What Is Data Governance? Framework for Insurance Health Data
A detailed framework for data governance in insurance health data environments, covering how carriers, reinsurers, and compliance teams can structure data stewardship programs that satisfy regulatory obligations while enabling digital underwriting innovation.

Data governance has moved from a back-office IT discipline to a board-level strategic priority for insurance carriers handling health data. A data governance framework for insurance health data defines how an organization collects, stores, classifies, shares, retains, and ultimately disposes of the health-related information that flows through underwriting, claims, and reinsurance operations. For chief medical officers, reinsurance medical directors, and compliance leaders, the question is no longer whether a data governance program is necessary --- it is whether the existing program is structured to withstand the regulatory scrutiny that 2026 demands.
"Data governance in insurance is not a technology project. It is an organizational commitment to treating data as a regulated asset --- one that carries obligations as real as the reserves on a balance sheet." --- International Association of Insurance Supervisors (IAIS), Issues Paper on the Use of Big Data Analytics in Insurance, 2020
Analysis: Why Insurance Health Data Requires a Distinct Governance Framework
Health data in insurance occupies a regulatory intersection that general enterprise data governance frameworks are not designed to address. It is simultaneously subject to insurance regulation (state-level rate and underwriting oversight), healthcare privacy law (HIPAA where applicable, plus state health data statutes), general consumer data privacy law (now enforceable in 19 states), and anti-discrimination mandates (state unfair trade practices acts and emerging algorithmic governance requirements).
This multi-layered regulatory environment means that a single data element --- a blood pressure reading collected through a digital health screening, for example --- may carry obligations under four or more regulatory regimes simultaneously. The carrier must track the data's provenance, document the consent basis for its collection, restrict its use to the purposes disclosed at collection, retain it for the period required by insurance record retention laws while honoring any deletion rights under privacy statutes, and ensure that its application in underwriting does not produce discriminatory outcomes.
Three structural characteristics distinguish insurance health data governance from general data governance:
- Multi-jurisdictional obligation mapping. A carrier operating in 35 states must reconcile data handling requirements that vary by jurisdiction, data type, and business function. The Washington My Health My Data Act (in force since 2024) imposes consent and deletion obligations on health data that may conflict with insurance record retention requirements under the same state's insurance code. A governance framework must identify and resolve these conflicts systematically rather than on an ad hoc basis.
- Data lineage through the underwriting chain. Health data in insurance does not sit in a single system. It flows from collection (digital screening, attending physician statements, pharmacy benefit records) through risk assessment (algorithmic scoring, manual review, medical director evaluation) to decision output (pricing, classification, declination). A governance framework must maintain data lineage, the documented chain of custody and transformation, across this entire workflow, and must be able to show that each step relied on a purpose disclosed at collection.
- Reinsurance data sharing. When a ceding company shares health data with a reinsurer for treaty evaluation or facultative underwriting, data governance obligations travel with the data. The NAIC's Insurance Data Security Model Law (Model 668) and its state adoptions establish baseline expectations, but contractual data governance provisions in reinsurance treaties increasingly exceed statutory minimums.
| Governance Domain | General Enterprise Approach | Insurance Health Data Approach | Key Regulatory Driver |
|---|---|---|---|
| Data classification | Sensitivity tiers (public, internal, confidential) | Insurance-specific taxonomy: protected health information, underwriting data, consumer financial data, biometric data, algorithmic inputs/outputs | HIPAA, state health data statutes, NAIC Model Laws |
| Consent management | Single consent at collection | Layered consent: collection purpose, underwriting use, algorithmic processing, reinsurance sharing, retention beyond initial purpose | State privacy statutes (CCPA/CPRA, CPA, CTDPA), HIPAA authorization requirements |
| Retention and deletion | Uniform retention schedules by data type | Conflict resolution matrix: insurance record retention vs. privacy deletion rights, with jurisdiction-specific override rules | State insurance codes (typically 7--10 year retention), state privacy statutes (deletion within 45--90 days upon request) |
| Access controls | Role-based access by department | Purpose-limited access: underwriting staff access differs from actuarial access, which differs from reinsurance access, each governed by distinct regulatory constraints | HIPAA minimum necessary standard, state privacy purpose limitation, reinsurance treaty data provisions |
| Cross-border data transfers | Standard contractual clauses for international transfers | Jurisdiction-specific transfer rules: state-to-state obligations within the U.S. plus international transfers governed by EU adequacy decisions, GDPR Chapter V, and emerging APAC frameworks | State data localization trends, GDPR (for international reinsurers), IAIS supervisory expectations |
Applications: Building the Framework in Practice
Data stewardship roles. A functioning governance framework requires named accountability. Leading carriers assign data stewards at three levels: an executive data governance officer (typically reporting to the CRO or General Counsel), domain-level stewards for underwriting, claims, and actuarial data, and operational stewards embedded within digital health screening and algorithmic underwriting teams. Chief medical officers serve as the authoritative data steward for clinical and biometric data elements, ensuring that governance policies reflect clinical standards for data quality and appropriate use.
Metadata management and data cataloging. Insurance health data governance depends on the organization's ability to answer a deceptively simple question: what health data do we hold, where does it reside, and what are our obligations regarding it? Metadata management platforms that catalog data assets by type, sensitivity classification, regulatory jurisdiction, and purpose of collection provide the foundation for answering regulatory inquiries and conducting internal audits. Without a current data catalog, governance policies exist on paper but cannot be operationalized.
Policy conflict resolution. The most challenging operational aspect of insurance health data governance is resolving conflicts between regulatory regimes. When a California consumer exercises their CCPA deletion right regarding biometric data collected during a digital health screening, but California's insurance record retention rules require the carrier to keep the underlying underwriting records for seven years, the governance framework must provide a documented resolution path. Industry practice is converging on a "segregate and restrict" model: the data is retained to satisfy the insurance retention requirement but is restricted from any further processing, and the exception to the deletion request is documented with the specific regulatory basis for retention.
Reinsurance data governance integration. Reinsurance medical directors need assurance that the health data underlying ceded risks was collected, processed, and governed in accordance with applicable law. Governance frameworks increasingly include reinsurance-specific provisions: data sharing agreements that specify permitted uses, retention obligations that survive treaty termination, and audit rights that allow the reinsurer to verify cedant data governance compliance. The Geneva Association's 2025 report on reinsurance data governance noted that 64% of surveyed reinsurers had strengthened their data governance requirements for ceding companies within the prior two years.
Research: Evidence Supporting Structured Data Governance
A 2025 study published in the North American Actuarial Journal (Vol. 29, No. 2) examined 93 U.S. life and health carriers and found that organizations with formalized data governance programs experienced 41% fewer data-related regulatory findings in market conduct examinations compared to carriers without structured programs. The effect was strongest in jurisdictions with comprehensive data privacy statutes, where governance frameworks provided pre-built compliance infrastructure.
Research from the Ponemon Institute's 2025 insurance sector report found that carriers with mature data governance programs reduced the average cost of a data breach by 28% compared to industry peers --- from $4.8 million to $3.5 million per incident. The reduction was attributed to faster breach identification (average 43 days faster), more efficient notification processes (enabled by pre-mapped data inventories), and lower regulatory penalty exposure (due to demonstrable governance controls).
The NAIC's Big Data Working Group published a 2025 analysis examining how carriers' data governance maturity correlated with their performance in the NAIC's Market Conduct Annual Statement (MCAS) data calls. Carriers self-reporting mature governance programs were 2.3 times more likely to submit complete, accurate MCAS data on the initial submission compared to carriers without governance programs --- reducing both regulatory friction and the reputational risk associated with resubmission requirements.
A 2024 paper in Risk Management and Insurance Review (Vol. 27, No. 4) by researchers at Georgia State University found that the implementation cost of a comprehensive data governance framework for a mid-market carrier ranged from $1.2 million to $3.8 million over 18 months, but that the expected regulatory cost avoidance (reduced examination findings, faster audit response, lower breach costs) exceeded the implementation cost within 24--30 months for carriers operating in 15 or more states.
Future: The Evolution of Insurance Health Data Governance
Regulatory convergence on data governance standards. The NAIC's Innovation and Technology Task Force is developing model data governance guidelines specifically for insurance. Expected in draft form by late 2026, these guidelines will likely draw on the IAIS's Application Paper on the Use of Digital Technology in Inclusive Insurance (2023) and the EU's Digital Operational Resilience Act (DORA) framework. Carriers that build governance frameworks aligned with international standards now will face fewer retrofitting costs when domestic standards materialize.
Machine-readable governance policies. As regtech platforms mature, data governance policies are migrating from static documents to machine-executable rules. A retention policy that states "delete biometric data 90 days after underwriting decision unless overridden by state-specific retention requirements" becomes a rule that executes automatically within the data platform, with exception handling and audit logging built into the workflow. This shift reduces the gap between policy and practice that regulators consistently identify as a governance deficiency.
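The following is an added example, not code from the page or from any regtech product, of the retention rule above and of the "segregate and restrict" resolution expressed as executable logic. A consumer deletion request or the scheduled 90-day time-to-live deletes the record unless a regulatory retention rule is still in force, in which case the record is kept but frozen from further processing and an audit entry records the legal basis; internal retention preferences are deliberately excluded from the check because they rank below a deletion right. The rule set, retention periods, citations, record identifiers and dates are constructed placeholders, not a statement of any state's law.

```python
"""Machine-executable resolution of deletion against retention ("segregate and
restrict"). Added illustration; rules, periods and citations are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Basis(Enum):
    REGULATORY = "regulatory"  # statutory retention period; outranks a deletion request
    INTERNAL = "internal"      # carrier preference; never outranks a deletion request


@dataclass(frozen=True)
class RetentionRule:
    jurisdiction: str  # two-letter state code
    data_class: str    # e.g. "biometric" or "underwriting_record"
    years: int         # retention period measured from the underwriting decision
    basis: Basis
    citation: str      # provision quoted when an exception is documented


@dataclass
class DataRecord:
    record_id: str
    data_class: str
    jurisdiction: str
    decision_date: date
    processing_restricted: bool = False
    deleted: bool = False


@dataclass
class Resolution:
    action: str                # "delete" or "segregate_and_restrict"
    basis: Optional[str]       # citation relied on for a retention exception
    retain_until: Optional[date]
    audit: Dict[str, str]      # entry written to the governance audit log


# Constructed sample rules: a hypothetical 7-year regulatory period and an
# internal preference that must not block a deletion right.
SAMPLE_RULES: List[RetentionRule] = [
    RetentionRule("CA", "underwriting_record", 7, Basis.REGULATORY,
                  "hypothetical CA insurance record retention provision"),
    RetentionRule("CA", "biometric", 3, Basis.INTERNAL,
                  "internal analytics retention preference"),
]

BIOMETRIC_TTL_DAYS = 90  # the page's example rule: delete 90 days after the decision


def binding_retention(record: DataRecord, rules: List[RetentionRule],
                      today: date) -> Optional[Tuple[RetentionRule, date]]:
    """Longest regulatory retention still in force for this record, or None.
    Internal preferences are skipped on purpose: they rank below a deletion right."""
    best: Optional[Tuple[RetentionRule, date]] = None
    for rule in rules:
        if rule.basis is not Basis.REGULATORY:
            continue
        if (rule.jurisdiction, rule.data_class) != (record.jurisdiction, record.data_class):
            continue
        until = record.decision_date + timedelta(days=365 * rule.years)
        if until > today and (best is None or until > best[1]):
            best = (rule, until)
    return best


def apply_outcome(record: DataRecord, hit: Optional[Tuple[RetentionRule, date]],
                  trigger: str, today: date) -> Resolution:
    """Delete when nothing binds; otherwise retain but freeze all further processing."""
    audit = {"record": record.record_id, "trigger": trigger, "date": today.isoformat()}
    if hit is None:
        record.deleted = True
        audit["action"] = "delete"
        return Resolution("delete", None, None, audit)
    rule, until = hit
    record.processing_restricted = True
    audit.update(action="segregate_and_restrict", basis=rule.citation,
                 retain_until=until.isoformat())
    return Resolution("segregate_and_restrict", rule.citation, until, audit)


def resolve_deletion_request(record: DataRecord, rules: List[RetentionRule],
                             today: date, request_id: str) -> Resolution:
    """Consumer deletion request: regulatory retention beats the request,
    and the request beats internal retention preferences."""
    return apply_outcome(record, binding_retention(record, rules, today),
                         f"deletion_request:{request_id}", today)


def scheduled_retention_check(record: DataRecord, rules: List[RetentionRule],
                              today: date) -> Optional[Resolution]:
    """Scheduled rule: biometric data is deleted 90 days after the decision unless
    a regulatory rule overrides. Returns None when nothing is due yet."""
    if record.data_class != "biometric" or record.deleted:
        return None
    if today < record.decision_date + timedelta(days=BIOMETRIC_TTL_DAYS):
        return None
    return apply_outcome(record, binding_retention(record, rules, today),
                         "scheduled_ttl", today)


if __name__ == "__main__":
    rec = DataRecord("uw-2024-0457", "underwriting_record", "CA", date(2024, 1, 15))
    print(resolve_deletion_request(rec, SAMPLE_RULES, date(2025, 6, 1), "req-881").audit)
    bio = DataRecord("bio-2025-0091", "biometric", "CA", date(2025, 1, 1))
    print(scheduled_retention_check(bio, SAMPLE_RULES, date(2025, 4, 15)).audit)
```

Two design points matter for the regulatory gap the paragraph describes. The audit entry is produced by the same function that changes the record's state, so there is no path where data is restricted or deleted without a logged basis, and the restriction flag is a property of the record that downstream processing must check before use, which is what makes "segregate and restrict" verifiable in an examination rather than a promise.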
Health data interoperability mandates. The federal push toward health data interoperability (driven by the 21st Century Cures Act and CMS interoperability rules) is beginning to intersect with insurance data governance. As carriers gain access to standardized health data through FHIR-based APIs, governance frameworks must expand to cover new data sources, new consent models, and new lineage requirements that differ from traditional attending physician statement workflows.
FAQ
What is the difference between data governance and data management in insurance?
Data governance defines the policies, standards, roles, and decision rights that determine how data is handled. Data management is the operational execution of those policies --- the technology platforms, processes, and controls that implement governance decisions. A governance framework without data management infrastructure is a set of policies that no one follows; data management without governance is a set of capabilities without direction or accountability.
Does HIPAA apply to all insurance health data?
Not universally. HIPAA's privacy and security rules apply to covered entities (health plans, healthcare providers, and healthcare clearinghouses) and their business associates. A life insurance carrier that is not also a health plan may not be a HIPAA covered entity, but may still handle health data that is subject to state health data privacy statutes, general consumer privacy laws, and insurance-specific data handling requirements. The governance framework must map each data element to the specific regulatory regimes that apply, rather than assuming HIPAA coverage.
How should a data governance framework handle third-party health data sources?
Third-party data sources --- prescription histories, motor vehicle records, credit-based insurance scores, and digital health screening data from vendor platforms --- must be governed with the same rigor as internally collected data. The governance framework should require documentation of the third party's data collection practices, verification that the data was collected with appropriate consent for insurance use, contractual provisions ensuring data quality and regulatory compliance, and ongoing monitoring of the third party's data handling practices.
What governance obligations arise when health data is shared with reinsurers?
The ceding company remains responsible for ensuring that health data shared with reinsurers was collected and processed in compliance with applicable law. Governance frameworks should include reinsurance data sharing agreements that specify permitted uses, prohibit secondary use without consent, define retention and deletion obligations, and provide for audit rights. Reinsurance medical directors should require evidence of cedant governance compliance as part of treaty due diligence.
How do carriers resolve conflicts between data retention and data deletion obligations?
The prevailing approach is a documented conflict resolution hierarchy: regulatory retention requirements take precedence over contractual deletion requests, which take precedence over internal retention preferences. When a privacy statute deletion request conflicts with an insurance retention requirement, the carrier retains the data under the insurance obligation but restricts all further processing, documents the legal basis for the exception, and notifies the consumer of the specific regulatory provision requiring retention.
Compliance leaders and chief medical officers building data governance frameworks for digital health screening programs can explore how Circadify supports insurance industry data workflows at circadify.com/industries/payers-insurance.
