Technical Guidance for HIV Surveillance Programs
Technical Guidance for HIV/AIDS Surveillance Programs
Volume III: Security and Confidentiality Guidelines

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Disease Control and Prevention

HIV/AIDS Surveillance Guidelines — Security and Confidentiality

All material contained in this document is in the public domain and may be used and reprinted without permission; citation of the source is, however, appreciated.

Suggested Citation
Centers for Disease Control and Prevention and Council of State and Territorial Epidemiologists. Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines. Atlanta, Georgia: Centers for Disease Control and Prevention; 2006. The document is available at http://www.cdc.gov/hiv/surveillance.htm.

January 2006

Contents — Security and Confidentiality

Introduction
Existing Protections
Purpose of Guidelines
Scope
Requirements and Standards
Guiding Principles
Policies
Responsibilities
Training
Physical Security
Data Security
Data Movement
Sending Data to CDC
Transferring Data between Sites
Local Access
Central, Decentral, and Remote Access
Security Breaches
Laptops and Portable Devices
Removable and External Storage Devices
Attachment A
Attachment B
Attachment C
Attachment D
Attachment E
Attachment F
Attachment G
Attachment H

Contributors

This document, Technical Guidance for HIV/AIDS Surveillance Programs, was developed by the HIV Incidence and Case Surveillance Branch of the Division of HIV/AIDS Prevention, National Center for HIV, STD, and TB Prevention, Centers for Disease Control and Prevention in collaboration with the Council of State and Territorial Epidemiologists. The CDC/CSTE Advisory Committee provided oversight and leadership throughout the entire process. Workgroup contributors consisted of state and local health department representatives. Irene Hall, CDC, and Eve Mokotoff, CSTE, led the development.

Members of the CDC/CSTE Advisory Committee
CDC: Pamela Gruduah, Irene Hall, Martha Miller
CSTE: Gordon Bunch, California; Dena Ellison, Virginia; Jim Kent, Washington; Eve Mokotoff, Michigan; Stanley See, Texas

Chairs of Workgroups, CDC
Michael Campsmith, Data Analysis and Dissemination
Sam Costa, Security and Confidentiality
Irene Hall, Data Quality
Laurie Kamimoto, Electronic Reporting
Lata Kumar, Data Dictionary
Martha Miller, Overview
Kathleen McDavid, HIV Risk Factor Ascertainment
Ruby Phelps, Case Residency Assignment
Richard Selik, Death Ascertainment
Richard Selik, Record Linkage
Suzanne Whitmore, Perinatal and Pediatric Case Surveillance

CDC Contributors
Lori Armstrong, Mi Chen, Betsey Dunaway, John Gerstle, Kate Glynn, Irene Hall, Felicia Hardnett, David Hurst, Jennie Johnston, Danielle Kahn, Tebitha Kajese, Laurie Kamimoto, Kevin Lyday, Martha Miller, Andy Mitsch, Michelle Pan, Richard Selik, Amanda Smith, Damien Suggs, Patricia Sweeney, Kimberly Todd, Will Wheeler, Suzanne Whitmore, Irum Zaidi.

State and Local Health Department Contributors and Reviewers
Alabama: Anthony Merriweather, Danna Strickland; California-Los Angeles: Gordon Bunch, Mi Suk Harlan, Virginia Hu, Ann Nakamura; California-San Francisco: Ling Hsu, Maree Kay Parisi, Sandra Schwarcz; District of Columbia: Gail Hansen, Kompan Ngamsnga; Florida: Becky Grigg, Lorene Maddox; Illinois-Chicago: Margarita Reina; Indiana: Jerry Burkman; Iowa: Randy Mayer; Louisiana: Joseph Foxhood, Greg Gaines, William Robinson, Debbie Wendell, Amy Zapata; Massachusetts: Maria Regina Barros; Michigan: Elizabeth Hamilton, Nilsa Mack, Eve Mokotoff, Yolande Moore; Minnesota: Luisa Pessoa-Brandao, Tracy Sides; New Hampshire: Chris Adamski; New Jersey: Wogayehu Afework, Linda Dimasi, Abdel Ibrahim, John Ryan; New York City: Melissa Pfeiffer, Judy Sackoff; New York State: Alexa Bontempo, Kathleen Brousseau, Donna Glebatis; Ohio: Sandhya Ramachandran; Oklahoma: Mark Turner; Pennsylvania: Bonnie Krampe, Ming Wei; South Carolina: Dana Giurgiutiu; Texas: Thomas Barnabas, Dianna Highberg, Roy Reyna, Stanley See, Jan Veenstra; Virginia: Dena Ellison; Washington: Maria Courogen; Washington-Seattle & King County: Amy Bauer, Jim Kent; Wisconsin: Loujean Steenberg.

Introduction

This document supersedes the October 1998 version of “Guidelines for HIV/AIDS Surveillance, Appendix C: Security and Confidentiality.” It reflects CDC's recommendation as best practices for protecting HIV/AIDS surveillance data and information. It details program requirements and security recommendations.
These requirements, recommendations, and practices are based on discussions with HIV/AIDS surveillance coordinators, CDC’s Divisions of STD Prevention and TB Elimination, and security and computer staff in other Centers and Offices within CDC, and on reviews by state and local surveillance programs. This document requires each cooperative agreement grantee to designate an Overall Responsible Party (ORP). The ORP will have the responsibility for the security of the surveillance system (including processes, data, information, software, and hardware) and may have liability for any breach of confidentiality. The ORP should be a high-ranking public health official. This official should have the authority to make decisions about surveillance operations that may affect programs outside of HIV/AIDS surveillance. The ORP is responsible for determining how surveillance information will be protected when it is collected, stored, analyzed, released, and dispositioned. Although there are many sources of surveillance information (e.g., medical charts, insurance forms, behavioral