Kan. Admin. Regs. § 28-1-26

Current through Register Vol. 44, No. 2, January 9, 2025
Section 28-1-26 - Protection of confidentiality of information regarding individuals with HIV infection
(a) Definitions. Each of the following terms shall have the meaning specified in this subsection:
(1) "AIDS" means the acquired immune deficiency syndrome.
(2) "Authorized personnel" means individuals who have signed a confidentiality statement.
(3) "Confidentiality statement" means a written statement, dated and signed by an applicable individual, that certifies the individual's agreement to abide by the security policy of a public health agency and this regulation.
(4) "Counseling and testing site" means a site where counseling and testing for HIV infection are available.
(5) "HIV" means the human immunodeficiency virus.
(6) "HIV confidential information" means all combinations of individual data elements or information collected for surveillance purposes pursuant to K.S.A. 65-6002 and amendments thereto, in electronic or hard copy, that could identify anyone with HIV or AIDS, including the name, date of birth, address, and other identifying information.
(7) "HIV confidentiality officer" means the official in a public health agency responsible for implementing and enforcing all the measures to protect HIV confidential information as defined under this regulation.
(8) "HIV infection" means the presence of HIV in the body.
(9) "HIV prevention counseling" and "HPC" mean a client-centered counseling activity designed to assist clients in assessing their risks of acquiring or transmitting HIV and in negotiating a realistic and incremental plan for reducing risk.
(10) "HIV report" means a report of HIV infection or AIDS transmitted to a public health agency pursuant to K.S.A. 65-6002 and amendments thereto.
(11) "Partner counseling and referral services" and "PCRS" mean a prevention and control activity conducted by trained individuals who contact and counsel each individual with HIV infection or AIDS who is reported to the secretary utilizing HPC.
(12) "Public health agency" means any organization operated by any state or local government that acquires, uses, discloses, or stores HIV confidential information for public health purposes.
(13) "Secretary" means the secretary of health and environment.
(14) "Secured area" means the physical confinement limiting the location where HIV confidential information is available.
(15) "Written security policy" means written specifications of the measures adopted to protect HIV confidential information and a description of how to implement these measures.
(b) Each public health agency shall appoint an HIV confidentiality officer, who shall have the authority to make decisions about the agency operations that could affect the protection of HIV confidential information.
(c) HIV confidential information shall be maintained in a secured area that is not easily accessible through a window and that is protected by a locked door. Access to the secured area shall be limited to authorized personnel only, and "Restricted area-No unauthorized access" signs shall be prominently posted. Access to the secured area by cleaning crews and other building maintenance personnel shall be granted only during hours when authorized personnel are available for escort or under conditions in which the data is protected by security measures specified in the written security policy.
(d) Hard copy records containing HIV confidential information shall be kept in a locked cabinet located in a secured area, except when in use by authorized personnel. Records shall not be removed from any secured area without authorization from the HIV confidentiality officer.
(e) All electronic records containing HIV confidential information shall be kept on computers protected by coded, individual passwords and located in a secured area. Each transfer of records onto removable electronic media shall occur only if absolutely necessary for HIV surveillance program operations and shall be required to be authorized by the HIV confidentiality officer. The records shall always be encrypted before the transfer to the removable media. Exchange of HIV confidential information using electronic mail shall be done only if encryption procedures are utilized.
(f) HIV confidential information shall be permanently removed from HIV records as soon as the information is no longer necessary for the purposes of the prevention and control of HIV infection.
(g) Mail containing HIV confidential information shall not include on the envelope or address any reference to the HIV infection, to the HIV virus, or to AIDS.
(h) All telephone conversations in which HIV confidential information is exchanged shall be conducted in a manner that prevents the conversations from being overheard by unauthorized persons.
(i) Each local health officer responsible for a public health agency shall adopt and implement a written security policy related to HIV confidential information consistent with the provisions of this regulation. A copy of the security policy shall be distributed to all authorized personnel.
(j) Access to HIV confidential information shall be restricted to a minimum number of authorized personnel trained in confidentiality procedures and aware of penalties for the unauthorized disclosure of HIV confidential information. The HIV confidentiality officer shall authorize the persons who may have access to HIV confidential information and shall keep a list of these authorized personnel.
(k) Each person authorized to access HIV confidential information shall sign a confidentiality agreement. The HIV confidentiality officer shall maintain a copy of the confidentiality agreement for all authorized personnel.
(l) HIV confidential information shall not be cross-matched with records in other databases if the resulting cross-matched databases do not have equivalent security and confidentiality protections, and penalties for unauthorized disclosure as those for the HIV confidential information.
(m) The use of records containing HIV confidential information for research purposes shall be required to be approved in advance by institutional review boards, and all researchers shall sign confidentiality statements. Information made available for epidemiologic analyses shall not include names or other HIV confidential information and shall not result in the direct or indirect identification of persons reported with HIV and AIDS.
(n) Authorized personnel designated by the secretary shall provide confidential, voluntary PCRS in accordance with this regulation. Any personnel providing PCRS who have reason to believe that a spouse, sex partner, or needle-sharing partner of a person who either is infected with HIV or has AIDS may be exposed to HIV or AIDS and is unaware of this risk of exposure may inform the spouse or partner of the risk of exposure if they do not reveal any identifying information about the original patient, including the name, physical description, time frame, method of transmission, and frequency of exposure.
(o) All communication between public health agencies, both interstate and intrastate, for the purpose of supporting surveillance and PCRS activities, shall disclose information only to the extent necessary to protect the public health pursuant to K.S.A. 65-6002 and amendments thereto.
(p) Each security breach of HIV confidential information shall be investigated by the HIV confidentiality officer, and personnel sanctions and criminal penalties shall be imposed as appropriate. The HIV confidentiality officer shall make an immediate telephone notification to the secretary that a breach of HIV confidential information occurred and shall transmit to the secretary a written report within seven days from the time the breach is discovered.
(q) This regulation shall apply to the following:
(1) All public health agencies engaged in the provision of services to prevent and control HIV or AIDS as specified in K.S.A. 65-6003 and amendments thereto;
(2) all individuals required to send HIV reports to the secretary under K.S.A. 65-6002, and amendments thereto; and
(3) all counseling and testing sites that receive funds from public health agencies.

Authorized by K.S.A. 65-101 and 65-6003; implementing K.S.A. 65-6002 and 65-6003; effective Feb. 18, 2000; amended July 7, 2006.