Page 1 of 5
Administrative (Non-Clinical) Policy
This administrative policy applies to the operations and staff of the University of Wisconsin Hospitals and
Clinics Authority (UWHCA) as integrated effective July 1, 2015, including the legacy operations and
staff of University of Wisconsin Hospital and Clinics (UWHC) and University of Wisconsin Medical
Policy Title: Access to Enterprise Data for Analytics
Policy Number: 1.49
Effective Date: March 1, 2017
The purpose of this policy is to clarify which UW Health employees, units and departments are able to
access enterprise data and databases that store information obtained in the course of delivering patient
care or operating the businesses that comprise UW Health. This policy is one component in UW Health’s
support of an analytics data infrastructure that meets both best practice and regulatory security and
privacy requirements, while providing appropriate data analytics resources to individuals and departments
for administrative, operational and research purposes.
Analytics is the discovery and communication of meaningful patterns in data. Analytics
methodologies can be used to in healthcare to describe, predict, and improve business
performance and patient care outcomes. Similarly, clinical research hypotheses can be tested
using analytic methodologies across data from many patient records.
B. Departmental Data Owner
Some data sources have an obvious or implied departmental owner, and in such cases those
owners have full rights to make use of their own data sources, notwithstanding any provisions in
this policy. For example, each entity’s Human Resources departments access their own employee
databases for broad operational and analytic purposes. Similarly, each entity’s Fiscal departments
access their own accounting systems for various purposes.
C. UW Health Clinical Data Sources
Any digital data obtained, processed and stored by the multiple computerized systems and data
warehouses used for patient care. Clinical data sources include, but are not limited to, the
1. Chronicles-Epic transactional systems/database (patient care data)
2. Clarity–Epic analytical database (patient care data)
4. Avatar and Press Ganey–Patient experience datasets
D. UW Health Business Data Sources
Any digital data created, processed and stored by the multiple computerized systems and data
warehouses used for UW Health business purposes. Business data sources include, but are not
limited to, the following:
1. PeopleSoft Human Resources (instances from UWHC, UWMF, and SMPH)
Page 2 of 5
2. PeopleSoft Financials
3. Chronicles–Epic transactional systems/database (billing, payment, claims data)
4. Clarity–Epic analytical database (billing, payment, claims data)
E. UW Health Research Data Sources
Any digital data created, processed and stored by the multiple computerized systems and data
warehouses used for UW Health research purposes. Research data sources include, but are not
limited to, the following:
F. Externally Regulated Data
Any digital data acquired by UW Health from an external source, where usage of the data is
subject to restrictions under legal agreement or governmental regulation. Externally Regulated
Data include, but are not limited to, the following:
1. Center for Medicare and Medicaid Claims Data
2. Federal Health Insurance Exchange Data (insurance coverage and membership data)
3. Wisconsin Department of Health Services Data
4. Wisconsin Hospital Association Claims Data
G. UW-Health Data Warehouse Environment (DWE)
The UW Health Data Warehouse Environment is the official repository for data collected from
multiple sources across UW Health. The UW Health DWE may house data centrally, or may
retrieve data from affiliated data marts. The purpose of the DWE is to provide seamless access to
data for the purpose of secondary data analysis. The UW Health DWE includes, but is not limited
1. EDW (Enterprise Data Warehouse)–Developed and maintained by Enterprise Analytics,
and used as a source for clinical, administrative, quality and research data as appropriate.
2. i2b2–Implemented and operated by Enterprise Analytics, in order to offer “ad hoc”
access to primarily de-identified data.
H. UW Affiliated Covered Entity
The University of Wisconsin Affiliated Covered Entity (ACE) comprises the University of
Wisconsin Hospitals and Clinics, University of Wisconsin Medical Foundation, and a subset of
the University of Wisconsin-Madison (including clinical components of the School of Medicine
and Public Health, the School of Nursing, the School of Pharmacy-clinical units only, and the
Waisman Center-clinical units only). The definition of the ACE changes from time to time, but
this policy will always apply to the ACE as it is defined over time.
I. Organized Health Care Arrangement
The University of Wisconsin Hospitals and Clinics, University of Wisconsin Medical Foundation,
and Unity Health Insurance comprise an Organized Healthcare Arrangement (OHCA). Under the
HIPAA Privacy Rule, an OHCA exists when multiple entities subject to HIPAA share protected
health information to manage and benefit their common enterprise. Under an OHCA, UWHC,
UWMF, and Unity may share protected health information for our joint health care operations.
The UW Health formal IT and Informatics governance structure overseen by the Information
Technology Executive Committee, and including multiple steering committees assigned to
specific content areas. The committee responsible for this development and oversight of this
policy is the Data Governance and Business Intelligence Steering Committee.
K. UW-Health Core Analytics Service Groups
1. UW Health Information Services, including Enterprise Analytics
2. UWMF Decision Support
3. Quality, Safety, and Innovation (QSI)
Page 3 of 5
4. Programs or businesses contracted to provide analytic services to UW Health, including
the Health Innovation Program (HIP) and the central SMPH Information Technology
L. Honest Broker
An honest broker is an entity that keeps sets of confidential, sensitive, or proprietary data, but
distributes parts of those data sets to other entities that should not have access to the entire data
set. An honest broker also confirms the person requesting the data has met applicable
requirements for access, such as Institutional Review Board approval/exemption for research
uses, or other approvals as relevant for other proposed uses of data.
This policy applies to employees, faculty, contracted workers, students, and any other members
of the workforce of the ACE and OHCA. It also applies to employees of entities that have
contracted to provide analytic services to members of the ACE or OHCA.
This policy applies to UW Health enterprise clinical, business, and research data, as well as
externally regulated data acquired by UW Health, that has been aggregated and stored for
analytics purposes. It does not apply to storage of or access to data for routine business operations
or patient care. It also does not apply to a departmental data owner’s access to the department’s
own primary data sources.
1. Sharing of protected health information (PHI) within the ACE is a “use” for which no
accounting of disclosures under the HIPAA Privacy Rule is currently required.
2. Sharing of PHI within the OHCA to support joint healthcare operations (but not for other
purposes) is a “use” for which no accounting of disclosures under the HIPAA Privacy
Rule is currently required.
3. Sharing of PHI outside the ACE or OHCA, even with other parts of UW-Madison, is a
“disclosure,” and in some circumstances requires an accounting of disclosures that must
be provided to a patient upon request.
4. Maintaining an accurate accounting of disclosures of PHI, of users outside the
ACE/OHCA would be resource intensive and cost prohibitive.
5. Under the HIPAA Security Rule, members of the ACE and OHCA are required to record,
monitor, and audit access to PHI to confirm uses are permissible and minimally
6. To facilitate compliance with these HIPAA requirements, analytical access to enterprise
data is limited to the ACE, OHCA, or entities that have contracted to provide analytic
services to member of the ACE or OHCA.
7. Similarly, business data other than PHI often contain sensitive, strategic, or proprietary
information requiring adequate security controls. Therefore, all aggregated data defined
by this policy is subject to the same governance, oversight, and stewardship requirements
when used for analytic purposes.
D. Out of Scope: The following data sources are out of scope of this policy, but may be addressed in
1. Patient registries
2. Clinical data created by or stored in ancillary clinical systems, but not currently
interfaced or transferred to Health Link.
Page 4 of 5
IV. POLICY ELEMENTS
A. Data Access for Core Analytics Service Groups
The Core Analytics Service Groups are responsible for:
1. Acting as primary custodians of key raw and processed data sets,
2. Providing data analytics services to UW Health,
3. Managing data within the databases they have been assigned,
4. Assuring access to those data sets can be audited,
5. Acting as an honest broker between end users and the DWE, and
6. Segregating data to fulfill specific purposes (for example, a data mart, universe, or view)
and building/managing presentation tools for end users to use for less technical, self-
service analytics queries on subsets of data,
7. Complying with externally imposed data regulations, such as data destruction
These responsibilities include regular and emergency updates, quality assurance, security,
and data validation, transformation, standardization, and harmonization. As such, once all
training has been completed successfully, and credentials have been obtained, members
of these teams have unlimited access to applicable DWE databases for purposes of
fulfilling their job responsibilities.
B. Data Access for Individuals or Teams
Two options exist for use of UW Health enterprise data.
1. Individual Access
Individuals who do not work for a Core Analytics Service Group may request access to
an appropriately defined segment (for example, a data mart, universe, or view) of the
DWE. Staff in these roles:
a. may utilize, but not edit, delete or update any information in the DWE,
b. may not access clinical and business data sources directly for analytics purposes,
as those data are (or will be) a subset of the DWE,
c. may not copy data sets from the DWE or place data sets on departmental drives,
unless the data set has first been reviewed and approved by an honest broker.
**Note: Where enterprise data is currently transmitted to and stored on
departmental drives, existing arrangements will be reviewed and modified in
accordance with this policy over time.
2. Shared Resource/Matrixed Reporting Access
Departments who are not a Core Analytics Service Group may also choose to adopt a
shared resourcing model, which embeds a departmental employee in a Core Analytics
Service Group. The department funds the employee so the employee’s services are
dedicated to the department, but the employee has a formally defined matrixed reporting
relationship to a Core Analytics Service Group.
a. These individuals must meet all the hiring eligibility, training, and other
applicable requirements normally applied to other staff members to be a member
of a Core Analytics Service Group.
b. These individuals will be held similarly accountable for proper data management,
use, development, and access methodology as a Core Analytics Service Group
c. No Core Analytics Service Group is required to support a shared
resource/matrixed reporting relationship. Arrangements are context specific, and
written agreements that define how the dual reporting relationship is of benefit to
both parties are required.
Page 5 of 5
C. Data Access Procedure Standardization
All staff with access to data for analytics purposes will follow the same procedures, including the
1. Standard user authentication methods, as defined by UW Health Information Services.
2. Standard and common tools for data manipulation, development, analysis and display.
Users will not be permitted to use tools that are unapproved for use at UW Health.
3. UW Health security and compliance standards.
4. A long-term financial sustainability plan.
5. A business continuity plan.
V. REFERENCES AND PROCEDURES
A. A partial list of procedures to be defined includes:
1. Procedures for tracking and enforcing external data requirements.
2. Procedures for establishing a matrixed relationship.
3. Procedures for requesting an appropriately limited data mart, universe, or view.
4. Approved tools for data manipulation, development, analysis and display, including their
intended purposes, audiences, licensing limitations.
Sr. Management Sponsor: SVP, Chief Information Officer
Author: Health Information Services Sr. Data Security Analyst; Chief Research Information Officer
UWSMPH Senior Management Sponsor: SVP, Chief Information Officer
Unity Senior Management Sponsor: VP, Treasurer and CFO
Approval Committee: UW Health Administrative Policy and Procedure Committee
UW Health Chief Administrative Officer
Previous revision: 022014
Next revision: 032020