Security Breaches | Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines | Guidelines | Statistics and Surveillance | Topics

CDC Home > HIV/AIDS > HIV/AIDS Prevention > Topics > Statistics and Surveillance > Guidelines > Technical Guidance for HIV/AIDS Surveillance Programs, Volume III

Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines


	Contributors

	Introduction

	Attachment A

	Attachment B

	Attachment C

	Attachment D

	Attachment E

	Attachment F

	Attachment G

	Attachment H

LEGEND:


		Link to a PDF document

		Link to non-governmental site and does not necessarily represent the views of the CDC

Adobe Acrobat (TM) Reader needs to be installed on your computer in order to read documents in PDF format. Download the Reader.

Security Breaches

Requirement 31 All staff who are authorized to access surveillance data must be responsible for reporting suspected security breaches. Training of nonsurveillance staff must also include this directive. (GP-3)

Requirement 32 A breach of confidentiality must be immediately investigated to assess causes and implement remedies. (GP-4)

Requirement 33 A breach that results in the release of private information about one or more individuals (breach of confidentiality) should be reported immediately to the Team Leader of the Reporting, Analysis, and Evaluation Team, HIV Incidence and Case Surveillance Branch, DHAP, NCHSTP, CDC. CDC may be able to assist the surveillance unit dealing with the breach. In consultation with appropriate legal counsel, surveillance staff should determine whether a breach warrants reporting to law enforcement agencies. (GP-4)

A breach may be attempted, in progress, done without negative outcome, or done with negative outcome. Attention should be paid to identifying a breach, responding to it, repairing damage, learning from the event, and if necessary revising or enhancing policies and procedures, revising or instituting training, or enhancing physical or operational security.

By keeping a log of breaches and lessons learned from investigating them, the surveillance unit will be able to detect patterns of breaches, track compliance, and incorporate improvements to the security system.

After a breach has been detected, surveillance employees should notify their supervisor who may, depending on the severity of the breach, notify the ORP. Not all security breaches should be reported to CDC. Breaches that do not result in the unauthorized release of private information may be handled at the local/state health department level. However, CDC should be notified of all breaches of confidentiality (i.e., those breaches that result in the unauthorized disclosure of private information with or without harm to one or more individuals). If notified promptly, CDC may be able to provide assistance in responding to the breach in time to avert additional complications both in the state where the breach occurred and in other states. Notification also will allow CDC and the state to give consistent messages when contacted by the media.

Last Modified: February 16, 2006
Last Reviewed: February 16, 2006
Content Source:
Divisions of HIV/AIDS Prevention
National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention


	Printer-Friendly Version




	What's New?


	HIV/AIDS A-Z Index


	VIH/SIDA en español


	CDC Responds to HIV/AIDS


	HIV/AIDS E-Publications


	Get E-mail Updates


	Order Free HIV/AIDS Publications

	RSS\| RSS Help


	Media


	Conferences and Trainings


	Key Resources


	Site Map

Home

Policies and Regulations

Disclaimer

e-Government

FOIA

Centers for Disease Control and Prevention, 1600 Clifton Rd, Atlanta, GA 30333, USA
800-CDC-INFO (800-232-4636) TTY: (888) 232-6348, 24 Hours/Every Day - cdcinfo@cdc.gov

Department of Health
and Human Services