If your organization provides domestic violence services, you know that the protection of client data is of utmost importance. VAWA and other legislation require that technology vendors safeguard client records to ensure appropriate access to and use of data, and to ensure that victims’ consent is recorded prior to storing or sharing their data.
Client information and case management systems, including those designed for domestic violence programs or organizations, can facilitate client safety and mitigate privacy and security risk. And yet, concerns about data protection in digital systems supporting victims’ services organizations can make the selection of a long-term technology partner challenging.
The right technological solution can deliver the following benefits:
Vendors that are HIPAA-compliant will have the technical, physical, and administrative safeguards that facilitate compliance with VAWA. However, beyond this, you should ask your vendor how they accommodate privacy and consent requirements under VAWA, and how they can work with you to meet subpoena requests for client files and data retention requirements.
Although some organizations have concerns about storing data in the cloud, SaaS providers actually provide better privacy and security safeguards than on-premises solutions because they use economies of scale to cost-effectively provide state-of-the-art security rather than passing on costs and risks to your organization.
Authentication and Password Security
Systems supporting victims’ services should be equipped with two-factor authentication, user-managed password resets, automatic locking for repeated failed login attempts, automatic timeouts for inactivity once logged in, encrypted passwords, visibility into who has logged into and out of the system, on-screen user and time stamps, and audit logs of user activity.
Auditing and Reports
Digital systems housing victim data should also provide clear audit trails for creating, viewing, editing, and deleting information, in a form that is easy to report on. System access logs should be readily available, and vendors should be able to provide assurance that no data is accessed by their staff except as explicitly authorized and requested by you. Your system should also store things like staff training records, NDAs, and qualifications to facilitate easy auditing and ensure compliance with policies and legislation.
Role-Based Access to Client Information
One of the best ways to protect information is to prevent everyone except explicitly authorized users from accessing client files or sensitive data within them. Systems that protect data by default, and that allow an organization to define which client files and which parts of those files staff can access, ensure that viewing, editing, and deleting information is only possible in line with your organization’s policies and compliance requirements. Detailed role-based security should allow for appropriate restrictions, while also ensuring that service providers can access the information they require and share information appropriately any time they need to.
Detailed and Appropriate Data Capture
Data security is not just about confidentiality; it is also about data availability: having the right data at the right time to support victims’ safety and documented consent to collaborative service delivery. Systems should support data capture for the full range of services provided, from crisis calls to counselling, advocacy and accompaniment, legal and housing support, shelter stays, children’s services, information and referral services, and even educational and outreach programs. Having a single source of truth for victims’ records, including children or other family members, ensures a seamless and collaborative care experience where information does not have to be repeated and requests and needs can be responded to quickly and effectively. Documenting work with third-party providers such as lawyers, housing authorities, medical staff, and others ensures that a comprehensive record of the services provided and their outcomes is captured in one place. Tracking a victim’s journey to getting help can ensure that no one slips through the cracks and that proper documentation and consents are obtained in a systematic way with dates and signatures, captured electronically or uploaded as an attachment. Storing safety plans, written informed consents, and other documentation right in a client’s file, where they can be easily referenced, ensures that victims’ needs and wishes are met and that the organization complies with legislation like VAWA.
Safety-Driven Collaboration and Workflows
Finally, digital systems that offer workflow and collaboration tools with alerts and notifications can also contribute to a better and safer client experience: staff can set safety flags, set reminders and notifications, and escalate responses based on manual or automated triggers. System-facilitated decision support around things like responses to risk assessment results or incidents can contribute to a victim’s safety, and having information shared appropriately can improve your client’s experience with your organization.