Versions Compared

Version Old Version 65 New Version Current
Changes made by

Emily Kraus

Efetobore Omadevuae

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page houses the data governance policies and procedures developed by the NACHC data governance council. These policies and procedures can be applied to activities where data is involved but are primarily focused on data sharing that is defined as 1) NACHC receiving data from an external organization,  or 2) NACHC sharing data with an external organization.  

...

There are four domains of governance that are relevant to NACHC's informatics work: data governance, information governance, software governance, and partnership governance. While these policies and procedures are focused on data governance, some aspects of information governance, software governance, and partnership governance may be relevant. Within those domains, NACHC adheres to eight governance principles: accountability, transparency, integrity, protection, compliance, availability, retention, and disposition as identified by the American Health Information and Management Association (AHIMA). Relevant governance topics  topics are addressed below. 

Section 1: Governance Approach

Amy Flowers (Unlicensed) Lets add the definitions here.

Data Governance Decision-Making 

NACHC's organization-wide data management, privacy, and security practices and infrastructure is directed and managed by the information technology (IT) department.

Within that context, NACHC operates a Data Governance Council ('GC') to advise on data sharing. The GC does not provide direct project oversight, but does make recommendations and decisions about project participation, implementation, and the technical architecture used to carry out data sharing. A description of the NACHC technical architecture is available here link now working. 

The GC meets monthly and includes members who represent 1) NACHC leadership, regulatory, and analytic staff, and 2) external data partners and project partners who represent a range of perspectives and collective expertise in clinical care, informatics, data science, and population health. Details of the GC membership, scope, and operations are defined in a charter. 

Project Structure

NACHC structures and executes research and quality improvement work using a project structure meaning research projects and quality improvement projects. 

...

A project partner is an organization who participates in or supports projects with that involve data sharing by providing subject matter expertise, funding, vendor services, or other technical assistance. The CDC and HRSA are to common project partners. Project partners may perform Common project partners may include federal agencies like CDC and HRSA, private companies such as John Snow International, and universities like Johns Hopkins University or AT Still University.

When project partners are providing services or technical assistance, they may perform project-related analyses or create project related data products (i.e., manuscripts, abstracts, or reports) which can require direct access to project data. 

Every project is different. Depending on the scope of the project, a project may have one or multiple datasets from one or more data partners. For each project, the project data is defined as the data that will be shared by data partners with NACHC. Based on the project data, the analytic results that will be derived from project data and data products are also defined. Generally, analytic results and data products are either generated by NACHC or project partners. 

An example figure illustrating the flow of data in a project with two data partners is shown below.  

Image Modified



Services

Projects involving data sharing can also include the following informatics and analytic services: subject matter expertise, technical assistance, data management, and analysis services, which are defined in the table below.  Most projects involve multiple services. 

Subject matter expertiseTechnical assistance*Data managementAnalysis services*
  • Providing guidance materials and sharing knowledge with data  data partners on how best to collect, store, and use their data
  • Sharing best practices from the field
  • Creating and sharing tools for a specific use case
  • Identifying translatable resources
  • Coaching and assisting data partners to improve the quality of their data collection and use 
  • Providing educational programming to cultivate knowledge and build capacity with partners
  • Coaching external and internal requestors in refining analytic requests to be more actionable and purpose driven
  • Improving the use and quality of analytic planning and documentation
  • Receiving, normalizing, and transforming data from partners into a format and structure aligned with analytic goals 
  • Mapping and normalizing disparate data structures and formats into a common data model
  • Conducting data quality activities and identifying data quality issues 
  • Performing analysis on one or multiple datasets to assess a prescribed outcome or outcomes (e.g., the percent of women who received contraception counseling)
  • Calculate a quality measure (e.g., the percent of screening-eligible patients who were screened)


...

NACHC uses data either shared with NACHC by a data partner or collected by NACHC. When NACHC has received data from a data partner, NACHC acts as a data steward. Data stewardship is the collection of practices that ensure an organization’s data is accessible, usable, safe, and trusted. 

Data Shared with NACHC

There are many types of data that may be shared with NACHC including UDS data, survey data, clinical data , and membership or other health center dataAlso may include writing, publishing and disseminating results.

UDS Data

NACHC receives UDS data from HRSA that includes health-center level information on a variety of topics including services, staff, capacity, and financial data so that NACHC can perform analyses on behalf of HRSA and FQHCs to describe the health center landscape and services. The UDS data that NACHC receives includes some data that is available publicly and some sensitive data that only NACHC holds. UDS data does not contain PHI but is sensitive. Sharing UDS data with NACHC occurs under a cooperative agreement with HRSA which is overseen by the Director of Knowledge Management and Learning (Currently Margaret Davis). The parameters of UDS data sharing and use are defined in two HRSA agreements (Authorization letter, NACHC DUA). Included  Included in these documents are explicit directions about how findings from the UDS data should be communicated in a way that protects the identity of health centers and their patients. 

...

Identified data sets which include PHI beyond that which would qualify as an LDS and Identified data sets which include PHI are not accepted by NACHC at this time.  

Survey Data 

NACHC collects data through surveys or assessments of health centers, primary care associations, patients, and other stakeholders. Health centers and their patients have been historically surveyed and researched excessively. NACHC is committed to only collecting data  data when the survey methods are rigorous, the survey questions are of high quality, and the survey topic will add value to health centers and the community that they serve. NACHC is also committed to collecting, storing, and using survey data based on industry best practices. 

The terms survey and assessment are not interchangeable, but both are used within NACHC. A survey generally means a longer set of questions within a research project. Assessments are generally shorter and the results are intended to be used for advocacy. Notably, the term survey triggers additional restrictions and requirements when administered within a project with federal funding. NACHC considers data from assessments to be apart of survey data and the below survey data policies. Meeting evaluation questions and tools are not considered surveys by NACHC. 

...

Outside of UDS, clinical data, and survey data, NACHC receives data from health center members and financial data. Over time, these other data sources will be incorporated into the broader NACHC data governance portfolio.

Requests for Data 

NACHC receives requests for data that are either a part of a new or existing project. For clinical and UDS data, NACHC uses a central request process, referred to as a front door, to receive, review, and make determinations on requests from external organizations. Front Door instructions are available hereavailable. update with SOP when avail  NACHC will only approve requests that benefit health centers and align with the NACHC vision


Sometimes requests are soliciting a data sharing partnership such as one organization hoping to partner and share data with a health center through support from NACHC.  NACHC is facilitator of information partnerships​ rather than a broker of data​. NACHC strongly prefers building an information partnership with the goal of collaboratively developing a data sharing project that is beneficial to all parties involved.  

...

Data Use Agreements (DUAs)

A Data Use Agreement (DUA) is an agreement that governs the sharing of data between research collaborators who are covered entities under the HIPAA privacy rule. A DUA establishes the ways in which the information in a limited data set may be used by the intended recipient, and how it is protected. NACHC requires the execution of a data use agreement (DUA) whenever dataset is being shared with or by NACHC. For projects where a LDS is being shared, a DUA is required by HIPAA. For projects where deidentified dataset is being shared, a DUA is executed based on NACHC policy. NACHC observes the HIPAA Privacy Rule standards for a DUA. The purposes of a DUA are to:

...

NACHC uses a standard DUA process (Instructions and DUA template available hereInsert new template SOP process).

Section 4: Work Products

Data often results in work products which may include data quality results, analytic results, value sets, measure definitions, abstracts, presentations, manuscripts, and reports.

Research 

Amy Flowers (Unlicensed) lets work on this.

Quality Improvement 

From quality improvement projects, work products are collectively owned by NACHC, the data partners who contributed data to the work product, and other project partners that supported the project. Once approved by all parties, these products may be used and disseminated widely so that many may benefit from what was learned.

Attribution

Historically, patients and health centers have not always been recognized for their contribution to work products. NACHC believes appropriate attribution of work products that recognizes health center contributions to NACHC work is essential to their mission. How and to whom work products are attributed is discussed with all project partners at the outset and as the project evolves to ensure that attribution of work projects is accurate and equitable.  

Review

In addition to attribution, NACHC guarantees health centers the right to review work products resulting from projects that they participated on before those work products are finalized or publicly disseminated. Depending on the nature of the work product, health center review may be structure as opt-out or a required approval of work products. 

Health Equity in Work Products

Recognizing that health equity is an organizational pillar, NACHC is committed to advancing health equity within work products. Historically, work products have excluded marginalized groups and failed to present data through a health equity lens. In NACHC work, marginalized groups refers to racial/ethnic minorities and individuals sexual orientation and gender identities. NACHC is committed to broadening inclusion of these groups in their work, adopting equitable data collection best practices, and generating work products that call attention to disparities without creating risk of reidentification. However, NACHC recognizes the tension in that the availability of data on these topics is limited and that NACHC may be limited in their ability to describe disparities by data availability.

When underlying data are biased, NACHC recognizes the risk that resulting models or analytic results may also be biased. NACHC prioritizes using datasets that have a representative amount of data from each group and annotating products accordingly to call attention to this important issue.

Identification of Health Centers in Work Products

In general, NACHC does not identify health centers in work products. There are some projects where identification of health centers is appropriate. When health centers need to be identified, NACHC solicits written approval to do so and engages health centers in a thorough review process. 

For some work products that present health center level findings, there could be a risk to health centers to be re-identified by other means, especially with maps or health centers that see special populations. NACHC mitigates this concern with intentional and thorough review as well as small cell suppression.

Section 5: Data Security and Privacy 

Patient data has become increasingly valuable to potential attackers. The rapid and continuous evolution of both healthcare information technology and attacker tools makes data security a constantly moving target, with methods of protection struggling to stay in front of attack efforts. NACHC believes that the security, privacy, and confidentiality of patient and health center data is of paramount importance. As such, NACHC takes a number of steps to ensure data security, protect their environment from security threats, and address security incidents when they occur. A summary of NACHC's data security and privacy policies are available here

NACHC adheres to data security standards defined in the HIPAA security rule (45 CFR Part 160), the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the Common Agreement (Section 12), Not every part of these three resources apply directly to NACHC's work with data, thus NACHC complies and aligns with them to the degree that they apply.  

Section 6: Research

The following topics apply specifically to NACHCs use of data for human subjects research.

Federal regulations require that research projects involving human subjects be reviewed by an Institutional Review Board (IRB). According to the FDA, an IRB is an appropriately constituted group that has been formally designated to review and monitor biomedical research involving human subjects. The IRB must approve or determine the project to be exempt or approved prior to the start of any research activities. The IRB cannot provide approval or determinations for research that has already been concluded.

IRB review and approval is required for projects that:

  • Meet the definition of research
  • Involve human subjects and
  • Include any interaction or intervention with human subjects or involve access to identifiable private information

...

Work products can include a project dataset, that could be shared or retained with other project partners, depending on the restrictions. Specifically, data from clinical sources that are bound by data use agreements may be restricted by those agreements in their ability to be shared with other parties. Further, data use agreements can require that clinical data are destroyed after the agreement expires or when the project concludes.

Ownership and Attribution

Ownership and attribution of work products is project dependent. From quality improvement projects that use data from health health centers, work products are collectively owned by NACHC, the data partners who contributed data to the work product, and other project partners that supported the project. Once approved by all parties, these products may be used and disseminated widely so that many may benefit from what was learned. For research projects, data that is collected by NACHC is generally owned by NACHC. 

Historically, patients and health centers have not always been recognized for their contribution to work products. NACHC believes appropriate attribution of work products that recognizes health center contributions to NACHC work is essential to their mission. How and to whom work products are attributed is discussed with all project partners at the outset and as the project evolves to ensure that attribution of work projects is accurate and equitable.  

NACHC recommends that each project define work products and discuss ownership and attribution with all project stakeholders early in the project planning process. 

Review

For some work products, engaging a wider group of organizations in review before publication is appropriate.

When health center data has been used for a quality improvement project, NACHC guarantees health centers the right to review work products resulting from projects that they participated on before those work products are finalized or publicly disseminated. Depending on the nature of the work product, health center review may be structure as opt-out or a required approval of work products.  


Health Equity in Work Products

Recognizing that health equity is an organizational pillar, NACHC is committed to advancing health equity within work products. Historically, work products have excluded marginalized groups and failed to present data through a health equity lens. In NACHC work, marginalized groups refers to racial/ethnic minorities and individuals sexual orientation and gender identities. NACHC is committed to broadening inclusion of these groups in their work, adopting equitable data collection best practices, and generating work products that call attention to disparities without creating risk of reidentification. However, NACHC recognizes the tension in that the availability of data on these topics is limited and that NACHC may be limited in their ability to describe disparities by data availability.

When underlying data are biased, NACHC recognizes the risk that resulting models or analytic results may also be biased. NACHC prioritizes using datasets that have a representative amount of data from each group and annotating products accordingly to call attention to this important issue.

Identification of Health Centers in Work Products

In general, NACHC does not identify health centers in work products. There are some projects where identification of health centers is appropriate. When health centers need to be identified, NACHC solicits written approval to do so and engages health centers in a thorough review process. 

For some work products that present health center level findings, there could be a risk to health centers to be re-identified by other means, especially with maps or health centers that see special populations. NACHC mitigates this concern with intentional and thorough review as well as small cell suppression.

Section 5: Data Security and Privacy 

Patient data has become increasingly valuable to potential attackers. The rapid and continuous evolution of both healthcare information technology and attacker tools makes data security a constantly moving target, with methods of protection struggling to stay in front of attack efforts. NACHC believes that the security, privacy, and confidentiality of patient and health center data is of paramount importance. As such, NACHC takes a number of steps to ensure data security, protect their environment from security threats, and address security incidents when they occur. A summary of NACHC's data security and privacy policies are available here

NACHC adheres to data security standards defined in the HIPAA security rule (45 CFR Part 160), the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the Common Agreement (Section 12), Not every part of these three resources apply directly to NACHC's work with data, thus NACHC complies and aligns with them to the degree that they apply.  

Section 6: Research

The following topics apply specifically to NACHCs use of data for human subjects research.

Federal regulations require that research projects involving human subjects be reviewed by an Institutional Review Board (IRB) only if both definitions apply.  A project may involve data from human subjects, but not meet the definition of research and would, therefore, not require an IRB review. Research is defined by federal regulations at 45 CFR 46.102 (Protection of Human Subjects 2009), as "a systematic investigation including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge."

Helpful IRB and Research Guidance:

NACHC projects that include research are reviewed by an IRB to ensure that the human subjects’ research is ethical.  In some cases, an exemption determination is required for publication of results from non-research projects. IRB approvals are not retroactive meaning the data collection or analysis cannot begin until the IRB approval has been granted.

Acknowledging that some projects are clearly research while others are not clearly research or non-research, NACHC delegates the responsibility of determining if the project is research and which (if any) of the NACHC research data governance policies apply to the project lead. 

The Common Rule

Federal Regulation 45 CFR 46 “Protection of Human Subjects”, referred to as the Common Rule, is an anchor regulatory text on which investigators and institutional review boards (IRBs) rely and must comply to protect human subjects in research. NACHC research projects comply with this Common Rules guidance on the types of research and required use of an IRB.

Primary Investigator

NACHC projects which are research in nature have a defined primary investigator (PI) who is responsible for ensuring the project adheres to research policies. The PI leads and manages the research team engaged in any part of the research project. NACHC PIs complete a battery of research related training with the CITI program.

Institutional Review Board

NACHC does not operate their own IRB. Instead NACHC partners with external IRBs such as AT Still Research Institute for their IRB needs. Any changes in the research dataset, data use, or data products are considered a change to the research project and require an amendment to the IRB protocol is submitted.

...

. According to the FDA, an IRB is an appropriately constituted group that has been formally designated to review and monitor biomedical research involving human subjects. The IRB must approve or determine the project to be exempt or approved prior to the start of any research activities. The IRB cannot provide approval or determinations for research that has already been concluded.

IRB review and approval is required for projects that:

  • Meet the definition of research
  • Involve human subjects and
  • Include any interaction or intervention with human subjects or involve access to identifiable private information

The federal regulations define both "research" and "human subject." Research is defined as a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Studies must be reviewed by an Institutional Review Board (IRB) only if both definitions apply.  A project may involve data from human subjects, but not meet the definition of research and would, therefore, not require an IRB review. Research is defined by federal regulations at 45 CFR 46.102 (Protection of Human Subjects 2009), as "a systematic investigation including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge."

Helpful IRB and Research Guidance:

NACHC projects that include research are reviewed by an IRB to ensure that the human subjects’ research is ethical.  In some cases, an exemption determination is required for publication of results from non-research projects. IRB approvals are not retroactive meaning the data collection or analysis cannot begin until the IRB approval has been granted.

Acknowledging that some projects are clearly research while others are not clearly research or non-research, NACHC delegates the responsibility of determining if the project is research and which (if any) of the NACHC research data governance policies apply to the project lead. 

The Common Rule

Federal Regulation 45 CFR 46 “Protection of Human Subjects”, referred to as the Common Rule, is an anchor regulatory text on which investigators and institutional review boards (IRBs) rely and must comply to protect human subjects in research. NACHC research projects comply with this Common Rules guidance on the types of research and required use of an IRB.

Primary Investigator

NACHC projects which are research in nature have a defined primary investigator (PI) who is responsible for ensuring the project adheres to research policies. The PI leads and manages the research team engaged in any part of the research project. NACHC PIs complete a battery of research related training with the CITI program.

Institutional Review Board

NACHC does not operate their own IRB. Instead NACHC partners with external IRBs such as AT Still Research Institute for their IRB needs. Any changes in the research dataset, data use, or data products are considered a change to the research project and require an amendment to the IRB protocol is submitted.

Informed Consent

For research projects where data is collected directly from individuals, NACHC uses a consent form to inform participants of the benefits and risks of research participation and documents participant consent. Consent is required before data collection can begin.

...

Research data are stored securely in a project specific location (i.e., SharePoint) and transmitted using secure methods (e.g., SFTP, Dropbox). Only the research team has access to the research data for a given project. Transmission methods are determined based on the preferences of the PI and the project partners. Research project produce data products which are de-identified and shared with project team and relevant stakeholders outside of NACHC through Confluence.  

Section 7:

...

 Definitions

For the purpose of discussing data governance, NACHC observes the following definitions.

Research:

Quality Improvement:

Evaluation:

Research:

Research refers to a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research involves the collection and analysis of data to answer a specific question or to test a hypothesis, often with the intention of publishing the results to inform the broader field. It adheres to rigorous methodological standards and often requires ethical review and approval.

Quality Improvement (QI):

Quality Improvement is a systematic, formal approach to the analysis of practice performance and efforts to improve it. In healthcare, QI involves the continuous study and improvement of processes to enhance patient outcomes, service efficiency, and staff satisfaction. QI projects are typically local, specific to a particular organization or practice, and aim to bring immediate benefits by refining existing processes and procedures. Unlike research, QI does not aim to generate generalizable knowledge but rather focuses on improving quality and performance in a specific context.

Evaluation:

Evaluation is the systematic assessment of the design, implementation, and outcomes of a program, policy, or initiative. The purpose of evaluation is to determine the effectiveness, efficiency, and impact of the subject being evaluated. Evaluation involves the collection and analysis of information to understand the strengths and weaknesses of an initiative, inform decision-making, and guide future planning. Evaluations can be formative (to improve a program during its development) or summative (to assess the overall impact after implementation).