Please see the attached PDF (from the International Federation of Health Information Management Associations) and seek other sources if you wish to answer the following questions – the PDF will help answer the questions.
please view “Data Governance Vs. Information Governance”, a seminar by a consulting firm from July 2021
1.What are the drivers (needs, reasons for) of information governance (IG) and data governance (DG)?
2. How do the differences between these drivers frame the different purposes and functions between information governance and DG?
3. Are information governance and DG the same thing, at odds with each other, or complementary? Explain and defend your answer.
4. What are possible synergies between information governance and DG?
Revi
s
iting Information
Governance
OCTOBER 20
21
Disclaimer
This whitepaper reflects the views of the International Federation of Health Information Management Associations (IFHIMA), and not necessarily its sponsors, partners,
affiliates or members. This whitepaper offers no legal nor consulting advice. IFHIMA is not responsible for actions taken as a result of reading or using the whitepaper.
IFHIMA is not liable for the contents of external links. Responsibility for external links belongs to their operators.
About IFHIMA
The International Federation of Health Information Management As-
sociations (IFHIMA) is a non-governmental organization (NGO) in official
relations with the World Health Organization (WHO). The Federation
acts as the global voice of the health information management profes-
sion, supporting the importance of education and training, high quality
health data, and privacy of health information. IFHIMA is committed to
the advancement of health information management practices and the
development of its members for the purpose of improving health data and
health outcomes.
• Would you like to keep informed on IFHIMA? Sign up here.
• Did someone kindly share this whitepaper with you? You can get your
own digital copy here as a free download.
• Yes! You may share – reprint with permission when you use this citation:
IFHIMA Fosters Planning for Information Governance with Global Case
Studies, Copyright International Federation of Health Information Man-
agement Associations (IFHIMA), October 2021, Reprint with permission.
Notice
©2021 International Federation of Health Information Management As-
sociations. This IFHIMA publication is subject to copyright and permission
must be sought for reproduction of content. Direct enquiries to:
marketing@ifhima.org
Revisiting Information
Governance
Healthcare Transformation Requires
Trusted Information ………………………………………………….
3
The Importance of Information Governance ………………..
4
Information Governance as Stewardship …………………….
5
Stewardship Foundations …………………………………………..5
Governance as Ground Rules and Guardrails ……………….
6
IG Framework to Ensure Success ……………………………….6
IG and Health Information Management Practice ………..6
Trigger Events …………………………………………………………..
7
IG Learnings from Global Experiences ………………………..7
It’s Time to Start ………………………………………………………
8
Conclusion ……………………………………………………………….8
https://ifhima.org/sign-up-for-ifhima-global-news-whitepaper-and-events/
Revisiting Information Governance | October 2021
3
In 2017, the International Federation of Health
Information Management Associations (IFHIMA)
published a whitepaper with case studies –
Advancing Health Information Governance: A
Global Imperative. The paper offered details
regarding the pressing need for information
governance (IG) with consideration for
transformation in the delivery of health services
brought on by the digitization of data, new
regulations and more.
Then in 2020 COVID-19 shook the world,
especially the world of healthcare. The
disease spread so quickly that even the
experts seemed to be at a loss and
overwhelmed. This crisis forced the
use of technologies that were
formerly on the fringe.
Healthcare at a distance,
telehealth, became
routine. Reliance on
artificial intelligence
and consumer driven
tools, i.e., smartphone
and apps proliferated
in professional and
personal settings. At
many institutions,
health information
management
professionals (HIMs)
moved to remote
settings to continue their
work while taking on new roles
and
responsibilities.
These conditions
and the continuation of transformation of health
service in nations around the world, have made
IG even more challenging and important. That’s
why IFHIMA is revisiting this important and
timely topic.
Healthcare Transformation
Requires Trusted Information
Local and national health services, irrespective
of the maturity of their systems and data use,
are redesigning care delivery and public and
private health services by embracing 21st
century solutions. Redesign is supporting the
shift from illness-based care to wellness. These
priorities involve greater engagement and
inclusion by patients, families, and communities
and have refined approaches to information
access, information sharing, funding, and
reimbursement. Layered on these trends is the
evolving information demands resulting from the
COVID-19 pandemic.
Information is a strategic asset, much like
physical assets – buildings, equipment, and
technology
– and is the essential tool for
transformation.
“Organizations that encourage
staff to think about information and data as a
strategic asset can extract more value from
their systems.”1 Systems mean both technology
and operational processes. Every healthcare
organization needs to optimize its systems – in
other words, optimize its information and data
created or used from its various systems.
In all circumstances, information must
be trustworthy to meet the demands and
strategic transformational goals of healthcare
organizations, their consumers/patients, and
governmental and non-governmental agencies.
Health providers continue to transition
from paper-based to digital health systems.
Developing nations are especially focusing
on this transition through an initial launch
of digital systems or when they are using a
hybrid approach to meet their goals. The hybrid
approach may be a combination of electronic,
imaged, and paper records. A myriad of
approaches is evident in both mature health
environments and developing nations. These
systems support personal wellness and care;
care delivery systems; local, national, and global
public health disease prevention, identification,
and tracking; and information policy
development and improvement initiatives. The
COVID-19 pandemic further demonstrates the
need to create, link, and share data supporting
individual, national and global health.
Digital health information requires focused
management and governance – stewardship
– to address new challenges and risks. Thus,
stewardship through governance requires data
quality and integrity, data access, reporting,
data integration, confidentiality and security,
patient and provider identity management and
lifecycle management. (Stewardship is explored
in IFHIMA’s 2020 whitepaper, Privacy of Health
Information, an IFHIMA Global Perspective.)
Regardless of where organizations or nations
reside on the technology adoption and data
standardization spectrum, it is never too soon
for a ministry of health, a health department, a
large healthcare enterprise, a small ambulatory
Information is a strategic
asset, much like physical
assets – buildings,
equipment, and technology
– and is the essential tool for
transformation.
Revisiting Information Governance | October 2021
4
or primary care clinic or payer organization
to incorporate governance and stewardship
practices.
Information governance (IG) provides the
authority mechanism that sets forth principles
and policies and approves procedures and
technology for how an organization will
exercise its stewardship responsibilities. Most
importantly, a strong IG program serves the
needs of the consumer, patient, and citizen.
The Importance of Information
Governance
The importance and goal of healthcare
transformation is well summarized in this
statement that describes the role of the World
Health Organization (WHO): “To improve equity
in health, reduce health risks, promote healthy
lifestyles and settings, and respond to the
underlying determinants of health.”2
The building blocks supporting these goals
are health records – records of patients’
health status, treatment, and social
determinants of health
(SDOH); and vital
records – birth and
death records.
Health care organizations
are learning that they
need to formalize IG.
According to Health
IT Analytics, “In a
survey released by
AHIMA at the 89th
Annual Exhibit &
Convention, 53 percent
of respondents said
they have information
governance programs
in place or recognize
the need for one. A
scant 14 percent have
initiated organization-
wide IG programs, but
18 percent have some
form of governance activity
underway.”3
The importance of information in transforming
healthcare cannot be overstated. From
electronic health records to smart phone apps
to patient portals to telehealth, information is
driving healthcare decisions at all levels as never
before. For example, the use of telehealth as
a viable care delivery and management option
has grown exponentially during the COVID-19
pandemic. “During the first quarter of 2020, the
number of telehealth visits increased by 50%,
compared with the same period in 2019, with
a 154% increase in visits noted in Surveillance
Week 13 in 2020, compared with the same
period in 2019.”4 With that rapid deployment,
often without advance planning or adequate risk
assessments, came the challenges of network
infrastructure, documentation requirements,
data sharing, and privacy and security. In the
IFHIMA article, Managing Health Information
Privacy During the COVID-19 Pandemic:
Considerations and Perspectives from Around
the Globe, released September 24, 2020, we
discussed how the COVID-19 pandemic has
heightened the need for managing the privacy
of information and the urgency for governance
around it.
Data explosion as a driver for IG
Electronic/digital transformation in healthcare
means that the volume of data is growing
exponentially. “IDC (International Data
Corporation) predicts that our global datasphere
– the digital data we create, capture, replicate
and consume – will grow from approximately 40
zettabytes of data in 2019 to 175 zettabytes in
2025 (with one zettabyte equaling one trillion
gigabytes).”5 Further, “human and machine-
generated data is experiencing an overall 10x
faster growth rate than traditional business data,
and machine data is increasing even more rapidly
at 50x the growth rate.”6 This growth is due to
the growing number of devices, sensors, and
the increasing use of artificial intelligence (AI)
and machine learning (ML). As cloud computing
becomes mainstream, data lakes and data
warehouses are being created to accommodate
the data explosion. Precision medicine in some
countries is defining exact treatments and drugs
through intelligence derived from genomics
and the research and analysis of vast stores of
structured and unstructured data. With this uptick
in data growth comes the need to harness it for
its business value, and, likewise, to determine
what is redundant, obsolete, or trivial (ROT) data,
and ultimately, information.
Information governance
(IG) provides the authority
mechanism that sets forth
principles and policies
and approves procedures
and technology for how
an organization will
exercise its stewardship
responsibilities.
Revisiting Information Governance | October 2021
5
Data Governance: a key IG component
While healthcare may be lagging other industries
in establishing formalized IG programs, some
organizations have elected to focus first on data
governance (DG). DG is an essential dimension
of a comprehensive IG program
due to the increasing data
volume and diverse
use. DG is focused on
the data used across
key applications and
processes (i.e., master
data and metadata),
as well as tools used
in managing data (i.e.,
data dictionaries,
data glossaries, data
integration and data
mapping). DG activities
may include addressing
patient or provider
identifiers, master data and
metadata management, data mapping,
data dictionaries, and data standardization.
DG efforts identify data that is useful and
data that is redundant, obsolete, or trivial and
work to address the appropriate disposition of
ROT data. Creating high quality, trusted data
across an organization is the goal of DG and is
a critical dimension of IG. Data governance is
like information governance in that it requires
formalization around its activities. A DG program
should report to IG and take strategic direction
from the IG program. It is critical that the
goals of DG and IG are aligned and support an
organization’s strategic objectives.
By contrast, the whole patient record, including
narrative content, and the policies that
drive its use, retention and
privacy are all within
the purview of IG.
It is reasonable for
healthcare organizations
to focus first on getting
the data right through
DG, because error is
costly, and trust may
be jeopardized. The
emergence of electronic
health record (EHR)
related errors results
in data being lost or incorrectly
entered, displayed, or transmitted, leading
to loss of information integrity.7 Without solid
DG, one cannot have information integrity.
Information Governance as
Stewardship
Effective stewardship of health information
is an important obligation for all who create,
use, or manage information. “Stewardship is
an ethic relating to the responsible handling
of information; and governance sets forth the
ground rules for execution of this responsibility.”8
Preserving confidentiality is an indisputable
stewardship obligation when the subject of
the information is identifiable. This obligation
remains true when patient or provider identifiers
have been removed from a data set for research
and other purposes. (See whitepaper, Privacy
of Health Information, an IFHIMA Global
Perspective.)
Stewardship Foundatio
n
s
The Principles of Fair Information Practice
(FIPPs) and the Caldicott Principles offer policy
makers around the world guidance in crafting
stewardship frameworks for governing health
and other sensitive information in physical or
digital form. Several of the FIPPs principles
are highlighted in
Figure 1
by the Organization
for Economic Co-operation and Development
(OECD)9 that represents the cooperation of 35
member nations. These nations have adapted
their own laws covering health information with
consideration to local values; they are generally
legislative expression of the FIPP principles.10 11 12
The Caldicott Principles adopted by UK’s
National Health Service (NHS) include eight
key principles shown in Figure 2 that are the
foundation for stewardship practice and can
serve as another important framework in
developing an IG program.
DG is an essential
dimension of a
comprehensive IG program
due to the increasing data
volume and diverse use.
Preserving confidentiality is
an indisputable stewardship
obligation when the subject of
the information is identifiable.
Figure 1
Revisiting Information Governance | October 2021
6
Caldicott Principles, 2020 Update
Justify the
purpose(s)
Every single proposed
use or transfer of
patient identifiable
information
within or from an
organization should
be clearly defined
and scrutinized,
with continuing uses
regularly reviewed,
by an appropriate
guardian.
Don’t use patient
identifiable
information
unless it is
necessary
Patient identifiable
information items
should not be
included unless it
is essential for the
specified purpose(s)
of that flow. The need
for patients to be
identified should be
considered at each
stage of satisfying the
purpose(s).
Use the minimum
necessary
patient-
identifiable
information
Where use of
patient identifiable
information is
essential, the
inclusion of each
individual item of
information should
be considered and
justified so that the
minimum amount
of identifiable
information is
transferred or
accessible as is
necessary for a given
function to be carried
out.
Access to patient
identifiable
information
should be on a
strict need-to-
know basis
Only those individuals
who need access to
patient identifiable
information should
have access to it,
and they should only
have access to the
information items that
they need to see. This
may mean introducing
access controls or
splitting information
flows where one
information flow
is used for several
purposes.
Everyone with
access to patient
identifiable
information
should be
aware of their
responsibilities
Action should be
taken to ensure
that those handling
patient identifiable
information – both
clinical and non-
clinical staff – are
made fully aware of
their responsibilities
and obligations
to respect patient
confidentiality.
Understand and
comply with the
law
Lead the evaluation of
data quality with focus
on ICD-11 coded
data and develop
appropriate queries to
resolve discrepancies
Every use of
patient identifiable
information must be
lawful. Someone in
each organization
handling patient
information should
be responsible
for ensuring that
the organization
complies with legal
requirements.
The principles are fully operationalized through
roles and functions outlined in the 2020
Caldicott Guardians Manual.
13
With stewardship foundations in place, IG can
function to establish principles and policies, to
assess and measure how well they are working,
Revisiting Information Governance | October 2021
7
and to identify when they need to be improved
upon based on new learning or new advances.
Illustrating the accepted global importance of
IG, Gartner defines IG as the specification of
decision rights and an accountability framework
to ensure appropriate behavior in the valuation,
creation, storage, use, archiving and deletion
of information. It includes the processes, roles
and policies, standards and metrics that ensure
the effective and efficient use of information in
enabling an organization to achieve its goals.14
Governance as Ground Rules and
Guardrails
IG provides the authority mechanism that sets
forth principles and policies and approves
procedures and technology for how an
organization will exercise its stewardship
responsibilities. Healthcare organizations set
the scope of governance by determining the
types of information that will be governed
and who has the authority to set policies and
oversee their execution. Health information
management (HIM) plays a key
role in IG by participating
in policy formulation
and/or subsequent
execution.
From a practical
perspective, IG
considers the lifecycle
of the information
from its creation
and integration
through archiving or
destruction. Illustrating
the importance and
practical application,
the Canadian Health
Information Management
Association (CHIMA) has a special
workgroup focused on IG and managing
the lifecycle of data. IG considers the range of
functions including:
• Information design and collection
• Records and content management
• Access
• Quality and integrity of information.
IG requires a multi-stakeholder approach
supported by senior leaders and anchored in a
formal framework.
IG Framework to Ensure Success
There is no one-size-fits-all framework. The
framework should be established to fit within
the culture of the organization. However, the
key components of a framework that should be
considered are executive sponsorship, strategic
committee structure with key stakeholder
membership and designated leadership,
program charter, organization-wide education
plan, policies and procedures, and metrics
and accountabilities. A key requirement for
a successful IG program is the formalized
infrastructure around it. A formalized framework
ensures that
• The right stakeholders are involved;
• There is a reporting and support hierarchy;
• There are documented goals that are aligned
with the organization’s strategic plan; and
• Metrics are in place to show results of the
program and its activities.
Lastly, an organization must create a culture
that supports a multi-disciplinary approach to
establishing information
policy and managing
information as a key asset.
IG and Health Information
Management Practice
Health Information Management (HIM), a
nearly century old profession, has its roots in
monitoring and improving the content of the
health record. HIM focuses on managing the
lifecycle of the record, particularly its protection,
storage, retrieval, and disposition. Information
curation is an important HIM skill with curation
defined as “the act of individuals chartered
with the responsibility to find, contextualize,
and organize information, providing a reliable
context and architecture for the content they
discover and organize.”15 The ability to preserve
information availability, sustain its credibility,
apply the appropriate compliance, and uphold
its integrity are all vital and integral HIM skills.
An organization must create
a culture that supports a
multi-disciplinary approach
to establishing information
policy and managing
information as a key asset.
Revisiting Information Governance | October 2021
8
The changing landscape of health information
capture and distribution channels is providing
new opportunities in the healthcare ecosystem
to maximize information curation and improve
information value. The HIM profession
faces many challenges in managing the
quality and integrity, lifecycle management
and confidentiality and security of digital
information. While grounded in traditional
practices, the scope, tools, and complexities
of HIM practice in a digital health environment
require new skills, competencies, and changes
in how HIM services are staffed and organized.
HIM professionals are recognized as well-
established resources for clinical recordkeeping
with aptitudes that continue to be sharpened,
expanded, and called upon to institute and
execute IG. Their critical knowledge and skills
can be shared across the entire organization
in managing all types of information – clinical,
financial, human resources, contractual,
legal, and other business information. HIM
professionals possess the requisite information
management knowledge and skills to positively
impact the management of information across
the entire healthcare setting.
To realize the full value of digital information
in transforming healthcare, HIM professionals
worldwide must engage in and lead the charge
to improve information. HIM professionals must:
• Lead efforts to advance IG and information
management practices,
• Ensure governance policies and best practices
are applied, and
• Ensure all types of critical information assets
are included as the information lifecycle is
rolled out.
Trigger Events
Perhaps the most difficult part of developing
and executing an IG program is finding the
trigger event that catapults IG to the forefront.
Thus, it’s critical to identify current day triggers
and build the IG program around those, using
them to align with the organization’s strategic
goals. The ability to quickly address current day
triggers in an expeditious and formalized way
will prove the worth of an IG program.
Clearly the COVID-19 pandemic should be seen
a trigger. The need to move quickly in times of
uncertainty is paramount.
Technology adoption and implementation such
as a new electronic record, a data lake, a data
warehouse, or using artificial intelligence or
machine learning might also be seen as trigger
events.
An IG program that is built with stewardship to
deliver accurate health information will enable
health care organizations to respond in both
ordinary and challenging times.
IG Learnings from Global
Experiences
IFHIMA is a powerful network of HIM
professionals from around the world, sharing
best practices for IG and the day-to-day
challenges of managing patient information and
other important health information resources.
In the face of health system change and
transformation, this network has never been
more important. Learning from one another
is the surest way to advance at the pace that
change is required today. To support the
understanding of IG practice and value, HIM
practice and knowledge, four international case
summaries have been included as an appendix
in this paper to demonstrate the need for and
value of IG.
The Case Summaries describe the IG journeys
of Alberta Health Services (AHS) in Canada,
Cabrini Health (Cabrini) in Australia, the Hospital
Corporation of America (HCA) headquartered
Tennessee, USA and Grande Ronde Hospital,
Oregon, USA. They are dynamic stories of
change and learning and these snapshots
convey several important lessons that can be
adapted and adopted by other organizations.
The lessons fall into three general categories:
Purposeful Organizing for IG, Careful Priority
Setting, and Adaptation.
Steering committees will have no trouble
identifying complex, priority information
challenges that benefit from improved
governance. However, particularly in the early
years, it is wise to choose governance initiatives
that will have tangible return on the time and
effort invested or that represent a real risk to the
organization.
As with all transformative change, there is
usually a trigger that is both a threat and an
opportunity. The Case Summaries make clear
Revisiting Information Governance | October 2021
9
one other important lesson. Advancing IG
requires a keen awareness of what is happening
throughout the organization.
It’s Time to Start
Information Governance is critical to
ensuring the trustworthiness of a healthcare
organization’s information for patient care
and other business needs. Health
information management
has traditionally
demonstrated
excellence through cost
effective, consistent
practices carried
out by trained HIM
professionals. The time
is now to ensure that your
organization has an IG program to meet
both operational and strategic priorities. But,
where to start? Below are recommended actions
to move governance forward:
• Learn as much as possible about information
governance and data governance concepts
and practices in healthcare. This white paper
is an excellent start.
• Network with HIM peers to discuss best
practices, top priorities, and lessons learned.
• Share your IG and DG knowledge and
expertise with senior leaders and peers,
• Demonstrate how governance practices
can reduce costs, risks, and can increase
compliance.
• Evaluate how your organization manages
its information and data. Is it managed in
individual departments, business units, and/or
entities? Is it managed with a narrow scope in
mind? Determine if governance practices are
in place, even if in an immature stage.
• Bring forth ideas for where your organization
can begin in evolving current or immature
practices, to mature, optimized procedures
and systems. Look at current processes
around areas such as record retention,
storage, and destruction, seeking
opportunities to improve processes and
reduce costs and risks. Further, identify
areas of inefficiency – areas where there is
redundancy and rework.
• Volunteer to lead the charge! HIM
professionals are fully equipped to be the
expert and take the lead role.
Conclusion
Healthcare always requires trusted information
and with the many factors impacting healthcare
transformation – from transitioning from
illness-based care to wellness care, advances
in the delivery of healthcare, the digitization
of health records, the exponential growth of
data, to the proper sharing of information for
the improvement of health on a global scale –
information governance is needed now more
than ever.
These factors, along with a crisis, such as
a global pandemic, are driving the need to
accelerate the adoption of an IG framework. One
that begins with a commitment from diverse
stakeholders and disciplines across a healthcare
organization.
HIM professionals, are natural stewards of
health information. They have an important
contribution to make in the development and
execution of an IG framework. They possess the
requisite knowledge and skills in management
of information across the entire healthcare
setting.
Through this whitepaper and the other topics
and articles cited within, IFHIMA encourages
the practice of information governance to realize
its vision of “a healthy world enabled by quality
health information.”
Information governance is
needed now more than ever.
Revisiting Information Governance | October 2021
10
References and Endnotes
Advancing Health Information Governance: A Global
Imperative, IFHIMA October 2017
https://ifhimasitemedia.s3.us-east-2.amazonaws.com/wp-
content/uploads/2017/11/20033802/ifhima-ig-whitepaper-
final
Privacy of Health Information, an IFHIMA Global Perspective,
IFHIMA November 2019, updated September 2020
https://ifhimasitemedia.s3.us-east-2.amazonaws.com/
wp-content/uploads/2020/10/02235824/IFHIMA_Privacy_
WP_09_20_final
Managing Health Information Privacy During the COVID-19
Pandemic: Considerations and Perspectives from Around the
Globe, IFHIMA September 2020
https://ifhimasitemedia.s3.us-east-2.amazonaws.com/wp-
content/uploads/2020/09/24215215/IFHIMA-Pandemic-
Privacy-Article-Final-1
1. Advancing Health Information Governance: A Global
Imperative, IFHIMA October 2017
2. Privacy of Health Information, an IFHIMA Global
Perspective, IFHIMA November 2019, updated September
20
20
3. Managing Health Information Privacy During the COVID-19
Pandemic: Considerations and Perspectives from Around
the Globe, IFHIMA September 2020
4. “Data as an Asset: Defining and Implementing a Data
Strategy,” Deloitte Insights, February 25, 2019, Data as an
asset | Deloitte insights
5. World Health Organization, OECD (2015), Health at a
Glance 2015: OECD Indicators, OECD Publishing, Paris.
http://www.who.int/healthpromotion/about/goals/en/
6. Health IT Analytics, xtelligent HEALTHCARE MEDIA,
Information Governance Gaining Ground in Healthcare,
Organizations, Jennifer Bresnick, October 12, 2017,
Information Governance Gaining Ground in Healthcare
Organizations (healthitanalytics.com)
7. Trends in the Use of Telehealth During the Emergence of
the COVID-19 Pandemic — United States, January–March
2020, Centers for Disease Control and Prevention (CDC),
October 30, 2020, Trends in the Use of Telehealth During
the Emergence of the COVID-19 Pandemic — United States,
January–March 2020 | MMWR (cdc.gov)
8. 19 Data and Analytics Predictions Through 2025, Business
2 Community, Tricia Morris, March 15, 2019, 19 Data
and Analytics Predictions Through 2025 – Business 2
Community
9. The Exponential Growth of Data. The Exponential Growth
of Data (insidebigdata.com)
10. Impact of Electronic Health Record Systems on Information
Integrity: Quality and Safety Implications: https://www.
ncbi.nlm.nih.gov/pmc/articles/PMC3797550/
11. Kloss, L. “Information Governance and Management”
Chapter 15: Ethical Health Informatics- Challenges and
Opportunities, 3rd Edition. Ed: Beebe Harman, L. and F.H.
Cornelius. Jones & Bartlett Learning: Burlington MA, p.
393.
12. OECDprivacy.org, is © Ben Gerber 2009, 2010 and is
licensed under a Creative Commons Attribution 3.0
Unported License. http://oecdprivacy.org/
13. Justice and Laws Website, Canada, date modified: 2021-
08-06 http://laws-lois.justice.gc.ca/eng/acts/P-21/index.
htm
l
14. Eur-Lex, Access to European Union Law, April 27,
2016, http://eur-lex.europa.eu/legal-content/EN/
TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.
ENG&toc=OJ:L:2016:119:TOC
15. Health Insurance Portability and Accountability Act of
1996, U.S. Dept. of HHS, https://aspe.hhs.gov/report/
health-insurance-portability-and-accountability-act-1996
16. A Manual for Caldicott Guardians Produced
by the UK Caldicott Guardian Council 2020
TheEightCaldicottPrinciples — The UK Caldicott Guardian
Council (ukcgc.uk)
17. Gartner IT Glossary – Information Governance: http://blogs.
gartner.com/it-glossary/information-governance/
18. Top 5 Librarian Skills: #1 Information Curation”
LiBSource, an LAC Company. https://libsource.com/top-5-
librarian-skills-information-curation/, accessed 7/21/
17
Authors
IFHIMA Information
Governance Work Group:
Lorraine Fernandes, USA,
Chair and IFHIMA Board
Liaison
Cameron Barnes, Australia,
Co-Chair
Linda Kloss, USA, Co-Chair
Mervat Abdelhak, USA
Kelly Abrams, Canada
Kathleen Addison, Canada
Hussein Al-Bishi, Saudi Arabia
John Dickey USA
Judith Jones, USA
Information Governance
update authors:
Lorraine Fernandes, RHIA
Ann Meehan, RHIA
IFHIMA Fosters Planning for ICD-11 Adoption with Global Case Studies
11
Sponsors IFHIMA invites outside organizations to help us offset the cost of producing this paper. We thank these sponsors for their financial contribution and for
supporting our vision for “a healthy world enabled by quality health information.”
We are delighted that they’ve joined the IFHIMA effort to advance high quality
data and Information Governance.
Please visit their websites or social media platforms to learn more about their
commitment to quality health information and global health.
Primeau Consulting Group is a health information management consulting company established to provide high
quality health information services to our clients through the deployment of HIM best practices developed through
extensive experience and knowledge of the health information industry. We offer a variety of customizable,
scalable solutions with unparalleled customer service, delivered by high quality HIM professionals for best results.
PCG provides the following exceptional HIM consulting services:
• Cures Act & Information Blocking Assessment and Consulting Services
• Information Governance Assessments and Consulting
• Interim Management
• Privacy and Security Risk Analysis and HIPAA Training
• HIM Department and Revenue Cycle Assessments
• CDI/Coding Audits
primeauconsultinggroup.com
Platinum
Case Studies
Information Governance Assessment Helps Grande
Ronde Hospital and Clinics Develop an IG Roadmap …. 11
How Data Recovery in the Wake of a Major Health Infor-
mation System Failure Reinforced the Need for Informa-
tion Governance ……………………………………………………..
18
Australian Private Hospital enters a new frontier of Infor-
mation Governance ………………………………………………..
22
Electronically Transmitted Signature Integrity ………….. 25
Revisiting Information Governance | October 2021
13
Information Governance Assessment Helps
Grande Ronde Hospital and Clinics Develop an
IG Roadmap
Summary/Introduction
In the spring of 2020, the Grande Ronde Hospital and Clinics (GRH) Data
Governance Committee held its first meeting to begin its development of a data
governance program. The Committee members quickly realized that they needed
some help getting started. Although the GRH stakeholders valued information,
they soon realized that developing an Information Governance (IG) culture and
aligning their IG initiatives with their strategic goals was an important, yet daunting
project. Members determined the need for some structure, support and guidance to
develop an IG Road Map, but didn’t know where to begin. Although initially the IG
assessment was scheduled to be onsite, with the COVID pandemic unfolding, the
assessment was determined to be better conducted remotely. The IG assessment
was determined to be a critical, strategic project that could not be delayed due to
the pandemic.
Background
Grande Ronde Hospitals and Clinics is located in La Grande, Union County, Oregon
USA and is a 25-bed Critical Access Hospital with 12 Clinics. Since 1907, Grande
Ronde Hospital has led this region in efforts to stabilize and secure rural health care
services for the communities it serves, while also working to improve the quality of
life for all area residents. The service area has over 25,000 residents.
Grande Ronde is an award winning, State and nationally recognized organization that
is not-for-profit and is privately held. Today it employs more than 700 people, all
dedicated to providing quality health care services to patients. The Hospital offers
a broad range of diagnostic, surgical and therapeutic outpatient services, a Level IV
Trauma Emergency Services Department, a Family Birthing Center, Rehabilitation
Therapy Services, Home Health and Hospice care. GRH also operates 12 primary
and specialty care clinics.
Problem Statement
To launch an Information Governance Program, like many organizations, GRH
needed to determine where to begin. Although GRH had begun a data governance
program with a formal committee and a charter, it was limited and had only met
once. “We’ve always recognized the importance of data and information. However,
we did not understand the formal process required to assess what would be
necessary to get our IG Program off to a good start,” says Karli Wright, GRH’s
Director of Business Services. Wright knew that it would not be easy to raise
awareness of Information Governance without a plan. “When we started diving
into the world of Information Governance, it was overwhelming,” recalls Wright.
“We didn’t know which initiatives to include or where we would get the best results.
We also needed to educate ourselves and our leadership team on Information
Governance to break down the silos and optimize our effectiveness.”
Debi Primeau, MA, RHIA,
FAHIMA
Cynthia Doyon, RHIA
Revisiting Information Governance | October 2021
14
GRH identified its overall goals as:
• Align information governance with organizational strategies
• Provide trustworthy, reliable information
• Decrease silos of information
• Create a culture that values information governance
• Develop a Roadmap to begin the IG efforts
GRH’s team members determined help was needed and engaged a consulting
organization to assist them in achieving their goals. A kick-off meeting was
scheduled to provide the necessary education to help the GRH team understand
the importance of information governance and what was needed to begin the
journey. The next step was an IG Assessment. This Assessment was done virtually
due to the COVID-19 pandemic. The IG Assessment consisted of questions about
GRH’s current IG situation. The teams discussed each question as the consulting
company’s experts provided guidance to reach consensus on the answer to
each question. Having these discussions with all the stakeholders enriched the
understanding of governance and helped the organization focus its effort. Multiple
telephone interviews were scheduled with key stakeholders.
Stakeholder groups
Key stakeholders included the following roles: Chief Information & Security
Officer, who served as the Executive Sponsor of GRH’s IG initiative, Chief Medical
Informatics Officer, who served as the IG Lead, other stakeholders included
Director of Analytics, Director of Informatics within the IS Division, Director
Business Services/Revenue Cycle, Compliance & Privacy Officer, Director of Health
Information Management.
Findings
Information Governance Assessment
GRH decided to partner with the consulting firm to assess its Information
Governance (IG) Program. Initially, the assessment was planned to be held onsite,
but with the pandemic impacting travel and face to face meetings, the assessment
was conducted remotely. The consulting firm’s interactive online IG Assessment tool
has seven sections, each with a comprehensive set of questions. Every question was
reviewed, the stakeholders discussed, collaborated and reached consensus on their
response. The questions can be answered with a yes, no or partial response with
comments entered to summarize the discussion. Each section’s score is generated
based on the number of yes, no or partial responses. Upon the completion of
the seven sections and a tabulation of all the responses, an overall score was
determined for the IG Assessment. The IG Assessment generated an action plan
used to develop a road map to help GRH prioritize its initiatives.
Based on the IG Assessment, GRH identified key accomplishments, the importance
of information governance in the organization, as well as strong leadership and
expertise in privacy, security and analytics. The IG Assessment also identified GRH’s
areas of focus including IG structure, policy and procedure management, Legal
Health Record best practices and Role Based Access enhancement.
Revisiting Information Governance | October 2021
15
Sample Questions
(A) Organizational Information Governance
# Topic Question Answer
1 Organizational IG Is the Information Governance (IG)
Program a recognized information
strategy within the organization
Yes
2 Organizational IG Is there a charter for IG Program
activities within the organization?
Yes
3 Organizational IG Is there an established IG Committee
made up of key stakeholders?
Yes
6 Organizational IG Have other IG roles, such as workforce
stewards, been identified, defined and
expectations established?
No
8 Organizational IG Is there a list of IG-relate activities/
projects?
No
9 Organizational IG Are ongoing IG activities and initiatives
as robust as the IG stakeholders would
like?
No
10 Organizational IG Has the IG Program been undertaken
across all business units and
departments of the organization?
No
IG Assessment Results
It showed that there was, however, strong support for the Information Governance
Program and some early stages of adoption had already begun. Privacy and security,
analytics, and information technology are highlighted as areas that indicated
excellent progress being made prior to the assessment.
Key Observation Examples
Privacy and security
• The organization has implemented a set of documented policies and procedures
to apply reasonable and appropriate privacy safeguards to records and systems
with PHI that comply with the HIPAA Privacy and Breach Rules
• The organization maintains standard locations for all privacy and security related
materials and records
• Workforce members have access to policies and procedures relevant to their job role
Revisiting Information Governance | October 2021
16
Analytics
• The organization has a formalized Analytics Team
• The Analytics Team is under the oversight of the Information Management
Oversight Committee (IMOC) and aligned with key stakeholders
Information technology
• The organization has an active, documented security governance committee
• The organization’s IT governance includes all stakeholders, including fiscal,
clinical and administrative staff in making decisions about technology solutions
• The organization ensures workforce training includes protection from and
reporting of malicious software, phishing, hacking, ransomware, insider threats,
log-on attempts monitored, reviewed, sanctions and password security
• The organization has implemented a documented policy/procedure that
governs the removal of hardware, devices and electronic media that contain
electronic protected health information (ePHI) and other sensitive or confidential
information.
Areas of Opportunity Examples
• IG Structure and Management
› Holistic view of Information Governance
› Review/Develop IG Charter
› Reporting to the Board of Directors
• Policies and Procedures
› Inventory
› Gap Analysis
› Development
• IG Legal Health Record
› Identify and document the Designated Record Set (DRS)
› Identify and document the Legal Health Record (LHR)
› Vet the DRS and LHR by Legal Counsel
• Privacy and Security
› Develop role-based access
Revisiting Information Governance | October 2021
17
Grande Ronde Assessment Score by Section and Response
Breakdown
Section
A –
Organizational
Information
Governance
17 71 36.5 51 6 7 4
B – Managing
Organization
Information*
30 94 37 39 6 12 12
C – IG & Related
Policies &
Procedures*
18 69 10.5 15 0 13 5
D – IG Legal
Health Records*
11 36 1.5 4 0 10 1
E – IG Privacy &
Security
17 62 50.5 81 11 1 5
F – IG Analytics 12 39 29 74 9 2 1
G – Information
Technology
30 104 72 69 16 5 9
*Focus Areas of
Opportunity
OVERALL 135 475 237 50 48 50 37
Assessment Becomes Key Compliance Step
The IG Assessment provided GRH with a baseline score and specific action items
to develop an IG Road Map, focusing on key initiatives for success. Use of the IG
Assessment findings and recommendations helped drive GRH to establish policies,
manage accountability, protect its information and prioritize its strategic goals.
Wright said, “although we were disheartened with our overall initial score, we were
reminded by the consulting team that our IG efforts had only just begun. Most
importantly, we now had a Road Map to take us to future success. Additionally,
we now have the tools and guidance to continue our journey in developing our
information Governance Program and we better recognize and value information as
an organizational strategic asset.”
Q
ue
st
io
ns
Po
ss
ib
le
Po
in
ts
Po
in
ts
Ea
rn
ed
To
ta
l
Ye
s
re
sp
on
se
s
N
o
re
sp
on
se
s
Pa
rt
ia
l
Re
sp
on
se
s
Revisiting Information Governance | October 2021
18
Recommendations/Solution
Results Summary
Based on the findings at GRH and industry leading practices, the following areas
were considered as priorities for initial information governance efforts.
• Recognize current organizational IG best practices
• Reduce IG silos through improved communication and collaboration
• Identify opportunities for IG improvement
• Develop an IG Action Plan
• Ensure organization’s information will be trustworthy, reliable, compliant, meets
regulatory requirements and supports business decisions
Detailed IG Assessment Findings and Recommendations
Examples
Organizational IG Structure and Management
IG Oversight Committee: This group should provide oversight and management of all
information decisions across the organization. It should define and approve the IG
charter. This group should also review the baseline Assessment results and develop
an IG Road Map, prioritizing IG-related projects and initiatives. Having a formalized
oversight group should not only drive decisions around information governance,
but should also define staff roles, responsibilities, education and accountabilities
across the entire organization. Currently, the Information Management Oversight
Committee (IMOC) serves loosely in this role. Formalizing and transitioning IMOC
to the Information Governance Committee would allow Grande Ronde to have a
bi-directional reporting relationship with Data Governance, Analytics, and other
designated workgroups report to the IG Committee. The IG Committee should
report workgroup goals, metrics, and summaries to the Governing Board and other
executive groups within the organization.
Business Process Data Ownership: Another critical requirement for a successful
Information Governance Program is to break down barriers caused by
compartmentalized data decisions exhibited in the various business units of the
organization. This is a cultural change but must be addressed early on to ensure data
ownership is appropriately defined and delegated and that the Data Governance
Program ultimately drives and oversees data decisions.
Revisiting Information Governance | October 2021
19
Additional Recommendations Examples
Formalize executive IG structure
• Prioritize projects based on the organization’s strategic initiatives with
consideration for those that are mission critical, possible quick wins, risk
reduction, cost avoidance and return on investment
• Develop role-specific IG education in annual, refresher and department-specific
training
• Integrate IG principles and competencies into the culture of the organization
through updates on IG-related projects and successes
Legal health record
• Conduct an inventory of all electronic health record systems
• Conduct an inventory of all paper records
• Vet by Legal Counsel
Privacy and security
• Update job descriptions
• Assign access based upon job roles/need to know
Lessons Learned
Tapping into ongoing support
Wright says, “The consulting firm’s services reflect our intention to create a culture
of compliance and one that values information. Information Governance is an
ongoing priority for us and it requires collaboration, communication, education
and accountability,” Wright adds, “The IG Assessment has allowed us to focus our
efforts on the right initiatives and stay on track with Information Governance—which
in turn supports our organization and our patients.”
Conclusion
GRH learned many things from the remote IG Assessment and its collaborative
process. Not only did the online assessment tool provide GRH with the IG
assessment results, it also helped develop and prioritize initiatives to ensure its
IG Program is on the right track for success. The team benefited by having support
from Senior leadership to drive the IG Program and ensure it is aligned with the
organization’s strategic goals. While effective IG takes time, GRH achieved good
progress in its initial efforts and now has a roadmap to move forward.
Revisiting Information Governance | October 2021
20
Executive Summary/Introduction:
On July 11, 2012, the province of Alberta experienced one of the largest information
technology (IT) down times in its history. A transformer failed inside a third-party
communication and data centre in Calgary, Alberta, Canada, setting off the sprinkler system
and causing damage to several major communication servers. The centre hosted many
government, healthcare, and private industry IT infrastructures. As a result, access to and
flow of information was compromised and critical communication services were interrupted.
The transformer failure caused widespread Alberta Health Services (AHS) IT
network system disruption. The systems were inaccessible for more than 36 hours.
Radio stations were off the air, internet and telephone service was down, and many
city and provincial government computer networks were affected. The Calgary
Zone was the hardest hit with approximately 200 non-functioning applications.
Calgary city officials activated a municipal emergency plan and AHS activated their
zone emergency operation centre. Using information governance and information
management principles, ingenuity, and a spirit of cooperation, staff were able to
respond to the situation in a controlled manner and implement recovery procedures
once the system was back online.
Background/Statement of Problem:
The province of Alberta (AB) has a single health authority responsible for providing
health services to over 3 million Albertans. Alberta Health Services (AHS) has
almost 100,000 employees with an additional 16,800 volunteers and 8,020
physicians. Programs and services are offered at over 400 facilities throughout
the province, including hospitals, clinics, continuing care facilities, mental health
facilities, and community health sites. There are approximately 8,100 acute care
beds, 21,700 continuing care beds/spaces, plus equity partnership in 40 primary
care networks.
When the sprinkler system was triggered during the July 12th fire, major
government and healthcare applications automatically shut down.
The main AB government and AHS information applications or operations affected included:
• AB government Person Directory that issues Unique Lifetime Identifiers (ULIs).
ULIs are the primary provincial identifier to link person specific information across
the health system including health information exchange (HIE);
• Registry offices including services around person identification and vital statistics
(e.g., person identity, birth and death registries);
• Admission, Discharge, and Transfer (ADT) System (i.e., the software application
that locates and tracks patients/clients throughout the Calgary Zone);
• Laboratory, Diagnostic Imaging (DI), Pharmacy, Triage, Operating Room Manager,
Public Health, Emergency Medical Services (EMS), Regional on Call Application for
Physicians, and staff scheduling.
As an organization that embraces information governance principles for healthcare,
AHS had downtime and recovery procedures in place for all affected systems.
How Data Recovery in the Wake of a Major
Health Information System Failure Reinforced
the Need for Information Governance
Kelly Abrams, PhD, CHIM
Vice President
Canadian College of
Health Information
Management
Kathleen Addison, CHIM
Senior Provincial
Director
Health Information
Management Alberta
Health Services
Shirley Learmonth, MA,
CHIM,
Director, Health
Information
Management (Retired)
Alberta Health Services
Revisiting Information Governance | October 2021
21
Stakeholder Group:
The team leading the downtime and reconciliation process involved individuals
from diverse backgrounds. Clinical staff, HIM, IT, and senior executives from AHS,
Foothills Medical Center, Calgary Zone, Southern AB and Health Link, worked
together to ensure ongoing service. Supporting staff included Application and
Interface Specialists from IT, and clinical operational staff from Lab, DI, Pharmacy,
and Clinical Operations.
As a key stakeholder and the business owner of the ADT system (foundational and
critical to other affected applications), HIM co-led the reconciliation strategy and
was a crucial participant and fundamental contributor in all meetings.
Findings:
The first step towards mitigating the situation was to set up a command centre and
a means of communication. A major incident teleconference line was set up and a
zone emergency operation centre launched. AHS HIM initiated regular conference
calls with representatives participating in the major incident and the emergency
call centre. A command centre was established at Foothills Medical Centre, one
of the largest hospitals in the Calgary Zone. Text messaging was still available as
was access to some Gmail accounts, so these applications became the means of
communicating non-confidential information.
HIM service challenges during the event included moving to manual processes
during a time of restricted communication which resulted in:
• Limited accessibility of up-to-date reference information (e.g., procedures, shared
drives, contact information),
• Inconsistency in the manual tracking of patients affecting accuracy of patient census
• Limited ability to validate status of patients with Bed Management service.
Mitigation of patient safety concerns was a priority. Due to the large number of systems
and interfaces affected, the Calgary Zone clinical information system (CIS) was taken
off-line as many of the connecting systems were not operational. Patient identification
labels were unable to be printed. Some duplicate health record numbers were assigned
by mistake and some clinical requisitions were missing the health record number.
After functioning in a paper environment for more than 36 hours, AHS servers
were restored and permission was granted to begin the reconciliation process
(i.e., data entry and validation). Clinical informatics and HIM Services developed a
reconciliation strategy to ensure appropriate sequencing for the restart of clinical
applications, to reduce the potential impact to patient safety and care delivery. The
challenges post-event centred on the retrospective entry and validation of data, and
complexity of the business reconciliation processes.
The ADT system is foundational to all the other clinical applications and the data
had to be accurate before any other application could begin their recovery process.
Patients admitted, transferred, and discharged during the system downtime had to
be retrospectively entered into the ADT system in a sequential time and date order
and validated.
HIM Services facilitated the process with cross-site teams working in close
partnership with IT and clinical program areas. Back entry and validation of patient
and clinical information took several days for some of the affected applications.
Revisiting Information Governance | October 2021
22
Staff involved in the reconciliation process had to have the necessary experience
and training to understand the implications and reasoning behind the process,
and had to have the proper information system access. Training requirements and
appropriate system access limited the ability to bring in additional staff. Clinical
staff experienced frustration with perceived delays in action because they did not
understand the complexity of the reconciliation process.
Recommendation/Solution:
The CIS reconciliation process started with the creation of three main overarching
principles:
1. Accuracy and integrity of ADT data is foundational for accurate information in all
other clinical information systems.
2. Sequencing and coordination of the reconciliation processes must be controlled
and managed to ensure the integrity of clinical data in all applications.
3. Only individuals proficient in the CIS application and with the appropriate level
of system access can perform the reconciliation process. Professional licensing
regulations may apply to some applications.
Due to the number of applications involved and the extended downtime, the scope of
reconciliation was significant and unique. End user access to any applications reliant on
an ADT interface followed an identified sequence of recovery post-reconciliation. For
example, AHS used the following reconciliation priority rankings in the ADT system:
• Priority 1:
› Inpatients
› Patients presently in the Emergency Departments
› Patients presently in the Day Surgery Units
• Priority 2:
› Emergency patients seen and discharged from the ED during the downtime
› Day Surgery patients treated and discharged during the downtime
• Priority 3:
› Ambulatory care patients seen in outpatient clinics during the downtime
End user access to secondary applications that did not rely on an ADT feed could
occur at any time as long as the resources required did not detract from the priority
application recovery.
Communication and monitoring remained strong throughout the reconciliation
process. The clinical conference call line was used to monitor the reconciliation
phases, which ensured appropriate sequencing of system recovery and allowed
for the provision of clinical system updates. Hourly ADT reconciliation status
updates were provided to the technical bridge teams to coordinate the recovery of
applications according to the approved sequence priority.
Collaboration throughout the crisis was instrumental in maintaining services.
Revisiting Information Governance | October 2021
23
Lessons Learned:
Many opportunities for improvement and lessons learned emerged from this
incident. The following descriptions are some, but certainly not all, of the lessons
learned.
1. Communication is key. The downtime process for bed management identified
several challenges including confusion over the ‘owner’ of the census, how to
consistently track patients in a manual system, and how to communicate updated
patient location lists. It is imperative that appropriate and accurate fax contact
fan-out lists are available and accessible. Consistent messaging is necessary to
support who can and who cannot be using the system, and when they can be
using the system. A priority listing of what systems come back online and in what
order is imperative to ensure data integrity.
2. A validation plan for person identification is needed, especially for newborns. A
downtime process for the Unique Lifetime Identifiers should be considered.
3. Standardized documentation and processes must be in place to support back
entry of data and the organization of paperwork for revalidation. Staff must be
able to access the procedures so that second-guessing of manual processes does
not occur. For example, critical passwords should not be stored in email systems
as these may not be accessible when needed.
Conclusion:
IG provides an opportunity to build a framework for practice that would engender
trust in the Canadian healthcare system and its information management practices.
An IG practice framework would provide the checks and balances essential for
accountability and ongoing improvement in information management practices,
particularly important during unexpected technological downtime (CHIMA, Iron
Mountain, 2017). Healthcare jurisdictions should embrace information governance/
information management principles and leading practices to ensure healthcare data
is managed throughout its lifecycle (Abrams, Learmonth, Gibson, 2017). Policies
and procedures must be in place to ensure the integrity and quality of information
and data.
Orientation and ongoing refreshers of downtime procedures and processes are
important for all staff and clinicians. Downtime procedures must be stored so as to
be accessible when needed most. The scenarios used in downtime orientation and
training should be based on a worst-case scenario, as no two downtimes are the
same. Cross training of staff on key reconciliation processes should be considered.
Above all, be prepared. This could happen to you!
References:
• Abrams, K.J., Learmonth, S., Gibson, C.J. 2017. The Canadian Health Information Management
Lifecycle. London, ON: Canadian Health Information Management Association.
• Canadian Health Information Management Association, Iron Mountain. 2017. Information
Governance for Canadian Healthcare. Positioning the work of the CHIMA IG Summit Participants
within the Evolving Framework of Information Governance for Canada: A summary document.
London, ON: Canadian Health Information Management Association.
Revisiting Information Governance | October 2021
24
Executive Summary / Introduction:
In an increasingly complex and competitive Australian health care environment,
where huge amounts of data both structured and unstructured are being created,
the need to “manage and use” this information, rather than just collect and store
it, is vitally important for strategic planning, privacy and security, and many other
reasons vital to the management of a hospital.
Cabrini Health is a five-site acute and sub-acute hospital organization with
approximately 720 beds with most clinical specialties being treated by largely
Visiting Medical Officer / Consultant medical staff. Cabrini also currently has an aged
care facility, medical imaging and pathology businesses, as well as the Cabrini Linen
Service and Cabrini Technology which incorporates a number of business lines.
Background / Statement of Problem:
In general, health can lag other industries in IG but the amount of data within
health organizations and the importance of being able to understand the data is
paramount. This is particularly pertinent with regard to patient experience, strategic
planning, predictive analytics and staff satisfaction all of which can be impacted
heavily by IG.
The complexity and breadth of Cabrini’s services supports the need to establish
Information Governance (IG) principles across all facets of the business wherever
possible. Recognizing the problems was a necessary first step for IG.
• An externally appointed consultant review of the Human Resources (HR), also
known as people and culture function, identified several issues within HR, as well
as downstream problems in areas like Business Intelligence (BI) where reporting
accuracy and consistency was compromised.
• Different parts of the business have different definitions for similar aspects of the
business and some variation is needed due to the variety of businesses. However,
different definitions need greater visibility.
• There was a general lack of corporate knowledge about IG with a need to educate
all staff from the chief executive on down.
• The IG role is part time making it difficult to be pro-active and strategic.
Stakeholder Group:
Cabrini key stakeholders included the Executive Director, Commercial Services and
Business Systems, Performance Monitoring and Improvement, and the director
of Health Information Services, who subsequently took the lead for Information
Governance.
Findings:
The core group that included members from HR, BI, IT, payroll, along with an external
consultant, became our IG team. Beginning with HR data, numerous issues were
identified and prioritized. Slowly the list was worked through. Many of the issues were
resolved and monitoring tools were put into place so as to minimize reoccurrences.
Australian Private Hospital enters a new frontier
of Information Governance
Cameron A. Barnes
Director, Health
Information Services and
Information Governance
Cabrini Health
Melbourne, Australia.
Revisiting Information Governance | October 2021
25
Cabrini has no fewer than twenty High Value Data Systems. Data quality issues were
identified throughout by working system by system. A data quality tool was deployed
to analyze and report on data quality problems regarding patient demographic data
including address, email and mobile (“cell”) number. Double UR numbers (unique
patient identifying numbers) were also tackled including user education.
Recommendation / Solution:
Apart from the remediation and prevention type of work there was the requirement
to improve and build more of an IG culture within the Hospital. This is a work in
progress and one that is an ongoing challenge.
• Despite a great deal of communication, the capacity and appetite for such
initiatives can quickly wane, especially when “life gets in the way” and these types
of initiatives can lose visibility.
• There was also the requirement for a number of foundation stones of IG to be put
in place. The first of these was the IG Policy that addresses the requirements for
executing, maintaining and improving the organization’s information governance
capacity and staff member’s roles and responsibilities.
• A Data Governance, Information Technology Executive Committee was convened
which was chaired by the chief executive with all executives attending as well as
a number of other key staff. Our research had informed us that without C-Suite
buy-in, our work would flounder; this was something we obviously did not wish
to occur. A Data Governance Working group was also convened which contained
more operational staff.
• The High Value Data Systems data stewards and owners for each of our
information systems was also agreed to at this point, as were data definitions of
two of our significant data sets – finance and human resources.
• The data definitions were particularly problematic and this probably shines a light
on why IG is so important. The lack of consistency continually meant that reports
were being stated as “wrong” when in effect the figure was not wrong but the
application and different uses of the term FTE was wrong. This lead to a mistrust
of data that was routinely displayed in our Business Intelligence tool. Once
definitions are established, the subsequent challenge is to ensure that the reader
of the report knows which definition is being used.
• A data governance framework was also established to provide the principles,
guidelines, standards and processes to ensure ongoing improvement of data
quality so that information relied upon for decision making has integrity with the
vision being simply “right data at the right time.”
Revisiting Information Governance | October 2021
26
Lessons Learned:
It is safe to say that the lessons learnt were many and they continue to be learnt.
There is no doubt that many of the principles of IG are absolutely borne out in day to
day operational issues and these include:
• The need for C-Suite involvement;
• Dealing with bite-sized issues initially to get runs on the board and building
momentum;
• Use the expertise of others where possible;
• And prioritize the implementation of data definitions.
The scope and challenge of IG requires full time focus. It is difficult to do when
one has an already challenging position. Although there have been some good
achievements along the way and reasonable levels of support from senior leaders,
it takes application and the time to develop the new skills required to advance IG
across a complex organization.
References:
• AHIMA – 2014 Information Governance in Healthcare
• Data Governance – A Team Game, K. Moysey, Deloitte 2013
• https://www.healthcatalyst.com/healthcare-data-governance-practices
Revisiting Information Governance | October 2021
27
Executive Summary/Introduction
The Hospital Corporation of America (HCA) has over 160 hospitals across 20
US states. HCA has a corporate office in Nashville, TN. The corporate office has
organizational units that are responsible for setting company standards. This
includes the centralized Information Technology & Services model and the Clinical
Services Group (CSG) that established clinical best practices. Within CSG is the
Clinical Informatics Systems Governance and Operations Department (CI-SGO)
responsible for electronic health record (EHR) maintenance, usage, and governance.
CI-SGO governance is accountable to uphold information integrity, which includes
authorship of documentation, namely, electronic signatures. In this case, such
authorship involves attributing the origination or creation of a particular unit of
information (or an entry) to a specific individual or entity acting at a particular
time1. HCA had adopted a historical approach that required detailed “due diligence”
to determine the validity of electronic signature capabilities from an external
organization’s system before endorsing those entries through an interface. These
practices were first applied at a corporate level and then were rolled out to the
hospital divisions; division offices, in turn, rolled out the practices to the hospitals.
Background
Clinical information interfaces containing EHR entries were evaluated using
established criteria. External systems were required to meet this criteria in order to
transmit authenticated entries to HCA HISs. If the findings of the evaluation were
negative, the entry—and its accompanying signature—could still be transmitted and
populate the HIS. However, the HIS’s technical mechanics would not mark the entry
as final; therefore indicating it as an incomplete (or unauthenticated/unsigned) entry
per the HIS’s definition of a finalized entry.
As a result, the organization had a large volume of entries that did not have a “final”
entry status in the HIS which dated back slightly more than 10 years. However,
these entries did reflect an electronic signature when viewed, printed, or otherwise
produced pursuant to information release requests. Therefore, complying with
reproducibility standards and customary industry recordkeeping practices. It was
then determined that the external organization signature validity evaluation criteria
had not been updated for at least a decade. When the initial criteria was developed
it was felt that the organization had an obligation to perform a stringent level of
evaluation on its inherent systems and hold other entities to the same signature
integrity requirements.
Statement of Problem
Documenting and imposing such stringent criteria for the generation of electronic
signatures in foreign systems jeopardized the organization’s recordkeeping
credibility. This was evidenced by the voluminous number of non-finalized entries
and the organization’s inability to uniformly govern the evaluation and processes
for accepting entries attributed with externally generated electronic signatures.
Audit trails and HIS indicators did not reflect authenticated entries, which had a
potential for detection during electronic legal discovery. A challenge was also posed
with regard to system downtime and recovery. This being that unsigned entries
constituted an active account. Automated system redundancy and restorative
Electronically Transmitted Signature Integrity
John Dickey, MSHI, RHIA
Director, Clinical
Informatics
HCA Corporate Clinical
Services Group
Revisiting Information Governance | October 2021
28
processes were required to cycle through all active accounts in order to back up or
restore the system.
Guaranteeing data integrity is complex, this case exemplifies that data systems
needed reengineering and accompanying process improvements. A cross-domain
deliberation was required to produce outcomes that address system and process
design and uphold patient safety, quality care, regulatory compliance, privacy/
security standards adherence, applicable medical-legal considerations and
mitigation of institutional risks. Resulting outcomes were to be recorded in an open
and verifiable manner. Memorialization documentation evidenced the organization’s
“due diligence” and provided transparency to the organization’s leadership,
workforce members, and other appropriate interested parties in accordance with
legal obligations. Because of the varying parties involved and the widespread
impact, an organized governance effort was needed to evaluate an approach
according to HCA’s strategic visions.
Stakeholder Groups:
These challenges affected various roles within the organization. Information
Technology & Services (IT&S) had the responsibility to (1) evaluate and certify
interfaces carrying electronic signatures, (2) configure the system to mark the
incoming transmitted entries accordingly, and (3) to restore the system when
an outage occurred. Health Information Management (HIM) was responsible
for ensuring the permanent record reflected final signed entries using system
indicators. Quality/Patient Safety and Legal were invested to ensure that any
remediation efforts were well vetted and the right “due diligence” was applied to
uphold any patient-risk or legal consideration.
Findings:
Internal legal counsel engaged external advisement regarding the organization’s
responsibility to accept electronic signatures from external entities. It was
determined that “unless an apparent abnormality could be deduced from a
customary level of ‘due diligence,’ neither federal nor state laws prohibited the
organization from presuming that electronic signatures were otherwise invalid.” A
review of the current organization’s requirements for accepting external signatures
determined that it was outdated as many of the regulations and accrediting bodies
now hold all healthcare entities to higher electronic signature veracity standards (i.e.
Uniform Electronic Transactions Act2 and 21 CFR Part 113).
It was determined that accreditation and auditing agencies have the right to inquire
about the methods in place to ensure the integrity of an electronic authentication
(signature) within the medical record. It was felt that this could be met in one of two
ways. Either: (1) performing “due diligence” during the initial integration activities
to ensure the source system (vendor) meets compliance requirements set forth by
the facility that outline signature integrity; or (2) developing a company Ethics and
Compliance Policy that outlines proper authentication integrity safeguards, with vendors
entering into an organizational contract that designates adherence to signature integrity.
Revisiting Information Governance | October 2021
29
Recommendation/Solution:
The topic was presented to the company’s Clinical Information Governance
Committee. A subcommittee was commissioned to perform further investigation
and recommend a proposed solution. This subcommittee was made up of
representatives from Clinical Quality Standards, IT&S, HIM, Legal, Information
Protection, Architecture Security, and CI-SGO.
It was determined the best approach for remediation would be to revise the current
certification process as well compose a Risk Assessment Toolkit that could be used
by a division or individual facility to assess the external system/vendor capability
for electronic signature integrity. A three-year monitoring cycle was incorporated.
Some of the items were standardized and required across the company, while other
components were left to the interpretation of division/facility approving bodies. This
allowance supported a governance structure that could be realistically enforced
at the division or facility levels instead of at the company level. If requirements
were not met, the toolkit included a provision for exceptions. In such instances, the
division/facility approving body could determine to accept the signatures, however,
would document the justifications using a Risk Acceptance Protocol (RAP) and
Risk Acceptance Form (RAF). The RAF is signed by division/facility executives to
evidence the justification as formally acknowledged and documented. The signed
RAF is retained to support decisions that were made should there be a need to
produce evidentiary documentation in response to future inquiry.
Lessons Learned:
Once the new evaluation and certification standard was developed, insufficient
time and effort were expended on strategizing a plan and performing subsequent
execution, socialization, and implementation. It was determined that further
harnessing of existing communication channels to effectively cascade messaging
would have led to increased adoption and success4. It was found that many of the
companies’ divisions/facilities continued to operate under the previous guidelines
and, therefore, continued to generate incomplete entries.
Conclusion:
Approaching the problem with well-established governance principles that provided
a systematic approach in which evidentiary documentation could be produced, and
allowed for autonomy and flexibility at the division/facility level, proved to work best
in this situation. Mitigation challenges to information integrity in today’s healthcare
environment should be considered part of an information ecosystem rather than at
an individual organization level. As interoperability of information becomes more
and more integrated, a solid approach should be applied that recognizes information
integrity, credibility, and an overall responsibility to accountable recordkeeping.
References
• Downing, Kathy. “Electronic Signature, Attestation, and Authorship (2013 update)” (AHIMA Practice
Brief, October 2013) http://library.ahima.org/doc?oid=107151#.WSBrZOvyvDc
• Uniform Electronic Transactions Act (1999) http://www.uniformlaws.org/shared/docs/electronic%20
transactions/ueta_final_99
• Electronic Records; Electronic Signatures, 21 C.F.R § 11; https://www.accessdata.fda.gov/scripts/
cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11&showFR=1&subpartNode=21:1.0.1.1.8.3
• Factors Influencing Best-Practice Guideline Implementation: Lessons Learned from Administrators,
Nursing Staff, and Project Leaders. http://onlinelibrary.wiley.com/doi/10.1111/j.1741-
6787.2007.00106.x/full
Order an Essay Now & Get These Features For Free:
Turnitin Report
Formatting
Title Page
Citation
Outline
