319.001 Data Management and Security External Quality Assurance Plan

Procedure Number	319.001
Effective Date	July 3, 2008
Revision Date	July 3, 2008
Subject Matter Expert	Internal Workgroup
Approval Authority	Branch Manager
Signed by	Sharon K. Melville, M.D., M.P.H.

1.0 Purpose

The purpose of the External Quality Assurance Plan is to ensure that DSHS contractors and external collaborators adhere to established DSHS HIV/STD policies and procedures regarding the management and security of HIV/AIDS surveillance, epidemiological, public health follow-up and Texas Medication Program data.
 

2.0 Background

The DSHS HIV/STD program, its contractors and external collaborators obtain personal and confidential information regarding individuals they serve by virtue of fulfilling its mission to prevent, treat and control the spread of HIV, STDs and other communicable diseases. The public trusts that the HIV/STD program will take every precaution to protect that information in order to retain their confidentiality. The HIV/STD program must be vigilant in maintaining the integrity of systems that contain personal information. To this aim, the DSHS HIV/STD program has updated and expanded its policies and procedures surrounding data management and security. The External Quality Assurance Plan will help ensure adherence to these protocols through a six point plan:

• Revised and standardized contract language

• Updated Site Review Tools for contractors that receive site reviews

• The creation of a Self Assessment Tool for entities that do not get routine site reviews

• The addition of security related information in periodic activity reports

• Revised HIV and STD Program Operating Procedures and Standards (POPS)

• Review and possible revision of Service Level Agreements (SLA)
   

3.0 Definitions

Authorized User - Those individuals employed by the program who, in order to carry out their assigned duties have been granted access to confidential information.

Breach of Confidentiality - A breach of protocol that results in the improper disclosure of personally identified information. The result is confidential information being: 1) accidentally or purposefully released verbally, electronically, or by paper medium, to an entity or person that by law does not have a right or need to know, or 2) purposefully accessed either in person or electronically by an entity or person that by law does not have a right or need to know.

Breach of Protocol - A condition of departure from the established policies and procedures that does not result in any known improper disclosure of confidential information; an infraction or violation of a standard or obligation. This includes any unauthorized use of data, including de-identified data.

Central Office - The HIV/STD Program, Department of State Health Services (DSHS) main office located in Austin, Texas.

Confidential Information - Any information which pertains to a patient or establishment that is intended to be kept in confidence or kept secret and could result in the identification of the patient should that information be released.

Confidentiality - The ethical principle or legal right that a physician or other health professional or researcher will prevent unauthorized disclosure of any confidential information relating to patients and research participants.

External - Entities outside of the DSHS Central Office that the HIV/STD program contracts with or works in association with to conduct public health activities related to HIV/STD surveillance, epidemiology, public health follow-up and the medication program.

Internal - Refers to staff and occurrences located at DSHS Central Office in Austin, Texas.

Local Responsible Party (LRP) - An official who accepts responsibility for implementing and enforcing HIV/STD polices and procedures related to the security and confidentiality of HIV/STD surveillance, epidemiology, public health follow-up and medication program data and information. The LRP has the responsibility of reporting and assisting in the investigative breach process.

Secured Area - A confined physical space where HIV/STD data and information are located with entry limited to staff with authorized access; the secured area is usually defined by hard, floor-to-ceiling walls with a locking door and may include additional measures (e.g., alarms, security personnel).

Security - The protection of surveillance data and information systems with the purposes of (1) preventing unauthorized release of identifying surveillance information or data from the systems (e.g., preventing a breach of confidentiality) and (2) protecting the integrity of the data by preventing accidental data loss or damage to the systems. Security includes measures to detect, document, and counter threats to the confidentiality or integrity of the systems.

Surveillance - The ongoing and systematic collection, analysis and interpretation of health data in the process of describing and monitoring a health event; this information is used for assessing public health status, triggering public health action, defining public health priorities and evaluating programs.

Suspected Breach - An alleged infraction or violation of a standard that may result in unauthorized disclosure of confidential information.
 

4.0 Responsibilities

A Local Responsible Party (LRP) will be designated both internally and externally. Internally, the Epidemiology and Surveillance Branch Manager and the HIV/STD Prevention and Care Branch will be designated as the LRP. Internal LRP will be responsible for matters concerning internal security as well as acting as a key resource on issues concerning external security. Externally, the contractor or collaborator will establish an LRP and they will be responsible for ensuring that HIV/STD data management and security policies are in place, contributing security related QA through site reviews, periodic reports, or self assessments, reporting and investigating suspected security breaches, and acting as a liaison to the appropriate internal LRP.
 

5.0 Quality Assurance Procedures - Contract Language 

Currently, all contracts between DSHS and its various external HIV/STD partners contain some language pertaining to data management and security. However, as DSHS moves toward more comprehensive and well documented data security policies, procedures and expectations, contract language will need to be updated to reflect these changes. While individual contracts will contain language specific to the project, it is important for language pertaining to security to be consistent across contracts for ease of understanding and to project a sense of uniformity and importance with regards to safeguarding HIV/STD data.

The following contains suggested revisions to language pertaining to data management and security under the sections where they typically occur in DSHS contracts for HIV/AIDS surveillance, HIV/AIDS epidemiologic projects, STD prevention and control and the Texas Medication Program. This language would need to be included when a new contract is created for a project involving confidential HIV/STD data or the next time an existing contract is up for renewal.

5.1 Statement of Work

Contractor shall comply with all applicable federal and state laws, rules, regulations, standards, policies and guidelines, including, but not limited to: (Note – If any of the documents below would not apply to the project in question, they may be removed from the language for that contract.)

• Chapters 81 and 85 of the Health and Safety Code;

• Relevant portions of Chapter 6A (Public Health Service) of Title 42 (The Public Health and Welfare) of the United States Code, as amended;

• Title 25 Texas Administrative Code (TAC) Chapter 97, Subchapter F;

• DSHS Standards for Public Health Services, revised January 2004;

• HIV/AIDS Surveillance Manual of Operating Procedures;

• DSHS HIV/AIDS and STD Program Operating Procedures and Standards;

• Centers for Disease Control and Prevention (CDC), STD Program Operations Guidelines;

• CDC Guidelines for HIV/AIDS Surveillance.

Contractor shall comply with all other applicable policies adopted by the DSHS Program.

Contractor must notify DSHS within forty-eight (48) hours of any personnel actions involving project staff. These include but are not limited to:

• Counseling for misconduct regarding violations of personnel, project, state, and/or federal policies, procedures, rules, requirements, or laws

Contractor shall require staff to attend training, conferences, and meetings as directed by DSHS Program. Contractor shall document all training to DSHS including demonstration that such staff have received annual training on:

• Data Security and Confidentiality - All new hires shall have completed a security and confidentiality training prior to working with confidential information in coordination with DSHS policy.
   

5.2 Reporting

Contractor shall comply with periodic site reviews by DSHS. (For contractors that are subject to site reviews.)

Contractor shall complete the DSHS Data Management and Security Self Assessment Form on an annual basis. (For contractors that are not subject to site reviews.)
 

5.3 Special Provisions

Due to the sensitive and highly personal nature of HIV/STD-related information, Contractor shall require its personnel to strictly adhere to the General Provisions, Confidentiality Article. General Provisions, Confidentiality Article, Security of Patient or Client Records Section, is revised to include the following:

Neither Contractor nor any sub recipient shall transfer a client or patient record through any means, including electronically, to another entity or person, or sub recipient without written consent from the client or patient, or someone legally authorized to act on his or her behalf; however, DSHS may require Contractor, or any sub recipient, to transfer a client or patient record to DSHS if the transfer is necessary to protect either the confidentiality of the record or the health and welfare of the client or patient.

DSHS shall have access to a client or patient record in the possession of Contractor, or any sub recipient, under authority of the Health and Safety Code, Chapters 81 and 85, and the Medical Practice Act, Texas Occupations Code, Chapter 159. In such cases, DSHS shall keep confidential any information obtained from the client or patient record, as required by the Health and Safety Code, Chapter 81, and Texas Occupations Code, Chapter 159.
 

5.4 Confidentiality

This special section, as seen in some contracts, is redundant and unnecessary now that the DSHS security and confidentiality policies and procedures have been updated. The recommendation is to include the following in this section:

Contractor shall designate a Local Responsible Party (LRP) who has the overall responsibility for ensuring the security of the HIV/STD confidential information maintained by their program.

• The LRP will ensure that policies/procedures are in place for handling confidential information, the release of confidential HIV/STD data, and the response to suspected breaches of protocol and/or confidentiality. Local policies and procedures must comply with DSHS policies and procedure or the DSHS policies and procedures may be adopted.

• The LRP must ensure that security policies are reviewed annually and that evolving technology is reviewed on an on-going basis to ensure that the program’s data remain as secure as possible.

• The LRP must approve any HIV/STD program staff requiring access to confidential information maintained by the HIV/STD Program. The LRP will grant authorization to persons who have a work-related need to view confidential information.

• The LRP must maintain a list of persons who have been granted authorization to view and work with confidential information. The LRP will review authorized user lists annually. All staff with access to confidential information will have a signed copy of the confidentiality agreement on file and updated annually.

• The LRP will ensure that all staff with access to confidential information will be trained on security policies and procedures before access to confidential information is granted and that this training will be renewed on an annual basis.

• The LRP will investigate all suspected breaches of confidentiality in consultation with the DSHS LRP and send a completed Breach Report Form to the DSHS LRP for each suspected breach.
   

6.0 Quality Assurance Procedures - Site Review Tools

Site reviews are formal evaluations of the surveillance and public health follow-up activities of HIV/AIDS and STD surveillance contractors by DSHS Central Office. Reviews occur every one to two years based on the site’s most recent performance level. Site reviews usually include a pre-visit portion in which program management makes certain data and documents available to the review team, and an on-site portion conducted in the program office.

In its current form, the pre-visit portion of the HIV/AIDS surveillance site review tool contains no items related to data management and security. It is the recommendation of the External QA Plan team that the pre-visit site review include a request for the program to submit:

• A copy of the table of contents from their policy and/or procedure manual to show that they have data management and security protocols in place.

• A copy of any Suspect Breach Report Forms written up during the review period.

The on-site portion of the review tool for HIV/AIDS surveillance contractors contains components related to data management and security under both the A. MANAGEMENT and B. SECURITY sections. It is recommended that the tool be revised to move all of the security related items under the SECURITY section and to update the individual rating items to the following, which take into account revisions to DSHS security policies and procedures.

1. A Local Responsible Party (LRP) has been designated for all matters concerning data management and security.

2. HIV/STD data management and security policies are in place and available to staff.

3. All personnel with access to confidential information (including IT staff) have signed confidentiality statements on file and are updated annually.

4. All personnel with access to confidential information (including IT staff) have received initial data security training as well as an annual update.

5. Compliance with data security protocols are part of employee performance reviews.

6. The LRP maintains a list of authorized users with access to confidential data.

7. Confidential data are:

   • Maintained in a secured area

   • Confidential documents are not left in plain sight

   • Shredded before disposal

8. Access to the secured area where confidential data is kept is limited to those approved by the LRP.

9. Confidential data is stored on stand alone computers or on a secure drive of computers on a secure network.

10. Computers with confidential information have power-on and screensaver passwords.

11. Any confidential data taken out of the building secured area are:

    • Minimized to the essential data required

    • Stored on devices that are kept secure

    • Encrypted

12. Any confidential data transmissions to DSHS or other approved partners are encrypted and transmitted via secured means.

13. Requests for data are:

    • Handled according to the established Release of HIV/STD Data policy

    • Tracked in a data request log

    • Data release agreements signed when necessary

14. All suspected breaches were reported, investigated and followed up on according to policy.

15. Management and/or the LRP Program periodically review compliance with established data management and security policies.

The STD surveillance pre-visit site review tool already requests programs to provide a copy of the table of contents from their policy and/or procedure manual to show that they have data management and security protocols in place. It is recommended that an item be added to request copies of any Suspect Breach Report Forms written up during the review period to bring the pre-visit tool up-to-date.

The on-site portion of the STD surveillance review tool currently only addresses security related items in three places. Under A. MANAGEMENT, personnel folders are checked for the presence of a confidentiality statement and records security procedures, among other things. Under H. SURVEILLANCE, the following two items are rated:

1. Program has a records security protocol in writing and conducts periodic reviews to determine compliance with protocols.

2. Processed and unprocessed lab and morbidity reports are kept in a single locking file cabinet.

The recommendation for revision to the STD surveillance site review tool is to create a new section entitled SECURITY, and include each of the suggested items listed above under the HIV/AIDS site review tool.
 

7.0 Self Assessment Tool

Contractors for projects other than HIV/AIDS or STD surveillance may or may not be subject to site reviews. In these cases, the gap in data management and security quality assurance may be covered with the Self Assessment Tool. It is recommended that annual completion of the attached Self Assessment Tool be required in the REPORTING section of contracts with external collaborators that do not receive site reviews. The items on the self assessment are identical to those in the suggested revisions to the HIV/AIDS and STD surveillance site review tools.
 

8.0 Periodic Activity Reports

HIV/AIDS surveillance contractors are required to submit a quarterly progress report which includes a section entitled Security Issues. Currently this section is completely open ended and provides no guidance regarding the types of information that should be reported. Inserting the following guidance into the Security Issues section of the report should elicit more response from HIV/AIDS contractors.

Data management and security – describe significant events or initiatives related to data security and confidentiality. Examples of things to include are training issues, changes in physical or computer security, or suspected breaches.

STD surveillance contractors are required to submit semi-annual narratives and reports. Currently the narrative format does not include a section where programs are instructed to address any security issues but the draft version of the 2008 format will include a section identical to that of HIV/AIDS surveillance described above, under III. B. Surveillance and Data Management.

HIV/STD contracts dealing with non-surveillance projects or programs are frequently required to submit periodic activity reports in a format determined by DSHS. It is the recommendation of the External QA Plan team that at minimum, the above item addressing significant events or initiatives related to data management and security be included in the format.
 

9.0 Programs Operating Procedures and Standards

The HIV and STD Program Operating Procedures and Standards (POPS) contains numerous references to DSHS data management and security policies and procedures. As this is a critical document for the day to day operation of many external collaborators, the entire POPS will need a thorough revision to bring the confidentiality language up to date with the new policies and procedures created through the charter process.
 

10.0 Service Level Agreements (SLA)

Service Level Agreements (SLA) with DSHS Regional Offices outline HIV/STD surveillance responsibilities for non-contract external collaborators. If the SLA is revised in the future, it is recommended that language pertaining to HIV/STD security and confidentiality be reviewed and possibly revised as need to bring it in line with current policies and procedures.
 

11.0 Implementation

Each of the five components of the External Quality Assurance Plan has its own timeline for implementation:

• Revised and standardized contract language – The suggested changes to existing contracts covering confidential HIV/STD data would be made the next time the contracts are renewed. This language would also be included in any new contracts developed that involve confidential data.

• Updated Site Review Tools for contractors that receive site reviews – Site review tools for HIV/AIDS and STD surveillance contractors are currently being revised by DSHS Central Office. The suggested revisions to the site review tools should be included in this revision for upcoming 2008 site visits.

• The creation of a Self Assessment Tool for entities that do not get routine site reviews – A draft of the Self Assessment Tool has already been created as a part of creating the quality assurance plan. The Self Assessment Tool will not be implemented for contractors until their next contract renewal when the requirement to completed the assessment is included in the REPORTING section of the contractor who are not subject to site reviews. Following implementation, an initial Self Assessment will be completed at the contract start date and then follow every six months after.

• The addition of security related information in periodic activity reports – Templates for periodic activity reports from HIV/AIDS and STD surveillance sites are currently being revised by DSHS Central Office. The suggested revision to the Security section should be included in this revision for 2008 reporting. It is recommended that any periodic report templates for non-surveillance contractors include the revision suggested in 5.4 above for 2008 reports as well.

• Revised HIV and STD Program Operating Procedures and Standards (POPS) – The POPS is in need of major revision to bring it in line with new policies and procedures. It is recommended that this revision be completed within three months of the completion of the HIV/STD Data Management and Security Charter Project.

• Review and possible revision of Service Level Agreements (SLA) – If the SLA is updated in the future, it is recommended that they be reviewed and possibly revised to bring them in line with current HIV/STD data security policies and procedures.
   

12.0 Revision History

Date	Action	Section
10/8/2014	Converted format (Word to HTML)	-