6 Data Security and Confidentiality

Standards for the collection, sharing, and security of HIV, viral hepatitis, STD, and TB data can be found in the National Center for HIV, Viral Hepatitis, STD and TB Prevention (NCHHSTP) Data Security and Confidentiality Guidelinespdf icon.

These guidelines require that all newly hired staff sign confidentiality agreements before being given access to identifiable information; they also require annual renewal of that agreement.36 Programs may need to develop a specialized confidentiality agreement meeting their program’s needs for those engaged in internet activities. See Appendix J for examples of confidentiality agreements.

Because screen names, email addresses, and telephone numbers are considered personal identifying information (2 C.F.R. § 200.79) and are to be held to the same levels of confidentiality as a patient’s first name and surname, programs offering IPS typically require DIS to sign additional agreements regarding the specific use of technology. For example, programs create policies describing the acceptable use of technology for PS, including what websites, apps, and social networking sites may be used for PS, what information can be shared or discussed over these mediums, expected professional and behavioral standards, and consequences for violations of the policy. These policies may also indicate whether staff may conduct IPS from personal computers and devices and other structural limitations. For examples of an acceptable use agreement, see below and Appendix K.

Example of Acceptable Use for Accessing Restricted Websites

Maryland Department of Health and Mental Hygiene

Agreement for Accessing Restricted Websites


During the course of their normal job duties, staff members that perform Internet Partner Services (IPS) are often required to access websites that are restricted and may contain adult oriented material. This agreement has been developed to establish clear expectations when restricted sites are to be accessed while performing IPS, and the consequences for acting outside of these expectations. All staff performing IPS must sign this agreement prior to being granted access to restricted websites


  1. I agree to access restricted websites for official business only.
  2. I understand all passwords are confidential.
  3. I understand I must not disclose passwords to anyone other than an authorized individual, nor may I make any password accessible to persons other than my immediate supervisor or an equally authorized co-worker.
  4. I understand passwords are for official business only, and I will not use website passwords, profiles, pages, avatars, email accounts, or other technology for any personal endeavors.
  5. I understand I am not to use my personal home computer for any endeavors related to official department business.
  6. I understand that my use of department equipment such as a computer or a cell phone will be monitored.
  7. I understand I must document my internet activities, dates, times, and sites visited on the Internet-Based Partner Services Website Log Sheet.
  8. I understand I am to print out all correspondence and keep a copy in a place designated by my supervisor.
  9. I understand all correspondence must conform to existing policies and procedures regarding Internet-Based Partner Services.
  10. I understand I will be subject to disciplinary action should I engage in any activities on restricted websites outside the boundaries of my job requirements.

I have read, understand, and agree to comply with this agreement.

___________________________                              _________________

Employee Name                                           Date

Some programs may require a non-networked computer (a computer with internet access that is separate from the internal network) in order to protect servers from viruses or unauthorized intrusions; this may alleviate IT networking concerns about security breaches.