HIV/AIDS surveillance is the joint responsibility of many participants in the
health care system. Among the participants are state and local health department
surveillance programs; public and private institutions providing clinical,
counseling, and laboratory services; individual health care providers; persons
at risk for HIV infection; and persons with HIV or AIDS. The ability of state
and local surveillance programs to collect, store, use, and transmit sensitive
HIV/AIDS case information in a secure and confidential manner is central to the
program's acceptability and success. Data security has long been a
component of these guidelines. Various federal and state
statutes, regulations, and case law provide legal protection of HIV/AIDS
surveillance information. Among these safeguards are a right to informational
privacy under the Fifth and Fourteenth Amendments to the Constitution, and
federal assurance of confidentiality (under § 308(d) of the Public Health
Service Act and various state and local protections).

The dynamic nature of
information technology is a critical consideration in developing security
policies and procedures that will be used to meet the requirements and standards
described in these guidelines. The HIV/AIDS surveillance system was created
before the development of technologies such as laptops, portable external
storage devices, and the Internet, all of which can be potential sources for
security breaches. Now, all state and local health departments should routinely
assess the changing world of computer technology and adjust security policies
and procedures to protect against potential new risks. CDC is available to
provide technical consultation on technology and security issues.