NACHC is committed to a trusting and mutually beneficial relationship with organizations from whom data are received (‘Data Partners’). Governance refers to the policies and procedures that instill trust and clearly defined roles and responsibilities between Data Partners and NACHC. 

The purpose of this webpage is to describe NACHC's perspective on data governance and provide documentation that supports NACHC partners.

Approach

NACHC has defined a governance approach that is customized for each project and Data Partner’s needs. NACHC only accepts limited datasets and de-identified datasets from Data Partners, as defined by the HIPAA Privacy Rule Safe Harbor guidelines. De-identified datasets do not contain any of the 18 elements of protected health information (PHI). Limited datasets may contain only selected attributes of PHI: 5-digit ZIP codes, dates, and ages over 90 years. NACHC shares the responsibility with Data Partners to ensure that datasets are properly prepared with respect to PHI and identifiers.

Though Safe Harbor guidelines are very conservative and reduce the risk of re-identification to a very low level, the risk is not zero. As such, NACHC takes additional measures to ensure that data are received and stored securely, used only for their intended purpose, and accessible only to the minimum necessary individuals.

HIPAA’s Minimum Necessary Rule states that Data Partners should only transmit the minimum amount of data that is necessary for a project. As such, NACHC and Data Partners are both responsible for assuring that the minimum necessary data are being exchanged and that data exchange meets the requirements of all federal and state regulations as well as organizational policies. 

NACHC requires a data use agreement (DUA) for sharing data in order to ensure that expectations of Data Partners and NACHC are clearly defined. Regardless of the project, NACHC commits to the following: 

  • NACHC only receives data through HIPAA-compliant secure tools and offers those to Data Partners as part of project participation
  • NACHC stores data securely with Amazon Web Services 
  • NACHC adheres to data management standards and best practices
  • NACHC does not attempt to re-identify patients 
  • NACHC collaborates with Data Partners and project partners to clean, transform, and validate data to ensure accurate interpretation 
  • NACHC only uses data for approved uses, as defined in the project contract and DUA
  • NACHC does not perform analysis beyond the project scope without approval from Data Partners, but when additional opportunities arise, NACHC will bring those opportunities to Data Partners for review
  • NACHC presents project data in aggregate form unless Data Partners have agreed to display data at the health center level 
  • NACHC does not sell data
  • NACHC will offer Data Partners the opportunity to review any new work products where their data were used
  • NACHC responds to project-related analytic or informational requests from Data Partners 
  • NACHC will destroy data upon the request of Data Partners, who are free to terminate data sharing at any time

What happens to data once it is received by NACHC?

Instilling confidence and trust among Data Partners requires a clear understanding of what happens to data upon NACHC’s receipt (see figure). Data are received through a secure platform, stored in a raw format, and tagged with metadata to preserve information about their origin. Data are then cleaned, validated, transformed into a format designed for efficient analysis, and stored in a data warehouse. Data may be enriched with auxiliary information or combined with data from other Data Partners. A project-specific dataset is created for analysis and reporting so that the project team is able to access only the data necessary to generate the work products.


Data Governance Documents

Data governance documents prepared by NACHC for external use are available here and include:

  • Data Governance Overview
  • Data Use Agreement Primer