ARIES User Policy
Policy Number: HIV/STD
Effective Date: June 15, 2006
Revision Date: July 7, 2010
Subject Matter Experts: Services Data Internal Workgroup
Approval Authority: HIV Care Services Group Manager
Signed by: BVCOG

Note: While DSHS has not updated this published document, it is NOT a draft but the policy currently in force.

1.0 Purpose
To provide guidance to Administrative Agencies (AA) regarding appropriate user(s) for the AIDS Regional Information and Evaluation System (ARIES) data application.

2.0 Authority
Ryan White Care ACT, 2009; Texas Health and Safety Code, Chapter 12, , , Chapter 85, ; Texas Administrative Code (TAC), Title 1, Part 10, Chapter 202, Subchapter C, Security Standards for State Agencies; Information Resources Management Act, Texas Government Code

Definitions
AIDS Regional Information and Evaluation System (ARIES): ARIES is web-based, client-level software that Ryan White and/or State Services HIV Providers use to report all Ryan White and State services provided to Ryan White eligible clients.
Administrative Agency (AA): Entity under contractual agreement with the Department of State Health Services (DSHS) to manage and distribute federal and state funds to HIV Service Provider(s).
Data Managers: Staff at the Administrative Agency responsible for providing support to local organizations using ARIES to report their service delivery activities.
HIV Service Provider: Organization(s) under contractual agreement with the AA to provide HIV-related medical and psychosocial support services to person(s) living with HIV/AIDS.
Housing Opportunities for Persons with AIDS (HOPWA) Program: HUD's Office of HIV/AIDS Housing manages the HOPWA program in collaboration with 44 state and area CPD offices in providing guidance and program oversight. The Office works with other HUD offices to ensure that all HUD programs and initiatives are responsive to the special needs of people with HIV/AIDS. HOPWA funding provides housing assistance and related supportive services.
Ryan White HIV/AIDS Program: Program authorized in 1990 and administered by the U.S. Department of Health and Human Services (HHS), Health Resources and Services Administration (HRSA), HIV/AIDS Bureau (HAB). The program is for those who do not have sufficient health care coverage or financial resources for coping with HIV disease. Federal funds are awarded to agencies located around the country, which in turn deliver care to eligible individuals under funding categories called Parts.

4.0 Policy
It is the policy of the DSHS HIV Care Services Group that only users described in this policy will gain access to the ARIES system and data, thereby securing, protecting, and maintaining client confidentiality.

5.0 Persons Affected
This policy applies to the Administrative Agency Data Managers who grant access to the ARIES system.

6.0 Responsibilities
6.1 APPROPRIATE USERS
AA data managers will only give access to users working at agencies that receive Ryan White, HOPWA, or State Service funds to provide HIV services. Users should gain access to client-level data only when there is a direct and ongoing need that will improve and benefit client care and services. Access to client-level data may be given to supervisory or program management personnel at a service provider or the AA if the information is necessary for performing oversight of client services (e.g., granting a case management supervisor access to allow for review of case information and notes).

6.2 INAPPROPRIATE USERS
An AA data manager must not create users at agencies that are not HIV service providers or grant users access to client-level data through ARIES unless necessary to facilitate delivery of services to the client. The AA must not create users whose sole need for access relates to surveillance, research, grant reporting, or other ancillary uses for these data.

6.3 EXCEPTIONS
Consideration of users not meeting the criteria above will be a case-by-case decision by DSHS.

7.0 Procedures
The AA must develop local procedures to implement this policy and, on an annual basis, submit them within its Data Improvement Plan to DSHS for approval. Assignment of user permissions and rights must be consistent with the ARIES Security Policy guidelines established by DSHS.

8.0 Revision History
Date        Action
06/25/2006  Original policy
07/07/10    Policy renumbered; expanded the definitions section and deleted sections relating to security (see ARIES Security Policy)

HIV/STD Prevention and Care Branch

ARIES Security Policy
Policy Number: HIV/STD
Effective Date: August 18, 2010
Revision Date: August 18, 2010
Subject Matter Expert: Services Data Internal Workgroup
Approval Authority: HIV Care Services Group Manager
Signed by:

1.0 Purpose
This policy defines security standards for protecting the confidential information collected and maintained in ARIES by the HIV/STD program associated with the HIV Care Services Data Group. This policy addresses the administrative, physical, and technical safeguards for the security of ARIES and the confidentiality of client information. It describes the actions required of the Texas Department of State Health Services (DSHS) HIV/STD Program, Administrative Agencies, and service provider agencies which handle confidential client information collected and reported through ARIES. It also outlines the procedures data managers must use when authorizing users, assigning roles, rights, and permissions, and securing data and systems both physically and electronically.

2.0 Background
In fulfilling its mission to facilitate and assess the need for HIV services, the DSHS HIV/STD program, its contractors and external partners obtain confidential information regarding the individuals they serve. These individuals trust that the HIV/STD program will take every precaution to protect that information in order to ensure their confidentiality. The HIV/STD program and Administrative Agency must be vigilant in maintaining the integrity of the system (ARIES) that contains this confidential information.

3.0 Authority
Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter C; Texas Government Code 2054, Information Resources Management Act

4.0 Definitions
Administrative Agency (AA): Entity under contractual agreement with the Department of State Health Services to manage and distribute federal and state funds to HIV Service Provider(s).
AIDS Regional Information and Evaluation System (ARIES): Web-based, client-level software that Ryan White and State Services HIV Providers use to report all Ryan White and State Services provided to Ryan White eligible clients.
Authorized User: Individuals employed by an Administrative Agency or service provider who, in order to carry out their assigned duties, have been granted access to confidential information.
Breach of Confidentiality: A breach of protocol that results in the improper disclosure of confidential information: 1) accidentally or purposefully released verbally, electronically, or by paper medium, to an entity or person that by law does not have a right or need to know, or 2) purposefully accessed either in person or electronically by an entity or person that by law does not have a right or need to know.

Breach of Protocol: A departure from the established policies and procedures that may result in the improper disclosure of confidential information; an infraction or violation of a standard or obligation; this includes any unauthorized use of data, including de-identified data.
Advanced Encryption Standard: The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is capable of using cryptographic keys of 128, 192 and 256 bits to encrypt and decrypt data.
Confidential Information: Any information which pertains to a patient that is intended to be kept in confidence or secret and which, if released, could result in the identification of the patient.
Confidentiality: The ethical principle or legal right patients and research participants have that ensures their confidential information is protected from unauthorized disclosure by physicians, other health professionals or researchers with whom they have shared this information.
Data Managers: Staff at the Administrative Agency responsible for providing support to local organizations using ARIES to report their service delivery activities.
Encryption: The manipulation or encoding of information so that only parties intended to view the information can do so. There are many ways to encrypt information; the most commonly available systems involve public key and symmetric key cryptography.
Local Responsible Party (LRP): An individual who accepts responsibility for implementing and enforcing ARIES security and confidentiality policies and procedures and has the responsibility of reporting and assisting in the breach investigation process.
Negligence: Negligence is the failure to use reasonable care. It is the failure to do (or not to do) something that a reasonably prudent person would do (or not do) under like circumstances; a departure from what an ordinary reasonable member of the community would do in the same community. Negligence is a 'legal cause' of damage if it directly, and in natural and continuous sequence, produces or contributes substantially to loss, injury, or damage, so that it can reasonably be said that if not for the negligence, the loss, injury, or damage would not have occurred.
Password Protected: When files and directories are password protected from unauthorized access, users are required to enter a personal identifier and password before access is allowed.
Personal Identifier: A datum or collection of data which allows the possessor to determine the identity of a single individual with a specified degree of certainty; a personal identifier may permit the identification of an individual within a given database. Bits of data, when taken together, may be used to identify an individual. Personal identifiers may include name, address or place of residence, social security number, telephone number, fax number, and exact date of birth.
Protected Health Information (PHI): Any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

Removable Storage Device: A device that allows for the transportation of electronic information; there are many types including, but not limited to: USB port flash drives (memory sticks), diskettes, CD-ROMs, zip disks, tapes, smart cards, and removable hard drives.
Secured Area: A confined physical space within the AA or service provider agency where ARIES data and information are located, with entry limited to staff with authorized access.
Secured Socket Layers: A cryptographic system that uses two keys to encrypt data, a public key known to everyone and a private or secret key known only to the recipient of the message, and allows a secure connection between a client and a server, over which any amount of data can be sent securely.
Security: The protection of surveillance data and information systems, for the purposes of (1) preventing unauthorized release of identifying surveillance information or data from the systems (e.g., preventing a breach of confidentiality) and (2) protecting the integrity of the data by preventing accidental data loss or damage to the systems. Security includes measures to detect, document, and counter threats to the confidentiality or integrity of the systems.
Service Provider Agency: Organization(s) under contractual agreement with the AA to provide HIV-related medical and psychosocial support services to person(s) living with HIV/AIDS. Service Provider Agencies are required to enter relevant data into ARIES per their contractual agreement with the AA.
Suspected Breach: An alleged infraction or violation of a standard that may result in unauthorized disclosure of confidential information.
Wi-Fi (Wireless Fidelity): Refers to wireless network components that are based on one of the Wi-Fi Alliance's standards. The Wi-Fi Alliance created the standard so that manufacturers can make wireless products that work with other manufacturers' equipment. This equipment uses high-frequency radio waves rather than wires to communicate. Wi-Fi is commonly used to wirelessly access the Internet or a local network.

5.0 Policy
It is the policy of DSHS HIV Care Services that ARIES and the information collected in ARIES are protected and maintained to ensure patient confidentiality.

6.0 Persons Affected/Applicability
This policy applies to all Administrative Agency data managers and other ARIES authorized users who could potentially view and/or have access to ARIES and confidential information.

7.0 Responsibilities
AA data managers must ensure all users are authorized and that each authorized user has the correct permissions within the system. For example, users who do not need to see medical or risk information should not be given rights to those screens. The data manager must limit access to ARIES data through assignment of user permissions appropriate for a user's role. In addition, the AA data manager must maintain a list of ARIES users, monitor user rights on a quarterly basis or when an employee changes position, and make appropriate changes as needed.

The data manager at the Administrative Agency is the Local Responsible Party (LRP) and is responsible for ensuring that an individual is designated as an LRP at each service provider site. Internally, at DSHS, the HIV/STD Comprehensive Services Branch Manager is designated as the LRP. The LRP will be responsible for implementing and enforcing security and confidentiality policies and procedures and for investigating suspected breaches.

Only DSHS and AA data managers have rights to ARIES Report/Export. The AA data managers must not grant ARIES Report/Export rights to any other users. The AA data managers must not grant unnecessary access to users within ARIES to run reports and export data.

AA data managers are responsible for ensuring that authorized users understand:
- ARIES users are individually responsible for ensuring that the confidential information they work with is protected. This responsibility includes protecting all passwords, keys, and codes that enable access to confidential information;
- ARIES users are responsible for reporting possible security risks to the LRP;
- ARIES users are individually responsible for protection of their own desk/work area, workstation, laptops or other devices associated with confidential information;
- ARIES users are responsible for challenging and reporting those persons who are not authorized to access confidential information;
- Confidential information gained in the course of work activity will not be divulged to unauthorized persons; and
- Upon resignation or termination, all confidential information and keys or devices that enable access to physical and electronic locations where confidential information may be stored must be returned to the user's immediate supervisor.

8.0 Procedures
8.1 Procedures for AA Data Managers
The AA data managers must develop local policy and procedures to implement this policy, including those associated with authorization of users and authorization of user permissions according to role. Additionally, AA data managers must develop plans for how they will ensure that ARIES user and security policies are followed by AA staff, service provider agencies, and subcontracting personnel who use ARIES.

AA data managers must make certain that:
- Each user has an individual login and security certificate; no login names or certificates can be shared, nor should generic login names be created.
- All users, prior to being given access to ARIES, successfully complete confidentiality and security training, sign a confidentiality agreement that affirms individual responsibility for keeping client information and data confidential, and sign an assurance that they have reviewed security policies and procedures relevant to their position. The confidentiality and assurance agreements must be signed annually. The original must be stored in the employee's personnel file and a copy must be maintained by the employee. The date(s) of the training(s) must be documented in the employee's personnel file.

- The user's rights within the ARIES system are revoked, and DSHS staff are contacted by telephone and e-mail to revoke user rights, immediately after a user leaves employment or no longer requires access to ARIES.

8.2 Procedures for ARIES Data Requests
Releases of electronic client-level data files to third parties for grant development, research, needs assessment, creation of reports or any other purpose must not be made without DSHS approval, and DSHS reserves the right to require that the party requesting the data submit the request to the DSHS Institutional Review Board if the request appears to be related to research or includes a request for the release of client-identifying information.

Routine requests for utilization reports and aggregate profiles of clients served, from staff other than funded providers or AA staff, may be released without consultation with DSHS. However, aggregate profiles of client characteristics that include cross-tabulated tables with cells that contain fewer than 10 clients should be released only after such cells have been redacted and replaced with a mark indicating that a small cell count precludes inclusion of the specific figure.

9.0 Physical Security
9.1 Building Security
All confidential information must be maintained in a secure area. No remote access is allowed. A secure area is an area that is protected by at least one level of physical security, although it is preferable that such information be maintained behind two levels of physical security. Examples of physical security levels include a secured access card reader, a locked door or a security guard. The physical security of the building containing the confidential information must be approved by both the provider LRP and the AA data manager.

9.2 Computer Workstations
All computer workstations with access to ARIES data must be physically located in a secure area.
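The small-cell rule in section 8.2 above is the one part of these policies that describes a concrete data-handling step, so here is a worked illustration of it. This is an added example, not part of the DSHS policy text or any ARIES tooling: the threshold (fewer than 10 clients) comes from the policy, while the row/column layout, the "<10" mark and the sample counts are constructed for illustration. It also goes one step beyond the policy: when a report publishes row and column totals, a single redacted cell can be recovered by subtraction, so a complementary pass redacts a second cell in any row or column that would otherwise have only one.

```python
"""Small-cell suppression for aggregate client reports.

Added example, not part of the DSHS policy text. It implements the
redaction rule in section 8.2 of the ARIES Security Policy: cross-tabulated
aggregate profiles may be released only after cells with fewer than 10
clients have been replaced with a mark indicating a small cell count.
The threshold (10) comes from the policy; the row/column layout, the mark
string and the sample counts below are constructed for illustration.
"""

SMALL_CELL_THRESHOLD = 10  # from the policy: "fewer than 10 clients"
SMALL_CELL_MARK = "<10"    # assumed mark; the policy does not prescribe a symbol


def suppress_small_cells(table, threshold=SMALL_CELL_THRESHOLD, mark=SMALL_CELL_MARK):
    """Primary suppression: return a copy of `table` with every cell whose
    count is below `threshold` replaced by `mark`.

    `table` maps row label -> {column label -> client count}. A zero count
    is redacted too: "0" still tells a reader that no client of that kind
    exists in the population, and it falls under "fewer than 10".
    """
    return {
        row: {col: (mark if count < threshold else count) for col, count in cells.items()}
        for row, cells in table.items()
    }


def complementary_suppression(table, threshold=SMALL_CELL_THRESHOLD, mark=SMALL_CELL_MARK):
    """Primary suppression plus a complementary pass (an addition beyond the
    policy text) for reports that also publish row and column totals.

    If exactly one cell in a row or column is redacted, its value can be
    recovered by subtracting the remaining cells from the published total,
    so the smallest remaining cell in that line is redacted as well. The pass
    repeats until no row or column has a single redacted cell.
    """
    out = suppress_small_cells(table, threshold, mark)
    rows = list(out)
    cols = list(next(iter(out.values()))) if out else []

    def line(row=None, col=None):
        # (label, value) pairs for one row or one column of `out`
        if row is not None:
            return [(c, out[row][c]) for c in cols]
        return [(r, out[r][col]) for r in rows]

    changed = True
    while changed:
        changed = False
        for row in rows:
            redacted = [c for c, v in line(row=row) if v == mark]
            visible = [(c, v) for c, v in line(row=row) if v != mark]
            if len(redacted) == 1 and visible:
                out[row][min(visible, key=lambda cv: cv[1])[0]] = mark
                changed = True
        for col in cols:
            redacted = [r for r, v in line(col=col) if v == mark]
            visible = [(r, v) for r, v in line(col=col) if v != mark]
            if len(redacted) == 1 and visible:
                out[min(visible, key=lambda rv: rv[1])[0]][col] = mark
                changed = True
    return out


# Constructed sample cross-tab (gender x age band); not real ARIES data.
SAMPLE_CROSSTAB = {
    "Male":        {"18-29": 42, "30-49": 117, "50+": 8},
    "Female":      {"18-29": 12, "30-49": 35,  "50+": 10},
    "Transgender": {"18-29": 3,  "30-49": 6,   "50+": 0},
}


def render(table):
    """Plain-text rendering of a (redacted) cross-tab for a report."""
    cols = list(next(iter(table.values())))
    lines = ["{:<12}".format("") + "".join("{:>8}".format(c) for c in cols)]
    for row, cells in table.items():
        lines.append("{:<12}".format(row) + "".join("{:>8}".format(cells[c]) for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print("Primary suppression only:")
    print(render(suppress_small_cells(SAMPLE_CROSSTAB)))
    print("\nWith complementary suppression (row/column totals published):")
    print(render(complementary_suppression(SAMPLE_CROSSTAB)))
```

Note that a cell of exactly 10 is not redacted, since the policy says "fewer than 10"; on the sample table the complementary pass leaves only two visible cells, which is the usual trade-off with very small tables and a reason to prefer coarser categories before release.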
No laptops or other portable computing devices can be programmed to have ARIES access without DSHS approval, and only if they abide by 12.0 & 12.1 in this document. Workstations with access to ARIES must be password protected at the Windows login level and have a password-protected screensaver program installed and activated. The screensaver should be set to activate automatically after 5 minutes or less when the workstation is not in active use.

Passwords must comply with DSHS-published password guidelines found at:
Computer passwords are unique to the authorized user and must not be shared with others. If a password's security is in doubt, it must be changed immediately. Authorized users are responsible for locking computer workstations (Ctrl/Alt/Delete - Lock Workstation) when a workstation is left unattended. No one should access a computer or network using another person's access without written authorization.

Computer screens must not be readily observable by non-authorized users as they pass through the office area or approach the reception desk. Security screens may be installed on computer monitors to prevent viewing of information on the computer screen by anyone other than the authorized user. ARIES must not be accessed or worked with on any computer that is not secure. This includes no remote access such as Go To My PC or VPN.

Any client-level information or aggregate reports which could potentially identify a client should not be transmitted by e-mail. Protected Health Information can be e-mailed via an attachment that is encrypted and password protected, as long as the password is delivered through a phone call or in a separate e-mail that does not contain any identifying information or the words HIV and/or AIDS. If a client or provider e-mails about their specific case, it is best practice to e-mail the person back and ask them to call the provider directly. Staff should not include any identifiers within the e-mail that pertain to HIV or AIDS, such as the program name or descriptions within their signature block.

Handling Electronic Data
11.1 Electronic Data Access
Access to ARIES will only be granted as defined in the user policy. ARIES may be accessed solely by the person whose name is on the ARIES certificate used. Logins and certificates will be approved only for individual users; no generic or shared logins will be approved. Certificates will not be installed on roaming Windows profiles. Network drives containing confidential information must have controls in place that enable access only to authorized users. Staff may not attempt to access any data, program, or system for which they do not have approved authorization.

Electronic Data Transmission
Only DSHS and AA data managers have rights to ARIES Report/Export. AA data managers must not grant ARIES Report/Export rights to any other users. AA data managers must ensure and monitor that confidential data exported for the purpose of evaluation, monitoring, or quality assurance by the submitting agency or the AA are physically and electronically secure and disposed of properly. Exported confidential information for the purpose of evaluation, monitoring, or quality assurance with the AA or the submitting agency must not be taken to a private residence unless specific permission has been granted by the state LRP. Likewise, remote access of a work computer from home in order to access ARIES is prohibited.

Removable, External Storage Devices
All staff authorized to access confidential information must be individually responsible for protecting their assigned portable devices including, but not limited to: PDAs, Blackberries, cell phones, flash drives, diskettes, CD-ROMs, zip disks, tape backups, removable hard drives, smart cards, and/or GPS systems.

Laptops
Laptops used as work computers fall under the same confidentiality and security guidelines as indicated under section 10.0 Physical Security. ARIES security certificates will be installed on laptop computers only with DSHS approval and under the following requirements:
- There is a signed ARIES Laptop Agreement, which can be obtained from the AA;
- DSHS approves the signed agreement;
- The laptop user has a separate signed statement indicating receipt and understanding of the laptop agreement/requirements;
- The laptop is docked;
- The laptop does not leave the office; and
- The laptop does not have a wireless Internet connection.

Removable Storage Devices
All confidential information placed on a removable storage device must be encrypted using encryption software meeting the Federal Information Processing Standard for the Advanced Encryption Standard (AES), FIPS-197, and password protected. Passwords must be stored separately from the device. When taking confidential data stored on removable storage devices from one secure area to another secure area, the data must be encrypted, minimized to the essential data required, and stored on devices that are kept secure. Any removable storage device containing confidential information is to be stored following the physical and electronic standards of this document. Removable storage devices containing confidential information must not be taken to a private residence unless specific permission has been granted by the state LRP.

Acceptable methods of sanitizing diskettes and other storage devices that previously contained sensitive data include overwriting or degaussing (demagnetizing) before reuse. Alternatively, the diskettes and other storage devices may be physically destroyed (e.g., by incineration, shredding). Such physical destruction would include the device itself, not just the plastic case around the device.

Personal Storage Devices (PDA)/Blackberries/Cell Phones
PDAs, Blackberries or cell phones will not be used to access, store or transmit confidential information.

Evolving Technology
If the security guidelines specified in this policy do not cover evolving technology, it is the responsibility of the AA data managers or service provider LRP to seek the guidance of DSHS.

Revision History
Date             Action                 Section
August 18, 2010  This is a new policy   all


ARIES Data Managers Core Competencies
Policy Number: HIV/STD
Effective Date: March 27, 2000
Revision Date: August 18, 2010
Subject Matter Experts: Services Data Internal Workgroup
Approval Authority: HIV Care Services Group Manager
Signed by:

1.0 Purpose
Although ARIES is centralized, the Department of State Health Services (DSHS) directs local Administrative Agencies to maintain on staff local data managers who train and assist local users and assure the quality and use of the data in ARIES. This policy establishes ARIES Data Manager Core Competencies. These core competencies are intended to provide guidance on the required activities and standards and the knowledge, skills, and abilities needed in a local ARIES data manager. Additionally, the core competencies were developed to enhance the quality and utility of data entered into and retrieved from the AIDS Regional Information and Evaluation System (ARIES).

2.0 Authority
Ryan White Care ACT, 2009; Texas Health and Safety Code (HSC) ; HSC ; HSC ; HSC ; Texas Administrative Code, chapter 25,

Definitions
AIDS Regional Information and Evaluation System (ARIES): ARIES is web-based, client-level software that Ryan White and State Services HIV Providers use to report all Ryan White and State Services provided to Ryan White eligible clients.
Administrative Agency (AA): Entity under contractual agreement with the Department of State Health Services (DSHS) to manage and distribute federal and state funds to HIV Service Providers.
Data Managers: Staff at the Administrative Agency responsible for providing support to local organizations using ARIES to report their service delivery activities.
HIV Service Provider: Organization(s) under contractual agreement with the AA to provide HIV-related medical and psychosocial support services to person(s) living with HIV/AIDS.
Ryan White HIV/AIDS Program: Program authorized in 1990 and administered by the U.S. Department of Health and Human Services (HHS), Health Resources and Services Administration (HRSA), HIV/AIDS Bureau (HAB). The program is for those who do not have sufficient health care coverage or financial resources for coping with HIV disease. Federal funds are awarded to agencies located around the country, which in turn deliver care to eligible individuals under funding categories called Parts.

Policy
It is the policy of DSHS that AA data managers are required to perform certain activities and possess certain knowledge, skills, and abilities, which include but are not limited to managing and overseeing data collection, reporting, and the Uniform Reporting System ARIES.

5.0 Persons Affected
This policy applies to the Administrative Agencies and the AA data managers.

6.0 AA Core Competencies
6.1 Competency in Developing Local Policy and Procedures
The AA data managers must develop local policy and procedures to implement all policies relating to ARIES and the data collected through ARIES. The local level includes AA staff, service provider agencies, and subcontractors.

6.2 Competency in Providing Training and Technical Assistance
AA data managers must:
- provide effective ARIES training and technical assistance to staff at the AA and service provider agencies who use ARIES;
- consult with ARIES personnel at DSHS for assistance on complex technical questions and relay information to local users;
- provide presentations, briefings and training sessions on ARIES operations for subcontractors and in-house personnel; and
- ensure ARIES computers meet or exceed necessary software and hardware requirements for current and future needs.

6.3 Competency in Establishing Local Physical & Electronic Security
Data managers must ensure that physical and electronic security is maintained at the local level as set forth in the DSHS ARIES User Policy and ARIES Security Policy. The AA data managers must develop local policy and procedures to implement the DSHS ARIES User Policy and ARIES Security Policy. AA data managers must also develop plans for how they will ensure that ARIES user and security policies are followed by AA staff and service provider agencies.

6.4 Competency in Data Quality Monitoring and Improvement
AA data managers must ensure that data entered into ARIES is of high quality as established in the DSHS Data Improvement Plans Policy. The AA data managers must develop local policy and procedures to implement DSHS ARIES Data Improvement Plans. ARIES data managers must monitor the completeness, accuracy and timeliness of ARIES data for the AA overall and for each individual service provider, and the completeness of aggregate and client-level reports required by HRSA. In addition, data managers are responsible for preparing the Data Improvement Plan, which sets goals for improvement and maintenance of ARIES data quality.

Competency in Providing Data-Driven Strategic Support
Work with AA staff to determine the information needed to support AA decision making and contract monitoring. Develop a set of standard and customized reports and queries to provide this information, agree upon an internal schedule for the production of these reports, and implement that schedule. This may require using software outside of ARIES to produce the requested data. Provide assistance in the interpretation of these reports as necessary. The data manager must ensure that providers enter data for the aggregate and client-level reports required by HRSA each year. HRSA-required aggregate-level and client-level data reports must be submitted to DSHS 15 business days prior to the grantee submission deadline.

7.0 Revision History
Date        Action
03/27/2000  Original policy
08/18/2010  Policy renumbered; expansion of definitions section; outline of the five core competency areas


ARIES Data Improvement Plan
Policy Number: HIV/STD
Effective Date: August 18, 2010
Revision Date: August 18, 2010
Subject Matter Expert: Services Data Internal Workgroup
Approval Authority: HIV Care Services Group Manager
Signed by:

1.0 Purpose
This policy provides guidance to Administrative Agencies (AA) regarding requirements for the annual submission of an ARIES (AIDS Regional Information and Evaluation System) Data Improvement Plan (DIP).

2.0 Background
ARIES was created to facilitate reporting of information on the delivery of HIV medical and psychosocial supportive services by agencies receiving Ryan White and State Services funds. As a condition of their grant awards, Ryan White HIV/AIDS Program grantees are required to report data on clients, services provided, and expenditures. In order for these data to be useful to planners, monitors, evaluators, and policy makers, the data must be of high quality. The Department of State Health Services (DSHS) HIV Care Services Group must ensure that Administrative Agencies' ARIES data entries are timely, complete, and accurate.

3.0 Authority
Ryan White Care ACT, 2009; Texas Health and Safety Code, Chapter 12, , , Chapter 85,

Definitions
Administrative Agency (AA): Entity under contractual agreement with the Department of State Health Services to manage and distribute federal and state funds to HIV Service Provider Agencies.
AIDS Regional Information and Evaluation System (ARIES): Web-based, client-level software that Ryan White and/or State Services HIV Providers use to report all Ryan White and State services provided to Ryan White eligible clients.
Assessment of Accuracy of Reports: A systematic and routine assessment of the degree to which ARIES entries are valid and reflect actual services, costs, client characteristics, and health status indicators.
Assessment of Completeness of Reports: Routine examination of client records within ARIES to assure all applicable required fields have entries.
Breach of Confidentiality: A breach of protocol that results in the improper disclosure of confidential information. The result is confidential information being: 1) accidentally or purposefully released verbally, electronically, or by paper medium, to an entity or person that by law does not have a right or need to know, or 2) purposefully accessed either in person or electronically by an entity or person that by law does not have a right or need to know.

Eligible Reporting Scope: Ryan White HIV/AIDS Program data that includes all clients receiving services eligible to be paid for with Ryan White HIV/AIDS Program funds, regardless of whether Ryan White HIV/AIDS Program funds were actually used to pay for the services.

Fee for Service: A standard business model in which services are unbundled and paid for separately. Providers are paid a specified amount for each service provided.

Funding Stream: A source of available funds for client services associated with a contract.

Health Resources and Services Administration (HRSA): An agency of the U.S. Department of Health and Human Services; the primary Federal agency for improving access to health care services for people who are uninsured, isolated, or medically vulnerable.

Service Provider Agency: Organization(s) under contractual agreement with the AA to provide HIV-related medical and psychosocial support services to person(s) living with HIV. Service Provider Agencies are required to enter relevant data into ARIES per their contractual agreement with the AA.

5.0 Policy

It is the policy of DSHS HIV Care Services that each AA must submit, implement, and report progress towards DIP goals.

6.0 Responsibilities

ARIES data managers must monitor the completeness, accuracy, and timeliness of ARIES data for the AA overall and for each individual service provider, and the completeness of aggregate and client-level reports required by HRSA. In addition, data managers are responsible for preparing the Data Improvement Plan, which sets goals for improvement and maintenance of ARIES data quality. The DIP is submitted by April 1 of every year to the DSHS HIV Care Services Group. Additionally, the AA must implement the DIP and report progress towards goals by submitting quarterly updates to the DSHS HIV Care Services Group as outlined in the contract. DSHS must approve each AA's DIP.

7.0 Procedures

The AA must develop local procedures to implement this policy.
8.0 DIP Requirements

The DIP should include:

1. A plan and implementation for providing training to contracted service providers as well as AA staff;
2. Description of procedures for receiving and responding to requests for technical assistance associated with ARIES;
3. Plans for site visits and data quality audits, including a description of the methods to be used at audits;
4. Plans for routinely assessing the following domains of data quality: timeliness of ARIES data entry; validity of ARIES data; completeness of ARIES data; and completeness of aggregate and client-level reports required by HRSA;
5. Identification of areas needing improvement relating to data quality and establishment of goals for improvement of data quality in any or all of the above domains. When setting goals for areas not meeting the minimum data quality requirements set forth in this policy, the DIP should establish progressively increasing goals aimed at meeting the minimum requirements;
6. An acknowledgement and commitment towards maintaining minimum data quality requirements for areas where minimum requirements are already being met. Data managers are required to maintain minimum data quality requirements in those areas.

9.0 Data Quality Minimum Requirements

Establishing DIP goals requires data managers to continuously monitor ARIES data for the overall AA and for each service provider agency. Each service provider agency is required to submit data into ARIES for clients as defined by the HRSA eligible reporting scope. Data managers may focus improvement efforts for the domains of data quality on selected service providers with deficiencies, or across service providers on selected fields, to achieve improvements in data quality. Each AA's plan for routinely assessing the domains of data quality must include the following types of monitoring and assessment for DSHS and HRSA required data elements:

1. Timeliness of ARIES Data Entry

Data managers must routinely assess the timeliness of ARIES data entry and work with HIV service providers with consistently late entries to improve timeliness. Entries associated with medications, ambulatory/outpatient medical care, and laboratory services, including the cost for these services, must be entered within 30 days of the date of the service/encounter. Client descriptive information and information associated with other service entries, including cost of service, must be entered into ARIES within 5 business days from the date of service/encounter.

2. Validity of ARIES Data

Data managers must verify the information in randomly selected ARIES records against documentation/records available at the service site on at least an annual basis.
A random sample selection of ARIES records must consist of 10% of records, or at least 10 records, within a specified review period. This should include validating the information on services delivered and the values of health indicators, such as CD4 and viral load test reports, if included in the record. The methods and schedule for conducting audits must be specified by the AA in the DIP, which may be satisfied through reference to written policy or procedure at the AA.

3. Completeness of ARIES Data

A) Missing/Unknown Data

DSHS and HRSA required data elements must not contain more than 5 percent missing or unknown values. Data managers must ensure the integrity of ARIES data by analyzing unknown, missing, and invalid data fields, running reports, and evaluating data entry procedures at HIV service providers.

B) Duplicate Clients

To avoid creating duplicate clients, data managers should ensure that all fields used to construct the Unique Record Number (URN) and extended URN have no missing values. Data managers must routinely assess the degree of duplication within client records and work with DSHS to assure that known duplicate client records and entries are eliminated from the system or merged across records.

C) Cost Reporting

The ARIES data manager must ensure that all service entries have a value in the cost field. These costs can be based on fee for service, unit cost, or a good faith cost calculation. The AA must provide guidance and technical assistance to service providers to assure that services reported within ARIES are attributed appropriately to the various funding streams available for services. This is especially important when multiple funding streams are available to support the delivery of any one service within a service provider.

4. Completeness of RDR and RSR Annual Performance Reports

Data managers must notify service providers of the requirement to report all eligible services for all eligible clients and assess conformity to this requirement (eligible reporting scope).

10.0 DIP Quarterly Updates

Progress reports should include an outline of the method and timeline to address and resolve identified areas needing improvement each quarter. After DSHS provides the AA data managers with written feedback regarding its quarterly DIP performance, the AA must provide a written response to DSHS within 10 days of receiving the DSHS feedback.

11.0 Revision History

Date            Action                   Section
July 7, 2010    This is a new policy     all
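The minimum requirements in section 9.0 are concrete enough to be checked mechanically rather than by eye. The script below is an added example written for this page, not ARIES code or a DSHS tool: it encodes the two timeliness windows (30 days for medication, ambulatory medical and laboratory entries, 5 business days for everything else), the 5 percent missing/unknown ceiling, the "10% or at least 10 records" validation sample, duplicate detection on URN components, and the cost-field check, and runs them over constructed sample records. The field names, service-category labels and URN components are assumptions (the page does not give the ARIES schema), and the business-day count ignores holidays.

```python
"""Data-quality checks modelled on the DIP minimum requirements (section 9.0).
Added example: field names, category labels and URN components are assumed,
and the sample records at the bottom are constructed for illustration."""
import math
import random
from collections import defaultdict
from datetime import date, timedelta

# Entries in these categories must be entered within 30 days of service (9.0 item 1);
# every other entry gets 5 business days. Category labels are assumed, not ARIES's own.
THIRTY_DAY_CATEGORIES = {"medication", "ambulatory_medical", "laboratory"}

# Assumed set of DSHS/HRSA-required elements checked for missing/unknown values (9.0 item 3A).
REQUIRED_FIELDS = ("client_id", "service_date", "entry_date", "category", "cost", "funding_stream")

# Assumed components of the Unique Record Number; the page does not list the real ones.
URN_FIELDS = ("first_name_initials", "last_name_initials", "dob", "gender")

MISSING = (None, "", "unknown")
MISSING_CEILING = 0.05


def business_days_between(start, end):
    """Weekdays after `start` up to and including `end`; holidays are ignored (assumption)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def is_late(rec):
    """Apply the category-specific timeliness window from 9.0 item 1."""
    if rec["category"] in THIRTY_DAY_CATEGORIES:
        return (rec["entry_date"] - rec["service_date"]).days > 30
    return business_days_between(rec["service_date"], rec["entry_date"]) > 5


def late_entries(records):
    return [r["entry_id"] for r in records if is_late(r)]


def missing_rate(records, field):
    if not records:
        return 0.0
    return sum(1 for r in records if r.get(field) in MISSING) / len(records)


def fields_over_ceiling(records, fields=REQUIRED_FIELDS, ceiling=MISSING_CEILING):
    """Required elements whose missing/unknown share exceeds the 5 percent ceiling."""
    rates = {f: missing_rate(records, f) for f in fields}
    return {f: r for f, r in rates.items() if r > ceiling}


def audit_sample(records, seed=None, fraction=0.10, minimum=10):
    """Validation sample for 9.0 item 2: 10 percent of records, never fewer than 10,
    capped at the number of records that exist. A seed makes the draw reproducible."""
    records = list(records)
    n = min(len(records), max(minimum, math.ceil(fraction * len(records))))
    return random.Random(seed).sample(records, n)


def duplicate_clients(clients):
    """Group clients by URN key (9.0 item 3B). A client with a missing URN component
    cannot be matched at all, so it is reported separately instead of silently passing."""
    by_key, incomplete = defaultdict(list), []
    for c in clients:
        key = tuple(c.get(f) for f in URN_FIELDS)
        if any(v in MISSING for v in key):
            incomplete.append(c["client_id"])
        else:
            by_key[key].append(c["client_id"])
    return {k: v for k, v in by_key.items() if len(v) > 1}, incomplete


def entries_without_cost(records):
    """Service entries with no value in the cost field (9.0 item 3C)."""
    return [r["entry_id"] for r in records if r.get("cost") in MISSING]


def run_audit(services, clients):
    dups, incomplete = duplicate_clients(clients)
    return {
        "late": late_entries(services),
        "over_ceiling": fields_over_ceiling(services),
        "duplicates": dups,
        "incomplete_urn": incomplete,
        "no_cost": entries_without_cost(services),
    }


# Constructed sample data. 2010-09-01 is a Wednesday, so 2010-09-08 is exactly 5 business days later.
SAMPLE_SERVICES = [
    {"entry_id": "S1", "client_id": "C1", "category": "laboratory", "service_date": date(2010, 9, 1), "entry_date": date(2010, 9, 20), "cost": 45.0, "funding_stream": "RW-B"},
    {"entry_id": "S2", "client_id": "C1", "category": "laboratory", "service_date": date(2010, 9, 1), "entry_date": date(2010, 10, 5), "cost": 45.0, "funding_stream": "RW-B"},
    {"entry_id": "S3", "client_id": "C2", "category": "case_management", "service_date": date(2010, 9, 1), "entry_date": date(2010, 9, 8), "cost": 30.0, "funding_stream": "State"},
    {"entry_id": "S4", "client_id": "C2", "category": "case_management", "service_date": date(2010, 9, 1), "entry_date": date(2010, 9, 9), "cost": 30.0, "funding_stream": "State"},
    {"entry_id": "S5", "client_id": "C4", "category": "medication", "service_date": date(2010, 9, 10), "entry_date": date(2010, 9, 15), "cost": None, "funding_stream": "unknown"},
]
SAMPLE_CLIENTS = [
    {"client_id": "C1", "first_name_initials": "JD", "last_name_initials": "SM", "dob": "1970-01-01", "gender": "M"},
    {"client_id": "C2", "first_name_initials": "JD", "last_name_initials": "SM", "dob": "1970-01-01", "gender": "M"},
    {"client_id": "C3", "first_name_initials": "AB", "last_name_initials": "CD", "dob": "", "gender": "F"},
    {"client_id": "C4", "first_name_initials": "AB", "last_name_initials": "CD", "dob": "1980-05-05", "gender": "F"},
]

if __name__ == "__main__":
    for finding, value in run_audit(SAMPLE_SERVICES, SAMPLE_CLIENTS).items():
        print(f"{finding}: {value}")
```

On the constructed data the audit flags S2 (34 calendar days for a laboratory entry) and S4 (6 business days for case management) as late, reports cost and funding_stream as over the 5 percent ceiling, pairs C1 and C2 as a probable duplicate, and lists C3 as unmatchable because its date of birth is blank. A production version would read an ARIES export instead of the inline lists and would keep the per-provider breakdown the policy asks for; the checks themselves do not change.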


More information

FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM

FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM END USER SECURITY POLICY MANUAL 1 INTRODUCTION... 3 2 INFORMATION USAGE AND PROTECTION... 3 2.2 PROTECTED HEALTH INFORMATION...

More information

North Carolina Health Information Exchange Authority. User Access Policy for NC HealthConnex

North Carolina Health Information Exchange Authority. User Access Policy for NC HealthConnex North Carolina Health Information Exchange Authority User Access Policy for NC HealthConnex North Carolina Health Information Exchange Authority User Access Policy for NC HealthConnex Introduction The

More information

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets

More information

Ferrous Metal Transfer Privacy Policy

Ferrous Metal Transfer Privacy Policy Updated: March 13, 2018 Ferrous Metal Transfer Privacy Policy Ferrous Metal Transfer s Commitment to Privacy Ferrous Metal Transfer Co. ( FMT, we, our, and us ) respects your concerns about privacy, and

More information

Application Guideline for BOP/Volume Zone Business Support Coordinator UZBEKISTAN in FY 2015

Application Guideline for BOP/Volume Zone Business Support Coordinator UZBEKISTAN in FY 2015 Application Guideline for BOP/Volume Zone Business Support Coordinator UZBEKISTAN in FY 2015 April 7, 2015 Manabu Shimoyashiro President Director JETRO Tashkent The Japan External Trade Organization, JETRO

More information

Red Flags Program. Purpose

Red Flags Program. Purpose Red Flags Program Purpose The purpose of this Red Flags Rules Program is to document the protocol adopted by the University of Memphis in compliance with the Red Flags Rules. Many offices at the University

More information

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. Gramm Leach Bliley Act 15 U.S.C. 6801-6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 11/30/2016 1 Objectives for GLBA Training GLBA Overview Safeguards Rule

More information

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection

More information

Privacy Breach Policy

Privacy Breach Policy 1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure

More information

Emsi Privacy Shield Policy

Emsi Privacy Shield Policy Emsi Privacy Shield Policy Scope The Emsi Privacy Shield Policy ( Policy ) applies to the collection and processing of Personal Data that Emsi obtains from Data Subjects located in the European Union (

More information

Survey on Patient Safety Culture Database Data Use Agreement

Survey on Patient Safety Culture Database Data Use Agreement Survey on Patient Safety Culture Database Data Use Agreement Instructions 1. Westat has pre-signed this Data Use Agreement (DUA) in its current form. Any changes or modifications to the DUA other than

More information

Information Security Policy for Associates and Contractors

Information Security Policy for Associates and Contractors Information Security Policy for Associates and Contractors Version: 1.13 Date: 11 October 2016 Reference: 67972761 Location: Livelink Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...

More information

Putting It All Together:

Putting It All Together: Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,

More information

Chapter 4 EDGE Approval Protocol for Auditors Version 3.0 June 2017

Chapter 4 EDGE Approval Protocol for Auditors Version 3.0 June 2017 Chapter 4 EDGE Approval Protocol for Auditors Version 3.0 June 2017 Copyright 2017 International Finance Corporation. All rights reserved. The material in this publication is copyrighted by International

More information

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy & Security Training HIPAA The Health Insurance Portability and Accountability Act of 1996 AMTA confidentiality requirements AMTA Professional Competencies 20. Documentation 20.7 Demonstrate

More information

Institute of Technology, Sligo. Information Security Policy. Version 0.2

Institute of Technology, Sligo. Information Security Policy. Version 0.2 Institute of Technology, Sligo Information Security Policy Version 0.2 1 Document Location The document is held on the Institute s Staff Portal here. Revision History Date of this revision: 28.03.16 Date

More information

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

Privacy Shield Policy

Privacy Shield Policy Privacy Shield Policy Catalyst Repository Systems, Inc. (Catalyst) has adopted this Privacy Shield Policy ("Policy") to establish and maintain an adequate level of Personal Data privacy protection. This

More information

Security and Privacy Breach Notification

Security and Privacy Breach Notification Security and Privacy Breach Notification Version Approval Date Owner 1.1 May 17, 2017 Privacy Officer 1. Purpose To ensure that the HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) maintains

More information

Donor Credit Card Security Policy

Donor Credit Card Security Policy Donor Credit Card Security Policy INTRODUCTION This document explains the Community Foundation of Northeast Alabama s credit card security requirements for donors as required by the Payment Card Industry

More information

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary

More information

Nebraska State College System Cellular Services Procedures Effective Date June 15, 2012 Updated August 13, 2015

Nebraska State College System Cellular Services Procedures Effective Date June 15, 2012 Updated August 13, 2015 Nebraska State College System Cellular Services Procedures Effective Date June 15, 2012 Updated August 13, 2015 Definitions Cellular Telephone Service For the purposes of this policy, cellular telephone

More information

Department of Public Health O F S A N F R A N C I S C O

Department of Public Health O F S A N F R A N C I S C O PAGE 1 of 7 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:

More information

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Presented by the Office of Housing Counseling and The Office of the Chief Information Officer Privacy Program

More information