INFORMATION GOVERNANCE FOR HEALTH PRIVACY MANAGEMENT

Transcription

1 Banff Health Privacy Summit October 19, 2012 Rick Klumpenhouwer, MA, MAS, CIAPP-M Partner, Cenera INFORMATION GOVERNANCE FOR HEALTH PRIVACY MANAGEMENT

2 The challenge Health providers and health institutions are required to manage privacy, not just do privacy

3 Right of Access and Correction Requests Right of Access and Correction: Duty to Assist Search and retrieval Analysis and severing Response Information Flow Management Collection, use, disclosure accountability Notice Privacy Impact Assessments

4 Security HIA requirements: an IS program Designate a HI security director periodically assess physical, administrative, technical measures Asset Management Intellectual control Security Classification physical/technical control Probability/harm categories Tied into security handling standards Biggest challenge: how do you mark information Privacy Breach Response Identifying, understanding gravity of breach

5 Custody and Control What is health information? Custodian: AHS, Nursing home, AHW, individual health professional Health Information: DTC, Registration, HPI Health Service: Promoting, providing, maintaining health, but not occupational health services Who s responsible for what information? Circle of care Custodians, affiliates, information managers Networked health records

6 What is a good privacy program? operates on some clear principles and values about information; requires intense Click involvement to edit in how Master information systems title and style practices operate on the ground ; more proactive than reactive; a program with ongoing functions, maintenance, goals, assessment and improvement; runs as an information management/governance program

7 Privacy by Design Proactive not Reactive; Preventative not Remedial Privacy as the Default Privacy Embedded into Design Full Functionality Positive-Sum, not Zero-Sum End-to-End Security Lifecycle Protection Visibility / Transparency Respect for Users

8 Information Governance Concept used by UK NHS to integrate patient privacy into the new EHRs they were developing; Manage solutions overlap reduce redundancy of effort Quality measurement need to track progress Participation compliance on issues integrated with, not opposed to, health care objectives A need to bring together privacy and functional requirements operationally, manage development, and measure progress

9 Information Governance Transactional Applications Click to edit Enterprise Master subtitle style Repository Systems Policy Application Winston Chen, A Brief History of Data Governance (2010)

10 Why IG? two main drivers: electronic information systems Use/reuse Stuctured/unstructured data Integrity/accuracy Transaction/Data analysis Digital continuity information regulation Access to information Privacy/Security ediscovery SOX/C-SOX

11 Why IG? Digital IM requires more planning, accountability, application of value. Counter-intuitive: governing information, not information for governing. Governance Elements Surveillance and assessment Decision-making Accountability

12 IG Defined Collaboration of interests Information Governance is the enterprise wide framework that includes the people, processes, and procedures necessary to ensure the preservation, availability, security, confidentiality, and usability an enterprise s information. (David Hill, EMC2) Governance Framework The specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. (Gartner)

13 How?

14 How? Wonderful sentiments, but the real problem is how to implement Still working with existing IM implementation systems: IT development/maintenance Records management Access to Information Privacy/Security Enterprise risk management Archives Just work together harder?

15 How? Managing Assets Model Fixed assets that need to be inventoried, controlled, and made available as need arises IT and records management lifecycle or supply chain Automated workflow, transaction, logistics solutions Compliance to standards regime/audit and enforcement key

16 IBM Supply Chain Management IBM is leading the way by approaching information governance from a supply chain perspective think of information as goods and services in a physical supply chain.

17 Managing Assets Model Problems Is information really a fixed asset? How do you measure success? Forcing a Click system through to edit compliance Master rather subtitle than contributing style to quality outcomes Access and Privacy just one of many competing interests in governance decision-making and assessment

18 Managing Assets Model Problems Is compliance to standards deployment effective? Information management happens at each workstation how do you control that? IG seen as a barrier or even a brake to operations What are the benefits? How do you measure? How do you engage executive sponsors?

19 Information Governance Functional Records Management/Archives Records retention/destruction/integrity control Capture schedules/destruction processes storage and retrieval preservation/continuity Information about information (metadata) Based on records description (classification) Functional context is a key component of records description and control

20 Function-Based Information Governance Functional purpose and context of information the key to organizing, assessing, retrieving, and maintaining information to meet IG needs. Archives Theory Principle of provenance/respect des fonds Purpose and context of the original record creator are essential to preserving the value and meaning of information Policy on collection, use, disclosure, access and security based on function

21 Function as Information Policy Interface IM Function Activities Policy Determinant IT IT systems development, maintenance Functional needs Records management Information capture, availability, and retention Functional needs Access to information Locating, retrieving, and making available information Click relevant/important to edit to citizen Master right of access need subtitle style Functional context as part of relevancy and status decision-making Privacy Appropriate personal information collection, use, disclosure Function (purpose) Security Protecting sensitive information from unauthorized access, loss Functional context Enterprise risk management Identify and mitigate risk to organization and others Functional context Archives Preserve/make available information of long-term value Functional context

22 Function-Based Information Governance Segregate information (schedules, registries) about policy, business functions and information/information systems Apply policy to functions; relate functions to Information Many to many relationships Policy Collection Functions (Taxonomy) Information Health Services Diagnostic Imaging Patient Charts Research Internal Management Verification, eligibility Clinical Trials Technician Education Patient Registration PACS Employee Files Scheduling system

23 Organization Infrastructure Support Functions: HR, Finance, Facilities, Supplies/Services, Information Management Click to PLANNING/DESIGN edit Master title style Function, Activity or Transaction ENGAGING/SERVICING OBJECTS Topics, Clients

24 Functional Language FRUIT LEVEL SHOWS DESCRIPTION RANGE SOURCES EXAMPLE FUNCTION Why Area Scope, SUB-FUNCTION (optional) Why Subject of Activity Role/ Program within Function Openended Openended Legislation, mandates, process charts organization charts, program history, job descriptions PRIMARY CARE Patient Care ACTIVITY How Action, triggered by Transaction with topic or client Closed Standards, process charts, job descriptions interviews, organization charts Diagnosis TASK (optional) How Specific Task within Activity Closed Diagnostic Imaging TRANSACTION with TOPIC OR CLIENT What Object of Activity Static, openended Interviews, records inventory, annual reports Patient X

25 Functional Language Accountability/ Documentation Significance LONG TERM CARE Resident Medical Care PRIMARY CARE Patient Care FINANCE Billing Planning/Design Engaging Servicing Function, Activity or Transaction by which the methods, policies, and eligibility, status, and design of the function are chosen, developed, evaluated and improved Function, Activity or Transaction by which terms of client or object engagement are set or ended. Click to FUNCTIONAL edit Master EXAMPLES subtitle style Planning, developing program and evaluating resident medical programs Planning, designing and reviewing health provider resources, procedures, outcomes Developing and evaluating billing systems, parameters, policy Referrals, placement, scheduling, care planning Diagnosis, assessment, treatment, Billing status, services, insurance status Function, Activity or Transaction by which services are actually delivered to clients or objects, based on terms of engagement Resident examinations, surveillance, medication, therapy Diagnosing problem, repairing, updating Invoicing, billing, receipt

26 Functional IG Perspective/Approach Continuum vs. lifecycle Design in function-based policy to systems Support of function vs. compliance Access and privacy participates in system design to support functional documentation and compliance analysis

27 IG Happy Land From fixed asset to changing product and tool attached to functional context. Success=How well does information support functional needs? From compliance to participation in a function-based policy Access and Privacy as isolated problem to essential component in the solution.