For the past 3 years, the Privacy Point column has focused primarily on privacy and security -- issues, challenges, priorities along with strategies to promote compliance and mitigate risk. During that time, the HIPAA Omnibus Rule was piloted and refined in 2013 and 2014, with Sept. 23, 2014 as the final date for all business associate agreements to comply with the current regulations. With procedures in place for that phase of compliance, the focus is now shifting to the value of information governance (IG) in healthcare.
Going Beyond Compliance
Despite decades of privacy and security regulations, many organizations lack proper governance and management practices to address ever-increasing risks and threats. According to the Identity Theft Resource Center, approximately 42 percent of major data breaches reported during 2014 were attributed to healthcare organizations. That's a stunning statistic. And security risks may be on the rise for 2015, especially if the HHS Office for Civil Rights (OCR) follows through with its random audit program to assess compliance with HIPAA privacy, security and breach notification rules.
Traditional privacy and security solutions are not sufficient to address rapidly emerging risks and threats. Data and security breaches and compliance penalties point to inadequate control of information. Establishing proper controls requires effective IG that ensures protection of trusted information. Compliance alone is not enough.
AHIMA's IG principles recommend a proactive, collaborative, interdisciplinary approach. Privacy and security must be viewed from a new perspective -- as foundational components of an enterprise-wide information governance model.
Former AHIMA CEO, Linda Kloss, MA, RHIA, FAHIMA and author of Implementing Health Information Governance: Lessons from the Field, states: "Leading organizations understand that governance and management of privacy and security must be in full compliance, but must also build trust and transparency through ethical stewardship practices that may go beyond compliance ... They also understand that a compliance mindset does not fully serve the interests of the patients they serve ... Their sound governance of privacy and security considers ethical compliance and fiduciary responsibilities."
As the demand for trusted information increases, leading healthcare organizations are moving from a compliance approach to a broader IG perspective aimed at improved quality of care and organizational performance. Fortunately, AHIMA has taken the lead toward a smarter, strategic maturity model. And HIM professionals are best qualified to educate all stakeholders on the value and responsibility of stewardship -- privacy and security, risk management, and overall data integrity -- critical components of trust in information.
Advancing IG through Collaborative Leadership
While some organizations have taken steps to initiate an IG program, most are still in the infancy stage of implementing consistent and collaborative IG practices. Whether your organization is just beginning or in the process of refining its program, here are four strategies for advancing IG:
- Assess existing policies, procedures and systems for capturing, processing, delivering and storing data. Set priorities to build a program aligned with your organization's goals.
- Engage an executive sponsor by showing the business value of IG -- quality of care, cost reduction, compliance, improved patient outcomes, risk mitigation, accurate reimbursement.
- Create an interdisciplinary team including HIM, IT, compliance, C-suite, revenue cycle, legal and risk management.
- Develop a plan for implementing the AHIMA principles.
HIM professionals already know the value of IG. Their knowledge, skills and experience will advance enterprise-wide information governance through strong collaborative leadership.
Focusing on the Essentials
Once an IG framework is established, organizations should focus more closely on the essential elements of an effective program-privacy and security, quality and integrity, data capture, records management, availability and use of information. While privacy and security concerns continue to occupy center stage, each component is an integral part of a greater IG model.
In the coming months, IG Matters will delve deeper into the various aspects of each component, including the following:
- Clean master patient index (MPI) -- Ensuring a high level of MPI integrity must be a top priority for enterprise-wide IG programs. Preventing errors and inconsistencies is critical to patient safety.
- Data dictionary and data map -- Both tools are key to understanding the source and meaning of data across systems.
- Best practices to promote data integrity -- Quality and integrity management are the foundation for trust in information.
- Interdisciplinary education -- Ongoing education regarding privacy and security, risk management, and quality of information builds a culture of IG.
In today's evolving regulatory environment, healthcare providers cannot afford the risks of ineffective management and governance of information. That is why 2015 must be the year of IG in healthcare. And HIM is ready to lead the way.
Rita Bowen is senior vice president of HIM and privacy officer at HealthPort. She can be reached at email@example.com.
(Author's note: Welcome to the IG Journey)
With many thanks to all the dedicated followers of Privacy Point, I now invite you to join the IG journey. Throughout 2015, IG Matters will focus on strategies for building and sustaining a successful program, the essential elements of IG, lessons learned from case study organizations, and more. Your ideas for future topics are most welcome.