Part 2: BDO's Approach to Information Governance

February 2017

In March 2016, we blogged about “The Business Case for Information Governance in Healthcare.” Prior to that, we developed a standard Information Governance framework to provide guidance to organizations around governance, data quality, security, availability, management and the alignment of data and information across the enterprise.

Now we’re taking a step back to more closely examine those pillars and how they align throughout an organization. This framework aims to help organizations align their business, legal, technology and operational needs with the creation, use and management of data and information. While transferrable to any industry, the framework is particularly useful for healthcare organizations that must govern and enforce policies surrounding the creation, use and management of protected health information (PHI) and personally identifiable information (PII).

We worked closely with Healthcare Organizations (HCOs) to develop, document, and implement policies and procedures that impact each of the pillars within this framework. Here’s how each pillar impacts HCOs:
1. Overall governance is necessary for the development and/or updating of an organization’s policies to properly reflect the current state of the business and ensure all requirements are being met.

   Monitoring regulations and managing compliance is especially important. HCOs, and in many instances even their suppliers, must actively monitor for PHI to ensure compliance with international, state and local regulations, including industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

2. Data quality is a necessity to ensure that all business units and departments can deliver meaningful data to the organization.

   It also ensures that duplicative, outdated and otherwise unnecessary data is disposed of, thereby increasing the overall quality of the data that is retained. It’s especially important for healthcare organizations because low-quality or unnecessary data can negatively impact patient outcomes.

3. Data protection and security is critical to prevent unauthorized access and ensure data is not exposed or vulnerable.

   Threats can be internal or external; each requires unique approaches to maintain integrity and confidentiality. Common approaches include:

   1. Detailed policy development, maintenance and enforcement. Continually update policies such as Acceptable Use and Data Security/Protection to reflect current technologies, and ensure compliance is audited and non-compliance enforced.
   2. Adoption of a holistic view of data security to ensure holes or gaps are identified.
   3. Development of response and contingency plans to address breaches.

4. Availability means the organization’s data is readily accessible to support business initiatives in a timely and efficient manner. Knowledge management and records management functions can help ensure availability.

5. Ensure management of information throughout its lifecycle and verify disposal as prescribed by policy.

   Once data retention and disposition policies are established, enforcement and routine auditing are necessary to verify they are being properly implemented. It is not enough to establish a retention policy and schedule—HCOs must also implement and carry out disposition when retention expires. If the need to keep data has expired, don’t keep it.

6. Ensure alignment of data and its use with multiple business functions.

   This means making sure each business unit has access to the data and the appropriate tools or applications to use the data to complete its business functions. One approach is deploying a Master Data Management (MDM) system so that your organization has one Master Patient Index (MPI) and all records correspond to the MPI. MDM systems centralize much, or in some instances all, of an organization’s critical data.