Confidentiality

The National Center for Health Statistics (NCHS) takes the security and confidentiality of the data we collect, especially personally identifiable information (PII), very seriously. In fact, we have a legal requirement to ensure the protection of these data.

NCHS and its agents are required by law to keep all data regarding patients and facilities strictly confidential and to use these data only for research and statistical purposes as stated by Section 308(d) of the Public Health Service Act [42 United States Code 242m (d) and Section 513 of the Confidential Information Protection and Statistical Efficiency Act (PL-107-347]. Willful unauthorized disclosure of confidential information is punishable as a Class E felony with fines of up to $250,000 and 5 years imprisonment, or both. This penalty applies to both NCHS staff and its agents.

All NCHS contractors are agents and under legally binding agreements to comply with all requirements for safeguards, access, and disclosure. NCHS staff and its agents are required to complete annual training on confidentiality requirements and practices—including reporting any breach of confidentiality-- and to sign annual non-disclosure agreements confirming intention to abide by all rules and regulations protecting confidential data. Contractor organizations are required to meet the same administrative, physical, and technical safeguards as NCHS and to agree in writing to the same restrictions and obligations with respect to safeguarding confidential information collected in NHCS.

The HIPAA Privacy Rule permits disclosure of protected health information without patient authorization for public health purposes and research that has been approved by an Institutional Review Board. The IRB at CDC’s NCHS has reviewed and approved all aspects of this study. Participating facilities may rely on the approval of the NCHS IRB for NHCS data activities.

In addition, NCHS complies with the Federal Cybersecurity Enhancement Act of 2015. This law requires the federal government to protect federal computer networks by using computer security programs to identify cybersecurity risks like hacking, internet attacks, and other security weaknesses. If any cybersecurity risk is detected, the information system may be reviewed for specific threats by computer network experts working for the government (or contractors or agents who have governmental authority to do so).

Results of NHCS will be published only in an aggregated manner and all data will be used only for research and statistical purposes.

NHCS participation is voluntary.

These materials provide additional information on confidentiality and data protections of hospitals participating in NHCS and the data they send NCHS:

• IRB Approval Letter [PDF - 33 KB]
• HIPAA Privacy Rule and NHCS operations [PDF -101 KB]
• Data Security Fact Sheet [PDF - 113 KB]

Additional information about confidentiality can be found on the Frequently Asked Questions webpage.