Stress Testing Health Information Management and Governance

In the engineering field, stress analysis is a discipline that determines whether materials and structures can safely withstand a range of forces or loads. Evidence is mounting that current structures and methods for managing health information are under stress and not adequate for the digital era. Each week brings new reports signaling systemic deficits in information stewardship, integrity, and life cycle management. Anecdotal evidence from health care organizations underscores the need for new approaches to enterprise information management (IM). 

Enterprise IM and information governance are essential strengthening strategies to address a range of information stressors. This article offers a framework that can be used to take stock of which stress fields are currently under reasonable control in your organization and which will benefit from more targeted attention.  It challenges organizations to approach IM and information governance from the perspective of asset management focusing on gaining real value from investments in EHRs and other information and communication technologies.  

Implementing I.T. does not automatically ensure that information is complete, accurate, reliable, secure or used appropriately. In fact, research shows that data errors and other information- related unintended consequences may impede safe use of technology.  Most health care organizations need more robust policy frameworks and formalized strategies for IM and information governance. These are important disciplines for any organization seeking to improve the safe and effective use of I.T.  

Revisiting Information Management and Governance

Contemporary Information management practices rest on three key principles:  Information Asset Management, Enterprise Information Management, and Information Governance.

First, enterprise information should be managed as a valued asset on par with other critical assets (physical, human resource, financial, intellectual property). The information assets of the health care organization include medical records, but also e-mails, Web content, business data, images, video and other content in both physical and digital form. Health care organizations are eager to use data to improve patient care and operations, but their behaviors don’t always match this stated goal. Too often information management is a secondary concern. The quality of information and how it is handled depends on the preference of the process owner.  When information is not viewed as an asset—including board of trustee mechanisms for oversight---synergies are lost, politics trump mission, and it is difficult to realize return on investments.  Sound familiar?

Second, an information asset approach requires explicit structures, policies, processes, technology and controls which taken together describes the discipline of enterprise information management (EIM).  The scope of EIM may be expanded as information assets come under better control, but the nexus of healthcare EIM are the primary and secondary patient data, structured and unstructured, residing in enterprise and departmental systems regardless of media. Billing and payment information, e-mail, personal health record data, employee and contractor information, quality improvement data, health information exchange and other information must begin to be viewed as elements of the information asset mosaic and managed accordingly.  


SIDEBAR: Systemic Evidence

  • According to the HHS Office of Civil Rights, during the first 15 months under new breach notification requirements about 7.8 million individuals were affected by large data breaches due to theft,  intentional unauthorized access, use, or disclosure, human error, or loss of media. 
  • Researchers found that about one in 10 computer-generated prescriptions received by a commercial outpatient pharmacy chain in three states in 2008 included at least one error, of which a third had potential for harm.  This rate is consistent with the literature on manual handwritten prescription error rates.
  • Industry experts estimate current error rates for provider maintained master person indices (MPIs) are between 7 and 10 percent, and HIEs report that identity management is a top level operational challenge. 
  • The Centers for Medicare & Medicaid Services reported to Congress that the national Medicare fee for service billing error rate for FY 2010 was 10.5 percent, or $34.3 billion in estimated improper claims payments.  
  • More than 500,000 Americans were victims of medical identity theft in 2009, and the incidence is on the rise.

    The third principle is that of information governance. According to Gartner, enterprise information management (EIM) is an essential organizational discipline and information governance is a crucial building block of EIM. Information governance is becoming a key focus for businesses in other information intensive and regulated sectors, particularly those such as financial services, energy and utilities, and pharmaceuticals.  Like all effective governance, Information Governance begins with the boards of trustees and senior leaders.

    Taken together, IAM, EIM and IG have potential to mitigate risk, improve organizational performance and reduce costs. In research conducted by The Economist, businesses with formalized information governance report improved decision-making and business results due to better access to information and improved information-sharing. They cite service and product quality gains because information is more accurate and reliable. They also report improved business risk management and enhanced reputation due to better information security practices. They attribute improved cost control of I.T. and I.T.-related services because of tighter and more strategic planning and acquisition processes.

    The Building Blocks of EIM

    There are four functional building blocks for healthcare EIM:  information integrity, information use, confidentiality and protection, records and information life cycle.   As shown the Figure 1 Framework these functions are encircled by Information Governance which ensures that reasonable management structures, policies, processes, technologies, training, and controls are in place for each function. 

    Information integrity is the continuous improvement of the value of the information asset by ensuring that data and content are accurate, reliable, up to data, consistent and is “fit for use.”  Information integrity begins with data architecture, definitions and relationships, including metadata, and data capture processes. It ensures that the provenance or lineage of data is captured and that processes for error correction and amendments preserve the story about the data.  Auditing is an important function and one that requires a deep understanding of both the consequence of particular types of data and events such as interface or system upgrades that can compromise data.

    This framework calls out information use as a distinct EIM function to underscore the range of highly complex applications and the importance of preparing, supporting and learning from authorized users who must act on data.   The clinical use of electronic health records is the impetus for data quality and data governance activities in many hospitals.  Quality improvement is a use that traditionally produces important insights about data quality.  New focus on clinical analytics is another important source of insight about data quality. So too are clinical documentation improvement programs, patient access to personal health records, and health information exchange.  While many hospitals identify issues about data quality from these and other applications, too often the dots are not being connected and linked to an enterprise IM policy and process response.

    The use of clinical data for coding and billing is a data quality use case that has gotten more rigorous over the years, particularly with the RAC audit procedures.  The impact of ICD-10 represents a new stress point for information integrity management and information use but it also represents a real opportunity to take EIM approach, rather than viewing it merely as a regulatory change.   

    Confidentiality and data protection functions continue to grow in complexity with the explosion of digital data, secondary use databases, health information exchange and information seekers. As the scale of breaches attests, structures, policies, processes, technologies, training, and controls have generally not kept pace with the issues that challenge our ability to preserve and protect data. 

    As part of an EIM, confidentiality and protection of data seeks to ensure that personal health information and business information are available only to authorized person and used only for authorized purposes and that security risks and vulnerabilities are proactively managed.  The key functions for this building block are access controls, privacy practices, security, authentication, business continuity and the range of compliance audits.

    Health care is understandably focused on the capture and use of structured and unstructured data so issues of retention and disposition of data and records is not a front burner issue.  In fact, the digital information creates a propensity to adopt a ‘keep it all’ attitude, even if this increases risks without corresponding benefit. Life cycle management is a fundamental EIM building block because there is significant cost and performance associated with keeping it all.  Further, legacy data of marginal use presents risks in legal discovery.   

    This EIM building block creates a common understanding of the life cycle of patient medical record and other key business records and explicit plans and processes for their retention and disposition accounting for clinical and business needs and legal and regulatory requirements for creation and maintenance.


    SIDEBAR: Frequently Heard …

    • “We have implemented an EHR, but we still don’t have access to the data we need to improve."
    • "The patient’s story in the EHR is incomplete and hard to access."
    • "Data formats vary across systems so we need control of our own data."
    • "We don't have time/ tools/ skills to  manage data quality and organize data for analysis."
    • "It’s not clear who owns information policy."
    • "I hope we aren’t targeted for a HIPAA audit  because we are behind in performing our own security audit.”

    Information governance is akin to an accountability wrapper for EIM.  A useful definition that speaks to the unique importance of information governance in health care organizations is:

    To ensure that the organization has the leadership and organizational structures, policies, procedures, technology and controls for enterprise information management that represent the highest standards for legal, ethical, and business practice to serve patients, stakeholders and advance the public good.   

    Governance of information assets has become every bit as important to advancing the organization’s mission as other dimensions of governance and effective governance should be driven by boards of directors and senior leadership. In fact, many hospital boards are now holding senior management accountable for steps being taken to avoid breaches of data.  Information exchange and greater transparency and public accountability for outcomes and cost raise the stakes. Senior leadership and boards should begin now to articulate their vision for information governance and EIM.


    Healthcare organizations are identifying gaps in current policies and practices and are finding solutions that may or may not be optimum or sustainable and may not reflect best IM practices.  An organization may have strong processes and policies in place in certain area, e.g. security audits, error correction or amendments but have no formalized policies for processes for data quality control.  Few examples exist of comprehensive approach to managing and governing patient and other information assets. 

    Strengthening EIM is not a project to be commissioned or a technology to be acquired.  It is a discipline to be built and improved upon over time. It begins with raising awareness and initiating a dialogue about how you manage high value information assets. Given resource constraints, strengthening EIM will be accomplished through incremental change and organizational learning.  But the first step should be an assessment of areas that represent real risk or an impediment to progress. 

    Finally, a Word about the Health Information Management Professional in Enterprise Information Management

    The impact of technology on the traditional role of health information management professionals has been profound and continues to evolve. 

    Some incorrectly forecast that HIM functions would be unnecessary with EHRs.  Automated workflow has replaced paper archival processing and more routine work is at least computer-assisted, but the scope and diversity of HIM roles is exploding.   

    Technology has the effect of pushing IM functions closer to the business process and we see that occurring in many organizations. Thus we see HIM specialists distributed and embedded where needed throughout the organizations, managing EHR applications, revenue cycle processes, privacy, data management, end user education, data analytics, and so on. We also see HIM corporate leaders coordinating functions across the entities.  

    HIM leaders are also raising awareness of the need for a more complete enterprise view of IM that is highly user and results focused. The future for HIM is bright, but the challenges of getting to sound EIM remain substantial. Strong collaboration of the information specialists (HM, informatics and IT), clinical and business operations leader will be key. 

    Linda L. Kloss, MA, RHIA (, is president at Kloss Strategic Advisors, Chicago. She is the former CEO of the American Health Information Management Association.





    For reprint and licensing requests for this article, click here.