Electronic health records have become standard across many healthcare organizations, while mobile devices with access to these records proliferate. Thanks to the advent of mobile health and cloud computing technologies, many organizations are now having to secure massive amounts of healthcare data. Consequently, information governance in healthcare organizations has become increasingly important.
The American Health Information Management Association (AHIMA) has released a framework of Information Governance Principles for Healthcare (IGPHC). The goal of this resource is to set up a framework to identify risks and areas for improvement:
“As a best practice framework, IGPHC assists organizations in operating effectively while ensuring compliance with legal requirements and other duties and responsibilities. By promoting robust and repeatable processes, IGPHC helps establish policy, prioritize investments, determine accountabilities, protect information with suitable controls, and more generally reduce risk.”
How to Build a Solid Information Governance Program
The framework is meant to discuss eight core information governance best practices:
- Accountability – having senior oversight on the information governance program
- Transparency – setting up documentation that is open and verifiable
- Integrity – having information that’s reliable
- Protection – safeguarding information from breach, corruption or loss
- Compliance – adhering to applicable laws, regulations, standards and policies. Note that this is framed as going beyond basic compliance standards
- Availability – knowing how to identify, locate, and retrieve required information
- Retention – maintaining data only for an appropriate period of time
- Disposition – securely disposing of data that is no longer needed
AHIMA suggests that organizations measure themselves against these core principles. In addition, they plan to release a self-evaluation tool at year-end to assist in this. The core principles of the IGPHC also reiterate many core tenets of Absolute’s own three-pronged approach to data security: policy, education and layered technology. In our whitepaper, Best Practices for Healthcare Data Breach Prevention, we discuss many specific ways you can achieve data protection and compliance, as well as other best practices.
Healthcare Information Governance from a Legal Perspective
While AHIMA’s framework offers a valuable base to discuss data management and security, the legal considerations should be addressed as well. As AHIMA notes in its IGPHC, “governance” implies a top-down approach to data, by setting organizational goals, direction, and limitations around data. It follows that effective data security would also be top-down. We believe that top-down security should include the support and involvement of the board, C-level executives and the legal department.
Ron Hedges, JD, recently discussed the impact that an effective information governance (IG) program has from a legal perspective. He suggests that IT and the legal department need to coordinate on information governance. Legal should be involved in areas including: the establishment of a data management and security policy, the prioritization of investments, the securing of data assets, and the determination of accountability. If we’re talking about data security and data breaches, it’s imperative that legal do more than just deal with compliance after the fact. Instead, compliance should be integrated into the whole information governance program.
The article brings up many other legal considerations for complicated data scenarios that healthcare organizations should consider. For example, how do you determine what is a “record” and what is not? What is the shelf-life of business information? What are the consequences of holding onto data that has lost its value? Although the article on AHIMA talks more to litigation than to compliance-related issues, it brings up many questions about data handling that are pertinent to the discussion of data security.
Absolute Data & Device Security (DDS) is the industry standard for persistent endpoint security and data risk management solutions. Ensure and prove compliance, maintain accountability and respond appropriately to security incidents. Learn more about our healthcare solutions here.