When you think about sensitive healthcare data, you tend to think of patient healthcare records. And you’d be right to think that. However, there’s also a clear need for information governance in other healthcare information and communication systems. Failing to provide it could result in unexpected, and quite unpleasant, outcomes. I recently read an article on the importance of information governance in healthcare that really caught my attention. The gist of the article is that the American Health Information Management Association (AHIMA) has declared that information governance (IG) is now something that cannot be ignored by the healthcare industry, given the growth in data volumes of both medical and non-medical records. The article also stated that, based on a 2015 survey, over 55% of healthcare companies either have made little progress in IG or it flatly is not a company priority.
I am personally taken aback a bit to hear these statements, even in an industry as notoriously slow to adopt new technology as the healthcare industry. Not that they’re entirely to blame, though; the core mission of the industry is to save lives first, and focus on all other issues later. I say this for a variety of reasons, but specifically because of the risk involved with not having IG, as well as the potential opportunity to generate more revenue or at least cut costs with IG.
The risk side has two factors in play: (1) the risk of litigation, and (2) the risk of sensitive information being breached. Healthcare companies get sued 8 days a week and have to constantly produce content for eDiscovery cases from up to thousands of employees at once. Without a foundation of systematic IG practices and architecture, this process is massively expensive. Content is also difficult to find, which increases the cost of locating that data. So while electronic healthcare records (EHRs) typically have their own secure systems, that’s not the whole picture. The emails and other documents that healthcare organizations use during daily business may also contain legally relevant and sensitive data. It’s this data – not necessarily the EHR – that is at risk.
Here’s the thing: everyone knows that patient health records, protected by HIPAA, need to be rigorously secured. The mature EHR software market reflects that, with a wide variety of highly capable products. But there can also be a TON of sensitive information present in the other electronic communications of the organization. With doctor-patient email programs now commonplace, we’re seeing a lot of PII that exists outside the EHR repository. So it’s time to architect IG strategy and systems for “everything else.” With the increasing frequency of data breaches, this information is at high risk of falling into the wrong hands, given its value to hackers. It MUST be locked down and governed so that in the worst-case scenario of being breached, at least you know what’s been compromised.
As healthcare institutions look to become more efficient and save money, information governance offers an opportunity to help streamline numerous processes, including billing and storing non-EHR personal data. It’s time to expand governance beyond the EHR bubble. AHIMA says as much with the quote “It’s not just about EHRs but the flow of information to coding, billing, and other parts of the organization. As we go to value-based care, it’s all about the data and quality outcomes.” Without information governance, data quality suffers and ultimately creates a roadblock for streamlining these processes.
As healthcare organizations continue to consolidate in efforts to save money, they will undoubtedly realize that effective IG programs not only save them money but also help generate more cash. For their sake, I hope this realization comes soon.