Conduct research on the current gaps of in

31

Chapter 4

Who Should Be Part of an information Governance team?

IG programs require cross-functional collaboration; however, IG teams or steering committees from each individual healthcare organization will have a slightly different makeup depending on program focus and objectives, organizational IG maturity, staffing, budget resources, competi- tive posture, and other factors.

A formal IG Program Charter must be drafted and signed off on by the executive sponsor. The program charter lays out the purpose and scope of the program, goals and objectives, report- ing structure of the IG steering committee, SMEs and sub-committees, frequency of meeting, and other key guidelines.

Selection of the executive sponsor is a critical starting point. The executive sponsor must make the business case for the IG program and make IG steering committee selections along with the IG Lead. It is advisable that a deputy or associate executive sponsor also be named to build in durability and continuity to the IG program, in the event that the executive sponsor leaves or is terminated. This is also true of the IG Lead.

iG is an Umbrella Program

IG can be thought of as an overall umbrella program that manages or “governs” information access, risk, quality, protection, privacy, and the information lifecycle across the enterprise. IG is a

Information Governance for Healthcare Professionals Who Should Be Part of an Information Governance Team?

F., Smallwood, Robert. Information Governance for Healthcare Professionals : A Practical Approach, Productivity Press, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/franklin-ebooks/detail.action?docID=5515223. Created from franklin-ebooks on 2022-08-27 15:57:23.

C o p yr

ig h t ©

2 0 1 8 . P

ro d u ct

iv ity

P re

ss . A

ll ri g h ts

r e se

rv e d .

32 ◾ Information Governance for Healthcare Professionals

broad policy framework for enforcing information compliance and accountability, with progress mea- sured by agreed-upon metrics. These metrics must be developed with the input of stakeholders so that they are not only relevant and meaningful, but also accepted by the end users and IG team members.

Having better quality and more trusted information helps improve decision-making and com- pliance capabilities while reducing information risk. Formally embedding an IG program ensures that resources, including budget and management time, are spent to maximize information value while minimizing information risks and costs.

Leveraging Models and Frameworks There are several IG models and frameworks that can help to inform the selection and develop-

ment of an IG steering committee.

the iG Reference Model The core IG steering committee group must include Legal, IT, HIM and RIM, Cyber-security, and

Privacy, at a minimum, provided the organization has these basic functions represented in the organizational structure. (And if these functions are not represented in an organization of today, they should be).

There is precedent for this foundational structure, when looking at the Information Governance Reference Model (IGRM). The IGRM is a simple graphic tool developed by EDRM.net, ARMA International, and the Compliance, Governance, & Oversight Council (CGOC) in consultation with thousands of end users. The IGRM graphically displays the key impact areas of IG programs, shows unified governance and process transparency, and depicts the relationship between infor- mation assets, duty, and value, which can help to educate IG program stakeholders early on and to spur discussion of IG’s cross-functional nature.1

Business pro�t

Value

Create, use

Asset

Privacy and security

risk

Duty Legal risk

RIM risk

Duty: Legal obligation for speci�c information

Asset: Speci�c container of information

Value: Utility or business purpose of speci�c information

Information Governance Reference Model (IGRM) Linking duty + value to information asset = e�cient, e�ective management

IT e�ciency

Dispose

Store, secure

Retain archive

Hold, discover

Policy integration

Uni�e d governance

Process transpar enc

y

F., Smallwood, Robert. Information Governance for Healthcare Professionals : A Practical Approach, Productivity Press, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/franklin-ebooks/detail.action?docID=5515223. Created from franklin-ebooks on 2022-08-27 15:57:23.

C o p yr

ig h t ©

2 0 1 8 . P

ro d u ct

iv ity

P re

ss . A

ll ri g h ts

r e se

rv e d .

Who Should Be Part of an Information Governance Team? ◾ 33

Take note that there is one more group depicted, which is “Business” or business units. The key business unit(s) included in the IG program may reflect a focus on data governance, EHR governance, patient privacy, or reducing legal costs, and will vary based on a particular healthcare organization’s structure, business objectives, and business scenario. Business units provide critical input in IG policy development efforts.

HIM and the governance of EHR information are fundamental to reducing medical mistakes, improving patient outcomes, improving patient satisfaction and retention, reducing litigation and associated costs, and improving overall population health. There may be other business units that are high priority, such as the Business Office function, where improvements in operational effi- ciency can yield significant economic benefits. Beyond that, business units with the highest litiga- tion costs or most difficulty with finding information for everyday tasks, litigation requests, or compliance audits are good places to look for high priority pilot projects under the umbrella of the overall lG program.

Some additional key departments that should be represented on the next tier of the IG steering committee, (depending on the organizational structure and business scenario), may be:

◾ Finance/CFO. Often overlooked is the idea that poor IG can lead to major data breaches and dramatic losses in patient/customer confidence, revenues, and market value of the orga- nization. The case can be made that the CFO shares a fiduciary responsibility to ensure that proper IG controls are in place to help safeguard the organization’s information assets. Also, the CFO will know the status of budgets and can possibly make adjustments or transfers to invest in needed IG program steps. And once IG controls are in place, Infonomics principles may be applied to gain new value or even monetize information.

◾ Chief Data Officer (CDO)/Data governance. As quality clinical data is critical for deliver- ing value and improving patient outcomes and overall population health, this is a key role. All other downstream reports and analytics depend on having clean, accurate, non-duplicate data, so it is critical to have a data governance effort that focuses on capturing accurate data at the source. This can be challenging in healthcare, with the variety of proprietary clinical and laboratory devices that do not always adhere to industry standard data formats.

◾ Risk management. Managing information risk is core to IG efforts. You can see “Risk” noted as a focus in the IGRM graphic under “Legal,” “Privacy & Security,” and “RIM.” If the organization has a formal risk management department, their involvement in the IG program will be valuable. Some organizations may wish to use the ISO 31000 Risk Management standard to guide efforts.

◾ Compliance. HIPAA compliance is critical and HIPAA audits can result in major fines. Compliance efforts focus both externally, regarding regulations and statutory requirements, and internally, to ensure employees follow company policies and procedures, as well as exter- nally imposed requirements.

◾ Human resources. Since IG programs are change management (CM) efforts, HR is central to the communications and training strategy to help embed IG considerations like pri- vacy and security into routine business processes. Emphasizing compliance with IG policies and procedures in employee performance reviews will involve working with HR to develop meaningful metrics. Training should be conducted regularly and consistently, using mul- tiple modalities.

◾ Change management. If the organization has a formal CM function, this group can play a key role, as all IG programs are fundamentally CM efforts. Often an external consultant can assist in developing the CM plan to complement IG efforts.

.

F., Smallwood, Robert. Information Governance for Healthcare Professionals : A Practical Approach, Productivity Press, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/franklin-ebooks/detail.action?docID=5515223. Created from franklin-ebooks on 2022-08-27 15:57:23.

C o p yr

ig h t ©

2 0 1 8 . P

ro d u ct

iv ity

P re

ss . A

ll ri g h ts

r e se

rv e d .

34 ◾ Information Governance for Healthcare Professionals

◾ Analytics. Applying advanced analytics to clean, accurate data can yield a variety of benefits in healthcare, namely the improvement of clinical outcomes and financial performance. Additional advances can be made in improving patient satisfaction and perhaps even some new insights and innovations in patient care. Further, there may be new ways to improve operational efficiency, and beyond that, monetize and leverage aggregated or anonymized data with suppliers or business partners. “Harnessing the value of information is one of the foundational purposes of IG, but an IG program also must balance the goals of analytics against information risks and retention requirements.”2

◾ Audit. The Audit department can play a key role in measuring IG program progress based on meaningful, pre-established metrics which have been developed and approved by the IG team. Metrics provide management feedback for continual improvement and program fine- tuning. Audit findings can provide crucial input for decision-making within an IG program.

introducing the information Governance Adoption Model™ for Healthcare

In February, 2016, AHIMA launched healthcare’s first Information Governance Adoption Model™ (IGAM) via IGHealthRate™, an assessment tool.3 The IGAM is an extension and expan- sion of the IG Reference Model, although it does not go so far as to diagram inter-relationships and reflect the roles of risk (specifically, information risk) and change management, which are key components of IG programs.

The IG Adoption Model™ can help spur discussion in the beginning stages of IG program planning, and can also assist in highlighting key areas for representation in the IG Program Steering Committee.

According to AHIMA, the 10 IG organizational competencies depicted in the model can be assessed based on key markers on a scale of IGAM Level 1™ (lowest, least mature) to IGAM Level 5™ (highest), to determine maturity levels and to conduct a gap analysis to determine the tasks needed to move the organization up the maturity scale to the desired level of improvement.

Awareness and adherence

Enterprise info mgnt.

IG performance

Analytics

IT governance

Data governance

Legal and regulatory

AHIMA’s Information Governance Adoption Model

(IGAM) competencies

IG structure

Strategic alignment

Privacy and security

F., Smallwood, Robert. Information Governance for Healthcare Professionals : A Practical Approach, Productivity Press, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/franklin-ebooks/detail.action?docID=5515223. Created from franklin-ebooks on 2022-08-27 15:57:23.

C o p yr

ig h t ©

2 0 1 8 . P

ro d u ct

iv ity

P re

ss . A

ll ri g h ts

r e se

rv e d .

Who Should Be Part of an Information Governance Team? ◾ 35

Analyzing the iGAM™ for iG team Staffing In the IGAM™ we can see that, as with the IG Reference Model, Privacy and Security are

represented, as is Legal & Regulatory. Also, Data Governance and Analytics are represented, furthering the argument to include representation of these functions on the IG steering commit- tee. IT governance, that is, leveraging frameworks (e.g. CoBIT5) in the IT department to make it more efficient and accountable, while getting results that contribute to organizational business objectives, is also represented. The employee in charge of IT governance, likely the CIO, should be considered a major stakeholder. The CIO is also accountable for enterprise information manage- ment (EIM), a major aspect of IG.

IG structure and strategic alignment are mostly responsibilities of the executive sponsor and IG Lead, with input from the entire committee. IG performance could be measured quantitatively by the CFO or an internal audit professional, and monitored by the Executive Sponsor.

IG awareness is largely the job of the Executive Sponsor and IG Lead, with assistance from HR or the training department. IG Adherence and IG Performance should be monitored by the Executive Sponsor using established metrics, perhaps audited by the CFO or an internal auditor.

In Summary

It is abundantly clear that implementing IG programs requires a cross-functional approach to facilitate sharing and leveraging information. IG has a wide reach and effective IG brings together stakeholders from across the organization and builds on their synergies to better govern and opti- mize information.

Information governance programs are heavily focused on information quality, security, and privacy. As a cross-functional discipline, it is challenging to muster and manage scarce resources to address enterprise issues that do not belong clearly to established functional groups like IT or Legal. Managing and prioritizing these information asset challenges requires the same type of planning and control used historically for deploying and managing capital assets. Managing and leveraging information assets means that new opportunities and value may be found that can provide a sustainable competitive advantage to the organization.4

Major executive Sponsor Role Throughout this book, one key fact is emphasized repeatedly: Securing a sponsor at the execu-

tive management level is critical—it is the most important factor for IG success. In fact, it is so important it may be advisable to name a separate deputy executive sponsor, or to have the IG steering committee chair also serve as a deputy or co-executive sponsor.

Strong executive sponsorship is a key IG Best Practice. Program failure is a great risk with- out an active and engaged executive sponsor. Such a program likely will fade or fizzle out or be relegated to the back burner. Without strong high-level leadership, when things go awry, finger pointing and political games may take over, impeding progress and cooperation.

According to studies, the two most common IG executive sponsors are General Counsel and the CIO. Sometimes IG programs are led by an organization’s General Counsel, and they may be well-versed in privacy law, but they may not have the technology competencies to understand exactly how to apply complex new IG-enabling technologies, and they may have a basic under- standing of retention schedules but are not well-versed in HIM Best Practices. Sometimes IG

F., Smallwood, Robert. Information Governance for Healthcare Professionals : A Practical Approach, Productivity Press, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/franklin-ebooks/detail.action?docID=5515223. Created from franklin-ebooks on 2022-08-27 15:57:23.

C o p yr

ig h t ©

2 0 1 8 . P

ro d u ct

iv ity

P re

ss . A

ll ri g h ts

r e se

rv e d .

36 ◾ Information Governance for Healthcare Professionals

programs are led by the CIO, who may be well-versed in security and aware of privacy issues, but often CIOs and HIM managers don’t speak the same language: a “record” means something totally different to a CIO than to a HIM manager; also, legal research is not the CIO’s job and the general counsel will always have to make those decisions anyway.

Executives must be on board and a primary executive sponsor driving the IG effort is needed in order to garner the necessary resources to develop and execute the strategic IG plan. That execu- tive must be held accountable for the development and execution of the plan.

Resources are needed—time, human capital, budget money, new technologies. The first is a critical element: It is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict and consistent follow-up, support, and com- munication. In fact, IG program progress should be measured in performance reviews of key players on the IG steering committee and for stakeholder groups.

The executive sponsor serves at least six key purposes in an IG program:

1. Budget. The executive sponsor ensures an adequate financial commitment is made to see that project milestones are met and lobbies for additional expenditures when change orders are made or cost overruns occur.

2. Planning and control. The executive sponsor sets direction and tracks accomplishment of specific, measurable business objectives.

3. Decision‑making. The executive sponsor makes or approves crucial decisions and resolves issues that are escalated for resolution.

4. Expectation management. The executive sponsor must manage expectation, since success is quite often a stakeholder perception.

5. Anticipation. Every project that is competing for resources can run into unforeseen block- ages and objections. Executive sponsors run interference and provide political might for the IG Lead or program manager (PM) to lead the project to completion, through a series of milestones.

6. Approvals. The executive sponsor signs off when milestones and objectives have been met and signs contracts for the acquisition of new information technologies and services.

The higher level the executive sponsor is in the organization, the better. The CEO wields the most authority, and some IG programs are sponsored by the CEO, particularly where there has been a major breach, costly litigation, or major regulatory fines. With CEO sponsorship come many of the key elements needed to complete any successful project, including allocated manage- ment time, management priority, and budget money.

Critical and Sometimes Fickle Executive Sponsor Role

There may be a clear executive sponsor at some point early on but when that person realizes they will be held accountable for the performance of groups outside their direct control (and com- petitors at their corporate level can then sabotage progress), they might look for cover and find a way to postpone, de-prioritize, or kill the IG program. Focusing efforts on clearly established business objectives will largely reduce this inherent problem of conflicting agendas. (Having a deputy executive sponsor will also shore up the executive sponsor role).

Sometimes all an unenthusiastic executive sponsor has to do is wait for the natural inertia of the over-sized and lethargic IG steering committee to weigh things down, and soon other projects and programs that are more routine and cost-justifiable in the short term take resources from the

F., Smallwood, Robert. Information Governance for Healthcare Professionals : A Practical Approach, Productivity Press, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/franklin-ebooks/detail.action?docID=5515223. Created from franklin-ebooks on 2022-08-27 15:57:23.

C o p yr

ig h t ©

2 0 1 8 . P

ro d u ct

iv ity

P re

ss . A

ll ri g h ts

r e se

rv e d .

Who Should Be Part of an Information Governance Team? ◾ 37

IG effort. It then may fade into the background until there is a new litigation disaster, major com- pliance failure, massive security breach, or other such negative IG drivers.

According to surveys and research, the implementation of an IG program is more and more often being driven by the Legal department, General Counsel or Assistant General Counsel, or the chief information officer (CIO). Other IG programs may be led by the chief risk officer, chief information security officer (CISO), or, ideally, as the Sedona Conference has recommended, a Chief IG Officer (CIGO).

The CIGO must have the mandate and authority to drive the program forward and should have overlapping skillsets that include expertise in e-discovery, cyber-security, information pri- vacy, data governance, health information management (HIM) and general records management, IT, and business operations.

the emerging Role of the CiGo A key challenge is that because of the interdisciplinary requirements for implementing IG, no

one seems to want to own IG. It touches on parts of the strengths of a CIO or General Counsel or HIM Manager or Information Security Manager or Chief Compliance Officer, but it also requires that they go out of their comfort zone into new areas.

So where should IG reside? Who should be in charge of an IG program? There is a need for a new job title to pull all these disciplines together into a cohesive IG pro-

gram: CIGO. This has been promoted by the Sedona Conference® and other organizations. The CIGO should be a highly competent manager who has broad operations experience and

competencies: near-expert not only in IT, but also legal and compliance issues, data governance tools and methods, HIM issues, privacy issues, information security tools and techniques, and business issues. They must also have outstanding communications and management skills. That is a challenging job description.

A CIGO can act in a coordinating function, but lacking authority, their efforts will likely be met with resistance. Because of its requirements, the organization can leverage the authority of the executive sponsor, or even consider granting the CIGO authority over the CIO, chief infor- mation security officer (CISO), chief privacy officer (CPO), and even CFO. The CIGO could be very nearly a chief operations officer (COO), and that is an option for whom the CIGO reports to, if not the EVP of Risk—or even the Administrator or CEO. It is a crucial job that mostly is not being filled. However, there is a great need for it, and it due to its focus, a well-prepared CIGO could lead the IG effort and produce consistent, tangible results.

Assigning team Roles and Responsibilities The executive sponsor must designate an IG Lead or program manager—perhaps even a Chief

IG Officer—and depending on the focus of the IG effort, that person could come from one of several areas including legal, infosec, risk management, HIM/records management, or IT.

When assigning the roles and responsibilities of the remainder of the IG team, the easy deci- sion is to have IG team representatives take responsibility for the functional areas of their exper- tise. Nevertheless, there will be overlap, and it is best to have some pairs or small workgroups teamed up to gain the broadest amount of input and optimum results.

This will also facilitate cross-training. For instance, inside legal counsel may be responsible for rendering the final legal opinions, but not being an expert in HIM or document management or risk

F., Smallwood, Robert. Information Governance for Healthcare Professionals : A Practical Approach, Productivity Press, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/franklin-ebooks/detail.action?docID=5515223. Created from franklin-ebooks on 2022-08-27 15:57:23.

C o p yr

ig h t ©

2 0 1 8 . P

ro d u ct

iv ity

P re

ss . A

ll ri g h ts

r e se

rv e d .

38 ◾ Information Governance for Healthcare Professionals

management means they could benefit from input of others in specialized functional areas, which will inform them and help narrow and focus their legal research. So when performing the basic research as to which regulations and laws apply to the organization regarding security, retention, and preservation of patient records and PII, the initial research could be conducted by the HIM or records manage- ment head, in consultation with the corporate archivist and CIO, with the results of their findings and recommendations drafted and sent to the legal counsel. The draft report may offer up several alterna- tive approaches that need legal input and decisions. Then the legal department can conduct their own, focused research, and make final recommendations with consideration given to the organization’s legal strategy, business objectives, financial position, and applicable laws and regulations.

The result of the research, consultation, and collaboration of the IG team should be a final draft of the IG strategic plan (see Chapter 9 for more detail). It will still need more input and development to align the plan with business objectives, an analysis of internal and external driv- ers, applicable Best Practices, competitive analysis, applicable information technology trends, an analysis and inclusion of the organization’s culture, and other factors.

Caveat: the importance of a tiered iG Steering Committee for expediency

When reviewing research and anecdotal observations on IG programs it is clear that often IG efforts are slow to start, can get delayed or put on hold, and then re-start, and that sometimes the IG effort is abandoned, put on a shelf. Then later, executives realize that the “IG problem” (e.g. deaths and injury from medical mistakes, non-compliance fines, risks of colossal information breaches, soaring litigation costs, failure to capitalize on emerging opportunities by leveraging analytics) is not going away—so the IG program re-starts again.

One of the root causes of sluggish IG efforts is the basic failure to structure the IG steering commit- tee properly, and to consider the realities of group dynamics, corporate politics, scheduling, and program management.

Since IG efforts are by nature cross-functional and require the involvement of key stakeholder groups, IG steering committees can become large and unwieldy. Also, the politics can become crippling, causing progress to slow and threatening the continuation of the IG program.

In practice, there have been IG steering committees of 15, 18, even 20 or more individuals representing the various functional groups in a large organization. Managing the needs and inputs of this broad swath of stakeholders is inherently challenging.

Due to the expanse of an IG program, the IG program team or steering committee should be set up with a tiered structure. The core departments driving the IG program, or “top tier” should be:5

◾ Legal. Because legal considerations are paramount, the legal department must be deeply involved and perhaps lead the IG program. Legal is best represented at a high level by the General Counsel, Assistant GC, or a senior legal officer. Legal costs and liabilities can soar with poor IG, further underscoring the importance of efficient legal functions. Further, Legal must implement “litigation response protocols” and drive e-discovery efforts—which inherently involve IT and records management policies, two other core stakeholders in IG programs. The legal department also must provide guidance on privacy breach response protocols and render opinions on privacy matters to ensure compliance.

◾ Information technology. IT is key to IG efforts, as IG requires IT for data and IT gov- ernance, and for tracking sensitive information, applying automated controls, auditing,

F., Smallwood, Robert. Information Governance for Healthcare Professionals : A Practical Approach, Productivity Press, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/franklin-ebooks/detail.action?docID=5515223. Created from franklin-ebooks on 2022-08-27 15:57:23.

C o p yr

ig h t ©

2 0 1 8 . P

ro d u ct

iv ity

P re

ss . A

ll ri g h ts

r e se

rv e d .

Who Should Be Part of an Information Governance Team? ◾ 39

implementing business process redesign, and more. Organizations must leverage IT to improve efficiencies and monitor the effectiveness of the IG program. Also, IT must work with Legal, HIM, and RIM to preserve the organization’s electronically stored information (ESI) in legal matters.

◾ Health Information Management (HIM) and Records and Information Management (RIM). The HIM department is responsible for managing patient health records in accor- dance with privacy laws and retention regulations. Safeguarding these records is mission- critical and a key factor in maintaining patient trust. RIM is responsible for maintaining corporate business records to ensure compliance with applicable statutory and regulatory requirements. HIM and RIM must also work with Legal to execute e-discovery functions.

◾ Information Security. “InfoSec” or “cyber-security” is responsible for keeping the organiza- tion’s databases and confidential information secure, and providing policy input, techniques, and IT to prevent the loss of intellectual property (IP). InfoSec has played an increasingly greater role in IG programs due to colossal data breaches, privacy concerns, and reputational risk;

◾ Privacy. The Privacy group must conduct research and provide policy guidance for the handling of protected health information (PHI), personally identifiable information (PII), credit card information (PCI), and other sensitive patient and employee information. The goal is to have privacy considerations “baked in” to everyday business processes, so that, “privacy by design” may be achieved.6 This is a key aim of IG programs.

The tiered strategy can be employed to make these IG planning teams more effective, agile, and accountable: A tiered IG steering committee with staggered meeting requirements will bring in only those needed to a meeting, while not wasting everyone else’s time.

Otherwise, the IG program initiative will follow the same predictable and sluggish cycle it did before, only with a slightly different set of players.

Below are some guidelines for structuring an IG steering committee for better results:

Collepals.com Plagiarism Free Papers

Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.

Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS

Why Hire Collepals.com writers to do your paper?

Quality- We are experienced and have access to ample research materials.

We write plagiarism Free Content

Confidential- We never share or sell your personal information to third parties.

Support-Chat with us today! We are always waiting to answer all your questions.