CDC Home

National Healthcare Safety Network (NHSN)

Facility/Group Administrator Rules of Behavior

In order to participate in the NHSN , you must read and agree to abide by the following rules of
behavior for safeguarding the system’s security. Scroll through the document below and click on
Agree or Do Not Agree button. To print a copy of the rules, click on the Print button.


National Healthcare Safety Network (NHSN), a surveillance system of the Centers for Disease Control and Prevention (CDC), allows participating healthcare facilities to enter data associated with healthcare safety, such as surgical site infections, antimicrobial use and resistance, bloodstream infections, dialysis incidents, and healthcare worker vaccinations. NHSN provides analysis tools that generate reports using the aggregated data (reports about infection rates, national and local comparisons, etc). NHSN also provides links to best practices, guidelines, and lessons learned.

NHSN processes and stores a variety of sensitive data that are provided by healthcare facilities. This information requires protection from unauthorized access, disclosure, or modification based on confidentiality, integrity, and availability requirements. These “Rules of Behavior” apply to all users of the NHSN web-based computer system.


Rules of Behavior establish standards that recognize knowledgeable users are the foundation of a successful security plan. Non-compliance with these rules will be enforced through sanctions equal to the level of infraction. Sanctions can include a written or verbal warning and possible removal of system access. NHSN will enforce the use of penalties against any user who willfully violates any NHSN or federal system security (and related) policy as appropriate. Users are also responsible for reporting security incidents, or any incidents of suspected fraud, waste, or misuse of NHSN systems to the CDC NHSN administrator.

The objective of the NHSN Rules of Behavior document is to summarize laws and guidelines from HHS and other Federal documents, most specifically OMB Circular A-130, Subsection (m) of the Privacy Act of 1974 (U.S.C. 552a) and Section 308(d) of the Public Health Service Act (U.S.C. 242m). It defines the rules of behavior in terms of policy and responsibility for the intended audience of CDC NHSN team members and NHSN facility/group member users.


What are Rules of Behavior?

Rules of behavior are part of a comprehensive program to provide complete information security. These guidelines were established to hold users accountable for their actions and responsible for information security. Rules of behavior establish behavioral standards in recognition of the fact that knowledgeable users are the foundation of a successful security program.

Who is Covered by these Rules?

These rules extend to CDC NHSN team members and their authorized contractors and agents (e.g., guest researchers, students) and NHSN facility/group member users.

The rules of behavior are not to be used in place of existing policy, rather they are intended to enhance and further define the specific rules each user must follow while accessing NHSN. The rules are consistent with the policy and procedures described in this document, and include but are not limited to, the following directives:

  • Privacy Act

  • Freedom of Information Act

  • Section 508 of the Workforce Investment Act of 1998

  • Computer Security Act Public Law 100-235

  • E-Government Act Public Law 107-347

  • Paperwork Reduction Act of 1995

  • Clinger-Cohen Act of 1996

  • CDC’s Public Health Information Network (PHIN)

  • CDC’s Secure Data Network (SDN)

  • Secure Access Management System (SAMS)

  • National Institute of Standards and Technology (NIST) publications

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)

  • HHS AISSP Handbook

  • Member-specific data security, privacy and confidentiality regulations, policies

  • State statutes.

What are Penalties for Non-compliance?

Non-compliance with these rules will be enforced through sanctions appropriate with the level of infraction. Users who do not comply with the prescribed Rules of Behavior are subject to penalties that can be imposed under existing policy and regulation, including suspension of system privileges.

Policy Rules

Legal, Regulatory, and Policy Requirements

Information handled by the system includes sensitive information about a member facility and its patients and/or healthcare personnel. The loss, misuse, or unauthorized access to or modification of information in the system could result in a loss of confidentiality or privacy. If integrity of NHSN data were adversely affected, it would negatively impact decision-making and scientific data analysis.

Statement of System Policy

Each user is responsible for helping to prevent unauthorized use of, and access to, system resources. This duty includes complying with all stated policy requirements, taking due care and reasonable precautions when handling system data or using system resources, and in the management and protection of system authentication controls (passwords, SAMS grid cards, etc.). When in doubt, users are strongly encouraged to contact the SAMS or NHSN help desk (see Contact Information table, Section 4, Page 11).

CDC SAMS and NHSN administrators may periodically monitor both the system and user activities for purposes including, but not limited to, troubleshooting, performance assessment, usage patterns, indications of attack or misuse and the investigation of a complaint or suspected security incident. Users are provided access to the NHSN through SAMS for the purpose of facilitating CDC's public health mission. Because CDC is responsible for maintaining security for all systems accessible through SAMS, it has the authority under federal and state laws to monitor all users' communications on SAMS, even with remote equipment. This statutory authority is based on ensuring the appropriateness of such communications and for that purpose random computer checks may be done.

User Responsibilities

Ethical Conduct

NHSN stores a variety of sensitive data. This sensitive information requires protection from unauthorized access, disclosure, or modification based on confidentiality, integrity, and availability requirements. System users should exercise due care to preserve data integrity and confidentiality and take reasonable precautions to ensure the protection of data from unauthorized access or use.

Specifically, any personally identifiable information entered into this system must not be used for anything other than the intended purpose. System administrators are to ethically conduct all monitoring activities and avoid any unnecessary or unauthorized breach of user privacy.

Authentication Management

Users will access NHSN through the CDC Secure Access Management System (SAMS). Users will ensure the security of their SAMS pass phrase and grid card (if applicable). Users who believe their SAMS pass phrase or grid card have been compromised in any way will immediately inform the SAMS Help Desk. Users will supply a SAMS pass phrase that meets the SAMS pass phrase requirements. Sharing of a SAMS pass phrase or grid card is strictly prohibited. Once logged into the Secure Access Management System each NHSN user will have a unique User Name and password for the NHSN system. Each user is responsible for protecting their password. Passwords should not be shared as users are responsible for all actions performed with their account. Passwords must be at least seven characters in length and must contain at least one capital letter, one lower case letter, and one number. System and State administrators will never ask for your password and cannot retrieve your password for you. Each user is required to report to administrators immediately upon discovery of their account credentials being compromised or suspect they have been compromised.

Information Management and Document Handling

Hard copy system documents (i.e. reports, print-outs, etc.) should be handled in a way that conforms to federal or state data security, privacy and confidentiality regulations, policies and statutes.

General System Access and Usage

When a facility or group is enrolled into NHSN, CDC will assign to it an NHSN facility ID number or NHSN group ID number, and invite the facility or group administrator to register with SAMS for accessing and completing NHSN enrollment.

Facility or group administrators are initially given access rights upon activation of their facility/group in the NHSN (final step of the enrollment process). Administrators have all access rights and can update facility/group information and add, modify, and delete users within their facility/group, as well as assign those users specific roles and access rights.

Users are required to notify the Facility/group administrator of changes in job status that might affect the appropriateness of continued access.

Users are assigned roles and accompanying access rights to various parts of the application by their NHSN facility administrator. Roles include that of Analyst, Data Reporter or both. The role of Administrator can also be granted to a user. The CDC NHSN administrator has access rights to all data in all facilities.

  • Users will access the system through the CDC's SAMS, which requires the user to go through an identity proofing process.

  • When accessing the system through SAMS, the user must also be approved to access the NHSN program within SAMS.

  • The user is responsible for notifying NHSN facility/group administrator or CDC NHSN administrator of any changes in job status (promotion, demotion, transfer, termination, etc.) that might affect the appropriateness of continued access.

Awareness and General Incident Reporting

Facility administrators should be vigilant for and have responsibility for reporting suspicious events, system misuse, suspected compromise or loss. These should be reported to the CDC NHSN administrator at


NHSN facility administrators should train themselves and their users using this document and other available materials regarding the need for and how to maintain system security.


System users are prohibited from the disclosure of information about the system, its architecture, function, or security controls and may not attempt to bypass system security controls. Also, users are prohibited from any activity that conflicts with local data security and confidentiality.

  • Do not attempt to access any data or programs on the NHSN system for which you do not have authorization.

  • Do not engage in, encourage, conceal any “hacking” or “cracking,” denial of service, unauthorized tampering, or unauthorized attempted use of (or deliberate disruption of) any computer system within the NHSN system.

  • Do not purposely engage in any activity with the intent to:

    • Degrade the performance of the system

    • Deprive an authorized user access to a resource

    • Obtain or attempt to obtain extra resources beyond those allocated

    • Circumvent security measures in order to gain access to any automated system for which proper authorization has not been granted.

Additional Rules for Administrators

Facility and group administrators have added responsibilities to ensure the secure operation of NHSN.

Specific Responsibilities

  • Ensure that adequate physical and administrative safeguards are operational within their areas of responsibility and that access to information and data is restricted to authorize personnel, on a need to know basis.

  • Verify that users have received appropriate security training before allowing access to NHSN.

  • Document and investigate known or suspected security incidents or violations and report them to the NCID ISSO, CISO, and systems owner.


To obtain system-related assistance (help desk, vendor support, system management, etc.) users should contact one of the following:



SAMS Help Desk

NHSN Help Desk


When new versions of this document are released, the system business or technical steward will provide a revised copy to all users and request an acknowledgement of receipt. If users do not provide an acknowledgement or feedback within a reasonable time, they will be considered to have given tacit approval to the revised document. User comments, feedback, questions, or objections will be considered for integration into further revisions.

Acknowledgement and Agreement

I have read and agree to comply with the terms and condition governing the appropriate and allowed use of NHSN as defined by this document, applicable agency policy, and Federal law. I understand that infractions of these rules will be considered violations of CDC standards of conduct and may result in disciplinary action including the possibility of supervisory notification, suspension of system privileges, and/or criminal and civil prosecution.

The act of acknowledgement and agreement signifies a clear understanding of the NHSN Rules of Behavior document and that the signer will conform to the rules provided therein.

I acknowledge receipt of, understand my responsibilities, and will comply with the rules of behavior for NHSN.

This is a U.S. Government computer system, which may be accessed and used only for official government business by authorized personnel. Unauthorized access or use may subject violators to criminal, civil, and/or administrative action. There is no right to privacy on this system. All information on this computer system may be monitored, intercepted, recorded, read, copied, and shared by authorized personnel for official purposes including criminal investigations. Access or use of this system, whether authorized or unauthorized, constitutes consent to these terms. (Title 18, U.S.C.) The U.S. Government's Official Web PortalDepartment of Health and Human Services
Centers for Disease Control and Prevention   1600 Clifton Rd. Atlanta, GA 30333, USA
800-CDC-INFO (800-232-4636) TTY: (888) 232-6348, 24 Hours/Every Day -

A-Z Index

  1. A
  2. B
  3. C
  4. D
  5. E
  6. F
  7. G
  8. H
  9. I
  10. J
  11. K
  12. L
  13. M
  14. N
  15. O
  16. P
  17. Q
  18. R
  19. S
  20. T
  21. U
  22. V
  23. W
  24. X
  25. Y
  26. Z
  27. #