320.001 Quality Assurance of Confidentiality for Internal Staff

Procedure Number 320.001
Effective Date  July 3, 2008
Revision Date July 3, 2008
Subject Matter Expert Internal Workgroup
Approval Authority Branch Manager
Signed by Sharon K. Melville, M.D., M.P.H.

1.0 Purpose

The purpose of the Quality Assurance Plan is to establish internal procedures for maintaining confidentiality and ensure compliance with established policies and procedures on data security.

2.0 Authority

Health Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, Sections 306 and 308(d) of the Public Health Service Act, 42 US Code 242k and 242m(d), Health and Safety Code §81.046, Texas Administrative Code 202 Information Security Standards, DSHS IR-2204 Information Security Policy.

3.0 Background

The HIV/STD Program collects personal and private information from individuals in pursuit of its mission to prevent, treat, and control the spread of HIV and STDs. Valuing customers, stakeholders and the public trust, the HIV/STD Program takes every precaution to protect confidential information and the integrity of systems that contain the information in order to protect the confidentiality of the individual.

4.0 Definitions

4.1 Confidential Information

Any information which pertains to a patient that is intended to be kept in confidence or kept secret and could result in the identification of the patient should that information be released.

4.2 Confidentiality

The ethical principle or legal right that a physician, other health professional, or researcher will prevent unauthorized disclosure of any confidential information relating to patients and research participants.

4.3 Internal

Refers to staff and occurrences located at the DSHS Central Office in Austin, Texas.

4.4 Local Responsible Party (LRP)

An official who accepts responsibility for implementing and enforcing HIV/STD policies and procedures related to security and confidentiality of HIV/STD surveillance, epidemiology, public health follow-up and medication program data and has the responsibility of reporting and assisting in the investigative breach process. A Local Responsible Party will be designated both internally and externally.

Internally the Epidemiology and Surveillance and HIV/STD Prevention and Care Branch managers will be designated as the Local Responsible Parties.

5.0 Responsibilities

5.1 LRP or designee

  1. Coordinate Security Week activities

  2. On a quarterly basis:

    • Review the list of data base authorized users

    • Review building access level privileges

    • Perform risk and vulnerability assessments of the physical environment on a quarterly basis, see Appendix A, and if issues are discovered, follow the Breach Response policy

  3. Maintain a data base of all internal staff, specifically date last security agreement signed, date last received security training, and date of last data security policy conference with supervisor

  4. Ensure a review of the database on a periodic basis to determine what staff are overdue for training, security agreement, and/or security conference, and send reminders to the immediate supervisor of these staff

5.2 Supervisor or designee

  1. Ensure all job descriptions contain a statement on the security requirements

  2. Ensure all performance plans have a universal expectation on confidentiality

  3. Ensure each new employee receives the data security orientation

  4. Ensure each new employee signs the security agreement

  5. Ensure each employee renews the security agreement once yearly

  6. Ensure each employee receives the security training on a yearly basis

  7. Conference once yearly with each and every staff person, either individually or in a group setting to review and discuss the security policies and philosophy

  8. Maintain a hardcopy file of compliance with this QA plan

  9. Enter information about compliance into the centralized data base

  10. Ensure staff involved in data management and dissemination or involved in direct contact with clients and customers take the Human Subjects training once every three years

6.0 Procedures

6.1 Quarterly Assessment of the Physical Environment

On a quarterly basis, the LRP or designee will tour the facility to monitor the security of the physical environment. This assessment would follow the checklist contained in Appendix A.

6.2 Security Awareness Week

Security Awareness Week should be held at least once yearly, and may be implemented more often. Security Week is the time for all staff to renew training, renew security agreements and conference with the supervisor on security policies.

Security Week may also include a range of activities to remind staff of the program philosophy on the importance of confidentiality.

6.3 Yearly Conference with Staff

On a yearly basis, the supervisor will review the security policies and program philosophy on confidentiality with every staff person. This could be implemented on individual basis or in a group setting. If the supervisor opts for a group conference, employees not in attendance must be conference separately. The supervisor sends documentation of this conference to the security officer. Note: All the procedures for the supervisor can be found in Appendix B.

7.0 Documentation

The LRP will maintain documentation of compliance with the security policies and procedures in a centralized database.

6.0 Revision History

Date Action Section
10/8/2014 Converted format (Word to HTML) -


Appendix A

Quarterly Meeting Notes - Local Responsible Party (LRP)

# Issue Yes No Notes
1 Review of the list of authorized users       
2 Security of interior doors       
3 Security of exterior doors      
4 Are confidential papers left unattended on any desktop?       
5 Are all files cabinets containing confidential files locked or behind two locked doors?       
6 Are any computers left unattended, with the user still logged on and the screen is not locked?       
7 Are there any unescorted visitors in the secured areas of the building?       


Appendix B

Yearly Meeting Notes - Supervisor

# Issue Yes No Notes
1 Does a statement about confidentiality appear in the employee’s job description?       
2 Is there an expectation on confidentiality in the employee’s performance plan?      
3 Has the employee signed or renewed the security agreement within the last 12 months?      
4 Has the employee attended the security training within the last 12 months?       
5 Has the supervisor reviewed the security policies and philosophy on confidentiality with the employee within the last 12 months?