Protecting HIV information in countries scaling up HIV services: a baseline study

Background Individual-level data are needed to optimize clinical care and monitor and evaluate HIV services. Confidentiality and security of such data must be safeguarded to avoid stigmatization and discrimination of people living with HIV. We set out to assess the extent that countries scaling up HIV services have developed and implemented guidelines to protect the confidentiality and security of HIV information. Methods Questionnaires were sent to UNAIDS field staff in 98 middle- and lower-income countries, some reportedly with guidelines (G-countries) and others intending to develop them (NG-countries). Responses were scored, aggregated and weighted to produce standard scores for six categories: information governance, country policies, data collection, data storage, data transfer and data access. Responses were analyzed using regression analyses for associations with national HIV prevalence, gross national income per capita, OECD income, receiving US PEPFAR funding, and being a G- or NG-country. Differences between G- and NG-countries were investigated using non-parametric methods. Results Higher information governance scores were observed for G-countries compared with NG-countries; no differences were observed between country policies or data collection categories. However, for data storage, data transfer and data access, G-countries had lower scores compared with NG-countries. No significant associations were observed between country score and HIV prevalence, per capita gross national income, OECD economic category, and whether countries had received PEPFAR funding. Conclusions Few countries, including G-countries, had developed comprehensive guidelines on protecting the confidentiality and security of HIV information. Countries must develop their own guidelines, using established frameworks to guide their efforts, and may require assistance in adapting, adopting and implementing them.


Background
Many middle-and lower-income countries are scaling up HIV prevention, treatment, care and support services within the context of Universal Access [1] and achieving the Millennium Development Goals [2]. This involves collecting individual-level data, which enable individuals to be tracked over time within and between sites for clinical management, and can also provide information for monitoring or evaluating services. Paper-based and electronic information systems, increasingly developed and used in these countries, must ensure the confidentiality and security of these data, yet allow relatively easy access to such data for both service provision and monitoring and evaluation.
Confidentiality and security must be ensured for data collection, storage, use and dissemination within countries and at international levels. This includes the physical protection of data to guard against environmental threats, such as floods, fire or other environmental threats, and the protection needed to guard against inappropriate use by humans of sensitive information, whether due to inadvertent or deliberate activities.
To improve health outcomes and reduce harm, individual health data must be used to inform healthcare. This involves an ongoing process of refining the balance between: a) Maximizing benefits that can and should come from the wise and fullest use of data b) Minimizing the harm that can result from either malicious or inadvertent inappropriate release of individually identifiable data.
These potential benefits and harms may accrue to individuals, groups or institutions. While longitudinal paper-based or electronic patient health data repositories can provide the basic information to monitor and evaluate service provision, they also provide opportunities for breaches in confidentiality of individual records in consolidated and centrally accessible data. These considerations motivated the development of a set of principles or guidelines, which, independent of context, may help maintain the balance between maximizing benefit and minimizing harm. To assist countries in addressing this critical issue, a consensus workshop was held in Geneva, Switzerland, in May 2006, attended by national and international experts, which resulted in the development and publication of the Joint United Nations Programme on HIV/AIDS (UNAIDS) and the US President's Emergency Plan for AIDS Relief (PEP-FAR) Interim Guidelines on Protecting the Confidentiality and Security of HIV Information [3].
The issues described and the solutions proposed by the Interim Guidelines go well beyond HIV-information systems [4], and they were developed with the intention that the guidelines would also be relevant for health sector-wide information systems [5].
The Interim Guidelines focus on the three interrelated concepts of privacy, confidentiality and security, all of which affect the protection of sensitive data. Privacy is both a legal and an ethical concept. The legal concept refers to the legal protection that has been accorded to an individual, based on human rights principles [3], to control both access to and use of personal information; it provides the overall framework within which both confidentiality and security are implemented. Confidentiality relates to the right of individuals to have their data protected during collection, storage, transfer and use in order to prevent unauthorized disclosure of that information to third parties. Security refers to a collection of technical approaches that address issues covering physical, electronic and procedural aspects of protecting information collected as part of the scale up of HIV services. Security must support protection of data from both inadvertent and malicious inappropriate disclosure, and minimize data outages due to system failure and user errors.
The focus of this study was, therefore, to assess how middle-and lower-income countries have so far dealt with securing the confidentiality of HIV information through the development of privacy laws, which cover the different types of data collected through their HIV clinical care monitoring and evaluation systems, and the specific security measures identified within the data collection, storage, transfer and analysis process.

Methods
In September 2007, questionnaires were sent out to field staff present in all 80 countries with UNAIDS offices, which covered 98 middle-and lower-income countries as some of the offices covered more than one country. UNAIDS staff, in conjunction with relevant country staff employed through PEPFAR, were asked to identify the most appropriate country professional(s) to complete the questionnaire. Respondents were contacted by the UNAIDS staff, and UNAIDS or PEPFAR staff were asked to facilitate completion of the questionnaire by country professionals. Questionnaires were returned to the respective UNAIDS country staff member, who reviewed the responses and followed up when necessary with the country respondent.
Subsequently, the completed questionnaires were forwarded to the UNAIDS Secretariat in Geneva. In Geneva, questionnaires were reviewed and if queries arose, country staff was again contacted to try to obtain answers to the queries. Questionnaires were initially piloted in four countries, subsequently revised, and English, French, Russian, Spanish and Portuguese language versions produced. The data collection period was from September 2007 to April 2008.
A substantial number of country respondents indicated that their countries had already developed such guidelines, while the majority acknowledged that such guidelines did not yet exist in their countries. For this reason, two questionnaires were developed at the request of the country respondents themselves: one for countries that reportedly had developed relevant guidelines (G-countries); and another one for countries that had not yet developed such guidelines but intended to do so (NG-countries). Whether a G-country or NG-country questionnaire was to be completed was agreed after discussions between the country respondent and their UNAIDS liaison officer. The two questionnaires covered similar topics, with questions for G-countries phrased in terms of "have you included...", whereas questions for NG-countries were phrased in terms of "would you include...".
Each questionnaire covered the following three areas: 1. The existence of privacy laws in the country 2. The extent to which countries have been able to develop and implement a national HIV monitoring and evaluation system as part of the Three Ones principles that promote better coordination of national responses to their HIV epidemic [6] 3. The physical and electronic protection of data, the conditions of the use of data and release of analyses based on these data.
These areas covered the various measures highlighted in the Interim Guidelines that countries can take to scale up services while improving the confidentiality and security of HIV information.
Some of the analyses produced compared responses between G-and NG-countries. The responses from NG-countries can be interpreted as those topics that respondents would "ideally" like to see included in future guidelines and can be characterized as a "vision statement". The responses from G-countries, meanwhile, provided some "reality check" in terms of what policies countries had actually developed and implemented. The null-hypothesis tested in this study was that there were no significant differences in terms of the guidelines that G-countries had developed and those that NG-countries indicated that they would include in the future.
Questions were aggregated into six related categories, each of which dealt with an important measure for securing the confidentiality of HIV information: information governance, country policies, data collection, data storage, data transfer and data access. The scoring system assigned "1" to a positive response, while negative or missing responses received a score of "0". Scores were summed and then standardized so that scores for each category ranged from 0 to 100, where a score of 100 indicated positive responses to all items. Standardization allowed the individual category scores to be compared across respondents.
Standardized composite country scores are presented as median and interquartile (IQR) ranges. Associations between country scores and country HIV prevalence [7], gross national income (GNI) per capita [8], Organization for Economic Cooperation and Development (OECD) income classification [9] and funding received from PEPFAR were investigated.
Comparisons were analysed using non-parametric tests, including the Chi-square test with Yates' correction, Mann-Whitney U and Kruskal-Wallis tests. Standardized composite scores were analysed using univariate or multivariable regression analyses; all analyses were performed using either OpenEpi [10] or SAS Version 9.1.2 [11]. All p-values presented are two-tailed.

Results
Seventy-seven completed country questionnaires were returned, 21 from G-countries and 56 from NG-countries, a response rate of 80%. Of the 77 responding countries, 45% were OECD low-income countries, 39% low-middleincome countries and 15% upper-middle-income countries.
All countries reported that they had developed a national strategic HIV plan; all G-countries and 54 (95%) NG-countries reported that they had established a national AIDS coordinating authority. Eighteen (86%) G-countries and 44 (77%) NG-countries reported that they had established a national HIV monitoring and evaluation (M&E) system. In terms of the type of data collected through these M&E systems, of the 63 countries that completed this question, all reported that they collected health sector data, 91% collected data on social services, 88% collected geographical information, 86% educational information, 64% economic data and 61% labour data. No significant differences were observed between responses from G-and NG-countries.

Aggregated analyses
When comparing G-and NG-countries in terms of the aggregate categories, statistically significant higher scores were observed for G-countries compared with NG-countries for information governance (p < 0.01) (Table 1). Conversely, for country policies, data collection, storage, access and transfer categories, NG-countries scores were statistically significantly higher compared with G-countries (Table 1).
No statistically significant associations were observed between country score and HIV prevalence or per capita GNI (Table 2). Similarly, no statistically significant differences were observed in terms of countries scores for the various OECD countries (Table 3), nor between countries that had received PEPFAR funding and those that did not (Table 4).

Existing country guidelines
G-countries were asked to provide copies of their relevant policy documents: 13 (62%) countries did so. However, none of these documents provided the degree of detailed guidance described in the Interim Guidelines [3]. Most of the existing guidelines required the strict maintenance of medical confidentiality surrounding HIV-related information, indicating that consent was frequently required for testing and sometimes for sharing HIV information with other professionals or individuals.
Confidentiality exemptions were most commonly made for the purposes of statutory monitoring and reporting, medical referrals and to inform sexual partners. Of the 57 NG-countries, 33 (59%) indicated that they intended to develop their own guidelines, and 10 (29%) reported that they had already started this process.

Privacy laws
Eighteen (90%) G-countries indicated that they had existing privacy laws, compared with 31 (57%) NG-countries [p < 0.02]. Concerning the requirement to obtain consent for collecting individual data for routine government analyses, 17 (81%) G-countries indicated that such consent was required compared with 30 (54%) NG-countries [p = 0.05]. When asked about collecting data for research purposes, 19 (91%) G-countries and 45 (82%) NG-countries indicated that individual consent was required for the collection of research data, a difference that was not statistically significant.

Selected confidentiality and security issues
Guidelines on data collection, storage, access, transfer, analysis, use and feedback, which G-countries had included in their policy documents, were similar to those that the NG-countries mentioned that they would include. However, 12 (75%) G-countries reported that data backup and data recovery were covered in their guidelines, while 51 (98%) NG-countries indicated that they would include such topics [p < 0.02]. For data disposal, 11 (65%) G-countries had this covered in their guidelines compared with 49 (96%) NG-countries [p < 0.005] that indicated that they would include this topic.
Seventeen (89%) G-countries and 52 (100%) NG-countries reported that confidentiality needed to be maintained when collecting individual information in a clinical setting. Three G-countries and eight NG-countries reported that this could be done in a secluded area of an open room, while 13 (68%) G-countries reported that this should be done in a closed room compared with 49 (93%) NG-countries [p < 0.05].
Ten (56%) G-countries and 50 (96%) NG-countries [p < 0.0005] reported that the installation of anti-virus software on all computers is, or should be, part of the guidelines. Countries that recognized the need for antivirus software also identified the need to regularly update such programmes.
Three (17%) G-countries had reported that they had created steering groups to oversee implementation of guidelines on data collection, storage, analysis, use and release, while 42 (81%) NG-countries [p < 0.00005] indicated that they would do so in future. Such an oversight role was considered to be appropriate for health or community facilities, sub-national or national government facilities and national data warehouses.
Concerning the removal of personal identifiers before transferring information to data repositories or warehouses for monitoring and evaluation of services, 11 (65%) G-countries had incorporated this in their policies compared with 51 (98%) NG-countries [p < 0.002] that claimed that they would include them in future guidelines. Provisions for accessing stored information by academics or other stakeholders for specific analyses or projects was reportedly encouraged by 13 (72%) G-countries, while 49 (94%) NG-countries [p < 0.05] indicated that they would include provisions for such access in future guidelines.

Discussion
Few countries scaling up HIV services had developed guidelines on protecting the confidentiality and security of HIV information at the time of completing the survey. The Interim Guidelines cover three aspects: privacy, confidentiality and security. Based on the feedback from country informants, the relationship between these three is not always understood. For example, 49 countries claimed to have developed privacy laws, including 55% of countries that claimed not to have developed guidelines. It is notable that in the countries that reportedly had developed policy guidelines, their implementation lacked the breadth and depth of those set out in the published UNAIDS/PEPFAR Interim Guidelines [3]. The only area in which the G-countries scored higher than the NG-countries was the information governance category, which included the more likely existence of privacy laws in G-countries compared with NG-countries. However, countries may face practical challenges that hinder adoption of certain aspects of the guidelines, while the generally higher scores for NG-countries may also reflect the fact that NG-countries have so far not fully appreciated the level of effort needed to develop comprehensive measures to protect the confidentiality and security of personal HIV information.
The majority of countries without guidelines reported that they wanted to develop such guidelines, while some claimed to have started this process. However, respondents who completed the questionnaire for NG-countries may have treated the questionnaire as a "wish-list", and not all areas described in the Interim Guidelines may be included once countries have developed their own guidelines. This suggests that the implementation of different aspects of such guidelines may pose practical difficulties in resource-limited countries, and that donor countries or international agencies must assist in the adaptation, adoption and implementation in these countries.
For example, the finding that G-countries had included virus protection and data backup procedures into their local policies less frequently than NG-countries intended to do in future policies could be due to the fact that countries lack the resources to maintain such procedures. It could also be due to an under appreciation of the important role that simple and affordable data protections procedures can play in assuring the consistent availability of electronic information systems.
Similarly, no associations were observed between country scores and HIV prevalence, GNI per capita and OECD country ranking. While one could argue that the better-off countries have more resources to implement such measures, this association did not hold. The extreme example of this is that even many industrialized countries have not developed such guidelines, although privacy laws may be more developed in a number of these countries. That countries like the US and UK have recently stepped up activities in this areas may well be related to the fact that they have had numerous examples where personal information has found its way into the hands of unauthorized third parties [12][13][14]. While the response rate for this survey was high, a number of limitations exist. UNAIDS and PEPFAR staff were asked to get the relevant host country professionals to complete the questionnaires, which may not have been possible in all countries. Even if country professionals completed the questionnaire, not all of them may have been cognisant of all existing legal or other relevant policies in their country. Furthermore, given that the survey dealt with a range of diverse but related issues, some informants may have developed "answering fatigue".
The issue of maintaining the confidentiality and security of HIV information is very important but remains a neglected policy area in many countries. In a number of countries, the fact that government officials were asked to complete the questionnaire facilitated raising the issue of confidentiality and security of HIV information for the first time, and catalyzed stakeholders into action.

Conclusions
Given the persistence of stigma and discrimination in many countries towards HIV infection and people living with HIV (PLHIV) [15], confidentiality concerns may deter people from being tested for HIV or using services available to PLHIV or people affected by HIV [16,17]. If governments and health professionals can ensure the confidentiality and security of HIV information collected in community or health facilities and information repositories like national data warehouses, more people may come forward to be tested or use services created to serve PLHIV or people affected by HIV [18]. On the whole, PLHIV and people affected by HIV appreciate the need for the availability of accurate and contemporary information to improve clinical management and to monitor and evaluate services, as indicated by the strong involvement that PLHIV had in developing the Interim Guidelines and subsequent responses [18]. One step towards achieving confidentiality and security of HIV information is for more countries to appreciate the breath and depth required to ensure the protection of personal HIV information and to adapt, adopt and implement local guidelines on protecting the confidentiality and security of HIV information in line with their cultural and socio-economic contexts, using the published Interim Guidelines [3] to guide their efforts and having the resources to do so.