21st Century Oncology breach, 5, 8
Accountability of information, 24
Advanced data analytics, 47
AICPA, see American Institute of Certified Public Accountants (AICPA)
AMAM, see Analytics Adoption Model for Analytics Maturity (AMAM)
American Institute of Certified Public Accountants (AICPA), 25
American Recovery and Reinvestment Act, 4, 21
Analytics, 34, 56, 62, 82, 119
advanced data, 47
content, 48
descriptive, 47
diagnostic, 47
document, 46
predictive, 47
prescriptive, 47
Analytics Adoption Model for Analytics Maturity (AMAM), 13
Anna Karenina principle, 51
Anthem Health breach, 5, 45, 53, 119
Artificial intelligence, 56, 78, 79, 95
Associates in Psychiatry and Psychology (APP), ransomware attacks, 6–7
Audit department, 34
Availability of information, 24, 25, 101
BAA, see Business associate agreement (BAA)
BI, see Business intelligence (BI)
BPMS, see Business process management suites (BPMS)
Breaches
Anthem Health breach, 5
data breach cost per capita, 56
Excellus BlueCross BlueShield, 5, 53
Molina Healthcare, 5
Premera BlueCross, 5
preparedness and patient trust, 57–58
types, 58
Bring-your-own-device (BYOD), 67, 79
Building the Business Case, 117–118
Bupa, 57
Business associate agreement (BAA), 66–69, 99
Business drivers, for IG Programs, 61
Business intelligence (BI), 47, 48, 119, 127
Business process management suites (BPMS), 46
BYOD, see Bring-your-own-device (BYOD)
CA, see Content analytics (CA)
Canadian Institute of Chartered Accountants (CICA), 25
CCMM, see Continuity of Care Maturity Model (CCMM)
CDO, see Chief Data Officer (CDO)
CFR, see Code of Federal Regulations (CFR)
CGOC, see Compliance, Governance, and Oversight Council (CGOC)
Change management (CM), 14, 33, 42, 43, 45
Chief Data Officer (CDO), 33, 52
Chief Information Governance Officer (CIGO), 37, 89
Chief information officer (CIO), 35, 37, 96
Chief information security officer (CISO), 37, 96, 101
CIA triad, 25
CICA, see Canadian Institute of Chartered Accountants (CICA)
CIGO, see Chief Information Governance Officer (CIGO)
CIO, see Chief information officer (CIO)
CISO, see Chief information security officer (CISO)
CM, see Change management (CM)
Code of Federal Regulations (CFR), 68, 99, 116, 125
Communications, IG program, 44–45, 87–88
Compliance, Governance, and Oversight Council (CGOC), 12
Compliance for information, 24
Content analytics (CA), 48
Continuity of Care Maturity Model (CCMM), 13
Continuous improvement, 23, 43, 90
Continuous process improvement (CPI), 89–90
CPI, see Continuous process improvement (CPI)
Cross-functional collaboration, for IG, 15, 118
Cross-functional IG team, 42
Cyber-security, 4, 8, 12, 39, 53
in healthcare, 95
hygiene, 22
DAM, see Database activity monitoring (DAM)
Dark web, 56
Database activity monitoring (DAM), 46
Data breach cost per capita, 56
Data cleansing, 14–15, 77, 119
Data governance (DG), 14–16, 21, 33, 52, 119
in healthcare organizations, 52
information governance versus, 14–15
Data loss prevention (DLP), 46
Data Protection Act (U.K.) 1998, 4
Data Security and Protection Toolkit, 3
De-duplication, 14
Delivering information, 22
Descriptive analytics, 47
DG, see Data governance (DG)
Diagnostic analytics, 47
Digital signatures, 46
Disposition of information, 24
DLP, see Data loss prevention (DLP)
Document analytics, 46
Document labeling, 46
Domestic Data Protection Act 2018, 4
Early case assessment (ECA), 47–48
ECA, see Early case assessment (ECA)
ECM, see Enterprise content management (ECM)
EFSS, see Enterprise File Synch and Share (EFSS)
EHR systems, see Electronic health record (EHR) systems
Electronically stored information (ESI), 39, 60, 61, 126, 127
Electronic document security, 45–46
Electronic health record (EHR) systems, 4–6, 20, 33, 46, 52, 87
Electronic Patient Record Maturity Model (EPRMM), 13
Enterprise content management (ECM), 47, 53
Enterprise File Synch and Share (EFSS), 47
Enterprise risk management (ERM), 69
EPRMM, see Electronic Patient Record Maturity Model (EPRMM)
Erie County Medical Center (ECMC), 57–58
ERM, see Enterprise risk management (ERM)
ESI, see Electronically stored information (ESI)
Essays and case studies, in IG
Anticipating Conflicts in Your IG Program, 120–121
Are Health Information Exchanges Properly Safeguarding ePHI? A Case Study, 97–102
25 Exciting Things to Do with an Information Asset Register, 106–109
IG Education Is Key to Success, 118–119
IG Insight: The Soft Stuff Is the Hard Stuff, 119–120
IG Problem in Healthcare, 95–96
Information Governance and Brand Management: A Critical Link, 121
Information Governance by Design: “Baking” IG into Everyday Processes, 121–122
Long-Term Digital Preservation in IG Programs: Advice from the Pharmaceutical and Biotechnology World, 114–118
Privacy and Data Protection Officers: Implementing the EU General Data Protection Regulation, 109–114
Veteran Advice on Getting Your IG Program Launched, 122–123
Where Do You Keep Your Crown Jewels? Identifying, Classifying and Managing Your Information Assets, 102–106
Excellus BlueCross BlueShield breach, 5
Executive sponsors, 23, 31, 35–40, 42
assigning team roles and responsibilities, 37–38
business case and, 55
versus IG program manager, role, 43–44
purposes in IG program, 36
recruitment, 52
Expected value (EV) calculation, 69
FACR, see File analysis, classification, and remediation (FACR)
File analysis, classification, and remediation (FACR), 15, 47, 119
Finance/CFO, 33
GAPP, see Generally Accepted Privacy Principles (GAPP)
GDPR, see General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR), 4, 21, 55, 109, 113
Generally Accepted Privacy Principles (GAPP), 25–28
Generally Accepted Recordkeeping Principles®, 23
Health Insurance Portability and Accountability Act (HIPAA)
Breach Notification Rule, 57, 63
and business associate agreements, 66–68
fines in 2017, 67
violations, 66
Healthcare organizations
population health milestones and metrics, 57
Smallwood IG principles applied to, 20–23
in U.S., 4
Health information management (HIM), 20, 33, 39, 52, 87
HealthMap software, 56
Heat map, 70
HIM, see Health information management (HIM)
HIPAA, see Health Insurance Portability and Accountability Act (HIPAA)
HR, see Human resources (HR)
IAM, see Identity and access management (IAM)
IAR, see Information Asset Register (IAR)
Identity and access management (IAM), 22, 46
IG, see Information governance (IG)
IG Adoption Model™, 13
IGAM, see Information Governance Adoption Model™ (IGAM)
IGF, see Information Governance framework (IGF)
IGHealthRate™ tool, 34
IG Lead, 42
IG leaders in healthcare, 43
IGPHC, see Information Governance Principles for Healthcare® (IGPHC)
IGPMM, see Information Governance Process Maturity Model (IGPMM)
IG Process Maturity Model (IGPMM), 12–13
IGRM, see Information Governance Reference Model (IGRM)
ILM, see Information lifecycle management (ILM)
Infonomics: How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage, 20
Information
accessibility, 22
as asset, 20
control, 22
integrity, 21
Information Asset Register (IAR), 21
Information Asset Valuation (IAV) software, 62
Information Governance Adoption Model™ (IGAM), 34–35, 52–53
Information Governance framework (IGF), 12–13, 41–48
change management, 45
communications and training plan, 44–45
executive sponsor role versus IG program manager, 43–44
leaders in healthcare, 43
role of executive sponsor, 44
Information governance (IG), 3
availability, 11
business drivers for, 61
cross-functional collaboration for, 15
definitions, 11
essays and case studies in, 95–123
information risk planning for, 65–73
lifecycle, 13
monitoring and auditing, 22
optimization, 11
organization’s strategy, 14–15
organization-wide, 12
policy, 14
secure, 11
Sedona Conference® commentary on, 19–20
stakeholders, 12
Information Governance Principles for Healthcare® (IGPHC), 23–24
Information Governance Process Maturity Model (IGPMM), 16, 53
Information Governance Reference Model (IGRM), 32–34
Information lifecycle management (ILM), 4
Information organization and classification, 21
Information privacy, 21–22, 25, 59
awareness training for, 59
milestones and metrics, 59
Information rights management (IRM), 22, 45–46
Information risk planning, 65; see also Risk planning process
benefits, 66
Information security, 4, 21–22
CIA triad, 25
principle of least privilege, 25
InfoSec, 39
Integrity of information, 24, 25, 101
Internet of Things (IoT), 4, 79, 88, 95
IoT, see Internet of Things (IoT)
IRM, see Information rights management (IRM)
ISO 9000, quality guidelines for healthcare, 13
ISO 22301 for business continuity, 13
ISO 27001/2 for information security, 13, 53
ISO 31000 for risk management, 13, 33
ISO 38500 for IT governance, 13
KM, see Knowledge management (KM)
Knowledge management (KM), 24, 73, 81, 108, 118
Laney, Doug, 20
Launching accelerators, of IG programs, 52–53
Legal defense, 53
Legal hold notification (LHN), 21, 53, 60, 68
Legal operations
costs reduction, 60
milestones and metrics, 60
update Legal Hold Notification, 60
Legal requirements, 22
LHN, see Legal hold notification (LHN)
Long-term digital preservation (LTDP), 22, 79, 114–115
LTDP, see Long-term digital preservation (LTDP)
Machine learning, 56
MACRA, see Medicare Access and CHIP Reauthorization Act (MACRA)
Master data management (MDM), 48
Maturity Model for Electronic Medical Record (MMEMR), 13
MDM, see Master data management (MDM); Mobile device management (MDM)
Medical devices breach, 58
Medicare Access and CHIP Reauthorization Act (MACRA), 13
Merit-based Incentive Payment System (MIPS), 13
Mid-Michigan Physicians Imaging Center, 5, 57
MIPS, see Merit-based Incentive Payment System (MIPS)
MMEMR, see Maturity Model for Electronic Medical Record (MMEMR)
Mobile device management (MDM), 47
Molina Healthcare breach, 5, 57
Monitoring and accountability, in IG program, 88–89
National Health Service (NHS), 3, 110
NHS, see National Health Service (NHS)
Operational efficiency, 43, 59–60
milestones and metrics, 60
Organization-wide view, of IG, 12
Pacific Alliance Medical Center (PAMC), 58
Password management, 22
Patient privacy, 4, 12, 15, 21, 59, 87
Personal health information (PHI), 4, 5, 20, 39
Personally identifiable information (PII), 5, 20, 39
PHI, see Personal health information (PHI)
PII, see Personally identifiable information (PII)
PM, see Program Manager (PM)
Policy, IG programs, 14
POLP, see Principle of least privilege (POLP)
Population health milestones and metrics, 57
Premera BlueCross breach, 5
Prescriptive analytics, 47
Principle of least privilege (POLP), 25
Print security, 46
Privacy
information, milestones and metrics, 59
safeguards, 59
Protection for information, 4, 20, 24
RACI matrix, 51
Ransomware-as-a-Service kit, 68
Ransomware attacks, 5, 6–7, 67
Erie County Medical Center, 57–58
Pacific Alliance Medical Center, 58
preparedness and patient trust, 57–58
WannaCry, 67
Recordkeeping principles, 23–25
Records and information management (RIM), 23, 39
Records Retention Citation Service, 68
Records retention schedule (RRS), 21
Redundant, outdated, and trivial (ROT), 59–60
Regulatory compliance, 4, 9, 60
Responsibility Assignment Matrix, 51
Retention of information, 24
RIM, see Records and information management (RIM)
Risk analysis, 65
Risk management, 12, 13, 15, 33, 37, 59
Risk map, 70
Risk planning process
likelihood assessment, 65, 69–71
mitigation plan, execution of, 65, 72–73
policies, creating/updating, 65, 71
responsibilities, assigning, 65, 72
ROT, see Redundant, outdated, and trivial (ROT)
RRS, see Records retention schedule (RRS)
SAT, see Security awareness training (SAT)
Security awareness training (SAT), 12, 22, 58, 71, 83
Security vulnerability/penetration testing software, 46
Sedona Conference® commentary, on IG, 19–20
Sensitive information
personal health information, 4, 5
personally identifiable information, 5
Smallwood IG principles, to healthcare organizations, 20–23
continuous improvement, 23
executive sponsorship, 23
information accessibility, 22
information as asset, 20
information control, 22
information governance monitoring and auditing, 22
information integrity, 21
information organization and classification, 21
information security and privacy, 21–22
stakeholder consultation, 20–21
SME, see Subject matter expert (SME)
Soft costs, 62
Software
advanced data analytics, 47
BPMS, 46
CA, 48
DAM, 46
digital signatures, 46
DLP, 46
document analytics, 46
ECM, 53
FACR, 47
file analysis classification and remediation, 15
HealthMap, 56
IAV, 62
IGHealthRate™, 34
for information control, 22
information rights management, 22
MDM, 48
mobile device management, 47
records and information management, 23
security vulnerability/penetration testing, 46
stream messaging, 46
Spoliation, 21
Staffing continuity plan, 89
Stakeholder consultation, 20–21
Stakeholders, IG, 12
Strategic planning process
business conditions and economic environment, survey for, 79–80
business objectives, 77
buy-in and sign-off and execute plan, 84
feedback of stakeholders on draft plan, 84
IG strategic plan, formulation of, 82
industry best practices, survey for, 80–82
information technology trends, analysis of, 79
legal, regulatory, and political factors, analysis of, 80
plans and policies to support IG, 83
programs to support business goals and objectives, 83–84
synthesize information and fuse into IG strategy, 82–83
Stream messaging, 46
Subject matter expert (SME), 39–40
for business conditions and economic environment, 79–80
for industry best practices, 80–82
TAR, see Technology assisted review (TAR)
Technologies
advanced data analytics, 47
BPMS, 46
data loss prevention, 46
document analytics, 46
document labeling, 46
ECM, 47
EHR, 46
FACR, 47
information rights management, 22, 45–46
machine learning, 56
MDM, 47
stream messaging, 46
Technology assisted review (TAR), 83
Tiered IG steering committee, 38–40
Training
for information privacy, 59
plan, IG program, 44–45, 87–88
security awareness training (SAT), 12, 22, 58, 83
Transparency of information, 24
U.K. Freedom of Information Act 2000, 68–69
U.S. Freedom of Information Act (FOIA), 68
Unstructured information, 15, 129