The Health IT Data Governance Workgroup Meeting held by the Colorado Office of eHealth Innovation on April 25, 2025, focused on the governance and use of health data within the state's health information management systems. Key discussions revolved around the data use and restrictions applicable to the Colorado State Health Information Exchange (COSHI) and its relationship with the Healthcare Policy and Finance (HCFAF).

During the meeting, participants reviewed the guidelines for data sharing, emphasizing that COSHI is permitted to use data strictly for purposes outlined in a designated appendix. The discussion highlighted the importance of maintaining patient privacy, particularly regarding protected health information (PHI). A business associate agreement is required when PHI is involved, ensuring that data sharing complies with legal standards, including HIPAA and other relevant laws.

COSHI is restricted from selling or disclosing data without prior written consent from data providers, except for specific use cases. Access to data is limited to authorized personnel and third parties who have signed a memorandum of understanding (MOU) and a data use agreement. The meeting underscored the necessity for secure data handling and the obligation to inform parties if data is found to be inaccurate or outdated.

A significant point of confusion addressed during the meeting was the relationship between COSHI and HCFAF. While HCFAF is the funding body for the system, COSHI operates independently to ensure the security of social health data, which is treated differently from standard healthcare operations. This distinction is crucial for maintaining the integrity and confidentiality of health data shared among various stakeholders.

The meeting concluded with a call for continued collaboration and clarity among participants, as they navigate the complexities of health data governance in Colorado. The discussions set the stage for future developments in the state's health information systems, emphasizing the importance of secure and compliant data management practices.