INFOR IN ORMATION MATION GO GOVERN ERNAN ANCE CE FOR OR HEALT - - PowerPoint PPT Presentation
Banff Health Privacy Summit October 19, 2012 Rick Klumpenhouwer, MA, MAS, CIAPP-M Partner, Cenera INFOR IN ORMATION MATION GO GOVERN ERNAN ANCE CE FOR OR HEALT LTH PRI RIVA VACY CY MANAGEM AGEMEN ENT The challenge Health
Banff Health Privacy Summit October 19, 2012 Rick Klumpenhouwer, MA, MAS, CIAPP-M Partner, Cenera
Health providers and health institutions are required to “manage privacy”, not just “do privacy”
Information Flow Management
Security HIA requirements: an IS program
physical/technical control
Security Classification
Who’s responsible for what information?
requires intense involvement in how information systems and practices operate “on the ground”; more proactive than reactive; a program with ongoing functions, maintenance, goals, assessment and improvement; runs as an information management/governance program
Proactive not Reactive; Preventative not Remedial Privacy as the Default Privacy Embedded into Design Full Functionality – Positive-Sum, not Zero-Sum End-to-End Security – Lifecycle Protection Visibility / Transparency Respect for Users
Concept used by UK NHS to integrate patient privacy into the new EHRs they were developing;
A need to bring together privacy and functional requirements operationally, manage development, and measure progress
2005- 1990-2005 1960-1990
Transactional Applications Enterprise Repository Systems Policy Application
Winston Chen, A Brief History of Data Governance (2010)
information regulation
Collaboration of interests
Information Governance is the enterprise wide framework that includes the people, processes, and procedures necessary to ensure the preservation, availability, security, confidentiality , and usability an enterprise’s
Governance Framework
The specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. (Gartner)
Just work together harder?
Is information really a fixed asset? How do you measure success? Forcing a system through compliance rather than contributing to quality
Access and Privacy just one of many competing interests in governance decision-making and assessment
Is compliance to standards deployment effective?
Functional Records Management/Archives
– Capture – schedules/destruction processes – storage and retrieval – preservation/continuity
Functional purpose and context of information the key to organizing, assessing, retrieving, and maintaining information to meet IG needs. Archives Theory
value and meaning of information
Policy on collection, use, disclosure, access and security based on function
IM Function tion Activi vities ties Poli licy y Dete termi rminant IT IT systems development, maintenance Functional needs Records management Information capture, availability, and retention Functional needs Access to information Locating, retrieving, and making available information relevant/important to citizen right of access need Functional context as part of relevancy and status decision-making Privacy Appropriate personal information collection, use, disclosure Function (purpose) Security Protecting sensitive information from unauthorized access, loss Functional context Enterprise risk management Identify and mitigate risk to organization and others Functional context Archives Preserve/make available information of long-term value Functional context
Segregate information (schedules, registries) about policy, business functions and information/information systems Apply policy to functions; relate functions to Information Many to many relationships
Functions (Taxonomy) Information Policy Collection
Diagnostic Imaging Patient Charts Health Services Scheduling system Patient Registration Verification, eligibility Internal Management Technician Education PACS Clinical Trials Research Employee Files
OBJECTS
Topics, Clients
Support Functions: HR, Finance, Facilities, Supplies/Services, Information Management Function, Activity or Transaction PLANNING/DESIGN ENGAGING/SERVICING
FRUIT LEVEL SHOWS DESCRIPTION RANGE SOURCES EXAMPLE FUNCTION Why Area Scope, Subject of Activity Open- ended Legislation, mandates , process charts organization charts, program history, job descriptions PRIMARY CARE SUB-FUNCTION (optional) Why Role/ Program within Function Open- ended Patient Care ACTIVITY How Action, triggered by Transaction with topic or client Closed Standards, process charts, job descriptions interviews,
Diagnosis TASK (optional) How Specific Task within Activity Closed Diagnostic Imaging TRANSACTION with TOPIC OR CLIENT What Object of Activity Static,
ended Interviews, records inventory, annual reports Patient X
Planning/Design Engaging Servicing
Accountability/ Documentation Significance
Function, Activity or Transaction by which the methods, policies, and design of the function are chosen, developed, evaluated and improved Function, Activity or Transaction by which eligibility, status, and terms of client or object engagement are set or ended. Function, Activity or Transaction by which services are actually delivered to clients or
terms of engagement
FUNCTIONAL EXAMPLES
LONG TERM CARE Resident Medical Care Planning, developing program and evaluating resident medical programs Referrals, placement, scheduling, care planning Resident examinations, surveillance, medication, therapy PRIMARY CARE Patient Care Planning, designing and reviewing health provider resources, procedures,
Diagnosis, assessment, treatment, Diagnosing problem, repairing, updating FINANCE Billing Developing and evaluating billing systems, parameters, policy Billing status, services, insurance status Invoicing, billing, receipt
Continuum vs. lifecycle Design in function-based policy to systems Support of function vs. compliance Access and privacy participates in system design to support functional documentation and compliance analysis