A privacy and information security governance model

HIM-HIPAA Insider, August 11, 2014

A governance operating model describes the structure, oversight responsibilities, and infrastructure for a program or functional area. Structure includes program design, reporting relationships, and oversight committee charter and membership. Program oversight responsibilities lie with the board, the oversight committee, senior leaders, and managers responsible for daily program operations. Infrastructure refers to the policies, procedures, and processes associated with a program.

Effective privacy and information security programs start with attention to governance. Governance refers to the roles and responsibilities established by the board and senior leadership to direct and oversee the program, based on an organization's mission, goals, and requirements for protecting information assets.
The following guidelines are helpful when establishing and measuring privacy and information security structure and processes with governance as the foundation:
1. Establish governance that includes and specifies the oversight role of the board of directors. The board is responsible for privacy and security oversight. This includes ensuring that risk analysis and risk mitigation activities are considered integral to an organization's overall risk profile. Board bylaws and operating rules must address privacy and information security oversight.
2. Select a board committee to oversee the privacy and information security program. Address privacy and information security program oversight responsibilities in the committee's charter. Privacy and information security oversight can be assigned to risk, safety, quality, or compliance and audit committees. This decision depends on committee structure and board member skills that can guide the programs.
3. Train new and established board members and senior leaders. As with other areas of board oversight, privacy and information security concerns may change over time. New risks, changes in technology, EHR development, patient portals, and patient engagement are just a few examples of developments that can affect an organization's privacy and information security program. Finding time to become knowledgeable about privacy and information security as key risk areas may be challenging for board members, but doing so is essential. Effective and robust privacy and information security programs are necessary to avoid reputational, regulatory, and financial risk.
This article is adapted from The Complete Guide to Healthcare Privacy and Information Security Governance, published by HCPro, a division of BLR.