The Rising Need for Data Governance in Healthcare

Healthcare is changing, and it all comes down to data. Leaders in healthcare seek to improve patient outcomes, meet changing business models (including value-based care), and ensure compliance while creating better experiences. Data & analytics represents a major opportunity to tackle these challenges. Indeed, many healthcare organizations today are embracing digital transformation and using data to enhance operations. In other words, they use data to heal more people and save more lives.

How can data help change how care is delivered? Value-based care is a new concept, growing in popularity and transforming the business model. It introduces a new incentivization structure for physicians, which rewards them for the value of their care instead of the quantity of care. The goal is to support better patient outcomes. Hospitals and pharmacies, too, are increasingly considering this model. Leaders are asking how they might use data to drive smarter decision making to support this new model and improve medical treatments that lead to better outcomes.

Yet this is not without risks. Protected health information (PHA) and personally identifiable information (PII) that providers of healthcare and clinical trials manage is pursuant to privacy laws, like the HIPAA, CCPA, and GDPR, which mandate how such data can be used. This data is also a lucrative target for cyber criminals. Healthcare leaders face a quandary: how to use data to support innovation in a way that’s secure and compliant?

Data governance in healthcare has emerged as a solution to these challenges. It defines how data can be collected and used within an organization, and empowers data teams to:

• Maintain compliance, even as laws change

• Uncover intelligence from data

• Protect data at the source

• Put data into action to optimize the patient experience and adapt to changing business models

What is Data Governance in Healthcare?

Data governance in healthcare refers to how data is collected and used by hospitals, pharmaceutical companies, and other healthcare organizations and service providers. It combines people, process, technology, and data within a system founded on transparency and compliance. In this way, it builds human trust in the data while ensuring the data is used properly.

An active data governance framework supports data-driven decision-making. This, in turn, empowers data leaders to better identify and develop new revenue streams, customize patient offerings, and use data to optimize operations.

Whether it’s an out-patient clinic, drug discovery and clinical research lab, or any other organization that provides treatment, tests, rehabilitation, or therapy – data security is critical. Healthcare organizations need to manage and protect sensitive information in a consistent, secure, and organized way.

As Michelle Hoiseth, Chief Data Officer of Parexel, a global provider of biopharmaceutical services, said in a recent interview: “We needed to understand how we could leverage data that was forming in electronic medical record systems, claim systems, and pharmacy claims systems to really see the impact of new treatments.”

For Michelle, step one was “appreciating that your data is an asset to enable your business.” To make good on this potential, healthcare organizations need to understand their data and how they can use it. This means establishing and enforcing policies and processes, standards, roles, and metrics. These systems should collectively maintain data quality, integrity, and security, so the organization can use data effectively and efficiently.

Why Is Data Governance in Healthcare Important?

Healthcare data is valuable and sensitive, so it must be protected. This is why healthcare organizations are subject to strict compliance mandates. These mandates ensure that PHA and PII data are protected and managed properly, so that patients are protected in the event of data breaches.

Yet this same data is critical to improving patient outcomes. It can guide adaptation to changing business models and aid innovation, creating better patient experiences. But again, how you work with this data is subject to compliance scrutiny. The people working with it need guidance if they’re to use it appropriately.

Here is a closer look at some of the leading reasons your team should implement data governance to enable you to use and protect this data:

Ensures High-Quality Data Analysis

Healthcare organizations often have many different databases to manage their diverse data and often have multiple databases handling the same information. However, grouping that data intelligently and making sure the right data is being properly used is a challenge.

Intellectual property, like medical research data, often contains PHI and PHA. For example, in large databases for pharmaceutical companies, medical trial data may include both the pharmaceutical research and the study population’s personal information. Anonymized versions of that data may also be generated and shared, creating multiple data sources with the same information.

Hospitals, too, often collect PII and PHA in multiple systems. Duplicative data is common, as a patient may see more than one specialist or have visits in more than one facility. Storing the same data in multiple places can lead to:

• Human error: mistakes when transcribing data reduce its quality and integrity

• Multiple data structures: different departments use distinct technologies and data structures

Data governance is the solution to these challenges. How can you improve the patient journey, when you don’t have accurate data from every touchpoint of that journey? How can you analyze business models without great operational data from across the organization?

Improving the patient experience requires combining this data to put it into action. Data governance not only provides a transparent framework for correct usage. It ensures quality data forms the foundation of all insights. A mountain of duplicate data can open the door to unintentional non-compliance. It can even diminish the overall quality of the data over time.

Meet Compliance Requirements

State, federal, and regional governments all understand that cybercriminals want PHI and, increasingly PHA. To protect this information, legislative bodies mandate strict rules for handling this sensitive data. Today, lawmakers impose larger and larger fines on the organizations handling this data that don’t properly protect it.

More and more companies are handling such data. No matter where a healthcare organization is located or the services it provides, it will likely host data pursuant to a number of regulatory laws.

Some important compliance regulations include:

• Health Insurance Portability and Accountability Act (HIPAA): US federal law protecting patient data privacy

• General Data Protection Regulation (GDPR): European Union law protecting data subject privacy

• California Privacy Rights Act (CPRA): US state law protecting consumer personal information privacy

• Payment Card Industry Data Security Standard (PCI DSS): Payment industry compliance requirement protecting cardholder data

To meet compliance requirements, healthcare organizations need to know where all sensitive information is located and be able to prove it’s governed effectively.

Protect From Cybercriminals

Cybercriminals have nearly always targeted PHI and are increasingly focusing on healthcare. Whether they want to steal identities, sell data, or hold information hostage, these actors recognize that such data has a financial value.

The 2021 Data Breach Investigations Report found that in healthcare:

• 61% of data breaches were caused by external actors

• 91% of data breaches were financially motivated

• 66% of data breaches involved personal information

• 55% of data breaches involved medical information

An overabundance of data can challenge an entity’s ability to protect it. Indeed, an organization can’t protect information if it doesn’t know what it has or where it lives. Clear data governance policies and processes start with implementing a data catalog and labeling private data accordingly. This knowledge empowers data leaders to take appropriate action to both protect and use it compliantly.

5 Steps for Creating Effective Data Governance in Healthcare

As healthcare organizations grow, they need scalable data governance practices to both keep private data secure and remain financially competitive. From engaging in research to providing emergency care, healthcare organizations must ensure that they can efficiently and effectively use data.

1. Determine Business Goals and Objectives

Healthcare organizations have many data use cases. At the outset, the organization must decide how data governance fits into the business goals and define objectives accordingly. For example, some goals might include:

• Determine competitive strategies

• Increase patient engagement

• Decrease adverse medication effects

• Increase patient telehealth services usage

• Reduce audit times

• Mature security and privacy posture

Each of these goals will require different types of information. To use that information compliantly, data teams must work within a transparent governance framework.

2. Identify, Categorize, and Prioritize Your PHI

PHI is arguably the highest risk data that a healthcare company manages. In order to stay compliant and provide the best patient care possible, identifying and categorizing PHI should be a top data governance priority.

It’s also important to make sure that information is properly categorized across all areas of the organization, including:

• Clinical data

• Lab data

• Payment processing data

Where data lives and how it’s classified will determine how it’s governed. Compliance audits require that sensitive data be marked accordingly, with evidence that demonstrates usage in line with regulatory law.

3. Assess and Assign Privileges and Permissions

Privileges and permissions define who can access what data, and what they may do with it. As a best practice, data access should be governed according to the principle of least privilege. This means limiting access to information as much as possible without getting in the way of someone’s ability to do their job.

The healthcare industry has a growing number of interoperability standards, which dictate how information is stored and shared between devices. Before you assign privileges it’s important to:

• Define types of data that different areas need to access

• Define who within a functional area needs to access the data

• Outline how they can access the data, including details about devices, geographic locations, and time of day

For example, a phlebotomist needs to know the patient’s name and date of birth. However, they may not need access to the patient’s entire medical history. Too much access increases the risk that data can be changed or stolen.

4. Remove Low Quality, Unused, or “Stale” Data

In healthcare especially, data integrity is incredibly important. Low quality, unused, or “stale” data can negatively impact research by skewing findings. From a physician’s perspective, bad data can lead to care issues. For example, outdated patient prescription information can impact a doctor’s diagnosis and treatment plan. Keeping data fresh helps to achieve both care and operational goals.

5. Assign Key Roles and Train Employees

Finally, it’s important to have the right people with the right training in charge of data governance. To do this, you should create teams based on role, including practitioners, IT team members, and finance.

Accountability is important. Every functional area that manages sensitive information needs to ensure that the data managers, data owners, and data analysts understand their responsibilities. Data owners are in charge of their data, and they must know who has access and who should have access.

In addition, adding a Chief Data Officer (CDO) can help maintain best data governance practices. The CDO acts as a point-of-contact within the organization for data managers maintaining the daily activities.

Monitor, Measure, and Continuously Improve

At this point, you should reference back to the goals you set in Step 1. If your goal was to increase patients’ telehealth services usage, for example, you’ll need benchmarks of current usage to measure change with time. Dashboards are useful means to track such change.

Once you have baseline metrics, you can monitor change over time and measure the impact of business efforts on achieving the goals you’ve set. This takes time, attention, and patience! Don’t feel frustrated if you don’t see results immediately.

Finally, data governance is a cycle. As you measure your progress, you may spot areas where you could get better. It’s important you make those changes as you go. This ensures you continuously improve your governance process.

Implement Data Governance in Healthcare with Alation

Whether your healthcare organization is looking to optimize patient care, improve research processes, or meet compliance requirements, data governance is mission-critical. Alation’s data catalog creates a standardized view of assets and ensures consistent data quality. Alation’s Data Governance App then helps you create the policies and procedures needed to make sure that the right data is used and that it is used properly.

For Michelle Hoiseth, Chief Data Officer of Parexel, this approach now means that “People see who is accountable for that data, the viability or quality of that data, classification or other limitations of use. They are then able to create a direct connection with people whose job it is to help them get their data needs met, no matter who you are or where you are in the business”

By consolidating data in a single location and making sure it is used properly, everyone in healthcare, including researchers, clinical trials, and care providers, can make better-informed decisions. Better decisions impact the outcomes for patients, help navigate changing business environments and value-based care and, overall, improve the experiences for everyone in their organization.