Data Governance in Healthcare: From Policy to Operational Reality
What healthcare data governance takes in practice: ownership, data quality, and the named owners that make clinical AI safe to deploy instead of blocking it.
Healthcare leaders often assess a clinical model based on its real-time performance. However, the model’s foundations offer more insight. Take, for example, a 2019 study published in Science concerning a specific population health algorithm that was deployed for millions. This study revealed the algorithm had a tendency to underestimate the healthcare needs of Black patients. This phenomenon is largely thanks to the algorithm’s ‘learning’ of healthcare spending trends, where spending actually reflected patients’ access to care, rather than patients’ medical needs. The algorithm did precisely what it was designed to do. Given the constraints of the situation, the algorithm was presented with data that expressed something different, and no one intervened to question whether the data expressed what the algorithm assumed.
Unfortunately, this remains an under-appreciated aspect of healthcare data governance. The majority of oversight is focused on the model and its vendor. The data that underpins the model is neglected, despite it containing years of legacy decisions. Consequently, the model will treat these decisions as absolute, irreversible truths. At Hutchins Data Strategy Consultants, we become acquainted with these challenges from the health systems with whom we engage, many for the first time, after dashboards or models fail to gain the trust of end users.
Why Most Programs Fail: Policy Instead of Practice
Most healthcare data programs are developed under pressing circumstances. One week there are complaints regarding inconsistent multiple patient records for clinical staff. The following week, researchers are unable to access previously recorded lab data because of its fragmentation. An email-backed record causes a privacy officer to discover a gap in an audit trail. Responses to these urgent circumstances are, unfortunately, strikingly similar. An executive task force is created, and six months later a lengthy framework document fills inboxes while the policies remain in the drafting stage.
What happens after this point is critical for determining the success of the program. The document is received. The technology and clinical teams acknowledge it. The organization continues to operate the same way. Data stewards are appointed but are still expected to perform their regularly assigned duties. A council meets quarterly and after two years, the framework has been forgotten.
The same pattern continues to occur because the operational aspect is treated like the development of a policy. The work is treated like a project when it is a practice that needs to be continuously upheld. When data governance is mentioned, the creation of systems and documentation is what most leaders envision. The surface level aspects of data governance are not the end goals. The real work of data governance is the enforcement of data ownership through the daily activities of the data producers and consumers.
Four Segments of a Healthcare Data Governance Framework
Numerous healthcare data governance frameworks are created by various stakeholders. Most offer an ideal versus a practical model that accounts for real-world resource constraints. A framework earns the right to exist when it articulates the specifics of roles and responsibilities, the model for issue escalation, and the metrics that will be tracked. Absent these details, guiding principles, such as the one for increasing data quality, look good in a presentation but are entirely ineffective.
Interrelated to Ownership (the first component) are the following three components. Ownership first requires an assignment of responsibility (data governance) to specific individuals for defined data domains. Within the context of healthcare, the data domains of most concern are patient identity, clinical, financial, and operational data. Within each of those data domains, there exists stewardship supported by an understanding of the relevant data and the systems that either produce or consume the data.
The second component, with Ownership, is the establishment of Standards. These represent a unifying enterprise-wide constructed framework of data, and reconciliation of clinical and all other financial and operational data and their respective terminologies. This work is slow and often unattractive. It remains the foundational element of all subsequent healthcare data analytics and AI processes and applications.
Process, as the third component, relies on Standards for reference. Governance Structures require defined and documented Standards to maintain and manage Quality and Analytics processes. Without Standards, governance structures become obsolete and ignored.
Measurement closes the loop. Oversight should create data quality metrics, data issue resolution time, data steward engagement, and the increasing trust of data for analytics. These metrics should be included in operational reviews with all other performance metrics. If the data team is the only audience for a report, it has lost its purpose.
What the Evidence Says About the Data Behind AI
The Food and Drug Administration (FDA) has addressed this in its Good Machine Learning Practice and centered data origin and data quality principles for safe model building. If a health system cannot say where its training data has come from, or how it will be monitored post-launch, it is building on unchartered land.
The Agency for Healthcare Research and Quality (AHRQ) found measures based on incomplete or biased data can appear to be authoritative, but do not have the authority to make a decision. The Coalition for Health AI (CHAI) has elevated data quality assurance to a foundational element of trustworthy AI. The National Academy of Medicine, in its learning health system, has identified data as a shared institutional asset; thus, data with no owner and no steward creates a blind spot for a model built on it.
A 2026 systematic review reported in npj Digital Medicine analyzed 35 healthcare AI oversight frameworks, and nearly all frameworks shared the same deficiency. For all organizations, the biggest gap was the post-deployment controls, monitoring, and incident response, which was the most notable gap for all frameworks. A mapping review published in Social Science and Medicine highlighted the problem of traceability, which is a direct result of the AI pipeline’s opacity. When something goes wrong, it is nearly impossible to trace a decision to its origin.
Governance is What Makes a Health System AI-Ready
Missing oversight is what creates the bulk of the challenges related to AI adoption in the healthcare sector. Data is housed in silos, and inconsistencies abound. No ownership exists for resolving the issues, and as a result, models produce results that are distrusted by clinicians, and the initiative halts.
A health system is made AI-ready by addressing that oversight gap. The first step is establishing Policy, which creates the rules. Setting a Policy is not enough. Process must be established to carry those rules into consistent workflows. Finally, technology is brought in to automate the enforcement and monitoring of the rules. From that point forward, the workforce begins to view data quality as an integral part of their work as opposed to an additional burden. The most common failure is the establishment of policy without a corresponding process. This results in the creation of charters and data dictionaries, among other artifacts, with little to no improvement. Data catalogs and tools for monitoring data quality are important, and their value will only be brought to light when the required people and process are present. An unused catalog is an expensive shelf.
The benefits are obvious. A health system with robust data governance will be able to determine if its data allows for a new use case in a matter of days. In a matter of months? That’s a competitive disadvantage. Systems which consider data governance the first step toward health care AI move into production. Systems which consider data governance an administrative burden get stuck in an endless cycle of pilots.
Data Stewards
This isn’t addressed by a new platform. Health systems which handle this well have begun identifying data stewards. The data steward is the person who is notified about upgrades to the laboratory system and has the authority to determine if a dependent model is allowed to be used. Stewardship provides the authority for the governance of specific data elements to a named person. Most health systems have a governance policy that mandates data stewardship. Very few of them have named a data steward who has the authority to govern the data that the model is reliant on.
That authority also must be substantive. Real AI governance is not an engineering challenge. It is a leadership challenge. The 2025 Joint Commission and CHAI recommendations concerning the responsible use of AI call for named governance and continued oversight of AI systems post-validation, and each of those tasks is a leadership responsibility. For the second year in a row, ECRI, the former Emergency Care Research Institute, has identified AI in the top ten health technology threats because of systems which perform well in a validation context and subsequently fail in an operational context due to a lack of oversight.
A few visible characteristics define a mature program. Stewards have dedicated time for the role and the standing to prevent a system change that would impact the data they govern. A single inventory of data assets exists. From this inventory, data asset owners and stewards can see each array’s contents, update frequency, and access control. Quality checks are embedded in the systems for data creation and manipulation. A data pipeline halts when a clinical code becomes meaningless, instead of surfacing the problem in an audit several months down the line.
What Health Systems Must Decide
Policies are changing to reflect this. By January 1, 2026, certain states have shifted burden of disclosure and ownership requirements onto practitioners and deployers instead of committees. Texas has made a legislative first. Texas now mandates patients be provided a written explanation of the use of AI and the naming of the practitioner involved. The Texas Attorney General has enforcement authority. Questions moving through state legislatures now focus on who is accountable, instead of whether a review process was conducted.
Over the next couple of years, health systems will invest in more clinical models. Each model will presume the data that supports it is stable and known. Most system leaders acknowledge the model that they will procure, but fewer can articulate the status of the underlying data. The health systems that dominate this market will name a person to each clinical model and empower that person to halt the model when the data feed changes and to oversee the quality of the data on an ongoing basis rather than in response to an adverse incident involving a patient.
Good data governance in healthcare is often behind the scenes. For the living inventory and governance to be effective, data quality must be good. For the vast majority of health systems, the first question is rarely regarding which model to procure. It is a question of whether they can today, and with certainty, name the person who owns the data each clinical model relies upon. The systems that can name these data owners will gain more value from an ordinary model than systems that procure an advanced model and allow the data to go ungoverned. If you cannot name this person, that is where your work efforts must begin.
Authoritative sources
Have a data or AI challenge like this?
A 30-minute call is enough to tell whether we're the right fit.
Frequently asked questions
What is healthcare data governance?
The people, policies, and standards that make clinical and operational data accurate, secure, and usable, so analytics, AI, and reporting can rely on it.
What are the core components of a healthcare data governance framework?
Four that work together: named ownership and stewardship, shared data standards and definitions, source-level data quality gates, and governed access, run operationally rather than written once and filed.
Why do most healthcare data governance programs fail?
They define committees and documents but never assign operational ownership or tie data quality to specific decisions, so nothing changes after the kickoff.
How does data governance make a health system AI-ready?
AI models inherit the quality of their inputs. Governance fixes consistency, lineage, and access at the source, which is what makes predictive and ambient AI safe to deploy and scale.
Where should we start if we have no governance today?
Start where the pain is, the decisions being made on bad data right now, and build ownership and quality checks around those before attempting an enterprise-wide rollout.