NHSN Digital Quality Measures (dQM) FAQs
Frequently Asked Questions
What is NHSNLink?
NHSNLink is an open-source HL7 FHIR application for public health reporting. Through an extensible, configurable query engine, NHSNLink connects securely to a healthcare facility’s EHR via the FHIR API NHSNLink identifies patients of interest from facilities utilizing FHIR standards and passes the data to NHSN for data quality and analytic applications. You can find additional information at about NHSNLink and FHIR.
Does NHSNLink require installation of an external vendor or “third-party” software?
No, you do not need to install or purchase new software. NHSNLink’s architecture minimizes Information Technology requirements for the participating facility.
What data security and privacy procedures are in place for data exchange that involves FHIR and PHI/PII with CDC NHSN?
NHSN has over 20 years of experience in secure and confidential data exchange with over 37,000 U.S. hospitals and other healthcare facilities. Data access and protection provisions are outlined in the NHSN Agreement to Participate and Consent and the NHSN Facility/Group User & Administrator Rules of Behavior. Data are protected by administrative, technical, and physical security controls that safeguard the confidentiality, integrity, and privacy of personal information according to industry-standard policies and federal laws, including the Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Modernization Act (FISMA).
Additionally, NHSNLink safeguards information in the following ways:
- Protected by an OAuth2.0 identity-access management (IAM) service delivered by CDC Secure Access Management Services (SAMS), which includes authentication and role-based access control (RBAC).
- Queries only selected, pre-specified FHIR resources that are available only upon authorization from the facility’s server. Access control is provided on a FHIR resource-by-resource basis.
- Data (including internal NHSNLink app communications) are encrypted in-transit through HTTPS/TLS1.2.
- Data are encrypted at-rest using NIST Advanced Encryption Standard 256 (AES 256)
For information about how Protected Health Information (PHI) and Personally Identifiable Information (PII) is secured within NHSNLink, please visit the security considerations section.
How does NHSNLink differ from Electronic Case Reporting (eCR)?
Both NHSNLink and Electronic Case Reporting (eCR) support CDC’s Data Modernization Initiative by improving data sharing between CDC and its partners, but NHSNLink and eCR have different purposes and serve different public health surveillance needs. NHSNLink support NHSN’s model of national-level surveillance of healthcare events to support quality improvement and benchmarking. eCR supports a model for automated case reporting of reportable public health conditions (e.g., state-reported COVID-19 cases).
Will existing non-dQM measures that NHSN supports be transitioned to dQMs?
Current data-reporting methods will remain in place at this time for existing non-dQMs.
How do I know that my facility’s data are being submitted correctly and all required fields are populated?
There is a screening process that will stop the data from being submitted if required fields are not properly populated. These issues must be resolved before the data can be resubmitted.
Will the new dQMs have analysis and report options that facilities can use to modify and analyze data, like the other measures featured on NHSN?
Yes. dQMs have modifiable analysis, and reports are in the NHSN Reports tab.
How can a facility view line-level data submitted via FHIR?
You can view line-level data on the NHSN Reports tab within the application. You can find measure-specific line-list functionality and features in the analysis resources line list document [PDF – 169 KB].
NHSNLink requires that:
- Your facility has FHIR APIs that are version R4 or higher
- Your facility FHIR vR4 APIs are deployed to your Production environment
- Your facility FHIR vR4 APIs conform to the US Core Data for Interoperability
- Your facility is familiar with your EHR vendor policies for access to your FHIR R4 APIs by third-party applications for public health and regulatory reporting
You can work with your Information Technology and EHR vendor representative to learn more about whether your facility meets these requirements. Additional information about technical specifications will be released soon.