200 likes | 209 Views
This presentation provides an overview of guiding principles and program requirements in the Technical Guidance for HIV/AIDS Surveillance Programs Volume III: Security and Confidentiality Guidelines. It highlights best practice procedures for access and physical security, electronic transfer, and data sharing to ensure security and confidentiality. The potential issues and barriers for sharing HIV surveillance data are also discussed, along with ways to facilitate data sharing.
E N D
Security and Confidentiality Guidelines for HIV/AIDS Surveillance 2008 STD Prevention Conference March 13, 2008 Chicago, Illinois Patricia Sweeney, MPH HIV Incidence and Case Surveillance Branch Division of HIV/AIDS Prevention Centers for Disease Control and Prevention
Objectives • Provide an overview of guiding principles and program requirements in the Technical Guidance for HIV/AIDS Surveillance Programs Volume III: Security and Confidentiality Guidelines • Highlight select best practice procedures for access and physical security, electronic transfer, and data sharing to ensure security and confidentiality • Discuss potential issues and barriers that exist for the sharing of HIV surveillance data • Discuss ways to facilitate data sharing
Background • HIV/AIDS surveillance has a long history concerning confidentiality issues • First assurance of confidentiality obtained in 1984 • Consideration of a broad range of issues have resulted in development of comprehensive confidentiality and security policies and procedures both for state surveillance programs and at CDC • Guidelines for security and confidentiality for HIV/AIDS surveillance (Appendix C.) formalized in 1998, revised Technical Guidance January 2006
Context for Confidentiality Protections for Public Health Data • Legal protections exist at various levels • Federal • Assurance of confidentiality • State and local levels • Statutes, regulations, and case law • Additional policies, procedures and guidelines for confidentiality and security • HHS/CDC Guidelines • ORP Certification • State and local security, confidentiality and data release policies
HIV/AIDS SurveillanceSecurity and Confidentiality Guidelines • Describes program requirements, security recommendations/considerations and best practices • Intended for local, state, staff and contractors funded to perform HIV/AIDS surveillance activities and all sites where the HIV/AIDS reporting system (HARS or eHARS) is maintained • Includes guidance on policy development, responsibilities, training, physical security, and data security • Available on the CDC website: http://www.cdc.gov/hiv/topics/surveillance/ resources/guidelines/index.htm
HIV/AIDS Surveillance Security and Confidentiality Guidelines 5 Guiding Principles • HIV/AIDS data will be maintained in a physically secure environment • Electronic data will be held in technically secure environment with minimum access • Staff with authorized access will be responsible for protecting confidential data • Security breaches will be investigated thoroughly with sanctions when appropriate • Security practices and written policies will be continuously reviewed and changed to improve protections
35 Program Requirements • Mandatory • Certified annually by the Overall Responsible Party (ORP) for each cooperative agreement grantee • State minimum standard that all staff with access to confidential data must achieve • Do not stipulate penalties, as they are the responsibility and within the purview of the ORP
Physical Security • Stresses personal responsibility • All physical locations containing electronic or paper copies of surveillance data must be enclosed inside a locked, secured area with limited access [not only the paper/electronic registry] • Workspace for individuals with access to surveillance information must be within a secure locked area/screens protected from view • Paper copies limited and secured • Any notes with identifiers--or potential identifiers--need to be locked in a file cabinet in a locked room • Any output that could breach confidentiality (small cells, etc.) needs to be locked up • Shred paper when no longer needed • Document retention policies important
Data Security • Personal identifiers must be removed if data taken out of secure area • Only minimum information necessary to complete the task and not include terms easily associated with HIV • Analysis datasets must be held securely by using protective software • Security software controls for electronic data include password protections, user identification etc.
Electronic Data Transfer • Encryption required for electronic transfer of confidential data (standards defined in the guidelines (128 bit minimum )) • Ancillary databases must be encrypted when not in use • Use encryption and SDN for transmitting data to CDC • Email and Faxing of case-specific information is strongly discouraged • Never email or FAX anything considered to be confidential, sensitive, or potentially identifying
Security and Confidentiality Policies • Policies should be in writing • Describe methods for reviewing practices and evolving technologies • Name an ORP • Define a data release policy • Policies should define role based access for surveillance staff • Access to confidential data limited to authorized individuals • Can include persons inside and outside surveillance unit • Can also describe access to limited or restricted datasets
Authorization/Access Controls • Authorized individuals • Complete annual security and confidentiality training • Sign specific confidentiality statements • Accept individual responsibility for • maintaining security and confidentiality • challenging those without authorization • reporting breaches
Access and Data Sharing with Programs Outside HIV Surveillance • No specific prohibition • Access limited to those authorized by ORP based on expressed and justifiable public health need • Access for non-public health purposes only granted to the extent required by law • Must certify that the level of security in other programs is equivalent to those outlined in HIV/AIDS Surveillance Security and Confidentiality Guidelines • Must not compromise or impede surveillance activities • Must not affect the public perception of confidentiality of the surveillance system
Access and Data Sharing with Programs Outside HIV Surveillance (continued) • Prior to establishing linkages programs should define objectives, propose methods, specify the data shared, and compare available strategies • Develop plans in consultation with community partners, particularly in areas with prior agreements on name-based HIV reporting • Must be consistent with existing laws and regulations • Must include ongoing evaluation of approaches and assessment of confidentiality and security practices • Some proposed uses/analyses may require IRB approval
What is all the talk about?Has something changed in HIV surveillance’s requirements on sharing data? • Revised CDC Partner service guidelines promote the value of using of HIV case reports to initiate partner services • Specify use only when security and confidentiality standards are met • Includes standards based on HIV/AIDS Surveillance Security and Confidentiality Guidelines with some modifications • Differences in partner services guidelines reflect accommodation for field activities
What is all the talk about?Has something changed in HIV surveillance’s requirements on sharing data? • HIV/AIDS Surveillance guidelines have not changed but additional guidance needed regarding how programs can approach sharing data • Older HIV/AIDS surveillance guidance • stresses the primary use for surveillance data is for monitoring trends and not for case management • states no requirement for surveillance programs to share individual reports • Recent CDC efforts to promote integration of HIV Hepatitis, STD and TB programs
Electronic Data Linkage • Linkage of surveillance records with other databases semiannually or annually to identify unreported cases and for evaluation is encouraged • Protocols defining minimum information required, how performed, secure methods used, roles, and intended data use • Conducted by authorized staff • Encryption of data using packages meeting Advanced Encryption Standard (AES) when transporting confidential data or when not in use
How can programs facilitate sharing of data? • Familiarize programs with CDC Security and Confidentiality Guidelines • Work to bring program security in line with CDC security and confidentiality guidelines • Collaborate on development of protocols and procedures prior to initiating data sharing • Seek input from applicable partners in the community and medical and public health providers • Recognize some solutions may require additional effort and compromise • Plan and execute a pilot
Conclusion • Current requirements for HIV/AIDS surveillance are outlined in the Technical Guidance for HIV/AIDS Surveillance Programs Vol.III Security and Confidentiality Guidelines • Useful as programs consider changes in policies and procedures around data sharing • Changes in policies and procedures are a collaborative process with shared goal of preserving security and confidentiality and maximizing usefulness of data • Additional guidance necessary to assist programs in achieving data sharing goals
Additional Confidentiality and Data Release Resources • CDC/ATSDR Policy on Releasing and Sharing Data • CDC-ATSDR-CSTE Data Release Guidelines for Re-release of State Data • UNAIDS guidelines on protecting confidentiality of HIV information http://data.unaids.org/pub/Manual/2007/confidentiality_security_interim_guidelines_15may2007_en.pdf