Information Security

Safeguarding Data in the NCBP System

Safeguarding personally identifiable information (PII), protected health information (PHI), and other proprietary data is a key concern of all members of the Collaborative and the NCBP System subscribers. While NCBP neither requires nor desires that users load first-level PHI into the NCBP System, we have designed the system to protect any uploaded PII from unauthorized access. Our cloud-based system is currently hosted on Amazon Web Services (AWS) in a secure, HIPAA-compliant environment.

For an overview of common information security questions from NCBP’s subscribers, download our Data Use & Access FAQ.

HIPAA COMPLIANCE

The initial full assessment of HIPAA compliance is being conducted by a nationally recognized HIPAA audit firm. This firm will be available for consultation with any Collaborative partner or subscriber needing further information. NCBP will be fully HIPAA compliant. For more information, download our Data Use & Access FAQ. You can also learn more about how AWS protects health-related data stored in the cloud by reading their HIPAA Compliance Whitepaper.

DATA PROTECTION & SHARING

How are data sets used in the system?

To provide the earliest possible warning of public health events of significance, the NCBP System generates alerts of anomalous events using analytics on both the categorical data and free text contained in your data sets. You can use your data to identify and map syndromes within the system. The NCBP System contains a number of predefined syndromes that are of interest to the preparedness community, including opioid overdose, respiratory illness, influenza-like illness (ILI), GI illness, and constitutional syndromes . You can also generate custom, user-defined syndromes using the predefined symptom list or text search. Examples of user-defined syndromes have included motor vehicle crashes with injury, stroke, cardiac arrest, STEMI, gunshots, Ebola syndrome, opioid-related emergencies, and naloxone use.

Who can access data sets in the NCBP System?

The NCBP System’s user access rules and processes allow your data owners to set rules regarding the visibility of your core data to other system users, enabling you to share de-identified core data with other public health entities if desired. Derivative information from your uploaded data, including event counts and anomalous signals, is intended to be shared among all subscribers to the NCBP System. Because the sharing of detailed signals among adjacent jurisdictions has a clear public health purpose – to enable rapid adjudication of the signals and anomalies identified by the system – we must maintain a proper and legally compliant balance between confidentiality and information sharing.

Does the NCBP System contain PII and PHI?

The NCBP System is hosted in a secure, HIPAA-compliant environment to protect PII and PHI from unauthorized access. NCBP recommends that data owners/managers prepare their data for import into the NCBP System by first stripping all fields containing PII and removing names and personal numbers from text records. Prior to our ETL (extract, transform, load) process, we will perform additional de-identification routines on your data. Even with PII removed from uploaded data, the combination of certain data elements (such as time, date/location of service, and demographics) may result in limited data set PHI that must also be protected from unauthorized access.

Can identifiable information ever be accessed by users?

Any PII that is uploaded and extracted will be retained in the secure system environment per HIPAA data retention rules, but will not be accessible by system users. HIPAA requires that, in a public health emergency, records can be examined by public health officials if it is in the public’s interest. That retention requirement may be met by the original data owner.