Integrated Security and Confidentiality Guidelines for Surveillance Data and Protected Health Information

PCSI Success Stories

Strengthening Collaboration and Service Integration in San Francisco

As part of the San Francisco Department of Public Health’s (SFDPH) Program Collaboration and Services Integration (PCSI) Initiative, implemented in 2010, SFDPH formed a Data Systems Work Group to develop recommendations to improve health information sharing in support of integrated services. Prior to this effort, SFDPH’s Population Health Division (PHD)* had four separate surveillance programs, each focused on one disease, including TB, STD, HIV, and other communicable diseases. Each had a different data system and functioned autonomously even though they all functioned under the same health department. What resulted were separate guidelines for data security and confidentiality that created barriers to sharing data. To share information, each section had to develop separate Memorandums of Understanding that involved time and effort of numerous staff. Depending on the condition, information sharing was frequent (e.g., STD and HIV), annual (e.g., TB and HIV), or sporadic based on special data reports (e.g., HIV and HCV).

Program Description

The Data Systems Work Group was charged with streamlining this process, establishing one uniform set of guidelines for data security and confidentiality that met the standards of the health department policies and procedures. This was a unifying effort that created better relationships among the programs.

During this transition period, CDC published the updated “Data Security and Confidentiality Guidelines” to be applied to all communicable diseases. While the Work Group’s main goal was to create one uniform policy to share public health surveillance data within the Division, another important goal was to now comply with CDC’s Data Security and Confidentiality Guidelines.

Before establishing the Guidelines, SFDPH followed these steps to start the process:

  • Met as a workgroup to develop definitions for different kinds of data to ensure that participants could speak a common language using a common vocabulary.
  • Conducted an assessment survey that came from CDC’s Data Security and Confidentiality Guidelines. The instrument was turned into an easy yes/no checklist and compared across the programs.
  • Included information from the existing SFDPH policy and mapped it to the corresponding sections of the survey.
  • Coordinated a workgroup meeting to discuss the survey results and see where differences were across the programs.
  • Wrote the guidelines with input from SFDPH policies, programmatic input, and CDC’s Data Security and Confidentiality Guidelines.

Lessons Learned

The CDC Security and Confidentiality Assessment Checklist proved to be an invaluable tool. It formed the basis for discussion on differences and commonalities. The results were compared and discussed as a group. The SFDPH Data Systems Working Group members were surprised to discover that the differences were not as significant as they first thought. If there were differences, they were there for a good reason. For example, CDC guidelines require a cross-cutting shredder, which one of the SFDPH sites did not have; however, the site leveraged the hospital’s contract for secure hard copy data disposal using large locked bins whose contents were shredded in a confidential manner. Additionally, research was done to look at existing SFDPH policies; these policies apply to PHD as well as the bigger clinical, behavioral, and mental health services divisions that make up the entire Department.

The SFDPH Data Systems Working Group successfully developed security and confidentiality guidelines for the Population Health Division that are aligned with local policies as well as CDC guidelines. After reviewing the SFDPH policies, the Data Systems Work Group decided to adhere most closely with existing policies, and then fill in gaps where CDC guidelines had more specific requirements. This collaborative effort resulted in integrated security and confidentiality guidelines that facilitate data sharing within PHD which will maximize data use for public health action and provide integrated and comprehensive services.


*PHD is the arm of the SFDPH responsible for the public health mandates and functions of the City and County of San Francisco; this includes environmental health, emergency preparedness and response, and the promotion and prevention of chronic and communicable diseases.

1CDC Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs

For more information, please contact:
Israel Nieves
PCSI Coordinator Director, Policy Unit HIV Prevention Section San Francisco Department of Public Health


Printable PDF versionpdf icon of PCSI Success Story


Get Tested - Find a Testing Site Near You
Atlas Plus - Explore Interactive CDC Data
CDC 24/7 - Protecting America's Safety, Health, and Security
Page last reviewed: April 28, 2014