
Running head: CITY GENERAL HOSPITAL INFORMATION GOVERNANCE


IG Program Proposal

City General Hospital

Information Governance Program

Group 2

Unnam Sharanya Chowdary (2813790)

Gayatri Raote (2796346)

Harshil Safi (2841680)

University of the Cumberlands

Professor: Dr. Sandra Reeves

Course: ITS 833 Information Governance – Fall 2018

October 21st, 2018

Table of Contents

Introduction to City Hospital
Teams and Staff included in City General Hospital
Issues Faced
Internal Issues
External Issues
Introduction to Information Governance
How to Overcome Issues with Information Governance
Guiding Authorities
Risk Assessment for Patients' Insurance
Information Governance Implementation
Information Governance Plan Outline
Strategy for Information Governance Program
Mission Statement
Steps & Timelines for Implementation of the Information Governance
Roles and Responsibilities
Policies and Procedures
Laws and Regulations
Records Management
Department Interviews
Department Surveys
Taxonomy
Metadata
Retention & Disposition Schedule
Conclusion

Introduction

City General Hospital is located in Florence, Kentucky. The building covers 119,000 square feet, cost $19 million, and is a growing hospital within the city. The infrastructure includes a 197-bed hospital with 104 patient rooms, and the number of beds is expected to increase to 500. The hospital currently employs 120 staff and expects to grow to 250 employees by the end of the year.

Teams and Staff included in City General Hospital, Florence, KY

a. Medical staff, which includes the panel of doctors, the panel of medical directors, nurse practitioners and therapists

b. Administrative staff: Executive Leadership, Administrative Council and Board of Trustees

c. Functional departments, including patient insurance, out-patient and in-patient service records

d. Purchasing department, covering surgical and non-surgical equipment supplies

e. Information technology department

f. Human resource team for recruitment of medical and general staff

g. Accounts department covering payroll and general accounting

h. Security department, including monitoring of physical security

Internal issues faced in City General Hospital, Florence, KY

· Inability to capture the information necessary for required reporting from the electronic health record (EHR) system. The lack of security controls over the EHR at all levels has resulted in missing and lost data.

· A high rate of patient-matching errors in the master patient database.

· Lack of access controls that enforce appropriate security levels for staff caring for patients versus staff who access patient records for billing, diagnostics and reporting.

· Insufficient security of protected health information (PHI) to comply with increasingly strict regulatory requirements.

External issues faced in the healthcare industry

An extensive survey found that 240 hospital billing codes were not available within the Northern Kentucky marketplace. A healthcare monopoly currently exists in Northern Kentucky; no other Kentucky hospital or healthcare network holds more than 48 percent market share in its respective market. The percentage of Northern Kentucky adults aged 18-64 without health insurance more than doubled, from 11 percent to 26 percent, between 2016 and 2017, an increase of 136 percent, according to the latest Kentucky Health Issues Poll (KHIP) report.

Introduction to Information Governance

Information governance is a holistic approach to managing an organization's confidential data and information. An information governance program defines its scope, roles and responsibilities, policies and procedures, the handling of internal and external data (the organization's data security, records management retention and disposal schedules, privacy, and information sharing policies), and metrics. It also covers disaster recovery and business continuity in the event of a data breach or information loss: incident management specifics, disaster recovery processes, business continuity strategies, and auditing of these DR and BC processes.

The plan is continuously monitored or periodically reviewed to assure the quality of the information governance processes, measure adherence to regulatory requirements, maintain effective security, and conduct risk assessments.

According to the Northern Kentucky Area Development District, Northern Kentucky's total population is expected to grow approximately 15 percent by 2030, and the number of residents aged 65 and older is expected to grow approximately 63 percent by 2030. This growth will bring new diseases and a growing number of patients, which makes the management of healthcare data a major risk.

How IG would help with the above issues

· Mitigate the risk of data breaches

· Increase the efficiency of the hospital's data infrastructure

· Improve the management, collection, storage and retention of data

· Align the hospital with its policies and with legal regulations

· Continuous monitoring will improve the performance of the IT infrastructure during a disaster event

Guiding Authorities:

Health Care

· AHIMA – American Health Information Management Association

· ARMA International – Association of Records Managers and Administrators

Risk Management & IT

· ISO 31000:2009 Risk Management (superseded by ISO 31000:2018)

· ISO/IEC 27001:2005 Information Security Management Systems - Requirements (superseded by ISO/IEC 27001:2013)

· ISO/IEC 38500:2008 Corporate Governance of IT (superseded by ISO/IEC 38500:2015)

Records and E-Record Management

· ISO 15489-1:2001, "Information and Documentation - Records Management - Part 1: General" (superseded by ISO 15489-1:2016)

· ISO 30300:2011, “Information and Documentation—Management Systems for Records—Fundamentals and Vocabulary”

· ISO 30301:2011, “Information and Documentation—Management Systems for Records—Requirements”

· DoD 5015.2, Department of Defense Design Criteria Standard for Electronic Records Management Software Applications,

· ISO 19005–1:2005, “Document Management—Electronic Document File Format for Long-Term Preservation—Part 1: Use of PDF 1.4 (PDF/A-1),”

· ISO/TR 18492:2005, "Long-Term Preservation of Electronic Document-Based Information"

Risk Assessment for Patients’ Insurance

The risk register uses the following columns: what are the risks; how might they impact business objectives; actions and processes currently in place; additional resources needed to manage this risk; action by when; done.

Risk: Breach of confidential data, such as PII and EHRs.

Impact on business objectives: Compromise of confidential information.

Actions and processes currently in place: Published security policies.

Additional resources needed to manage this risk: Implement newer technologies, including information rights management; implement quarterly audits.

Action by when: Phase 1.

Done: (open)

Information Governance Plan Outline

The implementation plan will first include an understanding of the environment of the business within the patient insurance section. This includes an understanding of the record types within the department and the data that is consolidated by different parties and sections in the patient insurance department. According to Williams et al. (2013), understanding the environment within which a program will be implemented is essential because it helps in development of a wider scope of the project.

Product (Service) familiarization is the second important element of the framework. According to Veiga & Eloff (2007), information governance and data consolidation forms a product that stakeholders within the hospital should understand deeply in order to develop a wider view of its importance in the hospital operations. A product familiarization workshop can help the organization in creating awareness of the product especially within the patient insurance department.

The framework also includes product definition and specification. According to Lomas (2010), product definition and specification in information governance includes defining the components of the information governance program such as data inputs that may include patient names, names of insurers, insurance plans, and other components of the product. This also includes a definition of the features such as confidentiality, information privacy, rank security, and auditing of the information.

The last component of the framework is an implementation roadmap, which includes all the stages and phases that the information governance program will move through in its implementation. The implementation for an information governance program in City General Hospital is viewed as an eighteen-month project, which creates the necessity for phasing and planning the project effectively enough to ensure its implementation is on schedule. This framework includes general areas of implementation with the discovery and brainstorming aspects implemented during the project phases.

Strategy for Information Governance Program

In order to implement a good information governance program, the following strategies will be implemented:

1. Business alignment strategy where the IG program is mainly aligned to how the hospital works

2. Value delivery strategy where the IG program is aligned to how it will improve the Department

3. Performance management strategy where the IG program is aligned to performance of staff and the hospital

4. Resources management strategy where the IG program is used to improve and create better efficiency in resource management

5. Risk management strategy where the IG program is used as a tool to minimize and eliminate risks in the patient insurance department

Mission Statement

Our mission statement defines our goals for the current IG plan. Based on our current-state evaluation, the mission statement lists what we aim to achieve today in a clear and concise manner. (Reference: Information Governance - What IT Pros Need to Know, https://www.youtube.com/watch?v=l0tQ77_zcu8)

1. Visibility and Transparency

a. We need to clearly and effectively communicate business goals and policies to all the employees.

b. Creating and mandating training for all staff on documenting, reporting, storing and sharing information.

c. Creating a workflow that encourages effective communication between departments.

2. Enforcement and Compliance

a. Revisiting state and federal compliance laws, formulating policies for each department, and creating training resources for them.

b. Enforcing audits with clear evaluation goals for each department's information and data handling.

3. Storage Management

a. Defining better access controls at every point where electronic data is created, and reporting that covers accurate and relevant data.

b. Defining better controls over the storage of data to avoid missing or inaccurate data, thereby maintaining data integrity.

4. Retention and Disposition

a. Define guidelines for creating effective data retention and disposition policies, while maintaining compliance to the retention laws and regulations.

5. Privacy & Security

a. Defining better security controls over all information, whether in transit or at rest.

b. Using a defense-in-depth approach to secure the databases and limiting access to data through an effective authorization hierarchy.

Steps & Timelines for Implementation of the Information Governance at City General Hospital

For the timelines or schedule of the IG program implementation, see Table 1:

Table 1: IG Program Implementation Steps and Timelines (18-month plan)

· IG Steering Committee formation: 1st month

· Setting goals and objectives for the IG program: 2nd month

· Departmental assessment: 3rd and 4th months

· Development of policies and procedures for the IG program: 5th to 9th month

· Implementation of IG infrastructure: 10th to 15th month

· Training, development, capacity building, and sustainability: 16th to 18th month

For City General Hospital, the first step in implementation of the IG program is formation of the IG steering committee. This committee will include all the stakeholders that are key in implementation of the IG program in the patient insurance department. According to Hearld et al. (2008), a good IG steering committee should have internal and external stakeholders as well as specialists with a clear understanding of IG and how it fits in a department or an organization. For the patient insurance department, these will include patient representation, patient insurance managers, insurance company representation, representation of the senior management, legal counsel, risk officer, compliance officer, and IG specialists. The formation of this team will take one month.

The second step will be setting the goals and objectives for the information governance program. The goals and objectives for the patient insurance department includes creation of secure, identifiable, accurate, and accessible information, development of policies and procedures as well as principles for information access, risk management for the information stored, and information access level specification to ensure metered access is enabled. This step will take one month.

The third step in the implementation is departmental assessment. According to Jiang et al. (2009), information governance should be implemented in line with the resources and capabilities of an organization or unit, and where the resources are not available they should be developed during the implementation process. Departmental assessment includes looking at the existing technology and its sufficiency, the human resources and their skills, and the existing procedures and policies, and estimating whether the available resources are sufficient for the information governance program to be implemented in the organization. This analysis includes ensuring that patient and insurer data is available in a format that facilitates implementation of the program. The assessment is complex, hence it will take two months to complete.

The fourth step is creation of awareness, policies, and procedures for information governance. According to Choi et al. (2006), the human resources should be aware of the need and use of information governance in the patient insurance section because of the need to ensure full buy-in into the IG program within the organization. The policies and procedures will include information access policies, password policies, data sharing policies, data protection policies, access levels including metered access, procedures for changing and assigning access levels, data addition and removal policies and procedures, and data security procedures including the process involved in data protection. These policies and procedures ensure that the patient insurance information is not only safe but also accessible when and if needed under specified laws and procedures. This is one of the most important phases, which will take 5 months to complete.
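The access-level and accountability policies listed in this step, together with the defense-in-depth authorization hierarchy named in the mission statement, can be made concrete in code. The following Python example is added here for illustration; it is not part of the original proposal and not code from any hospital system. It assumes a role-to-section permission matrix built from the record types in Table 2 and the roles of the department's organization chart (the specific grants are assumptions, not hospital policy), a hypothetical daily per-user patient quota as the "metered access" control, and an in-memory audit log. Access is denied by default, and every attempt, allowed or denied, is recorded so that each access is attributable to a person.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Record sections of the patient insurance department (Table 2).
SECTIONS = frozenset({
    "patient_details", "insurer_details", "policy_details", "next_of_kin",
    "health_record", "insurance_history", "eligibility", "uncovered_quota",
})

# Assumed role-to-section matrix. Anything not listed is denied (deny by default).
# The grants are illustrative; the hospital's real matrix comes out of the policy work.
ROLE_PERMISSIONS = {
    "clinician":   {"read": {"patient_details", "next_of_kin", "health_record"},
                    "write": {"health_record"}},
    "billing":     {"read": {"patient_details", "policy_details", "eligibility", "uncovered_quota"},
                    "write": {"uncovered_quota"}},
    "insurer_rep": {"read": {"policy_details", "eligibility"}, "write": set()},
    "auditor":     {"read": SECTIONS, "write": set()},
    "it_admin":    {"read": set(), "write": set()},  # runs the system, never reads records
}

DAILY_PATIENT_QUOTA = 50  # metered access: distinct patients one user may touch per day (assumed)


@dataclass
class Patient:
    patient_id: str
    insurer: str


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AccessController:
    patients: dict                                   # patient_id -> Patient
    audit_log: list = field(default_factory=list)
    _seen: dict = field(default_factory=lambda: defaultdict(set))  # (user, date) -> patient ids

    def check(self, user, role, action, patient_id, section, when, user_insurer=None):
        """Decide, then record the attempt whether or not it was allowed."""
        d = self._decide(user, role, action, patient_id, section, when, user_insurer)
        self.audit_log.append(
            f"{when.isoformat()} user={user} role={role} action={action} "
            f"patient={patient_id} section={section} "
            f"result={'ALLOW' if d.allowed else 'DENY'} reason={d.reason!r}"
        )
        return d

    def _decide(self, user, role, action, patient_id, section, when, user_insurer):
        # Layer 1: the request must name a known section, role and action.
        if section not in SECTIONS:
            return Decision(False, "unknown section")
        perms = ROLE_PERMISSIONS.get(role)
        if perms is None or action not in perms:
            return Decision(False, "unknown role or action")
        # Layer 2: the role must be granted this action on this section.
        if section not in perms[action]:
            return Decision(False, f"{role} may not {action} {section}")
        # Layer 3: relationship constraint (an insurer's representative sees only its own insured).
        patient = self.patients.get(patient_id)
        if patient is None:
            return Decision(False, "unknown patient")
        if role == "insurer_rep" and patient.insurer != user_insurer:
            return Decision(False, "patient is not insured by this representative's company")
        # Layer 4: metered access, to blunt bulk export or snooping from a valid account.
        touched = self._seen[(user, when.date())]
        if patient_id not in touched and len(touched) >= DAILY_PATIENT_QUOTA:
            return Decision(False, "daily patient quota exceeded")
        touched.add(patient_id)
        return Decision(True, "permitted")


def demo():
    """Constructed walk-through; returns the controller and decisions so they can be checked."""
    patients = {f"PAT-{i:04d}": Patient(f"PAT-{i:04d}", "AcmeHealth" if i % 2 else "BetaCare")
                for i in range(60)}
    ac = AccessController(patients)
    t = datetime(2018, 10, 21, 9, 30)
    results = {
        "clinician_reads_chart": ac.check("nurse1", "clinician", "read", "PAT-0001", "health_record", t),
        "billing_reads_chart":   ac.check("bill1", "billing", "read", "PAT-0001", "health_record", t),
        "rep_own_insured":       ac.check("rep1", "insurer_rep", "read", "PAT-0001", "policy_details", t, "AcmeHealth"),
        "rep_other_insured":     ac.check("rep1", "insurer_rep", "read", "PAT-0002", "policy_details", t, "AcmeHealth"),
        "auditor_writes":        ac.check("aud1", "auditor", "write", "PAT-0001", "eligibility", t),
    }
    # A billing clerk walking through 51 distinct patients in one day trips the meter on the 51st.
    for i in range(51):
        last = ac.check("bill2", "billing", "read", f"PAT-{i:04d}", "policy_details", t)
    results["quota_tripped"] = last
    return ac, results
```

Each check passes through four layers (known section, role grant, relationship to the patient, quota) and the first failing layer decides, so a misconfiguration in one layer does not by itself expose a record. The audit line records denials as well as grants: repeated denials are often the earliest visible sign of an account being misused, and an access review that only sees successes cannot spot them.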

The fifth step in the implementation is the implementation of the information governance infrastructure within the organization. This includes actually setting up the information governance structures, assigning roles, and developing rules and procedures for the IG program. An understanding of the data types will be important here. For this, the functional area ‘Patient Insurance’ in Table 2 has been chosen.

Table 2: The Patient Insurance department record types

Department: Patient Insurance Department

Sub-sections and their record types:

Patient details
· Personal details of the patient
· Insurance firm of the patient
· Length of the cover
· Contact details of the patient

Insurer details
· Name of the insurer
· Contact of the insurer
· Address of the insurer
· Connection to the hospital
· Acceptability of the insurer

Policy details
· Commencement of the policy
· Term of the policy
· Areas covered
· Premiums and their payment
· Policy validity

Beneficiary and next-of-kin details
· Name and address of the next of kin
· Contact details of the next of kin
· Next of kin's attachment to the insurance
· Next-of-kin contact instructions

Patient health record
· Previous admission
· Cause for previous admission
· Current admission
· Cause for current admission
· Whether the admission reason is recurrent
· Known illnesses and conditions
· Previously treated conditions
· Insurance covers used elsewhere

Patient insurance history
· Insurance use in other facilities
· Premium consistency
· Insurer recommendation

Eligibility details
· Treatment eligibility
· Eligibility statement
· Accountability statement

Uncovered quota details
· Value of uncovered quota
· Billing for uncovered quota

During this stage, the technology and procedures will also be implemented within the department. This creates efficiency, access ease, as well as proper rules and regulations for the access of information. A draft of the rules and regulations that the department should adhere to during the course of using the information available is also undertaken during this step.

The last step in the implementation is training, development, capacity building, and sustainability. According to Jiang et al. (2009), the human resources should be trained on information governance in order to understand how to use and apply the available information in their daily routines, as well as to understand their roles and responsibilities in the security of the information. Sustainability includes a plan for how the IG program for the patient insurance department will integrate with the rest of the departments and with the organizational vision and data systems.

Roles and Responsibilities - Patient Insurance Department (IG Program)

The roles and responsibilities within the department are shown below in tabular form, representing the departmental organization chart: each position, the position it reports to, and its roles and responsibilities.

1. Department Manager (reports to: Hospital General Manager)
· Overall decision making in the department
· Supervision of department staff
· In charge of department strategy
· Approves budgets and plans for the department
· Member of the IG committee

2. Deputy Department Manager (reports to: Department Manager)
· Performs the roles of the department manager when the department manager is not in the hospital
· Performs roles assigned by the department manager
· Chairs the departmental audit team

3. Risk Manager (reports to: Department Manager)
· Prepares the departmental risk register
· In charge of risk evaluation for departmental projects
· Evaluates systems for risks
· Risk advisor on all projects
· A member of all departmental committees and teams

4. Insurer Representative (reports to: Department Manager)
· Represents the views and interests of insurers in the department

5. Compliance and Legal Affairs Manager (reports to: Department Manager)
· Ascertains whether systems meet legal thresholds
· Gives legal advice to project teams
· Gives legal advice on any new agreements and on internal and external contracts for the department
· A member of the IG committee

6. IT Manager (reports to: Department Manager)
· In charge of developing systems in the department
· In charge of system maintenance
· In charge of system security
· In charge of assignment of access levels and rights
· A member of the IG committee

7. Financial Officer (reports to: Department Manager)
· Ensures all decisions and projects make financial sense
· Gives a financial perspective on agreements with insurers

8. Risk Management Officials (report to: Risk Manager)
· Help prepare the departmental risk register
· Help in risk evaluation for departmental projects
· Help in evaluating systems for risks
· Risk advisors on all projects
· Members of all departmental committees

9. Lawyers (report to: Compliance and Legal Affairs Manager)
· Ascertain whether systems meet legal thresholds
· Give legal advice to project teams
· Give legal advice on any new agreements and on internal and external contracts for the department
· Members of different departmental committees

10. IT Development Staff (report to: IT Manager)
· Develop new systems for the department
· Develop system updates that incorporate technical innovations

11. IT Networking Staff (report to: IT Manager)
· Ensure proper links between systems
· Ensure secure links between systems
· Ensure everyone has the proper access rights

12. Systems Security Staff (report to: IT Manager)
· Ensure system security is kept up to date
· Conduct system audits
· System restarts and protection updates

13. Internal Auditor (reports to: Department Manager)
· Audits everything in the department for compliance

IG Program Policies and Procedures

With the IG program implemented in the patient insurance department, policies that govern information access and the general use of the system will be important. The following policies, each with its procedure, will guide the use of the IG program in the department:

Policy 1: Systems or databases holding patient insurance information may only integrate with systems deemed secure according to industry-defined standards, so that uncontrolled proliferation and tampering of data are avoided in the hospital.

Procedure: The first step is to evaluate every system that needs to integrate with City General Hospital's systems, especially the insurance systems, and the security standards they meet. Once satisfied that they match global industry standards, integration begins, with the CGH systems treated as the authoritative system of record.

Policy 2: Systems or databases holding patient insurance information will protect data in transit with TLS (the successor to SSL), using certificates issued by a trusted certificate authority. TLS protects data only while it is moving between systems; loss or theft of data at rest and physical threats are addressed by separate controls (encryption at rest, access control and physical security), not by the certificate.

Procedure: The first step is to research the certificate authorities on the market, obtain a certificate from a reputable one, install it, and disable the deprecated SSL protocol versions and weak cipher suites on the servers. Certificates will be renewed at least every six months, and immediately if the private key is suspected to be compromised. Certificate expiry will be monitored so that a lapsed certificate never interrupts service or trains users to click through browser warnings.

Policy 3: System managers and handlers will check the system at the start and end of each day to determine whether there has been any malicious or unwarranted access to the system, or whether any viruses or worms have penetrated it, following a defined review procedure that covers the access audit logs and anti-malware alerts.

Procedure: Scheduled system checks will be done three times daily by a dedicated system maintenance team: the first at the start of the day at seven in the morning, the second at the end of the day at seven in the evening, and the third at a random time of the team's choosing. These manual reviews supplement, and do not replace, automated alerting from the access-control and anti-malware systems, since an attacker active between two checks would otherwise go unnoticed for up to twelve hours.

Policy 4: The IG maintenance team will periodically evaluate the system that keeps the patient insurance information and records, and develop solutions to improve the system's health and make it more reliable for data storage as well as more user-friendly and secure.

Procedure: The procedure includes installation of the system and development of a continuous improvement plan, which involves constantly researching and developing solutions to make the IG program better. Every four months, the team will deliberate on and start to develop new solutions for outstanding challenges in the system.

Policy 5: There will be an application update for the IG system once every four months, in which a new package of the IT application is installed, to maintain data protection and reduce the potential for a data breach. Security patches the vendor rates as critical will be applied as soon as they have been tested, outside the four-month cycle, because a known vulnerability left open for months invites the very breach the policy is meant to prevent.

Procedure: First, the program will be mapped into categories including patient data, insurer data, compliance, users, and access levels. Each of these elements will be evaluated over a four-month period, and aspects that are ambiguous, unclear, insecure or potential threats will be removed or improved through the updated application.

Policy 6: Data backup will be implemented so that all data is backed up daily, to guard against data loss, whether from cybercrime such as ransomware or from system failure.

Procedure: The IG team will, after research, establish three different backup platforms on which the organization's information is stored. These platforms, which differ in form, will be maintained daily, with information replicated to them in real time. Because a real-time replica mirrors deletions and ransomware encryption as faithfully as legitimate changes, point-in-time copies will also be kept, and at least one copy will be held offline or in immutable storage that cannot be altered from the live systems. Restores will be tested regularly. In case of a breach, a forensic image of the affected system and its logs will be preserved for the investigation before anything is wiped; the system will then be rebuilt from a known-good image and its data restored from a backup verified to predate the compromise.

Policy 7: The employees of the hospital will be educated on handling patient insurance data and on the importance of information governance, to help them understand the criticality of access control procedures.

Procedure: Training will happen at the employee's first point of contact with the organization, which is the recruitment and onboarding period. Continuous training will also happen after every new update or feature is added. Training will cover how to use the system and the different ways to keep the information safe.
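Policy 3 calls for a daily review of the system for malicious or unwarranted access. The following Python example, added here and not part of the original proposal, shows what that review can look like when it runs over the access audit log rather than relying on someone eyeballing a console. It assumes a one-event-per-line log format (timestamp, user, role, action, patient, section, result) and four illustrative rules whose thresholds are assumptions: a non-clinical role reading a patient health record, a non-clinical role active outside the 7 a.m. to 7 p.m. window that the policy's checks are built around, one user touching an unusually large number of distinct patients in a day, and repeated denials from one account. The sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, time

# One event per line, in the format the access-control layer is assumed to write.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) section=(?P<section>\S+) result=(?P<result>ALLOW|DENY)$"
)

CLINICAL_ROLES = {"clinician"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # the window between policy 3's morning and evening checks
BULK_PATIENTS_PER_DAY = 40                   # assumed threshold for one user on one day
DENIALS_PER_USER = 3                         # assumed threshold for repeated denials

# Constructed sample log: a normal day plus the four situations the rules are meant to catch.
SAMPLE_LOG = "\n".join([
    "2018-10-21T08:05:12 user=nurse1 role=clinician action=read patient=PAT-0001 section=health_record result=ALLOW",
    "2018-10-21T08:06:40 user=bill1 role=billing action=read patient=PAT-0001 section=policy_details result=ALLOW",
    "2018-10-21T02:14:05 user=bill1 role=billing action=read patient=PAT-0007 section=eligibility result=ALLOW",
    "2018-10-21T10:20:00 user=bill1 role=billing action=read patient=PAT-0001 section=health_record result=ALLOW",
    "2018-10-21T11:00:01 user=rep1 role=insurer_rep action=read patient=PAT-0002 section=policy_details result=DENY",
    "2018-10-21T11:00:09 user=rep1 role=insurer_rep action=read patient=PAT-0004 section=policy_details result=DENY",
    "2018-10-21T11:00:15 user=rep1 role=insurer_rep action=read patient=PAT-0006 section=policy_details result=DENY",
    "2018-10-21T23:40:00 user=nurse2 role=clinician action=read patient=PAT-0009 section=health_record result=ALLOW",
] + [
    f"2018-10-21T13:{i:02d}:00 user=clerk9 role=billing action=read patient=PAT-{100 + i:04d} "
    "section=policy_details result=ALLOW"
    for i in range(45)
])


def parse(text):
    """Parse log text into event dicts. Lines that do not match are returned, not silently dropped."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, rejected


def detect(events):
    """Return a sorted list of (user, rule, detail) findings."""
    findings = set()
    patients_per_day = defaultdict(set)
    denials = Counter()
    for ev in events:
        user, role, t = ev["user"], ev["role"], ev["ts"]
        if ev["result"] == "DENY":
            denials[user] += 1      # a denied request touched nothing, but the attempt is signal
            continue
        patients_per_day[(user, t.date())].add(ev["patient"])
        if role not in CLINICAL_ROLES and ev["section"] == "health_record":
            findings.add((user, "non_clinical_health_record", f"{role} read {ev['patient']} at {t.isoformat()}"))
        if role not in CLINICAL_ROLES and not (BUSINESS_HOURS[0] <= t.time() < BUSINESS_HOURS[1]):
            findings.add((user, "after_hours_access", f"{role} active at {t.isoformat()}"))
    for (user, day), patients in patients_per_day.items():
        if len(patients) >= BULK_PATIENTS_PER_DAY:
            findings.add((user, "bulk_patient_access", f"{len(patients)} distinct patients on {day}"))
    for user, n in denials.items():
        if n >= DENIALS_PER_USER:
            findings.add((user, "repeated_denials", f"{n} denied requests"))
    return sorted(findings)


def review(text=SAMPLE_LOG):
    """The daily check: parse, detect, and hand back findings plus any unparseable lines."""
    events, rejected = parse(text)
    return detect(events), rejected
```

Rejected lines matter: a log line the parser cannot read is either format drift or tampering, and a review that silently skips them is worse than none. The thresholds should be tuned against a quiet baseline week before anyone acts on a finding; the constants here are starting points, not hospital policy.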
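Policy 6 relies on restoring from backup after a breach, which only works if the backup copy is itself intact. The following Python example, added here and not part of the original proposal, backs up a directory of records together with a SHA-256 manifest and then verifies the copy against that manifest, flagging files that were modified, deleted or added since the backup was taken. The record files and the simulated damage are constructed; the manifest digest returned by create_backup stands in for the out-of-band record (for example, a value written to the offline copy) that lets the verifier detect a rewritten manifest.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path) -> str:
    """Copy every file under source to dest and write a manifest of SHA-256 digests.
    Returns the digest of the manifest, which must be kept apart from the backup:
    an attacker who can rewrite the backup can also rewrite a manifest stored beside it."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_file(target)   # hash the copy, not the original
    data = json.dumps(manifest, sort_keys=True, indent=1).encode()
    (dest / MANIFEST).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_backup(dest: Path, manifest_digest: str) -> dict:
    """Return {relative_path: problem}. An empty dict means the backup matches what was recorded."""
    manifest_path = dest / MANIFEST
    if not manifest_path.exists():
        return {MANIFEST: "missing"}
    data = manifest_path.read_bytes()
    if hashlib.sha256(data).hexdigest() != manifest_digest:
        return {MANIFEST: "tampered"}     # trust nothing listed in a manifest that has been rewritten
    manifest = json.loads(data)
    present = {p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file()} - {MANIFEST}
    problems = {}
    for rel, digest in manifest.items():
        if rel not in present:
            problems[rel] = "missing"
        elif sha256_file(dest / rel) != digest:
            problems[rel] = "modified"
    for rel in present - manifest.keys():
        problems[rel] = "unexpected"
    return problems


def demo():
    """Constructed run: back up two records, verify clean, then simulate ransomware damage."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "live"), Path(tmp, "backup")
        (src / "records").mkdir(parents=True)
        (src / "records" / "PAT-0001.json").write_text('{"patient_id": "PAT-0001", "insurer": "AcmeHealth"}')
        (src / "records" / "PAT-0002.json").write_text('{"patient_id": "PAT-0002", "insurer": "BetaCare"}')
        digest = create_backup(src, dst)
        clean = verify_backup(dst, digest)
        # Damage the backup copy: one file encrypted in place, one deleted, a ransom note dropped in.
        (dst / "records" / "PAT-0001.json").write_bytes(b"\x00ENCRYPTED\x00")
        (dst / "records" / "PAT-0002.json").unlink()
        (dst / "records" / "README.txt").write_text("pay us")
        damaged = verify_backup(dst, digest)
        # The attacker "repairs" the manifest to hide the damage; the out-of-band digest catches it.
        (dst / MANIFEST).write_text("{}")
        hidden = verify_backup(dst, digest)
        return clean, damaged, hidden
```

The verification is only as strong as the separation between the backup and the manifest digest: keep the digest with the offline copy or in a system the live servers cannot write to, and run this check before a restore is trusted, not after.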

Laws and Regulations that will be applied and adhered to

The first area of law that must be adhered to is data privacy and data protection. The volume of data that will move through the IG system is large and includes personally identifiable information, detailed and aggregate information, protected health information, and de-identified information. Protection and privacy of this information are important, hence information privacy rules and regulations will be adhered to throughout the use of IG in the patient insurance department.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 will also be adhered to during the implementation and use of the IG program in the hospital. Title I of the Act lets people carry their insurance from job to job, so the hospital will allow for a change of insurer in patient records. For the IG program, however, the more important parts are the HIPAA Privacy Rule and Security Rule (45 CFR Parts 160 and 164), which set the administrative, physical and technical safeguards required for the protected health information the department handles and define the hospital's obligations when PHI is exchanged with insurers (themselves covered entities as health plans) and with vendors (business associates).

The department will also consider the Gramm-Leach-Bliley Act, which governs the protection of non-public personal information by financial institutions; it applies to the hospital only indirectly, through the insurers it exchanges data with, but it shapes what those insurers can share and on what terms. For accident and emergency patients whose identity cannot be established with ease, the Driver's Privacy Protection Act governs the personal information held by state departments of motor vehicles, so any use of such data to identify a patient must fall within one of the Act's permitted purposes. Because the system will hold next-of-kin contact details, the department must comply with the Telephone Consumer Protection Act (TCPA) before placing automated or prerecorded calls or text messages to the next of kin.

In case of a data breach, breach notification law applies. California's Data Security Breach Reporting law was the first of its kind, and similar statutes have since been adopted in every state, including Kentucky; for the protected health information the department holds, the federal HIPAA Breach Notification Rule (45 CFR 164.400-414) also requires notice to affected individuals and to the Department of Health and Human Services, without unreasonable delay and no later than 60 days after discovery. Affected patients must be informed within these timeframes. The Sarbanes-Oxley Act applies to the financial reporting of publicly traded companies, so it is relevant only if the hospital is part of such a company; the due diligence needed to protect patients from an untrustworthy insurer is instead a matter of contract review and of the hospital's own integration and vendor-assessment policy (Policy 1 above).

Accountability and audit requirements will also be observed. The HIPAA Security Rule requires audit controls (45 CFR 164.312(b)) that record and examine activity in systems containing electronic PHI, and regular audits of the systems and resources applied in the IG program are important in ensuring they remain compliant and adhere to all information principles.

The principle of accountability will also be observed in the department. Every person who accesses and uses the information should be accountable for his or her use of the information accessed in order to create responsibility (Silic & Back, 2013). This is one way to ensure that the data and information accessed is used responsibly across the department.

The principle of compliance will be observed: every user of the information will be required to understand all the data-related laws and regulations and to ensure they comply. Compliance will ease the securing of information and ensure confidence in the IG system.

Records Management Laws

Kentucky Data Retention Law (902 KAR 20:016 - http://www.lrc.ky.gov/kar/902/020/016.pdf)

902 KY. ADMIN. REGS. 20:016

This state regulation sets the minimum period for which hospitals must retain a patient's medical records after discharge. The current duration is 3 to 5 years, depending on the type of record.

Kentucky Revised Statutes, Chapter 422, Medical Records (http://www.lrc.ky.gov/statutes/chapter.aspx?id=39281)

KRS 422.300 - 422.990

These statutes, enacted by the Kentucky legislature, establish guidelines for the collection, sharing, storage and consent requirements for medical records, and the penalties for violations.

United States Code

42 U.S.C. §§ 1320d-1 to 1320d-9 (Title 42, Chapter 7, Subchapter XI, Part C: https://www.law.cornell.edu/uscode/text/42/chapter-7/subchapter-XI/part-C)

This is federal statute rather than the Code of Federal Regulations: Part C (Administrative Simplification) of the Social Security Act, added by HIPAA, sets the standards for electronic healthcare transactions and for the privacy and security of health information that the HIPAA regulations in 45 CFR Parts 160-164 implement.

Code of Federal Regulations

42 CFR 482.24, Condition of participation: Medical record services (https://www.law.cornell.edu/cfr/text/42/482.24)

The CFR is the Code of Federal Regulations. Section 482.24 sets the Medicare conditions of participation for hospital medical record services, including the requirement that medical records be retained in their original or legally reproduced form for at least five years.

Records Management

Department Interviews

Department interviews are to be conducted with the department managers and policy management liaisons to identify the business function and the current state of records management within each department.

General interview questionnaire (adapted from Figure 9.3, Smallwood, Robert F., Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO), Wiley, p. 166)

1. What is the mandate of this department?

2. What is the reporting structure of this organization?

3. Are there any existing records management policies? Guidelines? Procedures?

4. What is the current level of awareness among employees of their responsibilities for records management?

5. Does the department have a classification scheme or file plan?

6. Is the department subject to audits? Internal or external? Which agencies conduct the audits?

7. How are old and obsolete data managed within the department? Is there a documented process for handling such data?

8. If there is a records disposition schedule, who is responsible for disposing of the data? What degree of reliance is placed on individual staff for deletion of data? Is the deletion process monitored?

9. Does the department share any data with other internal departments or with external agencies? What data is shared? Is there a documented process for sharing the data securely?

10. How are paper and physical records managed?

Patient Insurance department-specific questionnaire:

1. How is the data being collected from the patient, i.e. once data is collected from the patient how does it come to your department?

2. How many external vendors does this department work with?

3. Does this department follow the information sharing rules mandated by the Health Insurance Portability and Accountability Act (HIPAA)?

4. To what degree is the information being shared internally among other groups as well as externally with third-party vendors?

5. Is there a records manager liaison that ensures data integrity at each level?

Department Surveys

Department surveys are completed by all employees of the respective department. They identify employees' knowledge of data management, how far the set policies and actual operations differ, and what is missing. Below is a general survey form that can be used for each department and for both electronic and non-electronic data.

A general information survey form (adapted from Figures 9.1 and 9.2, Smallwood, Robert F., Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO), Wiley, p. 163):

-- Department Information --

1. What is the reporting structure of the department?

2. Who is the department liaison for the records inventory?

3. Who is the IT or business analyst liaison?

-- Identifying Information --

1. What systems are used to create, collect, report, and destroy data?

2. System ID or control number

3. Resources responsible for administering the monitoring systems.

4. Type of data collected, created, or stored.

5. Business function, unit, or agency supported by the applications/systems used.

6. Description of functions of software applications used

-- System Inputs/Outputs --

1. Primary source of data inputs.

2. Major outputs of system (e.g. recordings, reports)

3. Informational content (all applicable): Description of data; applicability of data (people, places, things); geographic information; time span; update cycle; applications the system supports; how data are manipulated; key unit analysis for each file; public use or not? Information shared or not?

4. Hardware configuration.

5. Software environment, including revision levels, operating systems, databases, firmware, current known vulnerabilities, and so forth.

6. Any classification scheme or file plan that is in place?

7. Location and volume of records collected, created, or stored.

-- Record Requirements --

1. Are there any external agencies that impose guidelines, standards, or other requirements?

2. Are there specific legislative requirements for creating or maintaining records?

3. Is there a departmental records retention schedule?

4. What are the business considerations that drive recordkeeping? Regulatory requirements? Legal requirements?

5. Any existing records management policy? Guidelines? Procedures?

6. How are non-records managed?

7. Are any records in the department confidential or sensitive? How are they indicated or set apart?

8. Is there a disaster recovery policy in place?

9. Is the department subject to audits? Internal or External?

10. How are records stored? Online? Offline? On-site? Off-site? One location? Multiple locations?

11. How does the department ensure that records remain accessible, readable, and useable throughout their scheduled retention period?

12. Are there guidelines for destroying obsolete records?

13. Is there an authorization or management sign-off structure in place for data disposition?

14. How does disposition occur? Are electronic deletions verified?

15. To what extent does the department rely on each individual to destroy e-records?

-- Records Holds --

1. What principles govern decisions for determining the scope of records that must be held or frozen for an audit or investigations?

2. How is the hold or freeze communicated to employees?

3. How are records placed on hold protected?

Taxonomy

Below is a template taxonomy that should be implemented within the respective departments. The Thesaurus provides key definitions. Department Codes identify the unique departmental codes. The File Plan lists a detailed file plan structure. Business Process provides a template for creating the flow and hierarchy of departmental processes.

· Thesaurus

Departmental Codes:

Primary Departmental Code is a unique two-character alphabetic code.

Sub-Departmental Code is a unique two-character alphabetic code within the department code.

File Plan:

The File Plan provides a standard structure for record creation and maintenance. The document identifiers defined under the File Plan are unique and form the standard for all data throughout the organization.

Primary Document Type Identifier (ID) is a two-digit numeric code at the beginning of Primary document type.

Document Sub-Type ID is a numeric code that follows the Primary Document Type ID and a period, e.g. 11.1, where 1 is the sub-type ID.

Document ID is a numeric code that follows the Document Sub-Type ID and a period, e.g. 11.1.5, where 5 is the document ID.

Business Process:

Business Process presents a standard work-flow of an organizational department pertaining to records management.

· Department Codes

IN – Insurance

PIN – Patient Insurance

SIN – Staff Insurance

10 – Primary Document Type ID

10.1 – Document Sub-type ID

10.1.1 – Document ID

· Sample File Plan:

10 Insurance Details

10.1 Patient Details

10.1.1 Patient Information

· Personal details of the patient

· Insurance firm of the patient

· Length of the cover

· Contact details of the patient

10.1.2 Beneficiary & Next of Kin

· Name and Address of the next of kin

· Contact details and instructions

· Next of kin relation to insurance

10.1.3 Patient Health History Records

· Previous admissions

· Cause for previous admissions

· Previous diagnosis

· Previous treatments

· Recurrent admission causes

10.2 Patient Insurance Information

10.2.1 Insurer Details

· Name of the Insurer

· Contact of the Insurer

· Address of the Insurer

· Hospital contractual information

· Acceptability of the Insurer

10.2.2 Policy Details

· Commencement of the policy

· Terms & Conditions

· Services Covered

· Premiums and their payment

· Policy validity

10.2.3 Patient Insurance History

· Insurance utilization in the past

· Insurance utilization facilities

· Premium consistency

· Insurer recommendation

10.2.4 Eligibility Details

· Treatment eligibility

· Eligibility statement

· Accountability statement

10.2.5 Uncovered Quota Details

· Value of uncovered quota

· Billing of uncovered quota

· Sample Business Process

Figure 1 - Business Process

Metadata

Below is a Metadata template that should be implemented within the respective departments. The Thesaurus provides key definitions. Metadata Components gives a template for creating Metadata and provides the basis for the final record presentation. The Retention and Disposition Schedule gives a template for creating a data retention and disposition schedule and correlating it with the metadata and file plan.

· Thesaurus

Record Status reflects if the record is in active or inactive state. A record cannot be inactive until it has passed through retention sign-off, and cannot remain active once passed disposition sign-off.

Record Series reflects a unique record identifier. It is composed of

Dept. ID_+_Sub-Dept. ID_+_Doc Type ID_+_Doc Sub-Type ID_+_Doc #

All of these fields can be obtained from the File Plan. The Document Number (#) is formed from the year YYYY followed by a unique number between 1 and 100,000. The unique number series is reset to 1 as soon as the year changes.

Record Creation Date & Time reflects the date and time at which the record was created.

Record Trigger reflects the event that caused the record to be created. These events are pre-defined, and each department registers its own events with IT.

Record Hold reflects the department code that has placed a hold on the record. Until the hold is cleared the record is frozen. A reason for the hold is to be entered manually by the requestor and should be specific enough to justify it.

Dept., Sub-Dept., Record Type, and Record Sub-Type are attained from the Record Series data.

Record Content:

Requestor/Creator Name reflects the name of an individual who created the record.

Unique ID of the Creator – Employee ID

Content contains a form, or text information.

Associated Entities reflects each entity associated with the record. For example: all physicians, nurses, surgeons associated to a single patient would be listed here and would have access to this record. It also reflects any changes made to this record by any entity.

Record Tags:

Tags are two- to three-word descriptive tags that can be used as a unique search function. Multiple tags can be assigned to a single record.

Retention Status reflects a unique code obtained from the retention schedule plus its brief description.

Retention Period reflects the total retention period obtained from the retention schedule and the date on which retention takes effect (past, present, or future).

Retention Sign-off reflects all signatory entities that approved the respective retention.

Disposition Status reflects a unique code obtained from the retention schedule plus its brief description.

Disposition Period reflects the total disposition period obtained from the retention schedule and the date on which disposition takes effect (past, present, or future).

Disposition Sign-off reflects all signatory entities that approved the respective disposition.

· Metadata Components

Record Status: Active | Inactive

Record Series: Department (Dept.) Identifier (ID) + Sub-Dept. ID + Document Type ID + Document Sub-Type ID + Document Number (#)

Record Creation Date & Time: MM/DD/YYYY HH:MM:SS

Record Trigger: Employee Fire/Hire, Complaint Filed, Repair Request, ….

Record Hold: Dept. ID + Sub-Dept. ID; Hold Reason (manual entry)

Dept., Sub-Dept., Record Type, Record Sub-Type: derived from the Record Series

Record Content: Creator/Requestor Name; Unique ID; Content (File, raw text, etc.); Associated Entities + Last change made MM/DD/YYYY

Record Tags: Inventory Records, Power Generators, Imaging Document, Indoor Equipment, Outdoor Equipment, Accounts, Vendor Contracts, …..

Retention Status: Retention Codes

Retention Period: xx years total; date MM/DD/YYYY retention in effect

Retention Sign-off: Signatory Entities

Disposition Status: Disposition Codes

Disposition Period: xx years total; date MM/DD/YYYY disposition in effect (past, present, future)

Disposition Sign-off: Disposition Entities

· Sample Record

Figure 2 - Sample Record Type
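As an added worked example (not part of the proposal or its authors' work), the following Python ties the department codes and file plan of the Taxonomy section to the Record Series and Document Number rules of the Metadata thesaurus: it issues Document Numbers whose sequence resets to 1 each year, and it builds and validates a Record Series identifier so that a malformed or out-of-plan identifier is rejected before a record is created. The underscore separator, the six-digit zero-padding of the sequence number and the two lookup tables are assumptions constructed for the example.

```python
"""Record Series identifiers for the City General Hospital file plan (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed lookup tables transcribed from the Taxonomy section: department IN
# (Insurance) with sub-departments PIN and SIN, and document type 10 (Insurance
# Details) with sub-types 10.1 and 10.2.  A deployment would load the full file plan.
DEPARTMENTS = {"IN": {"PIN", "SIN"}}
FILE_PLAN = {"10": {"10.1", "10.2"}}

MAX_SEQUENCE = 100_000  # Document Number range [1, 100,000] stated in the thesaurus
SEPARATOR = "_"         # assumption: the "_+_" notation means a literal underscore
SEQ_DIGITS = 6          # assumption: zero-pad the sequence so YYYY + number parses cleanly

DOC_NUMBER_RE = re.compile(rf"(?P<year>\d{{4}})(?P<seq>\d{{{SEQ_DIGITS}}})")


@dataclass(frozen=True)
class RecordSeries:
    dept: str          # two-letter department code, e.g. IN
    sub_dept: str      # sub-department code within the department, e.g. PIN
    doc_type: str      # two-digit Primary Document Type ID, e.g. 10
    doc_sub_type: str  # Document Sub-Type ID, e.g. 10.1
    doc_number: str    # Document Number: YYYY + sequence, e.g. 2018000001

    def __str__(self) -> str:
        return SEPARATOR.join(
            (self.dept, self.sub_dept, self.doc_type, self.doc_sub_type, self.doc_number)
        )


class DocumentNumberIssuer:
    """Issues Document Numbers; the sequence resets to 1 when the year changes."""

    def __init__(self) -> None:
        self._year: Optional[int] = None
        self._seq = 0

    def issue(self, year: int) -> str:
        if year != self._year:
            self._year, self._seq = year, 0
        if self._seq >= MAX_SEQUENCE:
            raise OverflowError(f"Document Number range exhausted for {year}")
        self._seq += 1
        return f"{year:04d}{self._seq:0{SEQ_DIGITS}d}"


def check_plan(dept: str, sub_dept: str, doc_type: str, doc_sub_type: str) -> None:
    """Rejects parts that are not in the department codes or the file plan."""
    if not re.fullmatch(r"[A-Z]{2}", dept) or dept not in DEPARTMENTS:
        raise ValueError(f"unknown department code {dept!r}")
    if sub_dept not in DEPARTMENTS[dept]:
        raise ValueError(f"sub-department {sub_dept!r} is not within {dept}")
    if not re.fullmatch(r"\d{2}", doc_type) or doc_type not in FILE_PLAN:
        raise ValueError(f"unknown Primary Document Type ID {doc_type!r}")
    if doc_sub_type not in FILE_PLAN[doc_type]:
        raise ValueError(f"sub-type {doc_sub_type!r} is not under type {doc_type}")


def validate(rs: RecordSeries) -> RecordSeries:
    """Full validation: file-plan parts plus a well-formed, in-range Document Number."""
    check_plan(rs.dept, rs.sub_dept, rs.doc_type, rs.doc_sub_type)
    match = DOC_NUMBER_RE.fullmatch(rs.doc_number)
    if match is None or not 1 <= int(match["seq"]) <= MAX_SEQUENCE:
        raise ValueError(f"malformed Document Number {rs.doc_number!r}")
    return rs


def parse_record_series(text: str) -> RecordSeries:
    """Splits an identifier into its five parts and validates them."""
    parts = text.split(SEPARATOR)
    if len(parts) != 5:
        raise ValueError(f"expected 5 parts, got {len(parts)}: {text!r}")
    return validate(RecordSeries(*parts))


def new_record_series(issuer: DocumentNumberIssuer, dept: str, sub_dept: str,
                      doc_type: str, doc_sub_type: str, year: int) -> RecordSeries:
    """Checks the plan first so an invalid request does not consume a Document Number."""
    check_plan(dept, sub_dept, doc_type, doc_sub_type)
    return validate(RecordSeries(dept, sub_dept, doc_type, doc_sub_type, issuer.issue(year)))


if __name__ == "__main__":
    issuer = DocumentNumberIssuer()
    first = new_record_series(issuer, "IN", "PIN", "10", "10.1", 2018)
    print(first)                                   # IN_PIN_10_10.1_2018000001
    print(parse_record_series(str(first)) == first)  # True
```

Because the sequence resets every year, the year prefix is what keeps Document Numbers unique across years; the validator therefore refuses a sequence of 0 or above 100,000 as well as any department, sub-department or sub-type that is not in the plan.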

Retention & Disposition Schedule

Retention and Disposition of data is a key aspect of records management. Data retained for shorter than the mandatory timeframe would be “Spoliation”; data stored longer than the suggested timeframe could become a “liability”. Hence, it is crucial to identify a retention and disposition schedule for each and every record type throughout the organization.

· Thesaurus

Retention signifies that data is to be retained, and the Schedule pertaining to it signifies the time period of the respective retention.

Disposition signifies disposing of data once it is categorized as inactive (not being actively utilized), and the Schedule pertaining to it signifies the specific action to be taken to dispose of the data after a given time period.

Unique Codes for retention and disposition signify the action associated with each code.

· Components

Retention Codes

(R) – Retain for x years

(D) – Delete after x years

Disposition Codes

(A) – Archive for x years

(D) – Delete after x years

(OF) – Archive off-site for x years

(ON) – Archive on-site for x years

(LTP) – Long term preservation

· Sample Retention Schedule

Document Series | Document Sub-series | Document # | Action      | Status     | Period
10              | 10.1                | All        | Retention   | (R)        | 5 Years
10              | 10.1                | All        | Disposition | (A) (D)    | 5 Years
10              | 10.2                | 10.2.1     | Retention   | (R)        | 1 Year
10              | 10.2                | 10.2.2     | Disposition | (D)        | 0 Years
10              | 10.3                | 10.3.1     | Retention   | (R)        | 1 Year
10              | 10.3                | 10.3.2     | Disposition | (D)        | 0 Years
10              | 10.3                | 10.3.8     | Disposition | (D)        | 0 Years
11              | 11.1                |            | Retention   | (R)        | 1 Year
11              | 11.1                |            | Disposition | (OF) (LTP) | 10 Years
11              | 11.4                |            | Retention   | (R)        | 1 Year
11              | 11.4                |            | Disposition | (ON) (D)   | 2 Years
12              | 12.3                |            | Retention   | (R)        | 1 Year
12              | 12.3                |            | Disposition | (D)        | 0 Years
12              | 10.4                |            | Retention   | (R)        | 1 Year
12              | 10.4                |            | Disposition | (D)        | 0 Years

Figure 3 - Sample Retention Schedule
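As an added worked example (not part of the proposal or its authors' work), the following Python evaluates a single record against the sample retention schedule of Figure 3 together with the Record Status and Record Hold rules from the Metadata thesaurus. It computes the retention and disposition end dates, refuses a disposition that would be spoliation or that lacks retention sign-off, freezes a record under hold, and flags a record type for which no schedule exists. The schedule rows, the reading of an empty Document # cell as "All", the record fields and the decision strings are assumptions constructed for the example.

```python
"""Retention and disposition decisions for a City General Hospital record (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed schedule transcribed from the Figure 3 rows for series 10 and 11;
# where the figure leaves the Document # cell empty it is read here as "All".
# Columns: Document Series, Sub-series, Document #, Action, Status codes, Period (years).
SCHEDULE = [
    ("10", "10.1", "All",    "Retention",   ("R",),        5),
    ("10", "10.1", "All",    "Disposition", ("A", "D"),    5),
    ("10", "10.2", "10.2.1", "Retention",   ("R",),        1),
    ("10", "10.2", "10.2.2", "Disposition", ("D",),        0),
    ("11", "11.1", "All",    "Retention",   ("R",),        1),
    ("11", "11.1", "All",    "Disposition", ("OF", "LTP"), 10),
]
ARCHIVE_CODES = {"A", "OF", "ON"}   # disposition codes that keep the data, on- or off-site


@dataclass
class Record:
    document_id: str                 # Document ID from the file plan, e.g. "10.1.3"
    created: date                    # Record Creation Date
    retention_signed_off: bool = False
    disposition_signed_off: bool = False
    hold_by: Optional[str] = None    # Dept. ID + Sub-Dept. ID that placed a Record Hold


def find_rule(document_id: str, action: str) -> Tuple[Tuple[str, ...], int]:
    """Most specific schedule row: an exact Document # row beats an 'All' row."""
    parts = document_id.split(".")
    series, sub_series = parts[0], ".".join(parts[:2])
    exact = catch_all = None
    for s, ss, doc, act, codes, years in SCHEDULE:
        if (s, ss, act) != (series, sub_series, action):
            continue
        if doc == document_id:
            exact = (codes, years)
        elif doc == "All":
            catch_all = (codes, years)
    rule = exact or catch_all
    if rule is None:   # an unscheduled record type is itself a finding to report
        raise LookupError(f"no {action} rule scheduled for {document_id}")
    return rule


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:               # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: Record) -> date:
    _, years = find_rule(rec.document_id, "Retention")
    return add_years(rec.created, years)


def disposition_end(rec: Record) -> date:
    _, years = find_rule(rec.document_id, "Disposition")
    return add_years(retention_end(rec), years)   # disposition period starts when retention ends


def record_status(rec: Record, today: date) -> str:
    """Thesaurus rule: not Inactive before retention sign-off, never Active after disposition sign-off."""
    if rec.disposition_signed_off:
        return "Inactive"
    if rec.retention_signed_off and today >= retention_end(rec):
        return "Inactive"
    return "Active"


def disposition_decision(rec: Record, today: date) -> str:
    """What a disposition job may do with the record today, or why it must not act."""
    if rec.hold_by:
        return f"FROZEN: hold placed by {rec.hold_by}"
    r_end = retention_end(rec)
    if today < r_end:
        return f"REFUSED: disposing before {r_end.isoformat()} would be spoliation"
    if not rec.retention_signed_off:
        return "REFUSED: retention sign-off missing"
    codes, _ = find_rule(rec.document_id, "Disposition")
    d_end = disposition_end(rec)
    if today < d_end:
        archive = sorted(ARCHIVE_CODES & set(codes))
        return (f"ARCHIVE ({'/'.join(archive)}) until {d_end.isoformat()}" if archive
                else f"WAIT until {d_end.isoformat()}")
    return "DELETE" if "D" in codes else "PRESERVE (LTP)"


if __name__ == "__main__":
    rec = Record("10.1.3", date(2018, 10, 21), retention_signed_off=True)
    for today in (date(2020, 1, 1), date(2024, 1, 1), date(2029, 1, 1)):
        print(today, record_status(rec, today), disposition_decision(rec, today))
```

The two REFUSED branches are the control that prevents spoliation: a deletion job that consults this decision cannot remove a record inside its retention period or without the retention sign-off the thesaurus requires, and a Record Hold overrides every other outcome until it is cleared. The LookupError on an unscheduled record type is deliberate, since the section above requires a schedule for each and every record type.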

Conclusion

Issues Addressed: Internal issues of CITY hospital were outlined along with external healthcare issues. Evaluation of Current State: City hospital lacks infrastructure for healthcare data collection and storage, which is at high risk while the hospital grows along with the NKY healthcare market. A Risk Assessment was performed on the various functional departments, and the IG team identified the highest-risk areas, where data could be breached and is not within regulatory compliance. After this assessment the IG team has drawn up the IG Strategy & Timeline, a step-by-step plan to be implemented over 18 months divided into phases, in which roles & responsibilities are defined to align with the hospital's mission and vision. From this framework the policies & procedures and the legal and compliance requirements were outlined so as to abide by state and federal regulation. With this proposal, an audit team would also be in place to monitor progress of the plan framed out for CITY Hospital.


References

Choi, Y. B., Captain, K.E., Krause, J.S., & Streeper, M.M. (2006). Challenges associated with privacy in health care industry: implementation of HIPAA and the security rules. Journal of Medical Systems, 30(1), 57-64.

Hagmann, J. (2013). Information governance - beyond the buzz. Records Management Journal, 23(3), 228-240. doi:http://dx.doi.org/10.1108/RMJ-04-2013-0008

Hearld, L.R., Alexander, J.A., Fraser, I., & Jiang, H.J. (2008). How do hospital organizational structure and processes affect quality care? A critical review of research methods. Medical Care Research and Review, 65(3), 259-299.

Jiang, Y., Raghupathi, V., & Raghupathi, W. (2009). Web-based corporate governance information disclosure: An empirical investigation. Information Resources Management Journal, 22(2), 50-68. doi:http://dx.doi.org/10.4018/irmj.2009092203

Lomas, E. (2010). Information governance: Information security and access within a UK context. Records Management Journal, 20(2), 182-198. doi:http://dx.doi.org/10.1108/09565691011064322

Silic, M., & Back, A. (2013). Factors impacting information governance in the mobile device dual-use context. Records Management Journal, 23(2), 73-89. doi:http://dx.doi.org/10.1108/RMJ-11-2012-0033

Veiga, A. D., & Eloff, J. H. P. (2007). An information security governance framework. Information Systems Management, 24(4), 361-372.

Williams, S. P., Hardy, C. A., & Holgate, J. A. (2013). Information security governance practices in critical infrastructure organizations: A socio-technical and institutional logic perspective. Electronic Markets, 23(4), 341-354. doi:http://dx.doi.org/10.1007/s12525-013-0137-3

https://www.wcpo.com/money/local-business-news/kentucky-court-reverses-ruling-on-new-medical-facility-in-nky

http://kyhealthnow.org/current-state-nky-healthcare/

https://www.healthit.gov/topic/health-information-privacy-law-and-policy

Smallwood, Robert F. Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO) (p. 198). Wiley. Kindle Edition.

Smallwood, Robert F. Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO) (p. 200). Wiley. Kindle Edition.

Smallwood, Robert F. Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO) (p. 79). Wiley. Kindle Edition.

Smallwood, Robert F. Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO) (p. 80). Wiley. Kindle Edition.

Smallwood, Robert F. Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO) (p. 81). Wiley. Kindle Edition.

Smallwood, Robert F. Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO) (p. 85). Wiley. Kindle Edition.

Smallwood, Robert F. Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO) (p. 86). Wiley. Kindle Edition.

902 KAR 20:016 - http://www.lrc.ky.gov/kar/902/020/016.pdf

Kentucky Revised Statutes – Chapter 422 – http://www.lrc.ky.gov/statutes/chapter.aspx?id=39281

U.S. Code - Title 42 - Chapter 7 - Subchapter XI - Part C: https://www.law.cornell.edu/uscode/text/42/chapter-7/subchapter-XI/part-C

42 CFR 482.24 - Condition of participation: Medical record services. https://www.law.cornell.edu/cfr/text/42/482.24

Figure 9.3. Smallwood, Robert F. Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO) (p. 166). Wiley. Kindle Edition.

Figure 9.1 and 9.2. Smallwood, Robert F. Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO) (p. 163). Wiley. Kindle Edition.