Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 12 Next »


The data governance policies and procedures were developed by the NACHC Clinical Affairs team in partnership with other NACHC teams and external partners. These policies and procedures are intended to apply to any project where data of any kind is received, collected, or generated, referred to as 'informatics projects' hereinafter. 

Governance Committee

NACHC's use of data received from partners and collected by NACHC are overseen by a Governance Committee ('GC'). The GC does not provide direct informatics project oversight, but does make recommendations and decisions about project participation, implementation, and the informatics architecture used to carry out informatics projects. A description of the NACHC data and informatics architecture is available here

The GC meets quarterly and includes between 8 and 10 members who represent 1) NACHC leadership and analytic staff, and 2)external data partners and project partners who represent a broad range of perspectives and collective expertise in clinical care, informatics, data science, and population health. The chairperson of the governance committee is Julia Skapic and the vice chairperson is Ron Yee. Ad-hoc GC meetings may be convened for time-sensitive issues. Details of the governance committee membership, scope, and operations (e.g., scope, voting) are defined in a committee charter (need to link this)

Section 1: Governance Approach

Governance Domains and Guiding Principles

There are four domains of governance that are relevant to NACHC's work: data governance, information governance, software governance, and partnership governance. Within those domains, NACHC adheres to eight governance principles: accountability, transparency, integrity, protection, compliance, availability, retention, and disposition. Definitions of each are available on a related site. Governance topics within each domain and principle are addressed in the policies and procedures below. 

Roles and Responsibilities

NACHC conducts data and informatics work in partnership with data partners and project partners. 

A data partner is an organization owning and/or providing data to NACHC which can include organizations providing direct health services such as federally qualified health centers (FQHCs), primary care association (PCA), or health center controlled network (HCCN). FQHCs are data owners in that they own the data collected by their organization. PCAs and HCCNs do not collect clinical data but serve as a data steward for clinical data provided by their members and contribute data on behalf of their member organizations. Federal agencies such as the Health Resources and Services Administration may also be a data partner, providing data to NACHC on behalf of FQHCs (example: UDS data). 

A project partner is an organization who participates in or supports informatics projects by providing subject matter expertise, funding, vendor services, or other technical assistance. Vendor services may include analysis which can require direct access to project data.

Data partners and project partners are members of the project team. Both project partners and data partners have responsibilities, depending on their level of access and role. add more here about responsibilities.

Informatics Service

NACHC's informatics team provides subject matter expertise, technical assistance, data management, and analysis services. Subject matter expertise includes providing guidance to data partner or project partners on how best to collect, store, and use their data. Technical assistance includes coaching data partners to improve the quality of their data collection and use. Data Management includes receiving, ingesting, standardizing and normalizing, cleaning, and transforming data from partners into a format and structure best suited for analysis.  Analysis services include performing analysis on one or multiple datasets to assess a prescribed outcome or outcomes (e.g., the percent of women who received contraception counseling), calculate a predefined quality measure (e.g., the percent of screening-eligible patients who were screened). When combining datasets from multiple data partners, analysis can include mapping and normalizing disparate data structures and formats into one common data model and linking patients (see Linkage section).

The informatics team generates the following work products: analytic results, value sets, measure definitions, written abstracts and manuscripts, and guidance documents. 

Project Structure

NACHC organizes and tracks data-related work in projects. A project is established for each unique dataset that is housed by NACHC. When NACHC is performing many distinct analytic services on a given dataset, multiple projects may be established. Each project has a Confluence website which defines the project team, provides links to relevant project documentation and agreements, location of project data, and tracks project progress.  Projects have regular status meetings. Minutes and meeting materials from status meetings are made available on Confluence.  At the start of each project, a project team is identified and includes members of the the data contributor and NACHC staff and documented on the project Confluence page. Additionally, members of the project team who will have access to project data are identified at the project inception. As the project team evolves through the project lifecycle, the project team is updated on Confluence and in project-related documentation, as appropriate.

Identification of Data 

There are three types of data that may be shared with NACHC.

De-identified data is data that has been “stripped of all HIPAA defined identifiers” which includes Personally Identifiable Information (PII) and Protected Health Information (PHI). De-identified data does not require a data use agreement (DUA); however some data partners may require a DUA just to cover their transmission of the data to another entity. PII is a subset of PHI and the list of 18 data elements that are considered PHI are documented in the HIPAA Safe Harbor definition. To be considered de-dientified, all 18 identifiers must be removed. Some data partners participate in date-shifting of encounter dates.  

A limited data set (LDS) is data that has been “stripped of all HIPAA identifiers, except age/dates and city/state/zip” - a LDS DUA is required when HIPAA authorization for the data sharing has not been obtained from the participants. If participants have signed a HIPAA authorization that allows for the data sharing, a DUA referencing a LDS is not necessary. It is rare that HIPAA authorization has been collected from patients for a NACHC project as most projects are secondary data analysis.

Identified data set includes PHI identified beyond that which would qualify as a LDS. A DUA cannot be used to facilitate sharing a PHI dataset. Instead, a BAA (Business Associate Agreement) or other agreement is appropriate if the participants have not signed a HIPAA authorization for the data sharing. Currently NACHC is not engaged in any informatics project where an identified dataset is being received. 

Section 2: Contracts and Regulatory

Data Use Agreements (DUA)

Because a LDS is still PHI, the HIPAA Privacy Regulations contemplate that the privacy of individuals will be protected by requiring covered entities (e.g.,health centers) to enter into DUAs with recipients of the LDS (NACHC). The data use agreement must meet standards specified in the Privacy Regulations. The purpose of a DUA, as required by HIPAA, is to:

  • establish the permitted uses and disclosures of the limited data set;
  • identify who may use or receive the information;
  • prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as permitted by law;
  • require the recipient to use appropriate safeguards to prevent a use or disclosure that is not permitted by the agreement;
  • require the recipient to report to the covered entity any unauthorized use or disclosure of which it becomes aware;
  • require the recipient to ensure that any agents (including a subcontractor) to whom it provides the information will agree to the same restrictions as provided in the agreement; and
  • prohibit the recipient from identifying the information or contacting the individuals.

Because DUA's require a high level of specificity, each DUA is project-specific. DUAs can be two party, meaning between NACHC and a data contributor, or multi-party, meaning between NACHC and multiple data contributors. Additionally, DUA's can include a reciprocity clause so that the DUA functions in both directions, a data partner sharing data with NACHC and NACHC sharing data with a data partner.

NACHC has a DUA template that has been vetted and approved by NACHC legal council. Alternatively, data partners are welcome to request the use of their institutional DUA template that can be customized for the project by NACHC staff. A process to initiate a DUA is documented below.

DUA Responsibilities 

When NACHC is the provider of the data:

NACHC has drafted a DUA for use by those who wish to disclose a LDS to recipients.  This template may be accessed from the NACHC contracts office. When NACHC is providing a LDS, if any material change is to be made to the NACHC template, or if another party’s version of a DUA is to be used, the NACHC legal council must review and approve the terms of the agreement. 

When NACHC is the recipient of the data:

If NACHC is the recipient of a LDS of PHI from a non-NACHC source, the NACHC project lead with either use the NACHC template or be asked to sign the other party’s Data Use Agreement.  When using another party's DUA, the NACHC project lead is responsible for reviewing the Data Use Agreement and determining if it complies in material terms with the NACHC DUA template.  If the other party’s DUA differs materially from the NACHC DUA template, or if there is any uncertainty, the NACHC legal council must be consulted.

Process to Initiate a Data Use Agreement (DUA)

Not all projects require a DUA but each project where data is being shared should consider the need for a data use agreement upon project initiation. The following process is recommended. 

    1. NACHC project lead completes the NACHC DUA Checklist to determine if a DUA is needed. This should occur as part of the project's initiation.
    2. The checklist is reviewed with data partner at an early project meeting to confirm the need for a DUA and level of identification of a dataset
    3. Once completed, the DUA checklist is stored in the project Confluence page. 
    4. If the DUA checklist identified a need for a DUA, the checklist is shared with the NACHC contract officer to begin the creation of a project-specific DUA.



  • No labels

Dear Confluence Users, If you need support for use of Atlassian tools, please contact informatics@nachc.com whether you have technical issues, need feature assistance, or simply have questions.