• DSHS HIV/STD Program

    Post Office Box 149347, MC 1873
    Austin, Texas 78714

    Phone: (512) 533-3000

    E-mail the HIV/STD Program

    E-mail data requests to HIV/STD Program - This email can be used to request data and statistics on HIV, TB, and STDs in Texas. It cannot be used to get treatment or infection history for individuals, or to request information on programs and services. Please do not include any personal, identifying health information in your email such as HIV status, Date of Birth, Social Security Number, etc.

    For treatment/testing history, please contact your local Health Department.

    For information on HIV testing and services available to Persons Living with HIV and AIDS, please contact your local HIV services organization.

302.001

Release of TB/HIV/AIDS and STD Data

Policy
Policy Number  302.001
Effective Date  April 9, 1999
Revision Date  January 21, 2016
Subject Matter Expert Surveillance Specialist
Approval Authority  TB/HIV/STD Section Director
Signed by  Felipe Rocha, M.S.S.W.

1.0 Purpose

This policy describes guidelines for the release or publication of data associated with HIV/AIDS, STD and TB surveillance, epidemiologic, public health follow-up, and the Texas HIV Medication Program (THMP). This policy aligns with requirements in the DSHS HIV and STD Program Operating Procedures and Standards (POPS) (www.dshs.texas.gov/hivstd/pops/), the Centers for Disease Control and Prevention’s (CDC) Program Operations Guidelines for STD Prevention, (www.cdc.gov/std/program/overview.pdf), and the CDC’s Technical Guidance for HIV/AIDS Surveillance Programs (Atlanta, GA; 2006) wherever possible and/or appropriate.

 

2.0 Authority

All information obtained and compiled by DSHS related to a disease report is confidential and may be used or released only as permitted by Health and Safety Code §81.046. Additionally, DSHS is legally bound by federal assurances of confidentiality (Sections 306 and 308(d) of the Public Health Service Act, 42 US Code 242k and 242m(d)) which prohibit disclosure of any information that could be used to directly or indirectly identify patients. This policy has been written in accordance with the Health and Safety Codes §81.046 and §81.103 and the Texas Administrative Codes Title 25 §97.146 and §98.13.

 

3.0 Definitions

Aggregate Data: data which are based on combining individual level information; Aggregate data may contain potentially identifying information, particularly if the aggregated data are very detailed or for a small subset of individuals.

Central Office: the TB/HIV/STD Section, Department of State Health Services (DSHS) main office located in Austin, Texas.

Confidential Information: any information which pertains to a patient that is intended to be kept in confidence or kept secret and could result in the identification of the patient should that information be released.

Confidentiality: the ethical principle or legal right that a physician or other health professional or researcher will prevent unauthorized disclosure of any confidential information relating to patients and research participants.

De-identified (Pseudo-anonymous) Data: individual record-level data which has been stripped of personal identifiers (e.g., name, address, social security number) but may contain potentially identifying information (e.g., age, sex, race/ethnicity, locality information) that when combined with other information may identify an individual. If the combining of information could identify an individual, these data are considered confidential.

Demographics: refers to selected population characteristics, including race/ethnicity, sex, and age.

External: entities outside of the DSHS Central Office that the HIV/STD Program contracts with or works in association with to conduct public health activities related to HIV/STD surveillance, epidemiology, public health follow-up and the medication program.

Fifty Rule: refers to the acceptable threshold for the release of aggregate HIV/AIDS and STD surveillance, epidemiologic, and public health follow-up data. The underlying population of the statistic released must be a population of greater than fifty people. The underlying population must also be at least twice the number of cases.

Geocode: is a representation format of a geospatial coordinate measurement used to provide a standard representation of an exact geospatial point location at, below, or above the surface of the earth at a specified moment of time.

Geographic Information System (GIS): is an information system capable of integrating, storing, editing, analyzing, sharing, and displaying geographically-referenced data.

Institutional Review Board (IRB): is a group that has been formally designated to approve, monitor, and review biomedical and behavioral research involving humans with the aim to protect the rights and welfare of the subjects.

Local Responsible Party (LRP): an official who accepts responsibility for implementing and enforcing HIV/STD policies and procedures related to the security and confidentiality of HIV/STD surveillance, epidemiology, public health follow-up and medication program data and information and has the responsibility of reporting and assisting in the investigative breach process.

Overall Responsible Party (ORP): a public official with sufficient authority to make decisions about statewide TB/HIV/STD surveillance operations. The ORP is responsible for the security and confidentiality of the TB/HIV/STD surveillance system.

Personal Identifier: a datum or collection of data which allows the possessor to determine the identity of a single individual with a specified degree of certainty; a personal identifier may permit the identification of an individual within a given database. Bits of data, when taken together, may be used to identify an individual. Personal identifiers may include name, address or place of residence, social security number, telephone number, fax number, and exact date of birth.

Population: a group of people defined by demographic characteristics such as age, race, sex, or location of residence.

Potentially Identifying Information: information which, when combined with other information, could potentially identify an individual or individuals. This includes but is not limited to such information as medical record/case numbers and demographic or locality information that describe a small subset of individuals (e.g., block data, zip codes, race/ethnicity data).

Surveillance: the ongoing and systematic collection, analysis, and interpretation of health data in the process of describing and monitoring a health event. This information is used for assessing public health status, triggering public health action, defining public health priorities and evaluating programs.

TB/HIV/STD Section: a Section in the DSHS Division of Laboratories and Infectious Disease Services which includes: the HIV/STD Prevention and Care Branch, the TB/HIV/STD Epidemiology and Surveillance Branch, and the TB and Refugee Health Services Branch.

 

4.0 Policy

The policy of DSHS is to ensure that HIV/AIDS, STD, and TB data are released and/or published while maintaining patient confidentiality. The policy is also to ensure that individual record-level data containing personal identifiers are only released with proper legal authority. TB/HIV/STD staff must assess the potential impact of proposed data releases on confidentiality, and staff responsible for the release of TB/HIV/STD data must take steps to prevent the identification of individuals.

 

5.0 Persons Affected

Person affected are DSHS employees and external entities that have access to TB/HIV/STD surveillance, epidemiologic, public health follow-up and THMP data.

 

6.0 Responsibilities

The Local Responsible Party (LRP) is responsible for implementing and enforcing these data release guidelines. For the TB, HIV and STD, the managers of the TB/HIV/STD Epidemiology and Surveillance Branch, the HIV/STD Prevention and Care Branch, and the TB and Refugee Health Services Branch are the LRP, each responsible for the proper release of the information originating from that program area. The TB/HIV/STD Epidemiology and Surveillance Branch Manager will be responsible for the proper release of TB/HIV/STD surveillance and epidemiologic data. The HIV/STD Prevention and Care Branch Manager will be responsible for the proper release of THMP data and information. The LRPs are jointly responsible for the proper release of public health follow-up data.

Regional programs and agencies contracting with the Program for surveillance or public health follow up must designate an LRP to oversee the release of TB/HIV/STD data from their program. Regional programs and contractors that handle HIV/STD surveillance, epidemiologic, and public health follow-up data must develop a policy that is at least as restrictive as the DSHS TB/HIV/STD Section’s policy outlining guidelines for the release of local TB/HIV/STD data or they may choose to adopt the TB/HIV/STD Section’s policy.

 

7.0 Data Release Guidelines

7.1 Aggregate Data

7.1.1 Fifty Rule

Aggregated HIV/AIDS, STD, and TB surveillance, epidemiologic, and public health follow-up data may be released if the underlying population consists of more than fifty people. Furthermore, the underlying population must be at least twice the number of cases. The size of the underlying population must be verified through the U.S. Census Bureau or the Center for Disease Control and Prevention’s Center for Health Statistics. Tables consisting of cells that do not satisfy the Fifty Rule are acceptable for release if those cells have been suppressed. Additional cells may also need to be suppressed to prevent the derivation of the suppressed data. Alternatively, data are acceptable for release if pooled to span a longer time period (i.e., 3 or 5 year periods) if doing so would satisfy the Fifty Rule. Another option is to collapse data categories if the data has been stratified by one or more categories, such as sex or age. When population data are not available, the DSHS TB/HIV/STD Epidemiology and Surveillance Branch Manager should be consulted. All data released by the regional programs and contractors can be released with the approval of the LRP at the local program.

 

7.1.2 Geographic Data

Data depicted on a map should be consistent with the aforementioned Fifty Rule. Geographic areas with populations that do not satisfy the Fifty Rule must be aggregated with data from one or more other geographic areas, although mapped data points with values of zero are acceptable for release.

The release of data in a map format created with GIS should not be accompanied by the individual layers and corresponding attribute tables used in the production of the map. The map should be released as a stand-alone image of a final product (e.g., JPEG format).

 

7.1.3 Medication Program Exception

The THMP may release aggregate program utilization and cost data without adherence to the Fifty Rule. Sub-county level data or stratified data must be reviewed and approved by the THMP manager or designee prior to release. All requests for THMP aggregate data will be processed by THMP staff and tracked by the THMP manager.

 

7.1.4 Responding to Requests for Aggregate

Requests for data present an opportunity for direct interaction between the TB/HIV/STD Branches and our customers in the public, the media, the legislature, and other public health agencies. DSHS staff handling data requests should extend the most professional, courteous, accurate and rapid service available. The following procedure provides guidance for fulfilling data requests. DSHS recommends that regional and contracting programs create procedures for handling and tracking data requests that are similar.

Customers commonly initiate data requests via telephone or e-mails. An assigned staff member will work with the customer to complete the data request by clearly defining the specifics of the data requested. For requests of data that the TB/HIV/STD Branches do not have, program staff should refer the customer to other sources when possible. Key criteria for defining data requests may include:

  • Disease(s) or diagnosis
  • Reported cases versus diagnosed cases
  • Number of cases, rates, or both
  • Time period
  • Geographic location(s)
  • Demographic crosstabs (e.g., age, sex, race, risk group, etc) or restrictions (e.g., living cases, male cases, female cases, etc)
  • Date the data request must be completed

Occasionally, the customer may not know how to define the data needed. In such cases, the assigned staff member may help define the request based on the question(s) the customer is trying to answer. For formal Public Information requests, assigned staff members are not permitted by state law to inquire about why the request is being made.

The assigned staff member will gather the customer’s contact information, including e-mail address or fax number, in order to send the data. In general, assigned staff members should accept and meet the customer’s deadline for receiving the data. If the deadline is unusually short, cannot be met, and/or another deadline cannot be negotiated, staff should consult the LRP.

When completing data requests, assigned staff members should save the syntax and output files in a folder for future reference. These files are recorded in the data request tracking log to allow others to use or modify them for future requests. The requested data are most often saved in an electronic file format (e.g., Excel, Word, html, etc.) and e-mailed to the customer. All data files should be clearly annotated, including titles and notes to thoroughly describe what the data represent. Additional notes should also be included to describe any special circumstances or limitations of the data, such as why some cells are suppressed. If the data results are complete and follow the guidelines in this policy, they may be sent to the customer along with the staff member’s contact information. If the data results are complete and follow the guidelines described in this policy, they may be sent to the customer along with the staff member’s contact information.

 

7.1.5 Zip Code and Census Tract Level Data

Aggregate counts of diagnosed and/or prevalent cases of HIV, STDs, and TB may be released at the zip code or census tract level if the underlying population denominator meets the aforementioned “Rule of 50”. The Rule of 50 for zip code and census tract level data will be verified against the most recent U.S. Census ACS 5-year estimates from Table DP05.

  • To ensure identifying information is not released, only data on single stratum will be released at the zip code and census tract level. For example, TB cases in males in a particular zip code may be released, but not males ages 20-24.

  • Rates may be released for stratum that meet the Rule of 50. Rates should be calculated using population estimates from the Summary File SF1 of the most recent U.S. Decennial Census.

 

7.2 De-identified Individual Record-Level Data

The TB/HIV/STD Branches rarely release de-identified individual record-level data. These data are only released for research or public health purposes, and these data shall only be released with a data sharing agreement in place and upon receiving approval from the LRP.

 

7.2.1 Geocoded Data

Individual record-level data consisting of geocoded address data for release in a map format or data file should not contain the geographic coordinates of addresses. Instead, individual addresses will identify the geographic level (e.g. county, census tract) to which they were geocoded.

 

7.2.3 Registry Matching

Confidential TB/HIV/STD surveillance, epidemiologic, and public health follow-up data are routinely matched with data in other disease registries (e.g., cancer, tuberculosis) and data systems to improve data quality as a part of routine disease surveillance. TB/HIV/STD data may not be released to other programs for matching. Rather, the comparison of disease registries and other program data should be accomplished by the TB/HIV/STD Program staff. The LRP is responsible for ensuring that data sharing agreements are in place when data are shared for matching purposes and are consistent with TB/HIV/STD Program policies pertaining to the release of data.

 

7.2.4 De-identified Data Requests

De-identified individual record-level data are only released upon approval by the LRP. Customers commonly initiate data requests via telephone or e-mail. For TB/ HIV/STD
surveillance, epidemiologic, and public health follow-up data requests, customers must sign Data Release and Confidentiality Agreements prior to receipt of data. The Data Release and Confidentiality Agreements will specify:

  • the permitted uses, disclosures, and final disposition of the data
  • who is permitted to use or receive the data
  • that the data recipient will use appropriate safeguards to prevent use or disclosure of the information outside that specified by the Data Release and Confidentiality Agreements

The dataset will be prepared by assigned staff and provided to the customer via secured means upon approval by the LRP. The LRP or designee will file the paperwork associated with the request and enter the request in the Data Release Tracking Log. The LRP or designee will provide the customer with a signed copy of the Data Release Agreement and must store hard copies of the agreement. Follow-up will be conducted with customers who receive individual record-level data to ensure that the data and any additional data files created have been properly destroyed on their stated project completion date.

All THMP data requests will be processed by THMP staff and tracked by the THMP manager.

External sites should develop and use their own data release agreement for local individual record-level requests, or the external sites may choose to use the DSHS Data Release Agreement.

Handling Requests for Research Purposes - Requests for individual record-level data from the TB/HIV/STD Epidemiology and Surveillance Branch for research purposes must be reviewed and approved by the DSHS Institutional Review Board (IRB) and the Local Responsible Party. Procedures for submitting data requests to the DSHS IRB can be found at www.dshs.texas.gov/irb/.

The requestor must also obtain approval from an IRB at the institution responsible for oversight of the research program. Prior to releasing datasets, all personal identifiers must be removed. Datasets that contain potentially identifying information must be maintained by the recipient in a manner consistent with the most current DSHS confidentiality and security guidelines regarding physical and electronic security. The staff of the research institution must comply with all security and confidential training requirements.

Upon approval by the IRBs, Data Release and Confidentiality Agreements must be signed prior to releasing the data (See Appendix A). The Data Release Agreement must specify the length of time that the research institution will maintain the data. All the data must be removed from all electronic files and hard copies at the conclusion of the timeframe specified in the Data Release Agreement. The research institution must provide documentation that these data have been destroyed in a confidential manner.

Requests for THMP individual record-level data for research purposes must be reviewed by the DSHS IRB.

 

7.3 Personally Identified Individual Record-Level Data

The TB/HIV/STD Section strongly discourages the release of individual patient records that contain personal identifiers. In very limited circumstances, a patient’s personal records may be released to providers, legal entities, and/or directly to the patient. The TB/HIV/STD Section may also disclose individual patient data for public health purposes.

 

7.3.1 Patient Records

For requests through the TB/HIV/STD Epidemiology and Surveillance Branch, providers, patients and/or their lawyers may request only data relating to the patient. HIV/STD public health follow-up data will not be released to patients, providers, or legal entities under any circumstances, as those data contain partner information.

 

7.3.2 Public Health Purposes

Following routine matching of confidential TB/HIV/STD surveillance, epidemiologic, and public health follow-up data with data in other disease registries, the TB/HIV/STD Section may provide the other program with data on persons who are also diagnosed with TB, or a STD including HIV. The LRP is responsible for ensuring that data sharing agreements are in place when data are shared and are consistent with TB/HIV/STD Section policies pertaining to the release of data and maintaining confidentiality of the data.

 

7.3.3 THMP

Due to statutory provisions protecting the confidentiality of the manufacturers’ drug pricing data (Federal Omnibus Budget Reconciliation Act of 1990 and in Section 340B of the Public Health Services Act, 42 U.S.C. 256B), drug pricing lists are considered restricted and cannot be released. Client records containing personal identifiers may be released to treating physicians, servicing pharmacies, contractors, the patient, or other programs as necessary for the client to obtain services. THMP routinely shares THMP data with pharmacy benefit manager contractors, Medicare, and Medicaid. The LRP is responsible for ensuring that data sharing agreements or appropriate contracts are in place when THMP data are shared.

 

7.4 Personally Identified Individual Record-Level Data

7.4.1 Requests From Legal Entities

Requests for individual TB/HIV/STD surveillance, epidemiologic, or THMP patient records initiated via court orders, subpoenas, or legal counsel for a patient must be directed to the DSHS Office of General Counsel. Patients and/or their lawyers must sign a medical record release form before any data are released. The LRP must see the medical record release form and approve before data is released.

For external sites, these form of requests should be directed to their agency health attorneys and the TB/HIV/STD Section security officer needs to be notified. The local LRP must see the medical record release form and approve before data is released.

 

7.4.2 Requests by Patients or Providers

Providers requesting patient records or patients requesting their own records through the TB/HIV/STD Epidemiology and Surveillance Branch must be directed to the DSHS Office of General Counsel. A medical record release form must be signed by the patients and the LRP must see the medical release form and approve before data is released. Requests for THMP client records do not need to be directed to the DSHS Office of General Counsel.

For external sites, these form of requests must be directed to their agency health attorneys. A medical record release form must be signed by the patient and the LRP must see the medical release form and approve before data is released.

 

8.0 Data Request Tracking

8.1 TB, HIV, or STD Surveillance Data

During and/or immediately following a request for data, the assigned staff member completing the request will document the request in the Request Log. Providing documentation of data requests in a centralized location allows the TB/HIV/STD Section to quantify who its customers are and how they are being served. In addition, by identifying contact names and file information, future requests for repeat or similar data can be fulfilled more efficiently.

Requests from internal DSHS staff should be documented in the same manner as requests from external consumers.

 

8.2 Handling Requests from Special Customers

Staff should respond to requests from the media by following Policy Number AA-5007 (http://online.dshs.state.tx.us/content.aspx?id=4890).

All DSHS staff who receive a legislative request should notify the appropriate Branch Manager immediately. Before responding to a legislative request, staff must obtain approval from the appropriate Branch Manager prior to releasing data. Immediately following the completion of a legislative request, a Legislative Contact Report should be e-mailed. At minimum, this report will be submitted to the assigned staff member’s supervisor, the Branch Managers of the TB/HIV/STD Epidemiology and Surveillance Branch, the HIV/STD Prevention and Care Branch, the TB and Refugee Health Services Branch, the Manager of the TB/HIV/STD Section.

This report should contain the following information:

Who made the request – which Legislator’s office, contact person’s name, telephone number and other contact information

When the request was received

What the question or issue was that prompted the request

Summary of the response or copy of data released

Any future follow-up required

Name and contact information for the employee that responded to the request

Staff who receive an Open Records or Public Information Act request should follow Policy Number AA-5007 (http://online.dshs.state.tx.us/content.aspx?id=4890) and notify their Branch Manager of the request.

 

9.0 Revision History

Date Action Section
Revision History
9/1/2017Changed "TB/HIV/STD Unit" to "TB/HIV/STD Section" to reflect new program designation-
1/21/2016 Added section 7.1.5 Zip Code and Census Tract Level Data 7.1.5
9/4/2014 Numerous revisions throughout All
Converted format (Word to HTML) -
11/9/2009 Clarification that local policy must be at least as restrictive as DSHS policy 6.0
Clarification that the local LRP can approve data released at the local program level 7.1.1
7/2/2008 Extensive revision too numerous to list, therefore treated as new policy. Previously, this policy was numbered as 020.061 N/A

 


Last updated September 8, 2017