Requirement 31 All staff who are authorized to access surveillance data must be responsible for reporting suspected security breaches. Training of nonsurveillance staff must also include this directive. (GP-3)
Requirement 32 A breach of confidentiality must be immediately investigated to assess causes and implement remedies. (GP-4)
Requirement 33 A breach that results in the release of private information about one or more individuals (breach of confidentiality) should be reported immediately to the Team Leader of the Reporting, Analysis, and Evaluation Team, HIV Incidence and Case Surveillance Branch, DHAP, NCHSTP, CDC. CDC may be able to assist the surveillance unit dealing with the breach. In consultation with appropriate legal counsel, surveillance staff should determine whether a breach warrants reporting to law enforcement agencies. (GP-4)
A breach may be attempted, in progress, done without negative outcome, or done with negative outcome. Attention should be paid to identifying a breach, responding to it, repairing damage, learning from the event, and if necessary revising or enhancing policies and procedures, revising or instituting training, or enhancing physical or operational security.
By keeping a log of breaches and lessons learned from investigating them, the surveillance unit will be able to detect patterns of breaches, track compliance, and incorporate improvements to the security system.
After a breach has been detected, surveillance employees should notify their supervisor who may, depending on the severity of the breach, notify the ORP. Not all security breaches should be reported to CDC. Breaches that do not result in the unauthorized release of private information may be handled at the local/state health department level. However, CDC should be notified of all breaches of confidentiality (i.e., those breaches that result in the unauthorized disclosure of private information with or without harm to one or more individuals). If notified promptly, CDC may be able to provide assistance in responding to the breach in time to avert additional complications both in the state where the breach occurred and in other states. Notification also will allow CDC and the state to give consistent messages when contacted by the media.
|