Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines
Access Control

Local Access

Requirement 26 Access to any surveillance information containing names for research purposes (that is, for other than routine surveillance purposes) must be contingent on a demonstrated need for the names, an Institutional Review Board (IRB) approval, and the signing of a confidentiality statement regarding rules of access and final disposition of the information. Access to surveillance data or information without names for research purposes beyond routine surveillance may still require IRB approval depending on the numbers and types of variables requested in accordance with local data release policies. (GP-1)

Most analyses of HIV/AIDS surveillance data do not require IRB approval; in fact, most such analyses do not require the inclusion of identifying information in the data sets. Occasionally, investigators from other health department units or academia want to conduct supplemental studies using reported case patients as their study population. Additionally, clinic-based researchers may want to obtain additional information on their patients. In these cases, the researcher should submit a request for the data set to the HIV/AIDS surveillance coordinator. The surveillance coordinator should then refer to the local data release policy to determine if any of these types of data sets can be released. Data containing patients' names are not normally released for research purposes; further, the data release policy should anticipate that even data not containing names could be used to breach an individual's confidentiality if data sets are created or can be created that could indirectly identify any individual (e.g., a data set of all Asian hemophiliacs with AIDS in a county with a low Asian population and low morbidity).

Under certain circumstances and in accordance with local data release policies, the surveillance coordinator should refer the researcher to the Chair of the IRB. If the Chair determines that an IRB should be convened, both the researcher and surveillance coordinator must abide by the ruling. The IRB may approve the release of an analysis data set. Before a researcher obtains access to a data set, the surveillance coordinator must obtain a signed statement from the researcher certifying that he or she will comply with standards outlined in the local security policy. Signing this statement should indicate that the researcher (1) understands the penalties for unauthorized disclosure, (2) assures that the data will be stored in a secured area, and (3) agrees to sanitize or destroy any diskettes or other storage devices that contained the data set when the research project is completed. If the researcher is a member of the HIV/AIDS surveillance unit and already has a signed confidentiality statement on file, there is no need to sign an additional statement.

Under a signed assurance of confidentiality (see Attachment D), the HIV/AIDS surveillance information received by CDC that permits the identification of any individual is collected with a guarantee that it (1) will be held in strict confidence, (2) will be used only for purposes stated in the assurance, and (3) will not otherwise be disclosed or released without the consent of the individual in accordance with sections 306 and 308(d) of the Public Health Service Act.

Analysis databases or data sets that are released to individuals who work outside the secured area must be held securely until the data are approved for release. For example, health department epidemiologists or statisticians who do not work in the secured area often use analysis databases for routine analysis. The computers used in these circumstances must have protective software (e.g., user ID and password protection) to maintain data securely. Other robust authentication methods may also be used; the examples described are only the minimum required. Encryption software is not required with analysis databases because they are considered much less sensitive than those that contain names or other personal identifiers. Analysis data are still considered sensitive, since it may be possible to identify individuals by using particular combinations of reporting system variables. For that reason, analysis data should not be taken home, and all results of analyses performed by using reporting system variables must be approved for release as outlined in the surveillance unit's data release policy.
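The indirect-identification risk described above and under Requirement 26 (a cell formed by a rare combination of analysis variables, such as the Asian hemophiliac example) can be checked mechanically before an analysis data set is released. The following Python is an added example, not CDC software and not part of this guidance; the records, variable names and the minimum cell size of 3 are constructed for illustration:

```python
"""Minimum-cell-size review of a requested analysis data set.

Added example (not CDC software): shows how a data release policy can test
whether a data set without names could still single out an individual
through a rare combination of reporting-system variables. All records and
the threshold k are constructed for illustration.
"""
from collections import Counter
from itertools import combinations

# Constructed sample records (no real data). County A has one Asian case
# with hemophilia as risk factor, the kind of cell the guidance warns about.
SAMPLE_RECORDS = [
    {"county": "A", "race": "Asian", "risk": "hemophilia", "sex": "M"},
    {"county": "A", "race": "White", "risk": "MSM", "sex": "M"},
    {"county": "A", "race": "White", "risk": "MSM", "sex": "M"},
    {"county": "A", "race": "White", "risk": "IDU", "sex": "F"},
    {"county": "A", "race": "White", "risk": "IDU", "sex": "F"},
    {"county": "A", "race": "White", "risk": "IDU", "sex": "F"},
    {"county": "B", "race": "Black", "risk": "MSM", "sex": "M"},
    {"county": "B", "race": "Black", "risk": "MSM", "sex": "M"},
    {"county": "B", "race": "Black", "risk": "MSM", "sex": "M"},
]


def cell_counts(records, variables):
    """Number of records in each combination of values of the given variables."""
    return Counter(tuple(r[v] for v in variables) for r in records)


def small_cells(records, variables, k=3):
    """Combinations with fewer than k records: each could identify someone."""
    return {cell: n for cell, n in cell_counts(records, variables).items() if n < k}


def review_request(records, requested, k=3):
    """Decide whether the requested variables can be released under a minimum
    cell size of k, and list the minimal sub-combinations that already fall
    below k so the coordinator knows which variables to drop or coarsen.
    Adding a variable can only split cells further, so if any subset fails
    the full request fails too, and supersets of a failing subset are skipped."""
    failing = []
    for size in range(1, len(requested) + 1):
        for subset in combinations(requested, size):
            if any(set(f) <= set(subset) for f in failing):
                continue
            if small_cells(records, subset, k):
                failing.append(subset)
    return {"release": not failing, "k": k, "minimal_failing": failing}
```

A request for county and sex alone passes on this sample, while county, race and risk fails because race and risk each already form a single-record cell.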

Requirement 27 Unauthorized individuals may be granted access to any secured area that either contains surveillance data or can be used to access surveillance data only during times when authorized surveillance or IT personnel are available for escort, or under conditions where the data are protected by security measures specified in a written policy and approved by the ORP. (GP-1)

If unauthorized personnel (e.g., cleaning or maintenance crews) are allowed access to the secured area during times when surveillance staff are not present, then more stringent security measures must be employed inside the secured area to meet the program requirements. Under such circumstances, computerized surveillance information and data stored on one or more stand-alone computers or accessible via a LAN-connected workstation must be held securely with access controls in place, such as boot-up passwords that prevent unauthorized access to the computer's hard drive by booting from a system disk, encryption software, or storage of the data on removable devices that can be locked away before unauthorized personnel are allowed access. If surveillance information is stored on a LAN server, accounts with authorized access should be restricted by time of day and day of week. See Requirement 7.

Managing keys or keypad codes to a secure area is difficult when personnel who receive the keys or codes are not directly supervised by the surveillance unit. Because of staff turnover in cleaning crews, the number of people who may be given keys or codes to the secure area may multiply over time. The more people with keys and codes, the greater the risk to the system. While tracking who has a key or code in this scenario can be difficult, it is recommended that a method of tracking and logging the issuance of keys or codes be implemented. It is further recommended that, if an accurate accounting of all keys or codes to a secure area cannot be made, the lock or code to that area be changed and reissued using the tracking and logging method developed.

While many surveillance programs do not routinely grant access to the secured area to cleaning crews or maintenance staff, program requirements can be met even if cleaning crews are granted access without authorized escort, provided added measures (as discussed previously) are employed. The added measures must be named and described in the local security policy. For example, the policy might state that in lieu of escorting cleaning crews and other maintenance staff inside the secured area after hours, the surveillance unit will implement additional documented security measures to provide for enhanced data protection.

Requirement 28 Access to confidential surveillance information and data by personnel outside the surveillance unit must be limited to those authorized based on an expressed and justifiable public health need, must not compromise or impede surveillance activities, must not affect the public perception of confidentiality of the surveillance system, and must be approved by the ORP. (GP-1)

The primary function of HIV/AIDS surveillance is the collection and dissemination of accurate and timely epidemiologic data. Areas that elect to establish linkages to other public health programs for prevention or case management should develop policies and procedures for sharing and using reported data that ensure the quality and security of the surveillance system. These programs should be developed in consultation with providers and community partners, such as their prevention planning groups. Recipients of surveillance information must be subject to the same training requirements and penalties for unauthorized disclosure as surveillance personnel.

Before establishing any program's linkage to confidential surveillance data, public health officials should define the public health objectives of the linkage, propose methods for the exchange of information, specify the type of surveillance data to be used, estimate the number of persons to be served by the linkage based on the availability of resources, outline security and confidentiality procedures, and compare the acceptability and effectiveness of basing the prevention programs on individual HIV/AIDS surveillance case reports with those of other strategies. The ORP must have the final approval of proposed linkages, since the ORP is ultimately responsible for any breach of confidentiality.

Prevention programs that use individual HIV/AIDS surveillance case data should evaluate the effectiveness of this public health approach. On an ongoing basis, programs also should assess confidentiality policies, security practices, and any breaches of confidentiality. Individual HIV/AIDS case reports should not be shared with programs that do not have well-defined public health objectives or with programs that cannot guarantee confidentiality.

Requirement 29 Access to surveillance information with identifiers by those who maintain other disease data stores must be limited to those for whom the ORP has weighed the benefits and risks of allowing access and can certify that the level of security established is equivalent to the standards described in this document. (GP-2)

Security is compromised if other programs that lack adequate standards to protect the security and confidentiality of the data are granted access to HIV/AIDS surveillance data or information and use that access to add HIV/AIDS data to their systems.

Linking records from the surveillance data with records from other databases semiannually or annually is encouraged to identify cases not previously reported, such as cases identified through TB surveillance or cancer surveillance. This provides a systematic means to evaluate the performance of health department surveillance and to take action to address weaknesses in systems as they are identified. For example, programs can plan site visits with those providers who do not comply with state reporting laws to stimulate more timely and complete reporting.

Before the linkage of surveillance data, protocols should be discussed and developed. The protocol should address how the linkage will be performed using methods that are secure, who will analyze the results, and how the information will be used to improve the selected surveillance systems.

Requirement 30 Access to surveillance information or data for non-public health purposes, such as litigation, discovery, or court order, must be granted only to the extent required by law. (GP-2)

Some state laws mandate access to HIV/AIDS surveillance information for purposes other than law enforcement or litigation activities. For example, some states require school officials or prospective parents to be notified when they enroll or adopt HIV-infected children. However, the surveillance unit is not necessarily required to release the information just because it is requested by law enforcement or other officials. Access should be granted only to the extent required by law and not beyond any such requirement.

Any request for surveillance information for law enforcement purposes should be reviewed by the ORP with the appropriate program area's legal counsel to determine what specific information, if any, must be released from records maintained solely for epidemiologic purposes. Medical information may be available to the courts from less convenient but more appropriate sources. When information is ordered released as part of a judicial proceeding, any release or discussion of information should occur in closed judicial proceedings, if possible.

Central, Decentral, and Remote Access

The most secure protection for HIV/AIDS surveillance data is having only one centralized database in each state. Centralized data stores are those in which all electronic records of HIV/AIDS cases are stored in only one location within each state. Although not a program requirement, all states currently using the electronic reporting system in more than one location are strongly encouraged to move toward centralized operations where the electronic reporting system is deployed. As new software systems are deployed, CDC will provide technical and financial assistance to facilitate this transition.

Centralization of HIV/AIDS surveillance data within a state has clear benefits. First, centralized data stores offer greater security. Although having several HIV/AIDS surveillance databases throughout a state may have offered advantages in the past, those advantages may be outweighed by the risk of a security breach. Without centralization, most local jurisdictions must either mail copies of case reports to the state or mail external storage devices. Security risks are associated with both methods of data movement.

Centralized data stores add efficiency by improving case matching. With a centralized database, remote surveillance staff may conduct matches against the statewide database, thereby reducing intrastate duplicates and minimizing unnecessary field investigations of cases already reported elsewhere in the state.

Centralized systems may cost less to maintain. States with HIV/AIDS data systems in multiple locations must devote resources for providing technical assistance to surveillance staff at satellite locations. Finally, a centralized platform may support parallel surveillance systems (e.g., TB and STD). In other words, the hardware used for centralized systems could enhance surveillance activities for other diseases without increasing access to the HIV/AIDS database or compromising existing database security in any way.

Technologies such as browser-based applications, the Internet, Wide-Area Networks (WANs), and advances in data encryption technology and firewalls have made centralization of HIV/AIDS surveillance data more feasible.

New browser-based applications have numerous technical access controls, including authentication of the individual attempting access, assignment/restriction of access rights at the variable/field level, and assignment/restriction of access to functional components (role-based privileges). Use of a centralized database allows data entry and data analysis directly from the remote location while preventing non-authorized uses. Further, the capacity exists to assign access rights and privileges to staff just as is done in a decentralized system. In addition to these access controls, centralized systems can be configured to limit access by allowing only those connections originating from an authorized person using an authorized workstation.

A centralized database can be accessed using a WAN or the Internet, both of which have advantages and disadvantages. A WAN often uses transmission facilities provided by common carriers, such as telephone companies, to establish a dedicated, private, and permanent point-to-point connection between satellite or remote offices and the central database, an option that may be cost-prohibitive for some states. All communications between points must still be password protected, and communications must be encrypted using methods that meet the data encryption standards set forth in this guidance.

Use of the Internet does not require dedicated phone lines and establishes temporary point-to-point connections over a public medium. This would be a less expensive alternative but, because the Internet is a public medium, a Virtual Private Network (VPN) must be established to guard against intrusion during communications. In addition to establishing a VPN, these communications must also be encrypted using methods that meet the data encryption standards set forth in this guidance. Additionally, firewalls must be in place to prevent unauthorized access.

When properly configured, a centralized system allows each local jurisdiction complete access to its HIV/AIDS data while prohibiting access by outside jurisdictions. A local jurisdiction can conduct local-level data analyses directly from a central dataset, or it may download a de-identified dataset for analysis.
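The technical access controls listed above for a centralized system (authentication, role-based function privileges, field-level rights, authorized-workstation checks), the per-jurisdiction restriction, and the time-of-day and day-of-week restriction from Requirement 27 can be combined into one deny-by-default authorization decision. The Python below is an added example, not CDC software; the users, roles, workstation names, jurisdictions and access window are constructed assumptions:

```python
"""Deny-by-default access decision for a centralized surveillance database.

Added illustration (not CDC software): every control the guidance lists must
pass before a request is allowed. All users, roles, workstation names,
jurisdictions and the access window below are constructed assumptions.
"""
from datetime import datetime

# Role-based privileges: which functions a role may call and which fields it
# may see. The analyst role gets no personal identifiers (no "name").
ROLES = {
    "data_entry": {"functions": {"enter_case", "view_case"},
                   "fields": {"case_id", "county", "diagnosis_date", "name"}},
    "analyst": {"functions": {"run_analysis"},
                "fields": {"case_id", "county", "diagnosis_date"}},
}
# Authenticated users: role, authorized workstations, and home jurisdiction.
USERS = {
    "jdoe": {"role": "data_entry", "workstations": {"WS-LOCAL-01"}, "jurisdiction": "A"},
    "asmith": {"role": "analyst", "workstations": {"WS-EPI-07"}, "jurisdiction": "A"},
}
# Requirement 27 style restriction: Monday-Friday (weekday() 0-4), 07:00-18:00.
ACCESS_WINDOW = {"days": {0, 1, 2, 3, 4}, "start_hour": 7, "end_hour": 18}


def in_window(when, window=ACCESS_WINDOW):
    """True if the datetime falls on a permitted day and within the hours."""
    return (when.weekday() in window["days"]
            and window["start_hour"] <= when.hour < window["end_hour"])


def authorize(user, workstation, function, fields, jurisdiction, when_iso):
    """Return (allowed, reason). when_iso is an ISO timestamp such as
    '2006-02-16T10:00'. Checks stop at the first failing control."""
    u = USERS.get(user)
    if u is None:
        return False, "unknown user"
    if workstation not in u["workstations"]:
        return False, "workstation not authorized for this user"
    if not in_window(datetime.fromisoformat(when_iso)):
        return False, "outside permitted access window"
    if jurisdiction != u["jurisdiction"]:
        return False, "record belongs to another jurisdiction"
    role = ROLES[u["role"]]
    if function not in role["functions"]:
        return False, f"function {function!r} not granted to role {u['role']!r}"
    denied = set(fields) - role["fields"]
    if denied:
        return False, "fields not permitted for role: " + ", ".join(sorted(denied))
    return True, "allowed"
```

The reason string is meant for the access log, so that denied attempts (wrong workstation, after-hours access, identifier fields requested by an analyst) are visible to the surveillance coordinator.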

If centralization is not yet feasible, each satellite site should maintain only cases within its jurisdiction. For matching case notifications, sites may consider the utility of maintaining limited data on out-of-jurisdiction cases receiving care and/or reported in their jurisdiction. Further, states are encouraged to consider limiting, as much as possible, the number of satellite locations.

Last Modified: February 16, 2006
Last Reviewed: February 16, 2006
Content Source:
Divisions of HIV/AIDS Prevention
National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention