Bitfocus Blog

Enhancing HMIS Data Security with Role-Based Access Control

Written by Bitfocus | April 12, 2024

Increased efficiency, stronger security, improved compliance — these are just a few of the crucial benefits role-based access can create for your organization.

In an HMIS, role-based access controls who can see and change information in the system. In a nutshell, this access system works by assigning different roles to users and giving each role different permissions. 

Assigning distinct roles ensures that users can only see the information they need to do their jobs. For example, a case manager might only need to see information about their clients, while a program manager might need information about all clients. 

Role-based access helps to improve data security by reducing the risk of unauthorized access to sensitive HMIS information. User roles also enhance operational efficiency by making it easier for employees to input and find job-specific details quickly.

In this article, our team at Bitfocus will detail the benefits of role-based access, highlight real-world examples of role-based access control in practice, and provide best practices for implementing role-based access. 

Let’s jump right in.

Key Benefits of Role-Based Access in HMIS

Improved Data Security and Privacy

We’ll start with one of the most critical benefits: increased security. Limiting the number of users accessing sensitive information can help reduce the risk of data breaches. By restricting access to information on a need-to-know basis, role-based access can help protect the confidentiality of client data — a top priority for CoCs nationwide.

Bitfocus Professional Services, our team of strategic experts, recently contracted with a customer in Cuyahoga County to implement Outreach, a Clarity HMIS module that leverages geospatial analytics to help communities provide better care. This project was initiated in response to concerns about protecting the privacy and security of encampment location information.

The county's goal was to allow all HMIS users to contribute location data while restricting access to encampment data to outreach staff and other authorized personnel. Clarity HMIS provided the necessary access role options and structures to achieve this goal, helping to protect Cuyahoga County’s homeless population.

 

Assigning roles to users helps communities keep their data private and secure, as it has with Cuyahoga County.

By creating customized access roles, Clarity gave this customer the ability to:

  • Allow most users to collect location data, while restricting access to outreach and encampment information to need-to-know staff.
  • Ensure that only authorized personnel have access to sensitive encampment location data.
  • Protect the privacy and security of encampment residents.

Increased Operational Efficiency

Another benefit of role-based access? Users can find the information they need far more quickly.

Here’s what this looks like in action. 

One community in Massachusetts had initially implemented a restricted sharing environment in their HMIS, which hindered care coordination efforts and limited visibility into shelter availability. Without that visibility, it was difficult to know shelter availability in real time, resulting in unused shelter beds during the winter.

To address this, the community began using Clarity HMIS role-based access permissions to expand access to client records and shelter availability information to key staff members.

 

Assigning role-based access permissions gives this Massachusetts community greater operational efficiency.

 

By granting these users expanded access, the community can now:

  • Improve care coordination efforts, bringing clients indoors as quickly as possible.
  • Increase shelter utilization during the winter months.

Greater Regulatory Compliance

Implementing role-based access can help organizations demonstrate their compliance with regulations that require them to protect client data.

For example, administrators can show HIPAA compliance by restricting access to patient data to authorized healthcare providers only, or demonstrate VOCA/VAWA compliance by configuring the system as a DV-comparable database for Victim Service Providers.

Role-Based Access in Practice

The intuitive role-based access control in Clarity provides all users with an excellent data entry experience.

Some of the many features in Clarity that align with best practices in role-based access control include:

  • Customized access roles. Clarity provides different access roles to support an intuitive data entry experience for various user groups, including shelter intake staff, case managers, data analysts, and volunteers who provide meal services.
  • Report library access levels. Access rights can be used to control which users have access to the Clarity report library.
  • Granular access permissions. Individual access roles dictate what users can view, write, edit, and delete. These roles streamline the user experience and simplify data management.
  • Seamless user experience. Any areas of the system to which the user does not have access are eliminated from view, keeping the interface clean and efficient.
  • Additional agency access. Clarity allows users to be granted additional agency access. This affords more flexibility without the added costs of another user license.




An HMIS like Clarity makes it easy to select roles and permissions as well as to assign users to these roles.

 

These features allow role-based access to support the different roles within direct service agencies.

How to Operationalize Role-Based Access

Operationalizing role-based access in HMIS involves balancing flexibility and control, mapping users and roles, implementing additional security measures, and conducting regular evaluations to ensure effective and secure access management.

Flexibility Versus Control Considerations

The balance between flexibility and control in assigning roles and permissions is a delicate one.

Flexibility allows users to access the data and functionality they need to do their jobs effectively. It also empowers users to make decisions and take action without waiting for approval. Both benefits often lead to improved productivity and efficiency. However, too much flexibility can result in security violations that role-based control can prevent.

Control prevents unauthorized users from accessing sensitive data or performing unauthorized actions, which helps to ensure that data is used appropriately and for its intended purpose. Such guardrails protect the organization from security breaches and compliance violations. However, settings can be too restrictive, as in the earlier example of the Massachusetts community.

Organizations can strike the right balance between flexibility and control by understanding the specific needs of their organization and users. The following factors should be considered:

  • The sensitivity of the data
  • The risk of unauthorized access
  • The need for flexibility

These factors will shape the degree of flexibility and control in user and role mapping.

User and Role Mapping

The first step in setting up role-based access in HMIS is to list all roles in the organization that require access to the system.

Next, the data that each role needs to access should be determined.

Using the results of the previous two steps, roles that correspond to the jobs in the organization can be created in the HMIS. Where needed, administrators should reach out to HMIS participating agencies to understand their access and sharing needs.

It is important to avoid overcomplicating roles. The number of access roles should be minimized to standardize the user experience and streamline system administration.

Once roles have been created, users should be assigned to the appropriate roles. Some administrators adhere to a "least privilege policy," where users are only granted the minimum level of access necessary to perform their jobs.

Additional Security Measures

Users should be encouraged to choose strong passwords to minimize the chances of unauthorized access.

Instead of password access, organizations may consider using a single sign-on (SSO) solution to simplify user authentication and management.

Role and User Evaluation

Sometimes, a least privilege policy makes it difficult for users to do their jobs effectively. Therefore, it is essential to review and update roles and user assignments regularly. Access might need to be revamped so that users have the access they need to do their jobs.

Regular role evaluation also prevents granting too much access to users, which can increase the risk of data breaches and misuse.
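The mapping steps and the periodic review described above can be expressed as a small deny-by-default model. This is an added example, not Bitfocus or Clarity HMIS code; the role names, the "resource:action" permission strings, and the users are hypothetical and constructed for illustration. It mirrors the Cuyahoga County pattern (everyone may contribute location data, only outreach staff may read encampment data) and reports both over-granted and under-granted access.

```python
# Role -> permission sets. Role names and "resource:action" strings are
# hypothetical, constructed for this example (not Clarity HMIS identifiers).
ROLES = {
    "general_user": {"location:create"},
    "outreach_staff": {"location:create", "encampment:read", "encampment:update"},
    "program_manager": {"client:read", "client:update", "report:read"},
}

def effective_permissions(user_roles):
    """Union of permissions over a user's roles; unknown roles grant nothing."""
    perms = set()
    for role in user_roles:
        perms |= ROLES.get(role, set())
    return perms

def is_allowed(user_roles, permission):
    """Deny by default: access requires an explicit grant from some role."""
    return permission in effective_permissions(user_roles)

def review(assignments, job_needs):
    """Compare granted access with documented job needs for each user.

    Returns {user: {"excess": [...], "missing": [...], "unknown_roles": [...]}}
    for users with at least one finding.
    """
    findings = {}
    for user, roles in assignments.items():
        granted = effective_permissions(roles)
        needed = job_needs.get(user, set())
        result = {
            "excess": sorted(granted - needed),    # least-privilege violation
            "missing": sorted(needed - granted),   # too restrictive to do the job
            "unknown_roles": sorted(r for r in roles if r not in ROLES),
        }
        if any(result.values()):
            findings[user] = result
    return findings

# Constructed sample data: role assignments and what each job actually requires.
ASSIGNMENTS = {
    "avery": ["general_user"],
    "blake": ["general_user", "outreach_staff"],
    "casey": ["general_user", "shelter_coord"],
}
JOB_NEEDS = {
    "avery": {"location:create"},
    "blake": {"location:create"},
    "casey": {"location:create", "client:read"},
}

if __name__ == "__main__":
    print(is_allowed(ASSIGNMENTS["avery"], "encampment:read"))
    for user, result in review(ASSIGNMENTS, JOB_NEEDS).items():
        print(user, result)
```

The "missing" findings correspond to the overly restrictive setup in the Massachusetts example, and the "excess" findings to access that a least privilege policy would remove.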

By following these tips, organizations can set up role-based access in HMIS effectively and avoid common pitfalls.

The Future of HMIS with Role-Based Access

At Bitfocus, we know that as technology advances and becomes more sophisticated, so do security threats. Our unparalleled dedication to keeping Clarity secure and compliant is part of why 70+ CoC customers trust Clarity with their confidential information.

In addition, we regularly add new access roles to ensure communities have control over how their users access data and new features.

Empowering Your Community with Secure, Efficient Role Management

Role-based access control ensures data security and operational efficiency. By restricting access to data and functionality based on users' roles and responsibilities, organizations can reduce the risk of unauthorized access, improve data integrity, and enhance compliance with regulations. 

Role-based access can also streamline workflows, improve collaboration, and increase productivity by providing users with the tools and resources they need to do their jobs effectively.

Clarity HMIS can help organizations implement role-based access quickly. By using Clarity’s customizable access roles and robust security features, organizations can create a more secure and efficient environment for their data and improve the quality of services provided to clients.
