The Business Case for Information Governance

March 2016

By Todd L. Dietrich and Karen A. Schuler

Healthcare depends upon reliable and accurate information. Not only are privacy and compliance issues at stake, but inaccessible or corrupted data can also jeopardize patient safety. Establishing an Information Governance (IG) program is critical to protecting sensitive data and providing quality care.

What Is Information Governance?
At BDO, we define IG as an organization’s ability to leverage information as an enterprise asset by developing strategies and policies that optimize and secure its data, records and information.

An IG program encompasses everything from records management to compliance and risk management to litigation response and e-Discovery, as well as cyber security, IT architecture and overall operational excellence.

Why Information Governance in Healthcare
Healthcare records have distinct statutory and regulatory requirements relating to privacy, confidentiality, availability and integrity. In their Information Governance Principles for Healthcare document, the American Health Information Management Association (AHIMA) notes that governing of clinical and operational healthcare records:
  • Improves quality of care and patient safety
  • Improves population health
  • Increases operational efficiency and effectiveness
  • Reduces cost
  • Reduces risk
While the last three items are somewhat universal, the impact IG has on individual patient and public health is unique to healthcare and underscores its importance to the industry.

Regulatory Compliance
As in many other consumer-facing industries, healthcare organizations accumulate Personally Identifiable Information (PII). The management of PII is regulated by statutes at the federal and local levels. As one of the most regulated industries, healthcare is also subject to additional statutes and regulations, most notably the Health Insurance Portability and Accountability Act (HIPAA). What elevates the importance of IG in healthcare is that organizations also accumulate highly sensitive Protected Health Information (PHI), as defined and regulated by HIPAA. Under the HIPAA Security Rule, healthcare organizations must meet a number of requirements to ensure that the confidentiality, integrity and availability of electronic PHI (e-PHI) are protected. Under these requirements, organizations must:
  • Identify and analyze potential risks to e-PHI
  • Implement policies and procedures for authorizing role-based access to e-PHI and preventing unauthorized access to e-PHI transmitted over an electronic network
  • Implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain e-PHI
  • Train employees regarding security policies and procedures, and apply appropriate sanctions as necessary
  • Conduct periodic assessments of how well security policies and procedures meet HIPAA’s requirements
The healthcare industry’s reliance on third-party vendors also creates IG demands, including specific policies and controls to protect the flow and exchange of information across the network without any loss of integrity. Managing these vendors to ensure they meet the organization’s retention and disposition requirements while maintaining the availability of the data is a critical component of the overall IG program.

Healthcare organizations must also grapple with managing and protecting data in the cloud; ensuring that records are stored in a consistent manner; validating the appropriate and timely disposal of records and information; and establishing and enforcing an acceptable accuracy rate when scanning or digitizing handwritten notes. These demands, along with HIPAA’s requirements, essentially mandate the implementation of an IG program. Without a framework in place, healthcare organizations can’t adequately protect their patients’ data―or their patients’ health.