Security and Confidentiality Practices - Houston Dept. of Health and Human Services Jerald Harms, MPH, CART and Jeff Meyer, MD, MPH HIV/AIDS Surveillance Houston Dept. of Health and Human Services November 1, 2006 The findings and conclusions in this presentation are those of the authors and do not necessarily represent the views of the Centers for Disease Control and Prevention.
Security and Confidentiality A major concern of HIV/AIDS surveillance staff at HDHHS, DSHS, and CDC. Our purpose is to have secure and confidential collection, storage, usage, and transmission of sensitive HIV/AIDS case information.
What has to be Reported to the Health Dept? HIV diagnostic tests AIDS diagnostic tests and opportunistic infections/malignancies Patient name, address, sex, race, disease onset, probable source of infection, other requested related information, and treatment/services referrals
Who has to Report to the Health Dept? Physicians, dentists Chief administrative officers of a hospital, medical facility, penal institution Persons in charge of a blood bank, mobile clinic, clinical laboratory Medical directors of testing and counseling sites, community-based organizations Class B misdemeanor for failure to report
What comes into the Health Dept? Electronic lab reports Hard copies of lab reports, physician/clinic reports, death certificates, HIV medication reports, HIV reports from other surveillance programs – by mail, faxes highly discouraged, no allowed Telephone reports from physicians
What goes out of the Health Dept? De-identified aggregate reports Raw data to DSHS via secure data network using encrypted files. Copies of reports sent by mail to DSHS. DSHS transfers de-identified data to the CDC
What stays in the Health Dept? Paper copies in locked cabinets in locked file room with no windows on 4 th floor of a limited access building. Physical access limited to HIV/AIDS Surveillance personnel. Server in a locked room with no windows on 4 th floor. Computer access limited to HIV/AIDS Surveillance personnel. Can only be accessed on the 4 th floor. No wi-fi access.
Security and Confidentiality Various legal protections exist, for example: –Federal assurance of confidentiality under section 308(d) of the Public Health Service Act –The federal Health Insurance Portability and Accountability Act (HIPAA) of –Texas Health and Safety Code and the Texas Administrative Code
Program Requirements for Security and Confidentiality Mandated by CDC as a condition of funding. Must be certified annually by the Overall Responsible Party (ORP).
Five Guiding Principles 1.Physically secure environment. 2.Maintain electronic data in technically secure environment and minimize staff and locations with access to data and personal identifiers. 3.Individual staff responsibility. 4.Breaches investigated, sanctions imposed 5.Practices and policies updated (quality improvement).
Thoughts to Consider…. Policies and procedures dealing with paper, electronic, or other types of information. Training is critical. Limited access to work area. Paper copies maintained in secure file room. Physically secure building (1st floor window office?).
More Thoughts to Consider…. Program requirements address IT issues, laptops, “other devices”, communications. No such thing as a totally secure fax or transmission. Encrypt files. –Ancillary files with identifiers –Internal data transfers –Electronic line lists
Potential Sources of Risk Viewing, transmitting or moving identified information (electronically, hard copies, fax, cell camera phones). Physical access to secure area. Communications (verbal, electronic, written, , telephones). Lack of training and/or agreements.
Data Release Policy One way street! Provisions to protect against public access to raw data or data tables that include small denominator populations that could be indirectly identifying.
Limit Access Limit the number of people that can access confidential surveillance information.
Training Every individual with access to surveillance data must attend initial security training and be retrained annually. A signed confidentiality statement must be documented in the employee’s personnel file. IT staff and contractors who require access to data must undergo the same training as surveillance staff and sign the same agreements.
Individual Responsibility All staff are individually responsible for protecting data. This responsibility includes protecting keys, passwords, and codes that would allow access to confidential information or data.
Computer monitors should not be observed by unauthorized personnel.
Phone conversations should not be capable of being overheard.
Physical Security All physical locations containing electronic or paper copies of surveillance data must be enclosed inside a locked, secured area with limited access.
Shredding Paper Documents Surveillance staff must shred documents containing confidential information before disposing of them.
Electronic Data Transfers Confidential surveillance data or information must be encrypted before electronic transfer via a secure data network – no transfer. CDC strongly discourages the use of fax or for electronic transfer of data.
Encrypt, encrypt, encrypt!
Going somewhere?
Carrying Data Data carried to and from the field must be in a locked briefcase or in data encrypted computer devices and returned to the office at the end of the day.
Data Access Control Access to raw surveillance data for other than routine surveillance purposes is contingent upon: – Demonstrated need for names – Institutional Review Board (IRB) approval –Signing a confidentiality statement regarding rules of access and final disposition of the information.
Sharing Data with Other Surveillance Programs ORP must weigh benefits and risk of allowing access to data. Security of other program must be equivalent. For example, public health follow-up of HIV cases, TB Control
Laptops, PDAs, & Portable Storage Devices Laptops and other portable devices (e.g., PDAs, tablet personal computers, floppies, thumb drives) that receive or store surveillance information with personal identifiers must incorporate the use of encryption software.
Hard disks, diskettes, and thumb drives that contain identifying information must be cleaned before they are to be used for other purposes or they must be destroyed before disposal.
Security Breaches All staff who are authorized to access surveillance data must be responsible for reporting suspected security breaches. A breach of confidentiality must be immediately investigated to assess causes and implement remedies.