Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems

Meade Morgan and Xen Santas
Informatics Team, Surveillance and Infrastructure Development
Global AIDS Program, CDC
31 March 2004, WHO, Geneva

Definition of Terms

Confidentiality – Assuring that medical information will be used only for appropriate care and treatment of individuals and populations.

Security – The protections (policy, physical, and where appropriate, electronic) which assure that no breaches in the confidentiality of medical information will occur.

The Current Situation

Local health facilities
– Staff responsible for medical care may lack sufficient training in or understanding of the importance of maintaining confidentiality or security of medical records
– Physical protections around records systems may be inadequate or unaffordable
  Log books are often readily accessible by unauthorized staff
  Multiple copies of potentially sensitive information exist throughout larger facilities
– Cultural norms may not sufficiently discourage inappropriate disclosure of information

The Current Situation

National programs
– Statistical data abstracted for program monitoring and improvement may contain information that inadvertently identifies individuals. This can happen directly, e.g., through disclosure of patient identifiers (name, address, identification numbers such as SSN), or indirectly, by allowing cross-matching with other available data sets which contain identifiers.
– Medical data need to be shared across institutions when patients move from one provider to another, but this increases the risk of inappropriate disclosure.
Developing Recommendations

Review existing guidelines, models, tools
Define specific data/program needs
– what’s useful to share across programs, facilities, levels
– what degree of detail produces unique identifiers
Determine reasonable risk
– Likelihood of disclosure
– Likelihood of harm from disclosure
Balance competing requirements
Action steps

Existing Guidelines

WHO guidelines?
Other diseases (TB?)
European standards?
– Human Rights Act of 1998
U.S. standards
– Public Health Act
– HIPAA (1996, Privacy Rule published 2003)
– Security and Confidentiality Guidelines for HIV/AIDS Surveillance (1998)
Numerous electronic security standards (e.g., NIST, Carnegie Mellon)
– Need to pick the proper ones, but they do exist
– Many commercial solutions for electronic security exist (some at little or no cost)

Health Insurance Portability and Accountability Act

Are there relevant lessons from the U.S.?
In the U.S., HIPAA mandates strict rules on medical records
– (Electronic) information may only be shared with formal patient consent
There are two exceptions
– Public health needs
– Law enforcement/national security

Health Insurance Portability and Accountability Act

Organized around 4 overlapping categories:
Administrative procedures
Physical safeguards
Protection for data at rest
Protection for data in transit

From the HIPAA Security Rule, health care providers are required to:
– “Ensure the confidentiality, integrity, and availability of … health information the … entity creates, receives, maintains, or transmits.”
– “Protect against any reasonably anticipated threats …”
– “Protect against any reasonably anticipated uses …”
– “Ensure compliance … by its workforce”

Excerpts from the U.S. Public Health Service Act, Section 308d (paraphrased)

“information in the system that would identify an individual is collected with a guarantee that it will be held in strict confidence.”
“information reported for statistical purposes will be sent without identifiers that might either directly or indirectly identify individuals”

U.S. Security and Confidentiality Guidelines for HIV/AIDS Surveillance

Consist of 35 requirements programs must meet (via self-certification) as a condition of continued funding
Include various examples of how each requirement is being met by specific programs
Group neatly into three categories:
– Policy
– Physical
– Electronic

U.S. Security and Confidentiality Guidelines for HIV/AIDS Surveillance

Examples:
– Standard operational policies and procedures must be in writing.
– Information must be accessible only by individuals requiring that information for patient care, reporting, or program management
– Information must be kept inside a locked room
– Rooms must not be easily accessible by window
– Copies of information must be housed inside locked file cabinets
– Information must be de-identified if taken out of the secured area for the purpose of data analysis.
– Electronic databases must have appropriate security (password protection, encryption, etc.)
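The points above about identifiers (direct identifiers such as name, address and identification number; indirect identification by cross-matching; "what degree of detail produces unique identifiers"; de-identification before data leave the secured area) can be made concrete with a small script. The following is an added example, not code from the presentation or from CDC/WHO. It strips the direct identifiers, coarsens birth date to an age band and treatment start date to a quarter, and then counts how many records still have a unique combination of the remaining fields, which is exactly the set of records a holder of another data set with the same fields could match back to a person. The field names, the 10-year band width, the k threshold of 2 and the sample records are all constructed for the example.

```python
"""De-identification check for records leaving the secured area.

Added example (not from the CDC/WHO presentation). Field names, the sample
records and the thresholds below are constructed for illustration.
"""
from collections import Counter
from datetime import date

# Fields the slides name as direct identifiers (constructed field names).
DIRECT_IDENTIFIERS = ("name", "address", "id_number")

# Fields that do not identify anyone on their own but may do so in
# combination (quasi-identifiers). Facility is dropped entirely because a
# small clinic plus an age band is often unique in practice.
QUASI_IDENTIFIERS = ("age_band", "sex", "district", "art_start_quarter")

REFERENCE_DATE = date(2004, 3, 31)  # date of the presentation; used for ages


def age_band(birth, today=REFERENCE_DATE, width=10):
    """Replace an exact birth date with a 10-year age band such as '30-39'."""
    age = today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def quarter(d):
    """Reduce an exact date to a calendar quarter such as '2003-Q4'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def deidentify(record):
    """Return a copy with direct identifiers removed and detail generalized.

    Only the generalized quasi-identifiers and the statistic being reported
    survive; name, address, id_number, facility and exact dates are dropped.
    """
    return {
        "age_band": age_band(record["birth_date"]),
        "sex": record["sex"],
        "district": record["district"],
        "art_start_quarter": quarter(record["art_start"]),
        "on_treatment": record["on_treatment"],
    }


def unique_combinations(records, fields=QUASI_IDENTIFIERS, k=2):
    """Return quasi-identifier combinations shared by fewer than k records.

    Each such combination marks a record that could be matched back to an
    individual by cross-matching with another data set that carries the same
    fields plus identifiers.
    """
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return [combo for combo, n in counts.items() if n < k]


def prepare_for_release(records, k=2):
    """De-identify, then report the combinations that still fail the k threshold."""
    released = [deidentify(r) for r in records]
    return released, unique_combinations(released, k=k)


# Constructed sample records: fictitious people, places and dates.
SAMPLE_RECORDS = [
    {"name": "A. Example", "address": "1 Road", "id_number": "ID-0001",
     "birth_date": date(1970, 5, 2), "sex": "F", "district": "North",
     "facility": "Clinic 1", "art_start": date(2003, 11, 3), "on_treatment": True},
    {"name": "B. Example", "address": "2 Road", "id_number": "ID-0002",
     "birth_date": date(1968, 1, 20), "sex": "F", "district": "North",
     "facility": "Clinic 2", "art_start": date(2003, 12, 15), "on_treatment": True},
    {"name": "C. Example", "address": "3 Road", "id_number": "ID-0003",
     "birth_date": date(1975, 9, 9), "sex": "M", "district": "North",
     "facility": "Clinic 1", "art_start": date(2004, 1, 8), "on_treatment": False},
    {"name": "D. Example", "address": "4 Road", "id_number": "ID-0004",
     "birth_date": date(1950, 3, 30), "sex": "M", "district": "South",
     "facility": "Clinic 3", "art_start": date(2003, 10, 1), "on_treatment": True},
]

if __name__ == "__main__":
    released, at_risk = prepare_for_release(SAMPLE_RECORDS)
    for r in released:
        print(r)
    print("combinations still unique (k < 2):", at_risk)
```

On the four sample records, two women from the same district who started treatment in the same quarter fall into the same band and are safe at k=2, while the two men are each unique even after generalization; the answer there is to widen the bands or report the district total only, which is why the slides note that the aggregate WHO indicators pose virtually no risk.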
Four Models

Open Model
– Access to all systems is initially available; access to confidential or sensitive information is prohibited on a case-by-case basis
Closed Model
– Access to all systems is initially prohibited; permission to access information must be granted, as requested, by an authorized individual
Broken Model
– Access to all systems is available even though prohibited
No Model

Information Needs for Public Health

Traditional surveillance
Improving program delivery – monitoring and evaluation
Resistance monitoring

Striking a Balance

Information must be accessible to provide appropriate care
Information must be protected to prevent harm to the patient

Practical Considerations

Clear understanding by health workers of what information must be kept confidential
– Written policies
– Training
– Evaluation
Clear understanding of security procedures
– Written policies
– Training
– Evaluation

Practical Considerations (continued)

Agreements on reporting requirements to the district, provincial, national, and international levels
– Current WHO indicators are at the aggregate level only and pose virtually no risk to confidentiality
– Systems (paper and electronic) that support sharing of clinical records across sites may pose a risk
  Includes systems where patients carry paper records
  Electronic databases represent an added risk

Possible Next Steps

How critical is the need to develop guidance?
Who are the relevant stakeholders?
Best methods for building consensus?
Time frame?
PEPFAR has made funding available to support activity in this area.
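The Open, Closed and Broken models from the "Four Models" slide are easiest to compare when written as one access decision with different defaults. The following is an added example, not code from the presentation: the Open Model allows by default and records case-by-case prohibitions, the Closed Model denies by default and records case-by-case grants that only a listed approver may make, every decision is written to an audit log, and a final check compares accesses that were observed to happen against what the model says should have happened, which is how Broken Model behaviour (access that occurs even though prohibited) shows up. User names, the approver role, and the information categories are constructed for the example.

```python
"""Open vs. closed access models as one decision function.

Added example, not part of the CDC/WHO presentation. Users, approvers and
categories are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Categories of information in a clinical monitoring system (constructed).
CLINICAL = "clinical_record"            # identified patient record
AGGREGATE = "aggregate_indicators"      # district-level counts only
IDENTIFIED_EXPORT = "identified_export"  # data with identifiers leaving the secured area


@dataclass
class AccessModel:
    """default_allow=True is the Open Model; default_allow=False is the Closed Model."""
    name: str
    default_allow: bool
    explicit_deny: Set[Tuple[str, str]] = field(default_factory=set)
    explicit_grant: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (user, category) -> approver
    audit_log: List[str] = field(default_factory=list)

    def deny(self, user, category):
        """Open Model: prohibit a sensitive category for one user, case by case."""
        self.explicit_deny.add((user, category))

    def grant(self, user, category, approver, approvers):
        """Closed Model: grant on request, but only a listed approver may do so."""
        if approver not in approvers:
            raise PermissionError(f"{approver} is not authorized to grant access")
        self.explicit_grant[(user, category)] = approver

    def decide(self, user, category):
        """Explicit denial beats explicit grant; otherwise fall back to the default."""
        key = (user, category)
        if key in self.explicit_deny:
            allowed = False
        elif key in self.explicit_grant:
            allowed = True
        else:
            allowed = self.default_allow
        self.audit_log.append(
            f"{self.name}: {user} {'ALLOWED' if allowed else 'DENIED'} {category}")
        return allowed


def find_broken_accesses(model, observed):
    """Observed accesses the model says are prohibited: the Broken Model in action.

    `observed` is a list of (user, category) pairs taken from some record of
    what actually happened (a log book, a database audit table); any pair the
    policy would deny is access that occurred despite being prohibited.
    """
    return [(u, c) for u, c in observed if not model.decide(u, c)]


def run_scenario():
    """Same requests against both models; returns {model name: {request: decision}}."""
    approvers = {"facility_head"}

    open_model = AccessModel("open", default_allow=True)
    open_model.deny("data_clerk", CLINICAL)  # the one case-by-case prohibition

    closed_model = AccessModel("closed", default_allow=False)
    closed_model.grant("nurse", CLINICAL, "facility_head", approvers)
    closed_model.grant("data_clerk", AGGREGATE, "facility_head", approvers)

    requests = [
        ("nurse", CLINICAL),
        ("data_clerk", CLINICAL),
        ("data_clerk", AGGREGATE),
        ("visitor", IDENTIFIED_EXPORT),  # nobody thought to prohibit this one
    ]
    return {m.name: {r: m.decide(*r) for r in requests} for m in (open_model, closed_model)}


if __name__ == "__main__":
    for model_name, decisions in run_scenario().items():
        for (user, category), allowed in decisions.items():
            print(f"{model_name:6} {user:10} {category:22} {'allowed' if allowed else 'denied'}")
```

The visitor's request for an identified export is the telling row: under the Open Model it is allowed simply because nobody wrote a prohibition for it, under the Closed Model it is denied because nobody granted it. That is the practical argument for the Closed Model in a setting where, as the earlier slides note, staff training and physical controls are uneven.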