NPRQI collaborates with the Center for Patient Safety (CPS), a federally designated Patient Safety Organization (PSO), to ensure the protection and confidentiality of patient safety data. CPS works alongside NPRQI, its administrative home at the University of Texas, and its technology platform, Nexus, to ensure that each participating organization understands and complies with the Patient Safety Act, which provides oversight and safeguards data.

PSOs create a secure, non-punitive environment for providers to collaborate, ensuring that safety data cannot be used against them.

NPRQI’s data platform offers a robust and secure infrastructure for managing and analyzing data.


How we ensure security and confidentiality


NPRQI is operated by Dell Medical School on behalf of The University of Texas at Austin and supports patient safety and quality improvement activities within the University of Texas security framework. The platform applies HIPAA‑aligned safeguards and operates in alignment with the Patient Safety Quality Improvement Act (PSQIA). Patient‑level data is limited to authorized site‑level users, while broader reporting uses aggregated and de‑identified data with controls to reduce re‑identification risk.


NPRQI encrypts data in transit using HTTPS with Transport Layer Security 1.2 or higher and encrypts data at rest using platform‑managed encryption in approved hosting environments. These controls align with industry standards and applicable NIST guidance and are applied across application services, the data warehouse, and embedded dashboards.


Access to NPRQI is invitation‑based and granted only after application approval, using Django’s secure authentication framework with industry‑standard password hashing. Password complexity and expiration requirements are enforced, reset links and one‑time login links expire, and sessions expire after 60 minutes of inactivity. Secure session cookies are used, and passwords are never stored or transmitted in plaintext.


Authentication to NPRQI uses secure TLS connections, with authorization enforced server‑side through role‑based access control (RBAC). Permissions are limited by role and organizational scope, and all user sessions and REST API calls require authorization validation. All create, read, update, and delete operations are subject to explicit permission checks.


Data access within NPRQI is governed by user role, organizational scope, and aggregation thresholds. Emergency Departments may access their own patient‑level data for authorized use, while state, regional, and national users are restricted to aggregated and de‑identified information. Dashboards are displayed only when minimum thresholds are met and use row‑level security.
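
The sketch below is an added illustration of how role, organizational scope, and a minimum aggregation threshold can combine in a server-side access check; it is not NPRQI's code. The role names, the threshold value of 11, and the record layout are assumptions, and the sample rows are constructed.

```python
from dataclasses import dataclass

MIN_CELL_SIZE = 11  # assumed threshold; the page does not state the real value

@dataclass(frozen=True)
class User:
    role: str   # assumed role names: "site", "state", "national"
    scope: str  # organization id, state code, or "*" for national

def _make(org, state, n, met):
    """Build n constructed encounter rows, the first `met` of which met the measure."""
    return [{"org": org, "state": state, "patient_id": f"{org}-{i}",
             "measure_met": i < met} for i in range(n)]

# Constructed sample data: two Texas EDs and one New Mexico ED.
RECORDS = _make("ED-A", "TX", 12, 9) + _make("ED-B", "TX", 3, 1) + _make("ED-C", "NM", 4, 4)

def patient_level(user, records):
    """Row-level access: site users only, and only their own organization's rows."""
    if user.role != "site":
        raise PermissionError("patient-level data is limited to site-level users")
    return [r for r in records if r["org"] == user.scope]

def dashboard(user, records):
    """Aggregated, de-identified view; None means the dashboard is not displayed."""
    if user.role == "site":
        rows = [r for r in records if r["org"] == user.scope]
    elif user.role == "state":
        rows = [r for r in records if r["state"] == user.scope]
    elif user.role == "national":
        rows = list(records)
    else:
        raise PermissionError(f"unknown role: {user.role!r}")  # deny by default
    if len(rows) < MIN_CELL_SIZE:
        return None  # below the minimum threshold: suppress rather than show
    met = sum(r["measure_met"] for r in rows)
    return {"encounters": len(rows),
            "measure_met_pct": round(100 * met / len(rows), 1)}

if __name__ == "__main__":
    for u in (User("site", "ED-A"), User("state", "TX"),
              User("state", "NM"), User("national", "*")):
        print(u, dashboard(u, RECORDS))
```

A threshold on each view alone does not prevent differencing: here the national count (19) minus the Texas count (15) reveals the suppressed New Mexico cell (4). Complementary suppression or rounding of the overlapping totals is needed to close that gap.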


Clinical and operational data is transmitted to the NPRQI data warehouse using Fast Healthcare Interoperability Resources (FHIR)‑based messaging and remains encrypted at rest. Data is logically separated between organizations through server‑side authorization and organizational scoping, and performance dashboards use row‑level security to enforce access boundaries.


NPRQI performs regular backups and tests disaster recovery procedures to support system resilience and data integrity. Security‑relevant events are logged and protected from unauthorized access. Systems are continuously monitored for availability, performance, and potential disruptions to support timely detection and recovery.

