[Federal Register Volume 76, Number 237 (Friday, December 9, 2011)]
[Proposed Rules]
[Pages 76917-76927]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-31634]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

24 CFR Parts 91, 576, 580, and 583

[Docket No. FR-5475-P-01]


Homeless Management Information Systems Requirements

AGENCY: Office of the Assistant Secretary for Community Planning and 
Development.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule provides for the establishment of 
regulations for Homeless Management Information Systems (HMIS), which 
are the local information technology systems that HUD recipients and 
subrecipients use for homeless assistance programs authorized by the 
McKinney-Vento Homeless Assistance Act (the McKinney-Vento Act). The 
Homeless Emergency Assistance and Rapid Transition to Housing Act of 
2009 (HEARTH Act), enacted into law on May 20, 2009, in addition to 
consolidating and amending programs authorized by the McKinney-Vento 
Act, codifies in law the Continuum of Care planning process, as well as 
certain data collection requirements integral to HMIS. The HEARTH Act 
requires that HUD ensure operation of and consistent participation by 
recipients and subrecipients in HMIS. While Continuums of Care have 
been using HMIS for several years, this proposed rule would add a new 
part to the Code of Federal Regulations to regulate the administration 
of HMIS and collection of data using HMIS, as provided for by the 
HEARTH Act. In addition, this proposed rule would make corresponding 
changes to HUD's regulations for Consolidated Submissions for Community 
Planning and Development Programs, at 24 CFR part 91; the Emergency 
Solutions Grants program, at 24 CFR part 576; the Shelter Plus Care 
Program, at 24 CFR part 582; and the Supportive Housing Program, at 24 
CFR part 583.

DATES: Comment Due Date. February 7, 2012.

ADDRESSES: Interested persons are invited to submit comments regarding 
this rule to the Regulations Division, Office of General Counsel, 451 
7th Street, SW., Room 10276, Department of Housing and Urban 
Development, Washington, DC 20410-0500. Communications must refer to 
the above docket number and title. There are two methods for submitting 
public comments. All submissions must refer to the above docket number 
and title.
    1. Submission of Comments by Mail. Comments may be submitted by 
mail to the Regulations Division, Office of General Counsel, Department 
of Housing and Urban Development, 451 7th Street SW., Room 10276, 
Washington, DC 20410-0500.
    2. Electronic Submission of Comments. Interested persons may submit 
comments electronically through the Federal eRulemaking Portal at 
http://www.regulations.gov. HUD strongly encourages commenters to 
submit comments electronically. Electronic submission of comments 
allows the commenter maximum time to prepare and submit comments, 
ensures timely receipt by HUD, and enables HUD to make them immediately 
available to the public. Comments submitted electronically through the 
http://www.regulations.gov Web site can be viewed by other commenters 
and interested members of the public. Commenters should follow the 
instructions provided on that site to submit comments electronically.

    Note: To receive consideration as public comments, comments must 
be submitted through one of the two methods specified above. Again, 
all submissions must refer to the docket number and title of the 
rule.

    No Facsimile Comments. Facsimile (FAX) comments are not acceptable.
    Public Inspection of Public Comments. All properly submitted 
comments and communications submitted to HUD will be available for 
public inspection and copying between 8 a.m. and 5 p.m., eastern time, 
weekdays at the above address. Due to security measures at the HUD 
Headquarters building, an advance appointment to review the public 
comments must be scheduled by calling the Regulations Division at (202) 
708-3055 (this is not a toll-free number). Individuals with speech or 
hearing impairments may access this number through TTY by calling the 
Federal Information Relay Service at (800) 877-8339. Copies of all 
comments submitted are available for inspection and 
downloading at http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Ann Marie Oliva, Director, Office of 
Special Needs Assistance Programs, Office of Community Planning and 
Development, Department of Housing and Urban Development, 451 7th 
Street SW., Washington, DC 20410-7000; telephone number (202) 708-4300 
(this is not a toll-free number). Hearing- and speech-impaired persons 
may access this number through TTY by calling the Federal Information 
Relay Service at (800) 877-8339 (this is a toll-free number).

SUPPLEMENTARY INFORMATION:

I. Background--HEARTH Act

    The Act to Prevent Mortgage Foreclosures and Enhance Mortgage 
Credit Availability was signed into law on May 20, 2009 (Pub. L. 111-
22). This new law implements a variety of measures directed toward 
keeping individuals and families from losing their homes. Division B of 
this new law is the Homeless Emergency Assistance and Rapid Transition 
to Housing Act of 2009. The HEARTH Act consolidates and amends three of 
the homeless assistance programs authorized by title IV of the 
McKinney-Vento Act (42 U.S.C. 11371 et seq.) into a single grant 
program. Also, the HEARTH Act revised the Emergency Shelter Grants 
program to broaden its existing emergency shelter and homelessness 
prevention activities, to add new activities to rapidly rehouse 
homeless families and individuals, and to change the program's name to 
the Emergency Solutions Grant program. The HEARTH Act also codifies in 
law the Continuum of Care planning process and certain data collection 
requirements and requires HUD to ensure operation of and consistent 
participation by recipients and subrecipients of programs authorized by 
Title IV of the McKinney-Vento Act in HMIS.

II. This Proposed Rule

A. Background

    Commencing in 2004, HUD has required recipients of McKinney-Vento 
Act funds to collect electronic data on their homeless clients through 
HMIS.\1\ HMIS is a software application used to collect demographic 
information on people served. The purpose of HMIS is to record and 
store client-level information about the numbers, characteristics and 
needs of persons who use homeless housing and supportive services and 
about persons who receive assistance for persons at risk of 
homelessness over time, to produce an unduplicated count of homeless 
persons for each Continuum of Care; to understand the extent and nature 
of homelessness locally, regionally and nationally; and to understand 
patterns of service use and measure the effectiveness of programs.
---------------------------------------------------------------------------

    \1\ HUD's ``Third Progress Report on HUD's Strategy for 
Improving Homeless Data Collection, Reporting and Analysis,'' dated 
March 2004, described HUD's efforts, commencing in 2001 and in 
collaboration with recipients and subrecipients to develop an 
effective data collection system on the homeless, at both the 
national and local levels. See http://www.hud.gov/offices/cpd/homeless/hmis/strategy/reporttocongress2004.pdf. These efforts 
concluded with a notice that HUD published in the Federal Register 
on July 30, 2004 (69 FR 45888) that provided final data and 
technical standards for HMIS.
---------------------------------------------------------------------------

    This proposed rule establishes regulations for HMIS at 24 CFR part 
580 and makes corresponding amendments to the Consolidated Plan 
regulations, codified in 24 CFR part 91; the Emergency Solutions Grants 
program regulations, codified in 24 CFR part 576, and established by 
interim rule published on December 5, 2011 (76 FR 75954); the Shelter 
Plus Care program regulations, codified in 24 CFR part 582; and the 
Supportive Housing Program regulations, codified in 24 CFR part 583. 
Informed by HUD's experience with HMIS, the proposed rule would 
implement the HEARTH Act requirements and make mandatory the practices 
that HUD previously provided as guidance. The regulatory framework 
proposed by this rule is designed to provide for uniform technical 
requirements of HMIS, for proper collection of data and maintenance of 
the database, and to ensure the confidentiality of the information in 
the database. HUD is publishing the HMIS rule separate from the program 
rules in part to avoid repetition in those rules, but also because 
recipients of grants and assistance from other Federal agencies that 
are now requiring them to use HMIS to collect data and produce reports 
will benefit from a separate rule.
    The following sections of this preamble provide a section-by-
section overview of the proposed rule.

B. Section-by-Section Overview of Proposed Part 580

General Provisions (Subpart A)
Purpose and Scope (Sec.  580.1)
    This section provides that the purpose of HMIS is to record and 
store client-level information about the numbers, characteristics, and 
needs of homeless persons and those at risk of homelessness. This 
section also clarifies the scope of homeless assistance and prevention 
programs that must utilize HMIS.
    With respect to scope, this rule clarifies that all recipients of 
financial assistance under the Continuum of Care program, the Emergency 
Solutions Grant program, the Rural Housing Stability Assistance (RHS) 
program, as well as HUD programs previously funded under the McKinney-
Vento Act (the Supportive Housing Program, the Shelter Plus Care 
program, and the Section 8 Single Room Occupancy Moderate 
Rehabilitation program) are required to use HMIS to collect client-
level data on persons served. Homeless and nonhomeless projects not 
funded under the McKinney-Vento Act may participate in the local HMIS, 
and must follow HMIS regulations and any additional requirements as may 
be issued by notice, in accordance with the Paperwork Reduction Act.
Definitions (Sec.  580.3)
    Under this rule, a comparable database means a database used by a 
victim service provider or a legal service provider that collects 
client-level data over time and generates unduplicated aggregate 
reports based on the data, in accordance with the requirements of this 
part. Information entered into a comparable database must not be 
entered directly into or provided to an HMIS.
    Consistent with section 401(32) of the McKinney-Vento Act, this 
rule defines the term victim service provider as a private nonprofit 
organization whose primary mission is to provide services to victims of 
domestic violence, dating violence, sexual assault, or stalking. This 
term includes rape crisis centers, battered women's shelters, domestic 
violence transitional housing programs, and other programs.
HMIS Administration (Subpart B)
    This section of the proposed rule identifies the responsibilities 
of the Continuum of Care, and the HMIS Lead.
Responsibilities for HMIS Administration (Sec.  580.5)
    This section establishes that the Continuum of Care is responsible 
for making decisions about HMIS management and administration. As 
provided in the Definition section of this rule, Continuum of Care 
means the group composed of representatives of organizations, including 
nonprofit homeless providers, faith-based organizations, governments, 
businesses, advocates, public housing agencies, school districts, 
social service providers, mental health agencies, hospitals, 
universities, affordable housing 
developers, and law enforcement, that serve homeless and formerly 
homeless veterans, and homeless and formerly homeless persons that 
carry out the responsibilities delegated to a Continuum of Care under 
HUD's regulations in 24 CFR part 578. The Continuum of Care is 
responsible for ensuring that the HMIS for the Continuum of Care is 
operated in accordance with the provisions of the new regulations and 
other applicable laws.
Duties of the Continuum of Care (Sec.  580.7)
    This section provides that the Continuum of Care must designate a 
single information system as the official HMIS software for the 
geographic area. A single information system reduces administrative 
burden, is more economical for Continuums and, most importantly, allows 
for Continuum-wide collaboration between organizations serving homeless 
persons and persons at risk of homelessness. The Continuum must also 
designate the HMIS Lead. The HMIS Lead must be an instrumentality of 
state or local government, or a private nonprofit organization. The 
Continuum must review, revise, and approve all policies and plans the 
HMIS Lead is required to develop. Finally, the Continuum must develop a 
governance charter and document all assignments and designations 
consistent with the governance charter.
    This section also provides that a Continuum of Care may choose to 
participate in HMIS with one or more other Continuums of Care. To 
create a multi-Continuum HMIS, each Continuum must designate the same 
HMIS software and the same HMIS Lead and must adopt a joint governance 
charter. The HMIS must be capable of reporting unduplicated data for 
each Continuum of Care separately.
Duties of the HMIS Lead (Sec.  580.9)
    This section lists the duties of the HMIS Lead. These duties 
include developing written policies and procedures for all Covered 
Homeless Organizations (CHOs), executing an HMIS participation 
agreement with each CHO, serving as the applicant to HUD for any HMIS 
grants that will cover the Continuum of Care geographic area, and 
monitoring compliance by all CHOs of the Continuum of Care.
Eligible Activities (Subpart C)
Funding for HMIS (Sec.  580.21)
    Funding for HMIS is provided through Federal assistance or other 
public or private resources. HMIS Leads and CHOs must refer to program 
regulations to determine how funds are made available. One source of 
Federal funding for HMIS is the programs authorized by Title IV of the 
McKinney-Vento Act. The applicable program regulations for the HUD 
McKinney-Vento Act programs are found in the regulations of Chapter V 
of title 24 of the Code of Federal Regulations. These regulations 
provide how funds are made available and the requirements attached to 
those funds. Concurrently with the publication of this rule, HUD is 
also publishing the Emergency Solutions Grants interim rule. HUD 
expects to publish proposed rules for the new programs created by the 
HEARTH Act amendments to the McKinney-Vento Act shortly. Those rules 
will control the extent to which grant funds can be used for the costs 
of carrying out HMIS activities.
Eligible Activities (Sec.  580.23)
    This section identifies the activities that are needed to 
administer and run an HMIS. The activities listed in Sec.  580.23(a) 
may be carried out only by the HMIS Lead. This is because the HMIS Lead 
is the only organization given the authority by the Continuum of Care 
to make system-wide decisions regarding the HMIS that impact all CHOs 
within the Continuum and because all of these activities relate to 
administering the system on behalf of the Continuum and the CHOs. The 
activities listed in Sec.  580.23(b) are activities that every 
organization that contributes data to an HMIS will need to do. If an 
HMIS Lead also operates a project and contributes data to the HMIS, it 
will carry out these activities in addition to those listed under Sec.  
580.23(a). This section also clarifies that operation of a comparable 
database by victim service providers and legal service providers is an 
eligible HMIS activity.
Carrying Out HMIS Activities (Sec.  580.25)
    This section requires recipients and subrecipients of McKinney-
Vento Act program funds to participate in the HMIS established by the 
Continuum of Care for their geographic area and specifies the 
parameters in which recipients and subrecipients of funds carry out 
eligible HMIS activities. Participation in HMIS by recipients and 
subrecipients of Emergency Solutions Grants program funds is 
statutorily required.
    This section also provides that victim service providers must not 
directly enter or provide data into an HMIS if they are legally 
prohibited from participating in HMIS and that legal service providers 
may choose not to use HMIS if it is necessary to protect attorney-
client privileges. Victim service providers and legal service providers 
that are recipients of funds requiring participation in HMIS, but which 
do not directly enter data into an HMIS, must use a comparable 
database. This section specifies the standards for a comparable 
database. Victim service providers have been prohibited from entering 
data into HMIS since the passage of the Violence Against Women Act and 
Department of Justice Reauthorization Act of 2005 (42 U.S.C. 13925). 
The Notice of Allocation, Application Procedures, and Requirements for 
Homelessness Prevention and Rapid Re-Housing Program Recipients and 
subrecipients under the American Recovery and Reinvestment Act of 2009 
(HPRP Notice) established, for the first time, standards for a 
comparable database and required victim service providers to enter data 
into a comparable database. Entering data into a comparable database 
was necessary to produce the reports required by the Homelessness 
Prevention and Rapid Re-Housing Program (HPRP). The HPRP Notice also 
established the ability for legal service providers to use a comparable 
database instead of directly entering data into the HMIS where it is 
necessary to protect attorney-client privileges. HUD is proposing to 
adopt the above requirements in this rule because without information from 
victim service providers and legal service providers, the collaborative 
applicant cannot effectively carry out its required duties and the 
Continuum of Care cannot evaluate the system-wide performance of the 
Continuum. A comparable database allows the collaborative applicant and 
Continuum to obtain the aggregate data needed while respecting the 
sensitive nature of the client-level information if it complies with 
all HMIS data, technical, and security standards as established in this 
part or by notice.
HMIS Governance, Technical, Security, and Data Quality Standards 
(Subpart D)
HMIS Governance Standards (Sec.  580.31)
    The importance of the integrity and security of HMIS cannot be 
overstated. Given such importance, it is equally important that HMIS is 
administered and operated under high standards of data quality and 
security. To strive to meet this objective, this section requires the 
HMIS Lead to adopt policies and procedures for the operation of its 
HMIS. These policies and procedures must not only meet HUD standards, 
but as this regulatory section specifies, the policies and procedures 
must meet applicable state or local 
governmental requirements. This section also emphasizes that the HMIS 
Lead and the CHOs are jointly responsible for ensuring that HMIS data 
processing capabilities, including the collection, maintenance, use, 
disclosure, transmission, and destruction of data and the maintenance of 
privacy, security, and confidentiality protections. In particular, 
governing policies and procedures must allow any CHO that is also a 
covered entity under the Health Insurance Portability and 
Accountability Act (HIPAA) to make disclosures of protected health 
information in a manner that fully complies with the HIPAA privacy and 
security rules.
HMIS Technical Standards (Sec.  580.33), HMIS Security Standards (Sec.  
580.35), and Data Quality Standards and Management (Sec.  580.37)
    These three sections address required technical aspects of the HMIS 
system and provide direction to ensure that each HMIS is and remains a 
system of accuracy, integrity, and confidentiality. The standards in 
these three regulatory sections broadly present the parameters of each 
of these areas. By including these standards in regulations, HUD seeks 
to have uniform and consistent standards with respect to technology, 
security, and data quality. It is not HUD's intent that these standards 
be so restrictive that there is no flexibility to adapt to changing 
technology, which may enhance security, data quality, and the technical 
features of the system application that is currently HMIS. Therefore, 
specific details applicable to each of these areas will be reserved for 
inclusion in a notice that will be subject to the Paperwork Reduction 
Act.
    The placement of the detailed operating and technical functions of 
HMIS in a supplemental document will allow HUD to be more responsive to 
changes in technology. HUD will propose any changes to these standards 
through notice and the public comment process. This procedure will 
allow for a more expedient adoption of technology requirements. The 
security standards section specifies that HMIS Leads must establish a 
security plan, which must be approved by the Continuum of Care, 
designate a security officer, conduct workforce security screening, 
report security incidents, establish a disaster recovery plan, and 
conduct an annual security review. Additionally, HMIS Leads must ensure 
that each CHO designates a security officer and conducts workforce 
security measures, and that each user completes security training at 
least annually and each CHO conducts an annual security review.
    The data quality standards and management section specifies that 
HMIS Leads must set data quality benchmarks for CHOs, including bed 
coverage rates and service-volume coverage rates. In the 2006 Continuum 
of Care Exhibit 1 Application, HUD established the use of bed coverage 
rates as a data quality measure. As HMIS is used to collect increasing 
amounts of information on projects without overnight accommodations, 
HUD needs a method for calculating the coverage rate a Continuum of 
Care has in recording the people served in these projects. HUD proposes 
that service-volume coverage be calculated for a HUD-defined category 
of projects without overnight accommodations, such as homelessness 
prevention projects or street outreach projects, by dividing the number 
of persons served annually by the projects that participate in the HMIS 
by the number of persons served annually by all of the Continuum of 
Care projects within the HUD-defined category. HUD is specifically 
seeking public comment on this data quality measurement.
Maintaining and Archiving Data (Sec.  580.51)
    This section specifies that CHOs and HMIS Leads refer to applicable 
program regulations to determine the length of time that records must 
be maintained for inspection and monitoring purposes. The HMIS Lead may 
archive data in the HMIS, but must follow archiving data standards 
established by HUD in Federal Register notices.

C. Explanation of Proposed Changes to Parts 91, 576, 582, and 583

    This proposed rule would revise the definition of HMIS in 24 CFR 
part 91 and each of the HMIS-related sections of 24 CFR part 576, as 
amended by the Interim Rule for the Emergency Solutions Grants program, 
published on December 5, 2011 (76 FR 75954). Specifically, references 
to the new part 580 replace the references to HUD's standards on 
participation, data collection, and reporting under a local HMIS.
    This proposed rule would also revise the recordkeeping requirements 
for the definition of ``homeless'' to allow a certificate or other 
appropriate service transaction recorded in an HMIS that meets the 
requirements of the new part 580 to be acceptable evidence of third-
party documentation and intake worker observations in parts 576, 582, 
and 583.

III. Solicitation of Public Comment

    HUD invites comment on the HMIS requirements as presented in this 
proposed rule. Public comment on this rule will assist HUD in 
developing an effective regulatory framework for administration of 
HMIS.

IV. Findings and Certifications

Regulatory Planning and Review

    The Office of Management and Budget (OMB) reviewed this rule under 
Executive Order 12866, ``Regulatory Planning and Review.'' This rule 
was determined to be a ``significant regulatory action,'' as defined in 
section 3(f) of the order (although not an economically significant 
regulatory action under the order). The docket file is available for 
public inspection in the Regulations Division, Office of the General 
Counsel, 451 7th Street SW., Room 10276, Washington, DC 20410-0500. Due 
to security measures at the HUD Headquarters building, please schedule 
an appointment to review the docket file by calling the Regulations 
Division at (202) 402-3055 (this is not a toll-free number). 
Individuals with speech or hearing impairments may access this number 
via TTY by calling the Federal Relay Service at (800) 877-8339.

Information Collection Requirements

    The information collection requirements contained in this proposed 
rule have been submitted to OMB under the Paperwork Reduction Act of 
1995 (44 U.S.C. 3501-3520). In accordance with the Paperwork Reduction 
Act, an agency may not conduct or sponsor, and a person is not required 
to respond to, a collection of information, unless the collection 
displays a currently valid OMB control number.
    The burden of the information collections in this proposed rule is 
estimated as follows:


                                       Reporting and Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
                                                     Response
     Information collection          Number of       frequency     Total annual    Burden hours    Total annual
                                    respondents      (average)       responses     per response        hours
----------------------------------------------------------------------------------------------------------------
580.5 Responsibility for HMIS                450               1             450               4           1,800
 administration.................
580.7 Duties of the Continuum of             450               1             450              42          18,900
 Care...........................
580.9(a) Duties of the HMIS                  350             125          43,750               8         350,000
 Lead--Ensure operation and
 participation..................
580.9(b) Duties of the HMIS                  350               1             350              80          28,000
 Lead--Develop written policies.
580.9(c) Duties of the HMIS                  350             125          43,750               1          43,750
 Lead--Execute participation
 agreements.....................
580.9(e) Duties of the HMIS                  350             125          43,750               8         350,000
 Lead--Monitor and Enforce
 Compliance.....................
580.9(f) Duties of the HMIS                  350               3           1,050              40          42,000
 Lead--Develop plans............
580.25(d) Carrying out HMIS                2,000               1           2,000              40          80,000
 Activities--Standards for
 Comparable Database............
580.31(c) Unduplicated Count....             350               1             350              16           5,600
580.31(f) Implementing                       300               1             300               4           1,200
 specifications.................
580.35(d)(1) Administrative                7,600               1           7,600               2          15,200
 Safeguards--Security Officer...
580.35(d)(2) Workforce Security.           7,600              12          91,200               2         182,400
580.35(d)(3) Security Awareness              350             125          43,750               1          43,750
 Training and Follow-up.........
580.35(d)(4) Reporting Security              350               1             350               8           2,800
 Incidents......................
580.35(d)(5) Disaster Recovery               350               1             350               8           2,800
 Plan...........................
580.35(6) Annual Security Review             350             125          43,750               1          43,750
580.35(7) Contracts and Other                350             125          43,750             .25          10,938
 Arrangements...................
580.37(c) Data Quality                       350               1             350               4           1,400
 Benchmarks.....................
                                 -------------------------------------------------------------------------------
    Total.......................  ..............  ..............  ..............  ..............       1,224,288
----------------------------------------------------------------------------------------------------------------

    In accordance with 5 CFR 1320.8(d)(1), HUD is soliciting comments 
from members of the public and affected agencies concerning this 
collection of information to:
    (1) Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    (2) Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collection of information;
    (3) Enhance the quality, utility, and clarity of the information to 
be collected; and
    (4) Minimize the burden of the collection of information on those 
who are to respond, including through the use of appropriate automated 
collection techniques or other forms of information technology; e.g., 
permitting electronic submission of responses.
    Interested persons are invited to submit comments regarding the 
information collection requirements in this rule. Comments must refer 
to the proposal by name and docket number (FR-5475-P-01) and must be 
sent to:

HUD Desk Officer, Office of Management and Budget, New Executive Office 
Building, Washington, DC 20503, Fax number: (202) 395-6947; and
Reports Liaison Officer, Office of Community Planning and Development, 
Department of Housing and Urban Development, 451 Seventh Street, SW., 
Room 7220, Washington, DC 20410-7000.

Environmental Impact

    This proposed rule does not direct, provide for assistance or loan 
and mortgage insurance for, or otherwise govern or regulate, real 
property acquisition, disposition, leasing, rehabilitation, alteration, 
demolition, or new construction, or establish, revise, or provide for 
standards for construction or construction materials, manufactured 
housing, or occupancy. Accordingly, under 24 CFR 50.19(c)(1), this 
proposed rule is categorically excluded from environmental review under 
the National Environmental Policy Act of 1969 (42 U.S.C. 4321).

Unfunded Mandates Reform Act

    The Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538) 
(UMRA) establishes requirements for Federal agencies to assess the 
effects of their regulatory actions on state, local, and tribal 
governments and on the private sector. This proposed rule does not 
impose a Federal mandate on any state, local, or tribal government, or 
on the private sector, within the meaning of UMRA.

Regulatory Flexibility Act

    The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) generally 
requires an agency to conduct a regulatory flexibility analysis of any 
rule subject to notice and comment rulemaking requirements, unless the 
agency certifies that the rule will not have a significant economic 
impact on a substantial number of small entities. This rule addresses 
the requirements of the HMIS as provided by the HEARTH Act (Pub. L. 
111-22). The purpose of this rule is to determine the framework and 
conditions of the information technology system used by all recipients 
of grant funds under the McKinney-Vento Act, as amended by the HEARTH 
Act. Given the narrow scope of this rule, HUD has determined that it 
would not have a significant economic impact on a substantial number of 
small entities.
    Notwithstanding HUD's determination that this rule will not have a 
significant effect on a substantial number of small entities, HUD 
specifically invites comments regarding any less burdensome 
alternatives to this rule that will meet HUD's objectives as described 
in this preamble.

Executive Order 13132, Federalism

    Executive Order 13132 (entitled ``Federalism'') prohibits an agency 
from publishing any rule that has federalism implications if the rule 
either imposes substantial direct compliance costs on state and local 
governments and is not required by statute, or the rule preempts state 
law, unless the agency meets the consultation and funding requirements 
of section 6 of the Executive Order. This 
final rule does not have federalism implications and does not impose 
substantial direct compliance costs on state and local governments nor 
preempt state law within the meaning of the Executive Order.

List of Subjects

24 CFR Part 91

    Aged, Grant programs--housing and community development, Homeless, 
Individuals with disabilities, Low- and moderate-income housing, 
Reporting and recordkeeping requirements.

24 CFR Part 576

    Community facilities, Emergency solutions grants, Grant programs--
housing and community development, Grant program--social programs, 
Homeless, Reporting and recordkeeping requirements.

24 CFR Part 580

    Community facilities, Emergency shelter grants, Grant programs--
housing and community development, Homeless, Information technology 
system, Management system, Nonprofit organizations, Reporting 
requirements, Supportive housing programs--housing and community 
development, Supportive services.

24 CFR Part 582

    Homeless, Rent subsidies, Reporting and recordkeeping requirements, 
Supportive housing programs--housing and community development, 
Supportive services.

24 CFR Part 583

    Homeless, Rent subsidies, Reporting and recordkeeping requirements, 
Supportive housing programs--housing and community development, 
Supportive services.

    Accordingly, for the reasons stated above, HUD proposes to amend 24 
CFR parts 91, 576, 580, and 583 as follows:

PART 91--CONSOLIDATED SUBMISSIONS FOR COMMUNITY PLANNING AND 
DEVELOPMENT PROGRAMS

    1. The authority citation for 24 CFR part 91 continues to read as 
follows:

    Authority:  42 U.S.C. 3535(d), 3601-3619, 5301-5315, 11331-
11388, 12701-12711, 12741-12756, and 12901-12912.

    2. In Sec.  91.5, the definition of ``Homeless Management 
Information System (HMIS)'' is revised to read as follows:


Sec.  91.5  Definitions.

* * * * *
    Homeless Management Information System (HMIS). The information 
system designated by the Continuum of Care to comply with the 
requirements of 24 CFR part 580 and used to record, analyze, and 
transmit client and activity data in regard to the provision of 
shelter, housing, and services to individuals and families who are 
homeless or at risk of homelessness.
* * * * *

PART 576--EMERGENCY SOLUTIONS GRANTS PROGRAM

    3. The authority citation for 24 CFR part 576 continues to read as 
follows:

    Authority:  42 U.S.C. 11371 et seq., 42 U.S.C. 3535(d).

    4. In Sec.  576.2, the definition of ``homeless management 
information system (HMIS)'' is revised, and the definition of ``HMIS 
Lead'' is added, to read as follows:


Sec.  576.2  Definitions.

* * * * *
    Homeless Management Information System (HMIS) means the information 
system designated by the Continuum of Care to comply with 24 CFR part 
580 and used to record, analyze, and transmit client and activity data 
in regard to the provision of shelter, housing, and services to 
individuals and families who are homeless or at risk of homelessness.
    HMIS Lead means the entity designated by the Continuum of Care in 
accordance with 24 CFR part 580 to operate the Continuum's HMIS on the 
Continuum's behalf.
* * * * *
    5. Section 576.107 is revised to read as follows:


Sec.  576.107  HMIS component.

    (a) Eligible costs.
    (1) The recipient or subrecipient may use ESG funds to pay the 
costs of contributing data to the HMIS designated by the Continuum of 
Care for the area, including the costs of:
    (i) Purchasing or leasing computer hardware;
    (ii) Purchasing software or software licenses;
    (iii) Purchasing or leasing equipment, including telephones, faxes, 
and furniture;
    (iv) Obtaining technical support;
    (v) Leasing office space;
    (vi) Paying charges for electricity, gas, water, phone service, and 
high-speed data transmission necessary to operate or contribute data to 
the HMIS;
    (vii) Paying salaries for operating HMIS, including:
    (A) Completing data entry;
    (B) Monitoring and reviewing data quality;
    (C) Completing data analysis;
    (D) Reporting to the HMIS Lead;
    (E) Training staff on using the HMIS or a comparable database; and
    (F) Implementing and complying with HMIS requirements;
    (viii) Paying costs of staff to travel to and attend HUD-sponsored 
and HUD-approved training on HMIS and programs authorized by Title IV 
of the McKinney-Vento Homeless Assistance Act;
    (ix) Paying staff travel costs to conduct intake; and
    (x) Paying participation fees charged by the HMIS Lead, as defined 
in 24 CFR 580.3, if the recipient or subrecipient is not the HMIS Lead.
    (2) If the recipient or subrecipient is the HMIS Lead, as defined 
in 24 CFR 580.3, it may also use ESG funds to pay the costs of:
    (i) Hosting and maintaining HMIS software or data;
    (ii) Backing up, recovering, or repairing HMIS software or data;
    (iii) Upgrading, customizing, and enhancing the HMIS;
    (iv) Integrating and warehousing data, including development of a 
data warehouse for use in aggregating data from subrecipients using 
multiple software systems;
    (v) Administering the system;
    (vi) Reporting to providers, the Continuum of Care, and HUD; and
    (vii) Conducting training on using the system or comparable 
database, including traveling to the training.
    (3) If the subrecipient is a victim services provider or a legal 
services provider, it may use ESG funds to establish and operate a 
comparable database that complies with 24 CFR part 580.
    (b) General restrictions. Activities funded under this section must 
comply with the HMIS requirements at 24 CFR part 580.
    6. In Sec.  576.400, paragraph (f) is revised to read as follows:


Sec.  576.400  Area-wide systems coordination requirements.

* * * * *
    (f) Participation in HMIS. The recipient must ensure that data on 
all persons served and all activities assisted under ESG are entered 
into the applicable HMIS for the geographic area in which those persons 
and activities are located, or a comparable database, as provided under 
24 CFR part 580. The entry, storage, and use of this data are subject 
to the HMIS requirements at 24 CFR part 580.
    7. In Sec.  576.500, paragraphs (b) and (x)(1)(i) are revised to 
read as follows:

Sec.  576.500  Recordkeeping and reporting requirements.

* * * * *
    (a) * * *
    (b) Homeless status. The recipient must maintain and follow written 
intake procedures to ensure compliance with the homeless definition in 
Sec.  576.2. The procedures must require documentation at intake of the 
evidence relied upon to establish and verify homeless status. The 
procedures must establish the order of priority for obtaining evidence 
as third-party documentation first, intake worker observations second, 
and certification from the person seeking assistance third. However, 
lack of third-party documentation must not prevent an individual or 
family from being immediately admitted to emergency shelter, receiving 
street outreach services, or being immediately admitted to shelter or 
receiving services provided by a victim service provider. A certificate 
or other appropriate service transaction recorded in an HMIS or other 
database that meets the standards prescribed by HUD in 24 CFR part 580 
is acceptable evidence of third-party documentation and intake worker 
observations.
* * * * *
    (x) * * *
    (1) * * *
    (i) All records containing protected identifying information, as 
defined in 24 CFR 580.3, regarding any individual or family who applies 
for and/or receives ESG assistance will be kept secure and 
confidential;
* * * * *

PART 582--SHELTER PLUS CARE

    8. The authority for 24 CFR part 582 continues to read as follows:

    Authority:  42 U.S.C. 3535(d), and 11403-11407b.

    9. In Sec.  582.301, paragraph (b) is revised to read as follows:


Sec.  582.301  Recordkeeping.

    (a) [Reserved.]
    (b) Homeless status. The recipient must maintain and follow written 
intake procedures to ensure compliance with the homeless definition in 
Sec.  582.5. The procedures must require documentation at intake of the 
evidence relied upon to establish and verify homeless status. The 
procedures must establish the order of priority for obtaining evidence 
as third-party documentation first, intake worker observations second, 
and certification from the person seeking assistance third. However, 
lack of third-party documentation must not prevent an individual or 
family from being immediately admitted to emergency shelter, receiving 
street outreach services, or being immediately admitted to shelter or 
receiving services provided by a victim service provider, as defined in 
section 401(32) of the McKinney-Vento Homeless Assistance Act, as 
amended by the HEARTH Act. A certificate or other appropriate service 
transaction recorded in an HMIS or other database that meets the 
standards prescribed by HUD in 24 CFR part 580 is acceptable evidence 
of third-party documentation and intake worker observations.
* * * * *

PART 583--SUPPORTIVE HOUSING PROGRAM

    10. The authority citation for 24 CFR part 583 continues to read as 
follows:

    Authority:  42 U.S.C. 3535(d) and 11389.

    11. In Sec.  583.301, paragraph (b) is revised to read as follows:


Sec.  583.301  Recordkeeping.

    (a) [Reserved.]
    (b) Homeless status. The recipient must maintain and follow written 
intake procedures to ensure compliance with the homeless definition in 
Sec.  583.5. The procedures must require documentation at intake of the 
evidence relied upon to establish and verify homeless status. The 
procedures must establish the order of priority for obtaining evidence 
as third-party documentation first, intake worker observations second, 
and certification from the person seeking assistance third. However, 
lack of third-party documentation must not prevent an individual or 
family from being immediately admitted to emergency shelter, receiving 
street outreach services, or being immediately admitted to shelter or 
receiving services provided by a victim service provider, as defined in 
section 401(32) of the McKinney-Vento Homeless Assistance Act, as 
amended by the HEARTH Act. A certificate or other appropriate service 
transaction recorded in an HMIS or other database that meets the 
standards prescribed by HUD in 24 CFR part 580 is acceptable evidence 
of third-party documentation and intake worker observations.
* * * * *
    12. A new part 580 is added to read as follows:

PART 580--HOMELESS MANAGEMENT INFORMATION SYSTEM

Subpart A--General Provisions
Sec.
580.1 Purpose and scope.
580.3 Definitions.
Subpart B--HMIS Administration
580.5 Responsibility for HMIS administration.
580.7 Duties of the Continuum of Care.
580.9 Duties of the HMIS Lead.
Subpart C--Eligible Activities
580.21 Funding for HMIS.
580.23 Eligible Activities.
580.25 Carrying out eligible activities.
Subpart D--HMIS Governance, Technical, Security, and Data Quality 
Standards
580.31 HMIS governance standards.
580.33 HMIS technical standards.
580.35 HMIS security standards.
580.37 Data quality standards and management.
Subpart E--Maintaining and Archiving Data
580.41 Maintaining and archiving data.
Subpart F--Sanctions
580.51 Sanctions.

    Authority: 42 U.S.C. 11301, 42 U.S.C. 3535(d).

Subpart A--General Provisions


Sec.  580.1  Purpose and scope.

    (a) Purpose. The purpose of a homeless management information 
system (HMIS), whether funded by public or private resources, is to 
record and store client-level information about the numbers, 
characteristics, and needs of persons who use homeless housing and 
supportive services and for persons who receive assistance for persons 
at risk of homelessness, including:
    (1) Aggregation of HMIS data. Information in HMIS may be aggregated 
to:
    (i) Obtain information about the extent and nature of homelessness 
over time;
    (ii) Produce an unduplicated count of homeless persons;
    (iii) Understand patterns of service use; and
    (iv) Measure the effectiveness of homeless assistance projects and 
programs.
    (2) Uses of aggregate HMIS information. Information generated from 
the HMIS:
    (i) Will be used by recipients and subrecipients to report to HUD 
and for such other reasons as may be specified in law or regulation or 
by HUD through notices;
    (ii) Will be used by HUD and other Federal agencies to report to 
Congress, to evaluate recipient performance, and for such other reasons 
as may be specified in law or regulation or by HUD through notice; and
    (iii) May be made available to the public to raise awareness and 
enhance local planning processes.

    (b) Scope. (1) Every Continuum of Care must have an HMIS that is 
operated in compliance with the requirements of this part.
    (2) All recipients of grants from the programs authorized by Title 
IV of the McKinney-Vento Act are required to use HMIS, except as 
provided in Sec.  580.25(d).
    (3) Homeless and nonhomeless projects that are not funded by grants 
from programs authorized by Title IV of the McKinney-Vento Act may also 
participate in the local HMIS, and must follow all of the requirements 
set forth in this part.


Sec.  580.3  Definitions.

    The following terms have the following meanings:
    Act means the McKinney-Vento Homeless Assistance Act, and, unless 
otherwise specified, as amended by the Homeless Emergency Assistance 
and Rapid Transition to Housing Act of 2009 (Division B of Pub. L. 111-
22) (HEARTH Act) (42 U.S.C. 11371 et seq.).
    Continuum of Care means the group composed of representatives from 
organizations including nonprofit homeless providers, victim service 
providers, faith-based organizations, governments, businesses, 
advocates, public housing agencies, school districts, social service 
providers, mental health agencies, hospitals, universities, affordable 
housing developers, law enforcement, organizations that serve veterans, 
and homeless and formerly homeless persons organized to carry out the 
responsibilities of a Continuum of Care established under 24 CFR part 
578.
    Comparable database means a database that is not the Continuum's 
official HMIS, but an alternative system that victim service providers 
and legal services providers may use to collect client-level data over 
time and to generate unduplicated aggregate reports based on the data, 
and that complies with the requirements of this part. Information 
entered into a comparable database must not be entered directly into or 
provided to an HMIS.
    Contributing HMIS Organization (or CHO) means an organization that 
operates a project that contributes data to an HMIS.
    Data recipient means a person who obtains personally identifying 
information from an HMIS Lead or from a CHO for research or other 
purposes not directly related to the operation of the HMIS, Continuum 
of Care, HMIS Lead, or CHO.
    Homeless Management Information System (HMIS) means the information 
system designated by Continuums of Care to comply with the requirements 
of this part and used to record, analyze, and transmit client and 
activity data in regard to the provision of shelter, housing, and 
services to individuals and families who are homeless or at risk of 
homelessness.
    HMIS Lead means an entity designated by the Continuum of Care in 
accordance with this part to operate the Continuum's HMIS on its 
behalf.
    HMIS vendor means a contractor who provides materials or services 
for the operation of an HMIS. An HMIS vendor includes an HMIS software 
provider, web server host, data warehouse provider, as well as a 
provider of other information technology or support.
    HUD means the Department of Housing and Urban Development.
    Participation fee means a fee the HMIS Lead charges CHOs for 
participating in the HMIS to cover the HMIS Lead's actual expenditures, 
without profit to the HMIS Lead, for software licenses, software annual 
support, training, data entry, data analysis, reporting, hardware, 
connectivity, and administering the HMIS.
    Protected identifying information means information about a program 
participant that can be used to distinguish or trace a program 
participant's identity, either alone or when combined with other 
personal or identifying information, using methods reasonably likely to 
be used, which is linkable to the program participant.
    Unduplicated count of homeless persons means an enumeration of 
homeless persons where each person is counted only once during a 
defined period.
    User means an individual who uses or enters data in an HMIS or 
another administrative database from which data is periodically 
provided to an HMIS.
    Victim service provider means a private nonprofit organization 
whose primary mission is to provide services to victims of domestic 
violence, dating violence, sexual assault, or stalking. This term 
includes rape crisis centers, battered women's shelters, domestic 
violence transitional housing programs, and other programs.

Subpart B--HMIS Administration


Sec.  580.5  Responsibility for HMIS administration.

    Every Continuum of Care must have an HMIS that complies with this 
part. The Continuum of Care is responsible for ensuring that its HMIS 
is administered in accordance with the requirements of this part and 
other applicable Federal, state, and local laws and ordinances.


Sec.  580.7  Duties of the Continuum of Care.

    (a) Required duties. The Continuum of Care must:
    (1) Designate a single information system as the official HMIS 
software for the geographic area. The software must comply with the 
requirements of this part.
    (2) Designate an HMIS Lead, which may be itself, to operate the 
HMIS. The HMIS Lead must be a state or local government, an 
instrumentality of state or local government, or a private nonprofit 
organization.
    (3) Develop a governance charter, which at a minimum includes:
    (i) A requirement that the HMIS Lead enter into written HMIS 
Participation Agreements with each CHO requiring the CHO to comply with 
this part and imposing sanctions for failure to comply;
    (ii) The participation fee charged by the HMIS; and
    (iii) Such additional requirements as may be issued by notice from 
time to time.
    (4) Maintain documentation evidencing compliance with this part and 
with the governance charter; and
    (5) Review, revise and approve the policies and plans required by 
this part and by any notices issued from time to time.
    (b) Discretionary actions. A Continuum of Care may choose to 
participate in an HMIS with one or more other Continuums, subject to 
the following conditions:
    (1) All Continuums of Care within a multi-Continuum HMIS must 
designate the same HMIS Lead and must work jointly with the HMIS Lead 
to develop and adopt a joint governance charter;
    (2) All Continuums of Care within a multi-continuum HMIS must 
designate the same governance, technical, security, privacy, and data 
quality standards;
    (3) Each Continuum of Care must designate the same information 
system as the official HMIS software; and
    (4) The HMIS must be capable of reporting unduplicated data for 
each Continuum of Care separately.


Sec.  580.9  Duties of the HMIS Lead.

    The HMIS Lead shall:
    (a) Ensure the operation of and consistent participation by 
recipients of funds from the Emergency Solutions Grants Program and 
from the other programs authorized by Title IV of the McKinney-Vento 
Act. Duties include establishing the HMIS; conducting oversight of the 
HMIS; and taking 
corrective action, if needed, to ensure that the HMIS is compliant with 
the requirements of this part;
    (b) Develop written HMIS policies and procedures in accordance with 
Sec.  580.31 for all CHOs;
    (c) Execute a written HMIS Participation Agreement with each CHO, 
which includes the obligations and authority of the HMIS Lead and CHO, 
the requirements of the security plan with which the CHO must abide, 
the requirements of the privacy policy with which the CHO must abide, 
the sanctions for violating the HMIS Participation Agreement (e.g., 
imposing a financial penalty, requiring completion of standardized or 
specialized training, suspending or revoking user licenses, suspending 
or revoking system privileges, or pursuing criminal prosecution), and 
an agreement that the HMIS Lead and the CHO will process Protected 
Identifying Information consistent with the agreement. The HMIS 
Participation Agreement may address other activities to meet local 
needs;
    (d) Serve as the applicant to HUD for grant funds to be used for 
HMIS activities for the Continuum of Care's geographic area, as 
directed by the Continuum, and, if selected for an award by HUD, enter 
into a grant agreement with HUD to carry out the HUD-approved 
activities;
    (e) Monitor and enforce compliance by all CHOs with the 
requirements of this part and report on compliance to the Continuum of 
Care and HUD;
    (f) The HMIS Lead must submit a security plan (see Sec.  580.35), a 
data quality plan (see Sec.  580.37), and a privacy policy (see Sec.  
580.31(g)) to the Continuum of Care for approval within [the date that 
is 6 months after the effective date of the final rule to be inserted 
at final rule stage] and within 6 months after the date that any change 
is made to the local HMIS. The HMIS Lead must review and update the 
plans and policy at least annually. During this process, the HMIS Lead 
must seek and incorporate feedback from the Continuum of Care and CHO. 
The HMIS Lead must implement the plans and policy within 6 months of 
the date of approval by the Continuum of Care.

Subpart C--Eligible Activities


Sec.  580.21  Funding for HMIS.

    Eligibility of costs of carrying out HMIS activities depends on the 
source of the funds. HMIS Leads and CHOs must look to the regulations 
for the funding source to determine what costs are eligible.


Sec.  580.23  Eligible activities.

    (a) HMIS Lead. Only the HMIS Lead may carry out the following 
activities:
    (1) Host and maintain HMIS software or data;
    (2) Backup, recovery, and repair of the HMIS software or data;
    (3) Upgrade, customize, and enhance the HMIS;
    (4) Integrate and warehouse data, including development of a data 
warehouse for use in aggregating data from subrecipients using multiple 
software systems;
    (5) System administration;
    (6) Report to providers, the Continuum, and HUD;
    (7) Conduct training for recipients on the use of the system, 
including the reasonable cost of travel to the training; and
    (8) Such additional activities as may be authorized by HUD in 
notice.
    (b) HMIS Lead and CHOs. HMIS Leads that are also CHOs and other 
CHOs may carry out the following activities:
    (1) Purchase, lease, or license computer hardware and software;
    (2) Purchase or lease equipment, including telephones, faxes, and 
furniture;
    (3) Pay for technical support;
    (4) Lease office space;
    (5) Pay for electricity, gas, water, phone service, and high-speed 
data transmission costs necessary to operate and participate in the 
HMIS;
    (6) Pay salaries for operating HMIS, which includes:
    (i) Data entry;
    (ii) Monitor and review data quality;
    (iii) Data analysis;
    (iv) Report to the HMIS Lead;
    (v) Attend HUD-sponsored and HUD-approved training on HMIS and 
programs authorized by Title IV of the McKinney-Vento Act;
    (vi) Conduct training for CHOs on the HMIS or comparable database;
    (vii) Travel to conduct intake and to attend training;
    (viii) Implement and comply with HMIS requirements; and
    (7) Pay the participation fee to the HMIS Lead that is established 
by the Continuum of Care in the governance charter;
    (8) If the CHO is a victim services provider, as defined under 24 
CFR 580.3, or a legal services provider, establish and operate a 
comparable database that complies with 24 CFR 580.25; and
    (9) Such other activities as authorized by HUD in notice.


Sec.  580.25  Carrying out HMIS activities.

    (a) ESG. Each recipient and subrecipient of ESG grant funds under 
24 CFR part 576 is required to enter data in the Continuum's HMIS or a 
comparable database, as provided under this part.
    (b) Reserved.
    (c) Reserved.
    (d) Victim service and legal service providers. Victim service 
providers shall not directly enter or contribute data into an HMIS if 
they are legally prohibited from participating in HMIS. Legal service 
providers may choose not to use HMIS if it is necessary to protect 
attorney-client privilege. Victim service and legal service providers 
that are recipients of funds that require participation in HMIS that do 
not directly enter or contribute data to an HMIS must use a comparable 
database instead.
    (1) Standards for a comparable database. (i) The comparable 
database must meet the standards of this part and comply with all HMIS 
data information, security, and processing standards, as established by 
HUD in notice.
    (ii) The comparable database must meet the standards for security, 
data quality, and privacy of the HMIS within the Continuum of Care. The 
comparable database may use more stringent standards than the Continuum 
of Care's HMIS.
    (2) Victim service providers and legal service providers may 
suppress aggregate data on specific client characteristics if the 
characteristics meet the requirements of this part and any conditions 
as may be established by HUD in notice.

Subpart D--HMIS Governance, Technical, Security, and Data Quality 
Standards


Sec.  580.31  HMIS governance standards.

    (a) Development of local HMIS policies and procedures. An HMIS Lead 
must adopt written policies and procedures for the operation of the 
HMIS that apply to the HMIS Lead, its CHOs, and the Continuum of Care. 
These policies and procedures must comply with all applicable Federal 
law and regulations, and applicable state or local governmental 
requirements. An HMIS Lead may not establish local standards for any 
CHO that contradict, undermine, or interfere with the implementation 
of the HMIS standards as prescribed in this part.
    (b) The HMIS Lead and the CHO using the HMIS are jointly 
responsible for ensuring that HMIS processing capabilities remain 
consistent with the privacy obligations of the CHO.
    (c) Unduplicated count. An HMIS Lead must, at least once annually, 
or upon request from HUD, submit to the 
Continuum of Care an unduplicated count of clients served and an 
analysis of unduplicated counts, when requested by HUD.
    (d) Reporting. The HMIS Lead shall submit reports to HUD as 
required.
    (e) CHO requirements. A CHO must comply with the applicable 
standards set forth in this part.
    (f) Implementing specifications. A CHO must comply with Federal, 
state, and local laws that require additional privacy or 
confidentiality protections. When a privacy or security standard 
conflicts with other Federal, state, and local laws to which the CHO 
must adhere, the CHO must contact the HMIS Lead and collaboratively 
update the applicable policies for the CHO to accurately reflect the 
additional protections.
    (g) Other requirements. (1) An HMIS Lead must develop a privacy 
policy. At a minimum, the privacy policy must include data collection 
limitations; purpose and use limitations; allowable uses and 
disclosures; openness description; access and correction standards; 
accountability standards; protections for victims of domestic violence, 
dating violence, sexual assault, and stalking; and such additional 
information and standards as may be established by HUD in notice.
    (2) Every organization with access to protected identifying 
information must implement procedures to ensure and monitor its 
compliance with applicable agreements and the requirements of this 
part, including enforcement of sanctions for noncompliance.
    (3) An HMIS Lead or CHO that contracts with an HMIS vendor must, as 
part of its contract with an HMIS vendor, require the HMIS vendor and 
the software to comply with HMIS standards issued by HUD.


Sec.  580.33  HMIS technical standards.

    (a) In general. HMIS Leads and HMIS vendors are jointly responsible 
for ensuring compliance with the technical standards applicable to 
HMIS, as provided in this document and any supplemental notices, and 
for addressing any identified system or operating deficiencies 
promptly. Grant funds must be used only for software that meets the 
requirements of this part.
    (b) Required functionality. The HMIS must meet all required 
functionality established by HUD in notice.
    (c) Unduplication requirements. An HMIS must be capable of 
unduplicating client records as established by HUD in notice.
    (d) Data collection requirements. (1) Collection of all data 
elements. An HMIS must contain fields for collection of all data 
elements established by HUD in notice. For fields that contain response 
categories, the response categories in the HMIS must either directly 
match or map to the response categories defined by HUD.
    (2) Maintaining historical data. An HMIS must be able to record 
data from a theoretically limitless number of service transactions and 
historical observations for data analysis over time and assessment of 
client outcomes, while following Federal, state, territorial, or local 
data retention laws and ordinances.
    (e) Reporting requirements. (1) Standard HUD reports. An HMIS must 
be able to generate the report outputs specified by HUD. The reporting 
feature must be able to represent dates in the past for all historical 
and transactional data elements.
    (2) Data quality reports. An HMIS must be capable of producing 
reports that enable the CHOs and the HMIS Lead to assess compliance 
with local data quality benchmarks and any HUD-established data quality 
benchmarks.
    (3) Audit reports. An HMIS must be capable of generating audit 
reports to allow the HMIS Lead to review the audit logs on demand, 
including minimum data requirements established by HUD in notice.


Sec.  580.35  HMIS security standards.

    (a) In general. Security standards, as provided in this section, 
are directed to ensure the confidentiality, integrity, and availability 
of all HMIS information; protect against any reasonably anticipated 
threats or hazards to security; and ensure compliance by end users. 
Written policies and procedures must comply with all applicable Federal 
law and regulations, and applicable state or local governmental 
requirements.
    (b) System applicability. All HMIS Leads, CHOs, and HMIS vendors 
must follow the security standards established by HUD in notice.
    (c) Security management. (1) Security plan. All HMIS Leads must 
develop an HMIS security plan, which meets the minimum requirements for 
a security plan as established by HUD in notice, and which must be 
approved by the Continuum of Care.
    (2) Timeline for implementation. The HMIS Lead must submit the 
security plan to the Continuum of Care for approval within 6 months of 
[effective date of final rule to be inserted at final rule stage]. The 
HMIS Lead and CHOs must implement all administrative, physical, and 
technical safeguards within 6 months of the initial approval of the 
security plan. If one or more of these standards cannot be implemented, 
the HMIS Lead must justify the implementation delay and produce a plan 
of action for mitigating the shortfall, and develop milestones to 
eliminate the shortfall over time.
    (d) Administrative safeguards. The administrative actions, 
policies, and procedures required to manage the selection, development, 
implementation, and maintenance of security measures to protect HMIS 
information must, at a minimum, meet the following:
    (1) Security officer. Each HMIS Lead and each CHO must designate an 
HMIS security officer to be responsible for ensuring compliance with 
applicable security standards. The HMIS Lead must designate one staff 
member as the HMIS security officer.
    (2) Workforce security. The HMIS Lead must ensure that each CHO 
conduct criminal background checks on the HMIS security officer and on 
all administrative users. Unless otherwise required by HUD, background 
checks may be conducted only once for administrative users.
    (3) Security awareness training and follow-up. The HMIS Lead must 
ensure that all users receive security training prior to being given 
access to the HMIS, and that the training curriculum reflects the 
policies of the Continuum of Care and the requirements of this part. 
HMIS security training is required at least annually.
    (4) Reporting security incidents. Each HMIS Lead must implement a 
policy and chain of communication for reporting and responding to 
security incidents, including a HUD-determined predefined threshold 
when reporting is mandatory, as established by HUD in notice.
    (5) Disaster recovery plan. The HMIS Lead must develop a disaster 
recovery plan, which must include at a minimum, protocols for 
communication with staff, the Continuum of Care, and CHOs and other 
requirements established by HUD in notice.
    (6) Annual security review. Each HMIS Lead must complete an annual 
security review to ensure the implementation of the security 
requirements for itself and CHOs. This security review must include 
completion of a security checklist ensuring that each of the security 
standards is implemented in accordance with the HMIS security plan.
    (7) Contracts and other arrangements. The HMIS Lead must retain 
copies of all contracts and agreements executed as part of the 
administration and management of the HMIS or required to comply with 
the requirements of this part.
    (e) Physical safeguards. The HMIS Lead must implement physical 
measures, policies, and procedures to protect the HMIS.
    (f) Technical safeguards. The HMIS Lead must implement security 
standards establishing the technology that protects and controls access 
to protected electronic HMIS information, and outline the policy and 
procedures for its use.


Sec.  580.37  Data quality standards and management.

    (a) In general. The data quality standards ensure the completeness, 
accuracy, and consistency of the data in the HMIS. The Continuum of 
Care is responsible for the quality of the data produced.
    (b) Definitions. For the purpose of this section, the term:
    (1) HMIS participating bed means a bed on which required 
information is collected in an HMIS and is disclosed at least once 
annually to the HMIS Lead in accordance with the requirements of this 
part.
    (2) Lodging project means a project that provides overnight 
accommodations.
    (3) Nonlodging project means a project that does not provide 
overnight accommodations.
    (c) Data quality benchmarks. HMIS Leads must set data quality 
benchmarks for CHOs. Benchmarks must include separate benchmarks for 
lodging and nonlodging projects. HMIS Leads must establish data quality 
benchmarks, including minimum bed coverage rates and service-volume 
coverage rates, for the Continuum(s) of Care. HMIS Leads may establish 
different benchmarks for different types of projects (e.g., emergency 
shelter projects, permanent housing projects) based on population.
    (1) For the purpose of data quality, the bed coverage rate measures 
the level of lodging project providers' participation in a Continuum of 
Care's HMIS.
    (i) The bed coverage rate is calculated by dividing the number of 
HMIS participating beds by the total number of year-round beds in the 
geographic area covered by the Continuum of Care.
    (ii) Bed coverage rates must be calculated separately for emergency 
shelter, safe haven, transitional housing, and permanent housing.
    (iii) Bed coverage rates must be calculated for each comparable 
database.
    (2) For the purpose of data quality, the service-volume coverage 
rate measures the level of nonlodging project participation in a 
Continuum of Care's HMIS.
    (i) Service-volume coverage is calculated for each HUD-defined 
category of dedicated homeless nonlodging projects, such as street 
outreach projects, based on population.
    (ii) The service-volume coverage rate is equal to the number of 
persons served annually by the projects that participate in the HMIS 
divided by the number of persons served annually by all Continuum of 
Care projects within the HUD-defined category.
    (iii) Service-volume rates must be calculated for each comparable 
database.
    (d) Data quality management. (1) Data quality plan. All HMIS Leads 
must develop and implement a data quality plan, as established by HUD 
in notice.
    (2) The HMIS must be capable of producing reports required by HUD 
to assist HMIS Leads in monitoring data quality.

Subpart E--Maintaining and Archiving Data


Sec.  580.41  Maintaining and archiving data.

    (a) Maintaining data. Applicable program regulations establish the 
length of time that records must be maintained for inspection and 
monitoring to determine that the recipient has met the requirements of 
the program regulations.
    (b) Archiving data. Archiving data means the removal of data from 
an active transactional database for storage in another database for 
historical, analytical, and reporting purposes. The HMIS Lead must 
follow archiving data standards established by HUD in notice, as well 
as any applicable Federal, state, territorial, local, or data retention 
laws or ordinances.

Subpart F--Sanctions


Sec.  580.51  Sanctions.

    The program regulations for the programs that fund the HMIS 
activities contain the sanctions for noncompliance with this part.

    Dated: November 4, 2011.
Mercedes Márquez,
Assistant Secretary for Community, Planning and Development.
[FR Doc. 2011-31634 Filed 12-8-11; 8:45 am]
BILLING CODE 4210-67-P