NACHC is committed to a trusting and mutually beneficial relationship with organizations from whom data are received (‘Data Partners’). Governance refers to the policies and procedures that instill trust and clearly defined roles and responsibilities between Data Partners and NACHC. 

The purpose of this webpage is to describe NACHC's perspective on data governance and provide documentation that supports NACHC partners.

Approach

NACHC has defined a governance approach that is customized for each project and Data Partner’s needs. NACHC only accepts limited datasets and de-identified datasets from Data Partners, as defined by the HIPAA Privacy Rule Safe Harbor guidelines. De-identified datasets do not contain any of the 18 elements of protected health information (PHI). Limited datasets may contain only selected attributes of PHI: 5-digit ZIP codes, dates, and ages over 90 years of age. NACHC shares the responsibility with Data Partners to ensure that datasets are properly prepared with respect to PHI and identifiers. 

Though Safe Harbor guidelines are very conservative and reduce the risk of reidentification to very low, the risk is not zero. As such, NACHC takes additional measures to ensure that data are received and stored securely, only used for its intended purpose, and only accessible to the minimum necessary individuals. 

HIPAA’s Minimum Necessary Rule states that Data Partners should only transmit the minimum amount of data that is necessary for a project. As such, NACHC and Data Partners are both responsible for assuring that the minimum necessary data are being exchanged and that data exchange meets the requirements of all federal and state regulations as well as organizational policies. 

NACHC requires a data use agreement (DUA) for sharing data in order to ensure that expectations of Data Partners and NACHC are clearly defined. Regardless of the project, NACHC commits to the following: 

• NACHC only receives data through HIPAA-compliant secure tools and offers those to Data Partners as part of project participation
• NACHC stores data securely with Amazon Web Services 
• NACHC adheres to data management standards and best practices
• NACHC does not attempt to re-identify patients 
• NACHC collaborates with Data Partners and project partners to clean, transform, and validate data to ensure accurate interpretation 
• NACHC only uses data for approved uses, as defined in the project contract and DUA
• NACHC does not perform analysis beyond the project scope without approval from Data Partners, but when additional opportunities arise, NACHC will bring those opportunities to Data Partners for review
• NACHC presents project data in aggregate form unless Data Partners have agreed to display data at the health center level 
• NACHC does not sell data
• NACHC will offer Data Partners the opportunity to review any new work products where their data was used
• NACHC responds to project-related analytic or informational requests from Data Partners 
• NACHC will destroy data upon the request of Data Partners who are free to terminate data sharing at any time 

Data Governance Documents

Data governance documents prepared by NACHC for external use are available here and include:

uses data for research, policy, public health, and quality improvement to tell the health center story. Data products such as reports, infographics, abstracts, and manuscripts are generated to advocate for health center resources and support. The purpose of this document is to define NACHC’s data roles and responsibilities for NACHC staff, organizations sharing data with NACHC, and other interested parties. An appendix devoted to research specific rules and principles is included.

What Kinds of Data Does NACHC Use?

NACHC uses data from multiple internal and external sources to describe health systems, populations, and care delivery. Data may be at the patient/individual level or aggregated to the health center level. Examples of such data include data from:

• Health information technology systems like population health tools, apps or external datasets,
• Electronic health records (EHRs) and claims,
• External reporting systems like the Uniform Data Service (UDS), and
• Qualitative tools such as surveys, assessments, and interviews.

NACHC’s Data Responsibility

NACHC has both data owner and data steward responsibilities. NACHC is an owner of the data they collect  through surveys, assessments and other methods. Though not protected health information, these data may contain sensitive information and require protection and oversight. For data from outside organizations (referred to as data partners), NACHC is a data steward. That means NACHC is accountable to data partners for keeping data safe in accordance with relevant statutes, standards and best practices. Even when NACHC stores data from others, data partners retain control over the use of their data and can request the data redacted or destroyed. NACHC is responsible for tracking how data are used and providing timely feedback to data partners on how data can be improved. To meet these expectations, NACHC:

• Secures approval from data partners for data use and reuse outside the original project scope,
• Adheres to data sharing, privacy and security best practices and guidelines,
• Executes Data Use Agreement or other appropriate agreement to define the parameters of data exchange and approved use(s),
• Trains staff on relevant topics (e.g., research, data security, and use standards), and
• Implements processes to monitor NACHC’s adherence to data policies and procedures.

Data Sharing Agreements

For all projects involving shared data, NACHC enters into data sharing agreements (e.g., Data Use Agreements) to define the terms of partnership, clarify what data are shared and define the purpose(s) for which data may be used. Though data sharing agreements are not always required by law, these agreements define  expectations and hold organizations accountable. Data sharing agreements are time bound to ensure that projects have an end date after which data sharing concludes and data are destroyed. Data sharing agreements are specific - whenever a project changes, the data sharing agreement must be amended. For clinical data, relevant language from the Health Insurance Portability and Accountability Act of 1996 must be included (See Data Use Agreements for NACHC Partners).

Governance and Best Practices – Keeping Data Safe

To ensure NACHC is adhering to best practices, a Data Governance Council is appointed to advise on data sharing and data use across the NACHC organization. This Council meets monthly to discuss data sharing work, address data-related issues, and ensure that appropriate policies and procedures in place and current. Policies and procedures are re-evaluated regularly as statutory requirements, best practices and standards evolve.

Guiding Principles and Accountability

Building trust in data sharing with partners is essential to NACHCs work. NACHC commits to the following guiding principles:

1. Data collected by and shared with NACHC is used for research, quality improvement, public health, and evaluation that aims to improve the lives of populations served by healthcare organization as described by the Quintuple Aim. NACHC shares the results and products of data analysis with contributing health centers so many may benefit from what is learned.
2. All data requests received by NACHC from an external organization are processed through a centralized process and evaluated by the Data Governance Council for feasibility, completeness and fit. A data request is a defined ask received by NACHC for a dataset or the creation of analytic results for a specific purpose. Only requests that demonstrate a benefit to health centers and their patients are approved. When NACHC receives a request to use shared data outside of the scope of the original project and data use agreement, NACHC includes the data partner in the decision-making about that data request. NACHC will never fulfill a data request without the consent of all involved parties.
3. NACHC adheres to applicable laws, regulations and policies pertaining to data sharing and use, including the policies of its data partners. NACHC maintains data governance policies which document how NACHC fulfills the requirements of applicable laws and best practices (available upon request). For clinical data, NACHC adheres to HIPAA standards identifiers and does not accept any personally identifiable information from partners.
4. NACHC executes a data sharing agreement for projects including shared data. Any deviation from the agreement is disclosed to data partners in a timely fashion. Deviations may result in loss of access to data or penalties.
5. To ensure that research is ethical and safe, NACHC follows the guidance of the Common Rule and the relevant Institutional Review Board (IRB) when data are used for research.
6. NACHC staff share responsibility with data partners for keeping data safe.NACHC requires that staff receive regular training on data governance and security best practices. Written policies exist to guide staff when a data-security related event occurs. NACHC offers support and expert recommendations to health centers and other partners about how to keep their data safe.
7. NACHC maintains a secure environment with appropriate safeguards to keep data safe. In the rare instance of a data security event, NACHC follows federal and state laws and regulations to remediate the issue.
8. NACHC will never attempt to reidentify or contact individuals from datasets. NACHC will never sell data received from others unless a contract is in place with a data owner for that express purpose.
9. Sharing data products is a crucial part of a mutually beneficial data sharing relationship. Data products undergo a deidentification process. Data products are first shared with data partners for review and approval before being disseminated more broadly to stakeholders.