Published by Virginia Long. Modified over 6 years ago.
1
Security and Confidentiality Guidelines for HIV/AIDS Surveillance
2008 STD Prevention Conference
March 13, 2008
Chicago, Illinois
Patricia Sweeney, MPH
HIV Incidence and Case Surveillance Branch
Division of HIV/AIDS Prevention
Centers for Disease Control and Prevention
2
Objectives
- Provide an overview of guiding principles and program requirements in the Technical Guidance for HIV/AIDS Surveillance Programs Volume III: Security and Confidentiality Guidelines
- Highlight select best practice procedures for access and physical security, electronic transfer, and data sharing to ensure security and confidentiality
- Discuss potential issues and barriers that exist for the sharing of HIV surveillance data
- Discuss ways to facilitate data sharing

For longer training, will go into more detail, but just touch on some of these issues today. Historical documents, as well as these are in br_sb drive, as well as in m:\share drive, under Confidentiality and data release related documents. Also, the entire packet is also available there. BETSEY’s
3
Background
- HIV/AIDS surveillance has a long history concerning confidentiality issues
- First assurance of confidentiality obtained in 1984
- Consideration of a broad range of issues has resulted in development of comprehensive confidentiality and security policies and procedures both for state surveillance programs and at CDC
- Guidelines for security and confidentiality for HIV/AIDS surveillance (Appendix C.) formalized in 1998, revised Technical Guidance January 2006
4
Context for Confidentiality Protections for Public Health Data
- Legal protections exist at various levels
  - Federal
    - Assurance of confidentiality
  - State and local levels
    - Statutes, regulations, and case law
- Additional policies, procedures and guidelines for confidentiality and security
  - HHS/CDC Guidelines
  - ORP Certification
  - State and local security, confidentiality and data release policies
5
HIV/AIDS Surveillance Security and Confidentiality Guidelines
- Describes program requirements, security recommendations/considerations and best practices
- Intended for local, state, staff and contractors funded to perform HIV/AIDS surveillance activities and all sites where the HIV/AIDS reporting system (HARS or eHARS) is maintained
- Includes guidance on policy development, responsibilities, training, physical security, and data security
- Available on the CDC website: resources/guidelines/index.htm
6
HIV/AIDS Surveillance Security and Confidentiality Guidelines
5 Guiding Principles
- HIV/AIDS data will be maintained in a physically secure environment
- Electronic data will be held in technically secure environment with minimum access
- Staff with authorized access will be responsible for protecting confidential data
- Security breaches will be investigated thoroughly with sanctions when appropriate
- Security practices and written policies will be continuously reviewed and changed to improve protections
7
35 Program Requirements
- Mandatory
- Certified annually by the Overall Responsible Party (ORP) for each cooperative agreement grantee
- State minimum standard that all staff with access to confidential data must achieve
- Do not stipulate penalties, as they are the responsibility and within the purview of the ORP
8
Physical Security
Stresses personal responsibility
- All physical locations containing electronic or paper copies of surveillance data must be enclosed inside a locked, secured area with limited access [not only the paper/electronic registry]
- Workspace for individuals with access to surveillance information must be within a secure locked area/screens protected from view
- Paper copies limited and secured
  - Any notes with identifiers, or potential identifiers, need to be locked in a file cabinet in a locked room
  - Any output that could breach confidentiality (small cells, etc.) needs to be locked up
  - Shred paper when no longer needed
- Document retention policies important
9
Data Security
- Personal identifiers must be removed if data taken out of secure area
- Only minimum information necessary to complete the task and not include terms easily associated with HIV
- Analysis datasets must be held securely by using protective software
- Security software controls for electronic data include password protections, user identification etc.
10
Electronic Data Transfer
- Encryption required for electronic transfer of confidential data (standards defined in the guidelines (128 bit minimum))
- Ancillary databases must be encrypted when not in use
- Use encryption and SDN for transmitting data to CDC
- and Faxing of case-specific information is strongly discouraged
- Never or FAX anything considered to be confidential, sensitive, or potentially identifying
11
Security and Confidentiality Policies
- Policies should be in writing
  - Describe methods for reviewing practices and evolving technologies
  - Name an ORP
  - Define a data release policy
- Policies should define role based access for surveillance staff
  - Access to confidential data limited to authorized individuals
  - Can include persons inside and outside surveillance unit
  - Can also describe access to limited or restricted datasets
12
Authorization/Access Controls
Authorized individuals
- Complete annual security and confidentiality training
- Sign specific confidentiality statements
- Accept individual responsibility for
  - maintaining security and confidentiality
  - challenging those without authorization
  - reporting breaches
13
Access and Data Sharing with Programs Outside HIV Surveillance
- No specific prohibition
- Access limited to those authorized by ORP based on expressed and justifiable public health need
- Access for non-public health purposes only granted to the extent required by law
- Must certify that the level of security in other programs is equivalent to those outlined in HIV/AIDS Surveillance Security and Confidentiality Guidelines
- Must not compromise or impede surveillance activities
- Must not affect the public perception of confidentiality of the surveillance system
14
Access and Data Sharing with Programs Outside HIV Surveillance (continued)
- Prior to establishing linkages programs should define objectives, propose methods, specify the data shared, and compare available strategies
- Develop plans in consultation with community partners, particularly in areas with prior agreements on name-based HIV reporting
- Must be consistent with existing laws and regulations
- Must include ongoing evaluation of approaches and assessment of confidentiality and security practices
- Some proposed uses/analyses may require IRB approval
15
What is all the talk about? Has something changed in HIV surveillance’s requirements on sharing data?
- Revised CDC Partner service guidelines promote the value of using HIV case reports to initiate partner services
- Specify use only when security and confidentiality standards are met
- Includes standards based on HIV/AIDS Surveillance Security and Confidentiality Guidelines with some modifications
- Differences in partner services guidelines reflect accommodation for field activities
16
What is all the talk about? Has something changed in HIV surveillance’s requirements on sharing data?
- HIV/AIDS Surveillance guidelines have not changed but additional guidance needed regarding how programs can approach sharing data
- Older HIV/AIDS surveillance guidance
  - stresses the primary use for surveillance data is for monitoring trends and not for case management
  - states no requirement for surveillance programs to share individual reports
- Recent CDC efforts to promote integration of HIV, Hepatitis, STD and TB programs
17
Electronic Data Linkage
- Linkage of surveillance records with other databases semiannually or annually to identify unreported cases and for evaluation is encouraged
- Protocols defining minimum information required, how performed, secure methods used, roles, and intended data use
- Conducted by authorized staff
- Encryption of data using packages meeting Advanced Encryption Standard (AES) when transporting confidential data or when not in use
18
How can programs facilitate sharing of data?
- Familiarize programs with CDC Security and Confidentiality Guidelines
- Work to bring program security in line with CDC security and confidentiality guidelines
- Collaborate on development of protocols and procedures prior to initiating data sharing
- Seek input from applicable partners in the community and medical and public health providers
- Recognize some solutions may require additional effort and compromise
- Plan and execute a pilot
19
Conclusion
- Current requirements for HIV/AIDS surveillance are outlined in the Technical Guidance for HIV/AIDS Surveillance Programs Vol. III Security and Confidentiality Guidelines
- Useful as programs consider changes in policies and procedures around data sharing
- Changes in policies and procedures are a collaborative process with shared goal of preserving security and confidentiality and maximizing usefulness of data
- Additional guidance necessary to assist programs in achieving data sharing goals
20
Additional Confidentiality and Data Release Resources
- CDC/ATSDR Policy on Releasing and Sharing Data
- CDC-ATSDR-CSTE Data Release Guidelines for Re-release of State Data
- UNAIDS guidelines on protecting confidentiality of HIV information