Relating Effective Information Governance and Litigation

Legal consequences abound at every corner in healthcare. This monthly column presents examples of what those consequences can be.


As stated in the preamble of AHIMA’s Information Governance Principles for HealthcareTM (IGPHC), “AHIMA defines information governance as an organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.” What does this description of information governance (IG) mean in the context of litigation? A couple thoughts include:

  1. There is no reason to know about or be concerned with IG as long as it functions properly. In other words, in my view IG gets on the judicial “radar” only when it fails in some way that is relevant to a given litigation.
  1. In the litigation context, IG must encompass the means to deal with actual or reasonably anticipated litigation, that is, when the duty to preserve relevant information arises.
  1. IG comes into play when a healthcare provider cannot preserve anything unless the provider knows (1) what information the provider has, (2) where the information is, and (3) how to preserve the information consistent with what I call the “legal hold.” This is what I mean by “effective” IG.

 

Let’s put effective IG into the reality of the ever-increasing volume and variety of information. Effective IG means being able to do what I described above. It must also mean something else: knowing when to dispose of information. This requires the provider to know:

  • What the provider has
  • Where the PHI is located
  • What the current value of the PHI is

 

For example:

  • Assume that 80 percent of information kept by a provider falls within the provider’s definition of a “record.” What does the “non-record” information consist of? Why is it being retained?
  • Assume that certain business-related information is defined to be a record and retained. What is the “shelf life” of that information? Why is the information retained after it has lost value?
  • Assume that certain information has lost its value but that someone within the organization retains the information in the expectation that the information may have some value in the future. What might be the consequences of doing so?

 

How can information that is retained but has little or no value become a liability?

  • Cost
    1. Storage costs may be decreasing, but do overall storage costs increase as more information is created and retained?
    2. What if the hardware or software employed in the information’s retention becomes unserviceable or otherwise obsolete?
  • Litigation
    1. What if the information becomes subject to a legal hold?
    2. How does a provider decide whether a “source” has information subject to a legal hold if the source cannot be accessed or can only be accessed with difficulty?
    3. All of which might “hit” the judicial radar because of a possible failure to preserve the information, the cost of review and production of the information, and/or potential spoliation.
  • Embarrassment
    1. What if the information becomes public and the disclosure leads to negative consequences for the provider?
  • Data breach
    1. What if the information becomes the subject of a data breach?
    2. What should a provider do in the event of a breach?

 

Retention of information when there is no current known reason to retain that information can lead to:

  • “Corporate amnesia,” or “we don’t know what it is or why we have it”
  • Over-preservation of information if a duty to preserve arises

 

With all this in mind, effective IG requires:

  • Accountability
  • Transparency
  • Integrity
  • Protection
  • Compliance
  • Availability
  • Retention
  • Disposition

 

These attributes, not surprisingly, are included in the “P” in IGHPC. How providers respond to the IGPHC may vary, but any response should consider what “effectiveness” means. Future Legal e-Speaking articles will use the IGPHC to explore what effective IG could mean.

Acknowledgment

AHIMA thanks ARMA International for use of the following in adapting and creating materials for healthcare industry use in IG adoption: Generally Accepted Recordkeeping Principles® and the Information Governance Maturity Model. www.arma.org/principles. ARMA International 2013.

References

AHIMA. “Information Governance Principles for Healthcare (IGPHC)TM.” 2014. http://research.zarca.com/survey.aspx?k=SsURPPsUSVsPsPsP&lang=0&data=.

 

Editor’s note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as advice.

Ron Hedges, JD, is a former US Magistrate Judge in the District of New Jersey and is currently a writer, lecturer, and consultant on topics related to electronic information.

Submit a Comment

Your email address will not be published. Required fields are marked *