The Violence Against Women Act (VAWA) and the Family Violence Prevention and Services Act (FVPSA) contain strong confidentiality provisions that limit the sharing of victims' personally identifying information, including entering information into public records and databases.
These provisions affirm confidentiality practices that protect the safety and privacy of victims of domestic violence, dating violence, sexual assault, and stalking. The following provides some basic information about these provisions.
1. How do federal VAWA and FVPSA provisions protect victim information?
The U.S. Congress has legally codified the importance of victim confidentiality in two sections of VAWA and in FVPSA:
- Universal Grant Conditions: Nondisclosure of Confidential or Private Information (VAWA 2013 Section 3: 42 U.S.C. 13935 (a)(20) & (b)(2)
- VAWA amended the McKinney-Vento Homeless Assistance Act at (42 U.S.C. 11383) (VAWA 2005, Section 605)
- FVPSA 42 U.S.C. 10406(c)(5)
2. How do the VAWA Section 3 and FVPSA confidentiality provisions protect victim information?
VAWA Section 3 and FVPSA prohibit sharing personally identifying information about victims without informed, written, reasonably time-limited consent. These confidentiality grant conditions also prohibit programs from asking survivors to share personally identifying information as a condition of service. Additionally, no program can share personally identifying information to comply with Federal, Tribal, or State reporting, evaluation, or data collection requirements.
These provisions allow survivors to request that their personal confidential information be shared by a victim service provider for a specific purpose through a time-limited, informed, and written release. The release of information (specific and time-limited) must be for services requested by the survivor and they must be fully informed of all possible consequences of disclosure, as well as alternative ways to obtain the service they are requesting.
VAWA and FVPSA also permit limited sharing when mandated by state law or a valid court order, and in either circumstance the VAWA/FVPSA-funded program must protect the survivor’s information as much as possible. Because permissive child abuse reporting is not a mandate, it is not allowed. Always check with your state coalition to assess if any child abuse law actually mandates reporting by individuals in a VAWA/FVPSA-funded program.
The 2013 reauthorization of VAWA clarifies that grantees must not disclose, reveal, or release any personally identifying information regardless of whether the information has been encoded, encrypted, hashed, or otherwise protected.
Given these provisions, VAWA and FVPSA-funded programs are prohibited from disclosing personally identifying victim information to any third party or third-party database, including a homeless management information system (HMIS).
3. What HMIS (Homeless Management Information Systems) related provisions are included in VAWA?
VAWA amended the McKinney-Vento Homeless Assistance Program to protect victims’ personally identifying information by preventing local victim service programs from putting personally identifying information about victims into HMIS. Even if the personally identifying information is encoded or scrambled, programs are still not allowed to disclose it.
Additionally, over 30 U.S. states have advocate confidentiality laws that prevent local programs from disclosing identifying information about victims, encrypted or otherwise. Where state protections are stronger than the VAWA amendment to McKinney-Vento, those stronger protections must be followed.
Victim service providers receiving HUD funds must use a comparable database that adheres to the same technology data standards as mainstream HMIS systems. Victim service providers must provide aggregate information in reports to HUD. Information in these reports must be non-identifying, which can include aggregate totals or other demographic information that does not identify a victim. Since it is possible to identify many victims in rural states or small communities with only ethnicity or age and zip code, the information that victim service providers can share must be carefully scrutinized and limited. In addition, non-personally identifying information must be further protected by being "de-identified, encrypted, or otherwise encoded."
In December 2011, HUD issued a proposed rule on HMIS. The proposed rule will be in effect once it becomes a final rule. Until the rule is final, HUD grantees must comply with the 2004 Technical Standards and the 2010 Data Standards. Although victim service providers are only required to submit aggregate details in reports, they must, according to HUD, collect all of the same data elements as mainstream HMIS systems. NNEDV continues to work with HUD to reduce the collection of information that is not used or useful. When using a comparable database with these additional required elements, it’s critical to inform survivors that they have the right to refuse to answer any of the questions. Programs should take extra steps to ensure the security of all information collected and retained for this purpose.
4. Which of these VAWA and FVPSA provisions apply to my program?
The confidentiality provisions in VAWA and FVPSA apply to all grantees and subgrantees funded by the Violence Against Women Act (VAWA) or the Family Violence Prevention and Services Act (FVPSA). Most local domestic violence programs receive VAWA and FVPSA funding through Office on Violence Against Women (OVW) grants and the Department of Health and Human Services (HHS), respectively. The state domestic violence or sexual assault coalition can help determine if a program receives VAWA or FVPSA funding.
VAWA 2013 clarified that all VAWA grantees must document their compliance with the confidentiality and privacy provisions.
Since VAWA amended the McKinney-Vento Homeless Assistance Act to prohibit all victim service providers from entering personally identifying information into an HMIS database, victim service providers who belong to Continuums of Care cannot share personally identifying information about victims. They also cannot be punished by having their funds withheld or application incentives removed for complying with this law or any State law.
5. How is "victim service providers" defined in McKinney-Vento, as amended by VAWA?
Victim service providers include nonprofit organizations whose primary mission is to provide services to victims of domestic violence, dating violence, sexual assault or stalking, such as rape crisis centers, domestic violence shelters, and transitional housing programs. This also includes faith-based programs and homeless shelters that have specific victim services programs or umbrella organizations that have specific victim services programs as a part of its organization. In those programs, confidentiality protections only extend to the specific program in question, unless the larger organization receives VAWA or FVPSA funds and is therefore subject to those protections.
6. Who gets the benefit of these confidentiality protections?
The confidentiality protections set forth in these federal laws and grant conditions apply to any survivor who (1) requests services (regardless if they are provided services or not), (2) is receiving services, or (3) has received services in the past.
VAWA 2013 further clarified that a minor or a person with a legally appointed guardian who is permitted by law to receive services without the parents’ or guardian’s consent may release information on her/his own without additional parental or guardian consent.
7. How can we help protect victims who use other services that don't have similar confidentiality protections?
It’s important to discuss the differences in confidentiality protections among community services with survivors so they can make informed decisions. For example, victims are not automatically exempt from having their personal information entered into HMIS when they use other HUD-funded services, although they do have a right to opt-out. It is critical that advocates educate victims about their right to decline having any information about them entered into an HMIS system and also educate other HUD-funded agencies to provide full notice and obtain explicit, informed consent. All survivors should have the opportunity to decline any or all electronic HMIS entry – whether the information is "scrambled," "hidden" or "open." NNEDV continues to work with Congress and other national homeless organizations to protect all victims who use HUD-funded services.