Pia

National Healthcare Safety Network (NHSN)

OMB Control No. 0920-1317

Privacy Act Checklist

The NHSN consists of five components: Patient Safety, Healthcare Personnel Safety, Biovigilance, Long-Term Care Facility, and Dialysis. In general, the data reported under the Patient Safety Component protocols are used to (1) determine the magnitude of the healthcare-associated adverse events under study, trends in the rates of the events, in the distribution of pathogens, and in the adherence to prevention practices, and (2) to detect changes in the epidemiology of adverse events resulting from new medical therapies and changing patient risks. Additionally, reported data will be used to describe the epidemiology of antimicrobial use and resistance and to understand the relationship of antimicrobial therapy to this growing problem. Under the Healthcare Personnel Safety Component protocols, data on events--both positive and adverse--are used to determine (1) the magnitude of adverse events in healthcare personnel and (2) compliance with immunization and sharps injuries safety guidelines. Under the Biovigilance Component, data on adverse reactions and incidents associated with blood transfusions are used to provide national estimates of adverse reactions and incidents. The Long-Term Care Facility (LTCF) Component more specifically and appropriately captures data from the residents of skilled nursing facilities. Reporting methods have been created by using forms from the Patient Safety Component as a base, with modifications to specifically address the nuances of LTCF residents. The Dialysis Component was developed in order to separate reporting of dialysis events from the Patient Safety Component. This component tailors the NHSN user interface for dialysis users to simplify their data entry and analyses processes as well as provide options for expanding the Dialysis Component in the future to include dialysis surveillance in settings other than outpatient facilities.

One new component will be added to NHSN within the next year: Outpatient Procedure. The new Outpatient Procedure Component will be developed to gather data on the impact of infections and other outcomes related to outpatient procedures that are performed in settings such as Ambulatory Surgery Centers (ASCs), Hospital Outpatient Departments (HOPDs), and physicians’ offices. Three event types will be monitored in this new component: Same Day Outcome Measures, Prophylactic Intravenous (IV) Antibiotic Timing, and Surgical Site Infections (SSI).

The surveillance data are typically obtained by designated and trained staff, primarily registered nurses in infection control or occupational health or transfusion medicine laboratory personnel who routinely access administrative and clinical services reports and medical records, make observations during ward and patient rounds, and verbally discuss patients’ conditions with direct caregivers. Persons with training in other healthcare disciplines such as medical technology and microbiology also perform surveillance. Information on antibiotic resistance of clinical isolates and antimicrobial use is reported from the clinical laboratory and pharmacy, respectively.

Items of information to be collected include surveillance data related to various healthcare-associated adverse events and trends. Examples of these items are medical information and notes, medical records numbers, date of birth, gender, and biological specimen information. Personal identifying information is collected for one of two purposes. The information is used to either a) enumerate a specific event and minimize duplication (e.g., medical record number) and b) analyze risk factors related to the event data being collected (e.g., date of birth and gender). Data are reported to CDC and CDC aggregates the data for national surveillance and public health practice evaluation purposes.

For the participating healthcare institutions, data are collected in this system for the purposes of local surveillance and program evaluation. DHQP aggregates the data for national surveillance and public health practice evaluation purposes. No primary research will be conducted as part of this data collection effort and no patient consent forms will be used. Although this is not a research project, this Protocol was submitted for ethical review to the CDC Institutional Review Board (IRB) and was approved (Protocol #4062, exp. 05/18/05.) The most recent request for amendment and continuation was approved on 08/29/06 and expired on 05/18/07. Subsequently, in consultation with NCEZID senior staff, the program was advised that the activities of the NHSN are surveillance and evaluation of public health practice and that IRB review is no longer required, therefore the protocol has been closed (Attachment F).

An Assurance of Confidentiality is granted for all data collected under NHSN. Accordingly, “the voluntarily provided information obtained in this surveillance system that would permit identification of any individual or institution is collected with a guarantee that it will be held in strict confidence, will be used only for the purposes stated, and will not otherwise be disclosed or released without the consent of the individual, or the institution in accordance with Sections 304, 306 and 308(d) of the Public Health Service Act (42 USC 242b, 242k, and 242m(d)).”

The use of the NHSN is both voluntary and mandated. State legislatures have mandated the use of the NHSN for public reporting of healthcare-acquired infections by healthcare facilities in their state. The Office of the General Counsel (OGC) believes that NHSN, as it is currently being utilized by CDC, is not a Privacy Act system of records and provides case law to support this determination (Henke v. U.S. Department of Commerce and Fisher v. NIH). Specifically, the OGC stated that "The CDC NHSN system is similar to the computerized information in both the Henke and Fisher cases. While CDC has the capability to retrieve data by personal identifier, CDC does not, as a matter of practice or policy, retrieve data in this way. Specifically, the primary practice and policy of CDC regarding NHSN data is to retrieve data by the name of the hospital or other non-personal identifier, not an individual patient, for surveillance and public health purposes. Furthermore, patient identifiers are not necessary for NHSN to operate, and CDC does not regularly or even frequently use patient names to obtain information about these individuals."

While the Privacy Act is not applicable, in accordance with the stringent safeguarding that must be in place for 308(d) assurance of confidentiality protected projects, safeguarding are still in effect. These include: requiring the use of a password issued via CDC’s Secure Access Management System for access to the application; data encryption using Secure Socket Layer technology; and lastly, storage of data in password protected files on secure computers in locked, authorized-access-only rooms.

This data collection effort is consistent with the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), which expressly permits disclosures without individual authorization to public health authorities authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to public health surveillance, investigation, and intervention.