Sharing data regarding cases of human immunodeficiency virus (HIV) or any other type of sexually transmitted
disease (STD) between surveillance and prevention programs can help maximize the number of persons who are offered
partner services. The five guiding principles and 32 program standards outlined in this appendix are essential to ensuring
the confidentiality and security of shared data. These standards were adapted from CDC and Council of State and
Territorial Epidemiologists Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality
Guidelines (available at http://www.cdc.gov/hiv/topics/surveillance/resources/guidelines/guidance/index.htm).
Most of the standards in this appendix directly reflect the requirements in the technical guidelines. However, to better adapt the guidelines to
partner services programs, certain standards have been modified or excluded based on input from the Partner Services Surveillance
and Program Connections Workgroup and other committee members.
All program standards and security considerations should be based on the following five guiding principles:
Partner services programs should adhere to the following program standards when developing area-specific guidelines,
policies, and procedures for individual-level record keeping and data collection, management, and security:
Standard 1. All policies and procedures must be written and reviewed at least annually and revised as needed.
Standard 2. A policy must name the persons who act as the overall responsible party (ORP) for the security of the data
that might be stored in various data systems.
Standard 3. A policy must describe the methods for review of security practices for data. Included in the policy should be
a requirement for an ongoing review of evolving technology to ensure that information and data remain secure.
Standard 4. The ORP must certify annually that these standards are met.
Standard 5. Access to and use of individual-level information must be defined in a data-release policy.
Standard 6. Policies must be readily accessible to any staff members having access to confidential, individual-level data.
Standard 7. A policy must define the roles and access level for all persons with authorized access and describe which
standard procedures or methods will be used when the data are accessed.
Standard 8. All authorized staff members must sign a confidentiality statement annually. Newly hired staff members must
sign a confidentiality statement before access to individual-level information and data is authorized.
Standard 9. A policy must outline procedures for handling incoming mail and faxes to the programs and outgoing mail
and faxes from the programs. The amount and sensitivity of information contained in any piece of correspondence must
remain minimal.
Standard 10. All persons who are authorized to access individual-level information must be knowledgeable about
the organization's information security policies and procedures.
Standard 11. All staff members authorized to access individual-level information must be responsible for questioning
persons who attempt to access this information but who are not authorized to do so.
Standard 12. All staff members who are authorized to access individual-level information are responsible for protecting
their own computer workstation, laptop computer, or other devices with confidential, individual-level information or data.
This responsibility includes protecting keys, passwords, and codes that would allow access to confidential information or
data. Staff members must be careful not to infect program software with computer viruses and not to damage hardware
through exposure to extreme heat or cold.
Standard 13. Every person with access to individual-level information or data must attend security training annually or pass
an annual proficiency test. The date of the training or test must be documented in the employee's personnel file.
Information technology (IT) staff members and contractors who require access to information and data must undergo the same training
as partner services program staff members and sign the same agreements. This requirement applies to any staff members
with access to servers, workstations, backup devices, etc.
Standard 14. To the extent possible, workspace for persons working with individual-level information must be within
a secure, locked area.
Standard 15. Paper records and copies of individual-level information and data must be stored inside locked file cabinets
that are inside a locked room with limited access.
Standard 16. Program staff members must shred documents containing confidential information before disposing of
them. Shredders should be of commercial quality, preferably with a crosscutting feature.
Standard 17. Partner services analysis data sets must be stored securely with protective software (i.e., software that
controls the storage, removal, and use of the data), and personal identifiers should be removed when possible.
Standard 18. Partner services information and data transfers and methods for data collection must be approved by the ORP and incorporate the use of access controls. Individual-level information and data must be encrypted before electronic
transfer. When possible, databases and files with individual-level data must be encrypted when not in use.
Standard 19. When individual-level partner services information and data are electronically transmitted, any
transmission that does not incorporate the use of an encryption package meeting the encryption standards of the National Institute
of Standards and Technology (available at http://csrc.nist.gov/groups/stm/cmvp/standards.html) and approved by the
ORP must not contain identifying information or use terms easily associated with HIV, AIDS, or any other type of STD.
The terms HIV and AIDS, terms that specifically identify other STDs, or specific behavioral information must not
appear anywhere in the context of the transmission, including the sender and recipient address and label.
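As an added example, not part of the CDC guidance, the Standard 19 rule expressed as a pre-send screening check: when a transmission is not protected by an ORP-approved, NIST-standard encryption package, every field (sender, recipient, label, body) is scanned for STD-associated terms and personal identifiers. The term list, identifier patterns and message fields are constructed assumptions.

```python
import re

# Constructed illustrative list of terms that must not appear anywhere in an
# unencrypted transmission, including addresses and labels (Standard 19).
RESTRICTED_TERMS = ("hiv", "aids", "std", "syphilis", "gonorrhea", "chlamydia")

# Constructed identifier patterns: an SSN-like number and an ISO date of birth.
IDENTIFIER_PATTERNS = (
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN-like
    re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}\b"),  # ISO date (e.g., date of birth)
)

# The fields a transmission carries; addresses and label count as "context".
SCREENED_FIELDS = ("sender", "recipient", "label", "body")


def find_violations(transmission, approved_encryption):
    """Return a list of Standard 19 problems found in one outbound transmission.

    transmission: dict with the keys in SCREENED_FIELDS (hypothetical layout).
    approved_encryption: True only when an ORP-approved package meeting NIST
    standards protects the transmission; content screening then does not apply.
    """
    if approved_encryption:
        return []
    problems = []
    for field in SCREENED_FIELDS:
        text = transmission.get(field, "")
        lowered = text.lower()
        for term in RESTRICTED_TERMS:
            # Word boundaries so "std-clinic@..." matches but "stdin" does not.
            if re.search(rf"\b{term}\b", lowered):
                problems.append(f"{field}: restricted term '{term}'")
        for pattern in IDENTIFIER_PATTERNS:
            if pattern.search(text):
                problems.append(f"{field}: identifier pattern {pattern.pattern}")
    return problems


def is_permitted(transmission, approved_encryption):
    """Gate: an unencrypted transmission may leave only if it has no violations."""
    return not find_violations(transmission, approved_encryption)


if __name__ == "__main__":
    # Constructed sample: an unencrypted message that fails on two fields.
    sample = {"sender": "records@health.example",
              "recipient": "std-clinic@health.example",
              "label": "Follow-up list",
              "body": "Client DOB 1985-03-14, HIV follow-up needed"}
    for problem in find_violations(sample, approved_encryption=False):
        print(problem)
```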
Standard 20. When partner services information with personal identifiers or data are taken from secured areas and
included in line lists or supporting notes, in either electronic or paper format, the documents must contain the least amount
of information needed for completing a given task and, if possible, coded to disguise any information that could easily
be associated with HIV, AIDS, or any other type of STD.
Standard 21. Individual-level information or data with personal identifiers must not be taken to private staff
members' residences unless specific, documented permission is granted or the transfer is permitted according to a written policy
established by the program manager or ORP.
Standard 22. Prior approval must be obtained from the program manager or approved procedures must be followed
when planned business travel precludes the return of information with personal identifiers to the secured area by the close
of business on the same day.
Standard 23. Access to any partner services program information or data containing names for research purposes (i.e.,
for other than routine program purposes) must be contingent on a demonstrated need for the names, institutional review
board (IRB) approval, and the signing of a confidentiality statement regarding rules of access and final disposition of the
information. Access to partner services program information or data without names for research purposes beyond routine program
activities might still require IRB approval, depending on the numbers and types of variables requested in accordance with local
data release policies.
Standard 24. Access to any secured areas where individual-level partner services information is stored must be limited
to authorized persons as documented within policies and procedures (e.g., cleaning or maintenance staff members).
Standard 25. Access to confidential partner services information and data by personnel outside the partner services
program must be limited to those authorized based on an expressed and justifiable public health need, must not compromise
or impede program activities, must not affect the public perception of confidentiality of the data system, and should be
approved by the ORP.
Standard 26. Access to partner services information and data with identifiers by those who maintain other disease data
stores should be limited to those for whom the ORP has weighed the benefits and risks of allowing access and can certify that
the level of security established is equivalent to these standards.
Standard 27. Access to partner services information or data for purposes unrelated to public health (e.g., litigation,
discovery, or court order) can only be granted to the extent required by law.
Standard 28. All staff members who are authorized to access partner services information and data must be responsible
for reporting suspected security breaches. Non-program staff members also must be informed of this directive.
Standard 29. Any breach of protocol or procedures, regardless of whether personal information was released, must
be investigated immediately to assess causes and implement remedies.
Standard 30. A breach of confidentiality (i.e., a security infraction that results in the release of private information with
or without harm to one or more persons) must be reported immediately to the ORP. In consultation with appropriate
legal counsel, partner services staff members should determine whether a breach warrants reporting to law enforcement agencies.
Standard 31. Laptop computers and other portable devices (e.g., personal digital assistants [PDAs], other handheld
devices, and tablet personal computers [tablet PCs]) that receive or store partner services program information or data with
personal identifiers must have encryption software. Program information with identifiers must be encrypted and stored on an
external storage device or on the laptop removable hard drive. The external storage device or hard drive containing the
information must be separated from the laptop and held securely when not in use. The decryption key cannot be on the laptop.
Other portable devices without removable or external storage components must use encryption software that meets federal standards.
Standard 32. All removable or external storage devices containing partner services information or data that contains
personal identifiers must 1) include only the minimum amount of information necessary to accomplish assigned tasks as
determined by the program manager; 2) be encrypted or stored under lock and key when not in use; and 3) be sanitized immediately
after a given task (excludes devices used for backups). Before any device containing sensitive data is taken out of a secured
area, the information or data must be encrypted. Methods for sanitizing a storage device must ensure that the information cannot
be retrieved using "undelete" or other data-retrieval software. Hard drives that contain identifying information must be
sanitized or destroyed before computers are labeled as excess or surplus, reassigned to non-program staff members, or sent off site
for repair.