Introduction to the Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs CSTE.

Presentation transcript:

Introduction to the Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs
CSTE Webinar
April 10, 2012
Patricia Sweeney, MPH
HIV Incidence and Case Surveillance Branch
Centers for Disease Control and Prevention
National Center for HIV, Viral Hepatitis, STD & TB Prevention
Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action

Development of CDC Guidance and Program Standards for Security and Confidentiality
In 1998, CDC established specific security and confidentiality guidelines for HIV surveillance programs in state and local health departments.
In 2006, HIV surveillance guidelines were updated to better conform to new and evolving technology.
In 2008, CDC published recommendations for programs providing partner services for HIV and STDs that included standards for record keeping, data collection, management, and security.
In 2011, CDC published Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs.

Need
Varied protections across programs and jurisdictions
Lack of uniform security protections cited as a barrier to sharing data
Increased need for accurate and timely data to respond to the National HIV/AIDS Strategy
Identified as Program Collaboration and Service Integration (PCSI) priority area

2011 NCHHSTP Data Security and Confidentiality Guidelines
Establishes standards to ensure appropriate collection, storage, sharing, and use of data across surveillance and program areas for NCHHSTP
Replaces previous guidelines for HIV surveillance programs and establishes standards for Viral Hepatitis, STD and TB programs
Implementation of common standards across programs will allow for increased use of HIV surveillance data for public health action
Guidelines.pdf

Scope
Applicable to CDC-NCHHSTP funded programs and their contractors.
Programs required to develop and maintain written policies and standard operating procedures.
To facilitate data sharing, the guidelines cover both use of identifiable and non-identifiable surveillance data.
Programs will certify annually to meet these standards.

NCHHSTP Data Security and Confidentiality Guidelines Content
10 Guiding Principles
Standards
– Program Policies and Responsibilities
– Data Collection and Use
– Data Sharing and Release
– Physical Security
– Electronic Data Security
Conducting Initial and Periodic Assessments
Outline for Data Sharing Plans
Appendices
– Fax
– Non-traditional work settings
– Partner Services
– Certification materials

Ten Guiding Principles for the Collection, Storage, Use, and Sharing of Data
1. Collect, share, and use data for legitimate public health purposes.
2. Collect, share, and use the minimum amount of identifiable information necessary.
3. Establish policies that protect the privacy and security of personally identifiable data.
4. Policies should reflect respect for the rights of individuals and community groups and minimize undue burden.
5. Establish policies and procedures to ensure data quality.

Ten Guiding Principles (continued)
6. Disseminate summary data to relevant stakeholders in a timely manner.
7. Programs should share data for legitimate public health purposes and may use data use agreements to facilitate sharing data.
8. Ensure that public health data are maintained in a secure environment and transmitted through secure methods.
9. Minimize the number of individuals and entities granted access to identifiable data.
10. Provide active, responsible stewardship of public health data.

Initial Assessments
A baseline review of current policies and procedures to identify gaps and barriers.
Steps:
– Identify key individuals and designate an Overall Responsible Party (ORP).
– Review current security related materials and relevant laws and regulations.
– Identify policies or procedures that are barriers to information sharing or sources of data security weaknesses.
– Consult standard operating procedures (SOPs) from other programs.
– Review history of data security breaches or near-breaches and lessons learned.
– Assess physical security and define the secure area.
– Assess electronic security, protections, and methods of data transfer and storage.
– Address factors related to security of information in non-traditional work environments including teleworking, field work, and remote work.
– Assess current training needs.

Guidelines for Use of Fax
1. Faxing of identifiable information is allowed but should be avoided if possible.
2. Limit the amount of sensitive and confidential data as much as possible.
3. Establish fax policy and procedures based on federal regulations, state laws and consultation with legal counsel.
4. Take appropriate steps to ensure fax transmission is sent to the appropriate destination. Place faxes in secure areas.
5. Provide education and training to all staff on the agency’s fax policies and procedures. This includes private providers and laboratories.
6. Require all faxes be sent with a cover sheet containing sender and recipient names, contact information, and a confidentiality disclaimer, along with instructions if the fax is received in error.
7. Fax transmission failures should be checked in the internal log of the facsimile machine to obtain the number to which the fax was sent.
8. Locate fax machines in secure areas.
9. SOPs should indicate how the information received is maintained and how the original paper fax is destroyed.

Guidelines for Nontraditional Work Settings
Telework
– Work space with limited access in a private area.
– Should not have hard-copy storage of client data.
– Space should be configured to allow confidential conversations.
– Electronic data security restrictions required when dealing with PII.
– Encryption software equal to software used in the regular workplace.
– Must have a secure Wi-Fi connection.
Field Work
– Establish a plan for migration from paper to electronic data meeting standards set.
– Establish provisions for phones, PDAs, tablets and workbooks that take client data to the field and allow for real-time updates.
– Establish accountability policy to ensure staff comply while in the field.
Remote work
– Ensure the work site is made as secure as possible in terms of physical plant, electronic, and procedural security.

Data Sharing Plans
Serves as a starting point for discussion of data sharing and may serve as a discussion for a formal agreement.
Plans should include the following:
– Objective of the data sharing.
– The minimum data elements necessary to achieve the objective, including whether identifiable data will be needed.
– How data is to be transported.
– Discuss the potential risks and benefits of data sharing.
– Steps to ensure security and confidentiality of shared data.
– Physical and electronic security measures to be taken when data are transferred and received.
– Descriptions of how shared data will be used, analyzed, published, released, retained or destroyed.

Certification Process
Programs should certify standards annually by providing a statement that includes:
– Identifying the overall responsible party (ORP).
– Attesting to adherence to data security standards.
– Citing specific procedures and policies used to document adherence to the standards.
Standards not met should be documented and plans to address these standards should be outlined.
Programs should work collaboratively with CDC to address any problem areas.

Frequently Asked Questions
Will there be additional funding?
– CDC is committed to assisting programs in meeting the standards through TA and funding to the extent possible. $2M in supplemental funding was already made available in 2011 through HIV Surveillance. Additional supplement now available – application deadline April 23,
Does everyone need to comply with the standards? Do the guidelines apply to prevention funded activities?
– Yes and yes. All programs funded by NCHHSTP will be required to implement these guidelines for personally identifiable or potentially personally identifiable information and this will be incorporated into core funding announcements. Surveillance programs, prevention programs, and programs that they share data with are within the scope of the guidelines.
Do programs need to have a separate secure room?
– No, each program does not necessarily need to have a separate secure room, but they do need to house data in a secure physical area with limited access. Some areas may have a secure section of a floor or an entire floor. Guidance for conducting the initial assessment will help you enhance your current space if needed.
Is faxing allowed?
– Yes. However, faxing of PII is discouraged. If you must fax, guidance is provided on ways you can minimize risk.
Do we have to develop data sharing agreements?
– Not necessarily, but they may be useful. Programs may decide to have an agreement based on the activity and programs involved.
Where can I get a copy of the guidelines?
– Download a copy from the NCHHSTP website under PCSI
– Other implementation tools will be added. Post questions to