Data Governance and Ownership: HIT and the Imperative of Strong Electronic Health Vendor Relationships

December 2016

By Rene S. Cabral-Daniels, JD, MPH, CEO of Community Care Network of Virginia, Inc.

Recent healthcare literature is replete with articles regarding the importance of paying greater attention to healthcare data. Many suggest a healthcare organization’s ability to harness data value is the fulcrum to the organization’s success or failure. While these articles encourage greater use of healthcare data, they often fail to inform health entities of the importance of assuring proper data ownership as well as stewardship, integrity and dissemination.

Data requirements: what they are and what they aren’t
Healthcare leaders may mistakenly believe that compliance with the Health Insurance Portability and Accountability Act (HIPAA) health data protection sections insulate them from any potential legal claims. HIPAA is an important, albeit complex, federal law that addresses both health data protection as well as confidential handling of protected health information (PHI). The determination of data ownership as well as necessary PHI protection is further complicated by the use of electronic health records (EHR). Health records no longer reside on a shelf in a doctor’s office but can now be shared by few keystrokes on a computer. EHR usage changes the parameters of astute data governance responsibility from one concerned with data ownership to one focused on data stewardship.

Recent legislation promoting quality-based payments such as the Medicare Access & CHIP Reauthorization Act (MACRA) and the 824-page final rule describing implementation assure the use of electronic health records will continue to grow. The parameters of this growth are carefully prescribed in section 1848(o)(2)(A)(iii) of MACRA and the definition of “meaningful EHR user” under 42 CFR 495.4, which require eligible professionals to report on Clinical Quality Measures selected by the Centers for Medicare and Medicaid Services using only certified EHR technology, as part of being a meaningful EHR user under the Medicare EHR Incentive Program.

EHR use by providers is already rather substantial. According to the Office of the National Coordinator for Health Information Technology, in 2015, 96 percent of all non-federal acute care hospitals possessed certified health IT. While small rural and small urban hospitals had the lowest rates at 94 percent, 96 percent of critical access hospitals had certified health IT. Clearly, EHR vendors and their products are an integral part of data usage and PHI confidentiality, the keystones of data governance efforts.

Data governance: key component of care delivery models
Many healthcare organizations struggle with data governance. A 2014 American Health Information Management Association (AHIMA) survey of over 1,000 healthcare professionals revealed only 11% characterize their data governance programs as being mature while over 50% of the respondents did not have governance practices in place.[i]
The Health Information Management and Systems Society (HIMSS) has an excellent resource on overcoming data governance obstacles. The article is entitled, “A Roadmap to Effective Data Governance: How to Navigate Five Common Obstacles” and defines data governance as “the exercise of decision-making and authority for data-related matters.” [ii] The article analogizes the importance of having an effective data governance program seamlessly embedded within the overall management and operational practices to patient safety as an integrated component of a comprehensive care delivery model in any healthcare system. One obstacle identified is not addressing data governance from an enterprise perspective, which can perpetuate data integrity challenges.
Data integrity: accuracy, quality, and completeness
Assuring data integrity is certainly an essential component of data governance. Data integrity is defined by the Department of Health and Human Services’ Office of Civil Rights as “the property that data or information have not been altered or destroyed in an unauthorized manner.” Note that the alteration is not limited to intentional alteration; unintentional or mistaken alteration can compromise data integrity.
Data integrity is particularly challenging for both providers and EHR vendors when it concerns patient identity. Accurate patient identity is an imperative. Health information exchange cannot be accomplished in a manner that assures integrity without first assuring patient identity integrity. AHIMA defines patient identity integrity as “the accuracy, quality, and completeness of demographic data attached to or associated with an individual patient. This includes the accuracy and quality of the data as it relates to the individual, as well as the correctness of the linking or matching of all existing records for that individual within and across information systems.” While data integrity must be the cornerstone of any institutional health provider’s data governance principles, individual healthcare providers must communicate often with their EHR vendors to be certain that the correct patient’s health information is the information being exchanged.
Data dissemination: the call to collaborate with vendors
The final area regarding data governance concerns data dissemination. This area has the greatest potential for achieving excellence for providers by nurturing a strong partnership with EHR vendors. Data dissemination is occurring at unprecedented rates, and its future upward trajectory is projected to be even greater. MACRA includes a provision that expands the availability of Medicare claims data which took effect on July 1, 2016. This section expands how qualified entities will be allowed to use and disclose Medicare data under the qualified entity program.

Another MACRA provision that advances data dissemination is one that aligns with earlier efforts promoting interoperability. The tenets of the Certified EHR Technology criteria, which promote application programming interfaces that allow for interoperable data sharing necessary for big data analytics and population health management, will likely be coupled with MACRA’s Advancing Care Information (ACI). ACI will count for 25 percent of the Merit-Based Incentive Payment System (MIPS) attestation score in the first year of participation. MIPS advances population health management and care coordination by utilizing health IT that relies on open application programming interfaces (APIs) and an app-based approach to technology. Because APIs can be customized, providers will need to join forces with EHR vendors if they are to realize the financial benefits afforded by MIPS.

In summary, true data governance will not be possible without a strong partnership with EHR vendors. The partnership must go far beyond payment for services and assuring a business associate agreement (BAA) is executed. The BAA must be customized so that both parties have a meeting of the minds regarding data governance and other important factors that are memorialized in writing. Strong data governance must involve meaningful EHR vendor participation if it is to be sustainable.  

Community Care Network of Virginia, Inc. (CCNV), a community health center-owned and governed provider network, was legally incorporated as a statewide network organization in 1996 consistent with the Affiliation Policies of the Bureau of Primary Health Care. CCNV has a long, successful history of providing integrated, network-based services and programs to Virginia’s health centers, including the acquisition and implementation of a centralized practice management system, help desk, and support infrastructure commencing in 1999. Rene Cabral-Daniels currently serves on the NCHN board of directors.

[1] Cohasset Associates, "2014 Information Governance in Healthcare Survey." American Health Information Management Association, May 2014; at  
[2] See 'definitions of Data Governance.' The Data Governance Institute; at