Maximizing Data Security and Confidentiality for Case Surveillance.
Overview
Review tenets of privacy, confidentiality and security
Operationalizing security and confidentiality
  What are some difficulties (and how to overcome them)
  Why it’s important
  Following the information to identify weaknesses in security
  Tips and hints that can be considered at the site, regional, and national level
Ensuring security and confidentiality at the different levels of the system
  Physical
  Electronic
Session 4 – Privacy and Confidentiality
Privacy, Security and Confidentiality
Privacy – Relevant Laws
Privacy - know your relevant country-wide laws. Laws that:
  Describe protection of the HIV data from disclosure to unauthorized third parties, i.e., who can see patient-level data and under what circumstances: any health care provider or just those the patient consented to, judges in a lawsuit?
  Directly mention behaviors that transmit HIV
Know your country’s laws against same sex sexual behavior and same sex identity (“buggery” or “gross indecency” laws), as they impact the willingness of people to test as well as make it clear what the consequences of a release of information could mean to infected/affected persons
If no laws exist, this may be an area for advocacy for development of laws/policies
Privacy – Law and Relationship to HIV Case Surveillance – Benefits
Ultimate goal of HIV case surveillance: Count everyone in the country infected with HIV
  In order to do this, “everyone” with HIV must be 1) tested, 2) diagnosed and 3) reported
Benefits:
  Surveillance - accurate count for planning and allocation of funds
  Prevention - the more you know about your epidemic the better equipped you are to prevent it
  Health of PLWH - unless tested and diagnosed, can’t get on ART: higher viral loads, sicker and more infectious
Privacy – Law and Relationship to HIV Case Surveillance – Why Law is Important
Without laws that protect persons infected with HIV and behaviors that transmit HIV, people will be hesitant to come forward for testing
Surveillance must ensure their confidentiality or your surveillance system will be undermined
Need laws that support testing, diagnosis and reporting
Communities (and CBOs) are your allies and you must work together to create a climate conducive to HIV testing, prevention, care and treatment
Without this your surveillance system will be undermined.
CAREC Security and Confidentiality Guidelines
Adapted from CDC’s 2006 HIV Surveillance Security and Confidentiality Guidelines
Five guiding principles
Thirty-five requirements
Guiding Principles
1. HIV surveillance information and data will be maintained in a physically secure environment.
2. Electronic HIV surveillance data will be held in a technically secure environment, with the number of data repositories and individuals permitted access kept to a minimum. Operational security procedures will be implemented and documented to minimize the number of staff that have access to personal identifiers and to minimize the number of locations where personal identifiers are stored.
Guiding Principles (continued)
3. Individual surveillance staff members and persons authorized to access case-specific information will be responsible for protecting confidential HIV surveillance information and data.
4. Security breaches of HIV surveillance information or data will be investigated thoroughly, and sanctions imposed as appropriate.
5. Security practices and written policies will be continuously reviewed, assessed, and as necessary, changed to improve the protection of confidential HIV surveillance information and data.
Security and Confidentiality Implementation for Surveillance Systems – Common Steps
Assess current data practices
Research applicable laws and regulations
Create data security protocol based on applicable guidelines (i.e., CAREC)
Train surveillance staff on data security protocol including ramifications for breaches
Surveillance staff sign confidentiality agreements
Staff receive refresher training, re-sign agreements and data security protocol is reviewed yearly
Institute a procedure for deliberate and inadvertent breaches
Assure you have the support of management to impose ramifications
  Without this your policy will have no “teeth” and will not be taken seriously.
Role Based Access
Make a list of staff positions that need access to patient identifying information and evaluate their process for handling it
  It helps to make this list specific to roles and not individual people to communicate the message that “this isn’t about you”; it’s about what information a person in your role needs access to in order to perform the job
Staff who do not use confidential information as part of their jobs but are in the same physical location (e.g., have cubicles in same room) as staff who work with personally identifying information (PII) also need the same training
Staff should have access to the minimum information needed to perform their job
This protects staff as well as the personally identifying information
Site Security
Does the physical set up help or hinder maintaining confidentiality?
Would I feel comfortable testing for HIV in this location?
  If not, what needs to change to improve set up?
How does confidential information move between the site and the Ministry of Health? Between Units of the Ministry of Health?
Physical Security
Once a case report form is completed where is it stored?
  On the desk for anyone passing by to see?
  In a locked file cabinet with minimum access?
What do staff do with forms they are working with when they get pulled away from their desk?
  Leave it out?
  Put it in a locked drawer?
Are the case report forms mailed?
  If so, how is it assured that it reaches the intended recipient and is not opened by someone else?
Physical Security
How are case report forms transported between locations?
If it is a long distance what do drivers do with the case report forms when they stop at home? Stop for lunch? How are they stored for transport?
How are completed case report forms transported to the next level (regional or national)?
  Are they kept on the front seat in an open file folder or are they in the trunk/out of sight in a sealed envelope?
Physical Security
If a case report form (or any other paper with confidential information) is started and then needs to be discarded how is that done?
  Ripped up and thrown away?
  Shredded?
  Just left on the desk in a pile with other paper that we don’t know what to do with?
Electronic Security
Who is responsible for entering the data?
Where is the electronic data base maintained? Is it on one computer’s hard drive or a server?
Is the information backed up regularly?
Is email used to communicate confidential information about persons infected with HIV?
Confidentiality
Central number? If so how are they answered?
  Do they say HIV or STD?
What phone numbers are on forms that are given to HIV+ clients?
  If the husband of an infected woman finds the form and calls the number how is the phone answered? Will her HIV/STD status be shared if he asks?
Are staff instructed how to answer the phone? Do they say HIV or STD?
Is voice mail line secure? If not, does voice mail message say not to leave confidential information?
Where does phone bounce if no answer or caller presses 0? How does that person answer?
Training – Ideas to Consider
Include sensitivity training towards people health care workers may perceive as different from themselves:
  MSM
  Sex workers
Challenge practices that reinforce discrimination
Use scenarios that make it real and concrete
  Make up a scenario that could happen or use one that did happen
    Confidentiality was breached
    How could it have been prevented
    How can damage be controlled and kept to a minimum
Ensuring Security and Confidentiality at Different Levels of the System
Different levels of the system should work in concert to protect surveillance data:
  Reporting site
  Sub-country regions
  National coordinating body
Reporting sites
Demonstrate why data security matters at the site and how it can be accomplished
Assure safe transfer of data between reporting sites and national surveillance system
Tips:
  Trainings on data security and confidentiality can be conducted for reporting sites based on CAREC guidelines, or the data security protocol developed by your MoH
Bring multiple sites together for training to build relationships and allow staff to see they are part of a bigger system
National Level
Foster a national culture where surveillance data is valued and protected
Model safe data practices
Engage stakeholders to help build trust in the surveillance system and those who manage it
Operationalizing Security and Confidentiality – Questions for Discussion
What challenges do you face in your context to implement S&C measures, both in the MoH and in clinics? How to overcome?
How to engage staff and stakeholders
Questions for the group
How do you make adherence to S&C guidelines a habit and create a culture that supports adherence to S&C guidelines?
How do you investigate breaches of both policy (policy violation) and confidentiality (information about people living with HIV was released)?
Thank You
Working Together to Plan, Implement, and Use HIV Surveillance Systems