pcs i data security guidelines

7/27/2019 Pcs i Data Security Guidelines

1/72

National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention

Data Security andConfdentiality Guidelinesfor HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs:

Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action


2/72


3/72

Data Security andConfidentiality Guidelinesor HIV, Viral Hepatitis, Sexually Transmitted Disease,and Tuberculosis Programs:

Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action

Suggested Citation: Centers or Disease Control and Prevention. Data Security andCon dentiality Guidelines or HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs:

Standards to Facilitate Sharing and Use o Surveillance Data or Public Health Action.Atlanta (GA): U.S. Department o Health and Human Services, Centers or Disease Control and Prevention; 2011


4/72

This report was prepared by

Security and Confdentiality Guidelines Subgroupo CDCs NCHHSTP Surveillance Work Group:

Patricia Sweeney, Sam Costa;Division o HIV/AIDS Prevention

Hillard Weinstock , Patrick Harris, Nicholas Ga ga;Division o STD Prevention

Kashi Iqbal;Division o Viral Hepatitis

Lilia Manangan, Suzanne Marks;Division o TB Elimination

Gustavo Aquino;O ce o the Director, NCHHSTP

This publication lists non- ederal resources in order to provide additional in ormation toconsumers. The views and content in these resources have not been ormally approved by the U.S. Department o Health and Human Services (HHS). Listing these resources isnot an endorsement by HHS or its components.


5/72

Table o Contents

I. Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1

II. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2

III. About this Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5

IV. Using this Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5

V. Bene ts, Risks, and Costs o Sharing Data and Maintaining Security and Con dentiality . . . . . .9

VI. Guiding Principles or Data Collection, Storage, Sharing, and Use to Ensure Security

and Con dentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

VII. Standards or Data Collection, Storage, Sharing, and Use to Ensure Security

and Con dentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

VIII. Re erences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

IX. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38

Appendix A. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

Appendix B. Checklists or Assessment o Data Security and Con dentiality Protections . . . . . . . .43

Appendix C. Data Sharing Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55

Appendix D. Sample Certi cation Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57

Appendix E. Suggested Outline or a Policy on Data Con dentiality, Security,

Sharing and Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59

Appendix F. Guidelines or the Use o Facsimile Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61

Appendix G. Ensuring Data Security in Nontraditional Work Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63


6/72


7/72

1

I. Executive SummaryA goal o CDCs National Center or HIV/AIDS, Viral Hepatitis, STD, and TB Prevention (NCHHSTP)

is to strengthen collaborative work across disease areas and integrate services that areprovided by state and local programs* or prevention o HIV/AIDS, viral hepatitis, other sexuallytransmitted diseases (STDs), and tuberculosis (TB). A major barrier to achieving this goal is thelack o standardized data security and con dentiality procedures, which has o ten been cited asan obstacle or programs seeking to maximize use o data or public health action and provideintegrated and comprehensive services.

Maintaining con dentiality and security o public health data is a priority across all public healthprograms. However, policies vary and although disease-speci c standards exist or CDC- undedHIV programs, similarly comprehensive CDC standards are lacking or viral hepatitis, STD, and TB prevention programs. Success ul implementation o common data protections in stateand local health departments with integrated programs suggest implementation o commondata security and con dentiality policies is both reasonable and easible. These programs havebene ted rom enhanced success ul collaborations citing increased completeness o keydata elements, collaborative analyses, and gains in program e ciencies as important bene ts.Despite the potential bene ts, however, policies have not been consistently implementedand the absence o common standards is requently cited as impeding data sharing anduse. Adoption o common practices or securing and protecting data will provide a criticaloundation and be increasingly important or ensuring the appropriate sharing and use o dataas programs begin to modi y policies and increasingly use data or public health action.

This document recommends standards or all NCHHSTP programs that, when adopted, willacilitate the secure collection, storage, and use o data while maintaining con dentiality.Designed to support the most desirable practices or enabling secure use o surveillancedata or public health action and ensuring implementation o comprehensive evidence-based prevention services, the standards are based on 10 guiding principles that provide theoundation or the collection, storage, and use o these public health data. They address veareas: program policies and responsibilities, data collection and use, data sharing and release,physical security, and electronic data security. Intended or use by state and local healthdepartment disease programs to in orm the development o policies and procedures, thestandards are intentionally broad to allow or di erences in public health activities and responseacross disease programs.

The standards, and the guiding principles rom which they are derived, are meant to serve as the

oundation or more detailed policy development by programs and as a basis or determiningi and where improvements are needed. The process includes seven main steps: designatingan overall responsible party; per orming a standards-based initial assessment o data securityand con dentiality protections; developing and maintaining written data security policies andprocedures based on assessment ndings; developing and implementing training; developingdata-sharing plans or agreements as needed; certi cation o adherence to standards; and

*State and local is inclusive o state, tribal, local and territorial health departments and agencies.


8/72

2

per orming periodic reviews o policies and procedures. NCHHSTP- unded programs will also berequired to veri y their adherence to the standards through submission o certi cation statements.CDC will work with state and local health departments to monitor the implementation o theguidelines and evaluate their impact on securing data, acilitating data use, and increasingprogram e ectiveness.

This document refects the combined e orts o NCHHSTPs Surveillance Workgroup members,composed o surveillance leaders rom NCHHSTPs Division o HIV/AIDS Prevention (DHAP),Division o Viral Hepatitis (DVH), Division o STD Prevention (DSTDP), and Division o TB Elimination(DTBE). The work was in ormed by consultation with state and local public health leaders andpublic health organizations representing HIV, viral hepatitis, STD and TB disease disciplines (seeAcknowledgements section). The document supersedes previously published security andcon dentiality guidelines or HIV surveillance and establishes data security and con dentialitystandards or viral hepatitis, STD, and TB. Establishment o these standards that apply to allsurveillance activities in all o the Centers divisions will acilitate collaboration and serviceintegration among NCHHSTP- unded programs with minimal risk o inappropriate release o con dential, identi able surveillance data or misuse o those data in pursuit o legitimate publichealth purposes.

II. Introduction The true value o surveillance is measured by its impact on public health action and practice. 1 Public health agencies at all levels have broad authority to collect, store, and use personalhealth in ormation to identi y, report, and control health threats and to plan, implement, andevaluate public health programs and services. The public trusts that any personal or con dentialin ormation collected as part o public health activities will be held securely and con dentiallyand will be used or legitimate public health purposes. Although protections exist through variouslaws, policies and procedures, these protections vary across jurisdictions 2-4 and sometimes evenwithin public health organizations. 5

A goal o CDCs National Center or HIV/AIDS, Viral Hepatitis, STD, and TB Prevention (NCHHSTP) isto strengthen collaborative work across disease areas and integrate services that are provided byprograms or prevention o HIV/AIDS, viral hepatitis, other sexually transmitted diseases (STDs), andtuberculosis (TB).6 A major barrier to achieving this goal is the lack o standardized data securityand con dentiality procedures, which has o ten been cited as an obstacle or programs seeking tomaximize use o data or public health action and provide integrated and comprehensive services. 7 Although disease-speci c standards exist or CDC- unded HIV programs, 8,9 similarly comprehensiveCDC standards are lacking or viral hepatitis, STD, and TB prevention programs.


9/72

3

CDC established data security and con dentiality guidelines or CDC- unded HIV surveillanceprograms in state and local* health departments in 1998 8 and updated the guidelines in 2006. 9 The guidelines emphasize the protection o surveillance data and prohibit HIV surveillanceprograms rom sharing data with programs that lack equivalent data security and con dentialityprotections. These restrictions on data sharing had the unintended consequence o inhibitingthe ability o some local health departments to link clients to appropriate treatment andprevention services. 7,10

In 2008, CDC published updated recommendations or programs providing partner services orHIV, syphilis, gonorrhea, and chlamydial in ections. The document includes recommendationsrelated to record keeping, data collection, data management, and data security that were basedon previously published HIV surveillance guidelines. 11 The partner services recommendationsencourage data linkage and sharing between public health service-provision preventionprograms and disease-reporting surveillance systems. The recommendations suggest that sharingo individual-level surveillance data can help acilitate the timely provision o partner services butalso underscore the need or well-de ned security and con dentiality policies and procedures.Despite the potential bene ts, however, these have not been consistently implemented.

In addition, CDC cooperative agreements with TB programs require that policies and proceduresmust be in place to protect the con dentiality o all TB surveillance case reports and les. TBprograms should also collaborate with HIV/AIDS programs to conduct at least annual TB and AIDSregistry matches to ensure completeness o reporting o HIV and TB coin ected patients to bothsurveillance systems. However, this collaboration has been hampered by perceived di erences inpolicies and procedures to protect HIV test results.

This document does not speci y details o how, what or when data should be shared but rather

establishes standards o data protection across programs that should be in place. Intendedor use by state and local health department disease programs to in orm the development o policies and procedures, the standards are intentionally broad to allow or necessary di erencesin public health activities and response across disease programs. The extent to which dataare used or public health interventions and ollow-up with individuals, and to which healthdepartment programs interact or share data with reporting physicians and health providers, willvary according to established program practices.

This document refects the combined e orts o NCHHSTPs Surveillance Workgroup members,composed o surveillance leaders rom NCHHSTPs Division o HIV/AIDS Prevention (DHAP),Division o Viral Hepatitis (DVH), Division o STD Prevention (DSTDP), and Division o TB Elimination(DTBE). The document supersedes previously published guidelines or HIV surveillance andpartner services and establishes up-to-date data security and con dentiality standards o viralhepatitis, STD, and TB.

*State and local is inclusive o state, tribal, local and territorial health departments and agencies.


10/72

4

Key De nitions Used in this Document

Data sharing: Granting certain individualsor organizations access to data that containpersonally identi able in ormation with theunderstanding that personally identi able orpotentially identi able data cannot bere-released urther unless a special data-sharingagreement governs the use and re-release o the data and is agreed upon by the receivingprogram and the data provider(s).

Data-sharing agreement: Mechanism by which adata requestor and data provider can de ne the termso data access that can be granted to requestors.

Data release: Dissemination o data either in a public-use le or as a result o an ad hoc request which resultsin the data steward no longer controlling the use o the data. Data may be released in a variety o ormatsincluding, but not limited to, tables, microdata (personrecords), or online query systems.

Data dissemination: Any mechanismby which data are made available to users.Includes mechanisms whereby data arereleased to users as well as mechanismswhereby data are made available withoutbeing released.

Personally identi able in ormation: As de ned byNational Institute o Standards and Technology SpecialPublication 800-34, Guide To Protecting The Con dentialityo Personally Identi able In ormation : Any in ormationabout an individual maintained by an agency, including (1)any in ormation that can be used to distinguish or trace anindividuals identity, such as name, social security number,date and place o birth, mothers maiden name, or biometricrecords; and (2) any other in ormation that is linked or linkableto an individual, such as medical, educational, nancial, andemployment in ormation. 12

Adapted rom: CDC/ATSDR data release guidelines and procedures or re-release o state-provided data. 4 See glossary in Appendix A or additional de nitions o terms used in this document.


11/72

5

III. About this Document This document recommends standards or data security, con dentiality, and use across surveillanceand program areas or HIV, viral hepatitis, STD, and TB prevention in state and local health jurisdictions.

The standards support the most desirable practices or enabling secure use o data and ensuringcomprehensive preventive services while being broad enough to allow or di erences in publichealth activities by disease program. The standards address ve areas: program policies andresponsibilities, data collection and use, data sharing and release, physical security, and electronicdata security.

The standards are based on 10 guiding principles that provide the oundation or the collection,storage, and use o surveillance data or public health action. The guiding principles are derived romexisting CDC policies and guidelines, model and existing legislation, and rom related work, includingcurrent security and con dentiality principles or NCHHSTPs HIV surveillance programs and practicalapplication o ethics in public health surveillance. 8,9,11,13-20Similar principles have been proposed as

part o a national strategy21

consistent with public health values22,23

to ensure the privacy and securityo public health data at all levels.

The standards are intended to apply to public health programs unded by NCHHSTP (includingthose o state and local health departments and their contractors) that are responsible or collecting,storing, and using surveillance data and to any entities with which these programs share data. Thestandards address the use o both identi able (i.e., personally identi able in ormation [PII]) andnonidenti able data and may include: data used or epidemiologic investigations; data used tolink patients with partner services, appropriate treatment, interventions, and other health services;and data used or case management and program evaluation. Because the use o identi able datarequires a higher level o protection than the use o nonidenti able data, the document includesspeci c standards or the sharing o identi able data. Key de nitions or data sharing, data release,data release agreement, data dissemination, and personally identi able in ormation are highlighted inthe box above and additional terms are provided in the Glossary (Appendix A).

IV. Using this DocumentActive data stewardship involves developing proactive policies, procedures, and training to ensurethat public health data are collected, stored, and used appropriately. To that end, policies relatedto the security and sharing o data should be reviewed regularly and changed as needed. Thedata standards and the guiding principles rom which they are derived are meant to serve as theoundation or more detailed policy development by programs and as a basis or determining i and

where improvements are needed. Key components o data security and con dentiality, sharing, anduse policy development are outlined below.

Overall Responsible Party (ORP) A high-ranking o cial should be identi ed to accept overallresponsibility or implementing and en orcing data security, con dentiality and sharing standards. This o cial should have the authority to make decisions about program operations that might a ectprograms authorizing, accessing or using the data, and should serve as the contact or public healthpro essionals regarding security and con dentiality policies and practices. I the required span o control is not under a single persons purview, several persons can serve in the capacity o ORP as anORP panel.


12/72

6

Initial Assessment o Data Security and Con dentiality Protections This document isintended to serve as a planning resource or use by state and local public health programs todevelop or upgrade their data security and con dentiality policies and procedures. An initialassessment will be particularly use ul or state and local public health programs that currently lack data security and con dentiality policies and procedures.

A team led by the ORP should conduct an initial assessment o current data securityand con dentiality protections. The team should include:

Program managers, directors, or equivalent leaders rom participating programs

Other representatives o participating programs who may provide insight on accessrequirements and procedures or certain jobs or duties (e.g., surveillance sta , DIS datamanagers)

Sta members with technical expertise in data security

In ormation technology (IT) sta should be involved at an early stage to ensure that theyunderstand the data security and con dentiality standards and are ully engaged in the overallprocess. This involvement is critical as areas move to more centralized IT services and, in somecases, outsourced IT services.

The initial assessment should include the ollowing steps:

Identi y key individuals and designate an ORP or ORP panel

Review current security and con dentiality-related materials (e.g., written policies,procedures)

Review relevant state and local laws that might a ect data security and

con dentiality policies Identi y any policies or procedures that are either sources o data security weaknesses orbarriers to in ormation sharing and consult standard operating procedures (SOPs) romother programs that might be use ul sources o ideas or suggestions or procedural changes

Review any history o data security breaches or near-breaches, and associatedlessons learned

Assess physical security and de ne the secure area

Assess electronic security protections and methods o electronic data trans er and storage

Assess actors related to security o in ormation in the eld

Assess training needs

Sample checklists or conducting initial and comprehensive assessments are provided in Appendix B.


13/72

7

Data Security and Con dentiality Policies and Procedures Programs required by NCHHSTPto meet these guidelines are responsible or developing and maintaining written, program-speci cdata security and con dentiality policies and standard operating procedures, based on theseguidelines, the assessment ndings and in the context o state and local laws. Legislative andregulatory barriers to these standards should be addressed. State health department programsshould work collaboratively with local health departments and public health partners involvedin surveillance and prevention-related activities to maintain equivalent standards to the extentpossible. State programs that subcontract directly with local health department programsmay include compliance with these guidelines in their contractual arrangements. Local healthdepartments that share data with state health departments should share data using the securemethods outlined in this document. NCHHSTP- unded programs may provide assistance to privateproviders and laboratories in implementing secure methods or reporting case data. Providers andlaboratories should be encouraged to establish policies and procedures and regular training ondata security and con dentiality, according to these standards.

When public health data are collected or used as part o ederally unded research, they are alsosubject to the ederal policy or the protection o human subjects as described in the Code o Federal Regulations, Title 45, Part 46.24

Training Sta members authorized to access and use public health data are responsible oradhering to their programs data security and con dentiality policies and procedures and shouldreceive ongoing training on an annual basis on the appropriate collection, storage, use, anddissemination o data as de ned by these policies.

Data-Sharing Plans Shared data acilitates identi cation o populations at risk or multiplein ections and the design and implementation o programs that comprehensively address

identi ed needs. A written plan can serve as a starting point or discussions about data sharingbetween or among public health programs. A data-sharing plan should include:

Intent and scope o data sharing

Potential bene ts (including projected e ciencies) and risks o sharing, bene ts and risks o not sharing, and methods to monitor these bene ts and risks

Methods that will be used to share data and roles and responsibilities o sta involved

Minimum data elements needed to achieve the objective(s), including need or PII

Steps that will be taken to ensure the con dentiality and security o shared data

Provisions or physical and electronic security

How shared data will be used, analyzed, published, released, and retained/destroyed

Con dentiality agreements

Knowledge and training requirements including annual training or sta who have access toPII and non-PII data


14/72

8

Although a written plan might not seem necessary between programs in the same healthdepartment or in integrated programs, having a plan in writing can help in resolving any conficts.A more ormal agreement, such as a data-sharing agreement or Memorandum o Understanding(MOU) may be required in certain circumstances (e.g., sharing outside the health department orwith another public health organization). Programs can consult legal experts in their organizationsto determine the need or a ormal agreement.

Appendix C includes an example o one method o data sharing to improve program e cienciesand efectiveness.

Certi cation Programs are required to sel -certi y their adherence to the standards or ensuringthe security, con dentiality, and appropriate use o the data they collect, store, and share. Thecerti cation statement should:

Identi y one or more persons as the ORP or ensuring adherence to the standards

Attest to adherence to all standards, or explain any lapsesI lapses, describe steps to meet the standards in the uture

Describe policies and procedures instituted to ensure continued adherence to thestandards

NCHHSTP will describe the certi cation process in applicable program announcements. NCHHSTPwill conduct periodic reviews o the data security, con dentiality and sharing procedures o grantrecipients during routine site visits and provide technical assistance as needed.

A suggested ormat or a certi cation statement is provided in Appendix D.

Periodic and Ongoing Reviews and Assessments Programs should review their datasecurity, con dentiality, and sharing policies and procedures at least annually or sooner i improved technologies or legislative/regulatory changes occur and revise as necessary. Inaddition, they should periodically assess whether other changes in personnel, programs,organizations, or priorities require changes in policies and procedures. For example, changesin ederal standards or encryption could a ect existing policies and procedures and requireso tware updates or other revisions.

Programs should also review their data-sharing plans or agreements periodically in light o improved technologies and revise as necessary. Tracking the security and con dentiality trainingo sta members authorized to access data, including documenting and storing their signedcon dentiality agreements, should also be part o ongoing assessment activities.


15/72

9

V. Benefts, Risks, and Costs o Sharing Data andMaintaining Security and Confdentiality

There is a balance that must be maintained between protecting the individual and the public rom

disease and protecting individuals con dentiality and right to privacy. Both are vital to enhancingthe publics health and maintaining the publics trust. Programs that have and ollow consistentguidelines or the collection, storage, and use o HIV, viral hepatitis, STD, and TB data may reassureindividuals, and the public, that sharing data or public health action will not compromisecon dentiality.

Adherence to harmonized standards or data security across programs will enhance the abilityto share data without compromising con dentiality. As programs consider how best to meetthese standards, it is help ul to consider the bene ts, risks, and costs. The public health bene ts o sharing data among HIV, viral hepatitis, STD, and TB programs include the ollowing:

Early case detection and accurate and timely reporting o diseases

Improved e ciencies in use o human and nancial resources to achieve programobjectives

Improved projections o human and nancial resources or disease programs andspeci c projects

Improved opportunities to in orm providers and patients about standards o care andneeds or additional care

Enhanced quality o surveillance data across programs

Improved documentation and reporting o co-morbidities, leading to better patient

management and partner services Better understanding o patients health status to ensure comprehensive care and avoidredundant services and missed opportunities or prevention

Increased understanding o how epidemics interact synergistically (syndemics),geographically, within population subgroups, or within groups engaging in speci edhigh-risk behaviors

Identi cation o speci c populations that need outreach with consistent messagesand targeted testing and service provision


16/72

10

Although data sharing has many bene ts, there are also some risks. Despite the public healthcommunitys excellent track record in managing sensitive data, security breaches can occur.Harmonized data security and con dentiality standards among programs, and a commitment

to en orcing them, can, however, minimize these risks. Breaches involving electronic data withidenti able in ormation (e.g., human error resulting in reports going to the wrong patient orprovider or databases being stolen or accessed illegally) might cause greater harm because morein ormation about more individuals is released. There ore, procedures or electronic data securitymust be developed. However, there are also some risks to not sharing data. Individuals might notreceive prevention services, clients might not receive appropriate treatment, clients might notreceive treatment at all, and disease transmission might increase.

Costs associated with improvements in data security can be a barrier to data sharing. Toacilitate data sharing, hardware and so tware systems need to be compatible. Electronictrans er o data needs to be per ormed securely. Storage o data needs to be secure andremain con dential at all levels. Additional computer programming support may be requiredto acilitate secure data sharing across programs, conduct data matches, meet systemsrequirements, and de-duplicate data.

VI. Guiding Principles or Data Collection, Storage, Sharing,and Use to Ensure Security and Confdentiality The 10 principles below are intended to guide NCHHSTP- unded programs in developing datasecurity and con dentiality policies. The principles should guide the collection, storage, and use o data or legitimate public health purposes. Legitimate public health purposes can be de ned as apopulation-based activity or individual e ort aimed primarily at the prevention o injury, disease, or

premature mortality. This term also re ers to the promotion o health in the community, including1) assessing the health needs and status o the community through public health surveillance andepidemiologic research; 2) developing public health policy; and 3) responding to public healthneeds and emergencies. Public health purposes can include analysis and evaluation o conditionso public health importance and evaluation o public health programs. The principles alsounderpin the data security standards de ned in the ollowing section.


17/72

11

TEN GUIDING PRINCIPLES FOR DATA COLLECTION, STORAGE, SHARING,AND USE TO ENSURE SECURITY AND CONFIDENTIALITY

1. Public health data should be acquired, used, disclosed, and stored orlegitimate public health purposes.

2. Programs should collect the minimum amount o personallyidenti able in ormation necessary to conduct public health activities.

3. Programs should have strong policies to protect the privacy andsecurity o personally identi able data.

4. Data collection and use policies should re ect respect or the rightso individuals and community groups and minimize undue burden.

5. Programs should have policies and procedures to ensure the qualityo any data they collect or use.

6. Programs have the obligation to use and disseminate summary datato relevant stakeholders in a timely manner.

7. Programs should share data or legitimate public health purposesand may establish data-use agreements to acilitate sharing data in atimely manner.

8. Public health data should be maintained in a secure environmentand transmitted through secure methods.

9. Minimize the number o persons and entities granted access toidenti able data.

10. Program o cials should be active, responsible stewards o publichealth data.

Adapted rom: Lee, LM, Gostin, LO. Ethical collection, storage, and use o public health data: a proposal or nationalprivacy protection. JAMA 2009;302:8284


18/72

12

VII. Standards or Data Collection, Storage, Sharing, andUse to Ensure Security and Confdentiality The ollowing standards are based on the 10 guiding principles listed in the previous section.

They represent recommended standards to ensure the security, con dentiality, and appropriateuse, including sharing, o data collected by NCHHSTP- unded programs.

The standards are grouped into ve topical areas: program policies and responsibilities; datacollection and use; data sharing and release; physical security; and electronic data security. Eachstandard is ollowed by a brie background or explanatory statement and a set o questions toguide programs in policy development and implementation.

1.0 PROGRAM POLICIES AND RESPONSIBILITIESSTANDARD 1.1 Develop written policies and procedures on data security andcon dentiality; review policies and procedures at least annually; revise them asneeded; and ensure their review by and accessibility to all sta members havingauthorized access to con dential individual-level data.

Programs should develop and maintain written policies and procedures on data security andcon dentiality. Written policies and procedures should include:

Review o applicable laws and regulations

Description o applicable data (include details on types o records, systems, and reports)

Roles and responsibilities o persons with authorized access to the data

Applicable con dentiality agreements

Controls or data management, security, and access (physical and electronic)

Address when use o privacy advice or reminder is appropriate (i.e., when to includeprivacy advice at the point o in ormation use on orms, in ormation collectiondevices, systems, le cabinets, etc.)

Speci ed policies applicable to trainees, students, volunteers, visitors, and cleaningand security sta .

Provisions to limit disclosure and prevent indirect release o PII

Guidance on data sharingPolicies should be introduced to new sta members, students, and volunteers during orientationand reviewed with all sta members during annual training sessions. Sta members should alsobe noti ed o any changes or updates to data security policies.

See Appendix E or a suggested outline o a policy or data security, con dentiality, sharing and use.


19/72

13

G U I D I N G Q U E S T I O N S :

Does the program have written policies and procedures on data securityand con dentiality?

Are the policies and procedures consistent with the standards in this document?

Are the policies and procedures available and accessible to program sta ?

Are sta trained in the policies and procedures and alerted to any revisions?

STANDARD 1.2 Designate a person or persons to act as the overall responsible party(ORP) or the security o public health data your program collects or maintains, andensure that the ORP is named in any policy documents related to data security.

The purpose o naming an ORP is to increase program accountability or data security. TheORP should have the authority to modi y programs and policies to meet the standards in thisdocument. The ORP can be selected rom the program, section, or agency level. The agencysorganizational structure might demand designating more than one person as ORP (i.e., an ORPpanel). The ORP(s) may also choose to have data releases or proposed data sharing activitiesreviewed by a group o designated individuals to acilitate the review process and ensure the risksand bene ts o the proposed activities are considered and make recommendations.


Has an ORP been designated and named in all relevant policy documents?

Does the ORP have authority to modi y data security policies and prodedures or compliancewith the standards in this document?

STANDARD 1.3 Ensure that data security policies de ne the roles and access levelso all persons with authorized access to con dential public health data and theprocedures or accessing data securely.

Access to surveillance data needs to be planned. The number o people with access to identi ablein ormation should be kept to a minimum, and de-identi ed data should be used or routineanalyses whenever possible. Operational security procedures should be devised to minimize the

number o people with access to con dential data. Written procedures should speci y how to obtainauthorization or access to both PII and de-identi ed data.


Is authorized access granted based on the data users need to know?

Is the number o persons with access to PII kept to a minimum?


20/72

14

STANDARD 1.4 Ensure that data security policies require ongoing reviews o evolving technologies and include a computer back-up or disaster recovery plan.

Because the technology used to secure data is constantly evolving, in ormation technology and

security pro essionals should be included in the development and review o data security policiesand procedures. Policies should include plans or a secondary, secure, o -site computer operationthat can go into e ect in the event o a catastrophic ailure at the primary location. The NationalInstitute o Standards and Technology Special Publication 800-34, Contingency Planning Guide orFederal In ormation Systems contains guidance on contingency planning or IT resources and isavailable at: http://csrc.nist.gov/publications/PubsSPs.html .25


Have persons with technical expertise in in ormation and system security been consulted toensure that data security policies and procedures are adequate?

Do policies and procedures include a disaster recovery plan?

STANDARD 1.5 Ensure that any breach o data security protocol, regardlesso whether personal in ormation was released, is reported to the ORP andinvestigated immediately. Any breach that results in the release o PII tounauthorized persons should be reported to the ORP, to CDC, and, i warranted tolaw en orcement agencies.

Guidelines or a risk-based approach or protecting con dentiality o PII, including respondingto breaches (incident response), are described in the National Institute o Standards and

Technology Special Publication 800-122, Guide to Protecting the Con dentiality o PersonallyIdenti able In ormation available at http://csrc.nist.gov/publications/ . 12 The data securitypolicy should include procedures or reporting suspected breaches, including who to noti yabout a suspected breach. Sta members should be amiliar with the programs de nition o asecurity breach. Sta members should review procedures during annual security training. A logo security breaches and lessons learned during investigations o breaches might be use ul inrevising security policies.

Breaches that do not result in the release o PII can be handled within programs. Breaches thatresult in unauthorized disclosure o PII require immediate consultation with legal counsel andnoti cation o high-level authorities in the agency to ensure appropriate action. There are ederal

requirements or reporting breaches o PII involving ederal data or ederal supported systems.For instance, based on OMB Memorandum 06-19 ( http://www.whitehouse.gov/sites/de ault/ les/omb/memoranda/ y2006/m06-19.pd ),26 i PII rom a ederally supported system were to bereleased to, or stolen by, unauthorized persons, that breach must be reported to ederal securityo cials within one hour o its discovery. For NCHHSTP, the designated person is the In ormationSystem Security O cer (ISSO) or the Center. Both the ISSO and the CDC program contact need tobe noti ed immediately.
http://csrc.nist.gov/publications/PubsSPs.htmlhttp://csrc.nist.gov/publications/http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2006/m06-19.pdfhttp://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2006/m06-19.pdfhttp://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2006/m06-19.pdfhttp://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2006/m06-19.pdfhttp://csrc.nist.gov/publications/http://csrc.nist.gov/publications/PubsSPs.html


21/72

15


Are procedures in place to respond to breaches in data security?

Does the data security policy identi y the person to be noti ed i a breach is suspected? Are sta members amiliar with the programs de nition o a security breach?

STANDARD 1.6 Ensure that sta members with access to identi able public healthdata attend data security and con dentiality training annually.

All sta members (including IT personnel, contractors, and mail room and custodial sta ) requiregeneric security awareness training to ensure and support a culture o con dentiality, but sta whohave access to PII require additional training speci c to their responsibilities and level o authorizedaccess to PII. Training should cover:

Personal responsibilities

Procedures or ensuring physical security o PII

Procedures or electronically storing and trans erring data

Policies and procedures or data sharing

Procedures or reporting and responding to security breaches

Review o relevant laws and regulations

All sta should have documentation o completion o their training. Programs are responsible ormaintaining this documentation in their personnel les.


Is security training required or new sta members and annually or all sta members?

Are there speci c modules related to job responsibilities? For example, mail room andcustodial sta would have di erent training components based on job duties and likelihoodo access to con dential material.

Does the training cover the standards in this document?

Does the training include a review o physical and electronic data security procedures,con dentiality procedures, and release and sharing procedures on an ongoing basis?

Is attendance at the training sessions documented? Are training materials updated as needed?


22/72

16

STANDARD 1.7 Require all newly hired sta members to sign a con dentialityagreement be ore being given access to identi able in ormation; require all sta members to re-sign their con dentiality agreements annually.

All sta (including IT, mail room, and custodial sta ) should sign a nondisclosure or con dentialityagreement stating that the employee agrees not to release PII to any unauthorized persons. Theagreement should be maintained in the employees personnel le. A con dentiality agreementshould be required be ore assigning passwords or keys that allow access to PII. Policies andprocedures should address sta out-processing and relinquishment o authorized access.

G U I D I N G Q U E S T I O N :

Are all sta members required to sign a con dentiality agreement be ore they are grantedaccess to PII?

STANDARD 1.8 Ensure that all persons who have authorized access to con dentialpublic health data take responsibility or 1) implementing the programs datasecurity policies and procedures, 2) protecting the security o any device in theirpossession on which PII are stored, and 3) reporting suspected security breaches.

The data security responsibilities o sta members should be incorporated into their con dentialityagreements and reviewed during annual training. Supervisors should consider includingsecurity-related questions in annual per ormance reviews as a way o gauging sta membersunderstanding o their data security responsibilities.

Responsibilities o persons with authorized access to PII include but are not limited to:

Protecting keys, passwords, and codes that would acilitate unauthorized access to PII

Taking appropriate action to avoid in ecting computer systems with virusesand other malware

Protecting computers and devices rom extreme heat and cold

Protecting mobile devices and storage media rom loss or the t

Appropriate use o personal computers and storage devices

Appropriate removal o data rom secure acilities


Are the data security responsibilities o sta members outlined in their con dentiality agreements?

Are these responsibilities reviewed annually?

Are sta members aware o relevant data security policies? Have they completedsecurity training?

Do sta members know how, and to whom, to report suspected security breaches or instances o unauthorized access? Are they amiliar with the criteria or reporting and investigation?


23/72

17

STANDARD 1.9 Certi y annually that all data security standards have been met.

Programs should sel -certi y annually and work collaboratively with CDC to address any problemareas. At a minimum, programs should provide a statement that:

Identi es the ORP

Attests to the programs adherence to the data security standards

Cites policies and procedures that document adherence to these standards

Documents any reasons or non-adherence, with plans or remediation


Has an ORP been named?

Has a statement attesting to adherence to the standards been provided?

Is a list o con dentiality and security policies and procedures available upon request?

2.0 DATA COLLECTION AND USESTANDARD 2.1 Clearly speci y the purpose or which the data will be collected.

Written policies and procedures should describe the intended public health purposes orcollecting data and the scope and limits o the data collection activities when data are shared orused. A legitimate public health purpose includes e orts to prevent disease or premature death or

promote health among members o a community through activities such as: Assessing the health needs and health status o a community through public healthsurveillance and epidemiologic research

Developing public health policy

Responding to public health needs and emergencies

Evaluating public health programs


What is the rationale or the proposed data collection?

What is the intended use or the data?

What are the limits on how the data may be used?

Is the proposed data collection likely to lead to a reduction in morbidity and mortality ratesthrough targeting o public health interventions without creating undue burdens?

Is the proposed data collection signi cantly di erent rom other approved public health datacollection e orts?


24/72

18

STANDARD 2.2 Collect and use the minimum in ormation needed to conductspeci ed public health activities and achieve the stated public health purpose.

Be ore implementing data-collection or data-sharing activities, public health practitioners should

speci y minimum data elements and consider whether collection and use o personally identi abledata will be necessary to achieve their public health goal.

The minimum in ormation requirement will vary based on the activity. For example, certainpersonal identi ers are required or activities requiring ollow-up with individuals; or partnerservices, that might include name and locating in ormation such as an address, in addition toother in ormation deemed critical or the investigation. When considering a new data-collectionor data-sharing e ort, consider the ollowing guidelines:

Speci y minimum data elements, and include only the in ormation needed to achieve thepublic health goal(s).

Minimize or avoid collecting in ormation just because it might be o later use or becauseit is easily accessible.

Re er to similar high-quality data-collection e orts or data-sharing activities withproven success.

Avoid unnecessary retention or creation o multiple data collections or data managementsystems (the more collections/systems, the greater the complexity o security management).


What is the minimum amount o demographic, geographic, and health-related data needed toaccomplish the public health goal o the proposed data collection?

Are all proposed data elements justi able in terms o their contribution toward achieving thepublic health goal?

Are key data elements similar enough to those collected through previous data collectione orts to allow needed comparisons?

STANDARD 2.3 Collect personally identi able data only when necessary; usenonidenti able data whenever possible.

Identi able data require a higher standard o protection than nonidenti able data. Collectionand use o identi able data are justi able i the data are to be used or a public health purposethat cannot be achieved through the use o nonidenti able data. Published standards andrecommended practices or maintaining con dentiality o PII and de-identi cation o data can beused to guide policy development. 12, 18, 27-32


25/72

19


Is the use o PII necessary to achieve the public health goal o the proposed data collection?

Have possible alternatives to using identi able data, such as using anonymized data,been explored?

What are the risks and bene ts o using identi able data?

What is the scienti c reliability and validity o identi able data when used or thepurposes proposed?

When should in ormed consent be obtained, and what should be done when obtainingin ormed consent is not easible?

Can identi ying in ormation be separated rom other sensitive in ormation by the useo a meaningless common identi er?

STANDARD 2.4 Ensure that data that are collected and/or used or public healthresearch are done in accordance with stipulations in Common Rule, Title 45, Part46 o the Code o Federal Regulations, which includes obtaining both institutionalreview board (IRB) approval or any proposed ederally unded research andin ormed consent o individuals directly contacted or urther participation.

The use o identi able data or research is contingent on a demonstrated need or the data,IRB approval, and the signing o a con dentiality agreement regarding rules o access and naldisposition o the in ormation. The use o nonidenti able data or research is generally permissiblebut might still require IRB approval, depending on the amount and type o data requested.Programs should consult applicable guidance on research versus practice and human subjectsregulations. 24,33


What procedures are in place to determine whether a proposed use o identi able public healthdata constitutes research requiring IRB review?

Has the proposed research been determined to serve a legitimate public health purpose?

Has the proposed research been submitted or appropriate review and evaluationby an IRB?

What e orts have been made to in orm the public or a ected communities about researchinvolving identi able data?


26/72

20

3.0 DATA SHARING AND RELEASE

STANDARD 3.1 Limit sharing o con dential or identi able in ormation to those

with a justi able public health need; ensure that any data-sharing restrictions do notcompromise or impede public health program or disease surveillance activities andthat the ORP or other appropriate ofcial has approved this access.

This standard applies to the sharing o data with other public health entities that might needroutine access to the data or a related public health unction. For example, a TB surveillance unitand HIV unit that routinely match case registries to update case in ormation might require somereciprocal access to each others in ormation. Or, a partner services program might need access tolimited in ormation on newly reported HIV cases to initiate partner services. Such access shouldbe authorized by the ORP(s) o the program(s) maintaining the data and limited to the minimumnumber o persons, and amount o in ormation necessary.

When proposing changes to policies a ecting access to public health data, i the changes aresigni cantly di erent rom standard practices or controversial, it is good practice to rst seek inputrom members o a ected communities, medical providers, and/or other key stakeholders to ensurethat the proposed changes do not adversely a ect public trust in, or the integrity o , the publichealth system.

For any routine, authorized sharing o in ormation, programs should veri y:

Appropriateness o sharing

Integrity o the in ormation shared

Identity o the recipient

Security o the method through which the in ormation will be shared


Is access to PII necessary to achieve a speci ed public health unction?

Have steps been taken to limit access to the ewest number o persons necessary?

Is in ormation sharing reduced to the minimum in ormation necessary?

Do procedures by which data will be accessed include adequate data security andcon dentiality protections?

STANDARD 3.2 Assess the risks and bene ts o sharing identi able data or otherthan their originally stated purpose or or purposes not covered by existing policies.

Public health interventions and research o ten rely on the use o shared data. However, strict normso privacy and con dentiality must govern any sharing o data, and de-identi ed data should beused whenever possible. Data should be shared only or legitimate public health purposes and alldata sharing must comply with applicable laws and regulations. See Glossary in Appendix A or ade nition o legitimate public health purposes.


27/72

21

Determining whether proposed data sharing is legitimate o ten involves ethical questions. Anautonomous body composed o persons amiliar with ethics in public health surveillance mayprovide insight and eedback on proposed activities. 34 Several models o ethical decision-makingmight provide use ul, practical guidance or decisions on data use .35-39

Begin by identi ying the public health ethics issues in the speci c situation, including thoserelated to risks and bene ts, public health goals, stakeholders, and precedent cases.

Generate and compare di erent options or courses o action and the ethical rationale oreach. Choose the best option and justi y the chosen course o action.

Evaluate the selected action to determine i the desired outcome was achieved.


Have all alternatives to sharing such data been explored?

Is the sharing o identi able data necessary?

Is the proposed use within the scope o your data-release policy and or a legitimate publichealth purpose?

Have the security and con dentiality standards o the requesting party been assessed? Arethe standards adequate?

Does the entity receiving identi able data have in place con dentiality and security standardsthat meet the standards outlined in this document?

STANDARD 3.3 Ensure that any public health program with which personallyidenti able public health data are shared has data security standards equivalent tothose in this document.

Con dentiality can be compromised i data are shared with programs that lack adequate securityand con dentiality protections.

Share data only a ter the ORP(s) has weighed the bene ts and risks o allowing access.

Share data only with programs that have written policies and procedures establishing datasecurity and con dentiality protections equivalent to those in this document.

G U I D I N G Q U E S T I O N S : Does the program accessing the data have written security and con dentiality policies and

procedures?

Have the policies and procedures been reviewed and ound to be consistent with thestandards in this document?


28/72

22

STANDARD 3.4 Ensure that public health in ormation is released only or purposesrelated to public health, except where required by law.

Programs should establish data release policies and procedures that delineate any exceptional

circumstances that may warrant the release o identi able data and how the con dentiality o such data will be protected. Programs can develop routine disclosure procedures that outline aprocess or reviewing routine disclosures. 40 Review procedures could include designating a groupo persons, including the ORP(s) to review nonroutine data releases. Be ore allowing nonroutinedisclosures, policies could include a brie period o contemplation, or timeout, be ore releasingdata to minimize risk o improper disclosure. 40

Programs should not release PII to anyone outside o public health except in circumstancesinvolving signi cant risk o harm to the public or i required by law. Even when required, only theminimum in ormation should be released. The ORP and legal counsel o the program(s) controllingthe data should review any request or PII to determine the speci c data, i any, that must be

released. In some instances, the in ormation requested may be available rom other sources. Whenin ormation is ordered or release as part o a judicial proceeding, any release or discussion o in ormation should occur in closed judicial proceedings, i possible.


Is the release o identi able data to o cials in law en orcement, immigration control, or publicwel are management justi ed by an imminent threat to individuals or populations or othercompelling circumstances?

Have all possible alternatives to the use o identi able data been examined be ore the releaseo such data?

Has a legal analysis been conducted by the health departments legal counsel?

What non-public health use o the data is required or allowed by law?

STANDARD 3.5 Establish procedures, including assessment o risks and bene ts,or determining whether to grant requests or aggregate data not covered byexisting data-release policies.

Procedures could include a process designating a group o persons to review requests that areoutside the stated policy. Any data release must be or a legitimate public health purpose and inaccordance with applicable laws and regulations.

G U I D I N G Q U E S T I O N :

Are there precedents or the requested release o data? I so, how were thoseprecedent cases handled?


29/72

23

STANDARD 3.6 Disseminate nonidenti able summary data to stakeholders assoon as possible a ter data are collected.

Written policies should address procedures or the dissemination o nonidenti able summary data

to stakeholders and the public. Summary data should be disseminated in a manner that acilitatesunderstanding by a ected populations and illuminates the compounding impact o syndemics.

Since some aggregate data could be used to identi y individuals, policies should usually restrictrelease o certain data elements to avoid a con dentiality breach. Wider public access andsearchability o databases (e.g., death records and obituaries) increases the capability to re-identi yother de-identi ed data. Consideration should be given to consulting with de-identi cationexperts prior to release when in doubt. In some instances, the obligation to use the data tohelp members o demographic groups examine trends and burden o disease or public healthplanning might outweigh the risk o possible stigma that could be associated with someaggregate data. For example, the release o data showing high rates o alcohol and drug use in

a small community, although potentially stigmatizing, must be weighed against the potentialadditional resource planning and allocation or drug and alcohol treatment services that couldresult rom such a release.


Have data dissemination plans been described? What e orts have been made to ensure thatnonidenti able data are disseminated regularly and in a timely manner?

Are procedures in place to assess the use ulness o data dissemination e orts?

What precautions have been taken to ensure that the disseminated data are not presented inways that may indirectly identi y individuals?

STANDARD 3.7 Assess data quality be ore disseminating data.

Evaluations o data quality should occur during collection, management, analysis, and use toensure su ciently accurate and valid data. The quality o public health data is critical to the validityo public health policies and actions based on these data.

Guidance on ensuring data quality is provided in the HHS Guidelines or Ensuring the Quality o In ormation Disseminated to the Public, Part D, CDC and the Agency or Toxic Substances andDisease Registry (ATSDR). Quality assurance mechanisms described in the document include

internal reviews, external reviews, merit reviews, and peer reviews. Programs may also consultwith independent researchers and experts in areas such as data collection and data analysis;maintain ongoing contact with data users and participate in con erences and workshops to assessthe needs o potential data users; and use a wide variety o dissemination mechanisms to makestatistical and analytic in ormation broadly accessible. 41


30/72

24

STANDARD 3.8 Ensure that data-release policies de ne purposes or which the datacan be used and provisions to prevent public access to raw data or data tables thatcould contain indirectly identi ying in ormation.

The main challenge in developing responsible data-release policies is to balance the need to makedata available to a broad audience and in a timely manner with the need to protect individualprivacy. Data-release policies should address:

Purpose and types o data (e.g., de-identi ed, patient-level, and aggregate) that can be released

Intended audience

Rules or suppression

Rules or dissemination o aggregate data products

Physical and electronic (including IT) controls to ensure data security

Mechanisms and procedures or requesting data and considering data requests Suggested ormats or data-use agreements

Use ul standards or data-release and data-sharing refect principles and policies outlined in theCDC/ATSDR Policy on Releasing and Sharing Data,13 the CDC-CSTE Intergovernmental Data ReleaseGuidelines Working Group Report: CDC/ATSDR Data Release Guidelines and Procedures or Re-release o State-Provided Data. 4 The CDC/ATSDR policy provides guidance aimed at balancing thedesire to disseminate data as broadly as possible with the need to maintain high standards andprotect con dential in ormation, while also ensuring compliance with applicable ederal regulationsand guidelines. The O ce o Management and Budgets (OMB) Federal Committee on StatisticalMethodology, Statistical Policy Working Paper 22: Report on Statistical Disclosure Limitation

Methodology also provides use ul guidance or developing data release policies.31


Do the data-release policies address the ollowing?

Roles and responsibilities o program personnel, including any con dentialityagreements they must sign and any training they must receive

Access procedures and authorization rules

Descriptions o the data and to whom, and in what ormat, they can be released

Procedures or data release

Speci c requirements or sharing identi able data

Mechanisms or data release, including rules or minimizing disclosure suchas cell-size restrictions

Disposition o data a ter they have been used or a stated purpose

Do data release plans include mechanisms or evaluating the use ulness o released dataand whether the release o data is causing undue burden on individuals or communities?


31/72

25

4.0 PHYSICAL SECURITY

STANDARD 4.1 To the extent possible, ensure that persons working with hard copies

o documents containing con dential, identi able in ormation do so in a secure,locked area.

Physical access controls should be in place to protect hard-copy data and computer equipment.Operational security procedures should be devised to minimize the number o storage locations inwhich PII is held.

Minimum Secure Area

Work space with limited access or only necessary sta

Locked le cabinets that are large and heavy enough to render them immobile

A designated location within the work space where con dential conversations may be held

Enhanced Security Con gurations

A dedicated, secure area accessible only via locked door with limited key or keycarddistribution to minimal sta

Double-locked le cabinets that are large and heavy enough to render them immobile

A workstation/table equipped with a telephone and computer to handle data withinthe secure space

A dedicated, secure room would be the pre erred location or con dential, secured data stored inlocked, immobile cabinets. Additionally, this space could provide a table or work station or sta to conduct con dential telephone conversations. In the absence o a dedicated, secure room, areasonable alternative could be an area which is accessible only rom within the surveillance area tohouse immobile, locked le cabinets. I necessary, one secure le cabinet could be shared by severalsmall programs within a jurisdiction i they have the same data security standards.

I data must be stored or used in less than ideally secure work areas, the security o these areas shouldbe improved as much as possible. For example, in many workplaces con dentiality is improvedby requiring paper documents with con dential in ormation to be kept locked in desk drawerswhen not in use or when a worker is away rom his or her desk. Security might also be improved byrecon guring cubicles, o ce partitions, and requiring con dential phone conversations to take placein a private room. This is not an exhaustive list o improvements, but it shows that creative thinkingmay be needed to turn an open work area into a more secure workplace.

In the course o public health work, and in the evolving modern work environment, con dentialdata may be handled not only outside the secure work area, but o -site, in the eld, or in telework/ remote sites (see Appendix G or guidelines on working in nontraditional settings).


32/72

26

It is critical that project areas develop and implement protocols or telework, remote work, and eldwork, in addition to core con dentiality and security policies. Even i these work activities have notyet been implemented in a project area, provisions should be made or their uture implementationby including them in the current protocols.


Are hard copies o con dential or identi able data kept in a secure area?

Are physical controls adequate to ensure that paper copies o material containing identi abledata are secured in lockable ling cabinets within a locked secured area with controlled access?

STANDARD 4.2 Ensure that documents containing con dential in ormation are

shredded with crosscutting shredders be ore disposal.Crosscutting eatures are needed to ensure con dential in ormation cannot be recovered.See National Institute o Standards and Technology Special Publication 800-88, Guidelines orMedia Sanitation, available at http://csrc.nist.gov/publications / , or discussion o shredding anddestruction o paper and other media. 42 Contracting with a document-shredding service may bean option or some programs. I a service is used, be sure that documents are shredded on site andin the presence o a sta member. In all cases, a contract shredding or disposal company must bebonded, and due diligence should be taken in the selection o the company.


Do sta members have access to a crosscutting shredder? Is there a records-retention policy governing disposal o paper copies o con dential in ormation?

STANDARD 4.3 Ensure that data-security policies and procedures address handlingo paper copies, incoming and outgoing mail, long-term paper storage, and dataretention. The amount o con dential in ormation in all such correspondence shouldbe kept to a minimum and destroyed when no longer needed.

Policies should address retention o paper copies. I electronic copies exist, paper copies can bedestroyed when no longer needed, in accordance with established health department policies.Provisions should be made to destroy copies using methods described in Standard 4.2.


Do policies describe procedures or managing incoming and outgoing mail containingcon dential in ormation?

Do procedures speci y minimum in ormation criteria or paper copies?

What data retention policies apply to the data?
http://csrc.nist.gov/publicationshttp://csrc.nist.gov/publications


33/72

27

STANDARD 4.4 Limit access to secure areas that contain con dential public healthdata to authorized persons, and establish procedures to control access to secureareas by non-authorized persons.

Data security policies and procedures should speci y who has access to secure areas. Policiesand procedures must also address the need or access by unauthorized persons (e.g., cleaning,maintenance, and security sta ). Programs might consider providing cleaning crews with accessto secure areas only when authorized sta members are present or when con dential materials arestored and protected.


Do policies adequately describe who has access to secure areas?

Do data security policies and procedures address access to secure areas and le storage areasby cleaning crews and maintenance sta ?

Are procedures in place to control access to secure areas by other unauthorized personnel?

STANDARD 4.5 Ensure that program personnel working with documentscontaining PII in the eld 1) return the documents to a secure area by close o business, 2) obtain prior approval rom the program manager or not doing so, or 3)ollow approved procedures or handling such documents.

Simple physical the t is a major cause o health in ormation breaches. Transportation and useo PII outside o secure areas should, there ore, be minimized and care ully controlled. Programsemploying eld workers should establish speci c procedures or:

Working with PII outside o secure areas

Obtaining or documenting a managers approval to do so

Physically securing documents containing PII that remain in sta custody a ter usualwork hours


Do policies include procedures or securing documents containing PII when they cannot bereturned to a secure work site by the close o business?

Do policies outline speci c reasons, permissions and physical security procedures or using,transporting and protecting documents containing PII in a vehicle or personal residence?


34/72

28

STANDARD 4.6 Ensure that documents with line lists or supporting notes containthe minimum amount o potentially identi able in ormation [PII] necessary and,i possible, that any potentially identi able data are coded to prevent inadvertentrelease o PII.

To the extent possible, PII should not be removed rom a secure location or accessed roman unsecure area. However, some public health activities (e.g., eld investigations and serviceprovision) require taking such in ormation into unsecure areas. In these situations, the use o PIIshould be limited and appropriate security measures implemented.


Is access to public health notes and investigation in ormation containing identi able data limitedto personnel requiring the in ormation or an approved purpose?

Are con dential data elements coded?

5.0 ELECTRONIC DATA SECURITY

Implementation o electronic data security standards will be conducted in a rapidly evolvingtechnological environment. While technology is changing, the ollowing elements will remainimportant to consider when developing policies.

Access: Access to surveillance data needs to be planned in advance. Access groups can be setup in virtually all IT environments, which will allow the program to designate users with di erent

levels and types o rights. Programs should speci y who has access to various data, under whatcircumstances, and how the identity o users are authenticated. For example, they might stipulatethat identi able data should be accessed only rom a properly secure network server ratherthan rom local workstations. Isolated segments or domains can be implemented, which limitsaccess to those in selected groups. They also might limit the times during which data can beaccessed, restrict the copying or downloading o data, and set up other controls as needed. Dueto the technical nature o these control measures, IT personnel should be involved in the initialassessment and both the ormulation and implementation o electronic data security policies. Appendix G also addresses electronic data security issues.

Encryption and Backups: Although encryption may not be needed or data on a production

registry or surveillance data system located within a secure area and separate rom anynetworks, encryption is still recommended. Any data in such a registry or system do need tobe encrypted be ore being transmitted or downloaded to approved locations and while beingused in the eld on laptops or similar devices. Although surveillance databases and other leswith identi ying in ormation need to be backed up, back-up databases and les should beencrypted in accordance with ederal encryption standards and stored in a secure location.Bonded storage companies can be used to store back-up les o identi able data as long asthe data are encrypted according to standard operating procedures. Encryption is one meanso increasing data security. Backup data should also be encrypted be ore being copied to a


35/72

29

secure location. All encryption methods need to meet standards detailed in Federal In ormationProcessing Standards (FIPS) Publication 197, Advanced Encryption Standard (AES).(See http://csrc.nist.gov/publications/ ps/ ps197/ ps-197.pd . ) 43

Evolving Technologies: Many public health workers handle PII in the eld while pursuing publichealth activities, and as technology continues to evolve, use o PDAs, electronic tablets, andnotebook computers may involve data stored on portable devices. Programs must there oreplan or migration rom paper-oriented to electronic systems that meet established and evolvingelectronic and procedural security standards. Forward-looking con dentiality and securityprotocols should include provisions or phones, PDAs, tablets, and workbooks that take client-identi ed data to the eld and allow or real-time updates, reporting, and data entry rom eldsites as well as by medical sta in examination rooms. These protocols should also provideaccountability measures to ensure that sta members employ this secured, con dential data inappropriate locations while in the eld. Programs may review National Institute o Standards and Technology Special Publication 800-124, Guidelines on Cell Phone and PDA Security, available athttp://csrc.nist.gov/publications/ ) when developing policies. 44

Surveillance programs will be increasingly using electronic medical records and electroniclaboratory records to complete case reports. Many health departments already have or areconsidering public health in ormation exchanges which have the potential to enhance surveillancedata collections. When implementing these activities programs should ensure secure methods areused and policies and procedures ensure security and con dentiality o data. Additional resourceson electronic data exchange can be ound at http://www.cdc.gov/ehrmeaning uluse/ and thepublic health in ormation network ( http://www.cdc.gov/phin/ ) .

Secure Transmission: Data to be transmitted across de ned, secure boundaries should be

transmitted through the use o secure methods, such as secure data networks (SDNs), virtualprivate networks (VPNs), and secure le transport protocol (SFTP). Although these methods canbe used to encrypt data in transit, they do not encrypt data be ore they are sent or a ter they arereceived. There ore, i either the sender or the recipient o the data is not part o a de ned securityzone appropriate or sensitive data, data should be encrypted by another method prior to beingtransmitted. Since transmission o data via cell phones or PDAs is similarly insecure, identi ablein ormation should also not be sent with these devices.

STANDARD 5.1 Ensure that analysis data sets that can be accessed rom outsidethe secure area are stored with protective so tware (i.e., so tware that controls data

storage, removal, and use), and veri y removal o all personal identi ers.Analysis data sets should be stored on a separate server or segmented local area network (LAN).At a minimum, analysis data sets should be located on a virtual server and all personal identi ersshould be removed. The inclusion o sensitive or potentially linkable data elements such as a labID, accession number, or case report number should be limited to those required or analysis andshould not be included in analysis data sets. Given the increasing ability to re-identi y records bymatching between multiple publically accessible databases, consultation with a de-identi cationexpert may be use ul be ore making de-identi ed databases publically available.

Encryption o analysis data sets, when not in use, is not necessary i personally identi able data
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdfhttp://csrc.nist.gov/publications/http://www.cdc.gov/ehrmeaningfuluse/http://www.cdc.gov/phin/)http://www.cdc.gov/phin/)http://www.cdc.gov/ehrmeaningfuluse/http://csrc.nist.gov/publications/http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf


36/72

30

elements have been removed. However, encryption is recommended as additional protectionrom accidental or purpose ul misuse.


Are roles assigned to selected individuals to create analysis data sets to minimize thenumber created?

What measures have been taken to ensure that analysis data sets are created, stored, andaccessed securely?

Do data security policies describe the data elements that may be included in analysis data sets?

STANDARD 5.2 Ensure that any electronic trans er o data is approved by the ORPand subject to access controls, and that identi able data are encrypted be ore beingtrans erred. This standard applies particularly to situations in which data are obtained electronically romsources outside the health department (e.g., electronic laboratory data, electronic health records,Web-based systems, hospitals, and other large providers). Extracts rom these systems shouldmeet the minimum security standards outlined in this document. Electronic records shouldbe protected through security devices such as sign-on passwords, encryption, and audit trails.External sources should be encouraged to review their procedures. Approved data trans ermethods should be used when designing electronic reporting mechanisms or laboratories,providers, etc.

As possible, data with PII should be encrypted while in transit and when at rest. Ideally, data-trans ers should be done over a secure data network (SDN), virtual private network (VPN)connection with certi cates on both the sending and the receiving ends, or similar secureconnection. At a minimum, data trans er should be per ormed via a secure application such as ale trans er protocol (FTP) or which certi cation is required on at least one end.

Electronic les being stored or uture use (e.g., ancillary data and working laboratory data sets)should be encrypted until needed. I these les are needed outside the secure area, use o real-time encryption or an equivalent method o protection is recommended.


Are routine electronic trans ers o data containing identi able data done through securemethods, and are data encrypted be ore trans er?

Are encryption methods that meet Advanced Encryption Standards (AES) always used to moveidenti able public health data? (See http://csrc.nist.gov/publications/ ps/ ps197/ ps-197.pd .)

Are ancillary or working data sets containing PII encrypted when not in use?
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdfhttp://csrc.nist.gov/publications/fips/fips197/fips-197.pdf


37/72

31

STANDARD 5.3 Be ore trans erring electronic data containing PII, ensure that thedata have been encrypted with use o an encryption package that meets AdvancedEncryption Standard (AES) criteria and that the data trans er has been approved bythe appropriate program ofcial or ORP. No electronic data containing identi yingin ormation should be trans erred without being encrypted.

PII must be sa eguarded to maintain con dentiality. The pre erred method o securingdata is with whole-device encryption that ul lls FIPS 140-2 standards available athttp://csrc.nist.gov/publications/ ps/ ps140-2/ ps1402.pd . Device encryption ensures thatremnants o any les that were opened or deleted rom the device are ully secure. Fileencryption is adequate only when used in connection with proper physical protections. The leastappropriate security measure is to rely totally on physical protection and should be used onlyin highly secure and restricted environments. The decision to use physical protections over anencryption solution is a risk-based decision, as these protections cannot completely remove therisk o the t or loss o sensitive data.

Con dential, individual-level public health data should be trans erred via more secure electronictrans er methods, personal communication, or hard-copy mail delivery when at all possible. At aminimum, programs that choose to ax paper documents containing PII should take steps to makeit as secure as possible. Partners who submit identi able data to health departments also need tobe in ormed o acceptable methods o trans er. Guidelines or the use o acsimile machines areincluded in Appendix F.

E-mailing o unencrypted personally identi able in ormation is not allowed. Unintended release o con dential unencrypted e-mail may result. E-mail inadvertently might be sent to an unintendedrecipient, and even an encrypted e-mail might result in unintended access. Health departmentsmust also adhere to relevant sunshine laws regarding access to government e-mails. I publicaccess to e-mail is required, the process o publicly contesting the release o in ormation is notlikely to play out well to the general public.


Has identi ying in ormation been removed rom unencrypted data be ore they aretrans erred electronically?

Are encryption methods that meet AES standards always used in the trans er o identi able data?

Are procedures in place or limiting axing o con dential data? I axes are used, what

additional procedures are in place to secure the in ormation and ensure that it is sent tothe intended recipient only?

Do data policies address e-mailing o public health data?

Is identi ying in ormation always removed rom data or encrypted prior to the data beingsent by e-mail?
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdfhttp://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdfhttp://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf


38/72

32

STANDARD 5.4 Use encryption so tware that meets ederal AES standards toencrypt data with PII on all laptops and other portable devices that receive orstore public health data with personal identi ers.

PII on a laptop must be encrypted and stored on an external storage device or removable harddrive. The external storage device or hard drive containing the data must be separated rom thelaptop and held securely when not in use. The decryption key must not be on the laptop. Portabledevices without removable or external storage components must have encryption so tware thatmeets ederal AES standards. All removable or external storage devices containing identi ablepublic health data must:

Include only the minimum amount o in ormation necessary to accomplish assigned tasksas determined by the designated o cial or ORP

Be encrypted or stored under lock and key when not in use

Be sanitized immediately ollowing a given task (except or those used as back-ups)

Be ore any portable device containing sensitive data is removed rom a secure area, the datamust be encrypted. Methods used to sanitize a storage device must ensure that any data on thedevice cannot be retrieved by using undelete or data retrieval so tware. Hard drives, fash driv