Introduction
The most common governance failure mode in healthcare data is not a technical one — it is a people problem. Nobody owns the data. Or rather, everybody owns the data, which means nobody owns the data. When an [ICD-10](/terms/ICD-10) code set is updated and half the organization's reports break, the engineering team blames the business, the business team blames IT, and the compliance team sends a memo. A functioning governance program with clearly defined stewardship and ownership prevents this. Building one requires understanding the difference between the two roles.
The Core Distinction
Data Ownership is accountability. A data owner is the business executive who is ultimately responsible for a data domain — its accuracy, its appropriate use, and its policy compliance. The data owner cannot hide behind "I didn't know."
Data Stewardship is operations. A data steward is the person who does the day-to-day work of governance: maintaining business glossary definitions, reviewing data quality dashboards, approving access requests, and coordinating with engineering when something breaks.
The two roles are often confused because in under-resourced organizations, one person does both. But they should be defined separately because they require different skills, different authorities, and different accountability structures.
Healthcare Data Domains and Who Owns Them
Healthcare organizations typically organize data governance around five or six primary domains. Here is a practical mapping:
| Data Domain | Typical Data Owner | Typical Data Steward | Key Assets |
|---|---|---|---|
| Claims | VP of Claims Operations | Claims Data Analyst / Senior Engineer | 837P, 837I, 835, remittance |
| Clinical | Chief Medical Officer / CMO Designee | Clinical Informatics Analyst | Diagnosis codes, encounter data, lab results |
| Member / Enrollment | VP of Member Services | Enrollment Data Steward | Eligibility files, plan enrollment, demographic data |
| Provider | VP of Network Management | Provider Data Steward | [NPI](/terms/NPI) registry, credentialing, network status |
| Pharmacy | VP of Pharmacy Benefits | Pharmacy Data Steward | [NDC](/terms/NDC) data, formulary, PBM feeds |
| Finance / Actuarial | CFO or VP of Actuarial | Actuarial Data Analyst | IBNR, premium, risk adjustment |
Responsibilities by Role
Data Owner Responsibilities
- Formally approve or reject access requests for their domain
- Set data retention and deletion policies
- Sign off on changes to classification (e.g., promoting a dataset from Internal to PHI-Restricted)
- Represent the domain in governance committee meetings
- Accept accountability when data quality or compliance issues arise
Data owners do not need to understand SQL. They need to understand business risk.
Data Steward Responsibilities
- Maintain the business glossary definitions for their domain
- Monitor data quality dashboards and escalate anomalies
- Review and route access requests to the owner for approval
- Validate that schema changes (new tables, columns, type changes) are documented in the catalog
- Coordinate with engineering on critical data model changes
- Participate in RADV audits, HEDIS validation, and OCR investigations as the subject matter expert
Data Custodian Responsibilities
Data custodians are the engineering team. Their role is to implement the controls defined by owners and stewards:
- Build and maintain the pipelines that produce domain data
- Implement masking, RBAC, and audit logging
- Execute approved schema changes
- Produce data quality metrics that stewards monitor
A RACI for Healthcare Data Governance
A RACI (Responsible, Accountable, Consulted, Informed) makes the role boundaries concrete. This one covers the most common governance activities:
| Activity | Data Owner | Data Steward | Data Custodian | Compliance | Legal |
|---|---|---|---|---|---|
| Approve data access request | A | R | I | C | — |
| Define PHI classification | A | R | C | C | C |
| Business glossary maintenance | C | R/A | I | — | — |
| Schema change approval | C | C | R | I | — |
| Respond to OCR investigation | A | R | C | R | R |
| Data retention policy | A | C | R | C | C |
| HEDIS / RADV audit support | C | R | C | I | — |
| Data quality incident response | A | R | R | I | — |
Assigning Ownership Across Clinical, Claims, and Operational Data
Clinical Data: The CMO Problem
Clinical data is politically sensitive. Physicians resist being "governed" by a data committee. The practical approach is to designate a Clinical Informatics Officer or equivalent as the data owner — someone with clinical credibility who also understands data systems. Stewardship then sits with the clinical informatics team, not with data engineering.
The biggest stewardship challenge in clinical data is code set management. ICD-10-CM updates annually. LOINC updates biannually. SNOMED updates continuously. The steward for clinical data must own the process of updating code set reference tables and communicating downstream impacts.
Claims Data: The Volume Problem
Claims data stewardship fails because of scale. A large payer processes tens of millions of claims per year. No steward can review every anomaly. The solution is exception-based monitoring — automated data quality rules (duplicate claim check, service date outlier, diagnosis-procedure mismatch) that surface only the issues requiring human judgment.
Operational Data: The Ownership Vacuum
Operational data (CRM records, call center logs, prior authorization workflows) often has no clear owner because it crosses multiple business units. Assign ownership by the system of record: whoever owns the Epic module or the Facets configuration owns the data that comes from it.
Building the Governance Committee
A governance committee is not a bureaucracy — it is a standing forum where owners, stewards, and compliance meet quarterly to:
- Review open data quality incidents
- Approve major schema changes that cross domain boundaries
- Adjudicate access disputes
- Review the data inventory for gaps
Keep it small (8–12 people maximum), time-boxed (90 minutes per session), and decision-focused. If a governance committee becomes a reporting meeting, stewards will stop attending.
Key Takeaways
- Data owners are accountable executives; data stewards are operational practitioners. Conflating the two roles produces neither good governance nor clear accountability.
- Assign ownership by domain, not by table or column — the granularity becomes unmanageable and nobody enforces it.
- A RACI is the fastest way to surface and resolve ownership disputes before they become governance failures.
- Clinical data stewardship requires managing annual code set updates (ICD-10, LOINC, SNOMED) — build that process explicitly into the steward role.
- Use the Naming Auditor to enforce column naming standards across domains — the steward for each domain should review naming audit output before any DDL deploys.
mdatool Team
The mdatool team builds free engineering tools for healthcare data architects, analysts, and engineers working across payer, provider, and life sciences data.
More in Data Governance
SOC 2 Type II for Healthcare Data Platforms: What Engineers Need to Know
SOC 2 Type II is increasingly a vendor requirement and a customer expectation for healthcare data platforms. Here is what engineers need to implement — beyond what the auditors tell you.
Read more21st Century Cures Act: Data Architecture Requirements for Health IT Teams
The 21st Century Cures Act is not just a compliance checkbox — it mandates specific technical capabilities around open APIs, information blocking prohibition, and patient data access. Here is what your data architecture must deliver.
Read moreCMS Interoperability Rule Compliance: What Your Data Architecture Must Support
CMS-9115-F and its successors are not just policy — they are architectural requirements. Patient Access API, Provider Directory API, payer-to-payer exchange, and prior auth APIs each require specific technical capabilities your data team must build.
Read moreReady to improve your data architecture?
Free tools for DDL conversion, SQL analysis, naming standards, and more.