Chapter 3

Information Governance Principles

Using guiding principles to drive your information governance (IG) program can help educate stakeholders, focus efforts, and maintain consistency.

The Sedona Conference® Commentary on Information Governance

The Sedona Conference® is a group of mostly legal and technology professionals that meets periodically and develops commentary and guidance on e-discovery, electronic records, IG, and related issues. They have developed 11 general principles of IG, 1 which provide guidance on the expectations and aims of IG programs. These principles can further an IG team’s understanding of IG and can be used from an introductory “IG Awareness Training” session through the early stages of your program launch. A good exercise is to have team members rewrite these principles in their own words, and then hold discussions about how each principle would apply to their departmental IG efforts and to the overall IG program:

1. Organizations should consider implementing an IG program to make coordinated decisions about information for the benefit of the overall organization that address information-related requirements and manage risks while optimizing value.

2. An IG program should maintain sufficient independence from any particular department or division to ensure that decisions are made for the benefit of the overall organization.

3. All information stakeholders should participate in the IG program.

4. The strategic objectives of the IG program should be based upon a comprehensive assessment of information-related practices, requirements, risks, and opportunities.

5. An IG program should be established with the structure, direction, resources, and accountability to provide reasonable assurance that the program’s objectives will be achieved.

6. The effective, timely, and consistent disposal of physical and electronic information that no longer needs to be retained should be a core component of any IG program.

7. When IG decisions require an organization to reconcile conflicting laws or obligations, the organization should act in good faith and give due respect to considerations such as privacy, data protection, security, records and information management, risk management, and sound business practices.

8. If an organization has acted in good faith in its attempt to reconcile conflicting laws and obligations, a court or other authority reviewing the organization’s actions should do so under a standard of reasonableness according to the circumstances at the time such actions were taken.

9. An organization should consider reasonable measures to maintain the integrity and availability of long-term information assets throughout their intended useful life.

10. An organization should consider leveraging the power of new technologies in its IG program.

11. An organization should periodically review and update its IG program to ensure that it continues to meet the organization’s needs as they evolve.

Smallwood IG Principles Applied to Healthcare Organizations

The following 10 IG Principles are the result of the author’s research and consulting efforts over the past decade, where a great deal of practical information on IG program successes, failures, and Best Practices was synthesized, analyzed, and distilled.

These 10 IG principles must be adhered to as general guidelines for IG programs to succeed:

1. Value information as an asset. Just as any healthcare organization has physical assets with value, such as buildings, lab and diagnostic equipment, computers, software, and patient beds, the information it collects and analyzes also has value. The formal management of information assets with the goal of monetizing and leveraging that information is clearly outlined in the book Infonomics: How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage (Routledge, 2017), written by Gartner’s Doug Laney. It is necessary to identify and map out information assets so that confidential information, including protected health information (PHI) and personally identifiable information (PII), can be secured directly, so that if hackers are able to get inside the organization’s firewall, this information is encrypted and unreadable. The IG steering committee must also explore analytic tools that could help to maximize information value, which may come in the form of reducing medical mistakes and improving patient outcomes, improving patient satisfaction, improving operational efficiency, reducing legal costs, improving compliance capabilities, and other related benefits. In addition, clear policies must be established for the secure access and use of information, and those policies must be communicated regularly and crisply to employees, with constant reinforcement. This includes conveying the value and risk of information, and the consequences of violating IG policies.

2. Stakeholder consultation. IG programs are, by nature, cross-functional efforts. Those who work most closely with information are the ones who best know why it is needed and how to manage it, so business units must be consulted in IG policy development. Health information management (HIM) professionals know the details and nuances of managing patient records. They should be deeply involved in electronic health record (EHR) governance efforts, which should be at the core of IG programs in healthcare, as saving lives and improving patient outcomes are paramount. Effective EHR governance also leads to reduced costs and improved operational efficiency. So HIM professionals must be an active part of IG programs, and their input into the policymaking process is critical. HIM professionals must also work hand-in-hand with privacy and legal professionals to ensure patient privacy is protected vigilantly. Privacy has become even more important globally with the implementation of Europe’s General Data Protection Regulation (GDPR), which applies to any organization conducting business with European citizens, regardless of location. Increased privacy protections for U.S. consumers are also being formed by state legislatures and voter initiatives. In-house legal counsel should be a key player in IG programs, and the legal team must be consulted on a variety of legal, regulatory, privacy, and litigation issues, as IG program efforts involve all these areas. Further, IG programs can cut electronic discovery collection and review costs and make the legal hold notification (LHN) process more streamlined and effective. The IT department must play a major role, as technology is leveraged in IG program efforts. Healthcare organizations have historically been behind the curve in implementing information technology, compared to other business segments. And healthcare organizations are attacked more frequently by hackers, since PHI can be worth more than 10 times what credit card information is worth. This underscores the need for a robust cyber-security program, including security awareness training, to offset information risks. It is clear that cross-functional stakeholder consultation is a necessary component of IG programs.

3. Information integrity. The patient–provider relationship is based on trust, and that trust includes ensuring that accurate patient information is created and also kept secure. IG programs focus heavily on information quality, from the ground up, beginning with data governance. Data governance techniques and tools focus on creating clean, accurate, non-duplicate data in database tables so that downstream reports and analyses are more trusted and accurate. In the U.S., the problem created by the rush to implement EHR systems and show “meaningful use” by the January 1, 2014, deadline (as specified by The American Recovery and Reinvestment Act) was that many systems were implemented without proper planning, and as a result many EHR systems are filled with inaccurate data. This scenario increases the rate of medical mistakes and causes suboptimal outcomes, injury, or even death to patients. Information integrity considers the consistency of methods used to create, retain, preserve, distribute, and track information. Information integrity means there is assurance that information is accurate, correct, and authentic. From a legal standpoint, enabling information technologies and data stewardship policies must support the effort to meet legal standards of admissibility and preserve the integrity of information, to guard against claims that it has been altered, tampered with, or deleted (called “spoliation”). Audit trails must be kept and monitored to ensure compliance with IG policies and to preserve information integrity.

4. Information organization and classification. This means that not only must patient records be organized in a standardized taxonomy with a specified metadata approach, but all information, including nonclinical business information across the healthcare enterprise, must be organized in a standardized way, categorizing all information and semantically linking it to related information. It also means creating a records retention schedule (RRS) that spells out how long PHI as well as business information (e.g. e-mail, e-documents, spreadsheets, reports) should be retained and how it is to be disposed of or archived (disposition). Further, it means developing departmental file plans which are logical and help end users conduct more complete and accurate searches for information. More progressive organizations will go further and implement an Information Asset Register (IAR) to track information assets.

5. Information security and privacy. This again focuses on the trust proposition between patient and provider. Information security must be in place before information privacy can be assured. This means that every attempt must be made to secure PHI and PII in all three states: at rest, in motion, and in use. It means that the organization should conduct regular security awareness training (SAT), which can include staged phishing and spear phishing attacks to see if employees handle them properly, and to coach them on mistakes they may make during the test. Ransomware is also a problem. When rogue players launch ransomware attacks, they typically encrypt the storage drives of the healthcare organization and demand a modest payment by bitcoin. To offset this risk, a complete backup of your entire information system must be made daily and kept physically separate from your network, offline. Additional cyber-security hygiene measures are needed to protect information from damage, theft, or alteration by malicious outsiders and insiders, as well as from non-malicious (accidental) actions that may compromise information. For instance, an employee may lose a laptop with confidential information, but if proper IG policies are enforced using security-related information technologies, the information can be kept secure. This can be done by access control methods, data or document encryption, deploying information rights management (IRM) software, using remote digital shredding capabilities, and implementing enhanced auditing procedures. Information privacy awareness training should also be conducted, including updates on federal and state legal requirements. Information privacy is closely related to information security and is critical when dealing with PHI and PII and other sensitive information, such as race or religion.

6. Information accessibility. Information accessibility must be balanced with information security concerns. Information accessibility includes making the information as simple as possible to locate and access, which involves not only an intuitive user interface but also utilizing enterprise search principles, technologies, and tools. It further includes basic access controls, such as password management, identity and access management (IAM), and delivering information to a variety of hardware devices. Accessibility to information is essential not only in the short term but also over time. Maintaining patient records for perhaps decades requires consideration of long-term digital preservation (LTDP) planning, tools, and methods in accordance with international, technology-neutral standards. Today, LTDP capabilities can be provided through cloud service providers, which keep a number of copies of the information (5–6 typically) on Amazon or Microsoft cloud servers, spread around the world, to reduce the risk of loss. There are privacy implications to this global approach, especially with GDPR legislation, and they must be researched.

7. Information control. An enterprise RRS is a key foundational element of IG programs. Non-record information must also be categorized and scheduled. Then a standardized, automated LHN process must be put in place to assign data stewards and lock down information that may be requested in legal proceedings. In addition, key information control technologies must be deployed to control the access, creation, updating, and printing of data, documents, and reports. These technologies include several types of software: EHR, document management, document analytics, report management, and workflow. Additional security software including encryption should be deployed to protect confidential or sensitive information.
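One way the RRS and the legal hold lock-down described under principle 7 fit together in practice, as an added example that is not from the book: a small retention evaluator in which a legal hold always overrides the schedule. The record classes, retention periods, and sample records are constructed for illustration; a real RRS comes from legal and compliance review.

```python
"""Added example, not from the book: a minimal records retention schedule
(RRS) evaluator with a legal hold override, as described under principle 7.
The record classes, retention periods and sample records are constructed
for illustration; a real RRS comes from legal and compliance review."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed RRS: record class -> (retention in years, action when expired).
# Retention runs from the record's trigger date (last treatment, contract
# end, fiscal year close), not from its creation date.
RETENTION_SCHEDULE = {
    "patient_health_record": (10, "archive"),
    "business_email": (3, "destroy"),
    "vendor_agreement": (7, "destroy"),
}


@dataclass
class Record:
    record_id: str
    record_class: str
    trigger_date: date
    legal_hold: bool = False  # set by the legal hold notification (LHN) process


@dataclass
class Decision:
    record_id: str
    action: str  # "hold", "retain", "archive" or "destroy"
    eligible_on: date
    reason: str


def add_years(d: date, years: int) -> date:
    """Add whole years, mapping 29 Feb onto 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(record: Record, today: date) -> Decision:
    """Apply the schedule to one record; a legal hold always wins."""
    if record.record_class not in RETENTION_SCHEDULE:
        # Principle 7: non-record information must be scheduled too, so an
        # unscheduled class is a governance gap, not something to guess at.
        raise ValueError(f"{record.record_id}: unscheduled class {record.record_class!r}")
    years, expired_action = RETENTION_SCHEDULE[record.record_class]
    eligible_on = add_years(record.trigger_date, years)
    if record.legal_hold:
        # Disposing of held information invites a spoliation claim, so the
        # record stays locked regardless of how old it is.
        return Decision(record.record_id, "hold", eligible_on, "legal hold in effect")
    if today < eligible_on:
        return Decision(record.record_id, "retain", eligible_on, "retention period not expired")
    return Decision(record.record_id, expired_action, eligible_on, "retention period expired")


def evaluate_all(records: List[Record], today: date) -> Dict[str, Decision]:
    """Run the schedule over an inventory; returns decisions keyed by record id."""
    return {r.record_id: evaluate(r, today) for r in records}


# Constructed sample inventory and evaluation date.
SAMPLE_RECORDS = [
    Record("ehr-001", "patient_health_record", date(2010, 6, 1)),
    Record("mail-017", "business_email", date(2015, 1, 1)),
    Record("agr-042", "vendor_agreement", date(2011, 3, 1), legal_hold=True),
]
AS_OF = date(2019, 6, 1)

if __name__ == "__main__":
    for d in evaluate_all(SAMPLE_RECORDS, AS_OF).values():
        print(f"{d.record_id}: {d.action} (eligible {d.eligible_on}; {d.reason})")
```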

8. Information governance monitoring and auditing. Early on in the development of an IG program, a concerted effort must be made to develop metrics to objectively measure program progress and employee conformance with IG policies. To ensure that guidelines and policies are being followed, especially regarding patient privacy and cyber-security hygiene, information access and use must be monitored. To guard against claims of legal spoliation, the use of e-mail, social media, cloud computing, and report generation should be logged (recorded or archived) in real time and maintained as an audit record. Technology tools such as document analytics can track how many documents users access and print and how long they spend doing so.

9. Executive sponsorship. Once again, due to the cross-functional, collaborative nature of IG programs, this is the most crucial factor in IG program success. This is especially true in the healthcare arena, where various clinical specialties, which may have their own proprietary information systems, are represented. No IG effort will survive and be successful if it does not have an accountable, responsible executive sponsor. The sponsor must develop the business case for IG early on, establish a budget, then assemble the steering committee and drive the effort. The executive sponsor must pay periodic attention to the IG program, monitoring progress based on metrics and milestones. The IG program lead, or perhaps even a Chief IG Officer, manages the IG program on a day-to-day basis, bringing in the executive sponsor only when support is needed for a particular issue. The executive sponsor must clear obstacles for the IG program lead and IG steering committee, actively communicate the goals and business objectives that the IG program addresses, and keep upper management informed on progress, particularly when milestones are accomplished.

10. Continuous improvement. IG programs are not one-time projects but rather ongoing programs, akin to a workplace safety program. (In fact, the information security aspects of an IG program could actually be termed “information safety.”) The IG program is a major change management effort, which requires a major training and communications effort. Progress in the IG program must be reviewed periodically and adjusted to account for gaps or shortcomings, as well as changes in the business environment, technology usage, or business strategy.

Using these 10 principles as guidelines will help to communicate with stakeholders and the IG steering committee what IG is, why it is needed, what it involves, and how to fashion an IG program that is successful. It is essential to continually reinforce the importance of these principles during the course of an IG program, and measure how well the organization is doing in these 10 critical areas.

There are also other sets of principles that apply to IG efforts and can help provide a more complete understanding of IG programs, especially early in the IG program development process. These IG principles reflect, reinforce, and expand on the previous sets.

Recordkeeping Principles

Records and information management (RIM) and particularly health information management (HIM) are key facets of an IG program in healthcare, based on surveys of IG professionals and published case studies. In 2009, the records management association ARMA International published a set of eight Generally Accepted Recordkeeping Principles®, often referred to as “The Principles” 2 (or sometimes “GAR Principles”), to foster awareness of good recordkeeping practices. These principles have been used as the foundation for a maturity model, which is somewhat mischaracterized as an IG maturity model, since in fact it was clearly developed as a recordkeeping maturity model. As such, the status of an organization’s RIM program can be assessed on a scale of 1–5, with 1 being the lowest (Substandard) and 5 being the highest (Transformational). When the assessment is complete, an improvement roadmap can be developed to map out the steps needed to improve RIM functions.

In 2014, the American Health Information Management Association (AHIMA) adopted and adapted ARMA’s Generally Accepted Recordkeeping Principles® and renamed them, again somewhat inaccurately, the Information Governance Principles for Healthcare® (IGPHC). Mostly, the words “information governance” have been substituted for “recordkeeping,” but the definition of The Principles remains largely the same, and they can be applied to both clinical and nonclinical information recordkeeping across the healthcare enterprise.

The eight IGPHC® are:

1. Accountability. A senior executive (or person of comparable authority) oversees the IG program and delegates program responsibility to appropriate individuals. 3

2. Transparency. The processes and activities of an organization’s IG program are documented in a manner that is open and verifiable and is available to all personnel and appropriate interested parties. Documentation shall be made readily available to employees and appropriate third parties.

3. Integrity. An IG program shall be constructed so the information created, managed, or provided to the organization has a reasonable and suitable guarantee of authenticity and reliability. “Integrity of information, which is expected by patients, consumers, stakeholders, and other interested parties such as investors and regulatory agencies, is directly related to the organization’s ability to prove that information is authentic, timely, accurate, and complete. For the healthcare industry, these dimensions of integrity are essential to ensuring trust in information.” 4

4. Protection. An IG program must provide a reasonable level of protection for information against breaches, damage, theft, and internal bad actors, especially for information that is private, confidential, sensitive, secret, or classified, or for vital records which are critical to disaster recovery. All information, whether electronic or physical (e.g. paper, microfilm), must be appropriately protected from its initial creation throughout its lifecycle.

5. Compliance. The IG program shall be constructed to comply with applicable laws, regulations, standards, and the organization’s policies. All organizations must comply with applicable legal and regulatory requirements. “Some healthcare requirements warrant special attention and consideration. For example, laws governing privacy and confidentiality, and fraud and abuse are particularly important to healthcare organizations.” 5

6. Availability. An organization shall maintain information in a manner that ensures timely, efficient, and accurate retrieval. Being able to do so impacts stakeholder trust. Securely delivering the right information to the right people at the right time, a key tenet of IG, requires a focus on availability, balancing information access needs with cyber-security and privacy requirements and concerns.

7. Retention. An organization shall maintain its information for an appropriate time, taking into account legal, regulatory, fiscal, operational, risk, and historical requirements. Information must be available for retrieval during its active lifecycle, within its retention period. Information lifecycles must be managed for both clinical and nonclinical information, irrespective of its storage medium.

8. Disposition. An organization shall provide secure and appropriate disposition for information that is no longer required to be maintained by applicable laws and the organization’s policies. 6 Disposition includes not only destruction, but also transfer of ownership or long-term archiving of information. Disposition “applies not only to patient health records and data, but many other types of information such as meeting minutes, credentialing files, agreements, financial records, human resource information, and privileged information such as that related to quality assurance.” 7 Bear in mind that business units may request retention of information longer than is required by law or statute, for business reasons such as knowledge management (KM) or historical/longitudinal research.

The IGPHC apply to all sizes of healthcare organizations, in both the private and public sectors, and can be used to establish consistent practices across business units.

Information Security Principles

Principle of Least Privilege

The Principle of Least Privilege (POLP) is an important cyber-security maxim that means users should only be given the bare minimum permissions and information needed to do their job. 8 Under POLP, users are only given access to the files needed to perform their job function. POLP should be used to control who has access to which information, on which devices, and when.
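The "who, which information, which devices, and when" dimensions of POLP, as an added example that is not from the book: a deny-by-default access decision for PHI in which each decision is also appended to an audit trail, the monitoring called for under principle 8. Roles, device classes, the shift window, and the sample requests are all constructed for illustration.

```python
"""Added example, not from the book: a least-privilege (POLP) access
decision for PHI that checks who (role), which information (data class),
on which device and when, and appends every decision to an audit trail
(the monitoring called for under principle 8). Roles, device classes,
shift window and sample requests are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Constructed role -> data class -> permitted actions; each role gets only
# what its job function needs, and anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "attending_physician": {"phi": {"read", "update"}, "billing": {"read"}},
    "him_coder": {"phi": {"read"}, "billing": {"read", "update"}},
    "facilities": {},  # no PHI or billing access at all
}
# Constructed device policy: PHI may only be opened on managed, encrypted devices.
PHI_DEVICES = {"managed_workstation", "managed_tablet"}
# Constructed time window: PHI access outside the shift requires on-call status.
SHIFT_START, SHIFT_END = time(6, 0), time(22, 0)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    data_class: str
    action: str
    device: str
    when: datetime
    on_call: bool = False


AUDIT_TRAIL: List[Dict[str, object]] = []  # append-only; never edited in place


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate the request deny-by-default; returns (allowed, reason)."""
    permitted = ROLE_PERMISSIONS.get(req.role, {}).get(req.data_class, set())
    in_shift = SHIFT_START <= req.when.time() < SHIFT_END
    if req.action not in permitted:
        allowed, reason = False, "role not permitted this action on this data class"
    elif req.data_class == "phi" and req.device not in PHI_DEVICES:
        allowed, reason = False, "PHI not permitted on unmanaged device"
    elif req.data_class == "phi" and not (in_shift or req.on_call):
        allowed, reason = False, "PHI access outside shift window and not on call"
    else:
        allowed, reason = True, "least-privilege checks passed"
    # Every decision, allowed or denied, is recorded for later audit review.
    AUDIT_TRAIL.append({
        "ts": req.when.isoformat(), "user": req.user, "role": req.role,
        "data": req.data_class, "action": req.action, "device": req.device,
        "allowed": allowed, "reason": reason,
    })
    return allowed, reason


def denied_events() -> List[Dict[str, object]]:
    """Audit review helper: the denials a monitoring team would look at first."""
    return [e for e in AUDIT_TRAIL if not e["allowed"]]


# Constructed sample requests.
SAMPLE_REQUESTS = [
    AccessRequest("dr.ali", "attending_physician", "phi", "read", "managed_workstation", datetime(2019, 5, 6, 10, 15)),
    AccessRequest("dr.ali", "attending_physician", "phi", "read", "personal_phone", datetime(2019, 5, 6, 10, 20)),
    AccessRequest("j.lee", "him_coder", "phi", "update", "managed_workstation", datetime(2019, 5, 6, 11, 0)),
    AccessRequest("dr.ali", "attending_physician", "phi", "read", "managed_tablet", datetime(2019, 5, 6, 23, 30)),
    AccessRequest("dr.ali", "attending_physician", "phi", "read", "managed_tablet", datetime(2019, 5, 6, 23, 31), on_call=True),
    AccessRequest("m.ruiz", "facilities", "phi", "read", "managed_workstation", datetime(2019, 5, 6, 9, 0)),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.user, r.data_class, r.action, r.device, decide(r))
```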

The CIA Triad

The CIA triad (sometimes referred to as the AIC triad to avoid confusion with the U.S. government spy agency) depicts the three “most crucial components” of information security. 9

Confidentiality (roughly equivalent to IGPHC® #4, Protection) means that access to private and sensitive information is tightly controlled so that only authorized personnel have access to it. Integrity (the same as IGPHC® #3) means that information has a reasonable assurance of being accurate, reliable, and trusted, throughout its lifecycle. Availability (the same as IGPHC® #6) is the concept that information can be reliably and consistently accessed and retrieved by authorized employees, which requires that software patches and updates are implemented in a timely way, and that hardware is maintained regularly.

Privacy Principles

The Generally Accepted Privacy Principles (GAPP) were developed jointly by the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) through the AICPA/CICA Privacy Task Force. These principles can be used to guide the privacy aspects of an IG program. The field of information privacy is rapidly changing, and the International Association of Privacy Professionals (IAPP) is quite active globally with conferences, workshops, and training. Nevertheless, the 10 Generally Accepted Privacy Principles have been accepted by the privacy profession. The 10 Generally Accepted Privacy Principles and their criteria are: 10

1. Management

– The organization defines, documents, communicates and assigns accountability for its privacy policies and procedures.

Criteria:

• privacy policies define and document all 10 GAPP

• review and approval of changes to privacy policies conducted by management

• risk assessment process in place to establish a risk baseline and regularly identify new or changing risks to personal data

• infrastructure and systems management takes into consideration impacts on personal privacy

• privacy awareness training

2. Notice

– The organization provides notice of its privacy policies and procedures. The organization identifies the purposes for which personal information is collected, used and retained.

Criteria:

• communication to individuals

• provision of notice

• use of clear and conspicuous language

3. Choice and consent

– The organization describes the choices available to the individual. The organization secures implicit or explicit consent regarding the collection, use and disclosure of the personal data.

Criteria:

• communicating the consequences of denying/withdrawing consent

• consent for new purposes/uses of the personal data

• explicit consent for sensitive data

• consent for online data transfer

4. Collection

– Personal information is only collected for the purposes identified in the notice (see #2).

Criteria:

• document and describe types of information collected and methods of collection

• collection of information by fair and lawful means, including collection from third parties

• inform individuals if information is developed or additional information is acquired

5. Use, retention, and disposal

– The personal information is limited to the purposes identified in the notice the individual consented to. The organization retains the personal information only for as long as needed to fulfill the purposes, or as required by law. After this period, the information is disposed of appropriately.

Criteria:

• systems and procedures in place to ensure personal information is used, retained and disposed appropriately

6. Access

– The organization provides individuals with access to their personal information for review or update.

Criteria:

• confirmation of individual’s identity before access is given to personal information

• personal information presented in understandable format

• access provided in reasonable time frame and at a reasonable cost

• statement of disagreement; the reason for denial should be explained to individuals in writing

7. Disclosure to third parties

– Personal information is disclosed to third parties only for the identified purposes and with implicit or explicit consent of the individual.

Criteria:

• communication with third parties should be made known to the individual

• information should only be disclosed to third parties that have equivalent agreements to protect personal information

• individuals should be aware of any new uses/purposes for the information

• the organization should take remedial action in response to misuse of personal information by a third party

8. Security for privacy

– Personal information is protected against both physical and logical unauthorized access.

Criteria:

• privacy policies must address the security of personal information

• information security programs must include administrative, technical and physical safeguards

• logical access controls in place

• restrictions on physical access

• environmental safeguards

• personal information protected when being transmitted (e.g. mail, Internet, public or other non-secure networks)

• security safeguards should be tested for effectiveness at least once annually

9. Quality

– The organization maintains accurate, complete and relevant personal information that is necessary for the purposes identified.

Criteria:

• personal information should be relevant for the purposes for which it is being used

10. Monitoring and enforcement

– The organization monitors compliance with its privacy policies and procedures. It also has procedures in place to address privacy-related complaints and disputes.

Criteria:

• individuals should be informed on how to contact the organization with inquiries, complaints and disputes

• formal process in place for inquiries, complaints or disputes

• each complaint is addressed and the resolution is documented for the individual

• compliance with privacy policies, procedures, commitments and legislation is reviewed, documented and reported to management

These 10 principles can be applied by healthcare organizations to establish and maintain the privacy aspects of their IG programs.

Using these complementary sets of IG principles to educate stakeholders and guide the IG program helps keep the program’s scope focused and on track, which in turn helps ensure its success.

Chapter Summary: Key Points

■ The Sedona Conference Commentary on Information Governance provides 11 principles to consider when implementing IG programs.

■ Cross-functional collaboration is needed for IG policies to hit the mark and be effective.

■ Lines of authority, accountability, and responsibility must be clear for the IG program to succeed.

■ Adhering to good IG practices includes data governance techniques and technologies to ensure quality data.

■ Information form and formats should be standardized and classified according to a corporate taxonomy.

■ Sensitive information must be secured in its three states: at rest, in motion, and in use.

■ Information accessibility includes making it as simple as possible to locate and access info.

■ Deploy software to control the access to, creation, updating, and printing of information.

■ Information access and use must be monitored and audited, especially regarding confidential and sensitive information.

■ No IG effort will survive and be successful if it does not have an accountable, responsible executive sponsor.

■ IG programs are not one-time projects but rather ongoing programs.

■ AHIMA’s Information Governance Principles for Healthcare® (IGPHC) can be used to guide HIM programs and as a general reference for HIM and RIM aspects of IG programs.

■ The Principle of Least Privilege (POLP) is an important cyber-security maxim that means users should only be given access to the bare minimum permissions and information needed to do their job.

■ The CIA information security triad includes Confidentiality, Integrity, and Availability, three principles which can be mapped back to the IGPHC® from AHIMA.

■ Patient privacy is a major issue in healthcare and a key aspect of IG programs. Privacy considerations should be injected into daily business processes. The 10 Generally Accepted Privacy Principles provide guidance for privacy programs.

Notes

1. “The Sedona Conference Commentary on Information Governance,” The Sedona Conference, October 2014, https://thesedonaconference.org/publication/The%20Sedona%20Conference%C2%AE%20Commentary%20on%20Information%20Governance.

2. “Generally Accepted Recordkeeping Principles,” ARMA International, 2009, www.arma.org/garp/copyright.cfm.

3. “Information Governance Principles for Healthcare (IGPHC),” AHIMA, 2014, http://www.ahima.org/~/media/AHIMA/Files/HIM-Trends/IG_Principles.ashx.

4. Ibid.

5. Ibid.

6. “Information Governance Maturity Model,” ARMA International, 2009, www.arma.org/garp/Garp%20maturity%20Model%20Grid%20(11x23).pdf.

7. “Information Governance Principles for Healthcare (IGPHC),” AHIMA, 2014, http://www.ahima.org/~/media/AHIMA/Files/HIM-Trends/IG_Principles.ashx.

8. Margaret Rouse, “Principle of Least Privilege,” TechTarget.com, http://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP.

9. Margaret Rouse, “Confidentiality, Integrity, and Availability (CIA Triad),” TechTarget.com, http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA.

10. “Generally Accepted Privacy Principles (GAPP),” CIPPGuide.org, https://www.cippguide.org/2010/07/01/generally-accepted-privacy-principles-gapp/.
