Versions Compared

Version Old Version 30 New Version 31
Changes made by

Julia Skapik

Emily Kraus (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Data governance policies and procedures to inform data-related activities were developed by the NACHC Clinical Affairs team in partnership with other NACHC teams and external partners. These policies and procedures can be applied to any activities where data is received, collected, or generated, referred to as 'informatics work' hereinafter.

...

De-identified data is data that has been “stripped of all HIPAA defined identifiers” which includes Personally Identifiable Information (PII) and Protected Health Information (PHI). PII is a subset of PHI and the list of 18 data elements that are considered PHI are documented in the HIPAA Safe Harbor definition. To be considered de-identified under HIPAA, all 18 identifiers must be removed. Some data partners participate in date-shifting to remove real encounter and birth dates.  

A limited data set (LDS) is data that has been “stripped of all HIPAA identifiers, except age/dates and city/state/zip”. 

Identified data sets which include PHI identified beyond that which would qualify as a LDS and are not accepted by NACHC at this time. Included in data shared with NACHC are the UDS datasets that are counts at the health center level. These data are deidentified according to HIPAA but are sensitive and do identify health centers. A UDS-specific data use agreement stipulates how UDS data can be used by NACHC – Emily Kraus (Unlicensed) this document exists at an organizational level and we believe the language should come from the HRSA-NACHC agreement. 

UDS Data

NACHC receives UDS data from HRSA that includes health-center level information on a variety of topics including services, staff, capacity, and financial data. The UDS data that NACHC receives includes some data that is available publicly and some sensitive data that only NACHC receives. Sharing UDS data with NACHC occurs under a cooperative agreement with HRSA which is overseen by Margaret Davis. The parameters of UDS data sharing and use are defined in a letter of agreement available here Margaret Davis we should add a link to the current LOA and DUA. Included in the LOA are explicit directions about how findings from the UDS data should be communicated in a way that protects the identity of health centers. 

UDS data does not contain PHI but is sensitive and requires physical, technical, and administrative safeguards. The UDS data is stored security in the Amazon cloud and only individuals who have signed a UDS specific DUA are permitted to access and use the UDS data. 

Need a sentence here about who can ask questions of the UDS data and what the expectations are around it. Does Margaret get

Informatics Services

NACHC's informatics work includes the following services: subject matter expertise, technical assistance, data management, and analysis services, which are defined in the table below.  Most informatics projects involve multiple informatics services. 

...

According to HIPAA, NACHC is not a covered entity. However, NACHC receives limited and deidentified de-identified datasets from covered entities. Though the amount of PHI received by NACHC is minimal, NACHC treats all of its data from covered entities as PHI and as such, complies with the relevant security and privacy expectations outlined by HIPAA. 

...

Section 4: Other Governance Topics 

Requests

NACHC receives many requests for data that has already been shared with them for an existing project or a request for data related to a new project. Additionally, NACHC receives requests for information partnership meaning a desire from one organization to partner and share data with a health center through support from NACHC.  

Requests for data or information partnerships are evaluated by the GC which meets monthly. Requests can be submitted hereEmily Kraus (Unlicensed) Efetobore Omadevuae (Deactivated) can help you with this Requests ​must be well defined meaning that they include a detailed description of what data is desired, how the data will be used, the type of use (e.g., research, surveillance, quality improvement or other) and how the request aligns with the NACHC vision and benefits health centers. Incomplete requests cannot be evaluated by the and will be returned to the requester. Requesters will be notified ​of an approval or denial within one week of the data governance council meeting. ​

For requests of data that NACHC has received for other projects, NACHC is not a data owner but a steward of data from other contributing organizations​. Thus ​a request ​approval from ​NACHC's data governance council is the first in a series of required approvals. Approved request will be shared with the originating data contributor ​and if approved by the data contributor, a data use agreement to define the parameters of the data exchange must be executed before any data can be shared. 
NACHC is facilitator of information partnerships​ rather than a broker of data​. NACHC strongly prefers building an information partnership with the goal of collaboratively developing a data sharing project that is beneficial to all parties involved.  

...