More than in any other sector, data governance in healthcare is mission-critical. In many cases, accurate and secure data can have life-and-death implications.
Protecting consumer data has always been important. As more of our lives have become digital, from finances to medical records, governments everywhere have had to implement more stringent legislation to protect consumers' data. Nowhere is that more important, or more stringent, than in healthcare.
Data governance covers the collection, storage and processing of data, and specifically the means by which an organization keeps that data secure and controls access to it. Healthcare data spans a wide range of records, from payment and insurance records to biological test results, EKGs, MRIs, drug prescriptions, and dozens of other key data points.
Not only do patients expect privacy, and the peace of mind that their records are being looked after; timely and appropriate decisions about patient care also can't be made unless the data is looked after. Governments, medical bodies and other oversight organizations expect high levels of data compliance too. But when it comes to patients, key decisions are going to be made based on the data. Hence the crucial nature of data governance in this sector.
Although, from a cybersecurity and compliance perspective, it's easy for organizations to think of data governance and information governance as the same thing, they aren't.
Data governance is, effectively, about the data at a granular level: everything from patient IDs to blood test results to prescriptions. In healthcare, data governance is all about securing those individual pieces of data, whether they are in storage or in transit between organizations in the sector.
Information governance, by contrast, focuses on the processes and systems used in patient-related decision making. It's more about the architecture of information management than about the granular data within the system itself. Combined, however, both have an impact on patient care and the healthcare ecosystem.
Healthcare runs on data. Overall, there are trillions of individual pieces of medical data globally. Everyone has medical data of some kind; even before people are born there are records. Imagine every doctor's visit and every other medical interaction in your life, then multiply that by the world's population; that is why data governance is such a big issue.
Here are a few examples of the types of data the healthcare sector uses every day:
In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) is designed to safeguard the privacy and security of medical records, and of everything medically related, for patients and other stakeholders in the healthcare sector.
HIPAA specifically protects protected health information (PHI). "Covered entities" (hospitals, medical practices, insurers) and any third-party companies that manage and process data for them carry the legal responsibility to safeguard and protect that data.
In the event of a data breach, when patient records are exposed, even to people within a healthcare organization who shouldn't have access to those particular records, fines can be issued. In 2018, the Office of Civil Rights (OCR) levied $28 million in HIPAA fines on healthcare organizations, scaled according to the number of PHI records exposed.
Alongside fines, there are a series of complicated legislative burdens placed on healthcare organizations, making data governance a C-suite compliance-related issue even when everything is running smoothly.
Alongside HIPAA, there is a new data governance law that came into effect on January 1, 2020. The California Consumer Privacy Act of 2018 (CCPA) is similar to GDPR in Europe and to the SHIELD Act in New York State (which comes into effect on March 21, 2020); they are all designed to give consumers, and therefore patients, more control over the data organizations hold about them. Beyond greater consumer/patient control and rights, the size, scale and seriousness of the fines for data breaches have increased, making them a more problematic burden for healthcare organizations.
Not only do healthcare companies need to maintain compliance with HIPAA, now there is the CCPA to consider, alongside the similar SHIELD Act for organizations with customers in New York State. Healthcare organizations are also now dealing with a movement that wasn't as much of an issue five years ago: bring your own device (BYOD).
As healthcare companies have evolved, iterating and adapting into leaner models, more doctors and other professionals are using their own devices. CIOs and other senior leaders responsible for data, compliance, security and IT need to factor this in when planning data governance policies.
As both laws are designed to ensure data compliance, governance and security, there is a natural synergy between them. In many ways, healthcare organizations won't be doing anything different as a result of CCPA.
As a consequence of lobbying during the legislative process, HIPAA-covered entities and CMIA-covered healthcare providers are effectively exempt from making further efforts to comply with the CCPA. This is, however, only on the condition that these companies "maintain patient information in the same manner as medical information or protected health information."
In effect, nothing will change unless healthcare organizations fail to protect data according to the rules already laid down in HIPAA guidelines. Patients, on the other hand, could still take civil action if companies have failed to comply with CCPA, alongside any other compliance action that can be taken by the relevant bodies.
Implementing data governance in healthcare is a process. Successful implementation requires investment and effort from a range of senior leaders and departments, including compliance, security, governance, and IT.
Working with a vendor that follows a proven model helps ensure data governance projects are implemented successfully. Here is the process we recommend and know works:
#1: Assess. What are the organisational, operational and compliance reasons for data governance? Has this been tried before, and if so, what went wrong? Set the vision first, before moving ahead with designing a strategy.
#2: Roadmap. Who is involved in this project? Who are the stakeholders and front-line staff this is going to impact directly and even indirectly? Give everyone who needs to know oversight at every level, and a plan to move forward with.
#3: Communicate. Before, during and after the development and implementation roadmap, make sure data governance changes are communicated across the stakeholder matrix. That way, those who will be impacted will know in advance of changes that impact them.
#4: Implement, align and measure. Depending on the size, scale and complexity, data governance projects can take several months to implement (if not longer). During that process, communication with stakeholders is key. Once in place, training is essential to embed new ways of working, alongside an analytics process to ensure a new data governance culture is taking hold.
Engineers, data analysts and developers turn the vision for data governance into a reality, designing the architecture and cybersecurity that make compliance possible.
In the healthcare sector, data asset management is mission critical. With the right data governance strategies in place, decision-making can be made more effective across an organisation. Healthcare leaders know data governance should be improved, but struggle to understand where data lives (and how it's accessed), how to adequately protect it, and how to develop the right resources to manage healthcare data.
With the right team of engineers and analysts in place, healthcare organisations can reassess and redesign the storage, transmission and access to data assets.
Copyright © 2020 GreenM, Inc. All rights reserved.