Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems

Meade Morgan and Xen Santas
Informatics Team
Surveillance and Infrastructure Development
Global AIDS Program, CDC

31 March 2004
WHO, Geneva


Definition of Terms

Confidentiality
– Assuring that medical information will be used only for appropriate care and treatment of individuals and populations.

Security
– The protections (policy, physical, and where appropriate, electronic) which assure that no breaches in the confidentiality of medical information will occur.

The Current Situation

Local health facilities
– Staff responsible for medical care may lack sufficient training in or understanding of the importance of maintaining confidentiality or security of medical records;
– Physical protections around records systems may be inadequate or unaffordable
    – Log books are often readily accessible by unauthorized staff
    – Multiple copies of potentially sensitive information exist throughout larger facilities
– Cultural norms may not sufficiently discourage inappropriate disclosure of information

The Current Situation

National programs
– Statistical data abstracted for program monitoring and improvement may contain information that inadvertently identifies individuals. This can happen directly, e.g., through disclosure of patient identifiers (name, address, identification numbers such as SSN), or indirectly, by allowing for cross matching with other available data sets which contain identifiers.
– Medical data need to be shared across institutions when patients move from one provider to another, but this increases the risk of inappropriate disclosure.

Developing Recommendations

Review existing guidelines, models, tools
Define specific data/program needs
– what’s useful to share across programs, facilities, levels
– what degree of detail produces unique identifiers
Determine reasonable risk
– Likelihood of disclosure
– Likelihood of harm from disclosure
Balance competing requirements
Action steps

Existing Guidelines

WHO guidelines?
Other diseases (TB?)
European standards?
– Human Rights Act of 1998
U.S. standards
– Public Health Act
– HIPAA (1996, Privacy rule published 2003)
– Security and Confidentiality Guidelines for HIV/AIDS Surveillance (1998)
Numerous electronic security standards (e.g., NIST, Carnegie Mellon)
– Need to pick the proper ones, but they do exist
– Many commercial solutions for electronic security exist (some at little or no cost)

Health Insurance Portability and Accountability Act

Are there relevant lessons from the U.S.?

In the U.S., HIPAA mandates strict rules on medical records
– (Electronic) information may only be shared with formal patient consent
There are two exceptions
– Public health needs
– Law enforcement/national security

Health Insurance Portability and Accountability Act

Organized around 4 overlapping categories:
– Administrative procedures
– Physical safeguards
– Protection for data at rest
– Protection for data in transit

From HIPAA security rule, health care providers are required to:
– “Ensure the confidentiality, integrity, and availability of …health information the … entity creates, receives, maintains, or transmits.”
– “Protect against any reasonably anticipated threats…”
– “Protect against any reasonably anticipated uses…”
– “Ensure compliance … by its workforce”

Excerpts from the U.S. Public Health Service Act, Section 308d (paraphrased)

“information in the system that would identify an individual is collected with a guarantee that it will be held in strict confidence.”
“information reported for statistical purposes will be sent without identifiers that might either directly or indirectly identify individuals”

U.S. Security and Confidentiality Guidelines for HIV/AIDS Surveillance

Consist of 35 requirements programs must meet (via self-certification) as a condition of continued funding
Includes various examples of how each requirement is being met by specific programs
Group neatly into three categories:
– Policy
– Physical
– Electronic

U.S. Security and Confidentiality Guidelines for HIV/AIDS Surveillance

Examples:
– Standard operational policies and procedures must be in writing.
– Information must be accessible only by individuals requiring that information for patient care, reporting, or program management
– Information must be kept inside a locked room
– Rooms must not be easily accessible by window
– Copies of information must be housed inside locked file cabinets
– Information must be de-identified if taken out of the secured area for the purpose of data analysis.
– Electronic databases must have appropriate security (password protection, encryption, etc.)

Four Models

Open Model
– Access to all systems is initially available; access to confidential or sensitive information is prohibited on a case-by-case basis
Closed Model
– Access to all systems is initially prohibited; permission to access information must be granted as requested and authorized
Broken Model
– Access to all systems is available even though prohibited
No Model

Information Needs for Public Health

Traditional surveillance
Improving program delivery – monitoring and evaluation
Resistance monitoring

Striking a Balance

Information Must be Accessible to Provide Appropriate Care

Information Must be Protected to Prevent Harm to the Patient

Practical Considerations

Clear understanding by health workers on what information must be kept confidential
– Written policies
– Training
– Evaluation
Clear understanding on security procedures
– Written policies
– Training
– Evaluation

Practical Considerations (continued)

Agreements on reporting requirements to the district, provincial, national, and international levels
– Current WHO indicators are at the aggregate level only and pose virtually no risk to confidentiality
– Systems (paper and electronic) that support sharing of clinical records across sites may pose a risk
    – Includes systems where patients carry paper records
    – Electronic databases represent an added risk

Possible Next Steps

How critical is the need to develop guidance?
Who are relevant stakeholders?
Best methods for building consensus?
Time frame?
PEPFAR has made funding available to support activity in this area.