214.645 Reporting system of HIV-positive persons -- Confidentiality and reporting requirements -- Reporting system surveillance, assessment, and restrictions. (1) The Cabinet for Health and Family Services shall establish a system for reporting, by the use of the person's name, of all persons who test positive for the human immunodeficiency virus (HIV) infection. The reporting shall include the data including, but not limited to, CD4 count and viral load, and other information that are necessary to comply with the confidentiality and reporting requirements of the most recent edition of the Centers for Disease Control and Prevention's (CDC) Guidelines for National Human Immunodeficiency Virus Case Surveillance. Anonymous testing shall remain as an alternative. If less restrictive data identifying requirements are identified by the CDC, the cabinet shall evaluate the new requirements for implementation. (2) The reporting system established under subsection (1) of this section shall: (a) Use the same confidential name-based approach for HIV surveillance that is used for AIDS surveillance by the cabinet; (b) Attempt to identify all modes of HIV transmission, unusual clinical or virologic manifestations, and other cases of public health importance; (c) Require collection of the names and data from all private and public sources of HIV-related testing and care services; and (d) Use reporting methods that match the CDC's standards for completeness, timeliness, and accuracy, and follow up, as necessary, with the health care provider or the provider's designee making the report to verify completeness, timeliness, and accuracy. (3) Authorized surveillance staff designated by the cabinet shall: (a) Match the information from the reporting system to other public health databases, wherever possible, to limit duplication and to better quantify the extent of HIV infection in the Commonwealth; (b) Conduct a biennial assessment of the HIV and AIDS reporting systems, insure that the assessment is available for review by the public and any state or federal agency, and forward a copy of the assessment to the Legislative Research Commission and the Interim Joint Committee on Health and Welfare; (c) Document the security policies and procedures and insure their availability for review by the public or any state or federal agency; (d) Minimize storage and retention of unnecessary paper or electronic reports and insure that related policies are consistent with CDC technical guidelines; (e) Assure that electronic transfer of data is protected by encryption during transfer; (f) Provide that records be stored in a physically secluded area and protected by coded passwords and computer encryption; (g) Restrict access to data a minimum number of authorized surveillance staff who are designated by a responsible authorizing official, who have been trained in confidentiality procedures, and who are aware of penalties for unauthorized disclosure of surveillance information; (h) Require that any other public health program that receives data has appropriate security and confidentiality protections and penalties; (i) Restrict use of data, from which identifying information has been removed, to cabinet-approved research, and require all persons with this use to sign confidentiality statements; (j) Prohibit release of any names or any other identifying information that may have been received in a report to any person or organization, whether public or private, except in compliance with federal law or consultations with other state surveillance programs and reporting sources. Under no circumstances shall a name or any identifying information be reported to the CDC; and (k) Immediately investigate any report of breach of reporting, surveillance, or confidentiality policy, the CDC, develop recommendations for improvements in security measure, and take appropriate disciplinary action for any documented breach. the breach report to (4) The cabinet shall require any physician, advanced practice registered nurse, designee, or medical laboratory that receives a report of a positive test for the human immunodeficiency virus to report that information by reference to the name in accordance with the procedure for establishing name reporting required by the cabinet in an administrative regulation. Effective: June 27, 2019 History: Amended 2019 Ky. Acts ch. 134, sec. 3, effective June 27, 2019. -- Amended 2010 Ky. Acts ch. 85, sec. 75, effective July 15, 2010. -- Amended 2005 Ky. Acts ch. 99, sec. 469, effective June 20, 2005. -- Amended 2004 Ky. Acts ch. 102, sec. 4, effective July 13, 2004. -- Created 2000 Ky. Acts ch. 432, sec. 4, effective July 14, 2000.