Healthcare data privacy and security is one of the top industry challenges, but a comprehensive and holistic information governance (IG) program can be essential in overcoming it. Information governance is not often considered alongside cybersecurity, but AHIMA experts maintain that the two are more closely tied than healthcare employees may think.
AHIMA’s 2017 Information Governance Survey found that 30 percent of healthcare professionals said that analytics was the IG competency with which they were the most familiar or knowledgeable. Awareness and adherence (25 percent), data governance (18.4 percent), and privacy and security (15.5 percent) were the next most familiar areas.
IG is a way to advance privacy and security, as well as cybersecurity efforts in healthcare, AHIMA IG Advisors Senior Director Kathy Downing, MA, RHIA, told HealthITSecurity.com. A key reason for that is that information governance takes a holistic view of data.
“A lot of times, because of HIPAA and other regulations, we have a siloed view when we think of privacy and security,” Downing said. “Meaning, we need privacy programs to meet HIPAA compliance. We need to follow the security rule and check off the list of risk assessment administrative safeguard.”
When organizations do that, it is often done in a silo, she added. Entities may be looking at protecting ePHI or protecting human resources information. Information governance as a program is an enterprise-wide program that looks at all information, whether it’s electronic, paper, microfilm, photos, or voice files. All of the information across the organization is considered, Downing stressed.
“That’s the reason you take a more robust, more holistic view of record retention, for example,” she explained. “I don’t want to have a record retention policy that’s siloed to clinical information. I would look for an enterprise record retention policy and an information governance program.”
Record retention is a security issue, Downing continued. The concept of keeping everything forever, with EHR vendors lacking the ability to destroy information after the retention period has lapsed, is a key cybersecurity issue.
“We have legacy systems in healthcare that are no longer supported,” she stated. “The vendor could be out of business. They’re causing us risk from hackers and others on the outside, because they don’t take security patches.”
“Or, the vendor no longer supports that software,” Downing continued. “They’ll get a patch to it when they get to it. And that’s just all over healthcare.”
Information governance is very much security related, which is why AHIMA included privacy and security as one of the 10 key competencies in its healthcare model.
“Privacy and security is a competency. Regulatory and legal is also a competency,” she said. “They play together in that compliance realm of meeting all of the requirements needed for any regulation, not just related to privacy and security.”
The AHIMA survey asked respondents about their knowledge level of the IG adoption model competency. Downing admitted that she was troubled that only 15 percent said they felt they were familiar and knowledgeable as the model relates to privacy and security.
“We weren’t asking them if they were experts, but, certainly if we’re doing what we should be doing across healthcare, 99 percent of the people should say, ‘We’re familiar and knowledgeable with privacy and security,’” she said.
While privacy and security did make one of the top four knowledge areas overall, Downing stated it was an area that AHIMA had thought would be even higher up on the list.
“What that may be showing is that the people who are most interested in information governance, and were most willing to complete our survey, were those in the analytics field,” she posited. “We expected to see a lot of privacy and security officers leading up information governance in the organization, because it really does help with the overall privacy and security program.”
“But what we’re seeing is more of the data analytics, chief medical information officers, CIOs—those types of leaders are really bringing the system in and enlisting themselves as the leader for information governance,” Downing continued.
Healthcare organizations do have more privacy and security awareness efforts in place right now, she said. Entities are considering cybersecurity measures and how those measures are interacting with electronic health records.
“What are the ways we should be capturing data? What are your responsibilities around information capture, access, use, storage, etc.?” she stated. “Those are all information governance conversations, even down to cybersecurity.”
Having information governance conversations, starting from the executive level and working downward, is critical.
“When we have the conversation with our staff about bringing it all together, it’s important that people can understand down to the very lowest staff member that they’ve got a responsibility around information,” Downing said. “They should only access and use what they need. They shouldn’t click on a phishing email. All of those pieces really come together.”
“That awareness piece, I do recognize for all of healthcare, we’ve got so much effort in that area.”