Maximizing Data Security and Confidentiality for Case Surveillance

Overview

Review tenets of privacy, confidentiality and security

Operationalizing security and confidentiality

- What are some difficulties (and how to overcome them)
- Why it’s important
- Following the information to identify weaknesses in security
- Tips and hints that can be considered at the site, regional, and national level

Ensuring security and confidentiality at the different levels of the system

- Physical
- Electronic

Session 4 – Privacy and Confidentiality

Privacy, Security and Confidentiality

Privacy – Relevant Laws

Privacy - know your relevant country-wide laws. Laws that:

- Describe protection of the HIV data from disclosure to unauthorized third parties, i.e., who can see patient-level data and under what circumstances: any health care provider or just those the patient consented to, judges in a lawsuit?
- Directly mention behaviors that transmit HIV

Know your country’s laws against same sex sexual behavior and same sex identity (“buggery” or “gross indecency” laws) as they impact the willingness of people to test as well as make it clear what the consequences of a release of information could mean to infected/affected persons

If no laws exist – this may be an area for advocacy for development of laws/policies

Privacy – Law and Relationship to HIV Case Surveillance – Benefits

Ultimate goal of HIV case surveillance: Count everyone in the country infected with HIV

In order to do this “everyone” with HIV must be 1) tested, 2) diagnosed and 3) reported

Benefits:

- Surveillance: accurate count for planning and allocation of funds
- Prevention: the more you know about your epidemic the better equipped you are to prevent it
- Health of PLWH: unless tested and diagnosed, can’t get on ART; higher viral loads; sicker and more infectious

Privacy – Law and Relationship to HIV Case Surveillance – Why Law is Important

Without laws that protect persons infected with HIV and behaviors that transmit HIV, people will be hesitant to come forward for testing

Surveillance must ensure their confidentiality or your surveillance system will be undermined

Need laws that support testing, diagnosis and reporting

Communities (and CBOs) are your allies and you must work together to create a climate conducive to HIV testing, prevention, care and treatment

Without this your surveillance system will be undermined.

CAREC Security and Confidentiality Guidelines

Adapted from CDC’s 2006 HIV Surveillance Security and Confidentiality Guidelines

Five guiding principles

Thirty-five requirements

Guiding Principles

1. HIV surveillance information and data will be maintained in a physically secure environment.

2. Electronic HIV surveillance data will be held in a technically secure environment, with the number of data repositories and individuals permitted access kept to a minimum. Operational security procedures will be implemented and documented to minimize the number of staff that have access to personal identifiers and to minimize the number of locations where personal identifiers are stored.

Guiding Principles (continued)

3. Individual surveillance staff members and persons authorized to access case-specific information will be responsible for protecting confidential HIV surveillance information and data.

4. Security breaches of HIV surveillance information or data will be investigated thoroughly, and sanctions imposed as appropriate.

5. Security practices and written policies will be continuously reviewed, assessed, and as necessary, changed to improve the protection of confidential HIV surveillance information and data.

Security and Confidentiality Implementation for Surveillance Systems – Common Steps

Assess current data practices

Research applicable laws and regulations

Create data security protocol based on applicable guidelines (i.e., CAREC)

Train surveillance staff on data security protocol including ramifications for breaches

Surveillance staff sign confidentiality agreements

Staff receive refresher training, re-sign agreements and data security protocol is reviewed yearly

Institute a procedure for deliberate and inadvertent breaches

Assure you have the support of management to impose ramifications

- Without this your policy will have no “teeth” and will not be taken seriously.

Role Based Access

Make a list of staff positions that need access to patient identifying information and evaluate their process for handling it

- It helps to make this list specific to roles and not individual people to communicate the message that “this isn’t about you”; it’s about what information a person in your role needs access to perform the job

Staff who do not use confidential information as part of their jobs but are in the same physical location (e.g., have cubicles in same room) as staff who work with personally identifying information (PII) also need the same training

Staff should have access to the minimum information needed to perform their job

This protects staff as well as the personally identifying information

Site Security

Does the physical set up help or hinder maintaining confidentiality?

Would I feel comfortable testing for HIV in this location?

- If not, what needs to change to improve set up?

How does confidential information move between the site and the Ministry of Health? Between Units of the Ministry of Health?

Physical Security

Once a case report form is completed where is it stored?

- On the desk for anyone passing by to see?
- In a locked file cabinet with minimum access?

What do staff do with forms they are working with when they get pulled away from their desk?

- Leave it out?
- Put it in a locked drawer?

Are the case report forms mailed?

- If so, how is it assured that it reaches the intended recipient and not opened by someone else?

Physical Security

How are case report forms transported between locations?

- If it is a long distance what do drivers do with the case report forms when they stop at home? Stop for lunch? How are they stored for transport?

How are completed case report forms transported to the next level (regional or national)?

- Are they kept on the front seat in an open file folder or are they in the trunk/out of sight in a sealed envelope?

Physical Security

If a case report form (or any other paper with confidential information) is started and then needs to be discarded how is that done?

- Ripped up and thrown away?
- Shredded?
- Just left on the desk in a pile with other paper that we don’t know what to do with?

Electronic Security

Who is responsible for entering the data?

Where is the electronic database maintained? Is it on one computer’s hard drive or a server?

Is the information backed up regularly?

Is email used to communicate confidential information about persons infected with HIV?

Confidentiality

Is there a central number? If so, how are calls answered?

- Do they say HIV or STD?

What phone numbers are on forms that are given to HIV+ clients?

- If the husband of an infected woman finds the form and calls the number how is the phone answered? Will her HIV/STD status be shared if he asks?

Are staff instructed how to answer the phone? Do they say HIV or STD?

Is the voice mail line secure? If not, does the voice mail message say not to leave confidential information?

Where does the phone bounce if there is no answer or the caller presses 0? How does that person answer?

Training – Ideas to Consider

Include sensitivity training towards people health care workers may perceive as different from themselves:

- MSM
- Sex workers
- Challenge practices that reinforce discrimination

Use scenarios that make it real and concrete

- Make up a scenario that could happen or use one that did happen
- Confidentiality was breached
- How could it have been prevented
- How can damage be controlled and kept to a minimum

Ensuring Security and Confidentiality at Different Levels of the System

Different levels of the system should work in concert to protect surveillance data:

- Reporting site
- Sub-country regions
- National coordinating body

Reporting sites

Demonstrate why data security matters at the site and how it can be accomplished

Assure safe transfer of data between reporting sites and national surveillance system

Tips:

Trainings on data security and confidentiality can be conducted for reporting sites based on CAREC guidelines, or the data security protocol developed by your MoH

Bring multiple sites together for training to build relationships and allow staff to see they are part of a bigger system

National Level

Foster a national culture where surveillance data is valued and protected

Model safe data practices

Engage stakeholders to help build trust in the surveillance system and those who manage it

Operationalizing Security and Confidentiality – Questions for Discussion

What challenges do you face in your context to implement S&C measures, both in the MoH and in clinics? How to overcome?

How to engage staff and stakeholders

Questions for the group

How do you make adherence to S&C guidelines a habit and create a culture that supports adherence to S&C guidelines?

How do you investigate breaches of both policy (policy violation) and confidentiality (information about people living with HIV was released)?

Thank You

Working Together to Plan, Implement, and Use HIV Surveillance Systems