This page houses the data governance policies and procedures developed by the NACHC data governance council. These policies and procedures can be applied to activities where data is involved but are primarily focused on data sharing that is defined as 1) NACHC receiving data from an external organization, or 2) NACHC sharing data with an external organization.
...
NACHC uses data either shared with NACHC by a data partner or collected by NACHC. When NACHC has received data from a data partner, NACHC acts as a data steward. Data stewardship is the collection of practices that ensure an organization’s data is accessible, usable, safe, and trusted.
Data Shared with NACHC
There are many types of data that may be shared with NACHC including UDS data, clinical data, and membership or other health center data.
...
Identified data sets, which include PHI beyond that which would qualify as an LDS, are not accepted by NACHC at this time.
Membership and Other Health Center Data
Outside of UDS, clinical and financial data, NACHC receives other data from health centers and their partners for specific purposes. Say something about Prepare data?
...
Survey Data (EK to talk to Kathy, Margaret Davis, someone from PPR, Meg Meador, Michelle Proser)
For some projects, NACHC collects its own data, usually in the form of surveys that are completed by health centers or member information. These surveys will be anonymous and do not collect patient identifiers if received or held directly by NACHC. Need to expand this. Talk to Meg.
Requests for Data
NACHC receives requests for data that are part of either a new or an existing project. NACHC uses a central request process, referred to as a front door, to receive, review, and make determinations on requests from external organizations. Front Door instructions are available here. NACHC will only approve requests that benefit health centers and align with the NACHC vision.
Section 3: Statutes, Contracts, and Regulatory
Data Use Agreements (DUAs)
NACHC requires the execution of a data use agreement (DUA) whenever data is being shared with or by NACHC. For projects where an LDS is being shared, a DUA is required by HIPAA. For projects where deidentified data is being shared, a DUA is executed based on NACHC policy. NACHC observes the HIPAA Privacy Rule standards for a DUA. The purposes of a DUA are to:
- establish the permitted uses and disclosures of the limited data set;
- identify who may use or receive the information;
- prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as permitted by law;
- require the recipient to use appropriate safeguards to prevent a use or disclosure that is not permitted by the agreement;
- require the recipient to report to the covered entity any unauthorized use or disclosure of which it becomes aware;
- require the recipient to ensure that any agents (including a subcontractor) to whom it provides the information will agree to the same restrictions as provided in the agreement; and
- prohibit the recipient from identifying the information or contacting the individuals.
Because DUAs require a high level of specificity, each DUA is project-specific, and sections of the DUA are customized based on project scope and project data.
- When NACHC is the provider of data to an outside organization: NACHC has created a DUA template for use with recipients. This template may be accessed from the NACHC contracts office. When NACHC is providing an LDS, if any material change is to be made to the NACHC template, or if another party’s version of a DUA is to be used, the NACHC legal counsel must review and approve the terms of the agreement.
- When NACHC is the recipient of the data: If NACHC is the recipient of an LDS of PHI from a non-NACHC source, the NACHC project lead will either use the NACHC DUA template or modify the other party’s Data Use Agreement. When using another party's DUA, the NACHC project lead is responsible for reviewing the Data Use Agreement and determining if it complies in material terms with the NACHC DUA template. If the other party’s DUA differs materially from the NACHC DUA template, or if there is any uncertainty, the NACHC legal counsel must be consulted.
NACHC uses a standard DUA process (Link to instructions and DUA template).
HIPAA
When NACHC receives clinical data, those data are covered by HIPAA and NACHC, by receipt of that data, is bound by the HIPAA statutory obligations. NACHC is not a covered entity but does receive limited datasets and operates as a business associate. Though the amount of PHI received by NACHC is minimal, NACHC treats all of its data from covered entities as PHI and, as such, complies with the relevant security and privacy expectations outlined by HIPAA.
Section 4: Work Products
Work Products and Attribution
Data results in work products, which may include data quality results, analytic results, value sets, measure definitions, and recommendations. Work products are owned by all members of the project team and can be disseminated in manuscripts, abstracts, reports, presentations, and guidance documents. How and to whom work products are attributed is discussed with all project partners at the outset and as the project evolves to ensure that attribution of work products is accurate and equitable.
Attribution
Review
DEI in Work Products
TBD. Need some guidance here.
Identification of Health Centers in Work Products
TBD. Need some guidance here.
...
What are the kinds of survey data. What are the tools. How governance applies to it.
Some surveys have a higher governance focus than others. For example, evaluation-based surveys for programming and post-meeting surveys.
Other Data
Outside of UDS, clinical data, and survey data, NACHC receives data from health center members and financial data. Over time, these other data sources will be .... thought from julia in chat.
Requests for Data
NACHC receives requests for data that are part of either a new or an existing project. For clinical and UDS data, NACHC uses a central request process, referred to as a front door, to receive, review, and make determinations on requests from external organizations. Front Door instructions are available here. NACHC will only approve requests that benefit health centers and align with the NACHC vision.
Section 3: Regulatory
HIPAA
When NACHC receives clinical data, those data are covered by HIPAA and NACHC, by receipt of that data, is bound by the HIPAA statutory obligations. NACHC is not a covered entity but does receive limited datasets and operates as a business associate. Though the amount of PHI received by NACHC is minimal, NACHC treats all of its data from covered entities as PHI and, as such, complies with the relevant security and privacy expectations outlined by HIPAA.
Data Use Agreements (DUAs)
NACHC requires the execution of a data use agreement (DUA) whenever a dataset is being shared with or by NACHC. For projects where an LDS is being shared, a DUA is required by HIPAA. For projects where a deidentified dataset is being shared, a DUA is executed based on NACHC policy. NACHC observes the HIPAA Privacy Rule standards for a DUA. The purposes of a DUA are to:
- establish the permitted uses and disclosures of the limited data set;
- identify who may use or receive the information;
- prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as permitted by law;
- require the recipient to use appropriate safeguards to prevent a use or disclosure that is not permitted by the agreement;
- require the recipient to report to the covered entity any unauthorized use or disclosure of which it becomes aware;
- require the recipient to ensure that any agents (including a subcontractor) to whom it provides the information will agree to the same restrictions as provided in the agreement; and
- prohibit the recipient from identifying the information or contacting the individuals.
Because DUAs require a high level of specificity, each DUA is project-specific, and sections of the DUA are customized based on project scope and project data.
- When NACHC is the provider of data to an outside organization: NACHC has created a DUA template for use with recipients. This template may be accessed from the NACHC contracts office. When NACHC is providing an LDS, if any material change is to be made to the NACHC template, or if another party’s version of a DUA is to be used, the NACHC legal counsel must review and approve the terms of the agreement.
- When NACHC is the recipient of the data: If NACHC is the recipient of an LDS of PHI from a non-NACHC source, the NACHC project lead will either use the NACHC DUA template or modify the other party’s Data Use Agreement. When using another party's DUA, the NACHC project lead is responsible for reviewing the Data Use Agreement and determining if it complies in material terms with the NACHC DUA template. If the other party’s DUA differs materially from the NACHC DUA template, or if there is any uncertainty, the NACHC legal counsel must be consulted.
NACHC uses a standard DUA process (Link to instructions and DUA template).
Section 4: Work Products
Data often results in work products which may include data quality results, analytic results, value sets, measure definitions, abstracts, presentations, manuscripts, and reports. Work products are owned by all members of the project team, including data partners and project partners.
Attribution
Historically, patients and health centers have not always been recognized for their contribution to work products. NACHC believes appropriate attribution of work products that recognizes health center contributions to NACHC work is essential to their mission. How and to whom work products are attributed is discussed with all project partners at the outset and as the project evolves to ensure that attribution of work products is accurate and equitable.
Review
In addition to attribution, NACHC guarantees health centers the right to review work products resulting from projects that they participated in before those work products are finalized or publicly disseminated. Depending on the nature of the work product, health center review may be structured as opt-out or as a required approval of work products.
Health Equity and Work Products
Recognizing that health equity is an organizational pillar, NACHC is committed to advancing health equity within work products. Historically, work products have excluded marginalized groups and failed to present data through a health equity lens. In NACHC work, marginalized groups refers to racial/ethnic minorities and individuals sexual orientation and gender identities. NACHC is committed to broadening inclusion of these groups in their work, adopting equitable data collection best practices, and generating work products that call attention to disparities without creating risk of reidentification. However, NACHC recognizes the tension in that the availability of data on these topics is limited and that NACHC may be limited in their ability to describe disparities by data availability.
When underlying data are biased, NACHC recognizes the risk that resulting models or analytic results may also be biased. NACHC prioritizes using datasets that have a representative amount of data from each group and annotating products accordingly to call attention to this important issue.
Identification of Health Centers in Work Products
In general, NACHC does not identify health centers in work products. There are some projects where identification of health centers is appropriate. When health centers need to be identified, NACHC solicits written approval to do so and engages health centers in a thorough review process.
For some work products that present health center level findings, there could be a risk of health centers being re-identified by other means, especially with maps or health centers that see special populations. NACHC mitigates this concern with intentional and thorough review as well as small cell suppression.
Section 5: Data Security and Privacy
Patient data has become increasingly valuable to potential attackers. The rapid and continuous evolution of both healthcare information technology and attacker tools makes data security a constantly moving target, with methods of protection struggling to stay in front of attack efforts. NACHC believes that the security, privacy, and confidentiality of patient and health center data is of paramount importance. As such, NACHC takes a number of steps to ensure data security, protect their environment from security threats, and address security incidents when they occur. A summary of NACHC's data security and privacy policies is available here.
...
Federal regulations require that research projects involving human subjects be reviewed by an Institutional Review Board (IRB). According to the FDA, an IRB is an appropriately constituted group that has been formally designated to review and monitor biomedical research involving human subjects. The IRB must approve the project or determine it to be exempt prior to the start of any research activities. The IRB cannot provide approval or determinations for research that has already been concluded.
...
The federal regulations define both "research" and "human subject." Research is defined as a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Studies must be reviewed by an Institutional Review Board (IRB) only if both definitions apply. A project may involve data from human subjects, but not meet the definition of research and would, therefore, not require an IRB review. Research is defined by federal regulations at 45 CFR 46.102 (Protection of Human Subjects 2009), as "a systematic investigation including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge."
...