Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines
Physical Security
Requirement 15 All physical locations containing electronic or paper copies of surveillance data must be enclosed inside a locked, secured area with limited access. Workspace for individuals with access to surveillance information must also be within a secure locked area. (GP-1)

Requirement 16 Paper copies of surveillance information containing identifying information must be housed inside locked file cabinets that are inside a locked room. (GP-1)

Requirement 17 Each member of the surveillance staff must shred documents containing confidential information before disposing of them. Shredders should be of commercial quality with a crosscutting feature. (GP-3)

Maximum security practice dictates that HIV/AIDS surveillance data be maintained on a dedicated file server at only one site in each project area where layers of security protections can be provided in a cost-effective manner. This would obviate the need to duplicate expensive security measures at multiple locations throughout the state. Remote sites that need access to the central surveillance server for surveillance activities could access the server through a secured method (e.g., virtual private network [VPN], or authentication server) set up for authorized users. Analysis databases available to all intrastate jurisdictions would allow the data to be used for analysis and program planning at the local level. As resources permit, CDC technical and financial assistance may be available to assist states in moving to a more centralized surveillance operation. See section Central, Decentral, and Remote Access for details.

CDC recognizes that, for some surveillance programs, it may not be possible at this time to limit the entry of HIV/AIDS data into a reporting system located at a single site. Based on local health department policies and organization, some states have decided to maintain the reporting system in more than one site. If this is the case, every additional reporting system site in the state must meet the same minimum security measures outlined in all of the program requirements.

Because the surveillance system can potentially identify any number of persons with HIV/AIDS within a state (or local jurisdiction if surveillance is decentralized), particular attention to the security of surveillance information is critical. CDC's requirement to house the surveillance information in a locked room is long standing and has been part of the surveillance guidance for many years. Jurisdictions use various security methods to hold HIV/AIDS case data stores, but the minimum security standard is to enclose the surveillance information inside a locked room regardless of the method used. Whether the reporting system resides on a server or workstation, the computer containing the electronic surveillance data must be enclosed inside a locked room. Only authorized surveillance personnel should have access to the locked room. However, depending on the numbers of HIV/AIDS cases reported, the size and role of the surveillance staff, community interest, and health department resources, the ORP may decide that other authorized health department staff may need to work inside the surveillance room.

If the surveillance data reside on a server inside a locked room and not on the hard drive of any individual workstation within the department, the individual workstation (when logged off the network) does not pose a great security risk and would not necessarily have to be located behind a locked door to meet the minimum standard. However, most health departments using Local Area Network (LAN) systems to maintain surveillance data require both the workstation and the server to be located in rooms with doors that lock. LAN accounts with access to identifying information in the reporting system should be limited only to the workstations of those authorized. LAN accounts also should be limited by time of day. See Requirement 7.

The use of cubicles in many office buildings can also present a challenge to creation of a secure area. Cubicles with low walls make it difficult, even within a secure area, to have a telephone conversation without others hearing parts of the conversation. Where necessary, higher cubicle walls with additional soundproofing can be used. When cubicles are part of the office structure, cubicles where sensitive information is viewed, discussed, or is otherwise present should be separated from cubicles where staff without access to this information are located.

When electronic surveillance data with personal identifiers are stored outside of a physically secure area (i.e., a locked room with limited access), or if limited local resources require that surveillance data with personal identifiers stored on a LAN be accessible to nonsurveillance staff, real-time encryption software must be employed. The additional encryption software is designed to keep identifying information encrypted. Should an unauthorized individual gain access to the surveillance database, unencrypted identifying information cannot be viewed. Encryption software that meets federal standards must be used before data are transmitted to CDC. See Attachment C: Federal Encryption Standards and section Sending Data to CDC for details. Encryption requirements would also apply to backup storage media, which are frequently located off-site and could be managed by an outside vendor.

Paper copy data stores must be maintained in a locked cabinet and inside a locked room. If an area chooses to no longer maintain paper copies in locked file cabinets inside a locked room (e.g., because of age or volume), the program should destroy the completed forms after ensuring the data are entered into the reporting system and after they are no longer needed for follow-up. Before destroying the forms, a site may opt to digitally scan forms for future reference. Digitized forms should be secured the same as any other surveillance data. Requirement 15 does not apply to subsets of case report forms, such as those that a surveillance staff member may hold in the course of an investigation, but does apply to paper copy line lists or logbooks that list a large number of reported cases by name in any one jurisdiction. Even if appropriate space is available to properly store all surveillance forms, program staff should consider developing a records retention policy that would describe the record retention and the scheduling of records for destruction after a designated period. Older records offer only limited value, but continue to pose a security risk. Sites should carefully weigh the benefits and risks of retaining any paper copies of case report forms. Such a decision should be predicated on adherence to these security standards, state regulations, and local practice. Once a decision has been made to destroy a case report form, line list, notes, or any other related paper surveillance document, the document must be destroyed in accordance with Requirement 17.

Requirement 18 Rooms containing surveillance data must not be easily accessible by window. (GP-1)

Window access, for the purposes of this document, is defined as having a window that could allow easy entry into a room containing surveillance data. This does not mean that the room cannot have windows; rather, windows need to be secure. If windows cannot be made secure, surveillance data must be moved to a secure location to meet this requirement.

A window with access, for example, may be one that opens and is on the first floor. To secure such a window, a permanent seal or a security alarm may be installed on the window itself. Even if the window does not open, program managers may decide to include extra precautions if, for example, the building does not have security patrols or if the building or neighboring buildings have had breaches. If a project area has a concern about a current or planned physical location, staff can request advice from CDC.

Last Modified: February 16, 2006
Last Reviewed: February 16, 2006
Content Source:
Divisions of HIV/AIDS Prevention
National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention