Versions Compared

Version Old Version 21 New Version 22
Changes made by

Emily Kraus

Emily Kraus

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Policies and procedures to inform data-related activities were developed by the NACHC Clinical Affairs team in partnership with other NACHC teams and external partners. These policies and procedures can be applied to any activities where data of any kind is received, collected, or generated, referred to as 'informatics work' hereinafter. 

What Does Data Governance Mean to NACHC? 

There are many definitions of data governance. NACHC defines data governance as a framework to guide the usability, integrity and security of data and to instill trust in the use of data and data-related sources across systems. At NACHC, the data governance infrastructure encompasses a decision-making body, rules (policies and procedures), decision rights (how we “decide how to decide”), accountabilities, and enforcement methods for people and information systems as they perform information-related processes.

Our data governance infrastructure framework focuses on how NACHC uses processes, policies, procedures, and communication tools that ensure that data received from outside organizations and collected by NACHC is used to improve the health of individual patients and tell the health center story. 

Data Governance Decision-Making 

NACHC's data-related work is overseen by a Data Governance Council ('GC'). The GC does not provide direct informatics project oversight, but does make recommendations and decisions about project participation, implementation, and the informatics architecture used to carry out informatics projects. A description of the NACHC data and informatics architecture is available here

The GC meets monthly and includes nine members who represent 1) NACHC leadership, regulatory, and analytic staff, and 2) external data partners and project partners who represent a range of perspectives and collective expertise in clinical care, informatics, data science, and population health. Details of the GC membership, scope, and operations (e.g., scope, voting) are defined in a charter

Governance Domains and Guiding Principles

There are four domains of governance that are relevant to NACHC's informatics work: data governance, information governance, software governance, and partnership governance. While these policies and procedures are focused on data governance, some aspects of information governance, software governance, and partnership governance may be relevant.

...

Section 1: Governance Approach

Roles 

NACHC conducts informatics work in partnership with data partners and project partners. 

...

A project partner is an organization who participates in or supports informatics work by providing subject matter expertise, funding, vendor services, or other technical assistance. Vendor services may include analysis which can require direct access to project data.

Project Structure

NACHC organizes and tracks informatics work in projects. A project is established for each unique dataset that is housed by NACHC. When NACHC is performing many distinct analytic services on a given dataset, multiple projects may be established. Each project has a Confluence website which defines the project team, provides links to relevant project documentation and agreements, location of project data, and tracks project progress.  Projects have regular status meetings. Minutes and meeting materials from status meetings are made available on Confluence.  At the start of each project, a project team is identified and includes members of the the data contributor and NACHC staff and documented on the project Confluence page. Additionally, members of the project team who will have access to project data are identified at the project inception. As the project team evolves through the project lifecycle, the project team is updated on Confluence and in project-related documentation, as appropriate.

Shared Data 

There are two types of data that may be shared with NACHC.

De-identified data is data that has been “stripped of all HIPAA defined identifiers” which includes Personally Identifiable Information (PII) and Protected Health Information (PHI). 

A limited data set (LDS) is data that has been “stripped of all HIPAA identifiers, except age/dates and city/state/zip”. 

Identified data sets which include PHI identified beyond that which would qualify as a LDS and are not accepted by NACHC at this time. 

Informatics Services

NACHC's informatics services can include subject matter expertise, technical assistance, data management, and analysis services, which are defined in the table below.  Most informatics projects involve multiple informatics services. 

Subject matter expertiseTechnical assistanceData managementAnalysis services
  • Providing guidance materials and sharing knowledge with data  partners on how best to collect, store, and use their data
  • Coaching and assisting data partners to improve the quality of their data collection and use 
  • Receiving, ingesting, standardizing and normalizing, cleaning, and transforming data from partners into a format and structure best suited for analysis
  • Mapping and normalizing disparate data structures and formats into a common data model
  • Conducting data quality activities and identifying data quality issues 
  • Performing analysis on one or multiple datasets to assess a prescribed outcome or outcomes (e.g., the percent of women who received contraception counseling)
  • Calculate a predefined quality measure (e.g., the percent of screening-eligible patients who were screened)

 Most informatics projects involve multiple informatics services. 


Work Products and Attribution

Informatics work generates the following work products: data quality results, analytic results, value sets, measure definitions, and recommendations. Work products are owned by all members of the project team and can be shared in manuscripts, abstracts, slides, and guidance documents. How and to whom work products are attributed is discussed with all project partners at the outset and as the project evolves to ensure that attribution of work projects is accurate and equitable.  

Identification

...

There are three types of data that may be shared with NACHC.

...

of

...

A limited data set (LDS) is data that has been “stripped of all HIPAA identifiers, except age/dates and city/state/zip” - a LDS DUA is required when HIPAA authorization for the data sharing has not been obtained from the participants. If participants have signed a HIPAA authorization that allows for the data sharing, a DUA referencing a LDS is not necessary. It is rare that HIPAA authorization has been collected from patients for a NACHC project as most projects are secondary data analysis.

Identified data set includes PHI identified beyond that which would qualify as a LDS. A DUA cannot be used to facilitate sharing a PHI dataset. Instead, a BAA (Business Associate Agreement) or other agreement is appropriate if the participants have not signed a HIPAA authorization for the data sharing. Currently NACHC is not engaged in any informatics project where an identified dataset is being received. 

Currently, NACHC receives only de-identified data and limited datasets. Notably, these levels of identification are focused on patient identification and do not address identification of health centers, which can also be sensitive but does not fall under HIPAA (see next section).

Identification of Health Centers

If and how health centers are identified is addressed in

Health Centers in Work Products

TBD

Section 2: Contracts and Regulatory

...

NACHC has a DUA template that has been vetted and approved by NACHC legal council. Alternatively, data partners are welcome to request the use of their institutional DUA template that can be customized for the project by NACHC staff. A process to initiate a DUA is documented below.

De-identified data does not require a data use agreement (DUA); however some data partners may require a DUA just to cover their transmission of the data to another entity. PII is a subset of PHI and the list of 18 data elements that are considered PHI are documented in the HIPAA Safe Harbor definition. To be considered de-identified, all 18 identifiers must be removed. Some data partners participate in date-shifting of encounter dates.  

- a LDS DUA is required when HIPAA authorization for the data sharing has not been obtained from the participants. If participants have signed a HIPAA authorization that allows for the data sharing, a DUA referencing a LDS is not necessary. It is rare that HIPAA authorization has been collected from patients for a NACHC project as most projects are secondary data analysis.

DUA Responsibilities 

When NACHC is the provider of the data:

...

    1. NACHC project lead completes the NACHC DUA Checklist to determine if a DUA is needed. This should occur as part of the project's initiation.
    2. The checklist is reviewed with data partner at an early project meeting to confirm the need for a DUA and level of identification of a dataset
    3. Once completed, the DUA checklist is stored in the project Confluence page. 
    4. If the DUA checklist identified a need for a DUA, the checklist is shared with the NACHC contract officer to begin the creation of a project-specific DUA.

Section 3: Requests

Section 4: Other Governance Topics 

Institutional Review Board (IRB)

...