Strategic Planning and Best Practices for IG
Start with Business Objectives
The IG team should begin their strategic planning process by listing and prioritizing key organizational objectives. These objectives may be quite broad; keep the list short. Then, put questions up for discussion such as:
“What discrete projects can we form and execute to contribute to the accomplishment of our overall business objectives?”
“What information do we need to help complete and maintain these projects?”
“How long will the information have business value?”
“How can we leverage the business value of this information?”
and so forth.
Align the IG Plan with Strategic Plans
The IG plan must support the achievement of the organization’s business objectives, and therefore should be melded into the overall strategic plan for the organization. Integration with the strategic plan means that pursuing the business objectives in the IG plan are consistent with, and in support of, the enterprise strategic plan.
So, for example, if a particular medical center has been hit with some major lawsuits due to medical mistakes, then a program emphasizing data governance and data quality would directly address medical error issues. Perhaps a new Chief Data Officer position is created, and perhaps new software is needed for data cleansing and scrubbing to reduce the incidence of inaccurate data.
Or if the corporate strategy includes plans for acquiring smaller competitors and folding them into the organization’s structure as operating divisions, then the IG plan must assist and contribute to this effort. Plans for standardizing operating policies and procedures among the new acquisitions must include a consistent, systematized approach to key principles of IG, including stakeholder consultation, user training and communications, and compliance audits.
The IG plan should bring a standard approach across the spectrum of information use and management within the organization and must be forged to accommodate the new acquisitions. This means that patient ID verification policies, privacy notices and policies, litigation readiness policies—even general office policies for e-mail, mobile device use, social media use, cloud collaboration, and storage use—must be consistent and aligned with the overall strategic plan. In other words, the goal is to get all employees on the “same page” and working to support the business objectives of the strategic plan in everyday small steps within the IG plan.
The organization will also have an IT strategic plan, which must be aligned with the organizational strategic plan to support overall business objectives. The IT strategy may be to convert new acquisitions to the internal financial and accounting systems of the organization, and to train newly-acquired employees to use the existing software applications under the umbrella of the IG plan. Or the IT plan may be to move to cloud computing, so cloud-based solutions should be focused upon primarily. Again, the IG plan needs to be integrated with the IT strategy and must consider the organization’s approach to IT.
The result of the process of aligning the IG effort with the IT strategy and the organization’s overall strategic plan will mean, ideally, that employee efforts are more efficient and productive since they are consistently moving toward the achievement of the organization’s overall strategic goals. The organization will be healthier, and will have less dissent and confusion, with clear IG policies that leverage the IT strategy and help pursue overall business objectives.
There are further considerations that must be folded into the IG plan. As every corporate culture is different, and has a real impact on decision-making and operational approaches, it must be considered. Corporate culture includes the organization’s appetite for risk, its use of IT (e.g. forward thinking “first adopter”), its capital investment strategies, and other management actions.
If, say, the organization is conservative and risk averse, it may want to hold off on implementing some emerging e-discovery technologies that can cut costs but also introduce greater risk. Or, if it is an aggressive, progressive, risk-taking organization, it may opt to test and adopt newer e-discovery technologies, under the IT strategy and the umbrella of IG policies. An example may be the use of predictive coding technology in early case assessment (ECA). Predictive coding uses text auto-classification technology and neural technology with the assistance of human input to “learn” which e-documents might be responsive in a particular legal matter, and which may not be. Through a series of steps of testing and checking subsets of the documents, human experts provide input to improve the sorting and selection process. The software uses machine learning (artificial intelligence whereby the software can change and improve on a particular task, as its decision engine is shaped and “trained” by input) to improve its ability to cull through and sort documents.
Predictive coding can reduce e-discovery costs, yet there are risks that the approach can be challenged in court and could, in fact, affect the case adversely. So it is clear to see how a decision on a technology like predictive coding can involve and include elements of the IG plan, IT strategy, and overall organizational strategic plan.
And there are resource issues to consider: How much management time or “bandwidth” is available to pursue the IG plan development and execution? Is there a budget item to allow for software acquisitions and training and communications to support the execution of the IG plan? Obviously, without the allocated management time and budget money, the IG plan cannot be executed.
Survey and Evaluate External Factors
The IG plan is now harmonized and aligned with the organization’s strategic plan and IT strategy, but you are not finished yet, because it cannot survive in a vacuum: organizations must analyze and consider the external business, legal, and technological environment and fold their analysis into their plans.
Analyze Information Technology Trends
IG requires IT to support and monitor implementation of polices, so it matters what is developing and trending in the information technology space. What new technologies are coming online? Is the organization tracking the use of blockchain, artificial intelligence (AI), and the Internet of Things (IoT) in healthcare? Why are they being developed and becoming popular? How do these changes in the business environment that created opportunities for new technologies to be developed affect the organization and its ability to execute its IG plan? How can new technologies assist? Which ones are immature and too risky? These are some of the questions that must be addressed in regard to the changing information technology landscape.
Some changes in information and communications technology (ICT) are rather obvious, such as the trends toward mobile computing, tablet and smartphone devices, cloud storage, and social media use. Each one of these major trends that may affect or assist in implementing IG needs to be considered, and again, this must be done within the framework of the organization’s strategic plan and IT strategy. If the corporate culture is progressive and supportive of remote work and telecommuting, and the organizational strategy aims to lower fixed costs by reducing the amount of fixed office space for employees and moving to a more mobile workforce, then trends in tablet and smartphone computing that are relevant to the organization must be analyzed and considered. Is the organization going to provide mobile devices, or support a bring-your-own-device (BYOD) environment? Which equipment and technologies will be supported? iOS, Android, or both? What is the policy going to be on phone jacking/modification? What is the IG policy regarding confidential documents on mobile devices? Will the organization use encryption extensively? If so, which software? Is the enterprise moving to the cloud computing model? Utilizing social media? What about Big Data? Is the organization going to consider deploying auto-classification and predictive coding technologies? What are the trends that might affect the organization?
There are many, many questions that must be addressed, but the evaluation must be narrowed down to those technology trends that specifically might impact the execution of the IG plan, and rollout of new technology.
On a more granular level, evaluate even supported file and document formats. It gets that detailed, when crafting IG policy. For instance, PDF/A is the standard format for archiving electronic documents. So plans must include long-term digital preservation (LTDP) standards and Best Practices.
Survey Business Conditions and Economic Environment
If the economy is on a down cycle, and particularly if the healthcare business sector has been negatively affected, resources may be scarcer than in better times, and hence, it may be more difficult to get budget approval for necessary program expenses, such as new technologies, staff, contractors, training materials, and so forth. This means the IG plan may need to be scaled back, or its scope reduced. Implementing the plan in a key division rather than attempting an enterprise rollout is the best tactic in tough economic times, and at all times, actually. Start small.
But if things are booming, and the business is growing fast, then budget money for investments in the IG program may be easier to secure, and the goals may be expanded.
IG should be an ongoing program, but it takes time to implement, and it takes resources to execute, audit, and continue to refine. So an executive looking for a quick and calculable payback on the investment may want to focus on narrower areas. For instance, the focus may be entirely on security awareness training, or the legal hold and e-discovery process initially, with business objectives that include reducing pre-trial costs and attorney fees by a certain percentage or amount. It is much easier to see concrete results when focusing on e-discovery, since legal costs are real, and will always be there. However, if the IG effort is broader and improves the ability to organize and search for information faster, and to execute more complete searches to improve the basis for management decision-making, the business case may be more difficult to make. Improved management decision-making will improve the organization’s competitiveness long term, but it may be difficult to cite specific examples where costs were saved or revenues were increased as a result of the “better decisions” that should come about through better information governance.
Analyze Relevant Legal, Regulatory, and Political Factors
In consultation with the legal team or lead, the laws and regulations that affect the organization’s segment in the healthcare industry should be identified. Narrowing the scope of the analysis, those that specifically could impact the governance of information should be considered and analyzed. What absolute requirements do they impose? Where there is room for interpretation, where, legally, does the organization want to position itself? How much legal risk is acceptable? These are the types of questions that legal and risk management professionals can assist in making. Again, legal requirements trump all others.
The decision process must include considerations for the future and anticipated future changes. Changes in the legal and regulatory environment happen based on the political leaders who are in place, and any pending legislation. Therefore, go further and analyze the current political environment, and make some judgments based on the best information, the organization’s culture and appetite for risk, management style, available resources, and other factors. Generally, a more conservative environment means less regulation, and this analysis must also be folded into the IG strategic plan.
Survey and Determine Industry Best Practices
Information governance is a developing hybrid “super discipline” that is a superset of data governance cyber-security, information privacy, HIM and records management, e-discovery, analytics, and more. IG emerged to help manage the explosion in the amount of information that must be managed in today’s increasingly regulated and litigious business environment. As such, Best Practices are still being formed and expanded. This process of testing, proving, and sharing Best Practices will continue for the next decade as Best Practices are expanded, revised, and refined.
The most relevant study of IG Best Practices is one that is conducted for the organization which surveys the organization’s segment of the healthcare industry and even what some of its more progressive competitors are doing in regard to IG. Often, engaging a third-party consultant is the best way to get this accomplished, since they can more easily contact, interview, and research competitors’ practices. But also, there is assistance available from trade associations such as HIMSS, AHIMA, and others which can provide some consensus as to emerging Best Practices in healthcare IG.
Below is a sampling of broad IG Best Practices that will help guide the program. These are a starting point; you must conduct research and uncover Best Practices specific to the goals of the IG program to make them meaningful guidelines to drive the IG effort:
1.Executive sponsorship is crucial. Securing an executive sponsor at the senior management level is key to successful IG programs. It is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict. The executive sponsor must own the business case for the IG program and have a long-term vested interest in its success. It is advisable to also have a deputy executive sponsor to help support the program and assure the durability of IG program leadership.
2.Establish a cross-functional IG council or steering committee. There must be a holistic view of information use in the organization, which seeks to leverage it as an asset and to reduce its risks and costs. At a minimum, there must be representation from Legal, HIM, IT, Privacy, Information Security, Finance, and Human Resources, and depending on the organization and its focus, perhaps other key groups such as Risk Management, Data Governance, Analytics, Knowledge Management, and more.
3.Create a formal IG Program Charter for guidance. It should include the overall mission and goals of the IG program and should list IG committee members and their basic responsibilities, as well as the meeting schedule. It also should show the reporting structure of the IG committee members and delineate their basic program responsibilities. It is advisable to form a small, top-tier “decision committee” to facilitate decisions and recommendations made to the executive sponsor. The IG Program Charter should be signed off on by the executive sponsor.
4.Develop an overall organizational strategy for the IG program. This will ensure there is agreement on the aims and foci of the program and help the various functional groups involved to collaborate and cooperate to execute the IG program strategy. “An over-arching strategy is needed—including patient care, organizational performance and risk mitigation—to establish organization’s goals and priorities, and consistently drive these through information systems and business processes.” 1
5.IG is not a project but, rather, an ongoing program. IG programs are “evergreen” and should eventually become embedded into routine operations. True, there must be discrete projects executed under the overall IG program, which provides an umbrella of guidelines and policies. Performance is monitored and enforced with the support of metrics, information technologies, and audit tools.
Compare the IG program to a workplace safety program which is continuously improved, reinforced, and expanded; every time a new location, team member, piece of equipment, or toxic substance is acquired by the organization, the workplace safety program dictates how that is handled and, if it doesn’t, workplace safety policies/procedures/training need to be updated. The program must be monitored and audited to ensure the program is followed and to make adjustments. The effort never ends. 2
6.Using an IG framework or maturity model is helpful in assessing and guiding IG programs. Various models are offered, perhaps the most comprehensive being the Information Governance Process Maturity Model (IGPMM) from the Compliance, Governance, and Oversight Council (CGOC), released in 2012 and updated and expanded in 2017 to include privacy and data protection obligations, GDPR considerations, a new data security cost lever, cloud computing safeguards, a greater focus on data governance, and other considerations. The IGPMM rates IG programs in detail on 22 processes, with a heavy emphasis on Legal, Privacy, and Security. 3 Other models include AHIMA’s IG Adaption Model and IGHealthRate™, which developed the health sector use; and the Generally Accepted Recordkeeping Principles® (“The Principles”) Maturity Model from ARMA International, which is most appropriately used to evaluate the maturity of general recordkeeping (e.g. in the Business Office).
7.Business processes must be redesigned when implementing electronic health records (EHR) to streamline operations and improve the accuracy and management of electronic protected health information (ePHI). Using EHR fundamentally changes the way people work and greater efficiencies and control can be gained with business process redesign (versus simply using EHR systems as a rote electronic filing cabinet).
8.Leverage analytics to improve clinical decision support planning, decision-making, and outcomes. The entire range of analytics, from descriptive to predictive to prescriptive analytics, must be deployed to fully exploit data value. 4 It is crucial to have a robust data governance program in place to assure data quality so the analytics are accurate. Beyond that, the organization should look for ways to monetize data, either directly or indirectly.
9.Focus data governance efforts heavily on data quality. Improved data quality and availability will help reduce medical errors, improve patient satisfaction, improve population health, and improve financial performance.
10.Creating standardized metadata terms should be part of an IG effort that enables faster, more complete, and more accurate searches and retrieval of records. This is important not only in everyday clinical operations, but also in business operations. Good metadata management also assists in the maintenance of corporate memory and improving accountability in business operations. 5 Using a standardized format and controlled vocabulary provides a “precise and comprehensible description of content, location, and value.” 6 Using a controlled vocabulary means the organization has standardized a set of terms used for metadata elements describing records. This ensures consistency and helps with optimizing search and retrieval functions, as well as meeting e-discovery requests, compliance demands, and other legal and regulatory requirements.
Formulating the IG Strategic Plan
Now comes the time to make sense of all the information and input the IG team has gathered and hammer it into a workable IG strategic plan. This will involve some give-and-take among IG team members, each having their own perspective and priorities. Everyone will be lobbying for their functional group’s view, but it is the job of the executive sponsor to set the tone. They must emphasize organizational business objectives so that the effort does not drag out or turn into a competition but, rather, a well-informed consensus development process that results in a clear, workable IG strategic plan.
Synthesize Gathered Information and Fuse into IG Strategy
The IG team has gathered a great deal of information that needs to be analyzed and distilled into actionable strategies. This process will depend on the expertise and specialized knowledge the IG team brings to the table within the construct of the organizational culture. The IG team must be able to make decisions and establish priorities that bear in mind organizational business objectives and consider a number of influencing factors.
Do not prolong the strategy development process; the longer it becomes, the more key factors influencing it can change.
Aim to develop a strategic plan that is durable enough to withstand changes in the business environment, technology, legislation, and other key influencing factors, but it should be relevant to that snapshot of information that was collected early on. When all the parts and pieces start changing, and require reconsideration, it does not serve the organization well. Focus is needed.
Develop high-level IG strategies for each of the critical areas, including data governance/ePHI quality, information security awareness training, patient privacy, the legal hold process, e-discovery action plans, e-mail policy, mobile computing policy, vital records and disaster planning, and other areas that are important to the organization. Do this first, without regard to the prioritization of these areas, to maintain focus.
Then go through the hard process of prioritizing strategies and aligning them to organizational goal and objectives. This may not be difficult in the beginning. For instance, IG strategies for improving clinical data quality are going to take higher priority than the social media policy, and protecting vital records is paramount to any organization. Yet, as the process progresses it will become more challenging to make tradeoffs and establish priorities. Then tie these strategies to overall organizational goals and business objectives.
A good technique to keep goals and objectives in mind may be to post them prominently in the meeting room where these strategy sessions take place. This will help to keep the IG team focused.
Develop Actionable Plans to Support Organizational Goals and Objectives
Plans and policies to support IG efforts must be developed that identify specific tasks and steps, and define roles and responsibilities for those who will be held accountable for their implementation. Execution is critical, although the team cannot simply create the plan and marching orders: periodic checks and audits must be built in to test that new IG policies are being followed, and that they have hit their mark. Invariably, there will be adjustments, and the adjustments must be continually made to craft the policies for maximum effectiveness and continued relevance in the face of changes in external factors, such as legislation and business competition, and internal changes in management style and structure.
Create New IG Driving Programs to Support Business Goals and Objectives
The IG program needs a spark to ignite action and signal change to employees. If employees do not see changes, understand the “why” of the effort, and how it contributes to overall organizational objectives, they will lack motivation. Launching new sub-programs within the overall IG program is a good way to start. For instance, a new information security awareness training (SAT) initiative can show almost immediate results, as it reduces information risk immediately and on an ongoing basis. Another initiative may focus on ePHI data quality, with the goal of reducing medical errors and improving patient satisfaction. Or the organization may want to revamp the legal hold notification (LHN) process to make it more complete and verifiable, assigning specific employees specific tasks to be accountable for. Part of that effort may be evaluating and implementing new technology assisted review (TAR) processes and predictive coding technology. Working cooperatively on smaller parts of the overall IG program is a way to show real results within defined timeframes. Piecing together a series of program components is the best way to get started and it breaks the overall IG program down into digestible, doable chunks. A small win early on is crucial to maintain momentum and executive sponsorship.
To be clear, the IG team will need to negotiate and agree on the success metrics the program will be measured on in advance.
Draft the IG Strategic Plan and Gain Input from a Broader Group of Stakeholders
Once the pieces of the plan are drafted and the IG team is in agreement that it has been harmonized and aligned with overall organizational goals and objectives, test the waters to see if the plan holds up with a broader audience. Expose a broader group of stakeholders to the plan to gain their input. Perhaps the IG team has become myopic, or has passed over some points that are important to the broader stakeholder audience. So solicit and discuss their input and, to the degree that there is a consensus, refine the IG strategic plan one last time before finalizing it. Bear in mind, though, that it is a living document, a work-in-progress, which will require revisiting and updating to assure it is in step with changing external and internal factors. Periodic auditing and review of the plan will reveal areas that need to be adjusted and revised to keep the plan relevant and effective.
Get Buy-In and Sign-Off and Execute the Plan
Have the executive sponsor sign-off on the IG Strategic Plan. Then present the finalized plan to executive management, preferably including the CEO, and demonstrate what is required and its intended benefits. Field questions and address any concerns to gain broader executive buy-in and perhaps more signatures. Some minor adjustments may be required if there are significant objections, but, if the stakeholder consultation process was executed properly, the plan show be very close to the mark. Then begin the process of implementing the IG strategic plan including regular status meetings and updates, consistent and regular communications and training, and planned audits of activities.
■ The IG team should begin their strategic planning process by listing and prioritizing key organizational objectives.
■ The IG plan must support the achievement of the organization’s business objectives.
■ The IG plan should bring a standard approach across the spectrum of information use and management within the organization.
■ The IG strategic plan must be aligned with the IT strategic plan and the organizational strategic plan to support overall business objectives.
■ The most relevant IG Best Practices to consider are those from the organization’s segment of the healthcare industry.
■ Engaged and invested executive sponsors are necessary for IG program success. It is not possible to require managers to take time out of their other duties otherwise.
■ The executive sponsor must be: (a) directly tied to the success of the program, (b) fully engaged and aware in the program, and (c) actively eliminating barriers and resolving issues.
■ The information risk mitigation plan develops risk reduction options and tasks to reduce specified risks and improve the odds for achieving business objectives.
■ The IG strategic plan must be informed with an assessment of relevant technology trends.
■ Include trends and conditions in the internal and external business environment in IG program planning.
■ Laws and regulations relevant to the organization’s management and distribution of information in all jurisdictions must be considered and included in the IG strategic plan.
■ Legal requirements take priority over all others.
■ Fuse the findings of all the analyses of external and internal factors into the IG strategic plan. Develop strategies and then prioritize them.
■ Create supporting sub-programs to jumpstart the IG program effort. Smaller programs should be able to measure real results based upon metrics that are agreed upon in advance.
■ The executive sponsor must sign off on the IG strategic plan before moving to execute it.
1. “Best Practices by Industry: Healthcare,” InfoGovBasics.com, https://www.infogovbasics.com/best-practices/by-industry/healthcare.
2. Monica Crocker, e-mail to author, June 21, 2012.
3. “Latest CGOC Information Governance Process Maturity Model,” CGOC, https://www.cgoc.com/updated-ig-process-maturity-model-reflects-todays-data-realities-2.
4. AHIMA Staff, “Use Cases Demonstrate Information Governance Best Practices,” Journal of AHIMA website, September 30, 2014, http://journal.ahima.org/2014/09/30/use-cases-demonstrate-information-governance-best-practices/.
5. Kate Cumming, “Metadata Matters,” in Managing Electronic Records, ed. by Julie McLeod and Catherine Hare (London: Facet Publishing, 2005), p. 34.
6. “Electronic Records Management Guidelines,” Minnesota State Archives, www.mnhs.org/preserve/records/electronicrecords/ermetadata.html.