
Security and Confidentiality Practices - Houston Dept. of Health and Human Services

Jerald Harms, MPH, CART and Jeff Meyer, MD, MPH. HIV/AIDS Surveillance, Houston Dept. of Health and Human Services. November 1, 2006.


Presentation Transcript


  1. Security and Confidentiality Practices - Houston Dept. of Health and Human Services
     Jerald Harms, MPH, CART and Jeff Meyer, MD, MPH
     HIV/AIDS Surveillance, Houston Dept. of Health and Human Services
     November 1, 2006
     The findings and conclusions in this presentation are those of the authors and do not necessarily represent the views of the Centers for Disease Control and Prevention.

  2. Security and Confidentiality
     • A major concern of HIV/AIDS surveillance staff at HDHHS, DSHS, and CDC.
     • Our purpose is to have secure and confidential collection, storage, usage, and transmission of sensitive HIV/AIDS case information.

  3. What has to be Reported to the Health Dept?
     • HIV diagnostic tests
     • AIDS diagnostic tests and opportunistic infections/malignancies
     • Patient name, address, sex, race, disease onset, probable source of infection, other requested related information, and treatment/services referrals

  4. Who has to Report to the Health Dept?
     • Physicians, dentists
     • Chief administrative officers of a hospital, medical facility, penal institution
     • Persons in charge of a blood bank, mobile clinic, clinical laboratory
     • Medical directors of testing and counseling sites, community-based organizations
     • Class B misdemeanor for failure to report

  5. What comes into the Health Dept?
     • Electronic lab reports
     • Hard copies of lab reports, physician/clinic reports, death certificates, HIV medication reports, HIV reports from other surveillance programs – by mail, faxes highly discouraged, no email allowed
     • Telephone reports from physicians

  6. What goes out of the Health Dept?
     • De-identified aggregate reports
     • Raw data to DSHS via secure data network using encrypted files. Copies of reports sent by mail to DSHS.
     • DSHS transfers de-identified data to the CDC

  7. What stays in the Health Dept?
     • Paper copies in locked cabinets in locked file room with no windows on 4th floor of a limited access building. Physical access limited to HIV/AIDS Surveillance personnel.
     • Server in a locked room with no windows on 4th floor. Computer access limited to HIV/AIDS Surveillance personnel. Can only be accessed on the 4th floor. No wi-fi access.

  8. Security and Confidentiality
     • Various legal protections exist, for example:
       • Federal assurance of confidentiality under section 308(d) of the Public Health Service Act
       • The federal Health Insurance Portability and Accountability Act (HIPAA) of 1996.
       • Texas Health and Safety Code and the Texas Administrative Code

  9. Program Requirements for Security and Confidentiality
     • Mandated by CDC as a condition of funding.
     • Must be certified annually by the Overall Responsible Party (ORP).

  10. Five Guiding Principles
     • Physically secure environment.
     • Maintain electronic data in technically secure environment and minimize staff and locations with access to data and personal identifiers.
     • Individual staff responsibility.
     • Breaches investigated, sanctions imposed
     • Practices and policies updated (quality improvement).

  11. Thoughts to Consider….
     • Policies and procedures dealing with paper, electronic, or other types of information.
     • Training is critical.
     • Limited access to work area.
     • Paper copies maintained in secure file room.
     • Physically secure building (1st floor window office?).

  12. More Thoughts to Consider….
     • Program requirements address IT issues, laptops, “other devices”, communications.
     • No such thing as a totally secure fax or email transmission.
     • Encrypt files.
     • Ancillary files with identifiers
     • Internal data transfers
     • Electronic line lists

  13. Potential Sources of Risk
     • Viewing, transmitting or moving identified information (electronically, hard copies, fax, cell camera phones).
     • Physical access to secure area.
     • Communications (verbal, electronic, written, email, telephones).
     • Lack of training and/or agreements.

  14. Data Release Policy
     • One way street!
     • Provisions to protect against public access to raw data or data tables that include small denominator populations that could be indirectly identifying.

  15. Limit Access
     • Limit the number of people that can access confidential surveillance information.

  16. Training
     • Every individual with access to surveillance data must attend initial security training and be retrained annually.
     • A signed confidentiality statement must be documented in the employee’s personnel file.
     • IT staff and contractors who require access to data must undergo the same training as surveillance staff and sign the same agreements.

  17. Individual Responsibility
     • All staff are individually responsible for protecting data.
     • This responsibility includes protecting keys, passwords, and codes that would allow access to confidential information or data.

  18. Computer monitors should not be observed by unauthorized personnel.

  19. Phone conversations should not be capable of being overheard.

  20. Physical Security
     • All physical locations containing electronic or paper copies of surveillance data must be enclosed inside a locked, secured area with limited access.

  21. Shredding Paper Documents
     • Surveillance staff must shred documents containing confidential information before disposing of them.

  22. Electronic Data Transfers
     • Confidential surveillance data or information must be encrypted before electronic transfer via a secure data network – no email transfer.
     • CDC strongly discourages the use of fax or email for electronic transfer of data.

  23. Encrypt, encrypt, encrypt!

  24. Going somewhere?

  25. Carrying Data
     • Data carried to and from the field must be in a locked briefcase or in data encrypted computer devices and returned to the office at the end of the day.

  26. Data Access Control
     • Access to raw surveillance data for other than routine surveillance purposes is contingent upon:
       • Demonstrated need for names
       • Institutional Review Board (IRB) approval
       • Signing a confidentiality statement regarding rules of access and final disposition of the information.

  27. Sharing Data with Other Surveillance Programs
     • ORP must weigh benefits and risk of allowing access to data.
     • Security of other program must be equivalent.
     • For example, public health follow-up of HIV cases, TB Control

  28. Laptops, PDAs, & Portable Storage Devices
     • Laptops and other portable devices (e.g., PDAs, tablet personal computers, floppies, thumb drives) that receive or store surveillance information with personal identifiers must incorporate the use of encryption software.

  29. Hard disks, diskettes, and thumb drives that contain identifying information must be cleaned before they are to be used for other purposes or they must be destroyed before disposal.

  30. Security Breaches
     • All staff who are authorized to access surveillance data must be responsible for reporting suspected security breaches.
     • A breach of confidentiality must be immediately investigated to assess causes and implement remedies.
