security quiz to get license back.

o   User must have their supervisor and Executive Director or equivalent sign the Security Breach Acknowledgement form.

o   Inactivate login immediately.

o   Notify the user's supervisor and Executive Director or equivalent.

o   Notify the HMIS Lead Agency (ODSA).

o   May notify ODSA, HUD, or VA, who may withhold funding or take other action due to violation of the agency's grant agreement, at HMIS Lead Agency's (ODSA) discretion.

o   License may be reactivated at HMIS Lead Agency's (ODSA) discretion.

o   License revoked permanently.

o   Further actions taken as necessary, such as reporting to funder or notifying clients of the data breach.

Additional Information:

These actions apply to any licensed HMIS user who breaches any of the security policies listed in Section IV (Security Standards) of the Ohio Balance of State HMIS policy.

If the login of a person who no longer works at the agency is shared, the agency will be in direct violation of its Agency Agreement with ODSA. As such, in this case, the procedure would begin as if it were a Second Offense.

If there are multiple HMIS security breaches within one agency, the HMIS Core Group may require a response from the agency, over and beyond the protocol listed above.

To obtain a login, contact the COHHIO HMIS Department at hmis@cohhio.org for training. As stated in the Policies and Procedures manual, the Balance of State HMIS offers two ServicePoint licenses per agency. Should your agency need more licenses than this, the agency must cover the extra costs. Users will receive a license after successfully completing training.

