Is it appropriate to include a client's full name, date of birth, and Social Security Number in an email to the HMIS Team?

• A. Yes, include the full details to ensure accuracy.
• B. No, never email such information; only the Unique Identifier (UID) should be sent via email.
• C. Yes, but only if the email is encrypted.
• D. Only with the client's explicit consent in writing.

Answer: (B)

Protecting client privacy and secure data sharing is essential: email is not a secure channel for sensitive PII. Sending a client’s full name, date of birth, and Social Security Number by email creates a real risk of interception, misdelivery, or unauthorized access, which can lead to a confidentiality breach. The safest, policy-aligned approach is to reference the client only with the Unique Identifier (UID) in email communications. The UID lets staff locate the correct record in HMIS without exposing sensitive details, preserving privacy while still enabling coordination. If information must be shared beyond the UID, use approved secure channels (such as encrypted portals or secure file transfers) and share the minimum necessary data. Even with consent, transmitting such identifiers via email is not considered best practice due to ongoing security risks.