Case Study # 2
Question
Case Study # 2 As the Director of the Informatics Division at Good Health Hospital, you’ve been tasked with putting together an Information Governance Committee at your hospital. Given that there are numerous state-of-the-art IT systems and a newly implemented EMR at your hospital, Senior Administration is looking for an organized IG committee to make decisions on standardized data, monthly standardized reports, strategic decision data, etc. in an effort to improve patient care and improve the financial position within the hospital. Your boss, the CIO, has asked you to co-chair this committee with her. There is a concern that Senior Administration is viewing this as an IT committee, and it appears there is a lack of understanding about Information Governance. Being an Information Governance expert, you know that your work is cut out for you on this one, and this is a great, but critical, opportunity for you.
Questions:
1. In three to four pages, please list the positions within the hospital that you feel should be on your IG Committee. (Typically 10-15 positions, comprising Administration, Clinical, IT and Financial, to name a few.)
2. After each position you should list the role the person will have on the committee.
3. Also spell out the main purpose and major functions of the committee. You need to ensure that all IT projects and go-lives get approved through this committee.
Explanation / Answer
Information Governance is the multi-disciplinary enterprise accountability framework that ensures the appropriate behavior in the valuation of information and the definition of the roles, policies, processes, and metrics required to manage the information lifecycle, including defensible disposition.
All too often we see the terms “Information Governance” and “Records and Information Management” used synonymously. While the records and information management function is a part of Information Governance, other critical components need to be considered equally.
The associated diagram depicts the various types of content, and its repositories, that are overseen by the activities of Information Governance.
1. In three to four pages, please list the positions within the hospital that you feel should be on your IG Committee.
In order for Information Governance to become institutionalized in an organization, it requires guidance and oversight by a cross-functional, senior-level Information Governance Council (Council) that meets on a routine basis, at least quarterly. To be most effective, the Council should not exceed 10 individuals. Selected members should be able to represent the functions fulfilled by the following roles, some of which may not exist in your organization. In order to keep the size of the Council to 10 members, certain members may need to be able to represent other roles. For example, your Legal member may be able to speak for the Litigation Officer and the Compliance Officer.
• Executive Sponsor: CIO, or a designee
• Legal (Office of the General Counsel)
• Chief Data Officer
• Chief Health Information Officer
• Discovery or Litigation Officer
• Risk Management
• Compliance Officer
• (Global) Records and Information Manager
• Chief Data Privacy Officer
• Information Technology Security Leader
• Information Technology Infrastructure/Architecture Leader
• Critical Line of Business/Business Unit Leader(s)
• International (Regional) Leaders
The Council is responsible for approving an enterprise-wide Information Governance strategy, developing operating procedures for the Council, providing guidance about technology and standards, assisting in the securing of funds, and advocating the business value of information governance at the C-Suite and Board levels of the organization.
It is important to consider your corporate culture in order to strike the correct balance in the Council membership, participation and collaboration. While support is needed from your most senior leaders, given their span of responsibility, they may not be able to directly manage all of the obligations of the Council. Moreover, it may be best to create sub-committees or other working groups that report into the Council that take responsibility for specific topics or business lines.
The notion of a multi-tiered Information Governance leadership structure is particularly relevant for industries with varied and numerous lines of business situated within a complex geographical footprint. The executive sponsor or the senior-level Council would determine the need for, and composition of, the subject- and/or region-specific Councils. In addition, the Councils may assign cross-functional working teams assembled to address a particular topic, such as the creation of standards for line-of-business self-assessments. In any event, the different tiers of Councils or working teams must be organized in such a way that they roll up to, and are held accountable to, the ultimate owner of the Information Governance Program.
2. After each position you should list the role the person will have on the committee.
• Executive Sponsor: CIO, or a designee
As recommended earlier, the Information Governance Council is a mix of diverse functions all bringing different functional requirements to the process. One of the most important best practices we can recommend is the designation of an executive sponsor. The lack of a clearly defined executive sponsor is one of the top reasons why earlier attempts at forming an effective Information Governance Program are often unsuccessful.
For some organizations, the recently emerging role of Chief Data Officer is responsible for information lifecycle management as well as sponsorship of the Information Governance Council. This senior executive position provides the level of advocacy needed to ensure that the company stays focused and committed not only to data analytics or data warehousing, but also to the processes that manage and house various types of information (RIM, Cloud, Email, Apps Management, big data, social media).
The selection of the Council members must be given special consideration. Its composition should be made up of members of various departments and functional areas, but not the senior most executives. Earlier attempts to implement Information Governance Programs have been stalled — or failed — as a result of having senior management with no business line input sitting on the Council. It may make sense to rotate Council members on a periodic basis, for example every 18 – 24 months, to maintain interest.
• Legal (Office of the General Counsel)
The Legal function is responsible for determining the risk profile of an organization based on litigation exposures, international privacy requirements, intellectual property protection, working environment, and more. They should be intimately involved in the development and approval of the organization’s records retention schedule and RIM Policy; designation of privacy classifications (e.g., confidential, public); rules for management of email, social media, mobile devices, etc.; communication of any changes to the organization through mergers, acquisitions, and divestitures; approvals for defensible disposition; communication to the RIM and IT teams related to any changes to new rules and regulations; and collaboration with key Information Governance stakeholders.
• Chief Data Officer/ Chief Data Privacy Officer/ Chief Health Information Officer
The goal of the Chief Data Office function, and specifically the role of the Chief Data Officer (Chief Health Information Officer in the Healthcare Industry), is to assist businesses and other functions in ensuring a consistent and controlled approach to the development and use of enterprise information assets and critical data elements across an organization. The Chief Data Office is responsible for guiding the establishment of processes and systems sufficient to create, maintain, and share data in compliance with an organization’s data standards and external regulations/laws. He or she is the governing authority, along with Enterprise Data Governance Council Members, that implements a framework of controls that support effective and efficient management of data.
The Chief Data Office partners with Data Governance Officers assigned to the functions and businesses across the organization on data governance/data management practice assessments, through various tools such as the Data Maturity Model, Data Quality platform, and Data Standards implementation plans.
• Discovery or Litigation Officer
The Discovery function is responsible for the communication, instruction, and coordination with business units and/or individuals related to information that must be located, preserved, and produced to satisfy litigation requirements. They may also be responsible for managing Freedom of Information Act requests in countries such as the UK. This function should regularly update designated custodians (typically business owners and IT) on the status of the “holds” on information, including when information can be released for normal lifecycle management; apprise RIM and IT teams when there are any changes to discovery requirements; and institute a repeatable process with associated guidelines to manage the spectrum of simple through complex litigation.
• Risk Management
The Risk function is responsible for the protection of the organization’s brand, finances, and operations by managing and mitigating risk exposures. This requires a full understanding of the organization’s risk profile (litigation, investigations, regulatory requirements, protection of private information, protection of intellectual property). They should be involved with Legal in the creation of “acceptable use” policy and with IT to develop acceptable disaster recovery and business continuity processes; selection of SaaS/Cloud providers; provide on-going education of employees regarding prevention of risk-related activities; provide input to Key Risk Indicators; conduct periodic risk assessments; and work closely with RIM, Legal, and IT to destroy information that is no longer required.
• Compliance Officer
The Compliance function is responsible for ensuring that the organization is aware of, and meets the requirements of, rules and regulations imposed by a variety of authorities (federal, state/provincial, and local governments; regulatory agencies; data privacy authorities; and industry groups). They should be involved in determining internal metrics and controls; establishing an enterprise-wide audit program; and responding to and managing requests from regulators, auditors, investigators, customers, and other third parties.
• (Global) Records and Information Manager
The Records and Information Management (RIM) function is responsible for the development and publication of the RIM Program policy for paper and electronic records. It includes providing implementation support through training and on-going communications; determining and gathering metrics to determine compliance; cost containment through information lifecycle awareness, storage options, and destruction execution; participation on IT projects for software review and implementation; establishment of a support system for lines of business, including a records coordinator network; staying abreast of trends in RIM (Cloud, big data, BYOD); and communication/collaboration with key stakeholders to determine policy/approach.
As business-level self-governance becomes institutionalized, the RIM department must create a “self-service” environment from which businesses can “pull” the information they need to comply with RIM Information Governance requirements. Information Governance will necessitate the evolution of this function from providing records-centric guidance to being inclusive of all information, record or not.
• Information Technology Security Leader
The Information Privacy function is responsible for managing the risks and business impacts of privacy laws and policies and responding to regulator and consumer concerns over the use of personally identifiable information, including medical data and financial information, and laws and regulations for the use and safeguarding of information. This role involves selecting and implementing technology as well as staying informed of international privacy law and its impact on records management.
The Information Security function is responsible for the development, implementation, and management of the organization’s security vision, strategy, policy, and programs. They are responsible for policy creation; technology selection and implementation; monitoring and informing parties about malware, breaches, hacking, etc.; formally communicating policies and procedures to the business; enabling security standards dictated by customers, such as the government; informing the necessary parties when there are issues with breaches; issuing data classification codes (in conjunction with Legal); and remaining compliant with ISO and other regulatory bodies, as required.
• Information Technology Infrastructure/Architecture Leader
The Information Technology (IT) function is fundamental to the success of Information Governance. While traditionally this function was focused on technology and infrastructure, it is shifting to be more aligned with the business and its objectives. To that end, the Information Governance goal of IT is to increase the ability to efficiently manage the high volume of data being created and received, and to eliminate costs, particularly around redundant technologies and storage. They need to provide leadership for the proper protection and authentication of data and its availability for use, preservation, and disposition. The role also requires collaboration with RIM, Risk, and Compliance to determine appropriate disaster recovery and business continuity plans. The IT function must collaborate with all other Information Governance roles to understand the requirements of each when it comes to technology selection and deployment.
The Information Architecture function focuses on the organization of information and database development to support the business needs. It includes designing complex, shared information systems; involvement in the selection and management of cloud-based services; support in creating archives for email and social media content; and support for building efficient websites and intranet sites to support RIM.
• Critical Line of Business/Business Unit Leader(s)
The Business (lines of business, business units and/or departments) function is responsible for compliance with the Information Governance policies. The management of information through its lifecycle is most efficient when it acquires the attributes, tags, indices or metadata necessary for compliance as close to its creation as possible. Examples of such metadata are: flagging a piece of information as being confidential, or containing personally identifiable information, or that it is an official business record belonging to a specific category of information. A common complaint of business lines is that records management “gets in the way” of doing business. To that end, IT and RM should work closely with the businesses to determine how they can best take control of their information through technology and process in the least intrusive way.
The line of business is in the best position to determine the “value” of the information they create, maintain, or receive beyond that of its “official” use. Certain types of records may be used to determine marketing trends, track quality control issues over time, expand customer profiles, or identify “bad actors” in a regulated environment. Once again, RIM should work with the businesses to help determine value and how to manage valuable information in a secure and compliant manner.
There is an emerging movement to make business units responsible for self-governance for a variety of corporate requirements or imperatives, including RIM. This is particularly the case in large, geographically dispersed organizations with diverse business lines. The business expectation is to “pull” the information required to self-govern from sources such as RIM and Legal.
• International (Regional) Leaders
Since Information Governance should extend across an organization’s entire enterprise, there must be proper representation on the Council. This is most often a representative from a region (e.g., Asia Pacific, EMEA, and North America) who can speak to the concerns of the different jurisdictions within the region.
3. Also spell out the main purpose and major functions of the committee. You need to ensure that all IT projects and go-lives get approved through this committee.
Information Governance Principles
It’s no secret that initiatives that drive increased operational efficiencies and allow for flexibility to accommodate changing regulations are very popular in today’s financial organizations. Establishing a strong Information Governance Program will allow for just that. A critical first step is to define a set of core principles that will permeate your Information Governance Program and processes. These should include elements such as:
• Educate all employees regarding their Information Governance duties and responsibilities.
• Confirm the authenticity and integrity of information.
• Recognize that the official record is electronic (unless otherwise specified).
• Store information in an enterprise-approved system or record-keeping repository.
• Classify information under the correct record code.
• Control the unnecessary proliferation of information.
• Dispose of information when it reaches the end of its legal and operational usefulness.
• Secure customer and enterprise confidential/personally identifiable information.
• Comply with subpoena, audit, and discovery requests for information.
• Align all lines of business systems and applications to Information Governance standards.
• Ensure that third parties that hold customer or enterprise information comply with your organization's Enterprise Information Governance standards.
The Information Governance Model (see above diagram) represents the functional areas that are directly responsible for the governance of information across an enterprise. The Model also weights the involvement of the functional constituents: Business and IT have larger, more complex roles, Legal and RIM slightly less, and Information Privacy and Security share the smallest component, as they are more specifically focused in their duties. This is not to minimize the importance that Information Privacy and Security have in the Information Governance model; in fact, in some industries, such as financial services, the Privacy and Security areas will play a greater role due to the abundance of regulations in place to protect the sensitive and confidential nature of information created and received in the course of business.
Information Governance is a framework that is supported by people, processes, and technology. It is laudable in its effort to pull together what may have been previously disparate functions across an organization in order to create a consistent, compliant, and collaborative approach to managing information for risk, cost, and its value to the organization. The Information Governance Program construction will be different from company to company, but its intent should remain firm.
Information Governance is not a project with a defined time span, but a program with requisite support from executives. Most institutions will go through many iterations implementing and administering the Information Governance Program, including the establishment of a Governance Council. It is important to go into the process with the understanding that there is no “silver bullet” or all-inclusive piece of technology that will provide your institution with instant governance over the entirety of your information.
The Information Governance Program needs to be adaptable as the business and regulatory environments change. Merger, acquisition, and divestiture activity is common in many industries and may result in potential new lines of business, new geographic locations, new technology, cultural and organizational shifts, new members to sit on the Council, and much more. It is important to remember that Information Governance is a framework — it is not static and must reflect current and emerging requirements for the management and use of information as an asset, and potential liability, of the organization.