Guidelines on Protecting the Confidentiality and Security of HIV Information: Proceedings from a Wor

1
Guidelines on Protecting the Confidentiality and
Security of HIV Information Proceedings from a
Workshop in Geneva, May 2006

• Strategies for Building National-Scale
  Longitudinal Patient Monitoring Systems for HIV
  Treatment and Care in PEPFAR Countries
• Lusaka, Zambia
• October 3, 2007
• Xenophon M. Santas
• Global AIDS Division, CDC-Atlanta
• xsantas_at_cdc.gov
• Eddy Beck, EVA UNAIDS, Geneva
• becke_at_unaids.org

2
Presentation Overview

• Background
• Definition of terms
• Framework elements and scope of coverage
• Physical
• Electronic
• Procedural
• Legal and ethical considerations
• Context
• The Geneva workshop
• Aims
• Participants
• Process
• Outputs
• Next steps

3
Definition of Terms

• Privacy
• a legal concept, and refers to the protection
  that has been accorded to an individual to
  control both access to and use of personal
  information. Privacy protections vary from one
  jurisdiction to another and are defined by law
  and regulations. Privacy protections provide the
  overall framework within which both
  confidentiality and security are implemented.
• Confidentiality
• relates to organizational policies and procedures
  developed and implemented to safeguard the
  privacy of individuals when storing,
  transferring, and using their data, given that
  individuals, especially when using
  publicly-funded health services, may be
  considered to have rights as well as
  responsibilities while using such services.
• Security
• the collection of technical approaches that
  address issues covering physical, electronic, and
  procedural aspects of information protection, and
  which assure that no breaches in the
  confidentiality of information will occur.

4
Elements of the Framework

• Physical security
• Electronic security
• Data in transit
• Data at rest
• Procedural security
• Ethical and legal considerations
• Data release policies and procedures

5
Scope of Coverage

• Communities, non-governmental organizations
  (NGOs)
• Health and other facilities
• Sub-national (district/regional/provincial/
  state), national
• National data repositories or data warehouses
• International organizations

6
Striking a Balance
The most secure systems are also the most useless
(e.g. releasing only national-level data is more
secure than releasing local data). Cost of
implementation must be weighed against the both
the likelihood of harm and the severity of
harm. Continuous vigilance is required to ensure
an appropriate balance between the mission of
public health, which is to serve the populations
health, and its ethical obligations to serve the
community and safeguard privacy.
7
Physical Security (1)

• All physical locations containing electronic or
  paper copies of surveillance data must be
  enclosed inside a locked, secured area with
  limited access
• Paper copies of surveillance information
  containing identifying information must be housed
  inside locked filed cabinets that are inside a
  locked room.

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
8
Physical Security (2)

• Each member of the surveillance staff must shred
  documents containing confidential information
  before disposing of them. Shredders should be of
  commercial quality with a crosscutting feature
• Rooms containing surveillance data must not be
  easily accessible by window

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
9
Electronic Security (1)

• An analysis dataset must be held securely by
  using protective software (i.e., software that
  controls the storage, removal, and use of the
  data)
• Data transfers must be approved by the
  Security and Confidentiality Officer and
  incorporate the use of access controls.
  Confidential surveillance data or information
  must be encrypted before electronic transfer
  using an encryption package meeting the
  Advanced Encryption Standard (AES) encryption
  standards
• Laptops and other portable devices (e.g.,
  personal digital assistants PDAs, other
  handheld devices, and tablet personal computers
  PCs) that receive or store surveillance
  information with personal identifiers must
  incorporate the use of encryption software

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
10
Electronic Security (2)

• Must address at minimum
• Encryption
• Authentication
• Role-based access
• System availability
• Disaster recovery

11
Procedural Security (1)

• Policies must be in writing
• A policy must name the individual who is the
  Security and Confidentiality Officer (SCO) for
  the organization
• A policy must incorporate provisions to protect
  against public access to raw data or data tables
  that include small denominator populations that
  could be indirectly identifying
• All authorized staff must annually sign a
  confidentiality statement

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
12
Procedural Security (2)

• All staff with access to data must be
  individually responsible for protecting their own
  workstation, laptop, or other devices. This
  responsibility includes protecting keys,
  passwords, and codes
• Confidential information must have personal
  identifiers removed (an analysis dataset) if
  taken out of the secured area or accessed from an
  unsecured area
• All staff who are authorized to access
  confidential data must be responsible for
  reporting suspected security breaches

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
13
Legal and Ethical Considerations (1)

• Access to any confidential information
  containing names for research purposes must be
  contingent on a demonstrated need for the names
  and Institutional Review Board (IRB) approval
• Access to confidential information or data for
  non-public health purposes, such as litigation,
  discovery, or court order, must be granted only
  to the extent required by law

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
14
Legal and Ethical Considerations (2)

• Must also include specific guidance on how to
  produce analysis data sets and/or data
  dissemination strategies which address how to
  balance the need for protection with the need to
  describe the epidemiologic trends and/or
  programming progress
• Statistical techniques
• Graphical techniques

15
The Current Situation (1)

• Local health facilities
• Staff responsible for medical care may lack
  sufficient training in or understanding of the
  importance of maintaining confidentiality or
  security of medical records
• Physical protections around records systems may
  be inadequate or unaffordable
• Log books are often readily accessible by
  unauthorized staff
• Multiple copies of potentially sensitive
  information exist throughout larger facilities
• Cultural norms may not sufficiently discourage
  inappropriate disclosure of information

16
The Current Situation (2)

• National programs
• Statistical data abstracted for program
  monitoring and improvement may contain
  information that inadvertently identifies
  individuals. This can be directly, e.g., through
  disclosure of patient identifiers (name, address,
  identification numbers such as Social Security
  number), or indirectly, by allowing for cross
  matching with other available data sets which
  contain identifiers).
• Medical data need to be shared across
  institutions when patients move from one provider
  to another, but this increases the risk of
  inappropriate disclosure.

17
The Current Situation (3)

• Few middle- and lower-income countries have
  systematically addressed and developed guidelines
  on
• Data collection (consent opt-out/opt-in)
• Storage
• Transfer
• Use of HIV related information
• Maintain the operational integrity of the systems

18
The Current Situation (4)

• Among industrialized countries that have.
• US
• UK
• Australia
• Cultural/societal differences
• e.g., US opt-in vs. UK opt-out
• varying societal norms of privacy

19
The Geneva Workshop, May 2006 (1)

• Aims
• To develop consensus on a draft set of guidelines
  to ensure confidentiality and security of HIV
  related information collected for patient
  management and monitoring, and program and HIV
  services monitoring and evaluation as part of
  scaling-up HIV services in middle- and
  lower-income countries.
• To develop methods to pilot and implement these
  guidelines within countries.

20
The Geneva Workshop, May 2006 (2)

• Workshop Participants
• Country program managers,
• Country-based IT people,
• IT experts specializing in relevant areas,
• Users of data (clinicians, statisticians or
  epidemiologists)
• Ethicists legal experts
• HIV-infected community members

21
The Geneva Workshop, May 2006 (3)

• Process
• Wide range of participants were invited to attend
  workshop
• Wide range of existing published material,
  primarily from the U.S., U.K., and Australia was
  made available to participants, for critique re
  its suitability in lower- and middle-income
  countries
• After brief number of introductory presentations,
  including a number of country presentations, the
  participants divided into 5 groups
• The working groups reported back their
  conclusions second half of day 2
• On the morning of day 3, conclusions of the 5
  working groups were integrated
• Draft report was produced on the basis of these
  integrated conclusions

22
The Geneva Workshop, May 2006 (4)

• The 5 working groups
• Community and NGOs
• Health care and other facilities
• Sub-national (district/regional/provincial/state)
  and national level
• National data repositories or data warehouses
• International organizations
• All the groups addressed each framework topic
• Physical security
• Electronic security (at rest during transfer)
• Procedural security
• Legal and ethical considerations

23
Workshop Output Interim Guidance (1)

• Executive summary
• Aim
• Background
• Objectives
• Methods
• HIV confidentiality and security principles
• Technical guidelines
• Recommendations
• Next steps

24
Workshop Output Interim Guidance (2)

• Appendices
• 1. List of participants
• 2. Geneva workshop agenda
• 3. Glossary
• 4. Sample threat analyses (incomplete)
• 5. Sample institutional policies and procedures
  (incomplete)
• 6. Self assessment tools (incomplete, but also
  see bibliography)
• 7. Bibliography

25
Workshop Output Interim Guidance (3)

• HIV Confidentiality and Security Principles
• to assure that health data are used to serve the
  improvement of health, as well as the reduction
  of harm, for all people, healthy and not
  healthy. 
• Pursuing this goal involves an ongoing process of
  refining the balance between  
• a) maximizing of benefits benefits that can and
  should come from the wise and fullest use of
  data, and
• b) protection from harm harm that can result
  from either malicious or inadvertent
  inappropriate release of individually
  identifiable data.

26
Workshop Output Interim Guidance (4)

• Technical Guidelines
• Types of data (identifiable, anonymized,
  psuedo-anonymized)
• Organization and procedures
• Collection of personally identifiable data
• Storage of confidential data
• Use of data
• Dissemination of information
• Disposal of information

27
Technical Guidelines Examples (1)

• Types of data
• Personal Identified Data individual level
  information that includes personal identifiers
  such as names and addresses. These data are
  generally obtained at the point of care
• Pseudo-anonymized Data individual level
  information stripped of certain identifiers,
  like names, addresses, etc. This identifying
  information is often replaced with a randomized
  identifier or key
• Aggregated Data such data are based on
  aggregating individual level information,
  obtained from communities, health facilities, or
  data warehouses, into an indicator.
• Non-Personal Data all levels need to deal with
  information on facilities, geographic data,
  information on drugs and drug supplies, and other
  logistic information

28
Technical Guidelines Examples (2)

• Organization and procedures
• 6.2.1 Within each country, institutions must
  develop guidelines to ensure confidentiality and
  security of HIV-related information, covering all
  levels operative within that countrys or
  institutions healthcare system, and the
  different types of data collected, stored and
  used. Such a policy document must be in writing
  and widely distributed, available both in paper
  and electronic formats.
• 6.2.6 To ensure that all authorized individuals
  remain knowledgeable about the security policies,
  every individual with access to confidential HIV
  data must attend data security training at
  regular intervals.

29
Technical Guidelines Examples (3)

• Collection of personally identifiable data
• 6.3.1 When such data are collected, decisions
  regarding which personal data are to be collected
  and stored must be based on the medical needs of
  the patient, the requirements of public health,
  and the requirements of program monitoring and
  evaluation. Data collection from persons using
  community or health facility services is
  primarily aimed at enabling good quality
  treatment and care over time and between sites.
  The use of individual data for program monitoring
  and evaluation or research must be covered by
  culturally appropriate statutory legislation with
  explicit individual consent, statutory sanctioned
  measures to use individual data without explicit
  patient consent, or a combination.

30
Technical Guidelines Examples (4)

• Storage of confidential data
• 6.4.2 Procedures should be in place to monitor
  the use of the system where the data are stored
  in order to detect potential or actual security
  breaches.
• 6.4.3 Threat or disaster analyses need to be
  performed to assess all potential events which
  could increase the risk of inadvertent release of
  data or the destruction of these data at sites
  housing HIV data, such as acts of vandalism,
  fires, earthquakes, or typhoons. Appropriate
  preventive measures need to be taken.
• 6.4.9 all data stored need to be backed up,
  usually at physically separate facilities, to
  prevent loss or damage to the stored data, and to
  enable data recovery in the event of natural
  disaster or other data loss.

31
Technical Guidelines Examples (5)

• Use of data
• 6.5.1 When data are to be used in a
  pseudo-anonymized form, they should be stripped
  of personal identifiers as soon and as close as
  possible to the actual source of the raw
  information.
• 6.5.8 Workspace for individuals with access to
  medical records or HIV program information must
  also be situated within a secure area.
• 6.5.10 When data are transferred electronically,
  data in transit need to be encrypted using
  appropriate protocols. This may include message
  encryption, use of secured sessions, secured
  internet lines, or two-factor authentication.

32
Technical Guidelines Examples (6)

• Dissemination of Information
• 6.6.2 A written data release policy should exist
  and be reviewed at regular intervals. This needs
  to define the purpose and uses of HIV data,
  outline which data elements can be released and
  for which purpose, and must include provisions to
  protect small denominator population.
• 6.6.3 With increased use of mapping tools for
  geographic display of data analyses, data release
  policies must take special care not to indirectly
  identify individuals via too precise location on
  geographical displays, i.e., they must
  incorporate available geographic masking
  techniques for display of confidential
  information.
• 6.6.6 Access to HIV information for non-public
  health purposes, for instance for legal issues,
  should be granted only in circumstances involving
  the threat of imminent danger of grave physical
  harm to individuals or populations.

33
Technical Guidelines Examples (7)

• Disposal of Information
• 6.7.1 If old records are going to be kept, they
  will need to be stored ensuring full
  confidentiality and security of HIV information.
• 6.7.2 If records are to be destroyed, both paper
  and electronic records should be destroyed,
  including all data backups.
• 6.7.4 A written data archival policy should be
  produced.

34
Workshop Output Interim Guidance (5)

• 12 Recommendations, including
• 7.8 National organizations at all levels of the
  healthcare system and international organizations
  must identify a security and confidentiality
  officer (SCO) to be ultimately responsible for
  the confidentiality and security of HIV
  information within that organization.
•  7.9 Funding organizations should comply with
  these standards and have an obligation to make a
  portion of the funding available to implement
  them, sufficient to assure adequate protection of
  the data collected and used, and to require that
  maintaining these standards are a condition for
  funding of any implementing partners or agencies.

35
Next Steps (1)

• Interim Guidelines have been reviewed by
• Workshop participants
• U.S. Centers, for Disease Control and Prevention
• U.S. Presidents Emergency Plan for AIDS Relief
  (PEPFAR)
• Joint United Nations Programme on HIV/AIDS
  (UNAIDS).
• Interim Guidelines have been published by UNAIDS
• Still to be completed three appendices
• Sample threat analyses
• Sample institutional policy and procedures
• Self-assessment tools
• Pilot the Interim Guidelines countries and among
  grant recipients

36
Next Steps (2)

• Develop self-appraisal tools
• Questionnaire developed and piloted to assess
  whether countries and organizations have
  developed and implemented confidentiality and
  security guidelines
• Distribute questionnaire to countries with UNAIDS
  Monitoring and Evaluation Officers
• Distribute questionnaire to PEPFAR implementing
  partners/grant recipients
• Incorporate feedback from countries and from
  PEPFAR implementing partners into the Guidelines
• Develop capacity building strategy for
  implementation of the Guidelines

37
(No Transcript)