Risk Avoidance: The Case to Justify Data Governance
One of the most common questions Healthcare leaders across the country ask me is “How did any one of the many Collibra healthcare customers ‘justify’ the investments for their data governance program?” It’s tempting to respond with the classic consulting response of “it depends” or to dive into the details of each customer. But the frequency of the question has led me to take a broader look at the state of Healthcare data and information governance and find common threads in how customers justify data governance.
Not surprisingly, the justifications for data and information governance in healthcare fall into the same three categories as they do for virtually all our customers: Risk Avoidance, Increased Value, and Decreased Cost.
While virtually every organization pulls from each of these categories to justify data governance initiatives, this discussion will focus on Risk and Risk Avoidance. We’ll look at how Collibra customers leverage Increased Value and Decreased Cost to justify their data governance investments in subsequent articles.
Of course, saying that a seven-plus figure, multi-year investment in consultants, staff, technology, and change management is justified because it decreases risk or decreases costs is hardly enough to convince most Healthcare CEOs and board members to drop the hundreds of other projects (that also promise to decrease risk) and make data governance the number one priority. So let’s dig a bit deeper to look at a few of the ways that a well-funded data governance program can address each of these areas. The need for more effective data governance is universal across all types and sizes of healthcare organizations. Notice that I didn’t say that every healthcare organization needs more data governance, although I’d argue that today, few healthcare organizations suffer from too much governance.
Clinical Risk Avoidance
For years, organizations have understood the potential risks of using data improperly in the clinical decision process. Many have erected Byzantine processes and systems to manage clinical data in and around the patient record. And with the current land rush into analytics and data-driven healthcare, organizations are frequently moving data from tightly-controlled electronic medical record (EMR) systems into new analytic platforms, big data environments, 3rd party analytic applications, and data sharing with Accountable Care Organizations (ACOs) and countless external organizations. Most organizations have well thought out plans and processes to minimize the risk of data loss and data breach associated with these new analytic tools and technologies.
However, the familiar old risks of misuse of clinical data in these new environments are not well-mitigated. I’m not talking about the intentional misuse of clinical data for financial benefit. Rather, I mean the far more likely unintentional misuse of clinical data resulting from a lack of understanding as to the meaning and provenance of clinical data.
To mitigate this risk as both the owner and consumer of clinical data, organizations must leverage their governance teams to ensure they are documenting, maintaining, and making available the critical context and meaning throughout the lifecycle of this clinical data. Practically, this means they should have:
- Accurate, accessible definitions of clinical concepts
- Transparency to inclusion and exclusion criteria for patient populations
- Flexible, clinically-driven management of reference data from simple gender codes to complex, structured, clinical vocabularies such as SNOMED and LOINC
Once clinical data moves beyond the EMR and EMR vendor-provided analytics, organizations must deal with the potential risk of unintentional misuse of clinical data. Some organizations are clinging to vendor-provided analytics solutions in hopes of managing these risks by staying within the vendor’s “walled garden.” But history and the reality of today’s healthcare market make it clear that this strategy has severe limitations in the face of how organizations must leverage clinical data in new ways to compete and thrive.
Financial and Regulatory Risk Avoidance
Healthcare can learn from the lessons of other industries such as Financial Services about the importance of data governance in avoiding financial and regulatory risk. For financial services companies, the risks of poor data governance are real, significant, direct, and demonstrable. Regulators are demanding both transparency and accuracy in reporting through tightened regulations such as BCBS 239, the Basel Committee on Banking Supervision’s regulation number 239. The objective of this regulation was to strengthen banks’ risk aggregation capabilities and internal reporting practices. Released in early 2013, BCBS 239 sets forth a number of principles to define regulator risk reporting expectations:
- Institutions should have accurate, reliable reports available in a timely manner for both business-as-usual and crisis decision making
- Reports should be comprehensive, easy to understand, and flexible enough to meet ad hoc requests
- Data architecture and IT infrastructure should support reporting frequency requirements (daily – and even quicker) as well as crisis reporting
- Limitations in data and report quality should be transparent to report users
For my Healthcare readers, I’m sure that you are wondering what all of this has to do with you. The parallels are really quite simple. Financial institutions must provide regulatory reporting to regulators in much the same way that healthcare organizations must provide information to state and federal regulators (as well as external organizations). In the Healthcare provider world, though, many of these reports take the form of quality reporting to CMS and the private payers. And certainly the Healthcare payers have a plethora of regulatory reporting requirements to the states.
In the face of the recent financial meltdown, financial regulators have supported legislation that mandates that financial institutions provide adequate governance around reports provided to governmental oversight bodies. Fortunately, healthcare organizations are not facing this same level of regulatory scrutiny (yet). But the importance of regulatory reporting to the bottom line is not insignificant. For a hospital system, performance and quality reporting can impact CMS reimbursements by up to 5.5% — an amount greater than the operating margin of hospital systems.
So practically, what does governance do to address these financial risks?
- Allows healthcare systems to more accurately align or “map” internal data to that expected by payers. For example, helping to ensure that all of the stroke patients are properly included or excluded from quality reports.
- Enables organizational visibility into the quality of data used in regulatory and quality reporting and enables effective, targeted efforts to improve data quality problems.
- Provides a structure for improvements in the data collection, aggregation, preparation and submission processes. Just as with the objectives behind most of the quality reporting initiatives, measuring and tracking the improvements to data handling and data governance yields improvements in those processes.
- CMS has studied the challenges associated with electronic quality reporting and has cited collaboration and communication as one of the most significant opportunities for improvement in the accuracy of quality reporting. Effective governance puts in place the processes and systems to facilitate collaboration and communication around data and data issues.
- Engages the proper stakeholders at each point in the process, from the initial point of data capture in the clinical workflow through final signoff or attestation of adherence to specific measures. Organizations need the ability to quickly adapt data workflows to involve clinical, administrative, and technical resources in every stage of the quality and regulatory reporting processes.
While your organization may use a vendor-provided solution for preparing and submitting your regulatory and quality reporting, we know that these programs will continue to expand even if federal regulation wanes over the next four years. The foundational shifts towards more data-driven financial relationships have taken root.
Without question, you will find other specific data risks that your governance program needs to mitigate. Some of those areas may include the need for governance of data sharing agreements or determining who has access to PHI data. I suggest that you start to capture these areas of risk and evaluate them based on the likelihood of occurrence and potential impact of the risk. Depending on your organization, the need to quantify and measure these risks will vary. But once you have started to capture areas of risk created by and around your data, you can begin to prioritize and quantify those items of the highest risk. And in most cases, you will find that improving the effectiveness of your data governance program is one of the fastest and least costly ways to mitigate these risks.
What data risks are you uncovering as you look to justify data governance?