HIV Surveillance Confidentiality Security Statement and Data Access Packet

Att 7b_HIV Surveillance Confidentiality Security Statement and Data Access Packet.pdf

National HIV Surveillance System (NHSS)

HIV Surveillance Confidentiality Security Statement and Data Access Packet

OMB: 0920-0573

Document [pdf]
Download: pdf | pdf
National HIV Surveillance System (NHSS)

Attachment 7b.
HIV Surveillance Confidentiality Security Statement and Data Access Packet

CONFIDENTIALITY SECURITY STATEMENT
FOR THE NATIONAL HUMAN IMMUNODEFICIENCY VIRUS (HIV)
SURVEILLANCE SYSTEM (NHSS) AND SURVEILLANCE-RELATED DATA
(INCLUDING SURVEILLANCE INFORMATION, CASE INVESTIGATIONS,
SUPPLEMENTAL SURVEILLANCE PROJECTS, RESEARCH ACTIVITIES, AND
EVALUATIONS)
(Revised July 2016)

The HIV Incidence and Case Surveillance Branch (HICSB) and the Behavioral and Clinical
Surveillance Branch (BCSB),Division of HIV/AIDS Prevention (DHAP), National Center for
HIV/AIDS, Viral Hepatitis, STD, and TB Prevention (NCHHSTP) in the Office of Infectious
Diseases (OID) have received approval for another extension of a 308(d) Assurance of
Confidentiality protection for data collected through the National HIV Surveillance System and
Surveillance-related Data (including surveillance information, case investigations, supplemental
surveillance projects, research activities, and evaluations) and conducted under cooperative
agreements with state, city and territorial health departments. This extension is due to expire
February 2018. Because of this Assurance of Confidentiality, documents and files which contain
patient-level information on persons reported as having HIV infection or having been exposed to
HIV-infection in the case of infants born to HIV-infected mothers, or individual-level data from
surveillance surveys, case investigations, and evaluation studies, are considered confidential
materials and must be safeguarded to the greatest extent possible. The confidentiality of HIV
Surveillance program data collected at the local and state levels is protected under state/territorial
law, rule, or regulation. Although patient and physician names, addresses, phone numbers, or
other directly identifying information, are not routinely reported to CDC by health departments,
HIV surveillance case reports and other surveillance-related data are highly sensitive, and may
have the potential to indirectly identify infected individuals. Therefore, these HIV surveillance
and related data have a need for 308(d) protection, and the security requirement is rated as high.
It is the professional, ethical and legal responsibility of each DHAP HICSB, BCSB, and
Quantitative Sciences and Data Management Branch (QSDMB) permanent employee, their
contractors, guest researchers, fellows, visiting scientists, research interns and graduate students
who participate in activities jointly approved by CDC and the sponsoring academic institution,
and the like, who are granted access to data from HIV surveillance program activities to protect
the right to confidentiality of all persons reported as having HIV or participating in CDCsponsored surveys, investigations, or studies related to HIV surveillance. This document
describes the procedures and practices that DHAP intends to use to protect the confidentiality of
the data collected as part of the HIV surveillance program, whether it is sponsored by HICSB or
BCSB.
Portions of the data analysis and programming work which support this project are performed
under contract. Therefore, we have included reference to contractors in the Assurance of
Confidentiality Statement and this Confidentiality Security Statement. The Procurement and
Grants Office should include appropriate reference to 308(d) Assurance of Confidentiality
protection requirements. All contractor staff undergo limited background investigations prior to
performing any work at CDC.

Authorized staff of the DHAP HICSB, BCSB, and QSDMB, their contract staff and other
authorized agents (e.g. CDC laboratory and data management personnel, or staff in the
Information Technology Service Organization-ITSO) are required to maintain and protect at all
times the confidentiality of records that may come into their presence and under their control. In
particular, they may not discuss, reveal, present, or confirm to external parties information on, or
characteristics of, individual cases, or small numbers of cases, in any manner that could directly
or indirectly identify any individual on whom a record is maintained by an HIV Surveillance
program. To assure that they are aware of this responsibility and the penalties for failing to
comply, each DHAP HICSB, BCSB, and QSDMB staff member who is granted access to
surveillance records or related files, their contract staff and other authorized agents, as well as
ITSO staff and contractors who support the servers in the data centers which contain such data,
will be required to read and sign a Nondisclosure Agreement applicable to either FTEs or
Contractors (See Attachments 1 and 2), assuring that all information in HIV surveillance
program records and related files will be kept confidential and will be used only for
epidemiologic or statistical purposes. All staff working on surveillance program activities are
required to take annual security and confidentiality training that includes review of the assurance
of confidentiality, and security and confidentiality procedures. Signed agreements will be
obtained at this time from each staff person who is authorized to access HIV surveillance
records. Confidentiality training shall be conducted annually and participation in such training
shall be mandatory for all persons granted access to surveillance program records and related
files. HICSB, BCSB, and QSDMB staff, their contractors and other authorized agents (e.g.,
ITSO staff) shall be required to sign confidentiality agreements on an annual basis. It shall be
the responsibility of the Technical and Business Stewards to provide for in person and/or on-line
training as needed and obtaining signed authorizations from employees, contractors, and other
authorized individuals who are granted access to HIV surveillance records prior to the next
annual confidentiality training session.
The Business Steward for HIV Surveillance program activities is the Chief, HIV Incidence and
Case Surveillance Branch, DHAP (Dr. H. Irene Hall); alternate is the Deputy Chief, HIV
Incidence and Case Surveillance Branch, DHAP (Kim Safford). The Business Steward for
Behavioral and Clinical Surveillance program activities is the Chief, Behavioral and Clinical
Surveillance Branch, DHAP (Dr. Joseph Prejean); alternate is Deputy Chief, Behavioral and
Clinical Surveillance Branch, DHAP (Dawn Gnesda). The Technical Stewards are Patricia
Sweeney, Epidemiologist, HIV Incidence and Case Surveillance Branch, and Kimberly
Crenshaw, Lead, Data Management Team, Quantitative Sciences and Data Management Branch.
Attachment 1 is the FTE Nondisclosure Agreement that all CDC employees, students, guest
researchers, and fellows participating in HIV surveillance program activities will sign. The
originals will be retained by HICSB, BCSB, and QSDMB within DHAP and will be made
available for review upon request by Confidentiality Unit Staff in the Office of the CDC
Associate Director for Science. Attachment 2 is the Contractor Nondisclosure Agreement Safeguards for individuals and establishments against invasions of privacy. Contracts needed to
support HIV surveillance program activities contain 308(d) clauses, and all contractor employees
with access to the data are required to sign this agreement. Attachment 3 is the HIV
Surveillance and Surveillance-related Data Release Policy. Attachment 4 is the agreement to
abide by restrictions on release of HIV surveillance and surveillance –related data collected and
maintained by the DHAP which must be signed by all HICSB, BCSB, and QSDMB staff, their

contractors and other authorized agents who are granted access to records, files and databases
containing HIV Surveillance and Surveillance-related information. The provisions of
Attachment 3 and 4 have been negotiated between CDC, the Council of State and Territorial
Epidemiologists, and individual state/territorial health departments. Attachment 5 is the request
for access to HIV Surveillance and Surveillance-related Databases form. Originals of these
documents will be retained by HICSB, BCSB, and QSDMB and will be made available for
review upon request by Confidentiality Unit Staff in the Office of the CDC Associate Director
for Science. Documentation listing contractors will be maintained and should be available to the
DHAP Contract Technical Monitor.

Restrictions on Use of Information and Safeguarding Measures
Information collected in the course of conducting HIV Surveillance program activities will be
used only for epidemiologic or statistical purposes and shall not otherwise be divulged or made
known in any manner that could result in the direct or indirect identification of any individual on
whom a record is maintained.
Except in rare and unusual circumstances, records or data containing names or other personally
identifying information for individual patients will not be received by DHAP on any records
from HIV surveillance program activities. Although data collection forms that CDC provides to
HIV surveillance cooperative agreement recipients to use in HIV case reporting or CDCsponsored surveillance projects or activities may enable the collection of personal identifiers at
the local, state, or territorial level, these identifiers will be removed before transmittal to DHAP.
In unusual circumstances, such as investigations of cases involving rare or unusual modes of
HIV transmission or potential threats to public health (e.g. unusual strains of HIV that may be
undetected through routine screening of the blood supply) in which expert CDC staff participate
with local/state/territorial health department staff at their invitation, CDC staff may retain
records with information that identifies patients, physicians or other health care providers,
laboratory personnel and other records necessary to the conduct of the epidemiologic
investigation. Such records require additional protection, and must be maintained in a locked file
cabinet in a locked room which is secured by restricted access. In all circumstances, only the
minimum identifying information necessary to the conduct of the investigation shall be
maintained. Disclosure of identifying information from such investigations is prohibited, except
as provided in the Assurance of Confidentiality.
Data collection forms will contain only state assigned patient identification numbers and may
contain soundex codes generated from patient surnames, or other state-assigned codes.
However, because these are 308(d) protected data, they will be transmitted to CDC in a secure
and confidential manner. Hard copies of data collection forms may only be transmitted to CDC
staff of DHAP if identifying information has been stripped and records placed in sealed
envelopes marked “confidential.” Following data entry and verification, as soon as feasible,
such hard copies should be shredded or destroyed. Electronic data are transmitted via the Secure
Access Management Services (SAMS) or other secure file transport mechanism implemented or
approved by CDC. All data transmissions must be encrypted after deleting patient and physician
identifiers.

DHAP HICSB, BCSB, and QSDMB staff, their contractors and other authorized agents are
responsible for protecting all confidential records containing information that could potentially
identify, directly or indirectly, any person on whom a record is maintained from eye observation,
from theft, or from accidental loss or misplacement due to carelessness. All reasonable
precautions will be taken to protect confidential surveillance data.
All contractor personnel will receive project-specific training in confidentiality procedures, in
addition to the training and background investigations they must receive/undergo prior to being
hired by the contractor. All contractors and their records must be maintained in a physically
secure environment with appropriate oversight by the technical monitor.
If a local/state/territorial health department inadvertently fails to remove personal identifiers of
individual patients, their family members or sexual or drug-using partners, or health care
providers before forwarding hard copy forms to DHAP, or incorrectly enters such identifying
data into comments fields, DHAP staff will immediately delete the identifiers, and remind health
department personnel of the appropriate procedures to follow to delete such identifiers prior to
transmitting records and forms to CDC, and report the incident to the technical monitor, branch
management, and NCHHSTP Information System Security Officer (ISSO) as needed.
Except as needed for operational purposes, photocopies of confidential records are not to be
made. If photocopies are necessary, care should be taken that all copies and originals are
recovered from the copy machines and work areas. Correspondence containing sensitive
information, e.g., regarding an epidemiologic case investigation, shall be maintained in a locked
file cabinet. All confidential paper records will be destroyed as soon as operational requirements
permit by shredding the documents.
E-mail, memoranda, reports, publications, slides, and presentations that contain data collected
through HIV surveillance program activities shall not contain data or information that could
directly or indirectly identify any person on whom a record is maintained by CDC. In
particular, specific details of case investigations, or specific geographic identifying information
is highly sensitive material. It shall be the responsibility of each DHAP HICSB, BCSB, or
QSDMB staff member, their contractors or other authorized agents who are granted access to
sensitive surveillance information to safeguard such data. Only the minimum information
necessary to conduct the CDC staff member’s or contractor’s specific job-related duties shall be
accessed. Telephone conversations with local/state/territorial health department personnel that
include discussions of sensitive information shall be conducted discreetly, preferably in private
walled offices.

Enhanced Protection of Computerized Files
All data will be protected in confidential computer files. The following safeguards are
implemented to protect HIV Surveillance files so that the accuracy and the confidentiality of the
data can be maintained:
Computer files containing programs, documents, or confidential data will be stored in
computer systems that are protected from accidental alteration and unauthorized access.
Computer files will be protected by password systems, access controls which can be

audited, virus detection procedures, and routine backup procedures. Data stored at state
and local health departments using CDC-supplied software designed to manage data for
surveillance program activities are protected by security requirements that each grantee
must certify it complies with before any cooperative agreements can be awarded; the
software ensures that the data transmitted to CDC will be in a format that is compatible
with the security and confidentiality requirements of the HIV surveillance databases
maintained by CDC.
The data centers maintained by ITSO and CDC contractors comply with federal policies,
statutes, regulations, and other directives for the collection, maintenance, use, and
dissemination of data, including the Department of Health and Human Services
Automated Information Systems Security Program, the Computer Security Act of 1987
(Public Law 100-235), the E-Government Act of 2002 (Public Law 107-347), and the
Federal Information Security Management Act (FISMA). Additionally, the data centers
also are in compliance with CDC's OCISO ADP Security Policy. The data centers
currently operate under Windows 2008 with Active Directory. Security features
implemented include physical controls, user ID and password protection, mandatory
password changes, limited logins, user rights/file attribute restrictions and virus
protection.
Data will be entered into computer files by staff at state and local health departments and
transmitted electronically via encrypted files to DHAP QSDMB staff for uploading from
QSDMB offices into the servers at the Chamblee Data Center. DHAP employees or
contractors, and any ITSO or other CDC employees or contractors who service or
maintain the systems or components necessary to support data management of HIV
surveillance program files, will be granted access to the files only upon express written
approval by a Business Steward (Chief, HICSB or BCSB). Authorized users will be
maintained by the Data Stewards via the Multi-User Share Tool (MUST), and the
Technical and Business Stewards will review the list on at least an annual basis to delete
persons no longer needing access. Access is removed when staff no longer require it by
removal of the user through the use of the MUST tool by the Technical or Business
Stewards.
Encrypted backup copies of data will be made by the data center tape backup system.
Backup storage services are provided under a separate CDC-wide contract. Contractor
facilities and staff are subject to the same federal policies, statutes, regulations, and other
directives, as well as to departmental and CDC security policies, which apply to CDC
data center servers and staff. Access to backup tapes is restricted to ITSO and contract
staff responsible for maintaining the backup procedures.

Dissemination of Data from HIV Surveillance Program Activities
State and local health departments receive confirmation of their transmittals of data to CDC.
DHAP HICSB, BCSB, and QSDMB staff are responsible for timely dissemination of aggregate
data at the national level, consistent with the data release policies described in Attachment 3.
Data will generally be reported only in aggregate form as summary statistics including
restrictions on small cell sizes and geographic identifiers; such statistics could not be used to

indirectly identify an individual. Modes of disseminating data include reports, articles in the
MMWR, peer-reviewed publications, public use slide sets, and public use data sets. DHAP
HICSB, BCSB, and QSDMB staff may provide data in response to special requests from
Congress, the Department of HHS, other government agencies, and other programs within CDC
on a priority basis with the approval of the Director, DHAP or the Business or Technical
Stewards.
Data may also be analyzed and disseminated by external collaborators and their contracted
agents with appropriate authorization and in collaboration with CDC DHAP Branches. External
collaborators are those with whom DHAP has existing cooperative agreements or contracts
involving the collection or analysis of the surveillance data. Requests for such access to the data
and subsequent analysis and dissemination must be made according to the procedures outlined in
Attachments 3 and 4 of the Confidentiality Security Statement.
In limited circumstances, restricted data sets could be made available to external researchers with
approval of the appropriate branch chief, and each relevant project area contributing data to the
project. These requests would also be subject to the procedures outlined in Attachment 3 and 4
of the Security Statement.

Records Disposition for the National Archives and Records Administration
Records that are determined to be permanently valuable are sent to the National Archives and
Records Administration (NARA). Transfers of such records and files will be done in accordance
with the May 1996 agreement stating that CDC will transfer to NARA all permanent data sets in
accordance with approved schedules contained in part IV of the CDC Records Control Schedule
B-321, with the exception of identifying information collected under an Assurance of
Confidentiality agreement as specified under the Public Health Service Act, Sections 301(d) and
308(d).

Confidentiality Security Statement Attachment 1
FTE NONDISCLOSURE AGREEMENT
(308(d) Assurance of Confidentiality for CDC/DHAP Employees)

The success of CDC’s operations depends upon the voluntary cooperation of states, of
establishments, and of individuals who provide the information required by CDC
programs under an assurance that such information will be kept confidential and be
used only for epidemiological or statistical purposes.
When confidentiality is authorized, CDC operates under the restrictions of Section
308(d) of the Public Health Service Act which provides in summary that no information
obtained in the course of its activities may be used for any purpose other than the
purpose for which it was supplied, and that such information may not be published or
released in a manner in which the establishment or person supplying the information or
described in it is identifiable unless such establishment or person has consented.
“I am aware that unauthorized disclosure of confidential information is punishable under
Title 18, Section 1905 of the U.S. Code, which reads:
‘Whoever, being an officer or employee of the United States or of any department
or agency thereof, publishes, divulges, discloses, or makes known in any manner or
to any extent not authorized by law any information coming to him in the course of
his employment or official duties or by reason of any examination or investigation
made by, or return, report or record made to or filed with, such department or
agency or officer or employee thereof, which information concerns or relates to the
trade secrets, processes, operations, style of work, or apparatus, or to the identity,
confidential statistical data, amount or source of any income, profits, losses, or
expenditures of any person, firm, partnership, corporation, or association; or
permits any income return or copy thereof or any book containing any abstract or
particulars thereof to be seen or examined by any person except as provided by
law; shall be fined not more than $1,000, or imprisoned not more than one year, or
both; and shall be removed from office or employment.’
“I understand that unauthorized disclosure of confidential information is also punishable
under the Privacy Act of 1974, Subsection 552a (i) (1), which reads:
‘Any officer or employee of any agency, who by virtue of his employment or official
position, has possession of, or access to, agency records which contain individually
identifiable information the disclosure of which is prohibited by this section or by
rules or regulations established thereunder, and who knowing that disclosure of the
specific material is so prohibited, willfully discloses the material in any manner to
any person or agency not entitled to receive it, shall be guilty of a misdemeanor and
fined not more than $5,000.’

“My signature below indicates that I have read, understood, and agreed to comply with
the above statements.”
________________________
Typed/Printed Name

__________________________
Signature

_________________________________
National Center/Institute/Office/Branch
Rev. February 2013, based on CDC 0.979 (E) 10/2012

________________
Date

Confidentiality Security Statement Attachment 2 Contractor Non-Disclosure Agreement
Safeguards for Individuals and Establishments
Against Invasions of Privacy
In accordance with Subsection (m) of the Privacy Act of 1974 (5 U.S.C. 552a) and
Section 308(d) of the Public Health Service Act (42 U.S.C. 242m), the contractor is
required to comply with the applicable provisions of the Privacy Act and to undertake
other safeguards for individuals and establishments against invasions of privacy.
To provide these safeguards in performance of the contract, the contractor shall:
1.

Be bound by the following assurance:
Assurance of Confidentiality
In accordance with Section 308(d) of the Public Health Service Act (42
U.S.C. 242m), the contractor assures all respondents that the
confidentiality of their responses to this information request will be
maintained by the contractor and CDC and that no information obtained in
the course of this activity will be disclosed in a manner in which the
individual or establishment is identifiable, unless the individual or
establishment has consented to such disclosure, to anyone other than
authorized staff of CDC.

2.

Maintain the following safeguards to assure that confidentiality is protected by
contractor’s employees and to provide for the physical security of the records:
a.

After having read the above assurance of confidentiality, each
employee of the contractor participating in this project is to sign the
following pledge of confidentiality:
I have carefully read and understand the assurance which pertains
to the confidential nature of all records to be handled in regard to
this survey. As an employee of the contractor I understand that I
am prohibited by law from disclosing any such confidential
information which has been obtained under the terms of this
contract to anyone other than authorized staff of CDC. I
understand that any willful and knowing disclosure in violation of
the Privacy Act of 1974 is a misdemeanor and would subject the
violator to a fine of up to $5,000.

b.

To preclude observation of confidential information by persons not
employed on the project, the contractor shall maintain all
confidential records that identify individuals or establishments or
from which individuals or establishments could be identified under
lock and key.

Specifically, at each site where these items are processed or
maintained, all confidential records that will permit identification of
individuals or establishments are to be kept in locked containers
when not in use by the contractor’s employees. The keys or means
of access to these containers are to be held by a limited number of
the contractor’s staff at each site. When confidential records are
being used in a room, admittance to the room is to be restricted to
employees pledged to confidentiality and employed on this project.
If at any time the contractor’s employees are absent from the room,
it is to be locked.
c.

3.

The contractor and his professional staff will take steps to insure
that the intent of the pledge of confidentiality is enforced at all times
through appropriate qualifications standards for all personnel
working on this project and through adequate training and periodic
follow up procedures.

Print on the questionnaire in a clearly visible location and in clearly visible letters
the following notice of the confidential treatment to be accorded the information
on the questionnaire by any individual who may see it:
Confidential Information
Information contained on this form which would permit identification of any
individual or establishment has been collected with a guarantee that it will
be held in strict confidence by the contractor and CDC, will be used only
for purposes stated in this project, and will not be disclosed or released to
anyone other than authorized staff of CDC without the consent of the
individual or the establishment in accordance with Section 308(d) of the
Public Health Service Act (42 U.S.C.242m).

4.

On a letter or other form that can be retained by the individual or the
establishment, or on the questionnaire form itself if it is a self-administered
questionnaire, inform in clear and simple terms each individual or establishment
asked to supply information:
a.

That the collection of the information by CDC and its contractor is
authorized by Sections 304 and 306 of the Public Health Service
Act (42 U.S.C.242b and 242k);

b.

Of the purpose or purposes for which the information is intended to
be used, clearly stating that the records will be used solely for
epidemiological or statistical research and reporting purposes;

c.

Of the routine uses that may be made of the information, including
all disclosures specified in the “Federal Register” for this system of
records which may be applicable to this project;

d.

That participation is voluntary and there are no penalties for
declining to participate in whole or in part; and

e.

That no information collected under the authority of Sections 304
and 306 of the Public Health Service Act (42 U.S.C. 242b and
242k) may be used for any purpose other than the purpose for
which it was supplied, and such information may not be published
or released in other form if the particular individual or establishment
supplying the information or described in it is identifiable to anyone
other than authorized staff of CDC, unless the individual or
establishment has consented to such release.
(The voluntary disclosure by the respondent of requested
information after being informed of preceding paragraphs a through
d is an acknowledgment of the uses and disclosures contained in
paragraph c.)

5.

Release no information from the data obtained or used under this contract to
any person except authorized staff of CDC.

6.

By a specified date, which may be no later than the date of completion of the
contract, return all project data to CDC or destroy all such data, as specified by
the contract.
_____________________________
(Typed/printed Name)

_____________________________
(Signature)
_____________________________

Confidentiality Security Statement Attachment 3
POLICY FOR RELEASE OF CENTERS FOR DISEASE CONTROL AND
PREVENTION (CDC) HIV SURVEILLANCE AND SURVEILLANCE-RELATED DATA

Description of the system
The National HIV Surveillance System (NHSS) is comprised of HIV case reports
submitted on a voluntary basis to CDC by the 50 states, the District of Columbia, and
U.S. dependent areas (e.g., American Samoa, Guam, Northern Mariana Islands,
Puerto Rico, the Republic of Palau, and the U.S. Virgin Islands).
Encrypted case reports and other surveillance related data are received electronically
using standardized reporting forms and software. The data from state and local health
departments are decrypted and the CDC databases are updated on a regular basis to
include all cases received and processed through the last day of the previous cycle.
Personally identifying information on each case is deleted prior to transfer to CDC and
cases are identified at the national level only by soundex code based on patient’s
surname, date of birth, and a state-assigned patient identification number.
The HIV Incidence and Case Surveillance Branch (HICSB), the Behavioral and
Clinical Surveillance Branch (BCSB) and the Quantitative Sciences and Data
Management Branch (QSDMB) of the Division of HIV/AIDS Prevention (DHAP)
maintain a large number of databases on individuals at risk for or diagnosed with HIV
infection including case reports, case investigations, related surveillance databases,
surveys, and data from medical records, laboratories or public health databases.
All data collected and maintained by HICSB, BCSB, and QSDMB must be managed,
presented, published and released in accordance with strict adherence to the
standards for confidentiality and security consistent with the principles and guidelines
for HIV case report data. These principles and guidelines must be strictly followed as
geographic and small cell data may be indirectly identifying when combined with
detailed information contained in case reports, questionnaires, or from laboratory or
medical records.

Restrictions on release of data
HIV surveillance data and data from surveillance-related projects, evaluation studies,
and case investigations are collected under Sections 304 and 306 of the Public Health
Service Act (42 U.S.C. 242b and 242k) and are protected at the national level by an
Assurance of Confidentiality (Section 308(d) of the Public Health Service Act, 42
U.S.C. 242 m(d)), which prohibits disclosure of any information that could be used to
directly or indirectly identify individuals whose records are contained in the NHSS and
surveillance related databases. This prohibition has led to the formulation of guidelines
for data release. The guidelines reflected in this policy and related standard operating
procedures represent a balance between the potential for inadvertent disclosure and
the need for CDC/DHAP to be responsive to information requests having legitimate

public health application. The data release policies were developed jointly by CDC and
the Council of State and Territorial Epidemiologists (CSTE). Each state or local HIV
Surveillance Coordinator and state epidemiologist was surveyed and elected the level
of geographic specificity (e.g., state, county, size of MSA or other geographic area) at
which CDC may report data on HIV cases residing in that state. These principles and
restrictions should also be applied to other data and information collected and
maintained by the DHAP HICSB or BCSB. Specific surveillance activities may have
additional data release requirements that are specified in their respective protocols. In
the absence of project specific data release policies or agreements with project areas,
these restrictions apply.
As a general rule, requests from the public, the media, and other government
agencies for state/local data will be referred to the local area for reply. There are two
reasons for this: 1) local health departments can release their HIV surveillance data in
accordance with locally established policies and procedures, and 2) the delay between
the date of diagnosis and report to CDC ensures that local health department data are
more current than those contained in the NHSS database. However, CDC may
release data to the public, for presentation in oral and written publications, and
otherwise make data available for epidemiologic and public health purposes within the
guidelines specified and described in the document “Agreement to abide by
restrictions on release of surveillance data...” When publishing or presenting
state/local data, CDC staff should notify the local areas in advance whenever possible.
Outside the bounds of these guidelines, CDC will not release, in any format, state,
county, MSA, or U.S. dependent area-specific data without the consent of the
appropriate state or local health departments.

Access to the database
The DHAP HICSB and BCSB are charged with the responsibility of maintaining the
security and confidentiality as well as the scientific integrity of the surveillance
database. Access to data beyond that available for public use is limited, through
password protection, to members of DHAP HICSB and BCSB, and selected members
of the DHAP QSDMB, their contractors and other authorized agents. In limited
circumstances, CDC staff outside these groups or external project collaborators may
be granted access on an as-needed basis, at the discretion of the appropriate branch
chief. External collaborators are those with whom DHAP has existing cooperative
agreements or contracts involving the collection or analysis of these surveillance data.
To obtain access, others outside the CDC Branches mentioned above must do the
following:
1. Pose a specific research question.
2. Estimate the time required for their analysis/access.
3. Agree in writing to abide by DHAP policies and procedures on data release and
sign the “Nondisclosure agreement”, the “Request for access...”, and the
“Agreement to abide by restrictions...” documents or other documents as

required for specific projects that contain the policies and guidelines for use of
HIV surveillance and related data.

4. Provide an outline on their proposed methodology including names of variables
to be used in the analysis.
5. Collaborate with staff of the HICSB or BCSB in analysis, presentation, and
publication of the results of their analysis. In some cases, access to national data
by collaborators may be designed as part of the project protocol, and should be
agreed to by all collaborators on the project.
6. Submit all reports, publications, presentation to DHAP clearance and crossclearance channels.

Alternatives to access of NHSS or other surveillance related data
To reduce the burden on HICSB, BCSB, and QSDMB staff, other CDC staff persons
requesting HIV surveillance data are encouraged to use publicly available reports,
slide sets, and the NCHHSTP Atlas. CDC staff that use HIV surveillance data for
policy development, resource allocation, research prioritization and other public health
purposes are advised to consult with HICSB or BCSB staff to ensure appropriate
interpretation of the data. CDC staff that present or publish HIV surveillance data
should adhere to CDC policies for clearance and cross-clearance to ensure that data
are presented and interpreted consistently and accurately.
1. The HIV Surveillance Report is published annually. The report is a collection
of tables and figures describing the characteristics of persons diagnosed with
HIV infection and stage 3 (AIDS) classifications in the United States and
dependent areas. The report includes data on age, sex, race/ethnicity, and
transmission category, and by state, region of residence, metropolitan
statistical area (if greater than 500,000 population), and dependent area. This
report is updated annually to include data diagnosed through December 31
(of a given year) and reported to CDC through June 30 (of the following year).
2. DHAP produces numerous supplemental reports, slides sets, fact sheets,
MMWR articles, and peer-reviewed publications. DHAP surveillance
publications can be accessed through the CDC website at www.cdc.gov/HIV
or by contacting HICSB at (404)-639-2050 or BCSB at (404) 639-2090.

3. The NCHHSTP Atlas provides an interactive platform for accessing HIV
surveillance data, allowing users to observe trends and patterns by creating
detailed reports, maps, and other graphics. Currently, the Atlas provides
interactive maps, graphs, tables, and figures showing geographic patterns
and time trends of HIV infection, stage 3 (AIDS) classifications, viral hepatitis,
tuberculosis, chlamydia, gonorrhea, and primary and secondary syphilis

surveillance data. Data are currently available at the national level as well as
state/dependent area level. The NCHHSTP Atlas can be accessed at
http://www.cdc.gov/nchhstp/atlas/.
4. State-level data can also be accessed through state/local health department
websites. A listing of websites for state/local health departments can be found
on the last page of DHAP’s annual HIV Surveillance Report. DHAP
surveillance publications and the NCHHSTP Atlas can be accessed through
the CDC website at http://www.cdc.gov/hiv/topics/surveillance/index.htm
5. The DHAP HICSB and BCSB, wishing to be responsive to specific data
requests having important public health application will consider requests for
data and data analysis which cannot be responded to using production
materials. For requests requiring HICSB, BCSB, or in some cases QSDMB
response, submission in written format is preferred to assist in ensuring an
appropriate response. Due to limited resources, response to requests for data
is not guaranteed and data will be supplied only if their release does not
conflict with current disclosure prohibitions. Consideration will be given to
verbal requests from:
•

The Executive Branch; Members of Congress and their staffs; senior
staff from other Federal agencies (HUD, HRSA, SAMHSA); the states;
associations serving the states (e.g., ASTHO, CSTE, NASTAD); other
public institutions of CDC interest (e.g., The Red Cross and National
Hemophilia Foundation); and selected CDC staff serving these
constituencies.

•

The NCHHSTP, Program Planning & Policy Coordination Office or
DHAP Office of Policy, Planning and Communications. After
screening, requests will be taken verbally but requesters will be
encouraged to submit their queries in writing to ensure an appropriate
response.

Other parties and individuals should submit requests in written format to the Chief of
either HICSB or BCSB, or one of their designees. Due to limited resources, response
cannot be guaranteed. Responses and request fulfillment are at the discretion of the
Branch Chief.

Confidentiality Security Statement Attachment 4
AGREEMENT TO ABIDE BY RESTRICTIONS ON RELEASE OF HIV
SURVEILLANCE AND SURVEILLANCE-RELATED DATA COLLECTED AND
MAINTAINED BY THE DIVISION OF HIV/AIDS PREVENTION (DHAP)
I, ___________________________, understand that data collected by the Centers for
Disease Control and Prevention (CDC) through the National HIV Surveillance System
(NHSS) and related surveillance activities, projects, and case investigations under
Sections 304 and 306 of the Public Health Service Act (42 U.S.C. 242b and 242k) are
protected at the national level by an Assurance of Confidentiality (Section 308(d) of the
Public Health Service Act, 42 U.S.C. 242m(d)), which prohibits disclosure of any
information that could be used to directly or indirectly identify any individual on whom a
record is maintained by CDC. This prohibition has led to the formulation of the following
guidelines for release of HIV case reports and supplemental data collected on such
persons to which, in accepting access to data not considered public use, I agree to
adhere. These guidelines represent a balance between potential for inadvertent
disclosure and the need for CDC/DHAP to be responsive to information requests having
legitimate public health application. In particular, variables that identify geographic units
or facilities have the potential to indirectly identify individuals.
Therefore, I will not release, either inside or outside CDC, state/territorial-, MSA-, city,county-, or other geographic area-specific data in any format (e.g., publications,
presentations, slides, interviews) without the consent of the appropriate state or local
agency, except as consistent with the format described in this document and related
HICSB and BCSB standard operating procedures. Specifically, in accordance with the
terms of written agreements between CDC, the Council of State and Territorial
Epidemiologists (CSTE), and individual state/territorial health departments AND in
accordance with the principles of the Assurance of Confidentiality for HIV surveillance
and surveillance-related data authorized under Section 308d of the U.S. Public Health
Service Act:
Levels of data release:
•

National and regional level — I am permitted to release national and regional
aggregate data without cell size or denominator restrictions.

•

State level (including the District of Columbia and Puerto Rico) — For any
state, the District of Columbia, and Puerto Rico, I am permitted to release one-way
frequencies and two-way stratifications of variables of interest (including sex, age
group, race/ethnicity and transmission category) by location and year (e.g., living
HIV cases by year*state * sex*race) with the denominator rule suppressing data for
stratum-specific populations with less than 100. No numerator suppression rule will
be applied.
o For strata where a population is not available in the U.S. Census (e.g.,
transmission category) the underlying population that is most similar to the
group will be checked before data are released. For example, for black men

who have sex with men, the underlying population of black men will be
checked for that geographic area.
o If the totals could inadvertently disclose a case through back-calculation by
subtraction, secondary or complementary suppression will be done by either
1) combining two or more categories of data (e.g., aggregation of values
within the stratification parameter) or 2) excluding all data in a subcategory
(e.g., blocking disaggregation below a pre-selected value for the stratification
parameter) across multiple states.
•

Dependent areas of American Samoa, Guam, Northern Mariana Islands, the
Republic of Palau and the U.S. Virgin Islands. — I am only permitted to release
and present data for U.S. dependent areas at the country or territory levels. The
release of data below the country or territory level or for additional dependent areas
other than the five areas listed above will require permission by the applicable health
department(s).
o It is permissible to release totals (cumulative and annual) and one-way
frequencies (cumulative only) of sex, age group, race/ethnicity and
transmission by location (e.g., country) (e.g., adults and adolescents living
with diagnosed HIV infection*country*race/ethnicity; stage 3 (AIDS)
classifications*year*country). No suppression rules will be applied at the
country level.

•

MSAs, counties, cities, and other geographic areas with ≥500,000 population
— For areas with ≥500,000 population, I am permitted to release one-way
frequencies and two-way stratifications of variables of interest (including sex, age
group, race/ethnicity and transmission category) by location and year (e.g., living
with HIV ever classified as stage 3 (AIDS) by year*MSA * sex*race) with the
denominator rule suppressing data for stratum-specific populations with less than
100. No numerator suppression rule will be applied.
o For strata where a population is not available in the U.S. Census (e.g.,
transmission category) the underlying population that is most similar to the
group will be checked before release. For example, for black men who have
sex with men, the underlying population of black men will be checked for that
geographic area.
o If the totals could inadvertently disclose a case through back-calculation by
subtraction, secondary or complimentary suppression will be done by either
1) combining two or more categories of data (e.g., aggregation of values
within the stratification parameter) or 2) excluding all data in a subcategory
(e.g., blocking disaggregation below a pre-selected value for the stratification
parameter) across multiple areas.

•

Geographic areas with 50,000 – 499,999 population — I will review the data rerelease agreements and most current standard operating procedures for applicable
areas and restrictions in collaboration with HICSB or BCSB Branch Chief or the
Research and Dissemination Team Leader, HICSB before releasing any data for

geographic areas with 50,000 – 499,999 as the approval of release of data for this
population differs by state.
o General suppression rules for areas with 50,000 – 499,999:
• A denominator rule of <100 will be applied for all frequencies and
stratifications with stratum-specific population denominators <100 in
areas with 50,000 – 499,000 population (i.e., when the stratum-specific
population is <100 for a subgroup, count data will not be presented). In
addition, data will be suppressed when numerators are <5 (e.g., cells
with 0 – 4 will not be presented).
• For strata where a population is not available in the U.S. Census (e.g.,
transmission category) the underlying population that is most similar to
the group will be checked. For example, for black men who have sex
with men, the underlying population of black men will be checked for
that geographic area.
• Any requests for data beyond this data release agreement will require
permission by the applicable health department.
•

Counties <50,000 population — I will review the data re-release agreements and
most current standard operating procedures for applicable areas and restrictions in
collaboration with the HICSB or BCSB Branch Chief or the Research and
Dissemination Team Leader, HICSB before releasing any data for counties with
<50,000 population as the approval of release of data for this population differs by
state.
o General suppression rules for counties <50,000 population:
• A denominator rule of <100 will be applied for all frequencies and
stratifications with stratum-specific population denominators <100 in
counties <50,000 (i.e., when the stratum-specific population is <100 for
a subgroup, count data will not be presented). In addition, data will be
suppressed when numerators are <5 (e.g., cells with 0 – 4 will not be
presented).
• For strata where a population is not available in the U.S. Census (e.g.,
transmission category) the underlying population that is most similar to
the group will be checked. For example, for black men who have sex
with men, the underlying population of black men will be checked for
that geographic area.
• Any requests for data beyond this data release agreement will require
permission by the applicable state health department.

•

Data stability requirements for release of all data regardless of level of
analysis — I will include a cautionary note on stability for all levels of analyses when
estimated numbers are less than 12 or rates are calculated based on numbers less
than 12.
o A notation in either technical notes or footnotes will read “Reported numbers
less than 12, as well as estimated numbers (and accompanying rates and
trends) based on these numbers, should be interpreted with caution because
the numbers have underlying relative standard errors greater than 30% and
are considered unreliable.”

Variables permitted for release: — Any requests for variables other than those listed
below will require approval by the HICSB Chief or Research and Dissemination Team
Leader or BCSB Chief or Behavioral Surveillance or Clinical Outcomes Team Leaders,
BCSB as appropriate:
General
• Location (e.g. U.S., region, state, Metropolitan Statistical Area, county,
dependent area) based on standard definitions
• Year (year of diagnosis [HIV or stage 3 (AIDS) classifications], death,
prevalence, or report)
Demographic/transmission
• Age group (5-year or 10-year age group, at diagnosis, or calculated age at end of
year for prevalence or at death for deaths)
• Race/ethnicity (based on OMB classification)
• Sex
• Transmission or exposure category (see HIV Surveillance Report)

Data release and publication:
•
•

•

I understand that release of data not specifically permitted by this agreement is
prohibited unless written permission is first obtained from the appropriate
Branch Chief (HICSB or BCSB), Division of HIV/AIDS Prevention
When presenting or publishing state-, city-, county-, MSA-, or dependent areaspecific data in accordance with the restrictions outlined above, I will inform the
appropriate state(s) and local health department(s) in advance of the release of
state or local data, so as to afford them the opportunity to anticipate local
queries and prepare their response.
When presenting or publishing data from surveillance-related studies,
investigations, or evaluations, I will adhere to the principles and guidelines
outlined in this agreement and related HICSB and BCSB standard operating
procedures.

Release of geocoded HIV surveillance data:
•

•
•

Any re-release of geocoded HIV surveillance data that identifies the geographic
area below the state or for territory or country level for dependent areas is
subject to written approval of the applicable health department(s) (re-release of
data can be in the form of peer and non-peer reviewed manuscripts, technical
reports, manuals, and presentations).
All publications using geocoded data must be cleared through DHAP HICSB
clearance.
Publication of a manuscript in a journal or as part of conference proceedings
requires a CDC clearance of that manuscript, even if an abstract for that
manuscript was previously cleared.

Data Security:
1. I will not give my access password to any person.
2. I will treat all data at my desk site confidentially and maintain in a locked file
cabinet records that could directly or indirectly identify any individual on whom
CDC maintains a record. Sensitive identifying information from special case
investigations will only be maintained in a locked file cabinet in a locked room
which has restricted access.
3. I will keep all hard copies of data runs containing small cells locked in a file
cabinet when not in use, shredding them when they are no longer necessary to
my analysis.
4. I will not produce a “back-up” data file of HIV case surveillance data or related
databases maintained by DHAP.
5. I will not remove electronic files, records or databases from the worksite, or
access them remotely from home or other unofficial/unapproved off-worksite
location.
6. I will not remove hard copies of case reports, survey instruments, laboratory
reports, confidential communications, or any records containing sensitive data
and information or the like from the worksite.
7. I will not remove from the worksite tabulations or data in any format that could
directly or indirectly identify any individual.
8. I will maintain confidentiality of records on individuals in all discussions,
communications, e-mails, tabulations, presentations, and publications (and the
like) by using only the minimum information necessary to describe the individual
case.
9. I will not release data to the press or media without pre-screening of the request
by the NCHHSTP, Program Planning & Policy Coordination Office or DHAP
Office of Policy, Planning and Communications.
10. I am responsible for obtaining IRB review of projects when appropriate.

User ID: __________________
Purpose of investigation (provide a brief statement):

Data base(s) to be accessed:

Estimated time needed for data access/analysis:

I have read this document, “Agreement to abide by restrictions on release of HIV
Surveillance and Surveillance-related data...” and the attached document “Policy
for Release of Centers for Disease Control and Prevention (CDC) HIV Surveillance
and Surveillance-related Data,” and I agree to abide by them. Failure to comply
with this agreement may result in disciplinary action, including possible
termination of employment.
Signed: __________________________________ Date: ______________________
(Requestor)
CIO, Division, Branch _______________________________
Approved: ________________________________ Date: ______________________
Chief, (HICSB/BCSB), DHAP, NCHHSTP or designee

Revised February 2013

Confidentiality Security Statement Attachment 5
CENTERS FOR DISEASE CONTROL AND PREVENTION
National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention
Division of HIV/AIDS Prevention
Request for Access to HIV Surveillance and Surveillance-related Databases
Name: ______________________________ User ID: _______________
Date of Request:_______________________ Branch : _____________

List required data sets and access groups (if known):

Justification for Access:

Supervisory Certification:
I certify that it is a necessary part of the above staff member’s official duties to have
access to the National HIV Surveillance System and related surveillance databases. I
have advised this employee of the confidentiality of these data and have attached a
signed “Agreement to Abide by Restrictions on Release of Data”.
______________________________
Supervisor’s Signature
Approval:
________________________________________
Chief, (HICSB/BCSB), DHAP or designee
----- ---------------------------------------------------------For HICSB, BCSB or QSDMB Use Only (retain signed copies of “Request for access...”
and “Agreement to abide by restrictions...” forms and copies of MUST requests or
emails to helpdesk.)
MUST action granting access submitted on ____________

(date) by ____________

MUST access deleting access submitted on ______________ (date) by ___________


File Typeapplication/pdf
File Modified2019-06-03
File Created2015-06-11

© 2024 OMB.report | Privacy Policy