Data governance policies and procedures to inform data-related activities were developed by the NACHC Clinical Affairs team in partnership with other NACHC teams and external partners. These policies and procedures can be applied to any activities where data of any kind is received, collected, or generated, referred to as 'informatics work' hereinafter. 

What Does Data Governance Mean to NACHC? 

NACHC defines data governance as a framework to guide the usability, integrity and security of data and to instill trust in the use of data and data-related sources across systems. At NACHC, the data governance infrastructure encompasses a decision-making body, rules (policies and procedures), decision rights (how we “decide how to decide”), accountabilities, and enforcement methods for people and information systems as they perform information-related processes.

Our data governance framework focuses on how NACHC uses process, policy, and effective communication to ensure that data received from outside organizations and collected by NACHC are used to improve the health of individual patients and tell the health center story.

Data Governance Decision-Making 

NACHC's data-related informatics work is overseen by a Data Governance Council ('GC'). The GC does not provide direct informatics project oversight, but does make recommendations and decisions about project participation, implementation, and the informatics technical architecture used to carry out informatics projects. A description of the NACHC data and informatics architecture is available here.

The GC meets monthly and includes nine members who represent 1) NACHC leadership, regulatory, and analytic staff, and 2) external data partners and project partners who represent a range of perspectives and collective expertise in clinical care, informatics, data science, and population health. Details of the GC membership, scope, and operations (e.g., scope, voting) are defined in a charter.

Governance Domains and Guiding Principles

There are four domains of governance that are relevant to NACHC's informatics work: data governance, information governance, software governance, and partnership governance. While these policies and procedures are focused on data governance, some aspects of information governance, software governance, and partnership governance may be relevant.

Within those domains, NACHC adheres to eight governance principles: accountability, transparency, integrity, protection, compliance, availability, retention, and disposition as identified by the American Health Information and Management Association (AHIMA). Definitions of each are available on a related site. Relevant topics within each governance domain are addressed below. 

Section 1: Governance Approach

...

A data partner is an organization owning and/or sharing data with NACHC, which can include organizations providing direct health services such as federally qualified health centers (FQHCs), primary care associations (PCAs), or health center controlled networks (HCCNs). FQHCs are data owners in that they own the data collected by their organization. PCAs and HCCNs do not collect clinical data but serve as data stewards for clinical data provided by their members and contribute data on behalf of their member organizations. Federal agencies such as the Health Resources and Services Administration may also be data partners, providing data to NACHC on behalf of FQHCs (example: UDS data).

...

NACHC organizes and tracks informatics work in projects. A project is established for each unique dataset. Depending on the scope of the project, a project may have one or multiple datasets from one or more data partners that are housed by NACHC. When NACHC is performing many distinct analytic services on a given dataset, multiple projects may be established. Each project has a Confluence website which defines the project team, provides links to relevant project documentation and agreements, gives the location of project data, and tracks project progress. Projects have regular status meetings. Minutes and meeting materials from status meetings are made available on Confluence. At the start of each project, a project team, which includes members of the data contributor and NACHC staff, is identified and documented on the project Confluence page. Additionally, members of the project team who will have access to project data are identified at the project inception. As the project team evolves through the project lifecycle, the project team is updated on Confluence and in project-related documentation, as appropriate.

Data

Informatics work involves either data collected by NACHC or shared with NACHC. 

...

Data Collected by NACHC

For some informatics projects, NACHC collects its own data, usually in the form of surveys that are completed by health centers. Do we want to say any more here?

Data Shared with NACHC

There are two types of data that may be shared with NACHC.

De-identified data is data that has been “stripped of all HIPAA defined identifiers”, which include Personally Identifiable Information (PII) and Protected Health Information (PHI). PII is a subset of PHI, and the list of 18 data elements that are considered PHI is documented in the HIPAA Safe Harbor definition. To be considered de-identified under HIPAA, all 18 identifiers must be removed. Some data partners participate in date-shifting of encounters to remove real dates.

A limited data set (LDS) is data that has been “stripped of all HIPAA identifiers, except age/dates and city/state/zip”. 

Identified data sets, which include PHI beyond that which would qualify as a LDS, are not accepted by NACHC at this time.

Included in data shared with NACHC are the UDS datasets that are counts at the health center level. These data are deidentified according to HIPAA but are sensitive and do identify health centers. A UDS-specific data use agreement stipulates how UDS data can be used by NACHC (where would this be found)?

Informatics Services

NACHC's informatics work includes the following services: subject matter expertise, technical assistance, data management, and analysis services, which are defined in the table below. Most informatics projects involve multiple informatics services.

...

Informatics work generates the following work products: data quality results, analytic results, value sets, measure definitions, and recommendations. Work products are owned by all members of the project team and can be disseminated in manuscripts, abstracts, reports, slide presentations, and guidance documents. How and to whom work products are attributed is discussed with all project partners at the outset and as the project evolves to ensure that attribution of work products is accurate and equitable.

Identification of Health Centers in Work Products

TBD. Need some guidance here. 

Section 2: Contracts and Regulatory

Contracts 

At NACHC,  Contracts and DUAs are separate....

HIPAA 

According to HIPAA, NACHC is not a covered entity. However, NACHC receives limited and deidentified datasets from covered entities. Though the amount of PHI received by NACHC is minimal, NACHC treats all of its data from covered entities as PHI and, as such, complies with the relevant security and privacy expectations of business associates as outlined by HIPAA.

Data Use Agreements (DUAs)

NACHC requires the execution of a data use agreement (DUA) whenever EHR data is being shared with NACHC. For projects where a LDS is being shared, a DUA is required by HIPAA. For projects where deidentified data is being shared, a DUA is executed based on NACHC policy.

NACHC observes the HIPAA Privacy Rule standards for a DUA. The purposes of a DUA are to:

...

Because DUAs require a high level of specificity, each DUA is project-specific. DUAs can be two-party, meaning between NACHC and a data contributor, or multi-party, meaning between NACHC and multiple data contributors. Additionally, DUAs can include a reciprocity clause so that the DUA functions in both directions: a data partner sharing data with NACHC and NACHC sharing data with a data partner.

NACHC has a DUA template that has been vetted and approved by NACHC legal counsel. Alternatively, data partners are welcome to request the use of their institutional DUA template that can be customized for the project by NACHC staff. A process to initiate a DUA is documented below.

...

parties. The structure and contents of a DUA are customized based on project structure and needs. 

  • When NACHC is the provider of the data:

...

  •  NACHC has drafted a DUA for use by those who wish to disclose a LDS to recipients. This template may be accessed from the NACHC contracts office. When NACHC is providing a LDS, if any material change is to be made to the NACHC template, or if another party’s version of a DUA is to be used, the NACHC legal counsel must review and approve the terms of the agreement.
  • When NACHC is the recipient of the data:

...

  •  If NACHC is the recipient of a LDS of PHI from a non-NACHC source, the NACHC project lead will either use the NACHC template or be asked to sign the other party’s Data Use Agreement. When using another party's DUA, the NACHC project lead is responsible for reviewing the Data Use Agreement and determining if it complies in material terms with the NACHC DUA template. If the other party’s DUA differs materially from the NACHC DUA template, or if there is any uncertainty, the NACHC legal counsel must be consulted.

Process to Initiate a Data Use Agreement (DUA)

Not all projects require a DUA, but each project where data is being shared should consider the need for a data use agreement upon project initiation. The following process is recommended.

  1. The NACHC project lead completes the NACHC DUA Checklist to determine if a DUA is needed. This should occur as part of the project's initiation.
  2. The checklist is reviewed with the data partner at an early project meeting to confirm the need for a DUA and the level of identification of the dataset.
  3. Once completed, the DUA checklist is stored in the project Confluence page.
  4. If the DUA checklist identified a need for a DUA, the checklist is shared with the NACHC contract officer to begin the creation of a project-specific DUA.
  5. NACHC populates the DUA with project-specific information and shares it with the other parties for comment.
  6. NACHC receives and integrates comments and recirculates the DUA to the other parties and NACHC legal until it is ready for signature.
  7. The DUA is signed by the other party(ies) and returned to NACHC for counter-signature and execution.
  8. The DUA is executed by NACHC legal and the executed agreement is shared with all parties.

Section 3: Data Security and Privacy

Need to add content here.

Section 4: Other Governance Topics 

Requests

NACHC receives many requests for data that has already been shared with them for an existing project or requests for data related to a new project. Additionally, NACHC receives requests for information partnerships, meaning a desire from one organization to partner and share data with a health center and a desire for NACHC to support that partnership. All requests through support from NACHC.

Requests for data or information partnerships that include data sharing are evaluated by the GC, which meets monthly. Requests can be submitted here. Requests must be well defined, meaning that they include a clear, detailed description of what data is desired, how the data will be used, the type of use (e.g., research, surveillance, quality improvement or other), and how the request aligns with the NACHC vision and benefits health centers. Incomplete requests that do not include this information cannot be evaluated by the GC and will be returned to the requester. Requesters will be notified of an approval or denial within one week of the data governance council meeting.

For requests of data that NACHC has received for other projects, NACHC is not a data owner but a steward of data from other contributing organizations. Thus, approval of a request by NACHC's data governance council is the first in a series of required approvals. Approved requests will be shared with the originating data contributor and, if approved by the data contributor, a data use agreement to define the parameters of the data exchange must be executed before any data can be shared.

NACHC is a facilitator of information partnerships rather than a broker of data.

NACHC strongly prefers building an information partnership with the goal of collaboratively developing a data sharing project that is beneficial to all parties involved.

...

  

Institutional Review Board (IRB)

NACHC adheres to the Office for Human Research Protections (OHRP) regulations (45 CFR part 46) for human subjects research. NACHC informatics work is primarily quality improvement (QI) in nature, for which OHRP provides specific IRB guidelines. In general, OHRP states that QI is not human subjects research. Research is defined as systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. When QI projects do not align with this research definition, HHS regulations for the protection of human subjects do not apply and there is no requirement under these regulations for such activities to undergo review by an IRB, or for these activities to be conducted with provider or patient informed consent.

...