By Mary Butler
Between 2015 and 2016, information governance (IG) went from being an esoteric concept to a new way of life for some healthcare professionals. In 2015, AHIMA recruited 11 healthcare organizations, including vendors, hospitals, physician practices, and regional health information organizations, to follow or “pilot” AHIMA’s Information Governance Adoption Model (IGAM).
Last year these forward-thinking organizations immersed themselves in the day-to-day strategies and principles that drive the IGAM in a quest to strengthen the integrity and value of their organization’s information, and serve as an example for their healthcare peers. While it’s still early in the journey for most of these organizations, the lessons they’ve learned so far and the early challenges they encountered are illuminating for those who have yet to take the IG plunge.
The IGAM is designed so that users of the framework can choose from multiple entry points. These entry points are the 10 core competencies that are essential for a successful IG infrastructure. However, there are three “must do” areas that organizations interested in IG can get started on right away, according to the model. These initiatives can garner some early wins for IG supporters and can be parlayed into broad organizational and executive support for an expanded IG program.
The IG must-dos, according to the developers of the IGAM, are:
- Creating an information asset inventory
- Starting a data governance initiative
- Refining record retention schedules and projects
Vendors Jump Aboard the IG Bandwagon
As Sally Beahan, MHA, RHIA, director of HIM at the University of Washington Medicine, and her team have delved deeper into information governance in their organization, they have increasingly asked their vendors and business associates to step up their own governance policies as well. One positive benefit of UW Medicine’s information asset inventory and lifecycle management efforts is that it identified opportunities for improvement with vendor contracts.
“The best example we can all relate to is dictation. Most of us outsource our dictation to an outside company and they keep those dictation voice files forever,” Beahan says.
She now asks that her dictation vendor destroy all of the files UW Medicine sends them, which they now have to pay for because the vendor’s databases aren’t designed for easy disposal of files. Beahan has told vendors that they should be prepared as more providers tackle IG.
“They’re like ‘Thanks for bringing this up, we haven’t thought about this.’ We’re trying to educate them too. This is where HIM leadership is going to start asking these questions and if they can think about it ahead of time, we’re all going to gain,” Beahan says.
Going forward Beahan would like to have new vendors sign agreements similar to Business Associate Agreements (BAA), which are usually used for HIPAA compliance, only with the agreements focusing on lifecycle management.
“I’m envisioning that it would look similar to a BAA, and that we would embed that at the beginning of every single contract that we create, with any vendor that has to do with data and information assets and all of those things. And what a beautiful thing to be able to put that stopgap at the very beginning,” Beahan says.
Like UW Medicine, the release of information vendor Bactes was an early adopter of AHIMA’s IG tools. Bactes executives know that it’s important to be able to use information efficiently and effectively to achieve business objectives and make better decisions in today’s healthcare market. Bactes President Jim Bailey says hospitals and providers are very concerned about the security practices affecting the healthcare industry, but don’t always have the time to research their vendors’ practices. If Bactes has the ability to prove their IG efforts to their partners, it will foster collaboration, information sharing, and decision making, and give them a competitive advantage over other vendors.
“I think the challenge that many hospitals have is that they’re just trying to keep up and it’s hard for them to be proactive on IT privacy and security around topics like IG,” Bailey says. “A vendor that has taken the time and effort to maximize their information and its governance will be a greater asset and better partner.”
Project #1: Information Asset Inventory
Creating an information asset inventory is a foundational activity whether an organization is trying to implement an IG program or is simply doing a risk analysis, says Dan Rounds, president of Immersive, a company that helps healthcare organizations with information management, lifecycle management, and data governance.
An information asset inventory is a tool that lists all of the information owned by an organization. The list would include a number of details regarding each asset. Some of the information gathered would relate to the operating/functional unit or department (human resources, finance, health information management [HIM], etc.), the database owner, asset name, type of information (electronic, paper, removable media), the information’s availability, security, integrity, and its record retention period. Having the master information asset inventory list readily available will allow organizations to treat their information as the valuable asset that it is throughout its entire lifecycle. This allows for organizations to make informed business decisions based on their trustworthy and reliable information.
“We think about it [an information asset inventory] as a starting point for anything around lifecycle management… You need to understand what you have in order to understand what you’re held to, and apply data lifecycle management principles to them,” Rounds says. “For instance, if you haven’t done a systems inventory or an inventory of your business associates or any kind of inventory, it’s awfully hard to include them in a risk management program.”
Creating an information asset inventory was key for the University of Washington Medicine (UW Medicine). It was so important that Christine Taylor, records officer, and Sally Beahan, MHA, RHIA, director of HIM at UW Medicine, recruited three HIM students to help work on the inventory as part of their college capstone project. UW Medicine is an integrated delivery system that is home to three public hospitals, another affiliated hospital, clinics, a school of medicine, an airlift service, and other provider types. Beahan and Taylor began their information asset inventory before they started working with AHIMA on IG—and maintaining the inventory has significantly helped their IG efforts.
Taylor says the project was a good fit for HIM students because they would be able to get a sense of the scope and breadth of working with enterprise information management. Students were able to understand where medical records fit in amongst all the types of records in a healthcare system. Taylor and Beahan developed a survey and questionnaire for their project, trained the students on those tools, and then allowed the students to sit in on interviews that the HIM staff were conducting. Each database owner was slated for an interview; these owners were spread out through the various departments of the organization. With the large number of necessary interviews, the students were eventually able to conduct these on their own.
So far, the students, UW Medicine record management staff, and Taylor and Beahan have used their survey and questionnaire to interview 200 people in their system and have identified 450 database applications system-wide. Interestingly, the interviewing is not done and there are still many more to conduct. While UW Medicine hopes to complete their interviews by July 2017, their organization is already reaping benefits from the project. Taylor says they’ve discovered record series that are now being added to their retention schedule and objectively identifying just how many systems feed into UW Medicine’s electronic health record (EHR) system. (See this month’s Road to Governance column for more information about the HIM students’ work at UW Medicine.)
“The work that Christine’s team is doing is bringing the conversation about what information governance is to the forefront,” Beahan says. “And it’s helping us get our customers, users, clients, and colleagues on board, if you will, around why you need to be thinking about this a different way than we have in the past.”
Project #2: Data Governance Initiative
Savvy HIM professionals know that data governance and information governance are not the same thing, yet Immersive’s Rounds, who consults with companies doing data governance projects, says many people confuse the two. Data governance is more granular and smaller—and some might say “easier” in scale—than IG. Data governance focuses on the actual creation of pieces of data, while information governance focuses on using all of that data and transforming it into trustworthy and reliable information. According to Rounds, a lot of data lifecycle management activities fall under that data governance bucket.
When doing a data governance project, ask the following: How is a data element used? Where is it used? How is it created? Does it have integrity? Once a person knows the answer to these questions, the data can be used more effectively. For example, record retention schedules and projects on master data management and metadata management are examples of data governance because, “You have to manage data if you keep it. You don’t have to spend time and energy managing it if you don’t [keep it],” Rounds says.
Kyle McElroy, MS-HAS, RHIA, assistant vice president of HIM at Iasis Healthcare, found that the patient matching cleanup that was part of his organization’s IG initiatives proved to be a good way to demonstrate some quick wins in IG.
“Finding that single patient and merging those records together and getting them in the same location—which HIM professionals pretty much do all the time—that’s a pretty quick win if you can apply some cost avoidance to this,” McElroy says.
IG’s Tie to Interoperability
Louis Galterio, MBA, CPHIMS, FHIMSS, president and founder of the regional health information organization (RHIO) Suncoast Health, chose to be one of the first organizations to adopt AHIMA’s information governance (IG) tools and resources because of the nature of a RHIO’s work. RHIOs like Suncoast, which started out serving southwest Florida, bring together healthcare providers, payers, laboratories, and public health departments to facilitate information exchange in a given region. This capability requires interoperability amongst all of the different types of stakeholders. Galterio estimates that Suncoast has approximately 1,000 clients, including hospitals and physician practices.
But Galterio stresses that interoperability as a concept is much broader than ensuring that two or more EHRs can “talk” to each other. “It’s not just interoperability of software, but interoperability of all moving pieces,” Galterio says. “If you have multiple components of anything, and they’re not all held to the same high standards of quality, then somewhere along the line you’ve just increased the chances of something going wrong by a whole lot. Information governance takes all of those pieces and puts them on an equal playing field of quality, which I think is very important.”
Since RHIOs are subject to government certifications, Galterio says the government expects them to be “pristine” in everything that they do. Therefore, IG impacts interoperability “by getting as close to scrubbing the data that goes from department to department,” he says.
Galterio says that since implementing IG his organization has been able to make decisions more quickly and with a higher degree of confidence. Most importantly, he’s avoided paying fines and being audited.
“How do you put a value on that?” he asks.
Project #3: Record Retention Schedules and Projects
Another part of McElroy’s IG plan involved record retention. Iasis is headquartered in Franklin, TN, but has hospitals spread across the United States including Utah, Arizona, and Texas. McElroy said he wanted a good organizational view of all the records owned by the integrated system in one location. And as his company transitions to a new EHR for its electronic records, McElroy wanted to make sure existing paper records were in order.
Iasis collaborated with a third-party record retention company that worked with hospital staff to do an inventory of where paper records were stored. They did walkthroughs of the hospitals and took steps to determine if there were records stored in sheds or warehouses off of hospital campuses.
“This is a surprising operation. You would think that you wouldn’t find a lot, but you uncover these cabinets and rooms where there’s information. Making sure we’re identifying and making a plan for that known inventory is really important,” McElroy says.
The benefits of inventorying an organization’s records and identifying records that can be destroyed were clear for McElroy. Being able to terminate storage contracts with the places where older records that no longer have a business purpose can be destroyed can provide a huge cost savings. Designing a timeline for record destruction is helpful and helps to ensure that the organization is compliant with both state and federal record retention laws.
Ongoing Challenges in IG Adoption
While AHIMA’s IG team members have seen clear successes and improvements in the organizations that have chosen to adopt AHIMA’s tools, other organizations are still experiencing internal resistance to change. This means that HIM professionals are going to have to focus on education.
Katherine Downing, MA, RHIA, CHPS, PMP, senior director of information governance at AHIMA, says that one of the universal IG challenges that HIM professionals are having is getting all the right people in an organization to understand and support IG.
“The collaborative aspect is the piece that people tend to miss,” Downing says.
Also, getting people to understand why they need to move forward with IG is difficult. Downing feels that the difference between being reactive and planning proactive efforts is key—and the answer to “why do this now?” For example, people need to be proactive with risk and breach management because being reactive means that a big problem has already occurred. In the case of a breach, there are a lot of costs associated with mitigating risks and breaches. That is the reactive approach. A proactive approach would include implementing a proactive monitoring system to detect breaches, employing a breach response team, and having the proper policies and procedures in place for risk management. Often times, organizations are already working on IG-related projects but these projects aren’t recognized as “IG.” If an organization can compile all of the current projects that can also be considered IG, they can gain the leverage necessary for executive support.
“Time, resources are crunched right now—a lot going on in hospitals. Until you show dollars and cents it is hard to get people to believe it (IG) is worthwhile,” Downing says.
Rounds says part of the trouble for HIM and IG may stem from the fact that HIM isn’t very visible in a lot of organizations. Where he’s seen HIM be successful is when they pair up with physicians on an IG-related initiative. Since it can be hard to get an enterprise-wide IG program going, Rounds advises HIM professionals to take on smaller problems that require their unique skill set.
“Find something to latch yourself to. Find something tactical, of high value within the organization, and gain that credibility, gain that visibility to the organization by tackling that, leading that, spearheading that or maybe just contributing to it,” Rounds says. “That’s how you start to change culture and perceptions over time.”
Mary Butler (firstname.lastname@example.org) is associate editor at the Journal of AHIMA.
"Three Practical IG Projects You Should Implement Today"
Journal of AHIMA