Use and Storage of Data at NACHC
Data Governance: content, quality assurance, Data Governance Council
Data governance, as defined by AHIMA and adopted by NACHC, establishes policies and procedures governing data use within the organization, facilitating compliance, legal efforts, and efficient management of health information. NACHC's need for data governance arises from its involvement in various data-driven initiatives, including the reception of electronic health records (EHR) and administrative data from multiple entities such as Federally Qualified Health Centers (FQHCs), health center-controlled networks ('networks'), and primary care associations (PCAs).
As these datasets often contain protected health information (PHI) and identifiable organizational markers, NACHC recognizes the importance of structured governance to enhance project efficiency. Hence, in 2021, NACHC embarked on a dedicated data governance initiative, enlisting consultant support to facilitate the implementation and formation of a Data Governance Council to create and implement a governance framework for informatics projects and NACHC. The council's responsibilities include evaluating data requests, developing policies, advising on privacy incidents, reviewing data sharing projects, and ensuring long-term governance.
The Data Governance Council is currently prioritizing the development of standardized request and Data Use Agreement (DUA) processes, documenting data security and privacy policies, reporting the receipt of unrequested or unexpected PHI/PII, and establishing guiding principles for data use and governance infrastructure.
Data Sharing: NACHC does not share any clinical data in its data warehouse without the express permission of the data owner and approval by the Data Governance Council. To date, no data has been shared with any organization outside of the express purpose of the project itself. At this time, these cases are limited to: secure submissions to CDC’s secure public health data warehouse of data sets related to funded projects; transmission of data funded by CDC and OPA to an academic partner (UCSF) for quality measure validation (the express goal of the contract); and transmission of data to an academic partner (ATSU) contracted with NACHC to perform data analysis and evaluation.
Data Infrastructure
The Informatics team currently uses clinical data for various purposes, including research and analysis, quality improvement, healthcare analytics, and clinical decision support. This data includes sensitive information such as patient demographic records, test results, and treatment histories. We use the Atlassian platform (Jira/Confluence) and FileZilla over SSH File Transfer Protocol (SFTP) to receive data from partners. Data is mostly stored temporarily on NACHC-provided work computers during data analysis, and we delete any data from our servers afterwards.
Our organization employs a cutting-edge data management infrastructure, prioritizing security and efficiency. We use a CosmosDB server on AWS EC2 for data handling, with strict access control limited to our data team's IPs. Data is stored in encrypted AWS S3 buckets, and our analytics rely on a Databricks instance on AWS EC2, ensuring secure user authentication. We accept data submissions through Confluence or SFTP, offering secure and flexible options. NACHC seeks to utilize secure APIs for this data transfer exclusively in the future and is moving towards pilots of FHIR APIs for data transmission.
We've adopted the AWS Well-Architected Framework to enhance our infrastructure according to best practices. Our security approach includes a Zero Trust framework for rigorous access verification and a restructured data management system for improved security and efficiency, segregating operational accounts by business function.
We comply with HIPAA and the CIS AWS Foundations Benchmark v1.4.0, with all system provisioning automated via AWS CDK and CloudFormation. Administrative access is strictly regulated, and AWS CloudWatch monitors our systems in real-time. Access management is secured through Azure SSO and IAM Identity Centers, complemented by detailed logging and a break-glass protocol.
We're upgrading our data processing with an AWS Glue pipeline for automated data extraction and transformation, ensuring data integrity. Amazon Redshift within a VPC serves as our data warehouse, offering enhanced security.
Future plans include a secure webpage for easier data submission, FHIR server integration, and integration of AWS Macie for advanced data privacy and breach detection, reaffirming our commitment to data security and integrity.