The Centers for Disease Control and Prevention (CDC) has released guidelines to assist states in the design and implementation of effective systems to track the course of the HIV epidemic. In the wake of recent treatment advances, which have slowed the progression from HIV to AIDS for many individuals, data on AIDS cases alone can no longer be reliably used to direct prevention efforts to communities currently at greatest risk. To address the need for information to ensure effective targeting of prevention services, in September 1997, CDC called for all states and territories to conduct HIV case surveillance as an extension of their AIDS surveillance programs.
As of November 1999, thirty-four states and the Virgin Islands(1) had implemented HIV surveillance using the same reporting system for both HIV and AIDS cases; two of these states conduct pediatric surveillance only. Four additional states(2) and Puerto Rico use coded unique identifiers for HIV case reporting. Washington State is using a combination approach. The Guidelines for National HIV Surveillance, Including Monitoring for HIV Infection and Acquired Immunodeficiency Syndrome are designed to advise states on the best practices to ensure both quality and confidentiality of HIV data.
The Guidelines represent the culmination of a lengthy effort by CDC, in conjunction with communities and public health partners nationwide, to address emerging information needs and issues surrounding the effective implementation of HIV reporting. The recommendations were designed to ensure that systems address several goals including:
The guidance document outlines performance criteria to ensure the quality and confidentiality of HIV data. These criteria are described in detail in the recommendations, but include strict confidentiality procedures and protections (e.g., computer encryption, physical security, limited access, and penalties for abuse) and quality standards for data to ensure completeness (over 85% of diagnoses must be reported), timeliness (over 66% of diagnoses are reported within 6 months of diagnosis), unduplicated reports (less than 5% of cases should be duplicate reports of a single case), and the ability to follow-up with providers on cases of public health importance (e.g., unusual modes of transmission or strains). These standards should ensure that funding agencies and affected communities alike can continue to rely on surveillance data to accurately represent the impact of the epidemic and the need for prevention and treatment services.
Based on published evaluations to date, CDC has concluded that name-based HIV surveillance systems are currently the most likely system to meet the necessary performance standards and provide the quality data necessary to direct community prevention and treatment programs. CDC therefore advises that state and local surveillance programs use the same name-based approach for HIV surveillance as is currently used for AIDS surveillance nationwide.
CDC's policy does allow for flexibility if states wish to implement alternative systems. CDC has and will continue to provide financial and technical assistance to states working to design systems that rely on codes or "unique identifiers" (UIs) rather than names. Given the importance of these data for directing services and care to individuals with HIV infection, all states will be required to meet the specified performance criteria to ensure both the quality and confidentiality of the data.
During the next few years, CDC will assist states in implementing HIV surveillance systems, evaluating current performance levels, revising systems as necessary, and reassessing performance. After this transition period, CDC will evaluate and award proposals for federal funding of state and local surveillance programs based on their capacity to meet the performance standards. At that time, CDC will work with states to adopt surveillance methods that will enable them to achieve these standards.
While there is widespread support for expanded HIV reporting, many people still have concerns regarding name-based reporting of HIV infection. Concerns about name-based HIV reporting have focused largely on confidentiality, potential non-public health uses of data, the impact of reporting on test-seeking behavior, and access to anonymous testing.
CDC recognizes these concerns and the greater sensitivity of HIV case data. CDC has worked for several years to evaluate and address these issues. The agency has conducted several scientific assessments and has consulted with a diverse group of individuals and organizations from the scientific, public health, and AIDS advocacy communities. The Guidelines present the results of these assessments in more detail, but several key steps have been taken, including the following:
Over the past few years, CDC has been working to evaluate additional measures at the state level that could further strengthen confidentiality protections. CDC has recently reviewed state reporting programs and has developed enhanced standards to be used in developing local confidentiality plans. Local programs are required to meet these performance standards and must ensure confidentiality as a condition of funding. One important security measure CDC will make available to states is the option of using a double-keyed encryption program. With this system, names and other identifying information may only be accessed with both the key (password) held by the state and the key held by CDC. CDC will hold the second key under an Assurance of Confidentiality under Section 308(d) of the Public Health Service Act. This act governs how CDC uses or releases surveillance data shared with CDC by the states. Under this act, CDC is prohibited from providing its key to a state planning to use HIV/AIDS surveillance data for non-public health purposes.
Additionally, to assess the strength of local confidentiality laws that protect HIV data, the Council of State and Territorial Epidemiologists requested that Georgetown/Johns Hopkins Public Health Law Project review local laws and regulations. All states and many localities have legal safeguards of confidentiality for government-held data, and these laws were found to provide greater protection than laws protecting the confidentiality of health information held by private health care providers. Most states also have specific statutory protections for public health data related to HIV. However, state legal protections vary widely.
The Georgetown University Law Center developed model legislative language to protect confidential, identifiable information held by state and local public health departments against unauthorized and inappropriate use, while still allowing the use of surveillance information to accomplish legitimate public health objectives. States that plan to implement HIV case surveillance should consider adopting the model legislation, if necessary to strengthen the current level of protection of public health data.
Additionally, CDC has conducted a 3-year evaluation of social security number-based, non-named, unique identifier (UI) reporting systems in Maryland and Texas. The evaluation, published in the January 9, 1998, Morbidity and Mortality Weekly Reports, found a number of reports with incomplete codes (approximately 30%-40%), low rates of completeness in reporting (approximately 25%-50% complete), difficulty in conducting follow-up on specific cases, and the absence of behavioral risk data in this system. In this evaluation, neither state was able to assess the level of duplicate case reports or the ability to reliably link to other public health databases (e.g., death registries). A more recent evaluation conducted by Maryland found a higher level of completeness from a publicly funded counseling and testing site than documented in the previous study. Maryland continues to report HIV cases by UI codes and AIDS cases by name. Since conducting this evaluation, Texas has amended its regulations and has been conducting name-based HIV reporting since January 1999.
Additional research on other UI codes was conducted by CDC in collaboration with health departments in Los Angeles and New Jersey. These and other state-based studies have failed to identify a code that performs as well as name-based methods. Moreover, for the follow-up of UI-based cases, providers may maintain logs or other forms of documentation linking the UI to the name-based medical records. This process may pose additional confidentiality risks if physician-held surveillance registries are not protected by state confidentiality statutes or are located in non-secure areas.