Attachment H | Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines | Guidelines | Statistics and Surveillance | Topics

CDC Home > HIV/AIDS > HIV/AIDS Prevention > Topics > Statistics and Surveillance > Guidelines > Technical Guidance for HIV/AIDS Surveillance Programs, Volume III

Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines


	Contributors

	Introduction

	Attachment A

	Attachment B

	Attachment C

	Attachment D

	Attachment E

	Attachment F

	Attachment G

	Attachment H

LEGEND:


		Link to a PDF document

		Link to non-governmental site and does not necessarily represent the views of the CDC

Adobe Acrobat (TM) Reader needs to be installed on your computer in order to read documents in PDF format. Download the Reader.

Attachment H: Security and Confidentiality Program Requirement Checklist

State:_________________ Site:________________

Person completing form__________________ Date:__________

Guiding Principles

Guiding Principle 1 HIV/AIDS surveillance information and data will be maintained in a physically secure environment. Refer to sections Physical Security and Removable and External Storage Devices.

Guiding Principle 2 Electronic HIV/AIDS surveillance data will be held in a technically secure environment, with the number of data repositories and individuals permitted access kept to a minimum. Operational security procedures will be implemented and documented to minimize the number of staff that have access to personal identifiers and to minimize the number of locations where personal identifiers are stored. Refer to sections Policies, Training, Data Security, Access Control, Laptops and Portable Devices, and Removable and External Storage Devices.

Guiding Principle 3 Individual surveillance staff members and persons authorized to access case-specific information will be responsible for protecting confidential HIV/AIDS surveillance information and data. Refer to sections Responsibilities, Training, and Removable and External Storage Devices.

Guiding Principle 4 Security breaches of HIV/AIDS surveillance information or data will be investigated thoroughly, and sanctions imposed as appropriate. Refer to section Security Breaches.

Guiding Principle 5 Security practices and written policies will be continuously reviewed, assessed, and as necessary, changed to improve the protection of confidential HIV/AIDS surveillance information and data. Refer to sections Policies and Attachment H.

Requirements

(Initial items as completed)

___ Requirement 1: Policies must be in writing. (GP-2)

___ Requirement 2: A policy must name the individual who is the Overall Responsible Party (ORP) for the security system. (GP-2)

___ Requirement 3: A policy must describe methods for the review of security practices for HIV/AIDS surveillance data. Included in the policy should be a requirement for an ongoing review of evolving technology to ensure that data remain secure. (GP-5)

___ Requirement 4: Access to and uses of surveillance information or data must be defined in a data release policy. (GP-2)

___ Requirement 5: A policy must incorporate provisions to protect against public access to raw data or data tables that include small denominator populations that could be indirectly identifying. (GP-2)

___ Requirement 6: Policies must be readily accessible by any staff having access to confidential surveillance information or data at the central level and, if applicable, at noncentral sites. (GP-2)

___ Requirement 7: A policy must define the roles for all persons who are authorized to access what specific information and, for those staff outside the surveillance unit, what standard procedures or methods will be used when access is determined to be necessary. (GP-2)

___ Requirement 8: All authorized staff must annually sign a confidentiality statement. Newly hired staff must sign a confidentiality statement before access to surveillance data is authorized. The new employee or newly authorized staff must show the signed confidentiality statement to the grantor of passwords and keys before passwords and keys are assigned. This statement must indicate that the employee understands and agrees that surveillance information or data will not be released to any individual not granted access by the ORP. The original statement must be held in the employee's personnel file and a copy given to the employee. (GP-2)

___ Requirement 9: A policy must outline procedures for handling incoming mail to and outgoing mail from the surveillance unit. The amount and sensitivity of information contained in any one piece of mail must be kept to a minimum. (GP-2)

___ Requirement 10: In compliance with CDC's cooperative agreement requirement, the ORP must certify annually that all program requirements are met. (GP-2)

___ Requirement 11: Each member of the surveillance staff and all persons described in this document who are authorized to access case-specific information must be knowledgeable about the organization's information security policies and procedures. (GP-3)

___ Requirement 12: All staff who are authorized to access surveillance data must be responsible for challenging those who are not authorized to access surveillance data. (GP-3)

___ Requirement 13: All staff who are authorized to access surveillance data must be individually responsible for protecting their own workstation, laptop, or other devices associated with confidential surveillance information or data. This responsibility includes protecting keys, passwords, and codes that would allow access to confidential information or data. Staff must take care not to infect surveillance software with computer viruses and not to damage hardware through exposure to extreme heat or cold. (GP-3)

___ Requirement 14: Every individual with access to surveillance data must attend security training annually. The date of training must be documented in the employee's personnel file. IT staff and contractors who require access to data must undergo the same training as surveillance staff and sign the same agreements. This requirement applies to any staff with access to servers, workstations, backup devices, etc. (GP-3)

___ Requirement 15: All physical locations containing electronic or paper copies of surveillance data must be enclosed inside a locked, secured area with limited access. Workspace for individuals with access to surveillance information must also be within a secure locked area. (GP-1)

___ Requirement 16: Paper copies of surveillance information containing identifying information must be housed inside locked filed cabinets that are inside a locked room. (GP-1)

___ Requirement 17: Each member of the surveillance staff must shred documents containing confidential information before disposing of them. Shredders should be of commercial quality with a crosscutting feature. (GP-3)

___ Requirement 18: Rooms containing surveillance data must not be easily accessible by window. (GP-1)

___ Requirement 19: Surveillance information must have personal identifiers removed (an analysis dataset) if taken out of the secured area or accessed from an unsecured area. (GP-1)

___ Requirement 20: An analysis dataset must be held securely by using protective software (i.e., software that controls the storage, removal, and use of the data). (GP-1)

___ Requirement 21: Data transfers and methods for data collection must be approved by the ORP and incorporate the use of access controls. Confidential surveillance data or information must be encrypted before electronic transfer. Ancillary databases or other electronic files used by surveillance also need to be encrypted when not in use. (GP-1)

___ Requirement 22: When case-specific information is electronically transmitted, any transmission that does not incorporate the use of an encryption package meeting the Advanced Encryption Standard (AES) encryption standards and approved by the ORP must not contain identifying information or use terms easily associated with HIV/AIDS. The terms HIV or AIDS, or specific behavioral information must not appear anywhere in the context of the communication, including the sender and/or recipient address and label. (GP-2)

___ Requirement 23: When identifying information is taken from secured areas and included on line lists or supporting notes, in either electronic or hard copy format, these documents must contain only the minimum amount of information necessary for completing a given task and, where possible, must be coded to disguise any information that could easily be associated with HIV or AIDS. (GP-1)

___ Requirement 24: Surveillance information with personal identifiers must not be taken to private residences unless specific documented permission is received from the surveillance coordinator. (GP-1)

___ Requirement 25: Prior approval must be obtained from the surveillance coordinator when planned business travel precludes the return of surveillance information with personal identifiers to the secured area by the close of business on the same day. (GP-1)

___ Requirement 26: Access to any surveillance information containing names for research purposes (that is, for other than routine surveillance purposes) must be contingent on a demonstrated need for the names, an Institutional Review Board (IRB) approval, and the signing of a confidentiality statement regarding rules of access and final disposition of the information. Access to surveillance data or information without names for research purposes beyond routine surveillance may still require IRB approval depending on the numbers and types of variables requested in accordance with local data release policies. (GP-1)

___ Requirement 27: Access to any secured areas that either contain surveillance data or can be used to access surveillance data by unauthorized individuals can only be granted during times when authorized surveillance or IT personnel are available for escort or under conditions where the data are protected by security measures specified in a written policy and approved by the ORP. (GP-1)

___ Requirement 28: Access to confidential surveillance information and data by personnel outside the surveillance unit must be limited to those authorized based on an expressed and justifiable public health need, must not compromise or impede surveillance activities, must not affect the public perception of confidentiality of the surveillance system, and must be approved by the ORP. (GP-1)

___ Requirement 29: Access to surveillance information with identifiers by those who maintain other disease data stores must be limited to those for whom the ORP has weighed the benefits and risks of allowing access and can certify that the level of security established is equivalent to the standards described in this document. (GP-2)

___ Requirement 30: Access to surveillance information or data for nonpublic health purposes, such as litigation, discovery, or court order, must be granted only to the extent required by law. (GP-2)

___ Requirement 31: All staff who are authorized to access surveillance data must be responsible for reporting suspected security breaches. Training of nonsurveillance staff must also include this directive. (GP-3)

___ Requirement 32: A breach of confidentiality must be immediately investigated to assess causes and implement remedies. (GP-4)

___ Requirement 33: A breach that results in the release of private information about one or more individuals (breach of confidentiality) should be reported immediately to the Team Leader of the Reporting, Analysis, and Evaluation Team, HIV Incidence and Case Surveillance Branch, DHAP, NCHSTP, CDC. CDC may be able to assist the surveillance unit dealing with the breach. In consultation with appropriate legal counsel, surveillance staff should determine whether a breach warrants reporting to law enforcement agencies. (GP-4)

___ Requirement 34: Laptops and other portable devices (e.g., personal digital assistants [PDAs], other handheld devices, and tablet personal computers [PCs]) that receive or store surveillance information with personal identifiers must incorporate the use of encryption software. Surveillance information with identifiers must be encrypted and stored on an external storage device or on the laptop's removable hard drive. The external storage device or hard drive containing the data must be separated from the laptop and held securely when not in use. The decryption key must not be on the laptop. Other portable devices without removable or external storage components must employ the use of encryption software that meets federal standards. (GP-1)

___ Requirement 35: All removable or external storage devices containing surveillance information that contains personal identifiers must:

(1) include only the minimum amount of information necessary to accomplish assigned tasks as determined by the surveillance coordinator,

(2) be encrypted or stored under lock and key when not in use, and

(3) with the exception of devices used for backups, devices should be sanitized immediately following a given task. Before any device containing sensitive data is taken out of the secured area, the data must be encrypted. Methods for sanitizing a storage device must ensure that the data cannot be retrievable using Undelete or other data retrieval software. Hard disks that contained identifying information must be sanitized or destroyed before computers are labeled as excess or surplus, reassigned to nonsurveillance staff, or before they are sent off-site for repair. (GP-1)

Last Modified: February 16, 2006
Last Reviewed: February 16, 2006
Content Source:
Divisions of HIV/AIDS Prevention
National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention


	Printer-Friendly Version




	What's New?


	HIV/AIDS A-Z Index


	VIH/SIDA en español


	CDC Responds to HIV/AIDS


	HIV/AIDS E-Publications


	Get E-mail Updates


	Order Free HIV/AIDS Publications

	RSS\| RSS Help


	Media


	Conferences and Trainings


	Key Resources


	Site Map

Home

Policies and Regulations

Disclaimer

e-Government

FOIA

Centers for Disease Control and Prevention, 1600 Clifton Rd, Atlanta, GA 30333, USA
800-CDC-INFO (800-232-4636) TTY: (888) 232-6348, 24 Hours/Every Day - cdcinfo@cdc.gov

Department of Health
and Human Services