NACHC uses data for research, policy, public health, and quality improvement to tell the health center story. Data products such as reports, infographics, abstracts, and manuscripts are generated to advocate for health center resources and support. The purpose of this document is to define NACHC’s data roles and responsibilities for NACHC staff, organizations sharing data with NACHC, and other interested parties. An appendix devoted to research specific rules and principles is included.

What Kinds of Data Does NACHC Use?

NACHC uses data from multiple internal and external sources to describe health systems, populations, and care delivery. Data may be at the patient/individual level or aggregated to the health center level. Examples of such data include data from:

• Health information technology systems like population health tools, apps or external datasets,
• Electronic health records (EHRs) and claims,
• External reporting systems like the Uniform Data Service (UDS), and
• Qualitative tools such as surveys, assessments, and interviews.

NACHC’s Data Responsibility

NACHC has both data owner and data steward responsibilities. NACHC is an owner of the data they collect  through surveys, assessments and other methods. Though not protected health information, these data may contain sensitive information and require protection and oversight. For data from outside organizations (referred to as data partners), NACHC is a data steward. That means NACHC is accountable to data partners for keeping data safe in accordance with relevant statutes, standards and best practices. Even when NACHC stores data from others, data partners retain control over the use of their data and can request the data redacted or destroyed. NACHC is responsible for tracking how data are used and providing timely feedback to data partners on how data can be improved. To meet these expectations, NACHC:

• Secures approval from data partners for data use and reuse outside the original project scope,
• Adheres to data sharing, privacy and security best practices and guidelines,
• Executes Data Use Agreement or other appropriate agreement to define the parameters of data exchange and approved use(s),
• Trains staff on relevant topics (e.g., research, data security, and use standards), and
• Implements processes to monitor NACHC’s adherence to data policies and procedures.

Data Sharing Agreements

For all projects involving shared data, NACHC enters into data sharing agreements (e.g., Data Use Agreements) to define the terms of partnership, clarify what data are shared and define the purpose(s) for which data may be used. Though data sharing agreements are not always required by law, these agreements define  expectations and hold organizations accountable. Data sharing agreements are time bound to ensure that projects have an end date after which data sharing concludes and data are destroyed. Data sharing agreements are specific - whenever a project changes, the data sharing agreement must be amended. For clinical data, relevant language from the Health Insurance Portability and Accountability Act of 1996 must be included (See Data Use Agreements for NACHC Partners).

Governance and Best Practices – Keeping Data Safe

To ensure NACHC is adhering to best practices, a Data Governance Council is appointed to advise on data sharing and data use across the NACHC organization. This Council meets monthly to discuss data sharing work, address data-related issues, and ensure that appropriate policies and procedures in place and current. Policies and procedures are re-evaluated regularly as statutory requirements, best practices and standards evolve.

Guiding Principles and Accountability

Building trust in data sharing with partners is essential to NACHCs work. NACHC commits to the following guiding principles:

1. Data collected by and shared with NACHC is used for research, quality improvement, public health, and evaluation that aims to improve the lives of populations served by healthcare organization as described by the Quintuple Aim. NACHC shares the results and products of data analysis with contributing health centers so many may benefit from what is learned.
2. All data requests received by NACHC from an external organization are processed through a centralized process and evaluated by the Data Governance Council for feasibility, completeness and fit. A data request is a defined ask received by NACHC for a dataset or the creation of analytic results for a specific purpose. Only requests that demonstrate a benefit to health centers and their patients are approved. When NACHC receives a request to use shared data outside of the scope of the original project and data use agreement, NACHC includes the data partner in the decision-making about that data request. NACHC will never fulfill a data request without the consent of all involved parties.
3. NACHC adheres to applicable laws, regulations and policies pertaining to data sharing and use, including the policies of its data partners. NACHC maintains data governance policies which document how NACHC fulfills the requirements of applicable laws and best practices (available upon request). For clinical data, NACHC adheres to HIPAA standards identifiers and does not accept any personally identifiable information from partners.
4. NACHC executes a data sharing agreement for projects including shared data. Any deviation from the agreement is disclosed to data partners in a timely fashion. Deviations may result in loss of access to data or penalties.
5. To ensure that research is ethical and safe, NACHC follows the guidance of the Common Rule and the relevant Institutional Review Board (IRB) when data are used for research.
6. NACHC staff share responsibility with data partners for keeping data safe.NACHC requires that staff receive regular training on data governance and security best practices. Written policies exist to guide staff when a data-security related event occurs. NACHC offers support and expert recommendations to health centers and other partners about how to keep their data safe.
7. NACHC maintains a secure environment with appropriate safeguards to keep data safe. In the rare instance of a data security event, NACHC follows federal and state laws and regulations to remediate the issue.
8. NACHC will never attempt to reidentify or contact individuals from datasets. NACHC will never sell data received from others unless a contract is in place with a data owner for that express purpose.
9. Sharing data products is a crucial part of a mutually beneficial data sharing relationship. Data products undergo a deidentification process. Data products are first shared with data partners for review and approval before being disseminated more broadly to stakeholders.