Security and Confidentiality Guidelines for HIV/AIDS Surveillance

Presentation transcript:

Security and Confidentiality Guidelines for HIV/AIDS Surveillance
2008 STD Prevention Conference, March 13, 2008, Chicago, Illinois
Patricia Sweeney, MPH
HIV Incidence and Case Surveillance Branch, Division of HIV/AIDS Prevention, Centers for Disease Control and Prevention

Objectives
- Provide an overview of guiding principles and program requirements in the Technical Guidance for HIV/AIDS Surveillance Programs Volume III: Security and Confidentiality Guidelines
- Highlight select best practice procedures for access and physical security, electronic transfer, and data sharing to ensure security and confidentiality
- Discuss potential issues and barriers that exist for the sharing of HIV surveillance data
- Discuss ways to facilitate data sharing

For longer training, will go into more detail, but just touch on some of these issues today. Historical documents, as well as these are in br_sb drive, as well as in m:\share drive, under Confidentiality and data release related documents. Also, the entire packet is also available there. BETSEY’s

Background
- HIV/AIDS surveillance has a long history concerning confidentiality issues
- First assurance of confidentiality obtained in 1984
- Consideration of a broad range of issues has resulted in development of comprehensive confidentiality and security policies and procedures both for state surveillance programs and at CDC
- Guidelines for security and confidentiality for HIV/AIDS surveillance (Appendix C.) formalized in 1998, revised Technical Guidance January 2006

Historical documents, as well as these are in br_sb drive, under Confidentiality and data release related documents. Also, the entire packet is also available there.

Context for Confidentiality Protections for Public Health Data
- Legal protections exist at various levels
  - Federal
    - Assurance of confidentiality
  - State and local levels
    - Statutes, regulations, and case law
- Additional policies, procedures and guidelines for confidentiality and security
  - HHS/CDC Guidelines
  - ORP Certification
  - State and local security, confidentiality and data release policies

HIV/AIDS Surveillance Security and Confidentiality Guidelines
- Describes program requirements, security recommendations/considerations and best practices
- Intended for local, state, staff and contractors funded to perform HIV/AIDS surveillance activities and all sites where the HIV/AIDS reporting system (HARS or eHARS) is maintained
- Includes guidance on policy development, responsibilities, training, physical security, and data security
- Available on the CDC website: http://www.cdc.gov/hiv/topics/surveillance/resources/guidelines/index.htm

HIV/AIDS Surveillance Security and Confidentiality Guidelines
5 Guiding Principles
- HIV/AIDS data will be maintained in a physically secure environment
- Electronic data will be held in a technically secure environment with minimum access
- Staff with authorized access will be responsible for protecting confidential data
- Security breaches will be investigated thoroughly with sanctions when appropriate
- Security practices and written policies will be continuously reviewed and changed to improve protections

35 Program Requirements
- Mandatory
- Certified annually by the Overall Responsible Party (ORP) for each cooperative agreement grantee
- State minimum standard that all staff with access to confidential data must achieve
- Do not stipulate penalties, as they are the responsibility and within the purview of the ORP

Physical Security
- Stresses personal responsibility
- All physical locations containing electronic or paper copies of surveillance data must be enclosed inside a locked, secured area with limited access [not only the paper/electronic registry]
- Workspace for individuals with access to surveillance information must be within a secure locked area/screens protected from view
- Paper copies limited and secured
  - Any notes with identifiers--or potential identifiers--need to be locked in a file cabinet in a locked room
  - Any output that could breach confidentiality (small cells, etc.) needs to be locked up
  - Shred paper when no longer needed
  - Document retention policies important

Data Security
- Personal identifiers must be removed if data are taken out of the secure area
- Include only the minimum information necessary to complete the task, and do not include terms easily associated with HIV
- Analysis datasets must be held securely by using protective software
- Security software controls for electronic data include password protections, user identification, etc.

Electronic Data Transfer
- Encryption required for electronic transfer of confidential data (standards defined in the guidelines; 128-bit minimum)
- Ancillary databases must be encrypted when not in use
- Use encryption and SDN for transmitting data to CDC
- Email and faxing of case-specific information is strongly discouraged
- Never email or fax anything considered to be confidential, sensitive, or potentially identifying

Security and Confidentiality Policies
- Policies should be in writing
  - Describe methods for reviewing practices and evolving technologies
  - Name an ORP
  - Define a data release policy
- Policies should define role-based access for surveillance staff
  - Access to confidential data limited to authorized individuals
  - Can include persons inside and outside surveillance unit
  - Can also describe access to limited or restricted datasets

Authorization/Access Controls
Authorized individuals:
- Complete annual security and confidentiality training
- Sign specific confidentiality statements
- Accept individual responsibility for
  - maintaining security and confidentiality
  - challenging those without authorization
  - reporting breaches

Access and Data Sharing with Programs Outside HIV Surveillance
- No specific prohibition
- Access limited to those authorized by ORP based on expressed and justifiable public health need
- Access for non-public health purposes only granted to the extent required by law
- Must certify that the level of security in other programs is equivalent to those outlined in HIV/AIDS Surveillance Security and Confidentiality Guidelines
- Must not compromise or impede surveillance activities
- Must not affect the public perception of confidentiality of the surveillance system

Access and Data Sharing with Programs Outside HIV Surveillance (continued)
- Prior to establishing linkages, programs should define objectives, propose methods, specify the data shared, and compare available strategies
- Develop plans in consultation with community partners, particularly in areas with prior agreements on name-based HIV reporting
- Must be consistent with existing laws and regulations
- Must include ongoing evaluation of approaches and assessment of confidentiality and security practices
- Some proposed uses/analyses may require IRB approval

What is all the talk about?
Has something changed in HIV surveillance’s requirements on sharing data?
- Revised CDC Partner service guidelines promote the value of using HIV case reports to initiate partner services
  - Specify use only when security and confidentiality standards are met
  - Includes standards based on HIV/AIDS Surveillance Security and Confidentiality Guidelines with some modifications
  - Differences in partner services guidelines reflect accommodation for field activities

What is all the talk about?
Has something changed in HIV surveillance’s requirements on sharing data?
- HIV/AIDS Surveillance guidelines have not changed, but additional guidance is needed regarding how programs can approach sharing data
- Older HIV/AIDS surveillance guidance
  - stresses that the primary use for surveillance data is for monitoring trends and not for case management
  - states no requirement for surveillance programs to share individual reports
- Recent CDC efforts to promote integration of HIV, Hepatitis, STD and TB programs

Electronic Data Linkage
- Linkage of surveillance records with other databases semiannually or annually to identify unreported cases and for evaluation is encouraged
- Protocols defining minimum information required, how performed, secure methods used, roles, and intended data use
- Conducted by authorized staff
- Encryption of data using packages meeting Advanced Encryption Standard (AES) when transporting confidential data or when not in use

How can programs facilitate sharing of data?
- Familiarize programs with CDC Security and Confidentiality Guidelines
- Work to bring program security in line with CDC security and confidentiality guidelines
- Collaborate on development of protocols and procedures prior to initiating data sharing
- Seek input from applicable partners in the community and medical and public health providers
- Recognize some solutions may require additional effort and compromise
- Plan and execute a pilot

Conclusion
- Current requirements for HIV/AIDS surveillance are outlined in the Technical Guidance for HIV/AIDS Surveillance Programs Vol. III Security and Confidentiality Guidelines
- Useful as programs consider changes in policies and procedures around data sharing
- Changes in policies and procedures are a collaborative process with shared goal of preserving security and confidentiality and maximizing usefulness of data
- Additional guidance necessary to assist programs in achieving data sharing goals

Additional Confidentiality and Data Release Resources
- CDC/ATSDR Policy on Releasing and Sharing Data
- CDC-ATSDR-CSTE Data Release Guidelines for Re-release of State Data
- UNAIDS guidelines on protecting confidentiality of HIV information: http://data.unaids.org/pub/Manual/2007/confidentiality_security_interim_guidelines_15may2007_en.pdf