Data Protections for CDR Activities

Public health data are the foundation of public health practice and essential to helping people live healthy lives. CDR data help identify rapid HIV transmission and improve services at individual, network, and systems levels.

Protecting people’s privacy and confidentiality is an essential part of using public health data. Federal, state, and territorial laws and policies protect public health data as do health department policies and processes. Some cities have additional data protections.

Protecting data during CDR activities

Follow federal, state, territorial, and local data protection guidelines

CDC has strong security measures to ensure the privacy and confidentiality of people with HIV. An Assurance of Confidentiality provides strong protection for HIV public health data at CDC. This assurance guarantees that information is used only for the purposes stated and is not disclosed or released without consent.

State, territorial, and local health departments must comply with CDC Data Security and Confidentiality Guidelines. Health departments should regularly reassess data protections and enhance policies and procedures, ensuring that CDR-related data are strongly protected.

Ensure strong data protections

Key data protections partners include health department legal counsel, information technology staff, privacy officers, and the overall responsible party. HIV surveillance and prevention programs should collaborate with these partners to develop a shared understanding of:

  • Processes for reviewing data release requests, including staff roles and responsibilities.
  • Protections to prevent release of HIV public health data for non-public health purposes (for example, criminal or immigration-related uses).
  • Opportunities to strengthen these protections.
  • Interpretations and implications of state or local laws and policies governing data protections and release.

Health department legal counsel has an important role in interpreting laws and policies governing data protections and release. Interpretation should aim to protect the privacy and confidentiality of people with HIV. Health department legal counsel should partner with state or local government counsel to maximize protections, especially when responding to requests. Community partners can also provide input to strengthen data protections.

Provide staff training for people working with HIV data. Training can cover the importance of data protections and privacy, including sensitivities around HIV cluster data.

Capacity building assistance is available to support health departments to assess and strengthen data protections.

District of Columbia HIV/AIDS Data Privacy Protection and Health Occupation Revision Clarification Amendment Act of 2022

 To further strengthen data protections, states can take policy action to legally prevent certain types of data sharing. For example, DC Health’s CDR community engagement revealed limited knowledge about HIV surveillance, even among audiences familiar with HIV prevention. HIV agency leadership collaborated with health department legal counsel and government relations staff to increase knowledge and strengthen data protections.

These efforts ultimately led to passing the HIV/AIDS Data Privacy Protection and Health Occupation Revision Clarification Amendment Act of 2022. The act updated previous legislation to include language stating:

All identifying information obtained, collected, or created by the Department under this subchapter shall not be discoverable or admissible as evidence in a civil or criminal action unless the person about whom the information pertains gives his or her prior written permission.”

D.C. Law 24-170. HIV/AIDS Data Privacy Protection and Health Occupation Revision Clarification Amendment Act of 2022. | D.C. Law Library (

Use public health data only for public health purposes

Health departments shouldn’t release identifiable HIV data for non-public health purposes, except where required by law. Even if required by law, only the minimum required information should be released. For more information, see Standard 3.4 of the CDC Data Security and Confidentiality Guidelines.

Carefully consider whether to share data for research purposes

Health departments should discuss with HIV planning groups whether, and under what circumstances, to share HIV sequences for research purposes. Research conducted with HIV public health data should serve a legitimate public health purpose.

When considering sharing sequences for research purposes, health departments should engage institutional review and data governance boards. Ensure they are aware of the ethical and community considerations regarding HIV sequences. If health departments then choose to share even deidentified sequences with academic partners for research purposes, consider obtaining individual informed consent. Some health departments have decided, following their local community’s input, not to share even deidentified sequences externally.

For more information, see Standard 2.4 of the CDC Data Security and Confidentiality Guidelines.

Don’t release data to public databases

CDC does not release HIV sequence data to GenBank or other public sequence databases. Health departments and their academic partners should never release HIV sequence data collected through HIV surveillance publicly. Do not submit even deidentified HIV sequence data to public databases without consent from each person with a sequence included.

Protect privacy when communicating about CDR

Communicating with partners and the public is an important part of CDR work. Before communicating about clusters, consider what information each audience needs to take appropriate action.

Protecting privacy when communicating with the public

When communicating with the public about clusters, do not share individual-level data. Only share information describing clusters or groups experiencing rapid transmission, not individuals. Use caution to avoid any stigmatizing language.

For more information, see Communicating About CDR.

Protecting privacy when communicating with partners

When discussing cluster-related data with non-health department partners, protect the privacy of people with HIV. Unless data sharing agreements are in place, only share cluster- or population-level data. Cluster-level data discussed with partners should be limited to the information necessary to understand service gaps and potential interventions. Also consider population size and cell counts to ensure confidentiality of people represented in data. Avoid using molecular network diagrams, which are easy to misinterpret, for communicating with partners.

Data sharing for response

During a response, health departments may need to share data with other local health departments, neighboring jurisdictions, or community-based organizations. Secure data sharing can support collaboration to conduct testing, partner services, and linkage to care or other services. When considering sharing, ensure that other organizations have data security standards that meet CDC Data Security and Confidentiality Guidelines (see Standard 3.3). Data sharing agreements (DSAs) or memoranda of understanding (MOUs) can provide important protections.

Data sharing with other health departments

Data sharing with neighboring health departments can ensure continuity of prevention and care services where people frequently cross state lines. Secure sharing can also support response to multijurisdictional clusters.  Health departments may have DSAs or MOUs in place with neighboring state, local, and territorial jurisdictions. When establishing agreements for secure data sharing, health departments should consider data protection laws and processes in the neighboring jurisdictions.

Data sharing with community-based organizations

Community-based and health care organizations can be important partners in conducting response activities. Many activities can be conducted without a need for person-level data. If person-level data (for example, a line list) must be shared for response, health departments must establish DSAs or MOUs. Establishing DSAs or MOUs with key partners in advance can support rapid response to clusters. Contract mechanisms or agreements can strengthen oversight and compliance with data protections guidelines.