Invisible Information Governance
By Sandra Nunn, MA, RHIA, CHP
For The Record
Vol. 27 No. 5 P. 12
Look closely; many of the functions required for an effective information governance effort may already be in place.
When faced with the idea of another large-scale endeavor such as an information governance effort, most health care executives are quick to demur. They already are up to their ears in projects involving the Affordable Care Act, the increasingly demanding meaningful use stages, security and HIPAA compliance challenges, and numerous reimbursement concerns. On top of these items, executives face staff shortages, complex technical challenges related to health information exchange, and huge classification changes, including moving from ICD-9 to ICD-10.
The term "information governance" is bandied about so much in the industry today that it's difficult to recall that it simply means managing data and records in a secure, high-integrity manner. Rather than ramping up for yet another high-dollar effort replete with new software and/or expensive consulting fees, savvy organizations are considering how they can leverage existing efforts to build an information governance initiative from within. In fact, the perfect place to plant the governance seed may be within the current records management function.
A Mature Framework
A fully developed information governance framework has an identified structure to handle everything from the most complex, high-impact decisions to more trivial, operational-level questions. Most beginning management students have studied hierarchical organization structures that travel down from the executive/strategic suites through tactical levels (business units) to operational levels.
Information governance decisions can be divvied out in this manner, although there are health care organizations that are flatter and more team based. In the robust Alberta Health Services Information Management Governance Framework, an information management advisory group (upper level) oversees the work of six full-fledged committees that control access, security, and confidentiality; information standards adoption; identification and encounter management; clinical documentation; records management; and data integrity/quality. In turn, these groups are supported by a staff devoted entirely to information governance.
The committees make decisions and develop processes, policies, and procedures relevant to their particular domain, including the following:
• The access, security, and confidentiality committee enforces validation of physicians' fax numbers.
• The information standards adoption committee considers admission, discharge, and transfer messaging specifications to facilitate patient information reconciliation among community contributors to health information repositories.
• The identification and encounter management committee oversees task groups that work on issues such as "person directory access," registration/scheduling standards, and business processes.
• The clinical documentation committee constructs a documentation framework.
• The records management committee works on the transfer of patient records.
• The data integrity/quality committee tackles issues such as the standardization of system code sets.
The Alberta Health Services Information Management Governance Framework serves as a model to other organizations less endowed with funding or staff to undertake such an effort. One of its foundations—something it has in common with most health care organizations—is a successful, well-run records management committee. There is scarcely a health care organization today that does not have an EHR committee, and many also have an enterprise records committee. These routine structures, along with a capable decision framework, can lead organizations to an inexpensive information governance solution.
Most health care organizations already have an information governance decision structure in place, a hierarchy featuring executive, tactical, and operational layers. Information domains often can be deduced from reviewing the organization's record retention schedule, which is usually developed through the records management function. Therefore, identification of the information domains for governance purposes is a done deal. A retention schedule is built by records management to reflect information repositories such as clinical, human resources, finance, and plant services.
Using records management as a foundation, an initial information governance effort can profit from EHR and records management committees. The EHR committee identifies electronic records content and defines the legal health record and the designated record set. A decision structure relating to these most important functions is certain to exist.
Clinicians, who are responsible for the EHR's clinical content, must work with HIM to define documentation templates. The development of data dictionaries and the metadata built into the EHR present a golden opportunity to initiate a data quality effort, including identifying the stewards who will be charged with maintaining integrity.
The same applies to the master patient index, a technology present in every hospital that links the components of the EHR. Putting it under the guidance of the data integrity group that reports to the information governance committee is a logical and easy step.
In her book Implementing Health Information Governance: Lessons from the Field, Linda Kloss, MA, RHIA, CAE, FAHIMA, lists the following six essential governance and information management practices with regard to the EHR:
• determine what constitutes the record;
• determine and document who is authorized to create the official record's content;
• determine how the record will be prepared and authenticated;
• determine how the record, once completed, can be updated and changed;
• determine who will be given access to patient records; and
• determine how the EHR will be retained and destroyed.
This strategy requires a working EHR or records management committee to create policies and procedures to ensure that these practices are initiated and enforced. The committee can be, and sometimes already is, the beginning of an information governance council. Kloss' recommendations can be applied to the management of any record, whether from finance, human resources, or plant services.
In the March issue of the Journal of AHIMA, Ron Hedges, JD, reviews AHIMA's Information Governance Principles for Healthcare by applying them to a single record—in this case, the EHR's response to litigation. Regarding accountability, the first principle, Hedges notes that a senior leader who is intimately involved in the implementation and development of the EHR may be the best choice for assuming the governance position.
Hedges also recommends the initiative feature "documented and approved policies and procedures," with many of the guidelines developed to govern the EHR being excellent models that can be applied to all data and records. For example, policies and procedures developed to limit EHR access to those treating the patient or acting on the organization's behalf (HIM, quality management) can provide a foundation to overall access control, which fulfills AHIMA's Protection best practice. Other protection best practices focus on methods to control loss of information and reconstruction of lost information, an issue any records management committee likely would have already addressed. The cost is minimal to extend existing privacy and security measures to protection measures.
Other protection solutions that can be incorporated into an information governance framework include rules pertaining to the transfer of hard copy and electronic records, and the type of media used to store critical records long term.
If data and records fail to be available on time, much of what matters in terms of information access is lost. This is where acquisition and construction of an EHR can provide an important template to an information governance council. One of the most important attributes of information governance is accumulating enough funds and skilled human resources to launch and sustain the initiative. The complex multiyear budgeting and staffing required for a successful EHR implementation provide the perfect model on which to develop a budgeting process for an information governance effort that—like an EHR project—will outlast its initial budget and require continued funding for the life of the organization. As such, information governance leaders would be interested in metrics describing timely, accurate, and efficient data retrieval.
Information governance policy can be modeled on the guidelines regarding when physicians must complete their medical records. Completeness must be defined for each record type with specific staff assigned to ensure compliance prior to publication on websites or transferal to other information systems. Governance specialists also must focus on policies and measurements to document the information that ensures a working health information exchange is both timely and accurate.
Retention and Disposition
Eventually, these two principles apply to all data and information. A key cost control function of information governance is deciding which data to retain, for how long, and on what media. Other considerations include accessibility, security, and disposition method. A records management group, which already will have addressed these concerns, can lend support to the creation of a complete retention schedule and disposition policies and procedures.
Governance also can determine when upgrades must be applied to information systems and when they must be abandoned in favor of newer software offering greater functionality. A governance group can help organizations decide whether to select a best-of-breed system that may have interoperability issues or whether clinically specific functionality has to be sacrificed to reduce cost and enable easier long-term retention and disposition. At some point, governance leaders must decide where data and records from legacy systems will be archived or whether they qualify for destruction.
Building Future Invisibility
In a 2006 presentation, Denise A.D. Bedford, PhD, senior information officer for the World Bank, offered a picture of the future for invisible records management when she stated that information governance leaders needed to create "an information context in which records management occurs every day in the work environment, without people having to think about it, and it satisfies the standards of records managers." The emphasis is not on a vast information governance effort but rather on automating records management to make it an integral part of the business process. A core part of information governance is building an invisible, automated, and compliant records management platform.
As the amount of health information, both human- and machine-generated, continues to grow and requirements become more onerous, traditional records management will not be able to keep pace. "Records managers must now monitor multiple systems and design records schedules to suit different information types and contexts: structured data, semistructured data, and unstructured data," Bedford said in her presentation. In other words, records managers must be capable of creating metadata repositories from which metadata can be automatically applied to templates into which knowledge workers can record data and text.
Each EHR template and document type must include sufficient information (metadata) to allow them to be properly sorted and filed. Metadata can also be built in to execute the required records management activities as the file moves through the care continuum, including designating it as a record or for disposal according to preestablished retention guidelines.
Information governance professionals can engage domain experts to create business rules to determine which file becomes the official record and which files are duplicates or drafts worthy of automatic deletion. This can be turned into an automated process so health care workers won't have responsibility for records management functions. In the future, it's possible that health care staff will create the required data and documents, including authentication, to build the EHR via one or more information systems. Records managers will work with metadata repository specialists to determine what metadata will be embedded into the EHR components when saved by the documenter. It also is possible that each EHR component could carry the master metadata of the "whole" wherever it goes if and when it is fragmented or reused for secondary data purposes.
Implementing automated tools to assist in records management practices does not remove the need for skilled records managers. These professionals oversee the information management lifecycle of all records, regardless of domain, and ensure proper controls are in place to guarantee timeliness, accuracy, and completeness.
Records managers can start to implement high-integrity, automated information through the following steps:
• Develop templates (using a forms committee model, if one exists).
• Manage EHR content and other records through existing committees.
• Create metadata repositories beginning with data dictionaries and data repositories.
• Examine relative record data sets for electronic records storage considerations.
• Use the current guidelines for EHR and records management to develop business rules.
Records managers must eventually develop reporting tools and be prepared to transition from records management to a broader focus on enterprise information governance.
— Sandra Nunn, MA, RHIA, CHP, is a contributing editor at For The Record and principal of KAMC Consulting in Albuquerque, New Mexico.