CDC Guidelines for Improved Data on U.S. HIV Epidemic
The Centers for Disease Control and Prevention (CDC) has released guidelines to assist states in the design and implementation of effective systems to track the course of the HIV epidemic. In the wake of recent treatment advances, which have slowed the progression from HIV to AIDS for many individuals, data on AIDS cases alone can no longer be reliably used to direct prevention efforts to communities currently at greatest risk. To address the need for information to ensure effective targeting of prevention services, in September 1997, CDC called for all states and territories to conduct HIV case surveillance as an extension of their AIDS surveillance programs.
As of November 1999, thirty-four states and the Virgin Islands(1) had implemented HIV surveillance using the same reporting system for both HIV and AIDS cases; two of these states conduct pediatric surveillance only. Four additional states(2) and Puerto Rico use coded unique identifiers for HIV case reporting. Washington State is using a combination approach. The Guidelines for National HIV Surveillance, Including Monitoring for HIV Infection and Acquired Immunodeficiency Syndrome are designed to advise states on the best practices to ensure both quality and confidentiality of HIV data.
The Guidelines represent the culmination of a lengthy effort by CDC, in conjunction with communities and public health partners nationwide, to address emerging information needs and issues surrounding the effective implementation of HIV reporting. The recommendations were designed to ensure that systems address several goals including:
- the provision of accurate and reliable data to effectively direct HIV prevention and treatment programs to affected communities;
- the strict confidentiality of HIV data, including controlled access and strong penalties for abuse; and
- continued support for anonymous testing options so that systems do not deter individuals at risk from accessing HIV testing, treatment, and prevention services.
Criteria for Quality and Confidentiality
The guidance document outlines performance criteria to ensure the quality and confidentiality of HIV data. These criteria are described in detail in the recommendations, but include strict confidentiality procedures and protections (e.g., computer encryption, physical security, limited access, and penalties for abuse) and quality standards for data to ensure completeness (over 85% of diagnoses must be reported), timeliness (over 66% of diagnoses are reported within 6 months of diagnosis), unduplicated reports (less than 5% of cases should be duplicate reports of a single case), and the ability to follow-up with providers on cases of public health importance (e.g., unusual modes of transmission or strains). These standards should ensure that funding agencies and affected communities alike can continue to rely on surveillance data to accurately represent the impact of the epidemic and the need for prevention and treatment services.
Based on published evaluations to date, CDC has concluded that name-based HIV surveillance systems are currently the most likely system to meet the necessary performance standards and provide the quality data necessary to direct community prevention and treatment programs. CDC therefore advises that state and local surveillance programs use the same name-based approach for HIV surveillance as is currently used for AIDS surveillance nationwide.
CDC's policy does allow for flexibility if states wish to implement alternative systems. CDC has and will continue to provide financial and technical assistance to states working to design systems that rely on codes or "unique identifiers" (UIs) rather than names. Given the importance of these data for directing services and care to individuals with HIV infection, all states will be required to meet the specified performance criteria to ensure both the quality and confidentiality of the data.
During the next few years, CDC will assist states in implementing HIV surveillance systems, evaluating current performance levels, revising systems as necessary, and reassessing performance. After this transition period, CDC will evaluate and award proposals for federal funding of state and local surveillance programs based on their capacity to meet the performance standards. At that time, CDC will work with states to adopt surveillance methods that will enable them to achieve these standards.
Efforts to Evaluate and Address Concerns About Name-Based HIV Reporting
While there is widespread support for expanded HIV reporting, many people still have concerns regarding name-based reporting of HIV infection. Concerns about name-based HIV reporting have focused largely on confidentiality, potential non-public health uses of data, the impact of reporting on test-seeking behavior, and access to anonymous testing.
CDC recognizes these concerns and the greater sensitivity of HIV case data. CDC has worked for several years to evaluate and address these issues. The agency has conducted several scientific assessments and has consulted with a diverse group of individuals and organizations from the scientific, public health, and AIDS advocacy communities. The Guidelines present the results of these assessments in more detail, but several key steps have been taken, including the following:
- Evaluation of impact on test-seeking behavior:
CDC studies conducted to date suggest that name-based HIV reporting has not served as a major deterrent to testing. For example, CDC has worked with six health departments to evaluate HIV testing patterns in the twelve months before and the twelve months after the implementation of HIV reporting. In these areas, the number of HIV tests increased in four states, and declined in two. The declines were not statistically significant and followed a decreasing trend in testing that began before the implementation of reporting. However, CDC recognizes that for some people reporting may serve as a deterrent. The agency therefore strongly supports that anonymous testing be made available. As additional areas implement HIV reporting, CDC will conduct ongoing evaluations to monitor the impact of policy changes on testing behaviors.
- Support for anonymous testing:
CDC continues to strongly support anonymous HIV testing and recommends that all states provide anonymous testing options. CDC studies indicate that the lack of anonymous testing serves as a deterrent to testing in some high-risk populations. Unless prohibited by law, CDC requires that states receiving prevention funds make anonymous testing available in order to make testing as accessible as possible. Maintaining anonymous testing sites is important for prevention efforts and will not seriously inhibit our ability to track the epidemic. Most people are diagnosed with HIV infection in care settings where their identities are known, and CDC recommends that individuals who test positive in anonymous settings be promptly referred to treatment and prevention services. Maintaining an anonymous testing option may help ensure that more individuals learn their status, and if infected, seek early treatment and care. HIV home test kits now offer another anonymous testing option in the United States. Anonymous testing is available in publicly-funded counseling and testing sites in all but eleven states(3) and the Virgin Islands. CDC strongly recommends that states not currently offering anonymous testing reevaluate their policies on this issue.
- Strengthening systems to protect confidentiality:
To date, public health departments have maintained an exemplary record in protecting the confidentiality of HIV/AIDS data. Since 1981, there have been few reported breaches of confidentiality of any state reporting system. A breach occurred in Florida that involved a health department employee who, without authorization, revealed names from a registry. The staff member was prosecuted under state law, and CDC has worked closely with the State of Florida to further strengthen its security protections.
Over the past few years, CDC has been working to evaluate additional measures at the state level that could further strengthen confidentiality protections. CDC has recently reviewed state reporting programs and has developed enhanced standards to be used in developing local confidentiality plans. Local programs are required to meet these performance standards and must ensure confidentiality as a condition of funding. One important security measure CDC will make available to states is the option of using a double-keyed encryption program. With this system, names and other identifying information may only be accessed with both the key (password) held by the state and the key held by CDC. CDC will hold the second key under an Assurance of Confidentiality under Section 308(d) of the Public Health Service Act. This act governs how CDC uses or releases surveillance data shared with CDC by the states. Under this act, CDC is prohibited from providing its key to a state planning to use HIV/AIDS surveillance data for non-public health purposes.
Additionally, to assess the strength of local confidentiality laws that protect HIV data, the Council of State and Territorial Epidemiologists requested that Georgetown/Johns Hopkins Public Health Law Project review local laws and regulations. All states and many localities have legal safeguards of confidentiality for government-held data, and these laws were found to provide greater protection than laws protecting the confidentiality of health information held by private health care providers. Most states also have specific statutory protections for public health data related to HIV. However, state legal protections vary widely.
The Georgetown University Law Center developed model legislative language to protect confidential, identifiable information held by state and local public health departments against unauthorized and inappropriate use, while still allowing the use of surveillance information to accomplish legitimate public health objectives. States that plan to implement HIV case surveillance should consider adopting the model legislation, if necessary to strengthen the current level of protection of public health data.
- Evaluation of unique identifier systems:
Beginning in 1993, to assess the feasibility of using alternatives to name-based methods for HIV surveillance, several states implemented reporting of HIV cases or CD4 laboratory results using a variety of numeric codes. Other states tried to conduct case surveillance using codes that were intended for use in case management systems. In 1995, CDC convened a meeting of these states that identified operational, technical and scientific challenges in conducting surveillance using codes.
Additionally, CDC has conducted a 3-year evaluation of social security number-based, non-named, unique identifier (UI) reporting systems in Maryland and Texas. The evaluation, published in the January 9, 1998, Morbidity and Mortality Weekly Reports, found a number of reports with incomplete codes (approximately 30%-40%), low rates of completeness in reporting (approximately 25%-50% complete), difficulty in conducting follow-up on specific cases, and the absence of behavioral risk data in this system. In this evaluation, neither state was able to assess the level of duplicate case reports or the ability to reliably link to other public health databases (e.g., death registries). A more recent evaluation conducted by Maryland found a higher level of completeness from a publicly funded counseling and testing site than documented in the previous study. Maryland continues to report HIV cases by UI codes and AIDS cases by name. Since conducting this evaluation, Texas has amended its regulations and has been conducting name-based HIV reporting since January 1999.
Additional research on other UI codes was conducted by CDC in collaboration with health departments in Los Angeles and New Jersey. These and other state-based studies have failed to identify a code that performs as well as name-based methods. Moreover, for the follow-up of UI-based cases, providers may maintain logs or other forms of documentation linking the UI to the name-based medical records. This process may pose additional confidentiality risks if physician-held surveillance registries are not protected by state confidentiality statutes or are located in non-secure areas.
- All public comments were reviewed and considered:
CDC draft program guidance for expanded HIV/AIDS reporting was published for public comment in December 1998. After the public comment period, the comments were carefully reviewed and considered and the guidelines were subsequently finalized. The Guidelines for National HIV Surveillance are available at CDC's Web site (http://www.cdc.gov) beginning December 10, 1999. As HIV surveillance is expanded, any advances in surveillance technology will be shared widely with state health departments.
- Alabama, Alaska, Arizona, Arkansas, Connecticut (pediatric only), Colorado, Florida, Idaho, Indiana, Iowa, Kansas, Louisiana, Michigan, Minnesota, Mississippi, Missouri, Nebraska, Nevada, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon (pediatric only), South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, West Virginia, Wisconsin, and Wyoming.
- Illinois, Maine, Maryland, and Massachusetts.
- Alabama, Idaho, Iowa, Mississippi, Nevada, North Carolina, North Dakota, South Carolina, South Dakota, Tennessee, and Wyoming.