Evaluating the Information Governance Principles for Healthcare: Compliance and Availability

By Galina Datskovsky, PhD; Ron Hedges, JD; Sofia Empel, PhD; and Lydia Washington, MS, RHIA

Editor’s Note: This is the third in a series of four articles that discuss the eight Information Governance Principles for Healthcare.

AHIMA’s new Information Governance Principles for Healthcare (IGPHC) provide a framework for healthcare organizations to leverage information in order to achieve the organization’s goals and conduct their operations effectively while ensuring compliance with legal requirements and other duties and responsibilities.

IGPHC is a set of eight principles that, when considered in whole or in part, is intended to inform an organization’s information governance (IG) strategy. The following is the third of four articles that explores the meaning and intent of the principles—focusing on the Compliance and Availability principles.

Compliance Principle

The compliance principle is indisputable. It states: “An information governance program shall be constructed to comply with applicable laws, regulations, standards, and organizational policies.” In a healthcare context, such compliance requires particular attention to laws that govern the privacy of patients as well as the confidentiality of information about them and treatment they receive.

Billing compliance, in which coded and other types of data and information is used to substantiate payment to providers for healthcare services and avoid allegations of possible fraud or abuse, is also a major area of healthcare compliance. The compliance principle is intended to enable an organization to demonstrate that its activities are being conducted in a lawful and ethical manner and that its information management systems comply with legal and regulatory requirements. According to IGPHC, every organization should:

• Know what information should be entered into its records to demonstrate its activities are being conducted in a lawful manner.
• Enter that information into its records in a manner consistent with laws and regulations.
• Maintain its information in the manner and for the time prescribed by law or organizational policy.
• Maintain information to facilitate patient care.
• Develop internal controls to monitor adherence to rules, regulations, and program requirements, thus assessing and ensuring compliance.

Healthcare organizations are subject to myriad rules and regulations, some that are imposed externally by law and others that are self-imposed for the benefit of the business. A failure to comply with any of these rules and regulations could have serious consequences for an organization, such as reputational harm, monetary loss, and, in extreme instances, criminal penalties. These consequences highlight the importance of compliance. An organization’s information management and governance systems and processes can—and should—be a means to demonstrate its compliance with the rules and regulations applicable to it. An organization can also fail to provide quality services when compliance is not appropriately taken into account.

Availability Principle

The availability principle is straightforward: “An organization shall maintain information in a manner that ensures timely, accurate, and efficient retrieval.” After all, if the ability to retrieve information is impaired—either because retrieval is untimely or incomplete—both trust in the organization and its operations will be diminished. When the right information is not available at the right time, patient care may be compromised. Availability is important to various stakeholders within and outside any healthcare organization. According to IGPHC, those stakeholders include:

• The healthcare team, patients, and other caregivers
• Authorized members of the workforce and others authorized consistent with regulations
• Legal and compliance authorities for discovery and regulatory review purposes
• Internal and external reviewers for purposes including but not limited to: payer audit, financial audit, case management, and quality assurance

The nature of information within healthcare organizations today—including information available from affiliates—complicates availability. Organizations must search for information in continually increasing volumes of data, as well as multiple information systems, including manual systems. The proliferation of various types of electronic information likewise complicates availability. In an electronic environment, availability requires organizations to:

1. Understand and use metadata to describe, explain, locate, and retrieve information
2. Back up information on a periodic basis to ensure against loss
3. Guard against obsolescence of existing hardware or software
4. Dispose of obsolete or redundant information in an appropriate manner
5. Maintain information in such a way as to facilitate retrieval of the right information in a timely manner

Availability is essential, but ensuring availability is no simple task. Healthcare information for patient care must be managed for maximum searchability using metadata, indexing, and other tools. Increasingly, it must be available from outside the four walls of an organization enabled through the use of standards for interoperability and health information exchange. Time is of the essence in providing patient care in both emergency and non-emergency situations, and it is incumbent upon healthcare organizations to ensure speedy retrievability of patients’ accurate health history, diagnostic results, and previous treatment information, no matter where it is located in order to provide efficient and cost effective care.

Compliance and Availability are Related, Improve IG

Information must be created and maintained in a manner consistent with the rules by which a healthcare organization operates. That consistency should be measured through the systems and processes by which an organization manages information. To be measured and utilized effectively, information must be made available in a manner that is trustworthy. Trustworthiness reflects an organization’s ability to meet its goals and, at the same time, to demonstrate its compliance with the rules by which it operates. The principles of compliance and availability thus operate in tandem to establish trust by patients, regulators, and others with whom the organization interacts.

In the second installment of this series, the authors noted that “information must have integrity to be useful and to be depended on for decision-making” and that “information must be protected to maintain integrity.”

Similarly, compliance and availability enable information to be trustworthy. Compliance ensures that information is created and maintained in an environment that complies with the rules of the road under which healthcare organizations function. Availability allows for the meaningful retrieval and use of information. Information that is consistent with rules and regulations and that can be accessed in a timely and reliable manner furthers information governance under the IGPHC.

Galina Datskovsky (gdatskovsky@gmail.com) is CEO, North America, at Covertix. Ron Hedges (r_hedges@live.com) is a former US Magistrate Judge in the District of New Jersey and is currently a writer, lecturer, and consultant on topics related to electronic information. Sofia Empel (sofia.empel@connolly.com) is director, information governance, at Connolly iHealth. Lydia Washington (lydia.washington@ahima.org) is senior director of HIM practice excellence at AHIMA.