Privacy and Confidentiality Unit:
Cover Page
Project Name: National Healthcare Safety Network
Contact information
Principal Investigator: Lauren Wattenmaker
National Center: NCEZID
Division: DHQP
Address: 1600 Clifton Rd, MS H16-3, Atlanta, GA 30329
Phone: 404-718-5842
Email:
Attachments
List all attachments associated with your project or application (Please note some attachments will vary based on the project):
Attachment A: Non-Disclosure Agreement
Attachment B: Contractor’s Pledge of Agreement
Attachment C: Safeguards for Individuals and Establishments against Invasions of Privacy
Attachment D: Regulatory Determination (attach actual documents)
Attachment E: Agreement to Participate and Consent
REQUEST FOR AMENDMENT AND EXTENSION OF ASSURANCE OF CONFIDENTIALITY FOR THE National Healthcare Safety Network
DIVISION OF HEALTHCARE QUALITY PROMOTION
NATIONAL CENTER FOR EMERGING AND ZOONOTIC INFECTIOUS DISEASES
Original Application Approval: March 31, 2005
1st Extension and Amendment Application Approved: September 24, 2010
2nd Extension and Amendment Approved: December 7, 2015
Amendment Approved: November 15, 2017
Extension and Amendment Approval Period: September 2015 – December 2020
Amendment and Extension Request December 2020 approved December 2020 – December 2025
A) Purpose of Project
Describe the programmatic purpose(s) of the project including the type of data to be collected and the uses of the information collected. This section is a summary of the project and should be approximately two pages.
The National Healthcare Safety Network (NHSN) is a domestic tracking and response system used to identify emerging and enduring threats across healthcare, such as COVID-19, healthcare-associated infections (HAIs), and antibiotic-resistant (AR) infections. Managed by the Division of Healthcare Quality Promotion (DHQP) at the Centers for Disease Control and Prevention (CDC), NHSN is the nation’s most comprehensive and established system to capture and analyze infection data, drive improvement in healthcare quality, and stop the spread of deadly pathogens. NHSN assists DHQP in fulfilling its mission to:
Protect patients, protect healthcare personnel, and promote safety, quality, and value in the healthcare delivery system by providing national leadership for measuring, validating, interpreting, and responding to data relevant to healthcare outcomes, healthcare-associated infections/antimicrobial resistance, related adverse events, and medical errors among patients and healthcare personnel.[1]
NHSN began as a voluntary surveillance system in 2005 with approximately 300 hospitals participating. Since its launch, NHSN enrollment has increased to more than 37,000 facilities in 2020. NHSN increasingly has served as the operational system for compliance with mandatory healthcare-associated infection (HAI) reporting requirements established by states. By 2020, 37 states have opted to use NHSN as the operational system for mandatory reporting by healthcare facilities in their jurisdictions. In addition, the Centers for Medicare and Medicaid Services (CMS) requires HAI reporting to NHSN in several of its Medicare reporting programs, including the Hospital Value-based Purchasing Program, Hospital-Acquired Condition Reduction Program, the Inpatient Rehabilitation Facility Quality Reporting Program, the Long-term Acute Care Hospital Quality Reporting Program, and the End-Stage Renal Disease Quality Incentive Program. Further, federal legislation has established mandatory reporting of COVID-19 data to NHSN.
The purposes of NHSN are to:
Collect data from healthcare facilities in the United States to permit valid estimation of adverse events among patients or residents and healthcare personnel.
Collect data from a sample of healthcare facilities in the United States to permit valid estimation of the adherence to practices known to be associated with prevention of these adverse events.
Analyze and report collected data to permit recognition of trends at the local, state, and national levels.
Provide facilities with risk-adjusted metrics that can be used for inter-facility comparisons and local quality improvement activities.
Assist facilities in developing surveillance and analysis methods that permit timely recognition of patient or resident and healthcare worker safety problems and prompt intervention with appropriate measures.
Conduct collaborative research studies with NHSN member facilities (e.g., describe the epidemiology of emerging healthcare-associated infections [HAIs] and pathogens, assess the importance of potential risk factors, further characterize HAI pathogens and their mechanisms of resistance, and evaluate alternative surveillance and prevention strategies).
Facilitate recruitment of facilities into collaborative evaluations that seek to identify new ways to prevent or control antimicrobial resistance or prevent healthcare-associated infections by providing facility identifiers to federal agencies and peer-reviewed, CDC-approved research projects for potential participation in studies, including comparative effectiveness assessments.
Comply with legal requirements – including but not limited to state or federal laws, regulations, or other requirements – for mandatory reporting of facility-specific adverse event, prevention practice adherence, and other public health data.
Enable healthcare facilities to report data via NHSN to the Centers for Medicare & Medicaid Services (CMS) of the U.S. Department of Health and Human Services (DHHS) in fulfillment of CMS’s quality measurement reporting requirements for those data.
Provide patient-level data and annual facility survey data to CMS that are deemed required data in CMS rule-making and that are used by CMS for its program administration, monitoring and evaluation activities, including validation, appeals review, program impact evaluation, and development of quality measure specifications.
Provide patient- and healthcare facility-level data, including annual facility survey data, to CMS for use by CMS programs in the design, operations, and evaluation of quality improvement programs in which healthcare facilities participate voluntarily.
Provide state, local, and territorial health departments with information that identifies the facilities in their state that participate in NHSN.
Provide to state, local, and territorial health departments, at their request, facility-specific, NHSN data for surveillance, prevention, or mandatory public reporting.
Provide to state, local, and territorial health departments facility-level information to facilitate HAI prevention efforts (e.g., identifying facilities to target for prevention activities), and
Provide patient- and healthcare facility-level data to state or local health departments during an outbreak investigation to assist their case-finding or outbreak control.
Since its inception, participation in NHSN has increased to over 37,000 healthcare facilities, and most of this growth is attributable to state mandates that require healthcare facilities in their jurisdiction to report data to NHSN and CMS requirements for healthcare facilities to report to NHSN as part of CMS quality measurement and incentive payment programs. Still, many healthcare facilities, even in states with mandatory reporting requirements, submit at least some HAI data to NHSN voluntarily. As a result, the HAI data reported to NHSN are a mix of data reported voluntarily and mandatorily.
A list of identifiable or sensitive information the NHSN system collects is described below:
Patients: Patient identification number (may be a medical record number), gender and date of birth. For some patients, birth weight is required.
Healthcare workers: Healthcare worker identification number, gender, date of birth, work location, and occupation.
Facilities: Facility name, address, county, city, state, zip code, telephone number, identifying number (i.e., CMS provider number and/or American Hospital Association identification number and/or Veterans Administration station code), type, ownership category, affiliation with a medical school (y/n), and bed-size characteristics.
Users: Name, address (if different from facility), telephone number, and email address.
Optional information that may be reported to NHSN:
Patients: Social security number, secondary identification number, name, ethnicity, and race.
Healthcare workers: Name, address, work and home phone numbers, email address, born in United States (y/n), ethnicity, race, and date of employment.
Users: Fax number, pager number, and title.
The first Assurance of Confidentiality for NHSN was granted on March 31, 2005, and the first extension and amendment was granted on September 24, 2010, to assure confidentiality of data that healthcare facilities submit voluntarily to NHSN. The second extension and amendment was granted on December 7, 2015, to provide confidentiality protection for all data that healthcare facilities submit to NHSN, for all components and modules that are not publicly reported by a state or CMS. The third amendment was granted on November 15, 2017, to provide confidentiality protection for all data that healthcare facilities submit to NHSN that are used only for the purposes provided above. The purposes of NHSN were updated to reflect an evolving and growing NHSN. The NHSN Assurance of Confidentiality was amended in 2020 to cover those data that are voluntarily provided by healthcare facilities to DHQP through the NHSN and not data that are either (1) mandated by state or federal laws, regulations, or other requirements, or (2) requested by state agencies for surveillance or prevention purposes.
Amendment to include COVID-19 and Neonatal data reported into NHSN
In response to the COVID-19 pandemic, NHSN planned and introduced new COVID-19 modules that enable hospitals, long-term care facilities and ambulatory hemodialysis facilities to report COVID-19 data to NHSN. In turn, NHSN enables state and local health departments to gain immediate access to the COVID-19 data reported by healthcare facilities in their jurisdictions via existing NHSN groups. CDC, state and local health departments, and the federal government response use this surveillance data to prioritize the allocation of resources and response efforts.
CDC’s Division of Healthcare Quality Promotion Surveillance Branch expanded the existing NHSN system with the following distinct COVID-19 reporting modules: a hospital capacity and patient impact COVID-19 module for hospitals, a long-term care facility (LTCF) COVID-19 module, an outpatient dialysis module, and collection of SARS-CoV-2 point-of-care antigen test data from long-term care facilities.
On May 8, 2020, the Centers for Medicare and Medicaid Services (CMS) published an Interim Final Rule with Comment Period to mandate that all approximately 15,600 CMS-certified nursing homes report standard COVID-19 data to NHSN through the LTCF COVID-19 module. As part of this rule, CMS publicly reports facility-level nursing home data. Facilities began to submit data to this module on May 17, 2020 and must submit data through NHSN at least once every seven days. Reporting into the hospital capacity and patient impact COVID-19 module began in March of 2020 and ended on July 15, 2020. Reporting into the dialysis module began in November of 2020.
In addition to NHSN’s response to the pandemic, NHSN’s new Neonatal Component is expected to launch in 2021. This component will focus on premature neonates and the healthcare-associated events that occur as a result of their prematurity. This component will be released with one module, which includes Late Onset-Sepsis and Meningitis, which are common complications of extreme prematurity. There is no manual entry available to users for the new neonatal component. Both numerator and denominator data will be imported into the Clinical Document Architecture (CDA) via electronic data transfer. This will allow users to obtain data submitted via CDA and focus on prevention activities within their respective hospitals or facilities. All data collected in these modules and in the POC initiative fall under the personally identifiable information (PII) previously specified in the hospital acquired infection (HAI) data collected by NHSN.
B) Justification of Need
Describe why it is important to protect the individual or institution with an Assurance of Confidentiality.
First, institutional information that identifies healthcare facilities must be protected because it would compromise the business of these institutions and the facilities would not report into NHSN without an assurance of confidentiality. The reputation of the healthcare institution and its ability to attract patients and otherwise conduct business may be seriously compromised if these voluntarily provided data were released, since they can easily be misinterpreted by the lay public. Further, if this voluntarily provided data includes information on individual patients and is unprotected by an assurance of confidentiality, healthcare institutions are at risk of having information used against them by a plaintiff’s attorneys in a lawsuit. The ability to voluntarily obtain information from hospitals and other healthcare facilities as well as those of individual healthcare institutions to improve the quality of healthcare will be severely impaired without an assurance of confidentiality. If the data are to be accurate, healthcare institutions must be candid and surveillance personnel must have access to all relevant data sources. Healthcare institutions that perceive a threat of public disclosure of their voluntarily provided identifiable data can easily reduce their adverse event rates by minimizing or obstructing surveillance, which would result in undermining NHSN’s ability to provide accurate and useful data for the nation.
Second, NHSN contains healthcare information about individuals which may be sensitive or violate the individual’s privacy if disclosed inappropriately. Names, social security numbers, and medical record numbers are just some examples of the types of medical information that could cause individual harm if disclosed. Since healthcare worker information is collected, the sensitive nature of that employment information could affect the individual’s employability or insurance if released improperly. As such, individual information in NHSN should be protected from further release.
Describe why the individual or institution will not furnish or permit access to the information unless an Assurance of Confidentiality is issued.
Outside of the data that are mandated to be provided to NHSN by applicable state or federal law, regulations and/or other requirements, further participation in NHSN is open to all qualifying healthcare institutions and is voluntary. It is unlikely that any healthcare institution would voluntarily provide data to NHSN if an assurance of confidentiality cannot protect such data; a critical national source for data on the quality of healthcare would cease to exist. At the time of enrollment, healthcare institutions will be provided with a document setting out the coverage of the 308(d) statement of assurance of confidentiality.
Describe whether or not the information could be obtained with the same degree of reliability from sources that do not require an assurance.
It is not possible to obtain the levels and types of data that can be used for calculating rates on adverse events that are adjusted for risk factors and stratified by various patient and institutional groups from any source other than the healthcare institutions themselves. CDC has developed the protocols for NHSN and provides instructional materials on data collection methods, an Internet-based data entry and analysis system, and training courses. Trained surveillance personnel who are given clear instructions and ongoing technical support are necessary for the collection of reliable data on adverse events associated with healthcare. Therefore, NHSN is the only feasible way to obtain valid data for this consolidated surveillance system. Any institution that delivers healthcare would be reluctant to voluntarily release this level and type of information without an Assurance of Confidentiality.
Describe how the information is essential to the success of the particular statistical or epidemiological project and is not duplicative of other information gathering activities of the Department of Health and Human Services.
CDC is unaware of any other group in the Department that is systematically and routinely gathering data on adverse events that can be used to calculate risk-adjusted rates for comparison purposes. Without NHSN, the Department would not have a mechanism for monitoring trends in adverse event rates, nor the ability to determine whether prevention efforts have been successful. The Department has established nine national 5-year prevention targets for healthcare-associated infections and deemed the measurement system for six of them to be NHSN (see Appendix G, HHS Action Plan to Prevent Healthcare-Associated Infections at http://www.hhs.gov/ophs/initiatives/hai/actionplan/index.html).
Describe how the issuance of the Assurance of Confidentiality might restrain CDC from carrying out any of its responsibilities.
An assurance of confidentiality will not restrain CDC from carrying out its public health responsibilities because at the time of enrollment into NHSN, healthcare institutions will be required to sign an agreement to participate which stipulates that they agree to provide all data that are legally required to be provided or requested by their state and that they will report outbreaks or other problems of public health importance identified through the surveillance system and for which they are contacted by CDC to their local health authorities.
In addition, as recent legislation shows, the type of information being collected in the NHSN has been determined to be critical to monitoring and assessing healthcare quality in various healthcare settings. That legislation provides validation to the objectives of the NHSN. The legislation, though, requires certain information be collected by CDC and made available to the public; NHSN will also work to voluntarily obtain a greater level of data from individual healthcare settings. This Assurance would act to provide protection to those data which are voluntarily provided by participating institutions.
Describe the advantages of assuring confidentiality and how they outweigh the disadvantages.
The only disadvantage to assuring confidentiality is CDC’s inability to acknowledge by name the participating healthcare institutions in publications. Participating institutions demonstrate their commitment to improving the quality of healthcare by allocating considerable personnel and other resources to collecting and reporting data. Most hospitals have taken pride in being a part of the predecessors of NHSN and it is no different with NHSN. Acknowledging the participating institutions could motivate them to provide high quality data and to remain involved with the system. However, because the benefits of assurance of confidentiality far outweigh its disadvantage, the participants in the predecessor surveillance systems have been satisfied with remaining anonymous in publications. Finally, the inherent value of surveillance data lies in their ability to be aggregated according to similar risk groups. Conclusions are drawn from the data itself, not through identification of the specific sources. Thus, identifying participating healthcare institutions by CDC would be counterproductive.
C) Confidentiality Assurance Statement
Data on adverse outcomes associated with healthcare will be collected by the Centers for Disease Control and Prevention (CDC), an agency of the United States Department of Health and Human Services, through the National Healthcare Safety Network (NHSN). A portion of the data collected in NHSN will be data which healthcare institutions are legally mandated to provide to CDC and will be made available as mandated by those state or federal laws, regulations and/or other requirements. However, another portion of the data collected in NHSN will be data that healthcare institutions voluntarily provide to CDC. This Confidentiality Assurance Statement is intended to cover those data which are voluntarily provided by healthcare facilities to NHSN and not data mandated by state or federal laws, regulations, or other requirements, or requested by state agencies for surveillance or prevention purposes.
Institutions will report these voluntarily provided data to the NHSN using the protocols from the Patient Safety, Healthcare Personnel Safety, Biovigilance, Dialysis, Long Term Care, and Outpatient Components. Participating institutions will choose the protocol(s) they wish to use and voluntarily report in accordance with the NHSN data collection and reporting requirements. The voluntarily provided data will be submitted to CDC using the Internet. Data from the Patient Safety Component may include, in part, information about the presence of a healthcare-associated infection, the risk factors, name of the infectious agent and antibiotic susceptibility patterns, and outcome. Information about the characteristics of participating healthcare facilities as well as monthly summary or other denominator data on the patient population being monitored will also be collected. Facility and patient demographic information are included in the voluntarily provided data. Similar data would be voluntarily provided under the other NHSN Components.
The voluntarily-provided data will be used by CDC to describe the epidemiology of healthcare threats and adverse outcomes associated with healthcare in the United States, including trends of hospital infection rates, antimicrobial resistance, and to develop benchmarks for healthcare-associated adverse outcomes in specific patient populations with similar infection risks that can be used for comparison purposes. The individual facilities will internally measure their quality of care by comparing their rates against aggregated data from the NHSN system. Except as mandated by applicable state or federal laws, regulations and/or other requirements, the data will be aggregated and published without personal (including provider and patient names) or institutional identifiers in statistical and analytic summaries and epidemiologic studies.
The voluntarily provided information collected by CDC or its contractors as part of this surveillance system that would permit identification of patients or healthcare institutions is collected and maintained under Sections 304 and 306 of the Public Health Service (PHS) Act (42 USC 242b, 242k) with an assurance that it will be held in strict confidence in accordance with Section 308(d) of the PHS Act (42 USC 242m(d)). Such data will be used only for the purposes stated in this Assurance, and it will not otherwise be disclosed or released without the consent of the parties who were given this Assurance. No information from this data will be disclosed even after death of the patients in this surveillance system. Voluntarily provided information will not be disclosed to consumer advocacy groups; insurance companies; any party involved in civil, criminal, or administrative litigation; agencies of federal, state, or local government; or any other member of the public.
The assurance of confidentiality stated on NHSN data collection forms will read as follows:
Assurance of Confidentiality: The voluntarily provided information obtained in this surveillance system that would permit identification of any individual or institution is collected with a guarantee that it will be held in strict confidence, will be used only for the purposes stated, and will not otherwise be disclosed or released without the consent of the individual, or the institution in accordance with Sections 304, 306 and 308(d) of the Public Health Service Act (42 USC 242b, 242k, and 242m(d)).
D) Confidentiality Security Statement
The Division of Healthcare Quality Promotion (DHQP) is renewing a 308(d) Assurance of Confidentiality for certain voluntarily provided data to be collected within DHQP’s National Healthcare Safety Network (NHSN). Because of this Assurance, certain documents and files that contain names and other information identifying a single healthcare institution or individual will be considered confidential materials and will be safeguarded to the greatest extent possible. Because the voluntarily provided data are highly sensitive and include personally identifiable information (PII), the potential adverse impact of a breach in confidentiality is high and calls for level 3 authentication of remote NHSN users. It is the moral and legal responsibility of each DHQP and contract staff member working on NHSN to protect the right to confidentiality of healthcare institutions participating in NHSN and their patients as provided by this Assurance. This document describes the procedures and practices that DHQP uses to protect the confidentiality of the voluntarily provided data collected as part of this surveillance system and covered by this Assurance.
The contractor who developed the NHSN Internet interface using the Public Health Information Network (PHIN) architecture as the system platform, as well as any contractor who may have access to any element of the voluntarily provided NHSN data that permits identification of patients or institutions, are included under 308(d) protection. We have included reference to them in the Confidentiality Assurance Statement and this Confidentiality Security Statement. When any new contract is contemplated, the DHQP Business Steward for NHSN will notify the CDC Confidentiality Officer so that arrangements can be made with the Procurement and Grants Office to include appropriate 308(d) clauses in the contract and to obtain the required 308(d) confidentiality pledges from all contractor employees associated with the network.
DHQP and contract staff are always required to maintain and protect the confidential records that may come into their presence and under their control. To assure that they are aware of this responsibility and the penalties for failing to comply, each member of the DHQP/NHSN staff must read and sign a Nondisclosure Agreement (CDC 0.979), assuring that all information identifying an individual healthcare institution or patient that is subject to this Assurance will be kept confidential and will be used only for epidemiologic or statistical purposes. When confidentiality authorization is obtained, DHQP staff[2] working on this network will be required to attend a training session at which the confidentiality procedures for the project will be discussed in greater detail by the NHSN Business Steward or his designee. Signed agreements will be obtained at this time.
The Lead Subject Matter Experts for the NHSN are Andrea Benin, MD, Jeneita Bell, MD, Maggie Dudeck, MPH, Jonathan Edwards, MStat, Henrietta Smith, MSN, and Lauren Wattenmaker, MPH. The Lead IT Technical Steward for the NHSN is Kent Lemoine, MBA, and the Business Steward is Lauren Wattenmaker.
Attachment 1 is the Nondisclosure Agreement that all DHQP FTE staff on the project will sign. The originals will be retained by DHQP, with copies at the Management Analysis and Services Office (MASO). Attachment 2 is the contractor’s pledge of confidentiality, called “Safeguards for Individuals and Establishments against Invasion of Privacy.” For NHSN contractors, 308(d) clauses will be added to the contract and all contractor employees with access to the voluntarily provided data that are subject to this Assurance will be required to sign this contractor pledge. Originals of these documents will be retained by PGO with copies on file at DHQP and MASO.
Restrictions on Use of Information and Safeguarding Measures
These measures apply to the voluntarily provided data collected by NHSN subject to this Assurance and not data which are mandated by state or federal laws, regulations, or other requirements.
Information voluntarily collected in the course of conducting NHSN will be used only for the purposes of carrying out the project and shall not be divulged or made known in any manner except as necessary for the project, unless written approval from personnel at the participating healthcare institutions is received.
Data will be transmitted from participating healthcare institutions to CDC by using Internet-based data entry screens provided by CDC or by transmitting data from a computer database created and maintained by the facility. Personal identifiers will be received by CDC.
Data will be encrypted as they are transmitted over the Internet using Secure Sockets Layer technology.
Access to all confidential data collection aspects of NHSN will require the use of a digital certificate via CDC’s Secure Data Network or will require use of a password issued via CDC’s Secure Access Management System (SAMS).
Data will be stored in password-protected files on secure computers stored in locked, authorized-access-only rooms.
NHSN staff is responsible for protecting all confidential records from eye observation, from theft, or from accidental loss or misplacement due to carelessness. All reasonable precautions will be taken to protect confidential project data.
All contractor personnel will receive training in confidentiality procedures.
Recording of all data, or creation of databases for transmission, for this project will be conducted on-site at the participating healthcare institutions. In the future, data may be obtained from entities outside the institution (e.g., commercial laboratory); in such cases, this security statement applies.
DHQP staff will receive certain personal identifying information on individuals, and adverse outcomes information identified by the voluntarily participating healthcare institutions, which is now protected by 308(d). All staff working with the voluntarily provided data subject to this Assurance are not to divulge any identifying information about project participants to anyone other than personnel at the participating healthcare institution or authorized project staff on a “need to know” basis to conduct official business. In general conversation outside the workplace, neither the identifying information, the nature of the data collected, nor the means by which they are collected should be discussed in any detail.
When not in use by authorized NHSN staff, all hard copy material and physical media containing confidential data will be stored in locked containers, file cabinets, or rooms. Access to locked storage areas will be limited to authorized project staff. This procedure will apply to all physical media containing confidential data, including printouts and diskettes. When confidential records are in use, they must be kept out of sight of persons not authorized to work with these records.
Except as needed for operational purposes, printouts of confidential records are not to be made. If printouts are necessary, care should be taken that all copies and originals are recovered from the copy machines and work areas. All confidential paper records will be destroyed as soon as operational requirements permit by shredding the documents.
Enhanced Protection of Computerized Files
These protections apply to the voluntarily provided data collected by NHSN subject to this Assurance and not data which are mandated by state or federal laws, regulations, or requirements, or requested by state agencies for surveillance or prevention purposes.
All voluntarily provided data will be protected in confidential computer files. The following safeguards are implemented to protect NHSN files so that the accuracy and the confidentiality of the data can be maintained:
Computer files containing programs, documents, or confidential data will be stored in computer systems that are protected from accidental alteration and unauthorized access. Computer files will be protected by password systems, controlled sharing, and routine backup procedures.
DHQP complies with several Federal policies, statutes, regulations, and other directives for the collection, maintenance, use, and dissemination of data, including the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy as implemented under the HHS Information Security Program and the Federal Information Security Act of 2002 (Public Law 107-347). DHQP currently operates under the protections of the CDC WAN and incorporates Active Directory security features. Additionally, the WAN is in compliance with CDC's Information Technology Security Plan Program and includes user ID and password protection; mandatory password changes; limited logins; user rights/file attribute restrictions and virus protection among other features.
DHQP employees or contractors will be granted access to the files only upon express approval by the Business Steward. Access will be granted for the time indicated on the approval request.
Dissemination of Project Results
Participating healthcare institutions will have access to their own data for the purposes of managing them (e.g., view, add, edit, delete records) and for analyzing them. Individual patients will not receive any reports from DHQP with respect to the voluntarily provided data.
Except for data mandated by state or federal laws, regulations or other requirements to be made available in publications or reports for public distribution, NHSN data will be reported only in aggregate form with summary statistics such as mean rates per 100 patient-months, percentiles, and relative risks; such statistics could not be used to identify a given healthcare institution.
Records Disposition for the National Archives and Records Administration
After analyses of the project are complete, if the records are determined to be permanently valuable, a public use data tape will be sent to the National Archives and Records Administration (NARA). This transfer will be done in accordance with the May 1996 agreement stating that CDC will transfer to NARA all permanent data sets in accordance with approved schedules contained in part IV of the CDC Records Control Schedule B‑321, with the exception of identifying information collected under an assurance of confidentiality agreement as specified under the Public Health Service Act, Sections 301(d) and 308(d).
If 308(d) records for this project are being sent to the Federal Records Center for temporary storage (in which CDC maintains control of the data), they will be clearly identified as 308(d) protected records. The SF 135 will state: "This accession contains records protected by a confidentiality assurance under Section 308(d) of the PHS Act." The boxes will have a label stating: "This accession contains records protected by a confidentiality assurance under Section 308(d) of the PHS Act. The records can be released only to authorized staff from the Division of Healthcare Quality Promotion (DHQP) at the Centers for Disease Control and Prevention with responsibility for the project entitled “National Healthcare Safety Network.”"
E) Regulatory Determination
Non-Research Determination
This activity was reviewed by CDC and was conducted consistent with applicable federal law and CDC policy. See e.g., 45 C.F.R. part 46.102(l)(2), 21 C.F.R. part 56; 42 U.S.C. §241(d); 5 U.S.C. §552a; 44 U.S.C. §3501 et seq. The CDC Institutional Review Board has determined that NHSN does not require its approval (see Attachment D for documents 3 and 4).
PRA Determination
The activity was reviewed by CDC and it has been determined that PRA applies to this project. Please provide PRA determination supporting documentation as an attachment and OMB control number if available.
OMB Control No. 0920-0666
Privacy Act Applicability
The activity was reviewed by CDC and it has been determined that the Privacy Act applies to this project. Please provide applicable SORN and most recent PIA as an attachment.
Applicable SORNs:
09-20-0136: Epidemiologic Studies and Surveillance of Disease Problems; and
09-90-2001: Records Used for Surveillance and Study of Epidemics, Preventable Diseases and Problems
Attachments
List all attachments associated with your project or application (Please note some attachments will vary based on the project):
Attachment A: Non-Disclosure Agreement for Full-Time Employees (FTEs), CDC Fellows and Students
Attachment B: Non-Disclosure Agreement for Contractors
Attachment C: Safeguards for Individuals and Establishments against Invasions of Privacy
Attachment D: Regulatory Determination
Attachment E: NHSN Agreement to Participate and Consent
ATTACHMENT A
Nondisclosure Agreement (308(d) Assurance of Confidentiality for CDC/DHQP Employees, Fellows, and Students)
The success of CDC's operations depends upon the voluntary cooperation of States, of establishments, and of individuals who provide the information required by CDC programs under an assurance that such information will be kept confidential and be used only for epidemiological or statistical purposes.
“I am aware that unauthorized disclosure of confidential information is punishable under Title 18, Section 1905 of the U.S. Code, which reads:
'Whoever, being an officer or employee of the United States or of any department or agency thereof, publishes, divulges, discloses, or makes known in any manner or to any extent not authorized by law any information coming to him in the course of his employment or official duties or by reason of any examination or investigation made by, or return, report or record made to or filed with, such department or agency or officer or employee thereof, which information concerns or relates to the trade secrets, processes, operations, style of work, or apparatus, or to the identity, confidential statistical data, amount or source of any income, profits, losses, or expenditures of any person, firm, partnership, corporation, or association; or permits any income return or copy thereof or any book containing any abstract or particulars thereof to be seen or examined by any person except as provided by law; shall be fined not more than $1,000, or imprisoned not more than one year, or both; and shall be removed from office or employment.'
“I understand that unauthorized disclosure of confidential information is also punishable under the Privacy Act of 1974, Subsection 552a (i) (1), which reads:
'Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.'
To provide these safeguards in performance of the agreement, the employee, fellow, or student shall:
Be bound by the following assurance:
Assurance of Confidentiality
In accordance with Section 308(d) of the Public Health Service Act (42 U.S.C. 242m), the employee, fellow, or student assures all respondents that the confidentiality of their responses to this information request will be maintained by the employee, fellow, or student and CDC and that no information obtained during this activity will be disclosed in a manner in which the individual or establishment is identifiable, unless the individual or establishment has consented to such disclosure, to anyone other than authorized staff of CDC.
Maintain the following safeguards to assure that confidentiality is protected and to provide for the physical security of the records:
To preclude observation of confidential information by persons not employed on the project, the employee, fellow, or student shall maintain all confidential records that identify individuals or establishments or from which individuals or establishments could be identified under lock and key.
Specifically, at each site where these items are processed or maintained, all confidential records that will permit identification of individuals or establishments are to be kept in locked containers when not in use by the employees. The keys or means of access to these containers are to be held by a limited number of employees. When confidential records are being used in a room, admittance to the room is to be restricted to employees pledged to confidentiality and employed on this project. If at any time the employees are absent from the room, it is to be locked.
If confidential records that permit identification of individuals or establishments must be transmitted electronically, any recipients of the confidential records must also be CDC employees or contractors who have pledged confidentiality by signing this Non-Disclosure Agreement. As a technical matter, electronic transmission must occur only via a CDC-approved, secure file-sharing mechanism such as Multi-User Share Tool (MUST), File Transfer Protocol (FTP) sites, or ShareFile. Identifying information is never to be disclosed in the body of an e-mail.
Each CDC employee, fellow, or student who has access to NHSN information is expected to complete the annual Assurance of Confidentiality Training accessible via the Department of Health and Human Services (HHS) Learning Portal.
The CDC employee, fellow, or student will take steps to ensure that the intent of the pledge of confidentiality is enforced at all times through appropriate qualifications standards for all personnel working on this project and through adequate training and periodic follow-up procedures.
Print on the questionnaire (i.e., NHSN form used for data collection) in a clearly visible location and in clearly visible letters the following notice of the confidential treatment to be accorded the information on the questionnaire by any individual who may see it:
Confidential Information
Information contained on this form which would permit identification of any individual or establishment has been collected with a guarantee that it will be held in strict confidence by the CDC employee, fellow, or student, will be used only for purposes stated in this project, and will not be disclosed or released to anyone other than authorized staff of CDC without the consent of the individual or the establishment in accordance with Section 308(d) of the Public Health Service Act (42 U.S.C. 242m).
On a letter or other form that can be retained by the individual or the establishment, or on the questionnaire form itself if it is a self-administered questionnaire, inform in clear and simple terms each individual or establishment asked to supply information:
That the collection of the information by CDC and its contractor is authorized by Section 306 of the Public Health Service Act (42 U.S.C. 242k);
Of the purpose or purposes for which the information is intended to be used, clearly stating that the records will be used solely for epidemiological or statistical research and reporting purposes;
Of the routine uses that may be made of the information, including all disclosures specified in the Federal Register for this system of records which may be applicable to this project;
That participation is voluntary and there are no penalties for declining to participate in this project; and
That no information collected under the authority of Section 306 of the Public Health Service Act (42 U.S.C. 242k) may be used for any purpose other than the purpose for which it was supplied, and such information may not be published or released in other form if the particular individual or establishment supplying the information or described in it is identifiable to anyone other than the authorized staff of CDC, unless the individual or establishment has consented to such release.
(The voluntary disclosure by the respondent of requested information after being informed of preceding paragraphs a through d is an acknowledgement of the uses and disclosures contained in paragraph c.)
Release no information from the data obtained or used under this contract to any person except authorized staff of CDC.
By a specified date, which may be no later than the date of completion of the contract, return all project data to CDC or destroy all such data, as specified in this agreement.
“My signature below indicates that I have read, understood, and agree to comply with all the statements mentioned in this document.”
_____________________________ ____________________________ ____________
Typed/Printed Name Signature Date
Must be a wet, digital, or digitally-captured/dynamic signature
_______________________________________________________________
Center/Institute/Office
CDC 0.979
ATTACHMENT B
Nondisclosure Agreement (308(d) Assurance of Confidentiality for Contractors)
In accordance with Subsection (m) of the Privacy Act of 1974 (5 U.S.C. 552a) and Section 308(d) of the Public Health Service Act (42 U.S.C. 242m), the contractor is required to comply with the applicable provisions of the Privacy Act and to undertake other safeguards for individuals and establishments against invasions of privacy.
To provide these safeguards in performance of the contract, the contractor shall:
Be bound by the following assurance:
Assurance of Confidentiality
In accordance with Section 308(d) of the Public Health Service Act (42 U.S.C. 242m), the contractor assures all respondents that the confidentiality of their responses to this information request will be maintained by the contractor and CDC and that no information obtained in the course of this activity will be disclosed in a manner in which the individual or establishment is identifiable, unless the individual or establishment has consented to such disclosure, to anyone other than authorized staff of CDC.
Maintain the following safeguards to assure that confidentiality is protected by contractor's employees and to provide for the physical security of the records:
After having read the above assurance of confidentiality, each employee of the contractor participating in this project is to sign the following pledge of confidentiality:
"I have carefully read and understand the assurance which pertains to the confidential nature of all records to be handled in regard to this survey.
As an employee of the contractor, I understand that I am prohibited by law from disclosing any such confidential information which has been obtained under the terms of this contract to anyone other than authorized staff of CDC. I understand that any willful and knowing disclosure in violation of the Privacy Act of 1974 is a misdemeanor and would subject the violator to a fine of up to $5,000."
To preclude observation of confidential information by persons not employed on the project, the contractor shall maintain all confidential records that identify individuals or establishments or from which individuals or establishments could be identified under lock and key.
Specifically, at each site where these items are processed or maintained, all confidential records that will permit identification of individuals or establishments are to be kept in locked containers when not in use by the contractor's employees. The keys or means of access to these containers are to be held by a limited number of the contractor's staff at each site. When confidential records are being used in a room, admittance to the room is to be restricted to employees pledged to confidentiality and employed on this project. If at any time the contractor's employees are absent from the room, it is to be locked.
If confidential records that permit identification of individuals or establishments must be transmitted electronically, any recipients of the confidential records must also be contractor employees or CDC employees who have pledged confidentiality by signing this Nondisclosure Agreement. As a technical matter, electronic transmission must occur only via a CDC-approved, secure file-sharing mechanism such as Multi-User Share Tool (MUST), File Transfer Protocol (FTP) sites, or ShareFile. Identifying information is never to be disclosed in the body of an e-mail.
Each employee of the contractor who has access to NHSN information is expected to complete the annual Assurance of Confidentiality Training accessible via the Department of Health and Human Services (HHS) Learning Portal.
The contractor and his professional staff will take steps to ensure that the intent of the pledge of confidentiality is enforced at all times through appropriate qualifications standards for all personnel working on this project and through adequate training and periodic follow-up procedures.
Print on the questionnaire (i.e., NHSN form) in a clearly visible location and in clearly visible letters the following notice of the confidential treatment to be accorded the information on the questionnaire by any individual who may see it:
Confidential Information
Information contained on this form which would permit identification of any individual or establishment has been collected with a guarantee that it will be held in strict confidence by the contractor and CDC, will be used only for purposes stated in this project, and will not be disclosed or released to anyone other than authorized staff of CDC without the consent of the individual or the establishment in accordance with Section 308(d) of the Public Health Service Act (42 U.S.C. 242m).
On a letter or other form that can be retained by the individual or the establishment, or on the questionnaire form itself if it is a self-administered questionnaire, inform in clear and simple terms each individual or establishment asked to supply information:
That the collection of the information by CDC and its contractor is authorized by Section 306 of the Public Health Service Act (42 U.S.C. 242k);
Of the purpose or purposes for which the information is intended to be used, clearly stating that the records will be used solely for epidemiological or statistical research and reporting purposes;
Of the routine uses that may be made of the information, including all disclosures specified in the Federal Register for this system of records which may be applicable to this project;
That participation is voluntary and there are no penalties for declining to participate in whole or in part; and
That no information collected under the authority of Section 306 of the Public Health Service Act (42 U.S.C. 242k) may be used for any purpose other than the purpose for which it was supplied, and such information may not be published or released in other form if the particular individual or establishment supplying the information or described in it is identifiable to anyone other than authorized staff of CDC, unless the individual or establishment has consented to such release.
(The voluntary disclosure by the respondent of requested information after being informed of preceding paragraphs a through d is an acknowledgment of the uses and disclosures contained in paragraph c.)
Release no information from the data obtained or used under this contract to any person except authorized staff of CDC.
By a specified date, which may be no later than the date of completion of the contract, return all project data to CDC or destroy all such data, as specified by the contract.
Typed/Printed Name Signature Date
Must be a wet, digital, or digitally-captured/dynamic signature
ATTACHMENT C
Agreement of CDC Contractors for Safeguards
Against Invasions of Privacy for Certain Establishments or Persons Covered by an Assurance of Confidentiality
(For use where Contractors/Subcontracts have access to information covered by a 308(d) Assurance of Confidentiality)
Access to data covered by an Assurance of Confidentiality, titled ________________________, (“Assurance”) as provided by Section 308(d) of the Public Health Service Act (42 U.S.C. §242m(d)), is necessary for certain projects funded through contract task order number(s) _______________. Consistent with Section 308(d), the contractor is required to give an assurance of confidentiality and to provide for safeguards to assure that confidentiality of the data covered by the Assurance is maintained.
To provide this assurance and these safeguards in performance of the contract, the contractor shall:
1. Be bound by the following assurances:
No information that is identifiable or potentially identifiable to an establishment or person covered by the Assurance and obtained in the course of this activity may be used for any purpose other than the purpose for which it was supplied, unless CDC informs contractor in writing that such establishment or person has consented to its use for such other purposes.
No information that is identifiable or potentially identifiable to an establishment or person covered by the Assurance and obtained in the course of this activity may be disclosed to anyone other than authorized staff of CDC or others noted in the Assurance, unless CDC informs contractor in writing that such establishment or person has consented to its disclosure to such other persons.
No preliminary data from studies or projects that identifies or potentially identifies an establishment or person covered by the Assurance may be disclosed to anyone other than authorized staff of CDC or others noted in the Assurance of Confidentiality statement, unless this information is otherwise in the public domain or CDC has provided written permission for use of this information to be made public. For example, if CDC clears an abstract for a scientific presentation, this constitutes permission for public presentation.
New research study ideas that are not already funded through the above-referenced contract task order may be discussed or presented during calls/meetings as part of normal communications and coordination between CDC and the contractor; should these ideas lead to further activities with information covered by this Assurance, these protections will extend to those activities only if agreed to in writing by CDC.
2. Maintain the following safeguards to assure that the confidentiality provided by Section 308(d) and the Assurance is protected by the contractor and to provide for the physical security of the records:
After having read the above Assurance, each employee of the contractor participating in this project is to sign the following pledge of confidentiality:
I have carefully read and understand the CDC assurance, which pertains to the confidential nature of identifiable or potentially identifiable data covered by the Assurance of Confidentiality to be handled in regard to these studies and reviewed as part of activities under task order _____________________. As an employee of the contractor, I understand that I am prohibited by law from disclosing any such confidential information that identifies or potentially identifies an establishment or person covered by the Assurance of Confidentiality, which has been obtained under the terms of this contract, to anyone other than authorized staff of CDC and that I may use this information only for the purposes for which it was obtained and consistent with the task order.
To preclude observation of confidential information that identifies or potentially identifies an establishment or person covered by the Assurance by persons not employed on the project, the contractor shall maintain all confidential records that identify establishments or persons or from which establishments or persons could be identified under lock and key.
Specifically, at each site where these items are processed or maintained, all confidential records that will permit identification of establishments or persons are to be kept in locked containers when not in use by the contractor’s employees. The keys or means of access to these containers are to be held by a limited number of the contractor staff at each site. When confidential records that will permit identification of establishments or persons are being used in a room, admittance to the room is to be restricted to employees pledged to confidentiality and employed on this project. If at any time the contractor’s employees are absent from the room, it is to be locked.
The contractor and his professional staff will take steps to ensure that the intent of the pledge of confidentiality is always enforced through appropriate qualifications standards for all personnel working on this project and through adequate training and periodic follow-up procedures.
3. Flow down all requirements set forth in this Agreement to all subcontracts and all subcontract employees.
_____________________________
(Typed/printed Name)
_____________________________
(Signature)
_____________________________
(Date)
ATTACHMENT D
Regulatory Determination (attach actual document)
Attachment D (3 and 4). Email notification of closure of Protocol 4062 “National Healthcare Safety Network”
Attachment 4. NHSN – Report of End of Human Research Review for Protocol 4062 “National Healthcare Safety Network”
ATTACHMENT E
NHSN Agreement to Participate and Consent
The National Healthcare Safety Network (NHSN), conducted by the Centers for Disease Control and Prevention (CDC), collects, analyzes, and reports data submitted by healthcare or residential facilities on healthcare-associated adverse events, adherence to prevention practices, and antimicrobial use and resistance. Healthcare or residential facilities may participate in NHSN voluntarily, i.e., on their own initiative and for their own purposes, or as a result of a state or federal reporting requirement. CDC will disclose data submitted to NHSN to other federal agencies and to state health departments in accordance with the scope of their reporting mandates. CDC also will disclose data to state, local, or territorial health departments that are outside the scope of federal or state reporting mandates provided the state, local, or territorial health department has completed a data use agreement with CDC that stipulates the data will be used solely for surveillance and prevention purposes and not for public reporting of facility-specific data or any regulatory or punitive actions against facilities, such as a fine or licensure action. These data disclosures to state, local, or territorial health departments will be made to the extent permissible by federal law.
Purposes of NHSN
The purposes of NHSN are to:
Collect data from healthcare facilities in the United States to permit valid estimation of adverse events among patients or residents and healthcare personnel.
Collect data from a sample of healthcare facilities in the United States to permit valid estimation of the adherence to practices known to be associated with prevention of these adverse events.
Analyze and report collected data to permit recognition of trends at the local, state, and national levels.
Provide facilities with risk-adjusted metrics that can be used for inter-facility comparisons and local quality improvement activities.
Assist facilities in developing surveillance and analysis methods that permit timely recognition of patient or resident and healthcare worker safety problems and prompt intervention with appropriate measures.
Conduct collaborative research studies with NHSN member facilities (e.g., describe the epidemiology of emerging healthcare-associated infections [HAIs] and pathogens, assess the importance of potential risk factors, further characterize HAI pathogens and their mechanisms of resistance, and evaluate alternative surveillance and prevention strategies).
Facilitate recruitment of facilities into collaborative evaluations that seek to identify new ways to prevent or control antimicrobial resistance or prevent healthcare-associated infections by providing facility identifiers to federal agencies and peer-reviewed, CDC-approved research projects for potential participation in studies, including comparative effectiveness assessments.
Comply with legal requirements – including but not limited to state or federal laws, regulations, or other requirements – for mandatory reporting of facility-specific adverse event, prevention practice adherence, and other public health data.
Enable healthcare facilities to report data via NHSN to the Centers for Medicare & Medicaid Services (CMS) of the U.S. Department of Health and Human Services (DHHS) in fulfillment of CMS’s quality measurement reporting requirements for those data.
Provide patient-level data and annual facility survey data to CMS that are deemed required data in CMS rule-making and that are used by CMS for its program administration, monitoring and evaluation activities, including validation, appeals review, program impact evaluation, and development of quality measure specifications.
Provide patient- and healthcare facility-level data, including annual facility survey data, to CMS for use by CMS programs in the design, operations, and evaluation of quality improvement programs in which healthcare facilities participate voluntarily.
Provide state, local, and territorial health departments with information that identifies the facilities in their state that participate in NHSN.
Provide to state, local, and territorial health departments, at their request, NHSN data for surveillance, prevention, or mandatory public reporting.
Provide to state, local, or territorial health departments facility-level information to facilitate HAI prevention efforts (e.g., identifying facilities to target for prevention activities), and provide patient- and healthcare facility-level data to state, local, or territorial health departments during an outbreak investigation to assist their case-finding or outbreak control. This does not replace the requirement for facilities to adhere to state, local, and territorial public health reporting requirements including reporting outbreaks to public health authorities where mandated.
Eligibility criteria
Facilities participating in NHSN must meet the following criteria:
Be a certified or licensed healthcare or residential facility in the United States.
Have email addresses for NHSN users and high-speed Internet connections on the computers they will use to access NHSN.
Comply with secure access control requirements of the system.
Be willing to follow the selected NHSN component protocols exactly and report complete and accurate data in a timely manner during months when reporting data for use by CDC.
Be willing to share such data with CDC for the purposes stated above.
Data Collection and Reporting Requirements for Participation
Once accepted into NHSN, each facility must:
Use the NHSN Internet-based data entry interface and/or data import tools for reporting data to CDC.
Successfully complete an annual survey for each component selected.
Successfully complete one or more modules of the component selected. Successful completion requires the following:
For the selected component, submit a reporting plan each month to inform CDC which, if any, of the modules will be used for that month.
Adhere to the selected module’s protocol(s) exactly as described in the NHSN Manuals during the months when one or more NHSN modules are used. This includes using surveillance methodology appropriate for the module and as described in the protocol.
Report adverse events/exposures, adherence to prevention practices, antimicrobial use and resistance, and appropriate summary or denominator data to NHSN in accordance with the NHSN protocol and as required for the module(s) indicated on the reporting plan.
For those months when no events, procedures, and/or exposures occurred for modules that are followed in-plan, confirm that none occurred.
Assume responsibility for the completeness and accuracy of data submitted to NHSN and pass quality control acceptance checks that assess the data for completeness and accuracy.
Agree to report to state, local, or territorial public health agencies, in accordance with their jurisdictional authorities and responsibilities, potential or confirmed outbreaks that either the facility or CDC identifies from data reported to NHSN.
Failure to comply with these requirements will result in withdrawal from NHSN. Such facilities will be offered the opportunity to download their data before being withdrawn. Six months after withdrawal, a facility may apply for re-enrollment into NHSN.
Dialysis Component Surveillance Specific Requirements:
Once accepted into NHSN, each dialysis facility must:
Agree to have at least one person at the facility with analysis and administrative rights. The designated person will have access and rights to modify and review facility-level data.
Agree to report certain events identified in hospitals (i.e., any positive blood culture from a sample collected in the emergency department or on the first or second day of a hospital admission) to NHSN.
There is no fee for participation in NHSN.
Assurance of Confidentiality
The voluntarily provided information obtained in this surveillance system that would permit identification of any individual or institution is collected with a guarantee that it will be held in strict confidence, will be used only for the purposes stated, and will not otherwise be disclosed or released without the consent of the individual, or the institution in accordance with Sections 304, 306 and 308(d) of the Public Health Service Act (42 USC 242b, 242k, and 242m(d)).
CDC is in compliance with applicable federal law requiring the protection of federal computer networks from cybersecurity risks like hacking, internet attacks, and other security weaknesses; computer network experts working for, or on behalf of, the government may intercept and review information sent through government networks for cyber threats if the information sent through the government network triggers a cyber threat indicator.
______________________________________________________________________________
Facility Administrator or Primary Contact(s) – NHSN user(s) with CDC secure access credentials
As the Facility Administrator or Primary Contact(s), I/we consent to follow exactly the selected protocols and report complete and accurate data in a timely manner in order to maintain active status in NHSN. I/we have informed a healthcare organization executive (e.g., Chief Executive Officer, Chief Operating Officer, or Chief Financial Officer) of the terms of this agreement, including CDC’s stated purposes of NHSN and plans for data disclosures. I/we represent that I/we am/are authorized to bind the above-named facility to the terms of this Agreement.
1 Mission statement (partial) of the Division of Healthcare Quality Promotion on http://www.cdc.gov/ncidod/dhqp/about.html
2 DHQP staff for the purposes of this Security Statement document includes DHQP permanent staff and contractors.
Author | CDC User |
File Created | 2025-07-01 |