Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems
Meade Morgan and Xen Santas
Informatics Team
Surveillance and Infrastructure Development
Global AIDS Program, CDC
31 March 2004
WHO, Geneva

Definition of Terms
Confidentiality
– Assuring that medical information will be used only for appropriate care and treatment of individuals and populations.
Security
– The protections (policy, physical, and where appropriate, electronic) which assure that no breaches in the confidentiality of medical information will occur.

The Current Situation
Local health facilities
– Staff responsible for medical care may lack sufficient training in or understanding of the importance of maintaining confidentiality or security of medical records
– Physical protections around records systems may be inadequate or unaffordable
  – Log books are often readily accessible by unauthorized staff
  – Multiple copies of potentially sensitive information exist throughout larger facilities
– Cultural norms may not sufficiently discourage inappropriate disclosure of information

The Current Situation
National programs
– Statistical data abstracted for program monitoring and improvement may contain information that inadvertently identifies individuals. This can be directly, e.g., through disclosure of patient identifiers (name, address, identification numbers such as SSN), or indirectly, by allowing for cross matching with other available data sets which contain identifiers.
– Medical data need to be shared across institutions when patients move from one provider to another, but this increases the risk of inappropriate disclosure.
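
The indirect-identification risk described on this slide can be measured before a statistical extract leaves a facility. The following is an added example, not part of the original presentation; the records, names, field names and the three detail levels are constructed assumptions.

```python
from collections import Counter

# Constructed sample data. EXTRACT is a statistical abstract with no names or ID
# numbers; REGISTER stands in for another available data set that has names.
EXTRACT = [
    {"facility": "A", "sex": "F", "birth": "1975-03-02", "program": "MTCT"},
    {"facility": "A", "sex": "F", "birth": "1975-11-20", "program": "MTCT"},
    {"facility": "A", "sex": "F", "birth": "1978-06-14", "program": "ART"},
    {"facility": "A", "sex": "M", "birth": "1982-01-05", "program": "ART"},
    {"facility": "A", "sex": "M", "birth": "1982-09-30", "program": "ART"},
    {"facility": "A", "sex": "M", "birth": "1986-04-11", "program": "ART"},
]
REGISTER = [
    {"name": "Person-1", "facility": "A", "sex": "F", "birth": "1975-03-02"},
    {"name": "Person-3", "facility": "A", "sex": "F", "birth": "1978-06-14"},
    {"name": "Person-6", "facility": "A", "sex": "M", "birth": "1986-04-11"},
]

def key(rec, level):
    """Indirect identifier at a given detail level (hypothetical scheme):
    0 = full birth date, 1 = birth year, 2 = birth decade."""
    year = int(rec["birth"][:4])
    birth = (rec["birth"], str(year), f"{year // 10 * 10}s")[level]
    return (rec["facility"], rec["sex"], birth)

def smallest_group(records, level):
    """k in k-anonymity terms: size of the smallest group sharing one key."""
    return min(Counter(key(r, level) for r in records).values())

def unique_records(records, level):
    """Rows whose key appears exactly once, i.e. the key is a unique identifier."""
    counts = Counter(key(r, level) for r in records)
    return [r for r in records if counts[key(r, level)] == 1]

def cross_match(extract, register, level):
    """(name, program) pairs recoverable by joining unique extract rows to
    register rows that carry the same key and are themselves unambiguous."""
    names = {}
    for person in register:
        names.setdefault(key(person, level), []).append(person["name"])
    return [(names[key(r, level)][0], r["program"])
            for r in unique_records(extract, level)
            if len(names.get(key(r, level), [])) == 1]

if __name__ == "__main__":
    for level in (0, 1, 2):
        print(level, smallest_group(EXTRACT, level),
              cross_match(EXTRACT, REGISTER, level))
```

With full birth dates every row is unique and three patients are named by the join; coarsening to birth decade raises the smallest group to three and the join returns nothing.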

Developing Recommendations
Review existing guidelines, models, tools
Define specific data/program needs
– what’s useful to share across programs, facilities, levels
– what degree of detail produces unique identifiers
Determine reasonable risk
– Likelihood of disclosure
– Likelihood of harm from disclosure
Balance competing requirements
Action steps

Existing Guidelines
WHO guidelines?
Other diseases (TB?)
European standards?
– Human Rights Act of 1998
U.S. standards
– Public Health Act
– HIPAA (1996, Privacy rule published 2003)
– Security and Confidentiality Guidelines for HIV/AIDS Surveillance (1998)
Numerous electronic security standards (e.g., NIST, Carnegie Mellon)
– Need to pick the proper ones, but they do exist
– Many commercial solutions for electronic security exist (some at little or no cost)

Health Insurance Portability and Accountability Act
Are there relevant lessons from the U.S.?
In the U.S., HIPAA mandates strict rules on medical records
– (Electronic) information may only be shared with formal patient consent
There are two exceptions
– Public health needs
– Law enforcement/national security

Health Insurance Portability and Accountability Act
Organized around 4 overlapping categories:
– Administrative procedures
– Physical safeguards
– Protection for data at rest
– Protection for data in transit
From HIPAA security rule, health care providers are required to:
– “Ensure the confidentiality, integrity, and availability of … health information the … entity creates, receives, maintains, or transmits.”
– “Protect against any reasonably anticipated threats…”
– “Protect against any reasonably anticipated uses…”
– “Ensure compliance … by its workforce”

Excerpts from the U.S. Public Health Service Act, Section 308d (paraphrased)
“information in the system that would identify an individual is collected with a guarantee that it will be held in strict confidence.”
“information reported for statistical purposes will be sent without identifiers that might either directly or indirectly identify individuals”

U.S. Security and Confidentiality Guidelines for HIV/AIDS Surveillance
Consist of 35 requirements programs must meet (via self-certification) as a condition of continued funding
Includes various examples of how each requirement is being met by specific programs
Group neatly into three categories:
– Policy
– Physical
– Electronic

U.S. Security and Confidentiality Guidelines for HIV/AIDS Surveillance
Examples:
– Standard operational policies and procedures must be in writing.
– Information must be accessible only by individuals requiring that information for patient care, reporting, or program management
– Information must be kept inside a locked room
– Rooms must not be easily accessible by window
– Copies of information must be housed inside locked file cabinets
– Information must be de-identified if taken out of the secured area for the purpose of data analysis.
– Electronic databases must have appropriate security (password protection, encryption, etc.)

Four Models
Open Model
– Access to all systems is initially available; access to confidential or sensitive information is prohibited on a case-by-case basis
Closed Model
– Access to all systems is initially prohibited; permission to access information must be granted as requested and authorized
Broken Model
– Access to all systems is available even though prohibited
No Model

Information Needs for Public Health
Traditional surveillance
Improving program delivery – monitoring and evaluation
Resistance monitoring

Striking a Balance
Information Must be Accessible to Provide Appropriate Care
Information Must be Protected to Prevent Harm to the Patient

Practical Considerations
Clear understanding by health workers on what information must be kept confidential
– Written policies
– Training
– Evaluation
Clear understanding on security procedures
– Written policies
– Training
– Evaluation

Practical Considerations (continued)
Agreements on reporting requirements to the district, provincial, national, and international levels
– Current WHO indicators are at the aggregate level only and pose virtually no risk to confidentiality
– Systems (paper and electronic) that support sharing of clinical records across sites may pose a risk
  – Includes systems where patients carry paper records
  – Electronic databases represent an added risk

Possible Next Steps
How critical is the need to develop guidance?
Who are the relevant stakeholders?
Best methods for building consensus?
Time frame?
PEPFAR has made funding available to support activity in this area.