Attachment K: Confidentiality Letter
Centers for Disease Control and Prevention
National Center for Health Statistics
3311 Toledo Road
Hyattsville, Maryland 20782
The National Hospital Care Survey (NHCS), conducted by the National Center for Health Statistics (NCHS), Centers for Disease Control and Prevention (CDC) is an electronic data collection, gathering Uniform Bill (UB) 04 administrative claims data or electronic health records data from sampled hospitals. NHCS will have two data collection components, inpatient and ambulatory. Patient identifiers for both components are collected to enable linkage to birth and death records and to data from the Centers for Medicare & Medicaid Services (CMS).
The purpose of this letter is to more fully address issues of possible concern to participating facilities, such as disclosure of patient protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (PL 104-191), safeguards, use and disclosure of data, and dissemination of information by NCHS.
Special provisions within HIPAA permit hospitals to provide data to public health entities such as CDC/NCHS for public health research purposes. The HIPAA Privacy Rule (45 CFR Part 160 and Part 164, subparts A and E) recognizes (i) the legitimate need for public health authorities and others responsible for ensuring the public’s health and safety to have access to protected health information to conduct their missions, and (ii) the importance of public health reporting by covered entities in identifying threats to the public and individuals. The Privacy Rule permits (i) protected health information disclosures without written patient authorization for specified public health purposes, to public health authorities legally authorized to collect and receive the information for such purposes; and (ii) disclosures that are required by state and local public health or other laws [HIPAA regulations (45 CFR 164.501)]. Thus, HIPAA permits hospitals to participate in studies of this nature for public health purposes. Because contractors serve as authorized agents of NCHS, it is permissible to disclose data to NCHS contractors for the purposes of this project. HIPAA also permits covered entities to obtain the documentation and rely on the approval of one IRB or privacy board. The IRB at CDC’s NCHS has reviewed and approved all aspects of this study. Participating facilities may rely on the approval of the NCHS IRB for the NHCS data activities.
NHCS is certified and accredited by CDC as a Moderate system. All federal requirements concerning administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of confidential data collected in the NHCS are met. Data are transmitted to NCHS and its contractors by secure data networks, and no data are transmitted unless encrypted. Once received, confidential data are housed on a server with restricted access.
NCHS and its agents are required by law to keep all data regarding patients and facilities strictly confidential and to use these data only for research and statistical purposes as stated by Section 308(d) of the Public Health Service Act [42 United States Code 242m(d) and Section 513 of the Confidential Information Protection and Statistical Efficiency Act (PL-107-347]. Willful unauthorized disclosure of confidential information is punishable as a Class E felony with fines of up to $250,000 and 5 years imprisonment, or both. This penalty applies to both NCHS staff and its agents. All NCHS contractors are agents and under legally binding agreements to comply with all requirements for safeguards, access and disclosure. NCHS staff and its agents are required annually to complete training on confidentiality requirements and practices—including reporting any breach of confidentiality-- and to sign annual non-disclosure agreements confirming intention to abide by all rules and regulations protecting confidential data. Contractor organizations are required to meet the same administrative, physical and technical safeguards as NCHS and to agree in writing to the same restrictions and obligations with respect to safeguarding confidential information collected in the NHCS.
NCHS has contracted with Westat to conduct hospital recruitment for NHCS and CGI Federal, Inc.
to conduct data collection.
All information collected by the NHCS will be the property of NCHS and will be kept strictly confidential. The identity of specific hospitals or individual patients will not be released in any manner except to NCHS staff, contractors, and agents—only when required and with necessary controls. Results of the study will be published only in an aggregated manner that will not allow identification of any individual hospital or patient. Information intended for inclusion in public use microdata files is reviewed by the NCHS Disclosure Review Board to ensure the risk of disclosure of information that would permit the identification of an individual patient or hospital is minimized. Although linkage of patient information to birth and death records and to data from the Centers for Medicare & Medicaid Services (CMS) is planned, there will be no contact with patients. NCHS linkage activities are tightly controlled and survey information is separated from the minimal set of linkage keys prior to linkage. Direct personally identifiable information is kept separate from other survey information and access is highly restricted in a secure physical environment. The IRB at CDC’s NCHS has reviewed and approved all NCHS linkage activities.
NCHS understands the expectations of data providing facilities to safeguard PHI collected by the NHCS and is committed to safeguarding information entrusted to us.
Sincerely,
Donna Miller
NCHS Confidentiality Officer
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Title | Appendix H Induction letter |
Author | Christine Lucas |
File Modified | 0000-00-00 |
File Created | 2021-11-05 |