Ohio BoSCoC HMIS Security Breach Protocol
Rationale: The Policies and Procedures manual identifies the Security Standards applicable to all Ohio Balance of State Continuum of Care (BoSCoC) HMIS end users and Covered Homeless Organizations (CHOs). Breaches of these standards, including, but not limited to, sharing of usernames and passwords and emailing Personally Identifying Information (PII), are cause for serious concern and could potentially jeopardize client confidentiality. This protocol outlines the process that the HMIS Management Committee will use to respond to HMIS security breaches.
Policy: This process specifically applies to HMIS Security Breaches, though depending on the gravity of the breach, the HMIS Management Committee may opt to immediately and permanently revoke licensure, as specified in the Policies and Procedures manual.
Procedure: Any type of security breach will be deemed an offense for response via this protocol. The following information provides a description of what will occur once any breach has been detected:
These actions apply to any licensed HMIS user who breaches any of the security policies listed in Section IV (Security Standards) of the Ohio BoSCoC HMIS Policies and Procedures Manual.
If the login of a person who no longer works at the agency is shared, the agency will be in direct violation of its Agency Agreement with COHHIO. As such, in this case, the procedure would begin as if it were a Second Offense.
If there are multiple HMIS security breaches within one agency, the HMIS Management Committee may require a response from the agency, above and beyond the protocol listed above.