Attachment T – NCHS Confidentiality Letter
Centers for Disease Control and Prevention
National Center for Health Statistics
3311 Toledo Road
Hyattsville, Maryland 20782
The National Hospital Care Survey (NHCS), conducted by the National Center for Health Statistics (NCHS), Centers for Disease Control and Prevention (CDC) is an electronic data collection, gathering Uniform Bill (UB) 04 administrative claims data or electronic health records data from sampled hospitals. NHCS will have two data collection components, inpatient and ambulatory. Patient identifiers for both components are collected to enable linkage to birth and death records, data from the Centers for Medicare & Medicaid Services (CMS), data from the Department of Housing and Urban Development (HUD), and data from the Department of Veterans Affairs (VA).
The purpose of this letter is to more fully address issues of possible concern to participating facilities, such as disclosure of patient protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (PL 104-191), safeguards, use and disclosure of data, and dissemination of information by NCHS.
Special provisions within HIPAA permit hospitals to provide data to public health entities such as CDC/NCHS for public health purposes. The HIPAA Privacy Rule (45 CFR Part 160 and Part 164, subparts A and E) recognizes (i) the legitimate need for public health authorities and others responsible for ensuring the public’s health and safety to have access to protected health information to conduct their missions, and (ii) the importance of public health reporting by covered entities in identifying threats to the public and individuals. The Privacy Rule permits (i) protected health information disclosures without written patient authorization for specified public health purposes, to public health authorities legally authorized to collect and receive the information for such purposes; and (ii) disclosures that are required by state and local public health or other laws [HIPAA regulations (45 CFR 164.501)]. Thus, HIPAA permits hospitals to participate in studies of this nature for public health purposes. Because contractors serve as authorized agents of NCHS, it is permissible to disclose data to NCHS contractors for the purposes of this project.
NHCS information is stored and processed by automated information systems that have been subjected to CDC’s security authorization process. All federal requirements concerning administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of confidential data collected in the NHCS are met. Data are transmitted to NCHS and its contractors by secure data networks, and no data are transmitted unless encrypted. Once received, confidential data are housed on a server with access restricted to authorized users.
NCHS and its agents are required by law to keep all data regarding patients and facilities strictly confidential and to use these data only for statistical purposes as stated by Section 308(d) of the Public Health Service Act [42 United States Code 242m(d)] and [Section 513 of the Confidential Information Protection and Statistical Efficiency Act (Pub. L. No. 115-435, 132 Stat. 5529 § 302)]. Willful unauthorized disclosure of confidential information is punishable as a Class E felony with fines of up to $250,000 and 5 years imprisonment, or both. This penalty applies to both NCHS staff and its agents. All NCHS contractors are agents and under legally binding agreements to comply with all requirements for safeguards, access and disclosure. NCHS staff and its agents are required annually to complete training on confidentiality requirements and practices—including reporting any breach of confidentiality-- and to sign annual non-disclosure agreements confirming intention to abide by all rules and regulations protecting confidential data. Contractor organizations are required to meet the same administrative, physical and technical safeguards as NCHS and to agree in writing to the same restrictions and obligations with respect to safeguarding confidential information collected in the NHCS.
The NCHS Ethics Review Board (ERB) has approved this study to be in compliance with NCHS Practices and Procedures.
NCHS has contracted with Westat to conduct hospital recruitment and data collection for NHCS.
All information collected by the NHCS will be the property of NCHS and will be kept strictly confidential. The identity of specific hospitals or individual patients will not be released in any manner except to NCHS staff, contractors, and agents—only when required and with necessary controls. Results of the study will be published only in an aggregated manner that will not allow identification of any individual hospital or patient. Information intended for inclusion in public use microdata files is reviewed by the NCHS Disclosure Review Board to ensure the risk of disclosure of information that would permit the identification of an individual patient or hospital is minimized. Although linkage of patient information to birth and death records, data from the CMS, data from HUD, and data from the VA are planned, there will be no contact with patients. NCHS linkage activities are tightly controlled and survey information is separated from the minimal set of linkage keys prior to linkage. Direct personally identifiable information is kept separate from other survey information and access is highly restricted in a secure physical environment. The ERB at CDC’s NCHS has reviewed and approved all NCHS linkage activities.
NCHS understands the expectations of data providing facilities to safeguard PHI collected by the NHCS and is committed to safeguarding information entrusted to us.
Sincerely,
Donna Miller, M.S.
NCHS Confidentiality Officer
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Title | Appendix H Induction letter |
Author | Christine Lucas |
File Modified | 0000-00-00 |
File Created | 2024-07-27 |