Page 1 of 2 214.645 Reporting system of HIV-positive persons -- Confidentiality and reporting requirements -- Reporting system surveillance, assessment, and restrictions. (1) The Cabinet for Health and Family Services shall establish a system for reporting, by the use of the person's name, of all persons who test positive for the human <br>immunodeficiency virus (HIV) infection. The reporting shall include the data <br>including, but not limited to, CD4 count and viral load, and other information that <br>are necessary to comply with the confidentiality and reporting requirements of the <br>most recent edition of the Centers for Disease Control and Prevention's (CDC) <br>Guidelines for National Human Immunodeficiency Virus Case Surveillance. As <br>recommended by the CDC, anonymous testing shall remain as an alternative. If less <br>restrictive data identifying requirements are identified by the CDC, the cabinet shall <br>evaluate the new requirements for implementation. (2) The reporting system established under subsection (1) of this section shall: (a) Use the same confidential name-based approach for HIV surveillance that is used for AIDS surveillance by the cabinet; (b) Attempt to identify all modes of HIV transmission, unusual clinical or virologic manifestations, and other cases of public health importance; (c) Require collection of the names and data from all private and public sources of HIV-related testing and care services; and (d) Use reporting methods that match the CDC's standards for completeness, timeliness, and accuracy, and follow up, as necessary, with the health care <br>provider making the report to verify completeness, timeliness, and accuracy. (3) Authorized surveillance staff designated by the cabinet shall: (a) Match the information from the reporting system to other public health databases, wherever possible, to limit duplication and to better quantify the <br>extent of HIV infection in the Commonwealth; (b) Conduct a biennial assessment of the HIV and AIDS reporting systems, insure that the assessment is available for review by the public and any state or <br>federal agency, and forward a copy of the assessment to the Legislative <br>Research Commission and the Interim Joint Committee on Health and <br>Welfare; (c) Document the security policies and procedures and insure their availability for review by the public or any state or federal agency; (d) Minimize storage and retention of unnecessary paper or electronic reports and insure that related policies are consistent with CDC technical guidelines; (e) Assure that electronic transfer of data is protected by encryption during transfer; (f) Provide that records be stored in a physically secluded area and protected by coded passwords and computer encryption; (g) Restrict access to data a minimum number of authorized surveillance staff who are designated by a responsible authorizing official, who have been Page 2 of 2 trained in confidentiality procedures, and who are aware of penalties for <br>unauthorized disclosure of surveillance information; (h) Require that any other public health program that receives data has appropriate security and confidentiality protections and penalties; (i) Restrict use of data, from which identifying information has been removed, to cabinet-approved research, and require all persons with this use to sign <br>confidentiality statements; (j) Prohibit release of any names or any other identifying information that may have been received in a report to any person or organization, whether public or <br>private, except in compliance with federal law or consultations with other <br>state surveillance programs and reporting sources. Under no circumstances <br>shall a name or any identifying information be reported to the CDC; and (k) Immediately investigate any report of breach of reporting, surveillance, or confidentiality policy, report the breach to the CDC, develop <br>recommendations for improvements in security measure, and take appropriate <br>disciplinary action for any documented breach. (4) The cabinet shall require any physician, advanced practice registered nurse, or medical laboratory that receives a report of a positive test for the human <br>immunodeficiency virus to report that information by reference to the name in <br>accordance with the procedure for establishing name reporting required by the <br>cabinet in an administrative regulation. Effective: July 15, 2010 <br>History: Amended 2010 Ky. Acts ch. 85, sec. 75, effective July 15, 2010. -- Amended 2005 Ky. Acts ch. 99, sec. 469, effective June 20, 2005. -- Amended 2004 Ky. Acts <br>ch. 102, sec. 4, effective July 13, 2004. -- Created 2000 Ky. Acts ch. 432, sec. 4, <br>effective July 14, 2000.
Page 1 of 2 214.645 Reporting system of HIV-positive persons -- Confidentiality and reporting requirements -- Reporting system surveillance, assessment, and restrictions. (1) The Cabinet for Health and Family Services shall establish a system for reporting, by the use of the person's name, of all persons who test positive for the human <br>immunodeficiency virus (HIV) infection. The reporting shall include the data <br>including, but not limited to, CD4 count and viral load, and other information that <br>are necessary to comply with the confidentiality and reporting requirements of the <br>most recent edition of the Centers for Disease Control and Prevention's (CDC) <br>Guidelines for National Human Immunodeficiency Virus Case Surveillance. As <br>recommended by the CDC, anonymous testing shall remain as an alternative. If less <br>restrictive data identifying requirements are identified by the CDC, the cabinet shall <br>evaluate the new requirements for implementation. (2) The reporting system established under subsection (1) of this section shall: (a) Use the same confidential name-based approach for HIV surveillance that is used for AIDS surveillance by the cabinet; (b) Attempt to identify all modes of HIV transmission, unusual clinical or virologic manifestations, and other cases of public health importance; (c) Require collection of the names and data from all private and public sources of HIV-related testing and care services; and (d) Use reporting methods that match the CDC's standards for completeness, timeliness, and accuracy, and follow up, as necessary, with the health care <br>provider making the report to verify completeness, timeliness, and accuracy. (3) Authorized surveillance staff designated by the cabinet shall: (a) Match the information from the reporting system to other public health databases, wherever possible, to limit duplication and to better quantify the <br>extent of HIV infection in the Commonwealth; (b) Conduct a biennial assessment of the HIV and AIDS reporting systems, insure that the assessment is available for review by the public and any state or <br>federal agency, and forward a copy of the assessment to the Legislative <br>Research Commission and the Interim Joint Committee on Health and <br>Welfare; (c) Document the security policies and procedures and insure their availability for review by the public or any state or federal agency; (d) Minimize storage and retention of unnecessary paper or electronic reports and insure that related policies are consistent with CDC technical guidelines; (e) Assure that electronic transfer of data is protected by encryption during transfer; (f) Provide that records be stored in a physically secluded area and protected by coded passwords and computer encryption; (g) Restrict access to data a minimum number of authorized surveillance staff who are designated by a responsible authorizing official, who have been Page 2 of 2 trained in confidentiality procedures, and who are aware of penalties for <br>unauthorized disclosure of surveillance information; (h) Require that any other public health program that receives data has appropriate security and confidentiality protections and penalties; (i) Restrict use of data, from which identifying information has been removed, to cabinet-approved research, and require all persons with this use to sign <br>confidentiality statements; (j) Prohibit release of any names or any other identifying information that may have been received in a report to any person or organization, whether public or <br>private, except in compliance with federal law or consultations with other <br>state surveillance programs and reporting sources. Under no circumstances <br>shall a name or any identifying information be reported to the CDC; and (k) Immediately investigate any report of breach of reporting, surveillance, or confidentiality policy, report the breach to the CDC, develop <br>recommendations for improvements in security measure, and take appropriate <br>disciplinary action for any documented breach. (4) The cabinet shall require any physician, advanced practice registered nurse, or medical laboratory that receives a report of a positive test for the human <br>immunodeficiency virus to report that information by reference to the name in <br>accordance with the procedure for establishing name reporting required by the <br>cabinet in an administrative regulation. Effective: July 15, 2010 <br>History: Amended 2010 Ky. Acts ch. 85, sec. 75, effective July 15, 2010. -- Amended 2005 Ky. Acts ch. 99, sec. 469, effective June 20, 2005. -- Amended 2004 Ky. Acts <br>ch. 102, sec. 4, effective July 13, 2004. -- Created 2000 Ky. Acts ch. 432, sec. 4, <br>effective July 14, 2000.
Page 1 of 2 214.645 Reporting system of HIV-positive persons -- Confidentiality and reporting requirements -- Reporting system surveillance, assessment, and restrictions. (1) The Cabinet for Health and Family Services shall establish a system for reporting, by the use of the person's name, of all persons who test positive for the human <br>immunodeficiency virus (HIV) infection. The reporting shall include the data <br>including, but not limited to, CD4 count and viral load, and other information that <br>are necessary to comply with the confidentiality and reporting requirements of the <br>most recent edition of the Centers for Disease Control and Prevention's (CDC) <br>Guidelines for National Human Immunodeficiency Virus Case Surveillance. As <br>recommended by the CDC, anonymous testing shall remain as an alternative. If less <br>restrictive data identifying requirements are identified by the CDC, the cabinet shall <br>evaluate the new requirements for implementation. (2) The reporting system established under subsection (1) of this section shall: (a) Use the same confidential name-based approach for HIV surveillance that is used for AIDS surveillance by the cabinet; (b) Attempt to identify all modes of HIV transmission, unusual clinical or virologic manifestations, and other cases of public health importance; (c) Require collection of the names and data from all private and public sources of HIV-related testing and care services; and (d) Use reporting methods that match the CDC's standards for completeness, timeliness, and accuracy, and follow up, as necessary, with the health care <br>provider making the report to verify completeness, timeliness, and accuracy. (3) Authorized surveillance staff designated by the cabinet shall: (a) Match the information from the reporting system to other public health databases, wherever possible, to limit duplication and to better quantify the <br>extent of HIV infection in the Commonwealth; (b) Conduct a biennial assessment of the HIV and AIDS reporting systems, insure that the assessment is available for review by the public and any state or <br>federal agency, and forward a copy of the assessment to the Legislative <br>Research Commission and the Interim Joint Committee on Health and <br>Welfare; (c) Document the security policies and procedures and insure their availability for review by the public or any state or federal agency; (d) Minimize storage and retention of unnecessary paper or electronic reports and insure that related policies are consistent with CDC technical guidelines; (e) Assure that electronic transfer of data is protected by encryption during transfer; (f) Provide that records be stored in a physically secluded area and protected by coded passwords and computer encryption; (g) Restrict access to data a minimum number of authorized surveillance staff who are designated by a responsible authorizing official, who have been Page 2 of 2 trained in confidentiality procedures, and who are aware of penalties for <br>unauthorized disclosure of surveillance information; (h) Require that any other public health program that receives data has appropriate security and confidentiality protections and penalties; (i) Restrict use of data, from which identifying information has been removed, to cabinet-approved research, and require all persons with this use to sign <br>confidentiality statements; (j) Prohibit release of any names or any other identifying information that may have been received in a report to any person or organization, whether public or <br>private, except in compliance with federal law or consultations with other <br>state surveillance programs and reporting sources. Under no circumstances <br>shall a name or any identifying information be reported to the CDC; and (k) Immediately investigate any report of breach of reporting, surveillance, or confidentiality policy, report the breach to the CDC, develop <br>recommendations for improvements in security measure, and take appropriate <br>disciplinary action for any documented breach. (4) The cabinet shall require any physician, advanced practice registered nurse, or medical laboratory that receives a report of a positive test for the human <br>immunodeficiency virus to report that information by reference to the name in <br>accordance with the procedure for establishing name reporting required by the <br>cabinet in an administrative regulation. Effective: July 15, 2010 <br>History: Amended 2010 Ky. Acts ch. 85, sec. 75, effective July 15, 2010. -- Amended 2005 Ky. Acts ch. 99, sec. 469, effective June 20, 2005. -- Amended 2004 Ky. Acts <br>ch. 102, sec. 4, effective July 13, 2004. -- Created 2000 Ky. Acts ch. 432, sec. 4, <br>effective July 14, 2000.
