HIV/AIDS surveillance is the joint responsibility of many participants in the health care system. Among the participants are state and local health department surveillance programs; public and private institutions providing clinical, counseling, and laboratory services; individual health care providers; persons at risk for HIV infection; and persons with HIV or AIDS. The ability of state and local surveillance programs to collect, store, use, and transmit sensitive HIV/AIDS case information in a secure and confidential manner is central to the program's acceptability and success. The importance of data security has been a long-established component of these guidelines. Various federal and state statutes, regulations, and case law provide legal protection of HIV/AIDS surveillance information. Among these safeguards are a right to informational privacy under the Fifth and Fourteenth Amendments to the Constitution, and federal assurance of confidentiality (under § 308(d) of the Public Health Service Act and various state and local protections).

The dynamic nature of information technology is a critical consideration in developing security policies and procedures that will be used to meet the requirements and standards described in these guidelines. The HIV/AIDS surveillance system was created before the development of technologies such as laptops, portable external storage devices, and the Internet, all of which can be potential sources for security breaches. Now, all state and local health departments should routinely assess the changing world of computer technology and adjust security policies and procedures to protect against potential new risks. CDC is available to provide technical consultation on technology and security issues.