Chapter 4

Who Should Be Part of an Information Governance Team?

IG programs require cross-functional collaboration; however, IG teams or steering committees from each individual healthcare organization will have a slightly different makeup depending on program focus and objectives, organizational IG maturity, staffing, budget resources, competitive posture, and other factors.

A formal IG Program Charter must be drafted and signed off on by the executive sponsor. The program charter lays out the purpose and scope of the program, goals and objectives, reporting structure of the IG steering committee, SMEs and sub-committees, frequency of meeting, and other key guidelines.

Selection of the executive sponsor is a critical starting point. The executive sponsor must make the business case for the IG program and make IG steering committee selections along with the IG Lead. It is advisable that a deputy or associate executive sponsor also be named to build in durability and continuity to the IG program, in the event that the executive sponsor leaves or is terminated. This is also true of the IG Lead.

IG Is an Umbrella Program

IG can be thought of as an overall umbrella program that manages or “governs” information access, risk, quality, protection, privacy, and the information lifecycle across the enterprise. IG is a broad policy framework for enforcing information compliance and accountability, with progress measured by agreed-upon metrics. These metrics must be developed with the input of stakeholders so that they are not only relevant and meaningful, but also accepted by the end users and IG team members.

Having better quality and more trusted information helps improve decision-making and compliance capabilities while reducing information risk. Formally embedding an IG program ensures that resources, including budget and management time, are spent to maximize information value while minimizing information risks and costs.

Leveraging Models and Frameworks

There are several IG models and frameworks that can help to inform the selection and development of an IG steering committee.

The IG Reference Model

The core IG steering committee group must include Legal, IT, HIM and RIM, Cyber-security, and Privacy, at a minimum, provided the organization has these basic functions represented in the organizational structure. (And if these functions are not represented in an organization of today, they should be.)

There is precedent for this foundational structure, when looking at the Information Governance Reference Model (IGRM). The IGRM is a simple graphic tool developed by EDRM.net, ARMA International, and the Compliance, Governance, & Oversight Council (CGOC) in consultation with thousands of end users. The IGRM graphically displays the key impact areas of IG programs, shows unified governance and process transparency, and depicts the relationship between information assets, duty, and value, which can help to educate IG program stakeholders early on and to spur discussion of IG’s cross-functional nature. 1

Take note that there is one more group depicted, which is “Business” or business units. The key business unit(s) included in the IG program may reflect a focus on data governance, EHR governance, patient privacy, or reducing legal costs, and will vary based on a particular healthcare organization’s structure, business objectives, and business scenario. Business units provide critical input in IG policy development efforts.

HIM and the governance of EHR information are fundamental to reducing medical mistakes, improving patient outcomes, improving patient satisfaction and retention, reducing litigation and associated costs, and improving overall population health. There may be other business units that are high priority, such as the Business Office function, where improvements in operational efficiency can yield significant economic benefits. Beyond that, business units with the highest litigation costs or most difficulty with finding information for everyday tasks, litigation requests, or compliance audits are good places to look for high priority pilot projects under the umbrella of the overall IG program.

Some additional key departments that should be represented on the next tier of the IG steering committee (depending on the organizational structure and business scenario) may be:

Finance/CFO. Often overlooked is the idea that poor IG can lead to major data breaches and dramatic losses in patient/customer confidence, revenues, and market value of the organization. The case can be made that the CFO shares a fiduciary responsibility to ensure that proper IG controls are in place to help safeguard the organization’s information assets. Also, the CFO will know the status of budgets and can possibly make adjustments or transfers to invest in needed IG program steps. And once IG controls are in place, Infonomics principles may be applied to gain new value or even monetize information.

Chief Data Officer (CDO)/Data governance. As quality clinical data is critical for delivering value and improving patient outcomes and overall population health, this is a key role. All other downstream reports and analytics depend on having clean, accurate, non-duplicate data, so it is critical to have a data governance effort that focuses on capturing accurate data at the source. This can be challenging in healthcare, with the variety of proprietary clinical and laboratory devices that do not always adhere to industry standard data formats.

Risk management. Managing information risk is core to IG efforts. You can see “Risk” noted as a focus in the IGRM graphic under “Legal,” “Privacy & Security,” and “RIM.” If the organization has a formal risk management department, their involvement in the IG program will be valuable. Some organizations may wish to use the ISO 31000 Risk Management standard to guide efforts.

Compliance. HIPAA compliance is critical and HIPAA audits can result in major fines. Compliance efforts focus both externally, regarding regulations and statutory requirements, and internally, to ensure employees follow company policies and procedures, as well as externally imposed requirements.

Human resources. Since IG programs are change management (CM) efforts, HR is central to the communications and training strategy to help embed IG considerations like privacy and security into routine business processes. Emphasizing compliance with IG policies and procedures in employee performance reviews will involve working with HR to develop meaningful metrics. Training should be conducted regularly and consistently, using multiple modalities.

Change management. If the organization has a formal CM function, this group can play a key role, as all IG programs are fundamentally CM efforts. Often an external consultant can assist in developing the CM plan to complement IG efforts.

Analytics. Applying advanced analytics to clean, accurate data can yield a variety of benefits in healthcare, namely the improvement of clinical outcomes and financial performance. Additional advances can be made in improving patient satisfaction and perhaps even some new insights and innovations in patient care. Further, there may be new ways to improve operational efficiency, and beyond that, monetize and leverage aggregated or anonymized data with suppliers or business partners. “Harnessing the value of information is one of the foundational purposes of IG, but an IG program also must balance the goals of analytics against information risks and retention requirements.” 2

Audit. The Audit department can play a key role in measuring IG program progress based on meaningful, pre-established metrics which have been developed and approved by the IG team. Metrics provide management feedback for continual improvement and program fine-tuning. Audit findings can provide crucial input for decision-making within an IG program.

Introducing the Information Governance Adoption Model™ for Healthcare

In February 2016, AHIMA launched healthcare’s first Information Governance Adoption Model™ (IGAM) via IGHealthRate™, an assessment tool. 3 The IGAM is an extension and expansion of the IG Reference Model, although it does not go so far as to diagram inter-relationships and reflect the roles of risk (specifically, information risk) and change management, which are key components of IG programs.

The IG Adoption Model™ can help spur discussion in the beginning stages of IG program planning, and can also assist in highlighting key areas for representation in the IG Program Steering Committee.

According to AHIMA, the 10 IG organizational competencies depicted in the model can be assessed based on key markers on a scale of IGAM Level 1™ (lowest, least mature) to IGAM Level 5™ (highest), to determine maturity levels and to conduct a gap analysis to determine the tasks needed to move the organization up the maturity scale to the desired level of improvement.

Analyzing the IGAM™ for IG Team Staffing

In the IGAM™ we can see that, as with the IG Reference Model, Privacy and Security are represented, as is Legal & Regulatory. Also, Data Governance and Analytics are represented, furthering the argument to include representation of these functions on the IG steering committee. IT governance, that is, leveraging frameworks (e.g. CoBIT5) in the IT department to make it more efficient and accountable, while getting results that contribute to organizational business objectives, is also represented. The employee in charge of IT governance, likely the CIO, should be considered a major stakeholder. The CIO is also accountable for enterprise information management (EIM), a major aspect of IG.

IG structure and strategic alignment are mostly responsibilities of the executive sponsor and IG Lead, with input from the entire committee. IG performance could be measured quantitatively by the CFO or an internal audit professional, and monitored by the Executive Sponsor.

IG awareness is largely the job of the Executive Sponsor and IG Lead, with assistance from HR or the training department. IG Adherence and IG Performance should be monitored by the Executive Sponsor using established metrics, perhaps audited by the CFO or an internal auditor.

In Summary

It is abundantly clear that implementing IG programs requires a cross-functional approach to facilitate sharing and leveraging information. IG has a wide reach and effective IG brings together stakeholders from across the organization and builds on their synergies to better govern and optimize information.

Information governance programs are heavily focused on information quality, security, and privacy. As a cross-functional discipline, it is challenging to muster and manage scarce resources to address enterprise issues that do not belong clearly to established functional groups like IT or Legal. Managing and prioritizing these information asset challenges requires the same type of planning and control used historically for deploying and managing capital assets. Managing and leveraging information assets means that new opportunities and value may be found that can provide a sustainable competitive advantage to the organization. 4

Major Executive Sponsor Role

Throughout this book, one key fact is emphasized repeatedly: Securing a sponsor at the executive management level is critical—it is the most important factor for IG success. In fact, it is so important it may be advisable to name a separate deputy executive sponsor, or to have the IG steering committee chair also serve as a deputy or co-executive sponsor.

Strong executive sponsorship is a key IG Best Practice. Program failure is a great risk without an active and engaged executive sponsor. Such a program likely will fade or fizzle out or be relegated to the back burner. Without strong high-level leadership, when things go awry, finger pointing and political games may take over, impeding progress and cooperation.

According to studies, the two most common IG executive sponsors are General Counsel and the CIO. Sometimes IG programs are led by an organization’s General Counsel, and they may be well-versed in privacy law, but they may not have the technology competencies to understand exactly how to apply complex new IG-enabling technologies, and they may have a basic understanding of retention schedules but are not well-versed in HIM Best Practices. Sometimes IG programs are led by the CIO, who may be well-versed in security and aware of privacy issues, but often CIOs and HIM managers don’t speak the same language: a “record” means something totally different to a CIO than to a HIM manager; also, legal research is not the CIO’s job and the general counsel will always have to make those decisions anyway.

Executives must be on board and a primary executive sponsor driving the IG effort is needed in order to garner the necessary resources to develop and execute the strategic IG plan. That executive must be held accountable for the development and execution of the plan.

Resources are needed—time, human capital, budget money, new technologies. The first is a critical element: It is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict and consistent follow-up, support, and communication. In fact, IG program progress should be measured in performance reviews of key players on the IG steering committee and for stakeholder groups.

The executive sponsor serves at least six key purposes in an IG program:

1. Budget. The executive sponsor ensures an adequate financial commitment is made to see that project milestones are met and lobbies for additional expenditures when change orders are made or cost overruns occur.

2. Planning and control. The executive sponsor sets direction and tracks accomplishment of specific, measurable business objectives.

3. Decision-making. The executive sponsor makes or approves crucial decisions and resolves issues that are escalated for resolution.

4. Expectation management. The executive sponsor must manage expectations, since success is quite often a stakeholder perception.

5. Anticipation. Every project that is competing for resources can run into unforeseen blockages and objections. Executive sponsors run interference and provide political might for the IG Lead or program manager (PM) to lead the project to completion, through a series of milestones.

6. Approvals. The executive sponsor signs off when milestones and objectives have been met and signs contracts for the acquisition of new information technologies and services.

The higher level the executive sponsor is in the organization, the better. The CEO wields the most authority, and some IG programs are sponsored by the CEO, particularly where there has been a major breach, costly litigation, or major regulatory fines. With CEO sponsorship come many of the key elements needed to complete any successful project, including allocated management time, management priority, and budget money.

Critical and Sometimes Fickle Executive Sponsor Role

There may be a clear executive sponsor at some point early on but when that person realizes they will be held accountable for the performance of groups outside their direct control (and competitors at their corporate level can then sabotage progress), they might look for cover and find a way to postpone, de-prioritize, or kill the IG program. Focusing efforts on clearly established business objectives will largely reduce this inherent problem of conflicting agendas. (Having a deputy executive sponsor will also shore up the executive sponsor role.)

Sometimes all an unenthusiastic executive sponsor has to do is wait for the natural inertia of the over-sized and lethargic IG steering committee to weigh things down, and soon other projects and programs that are more routine and cost-justifiable in the short term take resources from the IG effort. It then may fade into the background until there is a new litigation disaster, major compliance failure, massive security breach, or other such negative IG drivers.

According to surveys and research, the implementation of an IG program is more and more often being driven by the Legal department, General Counsel or Assistant General Counsel, or the chief information officer (CIO). Other IG programs may be led by the chief risk officer, chief information security officer (CISO), or, ideally, as the Sedona Conference has recommended, a Chief IG Officer (CIGO).

The CIGO must have the mandate and authority to drive the program forward and should have overlapping skillsets that include expertise in e-discovery, cyber-security, information privacy, data governance, health information management (HIM) and general records management, IT, and business operations.

The Emerging Role of the CIGO

A key challenge is that because of the interdisciplinary requirements for implementing IG, no one seems to want to own IG. It touches on parts of the strengths of a CIO or General Counsel or HIM Manager or Information Security Manager or Chief Compliance Officer, but it also requires that they go out of their comfort zone into new areas.

So where should IG reside? Who should be in charge of an IG program?

There is a need for a new job title to pull all these disciplines together into a cohesive IG program: CIGO. This has been promoted by the Sedona Conference® and other organizations.

The CIGO should be a highly competent manager who has broad operations experience and competencies: near-expert not only in IT, but also legal and compliance issues, data governance tools and methods, HIM issues, privacy issues, information security tools and techniques, and business issues. They must also have outstanding communications and management skills. That is a challenging job description.

A CIGO can act in a coordinating function, but lacking authority, their efforts will likely be met with resistance. Because of its requirements, the organization can leverage the authority of the executive sponsor, or even consider granting the CIGO authority over the CIO, chief information security officer (CISO), chief privacy officer (CPO), and even CFO. The CIGO could be very nearly a chief operations officer (COO), and that is an option for whom the CIGO reports to, if not the EVP of Risk—or even the Administrator or CEO. It is a crucial job that mostly is not being filled. However, there is a great need for it, and due to its focus, a well-prepared CIGO could lead the IG effort and produce consistent, tangible results.

Assigning Team Roles and Responsibilities

The executive sponsor must designate an IG Lead or program manager—perhaps even a Chief IG Officer—and depending on the focus of the IG effort, that person could come from one of several areas including legal, infosec, risk management, HIM/records management, or IT.

When assigning the roles and responsibilities of the remainder of the IG team, the easy decision is to have IG team representatives take responsibility for the functional areas of their expertise. Nevertheless, there will be overlap, and it is best to have some pairs or small workgroups teamed up to gain the broadest amount of input and optimum results.

This will also facilitate cross-training. For instance, inside legal counsel may be responsible for rendering the final legal opinions, but not being an expert in HIM or document management or risk management means they could benefit from input of others in specialized functional areas, which will inform them and help narrow and focus their legal research. So when performing the basic research as to which regulations and laws apply to the organization regarding security, retention, and preservation of patient records and PII, the initial research could be conducted by the HIM or records management head, in consultation with the corporate archivist and CIO, with the results of their findings and recommendations drafted and sent to the legal counsel. The draft report may offer up several alternative approaches that need legal input and decisions. Then the legal department can conduct their own, focused research, and make final recommendations with consideration given to the organization’s legal strategy, business objectives, financial position, and applicable laws and regulations.

The result of the research, consultation, and collaboration of the IG team should be a final draft of the IG strategic plan (see Chapter 9 for more detail). It will still need more input and development to align the plan with business objectives, an analysis of internal and external drivers, applicable Best Practices, competitive analysis, applicable information technology trends, an analysis and inclusion of the organization’s culture, and other factors.

Caveat: The Importance of a Tiered IG Steering Committee for Expediency

When reviewing research and anecdotal observations on IG programs it is clear that often IG efforts are slow to start, can get delayed or put on hold, and then re-start, and that sometimes the IG effort is abandoned, put on a shelf. Then later, executives realize that the “IG problem” (e.g. deaths and injury from medical mistakes, non-compliance fines, risks of colossal information breaches, soaring litigation costs, failure to capitalize on emerging opportunities by leveraging analytics) is not going away—so the IG program re-starts again.

One of the root causes of sluggish IG efforts is the basic failure to structure the IG steering committee properly, and to consider the realities of group dynamics, corporate politics, scheduling, and program management.

Since IG efforts are by nature cross-functional and require the involvement of key stakeholder groups, IG steering committees can become large and unwieldy. Also, the politics can become crippling, causing progress to slow and threatening the continuation of the IG program.

In practice, there have been IG steering committees of 15, 18, even 20 or more individuals representing the various functional groups in a large organization. Managing the needs and inputs of this broad swath of stakeholders is inherently challenging.

Due to the expanse of an IG program, the IG program team or steering committee should be set up with a tiered structure. The core departments driving the IG program, or “top tier” should be: 5

Legal. Because legal considerations are paramount, the legal department must be deeply involved and perhaps lead the IG program. Legal is best represented at a high level by the General Counsel, Assistant GC, or a senior legal officer. Legal costs and liabilities can soar with poor IG, further underscoring the importance of efficient legal functions. Further, Legal must implement “litigation response protocols” and drive e-discovery efforts—which inherently involve IT and records management policies, two other core stakeholders in IG programs. The legal department also must provide guidance on privacy breach response protocols and render opinions on privacy matters to ensure compliance.

Information technology. IT is key to IG efforts, as IG requires IT for data and IT governance, and for tracking sensitive information, applying automated controls, auditing, implementing business process redesign, and more. Organizations must leverage IT to improve efficiencies and monitor the effectiveness of the IG program. Also, IT must work with Legal, HIM, and RIM to preserve the organization’s electronically stored information (ESI) in legal matters.

Health Information Management (HIM) and Records and Information Management (RIM). The HIM department is responsible for managing patient health records in accordance with privacy laws and retention regulations. Safeguarding these records is mission-critical and a key factor in maintaining patient trust. RIM is responsible for maintaining corporate business records to ensure compliance with applicable statutory and regulatory requirements. HIM and RIM must also work with Legal to execute e-discovery functions.

Information Security. “InfoSec” or “cyber-security” is responsible for keeping the organization’s databases and confidential information secure, and providing policy input, techniques, and IT to prevent the loss of intellectual property (IP). InfoSec has played an increasingly greater role in IG programs due to colossal data breaches, privacy concerns, and reputational risk.

Privacy. The Privacy group must conduct research and provide policy guidance for the handling of protected health information (PHI), personally identifiable information (PII), credit card information (PCI), and other sensitive patient and employee information. The goal is to have privacy considerations “baked in” to everyday business processes, so that “privacy by design” may be achieved. 6 This is a key aim of IG programs.

The tiered strategy can be employed to make these IG planning teams more effective, agile, and accountable: A tiered IG steering committee with staggered meeting requirements will bring in only those needed to a meeting, while not wasting everyone else’s time.

Otherwise, the IG program initiative will follow the same predictable and sluggish cycle it did before, only with a slightly different set of players.

Below are some guidelines for structuring an IG steering committee for better results:

1. Recruit a strong executive sponsor (and perhaps a deputy executive sponsor). A clear leader who has authority can help focus IG efforts and deliver results in the form of early wins to keep feeding and growing the IG program. The executive sponsor should be apprised of progress and should sign off on milestones and major policy decisions as they are presented to them by a small subset of leaders from the IG steering committee. Due to the importance of the executive sponsor, and the fact that turnover does occur and can hinder program progress, it is advisable to consider naming a “deputy” executive sponsor as a backup support.

2. Form a high-level “decision committee.” This can be a group of three, four, or at the most, five leaders from the functional areas most involved in IG efforts. They are the ones who are to be held accountable for delivering results and keeping the IG program on track. They should meet regularly, probably weekly, to drive the IG program forward. Their focus should be on focus, that is, directing the efforts of the IG steering committee and delegating specific tasks to ensure tangible results are delivered from small early wins and the IG program expands in a logical way that focuses on meeting business objectives.

3. Form subject matter expert (SME) teams using cross-functional team members. In a sort of matrix organizational structure, create teams to center effort on key areas of IG impact, and to cross-train each other. For instance, the e-discovery readiness team should include members from Legal staff, but also (depending on the business scenario) HIM, Records Management, IT, and perhaps the business unit that is most involved or embroiled in litigation. The Data Governance (DG) SME team must include the DG lead, but also members from Privacy, Security, IT, and key business units. Recommendations from the SME teams should be made to the decision committee for final deliberation, and then presented to the executive sponsor for sign-off and approval (or rejection to re-work the approach).

4. Keep all members of the IG steering committee updated. Committee members should be regularly updated on program status, progress, and decisions. Do not waste committee members’ time with a meeting when an e-mail or update to the intranet or collaborative site will do.

5. Convene the entire IG steering group only when necessary—perhaps every two weeks in the initial phases of the IG program, and then at least monthly following the IG program launch. The meeting of the entire group should be scheduled so that it does not conflict with IG steering committee members’ schedules to the extent possible.

Additional tips: For those who cannot attend a formal IG program meeting, provide a video conference or at least a conference call link, and for those who cannot attend even remotely, a recording of the meeting. Do not allow excuses for non-participation. Also, ensure that tasks and progress of the IG program effort are tied directly to stated business objectives.

Stay focused and do not waste IG steering committee members’ time. Lay out a reporting and meeting schedule that makes sense and structure the IG team into more agile, accountable units which can meet on their own and not waste others’ time.

Chapter Summary: Key Points

■ Implementing IG programs requires a cross-functional approach.

■ The IG Reference Model provides a starting point for IG steering committee staffing.

■ The IG Adoption Model™ from AHIMA can assist in IG steering committee staffing decisions, and also in planning and IG maturity assessments.

■ The top tier of an IG steering committee should include: Legal, IT, HIM/RIM, Information Security, and Privacy.

■ A tiered IG steering committee keeps it more nimble and able to make decisions.

■ Due to the interdisciplinary requirements for implementing IG, no one wants to own IG.

■ IG programs require a strong executive sponsor.

■ Chief IG Officer (CIGO) is a new title for a person heading up IG programs.

■ The CIGO must be proficient in legal issues, cyber-security, HIM, privacy, and more.

Notes

1. “Information Governance Reference Model,” EDRM.net, https://www.edrm.net/frameworks-and-standards/information-governance-reference-model.

2. Jason R. Baron and Amy R. Marcos, “Information Governance: Establishing a Program and Executing Initial Projects,” Practical Law, October/November 2015, 24–33 (pp. 27–28).

3. “Information Governance Offers a Strategic Approach for Healthcare (Updated),” Practice Brief, Journal of AHIMA 86, no. 11 (November 2015): 56–59.

4. Ibid.

5. Jason R. Baron and Amy R. Marcos, “Information Governance: Establishing a Program and Executing Initial Projects,” Practical Law, October/November 2015, 24–33 (p. 26).

6. Ann Cavoukian, “The 7 Foundational Principles,” PrivacyByDesign.ca, January 2011, https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf.
