AHIMA Releases Info Governance Framework
Outlines Eight Core Principles for Safeguarding Information
The American Health Information Management Association has released a framework of eight key principles to help guide healthcare organizations in their information governance. Important elements of data privacy and security are woven throughout.
"By following information governance principles, organizations conduct their operations effectively, while ensuring compliance with legal requirements and other duties and responsibilities," notes AHIMA's Information Governance Principles for Healthcare. AHIMA is a professional association of about 71,000 health information management and health informatics professionals.
Important elements involved in safeguarding data privacy and security are included in the eight core principles outlined in AHIMA's information governance framework. Those principles are:
- Accountability: An accountable member of senior leadership shall oversee the information governance program and delegate responsibility for information management to appropriate individuals.
- Transparency: An organization's processes and activities relating to information governance shall be documented in an open and verifiable manner.
- Integrity: An information governance program shall be constructed so the information generated by, managed for, and provided to the organization has a reasonable and suitable guarantee of authenticity and reliability.
- Protection: An information governance program must ensure that the appropriate levels of protection from breach, corruption and loss are provided for information that is private, confidential, secret, classified, essential to business continuity, or otherwise requires protection.
- Compliance: An information governance program shall be constructed to comply with applicable laws, regulations, standards and organizational policies.
- Availability: An organization shall maintain information in a manner that ensures timely, accurate and efficient retrieval.
- Retention: An organization shall maintain its information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, risk and historical requirements.
- Disposition: An organization shall provide secure and appropriate disposition for information no longer required to be maintained by applicable laws and the organization's policies.
"Healthcare organizations have an obligation to treat information as an asset and to define the policies and practices for governing use of that information," said AHIMA CEO Lynne Thomas Gordon.
Some security and privacy experts say information governance is an area where many healthcare entities fall short, as is evident in many large data breaches that involve failing to properly train staff, neglecting to encrypt mobile devices, or overlooking establishing best practices for quickly addressing software vulnerabilities.
"In a normal business, you're trying to balance information technology with business requirements," says attorney Ron Raether, partner at the law firm Faruki Ireland & Cox, P.L.L., in a recent interview with Information Security Media Group. But in healthcare, there are additional complexities, including the workflow needs of physicians and nurses and, especially, ensuring the safety of patients. "Trying to find that balance of accountability and empowerment, especially in a healthcare environment, can be particularly tricky," he says.
The AHIMA framework notes that information governance applies not only to clinical data, such as electronic health records systems that contain patients' protected health information, but to all data and information systems.
Security expert Andrea Hoy, CEO of the consulting firm A. Hoy & Associates, says some healthcare organizations are inconsistent in how they protect PHI versus other data. "A good governance strategy would ensure that appropriate processes were in place that addressed all areas of the organization, and the data those areas have access to," she says.
To protect data, the framework stresses "it is imperative that appropriate safeguards be clearly defined in organizational policy and that compliance be monitored. Measures to protect information must also include physical security of computing and access devices or any equipment containing private, secret, or confidential information or intellectual property of the organization."
Also, when disposing of information, regardless of the source or media, "appropriate protection must be considered in defining the process." For example, the workforce should: implement reasonable safeguards to limit incidental disclosures of PHI and PII; receive training on disposal policies and procedures; not abandon information in containers accessible by the public or other unauthorized persons; and provide validation of the disposal method.
Inappropriate disposal of PHI has resulted in several large breaches, including one that led to a recent $800,000 HIPAA settlement between the Department of Health and Human Services and Parkview Health System, a not-for-profit organization serving northeast Indiana and northwest Ohio.
The settlement involved an incident in June 2009 in which the paper medical records of 5,000 to 8,000 patients were left unattended in cardboard boxes on the driveway of a physician's home.