Download: docx | pdf

REQUEST FOR EXTENSION AND AMENDMENT OF ASSURANCE OF CONFIDENTIALITY FOR THE National Healthcare Safety Network

DIVISION OF HEALTHCARE QUALITY PROMOTION

NATIONAL CENTER FOR EMERGING AND ZOONOTIC INFECTIOUS DISEASES

Original Application Approval: March 31, 2005

Extension Requested: March 15, 2010

Extension and Amendment Application Finalized: August 24, 2010

A. Purpose of the Project

The National Healthcare Safety Network (NHSN) is a surveillance system used to gather national data on healthcare-associated adverse events, associated risk and preventive factors, and antimicrobial use and resistance. NHSN is managed by the Division of Healthcare Quality Promotion (DHQP) at the Centers for Disease Control and Prevention (CDC). NHSN assists DHQP in fulfilling its mission to:

Protect patients, protect healthcare personnel, and promote safety, quality, and value in the healthcare delivery system by providing national leadership for measuring, validating, interpreting, and responding to data relevant to healthcare outcomes, healthcare-associated infections/antimicrobial resistance, related adverse events, and medical errors among patients and healthcare personnel.¹

NHSN began as a voluntary surveillance system in 2005. However, since its launch that year, NHSN increasingly has served as the operational system for compliance with mandatory healthcare-associated infection (HAI) reporting requirements established by states. By 2010, 21 states had opted to use NHSN as the operational system for mandatory reporting by healthcare facilities in their jurisdictions, and additional states are expected to follow with similar use of NHSN for mandatory reporting purposes. In addition, the Center for Medicare and Medicaid Services (CMS) will require Medicare-eligible acute care hospitals to report HAI data to CMS via NHSN beginning with hospital discharges occurring January 1, 2011 as part of the Inpatient Prospective Payment System (IPPS) quality data reporting program. Further, federal legislative proposals could establish mandatory reporting of HAI data on the federal level. Still, many healthcare facilities, even in states with mandatory reporting requirements, submit at least some HAI data to NHSN voluntarily. As a result, the HAI data reported to NHSN are a mix of data reported voluntarily and mandatorily. This “Request for Extension and Amendment of Assurance of Confidentiality for National Healthcare Safety Network” is intended to cover those data that are voluntarily provided by healthcare facilities to DHQP through the NHSN and not data that are either (1) mandated by state or federal laws, regulations, or other requirements, or (2) requested by state agencies for surveillance or prevention purposes.

The NHSN consists of four components - Patient Safety, Healthcare Personnel Safety, Biovigilance, and eSurveillance (electronic surveillance). The specific Patient Safety Component protocols included in this submission are: central line-associated primary bloodstream infection, central line insertion practices adherence, ventilator-associated pneumonia, catheter-associated urinary tract infection, dialysis event, surgical site infection, post-procedure pneumonia, multidrug resistant organism and Clostridium difficile-associated disease module, high risk inpatient influenza vaccination module, and the antimicrobial use and resistance option. For the Healthcare Personnel Safety Component, the blood and body fluid exposures and exposure management module and the influenza vaccination and exposure module are included in this submission. For the Biovigilance Component, the hemovigilance module is included in this submission.

In general, the data reported under the Patient Safety Component protocols are used to (1) determine the magnitude of the healthcare-associated adverse events under study, trends in the rates of the events, distribution of pathogens trends in the adherence to prevention practices, and (2) to detect changes in the epidemiology of adverse events resulting from new medical therapies and changing patient risks. Additionally, reported data are used to describe the epidemiology of antimicrobial use and resistance and to understand the relationship of antimicrobial therapy to this growing problem. Under the Healthcare Personnel Safety Component protocols, data on events--both positive and adverse--are used to determine (1) the magnitude of adverse events in healthcare personnel and (2) compliance with immunization and sharps injuries safety guidelines. Under the Biovigilance Component, data on adverse reactions and incidents associated with blood transfusions will be used to provide national estimates of adverse reactions and incidents. Participating healthcare facilities in the NHSN include all types of acute-care hospitals and other selected healthcare facilities (e.g., outpatient dialysis centers, ambulatory surgery centers). The surveillance data collected by the NHSN will be linked to CDC guidelines and other educational resources to create a “knowledge system” to support local and national efforts to promote safety among patients and healthcare personnel. Eventually, all venues where patient care is delivered will be encouraged to participate.

Objectives

The first 5 objectives listed below are original to NHSN. We are adding a sixth objective to synchronize with the current and anticipated future landscape of HAI of mandatory reporting.

1. To provide a national Internet-based system to collect data on measures of healthcare quality affecting patients and healthcare personnel from U.S. healthcare institutions.

2. To provide a knowledge system consisting of data analysis, feedback of institution-specific data, and linkage of data with guidelines and educational materials, to facilitate quality promotion efforts.

3. To collect data needed to make national burden estimates and assist DHQP and CDC in setting priorities and allocating resources.

4. To support studies to expand the scope of the Network, make it simpler and more efficient, and make improved use of technology for data collection.

5. By creating a repository of information from healthcare facilities, to act as a link between healthcare facilities and public health agencies.

6. To comply with legal requirements - including but not limited to state or federal laws, regulations, and other requirements - for mandatory reporting of healthcare facility-specific healthcare-associated infections, prevention practice adherence, and other public health data.

The sections below describe the need for NHSN to be covered by the assurance of confidentiality. Since NHSN is an ongoing surveillance system, we request the maximum time period be allotted for this assurance.

B. Justification

1. Extent to which the assurance of confidentiality is important to protection of the individual or institution.

Although NHSN is used by some states to implement mandatory HAI reporting requirements and may be used to comply with federal regulations or requirements for reporting facility-specific, healthcare-associated infections and other public health data, healthcare data voluntarily submitted to NHSN outside the scope of mandatory reporting can shed further light on healthcare-associated adverse events and their risk factors. This voluntarily provided data on healthcare-associated adverse events are essential to continuing to understand the extent of the problem within individual healthcare settings and nationally. For example, most state mandates restrict data reporting to intensive care units, but hospitals report data on specialty care areas (such as bone marrow transplant and long term acute care areas) and general wards (http://www.cdc.gov/nhsn/PDFs/dataStat/2009NHSNReport.PDF). These data were lacking in the CDC’s National Nosocomial Infections Surveillance system, the predecessor to NHSN, and have been very well received by the infection prevention community as a needed advancement of the field. In addition, the voluntarily provided data are used in quality-monitoring programs to institute relevant prevention and control measures. The reputation of the healthcare institution and its ability to attract patients and otherwise conduct business may be seriously compromised if these voluntarily provided data were released, since they can easily be misinterpreted by the lay public. Further, if this voluntarily provided data includes information on individual patients and is unprotected by an assurance of confidentiality, healthcare institutions are at risk of having information used against them by the plaintiff’s attorneys in a lawsuit.

The ability to voluntarily obtain information from hospitals and other healthcare facilities as well as those of individual healthcare institutions to improve the quality of healthcare will be severely impaired without assurance of confidentiality.

Because NHSN includes voluntary collection of data about identifiable patients and healthcare institutions, all of the voluntarily collected data in the NHSN are considered sensitive. Voluntarily provided data are collected on individual patients using a variety of sources and the occurrence of an adverse event is determined by applying accepted criteria to the collected data. If the data are to be accurate, healthcare institutions must be candid and surveillance personnel must have access to any and all relevant data sources. Healthcare institutions that perceive a threat of public disclosure of their voluntarily provided identifiable data can easily reduce their adverse event rates by minimizing or obstructing surveillance, which would result in undermining NHSN’s ability to provide accurate and useful data for the nation.

2. Extent to which the individual or establishment will not furnish or permit access to it unless an assurance of confidentiality is given.

Outside of the data that are mandated to be provided to NHSN by applicable state or federal law, regulations and/or other requirements, further participation in NHSN is open to all qualifying healthcare institutions and is voluntary. It is unlikely that any healthcare institution would voluntarily provide data to NHSN if an assurance of confidentiality cannot be provided to such data; a critical national source for data on the quality of healthcare would cease to exist. At the time of enrollment, healthcare institutions will be provided with a document setting out the coverage of the 308(d) statement of assurance of confidentiality.

3. Extent to which the information cannot be obtained with the same degree of reliability from sources that do not require an assurance.

It is not possible to obtain the levels and types of data that can be used for calculating rates on adverse events that are adjusted for risk factors and stratified by various patient and institutional groups from any source other than the healthcare institutions themselves. CDC has developed the protocols for NHSN and provides instructional materials on data collection methods, an Internet-based data entry and analysis system, and training courses. Trained surveillance personnel who are given clear instructions and ongoing technical support are necessary for the collection of reliable data on adverse events associated with healthcare. Therefore, the existing set up for NHSN is the only feasible way to obtain valid data for this consolidated surveillance system. Any institution that delivers healthcare would be reluctant to voluntarily release this level and type of information without an Assurance of Confidentiality.

4. Extent to which the information is essential to the success of the particular statistical or epidemiological project and is not duplicative of other information gathering activities of the Department.

CDC is unaware of any other group in the Department that is systematically and routinely gathering data on adverse events that can be used to calculate risk-adjusted rates for comparison purposes. Without NHSN, the Department would not have a mechanism for monitoring trends in adverse event rates, nor the ability to determine whether prevention efforts have been successful. The Department has established nine national 5-year prevention targets for healthcare-associated infections and deemed the measurement system for six of them to be NHSN (see Appendix G, HHS Action Plan to Prevent Healthcare-Associated Infections at http://www.hhs.gov/ophs/initiatives/hai/actionplan/index.html).

5. Extent to which the giving of the assurance of confidentiality might restrain CDC from carrying out any of its responsibilities.

An assurance of confidentiality will not restrain CDC from carrying out its public health responsibilities because at the time of enrollment into NHSN, healthcare institutions will be required to sign an agreement to participate which stipulates that they agree to provide all data that are legally required to be provided or requested by their state and that they will report outbreaks or other problems of public health importance identified through the surveillance system and for which they are contacted by CDC to their local health authorities.

NHSN data that have been aggregated and are without institution or patient identifiers will be provided to organizations that need to monitor and assess healthcare quality.

In addition, as recent legislation shows, the type of information being collected in the NHSN has been determined to be critical to monitoring and assessing healthcare quality in various healthcare settings. That legislation provides validation to the objectives of the NHSN. The legislation, though, requires certain information be collected by CDC and made available to the public; NHSN will also work to voluntarily obtain a greater level of data from individual healthcare settings. This Assurance would act to provide protection to those data which are voluntarily provided by participating institutions.

6. Extent to which the giving of the assurance of confidentiality outweighs the disadvantages of doing so.

The only disadvantage to assuring confidentiality is CDC’s inability to acknowledge by name the participating healthcare institutions in publications. Participating institutions demonstrate their commitment to improving the quality of healthcare by allocating considerable personnel and other resources to collecting and reporting data. Most hospitals have taken pride in being a part of the predecessors of NHSN and it is no different with NHSN. Acknowledging the participating institutions could motivate them to provide high quality data and to remain involved with the system. However, because the benefits of assurance of confidentiality far outweigh its disadvantage, the participants in the predecessor surveillance systems have been satisfied with remaining anonymous in publications. Finally, the inherent value of surveillance data lies in their ability to be aggregated according to similar risk groups. Conclusions are drawn from the data itself, not through identification of the specific sources. Thus, identifying participating healthcare institutions by CDC would be counterproductive.

C. Confidentiality Assurance Statement for the National Healthcare Safety Network

Data on adverse outcomes associated with healthcare will be collected by the Centers for Disease Control and Prevention (CDC), an agency of the United States Department of Health and Human Services, through the National Healthcare Safety Network (NHSN). A portion of the data collected in NHSN will be data which healthcare institutions are legally mandated to provide to CDC and will be made available as mandated by those state or federal laws, regulations and/or other requirements. However, another portion of the data collected in NHSN will be data that healthcare institutions voluntarily provide to CDC. This Confidentiality Assurance Statement is intended to cover those data which are voluntarily provided by healthcare facilities to NHSN and not data mandated by state or federal laws, regulations, or other requirements, or requested by state agencies for surveillance or prevention purposes.

Institutions will report these voluntarily-provided data to the NHSN using the protocols from the Patient Safety, Healthcare Personnel Safety, Biovigilance, and eSurveillance Components. Participating institutions will choose the protocol(s) they wish to use and voluntarily report in accordance with the NHSN data collection and reporting requirements. The voluntarily provided data will be submitted to CDC using the Internet. Data from the Patient Safety Component may include, in part, information about the presence of a healthcare-associated infection, the risk factors, name of the infectious agent and antibiotic susceptibility patterns, and outcome. Information about the characteristics of participating hospitals as well as monthly summary or other denominator data on the patient population being monitored will also be collected. Facility and patient demographic information are included in the voluntarily-provided data. Similar data would be voluntarily provided under the other NHSN Components.

The voluntarily-provided data will be used by CDC to describe the epidemiology of adverse outcomes associated with healthcare in the United States, including trends of hospital infection rates, antimicrobial resistance, and to develop benchmarks for healthcare-associated adverse outcomes in specific patient populations with similar infection risks that can be used for comparison purposes. The individual hospitals will internally measure their quality of care by comparing their rates against aggregated data from the NHSN system. Except as mandated by applicable state or federal laws, regulations and/or other requirements, the data will be aggregated and published without personal (including provider and patient names) or institutional identifiers in statistical and analytic summaries and epidemiologic studies.

The voluntarily provided information collected by CDC or its contractors as part of this surveillance system that would permit identification of patients or healthcare institutions is collected and maintained under Sections 304 and 306 of the Public Health Service (PHS) Act (42 USC 242b, 242k) with an assurance that it will be held in strict confidence in accordance with Section 308(d) of the PHS Act (42 USC 242m(d)). Such data will be used only for the purposes stated in this Assurance, and it will not otherwise be disclosed or released without the consent of the parties who were given this Assurance. No information from this data will be disclosed even after death of the patients in this surveillance system. Voluntarily provided information will not be disclosed to consumer advocacy groups; insurance companies; any party involved in civil, criminal, or administrative litigation; agencies of federal, state, or local government; or any other member of the public.

The assurance of confidentiality stated on NHSN data collection forms will read as follows:

Assurance of Confidentiality: The voluntarily provided information obtained in this surveillance system that would permit identification of any individual or institution is collected with a guarantee that it will be held in strict confidence, will be used only for the purposes stated, and will not otherwise be disclosed or released without the consent of the individual, or the institution in accordance with Sections 304, 306 and 308(d) of the Public Health Service Act (42 USC 242b, 242k, and 242m(d)).

D. Confidentiality Security Statement for National Healthcare Safety Network

The Division of Healthcare Quality Promotion (DHQP) is renewing a 308(d) Assurance of Confidentiality for certain voluntarily provided data to be collected within DHQP’s National Healthcare Safety Network (NHSN). Because of this Assurance, certain documents and files that contain names and other information identifying a single healthcare institution or patient will be considered confidential materials and will be safeguarded to the greatest extent possible. Because the voluntarily provided data are highly sensitive and include personally identifiable information (PII) the potential adverse impact of a breach in confidentiality is high and calls for level 3 authentication of remote NHSN users. It is the moral and legal responsibility of each DHQP and contract staff member working on NHSN to protect the right to confidentiality of healthcare institutions participating in NHSN and their patients as provided by this Assurance. This document describes the procedures and practices that DHQP uses to protect the confidentiality of the voluntarily provided data collected as part of this surveillance system and covered by this Assurance.

The contractor who developed the NHSN Internet interface using the Public Health Information Network (PHIN) architecture as the system platform, as well as any contractor who may have access to any element of the voluntarily provided NHSN data that permits identification of patients or institutions, are included under 308(d) protection. We have included reference to them in the Confidentiality Assurance Statement and this Confidentiality Security Statement. When any new contract is contemplated, the DHQP Business Steward for NHSN will notify the CDC Confidentiality Officer so that arrangements can be made with the Procurement and Grants Office to include appropriate 308(d) clauses in the contract and to obtain the required 308(d) confidentiality pledges from all contractor employees associated with the network.

DHQP and contract staff are required to maintain and protect at all times the confidential records that may come into their presence and under their control. To assure that they are aware of this responsibility and the penalties for failing to comply, each member of the DHQP/NHSN staff must read and sign a Nondisclosure Agreement (CDC 0.979), assuring that all information identifying an individual healthcare institution or patient that is subject to this Assurance will be kept confidential and will be used only for epidemiologic or statistical purposes. When confidentiality authorization is obtained, DHQP staff² working on this network will be required to attend a training session at which the confidentiality procedures for the project will be discussed in greater detail by the NHSN Business Steward or his designee. Signed agreements will be obtained at this time.

The Lead Subject Matter Experts for the NHSN are Daniel Pollock, MD, Teresa Horan, MPH, Dawn Sievert, PhD, Tara MacCannell, PhD, Joseph Perz, DrPH, Priti Patel, MD, Nimalie Stone, MD, and Matthew Kuehnert, MD. The Lead IT Technical Steward for the NHSN is Barry Rhodes, PhD, and the Business Steward is Daniel Pollock, MD.

Attachment 1 is the Nondisclosure Agreement that all DHQP FTE staff on the project will sign. The originals will be retained by DHQP, with copies at the Management Analysis and Services Office (MASO). Attachment 2 is the contractor’s pledge of confidentiality, called “Safeguards for Individuals and Establishments against Invasion of Privacy”. For NHSN contractors, 308(d) clauses will be added to the contract and all contractor employees with access to the voluntarily provided data that are subject to this Assurance will be required to sign this contractor pledge. Originals of these documents will be retained by PGO with copies on file at DHQP and MASO.

Restrictions on Use of Information and Safeguarding Measures

These measures apply to the voluntarily provided data collected by NHSN subject to this Assurance and not data which are mandated by state or federal laws, regulations, or other requirements.

• Information voluntarily collected in the course of conducting NHSN will be used only for the purposes of carrying out the project and shall not be divulged or made known in any manner except as necessary for the project, unless written approval from personnel at the participating healthcare institutions is received.

• Data will be transmitted from participating healthcare institutions to CDC by using Internet-based data entry screens provided by CDC or by transmitting data from a computer database created and maintained by the facility. Personal identifiers will be received by CDC.

• Data will be encrypted as they are transmitted over the Internet using Secure Socket Layer technology.

• Access to all confidential data collection aspects of NHSN will require the use of a digital certificate via CDC’s Secure Data Network or will require use of a password issued via CDC’s Secure Access Management System (SAMS).

• Data will be stored in password-protected files on secure computers stored in locked, authorized-access-only rooms.

• NHSN staff is responsible for protecting all confidential records from eye observation, from theft, or from accidental loss or misplacement due to carelessness. All reasonable precautions will be taken to protect confidential project data.

• All contractor personnel will receive training in confidentiality procedures.

• Recording of all data or creation of databases for transmission, for this project will be conducted on-site at the participating healthcare institutions. In the future, data may be obtained from entities outside the institution (e.g., commercial laboratory); in such cases, this security statement applies.

• DHQP staff will receive certain personal identifying information on patients, and adverse outcomes information identified by the voluntarily participating healthcare institutions, which is now protected by 308(d). All staff working with the voluntarily provided data subject to this Assurance are not to divulge any identifying information about project participants to anyone other than personnel at the participating healthcare institution or authorized project staff on a “need to know” basis to conduct official business. In general conversation outside the workplace, neither the identifying information, the nature of the data collected, nor the means by which they are collected should be discussed in any detail.

• When not in use by authorized NHSN staff, all hard copy material and physical media containing confidential data will be stored in locked containers, file cabinets, or rooms. Access to locked storage areas will be limited to authorized project staff. This procedure will apply to all physical media containing confidential data, including printouts and diskettes. When confidential records are in use, they must be kept out of sight of persons not authorized to work with these records.

• Except as needed for operational purposes, printouts of confidential records are not to be made. If printouts are necessary, care should be taken that all copies and originals are recovered from the copy machines and work areas. All confidential paper records will be destroyed as soon as operational requirements permit by shredding the documents.

Enhanced Protection of Computerized Files

These protections apply to the voluntarily provided data collected by NHSN subject to this Assurance and not data which are mandated by state or federal laws, regulations, or requirements, or requested by state agencies for surveillance or prevention purposes.

.

All voluntarily provided data will be protected in confidential computer files. The following safeguards are implemented to protect NHSN files so that the accuracy and the confidentiality of the data can be maintained:

• Computer files containing programs, documents, or confidential data will be stored in computer systems that are protected from accidental alteration and unauthorized access. Computer files will be protected by password systems, controlled sharing, and routine backup procedures.

• DHQP complies with several Federal policies, statutes, regulations, and other directives for the collection, maintenance, use, and dissemination of data, including the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy as implemented under the HHS Information Security Program and the Federal Information Security Act of 2002 (Public Law 107-347). DHQP currently operates under the protections of the CDC WAN and incorporates Active Directory security features. Additionally, the WAN is in compliance with CDC's Information Technology Security Plan Program and includes user ID and password protection; mandatory password changes; limited logins; user rights/file attribute restrictions and virus protection among other features.

• DHQP employees or contractors will be granted access to the files only upon express approval by the Business Steward. Access will be granted for the time indicated on the approval request.

Dissemination of Project Results

Participating healthcare institutions will have access to their own data for the purposes of managing them (e.g., view, add, edit, delete records) and for analyzing them. Individual patients will not receive any reports from DHQP with respect to the voluntarily-provided data.

Except for data mandated by state or federal laws, regulations or other requirements to be made available in publications or reports for public distribution, NHSN data will be reported only in aggregate form with summary statistics such as mean rates per 100 patient-months, percentiles, and relative risks; such statistics could not be used to identify a given healthcare institution.

Records Disposition for the National Archives and Records Administration

After analyses of the project are complete, if the records are determined to be permanently valuable, a public use data tape will be sent to the National Archives and Records Administration (NARA). This transfer will be done in accordance with the May 1996 agreement stating that CDC will transfer to NARA all permanent data sets in accordance with approved schedules contained in part IV of the CDC Records Control Schedule B‑321, with the exception of identifying information collected under an assurance of confidentiality agreement as specified under the Public Health Service Act, Sections 301(d) and 308(d).

If 308(d) records for this project are being sent to the Federal Records Center for temporary storage (in which CDC maintains control of the data), they will be clearly identified as 308(d) protected records. The SF 135 will state: "This accession contains records protected by a confidentiality assurance under Section 308(d) of the PHS Act." The boxes will have a label stating: "This accession contains records protected by a confidentiality assurance under Section 308(d) of the PHS Act. The records can be released only to authorized staff from the Division of Healthcare Quality Promotion (DHQP) at the Centers for Disease Control and Prevention with responsibility for the project entitled “National Healthcare Safety Network."

Attachment 1. Nondisclosure Agreement (308(d) Assurance of Confidentiality for CDC/DHQP Employees)

The success of CDC’s operations depends upon the voluntary cooperation of States, of establishments, and of individuals who provide the information required by CDC programs under an assurance that such information will be kept confidential and be used only for epidemiological or statistical purposes.

When confidentiality is authorized, CDC operates under the restrictions of Section 308(d) of the Public Health Service Act which provides in summary that no information obtained in the course of its activities may be used for any purpose other than the purpose for which it was supplied, and that such information may not be published or released in a manner in which the establishment or person supplying the information or described in it is identifiable unless such establishment or person has consented.

“I am aware that unauthorized disclosure of confidential information is punishable under Title 18, Section 1905 of the U.S. Code, which reads:

“Whoever, being an officer or employee of the United States or of any department or agency thereof, publishes, divulges, discloses, or makes known in any manner or to any extent not authorized by law any information coming to him in the course of his employment or official duties or by reason of any examination or investigation made by, or return, report or record made to or filed with, such department or agency or officer or employee thereof, which information concerns or relates to the trade secrets, processes, operations, style of work, or apparatus, or to the identity, confidential statistical data, amount or source of any income, profits, losses, or expenditures of any person, firm, partnership, corporation, or association; or permits any income return or copy thereof or any book containing any abstract or particulars thereof to be seen or examined by any person except as provided by law; shall be fined not more than $1,000, or imprisoned not more than one year, or both; and shall be removed from office or employment.”

“I understand that unauthorized disclosure of confidential information is also punishable under the Privacy Act of 1974, Subsection 552a (I) (1), which reads:

Attachment 2. Safeguards for Individuals and Establishments against Invasions of Privacy

In accordance with Subsection (m) of the Privacy Act of 1974 (5 U.S.C. 552a) and Section 308(d) of the Public Health Service Act (42 U.S.C. 242m), the contractor is required to comply with the applicable provisions of the Privacy Act and to undertake other safeguards for individuals and establishments against invasions of privacy.

To provide these safeguards in performance of the contract, the contractor shall:

1. Be bound by the following assurance:

Assurance of Confidentiality

In accordance with Section 308(d) of the Public Health Service Act (42 U.S.C. 242m), the contractor assures all respondents that the confidentiality of their voluntary disclosures and responses to the applicable information request will be maintained by the contractor and CDC and that such information obtained in the course of this activity will not be disclosed in a manner in which the individual or establishment is identifiable, unless the individual or establishment has consented to such disclosure, to anyone other than authorized staff of CDC.

2. Maintain the following safeguards to assure that confidentiality is protected by contractor’s employees and to provide for the physical security of the voluntarily provided disclosures and records:

a. After having read the above assurance of confidentiality, each employee of the contractor participating in this project is to sign the following pledge of confidentiality:

“I have carefully read and understand the assurance which pertains to the confidential nature of all voluntarily provided disclosures and records to be handled in regard to this survey. As an employee of the contractor I understand that I am prohibited by law from disclosing any such confidential information which has been obtained under the terms of this contract to anyone other than authorized staff of CDC. I understand that any willful and knowing disclosure in violation of the Privacy Act of 1974 is a misdemeanor and would subject the violator to a fine of up to $5,000”.

b. To preclude observation of confidential information by persons not employed on the project, the contractor shall maintain all confidential records that identify individuals or establishments or from which individuals or establishments could be identified under lock and key.

Specifically, at each site where these items are processed or maintained, all confidential records that will permit identification of individuals or establishments are to be kept in locked containers when not in use by the contractor’s employees. The keys or means of access to these containers are to be held by a limited number of the contractor’s staff at each site. When confidential records are being used in a room, admittance to the room is to be restricted to employees pledged to confidentiality and employed on this project. If at any time the contractor’s employees are absent from the room, it is to be locked.

c. The contractor and his professional staff will take steps to insure that the intent of the pledge of confidentiality is enforced at all times through appropriate qualifications standards for all personnel working on this project and through adequate training and periodic follow up procedures.

3. Print on the questionnaire used to obtain voluntarily provided information in a clearly visible location and in clearly visible letters the following notice of the confidential treatment to be accorded the information on the questionnaire by any individual who may see it:

Confidential Information

Information contained on this form which would permit identification of any individual or establishment has been collected with a guarantee that it will be held in strict confidence by the contractor and CDC, will be used only for purposes stated in this project, and will not be disclosed or released to anyone other than authorized staff of CDC without the consent of the individual or the establishment in accordance with Section 308(d) of the Public Health Service Act (42 U.S.C.242m).

4. On a letter or other form that can be retained by the individual or the establishment, or on the questionnaire form itself if it is a self-administered questionnaire, inform in clear and simple terms each individual or establishment asked to voluntarily supply information:

a. That the collection of the information by CDC and its contractor is authorized by Section 306 of the Public Health Service Act (42 U.S.C.242k);

b. Of the purpose or purposes for which the information is intended to be used, clearly stating that the records will be used solely for epidemiological or statistical research and reporting purposes;

c. Of the routine uses that may be made of the information, including all disclosures specified in the Federal Register for this system of records which may be applicable to this project;

d. That participation is voluntary and there are no penalties for declining to participate in whole or in part; and

e. That no information collected under the authority of Section 306 of the Public Health Service Act (42 U.S.C. 242k) may be used for any purpose other than the purpose for which it was supplied, and such information may not be published or released in other form if the particular individual or establishment supplying the information or described in it is identifiable to anyone other than authorized staff of CDC, unless the individual or establishment has consented to such release.

(The voluntary disclosure by the respondent of requested information after being informed of preceding paragraphs a through d is an acknowledgment of the uses and disclosures contained in paragraph c.)

5. Release no information from the voluntarily provided data obtained or used under this contract to any person except authorized staff of CDC.

6. By a specified date, which may be no later than the date of completion of the contract, return all project data to CDC or destroy all such data, as specified by the contract.

_______________________ __________________________ ________________

Typed/Printed Name Signature Date

E. CDC Human Subjects Review

The CDC Institutional Review Board has determined that NHSN does not require its approval (see Attachments 3 and 4 which are in separate documents).

Attachment 3. Email notification of closure of Protocol 4062 “National Healthcare Safety Network”

Attachment 4. NHSN – Report of End of Human Research Review for Protocol 4062 “National Healthcare Safety Network”

F. Additional Attachments

Attachment 5. NHSN Agreement to Participate and Consent

This document states the purposes of NHSN, the eligibility criteria for participating in NHSN, the data collection and reporting requirements for participation, and the assurance of confidentiality. It must be signed the primary contact persons for any of the components in which the facility is participating as well as by an official authorized to bind the facility to the terms of the agreement (e.g., chief executive officer). DHQP retains a facsimile (scanned image) of the original signed in its secured NHSN files.

All new NHSN facilities will be consented and all existing NHSN facilities will be reconsented. If an existing NHSN facility declines to sign the new consent, the facility will be withdrawn from the system. The new data sharing provisions will apply to data entered after January 1, 2011.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author	dap1
File Modified	0000-00-00
File Created	2021-02-01