Data governance policies and procedures to inform data-related activities were developed by the NACHC Clinical Affairs team in partnership with other NACHC teams and external partners. These policies and procedures can be applied to any activities where data is received, collected, or generated, referred to as 'informatics work' hereinafter.
...
Informatics work involves data that is either collected by NACHC or owned by another organization and shared with NACHC, where NACHC acts as a data steward.
Data Collected by NACHC
...
TBD. Need some guidance here.
Section 2: Statutes, Contracts, and Regulatory
Contracts
At NACHC, Contracts and DUAs are separate....
...
According to HIPAA, NACHC is not a covered entity. However, NACHC receives limited and de-identified datasets from HIPAA covered entities. Though the amount of PHI received by NACHC is minimal, NACHC treats all of its data from covered entities as PHI and as such, complies with the relevant security and privacy expectations outlined by HIPAA.
Data Use Agreements (DUAs)
...
TEFCA
Launched in January 2022, TEFCA provides a framework for networks to collaborate and share data interoperably. Network-to-network collaboration has many similarities to NACHC's informatics work. Thus, NACHC seeks to align with TEFCA when applicable and feasible.
Data Use Agreements (DUAs)
NACHC requires the execution of a data use agreement (DUA) whenever data is being shared with NACHC. For projects where an LDS is being shared, a DUA is required by HIPAA. For projects where de-identified data is being shared, a DUA is executed based on NACHC policy.
...
- NACHC project lead completes the NACHC DUA Checklist to determine if a DUA is needed. This should occur as part of the project's initiation.
- The checklist is reviewed with the data partner at an early project meeting to confirm the need for a DUA and the level of identification of the dataset.
- Once completed, the DUA checklist is stored in the project Confluence page.
- If the DUA checklist identified a need for a DUA, the checklist is shared with the NACHC contract officer to begin the creation of a project-specific DUA.
- NACHC populates the DUA with project-specific information and shares it with the other parties for comment.
- NACHC receives and integrates comments and recirculates the DUA to the other parties and NACHC legal until it is ready for signature.
- The DUA is signed by the other party(ies) and returned to NACHC for countersignature and execution.
- The DUA is executed by NACHC legal, and the executed agreement is shared with all parties.
Section 3: Data Security, Privacy, and Confidentiality
...
Patient data has become increasingly valuable to potential attackers. The rapid and continuous evolution of both healthcare information technology and attacker tools makes data security a constantly moving target, with methods of protection struggling to stay in front of attack efforts. NACHC believes that the security, privacy, and confidentiality of patient and health center data are of paramount importance. As such, NACHC takes a number of steps to ensure data security, protect its environment from security threats, and address security incidents when they occur. A summary of NACHC's data security and privacy policies is available here.
NACHC adheres to data security standards defined in the HIPAA security rule, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the Common Agreement (Section 12), to the degree that they apply to the NACHC informatics work.
Section 4: Other Governance Topics
Requests
NACHC receives many requests for data that has already been shared with it for an existing project, as well as requests for data related to a new project. Additionally, NACHC receives requests for information partnership, meaning a desire from one organization to partner and share data with a health center through support from NACHC.
Requests for data or information partnerships are evaluated by the GC, which meets monthly. Requests can be submitted here. Emily Kraus and Efetobore Omadevuae can help you with this. Requests must be well defined, meaning that they include a detailed description of what data is desired, how the data will be used, the type of use (e.g., research, surveillance, quality improvement or other), and how the request aligns with the NACHC vision and benefits health centers. Incomplete requests cannot be evaluated by the GC and will be returned to the requester. Requesters will be notified of an approval or denial within one week of the data governance council meeting.
...