Confidentiality Security Statement

Att_7(b) NHSS_ Complete AoC_Final updated 102621 per amendment_CSpacket.pdf

National HIV Surveillance System (NHSS)

Confidentiality Security Statement

OMB: 0920-0573

Document [pdf]
Download: pdf | pdf
National HIV Surveillance System (NHSS)

Attachment 7(b)
HIV Surveillance Confidentiality Security Statement and Access Packet

CONFIDENTIALITY SECURITY STATEMENT
FOR THE NATIONAL HUMAN IMMUNODEFICIENCY VIRUS (HIV)
SURVEILLANCE SYSTEM (NHSS) AND SURVEILLANCE-RELATED DATA
(INCLUDING SURVEILLANCE INFORMATION, CASE INVESTIGATIONS,
TRANSMISSION CLUSTER INVESTIGATIONS, SUPPLEMENTAL SURVEILLANCE
PROJECTS, RESEARCH ACTIVITIES, AND EVALUATIONS)
October 2019
The HIV Incidence and Case Surveillance Branch (HICSB) and the Behavioral and Clinical
Surveillance Branch (BCSB), Division of HIV/AIDS Prevention (DHAP), National Center for
HIV/AIDS, Viral Hepatitis, STD, and TB Prevention (NCHHSTP) in the Office of Infectious
Diseases (OID), have received approval for another extension of a 308(d) Assurance of
Confidentiality protection for data collected through the National HIV Surveillance System
(NHSS) and Surveillance-Related Data (including surveillance information, case investigations,
transmission cluster investigations, supplemental surveillance projects, research activities, and
evaluations) conducted under cooperative agreements with state, city and territorial health
departments. This extension is due to expire June 2023.
Because of this Assurance of Confidentiality, documents and files which contain patient-level
information on persons reported as having HIV infection or having been exposed to HIV
infection, for example in the case of infants born to HIV-infected mothers, or individual-level
data from surveillance surveys, case investigations, transmission cluster investigations and
evaluation studies, are considered confidential materials and must be safeguarded to the greatest
extent possible. The confidentiality of HIV surveillance program data collected at the local and
state levels is protected under state/territorial law, rule, or regulation. Although patient and
physician names, street addresses, phone numbers, or other directly identifying information, are
not routinely reported to CDC by health departments, HIV surveillance case reports and other
surveillance-related data are highly sensitive, and may have the potential to indirectly identify
infected individuals. Therefore, these HIV surveillance and surveillance-related data have a need
for 308(d) protection, and require a high level of safeguards.
Protected Information
It is the professional, ethical and legal responsibility of all DHAP authorized users of protected
HIV surveillance and surveillance-related data, who participate in activities jointly approved by
CDC and the sponsoring public health or academic institution, and the like, who are granted
access to data from HIV surveillance program activities, to protect the confidentiality of data on
all persons reported as having HIV or participating in CDC-sponsored surveys, investigations, or
studies related to HIV surveillance. This document describes the procedures and practices that
DHAP intends to use to protect the confidentiality of the data collected as part of HIV
surveillance program activities, including related laboratory and epidemiologic data collected for

investigations, whether they are sponsored by HICSB or BCSB or at the request of or in
collaboration with health departments.
Portions of the data analysis and programming work supporting this project are performed under
contract. Therefore, we have included reference to contractors in the Assurance of
Confidentiality Statement and this Confidentiality Security Statement. The Office of Grants
Services and Office of Acquisition Services should include appropriate reference to 308(d)
Assurance of Confidentiality protection requirements in applicable cooperative agreements,
grants and contracts that support this work. All contractor staff undergo limited background
investigations prior to performing any work at CDC.
Authorized Users of Protected Information
The applicable HICSB or BCSB Branch Chief or their designee authorizes access and use of
protected HIV surveillance and surveillance-related data. Authorized users of HIV surveillance
and surveillance-related data include permanent employees of HICSB, BCSB, LB, QSDMB,
their contractors, other authorized staff (e.g., NCHHSTP staff involved in transmissions cluster
investigations, Information Technology Services Office (ITSO) staff who access or support
servers with protected data, data management personnel) and other authorized agents. Other
authorized agents include guest researchers, fellows, visiting scientists, authorized external
collaborating researchers, interns and graduate students. Authorized users are required to
maintain and protect at all times the confidentiality of records that may come into their presence
or under their control. In particular, authorized users of protected information may not discuss,
reveal, present, or confirm to external parties information on, or characteristics of, individual
cases, or small numbers of cases or clusters, in any manner that could directly or indirectly
identify any individual on whom a record is maintained by an HIV surveillance program. In
addition, authorized users of protected information must abide by the data re-release agreements
between CDC, the Council of State and Territorial Epidemiologists (CSTE), and individual
state/territorial health departments. To assure that authorized users of protected information are
aware of this responsibility and the penalties for failing to comply, each person will be required
to read and sign a Nondisclosure Agreement applicable to full-time equivalent staff members
(FTEs), contractors, or guest researchers (See Attachments 2, 3, 4) assuring that all information
in HIV surveillance program records and related files will be kept confidential, and used only for
public health purposes.
Training and Oversight
Annual confidentiality training is mandatory for all authorized users of protected information.
All staff working on surveillance program activities are required to take annual security and
confidentiality training that includes review of the assurance of confidentiality, and security and
confidentiality procedures. Authorized users of protected information shall be required to sign
confidentiality agreements on an annual basis. It shall be the responsibility of the Technical and
Business Stewards to provide for in-person and/or on-line training as needed and to obtain signed
agreements from employees, contractors, and other authorized individuals who are granted
access to HIV surveillance information.

The Business Steward has general responsibility for the operation and integrity of the system(s)
and activities covered by this Assurance. The Business Steward for HIV surveillance program
activities is the Chief, HICSB, DHAP (Dr. Angela L. Hernandez); alternate is the Deputy Chief,
HICSB, DHAP (Magan Pearson) (Acting). The Business Steward for Behavioral and Clinical
Surveillance program activities is the Chief, BCSB, DHAP (Dr. Joseph Prejean); alternate is
Deputy Chief, BCSB, DHAP (Melissa Cribbin). The Technical Stewards are Patricia Sweeney,
Epidemiologist, HICSB; Melissa Cribbin, Deputy Branch Chief, BCSB; Kimberly Crenshaw,
Lead, Data Management Team, QSDMB; and William M. Switzer, Lead, Molecular
Epidemiology Team, LB. Technical stewards serve as points of contact for the Assurance and
breach reporting, conduct training and track compliance and ensure implementation of standard
operating procedures within each branch.
Nondisclosure and Data Release Restriction Agreements
Attachment 2 is the FTE Nondisclosure Agreement that all CDC employees participating in HIV
surveillance program activities will sign. Attachment 3 is the Contractor Nondisclosure
Agreement—Safeguards for Individuals and Establishments Against Invasions of Privacy.
Contracts needed to support HIV surveillance program activities contain 308(d) clauses, and all
contractor employees with access to the data are required to sign this agreement. Attachment 4 is
the Non-CDC Employee 308(d) Pledge of Confidentiality for students, guest researchers and
other non-FTEs. Attachment 5 is the HIV Surveillance and Surveillance-Related Data Release
Policy. Attachment 6 is the Agreement to Abide by Restrictions on Release of HIV Surveillance
and Surveillance–Related Data Collected and Maintained by DHAP which must be signed by
authorized staff granted access to records, files and databases containing HIV surveillance and
surveillance-related information. The provisions of Attachment 5 and 6 have been negotiated
between CDC, CSTE, and individual state/territorial health departments. Attachment 7 is the
Request for Access to HIV Surveillance and Surveillance-Related Databases form. Originals of
these documents will be retained by HICSB, BCSB, QSDMB and LB who will be responsible
for tracking completion of training and forms. Documentation of forms and training completion
for other authorized staff (outside of those branches) will be maintained by HICSB. Compiled
information on training compliance will be made available for review upon request by
Confidentiality Unit Staff in the Office of the CDC Associate Director for Science.
Documentation listing contractors will be maintained and should be made available to the DHAP
contract technical monitors by the Technical Stewards.
Restrictions on Use of Information and Safeguarding Measures
Information collected in the course of conducting HIV surveillance and surveillance-related
program activities, including case investigations, transmission cluster investigations,
supplemental surveillance projects, research activities, evaluations and other activities as
specified in the Description of Covered Activities (Attachment 1) will be used only for public
health purposes. Surveillance information reported to CDC will be used primarily for public
health statistical, epidemiologic, and analytic summaries and for public health evaluations in
which no individual or institution on whom a record is maintained can be identified, and
secondarily, for special public health research or investigations of the characteristics of

populations suspected or confirmed to be at increased risk for infection with HIV and of the
natural history and epidemiology of HIV to inform public health activities and shall not
otherwise be divulged or made known in any manner that could result in the direct or indirect
identification of any individual on whom a record is maintained.
Except in rare and unusual circumstances, records or data containing names or other personally
identifying information for individual patients will not be received by DHAP on any records
from HIV surveillance program activities. Although data collection forms that CDC provides to
HIV surveillance cooperative agreement recipients to use in HIV case reporting or CDCsponsored surveillance projects or activities may enable the collection of personal identifiers at
the local, state, or territorial level, these identifiers will be removed before data are transmitted to
DHAP.
In unusual circumstances, such as investigations of cases involving rare or unusual modes of
HIV transmission or potential threats to public health (e.g. unusual strains of HIV that may be
undetected through routine screening of the blood supply, breakthrough infections in persons on
HIV pre-exposure prophylaxis) in which expert CDC staff participate with local/state/territorial
health department staff at their invitation, CDC staff may, with appropriate prior supervisory
approval, retain records with information that identifies patients, physicians or other health care
providers, laboratory personnel and other records necessary to the conduct of the epidemiologic
investigation. Such records require additional physical and electronic protections; must be
maintained in a locked file cabinet in a locked room which is secured by restricted access and if
in electronic form, must be encrypted, retained in a secure environment, and stored using secure,
CDC approved methods. Electronic data are transmitted via the Secure Access Management
Services (SAMS) or other secure file transport mechanism implemented or approved by CDC.
All data transmissions must be encrypted after deleting patient and physician identifiers. In all
circumstances, only the minimum identifying information necessary to the conduct of the
investigation shall be maintained. Disclosure of identifying information from such investigations
is prohibited, except as provided in the Assurance of Confidentiality. In addition, confidential
information related to investigations including laboratory test results and epidemiologic data may
not be released without the authorization of the jurisdiction(s) involved in the investigation in
accordance with data release policies.
Data collection forms will contain only assigned patient identification numbers and may contain
computer-generated soundex codes from patient surnames, or other state-assigned codes.
However, because these are 308(d) protected data, they will be transmitted to CDC in a secure
and confidential manner. Hard copies of data collection forms may only be transmitted to CDC
DHAP staff if identifying information has been removed and records placed in sealed envelopes
marked “confidential.” Following data entry and verification, as soon as feasible, such hard
copies should be shredded or destroyed.
Authorized users of protected information are responsible for protecting all confidential records
containing information that could potentially identify, directly or indirectly, any person on whom
a record is maintained from visual observation, from theft, or from accidental loss or

misplacement due to carelessness. All reasonable precautions will be taken to protect
confidential surveillance data.
All contractor personnel will receive project-specific training in confidentiality procedures, in
addition to the training and background investigations they must receive/undergo prior to being
hired by the contractor. All contractors must be located and their records maintained in a
physically secure environment with appropriate oversight by the technical monitor.
If a local/state/territorial health department inadvertently fails to remove personal identifiers of
individual patients, their family members or sexual or drug-using partners, or health care
providers before forwarding hard copies or electronic copies of forms to DHAP, or incorrectly
enters such identifying data into comments fields, DHAP staff will immediately delete the
identifiers, remind health department personnel of the appropriate procedures to follow to delete
such identifiers prior to transmitting records and forms to CDC, and report the incident to the
technical steward, branch management, and the NCHHSTP Information Systems Security
Officer (ISSO) as needed.
Except as needed for operational purposes, photocopies of confidential records are not to be
made. If photocopies are necessary, care should be taken that all copies and originals are
recovered from the copy machines and work areas. Correspondence or hard-copy files containing
sensitive information, e.g., regarding an epidemiologic case investigation, shall be maintained in
a locked file cabinet. All confidential paper records will be destroyed as soon as operational
requirements and records retention schedule permits by shredding the documents using a crosscutting shredder or secured shredding container service provided by DHAP.
E-mail, memoranda, reports, publications, and presentations that contain data collected through
HIV surveillance program activities shall not contain data or information that could directly or
indirectly identify any person on whom a record is maintained by CDC. In particular, specific
details of case and transmission cluster investigations, or specific geographic identifying
information is highly sensitive material. It shall be the responsibility of each authorized user of
protected information who is granted access to sensitive surveillance information to safeguard
such data. Only the minimum information necessary to conduct their duties will be made
available to authorized users of protected information. Conversations via telephone or
telecommunications application software with local/state/territorial health department personnel
that include discussions of sensitive information shall be conducted discreetly, preferably in
private, walled offices.
CDC is in compliance with applicable federal law requiring the protection of federal computer
networks from cybersecurity risks like hacking, internet attacks, and other security weaknesses,
computer network experts working for, or on behalf, of the government, may intercept and
review information sent through government networks for cyber threats if the information sent
through the government network triggers a cyber threat indicator.

Enhanced Protection of Electronic Files
All data will be protected in confidential computer files. The following safeguards are
implemented to protect HIV surveillance files so that the accuracy and the confidentiality of the
data can be maintained:
Computer files containing programs, documents, or confidential data will be stored in computer
systems that are protected from accidental alteration and unauthorized access. Computer files
will be protected by password systems, access controls which can be audited, virus detection
procedures, and routine backup procedures. Data stored at state and local health departments
using CDC-supplied software designed to manage and analyze data for surveillance program
activities are protected by security requirements that each recipient must certify it complies with
before any cooperative agreements can be awarded; the software ensures that the data
transmitted to CDC will be in a format that is compatible with the security and confidentiality
requirements of the HIV surveillance databases maintained by CDC.
The data centers maintained by ITSO and CDC contractors comply with federal policies,
statutes, regulations, and other directives for the collection, maintenance, use, and dissemination
of data, including the Department of Health and Human Services Automated Information
Systems Security Program, the Computer Security Act of 1987 (Public Law 100-235), the EGovernment Act of 2002 (Public Law 107-347), and the Federal Information Security
Modernization Act of 2014 (FISMA 2014) (Public Law 113-283). Additionally, the data centers
also are in compliance with CDC's OCISO Security Architecture Design and Principles policy.
The data centers currently operate under Windows 2012 (or later) with Active Directory.
Security features implemented include physical controls, user ID and password protection,
mandatory password changes, limited logins, user rights/file attribute restrictions and virus
protection.
Use of encrypted CDC computers to support state and local cluster investigations must be
implemented in accordance with standard operating procedures. Upon completion of the
investigation, transfer of the data to state and local jurisdictions and deletion of all related data
from CDC computers and sanitation are to be ensured.
HIV surveillance data will be entered into computer files by staff at state and local health
departments and encrypted files will be transmitted electronically via SAMS to DHAP QSDMB
staff for uploading into the servers at the Chamblee Data Center. Data that fall within the scope
of the Medical Monitoring Project (MMP) or National HIV Behavioral Surveillance (NHBS)
will be encrypted and transmitted electronically to CDC via secure transfer mechanisms operated
by CDC or its contractor. DHAP employees or contractors, and any ITSO or other CDC
employees or contractors who service or maintain the systems or components necessary to
support data management of HIV surveillance program files, will be granted access to the files
only upon express written approval by a Business Steward (Chief, HICSB or BCSB) or their
designee. Designated data stewards in HICSB and BCSB are authorized by the Business
Stewards to provide access to data via the Multi-User Share Tool (MUST). Technical and
Business Stewards will review the list of authorized users with data stewards on at least an

annual basis to delete persons no longer needing access. The data steward(s) for HICSB are Scott
Cope, John Gerstle, Baskaran Govindarajan, Patrick Minor, Anna Satcher Johnson and Patricia
Sweeney; for QSDMB, Kimberly Crenshaw; and for BCSB, Jason Craw, Teresa Finlayson and
Ying Su.
Encrypted backup copies of data will be made by the data center disk backup system. Backup
storage services are provided under a separate CDC-wide contract. Contractor facilities and staff
are subject to the same federal policies, statutes, regulations, and other directives, as well as to
departmental and CDC security policies, which apply to CDC data center servers and staff.
Access to backup disks are restricted to ITSO and contract staff responsible for maintaining the
backup procedures.
Dissemination of Data from HIV Surveillance Program Activities
State and local health departments receive confirmation of their transmittals of data to CDC.
DHAP HICSB, BCSB, LB, and QSDMB staff are responsible for timely dissemination of
aggregate data at the national level, consistent with the data release policies described in
Attachment 4. Data will generally be reported only in aggregate or summary form including
restrictions on small cell sizes and geographic identifiers; such data could not be used to
indirectly identify an individual. Modes of disseminating data include reports, articles in the
MMWR, peer-reviewed publications, public-use slide sets, and public use data sets. DHAP
HICSB, BCSB, LB, and QSDMB staff may provide HIV surveillance or surveillance-related
data in response to special requests from Congress, the Department of HHS, other government
agencies, and other programs within CDC on a priority basis with the approval of the Director,
DHAP or the Business Stewards.
Data may also be analyzed and disseminated by external collaborators and their contracted
agents with appropriate authorization and in collaboration with CDC DHAP branches. External
collaborators are those with whom DHAP has existing cooperative agreements or contracts
involving the collection or analysis of the surveillance data. Requests for such access to the data
and subsequent analysis and dissemination must be made according to the procedures outlined in
Attachments 4 and 5 of the Confidentiality Security Statement.
In limited circumstances, restricted data sets could be made available to external researchers with
approval of the appropriate branch chief, and each relevant project area contributing data to the
project. These requests would also be subject to the procedures outlined in Attachments 4 and 5
of the Confidentiality Security Statement.
Records Disposition for the National Archives and Records Administration
Records will be kept according to applicable CDC Records Retention Schedules. All CDC
Records Control Schedules are media neutral and therefore are applicable to all records
regardless of format. Records having met their records retention schedule should be disposed of
appropriately. For example, paper records containing personal identifiable information (PII)
should be shredded prior to recycling. Records may be kept longer for programmatic purposes.
If 308(d) records for this project are sent to the Federal Records Center for temporary storage (in

which CDC maintains control of the data), the SF 135 form will state: "This accession contains
records protected by a confidentiality assurance under Section 308(d) of the PHS Act." The SF
135 form will indicate that the records can be released only to authorized staff and indicate who
is authorized to access the records (e.g., Branch Chief, Project Lead, staff from a specific office).
No records will be sent to the National Archives and Records Administration (NARA) for
permanent storage unless a public use data set can be created. Otherwise, in accordance with the
Assurance of Confidentiality (Public Health Service Act (PHSA) Section 308(d)) the data will be
kept by CDC with applicable restrictions enforced.

Confidentiality Security Statement Attachment 1
ASSURANCE OF CONFIDENTIALITY
FOR THE NATIONAL HUMAN IMMUNODEFICIENCY SYNDROME (HIV)
SURVEILLANCE SYSTEM (NHSS) AND SURVEILLANCE-RELATED DATA
(INCLUDING SURVEILLANCE INFORMATION, CASE INVESTIGATIONS,
TRANSMISSION CLUSTER INVESTIGATIONS, SUPPLEMENTAL SURVEILLANCE
PROJECTS, RESEARCH ACTIVITIES, AND EVALUATIONS)
DESCRIPTION OF COVERED ACTIVITIES
July 2021
The National HIV Surveillance System (NHSS) provides important information about the
epidemiology of HIV infection and is the scientific basis for prevention and control
recommendations. Through the HIV Incidence and Case Surveillance Branch (HICSB) and the
Behavioral and Clinical Surveillance Branch (BCSB), the Division of HIV/AIDS Prevention
(DHAP), CDC provides financial support, technical consultation and analytic tools to state and
local health departments for HIV surveillance and surveillance-related activities. These activities
include designing, implementing, maintaining, and evaluating HIV surveillance programs at the
state and local levels and investigating unusual reports and clusters of HIV transmission,
surveillance-related activities that characterize behaviors and clinical outcomes among HIVinfected persons and behaviors among persons at risk for HIV infection in accordance with CDC
guidelines and recommendations.
Data collected as part of the National HIV Surveillance System and surveillance-related data
projects are used widely to monitor patterns of HIV infection and infection with other infectious
disease pathogens (e.g., sexually transmitted infections, hepatitis viruses), detect and respond to
HIV transmission clusters, identify individuals in need of engagement of or re-engagement to
care, describe behaviors and clinical outcomes of persons with HIV or at risk for HIV, and target
HIV prevention and care efforts. HIV surveillance including adult/adolescent and pediatric case
reports of persons diagnosed with HIV infection, together with clinical and laboratory data
provide information on the spectrum of HIV disease. Molecular HIV surveillance data including
laboratory data on drug resistance and HIV-1 subtypes provide population-based data used to
determine trends in transmission of drug resistance and the geographic distribution of subtypes in
the U.S. HIV nucleotide sequence data are used for identifying recent and ongoing HIV
transmission clusters to better focus prevention efforts. Surveillance data are also used to
identify unusual or special cases requiring additional follow-up and to assess attributes of the
performance of the surveillance system such as reporting completeness, timeliness, accuracy and
validity. Supplemental data are also collected through related projects that extend and enhance
the HIV case report data. Projects include follow-up investigations of persons with no identified
risk (NIR), cases of public health importance (COPHI) such as cases with possible unusual
transmission circumstances, and unusual clinical or laboratory test results. In addition, projects

such as mortality studies, projects involving HIV-related opportunistic infections, HIV biobehavioral surveillance, surveillance evaluation studies, perinatal exposure surveillance, and
other supplemental HIV surveillance including HIV clinical outcomes surveillance, evaluation of
HIV testing, counseling and referral practices, and related research projects are also conducted.
Research projects have IRB-approved protocols as required, and health departments are required
to use uniform data collection methods, instruments and software to permit CDC to aggregate the
data nationally.
A brief description of current surveillance program activities and research projects follows. In
the future, other related data collection activities and projects may be added, and some activities
may be discontinued, because all activities respond to the increasing knowledge base of HIV and
the evolving need for data to plan for specific prevention and control interventions. Addition or
deletion of activities will be done only with the express approval of the Chief, HIV Incidence
and Case Surveillance Branch (HICSB), DHAP, NCHHSTP or the Chief, Behavioral and
Clinical Surveillance Branch (BCSB), DHAP, NCHHSTP. Once data collection is completed,
the protection for participants lasts in perpetuity and therefore remains throughout any ongoing
or future data analyses.
Surveillance-related Activities: In addition to routine information provided by adult/adolescent
and pediatric case reports, including molecular HIV surveillance data, these activities are done as
part of follow-up of cases reported through NHSS including special investigations and
evaluations.
Follow-up investigations of persons with no identified risk, unusual transmission, clinical
or laboratory findings, and HIV transmission clusters. CDC-developed protocols and
criteria are used to conduct epidemiologic and laboratory investigations of cases that may
have rare or previously unidentified modes of HIV transmission, unusual clinical
manifestations, unusual laboratory test results, or molecular HIV sequence data that
indicate recent or rapidly growing HIV transmission clusters. These include, but are not
limited to, transfusion and transplant-related cases, cases of HIV transmitted in
occupational settings, cases of HIV-2 infection, cases transmitted through female-tofemale sexual contact, cases with potentially unusual HIV strain variants, cases with
clinical evidence of HIV infection but negative HIV test results, investigation of false
positive clusters and discordant results, and breakthrough infections in the presence of
pre-exposure prophylaxis. Investigations of recent or rapidly growing HIV transmission
clusters identified using molecular HIV sequence data reported as part of HIV
surveillance activities are also conducted to focus and assess HIV prevention efforts of
state and local health departments.
Evaluation of the performance of the surveillance system. Evaluations include critical
review of surveillance methodologies and redirection of resources to those case-finding
methods that are the most productive. CDC assists states by providing matching and
analysis tools necessary for state health departments in the conduct of routine intrastate

and interstate de-duplication activities to improve accuracy of surveillance data. In
addition, surveillance data are analyzed to discover possible under reporting and delays in
reporting, monitor data quality, and assess completeness of reporting by comparing
surveillance registries with alternate databases that are not routinely used for case finding
(e.g., Medicaid databases). Surveillance programs routinely re-abstract demographic,
risk, laboratory, and clinical data from a representative sample of records to assess the
quality and validity of information collected.
Perinatal HIV Exposure Reporting and Follow-up. HIV surveillance programs collect
data on infants born to HIV-infected mothers because these infants are at risk for HIV
infection and require early interventions to prevent HIV-related opportunistic infections.
Data include maternal HIV test history, prenatal, intrapartum and neonatal antiretroviral
therapy, and other variables relevant to the evaluation of recommended actions to prevent
perinatal HIV transmission and to facilitate follow-up to identify perinatally-acquired
cases of HIV. Perinatal HIV Exposure Reporting (PHER) includes data collected on
exposed infants as well as infants who are infected, and their HIV-infected mothers. In
PHER, infants known to be HIV-exposed will be monitored after birth up to 18 months of
age to determine the HIV infection status of the child and progression to HIV, stage 3
(AIDS). PHER, along with pediatric case surveillance will allow CDC and local health
departments to better characterize perinatal HIV infections in the U.S.
Supplemental Surveillance Projects: Using population-based methods of collecting data, these
projects characterize persons at increased risk for HIV infection and persons living with HIV
infection to assess the impact of HIV within individual health jurisdictions and nationally.
Supplemental Surveillance Projects include:
HIV-related Mortality Studies. Supplemental reviews of medical records of deaths
among persons reported with HIV or AIDS, routine reviews of death certificates to
enhance case ascertainment and update vital status, and periodic matching of HIV
surveillance databases to death registries are conducted to ensure that the HIV
surveillance system provides data relevant to efforts to prevent premature death from
HIV. As highly effective treatments for HIV infection become increasingly more
available, efforts to prevent severe morbidity leading to death from HIV require
additional efforts to understand factors associated with HIV-related deaths (e.g., late
testing, lack of access to care, failing therapies, lack of adherence to treatment regimens).
Project(s) for which data collection has ended and analysis is ongoing:
Monitoring of Perinatal HIV Prevention. Supplemental reviews of medical records of
mother/infant pairs to assess counseling and testing, prenatal care, and treatment,
longitudinal follow-up of HIV-infected infants to assess infection status, initiation of
HIV-related care, and long-term outcomes. This includes but is not limited to enhanced

perinatal surveillance (EPS) activities for which data collection ended in 2011 and
analysis is ongoing. Similar data collection will continue with a reduced number of data
elements collected on the Perinatal HIV Exposure Report form as part of PHER. We
anticipate that over the next several years, data collection for PHER will become more
integrated with routine HIV case surveillance. Therefore, we have combined description
of these activities under Perinatal HIV Exposure Reporting under Surveillance-related
activities.
HIV Clinical Outcomes Surveillance: Using population-based methods of collecting data,
these projects characterize behaviors and clinical outcomes among HIV-infected persons within
individual health jurisdictions and nationally. Clinical outcomes surveillance projects include:
Medical Monitoring Project (MMP). MMP is a population-based interview and medical
record abstraction project designed to produce nationally representative data on people
living with diagnosed HIV in the United States. Project areas collect behavioral and
clinical outcomes data to assess the met and unmet needs for treatment and other services
and conduct evaluation and cognitive testing of survey domains. Data are weighted to
represent the population of persons living with diagnosed HIV and are both nationally
and locally representative. Data are used to inform prevention and care planning groups,
providers of HIV care, people living with HIV and others to advocate for reducing the
gaps in existing resources.
Project(s) for which data collection has ended and analysis is ongoing:
Case-Surveillance-Based Sampling (CSBS) Project. CSBS was a pilot of a nationally
representative surveillance system for all HIV-diagnosed persons in the United States
both in and out of HIV care conducted in 5 project jurisdictions. Data collection included
linkage to case surveillance data and patient interview, and medical record abstraction
regarding sensitive topics such as sexual behaviors, drug and alcohol use, and clinical
outcomes. The CSBS Project was intended to evaluate a method of sampling participants
for MMP to help guide the future direction of MMP and efforts to monitor progress
toward the National HIV/AIDS Strategy objectives related to linkage to and retention in
care. Data collection for this project ended in May 2015 and data analysis is ongoing.
Adult/Adolescent Spectrum of Disease (ASD) Project. The ASD project was conducted
from 1990 until 2004 to describe the spectrum of HIV disease and subsequent mortality
among persons with different levels of immunosuppression and to monitor the use and
effectiveness of recommended prophylactic interventions and antiretroviral and
antimicrobial therapies. Results from the study have been useful in determining how best
to expand the AIDS surveillance case definition, describing the rate of development of
various opportunistic illnesses in HIV-infected persons, evaluating the effectiveness of
prophylaxis for Pneumocystis carinii pneumonia and other interventions to delay or
prevent the onset of HIV-related opportunistic illnesses, and guiding Public Health

Service recommendations for the treatment of HIV-infected patients. Data collection for
this project ended in June 2004 and data analysis is ongoing.
Survey of HIV Disease and Care. Changes in prophylactic and therapeutic interventions
made it essential for CDC to provide representative supplemental clinical surveillance
information so that health departments could use the information in concert with their
core HIV/AIDS surveillance data to better describe changing trends in the epidemic and
allocate resources accordingly. The project provided several states/territories with the
ability to accurately estimate the met and unmet needs for treatment and other medical
services in their communities. This project served as the pilot for the current Medical
Monitoring Project. Data collection ended in January 2004 and data analysis is ongoing.
Supplement to HIV/AIDS Surveillance (SHAS) Project. SHAS was a facility-based (and
in some cases a population-based) interview project conducted beginning in 1990 in 12
locations to collect additional data on persons reported through HIV/AIDS surveillance.
During 2000, 3 additional areas were added to the project. Data from this project have
been important for planning and evaluating prevention and care programs and in
collecting behavioral surveillance data. Participating surveillance programs use a
standardized questionnaire designed in collaboration with CDC to interview persons
reported with HIV and AIDS through routine case surveillance. Data collection for this
project ended in June 2004 and data analysis is ongoing.
Never in Care (NIC) Project. NIC identified, located and interviewed persons with
diagnosed HIV infection who did not receive care within 3 months of their diagnosis.
The interviews collected information on HIV testing history, health seeking behaviors,
and access and barriers to health care. Blood samples were obtained and tested for CD4,
HIV viral load and antiretroviral resistance to determine participants' care needs.
Information collected has been used to understand reasons HIV-infected persons delay
initiation of care and to assist in the development of appropriate interventions to get
persons into care in a timely manner. Data collection ended in August 2010 and data
analysis is ongoing.
HIV Behavioral Surveillance: HIV behavioral surveillance data may be collected from the
general population, persons at high risk for infection, and those who are infected. Examples of
groups at high risk for infection include, but are not limited to men who have sex with men,
persons who inject drugs, and heterosexuals of low income living in jurisdictions with high
prevalence of HIV. Behavioral surveillance data are used to monitor prevalence and trends in
sexual behaviors, drug use, HIV testing, and use of HIV prevention and care services.
Behavioral Surveillance Projects include:
National HIV Behavioral Surveillance System (NHBS). NHBS is CDC’s comprehensive
system for conducting behavioral surveillance among persons at highest risk for HIV
infection in the U.S. Interviews, HIV testing, and other testing (e.g., hepatitis or STD
testing) are conducted among populations at high risk for HIV including, but not limited

to: men who have sex with men, persons who inject drugs, and heterosexuals at increased
risk for HIV infection living in Metropolitan Statistical Areas (MSAs) with the highest
HIV prevalence. Data on additional populations (e.g., young men who have sex with
men, transgender persons) are collected in participating behavioral surveillance areas as
funding permits. NHBS focuses on monitoring prevalence and trends in HIV risk
behaviors, HIV testing, exposure to and use of prevention services, and other HIVassociated outcomes. NHBS data are electronically collected via portable computers and
are submitted to and managed by a CDC-funded Data Coordinating Center (DCC).
NHBS data on a national level are reported in annual surveillance summaries and other
reports and are used to monitor national HIV prevention strategies. On a local level,
NHBS data are used to prioritize and evaluate HIV-related prevention activities.
Injection Drug Use Surveillance Project (IDU-SP). IDU-SP is a surveillance system
developed to strengthen the capacity of Syringe Services Programs (SSPs) to contribute
to national HIV behavioral surveillance and to monitor local drug use. Outcomes of the
project include: 1) improved health outcomes for people who inject drugs (PWID); 2)
reduced incidence of infectious disease resulting from injection drug use; and 3) reduced
injection drug use and other high-risk substance use. The system includes a biobehavioral survey of PWID and their peers who use drugs to monitor risk practices,
access and use of prevention services, prevalence of HIV and HCV infections, and
prevalence of other health outcomes related to injection drug use. The project is
conducted as a Cooperative Agreement with the University of Washington. SSPs are
recruited from the North American Syringe Exchange Network (NASEN) list of SSPs.
PWID and their peers will be recruited directly from the SSPs using a respondent-driven
sampling method.
Types of data collected via IDU-SP which is in-step with the current purpose of the AoC
includes sensitive information from people who use illicit substances, specifically people
who inject drugs. People who inject drugs are at high risk for a host of negative sequelae
including infectious diseases such as viral hepatitis and HIV, endocarditis and other
bacterial infections, wound abscesses, cellulitis, and overdose. The mode of transmission
necessitates the collection of sensitive data regarding drug use and sexual practices. Other
sensitive data are collected because the specific behaviors, experiences or conditions have
been shown to be associated with negative consequences of injection drug use or noninjection drug use of injectable drugs (e.g., smoking or snorting heroin). The IDU-SP also
includes the collection of medical information related to infectious disease status, STD
diagnosis and testing, hepatitis diagnosis and vaccinations; overdose; history of
incarceration; and violence. Injecting drugs and associated behaviors are highly
stigmatized and, in some instances, criminal activities. Protecting the confidentiality and
identity of participants is critical to the integrity of this surveillance project.
.

Directly identifying information will not be shared with CDC. Although the IDU-SP
project does not link direct identifiers to survey data, some information might be
considered indirectly identifying if it were to be combined with other information. We
have implemented all the steps we could identify to reduce the likelihood of
unintentionally identifying an individual. However, there may be some unanticipated
remaining risk since data is reported at the individual level and includes sensitive
information on drug use, risk behaviors, and HIV test results. Data collected, both locally
and at CDC, are stored and accessed by a survey identification number. The main data
collection components include the eligibility screener, behavioral survey, and specimen
collection for HIV and HCV testing, which will all be conducted by trained project
staff. The approved Project Determination Form indicates that the project is deemed to
be public health surveillance and thus, it does not require human subjects’ review by the
CDC IRB.
The data will be entered locally into a REDCap database which will be used to transmit
surveillance data without direct identifiers to CDC using the SFTP. Databases submitted
through the SFTP will be encrypted before being sent to CDC and password protected
with limited number of staff within CDC and at the collaborating site having access.
Biweekly meetings between the collaborator and CDC staff will maintain strict data
protection for the data collected, transmitted, and stored with restricted access in
accordance with procedures outlined in the Assurance of Confidentiality Security
Statement.
Project(s) for which data collection has ended and analysis is ongoing:
Web-based HIV Behavioral Surveillance (WHBS). WHBS involved internet-based
interviews of men who have sex with men. WHBS data were collected electronically via
a secure website managed by a CDC-funded contract. The goals for WHBS were to
assess prevalence of and trends in risk behaviors for HIV infection, HIV testing
behaviors, and exposure to, use of, and impact of HIV prevention services among internet
using MSM in the 50 U.S. states and affiliated U.S. territories. Data from WHBS are used
for tracking national trends in risk behaviors, HIV testing, and access to and utilization of
HIV prevention services. Data collection for this project ended in August 2012 and data
analysis is ongoing.
Behavioral Assessments and Rapid Testing (BART). The purpose of the Behavioral
Assessment and Rapid Testing project was to implement event-based rapid testing and
behavioral assessments as a strategy for reducing HIV transmission and increasing HIV
prevention among 1) African Americans at large social events; 2) men who have sex with
men (MSM) attending gay pride events in small- and medium-sized cities; 3) minority
MSM attending gay pride events; and 4) young African Americans attending black spring
break parties and festivals. Objectives included increasing awareness of HIV status
among at-risk persons, and characterizing the prevalence of unrecognized HIV infection.

Behavioral and testing data have been used to inform HIV prevention services and policy
at the local, state, and national levels. Data collection for this project ended in December,
2010 and data analysis is on-going.
HIV Testing Survey (HITS). HITS included interviews of persons at risk for HIV
including STD clinic clients, out-of-treatment drug users, gay men in social venues, and
other vulnerable at-risk populations. This study evaluated how well HIV case
surveillance data represented the HIV-infected population and sought to identify the
reasons that persons with HIV or at-risk for HIV infection may seek or defer HIV testing
and HIV-related health care to improve the targeting of HIV prevention and testing
messages, and the role HIV testing and reporting policies may play in those decisions.
Data collection for this project ended in June 2003 and data analysis is ongoing.
Evaluation of HIV Testing, Counseling and Referral Practices: Evaluations of HIV testing,
counseling, and referral practices are an integral part of HIV surveillance in the United States.
These projects involve evaluating newly developed HIV testing methodologies and counseling
practices. They also assist in providing data to help monitor the implementation of these new
practices in different populations and settings. The evaluation projects take two main forms:
Evaluation of New HIV Testing Methods. These projects are used to evaluate the
performance and application of diagnostic technologies to improve HIV testing practices
and incidence estimation in the United States and abroad. These projects include the
evaluation of new HIV tests or combinations of tests, application of existing tests in
different settings, methods to detect acute HIV infection, methods for confirmation of
HIV infection, and the establishment of seroconversion panels for future HIV test
evaluation.
Evaluation of the Implementation of New HIV Testing, Counseling and Referral
Practices. These projects involve the demonstration and evaluation of new strategies for
HIV testing, counseling, and referral practices. Data collected through these projects
provide information on how new practices are implemented in different clinical and nonclinical settings. These evaluation projects will be used to develop effective models to
extend new practices broadly throughout the United States.
Other HIV Surveillance-related Projects, Research Investigations, and Activities: Over
time, our understanding of the natural history and epidemiology of HIV has increased. Effective
prevention and treatment interventions have been demonstrated to reduce infection, disease and
death from HIV. HIV surveillance data have guided the development of guidelines for disease
control and prevention and are the basis for allocating resources for programs and services to
prevent and treat HIV, and new testing, diagnostic and treatment methods continue to develop
and change rapidly. The rapidly evolving nature of information about HIV requires the ability to
add or delete variables from the case report forms and data collection instruments for

supplemental surveillance projects, investigations, and research activities, and implement
additional surveillance-related activities as new problems emerge, new epidemiologic questions
arise, or new data are required to ensure that CDC and state and local health departments can
mount an effective public health response. The addition or deletion of data collection activities
is accomplished only under the express approval of the branch chief responsible for the activity,
specifically either the Chief, HIV Incidence and Case Surveillance Branch (HICSB) or the
Chief, Behavioral and Clinical Surveillance Branch (BCSB), Division of HIV/AIDS Prevention,
National Center for HIV, Viral Hepatitis, STD, and TB Prevention.

Confidentiality Security Statement Attachment 2
FTE NONDISCLOSURE AGREEMENT
(308(d) Assurance of Confidentiality for CDC Employees involved in
HIV surveillance and surveillance-related activities)
October 2019
The success of CDC’s operations depends upon the voluntary cooperation of states and U.S.dependent areas, of establishments, and of individuals who provide the information required by
CDC programs under an assurance that such information will be kept confidential and be used
only for epidemiological or statistical purposes.
When confidentiality is authorized, CDC operates under the restrictions of Section 308(d) of the
Public Health Service Act which provides in summary that no information obtained in the course
of its activities may be used for any purpose other than the purpose for which it was supplied,
and that such information may not be published or released in a manner in which the
establishment or person supplying the information or described in it is identifiable unless such
establishment or person has consented.
“I am aware that unauthorized disclosure of confidential information is punishable under Title
18, Section 1905 of the U.S. Code, which reads:
‘Whoever, being an officer or employee of the United States or of any department or agency
thereof, publishes, divulges, discloses, or makes known in any manner or to any extent not
authorized by law any information coming to him in the course of his employment or official
duties or by reason of any examination or investigation made by, or return, report or record made
to or filed with, such department or agency or officer or employee thereof, which information
concerns or relates to the trade secrets, processes, operations, style of work, or apparatus, or to
the identity, confidential statistical data, amount or source of any income, profits, losses, or
expenditures of any person, firm, partnership, corporation, or association; or permits any income
return or copy thereof or any book containing any abstract or particulars thereof to be seen or
examined by any person except as provided by law; shall be fined not more than $1,000, or
imprisoned not more than one year, or both; and shall be removed from office or employment.’
“I understand that unauthorized disclosure of confidential information is also punishable under
the Privacy Act of 1974, Subsection 552a (i) (1), which reads:
‘Any officer or employee of any agency, who by virtue of his employment or official position,
has possession of, or access to, agency records which contain individually identifiable
information the disclosure of which is prohibited by this section or by rules or regulations
established thereunder, and who knowing that disclosure of the specific material is so prohibited,
willfully discloses the material in any manner to any person or agency not entitled to receive it,
shall be guilty of a misdemeanor and fined not more than $5,000.’

“My signature below indicates that I have read, understood, and agreed to comply with the above
statements.”
________________________

__________________________

Typed/Printed Name

Signature

_________________________________
National Center/Institute/Office/Branch
Rev. October 2019, based on CDC 0.979 (E) 10/2012

________________
Date

Confidentiality Security Statement Attachment 3
Contractor Nondisclosure Agreement
Safeguards for Individuals and Establishments
Against Invasions of Privacy
October 2019
In accordance with Subsection (m) of the Privacy Act of 1974 (5 U.S.C. 552a) and Section
308(d) of the Public Health Service Act (42 U.S.C. 242m), the contractor is required to comply
with the applicable provisions of the Privacy Act and to undertake other safeguards for
individuals and establishments against invasions of privacy.
To provide these safeguards in performance of the contract, the contractor shall:
1.

Be bound by the following assurance:
Assurance of Confidentiality

In accordance with Section 308(d) of the Public Health Service Act (42 U.S.C. 242m), the
contractor assures all respondents that the confidentiality of their responses to this information
request will be maintained by the contractor and CDC and that no information obtained in the
course of this activity will be disclosed in a manner in which the individual or establishment is
identifiable, unless the individual or establishment has consented to such disclosure, to anyone
other than authorized staff of CDC.
2.

Maintain the following safeguards to assure that confidentiality is protected by contractor’s
employees and to provide for the physical security of the records:
a. After having read the above assurance of confidentiality, each employee of the
contractor participating in this project is to sign the following pledge of confidentiality:
I have carefully read and understand the assurance which pertains to the confidential
nature of all records to be handled in regard to this HIV surveillance or surveillancerelated activity. As an employee of the contractor I understand that I am prohibited by
law from disclosing any such confidential information which has been obtained under the
terms of this contract to anyone other than authorized staff of CDC. I understand that any
willful and knowing disclosure in violation of the Privacy Act of 1974 is a misdemeanor
and would subject the violator to a fine of up to $5,000.

b. To preclude observation of confidential information by persons not employed on the
project, the contractor shall maintain all confidential records that identify individuals or
establishments or from which individuals or establishments could be identified under
lock and key.
Specifically, at each site where these items are processed or maintained, all confidential
records that will permit identification of individuals or establishments are to be kept in
locked containers when not in use by the contractor’s employees. The keys or means of
access to these containers are to be held by a limited number of the contractor’s staff at
each site. When confidential records are being used in a room, admittance to the room is
to be restricted to employees pledged to confidentiality and employed on this project. If
at any time the contractor’s employees are absent from the room, it is to be locked.
c. The contractor and his professional staff will take steps to insure that the intent of the
pledge of confidentiality is enforced at all times through appropriate qualifications
standards for all personnel working on this project and through adequate training and
periodic follow up procedures.
3.

Print on the data collection form or questionnaire in a clearly visible location and in clearly
visible letters the following notice of the confidential treatment to be accorded the
information on the questionnaire by any individual who may see it:
Confidential Information
Information contained on this form which would permit identification of any individual or
establishment has been collected with a guarantee that it will be held in strict confidence by
the contractor and CDC, will be used only for purposes stated in this project, and will not be
disclosed or released to anyone other than authorized staff of CDC without the consent of
the individual or the establishment in accordance with Section 308(d) of the Public Health
Service Act (42 U.S.C. 242m).

4.

On a letter or other form that can be retained by the individual or the establishment, or on
the questionnaire form itself if it is a self-administered questionnaire, inform in clear and
simple terms each individual or establishment asked to supply information:
a. That the collection of the information by CDC and its contractor is authorized by
Sections 304 and 306 of the Public Health Service Act (42 U.S.C.242b and 242k);
b. Of the purpose or purposes for which the information is intended to be used, clearly
stating that the records will be used solely for epidemiological or statistical research and
reporting purposes;

c. Of the routine uses that may be made of the information, including all disclosures
specified in the “Federal Register” for this system of records which may be applicable to
this project;
d. That participation is voluntary and there are no penalties for declining to participate in
whole or in part; and
e. That no information collected under the authority of Sections 304 and 306 of the Public
Health Service Act (42 U.S.C. 242b and 242k) may be used for any purpose other than
the purpose for which it was supplied, and such information may not be published or
released in other form if the particular individual or establishment supplying the
information or described in it is identifiable to anyone other than authorized staff of
CDC, unless the individual or establishment has consented to such release.
(The voluntary disclosure by the respondent of requested information after being informed of
preceding paragraphs a through d is an acknowledgment of the uses and disclosures contained in
paragraph c.)
5.

Release no information from the data obtained or used under this contract to any person
except authorized staff of CDC.

6.

By a specified date, which may be no later than the date of completion of the contract, return
all project data to CDC or destroy all such data, as specified by the contract.
_____________________________
(Typed/printed Name)
_____________________________
(Signature)
_____________________________
(Date)

Confidentiality Security Statement Attachment 4
NON-EMPLOYEE 308(d) PLEDGE OF CONFIDENTIALITY
(308(d) Assurance of Confidentiality for Non-CDC employees)
October 2019
I, as a non-CDC Employee (e.g., Guest Researcher, Visiting Fellow, Student, Trainee, employee
of a federal agency other than CDC, etc.) may be given access to personally identifiable data,
preliminary data from other projects, proprietary data (for example, information from a
manufacturer that is used to assess a cluster of adverse events), or pre-decisional information that
is covered by Section 308(d) of the Public Health Service Act (42 U.S.C. 242m). As a condition
of this access, I am required to comply with the following safeguards for individuals and
establishments against invasions of privacy.
1. I agree to be bound by the following assurance:
In accordance with Section 308(d) of the Public Health Service Act (42 U.S.C. 242m), all
respondents are assured that their responses will be kept confidential. No information obtained
in the course of this activity will be disclosed in a manner in which the individual or
establishment supplying the information or described in it is identifiable, unless the individual or
establishment has consented to such disclosure, to anyone other than authorized staff of CDC or
staff covered under this 308(d) Assurance. Additionally, data unrelated to specific patients that
includes preliminary data from other projects, proprietary data, and pre-decisional data are to be
kept confidential, unless CDC provides written authorization to release this information (i.e.,
CDC provides clearance to publish a scientific manuscript).
2. I agree to maintain the following safeguards to assure that confidentiality is protected and
to provide for the physical security of the records:
To preclude observation of confidential information by persons not authorized to have access to
the information on the project, I shall maintain all records that identify individuals or
establishments or from which individuals or establishments could be identified in locked
containers or protected computer files when not under immediate supervision by me or another
authorized member of the project. The keys or means of access to these containers or files are
not to be given to anyone other than CDC-authorized staff. I further agree to abide by any
additional requirements imposed by CDC for safeguarding the identity of individuals and
establishments.

My signature below indicates that I have carefully read and understand this agreement and the
assurance, which pertains to the confidential nature of the study records. As a(n)
(_________________________) (e.g., visiting scientist, guest researcher, fellow, trainee,
employee of a federal agency other than CDC), I understand that I am prohibited from disclosing
any such confidential information that has been obtained under this project to anyone other than
authorized staff of CDC or persons covered under this 308(d) Assurance. I understand that any
disclosure in violation of this Confidentiality Pledge will lead to termination of my employment,
fellowship, training experience, or scientific collaboration with the HIV Incidence and Case
Surveillance Branch (HICSB) and the Behavioral and Clinical Surveillance Branch (BCSB),
Division of HIV/AIDS Prevention (DHAP), National Center for HIV/AIDS, Viral Hepatitis,
STD, and TB Prevention (NCHHSTP) as well as other penalties.

_______________________________________
(Typed/Printed Name)
_______________________________________
(Signature)
_______________________________________
(Date)

Confidentiality Security Statement Attachment 5
POLICY FOR RELEASE OF CENTERS FOR DISEASE CONTROL AND
PREVENTION (CDC) HIV SURVEILLANCE AND SURVEILLANCE-RELATED DATA
October 2019
Description of the system
The National HIV Surveillance System (NHSS) is comprised of HIV case reports submitted on a
voluntary basis to CDC by the 50 states, the District of Columbia, Puerto Rico and U.S.
dependent areas (e.g., American Samoa, Guam, Northern Mariana Islands, the Republic of Palau,
and the U.S. Virgin Islands).
National HIV Behavioral Surveillance (NHBS) collects behavioral and biological data on
samples of persons at increased for HIV (men who have sex with men, persons who inject drugs,
and heterosexual at increased risk) in U.S. cities with high HIV burden in rotating cycles.
Participants are sampled using methods designed to reach hidden or stigmatized populations.
The Medical Monitoring Project (MMP) collects behavioral and clinical data on a nationally
representative sample of persons living with a diagnosis of HIV infection through interviews and
medical record abstraction.
Encrypted case reports and other surveillance-related data are received electronically using
standardized reporting forms and software. The data from state and local health departments are
decrypted and the CDC databases are updated on a regular basis to include all cases received and
processed through the last day of the previous cycle. Personally identifying information on each
case is deleted prior to transfer to CDC and cases are identified at the national level only by
soundex code based on patient’s surname, date of birth, and a state-assigned patient
identification number.
The HIV Incidence and Case Surveillance Branch (HICSB), the Behavioral and Clinical
Surveillance Branch (BCSB), the Laboratory Branch (LB), and the Quantitative Sciences and
Data Management Branch (QSDMB) of the Division of HIV/AIDS Prevention (DHAP) maintain
databases on individuals at risk for, or have received a diagnosis of, HIV infection. These
databases include information from case reports, case investigations, transmission cluster
investigations, related surveillance databases, surveys, and data from medical records,
laboratories or public health databases.
All surveillance and surveillance-related data collected and maintained by the DHAP HICSB,
BCSB, LB, and QSDMB must be managed, presented, published and released in accordance
with strict adherence to the standards for confidentiality and security consistent with the
principles and guidelines for HIV case report data. These principles and guidelines must be
strictly followed as geographic and small-cell data may be indirectly identifying when combined
with detailed information contained in case reports, questionnaires, or from laboratory or medical
records.

Restrictions on release of data
HIV surveillance data and data from surveillance-related projects, evaluation studies, and case
investigations are collected under Sections 304 and 306 of the Public Health Service Act (42
U.S.C. 242b and 242k) and are protected at the national level by an Assurance of Confidentiality
(Section 308(d) of the Public Health Service Act, 42 U.S.C. 242 m(d)), which prohibits
disclosure of any information that could be used to directly or indirectly identify individuals
whose records are contained in the NHSS and surveillance-related databases. This prohibition
has led to the formulation of guidelines for data release. The guidelines reflected in this policy
and related standard operating procedures represent a balance between the potential for
inadvertent disclosure and the need for CDC/DHAP to be responsive to information requests
having legitimate public health application. The data re-release policies were developed jointly
by CDC and the Council of State and Territorial Epidemiologists (CSTE). Each state or local
HIV Surveillance Coordinator and state epidemiologist signed a data re-release agreement with
CDC and selected the level of geographic specificity (e.g., state, county, size of metropolitan
statistical area (MSA) or other geographic area) at which CDC may report data on HIV cases
residing in that state. These principles and restrictions should also be applied to other
surveillance or surveillance-related data and information collected and maintained by the DHAP
HICSB, BCSB, or LB Specific surveillance activities may have additional data-release
requirements that are specified in their respective protocols. In the absence of project specific
data release policies or agreements with project areas, these restrictions apply.
As a general rule, requests from the public, the media, and other government agencies for
state/local data will be referred to the local area for reply. There are two reasons for this: 1) local
health departments can release their HIV surveillance data in accordance with locally established
policies and procedures, and 2) due to the delay between the date of diagnosis and report to
CDC, the local health department data are more current than those contained in the NHSS
database. However, CDC may release data to the public, for presentation in oral and written
publications, and otherwise make data available for epidemiologic and public health purposes
within the guidelines specified and described in the document “Agreement to Abide by
Restrictions on Release of Surveillance Data...” When publishing or presenting state/local data,
CDC staff should notify the local areas in advance whenever possible. Outside the bounds of
these guidelines, CDC will not release, in any format, state, county, MSA, or U.S. dependent
area-specific data without the consent of the appropriate state or local health departments.
Access to the database
DHAP HICSB and BCSB are charged with the responsibility of maintaining the security and
confidentiality as well as the scientific integrity of CDC HIV surveillance and surveillancerelated databases. Access to data beyond that available for public use is limited, through
controlled-access groups, to members of the DHAP HICSB and BCSB, and selected members of
the DHAP QSDMB, LB, and their contractors and other authorized agents. In limited
circumstances, CDC staff outside these groups or external project collaborators may be granted
access on an as-needed basis, at the discretion of the appropriate branch chief. External
collaborators are those with whom DHAP has existing cooperative agreements or contracts

involving the collection or analysis of these surveillance data. To conduct analyses, staff must
submit an analysis proposal which must be approved through the applicable branch management.
Templates for analysis and manuscript proposals are available from BCSB and HICSB for these
requests. To obtain access and conduct analyses, others outside the CDC branches mentioned
above must do the following:
1. Pose a specific research question.
2. Estimate the time required for their analysis/access.
3. Agree in writing to abide by DHAP policies and procedures on data release and sign the
“Nondisclosure Agreement”, the “Request for Access...”, and the “Agreement to Abide by
Restrictions...” documents or other documents as required for specific projects that contain
the policies and guidelines for use of HIV surveillance and related data. Completion of
annual Assurance training is required if access to surveillance datasets is necessary,
consistent with branch policies and procedures.
4. Provide an outline on their proposed methodology including names of variables to be
used in the analysis.
5. Collaborate with staff of HICSB or BCSB in analysis, presentation, and publication of
the results of their analysis. In some cases, access to national data by collaborators may
be designed as part of the project protocol, and should be agreed to by all collaborators
on the project.
6. Submit all reports, publications, and presentations to DHAP clearance and crossclearance channels.
Alternatives to access of NHSS or other surveillance-related data
To reduce the burden on HICSB, BCSB, LB, and QSDMB staff, other CDC staff persons
requesting HIV surveillance data are encouraged to use publicly available reports, slide sets, and
the NCHHSTP AtlasPlus. CDC staff that use HIV surveillance data for policy development,
resource allocation, research prioritization and other public health purposes are advised to
consult with HICSB or BCSB staff to ensure appropriate interpretation of the data. CDC staff
that present or publish HIV surveillance data should adhere to CDC policies for clearance and
cross-clearance to ensure that data are presented and interpreted consistently and accurately.
1. The HIV Surveillance Report is published annually. The report is a collection of tables
describing the characteristics of persons with diagnosed HIV infection and infections with
stage 3 (AIDS) classifications in the United States and dependent areas. The report includes
data on age, sex, race/ethnicity, and transmission category, and by state, region of residence,
metropolitan statistical area (if greater than 500,000 population), and dependent area. This
report is updated annually to include data on diagnoses that have occurred through December
31 (of a given year) and reported to CDC through June 30 (of the following year).

2. DHAP produces numerous supplemental reports, special reports, slides sets, fact sheets,
MMWR articles, and peer-reviewed publications. These products conform to this datarelease policy and criteria outlined in the re-release agreements. DHAP surveillance
publications can be accessed through the CDC website at www.cdc.gov/HIV or by contacting
HICSB at (404)-639-2050 or BCSB at (404) 639-2090.
3. The NCHHSTP AtlasPlus provides an interactive platform for accessing HIV surveillance
data, allowing users to observe trends and patterns by creating detailed reports, maps, and
other graphics. Currently, AtlasPlus provides interactive maps, graphs, tables, and figures
showing geographic patterns and time trends of HIV infection, stage 3 (AIDS)
classifications, viral hepatitis, tuberculosis, chlamydia, gonorrhea, and primary and
secondary syphilis surveillance data. Data are currently available at the national level as well
as state/dependent-area level. The NCHHSTP AtlasPlus can be accessed at
https://www.cdc.gov/nchhstp/atlas/index.htm.
4. State-specific data can also be accessed through state/local health department websites. A
listing of websites for state/local health departments can be found on the last page of
DHAP’s annual HIV Surveillance Report. DHAP surveillance publications and the
NCHHSTP AtlasPlus can be accessed through the CDC website at
http://www.cdc.gov/hiv/topics/surveillance/index.htm
5. The DHAP HICSB and BCSB, wishing to be responsive to specific data requests having
important public health application, will consider requests for data and complete analyses on
data that cannot be retrieved using production materials. For requests requiring HICSB,
BCSB, or in some cases QSDMB or LB response, submission in written format must be
submitted to assist in ensuring an appropriate response. Due to limited resources, processing
requests for data is not guaranteed and data will be supplied only if their release does not
conflict with current disclosure prohibitions. Initial requests may be taken verbally but
requesters will be encouraged to submit their queries in writing to ensure an appropriate
response.
Consideration will be given to verbal requests from:
•

The Executive Branch; Members of Congress and their staffs; senior staff from other
Federal agencies (HUD, HRSA, SAMHSA); the states; associations serving the states
(e.g., ASTHO, CSTE, NASTAD); other public institutions of CDC interest (e.g., The
Red Cross and National Hemophilia Foundation); and selected CDC staff serving
these constituencies.

•

The NCHHSTP, Program Planning & Policy Coordination Office or DHAP Office of
Policy, Planning and Communications.

Other parties and individuals should submit requests in written format to the chief of
either HICSB or BCSB, or one of their designees. Due to limited resources, processing of
data requested cannot be guaranteed. Responses and request fulfillment are at the
discretion of the branch chief.

Confidentiality Security Statement Attachment 6
AGREEMENT TO ABIDE BY RESTRICTIONS ON RELEASE OF HIV
SURVEILLANCE AND SURVEILLANCE-RELATED DATA COLLECTED AND
MAINTAINED BY THE DIVISION OF HIV/AIDS PREVENTION (DHAP)
October 2019
I, ___________________________, understand that data collected by the Centers for Disease
Control and Prevention (CDC) through the National HIV Surveillance System (NHSS) and
related surveillance activities, projects, and case investigations under Sections 304 and 306 of the
Public Health Service Act (42 U.S.C. 242b and 242k) are protected at the national level by an
Assurance of Confidentiality (Section 308(d) of the Public Health Service Act, 42 U.S.C.
242m(d)), which prohibits disclosure of any information that could be used to directly or
indirectly identify any individual on whom a record is maintained by CDC. This prohibition has
led to the formulation of the following guidelines for release of HIV surveillance and
surveillance-related data collected on such persons to which, in accepting access to data not
considered public-use, I agree to adhere. These guidelines represent a balance between the
potential for inadvertent disclosure and the need for CDC/DHAP to be responsive to information
requests having legitimate public health application, and reflect input from DHAP subject matter
experts, statisticians, and approval of state and local surveillance programs. In particular,
variables that identify geographic units or facilities have the potential to indirectly identify
individuals.
Therefore, I will not release, either inside or outside CDC, state/territorial, MSA, city, county, or
other geographic area-specific data in any format (e.g., publications, presentations, slides,
interviews) without the consent of the appropriate state or local agency, except as consistent with
the format described in this document and related HICSB and BCSB standard operating
procedures. Specifically, in accordance with the terms of written data re-release agreements
between CDC, the Council of State and Territorial Epidemiologists (CSTE), and individual
state/territorial health departments AND in accordance with the principles of the Assurance of
Confidentiality for HIV surveillance and surveillance-related data authorized under Section
308(d) of the U.S. Public Health Service Act:
Levels of data release:
National and regional level — I am permitted to release national and regional aggregate data
without cell size or denominator restrictions. Data will include (but not be limited to) multiple
cross tabulations by geographic level, sex at birth (or current gender if available, for
national/regional level analyses only), race/ethnicity (based on Office of Management and
Budget (OMB) categories), age group, transmission category (or exposure category), and year.
These include the variables outlined below and may include other variables reported to the
National HIV Surveillance System, Medical Monitoring Project (MMP) or National HIV
Behavioral Surveillance.

State level (including the District of Columbia and Puerto Rico) — For any state, the District
of Columbia, and Puerto Rico. I am permitted to release one-way frequencies, two-way, threeway, and four-way stratifications of variables of interest (including sex at birth, age group,
race/ethnicity and transmission/exposure category) by location (i.e., states) and year with the
denominator rule suppressing data for stratum-specific populations of size <100 according to the
level of release specified in the state’s data re-release agreement. I understand that the
stratifications released may vary by jurisdiction and will review and release data according to
each jurisdiction’s agreed level of release. A summary listing of specified release levels for each
state is available from the Data Analysis and Dissemination Team, HICSB.
o No numerator suppression rule will be applied.
o For strata where a population size is not available in the U.S. Census (e.g.,
transmission/exposure category) the size of the underlying population that is most
similar to the group will be checked before data are released. For example, for black
men who have sex with men, the underlying population of black men will be checked
for that geographic area.
o If the totals could inadvertently disclose a case through back-calculation by
subtraction, secondary or complementary suppression will be done by either 1)
combining two or more categories of data (e.g., aggregation of values within the
stratification parameter) or 2) excluding all data in a subcategory (e.g., blocking
disaggregation below a pre-selected value for the stratification parameter) across
multiple states.
o Any requests for data beyond this data-release agreement will require permission by
the applicable health department.
Geographic Areas with ≥500,000 population — For areas with ≥500,000 population,
including MSAs, counties cities and other geographic areas, I am permitted to release oneway frequencies, two-way, three-way, and four-way stratifications of variables of interest
(including sex at birth, age group, race/ethnicity and transmission/exposure category) by location
(e.g., MSAs, counties cities and other geographic areas) and year with the denominator rule
suppressing data for stratum-specific populations of size <100 according to the level of release
specified in the state’s data re-release agreement. I understand that the stratifications released
may vary by jurisdiction and will review and release data according to each jurisdiction’s agreed
level of release. A summary listing of specified release levels for each state is available from the
Data Analysis and Dissemination Team, HICSB.
o No numerator suppression rule will be applied.

o For strata where a population size is not available in the U.S. Census (e.g.,
transmission category) the underlying population that is most similar to the group will
be checked before release. For example, for black men who have sex with men, the
underlying population of black men will be checked for that geographic area.
o If the totals could inadvertently disclose a case through back-calculation by
subtraction, secondary or complimentary suppression will be done by either 1)
combining two or more categories of data (e.g., aggregation of values within the
stratification parameter) or 2) excluding all data in a subcategory (e.g., blocking
disaggregation below a pre-selected value for the stratification parameter) across
multiple areas.
o Any requests for data beyond this data release agreement will require permission by
the applicable health department.
Geographic areas with 50,000 – 499,999 population — I will review the data re-release
agreements and most current standard operating procedures for applicable areas and restrictions
in collaboration with the HICSB or BCSB Chief or the Data Analysis and Dissemination Team
Leader, HICSB before releasing any data for geographic areas with 50,000 – 499,999 population.
I understand that the stratifications released may vary by jurisdiction and will review and release
data according to each jurisdiction’s agreed level of release. A summary listing of specified
release levels for each state is available from the Data Analysis and Dissemination Team,
HICSB.
o A denominator rule of <100 will be applied for all frequencies and stratifications in
areas with 50,000 – 499,000 population (i.e., when the stratum-specific population is
<100 for a subgroup, count data will not be presented). In addition, data will be
suppressed when numerators are 1-4 (i.e., cells with 1 – 4 will not be presented).
o For strata where a population size is not available in the U.S. Census (e.g.,
transmission category) the underlying population that is most similar to the group will
be checked. For example, for black men who have sex with men, the underlying
population of black men will be checked for that geographic area.
o Any requests for data beyond this data release agreement will require permission by
the applicable health department.
Counties <50,000 population — Data will not be released for any area/location with <50,000
population other than counties. I will review the data re-release agreements and most current
standard operating procedures for applicable areas and restrictions in collaboration with the
HICSB or BCSB Chief or the Data Analysis and Dissemination Team Leader, HICSB before
releasing any data for counties with <50,000 population. I understand that the stratifications

released may vary by jurisdiction and will review and release data according to each
jurisdiction’s agreed level of release. A summary listing of specified release levels for each state
is available from the Data Analysis and Dissemination Team, HICSB.
o A denominator rule of <100 will be applied for all frequencies and stratifications in
counties <50,000 (i.e., when the stratum-specific population size is <100 for a
subgroup, count data will not be presented). In addition, data will be suppressed when
numerators are 1-4 (i.e., cells with 1-4 will not be presented).
o For strata where a population size is not available in the U.S. Census (e.g.,
transmission category) the underlying population that is most similar to the group will
be checked. For example, for black men who have sex with men, the underlying
population of black men will be checked for that geographic area.
o Any requests for data beyond this data-release agreement will require permission by
the applicable state health department.
Dependent areas of American Samoa, Guam, Northern Mariana Islands, the Republic of
Palau and the U.S. Virgin Islands — I am only permitted to release and present data at the U.S.
dependency level. The release of data below the U.S. dependency level or for additional
dependent areas other than the five areas listed above will require permission by the applicable
health department(s).
o It is permissible to release totals (cumulative and annual) and one-way frequencies
(cumulative only) of sex at birth, age group, race/ethnicity or transmission by location
(i.e., U.S. dependency). No suppression rules will be applied.
Data stability requirements for release of all data regardless of level of analysis — I will
include a cautionary note on stability for all levels of analyses when numbers are less than 12 or
rates are calculated based on numbers less than 12, or when trends or estimates are determined to
be unstable or unreliable through other statistical methods (e.g., relative standard error).
Variables permitted for release and stratification examples: — Any requests for variables
other than those listed below will require approval by the HICSB Chief or Data Analysis and
Dissemination Team Leader, HICSB or BCSB Chief or Behavioral Surveillance or Clinical
Outcomes Team Leaders, BCSB as appropriate:
General
•

Location (United States, region, U.S. dependent area, state, MSA, county, city) based on
standard definitions

•

Year (report, diagnosis, death, prevalence, stage of disease, infection (incidence),
perinatal exposure)

Demographic/transmission
•

Sex at birth (or current gender at the national/regional level only, when available)

•

Age group (using 5-year groups or larger for state-level and smaller geographic
populations; at diagnosis, or calculated age at end of year for prevalence)

•

Race/ethnicity (based on OMB classification)

•

Transmission or exposure category (as defined in HIV Surveillance Report)

Stratifications (examples)
1-way
•

Race/ethnicity

•

Sex at birth (or current gender at the national/regional level only, when available)

•

Age group

•

Transmission category1

•

2-way

•

Sex at birth (or current gender at the national/regional level only) and age group

•

Sex at birth (or current gender at the national/regional level only) and race/ethnicity

•

Age group and race/ethnicity

•

Age group and transmission category

•

Transmission category and race/ethnicity

•

Transmission category and sex at birth (or current gender at the national/regional level
only)

3-way

1

•

Transmission category by age group and race/ethnicity

•

Transmission category by age group and sex at birth (or current gender at the
national/regional level only)

For the purpose of this agreement, we are considering stratifications at the variable level. Note that “male-to-male
sexual contact” and the dual “male-to-male sexual contact and injection drug use” transmission categories include
stratification by sex (i.e., include only men) but will be treated as a single variable for data releases.

•

Transmission category by sex at birth (or current gender at the national/regional level
only) and race/ethnicity

•

Race/ethnicity by sex at birth (or current gender at the national/regional level only) and
age group

4-way
•

Transmission category by age group, race/ethnicity, and sex at birth (or current gender at
the national/regional level only)

Data release and publication:

•

I understand that release of data not specifically permitted by this agreement is
prohibited unless written permission is first obtained from the appropriate branch chief
(HICSB or BCSB), Division of HIV/AIDS Prevention

•

When presenting or publishing state-, city-, county-, MSA-, or dependent area-specific
data in accordance with the restrictions outlined above, I will inform the appropriate
state(s) and local health department(s) in advance of the release of state or local data, so
as to afford them the opportunity to anticipate local queries and prepare their response.

•

When presenting or publishing data from surveillance-related studies, investigations, or
evaluations, I will adhere to the principles and guidelines outlined in this agreement and
related HICSB and BCSB standard operating procedures.

•

Publication of a manuscript in a journal or as part of conference proceedings requires a
CDC clearance of that manuscript, even if an abstract for that manuscript was previously
cleared.

Release of geocoded HIV surveillance data:

•

Any re-release of geocoded HIV surveillance data that identifies the geographic area
below the state or U.S. dependent-area level is subject to written approval of the
applicable health department(s) (re-release of data can be in the form of peer and nonpeer reviewed manuscripts, technical reports, manuals, and presentations).

•

All publications using geocoded data must be cleared through DHAP HICSB clearance.

Data Security:
1. I agree to follow standard operating procedures for maintaining security and
confidentiality of surveillance and surveillance-related data.
2. I will not give my access password to any person.
3. I will treat all data at my desk site confidentially and maintain in a locked file cabinet
records that could directly or indirectly identify any individual on whom CDC maintains
a record. Sensitive identifying information from special case investigations will only be
maintained in a locked file cabinet in a locked room which has restricted access.
4. I will keep all hard copies of data runs containing small cells locked in a file cabinet
when not in use, shredding them when they are no longer necessary to my analysis.
5. I will not produce a “back-up” data file of HIV case surveillance data or related databases
maintained by DHAP.
6. I will not remove electronic files, records or databases from the worksite, or access them
remotely from home or other unofficial/unapproved off-worksite location.
7. I will not remove hard copies of case reports, survey instruments, laboratory reports,
confidential communications, or any records containing sensitive data and information or
the like from the worksite.
8. I will not remove from the worksite tabulations or data in any format that could directly
or indirectly identify any individual.
9. I will maintain confidentiality of records on individuals in all discussions,
communications, e-mails, tabulations, presentations, and publications (and the like) by
using only the minimum information necessary to describe the individual case.

10. I will not release data to the press or media without pre-screening of the request by the
NCHHSTP, Program Planning & Policy Coordination Office or the DHAP Office of
Policy, Planning and Communications.
11. I am responsible for obtaining IRB review of projects when appropriate.
12. I will abide by HICSB and BCSB telework policies that prohibit accessing Assurance
covered data while teleworking.
I have read this document, “Agreement to Abide by Restrictions on Release of HIV
Surveillance and Surveillance-Related Data...” and the attached document “Policy for
Release of Centers for Disease Control and Prevention (CDC) HIV Surveillance and
Surveillance-related Data,” and I agree to abide by them. Failure to comply with this
agreement may result in disciplinary action, including possible termination of employment.
Signed: __________________________________________ Date: ______________________
(Requestor)
CIO, Division, Branch _______________________________
Approved: ________________________________________ Date: ______________________
Chief, (HICSB/BCSB), DHAP, NCHHSTP or designee
Revised October 2019

Confidentiality Security Statement Attachment 7
REQUEST FOR ACCESS TO HIV SURVEILLANCE AND SURVEILLANCERELATED DATABASES MAINTAINED BY THE DIVISION OF HIV/AIDS
PREVENTION (DHAP)
October 2019
Requests for access may be made using this form or by email. Please include the information
below in any email request for access. All requests should be made by the appropriate team lead
or will include information indicating supervisory approval.
Name: ______________________________ User ID: _______________
Date of Request: _______________________

Branch: _____________

List required data sets and access groups (if known):
Justification for Access:
Supervisory Certification:
I certify that it is a necessary part of the above staff member’s official duties to have access to
the National HIV Surveillance System and related surveillance databases. I have advised this
employee of the confidentiality of these data and have attached a signed “Agreement to Abide by
Restrictions on Release of Data”.
______________________________
Supervisor’s Signature
Approval:
______________________________________
Chief, (HICSB/BCSB), DHAP or designee
----- ---------------------------------------------------------For HICSB, BCSB or QSDMB Use Only (retain signed copies of “Request for Access...” and
“Agreement to Abide by Restrictions...” forms and copies of MUST requests or emails to
helpdesk.)
MUST action granting access submitted on ______________ (date) by ___________
MUST access deleting access submitted on ______________ (date) by ___________


File Typeapplication/pdf
AuthorRush, Joseph (CDC/OD/OADS)
File Modified2022-08-08
File Created2022-08-08

© 2024 OMB.report | Privacy Policy