Information Governance: The Next Evolution Of Privacy And

Information Governance: The Next Evolution of Privacy and Security
Kathy Downing, MA, RHIA, CHPS, PMP
Sr. Director Information Governance
AHIMA IGAdvisors
www.IGIQ.com
Twitter: HIPAAqueen
#IGNOW
2015

Objectives
• Define information governance and discuss how it is used across industries
• Outline how the IG Principles of Compliance and Information Protection lay a framework for enterprise wide information governance
• Define how security and privacy officers transform into Chief Information Governance Officers

2015 IGI Annual Report
IGI Annual Report 2015 is available at: www.Iginitiative.com

Why Information Governance is Important
IG Principles

What Will Trust in Our Information Enable?

Information Governance for Healthcare
AHIMA Definition
An organization-wide framework for managing information throughout its lifecycle and for supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.

Information Governance for Healthcare
1 ORGANIZATION‐WIDE
2 ALL MEDIA
3 ALL TYPES—INFO
4 ALL TYPES—ORGANIZATION

IG Adoption – Findings
AHIMA Survey
• 1260 Survey respondents, all healthcare, predominantly US
• 44% Have established IG oversight bodies and 16% are in process of establishing them
• 36% Have designated senior executive sponsors
• 38% Have included IG objectives in strategic goals
• 44% Report modest or significant IG progress
Source: 2015 Cohasset Associates AHIMA Information Governance in HealthCare, Professional Readiness and Opportunity
Capgemini Survey
• 1000 Survey respondents, 9 industries, 10 countries
• 43% Restructuring to exploit data opportunities
• 33% Have appointed a C‐Level leader and 19% of respondents will do so within 12 months
Source: Ralf Teschner, Capgemini Blog, 3/12/15 – CDO IS IG IR IE

AHIMA’s Information Governance Adoption Model Competencies

AHIMA IG Adoption Model™
• Five‐Level Model
• Defines characteristics of governance practices at advancing levels of maturity
• Rooted in IG best practices, standards and requirements
• Introduces constructs of IG Organizational “Core Competencies” that are enumerated by performance‐driven “markers”

AHIMA IG Adoption Model™
Broad use of the Adoption Model will enable:
• A recognized scoring mechanism for IG adoption levels
• Peer group benchmarking
• An indication of trustworthiness of an organization’s information
• An indication of partnership desirability for accountable care, preferred provider networks, and information exchange participation

Information Governance Office (IGO)
• IG Infrastructure is Critical to Success
  – Senior Leadership Support
  – Budget
  – IG Awareness Across Organization
  – Multi‐Disciplinary IG Committee Reporting to Governing Body
  – CIGO (Chief Information Governance Officer)

Evolution of the IG Senior Leader – Chief Information Governance Officer (CIGO)
• New Role or Included in an Established Role
  – Focused on the business benefits of the organization’s information
  – Sits in the business, but has a solid understanding of data technology and information architecture
  – Involved in board‐level discussions on strategy
  – Owns and drives Information Strategy, Information Governance, Information Risk and Information Exploitation

Information Governance – How could it help?
• It’s a shift to a larger focus
  – If your organization has a breach and patient information is not the target of the attack, there is still reputational damage and local concern. IG creates an enterprise wide effort to protect information, not just clinical information.

IG Principle of Protection
Appropriate levels of protection from breach, corruption and loss must be provided for information that is private, confidential, secret, classified, essential to business continuity, or otherwise requires protection.
Must address all sources, all media and must apply throughout the life of the information.
AHIMA.ORG/INFOGOV

Security Roles and Information Governance
• Security Officers often focus efforts on:
  – Clinical data
  – Electronic data
• Expansion of the security officer’s role to Information Governance
  – All data, all media, all locations, all types
  – Involvement in business continuity and disaster recovery planning
  – Involvement in access management

Privacy Roles and Information Governance
• HIPAA privacy rule 2003
• Privacy Officer, Privacy Official in Place
• Time to expand this role outside of clinical information.
• Enterprise wide standards
• Enterprise wide access
• Paper and electronic

Privacy and Security
The Insider Threat
• Consider the insider threat
  – Malicious
  – Accidental
• Solution
  – Trust and policy are not enough.
  – Organizations must invest in security, risk, and information governance training and enforcement.

Where Does Information Governance Start?
Analyze sensitive data:
• Discover and classify sensitive data – and uncover compliance risks – automatically
• Know who is accessing data, spot anomalies, and stop data loss with real‐time data, application, and file activity monitoring
• Rapidly analyze data usage patterns to uncover and remediate risks

Risk Assessment and Information Governance

Information Governance for Mobile Devices
• Information Governance for mobile computing can include building security into the mobile applications.
• Are your nurses texting your physicians?
• How are they identifying patients?
• Do you offer encrypted texting options?

Information Governance Mobile Device Policy
• Requires a cross functional IG team
• Clarify how mobile devices are being used
  – EHR Access
  – Financial system access
  – Email
• Consider legal and compliance issues
• Consider Mobile Device Management
• Develop your Communications and Training Plan
• Update and Fine‐Tune – this one can’t stay on the shelf!

Breach Investigation Process – not just for PHI

Breach Response / Incident Management Team
• Chief Information Officer
• Chief Information Security Officer
• Chief Medical Information Officer
• Corporate Compliance Officer
• Director, Health Information & Privacy
• Director, Internal Audit
• Director, Office of Institutional Assurances
• Director, Risk Management
• General Counsel
• Hospital President
• SCRI President
• Research Integrity Officer
• VP Human Resources
• VP Marketing & Communications
• Leaders from affected departments

Information Governance & Social Media
• Not just Facebook!
• Web Publishing
  – Blogs, wikispaces
  – microblogging (twitter)
• Social Networking – LinkedIn
• File Sharing / storage
  – Google drive
  – Drop Box
  – Photo libraries

Biggest Risks of Social Media
• Lack of a Social Media Policy
  – Who can use social media
  – What they can state / discuss
  – Training is key
• Employees – accidental or intentional
• Legal Risks
  – This risk is avoidable with an information governance policy, guidelines, monitoring

IG Social Media Guideline Examples
• Specifies authorized individuals
• Clear distinctions between business and personal use of social media and whether a person can use social media while at work.
• Strictly forbids any profanity, statements that could be defamatory, inflammatory,
• Outlines sanctions
• Draws clear rules on use of company logos
• Instructs that employees shall not have an expectation of privacy when using social media for company purposes.
• Outlines negative impact on brand.

Social Media Will Be Governed According to Policy
• In Gartner's report from March of 2013 on the "Six Questions to Drive Records Management in Your Social Initiatives," it is clearly stated that social media content requires records management, just like all other content, but many organizations don't know how to create an effective management process.
• In 2015, more organizations will look to incorporate social media content in their policy definition and explore methods on enforcing the policy across the various systems.

Information is an Organizational Asset
• Information is being created at a pace faster than organizations can analyze and extract value from it, which means that the potential value of the information may be far greater than the actual value an organization is able to derive.
• Organizations simply cannot afford to ignore the value of their information assets.

Where IG Begins:
• Information asset inventory
• Information asset classification
• Total cost of ownership
• Managed inventory of information
• Information Lifecycle Management
  – Retention & Destruction

New Leaders Will Continue to Emerge / The Evolution of the Privacy and Security Officer
• In the last few years, there has been a tremendous uptick in the creation of information governance steering committees; however, there is still a need for an executive in each organization to drive the information governance initiative across their company.
• This executive must have the authority (and oversight) to manage the program.

Wrap Up
Compliance
Privacy
Security
Chief Information Governance Officer

IG PulseRate – a quick check into your organization’s IG maturity.
• Free instant assessment of the maturity level of IG in your organization available at www.IGIQ.com
• Review and rate the key success measures that impact organizational IG maturity
• Evaluate your organization’s strengths and help identify weaknesses that may be impeding your organization’s path to enterprise information governance

IG for HealthCare: Recommended Reading
• AHIMA. “Information Governance Principles for Healthcare” 2014. Chicago, IL. AHIMA, 2014. Available at: www.ahima.org/infogov
• Enterprise Health Information Management and Data Governance, 2015. Merida L Johns, PhD, RHIA.
• ARMA International. “Generally Accepted Recordkeeping Principles”. ARMA International, 2013. Available at www.arma.org
• The Information Governance Initiative. “The Information Governance Initiative Annual Report”. 2014 and 2015. New York, NY. www.IGinitiative.com
• Cohasset Associates and AHIMA. “A Call to Adopt Information Governance Practices.” 2014 Information Governance in Healthcare. Minneapolis, MN. Cohasset Associates, 2015.
• Cohasset Associates and AHIMA. “Professional Readiness and Opportunity” 2015 Information Governance in Healthcare. Minneapolis, MN. Cohasset Associates, 2015.
• The Joint Commission. “Information Management (IM) Chapter”, Comprehensive Accreditation Manual for Hospitals, 2014, Oakbrook Terrace, IL: The Joint Commission, 2014, pp. IM-1—IM-10.
• The Sedona Conference. “Commentary on Information Governance” The Sedona Conference Working Group Series. A project of The Sedona Conference Working Group on Electronic Document Retention and Production (WGI)
• Implementing Health Information Governance, 2015. Linda Kloss, MA, RHIA, FAHIMA

Resources
• The Final HITECH Omnibus Rule (January 25, …25/pdf/2013‐01073.pdf
• Combined HIPAA/Omnibus ative/combined/index.html
• U.S. Department of Health and Human Services Office for Civil Rights: HIPAA Administrative Simplification ‐ 45 CFR Parts 160, 162, and 164
• Information Governance, 2014. Robert F. Smallwood
