About 2 — NPC-QIC

NPC-QIC Data Security Statement

The security of your child’s data is a top priority for NPC-QIC. All data is collected and stored in REDCap (Research Electronic Data Capture) on servers located at Cincinnati Children’s Hospital Medical Center (CCHMC). These servers are physically secured with controlled access, have full redundancy, and are covered by an institutional business continuity/data recovery (BC/DR) plan. CCHMC employs industry standard anti-virus and anti-malware products on all systems, conducts firewall and network traffic monitoring and inspections, and performs quarterly testing to detect and address system vulnerabilities and weaknesses. CCHMC has a System Security Plan (SSP) in place based on the NIST 800-53 rev4 moderate standard as required by the Federal Information Security Management Act (FISMA) along with other standard and regulatory requirements.

All user activity is tracked and logged within the NPC-QIC database in REDCap and cannot be edited or deleted. A unique username and password are required for each user, and all users are required to use multi-factor authentication to access the database. Users access is restricted to see only data for patients consented at their center. All users are required to complete training and are confirmed to be participating in NPC-QIC at their center before access to the database is granted.

To further protect the your child's data, NPC-QIC collects a limited amount of PHI (Protected Health Information): Zip Code at Birth, Date of Birth, and Procedure Dates (e.g. Admission Date, Surgery Date, Discharge Date). We do not collect your child’s name, address, or MRN.

NPC-QIC accepts requests from member centers for datasets to be used for research; member centers have all signed a Data Use Agreement specifying how data will be handled, used and protected by their center. All research dataset requests are reviewed by a committee of NPC-QIC clinicians, leaders, and statisticians. If approved, datasets are securely provided in de-identified format that prohibit identifying a patient's center affiliation and limited to only the data necessary to fulfill the research purpose.

Additional information about data security and use can be found in your Informed Consent form. If you have any questions or concerns, please contact the person listed in your Informed Consent form.