Guidelines on Protecting the Confidentiality and Security of HIV Information: Proceedings from a Wor - PowerPoint PPT Presentation


PPT – Guidelines on Protecting the Confidentiality and Security of HIV Information: Proceedings from a Wor PowerPoint presentation | free to view - id: 1e6d18-OTA4N


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Guidelines on Protecting the Confidentiality and Security of HIV Information: Proceedings from a Wor


Guidelines on Protecting the Confidentiality and Security of HIV Information: ... housing HIV data, such as acts of vandalism, fires, earthquakes, or typhoons. ... – PowerPoint PPT presentation

Number of Views:92
Avg rating:3.0/5.0
Slides: 38
Provided by: DHA128


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Guidelines on Protecting the Confidentiality and Security of HIV Information: Proceedings from a Wor

Guidelines on Protecting the Confidentiality and
Security of HIV Information Proceedings from a
Workshop in Geneva, May 2006
  • Strategies for Building National-Scale
    Longitudinal Patient Monitoring Systems for HIV
    Treatment and Care in PEPFAR Countries
  • Lusaka, Zambia
  • October 3, 2007
  • Xenophon M. Santas
  • Global AIDS Division, CDC-Atlanta
  • Eddy Beck, EVA UNAIDS, Geneva

Presentation Overview
  • Background
  • Definition of terms
  • Framework elements and scope of coverage
  • Physical
  • Electronic
  • Procedural
  • Legal and ethical considerations
  • Context
  • The Geneva workshop
  • Aims
  • Participants
  • Process
  • Outputs
  • Next steps

Definition of Terms
  • Privacy
  • a legal concept, and refers to the protection
    that has been accorded to an individual to
    control both access to and use of personal
    information. Privacy protections vary from one
    jurisdiction to another and are defined by law
    and regulations. Privacy protections provide the
    overall framework within which both
    confidentiality and security are implemented.
  • Confidentiality
  • relates to organizational policies and procedures
    developed and implemented to safeguard the
    privacy of individuals when storing,
    transferring, and using their data, given that
    individuals, especially when using
    publicly-funded health services, may be
    considered to have rights as well as
    responsibilities while using such services.
  • Security
  • the collection of technical approaches that
    address issues covering physical, electronic, and
    procedural aspects of information protection, and
    which assure that no breaches in the
    confidentiality of information will occur.

Elements of the Framework
  • Physical security
  • Electronic security
  • Data in transit
  • Data at rest
  • Procedural security
  • Ethical and legal considerations
  • Data release policies and procedures

Scope of Coverage
  • Communities, non-governmental organizations
  • Health and other facilities
  • Sub-national (district/regional/provincial/
    state), national
  • National data repositories or data warehouses
  • International organizations

Striking a Balance
The most secure systems are also the most useless
(e.g. releasing only national-level data is more
secure than releasing local data). Cost of
implementation must be weighed against the both
the likelihood of harm and the severity of
harm. Continuous vigilance is required to ensure
an appropriate balance between the mission of
public health, which is to serve the populations
health, and its ethical obligations to serve the
community and safeguard privacy.
Physical Security (1)
  • All physical locations containing electronic or
    paper copies of surveillance data must be
    enclosed inside a locked, secured area with
    limited access
  • Paper copies of surveillance information
    containing identifying information must be housed
    inside locked filed cabinets that are inside a
    locked room.

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
Physical Security (2)
  • Each member of the surveillance staff must shred
    documents containing confidential information
    before disposing of them. Shredders should be of
    commercial quality with a crosscutting feature
  • Rooms containing surveillance data must not be
    easily accessible by window

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
Electronic Security (1)
  • An analysis dataset must be held securely by
    using protective software (i.e., software that
    controls the storage, removal, and use of the
  • Data transfers must be approved by the
    Security and Confidentiality Officer and
    incorporate the use of access controls.
    Confidential surveillance data or information
    must be encrypted before electronic transfer
    using an encryption package meeting the
    Advanced Encryption Standard (AES) encryption
  • Laptops and other portable devices (e.g.,
    personal digital assistants PDAs, other
    handheld devices, and tablet personal computers
    PCs) that receive or store surveillance
    information with personal identifiers must
    incorporate the use of encryption software

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
Electronic Security (2)
  • Must address at minimum
  • Encryption
  • Authentication
  • Role-based access
  • System availability
  • Disaster recovery

Procedural Security (1)
  • Policies must be in writing
  • A policy must name the individual who is the
    Security and Confidentiality Officer (SCO) for
    the organization
  • A policy must incorporate provisions to protect
    against public access to raw data or data tables
    that include small denominator populations that
    could be indirectly identifying
  • All authorized staff must annually sign a
    confidentiality statement

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
Procedural Security (2)
  • All staff with access to data must be
    individually responsible for protecting their own
    workstation, laptop, or other devices. This
    responsibility includes protecting keys,
    passwords, and codes
  • Confidential information must have personal
    identifiers removed (an analysis dataset) if
    taken out of the secured area or accessed from an
    unsecured area
  • All staff who are authorized to access
    confidential data must be responsible for
    reporting suspected security breaches

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
Legal and Ethical Considerations (1)
  • Access to any confidential information
    containing names for research purposes must be
    contingent on a demonstrated need for the names
    and Institutional Review Board (IRB) approval
  • Access to confidential information or data for
    non-public health purposes, such as litigation,
    discovery, or court order, must be granted only
    to the extent required by law

From CDC / HIV Incidence and Case Surveillance
Branch, Technical Guidance for HIV/AIDS
Surveillance Programs, Volume III Security and
Confidentiality Guidelines.
Legal and Ethical Considerations (2)
  • Must also include specific guidance on how to
    produce analysis data sets and/or data
    dissemination strategies which address how to
    balance the need for protection with the need to
    describe the epidemiologic trends and/or
    programming progress
  • Statistical techniques
  • Graphical techniques

The Current Situation (1)
  • Local health facilities
  • Staff responsible for medical care may lack
    sufficient training in or understanding of the
    importance of maintaining confidentiality or
    security of medical records
  • Physical protections around records systems may
    be inadequate or unaffordable
  • Log books are often readily accessible by
    unauthorized staff
  • Multiple copies of potentially sensitive
    information exist throughout larger facilities
  • Cultural norms may not sufficiently discourage
    inappropriate disclosure of information

The Current Situation (2)
  • National programs
  • Statistical data abstracted for program
    monitoring and improvement may contain
    information that inadvertently identifies
    individuals. This can be directly, e.g., through
    disclosure of patient identifiers (name, address,
    identification numbers such as Social Security
    number), or indirectly, by allowing for cross
    matching with other available data sets which
    contain identifiers).
  • Medical data need to be shared across
    institutions when patients move from one provider
    to another, but this increases the risk of
    inappropriate disclosure.

The Current Situation (3)
  • Few middle- and lower-income countries have
    systematically addressed and developed guidelines
  • Data collection (consent opt-out/opt-in)
  • Storage
  • Transfer
  • Use of HIV related information
  • Maintain the operational integrity of the systems

The Current Situation (4)
  • Among industrialized countries that have.
  • US
  • UK
  • Australia
  • Cultural/societal differences
  • e.g., US opt-in vs. UK opt-out
  • varying societal norms of privacy

The Geneva Workshop, May 2006 (1)
  • Aims
  • To develop consensus on a draft set of guidelines
    to ensure confidentiality and security of HIV
    related information collected for patient
    management and monitoring, and program and HIV
    services monitoring and evaluation as part of
    scaling-up HIV services in middle- and
    lower-income countries.
  • To develop methods to pilot and implement these
    guidelines within countries.

The Geneva Workshop, May 2006 (2)
  • Workshop Participants
  • Country program managers,
  • Country-based IT people,
  • IT experts specializing in relevant areas,
  • Users of data (clinicians, statisticians or
  • Ethicists legal experts
  • HIV-infected community members

The Geneva Workshop, May 2006 (3)
  • Process
  • Wide range of participants were invited to attend
  • Wide range of existing published material,
    primarily from the U.S., U.K., and Australia was
    made available to participants, for critique re
    its suitability in lower- and middle-income
  • After brief number of introductory presentations,
    including a number of country presentations, the
    participants divided into 5 groups
  • The working groups reported back their
    conclusions second half of day 2
  • On the morning of day 3, conclusions of the 5
    working groups were integrated
  • Draft report was produced on the basis of these
    integrated conclusions

The Geneva Workshop, May 2006 (4)
  • The 5 working groups
  • Community and NGOs
  • Health care and other facilities
  • Sub-national (district/regional/provincial/state)
    and national level
  • National data repositories or data warehouses
  • International organizations
  • All the groups addressed each framework topic
  • Physical security
  • Electronic security (at rest during transfer)
  • Procedural security
  • Legal and ethical considerations

Workshop Output Interim Guidance (1)
  • Executive summary
  • Aim
  • Background
  • Objectives
  • Methods
  • HIV confidentiality and security principles
  • Technical guidelines
  • Recommendations
  • Next steps

Workshop Output Interim Guidance (2)
  • Appendices
  • 1. List of participants
  • 2. Geneva workshop agenda
  • 3. Glossary
  • 4. Sample threat analyses (incomplete)
  • 5. Sample institutional policies and procedures
  • 6. Self assessment tools (incomplete, but also
    see bibliography)
  • 7. Bibliography

Workshop Output Interim Guidance (3)
  • HIV Confidentiality and Security Principles
  • to assure that health data are used to serve the
    improvement of health, as well as the reduction
    of harm, for all people, healthy and not
  • Pursuing this goal involves an ongoing process of
    refining the balance between  
  • a) maximizing of benefits benefits that can and
    should come from the wise and fullest use of
    data, and
  • b) protection from harm harm that can result
    from either malicious or inadvertent
    inappropriate release of individually
    identifiable data.

Workshop Output Interim Guidance (4)
  • Technical Guidelines
  • Types of data (identifiable, anonymized,
  • Organization and procedures
  • Collection of personally identifiable data
  • Storage of confidential data
  • Use of data
  • Dissemination of information
  • Disposal of information

Technical Guidelines Examples (1)
  • Types of data
  • Personal Identified Data individual level
    information that includes personal identifiers
    such as names and addresses. These data are
    generally obtained at the point of care
  • Pseudo-anonymized Data individual level
    information stripped of certain identifiers,
    like names, addresses, etc. This identifying
    information is often replaced with a randomized
    identifier or key
  • Aggregated Data such data are based on
    aggregating individual level information,
    obtained from communities, health facilities, or
    data warehouses, into an indicator.
  • Non-Personal Data all levels need to deal with
    information on facilities, geographic data,
    information on drugs and drug supplies, and other
    logistic information

Technical Guidelines Examples (2)
  • Organization and procedures
  • 6.2.1 Within each country, institutions must
    develop guidelines to ensure confidentiality and
    security of HIV-related information, covering all
    levels operative within that countrys or
    institutions healthcare system, and the
    different types of data collected, stored and
    used. Such a policy document must be in writing
    and widely distributed, available both in paper
    and electronic formats.
  • 6.2.6 To ensure that all authorized individuals
    remain knowledgeable about the security policies,
    every individual with access to confidential HIV
    data must attend data security training at
    regular intervals.

Technical Guidelines Examples (3)
  • Collection of personally identifiable data
  • 6.3.1 When such data are collected, decisions
    regarding which personal data are to be collected
    and stored must be based on the medical needs of
    the patient, the requirements of public health,
    and the requirements of program monitoring and
    evaluation. Data collection from persons using
    community or health facility services is
    primarily aimed at enabling good quality
    treatment and care over time and between sites.
    The use of individual data for program monitoring
    and evaluation or research must be covered by
    culturally appropriate statutory legislation with
    explicit individual consent, statutory sanctioned
    measures to use individual data without explicit
    patient consent, or a combination.

Technical Guidelines Examples (4)
  • Storage of confidential data
  • 6.4.2 Procedures should be in place to monitor
    the use of the system where the data are stored
    in order to detect potential or actual security
  • 6.4.3 Threat or disaster analyses need to be
    performed to assess all potential events which
    could increase the risk of inadvertent release of
    data or the destruction of these data at sites
    housing HIV data, such as acts of vandalism,
    fires, earthquakes, or typhoons. Appropriate
    preventive measures need to be taken.
  • 6.4.9 all data stored need to be backed up,
    usually at physically separate facilities, to
    prevent loss or damage to the stored data, and to
    enable data recovery in the event of natural
    disaster or other data loss.

Technical Guidelines Examples (5)
  • Use of data
  • 6.5.1 When data are to be used in a
    pseudo-anonymized form, they should be stripped
    of personal identifiers as soon and as close as
    possible to the actual source of the raw
  • 6.5.8 Workspace for individuals with access to
    medical records or HIV program information must
    also be situated within a secure area.
  • 6.5.10 When data are transferred electronically,
    data in transit need to be encrypted using
    appropriate protocols. This may include message
    encryption, use of secured sessions, secured
    internet lines, or two-factor authentication.

Technical Guidelines Examples (6)
  • Dissemination of Information
  • 6.6.2 A written data release policy should exist
    and be reviewed at regular intervals. This needs
    to define the purpose and uses of HIV data,
    outline which data elements can be released and
    for which purpose, and must include provisions to
    protect small denominator population.
  • 6.6.3 With increased use of mapping tools for
    geographic display of data analyses, data release
    policies must take special care not to indirectly
    identify individuals via too precise location on
    geographical displays, i.e., they must
    incorporate available geographic masking
    techniques for display of confidential
  • 6.6.6 Access to HIV information for non-public
    health purposes, for instance for legal issues,
    should be granted only in circumstances involving
    the threat of imminent danger of grave physical
    harm to individuals or populations.

Technical Guidelines Examples (7)
  • Disposal of Information
  • 6.7.1 If old records are going to be kept, they
    will need to be stored ensuring full
    confidentiality and security of HIV information.
  • 6.7.2 If records are to be destroyed, both paper
    and electronic records should be destroyed,
    including all data backups.
  • 6.7.4 A written data archival policy should be

Workshop Output Interim Guidance (5)
  • 12 Recommendations, including
  • 7.8 National organizations at all levels of the
    healthcare system and international organizations
    must identify a security and confidentiality
    officer (SCO) to be ultimately responsible for
    the confidentiality and security of HIV
    information within that organization.
  •  7.9 Funding organizations should comply with
    these standards and have an obligation to make a
    portion of the funding available to implement
    them, sufficient to assure adequate protection of
    the data collected and used, and to require that
    maintaining these standards are a condition for
    funding of any implementing partners or agencies.

Next Steps (1)
  • Interim Guidelines have been reviewed by
  • Workshop participants
  • U.S. Centers, for Disease Control and Prevention
  • U.S. Presidents Emergency Plan for AIDS Relief
  • Joint United Nations Programme on HIV/AIDS
  • Interim Guidelines have been published by UNAIDS
  • Still to be completed three appendices
  • Sample threat analyses
  • Sample institutional policy and procedures
  • Self-assessment tools
  • Pilot the Interim Guidelines countries and among
    grant recipients

Next Steps (2)
  • Develop self-appraisal tools
  • Questionnaire developed and piloted to assess
    whether countries and organizations have
    developed and implemented confidentiality and
    security guidelines
  • Distribute questionnaire to countries with UNAIDS
    Monitoring and Evaluation Officers
  • Distribute questionnaire to PEPFAR implementing
    partners/grant recipients
  • Incorporate feedback from countries and from
    PEPFAR implementing partners into the Guidelines
  • Develop capacity building strategy for
    implementation of the Guidelines

(No Transcript)