
II. Standards and Suggested Practices

C. Data security and client confidentiality

Data security and client confidentiality are fundamental to the development of policies and procedures for CTR data collection and processing. At each phase of the CTR data life cycle, from collection through analysis and utilization, every effort should be made to maintain the integrity of electronic and hard-copy CTR data and the confidentiality of all client information. This section provides general information about security and confidentiality issues related to CTR in order to ensure that client data are used for maximum benefit to public health, with minimum risk of disclosure of client-level information.

What is data security?

Data (or information) security refers to protecting hard-copy and electronic information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

What is confidentiality?

“Confidentiality pertains to the disclosure of personal information in a relationship of trust and with the expectation that it will not be divulged to others in ways that are inconsistent with the original disclosure.”

Centers for Disease Control and Prevention. (2001). Revised guidelines for HIV counseling, testing, and referral. Morbidity and Mortality Weekly Report Recommendations and Reports, 50 (RR-19), 1–58.

Health departments should prepare and provide a written data security and confidentiality protocol to all CTR staff. This data security and confidentiality protocol should be informed by federal and state statutes, regulations, and case law that provide legal protection to HIV/AIDS information, mandate privacy of individually identifiable health information, and describe data storage and disposal policies. In addition to following the federal and state regulations, service providers may be required to follow local regulations. Because the regulations regarding data security and confidentiality can vary by jurisdiction, every health department should become fully aware of all applicable federal, state, and local laws and establish or update policies accordingly. Examples of topics that would be covered in the protocol include definitions of roles for persons authorized to access data, data storage and disposal policies, data release policies and procedures (see Standard H2 in the Data Analysis and Utilization section), security inspections, examples of security breaches, and actions in response to a breach of security or confidentiality. All health department staff should have ready access to this protocol, and it should also be available to service providers.

A written data security and confidentiality protocol should be reviewed and revised regularly to adapt policies and procedures in a changing technological and programmatic environment.

What is a breach of security or client confidentiality?

A breach of security or client confidentiality is a violation that may be malicious or unintentional and can include unauthorized access to, or the use of, protected information. Examples of unintended breaches of data security are inadvertently leaving CTR test forms or client files in an area where unauthorized persons have access, forgetting to lock a file drawer containing sensitive information (even in a secure area), or putting confidential forms in a standard paper waste disposal system instead of a secure shredder. These breaches of security leave data open to a breach of confidentiality.

Breaches of confidentiality occur when exposure of confidential data results in unauthorized access to, or the use of, protected information. Examples of breaches of confidentiality are the theft of confidential test forms or electronic media from an offsite location, such as a briefcase or mobile van, and access to confidential data on electronic systems by hackers or other unauthorized persons, including health department staff members who have not been assigned rights to access the records.

Unintentional breaches of data security may not automatically constitute a breach of confidentiality if the exposure of confidential data did not result in unauthorized access. For example, leaving a client file on a desk is a breach of security because privileged information is left unprotected. However, it would also be a breach of confidentiality if an unauthorized person read the file.

Every breach of security or confidentiality should be reported to the appropriate authority and immediately investigated to assess causes and implement remedies. After a report, the four key steps in response to a breach are (1) contain the breach and do a preliminary assessment, (2) evaluate the risks associated with the breach, (3) consider notifying vulnerable individuals and law enforcement agencies, and (4) prevent future breaches.

The data security and confidentiality protocol should specify penalties for breaches in data security that are consistent with health department personnel policies regarding disciplinary action, such as oral warnings, written reprimands, suspension, and dismissal. Security breaches that do not result in exposure of confidential data to unauthorized persons still should be addressed to prevent future data security failures.


  1. Web site with the state HIV testing laws compendium

    This Web site features a compendium of key state HIV testing laws and policies. State HIV testing laws vary, and many have been revised since the release of CDC’s 2006 Revised recommendations for HIV testing.

  2. Web site with HHS information security program policy (HHS)

    This Web site outlines the policy requirements and staff responsibilities of the department-wide information security program; includes management, operational, and technical information.

  3. Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs: Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action

    Publication of this document is a milestone in bringing together under one set of guidelines the security and confidentiality of all of our focus diseases. This guidance replaces any disease-specific security and confidentiality guidelines published previously.

Standard C1: Training and oversight of security and confidentiality policies and procedures should take place regularly

All CTR staff should receive comprehensive training in data security and client confidentiality requirements during orientation. Upon completion of training, newly hired staff members are required to sign a written statement of security and confidentiality practices outlined by the health department and in accordance with state law and other mandated practices and procedures. New employees should not be given access to confidential data or receive passwords or keys until the health department has received the signed statement.

Data security and client confidentiality training should include information about

  • Federal, state, and local laws and guidelines
  • The need to maintain data security and client confidentiality
  • Security and confidentiality safeguards
  • Specific office procedures (e.g., protecting staff workstations, passwords, and electronic storage devices)

It is recommended that annual training in security and confidentiality requirements be mandated; at that time, employees can renew their written confidentiality statement. Training attendance should be documented, and signed confidentiality statements should be kept in each employee’s personnel file, which should be updated with periodic performance reviews of adherence to departmental security and confidentiality policies and procedures. When CTR staff leave the health department, it is important that they sign a checklist certifying that they have returned to their supervisor all files, documents, office and file keys, identification badges, phone cards, voice mail passwords, laptop computers, and any other equipment. The signed checklist should be kept in the employee’s permanent personnel file. Some states have delayed employees’ final paycheck due to a failure to comply with these employee departure procedures.


  1. HIV/AIDS confidentiality agreement (California)

    One-page agreement, including a summary of statutes pertaining to confidential public health records and penalties for unauthorized disclosure and an employee confidentiality pledge.

  2. Web site with privacy and security tool box (Colorado)

    This Web site features tools (an incident reporting form, a sensitive information inventory, a facilities security plan, guidelines for workstation and wireless security) that can be used by health departments to develop security and confidentiality training for new employees.


Standard C2: Health departments should have a designated point person whom CTR staff can contact about issues related to the security and confidentiality of HIV/AIDS data.

Health departments should have at least one staff member who has extensive knowledge of federal and state security and confidentiality regulations and who can be contacted for general consultation and in instances of a threat or an identified breach of confidentiality. This role can be assigned to more than one person, especially if various persons have specialized knowledge. For example, one person might be designated to respond quickly to straightforward issues but to pass the response to more complex situations, such as the management of a breach, to another designated security point person who is better equipped to handle those types of situations. Internal health department staff should contact this designated point person, but service providers should go to their usual point of contact at the health department, who would then communicate with the designated security point person.

A designated point person can be responsible for keeping the data security and confidentiality protocol current with changing requirements and evolving technology. This point person should ensure that new staff members sign the written statement of security and confidentiality practices and procedures and ensure that staff members understand their commitment to the signed statement. This person can track staff members who are authorized to access confidential data as well as those who need access but who have not been granted access rights. Also, this person should ensure that departing employees have returned all data storage devices and that their access has been cancelled.


  1. Memorandum of understanding (MOU) for the use of PEMS (CDC)

    Agreement between CDC and PEMS users, which outlines specific agreements regarding data collection, entry, storage, use, sharing, retention and disposal, system security, and access privileges; a good example of a written agreement between a central organization and multiple grantees with respect to security and confidentiality.

  2. PEMS security summary (CDC)

    Information about the security components of PEMS, oversight of those components, activities related to certification and accreditation, user responsibilities, and requirements for the execution of security agreements between CDC and PEMS users.

  3. Rules of behavior for PEMS agency system administrator (CDC)

    This document specifies the formal rules of behavior expected of system administrators and communicates policies and procedures to be followed. These include legal and regulatory requirements, authentication management, and information management.


Standard C3: Health departments should periodically review evolving technology and consider how it may influence current security and confidentiality procedures.

Health departments must consider the rapid advances in information and computer technology, because the dynamic nature of how electronic data are acquired, stored, analyzed, and communicated presents potential new risks for the security and confidentiality of CTR data. Technical guidance for HIV/AIDS surveillance programs—Volume III: security and confidentiality guidelines addresses evolving technologies and provides guidelines related to laptop computers, portable external storage devices, LAN and WAN networks, and the Internet. However, because technology will continue to evolve, these guidelines alone will be insufficient, and health department staff will need to monitor changes in computer and information technology. For example, how might data collection via handheld devices (e.g., personal digital assistants) change security needs?

As health departments offer greater flexibility in the work environment, allowing some employees to work from home, staff members are using new technologies, such as online access to PEMS or other data management systems, from personal computers. Other examples are Web sites that link into work computers, such as GoToMyPC or LogMeIn.

Health department staff should revise security and confidentiality guidelines to include evolving technology and provide additional recommendations, such as implementing password protection and firewalls on personal computers for increased offsite data security. Changes in IT that affect the security and confidentiality of data that are submitted or reported to the health department should be communicated to service providers, and appropriate technical assistance should be provided.


  1. Use of CDC information technology resources CDC-IS-2005-03 (CDC)

    Policy for the use of all IT resources owned by, or operated on behalf of, CDC; describes appropriate personal use of resources, prohibited uses, privacy expectations, and responsibilities.


Standard C4: Health departments should implement client confidentiality and data security practices to maximize clients’ privacy during data collection.

Confidential HIV testing programs must protect the privacy of their clients during CTR sessions and ensure that individual-level client data are not disclosed inappropriately. Health departments also must protect client confidentiality by maintaining the integrity of individual-level client data and ensuring that private information is not accessed by unauthorized persons.

Client confidentiality

Procedures to protect client privacy and confidentiality should include the following:

  • Conduct the counselor-client CTR session in a private area.
  • Turn off ringers on telephones and cell phones during the CTR session so that there are no interruptions and personally identifying information cannot be overheard.
  • During the initial meeting with the client, ask the client how he or she would like to be contacted for follow-up activities (e.g., test results, referral follow-up).
  • Do not use a client’s name in association with an HIV test when in common areas of a CTR service provider facility.
  • Send correspondence to a client (including postal mail, e-mail, and voice messages) without using the terms HIV, AIDS, or specific behavioral information in the communication.
  • Use a mechanism (such as a unique ID number) for confirming the client’s identity to ensure that an unauthorized person is not receiving private information when communicating with a client by telephone, such as a call to set up an appointment to provide test results.
  • Maintain one master list with client names and associated ID numbers. Keep this master list in a double-locked system with extremely limited access.

Data security

Procedures to ensure data security and protect client confidentiality may include the following:

  • When hard-copy test data and records are not being used, store them in a double-locked system (e.g., locked filing cabinet in an office with a locked door) in areas with limited access. All notes and other papers used during a CTR session to record information before completing a test form or entering information into a database should also be kept in a double-locked system.
  • Do not allow clients access to secure areas where confidential information is stored or leave clients alone in any area where confidential information is visible or accessible.
  • Properly dispose of forms and other papers with identifying information (e.g., by shredding).
  • Cancel the access rights of departing employees on their last day of employment.
  • Limit employee access to electronic data on the basis of job role and need for access to individual-level client data.
  • Minimize the number of staff members who have access to personal identifiers and the number of locations where personal identifiers are stored.

Data security for offsite settings

Procedures for data security in settings such as mobile vans, health fairs, and other public venues require the following additional considerations:

  • Retain possession of hard-copy forms or store them in a secure location that is out of plain view when conducting offsite CTR services (e.g., outreach or mobile settings).
  • When traveling with data, use a locked and secured briefcase.
  • Return all data obtained offsite to the service provider site by the end of the day. A staff member should not take data home (except in circumstances in which returning the data to the site would be unsafe or other special circumstances identified by the health department or service provider).
  • Take special care when using laptop computers, handheld computers or personal digital assistants (PDAs), and other handheld or portable devices offsite, because they are vulnerable to theft. Although the device itself would be the likely target of theft, the service provider and the data can be put at risk. One strategy for preventing the theft of electronic devices is to add bulky attachments or bright health department labels so that the device is not as desirable to thieves.
  • Maintain a record of the movements of hardware and electronic media used for data collection and the persons responsible for transporting and returning these devices (e.g., a checkout sheet).
  • Implement technical procedures for using and transporting secure access devices (e.g., key fobs), external storage devices (e.g., compact discs), and laptop computers. These procedures may include storage under lock and key, use of encryption software, and separation of hard drives or decryption keys from laptop computers.


  1. Guidelines for sharing confidential information (Florida)

    Guidelines for medical providers and AIDS service organizations that need to share information to facilitate medical follow-up; includes an example of a consent form, approved by legal counsel, which may be adapted for use in any community.


Standard C5: Health department staff should implement security and confidentiality practices to maximize clients’ privacy and the integrity of the data during data entry, management, and analysis.

Health departments and service providers must protect the privacy of their clients and ensure that individual-level client data are not accessed by unauthorized persons. The following are some of the procedures for ensuring data security and protecting client confidentiality:

  • Maintain a locked drop box for service providers who hand-deliver data forms. This allows service providers to drop off data forms when the health department is closed. Access should be limited to certain health department employees.
  • Require service providers to strip electronic data files of all client-identifying information and then encrypt the files before sending data to the health department.
  • Send client information in an encrypted e-mail with no indication that the e-mail is HIV-related, if e-mailing confidential CTR data is permitted. Some state laws may restrict the e-mailing of confidential CTR data.
  • Implement documented procedures for using and transporting secure-access devices (e.g., key fobs) and external storage devices (e.g., CDs).
  • Minimize the number of staff members who have access to personal identifiers and the number of locations where personal identifiers are stored (e.g., maintain one master list with client names and associated ID numbers in a double-locked system with extremely limited access). Also, limit staff access to electronic data on the basis of job role or function (e.g., determine who has the right to log into the database; add, delete, or update a record; run analyses).
  • Require the use of individual passwords for access to computers used to enter CTR data and establish procedures for creating, changing, and safeguarding passwords (e.g., changing personal passwords periodically, not storing passwords on the workstation because that practice increases the risk that the password will be compromised). Also, require different passwords to log into computer systems, servers or networks, and data entry and management software applications. Program the system so that multiple staff members cannot log in using the same default login password because a default password increases the risk that the password will be compromised (especially important because staff members should have varying levels of access throughout the system).
  • Enter and store HIV data on a standalone computer connected to a secure server without Internet access. The general recommendations are to evaluate the security of every element of the computer system (e.g., software, desktop computers, servers, data storage, and portable devices) and to base decisions about data systems on the avoidance of unauthorized access (e.g., opt for local servers instead of Web-based systems, which are more vulnerable to hacking; use software with built-in protection features).
  • Implement a records retention policy that includes the methods and scheduling of the disposal of CTR data. This policy should include procedures for the disposal of hard-copy forms and the removal of data from electronic storage devices before they are available for reuse.
  • Properly dispose (e.g., by shredding) of hard-copy forms and other papers with identifying information. Before destroying forms, your department may opt to digitally scan forms for future reference. These digital scans should be stored in a secure location.
  • Sanitize electronic storage devices so that data cannot be retrieved by clicking Undelete or using data retrieval software. CDs and other storage devices containing CTR data must be sanitized or physically destroyed before being reassigned to non-CTR staff or sent offsite for repair. If the storage device will not be used again, it should be physically destroyed (e.g., by incineration).
  • Implement policies and procedures governing all servers in a network. Topics should include name and location of servers; network protocols; users, groups, and roles that permit access to data and physical servers; authentication protocols; e-mail and Web hosting; remote access; data located on each server; and administrative safeguards.
  • Establish a formal approval system for staff members’ requests for access to computer networks and software packages used for confidential data. Health department managers should provide access to employees on a limited basis (e.g., job role or function).
  • Establish a data release policy requiring a thorough examination of data requests before providing data sets to internal and external users. The policy should address mechanisms to track to whom data have been released. Very specific requests for data tables with small denominator populations, which risk identifying individual clients, should be denied or provided with less specificity than requested (see Standard H2 in the Data Analysis and Utilization section).
  • Establish a data backup system to restore data in the event of a data loss due to a natural disaster (e.g., tornado, flood, or fire) or the corruption or accidental deletion of files.


  1. HIV surveillance program confidentiality and data security policy (Michigan)

    Surveillance policy, including relevant security and confidentiality requirements, such as maintenance of information, security investigations, release of information, oath of confidentiality, data transfers, and access to information.

  2. Retention guidelines for HIV medical records (Michigan)

    This document provides counselors and administrators with guidelines for maintaining HIV/AIDS medical records and describes records retention schedules.

  1. Sensitive but unclassified information CDC-IS-2005-02 (CDC)

    Policy and procedures for safeguarding (storing, disseminating, and protecting) data and documents that are sensitive enough to require protection but that may not be designated as classified information.

Special considerations for data security and client confidentiality in clinical settings

Staff in clinical settings, who are experienced in handling medical information and issues of patient privacy, should be well prepared to maintain the security of HIV testing data and protect client confidentiality. Most of the recommended best practices described in this section can be applied to clinical settings. One special issue to consider is that clinical providers may be reluctant to report the names of HIV-positive patients to public health departments. Health departments should be clear about what personal identification information must be submitted from clinical settings to health departments and emphasize data security precautions required for data entry and management.

In clinical settings that use electronic medical records, several precautions should be taken to maintain data security. Clinicians must safeguard the warehousing and retention of electronic medical records, particularly if data are warehoused offsite. For databases that are accessed by multiple entities, security measures that have been described in this section must be implemented (e.g., limiting access to a few authorized individuals, requiring unique passwords, blocking access to fields to which a user has not been granted rights). Clinicians using electronic medical records should review the American Medical Association’s guiding principles for collecting and using electronic medical records and claims data.

  2. American Medical Association (AMA) guiding principles for electronic medical records

    Principles of collection, use, and warehousing of electronic medical records and claims data; includes summary of related AMA policy.


Resources will be made available in the future


Centers for Disease Control and Prevention   1600 Clifton Road Atlanta, GA 30329-4027, USA