With a few exceptions -- the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act, to name two -- the discourse has been more academic than practical. But the public go-live of the Patient Protection and Affordable Care Act (PPACA) in September brought the issue to the forefront.
A wider net than you think
The PPACA is lengthy and covers more territory than there's space to discuss here. But the PPACA includes language involving the three pressure points we have raised – data management, information governance and compliance -- and the way the requirements are written often point to ramifications for organizations active in sectors other than healthcare. For example:
- SEC. 399II [42 U.S.C. 280–1]: COLLECTION AND ANALYSIS OF DATA FOR QUALITY AND RESOURCE USE
MEASURES: "The Secretary shall collect and aggregate consistent data on quality and resource use
measures from information systems used to support healthcare delivery."
The data cited here has to come from somewhere, and that "somewhere" is from healthcare providers whose already complicated compliance capabilities have become only more challenging as they wrestle with the particulars of data formatting and transfer.
- SEC. 3101 [42 U.S.C. 300k]. DATA COLLECTION, ANALYSIS AND QUALITY: "The Secretary shall ensure [that] all data collected … is protected (i) under privacy protections that are at least as broad as those that the Secretary applies to other health data under the regulations promulgated under [HIPAA]; and (ii) from all inappropriate internal use by any entity that collects, stores or receives the data, including use of such data in determinations of eligibility … in health plans, and from other inappropriate uses.
HIPAA compliance is already bedeviling information professionals in healthcare, insurance, human resources (HR) and other arenas that are involved in the creation or protection of personal health information, and its roots in privacy protection and appropriate use are at the very heart of governance and records management in general. While this isn't new, HIPAA's extension to cover eligibility may well be, as the scope is being broadened to encompass patient income and other financial information as well. As a result, the act's influence ripples far beyond healthcare.
Thanks to our growing interconnectedness, activities in one area increasing are affecting those in others.
These clauses illustrate our three-part convergence. By calling for the collection and aggregation of consistent data, the SEC. 399II addresses the need for data management, which enables the kind of reporting the new law requires. By requiring privacy protections, the SEC. 3101 centers on governance, which embodies the art and science of curating and safeguarding information. And by virtue of their federal authority, both are about compliance, which is adherence to government, industry or internal rules, regulations or best practices.
The PPACA is even more significant because the information and intelligence it encompasses is derived from a multiplicity of content stores (databases, document repositories, file cabinets) and involves any industry that creates or stores healthcare-related information (which is to say, all of them!). This universality will accelerate the already widely anticipated melding of data management, governance and compliance.
Both sides of the compliance coin
How you approach this issue depends on your role in your organization; it fundamentally cuts in two directions.
From a business/operations perspective, the obvious first step is to study the relevant regulations to identify and understand what your compliance requirements are. From here, the task is to ensure the organization operates accordingly and the information infrastructure properly supports the desired outcome.
From the standpoint of technology/architecture, however, the first step is to inventory the features and functions of existing technologies and match them with those suggested or specified in the new regulations. Next, IT professionals need to have a conversation with business managers to ensure the system's capabilities are in line with operational needs.
Whatever the starting point, the result should be that business and IT units agree on compliance requirements and how the system will meet them. Generally speaking, the questions are more plentiful than the answers at the start, including the following:
- Which databases need to be included? Which repositories? Any shared drives?
- Is the information stored in each place organized and tagged using the same logic and vocabulary?
- Who's responsible for the care and feeding of each piece of information identified?
- Are there audit trails associated with the capture, use and sharing of this information?
These queries have been asked for some time, but they have generally been raised in separate jurisdictions that each had their own narrow take on data management, governance and compliance. Led by the PPACA, inquiries will probably become more holistic as the act's tentacles help spread the combined concepts further into IT, which has to connect all the involved systems, and into the myriad business units that trade in health services-related information (e.g., HR for benefits management, accounting for payroll deductions, etc.)
Speaking a common language
The first step along the path typically requires developing a shared vocabulary -- namely, how operations leaders, technology staff and compliance managers characterize the information at the center of the radar screen, and the ways this information needs to be tracked, managed and reported on to satisfy auditors.
More on information governance
Creating a business case for ECM
Using records management for SharePoint control
Standardizing on an appropriate lexicon is critical because of the precision it provides, but the exercise generally requires a lengthy negotiation as well. There are multiple viewpoints and resources (enterprise databases, document repositories and legal dictionaries) -- each with its own vernacular -- to be accommodated.
In the end, having a well-controlled vocabulary enables the creation of a complete and accurate set of metadata tags that then can find, trace and inspect the use of information in light of an organization's compliance requirements. This consistency is one of governance's greatest goals, and it is critical for efficient data management in contexts -- like the PPACA -- that require the finding, consolidating and reporting on data stored in multiple places. So deciding on a common language is key to achieving the three-part harmony the act promotes.
The constant of change
The abilities to bridge business and IT and to apply consistent descriptors to all kinds of data are gifts that keep on giving. Not only do they pay dividends in the immediate term, but they allow for rapid responsiveness down the road when new regulations alter or add to the compliance load. Just as the Affordable Care Act followed HIPAA by some years, so will some other initiative burst on the scene and force adjustments in the way data is managed and information is governed.
By considering the suggestions presented here, you can exploit today's activity to help your organization remain compliant without having to start anew, and avoid along the way the trepidation associated with converging data and information management requirements.
This was first published in November 2013