INFOR IN ORMATION MATION GO GOVERN ERNAN ANCE CE FOR OR HEALT - PowerPoint PPT Presentation

Banff Health Privacy Summit October 19, 2012 Rick Klumpenhouwer, MA, MAS, CIAPP-M Partner, Cenera INFOR IN ORMATION MATION GO GOVERN ERNAN ANCE CE FOR OR HEALT LTH PRI RIVA VACY CY MANAGEM AGEMEN ENT

The challenge Health providers and health institutions are required to “manage privacy”, not just “do privacy” Click to edit Master title style Click to edit Master subtitle style

Right of Access and Correction Requests Right of Access and Correction: • Duty to Assist Click to edit Master title style • Search and retrieval • Analysis and severing • Response Click to edit Master subtitle style Information Flow Management • Collection, use, disclosure accountability • Notice • Privacy Impact Assessments

Security HIA requirements: an IS program • Designate a HI security director Click to edit Master title style • “periodically assess” physical, administrative, technical measures Asset Management • Intellectual control physical/technical control Click to edit Master subtitle style Security Classification • Probability/harm categories • Tied into security handling standards • Biggest challenge: how do you “mark” information Privacy Breach Response • Identifying, understanding gravity of breach

Custody and Control What is health information? • Custodian: AHS, Nursing home, AHW, individual health professional Click to edit Master title style • Health Information: DTC, Registration, HPI • Health Service: Promoting, providing, maintaining health, but not occupational health services Who’s responsible for what information? Click to edit Master subtitle style • “Circle of care” • Custodians, affiliates, information managers • Networked health records

What is a good privacy program? operates on some clear principles and values about information; requires intense involvement in how information systems and practices operate “on Click to edit Master title style the ground”; more proactive than reactive; Click to edit Master subtitle style a program with ongoing functions, maintenance, goals, assessment and improvement; runs as an information management/governance program

Privacy by Design Proactive not Reactive; Preventative not Remedial Click to edit Master title style Privacy as the Default Privacy Embedded into Design Click to edit Master subtitle style Full Functionality – Positive-Sum, not Zero-Sum End-to-End Security – Lifecycle Protection Visibility / Transparency Respect for Users

Information Governance Concept used by UK NHS to integrate patient privacy into the new EHRs they were developing; Click to edit Master title style • Manage solutions overlap – reduce redundancy of effort Click to edit Master subtitle style • Quality measurement – need to track progress • Participation – compliance on issues integrated with, not opposed to, health care objectives A need to bring together privacy and functional requirements operationally, manage development, and measure progress

Information Governance Click to edit Master title style 1960-1990 1990-2005 2005- Enterprise Click to edit Master subtitle style Transactional Policy Repository Applications Application Systems Winston Chen, A Brief History of Data Governance (2010)

Why IG? two main drivers: Click to edit Master title style electronic information systems • Use/reuse • Stuctured/unstructured data Click to edit Master subtitle style • Integrity/accuracy • Transaction/Data analysis • Digital continuity information regulation • Access to information • Privacy/Security • eDiscovery • SOX/C-SOX

Why IG? Digital IM requires more planning, accountability, application of value. Click to edit Master title style Counter-intuitive: governing information, not information for governing. Governance Elements Click to edit Master subtitle style • Surveillance and assessment • Decision-making • Accountability

IG Defined Collaboration of interests Click to edit Master title style Information Governance is the enterprise wide framework that includes the people, processes, and procedures necessary to ensure the preservation, availability, security, confidentiality , and usability an enterprise’s information. (David Hill, EMC2) Click to edit Master subtitle style Governance Framework The specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. (Gartner)

How? Click to edit Master title style Click to edit Master subtitle style

How? Wonderful sentiments, but the real problem is how to implement Click to edit Master title style Still working with existing IM implementation systems: • IT development/maintenance • Records management Click to edit Master subtitle style • Access to Information • Privacy/Security • Enterprise risk management • Archives Just work together harder?

How? Managing Assets Model Fixed assets that need to be inventoried, controlled, and made available as need arises Click to edit Master title style IT and records management lifecycle or “supply chain” Click to edit Master subtitle style Automated workflow, transaction, logistics solutions Compliance to standards regime/audit and enforcement key

IBM Supply Chain Management Click to edit Master title style Click to edit Master subtitle style IBM is leading the way by approaching information governance from a supply chain perspective – think of information as goods and services in a physical supply chain.

Managing Assets Model – Problems Is information really a fixed asset? Click to edit Master title style How do you measure success? Click to edit Master subtitle style Forcing a system through compliance rather than contributing to quality outcomes Access and Privacy just one of many competing interests in governance decision-making and assessment

Managing Assets Model – Problems Is compliance to standards deployment effective? Click to edit Master title style • Information management happens at each workstation – how do you control that? • IG seen as a “barrier” or even a “brake” to operations • What are the benefits? How do you measure? Click to edit Master subtitle style • How do you engage executive sponsors?

Information Governance Functional Records Management/Archives • Records retention/destruction/integrity control Click to edit Master title style – Capture – schedules/destruction processes – storage and retrieval Click to edit Master subtitle style – preservation/continuity Information about information (metadata) • Based on records description (classification) • Functional context is a key component of records description and control

Function-Based Information Governance Functional purpose and context of information the key to organizing, assessing, retrieving, and maintaining information to meet IG needs. Click to edit Master title style Archives Theory • Principle of provenance/respect des fonds Click to edit Master subtitle style • Purpose and context of the original record creator are essential to preserving the value and meaning of information Policy on collection, use, disclosure, access and security based on function

Function as Information Policy Interface IM Function tion Activi vities ties Poli licy y Dete termi rminant IT IT systems development, maintenance Functional needs Click to edit Master title style Records management Information capture, availability, and retention Functional needs Locating, retrieving, and making available information Functional context as part of relevancy and Access to information Click to edit Master subtitle style relevant/important to citizen right of access need status decision-making Privacy Appropriate personal information collection, use, disclosure Function (purpose) Security Protecting sensitive information from unauthorized access, loss Functional context Enterprise risk management Identify and mitigate risk to organization and others Functional context Archives Preserve/make available information of long-term value Functional context

Function-Based Information Governance Segregate information (schedules, registries) about policy, business functions and information/information systems Apply policy to functions; relate functions to Information Click to edit Master title style Many to many relationships Policy Functions Information Click to edit Master subtitle style Collection (Taxonomy) Health Diagnostic Patient Services Imaging Charts Research Clinical PACS Trials Internal Employee Technician Management Files Education Verification, Patient Scheduling eligibility Registration system

Organization Infrastructure Support Functions: HR, Finance, Facilities, Supplies/Services, Information Management PLANNING/DESIGN Click to edit Master title style Function, Click to edit Master subtitle style Activity or Transaction ENGAGING/SERVICING OBJECTS Topics, Clients