Confidentiality: VAWA, FVPSA, and VOCA
The Violence Against Women Act (VAWA) and the Family Violence Prevention and Services Act (FVPSA) contain strong confidentiality provisions that limit the sharing of victims' personally identifying information, including entering information into public records and databases.
These provisions affirm confidentiality practices that protect the safety and privacy of victims of domestic violence, dating violence, sexual assault, and stalking. The following provides some basic information about these provisions.
1. How do federal VAWA, FVPSA, and VOCA provisions protect victim information?
The U.S. Congress has legally codified the importance of victim confidentiality in two sections of VAWA and in FVPSA:
VAWA
o Universal Grant Conditions: Nondisclosure of Confidential or Private Information (VAWA 2013 Section 3: 34 USC §12291 (a)(20) & (b)(2)
o VAWA amended the McKinney-Vento Homeless Assistance Act at (42 U.S.C. 11363) (VAWA 2005, Section 605)
FVPSA 42 U.S.C. 10406(c)(5)
Additionally, the Department of Justice has implemented supporting regulations on victim confidentiality for VAWA grantees at 28 CFR 90.4, and for VOCA grantees at 28 CFR 94.115.
2. How do VAWA Section 3, FVPSA, & VOCA confidentiality provisions protect victim information?
VAWA Section 3, FVPSA, & VOCA regulations prohibit sharing personally identifying information about victims without informed, written, reasonably time-limited consent. VAWA & VOCA also prohibit disclosure of individual information without written consent. These confidentiality grant conditions also prohibit programs from making the signing of a release a condition of service. Additionally, no program can share personally identifying information to comply with Federal, Tribal, or State reporting, evaluation, or data collection requirements.
These provisions do allow survivors to make a request that their personal confidential information be shared by a victim service provider for a specific purpose by completing a time-limited, informed, and written release. The release of information (specific and time-limited) must be for services requested by the survivor and they must be fully informed of all possible consequences of disclosure, as well as alternative ways to meet their needs without having to consent to release of confidential information.
VAWA, FVPSA, & VOCA also permit limited sharing when required by state law or a valid court mandate, and in either circumstance the VAWA/FVPSA/VOCA-funded program must protect the survivor’s information as much as possible. Because permissive child abuse reporting is not a mandate, it is not allowed. If case law creates a duty to warn about serious physical injury, then VAWA regulations count that as a court mandate. Always check with your state coalition to assess if any child abuse law or common law duty to warn actually mandates reporting by individuals in a VAWA/FVPSA/VOCA-funded program.
VAWA and VOCA regulations clarify that grantees must not disclose, reveal, or release any personally identifying information regardless of whether the information has been encoded, encrypted, hashed, or otherwise protected. Additionally, VAWA regulations require grantees to make reasonable efforts to prevent the inadvertent disclosure of identifying and individual information, especially when making use of any third-party database, or internal database managed by an outside company. If VAWA, FVPSA, or VOCA grantees put personally identifying victim information into databases and the identifying information is readable by people outside of the victim services unit (including outside tech companies), the grantees are disclosing the victim information and risk both the safety of survivors and the program’s funding. The prohibition on disclosure in an outside database also applies to a homeless management information system (HMIS).
3. What HMIS (Homeless Management Information Systems) related provisions are included in VAWA?
VAWA amended the McKinney-Vento Homeless Assistance Program to protect victims’ personally identifying information by preventing local victim service programs from putting personally identifying information about victims into HMIS. Even if the personally identifying information is encoded or scrambled, programs are still not allowed to disclose it.
Additionally, over 30 U.S. states have advocate confidentiality laws that prevent local programs from disclosing identifying information about victims, encrypted or otherwise. Where state protections are stronger than the VAWA amendment to McKinney-Vento, those stronger protections must be followed.
Victim service providers receiving HUD funds must use a comparable database that adheres to the same technology data standards as mainstream HMIS systems. Victim service providers must provide aggregate information in reports to HUD. Information in these reports must be non-identifying, which can include aggregate totals or other demographic information that does not identify a victim. Since it is possible to identify many victims in rural states or small communities with only ethnicity or age and zip code, the information that victim service providers can share must be carefully scrutinized and limited. In addition, non-personally identifying information must be further protected by being "de-identified, encrypted, or otherwise encoded."
HUD issued a proposed rule on HMIS and an interim rule on HMIS for ESG grantees. Neither the proposed nor the interim rule have been finalized as of this writing, but they give the best instruction on how programs should comply with data collection and protect confidentiality. HUD grantees must comply with the 2014 HMIS Data Dictionary and 2014 HMIS Data Manual. Although victim service providers are only required to submit aggregate details in reports, they must, according to HUD, collect all of the same data elements as mainstream HMIS systems. NNEDV continues to work with HUD to reduce the collection of information that is not used or useful. When using a comparable database with these additional required elements, it’s critical to inform survivors that they have the right to refuse to answer any of the questions without impact to the services they receive. Programs should take extra steps to ensure the security of all information collected and retained for this purpose.
4. Which of these VAWA and FVPSA provisions apply to my program?
The confidentiality provisions in VAWA and FVPSA apply to all grantees and subgrantees funded by the Violence Against Women Act (VAWA) or the Family Violence Prevention and Services Act (FVPSA). Most local domestic violence programs receive VAWA and FVPSA funding through Office on Violence Against Women (OVW) grants and the Department of Health and Human Services (HHS), respectively. The state domestic violence or sexual assault coalition can help determine if a program receives VAWA or FVPSA funding.
VAWA 2013 clarified that all VAWA grantees must document their compliance with the confidentiality and privacy provisions.
Since VAWA amended the McKinney-Vento Homeless Assistance Act to prohibit all victim service providers from entering personally identifying information into an HMIS database, victim service providers who belong to Continuums of Care cannot share personally identifying information about victims. They also cannot be punished by having their funds withheld or application incentives removed for complying with this law or any State law.
5. How is "victim service providers" defined in McKinney-Vento, as amended by VAWA?
Victim service providers include nonprofit organizations whose primary mission is to provide services to victims of domestic violence, dating violence, sexual assault or stalking, such as rape crisis centers, domestic violence shelters, and transitional housing programs. This also includes faith-based programs and homeless shelters that have specific victim services programs or umbrella organizations that have specific victim services programs as a part of its organization. In those programs, confidentiality protections only extend to the specific program in question, unless the larger organization receives VAWA or FVPSA funds and is therefore subject to those protections.
6. Who gets the benefit of these confidentiality protections?
The confidentiality protections set forth in these federal laws and grant conditions apply to any survivor who (1) requests services (regardless if they are provided services or not), (2) is receiving services, or (3) has received services in the past.
VAWA 2013 further clarified that a minor or a person with a legally appointed guardian who is permitted by law to receive services without the parents’ or guardian’s consent may release information on her/his own without additional parental or guardian consent.
7. How can we help protect victims who use other services that don’t have similar confidentiality protections?
It’s important to discuss the differences in confidentiality protections among community services with survivors so they can make informed decisions. For example, victims are not automatically exempt from having their personal information entered into HMIS when they use other HUD-funded services, although they do have a right to opt-out. It is critical that advocates educate victims about their right to decline having any information about them entered into an HMIS system and also educate other HUD-funded agencies to provide full notice and obtain explicit, informed consent. All survivors should have the opportunity to decline any or all electronic HMIS entry – whether the information is "scrambled," "hidden" or "open." NNEDV continues to work with Congress and other national homeless organizations to protect all victims who use HUD-funded services.