Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems Meade Morgan and Xen Santas Informatics Team Surveillance and Infrastructure Development Global AIDS Program, CDC 31 March 2004 WHO,Geneva
Definition of Terms Confidentiality –Assuring that medical information will be used only for appropriate care and treatment of individuals and populations. Security –The protections (policy, physical, and where appropriate, electronic) which assure that no breaches in the confidentiality of medical information will occur.
The Current Situation Local health facilities –Staff responsible for medical care may lack sufficient training in or understanding of the importance of maintaining confidentiality or security of medical records; –Physical protections around records systems may be inadequate or unaffordable Log books are often readily accessible by unauthorized staff Multiple copies of potentially sensitive information exist throughout larger facilities –Cultural norms may not sufficiently discourage inappropriate disclosure of information
The Current Situation National programs –Statistical data abstracted for program monitoring and improvement may contain information that inadvertently identifies individuals. This can be directly, e.g., through disclosure of patient identifiers (name, address, identification numbers such as SSN), or indirectly, by allowing for cross matching with other available data sets which contain identifiers). –Medical data need to be shared across institutions when patients move from one provider to another, but this increases the risk of inappropriate disclosure.
Developing Recommendations Review existing guidelines, models, tools Define specific data/program needs –what’s useful to share across programs, facilities, levels –what degree of detail produces unique identifiers Determine reasonable risk –Likelihood of disclosure –Likelihood of harm from disclosure Balance competing requirements Action steps
Existing Guidelines WHO guidelines? Other diseases (TB?) European standards? –Human Rights Act of 1998 U.S. standards –Public Health Act –HIPAA (1996, Privacy rule published 2003) –Security and Confidentiality Guidelines for HIV/AIDS Surveillance (1998) Numerous electronic security standards (e.g., NIST, Carnegie Mellon) –Need to pick the proper ones, but they do exist –Many commercial solutions for electronic security exist (some at little or no cost)
Health Insurance Portability and Accountability Act Are there relevant lessons from the U.S.? In the U.S., HIPAA mandates strict rules on medical records –(Electronic) information may only be shared with formal patient consent There are two exceptions –Public health needs –Law enforcement/national security
Health Insurance Portability and Accountability Act Organized around 4 overlapping categories: Administrative procedures Physical safeguards Protection for data at rest Protection for data in transit From HIPAA security rule, Health care providers are required to: –“Ensure the confidentiality, integrity, and availability of …health information the … entity creates, receives, maintains, or transmits.” –“Protect against any reasonably anticipated threats…” –“Protect against any reasonably anticipated uses…” –“Ensure compliance … by its workforce”
Excerpts from the U.S. Public Health Service Act, Section 308d (paraphrased) “information in the system that would identify an individual is collected with a guarantee that it will be held in strict confidence.” “information reported for statistical purposes will be sent without identifiers that might either directly or indirectly identify individuals”
U.S. Security and Confidentiality Guidelines for HIV/AIDS Surveillance Consist of 35 requirements programs must meet (via self-certification) as a condition of continued funding Includes various examples of how each requirement is being met by specific programs Group neatly into three categories: –Policy –Physical –Electronic
U.S. Security and Confidentiality Guidelines for HIV/AIDS Surveillance Examples: –Standard operational policies and procedures must be in writing. –I nformation must be accessible only be individuals requiring that information for patient care, reporting, or program management –Information must be kept inside a locked room –Rooms must not be easily accessible by window –Copies of information must be housed inside locked file cabinets –Information must be de-identified if taken out of the secured area for the purpose of data analysis. –Electronic databases must have appropriate security (password protection, encryption, etc.)
Four Models Open Model –Access to all systems is initially available; access to confidential or sensitive information is prohibited on a case-by-case basis Closed Model –Access to all systems is initially prohibited; permission to access information must be granted as requested an authorized Broken Model –Access to all systems is available even though prohibited No Model
Information Needs for Public Health Traditional surveillance Improving program delivery – monitoring and evaluation Resistance monitoring
Striking a Balance Information Must be Accessible to Provide Appropriate Care Information Must be Protected to Prevent Harm to the Patient
Practical Considerations Clear understanding by health workers on what information must be kept confidential –Written policies –Training –Evaluation Clear understanding on security procedures –Written policies –Training –Evaluation
Practical Considerations (continued) Agreements on reporting requirements to the district, provincial, national, and international levels –Current WHO indicators are at the aggregate level only and pose virtually no risk to confidentiality –Systems (paper and electronic) that support sharing of clinical records across sites may pose a risk Includes systems where patients carry paper records electronic databases represent an added risk
Possible Next Steps How critical is the need to develop guidance? Who are are relevant stakeholders? Best methods for building consensus? Time frame? PEPFAR has made funding available to support activity in this area.