Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines
 
Purpose of Guidelines

Scope

The security standards presented here are intended to apply to local, state, and territorial staff and contractors funded through CDC to perform HIV/AIDS surveillance activities and at all sites where an HIV/AIDS reporting system is maintained.

Although designed for HIV/AIDS surveillance activities, these security standards may serve as a model for other programs to use in reviewing or upgrading security protocols that are appropriate for their overall procedures and mission. Although health care providers who are the source of surveillance information are not under an obligation to follow these security standards, local and state surveillance staff may nevertheless suggest portions of these standards to providers to foster a shared stewardship of sensitive information by promoting security and confidentiality protections in provider settings.

Providers concerned with the Health Insurance Portability and Accountability Act (HIPAA) may use these guidelines as a foundation for their HIPAA compliance policies; however, these guidelines are not a guarantee of HIPAA compliance within a provider setting. Providers need to use their own resources to evaluate their everyday compliance. HIV/AIDS surveillance programs should remind providers that HIPAA permits public health reporting requirements and that providers are still subject to relevant laws, regulations, and public health practices, as described in the MMWR available from http://www.cdc.gov/mmwr/PDF/wk/mm52SU01.pdf. Surveillance staff can also find answers to many frequently asked questions regarding HIPAA and public health at the Office of Civil Rights Web site at http://www.hhs.gov/ocr/hipaa.

The HIV/AIDS surveillance system was not designed for case management purposes, and CDC does not provide surveillance funds to states to support case management or referral services. However, some states and territories have chosen to use information from individual case reports to offer voluntary referrals to prevention and care services, including partner notification assistance. The confidentiality and security issues associated with the provision of those services are outside the scope of this document. When considering such releases of individual-level data from the HIV/AIDS reporting system to other HIV prevention and care programs, state and local health officials should have mechanisms in place to inform and receive input from community members, such as prevention planning groups. Officials must require that recipients of surveillance information have well-defined public health objectives and that they have compared the effectiveness of using confidential surveillance data in meeting those objectives with other strategies. Furthermore, recipients of surveillance information must be subject to the same training and penalties for unauthorized disclosure as surveillance staff.

Data collected by sites through surveillance activities and reported to CDC originate in health care provider, institutional, and laboratory settings. From these sources, confidential information on persons with HIV/AIDS may be obtained in accordance with state law, regulation, or rule. The convenience of having HIV/AIDS surveillance data should not be considered a justification for using it for nonpublic health purposes in preference to more appropriate sources of individual-level data. State and local HIV/AIDS surveillance programs must develop data release policies that include restrictions on the use of surveillance data for nonpublic health purposes. Refer to the Policies section of this document for policy requirements.

A separate set of protections covers HIV/AIDS surveillance information and data maintained at CDC. To protect the confidentiality of persons reported with HIV/AIDS, local and state surveillance program staff do not send names and other specific identifying information to CDC. Additional protections are provided by exemptions to the Freedom of Information Act of 1966 (specifically U.S.C. 552(b)[6]) and by the Privacy Act of 1974. Most importantly, the Assurance of Confidentiality authorized by 308(d) of the Public Health Service Act enables CDC to withhold disclosure of any HIV/AIDS surveillance-related information. A copy of the Assurance of Confidentiality statement can be found in Attachment D. Any HIV/AIDS-related human subject research (as distinguished from routine HIV/AIDS surveillance) conducted or supported by CDC must be approved by an Institutional Review Board (IRB). A key condition of IRB approval is that provisions must be in place to protect the privacy of subjects and to maintain the confidentiality of data.

Requirements and Standards

The requirements and standards in this document are designed for state and local HIV/AIDS surveillance agencies to use as both a guide to the surveillance staff and a basis for corrective action when conduct falls below the required minimum standards as stated in the various requirements. These guidelines also define the standard of conduct that the public should expect of HIV/AIDS surveillance staff in protecting private and sensitive information. Attending to the details of good public health practice creates a professional environment for surveillance staff. Good public health practice dictates that HIV/AIDS surveillance data are used only for the purposes for which they were collected.

This document is divided into security-related topics. Each topic contains both program requirements and discussions that serve to either explain the requirement or offer security considerations that will help comply with the requirement.

Program requirements are mandatory, and the ORP will certify them annually. See Requirement 10. Each requirement states the minimum standard that surveillance staff must achieve. Falling below this standard could result in corrective action. These standards do not prescribe the penalty that should result from a violation of a program requirement. The ORP, considering the nature of the offense, the surrounding circumstances, local policy, and state law, should make those decisions. Discipline may range from an employee reprimand to criminal charges.

Additional security considerations, unlike the program requirements, are aspirational and represent the objectives that each member of the surveillance staff should strive to achieve. They comprise a body of principles that surveillance staff can rely upon for guidance in many specific situations. For a list of additional security considerations, refer to Attachment A: Additional Laptop Security Considerations and Attachment B: Additional Security and Policy Considerations.

Guiding Principles

The five guiding principles listed next are the backbone from which all program requirements and security considerations are derived. The applicable guiding principle is referenced at the end of each program requirement (e.g., GP-1), so a reader can determine the principle that is being addressed by the requirement.

Guiding Principle 1

HIV/AIDS surveillance information and data will be maintained in a physically secure environment. Refer to sections Physical Security and Removable and External Storage Devices.

Guiding Principle 2

Electronic HIV/AIDS surveillance data will be held in a technically secure environment, with the number of data repositories and individuals permitted access kept to a minimum. Operational security procedures will be implemented and documented to minimize the number of staff that have access to personal identifiers and to minimize the number of locations where personal identifiers are stored. Refer to sections Policies, Training, Data Security, Access Control, Laptops and Portable Devices, and Removable and External Storage Devices.

Guiding Principle 3

Individual surveillance staff members and persons authorized to access case-specific information will be responsible for protecting confidential HIV/AIDS surveillance information and data. Refer to sections Responsibilities, Training, and Removable and External Storage Devices.

Guiding Principle 4

Security breaches of HIV/AIDS surveillance information or data will be investigated thoroughly, and sanctions imposed as appropriate. Refer to section Security Breaches.

Guiding Principle 5

Security practices and written policies will be continuously reviewed, assessed, and as necessary, changed to improve the protection of confidential HIV/AIDS surveillance information and data. Refer to sections Policies and Security and Confidentiality Program Requirement Checklist.

Also included in the document is a series of attachments that provide specific information on various topics that would be either too detailed or inappropriate in the body of this document. The following eight documents are attached:

Last Modified: February 16, 2006
Last Reviewed: February 16, 2006
Content Source:
Divisions of HIV/AIDS Prevention
National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention