Agenda 2/14/2023 Item #16D 5 (Maintain and provide ongoing data management and information through the HMIS)16.D.5
02/ 14/2023
EXECUTIVE SUMMARY
Recommendation to authorize the Chairman to sign the Community Resource Network Agency Partnership
Agreement for Homeless Management Information Services between The Collier County Hunger &
Homeless Coalition, Inc., and Collier County.
OBJECTIVE: To maintain and provide ongoing data management and information through the Homeless
Management Information System (HMIS) in accordance with 24 CFR 576.107.
CONSIDERATIONS: Collier County, as the recipient of Emergency Solutions Grant Funding (ESG) through the
U.S. Department of Housing and Urban Development (HUD), partners with the Lead Agency on homelessness
Collier County Hunger and Homeless Coalition, Inc. (CCHHC), which utilizes the Community Resource Network
(CRN) for Homeless Management Information Services (HMIS). The CRN is an online web -based computerized
data collection, searching, sharing, and organizing tool designed to capture client -level information on the
characteristics and service needs of persons experiencing homelessness within Southwest Florida.
The Collier County Hunger and Homeless Coalition entered into an Agreement with WellSky on August 9, 2022, to
house the software and the reporting database for HMIS. The agreement between The Hunger and Homeless
Coalition and WellSky has no fixed termination date but shall terminate when all services expire or through a
request for termination.
Community and Human Services (CHS) currently utilizes the HMIS system to register and track client information
in partnership with the Collier County Hunger and Homeless Coalition. As users of the HMIS system, CHS is
bound by the Standard Operating Procedures of HMIS and all relevant HUD regulations. Users are bound by their
agency policies set forth in the agreement. These policies include User Agency Policy, Agency and Personnel
Responsibilities, Agency Code of Ethics, HMIS Background Check Agreement, Compliance Checklist and Privacy
Notice.
The partnership agreement presented as part of this item grants Collier County the right to use the CRN. As part of
this agreement, Collier County can input, use, and retrieve information concerning our own clients and share
information subject to agreements and governmental regulations on common clients.
The Agreement may be terminated with thirty (30) days advance written notice by either party.
FISCAL IMPACT: There is no new Fiscal impact associated with this item. Current ESG funds reside in Fund
(705), Project 33764 & 33824.
LEGAL CONSIDERATIONS: This item is approved for form and legality and requires a majority vote for Board
action. -DDP
GROWTH MANAGEMENT IMPACT: This item has no impact on the Housing Element of the Growth
Management Plan of Collier County.
RECOMMENDATION: To authorize the Chairman to sign the Community Resource Network Agency
Partnership Agreement for Homeless Management Information Services between the Collier County Hunger &
Homeless Coalition, Inc. and Collier County.
Prepared By: Carolyn Noble, Grants Coordinator; Community and Human Services Division
ATTACHMENT(S)
1. [linked] CCCHC CRN Stardard Operating Procedures (PDF)
2. User agreement (PDF)
Packet Pg. 1060
16.D.5
02/ 14/2023
3. Wellsky Master License (PDF)
4. Wellsky Services Agreement 2022 Amendment (PDF)
5. HMIS Lead Agency Agreement Signed 1.6.23 (PDF)
Packet Pg. 1061
16.D.5
02/14/2023
COLLIER COUNTY
Board of County Commissioners
Item Number: 16.13.5
Doe ID: 24288
Item Summary: Recommendation to the Chairman to sign the Community Resource Network Agency Partnership
Agreement for Homeless Management Information Services between The Collier County Hunger & Homeless
Coalition, Inc., and Collier County.
Meeting Date: 02/14/2023
Prepared by:
Title: — Community & Human Services
Name: Carolyn Noble
01/09/2023 8:32 AM
Submitted by:
Title: Manager - Federal/State Grants Operation — Community & Human Services
Name: Kristi Sonntag
01/09/2023 8:32 AM
Approved By:
Review:
Community & Human Services
Carolyn Noble
CHS Review
Community & Human Services
Jocelyn Pickens
Additional Reviewer
Community & Human Services
Donald Luciano
Additional Reviewer
Community & Human Services
Blanca Aquino Luque Additional Reviewer
Community & Human Services
Maggie Lopez
Additional Reviewer
Operations & Veteran Services
Jeff Newman
Additional Reviewer
Public Services Department
Todd Henry
PSD Level 1 Reviewer
Grants
Erica Robinson
Level 2 Grants Review
Public Services Department
Tanya Williams
PSD Department Head Review
County Attorney's Office
Derek D. Perry
Level 2 Attorney Review
Office of Management and Budget
Debra Windsor
Level 3 OMB Gatekeeper Review
County Attorney's Office
Jeffrey A. Klatzkow Level 3 County Attorney's Office Review
Grants
Therese Stanley
Additional Reviewer
Community & Human Services
Maggie Lopez
Additional Reviewer
Office of Management and Budget
Christopher Johnson
Additional Reviewer
County Manager's Office
Amy Patterson
Level 4 County Manager Review
Board of County Commissioners
Geoffrey Willig
Meeting Pending
Skipped
01/09/2023 8:14 AM
Completed
01/09/2023 9:02 AM
Completed
01/09/2023 11:41 AM
Completed
01/10/2023 4:24 PM
Completed
01/10/2023 8:53 PM
Completed
01/17/2023 1:05 PM
Completed
01/17/2023 1:47 PM
Completed
01/18/2023 8:59 AM
Completed
01/26/2023 8:27 AM
Completed
01/30/2023 8:35 AM
Completed
01/30/2023 9:30 AM
Completed
01/30/2023 9:50 AM
Completed
01/30/2023 4:17 PM
Completed
01/30/2023 7:33 PM
Completed
02/03/2023 11:42 AM
Completed
02/06/2023 4:16 PM
02/14/2023 9:00 AM
Packet Pg. 1062
Agency Name:
User Name:
(Please Print)
Community Resource Network System User Agreement
HUNGER
HOMELESS
COALITION
OF COLL1EFt COUNTY
In this System Users Agreement, "AGENCY" refers to the agency named above. AGENCY recognizes the primacy of client needs in
the design and management of the Community Resource Network (CRN). These needs include both the need continually to improve
the quality of homeless and housing services with the goal of eliminating homelessness in our community, and the need vigilantly to
maintain client confidentiality (45 CFR 164.306 ((b)), treating the personal data of our most vulnerable populations with respect and
care.
As the guardians entrusted with this personal data, CRN users have a moral and a legal obligation to ensure that the data they collect is
being collected, stored, accessed and used appropriately. It is also the responsibility of each user to ensure that client data is only used
to the ends to which it was collected, ends that have been made explicit to clients and are consistent with the mission to assist families
and individuals in our community to resolve their crisis. Proper user training, adherence to the CRN Policies and Procedures Manual,
and a clear understanding of client confidentiality are vital to achieving these goals.
Relevant points regarding client confidentiality include: (HIPPA 164.104)
• A client consent form (CRN Intake with ROI) must be signed by each client whose data is shared with Partner Agencies
via the CRN.
• Client consent may be revoked by that client at any time through a written notice.
• Clients have a right to inspect, receive a copy and request changes in their CRN records.
• CRN Users may not share client data with individuals or agencies that have not entered into an CRN Agency Sharing
Agreement without obtaining written permission from that client.
• CRN Users will maintain CRN data in such a way as to protect against revealing the identity of clients to unauthorized
agencies, individuals or entities.
• Any CRN User found to be in violation of the CRN Policies and Procedures, or the points of client confidentiality in this
User Agreement, may be denied access to the CRN.
I affirm the following: (Compliant to 45 CFR 164.306 ((d)), ((2)))
1. I have received training in how to use the CRN.
2. I have read and will abide by all policies and procedures in the CRN Policies and Procedures Manual.
3. I will maintain the confidentiality of client data in the CRN as outlined above and in the CRN Policies and Procedures
Manual.
4. I will only collect, enter, and extract data in the CRN relevant to the delivery of services to people experiencing a
crisis in our community.
5. I agree to accept and refer clients throughout the CoC/CRN for the purposes of preventing and ending homelessness.
User 'Signature
Date
c
m
E
d
L
a�
a
Q.
z
`m
c
M
a
co
2
00
00
N
N
c
m
E
m
L
M
L
m
to
c
m
E
Q
Packet Pg. 1063
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
WELLSKY CORPORATION
MASTER LICENSE AND SERVICES AGREEMENT
This Master License and Services Agreement (the "Agreement") is entered into as of 8/9/2022 , (the
"Effective Date"), by and between WellSky Corporation and its Affiliates, with offices at 11300 Switzer Road,
Overland Park, KS 66210 ("WellSky"), and Collier Hunger and Homeless Coalition a Non -Profit Organization with
offices at P. O. Box 9202, Naples, Florida 34101 ("Client"). Each of WellSky and Client may be referred to herein
individually as a "Party" and together as the "Parties." The Parties agree that any existing Orders shall be subject to
the terms and conditions included herein. The Parties agree as follows:
DEFINITIONS. Capitalized terms used
herein or in any Order Form, but not defined,
have the meaning set forth in Exhibit A.
2. SERVICES.
2.1. Cloud Services. During the Cloud Services
term set forth in an Order Form, WellSky shall
provide Client (a) a non-exclusive, non -
assignable, limited right to access and use the
Cloud Services during the Term, solely for
Client's internal business operations and
subject to the terms of this Agreement and the
applicable Order Form; and (b) Cloud Services
support as set forth in Exhibit B or in the
applicable Order Form. Client shall not have
any physical access to the Cloud Services
hardware.
2.2. Professional Services. Unless otherwise set
forth in an Order Form, Professional Services
shall be performed on a time and materials
basis at WellSky's standard rates.
2.3. Client Responsibilities. Client shall: (a)
approve access for all Permitted Users to the
Cloud Services and shall prevent unauthorized
access and use of the Cloud Services; (b)
provide network connectivity between Client's
local environment and the Cloud Services for
the implementation and execution of the Cloud
Services as provided in the Documentation; (c)
maintain bandwidth of sufficient capacity for
the operation of the Cloud Services; (d) have
sole responsibility for installation, testing, and
operations of Client facilities,
telecommunications and internet services,
equipment, and software upon Client's
premises necessary for Client's use of the
Cloud Services; and (e) pay all third -party
access fees incurred by Client to access and use
the Cloud Services. Client shall not, and shall
ensure that its Permitted Users do not: (i) sell,
resell, lease, lend or otherwise make available
the Cloud Services to a third -party; (ii) modify,
adapt, translate, or make derivative works of
the Cloud Services; or (iii) sublicense or
operate the Cloud Services for timesharing,
outsourcing, or service bureau operations
2.4. Suspension of Services. If (a) there is a threat
to the security of WellSky's systems or the
Services, or (b) Client's undisputed invoices
are sixty (60) days or more overdue, in addition
to any other rights and remedies (including
termination), WellSky may suspend the
Services without liability until all issues are
resolved.
THIRD -PARTY SOLUTIONS AND
HARDWARE. Subject to the terms and
conditions of this Agreement and any Order
Form, WellSky shall grant the licenses to
Third -Party Solutions as set forth in an Order
Form. Client agrees to purchase any Hardware
set forth in an Order Form.
4. PROPRIETARY RIGHTS.
4.1. Ownership. WellSky or its licensor retains all
right, title, and interest, in the Third -Party
Solutions, Documentation, Services, and Work
Product. WellSky shall grant to Client a non-
exclusive, non -transferable license to use
Work Product only for Client's own internal
purposes in connection with the Services.
4.2. Restricted Rights. The Cloud Services are
commercial computer software programs
developed exclusively at private expense. Use,
duplication, and disclosure by civilian
agencies of the U.S. Government shall be in
accordance with FAR 52.227-19 (b). Use,
duplication and disclosure by DOD agencies
are subject solely to the terms of this
Agreement, a standard software license
agreement as stated in DFARS 227.7202.
Contract # 03137191
August 6, 2021
Packet Pg. 1064
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
5. PAYMENTS BY CLIENT.
5.1. Payment. Client shall pay all fees for the
Services and Hardware. All invoices shall be
paid net thirty (30) days following the date of
the invoice. Invoices that are more than ten
(10) days past due shall be subject to a finance
charge at a rate of interest the lesser of one -
and -a -half percent (1.5%) per month or the
maximum permissible legal rate. Client shall
also be liable for any attorney and collection
fees arising from WellSky's efforts to collect
any unpaid balance of Client.
5.2. Scope of Use. The Third -Party Solutions and
Cloud Services are priced based on certain
metrics (e.g. Sites, Deliverables, Patient/Client
Census, and/or Permitted Users) as set forth in
an Order Form. Client may only expand its
use of the Third -Party Solutions and/or Cloud
Services upon payment of the applicable
additional license, support, and service fees at
WellSky's then -current rates. Any such fees
for additional scope of use will be immediately
due and payable.
5.3. Increases. All recurring fees may be increased
by WellSky once annually commencing one
(1) year following the Effective Date of the
applicable Order Form at a rate not to exceed
five percent (5%). Fees may further be
increased upon prior written notice to Client in
the event WellSky's third -party suppliers
increase such fees. The preceding limitation
shall not apply to any increase in fees
attributable to Client's acquisition of
additional Services.
5.4. Expenses. Client shall reimburse WellSky for
all reasonable Client -related travel, lodging,
and out-of-pocket expenses.
5.5. Shipping Fees, Taxes. Client shall pay all
shipping charges, as well as any taxes, fees or
costs imposed by any governmental body
arising as a result of this Agreement. WellSky
shall be responsible for taxes on its net income.
5.6. Audit. WellSky reserves the right to audit
Client's use of the Cloud Services (remotely or
on site) at a mutually agreeable time. If
Client's use is greater than contracted, Client
shall be invoiced for any unlicensed use (and
related support), and the unpaid license and
support fees shall be payable in accordance
with this Agreement. If any increase in fees is
required, Client shall also pay the expenses
associated with the audit.
6. LIMITED WARRANTIES AND
COVENANTS.
6.1. Services Warranty. WellSky warrants that (a)
when operated in accordance with the
Documentation the Cloud Services shall,
without material error, perform the functions
as set forth in the Documentation, and/or (b) it
shall perform the Professional Services in a
professional manner in accordance with the
applicable Documentation.
6.2. Remedy. Client's sole and exclusive remedy
for any breach of the warranties set forth herein
or in an Order Form shall be to notify WellSky
of the applicable non -conformity, in which
case WellSky shall use commercially
reasonable efforts to correct such non-
conformity by repairing the Cloud Services
and/or reperforming the Professional Services.
Notwithstanding the foregoing, WellSky shall
not be responsible for any non -conformity
which arises as a result of (a) any act or
omission of Client, including a failure to use
Cloud Services in conformance with the
Documentation or Applicable Law; or (b) any
failure of any component of Hardware, Third -
Party Solutions, or any Client -supplied
software, equipment, or other third -party
materials.
6.3. Disclaimer. EXCEPT AS EXPRESSLY
PROVIDED HEREIN OR IN AN ORDER
FORM, WELLSKY DISCLAIMS ALL
WARRANTIES, ORAL, WRITTEN,
EXPRESS, IMPLIED, OR STATUTORY;
INCLUDING BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF FITNESS FOR
A PARTICULAR PURPOSE AND
MERCHANTABILITY, AND ANY
WARRANTY OF NON -INFRINGEMENT,
OR ANY WARRANTIES ARISING FROM
TRADE PRACTICE, COURSE OF
PERFORMANCE, OR COURSE OF
DEALING. WELLSKY DOES NOT
WARRANT THAT THE SERVICES SHALL
BE ERROR -FREE OR UNINTERRUPTED,
OR THAT ALL DEFECTS SHALL BE
CORRECTED, OR THAT THE SERVICES
SHALL MEET CLIENT'S
REQUIREMENTS. CLIENT AGREES
THAT THE MANUFACTURERS OR
LICENSORS OF HARDWARE AND
Contract # 03137191
August 6, 2021
Packet Pg. 1065
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
THIRD -PARTY SOLUTIONS MAY
PROVIDE CERTAIN WARRANTIES AND
OTHER TERMS AND CONDITIONS WITH
RESPECT TO THE HARDWARE AND
THIRD -PARTY SOLUTIONS SUPPLIED
TO CLIENT UNDER THIS AGREEMENT.
WELLSKY MAKES NO
REPRESENTATIONS OR WARRANTIES
CONCERNING THE HARDWARE OR
THIRD -PARTY SOLUTIONS.
6.4. Client Warranty. Client warrants that Client
(a) has the power and authority to enter into
this Agreement and bind each Client affiliate
and Permitted User to the terms and conditions
set forth herein, and Client shall be responsible
for all acts and omissions of all Client affiliates
and Permitted Users; and (b) shall use its best
efforts to protect the security of the Cloud
Services.
LIMITATION OF LIABILITY.
WELLSKY'S MAXIMUM LIABILITY FOR
DAMAGES TO CLIENT FOR ANY CAUSE
WHATSOEVER ARISING UNDER OR
RELATED TO THIS AGREEMENT, IS
LIMITED TO THE FEES PAID UNDER THE
ORDER FORM FOR THE AFFECTED
SOFTWARE OR SERVICES DURING THE
TWELVE (12) MONTHS PRECEDING THE
EVENT GIVING RISE TO A CLAIM.
NEITHER WELLSKY NOR ITS
LICENSORS SHALL BE LIABLE FOR ANY
SPECIAL, CONSEQUENTIAL, INCIDEN-
TAL, INDIRECT, EXEMPLARY,
PUNITIVE DAMAGES, OR LOST PROFITS
BASED UPON BREACH OF WARRANTY,
BREACH OF CONTRACT, NEGLIGENCE,
STRICT LIABILITY, OR ANY OTHER
LEGAL THEORY, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES,
OR FOR ANY CLAIM BY A THIRD -
PARTY AGAINST CLIENT. WELLSKY
DISCLAIMS ANY AND ALL LIABILITY
ARISING OUT OF OR RELATED TO
CLIENT'S USE OF ANY VIDEO, EMAIL,
TEXING AND/OR RELATED TELEPHONY
SERVICES, INCLUDING ANY LIABILITY
RELATED TO CLIENT DATA
PROCESSED THEREIN. WELLSKY
SHALL NOT BE DEEMED TO BE
ENGAGED, DIRECTLY OR INDIRECTLY,
IN THE PRACTICE OF MEDICINE OR THE
DISPENSING OF MEDICAL SERVICES,
NOR SHALL IT BE RESPONSIBLE OR
LIABLE FOR THE USE, APPLICATION,
OR INTERPRETATION OF ANY
INFORMATION, RESULTS, OR PRODUCT
GENERATED BY OR RESULTING FROM
THE SERVICES OR ARISING FROM THE
CLIENT'S USE OF THE SERVICES, AND
DISCLAIMS ANY RESPONSIBILITY FOR
ACTIONS OF CLIENT OR THEIR CARE
PROVIDERS WHICH MAY RESULT IN
ANY LIABILITY OR DAMAGES DUE TO
MALPRACTICE, FAILURE TO WARN,
NEGLIGENCE, OR ANY OTHER BASIS.
8. INDEMNIFICATION.
8.1. WellSky Indemnity. WellSky shall defend,
indemnify, and hold Client and its officers,
directors, and employees harmless from and
against any third -party claims, suits, liabilities,
obligations, judgments, and causes of action
("Third -Party Claims") and associated costs
and expenses (including reasonable attorneys'
fees) to the extent arising out of any claim that
the Cloud Services infringes any currently
existing United States patent or copyright, or
misappropriates any trade secret, of any third -
party. If Client's use of the Cloud Services is
finally enjoined, WellSky shall, at its sole
option and expense, and as Client's sole and
exclusive remedy, either: (a) secure for Client
the right to continue to use the Cloud Services;
(b) replace, modify or correct such Cloud
Services to avoid such infringement, or (c)
terminate the Agreement and refund to Client,
as applicable, any prepaid amounts for Cloud
Services not yet performed. WellSky's
indemnification obligations shall not apply if
the Third -Party Claim results from: (i)
modifications of the Cloud Services by Client
or third parties; (ii) use of the Cloud Services
with non-WellSky software or equipment; or
(iii) use of the Cloud Services in violation of
this Agreement, Applicable Law, or not in
conformance with the Documentation.
8.2. Client Indemnity. Client shall defend,
indemnify, and hold WellSky and its officers,
directors, and employees harmless from and
against any Third -Party Claim and associated
costs and expenses (including reasonable
attorneys' fees) to the extent arising out of or
resulting from Client's use of the Cloud
Services or any claim by any party receiving
services from Client in connection with the
Cloud Services.
Contract # 03137191
August 6, 2021
Packet Pg. 1066
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
8.3. Indemnification Procedures. To be
indemnified, the party seeking indemnification
must: (a) give the other party timely written
notice of such Third -Party Claim (unless the
other party already has notice); provided,
however, that failure to give such notice will
not waive any rights of the indemnified party
except to the extent that the rights of the
indemnifying party are prejudiced thereby,
and; (b) give the indemnifying party authority,
information, and assistance for the Third -Party
Claim's defense and settlement. The
indemnifying party has the right, at its option,
to defend the Third -Party Claim at its own
expense and with its own counsel. The
indemnified party has the right, at its option, to
join in the defense and settlement of such
Third -Party Claim and to employ counsel at its
own expense, but the indemnifying party shall
retain control of the defense. The indemnifying
party has the right to settle the claim so long as
the settlement does not require the indemnified
party to pay any money or admit any fault
without the indemnified party's prior written
consent, which will not be unreasonably
withheld, conditioned, or delayed.
TERM AND TERMINATION OF
LICENSE AND AGREEMENT.
9.1. Term. If applicable, the right to access the
Cloud Services is set forth in an Order Form.
This Agreement remains in effect until all
Services expire or are terminated in
accordance with this Agreement.
9.2. Termination. This Agreement shall terminate
when all Services expire or are terminated or
sooner as provided in this Section 10. Either
Party may terminate this Agreement and the
licenses and/or right to access granted herein
if. (a) the other Party materially breaches this
Agreement and fails to cure such breach within
sixty (60) days after receipt of written notice of
the same, except in the case of failure to pay
fees when due, which must be cured within ten
(10) days after receipt of written notice from
WellSky; or (b) the other Party becomes the
subject of a voluntary proceeding relating to
insolvency, receivership, liquidation,
bankruptcy, or composition for the benefit of
creditors and such petition or proceeding is not
dismissed within sixty (60) days of filing.
Failure to use the Cloud Services and
Upgrades thereto in accordance with
Applicable Law is a material breach of this
Agreement.
9.3. Effect of Termination. Upon termination of
this Agreement, Client shall immediately cease
all use of the Third -Party Solutions and/or
Cloud Services, and the licenses granted and
all other rights of Client under this Agreement
shall terminate and revert to WellSky. Client
shall, within ten (10) days following such
termination, destroy or return to WellSky all
WellSky Confidential Information and certify
such return or destruction in writing to
WellSky.
9.4. Survival. The following sections shall survive
termination or expiration of this Agreement:
Sections 6.2 through 6.4, 7, 8, 9, 10, 11, and
12, as well as any obligation to pay fees arising
prior to termination or expiration.
10. CONFIDENTIAL INFORMATION. Each
Party shall (a) secure and protect the
Confidential Information using the same
degree or greater level of care that it uses to
protect such Party's own confidential
information, but no less than a reasonable
degree of care; (b) use the Confidential
Information of the other Party solely to
perform its obligations or exercise its rights
under this Agreement; (c) require their
respective employees, agents, attorneys,
subcontractors, and independent contractors
who have a need to access such Confidential
Information to be bound by confidentiality
obligations sufficient to protect the
Confidential Information; and (d) not transfer,
display, convey, or otherwise disclose or make
available all or any part of such Confidential
Information to any third -party. Either Party
may disclose the other Party's Confidential
Information to the extent required by
Applicable Law or regulation, including
without limitation any applicable Freedom of
Information or sunshine law, or by order of a
court or other governmental entity, in which
case the disclosing Party shall notify the other
Party as soon as practical prior to such
disclosure and provide an opportunity to
respond or object to the disclosure.
11. REGULATORY COMPLIANCE.
11.1. General. WellSky shall make available to the
Secretary of Health & Human Services or
Comptroller General of the United States its
Contract # 03137191
August 6, 2021
Packet Pg. 1067
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
books, documents, and records necessary to
verify the nature and extent of the costs of
those Services. Said access shall be limited to
a period of four (4) years after the provision of
the applicable services hereunder.
11.2. HIPAA. The parties agree to the terms of the
Business Associate Exhibit that is attached
hereto as Exhibit C.
12. GENERAL PROVISIONS.
12.1. Force Majeure. Neither Party shall be liable
for any loss, damages, or penalty (other than
the obligation to pay money) resulting from
any failure to perform due to causes beyond the
reasonable control of such Party, including, but
not limited to: supplier delay, acts of God,
labor disputes, acts of terrorism, war,
epidemic, unavailability of components, acts
of governmental authorities or judicial action,
compliance with laws, or material interruption
in telecommunications or utility service. The
delayed party shall perform its obligations
within a reasonable time after the cause for the
failure has been remedied, and the other party
shall accept the delayed performance.
12.2. Data Use. Client hereby grants to WellSky a
non-exclusive, perpetual license (a) to use the
Client Data in connection with the provision of
the Services; and/or (b) to use the Client Data
to create Deidentified Data. The license
includes a right to sublicense. WellSky owns
any Deidentified Data. Additionally, Client
authorizes WellSky to aggregate Client Data
with other WellSky client data in accordance
with the Documentation.
12.3. Injunctive Relief. Client acknowledges that
any breach by Client of Section 2.3 or 10 of
this Agreement shall cause WellSky
irreparable harm not compensable with money
damages, and that in the event of such breach,
WellSky shall be entitled to seek injunctive
relief, without bond, from any court of
competent jurisdiction.
12.4. Professional Responsibility. Client
acknowledges that the Licensed Software
and/or Services, and the information supplied
therein, are supplemental to (and not a
substitute for) the knowledge, expertise, skill
and judgment of physicians, clinicians, and/or
other care providers. Client shall ensure that
all care providers using the Licensed Software
and/or Services are aware of the limitations of
the use of the Licensed Software and/or
Services. CLIENT SHALL ENSURE THAT
ALL PROVIDERS USING THE LICENSED
SOFTWARE AND/OR SERVICES ARE
AWARE OF THE LIMITATIONS OF THE
USE OF THE LICENSED SOFTWARE
AND/OR SERVICES.
12.5. Assignment. Neither Party shall assign its
rights, duties or obligations under this Agree-
ment without the prior written consent of the
other Party and such consent shall not be
unreasonably withheld. Notwithstanding the
foregoing, WellSky may assign this
Agreement to an Affiliate or in connection
with any merger, reorganization or sale of
substantially all of WellSky's assets or other
change of control transaction without any
consent from Client.
12.6. Relationship of the Parties. WellSky is an
independent contractor, and none of WellSky's
employees or agents shall be deemed
employees or agents of Client. Nothing in this
Agreement is intended or shall be construed to
create or establish any agency, partnership, or
joint venture relationship between the Parties.
12.7. Export. Client agrees to comply with all export
and re-export restrictions and regulations of
the Department of Commerce or other United
States agency or authority, and not to transfer,
or authorize the transfer of, the Third -Party
Solutions to a prohibited country or otherwise
in violation of any such restrictions or
regulations.
12.8. Notices. All notices, requests, demands or
other communication required or permitted to
be given by one Parry to the other under this
Agreement shall be sufficient if sent by
certified mail, return receipt requested. The
sender shall address all notices, requests,
demands or other communication to the
recipient's address as set forth on the first page
of this Agreement, and in the case of WellSky,
to the attention of President and General
Counsel WArya &escjyer� �kant, to the
attention Executive Director of
12.9. Severability. If any provision of this
Agreement or any Order Form adopted in
connection herewith is held invalid or
otherwise unenforceable, the enforceability of
Contract # 03137191
August 6, 2021
Packet Pg. 1068
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
the remaining provisions shall not be impaired
thereby and the illegal provision shall be
replaced with a legal provision that
encapsulates the original intent of the Parties.
12.10. Entire Agreement; Amendment; Waiver. This
Agreement constitutes the entire agreement
between the Parties and supersedes any prior
or contemporaneous agreement or
understandings with respect to the subject
matter of this Agreement. In the event of a
conflict between this Agreement and an Order
Form, the Agreement shall control. This
Agreement shall be construed as if both Parties
had equal say in its drafting, and thus shall not
be construed against the drafter. This
Agreement may be modified only by a written
agreement signed by all of the Parties hereto.
No waiver or consent granted for one matter or
incident will be a waiver or consent for any
different or subsequent matter or incident.
Waivers and consents must be in writing and
signed by an officer of the other Party to be
effective.
12.11. Limitation on Actions. Neither party may
bring any action arising out of or otherwise
associated with this Agreement or the rights
granted hereunder (other than failures to pay)
more than two years after the cause of action
accrues.
12.12. Discounts. Client is reminded that if the
purchase includes a discount or loan, Client
may be required to fully and accurately report
such discount or loan on cost reports or other
applicable claims for payment submitted under
any federal health care program, including but
not limited to Medicare and Medicaid, as
required by federal law — see 42 CFR 1001.952
(h).
12.13. Purchase Orders; Acceptance of Quotes;
Access. If Client submits its own terms which
add to, vary from, or conflict with the terms
herein in Client's acceptance of a price
quotation or in a purchase order, or to
WellSky's employees, agents, and/or
contractors in the course of WellSky providing
the Services, any such terms are of no force and
effect and are superseded by this Agreement.
12.14. Governing Law. This Agreement will be
governed by, construed, and interpreted in
accordance with the laws of the State of
Kansas, excluding its rules of conflicts of law.
Both parties hereby consent and submit to the
courts located solely in the state of Kansas.
12.15. Non -Solicitation. During the term of this
Agreement and for a period of one (1) year
thereafter, Client agrees not to hire, directly or
indirectly, any employee or former employee
of WellSky, without obtaining WellSky's prior
written consent.
12.16. California Consumer Privacy The Parties
agree that the California Consumer Privacy
Act under Cal. Civ. Code § 1798 et seq.
("CCPA") may be applicable to the
Agreement. If applicable, WellSky shall be
deemed a "service provider" under the CCPA
if WellSky receives the "personal information"
of any "consumer" for "processing" on Client's
behalf.
12.17. Counterparts. This Agreement may be
executed in any number of counterparts, each
of which shall be an original, and such
counterparts together shall constitute one and
the same instrument. Execution may be
effected by delivery of email or facsimile of
signature pages, which shall be deemed
originals in all respects.
[remainder of page intentionally left blank]
Contract # 03137191 6 August 6, 2021
Packet Pg. 1069
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
IN WITNESS WHEREOF, the Parties have executed this Agreement as of the day and year first above written.
COLLIER HUNGER AND HOMELESS
COALITION:
I V &Ad ITvc.Y W!N
(SIGNATURE)
MICHAEL OVERWAY
(PRINT NAME)
EXECUTIVE DIRECTOR
(TITLE)
8/9/2022
(DATE)
WELLSKY CORPORATION:
STEPHEN GREENBERG
stt pt(,t,ln, C'Vl,wbv,
SVP HUMAN AND SOCIAL SERVICES
8/9/2022
(DATE)
Contract # 03137191
August 6, 2021
Packet Pg. 1070
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
EXHIBIT A
a. "Affiliate" means with respect to WellSky, any other entity directly or indirectly, through one or more
intermediaries, Controlling, Controlled by, or under common Control with such entity.
b. "Applicable Law" means any law or regulation, or related administrative agency requirement affecting or
governing the features, functionality, use, or testing of any of the Cloud Services.
c. "Client Data" means all electronic data or information submitted by Client to the Services but excluding
Deidentified Data.
d. "Cloud Services" means, collectively, the WellSky software as a service offering listed in an Order Form and
defined in the Documentation, including (i) the WellSky hosted software and any upgrades, enhancements, or
new releases thereto, (ii) hardware and other equipment at WellSky's hosting site, and (iii) use of the telephone
support for Client in the operation of the Cloud Services. The term "Cloud Services" does not include
Professional Services.
e. "Concurrent User" means each Client workstation able to simultaneously access the System at any given
moment, for purposes of updating the System.
"Confidential Information" means (i) the Documentation, (ii) the design and architecture of the database, (iii)
the terms and conditions of this Agreement, and (iv) all other information of a confidential or proprietary nature
disclosed by one Party to the other Party in connection with this Agreement which is either (x) disclosed in
writing and clearly marked as confidential at the time of disclosure or (y) disclosed orally and clearly designated
as confidential in a written communication to the receiving Party within 7 days following the disclosure.
"Confidential Information" shall not include information (a) publicly available through no breach of this
Agreement, (b) independently developed or previously known to it, without restriction, prior to disclosure by
the disclosing Party, (c) rightfully acquired from a third -party not under an obligation of confidentiality.
g. "Control" over an Affiliate means (a) ownership of at least fifty percent (50%) of such Affiliate, or (b) the right
to determine management direction of such Affiliate.
h. "Deidentified Data" means Client Data that is deidentified by WellSky and such deidentification is certified
by a third -party as compliant with the deidentification standards under HIPAA or otherwise meets the
deidentification requirements under HIPAA.
i. "Documentation" means the most recent documentation of the functional operation and interoperability of the
Cloud Services.
j. FDA Clearance" means the 510(k) clearance received by WellSky from the Food and Drug Administration that
authorizes the commercialization of the Regulated Cloud Services and sets forth the specific parameters of use
for the Regulated Cloud Services operating environment, as applicable.
k. "First Productive Use" means the day Client begins using any part of the Cloud Services in a live production
environment.
1. "Hardware" means any computer hardware (including, as applicable, embedded or bundled third -party
software provided as a component of such hardware) identified in an Order Form to be purchased by Client from
WellSky.
in. "Order Form" means a work authorization executed by the Parties from time to time, including the Order
Forms(s) attached hereto setting forth the items being purchased by the Client, scope of use, pricing, payment
terms and any other relevant terms, which will be a part of and be governed by the terms and conditions of this
Agreement.
Contract # 03137191 8 September 14, 2021
Packet Pg. 1071
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
n. "Patient/Client Census" means the number of patients or clients that Client is treating, calculated as described
in the applicable Order Form.
o. "Permitted User" means an authorized user of the Third -Party Solutions and/or Cloud Services as described in
the applicable Order Form.
p. "Professional Services" means, collectively, the implementation, installation, data conversion, (including
extraction), validation, or training services provided by WellSky under or in connection with this Agreement.
q. "Regulated Cloud Services" means Cloud Services that are subject to the 510(k) clearance requirements as
promulgated by the United States Food and Drug Administration.
r. "Services" means the Cloud Services and the Professional Services set forth in an Order Form.
s. "Site" means each of the Client facility or facilities specified in an Order Form and for whom Client (a) owns
at least 50%, or (b) has the right to determine management direction.
t. "Third -Party Solutions" shall mean those licensed software programs software -as -a -service offerings
provided to WellSky by a third -party, which WellSky sublicenses or grants a right to access to Client hereunder,
for use with the Licensed Software or Cloud Services, and any Updates thereto, provided to Client by WellSky
under the terms of this Agreement or as identified in any Order Form.
u. "Upgrade" means the provision of any error corrections, bug fixes, enhancements, and/or new features to the
Cloud Services that WellSky makes generally commercially available to its clients who have current Cloud
Services subscriptions. Upgrades do not include modules or features that WellSky prices and markets
separately.
v. "Validation" means the procedure performed by Client to validate the Regulated Cloud Services pursuant to
certain rules and regulations promulgated by the Food and Drug Administration.
w. "Warranty Period" means either the period set forth in an Order Form, or if not specified, twelve months from
the execution of the applicable Order Form.
x. "Work Product" means any technology, documentation, software, procedures developed, conceived or
introduced by WellSky in the course of WellSky performing Services, whether acting alone or in conjunction
with Client or its employees, Permitted Users, affiliates or others, designs, inventions, methodologies,
techniques, discoveries, know-how, show -how and works of authorship, and all United States and foreign
patents issued or issuable thereon, all copyrights and other rights in works of authorship, collections and
arrangements of data, mask work rights, trade secrets on a world-wide basis, trademarks, trade names, and other
forms of corporate or product identification, and any division, continuation, modification, enhancement,
derivative work or license of any of the foregoing.
Contract # 03137191 9 September 14, 2021
Packet Pg. 1072
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
EXHIBIT B
WELLSKY CLOUD SERVICES SUPPORT TERMS
This Exhibit B sets forth certain WellSky Cloud Services support requirements. From time -to -time, these obligations
may change upon notice by WellSky to Client. This Exhibit B only applies to Cloud Services.
1. DEFINITIONS.
1.1. "Access Protocols" means industry standard internet access protocols through which WellSky makes the Cloud
Services accessible to the Client which includes, unless otherwise specified by the product or service contract
for, HTTPS and FTPS.
1.2. "Core System Functionality" means functionality that does require real time availability for effective use of
Cloud Services. Core system functionality includes all features required to commence a user session and
performs end user operations, including create, read, update and delete operations.
1.3. "Non -Core System Functionality" means functionality that does not require real time availability for effective
use of the Cloud Services. This explicitly includes, but is not limited to, reporting and background batch
processing.
1.4. "Scheduled Downtime" means the time which the Core System Functionality is unavailable for access to
Client's active Permitted Users according to the Access Protocols, due to scheduled system maintenance
performed by or on behalf of WellSky.
1.5. "Unscheduled Downtime" means the time during which the Core System Functionality is unavailable for
access by Client's Permitted Users according to the Access Protocols, other than for Scheduled Downtime and
the exceptions otherwise stated in the Agreement. Unscheduled Downtime will not include, without limitation,
any downtime arising from: (i) Client's breach of any provision of the Agreement; (ii) non-compliance by Client
with any provision of the Agreement; (iii) incompatibility of Client's equipment or software with the Cloud
Services; (iv) poor or inadequate performance of Client's systems; (v) Client's equipment failures; (vi) acts or
omissions of Client or its Permitted Users, contractors or suppliers; (vii) telecommunication or transportation
difficulties; (viii) Client's network and internet service provider, (ix) public internet, (x) security exposure, or
(xi) force majeure (as described in the Agreement).
2. TERM.
UNLESS OTHERWISE SET FORTH IN AN ORDER FORM, SUPPORT FOR THE CLOUD SERVICES ARE
AVAILABLE AS OF THE EFFECTIVE DATE OF THE APPLICABLE ORDER FORM(S) AND SHALL CONTINUE
UNTIL TERMINATION OF THE APPLICABLE CLOUD SERVICES AS PERMITTED IN THE AGREEMENT
AND/OR THE APPLICABLE ORDER FORM.
3. TELEPHONE SUPPORT.
WellSky shall provide telephone and portal issue support to assist Client with the use of the Cloud Services and to assist
with issue resolution during the term of this Agreement. The portal support will be available 24 hours a day and telephone
support will be available during the hours posted by WellSky.
4. AVAILABILITY.
After First Productive Use and during the Term, WellSky shall use commercially reasonable efforts to provide the Cloud
Services via the Internet twenty-four (24) hours a day, seven (7) days a week, in accordance with the terms of the
Agreement.
Periodically, WellSky will require Scheduled Downtime. Scheduled Downtime will normally be scheduled outside of
normal business hours, with twenty-four (24) hours' notice, or in the event of a more urgent need WellSky may give less
Contract # 03137191 to September 14, 2021
Packet Pg. 1073
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
notice to resolve an immediate security need. It is anticipated that there will be weekly scheduled downtime for system
maintenance, WellSky will post the standard downtime publicly for all WellSky clients.
Client acknowledges and agrees that, from time to time, the Cloud Services may be inaccessible or inoperable for the
following reasons: (i) equipment malfunctions; (ii) periodic maintenance; or (iii) catastrophic events beyond the control
of WellSky or that are not reasonably foreseeable by WellSky, including interruption or failure of telecommunication or
digital communication links or hostile network attacks. Client shall report any Unscheduled Downtime by calling
WellSky client support with the provided support number within one (1) day of its occurrence.
5. UPGRADES.
During the Term of the Cloud Services, WellSky may make Upgrades available to Client pursuant to WellSky's standard
release cycle. WellSky reserves the right to determine the content and availability of all Cloud Services, including
without limitation, Upgrades. Any enhancements or additions made to an interface as requested by Client are not part
of this Exhibit B and may increase the monthly charge by an amount which reflects the extent of the change.
Documentation updates shall generally be distributed to Client with each Upgrade.
6. INTERNET CONNECTION DEPENDENCE.
The performance and availability of the Cloud Services are directly dependent upon the quality of Client's Internet
connection. WellSky will aid the Client in determining the quality of their Internet connection via the use of tools
designed to measure throughput. This information may then be used to make an informed decision by Client regarding
Internet Service Provider ("ISP") selection. Failure of the Client's Internet connection to maintain satisfactory throughput
and latency is outside the scope of WellSky's responsibility and should be addressed by Client directly with the ISP.
WellSky cannot be held responsible for Internet infrastructure failures.
Contract # 03137191 11 September 14, 2021
Packet Pg. 1074
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
EXHIBIT C
BUSINESS ASSOCIATE AGREEMENT
BACKGROUND
A. Covered Entity and WellSky have entered into the Agreement, pursuant to which Covered Entity has licensed cloud
services from Business Associate and Business Associate provides implementation, maintenance, support, and other
services to Covered Entity.
B. Covered Entity possesses Protected Health Information that is protected under the Health Insurance Portability and
Accountability Act of 1996 (Public Law 104-191) and the regulations promulgated thereunder by the United States
Department of Health and Human Services (collectively, "HIPAA"), and is permitted to use or disclose such
Protected Health Information only in accordance with HIPAA and the Regulations.
C. Business Associate may have access to and may receive Protected Health Information from Covered Entity in
connection with its performance of services under the Agreement. The Agreement may from time to time require the
Business Associate's receipt, Use, and/or Disclosure of Protected Health Information (PHI) from Covered Entity.
D. The provisions of this BAA are intended in their totality to implement the HIPAA regulations as they concern
Business Associate Agreements. The provisions of the Agreement will remain in full force and effect and are
amended by this BAA only to the extent necessary to effectuate the provisions set forth herein.
TERMS
1. Definitions. All capitalized terms used but not otherwise defined in this BAA shall have the same meaning as those
terms in the Regulations.
a. Business Associate shall mean WellSky Corporation.
b. Covered Entity shall mean Client.
c. Individual shall have the same meaning as the term "individual" in 45 CFR § 160.103 of the
Regulations and shall include a person who qualifies as a personal representative in accordance with
45 CFR § 164.502(g) of the Regulations.
d. Regulations shall mean the Standards for Privacy of Individually Identifiable Health Information at 45
CFR Part 160 and Part 164, Subparts A and E, Security Standards for the Protection of Electronic
Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C; 45 CFR § 164.314,
and the Health Information Technology for Economic and Clinical Health Act (HITECH), as it directly
applies, as in effect on the date of this BAA.
e. Protected Health Information shall have the same meaning as the term "protected health information"
in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on
behalf of Covered Entity.
f. Required by Law shall have the same meaning as the term "required by law" in 45 CFR § 164.103 of
the Regulations.
g. Secretary shall mean the Secretary of the Department of Health and Human Services or his/her
designee.
h. Security Incident shall have the same meaning given to such term in 45 CFR § 164.304.
2. Obligations and Activities of Business Associate.
a. Business Associate agrees to comply with the requirements of the Privacy and Security Rules directly applicable
to Business Associates through the HITECH Act.
b. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required
by this BAA, the Privacy and Security Rules, the Agreement, or as required by law. Such disclosures shall be
consistent with the "minimum necessary" requirements of the Regulations.
c. Business Associate agrees to use reasonable and appropriate safeguards to protect against the use or disclosure
of the Protected Health Information other than as provided for by this BAA or the Agreement.
d. Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to
Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of
the requirements of this BAA.
Contract # 03137191
Wj
September 14, 2021
Packet Pg. 1075
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
e. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information
not provided for by the BAA of which it becomes aware.
f. Business Associate shall notify Covered Entity of a breach of the Privacy Rule relating to the impermissible use
or disclosure of Protected Health Information provided to the Business Associate for purposes of carrying out
its obligations under the Agreement. Unless otherwise required by law or agreed to by the parties, it shall be the
responsibility of Covered Entity to communicate with affected individual(s), the Secretary and the media
information regarding the unintended use or disclosure.
g. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected
Health Information received from, or created or received by Business Associate on behalf of Covered Entity
agrees to the same or similar restrictions and conditions that apply through this BAA to Business Associate with
respect to such information.
h. If Business Associate maintains Protected Health Information in a Designated Record Set for Covered Entity,
Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner
mutually agreed upon by the parties, to Protected Health Information in a Designated Record Set, to Covered
Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR
§ 164.524 of the Regulations. In the event a request for access is delivered directly to Business Associate by an
Individual, Business Associate shall as soon as possible, forward the request to Covered Entity.
i. If Business Associate maintains Protected Health Information in a Designated Record Set for Covered Entity,
Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record
Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 of the Regulations at the request
of Covered Entity or an Individual, and in the time and manner mutually agreed upon by the parties. In the event
a request for amendment is delivered directly to Business Associate by an Individual, Business Associate shall
as soon as possible, forward the request to Covered Entity.
j. Business Associate agrees to make internal practices, books, and records, including policies and procedures and
Protected Health Information, relating to the use and disclosure of Protected Health Information received from,
or created or received by Business Associate on behalf of Covered Entity available to the Secretary, in a time
and manner reasonably designated by Secretary, for purposes of the Secretary determining Covered Entity's
compliance with the Regulations.
k. Business Associate agrees to document such disclosures of Protected Health Information and information related
to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an
accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 of the
Regulations.
1. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner mutually agreed,
information collected in accordance with Section 2(k) of this BAA, to permit Covered Entity to respond to a
request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45
CFR § 164.528 of the Regulations. In the event a request for accounting is delivered directly to Business
Associate by an Individual, Business Associate shall as soon as possible, forward the request to Covered Entity.
m. Notwithstanding anything to the contrary in the Agreement, any reporting or notification obligations of Business
Associate pursuant to this BAA shall be provided to Covered Entity's registered email address and shall satisfy
any such reporting or notification requirements under this BAA.
3. Permitted Uses and Disclosures by Business Associate.
a. Except as otherwise limited in this BAA, Business Associate may use or disclose Protected Health Information
to perform functions, activities or services for, or on behalf of, Covered Entity in connection with the BAA and
any other agreements in effect between Covered Entity and Business Associate, including without limitation the
provision of software implementation and support services, provided that such use or disclosure would not
violate the Regulations if done by Covered Entity.
b. Except as otherwise expressly limited in this BAA, Business Associate may use Protected Health Information
for the proper management and administration of Business Associate or to carry out the legal responsibilities of
Business Associate.
c. Except as otherwise expressly limited in this BAA, Business Associate may disclose Protected Health
Information for disclosures that are Required By Law, or if Business Associate obtains reasonable assurances
from the person to whom the information is disclosed that it will remain confidential and used or further
disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person
notifies the Business Associate of any instances of which it is aware in which the confidentiality of the
information has been breached.
Contract # 03137191
13
September 14, 2021
Packet Pg. 1076
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
d. Except as otherwise expressly limited in this BAA, Business Associate may use Protected Health Information
to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B) and in
accordance with the Documentation.
e. Business Associate may de -identify any PHI, provided such de -identification conforms to the requirements of
45 CFR § 164.514(b), including without limitation any documentation requirements. Business Associate may
Use or Disclose such de -identified information at its discretion, as such de -identified information does not
constitute PHI and is not subject to the terms of this BAA; provided that such Use or Disclosure is consistent
with the underlying Agreement and applicable law.
f Business Associate may use Protected Health Information to report violations of law to appropriate Federal and
State authorities, consistent with 45 CFR § 164.5020)(1).
4. Obligations of Covered Entity.
a. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered
Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or
disclosure of protected health information.
b. Covered Entity shall notify Business Associate of any changes in or revocation of, the permission by an
individual to use or disclose his or her protected health information, to the extent that such changes may affect
the Business Associate's use or disclosure of protected health information.
c. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of protected health
information that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent
that such restriction may affect Business Associate's user or disclosure of protected health information.
d. Covered Entity shall not request Business Associate to use or disclose protected health information in any
manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
5. Electronic Data Security. Business Associate agrees to implement administrative, physical and technical
safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic
Protected Health Information that it creates, receives, maintains or transmits to or on behalf of Covered Entity as required
by the Regulations. Business Associate further agrees to ensure that any agent, including a subcontractor, to whom it
provides such information, agrees to implement reasonable and appropriate safeguards to protect it. Business Associate
agrees to promptly report to Covered Entity any Security Incident of which it becomes aware, provided that this BAA
shall constitute notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but
unsuccessful Security Incidents including, but not be limited to, pings and other broadcast attacks on Business Associate's
firewall, port scans, unsuccessful log -on attempts, denials of service and any combination of the foregoing, so long as
any such incident does not result in unauthorized access, use or disclosure of PHI or material disruption of Business
Associate's information systems.
6. Termination.
a. Except as otherwise provided herein, this BAA shall terminate upon termination of the Agreement.
b. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate of this
BAA, Covered Entity may:
1. Provide a reasonable opportunity for Business Associate to cure the material breach or end the material
violation and if Business Associate does not cure the material breach or end the material violation
within a reasonable time, Covered Entity may terminate this BAA and the provisions of the Agreement
that require or permit Business Associate to access Protected Health Information;
2. If Business Associate has breached a material term of this BAA and cure is not possible, immediately
terminate this BAA and the provisions of the Agreement that require or permit Business Associate to
access Protected Health Information; or
3. If neither termination nor cure is feasible, report the violation to the Secretary.
If Covered Entity breaches, Business Associate may terminate this BAA and any Underlying Agreement 30
days after written notice.
c. Effect of Termination.
1. Except as provided in paragraph (2) of this section, upon termination of this BAA, for any reason,
Business Associate shall return or destroy all Protected Health Information received from Covered
Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall
Contract # 03137191 14 September 14, 2021
Packet Pg. 1077
DocuSign Envelope ID: 3A290D98-9395-4EBF-9D44-9519960B99C4
16.D.5.c
apply to Protected Health Information that is in the possession of subcontractors or agents of Business
Associate. Business Associate shall retain no copies of the Protected Health Information.
2. In the event that Business Associate determines that returning or destroying the Protected Health
Information is infeasible, Business Associate shall provide to Covered Entity notification of the
conditions that make return or destruction infeasible. In such event, Business Associate shall extend
the protections of this BAA to such Protected Health Information and limit further uses and disclosures
of such Protected Health Information to those purposes that make the return or destruction infeasible,
for so long as Business Associate maintains such Protected Health Information. Except as provided
herein, any termination of the maintenance program or provisions of the Agreement that permit
Business Associate to access Protected Health Information shall not affect the parties' other obligations
or rights under the Agreement.
7. Miscellaneous.
a. Changes to Regulations. If the Regulations are amended in a manner that would alter the obligations of WellSky
as set forth in this BAA, then the parties agree in good faith to negotiate mutually acceptable changes to the
terms set forth in this BAA.
b. Survival. The respective rights and obligations of Business Associate under Section 6(c) of this BAA shall
survive the termination of this BAA.
c. Minimum Necessary. Covered Entity shall only provide a minimum amount of Protected Health Information
necessary for the Business Associate to satisfy its obligations under the Agreement.
d. Interpretation. Any ambiguity in this BAA shall be resolved to permit compliance with the Regulations.
e. Incorporation. Except for Covered Entity, no third -party may rely on the terms, conditions, rights, remedies, or
obligations hereunder. The terms of this BAA are fully incorporated in and subject to the terms of the
Agreement.
f. Governing Law. The choice of law and venue applicable to this BAA shall be the same as the choice of law
and venue that are applicable to the Agreement.
Contract # 03137191
15
September 14, 2021
Packet Pg. 1078
DocuSign Envelope ID: 9F97B860-8C8F-40C2-8225-CFDOD FD64D48
16.D.5.d
I:11►510401113010I12Y Y
TO THE
MASTER LICENSE AND SERVICES AGREEMENT
THIS AMFg1� nffiT NO. 2 to the Master and License and Services Agreement (this
"Amendment") is effective // , 2022 (the "Amendment Effective Date"), by and between Bowman
Systems, L.L.0 ("Bowman") and Collier Hunger and Homeless Coalition, ("Customer").
Recitals:
WHEREAS, Bowman and Customer entered into that certain Master License and Serivices
Agreement (the "Agreement") dated February 16, 2017;
WHEREAS, Bowman was acquired by Mediware Information Systems, Inc.
WHEREAS, Bowman was a wholly -owned subsidiary of Mediware Information Systems, Inc.
WHEREAS, Bowman merged into Mediware Information Systems, Inc.
WHEREAS, Mediware Information Systems, Inc. changed its name to WellSky Corporation.
WHEREAS, Bowman and Customer desire to modify the terms of the Agreement to change the
name of Bowman to WellSky Corporation as more specifically described herein.
NOW, THEREFORE, in consideration of the foregoing and other good and valuable consideration,
the receipt and sufficiency of which is hereby acknowledged, the parties hereto agree as follows:
1. Terms. Capitalized terms not otherwise defined herein shall have the meaning of such terms as
defined in the Agreement.
2. Amendment to the Agreement.
(a) Any reference to "Bowman Systems, L.L.C." or "Bowman" in the Agreement shall now refer
to "WellSky Corporation" or "WellSky," respectively.
(b) Any reference to the Bowman address shall be deleted and replaced with the following:
WellSky Corporation
11300 Switzer Road
Overland Park, KS 66210
3. Incorporation into Agreement. The terms and conditions of this Amendment shall be
incorporated by reference in the Agreement as though set forth in full therein. In the event of any inconsistency
between the provisions of this Amendment and any other provision of the Agreement, the terms and provisions of
this Amendment shall govern and control. Except to the extent specifically amended or superseded by the terms of
this Amendment, all of the provisions of the Agreement shall remain in full force and effect to the extent in effect on
the date hereof. The Agreement, as modified by this Amendment, constitutes the complete agreement among the
parties and supersedes any prior written or oral agreements, writings, communications or understandings of the
parties with respect to the subject matter thereof.
4. Section Headings. The headings of the Sections hereof are for convenience only and without
substantive meaning and shall not be used in interpreting any provision of this Amendment.
5. Execution in Counterparts. This Amendment may be executed in one or more counterparts,
Contract# 03137158
Packet Pg. 1079
DocuSign Envelope ID: 9F97B860-8C8F-40C2-8225-CFDOD FD64D48
16.D.5.d
each of which shall be deemed an original, but all of which together shall constitute one instrument. Facsimile
copies shall be deemed originals in all respects.
IN WITNESS WHEREOF, the parties have caused this Amendment to be executed by their
respective officers or agents thereunto duly authorized, to be effective as of the date first written above.
[SIGNATURES TO FOLLOW]
COLLIER HUNGER AND HOMELESS
COALITION: I
By: 71k'r- G Ord I��I, ,aid owl rW',
Name: Michael
Title: Executive Director
WELLSKY CORPORATION F/K/A BOWMAN
SYSTEMS, LLC
By: S at,Lla�!:r4
Name: Stephen Greenberg
Title: SVP Human & Social Services
Contract# 03137158
Packet Pg. 1080
16.D.5.e
HUNGER &
HOMELE55
COALITION
of c•:L L'ER ooLrgn
Agency Partnership Agreement
Continuum of Care (CRN)
The Collier County Hunger & Homeless Coalition Lead Agency
& Community Resource Networks
This Agreement is entered on this day of 2023 between The Collier County Hunger &
Homeless Coalition Lead Agency on Homelessness in Collier County Florida, and Collier County. The
Collier County Hunger & Homeless Coalition, hereafter known as "Lead Agency"_ and Collier County,
hereafter known as "Partner Agency," regarding access and use of the Lead Agency Community Resource
Network, hereafter known as the "CRN". This Agreement is valid for three (3) years from the date listed
above. The Partner Agency also agrees to accept referrals from other CoC programs and provide program
assistance in the Continuum of Care to assist with the Coordinated Assessment System.
Please submit as "Attachment All a list of all current programs.
I. Introduction
The Community Resource Network (CRN) is an on-line web based computerized data collection,
searching, sharing, and organizing tool designed to capture client -level information over time on the
characteristics and service needs of persons experiencing homelessness within Southwest Florida. The
Community Resource Network is the component of Lead Agency the Homeless Initiative for the Continuum
of Care, hereafter known as "CRN". The CRN covers the Collier County area. The CRN allows personnel
at Partner Agencies who have been authorized by the Lead Agency to input, use, and retrieve information
concerning their own clients and to share information, subject to agreements and governmental regulations,
on common clients. Through the use of the CRN, The Lead Agency can identify gaps in the local service
continuum and develop appropriate community -oriented responses to addressing the housing and service
delivery needs of persons experiencing homelessness. In addition, Partner Agencies can meet grant reporting
requirements and better serve the needs of their clients.
The Lead Agency is granting Partner Agency the right to utilize the CRN, subject to the terms and
conditions set forth in this Agreement. The comments and definitions contained in the footnotes in this
Agreement are binding and a part of this Agreement. All references to actions taken by or consents or
releases to be signed by a "Client" herein shall include the actions, consents, and releases of the Client's
guardian, where applicable.
The CRN enables fulfillment of the following goals:
a. Improved coordinated care for and services to homeless people.
b. Automated processes to replace manual processes (when practical).
c. Meeting reporting requirements including U.S. Department of Housing and Urban Development
(HUD) and non -HUD reports.
d. Minimally impacting automated systems of current providers.
e. Complying with all state and federal requirements regarding client/consumer confidentiality and data
security (HIPAA, etc.).
f. Delivering timely, credible, quality data about services and homeless people to the community.
g. Increased CRN participation by homeless providers in the Continuum of Care; and
h. A user-friendly system for providers and clients.
The Lead Agency provides oversight for the CRN and contracts with Wellsky, the developer, provider, and
host of the software that houses the CRN and the associated ART reporting database. The Lead Agency is
responsible for granting and limiting Partner Agencies' access to The CRN database. Utilizing a variety of
methods, the Lead Agency intends to protect, to the utmost of its ability, the CRN data from any
unauthorized modification, disclosure, corruption, destruction or inappropriate use.
Packet Pg. 1081
16.D.5.e
HUNGER &
HOMELESS
COALITION
'-r
Designed to benefit multiple stakeholders', the CRN, when used correctly and faithfully, will improve
knowledge about homeless people --their services and service needs, and may result in a more effective
and efficient service delivery system.
H. Confidentiality (45 CFR 164.308 ((b))
A. The Partner Agency and Lead Agency will comply with relevant and governing federal and
state confidentiality regulations and laws that protect client records and will only release
confidential client record's with consent by the clientz, or the client's guardian3, unless otherwise
provided for in regulations or laws.
1. The Partner Agency and Lead Agency will abide specifically, when applicable, by federal
confidentiality regulations as regarding disclosure of medical, alcohol and/or drug abuse records. In
general terms, the federal rules prohibit the disclosure of medical, alcohol and/or drug abuse records a
unless disclosure is expressly permitted by written consent of the person to whom it pertains or as
U)
otherwise permitted. A general authorization for the release of medical or other information is not =
necessarily sufficient for this purpose. The Partner Agency and Lead Agency understand. the federal w
rules that restrict any use of the information to criminally investigate or prosecute any alcohol or drug CIA
abuse patients. It is the responsibility of the Partner Agency to ensure that it remains informed and N
knowledgeable about all requirements of the rules and regulations governing its activities, and to stay N
abreast of new rules and regulations and interpretations thereof, and promptly instituting procedures cfl
designed to fully comply therewith. r
2. The Partner Agency and Lead Agency will abide specifically, when applicable, with the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) and corresponding regulations passed
by the Federal Department of Health and Human Services. In general, the regulations provide
consumers with rights to control the release of medical information, including the right: to give
advance consent prior to disclosures of health information; to see a copy of health records; to request a
correction. to health records; to obtain documentation of disclosures of health information; to obtain an.
explanation of privacy rights and. to be informed about how information may be used or disclosed. The
current regulation provides protection for paper, oral and electronic information.
3. The Partner Agency and Lead Agency will abide by Florida State Laws and Federal Laws related to
confidentiality and security of domestic violence, medical, mental health and substance abuse
information as found in any Florida State Statutes and other relevant statutes, rules and regulations.
A. The Partner Agency will provide an implied consent to clients by posting a client
agreement form and may also provide an informed consent by keeping on file signed client
agreements, regarding the CRN, as directed by the CRN Policies & Procedures and arrange,
when possible, for a qualified interpreter or translator for an individual not literate in English or
having difficulty understanding the consent. The Lead Agency will ensure and conduct periodic
monitoring and reviews with Partner Agencies to enforce informed consent and confidentiality
standards as written in the CRN Policies & Procedures manual.
4. The Partner Agency shall display the Privacy Notice poster, which informs Clients of their rights, as
directed by the CRN Policies & Procedures manual.
5. Evaluation and research will only use de -identified Client data except in the case when the Partner
Agency evaluates and researches its own Clients or in the case where the Partner Agency is a sub
grantee and has an agreement in place to share Client data with the grantee. In all cases, the Partner
Agency and Lead Agency shall maintain compliance with all state and federal laws regarding research, CAp
evaluation and confidentiality of individual client identities.
Packet Pg. 1082
16.D.5.e
HUNGER&
HOMELSS
COALITION
6. The Partner Agency and Lead Agency will not divulge any confidential information received from
or for the CRN to any organization or individual without proper informed consent by the Client (or
guardian where appropriate) unless otherwise permitted by relevant regulations or laws.
7. The Partner Agency and Lead Agency will ensure that every person issued a User Identification
and Password to the CRN will comply with the following:
a. Read, sign and abide by the requirements of the User Policy, Responsibility Statement and.
Code of Ethics Agreement stating an understanding of, and agreement to comply with CRN
confidentiality requirements, policies, and procedures.
b. Obtain, read and abide by the CRN Policies & Procedures manual; and
c. Register for a unique User I.D. and password and not share or reveal that information with
other individuals. A User shall promptly report to Partner Agency and Lead Agency if the confidentiality of
such unique User I.D. and password has been or may have been compromised. In such event, a new User
I.D. and/or password shall be assigned, and the old one deactivated.
8. The Lead Agency shall ensure that all staff employed by the Lead Agency with access to the
Client database will have background checks conducted and receive basic confidentiality training.
(45 CFR 164.308 ((a)), ((3)), ((ii)), ((A)))
9. Partner Agency shall conduct background checks and provide basic confidentiality training to all
staff, volunteers and other persons issued User IDs and passwords for CRN. Partner Agency shall refer
to their personnel policies, current the Lead Agency CRN Policies and Procedures, and current HUD
Cli
Data and Technical Standards to determine if their staff, volunteers and other persons should be issued W
User IDs and passwords based on the results of the background check. Failure to pass a criminal
background check will result in a CRN License not being issued.
1.1. The Partner Agency shall ensure that appropriate actions are taken against any person associated
with the Partner Agency who violates client confidentiality and/or consent. Appropriate action may
include probation, termination, and/or filing of criminal charges by local law enforcement, and prompt
remedial action to contain and reverse the damage caused by such violation. The Partner Agency must
notify the Lead Agency in writing within three business days if such a violation of client confidentiality
and/or consent occurs. The Lead Agency will inquire about any violations as part of the security audit.
12. The Lead Agency shall ensure that appropriate actions are taken against any person associated
with the Lead Agency who violates client confidentiality and/or consent. Appropriate action may
include probation, termination, and/or filing of criminal charges by local law enforcement, and
prompt remedial action to contain and reverse the damage caused by such violation.
13. The Partner Agency and Lead Agency understand that the CRN application is secured by a user
authentication process, audit trails, data encryption (45 CFR 164.310 ((a)), ((2)), ((iii))) of at least 128-
bit for electronic data submission and data storage in binary and encrypted format. Partner Agency and
Lead Agency shall ensure that their respective users do not take any action to compromise, circumvent
or overcome such security features, or in any way to interfere with the proper and efficient operation
and administration of the CRN. Partner Agency and Lead Agency shall further ensure that its
authorized users do not attempt to access or use the CRN in a manner that exceeds their authorized
access level.
14. The Partner Agency and Lead Agency understand the server, which contains all Client
information, including encrypted identifying Client information, will be located at an appropriate
location as determined by Wellsky.
B. The Partner Agency and Lead Agency understand that Wellsky, Lead Agency, and C�'Q
the Lead Agency CRN are custodians of data, and not owners of data.
Packet Pg. 1083
16.D.5.e
HUNGER &
HOMELESS
COALITION
0
1. In the event the CRN ceases to exist, and the Lead Agency CRN does not elect to arrange
for the migration of the CRN to a different host or platform, the Lead Agency will notify
Partner Agency and provide a 60 day time period for the Partner Agency to access and save
agency specific client data, statistical data and frequency data from the entire system. Then,
the centralized server database will be purged or stored. If the latter occurs, the data will
remain in an encrypted state. Stored data may subsequently be used to populate an alternate
system for the administration of the CRN or other similar system.
m
2. In the event the Lead Agency ceases to administer the CRN, and another organization a
takes over administration of the data, the Lead Agency or its successor agency will inform, in a Q
timely manner, all affected Partner Agencies. g
L
3. If the Partner Agency ceases to exist, it shall notify and work with the Lead Agency to
determine the appropriate disposition of Partner Agency's data, including the transfer of the
a
data to a successor agency. N
4. If the Partner Agency chooses to withdraw from the CRN, the Partner Agency shall notify
the Lead Agency of intended withdrawal date. The Lead Agency shall allow sixty days for the w
Partner Agency to access and save its specific Client data, statistical data and frequency data
from the entire system. The Partner Agency is financially responsible for extracting its data.
M
N
5. In the event Wellsky ceases to exist, the Lead Agency will notify Partner Agencies in a �?
timely manner of the expected consequences of this event, and of a substitute service
provider, if any. In the event that Wellsky ceases to exist, they have committed to
transferring the CRN data to a third -party system. (Includes lines 1-5 45 CFR 164.308 a
((a)), ((�)), ((n)), ((D)), ((E)))
M. Data Entry and/or Regular Use
A. User Identification and Passwords are not permitted to be shared among users.
B. If a Partner Agency has entered a Client's basic identifying information, non -confidential service
transactions, confidential information and service records, AND has noted participation in the CRN as
directed by the CRN Policies & Procedures manual/ CRN Software manual, the Lead Agency and
other parties will be entitled toassume that a Client gave consent for such access.
C. In the event that a Client would like to rescind consent to participate in the CRN completely, the
Partner Agency at which her/his desire is expressed, will work with the Client to complete a brief
form 4, and Partner Agency will record in the software that the Client revoked authorization to
participate in the CRN as instructed by the CRN Policies & Procedures manual. Partner
Agency will still be able to access that record, but Client information will not be used in any CRN from
that point forward. Information about a client will remain in the central database for a minimum of
seven years after the client last received services, and after that period of time as required by law or the
agency policy and will remain accessible by the Partner Agency, which provided services to the Client
for reporting purposes.
D. The Partner Agency will enter information in the CRN about individuals for whom they enroll in a
program and/or those who are participants in one or more of the agency programs.
E. Partner Agency will not enter any fictitious or misleading Client data on an individual or family in
CRN, with the exception of alias names intentionally entered to aid in search of the record, contact or C, sp
communication with a client.
Packet Pg. 1084
16.D.5.e
HUNGER &
HOMELESS
COALITION
F. The Partner Agency will not misrepresent the number of Clients served or the type of services or
beds provided in the CRN by entering known, inaccurate information (i.e. Partner Agency will not
purposefully enter inaccurate information on a new record or to over -ride information entered by
another agency).
G. The Partner Agency will enter information into the CRN per agency and CRN adopted standards +.
and will strive for real-time, or close to real-time, data entry. Real-time or close to real-time is
defined by either immediate data entry upon seeing a client, or data entry into the CRN within five m
business days. Compliance will be monitored by the Lead Agency as part of the audit process.
a
a
H. The Partner Agency understands that a Client Sharing Agreement permits it to share confidential g
Client information with select agencies.' i
a�
c
I. Discriminatory comments by an employee, volunteer, or other person acting on behalf of the a
Partner Agency based on race, color, religion, national origin, marital status, political affiliation, N
sexual orientation, gender identity or expression, status regarding public assistance, disability, age or
military status are not permitted in CRN. Offensive language and profanity are not permitted in the =
CRN. This does not apply to the input of direct quotes by a client IF the Partner Agency believes that 00
w
it is essential to enter these comments for assessment, service and treatment purposes. Clients not N
willingly participating in CRN may also be denied services from the participating CRN agency.
M
N
J. The Partner Agency and Lead Agency will utilize CRN for valid business purposes only, which �?
are for the purposes of fulfilling the goals listed on page 1 of this agreement (Section I, a.-h.).
a�
c
K. The Partner Agency understands the Lead Agency will provide initial training and periodic a
updates to that training to assigned Partner Agency staff about the use of CRN. Partner Agency shall
be responsible for conveying such new information and training to other staff using the CRN within
the Partner Agency. New user trainings are conducted ad -hoc as needed. Partner Agencies are m
responsible for contacting Lead Agency for current trainings schedules. W
a
Q
L. All technical support requests from CRN users shall be submitted per Partner Agency protocol.
All technical support requests and inquiries shall. then be directed. to the Lead Agency by the a
designated person(s) within that agency. The Partner Agency shall not contact the vendor, Wellsky, Q
directly. If this occurs, the vendor will refer the Partner Agency back to the Lead Agency or the CRN
Policy Committee. The Partner Agency understands the Lead Agency will provide staff technical
support according to the following: vn
Technical support will be provided Monday -Friday 9:00 am. to 4.00 p.m. Eastern Standard Time
Support telephone numbers and email addresses will be provided to Partner Agencies upon signing of
this Agreement. Lead Agency will ensure that any support calls are responded to according to the chart
below provided that all available numbers and email addresses have been accessed.
Packet Pg. 1085
16.D.5.e
HUNGER &
HOMELESS
COALITION
>,
a
Technical Support Assistance Response Times
Severity
Description
Lead Agency (SA) Response
1
Major system or component is
During normal business hours, Lead
inoperative which is critical to the
Agency will contact Wellsky within 1
Partner Agency's business
hour.
2
Partner Agency is impacted by service
Lead Agency will respond to requests
delay but is still able to maintain
made by phone within one business day
business function
and respond to requests made by email
within two business days.
3
The problem has a reasonable
Lead Agency will respond to requests
circumvention and the Partner Agency
made by phone within one business day
can continue with little loss of
and respond to requests made by email
efficiency
within two business days.
4
The call requires minor action or is for
Lead Agency will respond to requests
informational purposes only
made by phone within one business day
and respond to requests made by email
within two business days.
All response times are subject to Wellsky corresponding prompt response and are not guaranteed.
M
N
M. The Partner Agency and Lead Agency will maintain the required HUD technical standards.
N. Transmission of material in violation of any United States federal or state law or regulation
is prohibited and includes, but is not limited to: copyright material, material legally judged to be
threatening or obscene, and material considered protected by trade secret or in any other manner
violate the proprietary rights of others.
O, Partner Agency assumes financial responsibility for virus protection software, and any
damages or liabilities that arise from its failure to utilize same.
P. The Partner Agency and Lead Agency will not use CRN with intent to defraud the federal,
state or local government or an individual entity, or to conduct any illegal activity.
Q. The Partner Agency recognizes the CRN User Group will serve as a discussion center regarding
CRN, including CRN process updates, policy and practice guidelines, data analysis, and
software/hardware upgrades. The Partner Agency will designate an Agency staff member to attend
CRN User Group meetings regularly and understands that the Lead Agency will continue to be
responsible for coordinating the CRN User Group activities.
R. The Partner Agency acknowledges that in the case of federal requirements or when approved by
the Lead Agency, other agencies will periodically have access to de -identified data to ensure the
information generated by or through the CRN presents an accuratepicture of homelessness and
services to homeless people in the Continuum of Care.
S. Each Partner Agency assumes responsibility for (its) staff and users' compliance with the CRN
data quality policy in regard to requirements for data entry and use of the CRN. To assess the quality
of data and reports generated by the system, the Lead Agency6 will conduct periodic monitoring and
reviews on data, although such monitoring or any failure to monitor shall not relieve Partner Agency
of its responsibilities hereunder.
C ,O
Packet Pg. 1086
16.D.5.e
HUNGER &
HOMELESS
COALITION
These include and are not limited to the following: (45 CFR 164.308 ((a)), ((I)), ((ii)), ((B)))
1. Quality of data entered by Partner Agencies
a. Inappropriate and/or duplicate records
b. Untimely and/or inaccurate information
c. Missing required data elements
2. Operation of the software
3. Reporting functionality
4. Compliance with the HEARTH Act.
5. Agrees to accept referrals for homeless services and or shelter beds from other CoC
partners and. work within the guidelines of the coordinated assessment process.
Lack of compliance with these requirements will lead to the possible loss of reporting privileges,
CoC resources, funding, and/or access to CRN.
T. Partner Agencies with Site Administrators must notify their Site Administrator in writing within 3
business days of any changes needed to a User ID including, but not limited to, new User ID issuance,
new personnel, and released or terminated personnel.
U. Partner Agencies without Site Administrators must notify Lead Agency in writing within 3
business day of any changes needed to a User ID including, but not limited to, new User ID
issuance, new personnel, and released or terminated personnel.
N
IV. Reports
A. The Partner Agency understands that it will retain access to all identifying and statistical data on
the Clients it serves.
B. The Partner Agency understands that before non -identifying system -wide aggregate
information collected by the CRN is disseminated to funders, state officials, etc., the request must
be approved by the Lead Agency.
V. Proprietary Rights and Database Integrity
A. The Partner Agency will not give or share assigned user identification and passwords to access
the CRN with any other organization, governmental entity,, business, media, or individual.
B. The Partner Agency will not cause in any manner, or way, corruption of the CRN. Any
unauthorized access or unauthorized modification to computer system information or interference with
normal system operations, whether on the equipment housed by Wellsky or the Lead Agency or any
computer system or network related to the CRN will result in immediate suspension of user license.
VI. Hold Harmless
A. The Partner Agency shall indemnify, save, defend, and hold harmless the Agency and its agents
and employees from any and all claims, demands, actions, causes of action of whatever nature or
character, arising out of or by reason of the execution of this agreement or performance of the
services provided for herein. It is understood and agreed the Partner Agency is not required to
indemnify the Lead Agency for claims, demands, actions or causes of action arising solely out of
the Partner Agency's negligence.
C,�,c
Packet Pg. 1087
16.D.5.e
+�y HUNGER &
���.. HOMELESS
tf�,t COALITION
B. Except to the extent permitted by s.768.28, F.S., or other Florida law, Paragraph 15 is not
applicable to contracts executed between the Department and state agencies or subdivisions
defined in s.768.28.F.S.
Vff. Lead Agency Responsibilities
A. Lead Agency agrees to contract with Wellsky for CRN software development and maintenance.
B. Lead Agency agrees to maintain Project Management Staff, who will provide training,
implementation, technical assistance and support to the Partner Agencies.
C. Lead Agency agrees to perform its duties in accordance with the CRN Policies & Procedures manual
and Statement of Work.
VIH. Dispute Resolution and Appeals
A. If the Partner Agency disagrees with any element of this Agreement, it shall make every
effort to address and resolve those issues with the Lead Agency
B. CRN will make every effort to resolve the issue; however, if the issue cannot be N
adequately resolved at this level, the Lead Agency Board shall recommend a process to �?
reach a resolution.
I.X. Terms and Conditions
A. The parties hereto agree that this Agreement is the complete and exclusive statement of the
agreement between parties and supersedes all prior proposals and understandings, oral and written,
relating to the subject matter of this Agreement.
B. Partner Agency shall not transfer or assign any rights or obligations under this Agreement without
the written consent of the Lead Agency.
B. This Agreement shall remain in -force until revoked in writing by either party with 30 days
advance written notice. The exception to this term is if allegations, or actual incidences, arise
regarding possible, or actual, breaches of this Agreement or jeopardy to the integrity of the CRN
by Partner Agency action or inaction. Should such situation arise, the Lead Agency may
immediately suspend access to the CRN until the allegations are resolved to protect the integrity
of the system, and if such resolution is not timely achieved, to terminate this Agreement.
Termination of this Agreement shall in no manner impact the Partner Agency's obligations of
indemnification, confidentiality and system integrity/security, all of which shall survive
termination of the Agreement.
1. When the Lead Agency becomes aware of a possible or actual incident, it shall make a
reasonable effort to address its concerns with the Executive. Director of the Partner Agency
prior to acting.
2. If the Lead Agency believes that the breach by a Partner Agency's such that it may damage
the integrity of the central database and the information in the central database for the Partner
Agency or any other Agency, it may take immediate steps to suspend the Partner Agency's
access to the CRN prior to addressing the concerns with the executive level of the Partner
�A
Packet Pg. 1088
16.D.5.e
1 HUNGER &
HOMELESS
COALITION
Agency. The Lead Agency will then address the concern with the executive level of the
Partner Agency to resolve the issue.
3. Action with a Partner Agency may include the provision of training and technical
assistance, suspension of access to the central database or other appropriate measures to
ensure that the data integrity is maintained.
D. This Agreement may be modified or amended by written agreement executed by both parties.
E. AlI responsibilities and obligations regarding the protection or destruction of confidential client
information shall survive the termination of this agreement.
F. Neither party may re -assign this agreement without the prior written consent of the other party.
Foot Notes:
' Provider agencies, homeless persons, HUD, the Lead Agency Board and stakeholder members, government
agencies, funders and the community.
2 Anyone who receives services from an agency `x
s Anyone legally in charge of the affairs of a minor or of a person deemed incompetent, according to the laws of the ao
State of Florida. All references to "client' in this Agreement also apply to "client's guardian." w
N
a Form Provided by Lead Agency — Revocation of Authorization for Release of Information N
5 Form provided by the Lead Agency— Client Sharing Agreement Form ROI M
6 The Lead Agency may conduct these reviews or may accept a similar review by another organization as evidence N
of compliance by the Partner Agency. r
Use of the CRN SYSTEM constitutes acceptance of these Terms and Conditions.
C,�C
Packet Pg. 1089
16.D.5.e
ATTEST:
CRYSTAL K. KINZEL, CLERK
Dated:
, Deputy Clerk
(SEAL)
WITNESSES:
Witness #1 ',nature
Witness #1 rinted Name
Witnes #2 gnature
N (a& a , I aw
Witness #j Printed Name
Approved as to form and legality:
Derek D. Perry
Assistant County Attorney
N\`l��O
r
Date:
BOARD OF COUNTY COMMISSIONERS OF
COLLIER COUNTY, FLORIDA
Rick LoCastro, Chant man
Date:
COLLIER COUNTY HUNGER & HOMELESS
COALITION, INC.
By:
DR. THOMAS FELKE, OARD CE CHAIR
Date:
2
M
N
to
C' ,p
Packet Pg. 1090
16.D.5.e
HUNGER &
HOMELESS
GOALITI.0N
PARTNER AGENCY USER INFORMATION:
Full Name: Carolyn Noble
Title: Grant Coordinator
Address: 3339 Tamiami Trail E, Suite 213, Naples, FL 34112
Email: carolyn.noble@colliercountyfl.gov
Phone: 239-450-5186
M
N
w
Packet Pg. 1091
Collier County CRN – Standard Operating Procedures Manual
1 | P a g e
Collier County Hunger & Homeless Coalition
Lead Agency
CRN Standard Operating Procedures
(Updated) November 27, 2019
V. 4.0
Exhibit I
Collier County CRN – Standard Operating Procedures Manual
2 | P a g e
Table of Contents
Introduction: CRN Objectives
Section 1: Contractual Responsibilities (HIPPA 164.104 except section 01-130)
01-010 CRN Lead Agency Responsibilities
01-020 CRN Steering Committee Responsibilities
01-030 CRN Project Manager/System Administrator (45 CFR 164.308 (a)(2))
01-040 CRN User Group Responsibilities
01-050 CRN Agency Executive Director Responsibilities
01-060 CRN Agency Super User Responsibilities
01-070 CRN Agency End User Responsibilities
Section 2: Implementation Policies & Procedures (Includes Sections: 02-010-030 45 CFR
164.308 (a)(1)(ii)(C)))
02-010 CRN Participation Policy
02-020 CRN Initial Participation Requirements
02-030 CRN Agency Information Security Protocol Requirements
02-040 CRN Agency Hardware, Connectivity and Security Requirements (45 CFR 164.308
(a)(2))
02-050 CRN User Implementation Requirements (45 CFR 164.308 (a)(2))
Section 3: Operational Policies & Procedures (Includes 03-010-060 45 CFR 164.308
(a)(4)(ii)(B)and (C))))
03-010 CRN Agency Set-up Procedure
03-020 CRN User Set-up Procedure
03-030 CRN User Access Levels
03-040 CRN User Training Requirements
03-050 CRN Client Set-up Procedure
03-060 CRN Client Notification Policies & Procedures
03-070 CRN Data Collection Requirements (Includes Sections: 03-070-090 45CFR 164.308
(a)(1)(ii)(A))))
03-080 CRN Interagency Data Sharing
03-090 CRN Information Sharing Referral Procedures
Section 4: Security Policies and Procedures (Includes Sections: 04-010-020 45 CFR 164.306
(b))
04-010 System Access Control Policies & Procedures
04-020 Data Access Control Policies & Procedures
04-030 Auditing Policies & Procedures (45 CFR 164.308 (a)(1)(ii)(D)))
Collier County CRN – Standard Operating Procedures Manual
3 | P a g e
Section 5: Internal Operating Policies & Procedures (All included 45 CFR 164.308
(a)(5)(ii)))
05-010 System Availability Policies & Procedures
05-020 Technical Support Policies & Procedures
Section 6: Data Ownership, Usage & Release Policies & Procedures (Includes Sections: 06-
010-020 45 CFR 164.310 (a)(2)(IV)
06-010 De-duplication Policies & Procedures
06-020 Data Quality Policies & Procedures
06-030 Data Ownership Policies & Procedures (Includes Sections: 06-030-060 45 CFR 164.308
(a)(3)(ii)(B))))
06-040 Data Classification Policies & Procedures
06-050 Data Uses & Disclosures Policies & Procedures
06-060 Data Release Policies & Procedures
Collier County CRN – Standard Operating Procedures Manual
4 | P a g e
Revisions control page
Date Summary of changes made Changes made by (Name)
4-3-17 Plan review Michael Overway, CRN
Administrator
10-10-18 Plan Review Michael Overway, CRN
Administrator
11-27-19 Plan Review Michael Overway, ED and
Nadja Joseph CRN
Administrator
It is the intent of this manual to ensure the Collier County Continuum of Care FL 606 remains in
compliance with 24 CFR HEARTH ACT, passed by Congress in 2009.
Collier County CRN – Standard Operating Procedures Manual
5 | P a g e
HUD Definitions per 24 CFR 576.2
576.2 Definitions.
Homeless means:
(1) An individual or family who lacks a fixed, regular, and adequate nighttime residence,
meaning:
(i) An individual or family with a primary nighttime residence that is a public or private
place not designed for or ordinarily used as a regular sleeping accommodation for human
beings, including a car, park, abandoned building, bus or train station, airport, or camping
ground;
(ii) An individual or family living in a supervised publicly or privately operated shelter
designated to provide temporary living arrangements (including congregate shelters,
transitional housing, and hotels and motels paid for by charitable organizations or by
federal, state, or local government programs for low-income individuals); or
(iii) An individual who is exiting an institution where he or she resided for 90 days or less
and who resided in an emergency shelter or place not meant for human habitation
immediately before entering that institution;
(2) An individual or family who will imminently lose their primary nighttime residence,
provided that:
(i) The primary nighttime residence will be lost within 14 days of the date of application for
homeless assistance;
(ii) No subsequent residence has been identified; and
(iii) The individual or family lacks the resources or support networks, e.g., family, friends,
faith-based or other social networks, needed to obtain other permanent housing;
(3) Unaccompanied youth under 25 years of age, or families with children and youth, who do
not otherwise qualify as homeless under this definition, but who:
(i) Are defined as homeless under section 387 of the Runaway and Homeless Youth Act (42
U.S.C. 5732a), section 637 of the Head Start Act (42 U.S.C. 9832), section 41403 of the
Violence Against Women Act of 1994 (42 U.S.C. 14043e-2), section 330(h) of the Public
Health Service Act (42 U.S.C. 254b(h)), section 3 of the Food and Nutrition Act of 2008 (7
U.S.C. 2012), section 17(b) of the Child Nutrition Act of 1966 (42 U.S.C. 1786(b)) or
section 725 of the McKinney-Vento Homeless Assistance Act (42 U.S.C. 11434a);
Collier County CRN – Standard Operating Procedures Manual
6 | P a g e
(ii) Have not had a lease, ownership interest, or occupancy agreement in permanent housing
at any time during the 60 days immediately preceding the date of application for homeless
assistance;
(iii) Have experienced persistent instability as measured by two moves or more during the
60-day period immediately preceding the date of applying for homeless assistance; and
(iv) Can be expected to continue in such status for an extended period of time because of
chronic disabilities, chronic physical health or mental health conditions, substance
addiction, histories of domestic violence or childhood abuse (including neglect), the
presence of a child or youth with a disability, or two or more barriers to employment, which
include the lack of a high school degree or General Education Development (GED),
illiteracy, low English proficiency, a history of incarceration or detention for criminal
activity, and a history of unstable employment; or
(4) Any individual or family who:
(i) Is fleeing, or is attempting to flee, domestic violence, dating violence, sexual assault,
stalking, or other dangerous or life-threatening conditions that relate to violence against the
individual or a family member, including a child, that has either taken place within the
individual's or family's primary nighttime residence or has made the individual or family
afraid to return to their primary nighttime residence;
(ii) Has no other residence; and
(iii) Lacks the resources or support networks, e.g., family, friends, faith-based or other
social networks, to obtain other permanent housing.
At risk of homelessness means: (1) An individual or family who:
(i) Has an annual income below 30 percent of median family income for the area, as
determined by HUD;
(ii) Does not have sufficient resources or support networks, e.g., family, friends, faith-based
or other social networks, immediately available to prevent them from moving to an
emergency shelter or another place described in paragraph (1) of the “homeless” definition
in this section; and
(iii) Meets one of the following conditions:
(A) Has moved because of economic reasons two or more times during the 60 days
immediately preceding the application for homelessness prevention assistance;
(B) Is living in the home of another because of economic hardship;
(C) Has been notified in writing that their right to occupy their current housing or living
situation will be terminated within 21 days after the date of application for assistance;
Collier County CRN – Standard Operating Procedures Manual
7 | P a g e
(D) Lives in a hotel or motel and the cost of the hotel or motel stay is not paid by
charitable organizations or by Federal, State, or local government programs for low-
income individuals;
(E) Lives in a single-room occupancy or efficiency apartment unit in which there reside
more than two persons or lives in a larger housing unit in which there reside more than
1.5 persons reside per room, as defined by the U.S. Census Bureau;
(F) Is exiting a publicly funded institution, or system of care (such as a health-care
facility, a mental health facility, foster care or other youth facility, or correction program
or institution); or
(G) Otherwise lives in housing that has characteristics associated with instability and an
increased risk of homelessness, as identified in the recipient's approved consolidated
plan;
(2) A child or youth who does not qualify as “homeless” under this section, but qualifies as
“homeless” under section 387(3) of the Runaway and Homeless Youth Act (42 U.S.C.
5732a(3)), section 637(11) of the Head Start Act (42 U.S.C. 9832(11)), section 41403(6) of
the Violence Against Women Act of 1994 (42 U.S.C. 14043e-2(6)), section 330(h)(5)(A) of
the Public Health Service Act (42 U.S.C. 254b(h)(5)(A)), section 3(m) of the Food and
Nutrition Act of 2008 (7 U.S.C. 2012(m)), or section 17(b)(15) of the Child Nutrition Act of
1966 (42 U.S.C. 1786(b)(15)); or
(3) A child or youth who does not qualify as “homeless” under this section, but qualifies as
“homeless” under section 725(2) of the McKinney-Vento Homeless Assistance Act (42 U.S.C.
11434a(2)), and the parent(s) or guardian(s) of that child or youth if living with her or him.
Collier County CRN – Standard Operating Procedures Manual
8 | P a g e
Introduction – CRN Objectives
I. Introduction
The Collier County Community Resource Networks (CRN) is administered by the designated
lead agency, The Collier County Hunger & Homeless Coalition, Inc. as the official Community
Resource Network (CRN) of the Continuum of Care (CoC) of Collier County.
Purpose of this manual: This document sets forth the policies, procedures, guidelines, and
standards that govern the CRN System. This manual also outlines the roles and responsibilities
of Collier County Hunger & Homeless Coalition, which is the designated lead agency, and the
participating partner agencies. All users of the CRN System agree to comply with the content of
this manual and to comply with 24 CFR HEARTH ACT data collection. This manual is
approved and amended periodically by the Board of Directors of Collier County Hunger &
Homeless Coalition and CoC Board as deemed necessary.
Vision Statement:
CRN will improve the efficiency and effectiveness of services provided to those in the
community who are homeless or at-risk of homelessness. Our approach will be collaborative and
client-centered, focused on improving the health, recovery, safety, quality of care and,
ultimately, the self-sufficiency of clients.
CRN will follow best practices for data sharing and outcome measurements to provide
accountability to all community partners while respecting client and service provider
confidentiality.
Method:
Collier County Hunger & Homeless Coalition is responsible for the basic architecture,
including staff training, support and overall coordination with the software vendor and
ensuring compliance with applicable confidentiality law and governing standards.
Web-based database management provides client tracking, case management, service and
referral management, bed availability for shelters, resource indexing, and reporting. The
software vendor is Bowman Systems.
Minimum hardware standards provide networking capabilities for data sharing and
communication among participating agencies.
Collier County CRN – Standard Operating Procedures Manual
9 | P a g e
The focus of this system implementation is tracking homeless individuals, although
agencies will be able to utilize it for all services provided.
Benefits for persons who are homeless: The CRN system will increase the responsiveness and
effectiveness of services for people who are homeless. Homeless persons will not need to repeat
their demographics, history and needs at each service location. Case managers will be able to
see services available to clients and individuals can be further tracked for successful completion
of goals. The communication made possible by the system will increase the extent to which
service providers can meet the needs of the person seeking assistance.
Benefits for service providers: Case managers and other service provider staff will use the
CRN to assess their clients’ needs, inform clients about resources, and coordinate service
provision both within and between service agencies. The system will be a tool to enhance
communication, coordination, and assistance in setting and achieving goals. Further, aggregated
information will be used to advocate for additional resources, complete grant applications,
conduct evaluations of the programs and delivery systems, and to provide reports for funding
agencies.
Benefits for the community and policy makers: The aggregated data resulting from the CRN
System will help inform policy decision makers that will affect the homeless in our community.
The community and its decision makers will have data available to help better understand the
causes of homelessness, current trends, program effectiveness, and gaps in existing systems.
II. General Principles for all Participants
a. Integrity: Information solicited for input in the CRN should be done so in a manner
that preserves the integrity of the database. Only information that has been confirmed
to be true and accurate is to be entered into the system.
b. Privacy: Information solicited for input in the CRN should be done so in a manner
that preserves the privacy of the individual giving the information. All system users
are required to adhere to all applicable federal and state laws regarding privacy and
confidentiality.
c. Client Self-determination: When soliciting information for the CRN, users must
remember that the client has the unconditional right to determine the services that
they desire to participate in, regardless of professional opinion. It is our desire to
work in tandem with clients, forming a partnership with the shared goal of assisting
our clients.
d. Respect: Services provided to clients in the Continuum of Care should be done so in
a manner that preserves their respect.
Collier County CRN – Standard Operating Procedures Manual
10 | P a g e
e. Dignity: Services provided to clients in the Continuum of Care should be done so in a
manner that preserves their dignity.
Collier County CRN – Standard Operating Procedures Manual
11 | P a g e
Section 1 – Contractual Responsibilities
SOP#: 01-010 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN LEAD AGENCY RESPONSIBILITIES
Policy: A lead agency will be assigned and have the responsibilities stated below.
Standard: The related responsibility for the lead agency will be apportioned per the
information provided below.
Purpose: To define the roles and responsibilities of the lead agency with respect to
CRN/CRN activities.
Scope: Continuum of Care / CRN Lead Agency.
Designation: The lead agency for the CRN is Collier County Hunger & Homeless Coalition.
Responsibilities:
- Employment of the Project Manager/System Administrator whose roles are described in
SOP# 01– 030;
- Obtain hosting services and purchases contract with software vendor(s);
- Maintain adequate property and liability insurance coverage provided through the
funding associated with CRN. At present this includes equipment, software, and
connectivity directly related to the day-to-day operation of the Project Management &
System Administrator office;
- Secure funding and funding policies in coordination with the recognized lead agency for
Collier County Continuum of Care, which is Collier County Hunger & Homeless
Coalition; and
- Coordinate community participation.
- Compliance with 24 CFR HEARTH ACT and revised HUD Data Standards as of August
2016.
Revision: Prepared by: CRN
Collier County CRN – Standard Operating Procedures Manual
12 | P a g e
SOP#: 01-020
Approval Date: Pending Revision Date: Revised by:
Title: CRN STEERING COMMITTEE RESPONSIBILITIES
Policy: The CRN Steering Committee will approve all major CRN/CRN policy decision
makers for recommendation to the Board of Directors of the CRN Lead Agency.
Standard: The CRN/CRN related responsibilities of the CRN Steering Committee will be
apportioned per the information provided below.
Purpose: To define the roles and responsibilities of the CRN Steering Committee with
respect to CRN/CRN activities.
Scope: Continuum of Care
Responsibilities:
The CRN Steering Committee will support the overall CRN/CRN initiative, advising the CRN
Management on CRN/CRN operations. The CRN Steering Committee shall meet at least
quarterly, at which time CRN decision points can be raised for discussion and/or approval. The
CRN Steering Committee shall designate a committee or task group to develop and help enforce
the implementation of CRN policies.
The CRN Steering Committee’s role is fundamentally advisory to the CRN/CRN project overall.
However, the CRN Steering Committee has authority to approve final decisions on the selected
key issues that follow.
These issues include:
- Determining the guiding principles that shall underlie the CRN/CRN implementation
activities of the CRN participating organizations and service programs;
- Setting and enforcing minimum data collection requirements, as defined in SOP# 03-070:
Data Collection Requirements;
- Encouraging Continuum of Care-wide provider participation;
- Facilitating client involvement;
- Defining privacy protection and confidentiality policies for all CRN/CRN activities;
- Defining criteria, standards, and parameters for the usage and release of all data collected
as part of the CRN; and
- Compiling and analyzing CRN data with other provider and community data sources.
SOP#: 01-030 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Collier County CRN – Standard Operating Procedures Manual
13 | P a g e
Title: CRN PROJECT MANAGER/SYSTEM ADMINISTRATOR
RESPONSIBILITIES
Policy: A Project Management structure will be put into place to adequately support the
operations of the CRN per the policies and procedures described in this document.
Standard: The responsibilities of the CRN Project Manager/System Administrator will be
apportioned per the information provided below.
Purpose: To define the roles and responsibilities of the CRN Project Manager/System
Administrator.
Scope: The CRN Project Manager/System Administrator.
Responsibilities:
The CRN Project Manager/System Administrator is responsible for:
- Oversight of the Partner Agencies’ adherence to the CRN policies and procedures, as
determined by the CRN Steering Committee;
- Creation of an annual budget and project specific budgets for the lead agency’s approval;
and
- Supervision of the contractual relationships with vendors.
The CRN Project Manager/System Administrator is also responsible for oversight of all day-to-
day operations including:
- Quality assurance of the vendor application operation;
- Managing agency and user system access based on execution of applicable agreements,
training, and adherence to approved policies;
- Providing technical support and application training to users, in compliance with levels
documented in SOP# 05-020: Technical Support Policies and Procedures;
- Developing a reasonable number of reports for CRN users based on requests from the
CRN Steering Committee or its designated committee;
- Maintaining overall CRN quality assurance program;
- Orientation and supervision of CRN software and hosting vendor to ensure appropriate
program operations and compliance with guiding principles and Standard Operating
Procedures.
- Understanding all aspects of the vendor CRN product (commonly referred to as the
CRN);
- Provision of ad-hoc application training and technical support to users, overall
functionality, and agency-level system administration functionality;
- Communicating system availability, planned and unplanned outages, and other CRN
information to Agency Super User;
Collier County CRN – Standard Operating Procedures Manual
14 | P a g e
SOP#: 01-030 Title: CRN PROJECT MANAGER/SYSTEM ADMINISTRATOR
RESPONSIBILITIES Page 2
- Assigning user IDs to new users based on the approved licensing structure, authorized
agency requests, and documentation of user training;
- Managing user accounts and application access control, in conjunction with the Agency
Super User and hosting company;
- Managing data sharing configuration, based on submission of executed Interagency Data
Sharing Agreements;
- Assisting with agency data migration;
- Supervision of CRN Database Administration as part of the contractual oversight of
hosting and software vendor;
- Recommending the creation and modification code definitions & business rules as well as
application level changes to set-ups and configurations to the appropriate vendor;
- Designing management, program, analytical and agency level reports per predefined
CRN standard formats and/or funding requirements or as requested by the CRN Lead
Agency;
- Designing and managing report structure, library and archive in cooperation with the
software vendor;
- Managing report access control; and
- Communicating significant application issues and/or system enhancement requests to the
software vendor and governing bodies.
The CRN Project Manager/System Administrator will respect the core principles of the system
by:
- Ensuring with the software vendor that access to areas containing equipment, data, and
software will be secured in accordance with HUD Data and Technical Standards;
- Strictly safeguarding all client-identifying information in accordance with all applicable
HUD Data and Technical Standards, Federal and State laws using the latest technology
available;
- Securely protecting all data to the maximum extent possible; and
- Conducting ongoing security assessments to include penetration testing on a regular
basis.
Collier County CRN – Standard Operating Procedures Manual
15 | P a g e
SOP#: 01-040 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN USER GROUP RESPONSIBILITIES
Policy: The Partner Agencies shall have a forum for providing input on planning and
CRN governance issues.
Standard: All Agency End Users and Agency Super Users will serve on the CRN User
Group to formally manage communication between user agencies and CRN
Project Manager/System Administrator on all system issues.
Purpose: To outline the major responsibilities of the CRN User Group.
Scope: System-wide
Responsibilities:
The CRN User Group is responsible for:
- Identifying and prioritizing system enhancements;
- Identifying and recommending solutions for known problems to the Project Manager;
- Providing quick feedback loop on system performance; and
- Providing recommendation for training and best practices for CRN.
User Group Chair/Co-chairs may be involved in the process of imposing sanctions on
users/agencies for misuse of system. (This procedure is further specified in SOP 04-030:
Auditing Policies and Procedures.)
Collier County CRN – Standard Operating Procedures Manual
16 | P a g e
SOP#: 01-050 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN AGENCY EXECUTIVE DIRECTOR RESPONSIBILITIES
Policy: The Executive Director of each Partner Agency will be responsible for oversight
of all agency staff members who generate or have access to client-level data
stored in the system software to ensure adherence to the CRN standard operating
procedures outlined in this document.
Standard: The Executive Director of each Partner Agency holds final responsibility for the
adherence of his/her agency's personnel to the CRN guiding principles and
Standard Operating Procedures outlined in this document.
Purpose: To outline the role of the agency Executive Director with respect to oversight of
agency personnel in the protection of client data within the CRN application.
Throughout this manual, the use of the title Executive Director indicates the
Executive Director of the agency or the person in that agency holding the title
equivalent to Executive Director.
Scope: Executive Director or equivalent in each Partner Agency
Responsibilities:
The Partner Agency’s Executive Director is responsible for all activity associated with agency
staff access and use of the CRN. This person is responsible for establishing and monitoring
agency procedures that meet the criteria for access to the CRN, as detailed in the Standard
Operating Procedures (SOPs) outlined in this document. The agency’s Executive Director will
be ultimately responsible for any misuse of the software system at their agency. The agency’s
Executive Director agrees to only allow access to the CRN based upon need. Need exists only
for those program staff, volunteers, or designated personnel who work directly with, or supervise
staff who work directly with, clients or have data entry or other data-related agency
administrative responsibilities.
The Executive Director as designated by each participating agency will be responsible for
oversight of all agency staff that generate or have access to client-level data stored in the system
software to ensure adherence to the CRN Policies and Procedures and all government
regulations.
The Partner Agency’s Executive Director also oversees the implementation of data security
policies and standards and will:
- Assume responsibility for completeness, accuracy, and protection of client-level data
entered into the CRN system;
Collier County CRN – Standard Operating Procedures Manual
17 | P a g e
- Establish business controls and practices to ensure organizational adherence to the CRN
SOPs;
SOP#: 01-050 Title: CRN AGENCY EXECUTIVE DIRECTOR RESPONSIBILITIES
Page 2
- Assign an agency Super User to manage agency-related technical tasks whose role is
described in SOP# 01-060;
- Communicate control and protection requirements to agency custodians and users;
- Authorize data access to agency staff and assign responsibility for custody of the data;
- Monitor compliance and periodically review control decisions;
- Implement adequate agency policies and procedures to safeguard the confidentiality and
security of data in accordance with all HUD Data and Technical Standards and all
applicable laws and regulations;
- Require Agency Super Users and End Users to participate in CRN training;
- Require Agency Super User and End Users to participate in User Group meetings;
- Maintain adequate property liability insurance coverage to safeguard hardware acquired
with CRN from possible client claims associated with CRN use;
- Properly maintain all components of the hardware acquired with CRN funding, and
report to the CRN Project Manager relevant changes in the equipment status;
- Maintain a complete inventory list including product and serial number. Each article or
component shall be tagged with an inventory number and the manufacturer’s serial
number, where applicable; and
Collier County CRN – Standard Operating Procedures Manual
18 | P a g e
SOP#: 01-060 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN AGENCY SUPER USER RESPONSIBILITIES
Policy: Every Partner Agency must designate one person to be the Agency Super User.
Standard: The designated Agency Super User holds responsibility for the administration of
the system software in his/her agency.
Purpose: To outline the role of the Agency Super User
Scope: Partner Agencies
Responsibilities:
The Executive Director of each Partner Agency will appoint a qualified person as the agency
Super User, who will need to successfully complete the Technical Administration training
provided by Project Manager/System Administrator.
This person will:
- Coordinate with the agency Executive Director for the proper use of the CRN within the
participating agency, including adherence to all CRN policies and procedures;
- Provides and coordinates training and technical support to end users within the agency
and with the Project Manager/System Administrator;
- Ensure that access to the CRN be granted to staff/volunteers only after they have received
training and demonstrated proficiency in the use of the software, along with an
understanding of policies and procedures related to CRN;
- Ensure that Agency End User IDs are not shared beyond the authorized staff person;
- Seek assistance from the CRN Project Manager/System Administrator as needed;
- Communicate regularly with the CRN Project Manager/System Administrator to ensure
the integrity of the CRN;
- Participate in scheduled CRN User Group Meetings;
- Maintain the participating agency’s list of end user IDs and associated names;
- Immediately inform the CRN Project Manager/System Administrator of any breaches in
security or confidentiality;
- Ensure that CRN forms are utilized properly and in compliance with CRN policies and
procedures;
- Be responsible for conveying to Agency End Users and clients the spirit of protecting
client data confidentiality and security;
- Be aware of and uphold all state and federal regulations regarding client confidentiality
and their rights to privacy;
- Provide updates to CRN to reflect changing information about the Participating Agency;
Collier County CRN – Standard Operating Procedures Manual
19 | P a g e
- Ensure information is being entered and is as complete as appropriate;
- Determine security level of staff; and
- Define any agency specific data that is needed.
- Enter data as required by 24 CFR HEARTH ACT, CRN Data Standards August 2016 for
reporting to the Dept. of HUD and Florida Dept. of Children & Families (DCF).
Collier County CRN – Standard Operating Procedures Manual
20 | P a g e
SOP#: 01-070 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN AGENCY END USER RESPONSIBILITIES
Policy: Only trained Agency End Users who have signed a User’s Agreement will have
access to the CRN.
Standard: The related responsibility for the Agency End User will be apportioned per the
information provided below.
Purpose: To define the roles and responsibilities of the Agency End User.
Scope: Participating Agency
Every End User in the agency will:
- Abide by the policies and procedures of the CRN, with special emphasis on
confidentiality and security issues;
- Abide by the Participating Agency’s internal policies and procedures;
- Fully and accurately communicate both orally and in writing (or some other means if a
disability or other reason prevents a client from comprehending oral and written
information) the rights of those clients with respect to their consent and authorization for
data input, interagency information sharing, and aggregate reporting;
- Participate in system training and in scheduled CRN User Group Meetings;
- Enter all information in a manner appropriate for your agency and the community CoC
universal required data elements
o Entry records using the Coordinated Intake Assessment must be filled in at intake
– each section header and subsequent questions must be completed for each intake
performed within 24 hours of program contact unless over a weekend, do not
update another agencies assessment,
o Exit Assessment is used when exiting a client from program – all questions must
be answered;
- Make sure all data collection follows 24 CFR HEARTH ACT data collection regulations
as amended in August 2016– CRN HEARTH Regulations will be updated periodically –
when issued Collier CRN will notify the agency;
- Be aware of and uphold all CRN Privacy & Security Policy including state and federal
regulations regarding client confidentiality and their rights to privacy.
Collier County CRN – Standard Operating Procedures Manual
21 | P a g e
Section 2 – Implementation Policies &
Procedures
SOP#: 02-010 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN PARTICIPATION POLICY
Policy: Agencies that are funded through Continuum of Care Committee efforts for
services to the homeless in Collier County will be required to participate in the
CRN. All other agencies serving the homeless and clients at-risk of homelessness
are strongly encouraged to participate in the CRN.
Standard: Lead Agency will provide quality CRN services to all participating agencies
through CRN.
Purpose: To outline which agencies are expected to participate in the CRN, the extent to
which their participation is mandatory or voluntary, and a definition of
participation.
Scope: All at risk and homeless providers
Procedure:
Beginning with 2003 CoC and ESG grants, HUD is requiring all grantees and sub-recipients of
McKinney-Vento and homeless HOPWA grants to participate in the local CRN. McKinney-
Vento grants include Emergency Shelter Grants and Supportive Housing Program, Section 8
Moderate Rehabilitation SRO, and Shelter Plus Care (now HUD Rental Assistance) grants. This
policy is consistent with the Congressional direction for communities to provide data to HUD on
the extent and nature of homelessness and the effectiveness of its service delivery system in
preventing and ending homelessness. The CRN and its operating policies and procedures are
structured to comply with the HUD Data and Technical Standards Final Notice as amended
August 2016. It is recognized that agencies may be further regulated by HIPAA and other
Federal, State and local laws. Therefore, the CRN Lead Agency may negotiate its procedures
and/or execute appropriate business agreements with partner agencies so they are following
applicable laws. This policy applies to; non-profit, for profit, faith-based, and government
agencies utilizing the CRN.
Collier County CRN – Standard Operating Procedures Manual
22 | P a g e
Participation Requirements
Mandated Participation
All providers that are funded by the Continuum of Care to provide homeless services must meet
the Minimum Participation Standards of the CRN, as defined by this SOP. Participating
agencies will be required to comply with all applicable SOPs, and must agree to, execute, and
comply with a CRN Agency Partner Agreement. Updated, modified and custom agreements
may be developed to accommodate additional CRN Partner Agencies who already have their
own client management system.
Collier County CRN – Standard Operating Procedures Manual
23 | P a g e
SOP#: 02-010 Title: CRN PARTICIPATION POLICY
Page 2
Voluntary Participation
Although mandated agencies are required to meet minimum participation standards, the CRN
Lead Agency strongly encourages mandated agencies to fully participate with all their relevant
homeless programs and supportive services to at risk populations.
While the CRN Lead Agency cannot require non-funded providers to participate in the CRN,
they will work closely with non-funded agencies to articulate the benefits of the CRN and to
strongly encourage their participation to achieve a comprehensive and accurate understanding of
homelessness in Collier County.
Minimum Participation Standards for Mandated and Voluntary Participants.
Each agency will have an opportunity to determine which participation option is most
appropriate given agency functional and administrative needs, technological capacity, funding
requirements, client characteristics and circumstances, and legal constraints. Agencies that
receive funding from the Continuum of Care must meet specific funding requirements related to
data submittal.
Domestic Violence providers that receive McKinney-Vento funding will be required to
participate using the Direct Partner (or Interface Partner) options (CRN Agency Partner
Agreement) for the McKinney-Vento funded programs, based on the participation requirements
specified in the 2016 HUD Data and Technical Standards Final Notice. CoC Compliance to 24
CFR HEARTH ACT is required as CRN Standards are released from HUD.
The participation options are described below. If additional information is desired, CRN Lead
Agency management can elaborate on each option to help each partner agency decide on the
most appropriate way of participating in the Continuum’s CRN initiative.
Minimal participation includes:
-Collecting the universal data elements, as defined in SOP# 03-070: Data Collection
Requirements, for all programs operated by the agency that primarily serve persons who are
homeless or formerly homeless or at risk of homelessness including the HUD 40118 assessment.
-Collecting program-specific data elements, as defined in SOP# 03-070: Data Collection
Requirements, for all clients served by a program funded by the Continuum of Care.
-Submitting data to the CRN Lead Agency using one of the following options:
Collier County CRN – Standard Operating Procedures Manual
24 | P a g e
SOP#: 02-010 Title: CRN PARTICIPATION POLICY
Page 3
Direct Data Entry Option: Entering client-level data into the CRN, defined as
Direct Partner. (Agency Partner Agreement).
The CRN central database server is protected by numerous technologies to prevent
access from unauthorized users. Unless a client requests that his/her identifiers
remain hidden at the time that his/her record is created, primary client identifiers (e.g.
name, SSN, DOB and gender) will be able to be queried by other CRN users to
prevent duplicate records from being created in the database. However, other
individual client data will not be accessible by other CRN users outside of the client
notification and interagency data sharing procedures. These procedures are
described in SOP# 03-060: Client Notification Policies and Procedures and SOP# 03-
080: Interagency Data Sharing for compliance with 24 CFR HEARTH ACT.
Anonymous CRN Data Submittal Option: Due to legal constraints, extreme
vulnerability, and heightened safety needs of victims of domestic violence, DV providers
have the option of submitting anonymous client-level data for programs that are not
funded with HUD McKinney-Vento. (Anonymous CRN Data Submittal Partner Agency).
If a DV agency determines that it cannot participate using any of the above options based
on legal constraints, and the vulnerability and safety needs of its clients, the agency can
participate by submitting anonymous client-level data about the persons served by their
program. This data will be collected and analyzed by the CRN Lead Agency as part of its
effort to understand homelessness and system effectiveness in the County. Anonymous,
client-level data will be merged into the CRN Lead Agency analytical database with de-
identified, unduplicated client-level data from other service providers. SOP# 03-070:
Data Collection Requirements defines which data elements are considered client personal
identifying information, and which will not be required for submittal to ensure an
unduplicated count across the Continuum of Care.
SOP#: 02-010 Title: CRN PARTICIPATION POLICY
Page 4
All submitted data will be used by the CRN Lead Agency for analytical and administrative
purposes, including the preparation of reports to funders and stakeholders. A client has the right
to refuse to have his/her data entered into the CRN database. The client’s individual choice
regarding participation will not affect his/her right to services. All data should be submitted on a
quarterly basis. See SOP# 03-050.
Collier County CRN – Standard Operating Procedures Manual
25 | P a g e
SOP#: 02-020 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN INITIAL PARTICIPATION REQUIREMENTS
Policy: Each Partner Agency must meet all initial participation requirements to receive
access to the CRN.
Standard: CRN Project Manager /System Administrator will certify that the Partner Agency
has met the participation requirements prior to initiating the CRN.
Purpose: To provide agencies with clear expectations for their participation in the CRN.
Scope: System-wide
Requirements:
CRN Group Orientation and a One-on-One Agency Meeting: Agency representatives are
required to participate in a CRN Group Orientation and a one- on- one Agency Meeting to
discuss CRN goals and objectives, requirements, site considerations, and documentation. A
completed Agency CRN Implementation Requirements Checklist must be present in the CRN
Project Manager’s agency file prior to CRN access.
Partner Agreement: An authorized agency representative is required to execute a Partner
Agreement stating his/her commitment to uphold the policies and procedures for effective use of
the system and proper collaboration with the CRN Project Management/System Administrator.
An executed Agency Partner Agreement must be present in the CRN Project Manager’s Agency
file prior to CRN access.
Information Security Protocol: Documentation of the agency’s Information Security Protocol
(developed in accordance with SOP# 02-030: CRN Agency Information Security Protocol
Requirements) and dissemination plan must be on-site at agency prior to CRN access.
Documentation: All documentation on agency and program information must be submitted to
ensure that complete and accurate Partner Agency information is input within the CRN. All
intake forms and necessary reports must be present in the CRN Project Manager’s agency file
and agency specific system configuration must be completed and successfully tested prior to
CRN access.
Agency Super User: One key staff person or contractor must be designated to serve as the
Agency Super User. (See SOP# 01-060) The Agency Super User must be formally identified
and attend Agency Super User Training prior to CRN access.
Collier County CRN – Standard Operating Procedures Manual
26 | P a g e
Site Hardware & Connectivity Requirement: Any computer being used to access the CRN
must meet the minimum hardware and recommended connectivity requirements indicated in
SOP# 02-040: CRN Agency Hardware and Connectivity Requirements.
SOP#: 02-020 Title: CRN INITIAL PARTICIPATION REQUIREMENTS
Page 2
Fees: All applicable fees must be paid as part of the implementation. (In the event CRN
institutes a fee schedule.)
- Each Partner Agency will be assigned a specified number of user licenses that will be
fully subsidized by the CCHC as part of the CRN initiative, including user related hosting
and support costs, provided sufficient funding is available.
- The CRN Lead Agency will subsidize overhead, training, and technical support costs
associated with CRN policy and software training, such as staff, location, curriculum
development, and web-enabled technical support materials.
- For agencies implementing in 2016-2017, all training costs will be fully subsidized by the
CRN Lead Agency. Beyond 2017, agencies may be asked to pay a training fee per
user/agency to cover training expenses, such as but not limited to, printed materials,
refreshments.
Data Migration: All data that will be migrated from a Direct Partner Agency’s existing
database to the CRN database must be cleaned, updated, and formatted per CRN data
specifications prior to migration. The specific conversion process must be individually discussed
with the CRN Project Manager/System Administrator.
Collier County CRN – Standard Operating Procedures Manual
27 | P a g e
SOP#: 02-030 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN AGENCY INFORMATION SECURITY PROTOCOL
REQUIREMENTS
Policy: Partner Agencies must develop and have in place minimum information security
protocols to protect client information stored in the CRN database.
Standard: CRN Project Manager/System Administrator will certify that the Partner Agency
has adequate documentation of its information security protocol, a dissemination
plan, and verification that the information security protocols have been
implemented within the agency prior to granting CRN access.
Purpose: To protect the confidentiality of client data and to ensure its integrity at the
agency site.
Scope: Direct Partner Agencies
Requirements:
At a minimum, the Direct Partner Agency must develop rules, protocols or procedures that are
consistent with Section 3: Operational Policies and Procedures and Section 4: Security Policies
and Procedures to address the following:
- Internal agency procedures for complying with the CRN Notice of Uses and Disclosures
and provisions of other CRN client and agency agreements (See SOP# 03-060: CRN
Client Notification and Consent Procedures);
- Maintenance of an updated copy of the agency’s Notice of Uses and Disclosures or
equivalent privacy notice on the agency’s website, in accordance with SOP# 03-060.
- Appropriate assignment of user accounts;
- Prevention of user account sharing;
- Protection of unattended workstations;
- Protection of physical access to workstations where employees are accessing CRN;
- Safe storage and protected access to hardcopy and digital CRN generated client records
and reports with identifiable client information;
- Proper cleansing of equipment prior to transfer or disposal; and
- Procedures for regularly auditing compliance with the Agency Information Security
Protocol.
Collier County CRN – Standard Operating Procedures Manual
28 | P a g e
SOP#: 02-040 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN AGENCY HARDWARE, CONNECTIVITY AND SECURITY
REQUIREMENTS
Policy: Any computer that interfaces with the CRN must meet the minimum desktop
specifications and recommended connectivity specifications identified by this
SOP.
Standard: The Partner Agency must certify that they have adequate hardware and
connectivity to interface with the CRN prior to granting CRN access.
Purpose: To provide agencies with minimum requirements for hardware and connectivity.
Scope: System-wide
Requirements:
Workstation Specifications:
Computers interfacing with CRN must meet the minimum desktop specifications below.
- Operating System: Windows 7 or newer with Service Pack
- Processor: 2 GB Pentium processor or higher
- Memory: 512 MB RAM
- Video: Color monitor (22” Recommended) with graphics card that supports 1024 x 768-
display resolution, 256 Colors or better.
- Web Browser: MS Internet Explorer 11, Service Pack 2 / MS Internet Explorer 7 / or MS
Internet Explorer 11.01, Service Pack 1, Mozilla 3+, or Google Chrome
Internet Specifications:
Agencies directly entering data must have internet connectivity for each workstation that will be
accessing the CRN. All agencies must have high speed internet connection with a cable modem
or DSL/ISDN or faster. Service Point utilizes a commercial grade 128-bit encryption by
VeriSign secured log in process.
Security Specifications:
All workstations accessing the CRN must have:
- Adequate firewall protection and apply all critical virus and system updates
automatically; and
- Virus protection software. Virus definitions must be updated automatically.
Collier County CRN – Standard Operating Procedures Manual
29 | P a g e
SOP#: 02-050 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN USER IMPLEMENTATION REQUIREMENTS
Policy: All Partner Agency users and the CRN Project Manager/System Administrator
who require legitimate access to the software system will be granted such access
only upon completion of required training and execution of a CRN User
Agreement.
Standard: Individuals with specific authorization to access the system software application
for the purpose of conducting data management tasks associated with their area of
responsibility.
Purpose: To outline the role and responsibilities of CRN users.
Scope: System-wide
Responsibilities:
Eligible Users
The CRN Project Manager/System Administrator shall only authorize use of the CRN to users
who need access to the system for technical administration of the system, report writing, data
analysis and report generation, back-up administration or other essential activity associated with
carrying out central server responsibilities.
The Partner Agency shall only authorize use of the CRN to users who need access to the system
for data entry, editing of client records, viewing of client records, report writing, administration
or other essential activity associated with carrying out participating agency responsibilities.
User types are defined in SOP# 03-030: CRN User Access Levels.
User Requirements
Prior to being granted a username and password, users must:
- Execute an CRN User Agreement; and
- Successfully complete all CRN policy and application training required for assigned user
level. (Training requirements are documented in SOP# 03-040: CRN Training
Requirements.)
Collier County CRN – Standard Operating Procedures Manual
30 | P a g e
CRN users cannot attend training until all agency and user paperwork is completed and approved
by the Executive Director (or authorized designee). Users must be aware of the sensitivity of
client-level data and take appropriate measures to prevent unauthorized disclosure
of it. Users are responsible for protecting institutional information to which they have access and
for reporting security violations. Users must comply with all policy and standards described in
these Standard Operating Procedures. They are accountable for their actions and for any actions
undertaken with their usernames and passwords.
SOP#: 02-050 Title: CRN USER IMPLEMENTATION REQUIREMENTS
Page 2
Enforcement Mechanisms
All potential violations of any security protocols will be investigated by CRN Project
Manager/System Administrator. Any user found to be in violation of security protocols will be
sanctioned per the procedure delineated in SOP# 04-030: Auditing Policies and Procedures.
Sanctions include, but are not limited to:
- a formal letter of reprimand;
- suspension of system privileges;
- revocation of system privileges; and
A Partner Agency’s access may also be suspended or revoked if serious or repeated violation(s)
of the SOPs occur by Agency users.
Collier County CRN – Standard Operating Procedures Manual
31 | P a g e
Section 3 – Operational Policies & Procedures
SOP#: 03-010 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN AGENCY SET-UP PROCEDURE
Policy: The CRN Project Manager/System Administrator may set up a new agency
account, based on the following procedure.
Standard: The CRN Project Manager/System Administrator must verify documentation of
all initial implementation requirements listed in Section 2 prior to authorizing a
new agency.
Purpose: To inform potential agencies and the CRN Project Manager/System Administrator
of the Agency set-up requirements.
Scope: Direct Partner Agencies and Interface Agencies
Responsibilities:
Prior to setting up a new Direct Partner Agency within the CRN database, the Executive Director
of the proposed agency must ensure completion of the required implementation requirements
outlined in Section 2: Implementation Policies and Procedures.
The CRN Project Manager/System Administrator shall:
- Review CRN records to ensure that the Agency does not have previous violations with
the CRN SOPs that prohibit access to the CRN;
- Verify that the required documentation has been correctly executed and submitted,
including:
Initial Implementation Requirements Checklist;
Executed Agency Partner Agreement;
Agency, User, and Program Information Forms;
Designation of Agency Super User;
- Request and receive approval from the CRN Lead Agency to set up a new agency;
- Authorize a new Agency within the CRN;
- Work with the Agency Super User to input applicable agency and program information;
and
- Work with Agency Super User to migrate legacy data, if applicable.
Collier County CRN – Standard Operating Procedures Manual
32 | P a g e
The process for setting up Interface Agencies is comparable, except that the CRN Project
Manager/System Administrator must also work with agencies to develop an approved interface
to upload data from the agency database to the CRN database.
SOP#: 03-020 Revision: Prepared by: CRN
Approval Date: 01/04/2005 Revision Date: Revised by:
Title: CRN USER SET-UP PROCEDURE
Policy: The CRN Project Manager/System Administrator may create a new User ID for
eligible individuals based on the following procedure.
Standard: The CRN Project Manager/System Administrator must document that the
following set-up procedure has occurred prior to setting up a new user.
Purpose: To inform all parties involved with the CRN of the requirements to become an
CRN user.
Scope: Direct Partner Agencies and Interface Partner Agencies
Responsibilities:
If the Direct Partner Agency wants to authorize system use for a new user, the agency Executive
Director (or authorized designee) must:
- Determine the access level of the proposed CRN user (See SOP# 03-030 CRN User
Access Levels); and
- Authorize the creation of a user account for the specified individual by completing a New
User Request form that designates the access level.
The proposed CRN user must:
- Attend applicable training modules (once enrolled by the Agency Super User); and
- Execute a CRN User Agreement.
The Agency Super User must:
- Input the user information into an ‘CRN New User Request’ form for CRN Project
Manager/System Administrator approval;
- Enroll the potential CRN user in the required training modules; and
- Submit the executed CRN User Agreement as an original to the CRN Project
Manager/System Administrator.
The CRN Project Manager/System Administrator shall:
- Review CRN user records to ensure that a user does not have previous violations with the
CRN SOPs that prohibit access to the CRN;
Collier County CRN – Standard Operating Procedures Manual
33 | P a g e
- Verify that the required documentation (CRN New User Request form and CRN User
Agreement) have been correctly executed and submitted;
- Verify that required training modules have been successfully completed; and
- Approve the new user request by assigning a user ID and password.
SOP#: 03-020 Title: CRN USER SET-UP PROCEDURE
Page 2
Once the user ID is established, the CRN Project Manager/System Administrator is responsible
for maintaining the user account. The Agency Super User is also responsible for
immediately informing the CRN Project Manager/System Administrator if any user terminates
employment with the agency, or otherwise no longer needs access to the CRN.
The Executive Director is responsible for ensuring that the user understands and complies with
all applicable CRN SOPs.
SOP#: 03-030 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN USER ACCESS LEVELS
Policy: Each CRN user shall be assigned a designated user access level that controls the
level and type of access the individual has within the system.
Standard: The CRN System Administrator will not issue a user ID until the agency
Executive Director (or authorized designee) has submitted a New User Request
form that designates the access level.
Purpose: To designate CRN user access levels.
Scope: Direct Partner Agencies and Interface Partner Agencies
Responsibilities:
All CRN users must be assigned a designated user access level that controls the level and type of
access that user has within the system. Unless otherwise specified below, each user will only
have access to client-level data that is collected by their own agency or an agency network
partner, unless a client specifically consents to temporary information sharing for referral
purposes.
Collier County CRN – Standard Operating Procedures Manual
34 | P a g e
(See table next page)
SOP#: 03-030 Title: CRN USER ACCESS LEVELS
Page 2
The level of access for each CRN user type is defined in the table below.
USER TYPES
Intake (Identifiers)*; Family Relationships; Housing History* Income & Benefits History; Public Assistance History; Educational and Vocational History; Employment History*; Veteran Information Legal Information; Basic Medical Information Special Needs Screening Clinical Mental Health Assessment Clinical Substance Abuse Information, Clinical HIV/AIDS Information DV Incident Tracking Program Registration; Program Exit; Service Plans; Services Received; Referrals Case Notes Bed Management (Availability) Bed Management (Bed Assignment) Information & Referral System Agency Admin. Functions** Reports (De-identified) Reports (Identified) Agency Initial
User V V V V
Agency End User M A A A V A A
Agency ED/CEO V V V V V V V V V V V V V
Agency End User M M M M M M M A M M V V V
Agency Super User M M M M M M M D D D M Y V V
CRN PM & SA D D D D D D D D D D D Y C C
Coalition ED V V V V
Legend:
V = View Only D = Delete Entries
M = View, Add and Modify A = View and Add New Data
C = Create Reports Y = Access to execute specified functions
Collier County CRN – Standard Operating Procedures Manual
35 | P a g e
SOP#: 03-040 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN USER TRAINING REQUIREMENTS
Policy: CRN users shall successfully complete the training modules required for their
user type.
Standard: The CRN System Administrator will not issue a user ID until documentation of
successful completion of required training is provided.
Purpose: To inform users of the training requirements to access the CRN.
Scope: Direct Partner Agencies and Interface Partner Agencies
Responsibilities:
Prior to gaining access to the CRN application, users must successfully complete the following
training modules.
User Type Training Module(s) Training Provider
Coalition ED Basic Computer Training
(optional, based on users’
computer skills)
Basic CRN Policy Training
for Agency Users
Basic CRN Application
Training for Report Viewing
Community Resources (see
referral list)
CRN Project Manager &
System Administrator
Agency Initial User
Basic Computer Training
(optional, based on users’
computer skills)
Basic CRN Policy Training
for Agency Users
Basic CRN Application
Training for Agency Users
Community Resources (see
referral list)
CRN Project Manager &
System Administrator
Agency ED Basic Computer Training
(optional, based on users’
computer skills)
Basic CRN Policy Training
for Agency Users
Basic CRN Application
Training for Agency Users
Community Resources (see
referral list)
CRN Project Manager &
System Administrator
Collier County CRN – Standard Operating Procedures Manual
36 | P a g e
SOP#: 03-040 Title: CRN USER TRAINING REQUIREMENTS
Page 2
User Type Training Module(s) Training Provider
Agency End User
Basic Computer Training
(optional, based on users’
computer skills)
Basic CRN Policy Training
for Agency Policy Users
Basic CRN Application
Training for Agency Policy
User
Community Resources (see
referral list)
CRN Project Manager &
System Administrator
Agency Super User
Basic CRN Policy Training
for Agency Technical
Administrators
Basic CRN Application
Training for Agency Users
Advanced CRN Application
Training on Agency Technical
Administration
CRN Project Manager &
System Administrator
CRN Project Manager &
System Administrator
Advanced CRN Application
Training on Overall Technical
Administration
Community Resources
Software Vendor
Collier County CRN – Standard Operating Procedures Manual
37 | P a g e
SOP#: 03-050 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN CLIENT SET-UP PROCEDURE
Policy: Each user must follow the client set-up procedure when creating a new client
record.
Standard: The Executive Director of each Partner Agency must ensure that the agency has
adequate procedures in place to ensure that client records are set up per this
procedure.
Purpose: To inform agencies and users about the appropriate client setup procedures.
Scope: System-wide
Responsibilities:
For Direct Partner Agencies:
1) Explain CRN to client, per SOP# 03-060: CRN Client Notification Procedure;
2) Search for existing Client Record. Select existing client record or create a new client
record;
3) Collect client information per SOP# 03-070: CRN Data Collection Requirements; and
4) If appropriate, grant inter-agency sharing, per SOP# 03-080: CRN Interagency Data
Sharing Procedures.
For Interface Partner Agencies:
1) Ensure that agency database generates unduplicated client analysis;
2) Explain Agency’s intent to share client information with the CRN, per SOP# 03-060:
CRN Client Notification Procedure;
3) Collect client information, per SOP# 03-070: CRN Data Collection Requirements; and
4) Upload client information on a weekly, if not more frequent, basis.
For Anonymous CRN Data Submittal Partner Agency
1) Ensure that agency database generates unduplicated client analysis;
2) Collect client information, per SOP# 03-070: CRN Data Collection Requirements; and
3) Submit anonymous client-level data to the CRN Database on a quarterly basis.
Collier County CRN – Standard Operating Procedures Manual
38 | P a g e
SOP#: 03-060 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN CLIENT NOTIFICATION POLICIES AND PRO CEDURES
Policy: Partner Agencies shall use the required client notification and consent procedure
prior to entering any client-level data into the CRN.
Standard: The Executive Director of each Partner Agency is responsible for ensuring that
the agency has implemented appropriate procedures to enforce the client
notification and consent procedures, consistent with HUD CRN Data & Technical
Standards, and applicable state and federal laws and rules regarding client
confidentiality and consent.
Purpose: To give clients control of their personal information.
Scope: System-wide
Responsibilities:
All verbal and written client notification and consent must include a statement that no client will
be denied service for refusal to consent. The CRN Steering Committee has prepared standard
documents for Client Notice of Uses and Disclosures, Client Consent for Network Data Sharing,
and Client Release of Information for Agency Referrals. Partner Agencies may either use these
forms or incorporate the content of the CRN documents in their entirety into the Agency’s own
documentation. All written consent forms must be stored in a client’s case management file for
recordkeeping and auditing purposes.
Agencies must make reasonable accommodations for persons with disabilities throughout the
data collection process.
Agencies that are recipients of federal assistance shall provide required information in languages
other than English that are common in the community, if speakers of these languages are found
in significant numbers and come into frequent contact with the program.
Definitions and Descriptions of Client Notification and Consent Procedures
Client Notice: A written notice of the functions of the CRN must be posted and can be given to
each client so they are aware of the potential use of his/her information and where it is stored.
To fulfill this requirement, the agency may either adopt the CRN Notice of Uses and Disclosures
or may develop an equivalent Privacy Notice that incorporates all the content of the standard
CRN Notice. If the agency has a website, the adopted Notice of Uses and Disclosures or
equivalent privacy notice must also be posted on the website
Collier County CRN – Standard Operating Procedures Manual
39 | P a g e
SOP#:03-060 Title: CRN CLIENT NOTIFICATION POLICIES AND PROCEDURES
Page 2
No consent is required for the functions articulated in the notice. However, as part of the
notification process, clients must be informed of their right to designate his/her client record as
hidden. This client also has a right to view a copy of his/her record upon request.
Client Record: After learning about the CRN, if a client does not wish to have his/her Primary
Identifiers accessible to all CRN users, the originating CRN user should indicate on the Intake
Screen that the client has requested his/her record remain hidden. A client record will allow the
agency to access the client’s information for agency purposes. This action will allow CRN
Project Manager/System Administrator (as defined in SOP# 03-030: CRN User Access Levels)
to view client-identifying information, but will prevent any personal client-identifying
information from being accessed by CRN users outside of the originating agency.
Written Client Consent for Interagency Data Sharing: At the initial intake, the Client should
be provided an oral explanation and written documentation about the option of sharing his/her
General Client Information within the originating agency’s Sharing Network. (The specific
details of interagency data sharing are described in SOP# 03-080: CRN Interagency Data
Sharing.) If a client is interested in sharing his/her General Client Information within the
network, he/she must provide written consent. The consent must be specific regarding purpose,
the expiration of the sharing, affected data elements, function, and involved parties. The client
maintains a right to revoke written authorization at any time, in which case, any currently shared
information will become non-shared from that point forward. To fulfill this requirement, the
agency may adopt the CRN Client Consent for Network Data Sharing and the Client Revocation
of Consent for Network Data Sharing or may develop an internal form that incorporates the
content of the standard CRN form.
Written Client Release of Information through the Referral Process: At any point during the
case management process, an agency staff member can initiate a referral to another agency. (The
specific details of Referral Process are described in SOP# 03-090: CRN Information Sharing
Referral Procedures.)
To provide access to client data with a referral, the originating agency must receive a written
client release of information that specifically indicates the recipient agency, purpose for sharing,
the specific data categories that are being shared, the expiration of the consent, and whether the
originating agency has permission to receive information back from the referral agency on the
outcome of the referral.
Any client data can potentially be sent through the referral process based on client release. To
fulfill this requirement, the agency may adopt the CRN Client Release of Information for
Collier County CRN – Standard Operating Procedures Manual
40 | P a g e
Referrals or may develop an internal form that incorporates the content of the standard CRN
form.
SOP#:03-060 Title: CRN CLIENT NOTIFICATION POLICIES AND PROCEDURES
Page 3
Applicability
Each consent method is used for varying purposes and types of agencies. In all cases, the Partner
Agency shall uphold Federal and State Confidentiality regulations to protect client records and
privacy. If an agency is covered by HIPAA, the HIPAA regulations prevail.
The table below summarizes the client data categories and the related notification/consent and
sharing rules that relate to each data category. These minimum procedures should not imply that
all providers will perform these functions.
Collier County CRN – Standard Operating Procedures Manual
41 | P a g e
Client Data Categories Summary of Notification/Consent & Data Sharing
Procedures
Primary Identifiers:
Name and Aliases*
Birth Date*
Gender
Social Security Number*
Ethnicity
Race
Veteran status
Housing Status
Disabling Condition
Residence Prior to program
entry
Zip Code of Last
Permanent Address
Program Entry Date
Program Exit Date
Head of Household
* These are considered personal
identifying data elements.
Non-shared client record: If a client asks to hide his/her primary
identifiers, the record will only appear on the Client Search List
for the Originating Agency. It will be hidden to all other
agencies. Some system-level users will have access to non-
shared client records for system administration purposes (as
specified in SOP# 03-030).
Shared client record: If the client does not ask to hide his/her
identifiers, the primary identifiers will be available to all CRN
users in the Client Search to locate an existing client as provided
in this agency’s data sharing agreements. None of the other
client information will be viewable, except as described below.
General Client Information:
Family/Relationship
Information
Income & Benefits
Information
Educational & Vocational
History
Housing History
Veteran Information
Non-shared record: If written consent is not provided by the
client, this information is only accessible within the Originating
Agency and some system-level users for system administration
purposes (as specified in SOP# 03-030).
Shared record: With written client consent, these data can be
shared among a Sharing Network. Any agency can choose to
join one Sharing Network. All agencies within a network must
execute an Interagency Data Sharing Agreement. Only agencies
in that network that are serving that client will be able to view the
record.
Referrals: Any of these modules can be sent to any other CRN
agency for a limited period through the referral process if
authorized with a written Client Release of Information.
Collier County CRN – Standard Operating Procedures Manual
42 | P a g e
SOP#:03-060 Title: CRN CLIENT NOTIFICATION POLICIES AND PROCEDURES
Page 4
Client Data Categories Summary of Notification/Consent & Data Sharing
Procedures
Protected Information:
Special Needs Screening
Clinical Mental Health
Assessment
Clinical Substance Abuse
Assessment
HIV/AIDS Information
Domestic Violence
Incident Information
Protected Information: This information is only available within
the Originating Agency to users that have an authorized access
level and to authorize system-level users for system
administration purposes.
Referrals: Protected information may be shared with other CRN
agencies for a limited period through the referral process if
authorized by a written Client Release of Information.
Specific Client Notification Procedures for Victims of Domestic Violence
A mainstream agency that is serving a victim of domestic violence must explain the potential
safety risks for domestic violence victims and the client’s specific options to protect her/his data,
such as designating her/his record as ‘not-shared’ to other agencies. Thus, the client notification
process must clearly state the potential safety risks for domestic violence victims and delineate
the participation options. As well, all staff must be trained on the protocol for educating
domestic violence victims about their individual participation options.
Specific Client Notification Procedures for Unaccompanied Minor Youth
Based on their age and potential inability to understand the implications of sharing information,
the CRN cannot be used to share information about unaccompanied minor youth. Thus, even
with a written client authorization, users cannot set up interagency data sharing for
unaccompanied minor youth. For the purposes of this policy, minor youth are defined as youth
under 18.
Privacy Compliance and Grievance Policy
Agencies must establish a regular process of training users on this policy, regularly auditing that
the policy is being followed by agency staff (including employees, volunteers, affiliates,
contractors and associates), and receiving and reviewing complaints about potential violations of
the policy. Agencies may want to appoint a Chief Privacy Officer to be responsible for these
tasks.
Collier County CRN – Standard Operating Procedures Manual
43 | P a g e
SOP#: 03-070 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN DATA COLLECTION REQUIREMENTS
Policy: All agencies that provide homeless services are encouraged, and in some cases
required, to collect data for all clients served by their programs, as specified by
this policy.
Standard: The Partner Agency will develop an interview protocol that facilitates the
collection of the required data elements over time, beginning with some elements
at intake and obtaining other data over time.
Purpose: To ensure that agencies understand the data collection requirements set by the
CRN Steering Committee.
Scope: Partner Agencies
Responsibilities:
Universal Data Elements
The Partner Agency is responsible for ensuring that a minimum set of data elements, referred to
as the Universal Data Elements, will be collected and verified from all clients at initial program
enrollment or as soon as possible thereafter. Direct Partner Agencies must enter data into the
CRN within seven days of collecting the information. Interface Partner Agencies must ensure
that the information is captured within seven days in an information system that can generate the
information in the prescribed format. Anonymous Data Submittal Partner Agencies must ensure
that the information is captured within a timely fashion using a methodology that can generate
the information in the prescribed format.
The universal data elements are all included on the Client Tab, Client Supplemental Tab.
They include:
- First, Middle, Last Name, and Suffix;
- Social Security Number;
- Date of Birth or estimated Date of Birth (age);
- Ethnicity and Race;
- Gender;
- Veteran Status;
- Disabling Condition (Unless presence of a disability is a condition of program
enrollment, disability status must be collected after program admission.);
Collier County CRN – Standard Operating Procedures Manual
44 | P a g e
- Residence Type Prior to Program Entry and Length of Stay;
- Zip code of last Permanent Residence;
- Housing Status
- Program Entry and Exit Dates; and
- Household Affiliation for the purposes of this Program Enrollment;
Agencies are striving to meet a minimum 90% data quality.
SOP#: 03-070 Title: CRN DATA COLLECTION REQUIREMENTS
Page 2
Partner agencies must report client-level data for the universal data elements using the required
response categories detailed in the Federal Register Part II- Department of Housing and Urban
Development - Community Resource Networks, (CRN); Data and Technical Standards Final
Notice; This Notice revises the Community Resource Networks (CRN) Data and Technical
Standards Final Notice (69 FR 146, August 2016). The Notice adds a new set of Program
Description Data Elements (Section 2). In addition, the Notice
presents revisions to Data Standards for Universal Data Elements (Section 3) and
Program-Specific Data Elements (Section 4). These sections replace Section 2
(Universal Data Elements) and Section 3 (Program-Specific Data Elements) of the 2016
Notice. All other sections of the 2014 notice remain in effect.
Program-specific Data Elements
All Continuum of Care-funded Partner Agencies are also responsible for ensuring that the
following assessment data elements, referred to as Program-Specific Data Elements, are
collected from all clients that are served by the Continuum funded programs. These program-
specific data elements must be entered into the CRN (or alternative approved information system
for Interface Partner Agencies) within seven days of collecting the information. The timeframes
for data collection are included for each data element.
The Program-specific Data Elements are located throughout the CRN application. Additional
information on their location within the CRN will be provided as part of the CRN training
materials. They include:
- Income Sources and Amounts (Program Entry and Exit);
- Source of Non-cash benefits (Program Entry and Exit);
- Presence of Physical Disability (Program Entry);
- Presence of Developmental Disability (Program Entry);
- HIV Positive or AIDS Diagnosis (Program Entry);
- Mental Health Status and Chronicity (Program Entry);
- Presence of Substance Addictions and Chronicity (Program Entry);
- History of Domestic Violence and Timeframe (Program Entry);
Collier County CRN – Standard Operating Procedures Manual
45 | P a g e
- Services Received (Throughout Program Enrollment);
- Referrals Provided (Throughout Program Enrollment)
- Destination upon Leaving Program (Program Exit);
- Reasons for Leaving (Program Exit);
- Program Outcomes (Throughout Program Enrollment or at Program Exit); and
- Data quality minimum of 90%
CRN Partner Agencies must provide client-level data for the program-specific data elements
using the required response categories detailed in the Federal Register Part II- Department of
Housing and Urban Development - Community Resource Networks (CRN); Data and Technical
Standards Final Notice; This Notice revises the Community Resource Networks (CRN) Data and
Technical Standards Final Notice (69 FR 146, August 2016). The Notice adds a new set of
Program Description Data Elements (Section 2). In addition, the Notice presents revisions to
Data Standards for Universal Data Elements (Section 3) and Program-Specific Data Elements
(Section 4). These sections replace Section 2
(Universal Data Elements) and Section 3 (Program-Specific Data Elements) of the 2016
Notice. All other sections of the 2014 notice remain in effect.
SOP#: 03-070 Title: CRN DATA COLLECTION REQUIREMENTS
Page 3
Domestic Violence Anonymous CRN Data Submittal Partner Agency Data Collection
Requirements
Data Collection is defined as: a) obtaining client information at the Agency through interview of
and/or service provision to the client; and b) the storing of client information at the Agency in
paper or electronic format. DV Anonymous CRN Data Submittal (Anonymous Data) Partner
Agencies shall collect and store the Universal and Program-specific data elements defined above.
Anonymous Client-level Data are defined as individual client records that contain no personal client
identifying information, in whole or in part, or any information that may be used to deconstruct a
person's identity. No one beyond the originating agency will have access to any client personal
identifying information.
Client personal identifying information is defined as the following data fields:
a) Name(s) or Aliases;
b) Social Security Number;
c) Date of Birth;
d) Mother’s Maiden Name;
Collier County CRN – Standard Operating Procedures Manual
46 | P a g e
e) Unique Identifying Characteristics;
f) Address-specific Residence Prior to Program;
g) Unique Person Identifier*; and
h) Any other data fields that may be used to leverage the identity of any individual client.
*A unique client identifier shall be assigned by the Agency to each client. The unique client identifier
shall not contain any masked client personal identifying information. The unique client identifier shall not
contain, in whole or in part, any client personal identifying information as listed above in fields a)
through f). The unique client identifier provides an unduplicated internal count of clients served by the
Agency, and provides the CRN Lead Agency the means of conducting longitudinal analysis of services
provided to each client.
With this option, the agency will submit Anonymous Client-level Data to the CRN Lead Agency
in an electronic format, per the technical specifications developed by the CRN Lead Agency.
The data specifications will be developed by the CRN Lead Agency after discussion with DV
Agency leadership and IT staff. The timing and methodology of developing the export
functionality to fulfill these data submittal requirements will be subject to agreement between the
CRN Lead Agency and the agency. All data should be submitted on a quarterly basis. See SOP#
03-050.
SOP#: 03-080 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN INTERAGENCY DATA SHARING
Policy: Data sharing among agencies will be supported upon formalization of data
sharing networks by participating agencies.
Standard: For Partner Agencies to engage in data sharing arrangements, a written, formal
document must be signed by the Executive Directors of the agencies entering into
a network and each client must provide written consent.
Purpose: To formalize the vehicle through which agencies can enter into an agreement
allowing such agencies to share client records.
Scope: Partner Agencies wishing to share client-level data.
Background:
Written Agreement: Agencies wishing to share information electronically through the CRN are
required to establish a data sharing network in writing by jointly executing an Interagency Data
Sharing Agreement, as provided by the CRN Management team.
Collier County CRN – Standard Operating Procedures Manual
47 | P a g e
Role of Executive Director: The Executive Director is responsible for ensuring that users within
his/her agency abide by all the policies stated in the Interagency Data Sharing Agreement.
Executive Directors wishing to participate in a data sharing network must execute an Interagency
Data Sharing Agreement, and identify a lead representative known as the Agency Super User to
contact the CRN System Administrator to initiate the process.
Role of CRN System Administrator: Once the Executive Directors of agencies have executed
the Interagency Data Sharing Agreement, the Agency Super Users will contact the CRN System
Administrator and the System Administrator will establish the Data Sharing in the system.
Client Authorization: Case managers from agencies that have a valid Interagency Data Sharing
Agreement may only share client information if the client authorizes that sharing with a valid
Client Consent Form, as described in SOP# 03-060: Client Notification Policies and Procedures.
SOP#: 03-080 Title: CRN INTERAGENCY DATA SHARING
Page 2
Steps for Establishing an Interagency Data Sharing:
The general steps include:
- Each of the Executive Directors must execute an Interagency Data Sharing Agreement;
- Each participating agency will retain a copy of the agreements and the original will be
filed with the CRN System Administrator;
- The CRN System Administrator will establish the data sharing privileges in the system;
- Once data sharing among agencies is established, authorized users will be able to grant
permission based on appropriate client consent to share individual client information with
all other authorized users in the system; and
- Although data sharing privileges may be established through these actions, authorized
users are only able to view client information, beyond the universally shared identifiers,
for the clients enrolled in a program within their agency.
Data Sharing protocol will be reinforced by the following technical mechanisms:
- Only authorized users will have CRN access, controlled by user ID and password;
- Each user’s access to data will be defined by their user type. Users will only be able to
see data categories viewable by their respective user level, regardless of information
sharing privileges within an agency;
- CRN System Administrator will need to “authorize” data sharing between agencies
before the agencies can begin sharing client information. This authorization will not be
Collier County CRN – Standard Operating Procedures Manual
48 | P a g e
granted unless CRN System Administrator has an executed Interagency Data Sharing
Agreement on file;
- Users will only be able to view client data (beyond the universally shared Primary
Identifiers) for clients enrolled in a program within their own Agency;
- Protected information (clinical mental health assessment, clinical substance abuse
assessment, clinical HIV/AIDS information, and domestic violence incident information)
will not be shared. This information will only be viewable by users at the originating
agency; and
- Random file checks for appropriate client authorization, audit trails, and other monitoring
tools may be used to monitor that this data sharing procedure is followed. Specific
monitoring procedures around program enrollment will be implemented to ensure
appropriate client information access.
SOP#: 03-090 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN INFORMATION SHARING REFERRAL PROCEDURES
Policy: Agencies will be able to share client information with agencies outside of the
Collier County Continuum of Care CRN Network with appropriate written client
authorization.
Standard: For Partner Agencies to share client information with agencies outside of the
Collier County Continuum of Care CRN Network, a client must provide a written
release of information for referral purposes.
Purpose: To formalize the vehicle through which agencies can share data outside of their
Collier County Continuum of Care CRN Network Agreements.
Scope: Partner Agencies wishing to share client-level data outside of the Collier County
Continuum of Care CRN Network.
Responsibilities:
Any client information stored in the client record of an originating agency may be shared with
another Partner Agency based on a written client release of information. Referrals cannot be
directed to a specific user at a receiving agency. Users at the receiving agency will only be able
to view the client-designated portions of the originating agency’s client record based on their
user access levels for the timeframe specified in the referral. One or more persons at each
agency should be designated to receive incoming referrals daily and direct them to appropriate
personnel within the agency.
Collier County CRN – Standard Operating Procedures Manual
49 | P a g e
Since the recipient agency will have an “active window” to the specified portions of the
originating agency’s file, users within the recipient agency will also be able to see all changes
made to the record during the authorized timeframe. The default value for the timeframe for
information sharing for referral purposes will be set to fifteen days to limit the privacy and safety
risks for clients. Referring agencies will have the opportunity to set an alternative timeframe, if
more appropriate. During that timeframe, the recipient agency can print a hardcopy of the client
information for archival purposes or can enter client information into its own client record to
permanently incorporate the information into its electronic file. At the expiration of that
timeframe, the recipient agency will retain a record of the referral but will no longer be able to
view the client information. Upon request by the receiving agency and with client consent, the
originating agency can extend or re-release the information.
Role of Executive Director: The Executive Director is responsible for establishing and ensuring
compliance of all client notification and consent policies stated in the Client Release of
Information for Referrals form.
SOP#: 03-090 Title: CRN INFORMATION SHARING REFERRAL PROCEDURES
Page 2
Client Authorization: CRN Users may only share client information if the client authorizes that
sharing with a valid Client Release of Information for Referrals form, as described in SOP# 03-
060: Client Notification Policies and Procedures.
The general steps include:
- Authorized users will be able to grant permission based on appropriate client consent to
share individual client information with another Agency’s users; and
- Although data sharing privileges may be established through these actions, authorized
users are only able to view client information beyond the universally shared identifiers
for clients that enroll in a program within their agency.
Data Sharing protocol will be reinforced by the following technical mechanisms:
- Only authorized users will have CRN access, controlled by user ID and password;
- Each user’s access to data will be defined by their user type. Users will only be able to
see data categories viewable by their respective user level, regardless of information
sharing privileges within an agency or network;
- When a client record is set-up to be accessed by users at another agency, the originating
user must obtain client authorization, indicate period of time for data sharing, and specify
data categories to be shared;
- Users will only be able to view client data (beyond the universally shared identifiers) for
clients enrolled in a program within their agency; and
Collier County CRN – Standard Operating Procedures Manual
50 | P a g e
- Random file checks for appropriate client authorization, audit trails, and other monitoring
tools may be used to monitor that this data sharing procedure is followed. Specific
monitoring procedures will also be implemented to ensure that clients are being
appropriately enrolled in programs.
Collier County CRN – Standard Operating Procedures Manual
51 | P a g e
Section 4 – Security Policies & Procedures
SOP#: 04-010 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: SYSTEM ACCESS CONTROL POLICIES AND PROCEDURES
Policy: CRN Project Management and participating agency must reasonably secure the
system from access by unauthorized users.
Standard: CRN Project Management or its designee and participating agency should employ
access prevention and physical access control measures to secure CRN system
resources.
Purpose: To protect the security of the CRN system resources.
Scope: CRN Project Management, Agency Executive Director, and Agency Super User
Guidelines:
Central CRN Equipment Access Prevention Mechanism
All computing resources will be protected always by a firewall. User access through the Internet
will be controlled using user authentication always.
Physical access to the system data processing areas, equipment, and media must be controlled
adequately from the threat of and exposure to loss. Available precautions include equipment
enclosures, lockable power switches, equipment identification and fasteners to secure the
equipment.
The CRN Project Management will determine the physical access controls appropriate for the
environment housing the central CRN equipment based on CRN security policies, standards, and
guidelines. All those granted access to an area or to data are responsible for their actions.
Additionally, if an individual gives access to another person, the authorizing individual is
responsible for the other person’s activities.
Workstation Access Controls
Access to the CRN will only be allowed from computers specifically identified by the Executive
Director and Agency Super User of the participating agency. Laptops will require an additional
security form stating that use will not be for unauthorized purposes from unauthorized locations.
Access to CRN computer workstations should be controlled through physical security measures
Collier County CRN – Standard Operating Procedures Manual
52 | P a g e
and/or a password. Each Agency Super User will determine the physical access controls
appropriate for their organizational setting based on CRN security policies, standards and
guidelines. Each workstation should have appropriate and current firewall and virus protection,
as specified in SOP# 02-040: CRN Hardware, Connectivity, and Security Requirements.
SOP#: 04-020 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: DATA ACCESS CONTROL POLICIES AND PROCEDURES
Policy: CRN Project Management and participating agency must reasonably secure the
CRN data from access from unauthorized users.
Standard: CRN Project Management and participating agency should employ access
prevention control measures to secure CRN database resources.
Purpose: To protect the security of the CRN database(s).
Scope: CRN Project Management, Agency Executive Director, and Agency Super User
Guidelines:
User Accounts
Agency Super User and the CRN System Administrator must follow the procedures documented
in Section 2 for user account set-up, including verification of eligibility, appropriate training, and
establishment of appropriate user type. Each user’s access to data should be defined by their
user type and specific agency data-sharing agreements. Agency Super Users must regularly
review End User access privileges and notify the CRN System Administrator to terminate End
User IDs and passwords from their systems when End User no longer requires access. It is the
responsibility of the End User’s supervisor to notify the Agency Super User immediately when
an End User leaves the agency or no longer requires access to the CRN system. Unless
otherwise terminated or suspended, a user account is valid for one year. The Agency Super User
must annually reauthorize an End User to maintain his/her system and database access. Users
may be required to attend supplemental training prior to reauthorization.
If a staff person is to go on leave for a period of longer than 30 days, their account should be
temporarily suspended within 5 business days of the start of their leave. It is the responsibility of
the End User’s supervisor to notify the Agency Super User when the End User will be on leave
for a period longer than 30 days.
Collier County CRN – Standard Operating Procedures Manual
53 | P a g e
User Passwords
Each user must have a unique identification code (user ID). Each user’s identity will be
authenticated using a user password. Passwords are the individual’s responsibility. Users are
prohibited from sharing user IDs or passwords. Sanctions will be imposed on the user and/or
agency if user account sharing occurs.
Passwords should be between eight and sixteen characters long and not easily guessed or found
in a dictionary. The password format is alphanumeric.
SOP#: 04-020 Title: DATA ACCESS CONTROL POLICIES AND PROCEDURES
Page 2
Any passwords written down must be securely stored and inaccessible to other persons. Users
should not save passwords on a personal computer for easier log on.
Password Reset
The CRN System Administrator will have the ability to reset a password during non-business
hours.
Temporary Suspension of User Access to Database Resources
In the case of system inactivity users must log off from the CRN and workstation if they leave
their workstation. CRN Project Management must establish inactivity time-out thresholds to be
implemented by the vendor, where technically feasible, for terminals and workstations that
access CRN information. Therefore, if a user is logged onto a workstation, and the period of
inactivity on the workstation exceeds the designated inactivity period of time the user will be
automatically logged off the system.
If a User unsuccessfully attempts to logon six times, the User ID will be “locked out”, access
permission revoked, and the user will be unable to gain access until his/her password is reset.
Electronic Data Controls
The Partner Agencies must establish internal access policies to data protocols based on the final
HUD Data and Technical Standards.
Partner Agencies will have the ability to export a copy of their own data for internal analysis and
use. Agencies are responsible for the security of this information.
Hardcopy Data Controls
Collier County CRN – Standard Operating Procedures Manual
54 | P a g e
Printed versions (hardcopy) of confidential data should not be copied or left unattended and open
to compromise. Media containing CRN client identified data may not be shared with any person
or agency other than the owner of the data for any reason not disclosed within the Client Notice.
CRN data may be transported by authorized employees using methods deemed appropriate by
the participating agency that meet the above standard. Reasonable care should be used, and
media should be secured, when left unattended. Magnetic media containing CRN data which is
released or disposed of from the participating organization and central server should first be
processed to destroy any data residing on that media. Degaussing and overwriting are acceptable
methods of destroying data. CRN information in hardcopy format should be disposed of
properly. This may include shredding finely enough to ensure that the information is
unrecoverable.
SOP#: 04-030 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: AUDITING POLICIES AND PROCEDURES
Policy: CRN Project Management and Agency Super User will monitor system and
database access that could potentially reveal a violation of security protocols.
Standard: CRN Project Management or its designee and Agency Super User will implement
a monitoring plan to monitor compliance with data security standards.
Purpose: To protect the security of the CRN system and databases.
Scope: CRN Project Management and Agency Super Users
Guidelines:
Access Monitoring Plan
The CRN application must maintain an audit trail that tracks user log-in attempts for a minimum
of six months. The CRN application must also maintain an audit trail that tracks deletions of
client records (including the actual assessment entry, date deleted, and username) for a minimum
of six months and a record of deleted client records (case number, intake information, date
deleted, and username) for a minimum of one year. The CRN application is designed to record
transactional data on all other client information for historical and audit purposes. Each entry
shall also reflect the user who created the entry and the date and name of the user who made the
most recent modification.
Collier County CRN – Standard Operating Procedures Manual
55 | P a g e
The CRN System Administrator must regularly review audit records for evidence of violations or
system misuse. The Agency Super User must regularly review the logs for its agency’s users to
determine unauthorized or inappropriate access to CRN client records.
All users and custodians are obligated to report suspected instances of noncompliance or security
violations to an Agency Super User or the CRN System Administrator as soon as possible.
Violations & Sanctions
All potential violations of any security protocols will be investigated by CRN Project
Management. Any user found to be in violation of security protocols will be sanctioned
accordingly. Sanctions include, but are not limited to:
- a formal letter of reprimand;
- suspension of system privileges;
- revocation of system privileges; and
SOP#: 04-030 Title: AUDITING POLICIES AND PROCEDURES
Page 2
A Partner Agency’s access may also be suspended or revoked if serious or repeated violation(s)
of the SOPs occur by agency users. All CRN sanctions will be imposed by a team comprised of
an CRN User Group Chair, the CRN System Administrator, and the CRN Steering Committee
Chair and Chair of the COC Committee. The Board of Directors of the CRN Lead Agency needs
to approve the sanctions prior to enforcement.
CRN sanctions can be appealed to a team comprised of the CRN Steering Committee Co-Chair,
and the CRN Lead Agency’s Board of Directors.
Criminal prosecution sanctions will be recommended by CRN Project Management and the CRN
Lead Agency’s Board of Directors to the appropriate law enforcement agency.
Collier County CRN – Standard Operating Procedures Manual
56 | P a g e
Section 5 – Internal Operating Policies &
Procedures
SOP#: 05-010 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: SYSTEM AVAILABILITY POLICIES AND PROCEDURES
Policy: The CRN application will be available to users in a manner consistent with the
agencies’ reasonable usage requirements.
Standard: CRN Project Manager/System Administrator and Software Vendor as hosting and
support partner will operate the system full-time and respond immediately in the
event of an interruption to service, as defined by the guidelines in this policy.
Purpose: To define system availability.
Scope: CRN Project Manager/System Administrator and Software Vendor
Guidelines:
These guidelines are provided as a reference; however, the official document for system
operation is the vendor Hosting and Support Agreement .
Hours of System Operation
The system is designed to be operating and available 24 hours a day 365 days a year. In the
unlikely event of an unplanned interruption of service, the vendor is responsible for rapid
response and returning the system to online status. For planned interruptions of service the
vendor shall schedule these during the least busy times and advise the CRN Project
Manager/System Administrator in advance. For regularly scheduled downtimes the vendor shall
identify hours, and a set time for planned back-up, security patches, etc. The Project
Manager/System Administrator has the authority to determine the definition of ‘advance
notification’ in this situation.
CRN Project Management & System Administrator Availability
The CRN Project Manager/System Administrator will be available during normal business hours
(9:00 – 5:00 Monday through Friday). After normal business hours, users should follow the
protocols established in SOP# 05-020: Technical Support Policies and Procedures. CRN Project
Collier County CRN – Standard Operating Procedures Manual
57 | P a g e
Manager/System Administrator will be on-call via cell phone in the event of a disaster identified
by the CRN Lead Agency.
Planned Interruption to Service
The CRN Project Manager/System Administrator will inform all users via CRN email and/or fax
of any planned interruption to service. An explanation of the need for the interruption, expected
duration, and benefits or consequences will be provided.
SOP#: 05-010 Title: SYSTEM AVAILABILITY POLICIES AND PROCEDURES
Page 2
Unplanned Interruption to Service
When an event occurs that makes the system inaccessible and the interruption is expected to
exceed two hours,
Hard-Disk Drive Failure
In the case of the primary hard-disk drive failure, our Application Server is housed with an ATA-
Raid Controller which is a RAID compliant drive redundancy. The RAID controller will detect
the failure and continue operation without interruption of service.
Multiple Hard Drive Failures
In the event of multiple disks failing, a stand-by drive is fully loaded with server requirements
and software requirements. Disk is loaded and all backup data collected the day before is loaded
to disk. Clients should expect a 2-4-hour lapse of service.
Fire or Natural Disaster
In the event of a fire or natural disaster, offsite data will be loaded into an off-site standby server
located offsite. Clients should experience no more than a 3-hour lapse in service with little or no
data loss.
Collier County CRN – Standard Operating Procedures Manual
58 | P a g e
SOP#: 05-020 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: TECHNICAL SUPPORT POLICIES AND PROCEDURES
Policy: The CRN Project Manager/System Administrator shall offer standard technical
support services to all Partner Agencies and users.
Standard: Users needing technical support on the CRN application should access standard
technical support services using the guidelines articulated in this policy.
Purpose: To define technical support services.
Scope: System-wide.
Guidelines:
Technical Support Resolution Procedure – Use of the CRN Application
As unanticipated technical support questions arise, users should implement the following
procedure(s) to resolve their questions.
During normal business hours:
- Utilize on-line help resources and/or training materials.
- If question is still unresolved, direct the technical support question to the Agency Super
User.
- If question is still unresolved, the Agency Super User can further direct the question to
the CRN Project Manager/System Administrator.
- If question is still unresolved, the CRN Project Manager/System Administrator can
further direct the question to the vendor technical support staff.
After normal business hours:
- Utilize on-line help resources and/or training materials.
- If issue can wait to be addressed during the following business day, please wait and
follow the escalation procedure outlined above,
- If not, then direct the technical support question to the Agency Super User, if available.
- If unavailable, or if the question is still unresolved, contact the CRN Project
Manager/System Administrator to determine the appropriate procedure. If the Project
Manager/System Administrator determines that the issue needs immediate attention, the
request will be forwarded to the vendor technical support. Otherwise, CRN Project
Manager/System Administrator may indicate that the user should pursue assistance
through normal channels on the following business day.
Collier County CRN – Standard Operating Procedures Manual
59 | P a g e
Technical Support Resolution Procedure – Access to the CRN Application or Database
If a user experiences an unplanned interruption to CRN operation, the user should implement the
following procedure to notify the CRN Project Manager/System Administrator and/or understand
the status of operations.
During normal business hours:
- Contact your Agency Super User, who should immediately check the status of the
agency’s ISP.
- If the system outage is unrelated to the agency’s internet connectivity, the Agency Super
User should contact the CRN Project Manager/System Administrator to immediately
report the interruption.
- The Agency Super User should communicate the results of the status update to all agency
users who may attempt to use the CRN application during the period of interruption.
- At all times, the CRN Project Manager/System Administrator will provide a central
clearinghouse of information about all system interruptions.
After normal business hours:
- Attempt to determine if the interruption is related to the agency’s internet connection.
(For example, try to access another site on the internet.) If the issue is related to the
Agency’s internet connectivity, contact the Agency Super User.
- If the system outage is unrelated to the agency’s internet connectivity, the user should
contact the CRN Project Manager/System Administrator to immediately report the
interruption.
- The user should attempt to communicate the results of the status update to other agency
users who may attempt to use the CRN application during the period of interruption.
- At all times, the CRN Project Manager/System Administrator will provide a central
clearinghouse of information about all system interruptions.
User Training
The CRN Project Manager/System Administrator will provide ongoing CRN software training
on a regular basis, as described in SOP# 03-040: CRN Training Requirements. If additional or
specific training needs arise, the CRN Project Manager/System Administrator may be able to
arrange for special training sessions.
Agency/User Forms
All Agency Super Users will be trained in the appropriate on-line and hardcopy forms. If the
Agency Super User has questions on how to complete CRN forms, he/she should contact the
CRN Project Manager/System Administrator.
Collier County CRN – Standard Operating Procedures Manual
60 | P a g e
SOP#: 05-020 Title: TECHNICAL SUPPORT POLICIES AND PROCEDURES
Page 2
Report Generation
CRN Project Manager/System Administrator shall work with the software vendor in developing
and creating the federal mandated reports for the CRN Lead Agency as well as for the Partner
agencies, exclusively related to the CRN database.
The CRN User Group will be the primary body to query Partner Agencies on their reporting
needs and to prioritize a list of reports to be developed by the CRN System Administrator for all
CRN Partner Agencies.
Time permitting, the CRN Project Manager/System Administrator shall aid in developing and
creating agency specific reports.
CRN Project Manager/System Administrator shall develop system related reports on usage,
access and performance etc. with the software vendor that are derived from the server monitoring
tools at the hosting site.
Programming-related Service Requests
If the user encounters programming issues within the CRN application that need to be addressed,
the user should identify the error or suggested improvement to the Agency Super User. The
Agency Super User should complete an CRN Service Request Form identifying the specific
nature of the issue or recommended improvement along with the immediacy of the request.
Service requests will be reviewed by the CRN Project Manager/System Administrator for further
action. Requests to fix programming errors or “bugs” will be prioritized and forwarded to the
vendor programming team, as appropriate. Suggested application improvements will be
compiled and periodically discussed by the CRN Project Manager/System Administrator and the
CRN User Group. A prioritized list of improvements will be submitted to the CRN Project
Manager/System Administrator for review and submittal to the vendor.
Collier County CRN – Standard Operating Procedures Manual
61 | P a g e
Section 6 – Data Ownership, Usage and Release
Policies & Procedures
SOP#: 06-010 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: DE-DUPLICATION POLICIES AND PROCEDURES
Policy: The CRN Lead Agency will employ a range of methods to achieve de-duplication
to accommodate the unique situations of different provider types.
Standard: The CRN System Administrator and Agency Super Users shall train users on and
employ the methods described below to achieve the highest degree of de-
duplication.
Purpose: To define the overall de-duplication approach.
Scope: System-wide.
Guidelines:
De-duplication Data Elements
The CRN application will use the following data elements to create unduplicated client records:
- Name (first, middle initial, last, alias);
- DOB (actual or estimated);
- Gender;
- Race and Ethnicity; and
- SSN (full or partial).
The primary way to achieve de-duplication will be a provider-mediated search of the client
database prior to creating a new client record. The user will be prompted to enter a minimum
number of data elements in the CRN, and a list of similar client records will be displayed.
Based on the results, the user will be asked to select a matching record if the other identifying
fields match correctly. If the user is unsure of a match (either because some data elements differ
or because of blank information), the user should query the client for more information and/or
create a new client record. The user will not be able to view sensitive client information or
program-specific information during the de-duplication process. After the client record is
selected, the user will only be able to view the previously existing portions of the client record if
he/she has explicit authorization to view that client’s record, as described in SOP 03-060: CRN
Client Notification and Consent Procedures
Collier County CRN – Standard Operating Procedures Manual
62 | P a g e
SOP#: 06-010 Title: DE-DUPLICATION POLICIES AND
PROCEDURES
Page 2
For providers who do not directly enter data in the CRN and those who do not share information
according to the Interagency Data Sharing Agreement, the de-duplication will occur on the back-
end using the same client identifiers or a masked ID generated from these identifiers called a
Hash Code:
- First letter of the first name;
- Four first letters of the last name;
- Full DOB; and
- Last four digits of SSN.
Data from Interface Partner Agencies can become, but does not have to become, part of the real-
time CRN client database. If their data is not merged into the CRN client database, the client
records will be integrated into an analytical database.
De-duplication Methods
Agency Type Provider-mediated Look-up* Backend Central Server Matching based on Identifiable Information Backend Central Server Matching based on Masked Identifier** Data Storage Location (Program, Agency, or Server Direct Partner
Agencies (DPA) Yes Yes Yes Server
Providers who upload
periodic client data No Yes Yes Agency and
Server
DV/MH/Youth/
HIV/AIDS etc.
Providers
If DPA optional encrypted Agency/Server
* Hidden client records will not be searchable as part of the provider-mediated look-up. Mainstream providers will
be trained on the use of hidden client records for use with victims of domestic violence and/or other clients who
deny the right to share their personal information. Hidden records will be unduplicated using one of the backend
processes.
** See Definition of a masked identifier below.
Collier County CRN – Standard Operating Procedures Manual
63 | P a g e
Definitions
Provider-mediated look-up: Prior to beginning a new client record, the intake worker or data
entry person will search for an existing client record using the de-duplication fields indicated
earlier in this SOP.
SOP#: 06-010 Title: DE-DUPLICATION POLICIES AND
PROCEDURES
Page 3
Hidden Client Data Entry: Primary identifiers are hidden to agency-level users outside of the
originating agency, as described in SOP 03-060: CRN Client Notification Policies and
Procedures.
Backend Central Server Matching based on Identifiable Information: System-level users
will manage a computer-aided process of matching client personal identifying information at the
central server level and assigning a common personal identification number to records with
similar identifiers for de-duplication purposes. This scenario will be used to produce
unduplicated count of hidden client records and will be applied to Collier County Continuum of
Care CRN Partner Agency data.
The process will also be used to validate data received from all users, as human error and
decisions may introduce error to the provider-mediated look-up process.
Backend Central Server Matching based on Masked Identifier: When primary identifiers
are not shared across agencies or shared with the CRN central server for purposes of avoiding
duplication, system-level users must complete de-duplication based on a masked identifier. The
originating agency must generate a masked identifier based on a CRN-specified algorithm based
on elements of the client’s personal identifying information. The masked identifiers will be used
by CRN system-level users to assign a common personal identification number to records with
similar masked identifiers (commonly known as Hash-Code.)
Collier County CRN – Standard Operating Procedures Manual
64 | P a g e
SOP#: 06-020 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: DATA QUALITY POLICIES AND PROCEDURES
Policy: All data entered into the CRN and used by the CRN System Administrator or
Lead Agency for analytical or reporting purposes must meet the data quality
standards.
Standard: The CRN Lead Agency must adopt a data quality plan to ensure that all data
meets the data quality standards.
Purpose: To define data quality standards and a data quality management plan.
Scope: System-wide.
Guidelines: 90% minimum data quality expectation
The CRN Lead Agency shall define a data quality plan that includes specific data quality
standards, mechanisms for monitoring data quality, sanctions for non-compliance with standards,
and assigned responsibilities.
This policy should be amended to incorporate the data quality plan once the HEARTH ACT
guidance is developed.
Current standards are met as outlined by Congress and the Dept of HUD. “This Notice revises
the Community Resource Networks (CRN) Data and Technical Standards Final Notice (69 FR
146, August 2016). The Notice adds a new set of Program Description Data Elements (Section
2). In addition, the Notice presents revisions to CRN Data Standards for Universal Data
Elements (Section 3) and Program-Specific Data Elements (Section 4). These sections replace
Section 2 (Universal Data Elements) and Section 3 (Program-Specific Data Elements) of the
2014 Notice. All other sections of the 2014 notice remain in effect.”
Collier County CRN – Standard Operating Procedures Manual
65 | P a g e
SOP#: 06-030 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: DATA OWNERSHIP POLICIES AND PROCEDURES
Policy: All data usage is governed by the owners of the data.
Standard: Data entered into the CRN or submitted to the CRN Lead Agency for the
purposes of the CRN initiative shall be considered owned by the client and
agency that collected the information.
Purpose: To define data ownership.
Scope: System-wide.
Guidelines:
The client ultimately retains ownership of any identifiable client-level information that is stored
within the CRN. If the client consents to share data, the client, or agency, on behalf of the client,
has the right to later revoke permission to share his/her data without affecting his/her right to
service.
Identifiable client-level data may only be stored and accessed within the CRN in accordance with
the client notification and consent procedures in SOP 03-030: CRN User Access Levels and SOP
03-060: Client Notification Policies and Procedures.
In cases where agencies and clients agree to share identifiable client-level data, this information
may only be shared in accordance with SOP 03-060: CRN Client Notification Policies and
Procedures, SOP 03-080: CRN Interagency Data Sharing, and SOP 03-090: CRN Information
Sharing Referral Procedures
If the relationship between the CRN and a Direct Partner Agency is terminated, the agency will
retain ownership of the identifiable client-level data that has been submitted to the CRN. The
CRN staff shall make reasonable accommodations to assist a Direct Partner Agency to export
their data in a format that is usable in an alternative database. In this circumstance, any agency-
entered client-level data must be de-identified in order to remain in the CRN database. This de-
identified information shall remain available to the CRN Lead Agency for analytical purposes.
For the purposes of de-identification, the personal identification number shall not be considered
an identifying data element if it is not stored with any other personal identifiers.
Collier County CRN – Standard Operating Procedures Manual
66 | P a g e
SOP#: 06-040 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: DATA CLASSIFICATION POLICIES AND PROCEDURES
Policy: All data entered into or generated by CRN shall be managed according to their
classification system.
Standard: All data must be classified public, internal, or confidential. All data must be
handled per its classification. Failure to handle data properly is a violation of this
policy.
Purpose: To define data classifications.
Scope: System-wide.
Guidelines:
Definitions
Public Data: Information published per Data Release policies. See SOP# 06-060.
Internal Data: Information scheduled, but not yet approved, for publication. Examples include
draft reports, fragments of data sets, or data without context.
Confidential Data: Information that identifies clients contained within the database. Examples
include social security number, name, address, or any other information that can be leveraged to
identify a client. Specific identifiable data elements are described in the CRN Data Collection
Requirements SOP# 03-070.
Procedures for Transmission and Storage of Data
Public Data does not require security controls.
Internal Data is accessible only to internal employees. No auditing is required. No special
requirements are necessary for the destruction of this data. This data must be stored securely and
can be transmitted via internal or first class mail.
Confidential Data requires encryption at all times. It must be magnetically overwritten and the
destruction must be verified by database administrator. Hardcopies of confidential data must be
produced only for specific, short-term analysis and appropriately destroyed following completion
of the task. This data can only be delivered by hand to data owner.
Collier County CRN – Standard Operating Procedures Manual
67 | P a g e
SOP#: 06-050 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: CRN DATA USES AND DISCLOSURES POLICIES AND
PROCEDURES
Policy: All CRN stakeholders will follow the data disclosure policies and procedures to
guide the use and disclosure of client information stored in or generated by the
CRN.
Standard: This policy establishes the CRN Lead Agency-approved uses and disclosures for
CRN client data.
Purpose: To define minimum standards for data disclosure.
Scope: System-wide.
Guidelines:
Each CRN Partner Agency must comply with the following Uses and Disclosures, as outlined in
the standard CRN Notice of Uses and Disclosures. A Partner Agency has the right to establish
additional uses and disclosures if they do not conflict with the CRN Lead Agency-approved uses
and disclosures.
Privacy Notice Requirement
Each agency must either adopt the standard CRN Notice of Uses and Disclosures or develop an
alternative Agency Privacy Notice that incorporates the content of the standard CRN notice.
Every agency must post the notice and/or provide a copy of the notice to each client, in
accordance with SOP 03-060: CRN Client Notification and Consent Procedures. If an agency
maintains a public web page, the agency must post the current version of its privacy notice on the
web page.
An agency’s Privacy Notice must:
- Specify all potential uses and disclosures of client personal information;
- Specify the purpose for collecting the information;
- Specify the period of time for which the data will be retained at the agency and the
method for disposing of it or removing identifiers from personal information that is not in
current use seven years from when it was created or last modified;
- State the process and applicability of amendments, and commit to documenting all
privacy notice amendments;
Collier County CRN – Standard Operating Procedures Manual
68 | P a g e
- Offer reasonable accommodations for persons with disabilities and/or language barriers
throughout the data collection process
- Allow the individual the right to inspect and to have a copy of their client record and
offer to explain any information that the individual may not understand; and
- Specify a procedure for accepting and considering questions or complaints about the
privacy and security policies and practices.
SOP#: 06-050 Title: CRN DATA USES AND DISCLOSURES POLICIES AND
PROCEDURES Page 2
CRN Lead Agency-approved Uses and Disclosures
CRN client data may be used or disclosed for (1) case management, (2) administrative, (3)
billing, and (4) analytical purposes. Uses involve sharing parts of client information with
persons within an agency. Disclosures involve sharing parts of client information with persons
or organizations outside of an agency.
Case Management Uses and Disclosures: Agencies may use or disclose client
information for case management purposes associated with providing or coordinating
services. Unless a client requests that his/her record remain hidden, personal identifiers
will be disclosed to other CRN agencies so other agencies can easily locate the client’s
record if he/she goes to them for services. Beyond personal identifiers, each agency can
only share client information with other agencies with written client consent.
Administrative Uses and Disclosures: Agencies may use client information internally
to carry out administrative functions, including but not limited to legal, audit, personnel,
oversight and management functions. Client information will be stored on a central case
management database; as such, client information will be disclosed for system
administration purposes to CRN Project Manager/System Administrator and Data
Systems International employees or other contractors who administer the central
database.
Billing Uses and Disclosures include functions related to payment or reimbursement for
services. An example might include generating aggregate reports for the people and
organizations that fund an agency. A client’s personal information may be disclosed for
billing purposes if required by the service providers.
Analytical Uses and Disclosures: Agencies may use client information for internal
analysis. An example would be analyzing client outcomes to evaluate program
effectiveness. Agencies will disclose client personal identifiers to the central system
administrators for uses related to creating an unduplicated database on clients served
within the system, ultimately resulting in the creation of de-identified personal
information. Agencies may also disclose portions of a client’s information without the
personal identifiers for analytical purposes related to analyzing client data, including , but
not limited to, understanding trends in homelessness and needs of persons who are
Collier County CRN – Standard Operating Procedures Manual
69 | P a g e
homeless, and assessing the implementation of the Continuum’s 10-Year Plan to End
Homelessness.
In accordance with the Housing and Urban Development Data and Technical Standards Final
Notice, a client’s information may also be used or disclosed for such purposes: 1) as required by
law; 2) as necessary to avert a serious threat to health or safety; 3) to report victims of abuse,
neglect or domestic violence; 4) academic research purposes; and 5) law enforcement purposes
only in response to a lawful court order, court-ordered warrant, subpoena or summons issued by
a judicial office or a grand jury subpoena.
SOP#: 06-050 Title: CRN DATA USES AND DISCLOSURES POLICIES
AND PROCEDURES
Page 3
A client record will be stored on the Bowman Service Point CRN system with personal
identifiers.
Clients have right to request the CRN Privacy & Security Policies from the CRN Lead Agency
or via a User Agency.
Collier County CRN – Standard Operating Procedures Manual
70 | P a g e
SOP#: 06-060 Revision: Prepared by: CRN
Approval Date: Pending Revision Date: Revised by:
Title: DATA RELEASE POLICIES AND PROCEDURES
Policy: All CRN stakeholders will follow the data release policies and procedures to
guide the release of client information stored in or generated by the CRN.
Standard: Data must be categorized as confidential or internal unless it meets the data
release policy.
Purpose: To define standards and circumstances for data release.
Scope: System-wide.
Guidelines:
Client-identified data
No identifiable client data will be released to any person, agency, or organization that is not the
owner of said data for any purpose other than those specified in SOP 06-050: CRN Data Uses
and Disclosure Policies and Procedures without written permission from the owner.
Data Release Criteria
CRN client data will only be released in aggregate or anonymous client-level data formats for
purposes beyond those specified in SOP 06-050: CRN Data Uses and Disclosure Policies and
Procedures, per the criteria specified below.
Aggregate Data Release Criteria:
- All data must be anonymous, by removal of all identifiers and all information that could
be used to infer an individual or household’s identity;
- Aggregate Data must represent sixty percent (60%) of the clients in that universe
(program, agency, subpopulation, geographic area, etc.), unless otherwise required for the
Congressional AHAR;
- Only Partner Agencies can authorize release of aggregate, program-specific information
beyond the standard reports compiled by the Continuum of Care for funding purposes.
There will be full access to aggregate data for all participating agencies;
- Parameters of the aggregate data (e.g. where the data originates, what it includes and
what it does not include) will be presented to those requesting aggregate data; and
- Released aggregate data will be made available in the form of an aggregate report or as a
raw dataset
Collier County CRN – Standard Operating Procedures Manual
71 | P a g e
SOP#: 06-060 Title: DATA RELEASE POLICIES AND PROCEDURES
Page 2
Anonymous Client-level Data Release Criteria:
- All data must be anonymous by removal of all identifiers and all information that could
be used to infer an individual or household’s identity;
- Program specific information will not be released without the written consent of the
agency’s Executive Director; and
- Parameters of the data (e.g. where the data originates, what it includes and what it does
not include) will be presented to those requesting aggregate data.
Data Release Process
Beyond individual agency reports or Continuum of Care reports on its funded programs, the
CRN Lead Agency Executive Director must approve data for public classification and release.