|
Requirement 1 Policies must be in writing. (GP-2)
Requirement 2 A policy must name the individual who is the Overall Responsible Party (ORP) for the security system. (GP-2)
The name of the individual who is designated as the ORP, rather than an organizational position, must be provided to CDC annually. The rationale is to increase accountability and help ensure that the individual knows his/her responsibilities as ORP.
Requirement 3 A policy must describe methods for the review of security practices for HIV/AIDS surveillance data. Included in the policy should be a requirement for an ongoing review of evolving technology to ensure that data remain secure. (GP-5)
As part of a review and quality improvement procedure, sites may consider a self-administered procedure by using the Security and Confidentiality Program Requirement Checklist shown in
Attachment H (or a similar form tailored for local use) and refer to the log of breaches.
Requirement 4 Access to and uses of surveillance information or data must be defined in a data release policy. (GP-2)
Requirement 5 A policy must incorporate provisions to protect against public access to raw data or data tables that include small denominator populations that could be indirectly identifying. (GP-2)
Data release policies outline the types of data that can be released and who is authorized to receive the data. For example, with regard to matching HIV/AIDS cases to cases in other data stores (e.g., TB, STD, or vital statistics), the policy should specify what the purpose is, how this is done, who performs the matching, what results are released, how the results should be stored, and who receives the results.
This policy establishes the rules to be implemented to ensure that information is allowed to flow within the information system and across system boundaries only as authorized. Data release, by definition, suggests that information about an HIV-infected individual is available for distribution. A data release policy has to balance the inherent purpose of HIV/AIDS surveillance data with the confidentiality of any HIV-infected individual reported for surveillance purposes. Therefore, any HIV/AIDS surveillance data release policy must be written with two questions in mind. First, which data elements can be released about any case patient that would not identify the individual if pieced together? Second, what purposes are consistent with the reasons for which the data were originally collected?
With regard to the first question, certain information containing patient identifying data elements (including elements such as patient's name, address, and social security number) may never be released for public distribution. Care must also be taken to ensure that information released cannot be linked with other databases containing additional information that can be used to identify someone. However, in developing a data release policy, state and local HIV/AIDS surveillance programs should be aware that several data elements that are not inherently identifying could be linked together to identify an individual. For example, when releasing data on a community with relatively few members of a racial/ethnic group (e.g., Asian/Pacific Islanders or American Indians/Alaska Natives), a risk factor group (e.g., persons with hemophilia), or an age group (e.g., >50 years old or specifying the date of birth or death), surveillance staff should be careful that release of aggregate data on the distribution of HIV-infected individuals by these categories could not suggest the identity of an individual. Time periods also need to be considered when developing a data release policy. Output from cases reported cumulatively (since 1981) better hides any individual's identity than output from cases reported within the past 12 months. Therefore, care should be taken in deciding how both the numerator and the denominator are defined when developing a data release policy.
Traditionally, surveillance data are released as aggregated data. As a rule, CDC will not release national aggregated data in tables when the number of records reflected in a cell falls below a minimum size, depending on sensitivity of the data. Some states have similar cell size restrictions. Most states consider the denominator size of the population under analysis and may release small cells under certain circumstances. However, as described previously, even cell size limitations could allow for inferential identification of an individual. Care should also be taken in graphic presentation of data. For example, geographic information systems (GIS) allow for relatively accurate dot mapping of observations. Care must be taken that graphic (like numeric) presentation of data cannot permit the identification of any individual by noting pinpoint observations of HIV cases at, for example, the county, ZIP code, or census tract level. Other considerations in developing data release policies include the need for state surveillance programs to assure that their data release policies are consistent with state confidentiality laws, and to include clear definitions of terms used in the data release policy (e.g., personal identifier, population size, and time period). For a complete discussion covering this issue, refer to the chapter on <Data Analysis and Dissemination>.
The second issue that should guide the development of a data release policy is to consider the purpose for which the data were originally collected. To be consistent with the federal Assurance of Confidentiality under which CDC collects HIV data and the purpose for which CDC provides support to states to conduct surveillance, no HIV surveillance information that could be used to identify an individual should be available to anyone for nonpublic health purposes. Examples include the release of individual-level data to the public; to parties involved in civil, criminal, or administrative litigation; for commercial purposes; or to nonpublic health agencies of the federal, state, or local government. Surveillance data are collected to monitor trends in the epidemic on a population-based level. However, some state and local surveillance programs have chosen to share individual case reports with prevention and care programs to initiate referrals to services. Additionally, some surveillance programs use surveillance data to initiate follow-up for supplemental public health research. Programs that choose to establish these linkages should do so without compromising the quality or security of the surveillance system and should establish principles and procedures for such practices in collaboration with providers and community partners. Programs that receive surveillance information should be subject to the same penalties for unauthorized disclosure and must maintain the data in a secure and confidential manner consistent with CDC surveillance guidelines. Additionally, activities deemed to be research should get appropriate human subjects approvals consistent with state and local health department procedures. A discussion on using HIV surveillance data to initiate referrals to prevention or treatment services is available in the document Integrating HIV and AIDS Surveillance: A Resource Manual for Surveillance Coordinators - Toolkit 5, Using HIV Surveillance Data to Document Need and Initiate Referrals, found in
Attachment G. Several other CDC resources and guidance documents are available online to inform local discussions, including
HIV Partner Counseling and Referral Services: Guidance,
HIV Prevention Case Management: Guidance, resources on evaluation of HIV prevention programs, and more at
http://www.cdc.gov/topics/surveillance/resources/guidelines/. The HIV Incidence and Case Surveillance Branch is currently working on ethical guidelines for the use of public health data for HIV/AIDS. Please contact your HIV surveillance program consultant for additional information on these guidelines.
Requirement 6 Policies must be readily accessible by any staff having access to confidential surveillance information or data at the central level and, if applicable, at noncentral sites. (GP-2)
As security questions arise in the course of surveillance activities, staff must have ready access to the written policies. In most circumstances, having a copy of the written policies located within the surveillance unit would satisfy this requirement. Computer access to an electronic version of the policies also may be acceptable. The key is for staff to have quick access to policies as security and confidentiality questions arise.
Requirement 7 A policy must define the roles for all persons who are authorized to access what specific information and, for those staff outside the surveillance unit, what standard procedures or methods will be used when access is determined to be necessary. (GP-2)
Requirement 8 All authorized staff must annually sign a confidentiality statement. Newly hired staff must sign a confidentiality statement before access to surveillance data is authorized. The new employee or newly authorized staff must show the signed confidentiality statement to the grantor of passwords and keys before passwords and keys are assigned. This statement must indicate that the employee understands and agrees that surveillance information or data will not be released to any individual not granted access by the ORP. The original statement must be held in the employee's personnel file and a copy given to the employee. (GP-2)
The policy should establish rules to ensure that only designated individuals, under specified conditions, can
- Access the information system (network logon, establish connection),
- Activate specific system commands (execute specific programs and procedures; create, view, or modify specific objects, programs, information system parameters). The policy should include provisions for periodic review of access authorizations. Note that CDC's HIV/AIDS Reporting System does not have the ability within the application to establish access times.
The policy could limit access to sensitive data to specified hours and days of the week. It should also state types of access needed, which could be linked to roles defined for those with access. For example, epidemiologists may have access to data across programs that do not include identifiers.
Additionally, the policy should cover restrictions on access to the public Internet or e-mail applications while accessing surveillance information. Accidental transmission of data through either of these systems can be avoided if they are never accessed simultaneously. Similarly, intruders can be stymied in attempts to access information if it is not available while that connection is open.
The policy should establish rules that ensure that group authenticators (administrators, super users, etc.) are used for information system access only when explicitly authorized and in conjunction with other authenticators as appropriate. The policy should express similar rules for individual users to ensure that access to identifiable data is allowed only when explicitly authorized and in conjunction with other authenticators as appropriate. The policy should document the process for assigning authorization and identify those with approval authority. Information technology (IT) authorities granting access must obtain approval from the ORP or designee before adding users, and they should maintain logs documenting authorized users. The ORP or a designee should periodically review user logs.
Requirement 9 A policy must outline procedures for handling incoming mail to and outgoing mail from the surveillance unit. The amount and sensitivity of information contained in any one piece of mail must be kept to a minimum. (GP-2)
The U.S. Mail and other carrier services are commonly used for the movement of paper copies of information. There are many ways that project areas can protect the confidentiality of an HIV-infected individual when using the mail. For example, when surveillance staff and providers are mailing information (e.g., case report forms) to the central office, the policy could require that names and corresponding patient numbers be sent in one envelope, while the remaining information referenced by the corresponding patient number is sent in another envelope. In addition, the terms 'HIV' or 'AIDS' should not necessarily be included in either the mailing address or the return address. Mailing labels or pre-addressed, stamped envelopes may be supplied to field staff and providers to encourage this practice and to ensure the use of the correct mailing address. Whenever confidential information is mailed, double envelopes should be used, with the inside envelope clearly marked as confidential.
Because of the potential number of entries on a given paper copy line list, programs must exercise extreme caution if they find it necessary to mail a paper list. Procedures for mailing lists, including the amount and type of information permitted in any one mailing, must be clearly outlined in the local policy. Two methods that surveillance programs currently employ to minimize risk when using the mail are (1) to generate lists containing names without references to HIV or AIDS or (2) to remove the names from the list and mail them separately from the other sensitive information.
|
