Identifiable data must be protected
The DAC protects individually identifiable health information, or Protected Health Information (PHI), by permitting only certain uses and disclosures of PHI.
- All DAC users must review the 18 HIPAA Identifiers prior to accessing DAC data.
- Commonly found PHI in DAC data include but are not limited to:
  - unique patient/personal identifier (even if it's made up)
  - biometric data
  - elements of dates more specific than year: date of birth, date of death, date of admission/discharge
  - age in years if >89
  - zip code of residence
The DAC protects Personally Identifiable Information (PII) according to the terms of CMS DUAs, which require compliance with National Institute of Standards and Technology (NIST) SP 800-53. PII is defined as:
- Information that directly identifies an individual (name, address, Social Security number, email address, etc.); or
- Any information that may identify specific individuals in conjunction with other data elements through indirect identification (gender, race, birth date, geographic indicator, and other descriptors)
- Commonly found PII in DAC data include but are not limited to all PHI listed above and NPI/Provider identification information
Unsuppressed data must be protected
Unsuppressed data may not be downloaded, reported, published, shared and/or stored outside of the DAC servers.
- Any documents (manuscript, table, chart, study, report, etc.) created using CMS data must adhere to the minimum cell sizes set forth in the CMS data suppression policy.
  - No cell (e.g. admissions, discharges, patients, services, etc.) containing a value of 1 to 10 can be reported directly AND
  - No cell can be reported that allows a value of 1 to 10 to be derived from other reported cells or information.
- The cell suppression policy also applies to the reporting of excluded cases.
- Acceptable ways to suppress data include:
  - Collapse data to achieve cell value > 10
  - Coarsen data to present cell value of 1 to 10
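
The two reporting rules above (no cell of 1 to 10, and no cell that lets such a value be derived from other reported cells) can be checked mechanically before a table leaves the DAC servers. The following Python sketch is an added example, not DAC or CMS code: the function names, the greedy choice of the second cell and the sample counts are assumptions made here. It assumes a two-way table published with row and column totals that are themselves 0 or at least 11, and it only blocks exact derivation by subtraction within one row or column.

```python
# Added illustration (not DAC or CMS code): small-cell suppression for a
# two-way table of counts that is published with its row and column totals.
MIN_REPORTABLE = 11  # cells holding 1..10 may not be reported; 0 and >= 11 may


def suppress(table):
    """Return a mask of the same shape; True marks a cell to withhold."""
    # Primary suppression: every cell whose value is 1 to 10.
    mask = [[0 < v < MIN_REPORTABLE for v in row] for row in table]

    def hidden_around(r, c):
        # Withheld cells in row r plus withheld cells in column c.
        return sum(mask[r]) + sum(row[c] for row in mask)

    def fix_line(cells):
        # A lone withheld cell equals the line total minus the visible cells,
        # so withhold a second cell in the same line (complementary suppression).
        hidden = [rc for rc in cells if mask[rc[0]][rc[1]]]
        visible = [rc for rc in cells if not mask[rc[0]][rc[1]]]
        if len(hidden) != 1 or not visible:
            return False
        # Prefer a cell whose crossing line already has a withheld cell (no new
        # exposure is created there), then the smallest count.
        r, c = min(visible, key=lambda rc: (hidden_around(*rc) < 2,
                                            table[rc[0]][rc[1]]))
        mask[r][c] = True
        return True

    changed = True
    while changed:  # fixing a row can expose a column, so repeat until stable
        changed = False
        for r in range(len(table)):
            changed |= fix_line([(r, c) for c in range(len(table[0]))])
        for c in range(len(table[0])):
            changed |= fix_line([(r, c) for r in range(len(table))])
    return mask


def report(table):
    """Copy of the table with withheld cells replaced by None."""
    return [[None if m else v for v, m in zip(row, mrow)]
            for row, mrow in zip(table, suppress(table))]


# Constructed sample: rows are facilities, columns are age bands.
SAMPLE = [[25, 4, 40],
          [30, 12, 18],
          [22, 35, 50]]
```

In the constructed sample only one cell holds a value of 1 to 10, yet four cells end up withheld, because each additional withheld cell has to be covered in its own row and column as well.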