ENTERPRISE INCOME VERIFICATION (EIV) SECURITY POLICY

ENTERPRISE INCOME VERIFICATION (EIV) SECURITY POLICY Rev. October 2011

EIV Security Policy Acknowledgment Form

By signing this form I acknowledge my receipt of the EIV System Security Policy approved by the Chief Executive Officer, and my responsibility to abide by its contents. I further understand and agree to the following:

This manual represents a summary of the most important policies relative to the EIV System, but is not intended to be all inclusive of the Housing Authority of the City of El Paso (HACEP) policies or practices. It is not intended to be comprehensive or to address all the possible applications of, or exceptions to, the general policies and procedures described.

The Housing Authority retains the sole right in its business judgment to modify, suspend, interpret or cancel in whole or in part at any time, and with or without notice, any of the published or unpublished EIV System policies or practices.

For specific information, I must refer to HUD PIH Notice 2010 Administrative Guidance for Effective and Mandated Use of the Enterprise Income Verification (EIV) system, HUD Handbook 2400.25 Rev 1 dated May 2005 (as applicable) and other HUD and HACEP related reference materials since this policy represents only a brief summary.

Employee Signature
Employee Name (print)
Job Title
Date

Table of Contents

Introduction
Applicability
Purpose
Privacy Act Considerations
Section 1: Safeguarding EIV Data
Section 2: Security Awareness Training
Section 3: Reporting Improper Disclosures
Section 4: Legal Action

Introduction

The Enterprise Income Verification (EIV) System is intended to provide a single source of income-related data to Public Housing Agencies (PHAs) for use in verifying the income reported by tenants in the various assisted housing programs administered by PHAs across the nation. The Office of Public and Indian Housing (PIH) is responsible for administering and maintaining the EIV system.

The EIV system assists PHAs in the up-front verification of tenant income by comparing the tenant income data obtained from various sources including:

- Tenant-supplied income data captured on Form HUD-50058 and maintained in the Public Housing Information Center (PIC) database;
- Wage information from the State Wage Information Collection Agencies (SWICAs);
- Social Security (SS) and Supplemental Security Income (SSI) from the Social Security Administration (SSA); and
- User Profile information from the PIC database.

As of December 29, 2009, HUD mandated the use of the EIV system in its entirety to verify tenant employment and income information during mandatory reexaminations of family composition and income; and reduce administrative and subsidy payment errors in accordance with 24 CFR 5.236 and administrative guidance issued by HUD.

EIV tenant data must be used to verify a tenant's eligibility for participation in a HUD rental assistance program and to determine the level of assistance the tenant is entitled to receive. Any other use, unless approved by the HUD Headquarters EIV Coordinator or EIV Security Officer, is specifically prohibited and may result in the imposition of civil or criminal penalties on the responsible person or persons. Further, no adverse action can be taken against a tenant until the PHA has independently verified the EIV information and the tenant has been granted an opportunity to contest any adverse findings through the established grievance hearing or other legal procedures.

Applicability

The procedures outlined in this document apply to PHAs administering the Public Housing (PH) and the Housing Choice Voucher Program (HCVP). The security procedures outlined in this document apply to all EIV data, regardless of the media on which they are recorded. Computerized media containing EIV data must be afforded the same levels of protection given to paper documents or any other media with EIV data.

Purpose

This policy provides HACEP staff who have been granted access to EIV with practices, controls and safeguards that must be implemented to ensure adequate protection of the confidentiality of the tenant income data and compliance with federal laws regarding the protection of this information. EIV documents and/or actions will be integrated into HACEP's occupancy protocols, which also involve Privacy Act related materials, e.g., third-party income, medical and other documents.

Privacy Act Considerations

The data in EIV contains personal information on individual tenants which is protected under the Federal Privacy Act. The information in EIV may only be used for limited official purposes, as noted below.

A. Official Purposes Include:

1. PHAs, in connection with the administration of PIH programs, for verifying the employment and income at the time of interim and annual reexaminations.
2. HUD staff for monitoring and oversight of PHA compliance with HUD program requirements.
3. Independent Auditors hired by the PHA or HUD to perform a financial audit for use in determining the PHA's compliance with HUD program requirements, including verifying income and determining the accuracy of the rent and subsidy calculations.

Restrictions on disclosure requirements for Independent Auditors:

(a) May only access EIV income information within family files and only within the offices of the PHA or PHA-hired management agent;
(b) May not transmit or transport EIV income information in any form;
(c) May not enter EIV income information on any portable media;
(d) Must sign non-disclosure oaths that the EIV income information will be used only for the purpose of the audit; and
(e) May not duplicate EIV income information or re-disclose EIV income information to any user not authorized by Section 435(j)(7) of the Social Security Act to have access to the EIV income data.

B. Official Purposes Do NOT Include:

Sharing the information with governmental or private entities not involved in the reexamination process specifically used for PIH rental assistance programs.

Disclosing the EIV information to other private or public entities for purposes other than determining eligibility and level of assistance for PIH rental assistance programs is prohibited since these entities are not a party to the computer matching agreements with the HHS and SSA. The fact that these entities may find the EIV beneficial for similar eligibility and determination purposes for other low-income housing programs or public benefits does not permit these entities to use or view information in the EIV system that is covered by the computer matching agreements.

EIV data will only be provided to the adult family member who disputes EIV information.

Privacy of data and data security for computer systems are covered by a variety of federal laws and regulations, government bulletins, and other guiding documents. The Privacy Act of 1974 as amended, 5 U.S.C. 552 (a) is one such regulation and EIV data require careful handling in order to assure PHA compliance with the Privacy Act. (See Appendix A - Safeguards Provided by the Privacy Act). The Act also describes the criminal penalties associated with violation of policy supporting the Act. (See Appendix B - Criminal Penalties Associated with the Privacy Act).

Authorized staff must assure that a copy of the HUD Form-9886, Authorization for the Release of Information/Privacy Act Notice, has been signed by each member of the household eighteen (18) years of age or older and the family head and spouse, regardless of age, and is in the household file. By signing this form, the tenant authorizes HUD and the PHA to obtain and verify income and unemployment compensation information from various sources including current and former employers, state agencies, and the SSA. HUD is relying on the PHAs to have this authorization on file as required by 24 CFR Part 5.230. Information obtained is protected under the Privacy Act.

Section 1 - Safeguarding EIV Data

Protective measures will ensure that EIV data is used for official purposes only, and not disclosed in any way that would violate the privacy of the individuals represented in the system data. Designated staff will adhere to the following procedures:

- The designation of the EIV Administrator, Security Coordinator, and individuals who will serve as backups for these positions will be at the discretion of the Chief Executive Officer. Appointments may include Director of Budgets, Chief Financial Officer, Chief Operating Officer, Director of Section 8, and Director of Public Housing.
- The EIV Administrator will be responsible for approving user access for authorized staff in the Public Housing Department, covering all staff (including PHA-hired management agents) who have a need to access the EIV system, including, but not necessarily limited to, Regional Supervisors, Asset Managers, Assistant Asset Managers, Compliance Manager, Production and Quality Control Technicians, and Eligibility/Admissions staff.
- The EIV Administrator will be responsible for assigning user access to authorized staff in the HCV Department to include HCV Supervisors, HCV Technicians and the HCV Compliance Unit.
- The EIV Administrator will be responsible for approving user access to designated staff in Multifamily Housing to include Multifamily Asset Manager and Assistant Asset Manager.
- The EIV Security Coordinator will be responsible for maintaining and enforcing security procedures.
- HACEP users and recipients of EIV data will ensure compliance with security policies and procedures outlined in this document. Violations will be immediately reported to the EIV Administrator or designee and may lead to disciplinary action up to and including termination of employment.
- Staff involved in the access or receipt of EIV data will ensure that data is used for official purposes only, and not disclosed in any way that would violate the privacy of the individuals represented in the system data.
- EIV data will be handled in such a manner that it does not become misplaced or made accessible to unauthorized personnel.
- In the event that it is necessary to transport tenant files between HACEP offices, the files will be transported in a locked document carrier labeled "Authorized Personnel Only." Files may not be transported via interoffice mail, but must be hand carried by authorized staff. Staff will never take resident files home for any reason.
- Users must not duplicate EIV data.
- EIV computer printouts shall immediately be placed in the tenant file.
- If EIV data is kept in file cabinets, the cabinets must be maintained in a locked room and identified by the use of posted signs indicating "Authorized Personnel Only."
- The Directors of Public Housing and Section 8 will issue keys and track the inventory of keys available, the number of keys issued, and to whom the keys were issued. (See Appendix E - Key Accountability Record).
- All employees who are issued keys to security rooms and/or file cabinets will complete a form acknowledging the receipt of the key(s). The EIV Security Coordinator will maintain these forms. (See Appendix F - Acknowledgment of Receipt of Keys).
- The EIV Administrator will maintain a record of all users upon approval by the Chief Operating Officer or designee. (See Appendix D - Access Authorization Form).
- The EIV Administrator will ensure that all users who access the EIV system have a current User Agreement on file. The administrator will secure and maintain such records. (See Appendix D - HUD Rules of Behavior and User Agreement).
- The EIV Security Coordinator will conduct a quarterly review of all user IDs to determine if there is a valid need for access to EIV data. The EIV Security Coordinator will obtain a list of all users and will meet with the Director of Public Housing and the Director of Section 8 to verify whether those listed continue to require access.
- All records maintained by the EIV Administrator and the EIV Security Coordinator will be labeled "Authorized Personnel Only" and will be maintained in a folder separate from other information and files within a filing cabinet. The designated area will be within a locked room.
- Restricted areas will be cleaned only during regular office hours or in the presence of an employee with authorized access.
- Computer screens displaying EIV data will not be left unattended. Computer screens will not be placed in such a way that unauthorized persons may view information. Users will either log out of the system or lock the computer when not in use.
- Computer printouts will be retrieved from a designated printer as soon as they are generated and will not be left unattended.
- EIV computer printouts that are erroneously generated will be shredded and recorded in a designated.
- Users will not access data through any computer other than the assigned and designated secure computers of HACEP.
- Unauthorized access or known security breaches will be reported to the EIV Administrator and EIV Security Coordinator. The EIV Security Coordinator will notify the Chief Executive Officer and the Director of Human Resources. The Chief Executive Officer will promptly notify appropriate authorities including the HUD Field Office's Public Housing Director.

Section 2 - Security Awareness Training

As a condition of initial and continued access to the EIV System, PHA staff are required to complete Annual Security Awareness training and EIV system training (initial, complete system training). Thereafter, update (interim system changes) training is required when offered by HUD Headquarters (HHQ). All EIV training must be completed as directed by HUD.

Training requirements also apply to those individuals who will not access the EIV system, but will view or handle printed and/or electronic EIV data. Individuals who will view and/or handle printed EIV information are required to complete only annual Security Awareness training (EIV system training is optional for these individuals). EIV training provided by third parties does not fulfill the mandatory EIV training requirement.

- The EIV Administrator and Security Coordinator will train employees in EIV System security policies and procedures before granting access to EIV information. Attendance records will be maintained. (See Appendix I - Security Awareness Training Attendance Record).
- Users will be provided a copy of the HACEP EIV Security Policies and EIV Procedures Manuals.
- Employees will be advised of the penalties associated with the provisions of the Privacy Act of 1974, Section 552(a), which makes unauthorized disclosure or misuse of tenant wage data a crime punishable by a fine of up to $5,000. (See Appendix B - Criminal Penalties Associated with the Privacy Act).
- Employees will be briefed annually thereafter. The EIV Security Coordinator will maintain attendance records. (See Appendix I - Security Awareness Training Attendance Record).
- The EIV Administrator and/or the EIV Security Coordinator may communicate security information and requirements to appropriate personnel through various methods outside of the formal trainings and awareness sessions. Methods may include discussions at meetings or security bulletins posted throughout work areas.
- Upon completion of trainings, the EIV Administrator and EIV Security Coordinator will ensure that employees have completed the User Agreement indicating that they are aware of the safeguards and responsibilities associated with using the system. (See Appendix D - HUD Rules of Behavior and User Agreement).

Section 3 - Reporting Improper Disclosures

Recognition, reporting, and disciplinary action in response to security violations are crucial to successfully maintain the security and privacy of the EIV system. Security violations may include the disclosure of private data as well as attempts to access unauthorized data and the sharing of User IDs and Passwords.

- Employees making the observation or receiving information with regard to improper disclosure of EIV information or other security violations should contact the EIV Security Coordinator.
- The EIV Security Coordinator will immediately contact the EIV Administrator for the purpose of immediately revoking access to the EIV system until such time as a determination is made.
- The Chief Executive Officer should provide the HUD Field Office Public Housing Director with the written documentation.
- The HUD Field Office Public Housing Director upon receipt of the written documentation will make a determination regarding the referral and the provision of the written documentation to the Headquarters EIV Coordinator and/or EIV Security Officer for further review and follow-up action.

Section 4 - Legal Action

In the event of current or pending litigation, legal counsel will provide guidance with regard to applicable documents. If litigation is pending, all applicable documents and records, regardless of disposal date, will be retained until resolution of the legal matter.