Section 5.7 Maintain

Section 5 Maintain—HIE Data Stewardship - 1

HIE Data Stewardship

Learn about the principles of data stewardship as adopted by the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology.

Time needed: 2 hours
Suggested prior tools: NA

How to Use

Review the concepts described for data stewardship. Use the tips included as you advance your facility’s use of health information technology (HIT) and as you consider the potential for participating in a health information exchange (HIE) organization, typically called an HIO.

Data Stewardship Defined

Data stewardship is an important concept when considering how an organization should manage its data assets.

·  “Stewardship,” as defined in the Random House Webster’s College Dictionary, refers to the responsibility for taking care of something one does not own. For example, a bank is a steward of the funds that an individual deposits in the bank.

·  “Data stewardship,” as defined by “Search Data Management” (June 6, 2013), is the management and oversight of an organization’s data assets to help provide users with high-quality data that is easily accessible in a consistent manner. Data stewardship provides for the coordination and implementation of data usage and security policies as determined by an organization’s data governance initiatives. “Health data stewardship” has become increasingly important—not only to ensure privacy protection, but also to ensure that the data used to make decisions are sound, and properly maintained and retained. The Robert Wood Johnson Foundation (in HSR: Health Services Research, October 2010) proposed that data stewardship that provides guidance for de-identification, aggregation, storage, acquisition, and use of health care data provides a solution to the struggle between privacy and access concerns about health care information.

Application of Data Stewardship to HIE Organizations

As your skilled nursing facility approaches any use of HIT, the principles espoused in data stewardship should provide guidance not only for protected health information (PHI) as described under HIPAA and in your role as a covered entity, but also for all individually identifiable health information (IIHI).

As you approach participation in an HIO, recognize that although many participants are likely to be HIPAA-covered entities (including health plans, health care clearinghouses, and covered providers) or business associates that are accountable directly to the HIPAA regulations, some participants may not be accountable to HIPAA or more stringent state consent requirements. These may include providers who do not file electronic claims with Medicare, employers, consumers, and commercial personal health record (PHR) vendors. HIOs themselves are defined by law as business associates.

  1. Business associate contract is the basic HIPAA agreement for covered entities to use when engaging other parties to perform work for them. This is the fundamental contract the HIE organization should have with members that are HIPAA-covered entities.
  2. Data use agreement is a HIPAA requirement when a limited data set is exchanged with another party for research, public health, or health care operations. The limited data set is individually identifiable health information from which most, but not all, HIPAA-specified identifiers have been removed. Although most HIOs will want to exchange PHI, at least with the HIPAA-covered entities, there may be other uses that can be made of a limited data set that would benefit the HIO.
  3. Data sharing agreement is not described by HIPAA, but is being used by data-sharing parties in HIOs. The agreement usually indicates: the criteria for data access; whether there are any conditions for certain types of use; specific standards with which the data sharing must conform (privacy, security, and other technical standards); and whether the data may be de-identified, aggregated, and re-used. This is particularly important because when PHI is de-identified, it is no longer protected under HIPAA. Although many covered entities find it distasteful for organizations to which they have entrusted PHI to de-identify and sell such information, this may be an important source of revenue for an HIO, supporting its work to exchange important information that can support health care services.
  4. Participation agreement is another agreement unique to HIOs that specifies the terms of the relationship between parties in an HIO and the roles, rights, and responsibilities of each party to the HIO. Signing this agreement usually means that each participant will adhere to the policies and procedures of the HIO.
  5. Data Use and Reciprocal Services Agreement (DURSA). The DURSA is the legal, multi-party trust agreement that is entered into voluntarily by all entities, organizations, and federal agencies that want to engage in electronic health information exchange using the national eHealth Exchange. It has also been adopted (and, in some cases, modified) by some state HIOs. It provides a set of national standards, services, and policies developed in coordination with the Office of the National Coordinator for Health IT (ONC). See more at: http://www.nationalehealth.org/dursa. The Agreement reflects consensus among the state, federal, and private entities that were involved in the development of the DURSA regarding the following issues:

o Multi-Party Agreement

o Participants Actively Engaged in Health Information Exchange

o Privacy and Security Obligations

o Requests for Information Based on a Permitted Purpose

o Duty to Respond

o Future Use of Data Received from Another Participant

o Respective Duties of Submitting and Receiving Participants

o Autonomy Principle for Access

o Use of Authorizations to Support Requests for Data

o Participant Breach Notification

o Mandatory Non-Binding Dispute Resolution

o Allocation of Liability Risk

Copyright © 2014 Updated 03-19-2014
