Advertisement
Browse Subject Areas
?

Click through the PLOS taxonomy to find articles in your field.

For more information about PLOS Subject Areas, click here.

  • Loading metrics

Practices in security and confidentiality of HIV/AIDS patients’ information: A national survey among staff at HIV outpatient clinics in Vietnam

  • Nguyen Khac Hai,

    Roles Conceptualization, Data curation, Formal analysis, Investigation, Methodology, Project administration, Resources, Software, Validation, Visualization, Writing – original draft, Writing – review & editing

    Affiliation Hanoi Medical University, Hanoi, Vietnam

  • Saranath Lawpoolsri,

    Roles Methodology, Resources, Supervision, Writing – review & editing

    Affiliation Mahidol University, Department of Tropical Hygiene, Bangkok, Thailand

  • Podjanee Jittamala,

    Roles Methodology, Resources, Supervision, Writing – review & editing

    Affiliation Mahidol University, Department of Tropical Hygiene, Bangkok, Thailand

  • Phan Thi Thu Huong,

    Roles Methodology, Resources, Supervision, Writing – review & editing

    Affiliation Vietnam Authority of HIV/AIDS Control, Ministry of Health, Hanoi, Vietnam

  • Jaranit Kaewkungwal

    Roles Conceptualization, Formal analysis, Funding acquisition, Methodology, Project administration, Resources, Software, Supervision, Validation, Visualization, Writing – original draft, Writing – review & editing

    jaranit.kae@mahidol.ac.th

    Affiliation Mahidol University, Department of Tropical Hygiene, Bangkok, Thailand

    ORCID http://orcid.org/0000-0001-7916-8460

Practices in security and confidentiality of HIV/AIDS patients’ information: A national survey among staff at HIV outpatient clinics in Vietnam

  • Nguyen Khac Hai, 
  • Saranath Lawpoolsri, 
  • Podjanee Jittamala, 
  • Phan Thi Thu Huong, 
  • Jaranit Kaewkungwal
PLOS
x

Abstract

Introduction

Breach of confidentiality or invasion of privacy from the collection and use of medical records, particularly those of patients with HIV/AIDS or other diseases sensitive to stigmatization, should be prevented by all related stakeholders in healthcare settings. The main focus of this study was to assess practices regarding security and confidentiality of HIV-related information among staff at HIV outpatient clinics (HIV-OPCs) in Vietnam.

Methods

A descriptive cross-sectional study was conducted at all 312 HIV-OPCs across the country using an online survey technique.

Results

In general, the staff practices for securing and protecting patient information were at acceptable levels. Most staff had proper measures and practices for maintaining data security; however, the protection of patient confidentiality, particularly for data access, sharing, and transfer still required improvement. Most HIV-OPC staff had good or moderate knowledge and positive perceptions towards security and confidentiality issues. Staff who were not trained in the practice of security measures differed significantly from those who were trained (OR: 3.74; 95%CI: 1.44–9.67); staff needing improved knowledge levels differed significantly from those with good (OR: 5.20; 95%CI: 2.39–11.32) and moderate knowledge levels (OR: 5.10; 95%CI: 2.36–11.00); and staff needing improved perception levels differed significantly from those with good (i.e., with 100% proper practices) and moderate perception levels (OR: 5.67; 95%CI: 2.93–10.95). Staff who were not trained in the protection of data confidentiality differed significantly from those who were trained (OR: 2.18; 95%CI: 1.29–3.65).

Conclusions

Training is an important factor to help raise the levels of proper practices regarding confidentiality and security, to improve knowledge and raise awareness about change among staff. The operation and management of HIV treatment and care in Vietnam are currently transitioning from separate healthcare clinics (HIV-OPC) into units integrated into general hospitals/healthcare facilities. The findings of this study highlight topics that could be used for improving management and operation of information system and revising guidelines and regulations on protection measures/strategies for data security and confidentiality of HIV/AIDS patients by Vietnam health authorities or other countries facing similar situations. Secure infrastructure and secure measures for data access and use are very important, worthwhile investments. The provision of continuous training and active enforcement and monitoring of the practices of healthcare personnel might lead to an improved understanding and acknowledegement of the importance of national policies/guidelines regarding HIV-related patient information.

Introduction

Over 70% of people living with HIV (PLHIV) are concentrated in Sub-Saharan Africa and the Asia-Pacific [1, 2]. In Vietnam, HIV/AIDS is one of the 10 main causes of death [3]. In the last quarter of 2014, the Vietnamese government has committed to the HIV treatment target, the United Nations (UN) “90-90-90” program, which aims to stop the HIV pandemic by AD 2030. That means “90% of people living with HIV will know their HIV status, 90% of people who know their status are on HIV treatment, and 90% of all people on treatment will have undetectable levels of HIV in their body (known as viral suppression)” [4]. Vietnam has made a concerted effort to increase the number of PLHIV to participate in antiretroviral therapy (ART) programs at local healthcare facilities, and the numbers have been increasing [5]. At the end of 2015, there were over 227,000 PLHIV in Vietnam, particularly those belonging to high-risk groups [6]. However, to join the ART program, patients must reveal their personal identifiable information—name, age, detailed address, national identification number, HIV status profile, etc. Several studies have identified associations between social stigma and the confidentiality/security of HIV/AIDS patient information [710]. Confidentiality is a concern for individuals seeking HIV-related healthcare services; when personal health information is not confidential or secure, HIV/AIDS patients are often reluctant to engage with these services [1112].

The use of patient-identifiable data must strike a balance between maximizing the benefits of data usage and minimizing potential harm owing to inadvertent or malicious release of sensitive data [12]. Vietnam has adopted regulations and guidelines ensuring the security and confidentiality of HIV-related information; these include Decision No. 4159/QD-BYT, dated 13/10/2014, on the security of electronic health information at health facilities and the health industry [13], and the Health Ethics Regulation [14], among others.

Confidentiality and security measures are valuable because they reflect autonomy and control over personal information and free patients from the burdens of stigma, inequality, and discrimination [15]. Confidentiality concerns an individual’s right to protection of their data during storage, transfer, and use. Security is a collection of technical approaches that address issues covering physical, electronic, and procedural aspects of protecting any information that is collected [16]. Any breach of confidentiality or invasion of privacy should be prevented by all stakeholders. A study in Vietnam revealed that non-confidential healthcare processes can lead to serious consequences [17]. Although there have been numerous campaigns aimed at educating the public about HIV/AIDS, both globally and locally in Vietnam, evidence of the negative impacts of HIV-related stigma and discrimination are still reported [18].

In Vietnam, an HIV/AIDS care and ART program was established in 2000 by creating 312 HIV outpatient clinics (HIV-OPCs) nationwide. These clinics provide services exclusively for HIV patients, and patients at these clinics must provide personal identifiable-information to clinic staff. While Vietnam has escaped poverty and become increasingly prosperous, funding for HIV/AIDS programs has decreased rapidly with clearly reduced donor-sponsor support. This changing situation has obliged the Vietnam HIV/AIDS prevention system to be more streamlined [19]. The HIV-OPC system, which had been a separate HIV clinical setting, is currently in transition, and from 2017 will be gradually integrated into hospitals/general healthcare facilities. The change in management of the organization and delivery of ART and other HIV/AIDS services is a direct result of the reduction in donor funding. The operation and management resources for the HIV/AIDS program have to be increasingly subsidized by the Vietnamese government rather than the donors, and health insurance would be mandated to cover the cost of HIV patient treatment. At a hospital, HIV patients would be examined and treated like all other patients, while the distribution of antiretroviral (ARV) drugs would be implemented at the commune health station where patients live [19,20]. Personal health information will increasingly be shared with the health insurance agency when ARV drugs are administered and controlled under health insurance [5]. In addition, the data-sharing strategy has permitted health workers at the commune or hospital ward level to identify who is currently undergoing ARV treatment [21].

A balance is needed between the collection and sharing of individual-level data with the protection and safeguarding of such data, to optimize clinical care and to monitor and evaluate HIV services. The Joint United Nations Programme on HIV/AIDS (UNAIDS) investigated 98 mid- and low-income countries; reports varied substantially on issues of information governance and privacy, data storage and availability, data access, and data transfer [12, 22]. Several guidelines and standards on data security and confidentiality exist to facilitate the sharing and use of HIV surveillance data, covering access and roles, data sharing, physical and electronic data security, and security breaches [2328]. No evidence-based information currently exists on how these concerns have been implemented in HIV-healthcare services in Vietnam. This study was conducted as a national survey, particularly among healthcare providers at HIV-OPCs, and focused on assessing healthcare staff practices regarding security/confidentiality of HIV-related information. In addition, staff personal characteristics, as well as their knowledge and perception levels regarding security measures and protection of data confidentiality, were assessed to determine their associations with practice activities.

Materials and methods

Population and samples

The target population for this study comprised staff working at HIV-OPCs. With respect to sample size, we required at least 384 participants for a confidence interval of 95%, with a 50% planned proportion estimate and absolute precision of 5%. The study was conducted at all 312 HIV-OPCs in Vietnam, with the expectation of about two staff members at each HIV-OPC participating in the study.

Survey instrument

A descriptive cross-sectional study design was applied using an online survey, during March-June 2016. A structured questionnaire was used (S1 Appendix), with the content divided into four parts: Personal Information, Knowledge, Perception, and Practice. Items on the questionnaire were developed by adopting concepts, regulations of UNAIDS/PEPFAR (the United States President's Emergency Plan for AIDS Relief), and guidelines and regulations in Vietnam regarding confidentiality and security of HIV-related information, including policy and governance, data collection, data storage, data access and sharing, data transfer, and system security [12, 16, 2330].

Data collection and analysis

An e-mail containing a link to an online questionnaire was sent to the heads of the 312 HIV-OPCs, who then forwarded the link to their HIV-OPC staff. Staff members were asked to participate voluntarily in the study by completing the online form, which was automatically submitted to a database.

For the portion of the survey addressing knowledge (10 items), 1 point was given for each correct answer. Mean scores for knowledge were classified into three subgroups: Good (8–10 points), Moderate (6–7 points), and Needs Improvement (≤ 5 points). For the portion querying perception (9 five-point Likert scale items), a positive perception was established as responses of “Agree” and “Strongly Agree” with positive items, or “Disagree” and “Strongly Disagree” with negative items. Three subgroups for perception were also established: Good (8–9 points), Moderate (6–7 points), and Needs Improvement (≤ 5 points). To measure practice levels, the four-point Likert scale options were Always (≥ 80%), Often (≥ 50%), Rarely (< 50%), and Never (0%). Scoring of practice statements ranged from 1 to 4 for positive items and the reverse for negative items, respectively. The average scores were calculated for two sets of practices; i.e., security measures (4 items) and protection of data confidentiality (3 items). The average scores for the two types of practice were then classified into two subgroups representing staff with “proper practices” at an acceptable level (mean score ≤ 2) and “need improvement” practices (means score > 2).

Descriptive statistics were used to describe the characteristics, knowledge, perception, and practices of the respondents. Chi-square tests were used to compare the proportions between subgroups. Logistic regression was used to assess the strength of associations between respondent characteristics and their knowledge and perception levels with the levels of practices for security measures and protection of data confidentiality.

Ethical considerations

The study was approved by the Vietnam Authority of HIV/AIDS Control, Ministry of Health of Vietnam, and the Ethics Committee of the Faculty of Tropical Medicine, Mahidol University, Thailand. For the first part on the online questionnaire, study participants who followed a link on the questionnaire were clearly informed of the study’s purpose, risks and benefits, and their voluntary involvement. Respondents were informed that they could stop at any time while completing the survey, that all data were kept confidential and secure and with no respondent identities, and that their answers to the survey would not affect their job.

Results

Respondent characteristics

From all 312 HIV-OPCs in 63 provinces, 400 staff from 238 (76%) in 56 (89%) provinces responded to the online survey (Table 1). Respondents included 178 (44.5%) doctors, 23 (5.8%) pharmacists, 154 (38.5%) nurses, and 45 (11.3%) administrative/other healthcare personnel. Among these professionals, 212 (53.0%) were female; higher female percentages were found among all professional categories, except doctors. Ages ranged from 21 to 60 years; age distributions varied across different professions. The distributions of time working in the HIV field and time working at the HIV-OPCs, also varied across professions. Overall, 296 (74.0%) of respondents had never been trained in data security and confidentiality. Based on their correct answers to the 10-items measuring knowledge of general principles and Vietnamese regulations on security and confidentiality of HIV data, the HIV-OPC staff were classified into three subgroups: 173 (43.2%) had good knowledge, 180 (45.0%) moderate knowledge, and 47 (11.8%) needed improvement. Although there was no statistically significant difference between the different professions, higher percentages of good knowledge were found among doctors and administrative/other professionals. Similarly, based on their ratings for the 9 items measuring perceptions regarding perceived benefits and threats to protect data security and confidentiality of HIV data, the HIV-OPC staff were classified into three subgroups: 104 (26.0%) had good perception, 185 (46.2%) moderate perception, and 111 (27.8%) needed improvement. Again, no statistically significant difference was evident between professions, but a higher percentage of good perception level was found among administrative/other professionals.

Practices for protection and safeguarding of confidential PLHIV information

Regarding security measures (Table 2), about 90% of HIV-OPC staff always kept patients’ paper records in a secured location. For entering patient data on personal computers, about 75% did not do so, but another 8% always or often did it while 17% rarely did so. About 53% of HIV-OPC staff followed the policy of periodically changing password while another half rarely or never did so. For practices of safeguarding the system, 40% of staff always and 42% often installed antivirus-software on computers containing HIV data.

The practices on protection of confidential data of the HIV patients were not fully compliant with the national policy and regulation (Table 2). For data sharing and transfer, 64% of respondents never sent reports containing HIV-related information via unauthenticated networks whereas 14% often or always did so. About 58% of respondents never shared patient information with other trusted healthcare personnel for consultation purposes; however, 8% often or always did so. Comparing across professional categories (table not shown), there were differences among professionals in this area: 70% of pharmacists never shared such information compared with 56%–60% of nurses and doctors and 47% of other staff; 7% of doctors and 13% of nurses often or always did so. In practice, up to 46% of respondents never obtained consent from the patient to share their personal information with others, whereas about 39% always or often did so. No significant differences were reported among professionals (table not shown).

Associations of staff characteristics with security and confidentiality practices

The associations of staff characteristics with their practices on security measures and protection of patient data confidentiality were analysed separately (Tables 3 and 4). From the average scores of their practice rating on 4-items regarding security measures, the HIV-OPC staff were classified into two subgroups: 348 (87%) had proper practice and 52 (13%) needs improvement in their current practices (Table 3). Male and female staff were not statistically significant in their practices. Similarly, there were no statistically significant differences among professionals, though lower percentage of pharmacists who had proper practice scores was observed. Time working in HIV field and time working at OPC were not significantly associated with proper practices on security measures; however, percentages of proper practices appeared to increase with longer working time. Staff who were not trained on security were significantly different from those who were trained (OR: 3.74; 95%CI: 1.44–9.67). Staff with needs improvement knowledge level were significantly different from those with good knowledge level (OR: 5.20; 95%CI: 2.39–11.32) and moderate knowledge level (OR: 5.10; 95%CI: 2.36–11.00). Similarly, staff with needs improvement perception level were significantly different from those with good perception level (with 100% proper practices) and moderate perception level (OR: 5.67; 95%CI: 2.93–10.95).

thumbnail
Table 3. Associations of practices on security measures, according to different staff characteristics.

https://doi.org/10.1371/journal.pone.0188160.t003

thumbnail
Table 4. Associations of practices on protection of confidentiality, according to different staff characteristics.

https://doi.org/10.1371/journal.pone.0188160.t004

From the average scores of their practice rating on 3-items regarding protection of patient data confidentiality, the HIV-OPC staff were classified into two subgroups: 264 (66%) had proper practice and 136 (34%) needs improvement in their practices (Table 4). Again, the staff practices regarding protection of data confidentiality were not significantly associated with sex, professional categories, time working in HIV field and at OPC, Staff who were not trained on such issues were significantly different from those who were trained (OR: 2.18; 95%CI: 1.29–3.65). Regarding the protection of data confidentiality, knowledge and perception levels were not significantly associated with such practices, even though the percentages of staff with proper practices were lower among those with needs improvement than the ones with moderate and good knowledge or perception levels.

Discussion

The results of this study suggested that security and confidentiality practices among HIV-OPC staff potentially increase the risk of revealing patient information. There has been a question whether separate HIV clinical settings, as compared with general hospital settings, would result in a greater or lower risk of breaching confidentiality. With the new approach when the treatment of ARV is conducted at a public health facility and ARV drugs are administered by a commune health station, HIV/AIDS patients are exposed to several different levels of healthcare personnel and other people, including non-HIV-infected patients. Therefore, the risk of exposing confidential information is higher, and ensuring security and confidentiality is more difficult. Before the changes in policy and management in 2017, all HIV-OPCs operated as separate units; the HIV information management software was a specific system and different from the information management system used at the public hospital and general healthcare facilities. From 2017 onwards, when the integration of HIV-OPCs into public hospital settings is implemented, a good management information system is essential to ensure the security and confidentiality of HIV/AIDS patients data that become part of the large information systems normally used in general hospitals. In the literature, an exit survey demonstrated that some integrated sites had raised concerns about patient confidentiality [31]. A study of awareness, experiences, and attitudes among staff in clinical settings suggested different environments might lead to leaks of confidential information, including the lack of private rooms for patient examination and the use of public-access computerized systems [32]. Even where a system is physically secure, multidisciplinary staff not involved in HIV/AIDS patient care may have access to detailed patient information [15, 32]. However, it can be concluded that any setting has a potential for violating patient confidentiality, if appropriate protective measures are not in place.

The majority of HIV-OPC staff had good or moderate levels of knowledge (88%) and positive perceptions (72%) regarding issues about security measures and disclosing/ensuring patient confidentiality. It should be noted that their knowledge and perception levels on such issues did not differ across profession categories, which may have different roles and responsibilities for accessing and using patient information. The professionals also did not differ in terms of training in security and confidentiality issues; however, only about a quarter of all professionals had been trained.

As a general rule in data security measures, personal information should be collected, stored, and disseminated in accordance with applicable national regulations [33]. Several guidelines for HIV programs have suggested planning and management for both physical and data security [13, 2330, 33, 34]. One study reported that 80% of AIDS surveillance offices in the United States have a security guard during non-working hours and 44% have fireproof cabinets [35]. Vietnam has similar regulations and guidelines on physical security for HIV/AIDS surveillance [13, 34, 36, 37]. As a simple physical security measure in this study, nearly all staff (90%) were well aware of and practiced keeping patients’ paper records in secured locations, which requires no complex information technology or skill. On the contrary, about 25% of HIV-OPC staff had entered patient data on personal computers; the practices for electronic data security that require computer applications/and/or electronic services had raised a risk management concern, since only 14% of staff rigorously changed passwords periodically and about 40% always installed and used antivirus software on computers containing patient data. These policies should be emphasized and enforced. Implementation of other manageable data security measures should be considered, as in another study showing that about 74% of HIV/AIDS offices in the United States installed security locks and 54% installed specialized software to control computer access [35].

Regarding protection of confidentiality of patient information in practice, about 39% of HIV-OPC staff always or often obtained patient consent before sharing personal information. However, for staff who reported never obtaining consent, this might be partially because these personnel had no role in using such information. In other studies in Vietnam [38, 39], 38% of PLHIVs reported that their HIV status had been disclosed without their consent. This incidence, varying from 15%-50%, was also reported in other Asian and African countries [4042]. Interestingly, a study among medical students reported that about three-fourths believed they had the right to inform the sexual partner of an HIV-positive patient of the patient’s HIV status [43]; however, another recent study reported that 70% of community members recommended maintaining patient confidentiality [44]. Confidentiality of patient information is based on trust between healthcare providers and their patients [15]. The general principle justifying the reasons for access and disclosure of minimum patient-identifiable information should be that it is acceptable only when absolutely necessary and on a strict need-to-know basis [12, 15, 22]. About 58% of HIV-OPC staff never shared patient information with other trusted healthcare personnel for consultation purposes, but some doctors and nurses often or always did so. This reflects a common practice among doctors and nurses, who have direct access to patient records for providing treatment and care, thus raising the potential for breaching patient confidentiality. The administrative staff who perform patient registration and pharmacists who request certain information about a patient’s condition might sometimes disclose patient information. A study among homo/bisexual men indicated that disclosure of their HIV status was used as a mechanism for coping with the disease [45]. Similarly, a study among clinical staff stated that they felt justified in disclosing information to other health personnel on a need-to-know basis [32]. A study among HIV/AIDS patients and other stakeholders in healthcare services suggested that the acceptability of data sharing depends on trust in how the data will be used [46]. As suggested in all guidelines, there should be appropriate technical and organizational measures in place to prevent unauthorized use and transfer of data to unrelated settings [2327]. About one-third of HIV-OPC staff had shared/transferred patient information via unsecured mechanisms. It is critical to consider the protection of patient information as the responsibility of healthcare providers [47]; therefore, more robust methods should be implemented, including encryption and strong authentication mechanisms [23, 26].

In examining the associations of HIV-OPC staff characteristics with their security and confidentiality practices, differences were observed among those who had been trained and those who had not. Those who had been trained on the concepts of data security and safeguarding patient data by the Vietnam Ministry of Health had better practices for both security measures and protection of personal health information. A systematic literature review reported that the implementation of legal requirements in dealing with security and confidentiality of sensitive data was mostly due to non-technical measures, including education/training program and raising awareness of such issues [48]. In another systematic review study identifying the needs of healthcare professionals to receive effective training in patients’ information confidentiality, it was suggested that health authorities must address the needs and provide training on the policies pertaining to confidentiality while the healthcare personnel need to have the proper skill set to ensure the security and confidentiality of patient health records [49]. The best solution for compliance with policies regarding security and confidentiality was to offer healthcare professionals educational tools, whereby healthcare organizations would provide regular updates to all professional health staff regarding the policies and procedures to prevent the exposure of sensitive data [48]. There were some studies reported the associations of poor training on security and confidentiality which could affect care [50,51]. It was suggested that investment in training with standardized educational materials was needed at the commencement of employment and on the job [52,53]. In this study, about 25% of HIV-OPC staff were fully trained, but 87% of them appeared to have proper security practices and 66% for the protection of data confidentiality. This may due to health authorities’ enforcement of policies and procedures governing access to and use of personal health data. However, it is still important to acknowledge that those who were trained had better practices, and thus training programs are needed, since some personnel may either be untrained or trained but not fully understand the importance of this matter. Moreover, technical support staff may be required to change personnel behaviors.

Knowledge and perceptions regarding the security and confidentiality of patient information were found to affect the proper practices of HIV-OPC staff, particularly regarding to security measures. Although there were no statistically significant differences for practices of protection of personal health information, the trends appeared to be similar—staff with moderate/good knowledge and perceptions had better practices for safeguarding patient data. Compared with 58% of the general population in a semi-urban setting in another study [54], 88% of HIV-OPC staff had good or moderate knowledge about the confidentiality of HIV-information. However, healthcare providers are expected to have good, rather than moderate, levels of knowledge in this regard. Moreover, different people may have different perceptions of what should be considered sensitive information; thus, it is important to have standards when providing care services to ensure compliance with and responsibility for the administration, monitoring, and evaluation of patient information [55]. To change the perception or attitude of staff members, they must recognize and understand what and why changes are needed. Highlighting the importance of information confidentiality and security measures is essential, as is building relevant technical skills.

The findings of this study reflect the classic theories of associations between knowledge and perception with awareness and behavior. Behavioral theories have also suggested that training is important as it would have positive associations with knowledge, beliefs, perceptions, and behaviors [56, 57]; therefore, arranging continual training on guidelines and regulations related to data security and confidentiality may help improve practices at the healthcare settings, at existing HIV-OPCs or integrated general healthcare hospitals.

Vietnam has regulations for the prevention and control of disclosure of HIV-identifiable information, and penalties for violations of the law [58], but the enforcement and monitoring of the guideline requirements/procedures have not been thorough. Adopting core standards of other countries for data security and confidentiality could be beneficial for HIV-OPC management in Vietnam. For example, stringent core technical standards implemented by the Centers for Disease Control and Prevention [23,26] include the following: (1) Healthcare providers with access to patient-identifiable data should attend data security/confidentiality training annually, and (2) newly hired staff should sign, and all other personnel re-sign, a confidentiality agreement annually. Core standards for data sharing and release include, for example, assessment of risks and benefits of sharing data if the data are to be shared beyond the originally stated purpose. However, a study across several countries concluded that successful development and implementation of guidance requires strong collaboration at local and national levels [12].

Limitations of the study

Several limitations should be acknowledged in this study. First, we used an observational survey design, and could only assess associations, not causation, between practices and potential factors, such as knowledge and perceptions. Second, several other organizational and structural factors might influence staff practices. As suggested in one guideline, the privacy and security of electronic health information might depend on the following: administrative safeguards, physical safeguards, organizational standards, and policies and procedures [59]. It should also be noted that “professions” was used as a proxy indicator of different types of OPC staffs using or accessing to confidential patient information but it may not reflect the actual respective roles and levels of responsibility among the respondents in handling such information.

Conclusions

In general, the practices among HIV-OPC staff for securing and protecting patient information were at acceptable levels. Most staff had proper practices for maintaining data security; however, protection of patient confidentiality, particularly for data access, sharing, and transfer, still needed improvement. Most HIV-OPC staff had good or moderate knowledge and positive perceptions towards security and confidentiality issues. Staff with good and moderate knowledge and perception tended to engage in proper practices more often than those needing improvement. Training in data security and confidentiality is an important factor for better practices, as it would also improve knowledge and raise awareness about the need to change the perceptions/attitudes of those needing improvement.

As the operation and management of HIV treatment and care in Vietnam is in transition from separate healthcare clinics (HIV-OPCs) into units integrated into general hospitals/healthcare facilities, the findings of this study suggest issues that might be useful for revising guidelines and regulations by Vietnam health authorities or other countries in similar situations. In planning for development and implementation of the computerized system and case-management procedures during this transition period, one should take into consideration, and have clear strategies to ensure, information confidentiality/safety/security and the benefits for HIV patients. Although there are many advantages to this transition approach, concerns involve the confidentiality of data that might engender patient stigma and discrimination. One of the critical questions of concern in the plan is how to ensure the security and confidentiality of HIV patients’ information when this information will be shared with third parties, especially health insurance officers and other health workers at general hospitals and commune health stations where HIV patients are administered ARV drugs. Secured infrastructure and data access and use measures are a very important and worthwhile investment. The provision of continuous training and active enforcement and monitoring of the practices of healthcare personnel, in either HIV-OPC settings or HIV/AIDS units integrating into general hospitals should improve understanding and acknowledegement of the importance of national policies and guidelines regarding HIV-related patient information.

Supporting information

Acknowledgments

This project was funded by a grant from the Rockefeller Foundation and the Faculty of Tropical Medicine, Mahidol University, Thailand. The authors would like to extend their thanks to the funders for supporting the graduate students in the Biomedical and Health Informatics program at Mahidol University. Sincere appreciation goes to all heads of the HIV-OPCs and the staff at all of the clinics in Vietnam, the key groups participating in the study, for their time and willingness to respond.

References

  1. 1. UNAIDS. Fact sheet HIV/AIDS. 2015. http://www.unaids.org/en/resources/campaigns/HowAIDSchangedeverything/factsheet.
  2. 2. UNAIDS. AIDS by the numbers. 2015. http://www.unaids.org/en/resources/documents/2015/AIDS_by_the_numbers_2015
  3. 3. CDC. Vietnam Factsheet. 2014. https://www.cdc.gov/globalhealth/countries/vietnam/
  4. 4. UNAIDS. Viet Nam is the first country in Asia to commit to new HIV treatment targets 2014 http://www.unaids.org/en/resources/presscentre/featurestories/2014/october/20141027vietnamtargets
  5. 5. Vietnam Authority of HIV/AIDS Control. Optimizing Viet Nam’s HIV Response: An Investment Case. 2014. http://www.aidsdatahub.org/sites/default/files/publication/Vietnam_investment_case_2014.pdf.
  6. 6. Vietnam Authority of HIV/AIDS Control. National HIV/AIDS prevention and Control report. 2015. http://vaac.gov.vn/Cms_Data/Contents/Vaac/Folders/Solieubaocao/Solieu/~contents/BCG2DGP6NQ77KBCX/Bao-cao-HIV_AIDS-nam-2015-va-nhiem-vu-trong-tam-nam-2016_final.pdf.
  7. 7. Nyblade L, Jain A, Benkirane M, Lohiniva AL, McLean R, Varas-Dıaz N, et al. A brief, standardized tool for measuring HIV-related stigma among health facility staff: results of field testing in China, Dominica, Egypt, Kenya, Puerto Rico and St. Christopher & Nevis. J Int AIDS Soc. 2013; 16(Suppl 2):18718. pmid:24242266
  8. 8. Loutfy M, Tharao W, Logie C, Aden MA, Chambers LA, Abdelmaseh M, et al. Systematic review of stigma reducing interventions for African/Black diasporic women. J Int AIDS Soc. 2015;18:19835. pmid:25862565
  9. 9. Hagey JM, Akama E, Ayieko J, Bukusi EA, Cohen CR, Patel RC. Barriers and facilitators adolescent females living with HIV face in accessing contraceptive services: a qualitative assessment of providers’ perceptions in western Kenya. J Int AIDS Soc 2015;18:20123. pmid:26385854
  10. 10. Risher K, Adams D, Sithole B, Ketende S, Kennedy C, Mabusa X, et al. Sexual stigma and discrimination as barriers to seeking appropriate healthcare among men who have sex with men in Swaziland. J Int AIDS Soc. 2013;16(Suppl 2):18715. pmid:24242263
  11. 11. Nixon SA, Cameron C, Hanass-Hancock J, Simwaba P, Solomon PE, Bond VA, et al. Perceptions of HIV-related health services in Zambia for people with disabilities who are HIV-positive. J Int AIDS Soc. 2014;17:18806. pmid:24763077
  12. 12. Beck EJ, Gill W, De Lay PR. Protecting the confidentiality and security of personal health information in low- and middle-income countries in the era of SDGs and Big Data. Glob Health Action. 2016; 9(1): 32089. pmid:28156880
  13. 13. Vietnam Ministry of Health. Quyết định Ban hành quy định về đảm bảo an toàn thông tin y tế điện tử tại các đơn vị trong ngành y tế. Vietnam Ministry of Health; 2014. No.: 4159/QĐ-BYT. http://thuvienphapluat.vn/van-ban/Cong-nghe-thong-tin/Quyet-dinh-4159-QD-BYT-2014-Quy-dinh-dam-bao-an-toan-thong-tin-y-te-dien-tu-256976.aspx. Vietnamese.
  14. 14. Vietnam Ministry of Health. Quyết định về việc ban hành "Quy định về y đức". Vietnam Ministry of Health; 1996. No.: 2088/BYT-QĐ. http://thuvienphapluat.vn/van-ban/The-thao-Y-te/Quyet-dinh-2088-BYT-QD-Quy-dinh-ve-Y-duc/40182/noi-dung.aspx. Vietnamese.
  15. 15. Allen, AL. Confidentiality: An Expectation in Health Care. Faculty Scholarship. 2008: 186. http://scholarship.law.upenn.edu/faculty_scholarship/186
  16. 16. UNAIDS/PEPFAR. Interim Guidelines on Protecting the Confidentiality and Security of HIV Information: Proceedings from a Workshop, 15–17 May 2006, Geneva, Switzerland; 2007. http://data.unaids.org/pub/manual/2007/confidentiality_security_interim_guidelines_15may2007_en.pdf
  17. 17. Oosterhoff P, Hardon AP, Nguyen TA, Pham NY, Wright P. Dealing with a positive result: routine HIV testing of pregnant women in Vietnam. AIDS Care. 2008 Jul;20(6):654–9. pmid:18576166
  18. 18. Grossman CI, Stangl AL. Editorial: Global action to reduce HIV stigma and discrimination. J Int AIDS Soc. 2013 Nov 13;16(3 Suppl 2):18881. pmid:24242269
  19. 19. News VN. How VN will control AIDS absent foreign funds 2017 http://vietnamnews.vn/society/health/372704/how-vn-will-control-aids-absent-foreign-funds.html#dXZFjZiBDdlspP47.97
  20. 20. Masaya Kato caNHL, Bui Duc Duong, Do Thi Nhan, Thi Thuy Van Nguyen, Nguyen Huu Hai, Le Minh Giang, Do Mai Hoa, Nguyen Thanh Van, Amitabh B. Suthar, Chris Fontaine, Patrick Nadol, Ying-Ru Lo, and Michelle S. McConnell. Enhancing the Benefits of Antiretroviral Therapy in Vietnam: Towards Ending AIDS. NCBI. 2014 https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4264957/pdf/11904_2014_Article_235.pdf
  21. 21. Vietnam Authority of HIV/AIDS Control. Vietnam AIDS response progress report. 2014. http://www.aidsdatahub.org/Vietnam-Global-AIDS-Response-Progress-Report-2014.
  22. 22. Beck EJ, Mandalia S, Harling G, Santas XM, Mosure D, Delay PR. Protecting HIV information in countries scaling up HIV services: a baseline study. J Int AIDS Soc. 2011 Feb 6;14:6. pmid:21294916
  23. 23. Centers for Disease Control and Prevention. Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs: Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action. Atlanta (GA): U.S. Department of Health and Human Services, Centers for Disease Control and Prevention; 2011. https://www.cdc.gov/nchhstp/ProgramIntegration/docs/PCSIDataSecurityGuidelines.pdf
  24. 24. Connecticut Department of Public Health, HIV/STD/TB/Hepatitis Surveillance Programs. Confidentiality Guidelines for HIV/STD/TB/Hepatitis Surveillance Programs; 2017. http://www.ct.gov/dph/lib/dph/infectious_diseases/tb/pdf/ct_security_confidentiality_guidelines.pdf
  25. 25. Divisions of HIV Prevention and Care, STD Prevention and Control, Tuberculosis Control, and Infectious Diseases and Outbreaks, Alabama Department of Public Health,. HIV Security and Confidentiality Policy; 2016. http://www.adph.org/aids/assets/HIV_Security_Confidentiality_Policy_2016.pdf
  26. 26. Centers for Disease Control and Prevention and Council of State and Territorial Epidemiologists. Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines. Atlanta, Georgia: Centers for Disease Control and Prevention; 2006. https://doh.sd.gov/diseases/assets/SecurityConfidentiality3.pdf
  27. 27. Brito-Mutunayagam SL, Fernando I. Security concerns to be considered when downloading human immunodeficiency virus/sexually transmitted disease related smartphone applications. J Med Internet Res. 2013;15(10):e222. pmid:24100134
  28. 28. Cohen J, Ezer T. Human rights in patient care: a theoretical and practical framework. Health Hum Rights. 2013;15(2):7–19. pmid:24421170
  29. 29. Vietnamese National Assembly. Law on HIV/AIDS Prevention and Control; 2006. http://thuvienphapluat.vn/van-ban/The-thao-Y-te/Law-No-64-2006-QH11-of-June-29-2006-on-HIV-AIDS-prevention-and-control/80633/tieng-anh.aspx?tab=1. Vietnamese.
  30. 30. Vietnamese Government. Nghị định Quy định chi tiết thi hành một số điều của Luật Phòng, chống nhiễm vi rút gây ra hội chứng suy giảm miễn dịch mắc phải ở người (HIV/AIDS). 2007. No.: 108/2007/NĐ-CP. http://vanban.chinhphu.vn/portal/page/portal/chinhphu/hethongvanban?class_id=1&mode=detail&document_id=30661. Vietnamese.
  31. 31. Church K, Wringe A, Fakudze P, Kikuvi J, Simelane D, Mayhew SH; Integra Initiative. Are integrated HIV services less stigmatizing than stand-alone models of care? A comparative case study from Swaziland. J Int AIDS Soc. 2013;16:17981. pmid:23336726
  32. 32. Cross S, Sim J. Confidentiality within physiotherapy: perceptions and attitudes of clinical practitioners. J Med Ethics. 2000;26(6):447–53. pmid:11129846
  33. 33. Kurtz G. EMR confidentiality and information security. J Healthc Inf Manag. 2003 Summer;17(3):41–8. pmid:12858596
  34. 34. Vietnam Ministry of Health. Thông tư Quy định về điều kiện hoạt động Y tế trên môi trường mạng. 2014. No.: 53/2014/TT-BYT. http://www.moh.gov.vn/legaldoc/pages/LegalDocument.aspx?ItemID=533. Vietnamese.
  35. 35. Torres Carl G., Tumer Mark E., Harkess John R, and Istre Gregory R. Security Measures for AIDS and HIV. Am J Pub Health. 1991;81(2): 210–1.
  36. 36. Vietnam Ministry of Health. Hướng dẫn quản lý, điều trị và chăm sóc HIV/AIDS. 2015. No.: 3047/QĐ-BYT. http://mch.moh.gov.vn/van-ban/van-ban-phap-quy/van-banbieu-mau/Huong-dan-quan-ly-dieu-tri-va-cham-soc-HIV-AI. Vietnamese.
  37. 37. Vietnam Ministry of Health. Thông tư Hướng dẫn điều kiện và phạm vi chuyên môn của cơ sở y tế điều trị bằng thuốc kháng HIV. 2011. No.: 09/2011/TT-BYT. http://moj.gov.vn/vbpq/lists/vn%20bn%20php%20lut/view_detail.aspx?itemid=26298. Vietnamese.
  38. 38. Vietnam National Network of People Living With HIV. People Living with HIV Stigma Index. 2014. http://www.aidsdatahub.org/sites/default/files/highlight-reference/document/PLHIV_Stigma_Index_in_2014_in_Viet_Nam.pdf.
  39. 39. Vietnam National Network of People Living With HIV. Viet Nam Stigma Index. 2012. http://www.stigmaindex.org/sites/default/files/reports/Vietnam%20People%20Living%20with%20HIV%20Stigma%20Index%20%20Report%202012.pdf.
  40. 40. UNAIDS, GNP+, IPPF, ICWG. People Living with HIV Stigma Index in Asia Pacific Regional. 2011. http://www.unaids.org/sites/default/files/media_asset/20110829_PLHIVStigmaIndex_en_0.pdf.
  41. 41. Varga CA, Sherman GG, Jones SA. HIV-disclosure in the context of vertical transmission: HIV-positive mothers in Johannesburg, South Africa. AIDS Care. 2006;18(8):952–60. pmid:17012085
  42. 42. Chandra PS, Deepthivarma S, Manjula V. Disclosure of HIV infection in south India: patterns, reasons and reactions. AIDS Care. 2003;15(2):207–15. pmid:12856342
  43. 43. Tesic V, Kolaric B, Begovac J. Attitudes towards HIV/AIDS among fourth-year medical students at the University of Zagreb Medical School—better in 2002 than in 1993 but still unfavorable. Coll Antropol. 2006;30 Suppl 2:89–97.
  44. 44. Ali Muhammad Ghafoo, Ahmad Muhammad Owais. Knowledge, attitude and practices regarding HIV/AIDS among the community of Rawalpindi and Islamabad, Pakistan. Int J Res Med Sci. 2015;3(11):3080–3.
  45. 45. Holt R, Court P, Vedhara K, Nott KH, Holmes J, Snow MH. The role of disclosure in coping with HIV infection. AIDS Care. 1998;10(1):49–60. pmid:9536201
  46. 46. Maiorana A, Steward WT, Koester KA, Pearson C, Shade SB, Chakravarty D, Myers JJ. Trust, confidentiality, and the acceptability of sharing HIV-related patient data: lessons learned from a mixed methods study about Health Information Exchanges. Implementation Science 2012;7:34. pmid:22515736
  47. 47. Erickson J, Millar S. Caring for patients while respecting their privacy: Renewing our commitment. Online J Issues Nurs. 2005;10(2):2. pmid:15977975.
  48. 48. Fernแndez-Alemแn JL, Senor IC, Lozoya PAO, Toval A. Security and privacy in electronic health records: A systematic literature review. Journal of Biomedical Informatics 46 (2013) 541–562. (http://ac.els-cdn.com/S1532046412001864/1-s2.0-S1532046412001864-main.pdf?_tid=c36b11c0-80b8-11e7-865e-00000aacb35e&acdnat=1502691850_7b561d024c0f16e6aa8aa3adf84b6d80) pmid:23305810
  49. 49. VanderMolen J, Prince A, Neu E, DeKraker R. Employee Confidentiality Training for the Electronic Health Record: A Systematic Review of Literature. Educational Perspectives in Health Informatics Information Management, Fall 2015. (http://eduperspectives.ahima.org/employee-confidentiality-training-for-the-electronic-health-record-a-systematic-review-of-literature/)
  50. 50. Fernando J, Dawson L. The health information system security threat lifecycle: an informatics theory. Int J Med Inform 2009;78(12):815–26. pmid:19783203
  51. 51. Fernando J, Dawson L. Clinician assessments of workplace security training—an informatics perspective. eJHI 2008;3(1):e7.
  52. 52. Farzandipour M, Sadoughi F, Ahmadi M, Karimi I. Security requirements and solutions in electronic health records: lessons learned from a comparative study. J Med Syst 2010;34(4):629–42 pmid:20703917
  53. 53. Wiljer D, Urowitz S, Apatu E, DeLenardo C, Eysenbach G, Harth T, et al. Patient accessible electronic health records: exploring recommendations for successful implementation strategies. J Med Internet Res 2008;10(4):e34. pmid:18974036
  54. 54. Naing Cho M, Hakim Mohd, Tze Yee Daniel Ang, Mun Koo Ray, Yung Tan Chang, Jian Kong Keat and Suet Kuan Sara Siew. HIV/AIDS-related Knowledge, Attitudes and Perceptions: A Cross-Sectional Household survey. Southeast Asian J Trop Med Public Health. 2010;41(4):952–60. pmid:21073071
  55. 55. Gostin LO, Turek-Brezina J, Powers M, Kozloff R. Privacy and security of health information in the emerging health care system. Health Matrix Clevel. 1995;5(1):1–36. pmid:10141742
  56. 56. Twente, University of. Health Belief Model 2016. https://www.utwente.nl/cw/theorieenoverzicht/Theory%20Clusters/Health%20Communication/Health_Belief_Model/
  57. 57. Tarkang EE, Zotor FB. Application of the Health Belief Model (HBM) in HIV Prevention: A Literature Review. Cent Afr J Pub Health 2015;1(1):1–8.
  58. 58. Vietnam Government. Decree No. 176/2013/ND-CP on sanctioning administrative violations in the field of health. Vietnam Government; 2013. http://moj.gov.vn/vbpq/Lists/Vn%20bn%20php%20lut/View_Detail.aspx?ItemID=28820. Vietnamese.
  59. 59. The office of the National Coordinator for Health Information Technology, Department of Health & Human Services, USA,. Guide to Privacy and Security of Electronic Health Information; 2015. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf