Skip Navigation LinksSkip Navigation Links
Centers for Disease Control and Prevention
Safer Healthier People
Blue White
Blue White
bottom curve
CDC Home Search Health Topics A-Z spacer spacer
Blue curve MMWR spacer

Persons using assistive technology might not be able to fully access information in this file. For assistance, please send e-mail to: Type 508 Accommodation and the title of the report in the subject line of e-mail.

Appendix D

Guiding Principles and Standards for Record Keeping and Data Collection, Management, and Security for Partner Services Programs for HIV Infection, Syphilis, Gonorrhea, and Chlamydial Infection

Sharing data regarding cases of human immunodeficiency virus (HIV) or any other type of sexually transmitted disease (STD) between surveillance and prevention programs can help maximize the number of persons who are offered partner services. The five guiding principles and 32 program standards outlined in this appendix are essential to ensuring the confidentiality and security of shared data. These standards were adapted from CDC and Council of State and Territorial Epidemiologists Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines (available at Most of the standards in this appendix directly reflect the requirements in the technical guidelines. However, to better adapt the guidelines to partner services programs, certain standards have been modified or excluded based on input from the Partner Services Surveillance and Program Connections Workgroup and other committee members.

All program standards and security considerations should be based on the following five guiding principles:

Guiding Principle 1. Partner services information and data should be maintained in a physically secure environment.

Guiding Principle 2.
Electronic partner services data should be held in a technically secure environment, with the number of data repositories and persons permitted access kept to a minimum. Operational security procedures should be implemented and documented to minimize the number of staff members who have access to personal identifiers and to minimize the number of locations where personal identifiers are stored.

Guiding Principle 3.
Individual program staff members and persons authorized to access case-specific information are responsible for protecting confidential partner services case information and data; these persons will face legal action for confidentiality violations.

Guiding Principle 4.
Security breaches of partner services information or data will be investigated thoroughly and sanctions imposed as appropriate.

Guiding Principle 5.
Security practices and written policies will be reviewed and assessed continuously and, as necessary, changed to improve the protection of confidential partner services case information and data.

Partner services programs should adhere to the following program standards when developing area-specific guidelines, policies, and procedures for individual-level record keeping and data collection, management, and security:

Standard 1. All policies and procedures must be written and reviewed at least annually and revised as needed.

Standard 2. A policy must name the persons who act as the overall responsible party (ORP) for the security of the data that might be stored in various data systems.

Standard 3. A policy must describe the methods for review of security practices for data. Included in the policy should be a requirement for an ongoing review of evolving technology to ensure that information and data remain secure.

Standard 4. The ORP must certify annually that these standards are met.

Standard 5. Access to and use of individual-level information must be defined in a data-release policy.

Standard 6. Policies must be readily accessible to any staff members having access to confidential, individual-level data.

Standard 7. A policy must define the roles and access level for all persons with authorized access and describe which standard procedures or methods will be used when accessed.

Standard 8. All authorized staff members must sign a confidentiality statement annually. Newly hired staff members must sign a confidentiality statement before access to individual-level information and data is authorized.

Standard 9. A policy must outline procedures for handling incoming mail and faxes to the programs and outgoing mail and faxes from the programs. The amount and sensitivity of information contained in any piece of correspondence must remain minimal.

Standard 10. All persons who are authorized to access individual-level information must be knowledgeable about the organization's information security policies and procedures.

Standard 11. All staff members authorized to access individual-level information must be responsible for questioning persons who attempt to access this information but who are not authorized to do so.

Standard 12. All staff members who are authorized to access individual-level information are responsible for protecting their own computer workstation, laptop computer, or other devices with confidential, individual-level information or data. This responsibility includes protecting keys, passwords, and codes that would allow access to confidential information or data. Staff members must be careful not to infect program software with computer viruses and not to damage hardware through exposure to extreme heat or cold.

Standard 13. Every person with access to individual-level information or data must attend security training annually or pass an annual proficiency test. The date of the training or test must be documented in the employee's personnel file. Information technology (IT) staff members and contractors who require access to information and data must undergo the same training as partner services program staff members and sign the same agreements. This requirement applies to any staff members with access to servers, workstations, backup devices, etc.

Standard 14. To the extent possible, workspace for persons working with individual-level information must be within a secure, locked area.

Standard 15. Paper records and copies of individual-level information and data must be stored inside locked file cabinets that are inside a locked room with limited access.

Standard 16. Program staff members must shred documents containing confidential information before disposing of them. Shredders should be of commercial quality, preferably with a crosscutting feature.

Standard 17. Partner services analysis data sets must be stored securely with protective software (i.e., software that controls the storage, removal, and use of the data), and personal identifiers should be removed when possible.

Standard 18. Partner services information and data transfers and methods for data collection must be approved by the ORP and incorporate the use of access controls. Individual-level information and data must be encrypted before electronic transfer. When possible, databases and files with individual-level data must be encrypted when not in use.

Standard 19. When individual-level partner services information and data are electronically transmitted, any transmission that does not incorporate the use of an encryption package meeting the encryption standards of the National Institute of Standards and Technology (available at and approved by the ORP must not contain identifying information or use terms easily associated with HIV, AIDS, or any other type of STD. The terms HIV and AIDS, terms that specifically identify other STDs, or specific behavioral information must not appear anywhere in the context of the transmission, including the sender and recipient address and label.

Standard 20. When partner services information with personal identifiers or data are taken from secured areas and included in line lists or supporting notes, in either electronic or paper format, the documents must contain the least amount of information needed for completing a given task and, if possible, coded to disguise any information that could easily be associated with HIV, AIDS, or any other type of STD.

Standard 21. Individual-level information or data with personal identifiers must not be taken to private staff members' residences unless specific, documented permission is granted or the transfer is permitted according to a written policy established by the program manager or ORP.

Standard 22. Prior approval must be obtained from the program manager or approved procedures must be followed when planned business travel precludes the return of information with personal identifiers to the secured area by the close of business on the same day.

Standard 23. Access to any partner services program information or data containing names for research purposes (i.e., for other than routine program purposes) must be contingent on a demonstrated need for the names, institutional review board (IRB) approval, and the signing of a confidentiality statement regarding rules of access and final disposition of the information. Access to partner services program information or data without names for research purposes beyond routine program activities might still require IRB approval, depending on the numbers and types of variables requested in accordance with local data release policies.

Standard 24. Access to any secured areas where individual-level partner services information are stored must be limited to authorized persons as documented within policies and procedures (e.g., cleaning or maintenance staff members).

Standard 25. Access to confidential partner services information and data by personnel outside the partner services program must be limited to those authorized based on an expressed and justifiable public health need, must not compromise or impede program activities, must not affect the public perception of confidentiality of the data system, and should be approved by the ORP.

Standard 26. Access to partner services information and data with identifiers by those who maintain other disease data stores should be limited to those for whom the ORP has weighed the benefits and risks of allowing access and can certify that the level of security established is equivalent to these standards.

Standard 27. Access to partner services information or data for purposes unrelated to public health (e.g., litigation, discovery, or court order) can only be granted to the extent required by law.

Standard 28. All staff members who are authorized to access partner services information and data must be responsible for reporting suspected security breaches. Non-program staff members also must be informed of this directive.

Standard 29. Any breach of protocol or procedures, regardless of whether personal information was released, must be investigated immediately to assess causes and implement remedies.

Standard 30. A breach of confidentiality (i.e., a security infraction that results in the release of private information with or without harm to one or more persons) must be reported immediately to the ORP. In consultation with appropriate legal counsel, partner services staff members should determine whether a breach warrants reporting to law enforcement agencies.

Standard 31. Laptop computers and other portable devices (e.g., personal digital assistants [PDAs], other handheld devices, and tablet personal computers [tablet PCs]) that receive or store partner services program information or data with personal identifiers must have encryption software. Program information with identifiers must be encrypted and stored on an external storage device or on the laptop removable hard drive. The external storage device or hard drive containing the information must be separated from the laptop and held securely when not in use. The decryption key cannot be on the laptop. Other portable devices without removable or external storage components must use encryption software that meets federal standards.

Standard 32. All removable or external storage devices containing partner services information or data that contains personal identifiers must 1) include only the minimum amount of information necessary to accomplish assigned tasks as determined by the program manager; 2) be encrypted or stored under lock and key when not in use; and 3) be sanitized immediately after a given task (excludes devices used for backups). Before any device containing sensitive data is taken out of a secured area, the information or data must be encrypted. Methods for sanitizing a storage device must ensure that the information cannot be retrievable using "undelete" or other data-retrieval software. Hard drives that contain identifying information must be sanitized or destroyed before computers are labeled as excess or surplus, reassigned to non-program staff members, or sent off site for repair.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of pages found at these sites. URL addresses listed in MMWR were current as of the date of publication.

All MMWR HTML versions of articles are electronic conversions from typeset documents. This conversion might result in character translation or format errors in the HTML version. Users are referred to the electronic PDF version ( and/or the original MMWR paper copy for printable versions of official text, figures, and tables. An original paper copy of this issue can be obtained from the Superintendent of Documents, U.S. Government Printing Office (GPO), Washington, DC 20402-9371; telephone: (202) 512-1800. Contact GPO for current prices.

**Questions or messages regarding errors in formatting should be addressed to

Date last reviewed: 10/23/2008


Safer, Healthier People

Morbidity and Mortality Weekly Report
Centers for Disease Control and Prevention
1600 Clifton Rd, MailStop E-90, Atlanta, GA 30333, U.S.A


Department of Health
and Human Services