Information Governance Principles for Healthcare

Read through the paper, and submit an APA, 2 page, typed, Times New Roman, 12 font, double-spaced paper summarizing the paper, your personal thoughts about the framework, and which principle you feel is the most important to the overall success of an information governance program.

Information Governance Principles for Healthcare (IGPHC)™


Preamble

Principle of Accountability

Principle of Transparency

Principle of Integrity

Principle of Protection

Principle of Compliance

Principle of Availability

Principle of Retention

Principle of Disposition

IGPHC™ Glossary of Selected Terms

Acknowledgements

©2014 by the American Health Information Management Association

PREAMBLE

Complete, current, and accurate information is essential for any organization in the healthcare industry to achieve its goals. Adoption of an information governance program underscores the organization’s commitment to managing its information as a valued strategic asset. Governance of clinical and operational information:

■ Improves quality of care and patient safety
■ Improves population health
■ Increases operational efficiency and effectiveness
■ Reduces costs
■ Reduces risk

Information governance helps manage and control information by supporting the organization’s activities and ensuring compliance with its duties. Drawing from definitions of Gartner and ARMA International, AHIMA defines information governance as an organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements. Information governance establishes policy, prioritizes investments, values and protects information assets, and determines accountabilities for managing information, making it an imperative for healthcare. It also promotes objectivity through robust, repeatable processes insulated from individual, organizational, political, or other biases, and then protects information with suitable controls. By following information governance principles, organizations conduct their operations effectively, while ensuring compliance with legal requirements and other duties and responsibilities.

Healthcare as a Unique Information Environment

Trust plays a critical role in healthcare delivery. Patients entrust their personal information to healthcare organizations, creating distinct requirements for confidentiality, privacy, and security. These organizations, regardless of their roles in healthcare, must earn the confidence of patients and society, through a firm commitment to ethical and responsible handling of personal information. Embedded in trust is the expectation of information integrity, which depends on the completeness and correctness of data. Heightened focus on integrity to ensure confidence in information is demanded by the nature of healthcare, changes in care delivery and payment models, the increasing adoption of electronic systems, and the importance of reliable information exchange. Healthcare organizations have an obligation to define uses of information and to define the policies and practices for governing use of the information. This includes protected health information, personally identifiable information, de-identified and anonymized information, aggregate and detailed information used to satisfy mandatory or voluntary reporting purposes, operational needs, secondary uses of data/information, and other uses based on the role and mission of the organization. Research is fundamental to advancing the science of medicine. New guidelines, protocols, treatments, interventions and wellness insights, all developed through research, are essential to elevating population health. Research, whether focused on clinical care, delivery systems, or payment models, depends on trusted information.


Healthcare organizations must value and govern not only their clinical, but their nonclinical information, such as human resources, operational, financial, legal, and marketing information. Reliable information is essential to reducing healthcare delivery costs and improving operational efficiencies. For these reasons, establishing and implementing principles for the governance of clinical and nonclinical information, in all formats and on all media, increases in significance.

The healthcare ecosystem consists of a variety of organizations and stakeholders, who share common goals. These organizations encompass healthcare providers, as well as nonproviders. Providers include all types and settings of healthcare service organizations. Nonproviders include organizations such as information exchanges, health plans, third party administrators, data clearinghouses, and other information intensive organizations. Indeed, an organization’s entire workforce, including employed and contracted individuals, and where applicable all members of its nonemployed medical and professional staffs, are accountable for the responsible and ethical handling of information. The responsibility for practicing in accordance with the organization’s governance policies and procedures extends to outsourced services and their workforces, as well as to business partners and affiliates who use information or handle any aspect of information management for the organization.

Challenges facing the healthcare industry include:

■ Expanding numbers of electronic systems/applications in use within and across organizations,
■ Growing volume and variety of data and information,
■ Expanding uses of healthcare information,
■ Proliferation of medical devices creating data for which reliable integration into systems/applications is essential,
■ State of interoperability across devices and systems, and
■ Reliability of shared and exchanged information.

These challenges and complexities underscore the need for information governance, and the need for their due consideration in its adoption. The adherence to information and technology standards across healthcare is compelled, as standards are crucial to information use and exchange given the imperatives of integrity, security and interoperability.

Despite the diversity in the healthcare industry, information across the various types of organizations can be governed using eight principles: accountability, transparency, integrity, protection, compliance, availability, retention, and disposition. These principles can be adopted in any organization within the healthcare industry.

Information Governance Principles for Healthcare

The principles of information governance, known as the Information Governance Principles for Healthcare (IGPHC)™, are comprehensive and written broadly. They do not set forth a legal rule for which strict adherence is required by every organization in every circumstance, but are intended to be interpreted and applied depending upon an organization’s type, size, role, mission, sophistication, legal environment, and resources. The IGPHC™ are based on practical experience, information theory, and legal doctrine within healthcare and further informed by other established practices and tenets from areas such as quality improvement, safety, risk management, compliance, data governance, information technology governance, privacy, and security.  They are grounded in several common, yet essential, values embedded in healthcare—accuracy, timeliness, accessibility, and integrity. These values serve the best interests of the healthcare information consumer, from providers to nonproviders, from researchers to public health officials, from information exchanges to policymakers, from claims administrators to payers, and from patients to society.


AHIMA has convened healthcare industry stakeholders and leaders, as well as information governance experts from other industries to articulate the IGPHC™ through adaptation of ARMA International’s Generally Accepted Recordkeeping Principles. Based on the general principles which apply to all industries, the IGPHC™ are specifically aimed at healthcare industry organizations. Therefore, the IGPHC™ apply not only to the governance of healthcare information, but also to the governance of information across all functions of organizations in the healthcare industry. The adoption of these principles by an organization reflects a dedication to strengthen its information governance, and increase its effectiveness for the benefit of its patients, stakeholders, and society. These principles form the basis upon which every effective information governance program is built, measured, and eventually judged. Therefore, it is in the best interest of patients, other consumers, society, and all organizations in the healthcare ecosystem, that there is full awareness of the Information Governance Principles for Healthcare (IGPHC)™ and that information assets be managed in accordance with them.

PRINCIPLE OF ACCOUNTABILITY

An accountable member of senior leadership, or a person of comparable authority, shall oversee the information governance program and delegate program responsibility for information management to appropriate individuals. The governing body of the organization is ultimately accountable for the adoption of information governance practices and should require regular reporting by the designated member of senior leadership. The organization should adopt policies and procedures to guide its workforce and agents and ensure its program can be audited and continually improved to support the organization’s goals. An information governance program should:

■ Establish an information governance structure for program development and implementation
■ Designate a qualified accountable person to develop and implement the program
■ Document and approve policies and procedures to guide its implementation
■ Remediate identified issues
■ Enable auditing as a means of demonstrating the organization is meeting its obligations to both internal and external parties

A basic premise of sound information governance is that within each organization a senior leader is formally designated as responsible for the overall program development and its implementation. The senior leader is accountable for ensuring the information governance program aligns with and supports the goals and strategies of the organization. The senior leader is also accountable for ensuring appropriate resources are allocated to support the program. Governance should be established throughout the organization, utilizing a collaborative approach, with input of stakeholders, business process owners, and domain experts, assigning defined roles and responsibilities to workforce members. It should be clear where responsibilities reside and how the chain of command builds, implements, and updates the information governance program. For example, sub-committees can be designated to help build policies, define and implement technology, or improve the information governance program.


To assist the workforce in understanding how to implement information governance practices, it is essential that policies and procedures are documented, formally approved, and communicated. The workforce should be continuously trained in program policies and any relevant updates to standardize information governance practices across the organization and to reinforce compliance with and standardization of practices. A senior leader at an appropriate level of authority shall oversee program compliance monitoring/audit and improvement. Audits should be performed to determine the following:

■ The workforce demonstrates program awareness
■ The workforce is trained in information governance practices, policies, and responsibilities
■ Information is appropriately protected, accessed, stored, and released with a properly documented audit trail
■ Information is available when and where it is needed
■ Information is retained for the right amount of time and properly dispositioned when no longer required
■ Policies are up-to-date, adopted, and cover all types of information in all media

An organization’s information governance audit should be reported to its board of directors, trustees, audit committee, or other appropriate governing body, committee, or individual to show adherence in accordance with its program requirements and the organization’s goals.

PRINCIPLE OF TRANSPARENCY

An organization’s processes and activities relating to information governance shall be documented in an open and verifiable manner. Documentation shall be available to the organization’s workforce and other appropriate interested parties within any legal or regulatory limitations, and consistent with the organization’s business needs. Transparency of the organization’s governance practices must extend to definitions of appropriate information uses and the processes for ensuring compliance with policies on appropriate information use.

The clearest and most durable evidence of the organization’s operations, decisions, activities, and performance are its records and information. An information governance program includes its information management and information control policies and procedures. To ensure the confidence of interested parties, records documenting the information governance program must themselves adhere to the fundamentals of information management. These records should:

■ Document the principles and processes that govern the program
■ Accurately and completely record the activities undertaken to implement the program
■ Be available to legitimately interested parties in a timely and reasonable manner

The information documented in these records and the extent to which they are available to interested parties will vary depending upon the nature and circumstances of the organization. For example, healthcare organizations have a legitimate need to protect confidential and proprietary information. Therefore, procedures shall be put in place to control access to protected information, whether it relates to the confidentiality of information or the confidentiality of proprietary processes. Various parties have a legitimate interest in understanding the information governance program activities and processes. In addition to the organization itself and its workforce, those parties include, but are not limited to, patients and consumers, government authorities, auditors and investigators, litigants, and for some organizations, the general public.


Complex and highly regulated records and information management systems may require extensive records documenting their governance. Simple systems may require only a few. In each case, however, the rationale and results should be clear to legitimately interested parties. Each organization must therefore create and manage the records documenting its information governance program to ensure its structure, processes, and practices are apparent, understandable, and reasonably available to legitimately interested parties.

PRINCIPLE OF INTEGRITY

An information governance program shall be constructed so the information generated by, managed for, and provided to the organization has a reasonable and suitable guarantee of authenticity and reliability. Integrity of information, which is expected by patients, consumers, stakeholders, and other interested parties such as investors and regulatory agencies, is directly related to the organization’s ability to prove that information is authentic, timely, accurate, and complete. For the healthcare industry, these dimensions of integrity are essential to ensuring trust in information. For safety, quality of care, and compliance with applicable voluntary, regulatory and legal requirements, integrity of information should include at least the following considerations:

■ Adherence to the organization’s policies and procedures
■ Appropriate workforce training on information management and governance
■ Reliability of information
■ Admissibility of records for litigation purposes
■ Acceptable audit trails
■ Reliability of systems that control information

Information from External Sources

It is critical that organizations determine their responsibilities and processes for classifying and managing information received from other sources. A healthcare organization’s information may contain patient or other business information that originated from another healthcare organization. For example, copies of selected patient reports are often sent by one healthcare provider to another where a patient is admitted. Information received from the previous provider is then incorporated into the patient’s health record at the receiving organization. Organizations must comply with re-disclosure responsibilities under all relevant laws.

Information Governance Policies and Procedures

Adherence to information governance policies and procedures that have been approved by senior management is essential to an organization’s ability to achieve legal and regulatory compliance, as well as consistently carrying out information governance practices. If adherence to policies and procedures is not substantiated, records may be at risk of not being accepted as having evidentiary value.

Appropriate Training on Information Management and Governance

The organization shall provide training to all workforce members, and outsourced or contracted individuals when appropriate, on the meaning and importance of compliance with its policies and procedures.


Reliability of Information

Organizations should define and apply consistent information governance practices throughout the information lifecycle. This helps ensure information is managed in the usual and ordinary course of business, and in a manner which ensures integrity and compliance with accepted industry standards for quality. Given the variety, complexity, and risks associated with information assets, the lifecycle practices should incorporate a means of classifying and valuing information. Reliability of information is of paramount importance in the delivery of healthcare services. Based on the nature and type of healthcare organization, measures to ensure reliability of data and information should be built in to processes and systems for creation and capture, processing, and other applicable stages of the information’s lifecycle. Such measures will promote quality of care, patient safety, and operational efficiency. Examples of such ongoing measures include field-specific data edits built into systems/applications; monitoring and correction of vendor identity errors and patient identity errors; monitoring and correction of documentation completeness and data accuracy; and ongoing data quality controls. Information governance incorporates the governance of data. As data are the building blocks of information, information cannot be reliable if the data are not reliable. Data and information are inextricably linked, and the goals of information governance will not be achieved if practices do not ensure trustworthy data. In the governance of data, the organization should define expected attributes of data quality, and the practices and responsibilities for achieving those attributes.

Acceptable Audit Trails

Audit trails are essential in proving reliability of the information and in proving that practices to achieve quality attributes are in place. Therefore, acceptable audit and quality assurance processes should be in place and verifiable. These should be designed to audit and reinforce measures for ensuring the reliability and integrity of information.

Reliability of the Systems

The information systems must be reliable to ensure validity and integrity of the content. Therefore hardware, network infrastructure, software, storage, and other components should be monitored for reliability of performance, and prompt action taken to mitigate identified problems and risks. Formal change control processes should be part of maintaining a reliable information environment. These change control processes should require testing of functionality, and validation of data and all appropriate metadata. Given the number of disparate systems, applications, and medical devices in use within and across healthcare delivery organizations, and the frequency with which data and information are exchanged, diligence around adherence to interoperability standards is critical to enabling information reliability.


PRINCIPLE OF PROTECTION

An information governance program must ensure the appropriate levels of protection from breach, corruption and loss are provided for information that is private, confidential, secret, classified, essential to business continuity, or otherwise requires protection. These levels of protection must be applied to information, regardless of medium, from the moment it is created to the moment it reaches or exceeds its retention period and is appropriately dispositioned. Therefore, every system, electronic or manual, that generates, collects, stores, transmits, uses, archives, and dispositions data and information must be governed with protection in mind.

Information generated or managed by an organization requires varying degrees of protection, as mandated by laws, regulations, and/or organizational policies. An organization’s governance should also mandate processes to ensure continued operation and continued protection, during and after periods of failure or disruption.

Information protection takes multiple forms. First, each system must enable management of security access controls. Only members of the workforce and other authorized parties with the appropriate levels of access or security clearance may access information relevant to their roles or duties. Reliably protecting electronic and physical assets requires use of tools such as user authentication, key card access restrictions, and other relevant measures. This also requires that as the workforce and other authorized parties transition in status or job function, respective level of access is changed immediately to a level appropriate to the new role and duties.

Second, protection requires preventing information, regardless of medium, from leaking outside the organization, either by physical or electronic means. This includes ensuring that electronic information cannot be inappropriately viewed, e-mailed, downloaded, uploaded, or otherwise proliferated—intentionally or inadvertently, even by individuals with legitimate access to the system. For example, a managed file transfer technology can reduce workforce contact with protected health information (PHI), personally identifiable information (PII) or other protected information, using automated file transfers. It is imperative that appropriate safeguards be clearly defined in organizational policy and that compliance be monitored.

Measures to protect information must also include physical security of computing and access devices or any equipment containing private, secret, or confidential information or intellectual property of the organization. Security, privacy and confidentiality requirements (rules, regulations, policies) should be observed when determining a method for the final disposition of information, regardless of source or media. Whether that disposition is archival, transfer to another organization, preservation for permanent storage, or destruction, appropriate protection must be considered in defining the process. For example, the workforce should:

■ Implement reasonable safeguards to limit incidental disclosures of PHI and PII
■ Receive training on disposal policies and procedures
■ Not abandon or dispose of information, particularly PHI or PII or other private information in containers that are accessible by the public or other unauthorized persons
■ Provide validation of disposal method, time, date, and accountable party

Finally, an organization’s audit program should have a clear process to validate whether sensitive information is being handled in accordance with the organization’s policies and procedures, and should be compliant with applicable laws and business practices.


PRINCIPLE OF COMPLIANCE

An information governance program shall be constructed to comply with applicable laws, regulations, standards, and organizational policies. It is the duty of every organization to comply with applicable legal and regulatory requirements; those for maintaining and managing health information and those for managing other organizational information. Some healthcare requirements warrant special attention and consideration. For example, laws governing privacy and confidentiality, and fraud and abuse are particularly important to healthcare organizations.

An organization’s credibility and legal standing rest upon its ability to demonstrate that it conducts its activities in a lawful manner and manages information risks effectively. The absence of information, or poor quality of information required to demonstrate this damages an organization’s credibility and may impair its standing in legal matters or jeopardize its ability to conduct business. The duty of compliance affects systems and processes for information management and governance in two ways:

1. The information management systems and processes should contain information showing the organization’s activities are conducted in an ethical and lawful manner.
2. The information management systems themselves are subject to legal and regulatory requirements, such as medical coding standards, security access controls, and transaction audit logs.

It follows from this that every organization should:

■ Know what information should be entered into its records to demonstrate its activities are being conducted in a lawful manner.
■ Enter that information into …
