Title: Guidelines on Protecting the Confidentiality and Security of HIV Information: Proceedings from a Wor
Guidelines on Protecting the Confidentiality and Security of HIV Information: Proceedings from a Workshop in Geneva, May 2006
- Strategies for Building National-Scale Longitudinal Patient Monitoring Systems for HIV Treatment and Care in PEPFAR Countries, Lusaka, Zambia
- October 3, 2007
- Xenophon M. Santas
- Global AIDS Division, CDC-Atlanta
- xsantas_at_cdc.gov
- Eddy Beck, EVA UNAIDS, Geneva
- becke_at_unaids.org
Presentation Overview
- Background
  - Definition of terms
  - Framework elements and scope of coverage
    - Physical
    - Electronic
    - Procedural
    - Legal and ethical considerations
  - Context
- The Geneva workshop
  - Aims
  - Participants
  - Process
  - Outputs
- Next steps
Definition of Terms
- Privacy: a legal concept that refers to the protection accorded to an individual to control both access to and use of personal information. Privacy protections vary from one jurisdiction to another and are defined by law and regulations. Privacy protections provide the overall framework within which both confidentiality and security are implemented.
- Confidentiality: relates to organizational policies and procedures developed and implemented to safeguard the privacy of individuals when storing, transferring, and using their data, given that individuals, especially when using publicly-funded health services, may be considered to have rights as well as responsibilities while using such services.
- Security: the collection of technical approaches that address issues covering physical, electronic, and procedural aspects of information protection, and which assure that no breaches in the confidentiality of information will occur.
Elements of the Framework
- Physical security
- Electronic security
  - Data in transit
  - Data at rest
- Procedural security
- Ethical and legal considerations
- Data release policies and procedures
Scope of Coverage
- Communities, non-governmental organizations (NGOs)
- Health and other facilities
- Sub-national (district/regional/provincial/state), national
- National data repositories or data warehouses
- International organizations
Striking a Balance
The most secure systems are also the most useless (e.g., releasing only national-level data is more secure than releasing local data). The cost of implementation must be weighed against both the likelihood of harm and the severity of harm. Continuous vigilance is required to ensure an appropriate balance between the mission of public health, which is to serve the population's health, and its ethical obligations to serve the community and safeguard privacy.
Physical Security (1)
- All physical locations containing electronic or paper copies of surveillance data must be enclosed inside a locked, secured area with limited access
- Paper copies of surveillance information containing identifying information must be housed inside locked file cabinets that are inside a locked room.
From CDC / HIV Incidence and Case Surveillance Branch, Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines.
Physical Security (2)
- Each member of the surveillance staff must shred documents containing confidential information before disposing of them. Shredders should be of commercial quality with a crosscutting feature
- Rooms containing surveillance data must not be easily accessible by window
From CDC / HIV Incidence and Case Surveillance Branch, Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines.
Electronic Security (1)
- An analysis dataset must be held securely by using protective software (i.e., software that controls the storage, removal, and use of the data)
- Data transfers must be approved by the Security and Confidentiality Officer and incorporate the use of access controls. Confidential surveillance data or information must be encrypted before electronic transfer using an encryption package meeting the Advanced Encryption Standard (AES) encryption standards
- Laptops and other portable devices (e.g., personal digital assistants (PDAs), other handheld devices, and tablet personal computers (PCs)) that receive or store surveillance information with personal identifiers must incorporate the use of encryption software
From CDC / HIV Incidence and Case Surveillance Branch, Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines.
Electronic Security (2)
- Must address at minimum
  - Encryption
  - Authentication
  - Role-based access
  - System availability
  - Disaster recovery
Procedural Security (1)
- Policies must be in writing
- A policy must name the individual who is the Security and Confidentiality Officer (SCO) for the organization
- A policy must incorporate provisions to protect against public access to raw data or data tables that include small denominator populations that could be indirectly identifying
- All authorized staff must annually sign a confidentiality statement
From CDC / HIV Incidence and Case Surveillance Branch, Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines.
Procedural Security (2)
- All staff with access to data must be individually responsible for protecting their own workstation, laptop, or other devices. This responsibility includes protecting keys, passwords, and codes
- Confidential information must have personal identifiers removed (an analysis dataset) if taken out of the secured area or accessed from an unsecured area
- All staff who are authorized to access confidential data must be responsible for reporting suspected security breaches
From CDC / HIV Incidence and Case Surveillance Branch, Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines.
Legal and Ethical Considerations (1)
- Access to any confidential information containing names for research purposes must be contingent on a demonstrated need for the names and Institutional Review Board (IRB) approval
- Access to confidential information or data for non-public health purposes, such as litigation, discovery, or court order, must be granted only to the extent required by law
From CDC / HIV Incidence and Case Surveillance Branch, Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines.
Legal and Ethical Considerations (2)
- Must also include specific guidance on how to produce analysis data sets and/or data dissemination strategies which address how to balance the need for protection with the need to describe the epidemiologic trends and/or programming progress
  - Statistical techniques
  - Graphical techniques
The Current Situation (1)
- Local health facilities
  - Staff responsible for medical care may lack sufficient training in or understanding of the importance of maintaining confidentiality or security of medical records
  - Physical protections around records systems may be inadequate or unaffordable
  - Log books are often readily accessible by unauthorized staff
  - Multiple copies of potentially sensitive information exist throughout larger facilities
  - Cultural norms may not sufficiently discourage inappropriate disclosure of information
The Current Situation (2)
- National programs
  - Statistical data abstracted for program monitoring and improvement may contain information that inadvertently identifies individuals. This can happen directly, e.g., through disclosure of patient identifiers (name, address, identification numbers such as Social Security number), or indirectly, by allowing cross-matching with other available data sets which contain identifiers.
  - Medical data need to be shared across institutions when patients move from one provider to another, but this increases the risk of inappropriate disclosure.
The Current Situation (3)
- Few middle- and lower-income countries have systematically addressed and developed guidelines on
  - Data collection (consent opt-out/opt-in)
  - Storage
  - Transfer
  - Use of HIV-related information
  - Maintaining the operational integrity of the systems
The Current Situation (4)
- Among industrialized countries that have:
  - US
  - UK
  - Australia
- Cultural/societal differences
  - e.g., US opt-in vs. UK opt-out
  - varying societal norms of privacy
The Geneva Workshop, May 2006 (1)
- Aims
  - To develop consensus on a draft set of guidelines to ensure confidentiality and security of HIV-related information collected for patient management and monitoring, and program and HIV services monitoring and evaluation as part of scaling-up HIV services in middle- and lower-income countries.
  - To develop methods to pilot and implement these guidelines within countries.
The Geneva Workshop, May 2006 (2)
- Workshop Participants
  - Country program managers
  - Country-based IT people
  - IT experts specializing in relevant areas
  - Users of data (clinicians, statisticians or epidemiologists)
  - Ethicists, legal experts
  - HIV-infected community members
The Geneva Workshop, May 2006 (3)
- Process
  - A wide range of participants were invited to attend the workshop
  - A wide range of existing published material, primarily from the U.S., U.K., and Australia, was made available to participants for critique regarding its suitability in lower- and middle-income countries
  - After a small number of introductory presentations, including a number of country presentations, the participants divided into 5 groups
  - The working groups reported back their conclusions in the second half of day 2
  - On the morning of day 3, the conclusions of the 5 working groups were integrated
  - A draft report was produced on the basis of these integrated conclusions
The Geneva Workshop, May 2006 (4)
- The 5 working groups
  - Community and NGOs
  - Health care and other facilities
  - Sub-national (district/regional/provincial/state) and national level
  - National data repositories or data warehouses
  - International organizations
- All the groups addressed each framework topic
  - Physical security
  - Electronic security (at rest, during transfer)
  - Procedural security
  - Legal and ethical considerations
Workshop Output: Interim Guidance (1)
- Executive summary
- Aim
- Background
- Objectives
- Methods
- HIV confidentiality and security principles
- Technical guidelines
- Recommendations
- Next steps
Workshop Output: Interim Guidance (2)
- Appendices
  - 1. List of participants
  - 2. Geneva workshop agenda
  - 3. Glossary
  - 4. Sample threat analyses (incomplete)
  - 5. Sample institutional policies and procedures (incomplete)
  - 6. Self assessment tools (incomplete, but also see bibliography)
  - 7. Bibliography
Workshop Output: Interim Guidance (3)
- HIV Confidentiality and Security Principles
  - To assure that health data are used to serve the improvement of health, as well as the reduction of harm, for all people, healthy and not healthy.
  - Pursuing this goal involves an ongoing process of refining the balance between
    - a) maximizing of benefits: benefits that can and should come from the wise and fullest use of data, and
    - b) protection from harm: harm that can result from either malicious or inadvertent inappropriate release of individually identifiable data.
Workshop Output: Interim Guidance (4)
- Technical Guidelines
  - Types of data (identifiable, anonymized, pseudo-anonymized)
  - Organization and procedures
  - Collection of personally identifiable data
  - Storage of confidential data
  - Use of data
  - Dissemination of information
  - Disposal of information
Technical Guidelines Examples (1)
- Types of data
  - Personal Identified Data: individual-level information that includes personal identifiers such as names and addresses. These data are generally obtained at the point of care
  - Pseudo-anonymized Data: individual-level information stripped of certain identifiers, like names, addresses, etc. This identifying information is often replaced with a randomized identifier or key
  - Aggregated Data: such data are based on aggregating individual-level information, obtained from communities, health facilities, or data warehouses, into an indicator.
  - Non-Personal Data: all levels need to deal with information on facilities, geographic data, information on drugs and drug supplies, and other logistic information
Technical Guidelines Examples (2)
- Organization and procedures
  - 6.2.1 Within each country, institutions must develop guidelines to ensure confidentiality and security of HIV-related information, covering all levels operative within that country's or institution's healthcare system, and the different types of data collected, stored and used. Such a policy document must be in writing and widely distributed, available both in paper and electronic formats.
  - 6.2.6 To ensure that all authorized individuals remain knowledgeable about the security policies, every individual with access to confidential HIV data must attend data security training at regular intervals.
Technical Guidelines Examples (3)
- Collection of personally identifiable data
  - 6.3.1 When such data are collected, decisions regarding which personal data are to be collected and stored must be based on the medical needs of the patient, the requirements of public health, and the requirements of program monitoring and evaluation. Data collection from persons using community or health facility services is primarily aimed at enabling good quality treatment and care over time and between sites. The use of individual data for program monitoring and evaluation or research must be covered by culturally appropriate statutory legislation with explicit individual consent, statutory sanctioned measures to use individual data without explicit patient consent, or a combination.
Technical Guidelines Examples (4)
- Storage of confidential data
  - 6.4.2 Procedures should be in place to monitor the use of the system where the data are stored in order to detect potential or actual security breaches.
  - 6.4.3 Threat or disaster analyses need to be performed to assess all potential events which could increase the risk of inadvertent release of data or the destruction of these data at sites housing HIV data, such as acts of vandalism, fires, earthquakes, or typhoons. Appropriate preventive measures need to be taken.
  - 6.4.9 All data stored need to be backed up, usually at physically separate facilities, to prevent loss or damage to the stored data, and to enable data recovery in the event of natural disaster or other data loss.
Technical Guidelines Examples (5)
- Use of data
  - 6.5.1 When data are to be used in a pseudo-anonymized form, they should be stripped of personal identifiers as soon and as close as possible to the actual source of the raw information.
  - 6.5.8 Workspace for individuals with access to medical records or HIV program information must also be situated within a secure area.
  - 6.5.10 When data are transferred electronically, data in transit need to be encrypted using appropriate protocols. This may include message encryption, use of secured sessions, secured internet lines, or two-factor authentication.
Technical Guidelines Examples (6)
- Dissemination of Information
  - 6.6.2 A written data release policy should exist and be reviewed at regular intervals. This needs to define the purpose and uses of HIV data, outline which data elements can be released and for which purpose, and must include provisions to protect small denominator populations.
  - 6.6.3 With increased use of mapping tools for geographic display of data analyses, data release policies must take special care not to indirectly identify individuals via too precise a location on geographical displays, i.e., they must incorporate available geographic masking techniques for display of confidential information.
  - 6.6.6 Access to HIV information for non-public health purposes, for instance for legal issues, should be granted only in circumstances involving the threat of imminent danger of grave physical harm to individuals or populations.
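As an added example (not from the workshop guidance or the CDC document), the following Python sketches the two protections these excerpts keep returning to: pseudo-anonymization with a keyed pseudonym (the "Types of data" slide and 6.5.1) and small-denominator suppression in a release table (6.6.2 and the procedural policy above). The records, district names, field names, function names and the threshold of 5 are constructed assumptions; the real threshold and the pseudonym key come from the written release policy and the SCO.

```python
import hmac
from collections import defaultdict

DIRECT_IDENTIFIERS = ("name", "national_id")
THRESHOLD = 5  # assumed minimum cell size; the written release policy sets the real value
# Constructed sample of identified point-of-care records: (district, on ART?, count).
SAMPLE_SPEC = [("Lusaka", True, 9), ("Lusaka", False, 3), ("Mongu", True, 6),
               ("Mongu", False, 7), ("Kabwe", True, 2), ("Kabwe", False, 1)]
EXPANDED = [(d, a) for d, a, n in SAMPLE_SPEC for _ in range(n)]
RECORDS = [{"name": f"Patient {i}", "national_id": f"ZM-{i:04d}", "district": d, "on_art": a}
           for i, (d, a) in enumerate(EXPANDED, start=1)]

def pseudonymize(record, key):
    """Strip direct identifiers; replace them with a keyed pseudonym (HMAC-SHA256).
    One key shared by all sites keeps a person's records linkable between sites,
    while without the key known identifiers cannot be replayed into pseudonyms."""
    pseudo = hmac.new(key, record["national_id"].encode(), "sha256").hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudo_id"] = pseudo
    return out

def aggregate_by_district(records):
    """Indicator table: district -> {"on_art": n, "not_on_art": m, "total": n + m}."""
    table = defaultdict(lambda: {"on_art": 0, "not_on_art": 0, "total": 0})
    for r in records:
        row = table[r["district"]]
        row["on_art" if r["on_art"] else "not_on_art"] += 1
        row["total"] += 1
    return dict(table)

def suppress_small_cells(table, threshold=THRESHOLD):
    """None marks a suppressed cell. A row whose total is below the threshold is a
    small denominator population and is withheld whole; otherwise cells below the
    threshold are blanked, and a lone blank beside a shown total takes the smallest
    shown cell with it, since one blank under a visible total is recoverable by subtraction."""
    released = {}
    for district, row in table.items():
        if row["total"] < threshold:
            released[district] = {k: None for k in row}
            continue
        cells = {k: v for k, v in row.items() if k != "total"}
        masked = {k: (None if v < threshold else v) for k, v in cells.items()}
        hidden = [k for k, v in masked.items() if v is None]
        if len(hidden) == 1:
            shown = [k for k in cells if k not in hidden]
            masked[min(shown, key=cells.get)] = None
        masked["total"] = row["total"]
        released[district] = masked
    return released

def release(records, key, threshold=THRESHOLD):
    """Pipeline: pseudonymize at the source, aggregate the analysis dataset, suppress."""
    analysis = [pseudonymize(r, key) for r in records]
    return suppress_small_cells(aggregate_by_district(analysis), threshold)
```

With the constructed sample, Mongu is released in full, Lusaka loses both cells because its single small cell could be recovered from the total, and Kabwe is withheld entirely as a small denominator population.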
Technical Guidelines Examples (7)
- Disposal of Information
  - 6.7.1 If old records are going to be kept, they will need to be stored ensuring full confidentiality and security of HIV information.
  - 6.7.2 If records are to be destroyed, both paper and electronic records should be destroyed, including all data backups.
  - 6.7.4 A written data archival policy should be produced.
Workshop Output: Interim Guidance (5)
- 12 Recommendations, including
  - 7.8 National organizations at all levels of the healthcare system and international organizations must identify a security and confidentiality officer (SCO) to be ultimately responsible for the confidentiality and security of HIV information within that organization.
  - 7.9 Funding organizations should comply with these standards and have an obligation to make a portion of the funding available to implement them, sufficient to assure adequate protection of the data collected and used, and to require that maintaining these standards is a condition for funding of any implementing partners or agencies.
Next Steps (1)
- Interim Guidelines have been reviewed by
  - Workshop participants
  - U.S. Centers for Disease Control and Prevention
  - U.S. President's Emergency Plan for AIDS Relief (PEPFAR)
  - Joint United Nations Programme on HIV/AIDS (UNAIDS)
- Interim Guidelines have been published by UNAIDS
- Still to be completed: three appendices
  - Sample threat analyses
  - Sample institutional policy and procedures
  - Self-assessment tools
- Pilot the Interim Guidelines in countries and among grant recipients
Next Steps (2)
- Develop self-appraisal tools
  - Questionnaire developed and piloted to assess whether countries and organizations have developed and implemented confidentiality and security guidelines
- Distribute questionnaire to countries with UNAIDS Monitoring and Evaluation Officers
- Distribute questionnaire to PEPFAR implementing partners/grant recipients
- Incorporate feedback from countries and from PEPFAR implementing partners into the Guidelines
- Develop capacity building strategy for implementation of the Guidelines