Protecting Privacy and Confidentiality

At a glance

  • Centers for Disease Control and Prevention (CDC) protects privacy and confidentiality in accordance with federal laws.
  • CDC uses Certificates of Confidentiality and other resources to protect identifiable and potentially identifiable information.

Overview

Centers for Disease Control and Prevention (CDC) commits to protecting the privacy and confidentiality of the information we have, in accordance with federal laws. The Privacy and Confidentiality Unit (PCU) provides guidance on privacy and confidentiality for all federally funded and supported activities through consultation and issuance of Assurances of Confidentiality to CDC programs.

Privacy

CDC provides technical support and education to CDC employees; grantees; partners; and state, Tribal, and local health departments on:

  • The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
  • The Family Educational Rights and Privacy Act (FERPA).
  • Other federal privacy laws.

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Privacy Rule (45 CFR Parts 160 and 164) regulates the use and disclosure of individually identifiable health information, called protected health information (PHI), by covered entities. The Privacy Rule protects all PHI transmitted or maintained in any form or medium (e.g., electronic, paper, or oral) by a covered entity or its business associates. It excludes certain educational and employment records.

The Privacy Rule gives individuals certain rights with respect to their health information, including, but not limited to, the right to inspect and request corrections or amendments to their PHI. The Privacy Rule requires covered entities to notify individuals of their privacy rights and of how their PHI will be used and disclosed.

The Privacy Rule generally prohibits the use or disclosure of PHI without written authorization from the individual; however, there are several exceptions to this requirement, including disclosures for public health activities.

Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. §1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. Health care information is generally part of the education record. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

FERPA gives parents certain rights regarding their child's education record. These rights include the right to inspect and request corrections to the record. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.

FERPA generally prohibits the disclosure of any personally identifiable information contained in an education record without the appropriate written consent. FERPA offers limited exceptions to this requirement.

Confidentiality

Certificates of Confidentiality

Certificates of Confidentiality (CoCs) protect the privacy of research participants by prohibiting disclosure of identifiable and potentially identifiable research information, with limited exceptions.

Any investigator or institution issued a CoC shall not:

  • Disclose or provide covered information, in any federal, state, or local civil, criminal, administrative, legislative, or other proceeding.
  • Disclose or provide covered information to any other person not connected with the research.

CDC investigators with a CoC may ONLY disclose identifiable and potentially identifiable information in the following circumstances:

  • If required by other federal, state, or local laws, such as for reporting of communicable diseases.
  • If the subject consents.
  • For the purposes of scientific research that is compliant with human subjects regulations.

CoCs cover any CDC-funded research project collecting or using identifiable and potentially identifiable information, in compliance with Section 301(d) of the Public Health Service Act (PHSA). All CDC-funded research activities are automatically issued a CoC through their award. No physical certificate will be issued. The CoC will apply as a term and condition of award. This applies to:

  • Grants.
  • Cooperative Agreements.
  • Contracts.
  • CDC-sponsored intramural research.

For research activities enrolling human participants, CDC requires investigators to inform participants of the CoC protections and the limits to those protections.

Assurance of Confidentiality

An Assurance of Confidentiality (AoC) is a formal confidentiality protection authorized under Section 308(d) of the PHSA. CDC investigators use it to collect or maintain sensitive identifiable information from individuals and institutions. The law states that no identifiable information may be used for any purpose other than the purpose for which it was supplied, unless the institution or individual that supplied it has consented to that disclosure. Protected information includes identifiable information on institutions or individuals who are the subjects of non-research public health activities with an approved AoC.

CDC implements agency AoC protection for public health activities conducted by CDC investigators that involve the collection or maintenance of identifiable information. This protection allows CDC programs to assure individuals and institutions involved in non-research activities (e.g., surveillance) that those conducting the activity will protect the confidentiality of the identifiable data collected.

Disclosures can be made without individual authorization only for purposes stated at the time of data collection, or for purposes specifically consented to thereafter by each of the parties to whom the promise of confidentiality was given.