Way Forward: AHIMA Develops Information Governance Principles to Lead Healthcare Toward Better Data Management

By Sofia Empel, PhD

Picture these scenarios: Jane’s role as health information management (HIM) director recently expanded to include her hospital’s non-clinical information such as human resources, legal, finance, and marketing. According to the senior leadership of John’s health insurance company, he must align their existing information governance (IG) program with the company’s strategic goals. And Carol, who works for a health information exchange (HIE), is charged with building an IG program from the ground up.

Although these health information professionals have three different imperatives, all of them can achieve their objectives using AHIMA’s newly developed Information Governance Principles for Healthcare (IGPHC).

IGPHC Helps Standardize Information Strategy

IGPHC is an information governance framework specific to the healthcare industry which establishes a foundation of best practices for IG programs in the form of eight principles:

  • Accountability
  • Transparency
  • Integrity
  • Protection
  • Compliance
  • Availability
  • Retention
  • Disposition

(Hint: remembering the principles is made easy by using the mnemonic device “A TIP CARD”). A short description of each principle can be found [below].

To appreciate IGPHC, it’s helpful to first understand the concept of IG. AHIMA defines IG as “An organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.”

In effect, IGPHC is a group of fundamental norms, values, and rules used to comprehensively govern an organization’s information management strategy, whatever it may be, from cradle to grave. It provides a framework of IG best practices; a model for program development; a means of benchmarking against peers; and a plan for legislative, judicial, accreditation, and organizational policy mapping.

Consider our three scenarios. Jane’s hospital most likely focuses its information management strategy on patient health records, while John’s health insurance company concentrates on reimbursement transactions. And Carol’s HIE probably emphasizes the sharing of data among its members. Although these organizational missions are different, their information governance concerns are the same—complete, current, and accurate information to the right person or entity at the right time.

Considered collectively, the principles of IGPHC paint a picture of what good IG would look like for providers and non-providers alike, big or small, public or private. IGPHC allows an organization to get a high-level view of its IG initiatives. This perspective then can be used internally by the organization to guide its IG actions, and externally by stakeholders to judge the effectiveness of the organization’s IG program.

Principles of the IGPHC

The following is a summary of the eight principles included in the Information Governance Principles for Healthcare (IGPHC). To access the full text of the principles and guidance on implementing them, visit www.ahima.org/topics/infogovernance.

Principle of Accountability

An accountable member of senior leadership, or a person of comparable authority, shall oversee the information governance program and delegate program responsibility for information management to appropriate individuals. The organization should adopt policies and procedures to guide its workforce and agents and ensure that its program can be audited.

Principle of Transparency

An organization’s processes and activities relating to information governance should be documented in an open and verifiable manner. Documentation shall be available to the organization’s workforce and other appropriate interested parties within any legal or regulatory limitations and consistent with the organization’s business needs.

Principle of Integrity

An information governance program shall be constructed so the information generated by, managed for, or provided to the organization has a reasonable and suitable guarantee of authenticity and reliability.

Principle of Protection

An information governance program must ensure that the appropriate levels of protection from breach, corruption, and loss are provided for information that is private, confidential, secret, classified, essential to business continuity, or otherwise requires protection.

Principle of Compliance

An information governance program shall be constructed to comply with applicable laws, regulations, standards, and organizational policies.

Principle of Availability

An organization shall maintain information in a manner that ensures timely, accurate, and efficient retrieval.

Principle of Retention

An organization shall maintain its information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements.

Principle of Disposition

An organization shall provide secure and appropriate disposition for information no longer required to be maintained by applicable laws and the organization’s policies.

Why IGPHC Needed to Be Developed

AHIMA recognized that the five “Vs” of data—volume, variety, veracity, velocity, and value—are substantially different in an electronic environment than a paper one. Electronic data require not only a bottom-up approach to information management, but also a top-down approach using information governance.

It’s important to know the difference between governance and management. Governance is strategic, while management is tactical. Governance is top-down and answers “what needs to happen,” while management is bottom-up and addresses “how to get it done.” Governance sets organizational goals, direction, and limitations, whereas management oversees the day-to-day operations of the organization.

With this in mind, AHIMA set out to establish a set of comprehensive IG principles to guide organizations that interact with and manage healthcare information. Some examples of these organizations include healthcare service providers in all settings and non-providers such as information exchanges, claims administrators, payers, and researchers. The data that need to be governed encompasses all the information of a given organization, both clinical and non-clinical, and in all formats, both electronic and analog.

AHIMA developed the IGPHC specifically for a broad range of healthcare organizations—regardless of type, location, or size—to govern information across all functions of the organization.

Developing IGPHC Required a Balance of Priorities

AHIMA gathered together healthcare industry leaders and IG experts from other industries to adapt the IGPHC from ARMA International’s “Generally Accepted Recordkeeping Principles.” The IGPHC Taskforce developed the principles, and afterward two groups vetted them independently: the IG Advisory Group and the AHIMA-appointed review group. The IGPHC Task Force then revised the IGPHC according to those recommendations.

These thought leaders developed IGPHC based on practical experience, information theory, and legal doctrine inside and outside healthcare. The areas of expertise represented were HIM, records and information management (RIM), information governance, informatics, health information exchange (HIE), quality improvement, medicine, nursing, information technology (IT), law, privacy, security, and financial operations.

The IGPHC Task Force considered values important to healthcare such as accuracy, timeliness, accessibility, and integrity when developing the principles. They also accounted for the many competing interests of information stakeholders such as workforce, regulators, auditors, patients, and society. The group then distilled all of this detail down to eight IG principles, which were created to be applicable across all healthcare industry organizations.

IGPHC and the Organization

As a best practice framework, IGPHC assists organizations in operating effectively while ensuring compliance with legal requirements and other duties and responsibilities. By promoting robust and repeatable processes, IGPHC helps establish policy, prioritize investments, determine accountabilities, protect information with suitable controls, and more generally reduce risk.

Think about the implications to the above scenarios of having one authoritative IG source, namely IGPHC, and then consider the healthcare industry more generally. According to IGPHC, the information initiatives of Jane, John, and Carol in the above scenarios require long-term and overarching policies, elevating their projects from operational to strategic perspectives. More importantly, IGPHC alerts organizations to the need for comprehensive information governance across an industry sometimes too bogged down by “how” (tactics) to determine “what” (strategy).

Maturity Model Evaluates Information Governance

AHIMA’s Information Governance Maturity Model provides a scalable IG framework so organizations can access what they are doing well and where they need improvement when using the eight IGPHC principles. The model organizes and measures IG risks in a structure that can be easily understood and implemented by many different stakeholders and audited periodically.

The maturity model allows a healthcare organization to assess its processes and procedures according to IG best practices and a clear set of external benchmarks. Maturity for each IGPHC principle is ranked on a scale from one to five, with one being “sub-standard” and five being “transformational.”

Most organizations will not be at the same level of maturity for each principle, which is not only expected but acceptable. Sometimes an organization may even be in-between levels, scoring a 4.5 in accountability, for example. Few, if any, organizations will score 5 in every category, much less even one, since information governance is a continuous improvement process.

The maturity model permits an organization to focus on those areas of IG that it deems important. This can be certain principles, a particular part of the organization, or even a specific process or procedure. This type of scalability promotes a natural progression of IG improvement in terms of expectations and, more importantly, resources.

Knowing a maturity level for each IGPHC principle allows an organization to improve in that area and make decisions for future actions based on its risk appetite. The maturity model can be used for gap analysis, benchmarking, risk assessment, and program evaluation and development.

The maturity model is expected to be available by the end of the year. Watch AHIMA’s website, www.ahima.org, for more details.

IGPHC and the Practitioner

Healthcare information professionals benefit from IGPHC by using it for IG program development, benchmarking, compliance initiatives, and auditing. IGPHC can be applied repeatedly and in similar circumstances, allowing the information professional to practice consistently and confidently.

Further, IGPHC resonates with senior leadership when it’s used as a framework to connect the organization’s values with its actions. The principles—either individually or collectively—provide common “talking points” for a large variety of stakeholders, including the practitioner, senior leadership, IT, compliance, and legal, to get on the same page and move forward together with an information governance project. Furthermore, by using AHIMA’s associated maturity model (see sidebar above), a practitioner can help guide the organization’s future IG decision-making and actions by tracking their progress against IG Maturity Model benchmarks.

Remember Jane, John, and Carol? IGPHC could help them determine “what” needs to be done based on their organization’s objectives. Then they could use the maturity model to measure where the organization’s IG is today, determine where it should be in the future, and develop priorities for “how” remediation and improvement will be accomplished. Afterward, they can follow-up with routine monitoring, periodic reassessments, and regular audits to ensure IG compliance and to promote continuous improvement.

Information in the 21st Century

For many years the healthcare industry has acknowledged that information management is becoming increasingly complex—volume is increasing, variety is unparalleled, veracity is sometimes questionable, velocity is lightning fast, and value is increasing. For these reasons, AHIMA’s IGPHC and its associated IG Maturity Model are powerful tools in the governance and management of organizational information.

Like other frameworks, IGPHC is not intended to be prescriptive, nor is it intended to be used in the same way by every organization every time. The purpose of IGPHC is to provide points of reference for generally agreed upon IG best practices in order to conduct operations effectively while ensuring compliance with legal requirements and other duties and responsibilities. In fact, good information governance increases quality of care and patient safety, improves population health, increases operational efficiency and effectiveness, and reduces costs.

What would Jane, John, and Carol say about IGPHC? That it’s good for the organization, good for the information professional, and good for the healthcare industry.

Sofia Empel (sempel@infocentricstrategies.com) is president and chief information governance consultant at InfoCentric Strategies and a member of the AHIMA Information Governance Principles for Healthcare Task Force

Article citation:
Empel, Sofia. "Way Forward: AHIMA Develops Information Governance Principles to Lead Healthcare Toward Better Data Management" Journal of AHIMA 85, no.10 (October 2014): 30-32.