Most boards have well-established governance processes for oversight of capital expenditures and decisions concerning information and other technology acquisitions. Along with sound IT selection, trustees must begin to pay greater attention to governing enterprisewide information assets. This is a distinct governance function that isn’t being delineated clearly or executed in most health care organizations.

A growing body of research reveals that applying technology to health information management can have unintended consequences. Implementing IT does not automatically ensure that the digitized information is complete, accurate, reliable, secure or used appropriately. These assurances require an organizational-policy framework and formalized strategies for governance of information assets.

Risks, Costs Contained

In research conducted by The Economist in 2008, corporations around the world attributed three types of benefits to their information governance efforts: performance optimization, risk mitigation and cost control.

Businesses with formalized information governance report that better access to and sharing of information improved decision-making and business results. They cite service and product quality gains because information was more accurate and reliable. They also report improved business-risk management and enhanced reputation due to better information security practices. They attribute improved cost control of IT and IT-related services to tighter, more strategic planning and acquisition processes.

Despite these compelling benefits, less than 40 percent of corporations surveyed have formal enterprisewide information governance in place even though 77 percent expect it will be important to their company’s success in the next several years.

Health care has much to learn from other industries’ information-governance efforts. But those efforts don’t take into account the special ethical obligations and complexities that make improved governance of health care data more compelling and urgent. These include:

  • Safe, cost-effective care depends on accurate and complete information.
  • Patients entrust organizations with the safekeeping of their personal health information and share ownership of that data.
  • Independent physicians with admitting privileges create much of the data in medical records, but aren’t appropriately incentivized to ensure the records are complete and compliant.
  • Participation in health information exchanges extends governance obligations to caregivers and stakeholders in the broader network.
  • Information is the basis for quality and cost reporting and for operating as an accountable care organization.
  • Data are critical to public and population health activities.
  • Health information is a highly litigious and regulated sector of our society.
  • Medical identity and other types of fraud are siphoning off resources.

Scope of Oversight

Realizing and protecting the value of information assets requires a framework of policies and procedures for effective management and control of information. Hospital leaders must set the vision and strategy and create a culture that supports effective and ethical use of information. Information governance also requires technology and good IT practices. And it requires oversight by the board.

A useful working definition of information governance for health care organizations is: The leadership and organizational structures, policies, procedures, technology and controls that ensure that patient and other enterprise data and information sustain and extend the organization’s mission and strategies, deliver value, comply with laws and regulations, minimize risk to all stakeholders, and advance the public good.

There are six aspects of information policy to be governed: integrity, access and confidentiality, security, retention, analysis, and use and standards. Governance should include all patient, financial and health care operations data regardless of medium and span the information’s life cycle from creation and capture to archiving and destruction. And with HIEs, organizational policies will need to be aligned with broader network policies.

As with oversight of quality improvement and financial performance, trustees should agree on outcome measures of effective information governance to frame its oversight.

Getting Started

IT consultancy Gartner describes information governance as technically complex, organizationally challenging and politically sensitive. It should not be approached as a project, but rather as the development of an infrastructure that, once established, will require continuous learning and improvement. Further, because it requires active engagement of the clinical and operations staff, it can’t be delegated to the CIO without strong leadership from the board and CEO. With strained budgets, stretched staff resources and competing priorities—including the need to focus on implementation and meaningful use—it would be tempting to delay information governance efforts. Instead, hospitals should take incremental steps that parallel IT investments and the changing health information environment so a sound governance framework is built over time.

Trustees and senior leaders should begin by taking two short-term actions: articulate a vision for how the organization will value and manage its information assets, and incorporate information governance on the organization’s strategy map. Then senior management should form a staff council charged with assessing the current state and building the benefits case for investing in an organizationwide program over time. This will build support and contribute to the early identification of incremental improvements. As with any new strategy, there is much to be gained from the organizational learning that will accrue from this assessment and planning phase and by taking advantage of opportunities at hand. An obvious example is that in planning to meet meaningful use regulations, data reliability and quality metrics, goals and mechanisms must be put in place.

Setting Expectations

Ethical stewardship of patient and other information is in a state of flux. As health care moves from paper records to interconnected EHRs, data is more accessible and distributed. Patients are participants in their care and have a stake in ensuring that their information is accessible, accurate and timely. Laws and regulations are changing to reflect a digital world and this is taking the form of expanding privacy and security laws, electronic discovery for legal proceedings, and new forms of compliance monitoring.

This is the time to strengthen the foundations of information management and governance for health care. Trustees and senior leaders can begin by having a strategic discussion about the organization’s needs and opportunities using the following questions:

  • Who is responsible for the quality of patient information in our EHR?
  • Where are the vulnerabilities in patient privacy, and what strategies are being developed to fix them?
  • How are we fulfilling our obligation to provide patients with access to their information?
  • What is our plan for archival and retention of EHR data?
  • How can we ensure that those who use aggregated digital information have the right skills and knowledge?

EHRs and other information and communication technologies are essential for effective patient care and health system management. Governing and managing the information asset over time and across the enterprise requires trustees’ vision and engagement. There are worthy benefits from doing this well and substantial risks from failing to address data and information as an asset—for the patient, the organization and the public good.

Linda L. Kloss, RHIA, is president of Kloss Strategic Advisors, Chicago, and the former CEO of the American Health Information Management Association.

Sidebar - Risky Business