The Office of eHealth Innovation convened the April Health IT Data Governance Work Group to walk members through a draft Homeless Management Information System (HMIS) data-sharing agreement for the Colorado Social Health Information Exchange (COSHI), focusing on consent, permitted uses, security and retention.
The review matters because the agreement would let HMIS data — including client enrollment, assessments, referrals and contact information — be shared through COSHI with credentialed care coordinators and other authorized recipients to support immediate care coordination for people experiencing homelessness.
Karen Yanki, Data Governance Lead with the Office of eHealth Innovation, opened the discussion by outlining the governance structure for COSHI and the two agreement tracks built for participation: a data-sharing agreement for providers and a data-use agreement for recipients. "My name's Karen Yanki, and I work with the Office of eHealth Innovation, and I'm the Data Governance Lead for the Colorado Social Health Information Exchange," she said. Yanki noted the state is using a dedicated vendor and a multi-year contract to build the system.
State staff described how the HMIS arrangement would work: HMIS system owners would sign an MOU and a data-sharing agreement with COSHI that authorizes sharing HMIS fields with COSHI; COSHI would in turn share data with authorized recipients who sign an MOU and a data-use agreement tailored to the recipient's needs. Yanki told the group that, "after review by our state lawyers, they felt that the release of information that HMIS does is sufficient to count as consent to share." The group was asked to provide feedback on that approach from both an organizational and a citizen perspective.
The draft agreement excerpts reviewed in the meeting covered several operational areas:
- Data use and restrictions: COSHI would have a limited right to use HMIS data for the appendix-defined purpose; COSHI is prohibited from selling or leasing provider data and must share only with authorized third-party end users who have signed required agreements. The agreement lists possible legal frameworks that may apply to other use cases, such as HIPAA, 42 CFR Part 2 and CJIS, but staff said those do not apply to the HMIS use case as presented.
- Security incidents and breach response: COSHI would investigate incidents, comply with legal notification requirements and be responsible for required breach notifications under the agreement. Participant questions focused on how misuse (inappropriate access or review) would be detected and handled; staff said misuse protections and enforcement are addressed more specifically in the recipient data-use agreements and in access-control policies that will be a topic for a future meeting.
- Retention and termination: The draft appendix states COSHI may retain individual profile data indefinitely for service-improvement metrics, while other HMIS data would be retained up to three years and then de-identified. The agreement term as discussed is one year with automatic renewals up to five years unless either party gives 60 days' written notice; providers may suspend or terminate the agreement immediately if COSHI breaches obligations.
- Appendix (use case specifics): The HMIS appendix enumerates categories of fields proposed for sharing — client identification, enrollments, assessments, referrals, coordinated entry, address and household contact information — and cites the McKinney-Vento Homeless Assistance Act and the 2004 HMIS Data and Technical Standards final notice as the legal/regulatory authorities guiding the dataset.
Community members and work group participants raised operational concerns. Danny (a community member from Del Norte) warned that care coordination can be time-sensitive: "It might take a week if my provider shut off the agreement. Here I am sitting in limbo," he said, stressing the potential harm if a provider withdraws data while someone awaits assistance. Other participants asked how COSHI will monitor inappropriate access and what enforcement steps recipients face if staff misuse data; state staff replied that recipient responsibilities and monitoring will be established in data-use agreements and access-control policies and flagged cybersecurity as a separate topic requiring deeper review.
State staff also addressed the relationship between COSHI and the Colorado Department of Health Care Policy & Financing (HCPF). Staff said HCPF is a primary funder through its CMS relationship and that the COSHI system is being developed to sit outside of HCPF's operational data environment, hosted under state Office of Information Technology controls, to keep social-health data separated and secured.
Participants were asked to add feedback via an online mural/multi-user board during the session. Staff said they will summarize and categorize the comments, then present the collated input at the next meeting and schedule follow-up sessions specifically for cybersecurity, misuse enforcement, and the recipient data-use agreements.
The meeting closed with staff asking the work group to prioritize three management buckets for the coming work: data standardization, privacy and consent protections, and community engagement (training and funding support for community-based organizations).