Att H3_NHSN 308d Request for Extension and Amendment

Memo Request for Amendment of the Assurance of Confidentiality

Memorandum

Date: September 14, 2015

To: Joseph Rush Jr., Confidentiality Administrator, OADS/OSI

From: Daniel Pollock, Surveillance Branch Chief, DHQP/NCEZID

Subject: Request for Extension and Amendment of Assurance of Confidentiality for the National Healthcare Safety Network (NHSN)

This is an official request for amendment and extension of the Assurance of Confidentiality under Public Health Services Act Section 308(d) for the National Healthcare Safety Network

1. Background Information

The National Healthcare Safety Network (NHSN) is a surveillance system used by CDC, healthcare facilities, state and local health departments, the Centers for Medicare and Medicaid Services, and other public and private sector organizations for collection, analysis, and reporting data on healthcare-associated infections (HAIs), other adverse healthcare events, antimicrobial use and resistance, adherence to prevention guidelines, and use of antimicrobial stewardship programs. NHSN began as a voluntary system in October 2005, with approximately 300 hospitals participating. Since its inception, participation in NHSN has increased to over 16,000 healthcare facilities, and most of this growth is attributable to state mandates that require healthcare facilities in their jurisdiction to report data to NHSN and Centers for Medicare and Medicaid Services (CMS) requirements for healthcare facilities to report to NHSN as part of CMS quality measurement and incentive payment programs.

Some but not all of the data submitted to NHSN pursuant to state or CMS requirements are publicly reported as healthcare-facility summary measures by states or CMS. Currently, 33 states and Washington, DC, require healthcare facilities in their jurisdiction to report to NHSN, and the CMS Inpatient Quality Reporting Program, Hospital Acquired Conditions Program, Hospital Value Based Purchasing Program, and the End-Stage Renal Disease Quality Incentive Program all require healthcare facilities to report to NHSN as part of CMS’ public reporting and payment requirements. Still, many healthcare facilities participate in NHSN voluntarily, and many healthcare facilities that are required by their state or CMS to submit data to NHSN also report data to the system that are not publicly reported as healthcare-facility summary measures. As a result, the data that healthcare facilities submit to NHSN are a mix of data that are publicly reported by states or CMS and data that are not publicly reported, either because they are submitted voluntarily to NHSN or are not included in publicly reported summary measures. This “Request for Extension and Amendment of Assurance of Confidentiality for the National Healthcare Safety Network (NHSN) is intended to cover those data that healthcare facilities submit to NHSN that are (1) reported voluntarily to the system, or (2) not publicly reported as summary measures by either states or CMS.

The purposes of NHSN are to:

• Collect data from healthcare facilities in the United States to permit valid estimation of the magnitude of adverse events among patients or residents and healthcare personnel.

• Collect data from a sample of healthcare facilities in the United States to permit valid estimation of the adherence to practices known to be associated with prevention of these adverse events.

• Analyze and report collected data to permit recognition of trends at the local, state, and national levels.

• Provide facilities with risk-adjusted metrics that can be used for inter-facility comparisons and local quality improvement activities.

• Assist facilities in developing surveillance and analysis methods that permit timely recognition of patient or resident and healthcare worker safety problems and prompt intervention with appropriate measures.

• Conduct collaborative research studies with NHSN member facilities (e.g., describe the epidemiology of emerging healthcare-associated infection [HAI] and pathogens, assess the importance of potential risk factors, further characterize HAI pathogens and their mechanisms of resistance, and evaluate alternative surveillance and prevention strategies).

• Facilitate recruitment of facilities into high priority collaborative evaluations that seek to identify new ways to prevent or control antimicrobial resistance or prevent healthcare-associated infections by providing facility identifiers to federal agencies and peer-reviewed, CDC-approved research projects for potential participation in studies, including comparative effectiveness assessments.

• Comply with legal requirements – including but not limited to state or federal laws, regulations, or other requirements – for mandatory reporting of facility-specific adverse event, prevention practice adherence, and other public health data.

• Enable healthcare facilities to report data via NHSN to the U.S. Center for Medicare and Medicaid Services (CMS) in fulfillment of CMS’s quality measurement reporting requirements for those data.

• Provide data to CDC-supported healthcare quality improvement projects for purposes of identifying improvement opportunities, initiating or maintaining improvement efforts, and measuring the impact of those efforts.

• Provide state and local health departments with information that identifies the facilities in their state that participate in NHSN.

• Provide to state and local health departments, at their request, facility-specific, NHSN data for surveillance, prevention, or mandatory public reporting.

The first Assurance of Confidentiality for NHSN was granted on March 31, 2005, and the first extension and amendment was granted on September 24, 2010 to assure confidentiality of data that healthcare facilities submit voluntarily to NHSN.

2. Reason for the Request:

The data that healthcare facilities submit to NHSN that are not publicly reported as summary measures by a state or CMS are invaluable data for surveillance of healthcare-associated infections, other adverse healthcare events, antimicrobial use and resistance, use of prevention guidelines, and use of antimicrobial stewardship programs. These data are essential to understand the magnitude and distribution of adverse events, identify prevention gaps and quality improvement opportunities, and to evaluate the impact of interventions. However, because of the sensitivity of these data, the reputation of healthcare facilities and their ability to attract patients and otherwise conduct business may be seriously compromised if the non-publicly reported data were released, because these data may be misinterpreted by the lay public. Further, if the non-publicly reported data includes information on individual patients and is unprotected by an assurance of confidentiality, healthcare facilities are at risk of having information used against them by the plaintiff’s attorneys in a lawsuit.

The proposed amendment is to provide confidentiality protection for all data that healthcare facilities submit to NHSN that are not publicly reported by a state or CMS. The scope of the confidentiality protection covers data submitted to NHSN for all components and modules.

Key NHSN staff:

Branch Chief and Business Steward – Daniel Pollock

Technical Steward – Barry Rhodes

Project Officer – Kimberly Dobson

3. Utilization of Confidentiality Protection:

308(d) Assurance of Confidentiality has been invoked to prevent disclosure of data in responses to multiple FOIA requests.

4. Why Confidentiality Protection is still needed

The ability to obtain information from hospitals and other healthcare facilities to prevent adverse events and improve care will be severely impaired without assurance of confidentiality for data that are not publicly reported by a state or CMS. If the data submitted to NHSN are to be complete and accurate, healthcare facilities must be forthcoming and surveillance personnel must have access to any and all relevant data sources. Healthcare facilities that perceive a threat of public disclosure of data that are not publicly reported by a state or CMS might opt to minimize or obstruct surveillance, which in turn would undermine NHSN’s ability to provide accurate and useful data for purposes of safeguarding patients and preventing adverse healthcare outcomes.