Final Att 8b_ Security Statement

National HIV Surveillance System (NHSS)

OMB: 0920-0573

Attachment 8 (b)
National HIV Surveillance System (NHSS)
OMB # 0920-0573

HIV/AIDS Security Statement and Data Access Packet

CONFIDENTIALITY SECURITY STATEMENT
FOR SURVEILLANCE OF ACQUIRED IMMUNODEFICIENCY SYNDROME (AIDS)
AND INFECTION WITH HUMAN IMMUNODEFICIENCY VIRUS (HIV) AND
SURVEILLANCE-RELATED DATA (INCLUDING SURVEILLANCE INFORMATION,
CASE INVESTIGATIONS AND SUPPLEMENTAL SURVEILLANCE PROJECTS,
RESEARCH ACTIVITIES, AND EVALUATIONS)
(Revised June 2010)

The HIV Incidence and Case Surveillance Branch (HICSB) and the Behavioral and Clinical
Surveillance Branch (BCSB), formerly known as the Surveillance Branch, in the Division of
HIV/AIDS Prevention (DHAP), National Center for HIV, Viral Hepatitis, STD, and TB
Prevention (NCHHSTP) in the Coordinating Center for Infectious Diseases (CCID) have
received approval for another extension of a 308(d) Assurance of Confidentiality protection for
data collected through surveillance activities entitled “Surveillance of Acquired
Immunodeficiency Syndrome (AIDS) and Human Immunodeficiency Virus (HIV) and
Surveillance-related Data (including surveillance information, case investigations, and
supplemental surveillance projects, research activities, and evaluations)” and conducted under
cooperative agreements with state, city and Territorial health departments. This extension is due
to expire November 2012. Because of this Assurance of Confidentiality, documents and files
which contain patient-level information on persons reported as having HIV infection or AIDS or
as exposed to HIV-infection in the case of infants born to HIV-infected mothers, or individual-level
data from surveillance surveys, case investigations, and evaluation studies, are considered
confidential materials and must be safeguarded to the greatest extent possible. The
confidentiality of HIV/AIDS Surveillance program data collected at the local and state levels is
protected under state/Territorial law, rule, or regulation. Although patient and physician names,
addresses, phone numbers, or other directly identifying information, are not routinely reported to
CDC by health departments, HIV/AIDS surveillance case reports and other surveillance-related
study data are highly sensitive, and may have the potential to indirectly identify infected
individuals. Therefore, these HIV/AIDS surveillance and related data have a need for 308(d)
protection, and the security requirement is rated as high.
It is the professional, ethical and legal responsibility of each DHAP HICSB, BCSB, and
Quantitative Sciences and Data Management Branch (QSDMB) permanent employee, their
contractors, guest researchers, fellows, visiting scientists, research interns and graduate students
who participate in activities jointly approved by CDC and the sponsoring academic institution,
and the like, who are granted access to data from HIV/AIDS Surveillance program activities to
protect the right to confidentiality of all persons reported as having HIV/AIDS or participating in
CDC-sponsored surveys, investigations, or studies related to HIV/AIDS surveillance. This
document describes the procedures and practices that DHAP intends to use to protect the
confidentiality of the data collected as part of the HIV/AIDS Surveillance program, whether it is
sponsored by HICSB or BCSB.
Portions of the data analysis and programming work which support this project are performed
under contract. Therefore, we have included reference to contractors in the Assurance of
Confidentiality Statement and this Confidentiality Security Statement. The Procurement and
Grants Office should include appropriate reference to 308(d) Assurance of Confidentiality
protection requirements. All contractor staff undergo limited background investigations prior to
performing any work at CDC.
Authorized staff of the DHAP HICSB, BCSB, and QSDMB, their contract staff and other
authorized agents (e.g. laboratory personnel in NCID, data management personnel in CCID or
staff in the Information Technology Service Organization-ITSO) are required to maintain and
protect at all times the confidentiality of records that may come into their presence and under
their control. In particular, they may not discuss, reveal, present, or confirm to external parties
information on, or characteristics of, individual cases, or small numbers of cases, in any manner
that could directly or indirectly identify any individual on whom a record is maintained by an
HIV/AIDS Surveillance program. To assure that they are aware of this responsibility and the
penalties for failing to comply, each DHAP HICSB, BCSB, and QSDMB staff member who is
granted access to surveillance records or related files, their contract staff and other authorized
agents, as well as ITSO staff and contractors who support the servers in the Data Centers which
contain such data, will be required to read and sign a Nondisclosure Agreement (CDC 0.979),
assuring that all information in HIV/AIDS Surveillance program records and related files will be
kept confidential and will be used only for epidemiologic or statistical purposes. All staff
working on surveillance program activities are required to attend annual security and
confidentiality training that includes review of the assurance of confidentiality, and security and
confidentiality procedures. Signed agreements will be obtained at this time from each staff
person who is authorized to access HIV/AIDS surveillance records. Confidentiality training
shall be conducted annually and participation in such training shall be mandatory for all persons
granted access to surveillance program records and related files; HICSB, BCSB, and QSDMB
staff, their contractors and other authorized agents (such as ITSO staff) shall be required to sign
confidentiality agreements on an annual basis. It shall be the responsibility of the Technical and
Business Stewards to provide for interim training and obtaining signed authorizations from
employees, contractors, and other authorized individuals who are granted access to HIV/AIDS
surveillance records prior to the next annual confidentiality training session.
The Business Steward for HIV/AIDS Surveillance program activities is the Chief, HIV Incidence
and Case Surveillance Branch, DHAP (Dr. H. Irene Hall); alternate is the Deputy Chief, HIV
Incidence and Case Surveillance Branch, DHAP (Pamela Gruduah). The Business Steward for
Behavioral and Clinical Surveillance program activities is the Chief, Behavioral and Clinical
Surveillance Branch, DHAP (Dr. James Heffelfinger); alternate is Deputy Chief, Behavioral and
Clinical Surveillance Branch, DHAP (Dawn Gnesda). The Technical Stewards are Patricia
Sweeney, Epidemiologist, HIV Incidence and Case Surveillance Branch, and Sam Costa, Deputy
Chief, Quantitative Sciences and Data Management Branch.
In Attachment 1 is the Nondisclosure Agreement that all CDC employees participating in
HIV/AIDS surveillance program activities will sign. The originals will be retained by HICSB,
BCSB, and QSDMB within DHAP and will be made available for review upon request by
Confidentiality Unit Staff in the Office of the CDC Associate Director for Science.
In Attachment 2 are the “Request for access to the Enhanced HIV/AIDS reporting system (eHARS)
and other Surveillance databases” and the “Agreement to abide by restrictions on release of
surveillance data collected and maintained by the Division of HIV/AIDS Prevention -
Surveillance and Epidemiology” both of which must be signed by all HICSB, BCSB, and
QSDMB staff, their contractors and other authorized agents who are granted access to records,
files and databases containing information from HIV/AIDS surveillance case reports. The
provisions of Attachment 2 have been negotiated between CDC, the Council of State and
Territorial Epidemiologists, and individual state/Territorial health departments. The originals
will be retained by HICSB, BCSB or QSDMB and will be made available for review upon
request by Confidentiality Unit Staff in the Office of the CDC Associate Director for Science.
In Attachment 3 is the Contractor’s Pledge of Confidentiality entitled “Safeguards for individuals
and establishments against invasions of privacy.” Contracts needed to support HIV/AIDS
surveillance program activities contain 308(d) clauses, and all contractor employees with access
to the data are required to sign this contractor pledge. Originals of these documents will also be
retained by HICSB, BCSB, and QSDMB and will be made available for review upon request by
Confidentiality Unit Staff in the Office of the CDC Associate Director for Science.
Documentation listing contractors will be maintained and should be available to the DHAP
Contract Technical Monitor.

Restrictions on Use of Information and Safeguarding Measures:
Information collected in the course of conducting HIV/AIDS Surveillance program
activities will be used only for epidemiologic or statistical purposes and shall not
otherwise be divulged or made known in any manner that could result in the direct or
indirect identification of any individual on whom a record is maintained.
Except in rare and unusual circumstances, records or data containing names or other
personally identifying information for individual patients will not be received by DHAP
on any records from HIV/AIDS surveillance program activities. Although data collection
forms that CDC provides to HIV/AIDS surveillance cooperative agreement recipients to
use in HIV/AIDS case reporting or CDC-sponsored surveillance projects or activities
may enable the collection of personal identifiers at the local, state, or territorial level,
these identifiers will be removed before transmittal to DHAP.
In unusual circumstances, such as investigations of cases involving rare or unusual modes
of HIV transmission or potential threats to public health (e.g. unusual strains of HIV that
may be undetected through routine screening of the blood supply) in which expert CDC
staff participate with local/state/territorial health department staff at their invitation, CDC
staff may retain records with information that identifies patients, physicians or other
health care providers, laboratory personnel and other records necessary to the conduct of
the epidemiologic investigation. Such records require additional protection, and may not
be retained at employee workstations but must be maintained in a locked file cabinet in a
locked room which is secured by restricted access. In all circumstances, only the
minimum identifying information necessary to the conduct of the investigation shall be
maintained. Disclosure of identifying information from such investigations is prohibited,
except as provided in the Assurance of Confidentiality.
Data collection forms will contain only state assigned patient identification numbers and
may contain soundex codes generated from patient surnames, or other state-assigned
codes. However, because these are 308(d) protected data, they will be transmitted to
CDC in a secure and confidential manner. Hard copies of data collection forms may only
be transmitted to CDC staff of DHAP if identifying information has been stripped and
records placed in sealed envelopes marked “confidential.” Following data entry and
verification, as soon as feasible such hard copies should be shredded or destroyed.
Electronic data are transmitted via the Secure Data Network (SDN) or via storage media
using couriers which can track shipments and which require authorized signatures for
delivery. All data transmissions are automatically encrypted by software that generates
the transfer files after automatically deleting patient and physician identifiers.
DHAP HICSB, BCSB, and QSDMB staff, their contractors and other authorized agents
are responsible for protecting all confidential records containing information that could
potentially identify, directly or indirectly, any person on whom a record is maintained
from eye observation, from theft, or from accidental loss or misplacement due to
carelessness. All reasonable precautions will be taken to protect confidential surveillance
data.
All contractor personnel will receive project-specific training in confidentiality
procedures, in addition to the training and background investigations they must
receive/undergo prior to being hired by the contractor. All contractors and their records
must be maintained in a physically secure environment with appropriate oversight by the
technical monitor.
If a local/state/territorial health department inadvertently fails to remove personal
identifiers of individual patients, their family members or sexual or drug-using partners,
or health care providers before forwarding hard copy forms to DHAP, or incorrectly
enters such identifying data into comments fields, DHAP staff will immediately delete
the identifiers, and remind health department personnel of the appropriate procedures to
follow to delete such identifiers prior to transmitting records and forms to CDC.
Except as needed for operational purposes, photocopies of confidential records are not to
be made. If photocopies are necessary, care should be taken that all copies and originals
are recovered from the copy machines and work areas. Correspondence containing
sensitive information, e.g., regarding an epidemiologic case investigation, shall be
maintained in a locked file cabinet. All confidential paper records will be destroyed as
soon as operational requirements permit by shredding the documents.
E-mail, memoranda, reports, publications, slides, and presentations that contain data
collected through HIV/AIDS surveillance program activities shall not contain data or
information that could directly or indirectly identify any person on whom a record is
maintained by CDC. In particular, specifics of case investigations, or specific
geographic identifying information is highly sensitive material. It shall be the
responsibility of each DHAP HICSB, BCSB, or QSDMB staff member, their contractors
or other authorized agents who are granted access to sensitive surveillance information to
safeguard such data. Only the minimum information necessary to conduct the CDC staff
member’s or contractor’s specific job-related duties shall be accessed. Telephone
conversations with local/State/Territorial health department personnel that include
discussions of sensitive information shall be conducted discreetly, preferably in private
walled offices.
Enhanced Protection of Computerized Files:
All data will be protected in confidential computer files. The following safeguards are
implemented to protect HIV/AIDS Surveillance files so that the accuracy and the confidentiality
of the data can be maintained:
Computer files containing programs, documents, or confidential data will be stored in
computer systems that are protected from accidental alteration and unauthorized access.
Computer files will be protected by password systems, access controls which can be
audited, virus detection procedures, and routine backup procedures. Data stored at state
and local health departments using CDC-supplied software designed to manage data for
surveillance program activities are protected by security requirements that each grantee
must certify it complies with before any cooperative agreements can be awarded; the
software ensures that the data transmitted to CDC will be in a format that is compatible
with the security and confidentiality requirements of the HIV/AIDS surveillance
databases maintained by CDC.
The CDC Data Centers maintained by ITSO comply with Federal policies, statutes,
regulations, and other directives for the collection, maintenance, use, and dissemination
of data, including the Department of Health and Human Services Automated Information
Systems Security Program, the Computer Security Act of 1987 (Public Law 100-235), the
E-Government Act of 2002 (Public Law 107-347), and the Federal Information Security
Management Act (FISMA). Additionally, the CDC Data Centers also are in compliance
with CDC's OCISO ADP Security Policy. The CDC Data Centers currently operate
under Windows 2008 with Active Directory. Security features implemented include user
ID and password protection, mandatory password changes, limited logins, user rights/file
attribute restrictions and virus protection.
Data will be entered into computer files by staff at state and local health departments and
transmitted electronically via encrypted files to DHAP QSDMB staff for uploading from
QSDMB offices into the servers at the Chamblee Data Center. DHAP employees or
contractors, and any ITSO or other CDC employees or contractors who service or
maintain the systems or components necessary to support data management of HIV/AIDS
surveillance program files, will be granted access to the files only upon express written
approval by a Business Steward (Chief, HICSB or BCSB). The list of authorized users
will be maintained by the Data Center administrator, and the Technical and Business
Stewards who will review the list on at least an annual basis to delete persons no longer
needing access. Access is removed when staff no longer require it by notification to the
Data Center administrator by the Technical or Business Stewards.
Backup copies of data will be made by the Data Center tape backup system. Backup
services are provided under a separate CDC-wide contract. Contractor facilities and staff
are subject to the same Federal policies, statutes, regulations, and other directives, as well
as to departmental and CDC security policies, which apply to CDC Data Center servers
and staff. Access to backup tapes is restricted to ITSO staff responsible for maintaining
the backup procedures.

Dissemination of Data from HIV/AIDS Surveillance program activities
State and local health departments receive confirmation of their transmittals of data to CDC.
DHAP HICSB, BCSB, and QSDMB staff are responsible for timely dissemination of aggregate
data at the national level, consistent with the data release policies described in Attachment A2.
Data will generally be reported only in aggregate form as summary statistics including
restrictions on small cell sizes and geographic identifiers; such statistics could not be used to
indirectly identify an individual. Modes of disseminating data include reports, articles in the
MMWR, publications, public use slide sets, and public use data sets. DHAP HICSB, BCSB, and
QSDMB staff may provide data in response to special requests from Congress, the Department
of HHS, other government agencies, and other programs within CDC on a priority basis with the
approval of the Director, DHAP or the Business or Technical Stewards.
Data may also be analyzed and disseminated by external collaborators and their contracted
agents with appropriate authorization and in collaboration with CDC DHAP Branches. External
collaborators are those with whom DHAP has existing cooperative agreements or contracts
involving the collection or analysis of this surveillance data. Requests for such access to the data
and subsequent analysis and dissemination must be made according to the procedures outlined in
Attachment 2b of the Security Statement.
In limited circumstances, restricted data sets could be made available to external researchers with
approval of the appropriate branch chief, and each relevant project area contributing data to the
project. These requests would also be subject to the procedures outlined in Attachment 2b of the
Security Statement as amended in July 2004.

Records Disposition for the National Archives and Records Administration
Records that are determined to be permanently valuable are sent to the National Archives and
Records Administration (NARA). Transfers of such records and files will be done in accordance
with the May 1996 agreement stating that CDC will transfer to NARA all permanent data sets in
accordance with approved schedules contained in part IV of the CDC Records Control Schedule
B-321, with the exception of identifying information collected under an Assurance of
Confidentiality agreement as specified under the Public Health Service Act, Sections 301(d) and
308(d).

Confidentiality Security Statement Attachment 1
NONDISCLOSURE AGREEMENT
(308(d) Assurance of Confidentiality for CDC/DHAP Employees)

The success of CDC’s operations depends upon the voluntary cooperation of States, of
establishments, and of individuals who provide the information required by CDC
programs under an assurance that such information will be kept confidential and be
used only for epidemiological or statistical purposes.
When confidentiality is authorized, CDC operates under the restrictions of Section
308(d) of the Public Health Service Act which provides in summary that no information
obtained in the course of its activities may be used for any purpose other than the
purpose for which it was supplied, and that such information may not be published or
released in a manner in which the establishment or person supplying the information or
described in it is identifiable unless such establishment or person has consented.
“I am aware that unauthorized disclosure of confidential information is punishable under
Title 18, Section 1905 of the U.S. Code, which reads:
‘Whoever, being an officer or employee of the United States or of any department
or agency thereof, publishes, divulges, discloses, or makes known in any manner or
to any extent not authorized by law any information coming to him in the course of
his employment or official duties or by reason of any examination or investigation
made by, or return, report or record made to or filed with, such department or
agency or officer or employee thereof, which information concerns or relates to the
trade secrets, processes, operations, style of work, or apparatus, or to the identity,
confidential statistical data, amount or source of any income, profits, losses, or
expenditures of any person, firm, partnership, corporation, or association; or
permits any income return or copy thereof or any book containing any abstract or
particulars thereof to be seen or examined by any person except as provided by
law; shall be fined not more than $1,000, or imprisoned not more than one year, or
both; and shall be removed from office or employment.’
“I understand that unauthorized disclosure of confidential information is also punishable
under the Privacy Act of 1974, Subsection 552a (i) (1), which reads:
‘Any officer or employee of any agency, who by virtue of his employment or official
position, has possession of, or access to, agency records which contain individually
identifiable information the disclosure of which is prohibited by this section or by
rules or regulations established thereunder, and who knowing that disclosure of the
specific material is so prohibited, willfully discloses the material in any manner to
any person or agency not entitled to receive it, shall be guilty of a misdemeanor and
fined not more than $5,000.’

“My signature below indicates that I have read, understood, and agreed to comply with
the above statements.”
________________________
Typed/Printed Name

__________________________
Signature

________________
Date

________________________
National Center/Institute/Office

CDC 0.979 (E), Rev.9/2001, CDC Adobe Acrobat 9.0 electronic Version, 12/2008
Rev. June 2010, based on CDC 0.979 (E) 9/2001

Confidentiality Security Statement Attachment 2a
CENTERS FOR DISEASE CONTROL AND PREVENTION
National Center for HIV, Viral Hepatitis, STD, TB Prevention
Division of HIV/AIDS Prevention
Request for Access to enhanced HIV/AIDS Reporting System (eHARS) and
Other Surveillance Databases
Name: ______________________________

User ID: _______________

Date of Request:_______________________ CIO/Div/Br: _____________
Type of Access Required: _____ R (Read Only)
_____ RWM (Read, Write, Modify)
Access Requested until ______________ (date)
List required data sets and access groups (if known):

Justification for Access:

Supervisory Certification:
I certify that it is a necessary part of the above staff member’s official duties to have
access to the eHARS and related Surveillance databases. I have advised this
employee of the confidentiality of these data and have attached a signed “Agreement to
Abide by Restrictions on Release of Data”.
_______________________________
Supervisor’s Signature
Approval:
________________________________________
Chief, (HICSB/BCSB), DHAP or designee
--------------------------------------------------------------
For HICSB, BCSB or QSDMB Use Only (retain signed copies of “Request for access...”
and “Agreement to abide by restrictions...” forms and copies of emails to helpdesk.)
Email to helpdesk requesting access sent on ___________ (date) by ____________
Email to helpdesk deleting access sent on ______________ (date) by ___________

Agreement to abide by restrictions on release of surveillance data collected and
maintained by the Division of HIV/AIDS Prevention
I, ___________________________, understand that data collected by CDC through the
HIV/AIDS surveillance system and related surveillance activities, projects, and case
investigations under Sections 304 and 306 of the Public Health Service Act (42 U.S.C.
242b and 242k) is protected at the national level by an Assurance of Confidentiality
(Section 308(d) of the Public Health Service Act, 42 U.S.C. 242m(d)), which prohibits
disclosure of any information that could be used to directly or indirectly identify any
individual on whom a record is maintained by CDC. This prohibition has led to the
formulation of the following guidelines for release of HIV/AIDS case reports and
supplemental data collected on such persons to which, in accepting access to data not
considered public-use, I agree to adhere. These guidelines represent a balance
between potential for inadvertent disclosure and the need for the CDC/DHAP to be
responsive to information requests having legitimate public health application. In
particular, variables that identify geographic units or facilities have the potential to
indirectly identify individuals.
Therefore, I will not release, either inside or outside CDC, State/Territorial, MSA, city or
county specific data in any format (e.g., publications, presentations, slides, interviews)
without the consent of the appropriate State or local agency, except as consistent with
the format described below and presented in detail in the written documentation for the
AIDS Public Information Data Set (AIDS PIDS). Specifically, in accordance with the
terms of written agreements between CDC, the Council of State and Territorial
Epidemiologists (CSTE), and individual State/Territorial health departments AND in
accordance with the principles of the Assurance of Confidentiality for HIV/AIDS
surveillance and related data projects authorized under Section 308d of the U.S. Public
Health Service Act:
• I am permitted to release national and regional tabulations, from the HIV/AIDS
  surveillance database in either narrative or tabular format.

• For cases in adults/adolescents > 13 years of age, for MSA’s with greater than
  500,000 population, I may release multiple-way cross tabulations of 14
  variables using the categories and conditions listed in the current AIDS PIDS for
  the rectangular data file.

• For any State, the District of Columbia, or MSA with greater than 500,000
  population, I may release 2-way cross tabulations of 8 variables using the
  categories listed in the current AIDS PIDS if cell sizes are all greater than 3. If
  cells containing information on 3 or fewer cases are produced, I agree to either
  delete those cells and all summaries using those cells from the table, or insert in
  any cell of 3 or less, the notation “less than or equal to 3.”

• For any MSA with greater than 100,000 population in selected States
  designated in the current AIDS PIDS, I may release 2-way cross tabulations of 8
  variables using the categories and conditions listed in the current AIDS PIDS if
  cell sizes are all greater than 3. If cells containing information on 3 or fewer
  cases are produced, I agree to either delete those cells and all summaries using
  those cells from the table, or insert in any cell of 3 or less, the notation “less than
  or equal to 3.”

• For individual counties or health districts in selected States designated in the
  current AIDS PIDS, I may release one-way frequencies of 3 variables (age,
  race/ethnicity, and sex) subject to the small cell size restriction described above.

• I understand that release of data not specifically permitted by this agreement is
  prohibited unless written permission is first obtained from the appropriate
  Branch Chief (HICSB or BCSB), Division of HIV/AIDS Prevention - Surveillance
  and Epidemiology.

• When presenting or publishing state, city, county, or MSA-specific data in
  accordance with the restrictions outlined above, I will inform the appropriate
  state and local health departments in advance of the release of state or local
  data, so as to afford them the opportunity to anticipate local queries and prepare
  their response.

• When presenting or publishing data from surveillance-related studies,
  investigations, or evaluations, I will adhere to the principles and guidelines
  outlined in this agreement.

I also agree to the following:
I will not give my access password to any person.
I will treat all data at my desk site confidentially and maintain records that could directly
or indirectly identify any individual on whom CDC maintains a record in a locked file
cabinet. Sensitive identifying information from special case investigations will only be
maintained in a locked file cabinet in a locked room which has restricted access.
I will keep all hard copies of data runs containing small cells locked in a file cabinet
when not in use, shredding them when they are no longer necessary to my analysis.
I will not produce a “back-up” data file of HIV/AIDS case surveillance data or related
databases maintained by DHAP.
I will not remove electronic files, records or databases from the worksite, or access
them remotely from home or other off-worksite location.
I will not remove hard copies of case reports, survey instruments, laboratory reports,
confidential communications, or any records containing sensitive data and information
or the like from the worksite.
I will not remove from the worksite tabulations or data in any format that could directly or
indirectly identify any individual.
I will maintain confidentiality of records on individuals in all discussions,
communications, e-mails, tabulations, presentations, and publications (and the like) by
using only the minimum information necessary to describe the individual case.
I will not release data to the press or media without pre-screening of the request by the
Office of Communications, NCHHSTP.
I am responsible for obtaining IRB review of projects when appropriate.
User ID: __________________
Purpose of investigation (provide a brief statement):

Database(s) to be accessed:
Estimated time needed for data access/analysis:
I have read this document, “Agreement to abide by restrictions on release of
data...” and the attached document “Release of CDC HIV/AIDS Surveillance and
Related Data,” and I agree to abide by them. Failure to comply with this
agreement may result in disciplinary action, including possible termination of
employment.
Signed: __________________________________ Date: ______________________
(Requestor)
CIO, Division, Branch _______________________________
Approved: ________________________________ Date: ______________________
Chief, (HICSB/BCSB), DHAP, NCHHSTP or designee
Revised June 2010

Confidentiality Security Statement Attachment 2b
RELEASE OF CDC HIV/AIDS SURVEILLANCE AND RELATED DATA

Description of the system
The HIV/AIDS Reporting System (HARS) surveillance database is composed of
HIV/AIDS case reports submitted on a voluntary basis to CDC by the 50 States, the
District of Columbia, U.S. dependencies and possessions, and certain independent
nations in free association with the U.S.
Encrypted case reports are received electronically using a standardized reporting form
and software. The data from state and local health departments are decrypted and the
CDC HARS database is updated on a regular basis to include all cases received and
processed through the last day of the previous cycle. Identifying information on each
case is deleted prior to transfer to CDC and cases are identified at the national level
only by soundex code based on patient’s surname, date of birth, and a state-assigned
patient identification number.
The HIV Incidence and Case Surveillance Branch (HICSB), the Behavioral and Clinical
Surveillance Branch (BCSB) and the Quantitative Sciences and Data Management
Branch (QSDMB), DHAP maintain a large number of databases on individuals at risk for
or diagnosed with HIV infection including case reports, case investigations, related
surveillance databases, surveys, and data from medical records or public health
databases.
All data collected and maintained by the HICSB, BCSB, and QSDMB must be
managed, presented, published and released in accordance with strict adherence to the
standards for confidentiality and security consistent with the principles and guidelines
for HIV and AIDS case report data. In particular, geographic and small cell data may be
indirectly identifying when combined with detailed information contained in case reports,
questionnaires, or from laboratory or medical records.
Restrictions on release of data
HIV/AIDS surveillance data and data from surveillance-related projects, evaluation
studies and case investigations are collected under Sections 304 and 306 of the Public
Health Service Act (42 U.S.C. 242b and 242k) and are protected at the national level by
an Assurance of Confidentiality (Section 308(d) of the Public Health Service Act, 42
U.S.C. 242m(d)), which prohibits disclosure of any information that could be used to
directly or indirectly identify individuals whose records are contained in the HARS
surveillance database. This prohibition has led to the formulation of guidelines for data
release. The guidelines represent a balance between the potential for inadvertent
disclosure and the need for the CDC/DHAP to be responsive to information requests
having legitimate public health application. Guidelines for data release are described in
detail in the documentation for the AIDS Public Information Data Set (AIDS PIDS)
http://www.cdc.gov/hiv/topics/surveillance/resources/software/apids/index.htm. The
guidelines were developed jointly by CDC and the Council of State and Territorial
Epidemiologists (CSTE). Each State epidemiologist was surveyed and elected the level
of geographic specificity (State, county, health district, size of MSA) at which CDC may
report data on HIV/AIDS cases residing in that State. These principles and restrictions
should also be applied to other data and information collected and maintained by the
DHAP HICSB or BCSB.
As a general rule, requests from the public, the media, and other government agencies
for State/local data will be referred to the local area for reply. There are two reasons for
this. First, local health departments can release their HIV/AIDS surveillance data in
accordance with locally established policies and procedures. Second, the delay
between the date of diagnosis and report to CDC ensures that local health department
data are more current than that contained in the CDC HIV/AIDS surveillance database.
However, CDC may release data to the public, for presentation in oral and written
publications, and otherwise make data available for epidemiologic and public health
purposes within the guidelines specified in the AIDS PIDS and described in the
document “Agreement to abide by restrictions on release of data...” When publishing
or presenting State/local data, CDC staff should notify the local areas in advance
whenever possible. Outside the bounds of these guidelines, CDC will not release, in
any format, State, county, health district, or MSA specific data without the consent of the
appropriate State or local health departments.
Access to the data base
The DHAP HICSB and BCSB are charged with the responsibility of maintaining the
security and confidentiality as well as the scientific integrity of the surveillance data
base. Access to data beyond that available for public use is limited, through password
protection, to members of DHAP HICSB and BCSB, and selected members of the
DHAP QSDMB, their contractors and other authorized agents. In limited circumstances,
CDC staff outside these groups or external project collaborators may be granted access
on an as needed basis, at the discretion of the appropriate Branch Chief. External
collaborators are those with whom DHAP has existing cooperative agreements or
contracts involving the collection or analysis of this surveillance data. To obtain access,
others outside the CDC Branches mentioned above must do the following:
1. Pose a specific research question.
2. Estimate the time required for their analysis/access.
3. Agree in writing to abide by DHAP policies on data release and sign the
“Nondisclosure agreement”, the “Request for access...”, and the “Agreement to
abide by restrictions...” documents that contain the policies and guidelines for
use of HIV/AIDS surveillance and related data.
4. Provide an outline on their proposed methodology including names of variables
to be used in the analysis.
5. Collaborate with staff of the HIV Incidence and Case Surveillance Branch or
Behavioral and Clinical Surveillance Branch in analysis, presentation, and
publication of the results of their analysis. In some cases, access to national
data by collaborators may be designed as part of the project protocol, and should
be agreed to by all collaborators on the project.
6. Submit all reports, publications, and presentations to DHAP clearance and
cross-clearance channels.
Alternatives to access to the eHARS data
To reduce the burden on HICSB, BCSB, and QSDMB staff, other CDC staff
requesting HIV/AIDS surveillance data are encouraged to use publicly available
reports, slide sets, and the AIDS PIDS. CDC staff that use HIV/AIDS Surveillance
data for policy development, resource allocation, research prioritization and other
public health purposes are advised to consult with HICSB or BCSB staff to ensure
appropriate interpretation of the data. CDC staff that present or publish HIV/AIDS
surveillance data should adhere to CDC policies for clearance and cross-clearance
to ensure that data are presented and interpreted consistently and accurately.
1. The HIV/AIDS SURVEILLANCE Report is published annually. The report is a
collection of tables and figures describing the characteristics of HIV/AIDS
cases in the United States. The report includes national data on age, sex,
race, and transmission category, and annual AIDS incidence by State and
metropolitan statistical area (MSA) if greater than 500,000 population. This
report is updated to include data reported to CDC through December 31
annually.
2. DHAP produces numerous supplemental reports, MMWR articles, and
peer-reviewed publications. Copies can be obtained from the HICSB at
(404)-639-2050, or the BCSB at (404) 639-2090.
3. The AIDS Public Information Data Set is distributed in microcomputer format.
The dataset is updated annually and contains a record for each AIDS case
reported to CDC in a single data file containing variables extracted from
CDC’s national AIDS surveillance data base. The variables are formatted so
as not to release patient data that could directly or indirectly identify the
individual. The tables for the United States, individual States, MSAs and
county or health districts contain frequency tables and cross tabulations of a
small number of variables extracted from the AIDS data base. Included is
one set of tables for the entire United States, one set for each state and the
District of Columbia. All MSAs with 500,000 or more population are included
in the data set. Selected MSAs between 100,000 and 500,000, and selected
counties or health districts are included in the data set, based on the data
release policies of the individual states.
4. DHAP surveillance publications and the AIDS PIDS can be accessed through
the CDC website at
http://www.cdc.gov/hiv/topics/surveillance/resources/software/apids/index.htm
and also through the National Prevention Information Network (NPIN) at
http://www.cdcnpin.org/scripts/hiv/surv.asp
5. The DHAP HICSB and BCSB, wishing to be responsive to specific data
requests having important public health application, will consider requests for
data and data analysis which cannot be responded to using production
materials. For requests requiring HICSB, BCSB, or in some cases QSDMB
response, submission in written format is preferred to assist in ensuring an
appropriate response. Due to limited resources, response to requests for
data is not guaranteed and data will be supplied only if its release does not
conflict with current disclosure prohibitions. Consideration will be given to
verbal requests from:
• The Executive Branch; Members of Congress and their staffs; senior
staff from other Federal agencies; the States; associations serving the
States (e.g., ASTHO, CSTE, NASTAD); other public institutions of
CDC interest (e.g., The Red Cross and National Hemophilia
Foundation); and selected CDC staff serving these constituencies.
• The Press after screening by NCHHSTP, Office of Communications.
After screening, requests will be taken verbally but requesters will be
encouraged to submit their queries in writing to ensure an appropriate
response.

Other parties and individuals should submit requests in written format to the
Chief of either HICSB or BCSB, or one of their designees. Due to limited
resources, response cannot be guaranteed. The AIDS Public Information Data
Set and published materials will be suggested as an alternative resource.

Confidentiality Security Statement Attachment 3
Safeguards for Individuals and Establishments
Against Invasions of Privacy
In accordance with Subsection (m) of the Privacy Act of 1974 (5 U.S.C. 552a) and
Section 308(d) of the Public Health Service Act (42 U.S.C. 242m), the contractor is
required to comply with the applicable provisions of the Privacy Act and to undertake
other safeguards for individuals and establishments against invasions of privacy.
To provide these safeguards in performance of the contract, the contractor shall:
1. Be bound by the following assurance:
Assurance of Confidentiality
In accordance with Section 308(d) of the Public Health Service Act (42
U.S.C. 242m), the contractor assures all respondents that the
confidentiality of their responses to this information request will be
maintained by the contractor and CDC and that no information obtained in
the course of this activity will be disclosed in a manner in which the
individual or establishment is identifiable, unless the individual or
establishment has consented to such disclosure, to anyone other than
authorized staff of CDC.

2. Maintain the following safeguards to assure that confidentiality is protected by
contractor’s employees and to provide for the physical security of the records:
a. After having read the above assurance of confidentiality, each
employee of the contractor participating in this project is to sign the
following pledge of confidentiality:
I have carefully read and understand the assurance which pertains
to the confidential nature of all records to be handled in regard to
this survey. As an employee of the contractor I understand that I
am prohibited by law from disclosing any such confidential
information which has been obtained under the terms of this
contract to anyone other than authorized staff of CDC. I
understand that any willful and knowing disclosure in violation of
the Privacy Act of 1974 is a misdemeanor and would subject the
violator to a fine of up to $5,000.

b. To preclude observation of confidential information by persons not
employed on the project, the contractor shall maintain all
confidential records that identify individuals or establishments or
from which individuals or establishments could be identified under
lock and key.
Specifically, at each site where these items are processed or
maintained, all confidential records that will permit identification of
individuals or establishments are to be kept in locked containers
when not in use by the contractor’s employees. The keys or means
of access to these containers are to be held by a limited number of
the contractor’s staff at each site. When confidential records are
being used in a room, admittance to the room is to be restricted to
employees pledged to confidentiality and employed on this project.
If at any time the contractor’s employees are absent from the room,
it is to be locked.
c. The contractor and his professional staff will take steps to insure
that the intent of the pledge of confidentiality is enforced at all times
through appropriate qualifications standards for all personnel
working on this project and through adequate training and periodic
follow up procedures.

3. Print on the questionnaire in a clearly visible location and in clearly visible letters
the following notice of the confidential treatment to be accorded the information
on the questionnaire by any individual who may see it:
Confidential Information
Information contained on this form which would permit identification of any
individual or establishment has been collected with a guarantee that it will
be held in strict confidence by the contractor and CDC, will be used only
for purposes stated in this project, and will not be disclosed or released to
anyone other than authorized staff of CDC without the consent of the
individual or the establishment in accordance with Section 308(d) of the
Public Health Service Act (42 U.S.C. 242m).

4. On a letter or other form that can be retained by the individual or the
establishment, or on the questionnaire form itself if it is a self-administered
questionnaire, inform in clear and simple terms each individual or establishment
asked to supply information:
a. That the collection of the information by CDC and its contractor is
authorized by Sections 304 and 306 of the Public Health Service
Act (42 U.S.C. 242b and 242k);

b. Of the purpose or purposes for which the information is intended to
be used, clearly stating that the records will be used solely for
epidemiological or statistical research and reporting purposes;

c. Of the routine uses that may be made of the information, including
all disclosures specified in the “Federal Register” for this system of
records which may be applicable to this project;

d. That participation is voluntary and there are no penalties for
declining to participate in whole or in part; and

e. That no information collected under the authority of Sections 304
and 306 of the Public Health Service Act (42 U.S.C. 242b and
242k) may be used for any purpose other than the purpose for
which it was supplied, and such information may not be published
or released in other form if the particular individual or establishment
supplying the information or described in it is identifiable to anyone
other than authorized staff of CDC, unless the individual or
establishment has consented to such release.
(The voluntary disclosure by the respondent of requested
information after being informed of preceding paragraphs a through
d is an acknowledgment of the uses and disclosures contained in
paragraph c.)

5. Release no information from the data obtained or used under this contract to
any person except authorized staff of CDC.

6. By a specified date, which may be no later than the date of completion of the
contract, return all project data to CDC or destroy all such data, as specified by
the contract.
_____________________________
(Typed/printed Name)

_____________________________
(Signature)
_____________________________
(Date)


File Type: application/pdf
File Title: Microsoft Word - Attachment 8 b cover.doc
Author: smh1
File Modified: 2012-10-29
File Created: 2012-09-10
