AHIMA Releases Information Governance Principles for Healthcare

By Patrick Ouellette

The American Health Information Management Association (AHIMA) recently published its Information Governance Principles for Healthcare (IGPHC). AHIMA determined that there are eight core principles involving data privacy and security for healthcare organizations to consider.

Read through the main points of privacy and security emphasis in AHIMA’s IGPHC:

Accountability

According to AHIMA, accountability means “an accountable member of senior leadership, or a person of comparable authority” will oversee the information governance program and also delegate information management program responsibilities to others.

A basic premise of sound information governance is that within each organization a senior leader is formally designated as responsible for the overall program development and its implementation. The senior leader is accountable for ensuring the information governance program aligns with and supports the goals and strategies of the organization. The senior leader is also accountable for ensuring appropriate resources are allocated to support the program.

Transparency

Healthcare organizations have to be clear in defining their governance practices to ensure that users are aware of appropriate information uses.

The clearest and most durable evidence of the organization’s operations, decisions, activities, and performance are its records and information. An information governance program includes its information management and information control policies and procedures. To ensure the confidence of interested parties, records documenting the information governance program must themselves adhere to the fundamentals of information management.

Documentation should include the program's governance principles and processes, as well as the activities undertaken to implement the program records, and should be available to interested parties.

Integrity

An organization’s ability to prove that information is authentic, timely, accurate, and complete is critical in the healthcare arena. Organizations will want to take these items under consideration:

- Adherence to the organization’s policies and procedures

- Appropriate workforce training on information management and governance

- Reliability of information

- Admissibility of records for litigation purposes

- Acceptable audit trails

- Reliability of systems that control information

Protection

AHIMA sees information protection as taking a few different forms. Using tools such as user authentication, key card access restrictions, and other relevant measures, each system should have the ability to enable security access control management. Another form is data loss prevention, as inappropriate viewing of e-mailed, downloaded, uploaded, or otherwise proliferated data is a major problem. To help avoid these types of disclosures, organizations should:

- Implement reasonable safeguards to limit incidental disclosures of PHI and PII

- Receive training on disposal policies and procedures

- Not abandon or dispose of information, particularly PHI, PII, or other private information, in containers that are accessible by the public or other unauthorized persons

- Provide validation of disposal method, time, date, and accountable party

Compliance

An information governance program should be built to comply with applicable laws (such as HITECH or HIPAA), regulations, standards, and organizational policies. AHIMA advises that organizations know that information is being entered into records in a compliant manner, with controls in place to monitor adherence.

Availability

An organization would be smart to maintain information in a manner that ensures timely, accurate, and efficient retrieval. This includes metadata, backups, conversion, and migration.

Retention

While considering legal, regulatory, fiscal, operational, risk, and historical requirements, an organization must develop an information retention schedule.

Disposition

Disposition is not limited to only destruction, but also pertains to a permanent change in information ownership, including transfer as a result of a merger or acquisition of another hospital, clinic, or physician practice.