Data Security and Confidentiality

What to know

All newly hired staff must sign confidentiality agreements for data security before being given access to identifiable information, and must renew that agreement annually.

Data security and confidentiality guidelines

Standards for the collection, sharing, and security of HIV, viral hepatitis, STD, and TB data can be found in the National Center for HIV, Viral Hepatitis, STD and TB Prevention (NCHHSTP) Data Security and Confidentiality Guidelines.

These guidelines require that all newly hired staff sign confidentiality agreements before being given access to identifiable information; they also require annual renewal of that agreement.[1] Programs may need to develop a specialized confidentiality agreement meeting their program's needs for those engaged in internet activities. See Appendix J for examples of confidentiality agreements.

Because screen names, email addresses, and telephone numbers are considered personal identifying information (2 C.F.R. § 200.79) and are to be held to the same levels of confidentiality as a patient's first name and surname, programs offering IPS typically require DIS to sign additional agreements regarding the specific use of technology. For example, programs create policies describing the acceptable use of technology for PS, including what websites, apps, and social networking sites may be used for PS, what information can be shared or discussed over these mediums, expected professional and behavioral standards, and consequences for violations of the policy. These policies may also indicate whether staff may conduct IPS from personal computers and devices and other structural limitations. For examples of an acceptable use agreement, see below and Appendix K.

Some programs may require a non-networked computer (a computer with internet access that is separate from the internal network) in order to protect servers from viruses or unauthorized intrusions; this may alleviate IT networking concerns about security breaches.

Example of acceptable use for accessing restricted websites

Maryland Department of Health and Mental Hygiene

Agreement for Accessing Restricted Websites

Purpose

During the course of their normal job duties, staff members that perform Internet Partner Services (IPS) are often required to access websites that are restricted and may contain adult-oriented material. This agreement has been developed to establish clear expectations when restricted sites are to be accessed while performing IPS, and the consequences for acting outside of these expectations. All staff performing IPS must sign this agreement prior to being granted access to restricted websites.

Agreement

  1. I agree to access restricted websites for official business only.
  2. I understand all passwords are confidential.
  3. I understand I must not disclose passwords to anyone other than an authorized individual, nor may I make any password accessible to persons other than my immediate supervisor or an equally authorized co-worker.
  4. I understand passwords are for official business only, and I will not use website passwords, profiles, pages, avatars, email accounts, or other technology for any personal endeavors.
  5. I understand I am not to use my personal home computer for any endeavors related to official department business.
  6. I understand that my use of department equipment such as a computer or a cell phone will be monitored.
  7. I understand I must document my internet activities, dates, times, and sites visited on the Internet-Based Partner Services Website Log Sheet.
  8. I understand I am to print out all correspondence and keep a copy in a place designated by my supervisor.
  9. I understand all correspondence must conform to existing policies and procedures regarding Internet-Based Partner Services.
  10. I understand I will be subject to disciplinary action should I engage in any activities on restricted websites outside the boundaries of my job requirements.

I have read, understand, and agree to comply with this agreement.

Employee Name ___________________________ Date_________________

  1. Centers for Disease Control and Prevention. Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs: Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action. Atlanta, GA: U.S. Department of Health and Human Services, Centers for Disease Control and Prevention; 2011. Retrieved from https://www.cdc.gov/nchhstp/programintegration/docs/PCSIDataSecurityGuidelines.pdf