Texas DSHS HIV/STD/TB Bi-Annual LRP Security Assessment

DSHS requires regional and local health departments that handle HIV, STD, or TB public health data (electronic or paper), and/or have staff who access DSHS-approved secure networks for HIV, STD, or TB work, to conduct a bi-annual security assessment. Each public health entity has an assigned Local Responsible Party (LRP) who is responsible for ensuring the security and confidentiality of data and data systems for their jurisdiction. LRPs submit the site security assessment twice per year. If there is more than one LRP at your site (e.g., for different diseases), each LRP must submit an assessment.

Security and Confidentiality Policies & Procedures

Does the agency have written security and confidentiality policies and procedures regarding TB/HIV/STD confidential information?*
Are written security and confidentiality policies and procedures reviewed at least annually and revised as needed?*

In your agency, is there a policy that designates an LRP and assigns responsibilities to the LRP for the security of information that is stored in physical copies and/or various data systems?*
Does the LRP have sufficient authority to make modifications to security and confidentiality policies and procedures to ensure TB/HIV/STD standards are met?*
Does the agency have a written policy that describes methods for ongoing review of the technological aspects of security practices, to ensure that TB/HIV/STD data remain secure in light of evolving technologies?*
Have all personnel with access to TB/HIV/STD confidential information (including IT, janitorial, and volunteer staff) taken the DSHS required security and confidentiality training course within the last year?*
Are security and confidentiality policies and procedures readily accessible to all staff members who have access to confidential information and PHI?*
Are all staff provided training on security and confidentiality policies and procedures and where to find related resources?*
Do policies state that staff are personally responsible for protecting their assigned agency equipment associated with confidential public health information and/or data?*

Privacy Incidents

Are written procedures in place to respond to privacy incidents?*
Is the protocol for notifying appropriate individuals (upper management and/or LRP) of suspected privacy incidents outlined in the policy/procedure?*
Are all suspected violations of confidentiality (i.e., a security infraction that results in the release of private information, with or without harm to one or more persons) reported immediately to the LRP (initial report due within 24 hours of discovery)?*
Are all violations of protocol or procedure, regardless of whether personal information was released, investigated immediately (initial report due within 24 hours of discovery) to determine causes and implement remedies?*
Do procedures include a mechanism for consulting with appropriate legal counsel (agency privacy/security department) to determine whether a privacy incident warrants a report to law enforcement agencies?*
If warranted, are law enforcement agencies contacted when a privacy incident occurs?*
To date, have all privacy incidents been reported to DSHS TB/HIV/STD Section Privacy Coordinator?*

Public Health Data

When public health data are shared and/or used, are the intended public health purposes and the limits on how the data will be used adequately described in the agency's policy and/or data agreement?*
When data are collected and/or shared, do they contain only the minimum information necessary to achieve the stated public health purpose?*
Does your program explore alternatives to using identifiable data before sharing data, such as using anonymized or coded data?*

Signature