NHCS Participant Privacy and Confidentiality

Key points

  • The National Center for Health Statistics takes protecting patient privacy and hospital confidentiality very seriously.
  • Specific legal protections safeguard private and confidential information collected by the National Hospital Care Survey (NHCS).
  • The Health Information Portability and Accountability Act (HIPAA) allows NHCS to collect these data.
National Hospital Care Survey logo

Privacy protections

The National Center for Health Statistics takes participant and patient privacy very seriously. We do not release the names of participating hospitals or their patients to anyone. This protects the privacy of facilities and the patients and communities they serve.

Only our employees working directly on the National Hospital Care Survey, our specially designated agents (including contractors managing the survey), and our full research partners can see information collected in the survey that could be used to identify facilities or patients.

Anyone else can only use your data after all information that could identify your hospital and patients has been removed. All information that relates to or potentially describes identifiable characteristics of hospitals and their patients is combined with other facilities' information before it is released. This protects everyone's identity.

Legal protections

National Center for Health Statistics staff, contractors, agents, and full research partners will not disclose or release responses in identifiable form without the consent of the individual or establishment in accordance with—

In accordance with CIPSEA, every National Center for Health Statistics employee, contractor, and agent has taken an oath and is subject to a jail term of up to five years, a fine of up to $250,000, or both if they willfully disclose ANY identifiable information about you.

The National Center for Health Statistics also complies with the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. §§ 151 and 151 note), which protects federal information systems from cybersecurity risks by screening their networks.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 allows hospitals to participate in studies like NHCS for public health purposes.

The HIPAA Privacy Rule [HIPAA regulations (45 CFR 164.501)] recognizes—

  1. The legitimate need for public health authorities and others responsible for ensuring the public’s health and safety to have access to protected health information to conduct their missions, and
  2. The importance of public health reporting by covered entities in identifying threats to the public and individuals.

The Privacy Rule permits—

  1. Protected health information disclosures without a written patient authorization for specified public health purposes to public health authorities legally authorized to collect and receive the information for such purposes, and
  2. Disclosures that are required by state and local public health or other laws.