Information Governance

HSA 520: Health Information Systems

Abstract

Information governance addresses accountability in knowing who is responsible for what, what information you have, where the information is, what you need to do with the information, and who can make decisions about access to the information. It is designed to govern the acquisition, management, retention, and disposal of the data. The goal of information governance is to ensure that all information, whether structured or unstructured, is used efficient and effectively and that it enables the healthcare organization to accomplish its strategic goals. Information governance is led by executive leadership at the enterprise level. All of the accountability measures in the world cannot guarantee that information management will not fail, thereby putting patient security and privacy at risk (Warner, 2013).

Information Governance

Unlike most businesses and industries, health care is about life and death. Health care information is a critical resource. In fact, it is considered the lifeblood of any organization providing health care services (Warner 2013). Health care organizations cannot provide safe, effective, and high-quality care if their information is not properly understood and utilized appropriately. In other words, the information must be appropriately governed. Information Governance is also about managing the redundant, outdated, and trivial information to ensure effectiveness, efficiency, and financial benefits; it becomes costly for organizations not to manage resources. Systems designers, vendors, and end-users must remember that all information is not created equal which means that the various types of information have different values to the health care organization (Warner, 2013).

Though governance may be easy to explain, it is a very complex process. This is largely due to the amount of information a business receives, processes, stores, and retrieves on a daily basis. If the organizations makes a mistake with the information it receives or if information technology fails, the cost to the organization can be huge. Their compliance to regulatory guidelines, their ability to maximize health information, and customer service are all impacted. Most importantly, the privacy and security of their patient health information may be at risk.

When Information Technology Fails

Health care information technology (HIT) is designed, developed and implemented to increase patient care by providing relevant, timely, accurate, reliable, available, and accessible information for patient care (Tan & Payton, 2010). One cannot overemphasize the significance of HIT and its continuous innovation. While information management (IM) is crucial for any organization, there is no guarantee that it can prevent information technology (IT) from failing.

There are many reasons for why IT fails: lack of training, unreliable infrastructure, lack of interoperability, insufficient data visualizations, unreliable infrastructure, they are not user friendly, inefficient management, and lack of management and employee input, are just a few of the many reasons information technology fails. More often than not, the failure of technology is largely due to improper use – deliberate and undeliberate. A Florida hospital is a prime example of information technology failure.

The statement presented from a Florida hospital revealed that two of its employees allegedly printed documents containing patient information. While this may seem normal since it was a hospital and they were employees at the hospital, it was outside of their normal job duties. This means they were not authorized to print the patients’ information (Snell, 2015). Health care facilities work hard putting systems in place to ensure their patient privacy and security is not breached, especially not done intentionally by their own employees. The face sheets (cover sheets) printed by the employees are actually summaries of the patients’ medical record. The sheet may contain the resident’s name, social security number and the date of birth, address, phone number, emergency contact(s), diagnosis, physician’s name, funeral home, and payer source(s).

The hospital worked tirelessly to protect the patient’s rights and provide top-quality care, but the incident had a great impact on the organization’s operations and patient information protection and privacy. The fact that the incident required the intervention of law enforcement was embarrassing in itself, especially since the hospital was notified of the incident by law enforcement (Snell, 2015). In fact, the hospital was informed that patient information had been inappropriately accessed for a little over two years. Law enforcement put a hold on the patients’ records which meant the hospital could not inform the patient’s about the potential security issue.

Though the hospital had no evidence that the patients’ information was misused, they still had to send out notification letters informing their patients of the incident and offer a dedicated call center in the event the patients had any concerns or questions about the incident (Snell, 2015).

Does this violate the HIPAA notification process?

This incident brings up an interesting issue with the HIPAA data breach notification process. While local law enforcement may have been conducting their own investigation, HIPAA requires covered entities to notify individuals of a potential breach of unsecured PHI. Individual notifications must be provided “without unreasonable delay” and in no case later than 60 days following the discovery of a breach, according to HHS.

However, there are also three exceptions to the breach definition. The first exception concerns the unintentional acquisition, access, or use of PHI by a covered entity or business associate employee. If the incident happened accidentally, and was made “in good faith” and still within an organization’s authority, it might not be considered a breach.

“The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates,” according to HHS.

The final exception applies if the CE or its business associate believes that the unauthorized party who received the information would not have been able to retain the information, an exception could potentially be made.

While it is not yet clear how the Florida Hospital incident took place with the separate law enforcement investigation, it is important for covered entities to be aware of the federal requirements before a breach takes place. http://healthitsecurity.com/news/patient-phi-compromised-by-florida-hospital-employees

http://www.infogovbasics.com/

http://www.infogovbasics.com/what-is-infogov/ (excellent information)

With the Economic Stimulus bill recently enacted into law by President Barack Obama, and recent relaxation of the Stark Rules allowing hospitals to subsidize up to 85% of implementation costs of EHR, many are renewing their interest in an EHR purchase.  But while many are excited about the encouraging subsidies available, others are still fearful of undertaking such a complex project after hearing about others “horror stories”.

Many health organizations are wondering what is fact and fiction when it comes to EHR failures. What are the true factors that contribute to the de-installations and or lack of return on investment on EHR? In this article we will be reviewing the common factors to most EHR implementation failures and expose what can be done to avoid these pitfalls.

The following are the top 10 biggest contributors to an EHR failure for some of the products available in the market place today:

Lack of strong follow-up from the EHR vendor:

After Go-live date, some practices begin to sense that the honeymoon period is over. Faced with new work-flow challenges and staff not always sure what to-do, most resort to a guess on how to perform certain tasks. This results into a growing frustration and lack of confidence of the product begins to show.

Lack of training:

With a constant reminder of budgets and economic downturn, some practices often resort to reducing training hours and utilize more self discovery. With some computer illiteracy, many realize that they are still not comfortable with the product and don’t know enough to resolve some of the obstacles they face with the EHR.

Unreliable infrastructure:

While many of the subsidies have reduced actual implementation and licensing costs of an EHR, weak and unreliable IT infrastructure tends to sabotage the success of the project. In many cases, the system’s slow response, unreliable wireless and reoccurring outages leave a terrible after taste of the EHR when it should be the fault of the lack of infrastructure.

Not very user friendly:

While all care providers and clinical staff understand that when they are seeing patients all their attention is rightfully given to their patient, but too often they fall victim to the overwhelming screens, 2 dozen buttons to click or all the flashing indicators reminding them that they have more work to follow-up on.

Lack of interoperability:

It is clear that interoperability is “essential” for coordination of care and reduction of medical errors. Unfortunately many software makers lack the capital and expertise to arm their products with the ability to enable practice to participate in exchanging electronic health records within their community or just simply with a nearby hospital or IDN.  In addition, it has been stated time after time that one of the ARRA’s goals is to promote exchange of healthcare information to improve patient care.

Slow and painful ROI:

Statistic after statistic show us that adoption rates for EHR have been slow, despite the growing enthusiasm. In some cases, incentive payments can provide a boost, but often we find that citing a positive ROI is largely anecdotal. While upfront costs can range from 10,000 to 25,000.00 per provider in costs, it can take from 3 to 4 years before an actual positive ROI is seen in some cases.

Same problems under the hood with a new coat of paint:

As a developer I am guilty of trying to recycle my own applications. For some cases I would perform a face-lift on the interface still utilizing the same core engine. Unfortunately this trend has contributed to lack of new functionality and features for some of the EHR / PMS products being used today. By simply changing a 10 year old product screen from black DOS screen to a “Windows” based program does not promote much innovations or fixes for problem areas. Many practices are still facing outdated functionalities and lack of new and much improved and newly discovered efficiencies.

Lack of insufficient data visualizations:

Whether a healthcare organization is looking to identify the most common CPT codes used, performing internally RAC audits, or simply identifying trends in patient outcome measures, medical organizations are looking to EHR vendors to answer the calling.  But with very few able to provide access and usable data, many are faced with the reality that data visualization is nothing but a dream. It is hard to truly understand the power of information, but as stated in a recent article in the BusinessWeek written by Maria Popova: “Ultimately, data visualization is more than complex software or the prettying up of spreadsheets. It’s not innovation for the sake of innovation. It’s about the most ancient of social rituals: storytelling. It’s about telling the story locked in the data differently, more engagingly, in a way that draws us in, makes our eyes open a little wider and our jaw drop ever so slightly. And as we process it, it can sometimes change our perspective altogether.“

Lack of or unreliable integration:

In the current healthcare environment, there are many connecting devices, entities and stakeholders. Whether you are ordering blood work or waiting for a pathology report to be downloaded integration is the glue that holds it all together. In certain cases, missing labs, down interfaces and failure of communication can lead to dangerous and risky outcomes for the practice. Many of these situations lead to frustration and mistrust of the technology and products.

Loss of confidence:

At the center of it all, lack of staff buy-in poses the most common management mistake made that leads to complete EHR implementation failure. Many leaders discover after working hard in making sure the right product was selected for the right price, they find that their staff is not confident in the adopted direction of the management. This leads the practice to face significant struggles. Ultimately, every staff member needs to buy-in to the change and for this to occur successfully it is important to involve everyone in the process and ensuring they are part of the solution.

It is commonly cited that the practice should hold most of the blame for the failures of EHR projects and implementation. But who are we kidding here; it is like asking an IT engineer to manage a busy restaurant’s kitchen just because they watched few episodes of Hell’s Kitchen. The burden of an unsuccessful EHR should be shared amongst the product vendors who have far more experience in project management and technology as well as the team effort of an EHR committee from within the practice. Both parties must commit to proper education up front, continued education and follow-ups to ensure that the product is being used the way it should be. The success of the project will benefit both the vendor and customer. http://www.healthcareitinsider.com/ehr/top-10-ehr-failure-contributing-factors/

It is not uncommon to read commentaries from healthcare thought leaders about healthcare IT projects that fail, either failing to meet objectives, failing to come in on time/on budget, or failing entirely. Within the provider community there seems to be an abundance of anecdotal stories of EHR and other technology failures. Some of these stories are perpetuated by the EHR software vendors themselves. Right after a practice has had a very promising demo from software vendor A, software vendor B comes in and says, righteously, “Oh, we just deinstalled system A in a practice. It was a disaster but now they are very happy.”

These stories, some no doubt real and some perhaps not, tend to stir up angst about healthcare IT projects in general and EHRs in particular.

However, it is useful to look at HIT project horror stories in the bigger picture of all IT projects, across all industries. According to general studies of IT project success, the following rather dismal statistics are the norm:

• Roughly 1/3 of all major IT projects meet user expectations, financial budgets, and timeframes;
• Roughly 1/3 of all major IT projects are only marginally successful;
• Roughly 1/3 of all major IT projects fail in one or more of three major areas — expectations, timeframes, and/or financial budgets.

(Source: Betts, M., “Why IT Project Fail,” Computerworld, Volume 37, Issue 34 (2003; online))

Why do IT projects fail? Here are the major reasons, and they affect not only healthcare but other industries as well:

Poor planning, and unrealistic time or resource estimates: We have met with medical practices that have not even begun their analysis of EHR vendors who have said, “We are going to go live by August 15.” They have set themselves up for failure. We also had a practice that wanted to make sure they had their most experienced and knowledgeable people involved with the EHR project. But when it came time to allocate those resources, the practice said those people were too valuable to the practice. So they put less-experienced people on the project, which negatively impacted its success.

Unclear goals and objectives: It is critical to understand and clearly define the goals and objectives of a project. For example, for an EHR implementation, a reasonable goal is to have X number of providers using the system by Y date. Another one would be to eliminate X number of paper charts by a certain date.

Objectives changing during the project: Many times a practice will substantially change its structure in the middle of an IT project, and not re-scope the IT project accordingly. They may add or reduce providers. They may align themselves with a new hospital or clinic, or add a completely new line of medical services. This needs to be taken into account with any HIT implementation that may be going on.

Lack of executive support and user involvement: The members of any organization can be divided into one of three camps: (1) champions who are fully committed to the project’s success; (2) those who are opposed to the change; (3) those who are in the middle — think of them as fully supportive of whichever side “wins.” In a medical practice, the fence-sitters in the third group can actually spell disaster. Their tacit support when everything looks promising will wither when the real hard work starts, and they will usually be some of the first who say, “I told you this wouldn’t work.”

Failure to communicate and act as a team: This is closely related to the previous issue, but it can manifest itself in slightly different ways. Withholding important communications, or failing to read and understand communications, is a recipe for failure.

Inappropriate skills: Frequently the people assigned to an EHR implementation get selected because they can spell IT. And sometimes only those who are gung-ho are on the team. There needs to be a balance of experience and skill level across all departments and functions — clinical, business office, billing, scheduling, supplies, etc.

It is critical that all the appropriate skills, planning, and management go into an HIT project before, during, and after implementation. Failure to understand and avoid the problems that plague all IT projects will almost guarantee certain failure.

http://www.physicianspractice.com/blog/why-do-healthcare-it-projects-fail

Using the Internet or Strayer University databases, research health care organizations / providers that have recently had a significant information technology failure, and complete this assignment.

http://scholars.law.unlv.edu/cgi/viewcontent.cgi?article=1482&context=nlj

http://cci.drexel.edu/faculty/ssilverstein/cases/ (good info)

http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2732244/ (this one)

http://www.ncbi.nlm.nih.gov/books/NBK61963/

https://search.yahoo.com/yhs/search?p=HIT+failure+causes+problems+for+hospital&ei=UTF-8&hspart=mozilla&hsimp=yhs-002

http://www.radiologyinfo.org/en/info.cfm?pg=article-patient-privacy

https://search.yahoo.com/yhs/search?p=IT+failure+puts+patient+privacy+and+security+at+risk&ei=UTF-8&hspart=mozilla&hsimp=yhs-002

https://search.yahoo.com/yhs/search?p=HIT+failure+put+PHI+at+risk&ei=UTF-8&hspart=mozilla&hsimp=yhs-002

http://www.bloomberg.com/news/articles/2013-06-05/states-hospital-data-for-sale-puts-privacy-in-jeopardy (actual cases)

https://www.ncha.org/healthcare-topics/legal/patient-information

http://www.lincolnshire.gov.uk/local-democracy/information-governance/

Write a seven to eight (7-8) page paper in which you:

Determine the key factors contributing to the failure in question. Next, analyze how the failure impacted both the organization’s operations and patient information protection and privacy.

Analyze the leadership team’s reaction to the failure, and indicate whether the leadership took sufficient measures to deal with various stakeholder groups impacted by the failure. Provide support for the rationale.

Take a position on whether the health care provider that you identified should either develop a custom application or select a proprietary system. Provide support for the rationale.

Recommend at least three (3) best practices that any organization could adopt in order to avoid such a failure in the future. Provide support for the recommendation.

Suggest how health care leaders can use project metrics and portfolio management to ensure operational efficiency and effectiveness. Provide specific examples to support the response.

Analyze a government intervention into health care businesses, meant to ensure that health care and patient information is secure and thus to minimize information breaches and technology failures. Argue for or against such intervention. Support the position.

Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.

“We deeply apologize for the inconvenience this may cause our patients,” the statement read. “Rest assured, we investigated the matter internally and have taken measures to ensure this type of incident does not occur again by continuing to enhance security safeguards and reinforcing education with our staff on the importance of handling patient information.”

• Analyze the leadership team’s reaction to the failure, and indicate whether the leadership took sufficient measures to deal with various stakeholder groups impacted by the failure. Provide support for the rationale. The involvement of key business stakeholders in the governance body is critical. Someone not directly in IT should be fighting for that HR system, in other words, in the meeting. That doesn’t mean, of course, that the answer will be yes, because the organization as a whole may indeed have higher priorities and there are limited resources as always. It should mean, though, that if the answer is no, the answer is no, and it’s not a ticket to go out and build things on HR’s own. http://www.zdnet.com/article/information-silos-and-it-governance-failure/

Affected patients will also be offered identity theft protection and credit monitoring services. If individuals believe that their information was potentially compromised, but have not received a notification letter by April 16, 2015, they are urged to reach out to the hospital.

Having the right type of software is essential for running a business as efficiently as possible in the global marketplace. When it comes to choosing software for business purposes, or even creating a website, you generally have one of two choices when it comes to choosing a software platform. You can choose to use proprietary software that is trademarked and likely requires you to obtain or purchase a license, or you can use open-source software, which is free software that you can download and pay no licensing fees to use. Advantages and disadvantages exist to using both.

• Take a position on whether the health care provider that you identified should either develop a custom application or select a proprietary system. Provide support for the rationale.

One advantage to using a proprietary-software system is that you will generally be able to take advantage of the software company’s customer service department for troubleshooting and setup purposes. Proprietary software may have more features that appeal to the business owner. For example, some word processing programs may integrate website-development features or features compatible with other proprietary software made by the same manufacturer. Additionally, proprietary software is generally tailored to meet a market need, whereas this is not always the case with open-source software. Open-source software is often cheaper, if not free. Although the customer support may not be available with open-source software, its wide distribution means that you may be able to gain help from a large number of users on the Internet via forums or other information sources. As problems arise, fast bug and security fixes are often available for open-source software.

Expense is one of the major drawbacks of a proprietary-software package. Because the software company needs to sell its product to survive, it will generally charge a licensing fee to the company that needs to utilize its product. Depending upon the nature of the software, this licensing fee can be fairly expensive, especially in comparison to open-source software. If any fees are required for open-source software, they are usually required for the software itself, but not necessarily for ongoing licensing maintenance.

Another disadvantage to proprietary software in comparison to open-source software is that the software makes the business owner too heavily dependent upon the developer. The company that develops the product can create the product in such a way that only its own programmers and developers understand the code that makes the software work. This means that the licensee will generally not be able to turn to other business owners and users for help with the product.

Proprietary software products are not usually as adaptable to the constantly changing needs of the business owner. The complicated coding of proprietary software often makes it difficult to adapt to changes in the marketplace. Open-source software, however, tends to be much quicker to adapt to these types of changes and often provides the business owner with more flexibility to adapt it to his own situation. Proprietary developers are sometimes slow to provide fixes for any bugs that their software may have. http://smallbusiness.chron.com/advantages-three-disadvantages-proprietary-system-vs-open-platform-38010.html

https://search.yahoo.com/yhs/search?p=custom+application+versus+proprietary+software&ei=UTF-8&hspart=mozilla&hsimp=yhs-002

Recommend at least three (3) best practices that any organization could adopt in order to avoid such a failure in the future. Provide support for the recommendation.

A governance committee comprised of one or more members from each department in the health care facility is one recommendation for improving the application of systems theory to health care IM/IT governance and planning. The committee could set outcome objectives for the clinicians on the committee. One of the objectives could be regulatory compliance as it relates to documentation. A series of case studies is another recommendation. Case studies can be used to determine business benefits that are direct results of IT governance and planning (e.g., improved health care outcomes). The strategy should identify opportunities for the active involvement of stakeholders in developing the governance approach, planning and implementing IT management changes, and building specific change objectives/targets into personal performance plans (NCC, 2005). It is also recommended that the organization utilizes practices that predict the highest levels of performance.

Suggest how health care leaders can use project metrics and portfolio management to ensure operational efficiency and effectiveness. Provide specific examples to support the response.

Analyze a government intervention into health care businesses, meant to ensure that health care and patient information is secure and thus to minimize information breaches and technology failures. Argue for or against such intervention. Support the position.

Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.

Conclusion

References

NCC. (2005). IT governance: Developing a successful governance strategy: A best practice

guide for decision makers in IT. Retrieved from http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Prepare-for-the-Exam/Study-Materials/Documents/Developing-a-Successful-Governance-Strategy.pdf

Snell, E. (2015). Patient PHI compromised by Florida hospital employees. Retrieved from

http://healthitsecurity.com/news/patient-phi-compromised-by-florida-hospital-employees

Tan, J. & Payton, F. C. (2010). Adaptive health management information systems: Concepts,

cases, and practical applications. (3rd ed.). Sudbury, MA: Jones and Bartlett

Warner, D. (2013). IG 101: What is information governance? Journal of AHIMA. Retrieved from

http://journal.ahima.org/2013/12/04/ig-101-what-is-information-governance/