PROPOSED CONFIDENTIALITY AND SECURITY POLICY FOR THE STD/HIV SECTION - DISEASE CONTROL & ENVIRONMENTAL EPIDEMIOLOGY DIVISION

DRAFT – January 2008


Colorado Department of Public Health and Environment

Disease Control & Environmental Epidemiology Division

4300 Cherry Creek Drive South

Denver, CO 80246

CONTENTS

PURPOSE STATEMENT

I. LEGAL AUTHORITY

State Laws Governing Confidentiality and Data Release

Federal Laws Governing Confidentiality and Data Release

II. POLICY IMPLEMENTATION

Overall Responsible Party

Annual Policy Review

Access to Confidential Data

Data Release Policy

Staff Training Requirements

Physical Security

Mail

Incoming Fax Transmissions

Outgoing Fax Transmissions

Written Correspondence

Telephone Communication

Voicemail

Conversation

E-mail

Confidential Document Management

Maintaining Security and Confidentiality in the Field

Computer Security

Electronic Transmission of Data

Security Breaches

III.  CONFIDENTIALITY AND SECURITY MANAGEMENT TOOLS

Employee Oath of Confidentiality

Data Release Policy (to be revised 2008)

Computer Security Policy

Assurances to STD/AIDS Section (to be revised 2008)

PURPOSE STATEMENT

The Colorado Department of Public Health and Environment (CDPHE) has a legal and fiduciary duty to protect confidential information. Integral to the mission of the Disease Control and Environmental Epidemiology Division (DCEED) and the STD/HIV Section is reviewing and processing public health reports and medical records of persons in the State of Colorado. The ability of the STD/HIV Section to collect, store, use, and transmit sensitive STD/HIV case information in a secure and confidential manner is central to the program’s acceptability and success. Case information may be transmitted verbally, electronically, or via paper documentation. Persons at all levels throughout DCEED may act as custodians to these confidential records. The STD/HIV Section acknowledges the importance of its role in protecting the public’s trust and averting risk to CDPHE.

The STD/HIV Section strives to achieve a working environment that protects confidential public health records by:

•  Providing reasonable safeguards for securing confidential and sensitive information.

•  Providing a flexible, comfortable, and secure working environment for an employee that is conducive to communication between professionals.

•  Providing written uniform standards, guidelines, and procedures to protect against breaches of confidentiality (unintentional or otherwise).

•  Providing written documentation that supports the Section’s and the Division’s intention to safeguard confidential information.

I. LEGAL AUTHORITY

State Laws Governing Confidentiality and Data Release

The DCEED is the custodian of public health reports and is routinely in possession of confidential or sensitive health information.

Colorado Revised Statute (C.R.S.) 25-1-122, “Named reporting of certain diseases and conditions – access to medical records – confidentiality of reports and records” requires health care providers to report certain communicable diseases as determined by the Colorado State Board of Health. It also allows authorized personnel to investigate diseases and conditions, without patient consent, to inspect, have access to, and obtain information from pertinent institutions (hospitals, labs, medical practitioners), while limiting this access to information that is pertinent, relevant, or necessary to the public health investigation. This statute mandates the information be held confidentially, and clearly delineates circumstances in which limited information may be released in the interest of public health. A violation or breach under this statute would be a class 1 misdemeanor. However, 18-4-412, C.R.S. specifically defines theft of medical records and makes unauthorized disclosure a felony. Nothing in 25-1-122 C.R.S. shall be construed to apply to cases of AIDS, HIV-related illness, or HIV infection, which are addressed specifically below.

Colorado Revised Statute 25-4-1402 requires that physicians and all other persons treating a case of HIV infection report cases of HIV, HIV-related illness, and AIDS to the state or local health department. The law specifically provides that these reports will not constitute a violation of the right of privacy or privileged communication. These reports are required to include the name, sex, race, ethnicity, address and date of birth of the patient and the care provider's name and address.

In general, the law allows the release of information in very limited circumstances. The confidentiality of HIV related information is protected by 25-4-1404, C.R.S., which contains very specific language about when information may be released. Case reports are exempt from subpoenas and from release under the Freedom of Information Act. Public health reports are received by the state or local health departments from facilities reporting cases in compliance with the law, and are distinguished from medical records, which are protected from unauthorized disclosure by section 18-4-412, C.R.S. (which makes unauthorized disclosure a felony). Violations of the confidentiality provisions of the AIDS Control Act are misdemeanors.

Federal Laws Governing Confidentiality and Data Release

At the national level, the disease related databases housed at the Centers for Disease Control and Prevention (CDC) are protected by a Federal Assurance of Confidentiality (Sections 306 and 308(d)) of the Public Service Act, 42 U.S.C. 242k and 242m(d), which prohibits disclosure of any information that could be used to directly or indirectly identify patients. CDC does not receive patient name or address from state health departments. The CDC has a policy that restricts its own release of any aggregate national surveillance data with small cell sizes.

In addition, CDC “Guidelines for HIV/AIDS Surveillance, Appendix C: Security and Confidentiality” reflects CDC’s recommendations as best practices for protecting HIV/AIDS surveillance data and information. This document details program requirements and security recommendations for protecting HIV/AIDS related information.

II. POLICY IMPLEMENTATION

Overall Responsible Party (ORP)

The manager of the DCEED IT program, Ed Trainer, is designated as the ORP. As part of the CDC cooperative agreement application, Mr. Trainer will annually certify that all security program requirements are met.

Annual Policy Review

This policy will be reviewed at least annually to ensure that data remain secure as evolving technologies present new challenges. The Security and Confidentiality Checklist Attachment-H included in CDC’s Technical Guidance for HIV/AIDS Surveillance Programs will be used to assist in this annual review.

Access to Confidential STD/HIV Data

Access to all confidential STD/HIV related data should be restricted to authorized STD/HIV Section or DCEED staff. Authorized staff members are those whose job duties require access to STD/HIV related public health records, case reports, or laboratory reports that include patient identifiers. This authorization is based on an expressed and justifiable public health need.

Access to identifiable HIV/AIDS surveillance information must be limited. The program manager and ORP will assess the benefits and risks of allowing access and ensure that the level of security and confidentiality is equivalent to the standards described in this policy.

All STD/HIV Section staff members are responsible for questioning and challenging any unauthorized or unescorted person within the secured area of DCEED. If the unauthorized person is not properly identified, the employee should attempt to escort the individual to the lobby area. If the employee is uncomfortable with the situation, he/she should contact any supervisor or manager for assistance. If the situation seems to be threatening, the employee should disengage and immediately call 9-911.

Data Release Policy

The CDPHE DCEED Data Release Policy (Attachment 1) addresses the release of public health surveillance data for all reportable conditions covered by Colorado Board of Health rules and regulations. This policy sets standards for the release of data and ensures that this release is made in a manner assuring that no person can be identified, except to the extent required by law. Staff should refer to this policy prior to releasing any STD/HIV related data, including but not limited to statistics, maps, charts, and tables that may be used to identify a specific person.

Staff Training Requirements

All DCEED employees with access to confidential STD/HIV related information are required to attend training on STD/HIV Section confidentiality and security policies and are required to sign a confidentiality agreement (Attachment 2) upon hire and annually thereafter. New employees will not be granted access to confidential information without the signed confidentiality agreement. A copy of the agreement will be provided to each employee; the original will be kept in each employee’s personnel file.

The STD/HIV Section Confidentiality and Security Policy is readily accessible on the department computer network by all staff in the STD/HIV Section shortcuts folder. In addition, a paper copy of the policy is available within the HIV surveillance unit.

Physical Security

CDPHE building A is located at 4300 Cherry Creek Drive South in Denver. At the lobby entrance, visitors must sign in, state their destination, and be given a guest badge. The building is locked during non-business hours and cannot be accessed without the use of a card key.

The DCEED is located on the third floor of CDPHE building A. Access to the third floor is restricted to employees of DCEED. Card keys are issued only to DCEED employees who have signed a confidentiality agreement. All card keys are returned to the unit supervisor upon termination of employment. A DCEED employee must accompany all visitors and unauthorized personnel within the third floor limited access area at all times.

All confidential paper copy STD/HIV related public health reports and information are stored within a secure registry room, located within the limited access area. Door and alarm codes are necessary to gain access to the registry room, and it is not accessible by window. During normal business hours, the registry room door is kept open as long as an authorized staff member is present inside. If unattended during normal business hours, the registry room alarm may be left unarmed, but the door must be locked. When unattended after business hours, the room must be locked and the alarm armed with the four-digit code assigned to authorized HIV/STD Section staff.

If the alarm is activated, the Glendale Police Department will respond to the third floor restricted access area to investigate. If the alarm is inadvertently activated, the security company will be immediately contacted and informed that the alarm was accidental. To successfully de-activate the alarm, the security company must be provided with a code to assure that the caller is a legitimate employee of the STD/HIV Section. Upon hire, all staff with access to the registry room are provided with the code to cancel the alarm. These codes are changed semi-annually, when a personnel change (affecting any person with access to the registry) occurs, or more often as necessary.

Access to the registry room by cleaning and maintenance staff is granted only during business hours when an authorized staff member is present. All confidential materials should be secured and computer access locked while any unauthorized person is escorted into the registry room.

All STD/HIV Section staff members are individually responsible for protecting their workstation, laptop, or other STD/HIV related information or data. This responsibility includes, but is not limited to, protecting keys, passwords, and codes that would allow access to confidential or sensitive information. Confidential information should not be left unattended in an in-basket or at an unsecured workstation, and should never be placed in a wastebasket, shredding, or recycle container.

When leaving the building, all STD/HIV Section staff should use the log-off option on their computer. In addition, to further reduce the likelihood of unauthorized access, all staff computers that are used to access confidential or sensitive information should be set up with password-protected screensavers. This screensaver should activate after no more than 15 minutes of inactivity.

Under no circumstances should confidential STD/HIV related records be taken out of the restricted access area of DCEED, such as to a conference room, core area, restroom, etc., unless they are needed to conduct a disease investigation in a field setting.

Mail

The registry room should receive all laboratory reports of STD/HIV infection, from both public and private labs. The reports are opened and date stamped by the registry staff and, after data entry, placed in the surveillance work assignment box located in the secured registry room as appropriate.

All incoming HIV related case reports (always marked "confidential") from other states are received by the program assistant of the STD/HIV surveillance unit, and placed in the surveillance coordinator's mail slot, located in the secured registry room. These reports are only to be opened by the surveillance coordinator or his/her designee.

The general mailroom for DCEED is a secured area, which is staffed by a DCEED employee during normal business hours, and accessible only by keycard after hours. All non-confidential mail is delivered and stored in the mailroom until retrieved by appropriate personnel.

In the event that it is necessary to mail confidential information or material, the amount and sensitivity of information contained in any one piece of mail must be kept to a minimum. All patient identifiers should be removed and mailed under a separate cover. No reference to disease, risk information, etc. is to be included with the patient identifiers.

Incoming Fax Transmissions

Fax transmissions containing patient information should be directed to the confidential fax number located within the restricted access area in the registry room whenever possible. The fax cover page should contain a statement about confidentiality. If the receptionist in the DCEED welcome area receives a confidential fax transmission, the recipient should be immediately contacted to retrieve the document. Documents received but not retrieved, or received after the close of business, are secured overnight in the locked DCEED mailroom, which is accessible only by keycard.

Outgoing Fax Transmissions

Fax transmissions containing patient information should only be sent from the fax located in the secured area within the registry room. The fax cover page should contain a statement about confidentiality. Confidential information should never include identifying information that is directly linked to an STD or HIV. This should be communicated separately to the recipient. Prior to sending a fax, the staff member should verify with the recipient the security of the receiving site, and ensure the recipient is awaiting the transmission whenever possible.

Guidelines for faxing confidential or sensitive information should be posted near all faxes utilized for sending or receiving confidential information.

Written Correspondence

Confidentiality may be breached by program identification on envelopes. Attention must be paid to the return address mail code, return address label, and other information within the correspondence (e.g. window envelopes that have too large an opening). Pre-addressed envelopes used for laboratory or provider reporting should not contain the words HIV/AIDS or STD.

Telephone Communication

Telephone communication of confidential information should only be made to an authorized person. The identity of the person should be verified by asking specific questions, record searching the surveillance call list, or by return call to the person’s organization. Staff should never give information to anyone whom they cannot positively identify. Attention should be paid to keeping conversations within the range of the office space.

Voicemail

In communicating with healthcare providers, health departments, etc., telephone messages which include patient identifiers (i.e. names, social security numbers) should not be left on any voice mail system if they identify any specific disease or condition. In addition, staff voice mail messages should instruct callers not to leave identifiable information, because voicemail systems are not entirely secure.

Conversation