IG Matters

Information Governance Protection

Achieving AHIMA's principle of protection through privacy and security practices.

Privacy and security practices that support data protection are essential for effective information governance in healthcare. Breaches and other privacy and security incidents in healthcare are on the rise, and some occurrences go undetected. Given the complexity and sensitivity of issues faced by the healthcare industry, organizations must look beyond the laws to advance existing privacy and security practices into full and compliant IG programs.

Understanding Protection 
According to AHIMA's IG principles, an organization's IG program must provide the "appropriate levels of protection from breach, corruption and loss for information that is private, confidential, secret, classified, essential to business continuity, or otherwise requires protection."1 These levels of protection must be applied to information throughout its lifecycle, regardless of medium. This means that "every system, electronic or manual, that generates, collects, stores, transmits, uses, archives and dispositions data and information must be governed with protection in mind."

Protection is critical to building and sustaining trust in information. The various forms of protection include the following: 

  • Proper management of security access controls through use of authentication tools and related measures.
  • Policies and procedures that ensure safeguards and compliance monitoring to prevent information leakage outside the organization.
  • Audit programs to validate management of sensitive information in accordance with organizational policies and procedures, and in compliance with applicable laws and practices.
  • Adherence to security, privacy and confidentiality requirements for final disposition of information, regardless of medium, through the following measures:
    • Implement reasonable safeguards to limit incidental disclosures of PHI.
    • Conduct training on disposal policies and procedures.
    • Ensure proper disposal of information in containers that are inaccessible by the public or unauthorized persons.
    • Provide validation of disposal method, time, date and accountable party.

We must realize that health information requires varying degrees of protection as mandated by laws, regulations, and organizational policies and procedures. Merida L. Johns, PhD, RHIA, author of Enterprise Health Information Management and Data Governance, recommends adherence to eight data protection principles when processing personal information. According to these principles, personal data must be:

  • Processed fairly and lawfully in accordance with relevant laws and regulations that apply for processing sensitive personal data.
  • Obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
  • Accurate and up-to-date to support sound decision making, patient safety, availability and overall data integrity.
  • Retained only as long as necessary for its purposes, for the length of time required by business and legal rules, and then disposed of securely.
  • Processed in accordance with the rights of the patients based on relevant laws, regulations, policies and procedures.
  • Secure in accordance with measures to prevent unlawful and/or unauthorized processing and to ensure data is protected against accidental loss and destruction or damage.
  • Retained in the country of origin and not transferred to other countries without proper protection for the rights and freedoms of patients in relation to the processing of personal data.

Achieving Protection Through Privacy and Security
In the latest Ponemon Institute study, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data sponsored by ID Experts, criminal attacks are cited as the new leading cause of data breach in healthcare, with more breaches being attributed to trusted insiders.2 And, most organizations are unprepared to address new threats and lack adequate resources to protect patient data. 

While HIPAA compliance and preventing breaches are top priorities for IT, technology alone is insufficient to protect the integrity of the record. Ensuring privacy and security controls requires regulated standards and information governance. The following strategies are consistent with AHIMA's recommendations for protecting health information:

  • Implement safeguards to protect against security threats -- breaches, viruses, hacking.
  • Conduct enterprise-wide training and education on protecting PHI according to the organization's policies and procedures as well as state, federal and international laws and regulations.
  • Identify sensitivity levels for certain types of PHI -- such as behavioral health, drug and alcohol, STDs.
  • Establish health information authorization processes to monitor disclosures of PHI by patients/representatives.
  • Adhere to policies and procedures that ensure patient confidentiality.
  • Conduct periodic risk assessment and address identified privacy and security issues.
  • Ensure controls are in place and properly managed for protection, detection and response including:
    • Physical controls to secure equipment and technology
    • Administrative controls to manage selection, development, implementation and maintenance of security measures to protect information
    • Technical security controls to ensure proper access to PHI

Health information is intended to be private, confidential, and used only when essential for continuity of care. HIM professionals must engage senior executives and lead multidisciplinary collaboration to integrate privacy and security into an IG plan that ensures appropriate levels of protection.

Next Up: Compliance
Protection is directly linked with measures required to meet compliance. IG Matters will focus next on the principle of compliance, just as the Office for Civil Rights (OCR) is finally preparing for Phase 2 HIPAA audits. Audit questionnaires have been sent out to selected healthcare providers and their BAs, so now is the time to evaluate and enhance compliance practices.

Rita Bowen is senior vice president of HIM and privacy officer at HealthPort. She can be reached at As AHIMA prepares to release its maturity model later this year, follow the latest updates and find additional resources at


  1. AHIMA. IG Principles. Available at:
  2. ID Experts. Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data. Available at:


© 2017 ADVANCE Healthcare, an Elite CE company