April 2016

Legal Concerns in Information Governance
By Mike Bassett
For The Record
Vol. 28 No. 4 P. 18

General counsel plays a key role in the development of a well-rounded effort.

While the concept of information governance (IG) is quite consistent across different industries, there is no question that health care presents an entirely different kind of challenge when it comes to developing an IG program.

"There's a lot at stake when you're talking about health care," says Susan Lucci, RHIA, CHPS, CHDS, AHDI-F, a consultant and chief privacy officer at Just Associates. "And if you don't have strong information governance policies in place, you could put patient safety at risk."

To make matters even more complex, the health care data are unlike those used in most other industries. "It comes in many different forms," says Lynette Czarkowski, chief operating officer and executive consultant at e4-Services, a health care consulting and services company headquartered in Chicago. "You have structured data, unstructured data, text, video—all these different formats that provide more of a challenge."

In addition, Czarkowski points out there are a number of state- and federal-based regulatory pressures unique to health care, including HIPAA, as well as different types of payment models.

The recent wave of mergers and acquisitions within the industry further complicates matters. "Whenever you see these mergers or acquisitions, you are bringing together a number of different databases," Lucci says. "There has to be some kind of overarching information governance when you have so many different facilities all under one umbrella."

Reaching a Definition
According to AHIMA, "Information governance is a strategic imperative for the future of health care." With that in mind, how should organizations go about implementing or advancing IG initiatives? More specifically, what kind of collaborative role should HIM and legal departments play in pursuing IG objectives?

Mary Beth Haugen, founder and CEO of the Haugen Consulting Group, says organizations pursuing or advancing an IG initiative should start with the basics, which means agreeing on its definition. However, that definition probably differs from organization to organization, Czarkowski says. "My definition is probably going to be different from your definition, and that's OK. But when you are putting together a program of this nature, you definitely need to articulate what your goals are and what your desired outcomes are going to be," she notes.

Is there an accepted definition?

According to the Information Governance Initiative—which describes itself as a cross-disciplinary consortium and think tank dedicated to advancing the adoption of IG practices and technologies through research, publishing, advocacy, and peer-to-peer networking—IG is "the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs."

However it is defined, Czarkowski says health care organizations must recognize the value of their data and then position the information such that it may be converted into assets. IG provides "the rules of the road" that allow this to occur, she says, "but it's really about establishing a set of principles for making your data work for you in the current climate of health care."

That's exactly what AHIMA did in the fall of 2014 when it released a 21-page document titled, "Information Governance: Principles for Healthcare." Its eight principles are, according to the document, designed to "form the foundation for an information governance policy aimed at ensuring that all health care information, clinical and nonclinical, is timely, complete, accurate, and secure."

Specifically, the principles address the following:

• Accountability: An accountable member of senior leadership should oversee the program.

• Transparency: Processes and activities relating to IG should be documented in an open and verifiable manner.

• Integrity: Information generated by, managed for, and provided to the health care organization should be authentic and reliable.

• Protection: The information should be appropriately protected from breach.

• Compliance: An IG program must comply with applicable laws, regulations, and industry and organizational standards.

• Availability: Information must be maintained in such a way that it can be retrieved in a timely, accurate, and efficient manner.

• Retention: Information must be retained for an appropriate time subject to legal, regulatory, fiscal, operational, risk, and historical requirements.

• Disposition: Information no longer required should be disposed of securely.

Law and Order
From an HIM perspective, those principles serve as the go-to manifesto, says Ron Hedges, JD. "But when you think of everything that is in those principles—accountability, transparency, security—a lot of it might be technical in nature, but there will be a legal overlay to it as well."

Consequently, an organization's general counsel is in all likelihood going to be deeply involved with IG issues. "I don't know whether you would say the general counsel is going to be the guy in charge, but he or she will play an essential role and will be involved in all of these issues," Hedges says.

Haugen has witnessed firsthand the importance of legal counsel's input. "Where we've been most successful in the implementation and establishment of a good, solid foundation of an information governance program is when legal counsel has been an active participant," she says.

Czarkowski views IG initiatives much in the same way she does compliance programs. "And what we see in compliance departments in health care organizations—and what I would expect to see in information governance as well—is a hierarchy of involvement that starts with the C-level."

Because general counsel tends to be part of senior leadership, Czarkowski suggests it "has the opportunity to get in on the ground floor in promoting the concept of information governance." However, she warns that general counsel—as well as other actors such as HIM—must promote the initiative in such a manner that it still aligns with the organization's overall strategic goals. Once that's been ensured, steps can be taken to start thinking about IG from a tactical standpoint and how the program should be executed.

Czarkowski says there also should be an understanding that most health care organizations already have aspects of IG in place. "It may not be called that," she says, "but many times middle managers in leading their departments and developing their own strategic goals—particularly in HIM—are planning to or have already enacted strategies, policies, and procedures that align with information governance concepts such as data retention and data integrity. They are probably already in place."

A well-oiled IG initiative must take all of this activity into account, leverage it, and adopt an approach that aligns it with the organization's overall goals, Czarkowski adds.

HIM and General Counsel
Haugen warns that there may be potential conflicts between HIM and general counsel, making it imperative that both parties agree on a definition of IG from the outset. That means general counsel must understand how IG works not only from a big-picture, organizational standpoint but also from a bird's-eye perspective, she adds.

"[General counsel] needs to understand the nitty gritty and how data become information," Haugen says. "Making decisions about information governance without understanding the small stuff is a recipe for failure. For example, legal counsel should understand that data can reside in five different databases and several different applications, and that going in to correct something or delete it may not be too simple and could involve the use of a lot of manpower. So we want to make sure that legal counsel isn't sending directives without understanding how they can be achieved."

Lucci points out that HIM is the one department "that sees the entire record, so legal counsel should be able to collaborate with HIM to get a sense of what they are seeing on a daily basis. That way they can update, modify, or tweak existing information governance policies."

At the same time, Haugen says HIM professionals must recognize and respect the expertise that legal counsel brings to the table. "We need to be able to somehow come up with a language that both can speak and understand," she says.

Hedges says collaboration on IG initiatives should go beyond general counsel and HIM. "I would suspect that the job of the general counsel would be to look at the legal aspects of everything," he says. "We're talking about, for example, health information management, IT, and HIPAA issues. And a lot of organizations have privacy and security officers so, depending on the organization, it's not going to involve just the general counsel and health information management. There are going to be a number of actors getting together to put together some kind of format that works."

Haugen points out that general counsel acts as a kind of mediating force to bring together an organization's various factions, many of which will have different views regarding IG's role. "I have an HIM perspective, so I'm interested in the integrity of the data and where it flows throughout the organization," she says. "But IT is going to have a different perspective. General counsel can take a step back and help bridge those differences.

A Formal Process
Hedges recommends using the AHIMA guidelines as a framework from which an exemplary IG initiative can be built. "If you look at the AHIMA principles, you're really talking about a table of organization," he says. "And in thinking about it from a litigation point of view, there needs to be accountability—and that's not just for litigation but that goes for everything else as well."

For example, who is responsible for security issues? Who is the go-to person when contracts are negotiated? Hedges points out that, according to the Amended Federal Rules of Civil Procedure, the avoidance of sanction depends on taking reasonable steps to avoid the loss of information. "Reasonable steps mean—as a general proposition—that whatever you do, you do it in writing, document it, and monitor it," he says.

From a legal perspective, the development of an IG program must be "coherent," Hedges says, adding that the preservation of relevant information is critical, particularly when it comes to litigation. But unless providers know all the types of information it houses, its location, and how to preserve it, an IG program will be incapable of meeting its legal obligations.

From a legal standpoint, Haugen believes a key factor is establishing a clear understanding and definition of a legal medical record "so you can apply all of the necessary legal and regulatory requirements to that record." However, she cautions that health care organizations may end up focusing on information that has relatively little value from a legal and regulatory standpoint—a result that would in all likelihood be unnecessarily costly.

In an August 2015 column in the Journal of AHIMA, Hedges made a similar point about retaining information that doesn't fall within the provider's definition of a legal record or has lost its value. An effective IG program, he said, should be able to identify the value of an organization's data to allow it to mitigate issues such as cost, litigation, and data breaches.

"Retention of information when there is no current known reason to retain that information can lead to 'corporate amnesia,' where the organization loses track of what some of its retained information represents—or why they even have it," he wrote. An effective IG program can help organizations avoid this problem.

The State of IG
How prevalent are IG programs across the industry? "I think most health care organizations are all over the board on this," Hedges says. "I think it is something they aspire to do, but in reality, a lack of resources—whether it's personnel-wise, cultural, or physical—may make it difficult to achieve what I think is the ideal situation."

Czarkowski believes health care organizations are becoming more adept at implementing IG programs. She salutes those that have successfully incorporated IG as a strategy that aligns with and helps achieve wider organizations goals.

— Mike Bassett is a freelance writer based in Holliston, Massachusetts.

 

AHIMA RELEASES IG ASSESSMENT TOOL
AHIMA's newest information governance (IG) offering—IGHealthRate (http://ighomepage.herokuapp.com/hrinfopage.html)—will help organizations assess and score their maturity in adopting IG, a strategic imperative for improving patient care and population health, and reducing health care costs.

IGHealthRate is a comprehensive assessment tool that provides measurements, benchmarks, and coaching to continually improve an IG program. Aligned with AHIMA's Information Governance Adoption Model (IGAM), IGHealthRate assesses and scores an organization using 10 IG organizational competencies. Each competency includes multiple key markers that define essential aspects of the competency that must be demonstrated to achieve maturity. The ultimate goal for health care organizations is to achieve IGAM Level 5 validation, which means IG has been integrated into their overall infrastructure and business processes.

"A robust and mature IG program not only ensures the quality and integrity of health information, but it [also] directly contributes to safe, quality care. As organizations mature in their information governance, they will see returns on investment, including improved insights and confidence in data-driven decision making," says AHIMA CEO Lynne Thomas Gordon, MBA, RHIA, CAE, FACHE, FAHIMA. "As IG awareness continues to grow, it's important that organizations understand where their IG opportunities exist and develop a roadmap for IG maturity to realize additional benefits. As part of AHIMA's comprehensive efforts to advance IG in health care, IGHealthRate will help organizations move along on this path."

A subscription-based product, IGHealthRate gives organizations a structured approach to becoming competent in IG, achieving a level of maturity that demonstrates they value and trust their information to make a difference in patient care, in their communities, and with their business partners. As part of IGHealthRate, organizations can demonstrate their IG program's excellence by having AHIMA's IGAdvisors validate their program's achievement in reaching IGAM Level 5. Organizations can then use the IGAM Level 5 emblem on their website and other organizational materials to highlight their IG implementation success.

"Achieving AHIMA IGAM Level 5 gives organizations a competitive advantage and shows the public and health care industry that they have successfully implemented enterprisewide IG, that they trust their information, and that appreciation of the value and impact of information is ingrained throughout its operations," says Deborah Green, RHIA, MBA, AHIMA executive vice president and chief innovation and global services officer. "This is critical to health care organizations because reliable data and information are central to addressing ever-present challenges and to transforming health care."

When assessing an organization's IG maturity level, an IGAdvisors expert consulting team will conduct a comprehensive validation of the program to confirm that the 10 IG health care competencies are achieved.

For additional information, visit www.IGIQ.org.

— Source: AHIMA