Security and Confidentiality Practices - Houston Dept. of Health and Human Services

Jerald Harms, MPH, CART and Jeff Meyer, MD, MPH

HIV/AIDS SurveillanceHouston Dept. of Health and Human Services

November 1, 2006

The findings and conclusions in this presentation are those of the authors and do not necessarily represent the views of the Centers for Disease Control and Prevention.

Security and Confidentiality A major concern of HIV/AIDS surveillance

staff at HDHHS, DSHS, and CDC. Our purpose is to have secure and

confidential collection, storage, usage, and transmission of sensitive HIV/AIDS case information.

What has to be Reported to the Health Dept?

HIV diagnostic tests AIDS diagnostic tests and opportunistic

infections/malignancies Patient name, address, sex, race, disease

onset, probable source of infection, other requested related information, and treatment/services referrals

Who has to Report to the Health Dept?

Physicians, dentists Chief administrative officers of a hospital,

medical facility, penal institution Persons in charge of a blood bank, mobile

clinic, clinical laboratory Medical directors of testing and counseling

sites, community-based organizations

Class B misdemeanor for failure to report

What comes into the Health Dept? Electronic lab reports Hard copies of lab reports, physician/clinic

reports, death certificates, HIV medication reports, HIV reports from other surveillance programs – by mail, faxes highly discouraged, no email allowed

Telephone reports from physicians

What goes out of the Health Dept? De-identified aggregate reports Raw data to DSHS via secure data network

using encrypted files. Copies of reports sent by mail to DSHS.

DSHS transfers de-identified data to the CDC

What stays in the Health Dept? Paper copies in locked cabinets in locked

file room with no windows on 4th floor of a limited access building. Physical access limited to HIV/AIDS Surveillance personnel.

Server in a locked room with no windows on 4th floor. Computer access limited to HIV/AIDS Surveillance personnel. Can only be accessed on the 4th floor. No wi-fi access.

Security and Confidentiality Various legal protections exist, for example:

– Federal assurance of confidentiality under section 308(d) of the Public Health Service Act

– The federal Health Insurance Portability and Accountability Act (HIPAA) of 1996.

– Texas Health and Safety Code and the Texas Administrative Code

Program Requirements for Security and Confidentiality

Mandated by CDC as a condition of funding.

Must be certified annually by the Overall Responsible Party (ORP).

Five Guiding Principles1. Physically secure environment.2. Maintain electronic data in technically

secure environment and minimize staff and locations with access to data and personal identifiers.

3. Individual staff responsibility.4. Breaches investigated, sanctions imposed5. Practices and policies updated (quality

improvement).

Thoughts to Consider…. Policies and procedures dealing with paper,

electronic, or other types of information. Training is critical. Limited access to work area. Paper copies maintained in secure file room. Physically secure building (1st floor window

office?).

More Thoughts to Consider…. Program requirements address IT issues,

laptops, “other devices”, communications. No such thing as a totally secure fax or

email transmission. Encrypt files.

– Ancillary files with identifiers– Internal data transfers– Electronic line lists

Potential Sources of Risk Viewing, transmitting or moving identified

information (electronically, hard copies, fax, cell camera phones).

Physical access to secure area. Communications (verbal, electronic,

written, email, telephones). Lack of training and/or agreements.

Data Release Policy One way street!

Provisions to protect against public access to raw data or data tables that include small denominator populations that could be indirectly identifying.

Limit Access

Limit the number of people that can access confidential surveillance information.

Training Every individual with access to surveillance data

must attend initial security training and be retrained annually.

A signed confidentiality statement must be documented in the employee’s personnel file.

IT staff and contractors who require access to data must undergo the same training as surveillance staff and sign the same agreements.

Individual Responsibility All staff are individually responsible for

protecting data. This responsibility includes protecting

keys, passwords, and codes that would allow access to confidential information or data.

Computer monitors should not be observed by unauthorized personnel.

Phone conversations should not be capable of being overheard.

Physical Security All physical locations containing electronic

or paper copies of surveillance data must be enclosed inside a locked, secured area with limited access.

Shredding Paper Documents Surveillance staff must shred documents

containing confidential information before disposing of them.

Electronic Data Transfers Confidential surveillance data or

information must be encrypted before electronic transfer via a secure data network – no email transfer.

CDC strongly discourages the use of fax or email for electronic transfer of data.

Encrypt, encrypt, encrypt!

Going somewhere?

Carrying Data Data carried to and from the field must be in

a locked briefcase or in data encrypted computer devices and returned to the office at the end of the day.

Data Access Control Access to raw surveillance data for other

than routine surveillance purposes is contingent upon:– Demonstrated need for names– Institutional Review Board (IRB) approval– Signing a confidentiality statement regarding

rules of access and final disposition of the information.

Sharing Data with Other Surveillance Programs

ORP must weigh benefits and risk of allowing access to data.

Security of other program must be equivalent.

For example, public health follow-up of HIV cases, TB Control

Laptops, PDAs, & Portable Storage Devices

Laptops and other portable devices (e.g., PDAs, tablet personal computers, floppies, thumb drives) that receive or store surveillance information with personal identifiers must incorporate the use of encryption software.

Hard disks, diskettes, and thumb drives that contain identifying information must be cleaned before they are to be used for other purposes or they must be destroyed before disposal.

Security Breaches All staff who are authorized to access

surveillance data must be responsible for reporting suspected security breaches.

A breach of confidentiality must be immediately investigated to assess causes and implement remedies.