Responsibilities | Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines | Guidelines | Statistics and Surveillance | Topics

CDC Home > HIV/AIDS > HIV/AIDS Prevention > Topics > Statistics and Surveillance > Guidelines > Technical Guidance for HIV/AIDS Surveillance Programs, Volume III

Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines


	Contributors

	Introduction

	Attachment A

	Attachment B

	Attachment C

	Attachment D

	Attachment E

	Attachment F

	Attachment G

	Attachment H

LEGEND:


		Link to a PDF document

		Link to non-governmental site and does not necessarily represent the views of the CDC

Adobe Acrobat (TM) Reader needs to be installed on your computer in order to read documents in PDF format. Download the Reader.

Responsibilities

Requirement 10 In compliance with CDC's cooperative agreement requirement, the ORP must certify annually that all program requirements are met. (GP-2)

Requirement 11 Each member of the surveillance staff and all persons described in this document who are authorized to access case-specific information must be knowledgeable about the organization's information security policies and procedures. (GP-3)

Requirement 12 All staff who are authorized to access surveillance data must be responsible for challenging those who are not authorized to access surveillance data. (GP-3)

Many programs consider the area of personal responsibility as a potential area of concern because the actions of individuals within a surveillance system are much more difficult to proscribe than operational practices. This area represents one of the most important aspects of holding data in a secure and confidential fashion, but the development of objective criteria for assessing the degree of personal responsibility in individual staff members may be difficult.

The program requirements in this area may be evaluated objectively by using a series of questions supervisors pose during the annual review of security measures with staff. Input from staff can be obtained through such questions as these:

How often do you find the need to reference local or CDC security policies or standards?
Do you know who (by job position or name) should have access to the secure surveillance area? How would you approach someone who was entering the secured room whom you believe was not authorized access? Have you had any occasion to challenge such a person?
To whom should security irregularities be reported? What are some examples of what would constitute an irregularity? What irregularities would not need to be reported, if any?
Who else needs access to your computer for any reason? For example, do family members or other staff members ever need to use your workstation? Do you ever need to lend your key to a secured area to another member of the health department staff for after-hours access to the building? Who else knows your computer passwords?

Requirement 13 All staff who are authorized to access surveillance data must be individually responsible for protecting their own workstation, laptop, or other devices associated with confidential surveillance information or data. This responsibility includes protecting keys, passwords, and codes that would allow access to confidential information or data. Staff must take care not to infect surveillance software with computer viruses and not to damage hardware through exposure to extreme heat or cold. (GP-3)

Surveillance staff should avoid situations that might allow unauthorized persons to overhear or see confidential surveillance information. For example, staff should never discuss confidential surveillance information in the presence of persons who are not authorized to access the data. Staff working with personal identifiers should have a workspace that does not allow phone conversations to be overheard or paperwork and computer monitors to be observed by unauthorized personnel. Ideally, only staff with similar roles and authorizations would be permitted in a secure, restricted area.

Access the information system (network logon, establish connection),
Activate specific system commands (execute specific programs and procedures; create, view, or modify specific objects, programs, information system parameters). The policy should include provisions for periodic review of access authorizations. Note that CDC's HIV/AIDS Reporting System does not have the ability within the application to establish access times.

The policy could limit access to sensitive data to specified hours and days of the week. It should also state types of access needed, which could be linked to roles defined for those with access. For example, epidemiologists may have access to data across programs that do not include identifiers.

Additionally, the policy should cover restrictions on access to the public Internet or e-mail applications while accessing surveillance information. Accidental transmission of data through either of these systems can be avoided if they are never accessed simultaneously. Similarly, intruders can be stymied in attempts to access information if it is not available while that connection is open.

The policy should establish rules that ensure that group authenticators (administrators, super users, etc.) are used for information system access only when explicitly authorized and in conjunction with other authenticators as appropriate. The policy should express similar rules for individual users to ensure that access to identifiable data is allowed only when explicitly authorized and in conjunction with other authenticators as appropriate. The policy should document the process for assigning authorization and identify those with approval authority. Information technology (IT) authorities granting access must obtain approval from the ORP or designee before adding users, and they should maintain logs documenting authorized users. The ORP or a designee should periodically review user logs.

Requirement 9 A policy must outline procedures for handling incoming mail to and outgoing mail from the surveillance unit. The amount and sensitivity of information contained in any one piece of mail must be kept to a minimum. (GP-2)

The U.S. Mail and other carrier services are commonly used for the movement of paper copies of information. There are many ways that project areas can protect the confidentiality of an HIV-infected individual when using the mail. For example, when surveillance staff and providers are mailing information (e.g., case report forms) to the central office, the policy could require that names and corresponding patient numbers be sent in one envelope, while the remaining information referenced by the corresponding patient number is sent in another envelope. In addition, the terms 'HIV' or 'AIDS' should not necessarily be included in either the mailing address or the return address. Mailing labels or pre-addressed, stamped envelopes may be supplied to field staff and providers to encourage this practice and to ensure the use of the correct mailing address. Whenever confidential information is mailed, double envelopes should be used, with the inside envelope clearly marked as confidential.

Because of the potential number of entries on a given paper copy line list, programs must exercise extreme caution if they find it necessary to mail a paper list. Procedures for mailing lists, including the amount and type of information permitted in any one mailing, must be clearly outlined in the local policy. Two methods that surveillance programs currently employ to minimize risk when using the mail are (1) to generate lists containing names without references to HIV or AIDS or (2) to remove the names from the list and mail them separately from the other sensitive information.

Last Modified: February 16, 2006
Last Reviewed: February 16, 2006
Content Source:
Divisions of HIV/AIDS Prevention
National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention


	Printer-Friendly Version




	What's New?


	HIV/AIDS A-Z Index


	VIH/SIDA en español


	CDC Responds to HIV/AIDS


	HIV/AIDS E-Publications


	Get E-mail Updates


	Order Free HIV/AIDS Publications

	RSS\| RSS Help


	Media


	Conferences and Trainings


	Key Resources


	Site Map

Home

Policies and Regulations

Disclaimer

e-Government

FOIA

Centers for Disease Control and Prevention, 1600 Clifton Rd, Atlanta, GA 30333, USA
800-CDC-INFO (800-232-4636) TTY: (888) 232-6348, 24 Hours/Every Day - cdcinfo@cdc.gov

Department of Health
and Human Services