Information Explosion

By Allison J. Bloom, Esq. & Melissa G. Dederer, IGP, CRM
Information is at the center of everything an organization does, and records (a subset of information) are evidence of what the organization does. How an organization manages its information, including its records, can directly affect its ability to successfully compete in the marketplace, comply with regulations, survive an investigation or audit, and recover from disaster. The implementation of new technologies adds yet another layer of factors for considertaion. Every agency should be mapping and tracking its information and preplanning for new technology initiatives with an eye toward better records management and information governance.
 

As discussed in the February 2014 issue of EMS Insider, the ultimate goal of healthcare reform in the long term is to create a seamless, universal, interoperable electronic health record system for all Americans. But managing, tracking and maintaining electronic health records is only the tip of the information “iceberg” for EMS agencies; there are many other types of information and records that need to be managed, tracked and maintained.

 

Records & information management

 

A records and information management (RIM) program is necessary for organizations to proactively (instead of reactively) manage all of their information, regardless of format or location. Think of it as the “tactical approach” with regards to information. By having and adhering to an RIM program, organizations are demonstrating that they are taking “reasonable” steps to manage their information (a defensible position). The program also shows that your organization is following best practices to be able to comply with regulations, survive an investigation or audit, and better recover from a disaster. A records management program is the systematic control of recorded information, from creation, to use and maintenance, through to the final disposition (usually destruction).

 

With the proliferation of information, organizations need to take a look at how they are managing all of their data. Otherwise, they will find themselves overwhelmed with the amount of data they maintain and the staggering costs that result from this information explosion. Some organizations are further ahead than others with managing a high volume of information. How have they accomplished this? They have implemented records management programs, and some have even begun to add information governance to their repertoire.

 

RIM programs are tactical–the “how” of information management. Records management is the discipline of managing an organization’s assets–its records–and is something every organization can (and should) implement, even at its barest minimum (i.e., something is better than nothing).

 

At the very least, a records management program should include a records management policy, procedures describing how to comply with the policy, and a records retention schedule.

 

Records management policy

 

As an example, a records management policy should contain:

 

“¢ A statement that refects the organization’s commitment to good records and information management;

 

“¢ The scope of who and what aspects of the organization’s business the policy covers; roles and responsibilities (for example, the chief is ultimately responsible for the management of records and information, has authorized the policy and promotes compliance with the policy, and employees–whether paid or volunteer–are responsible for the creation and/or management of records and information and must comply with the policy);

 

“¢ A statement affrming that the policy will be communicated to all employees and that training will be provided on the aspects of the policy; and,

 

“¢ An endorsement from senior management (a statement affirming that the chief or other senior manager with responsibility for records information and management has endorsed the policy).

 

The policy may also include definitions of records and non-records to help employees understand what the company considers to be records and what are non-records. It is not uncommon for organizations to require employees to review the policy on an annual basis and attest to the fact that they understand and will comply with the policy.

 

Compliance procedures

 

Procedures should be well documented and accessible to employees so that they can comply with the policy. Procedures provide a standardized method for employees to manage their records, from creation to final disposition. The procedures document can be something as simple as a workfow chart to something more descriptive. The document can be broken down into stages: active, inactive, and final disposition.

 

Active stage: The active stage is when an employee has identified some information that meets the definition of a record and needs to follow the RIM policy. The procedures document should describe how the employee can manage that record. For example, if it is an email, the procedure will discuss where to retain the email; if it is a paper (or other physical) record, the procedures document discusses how and where to manage that information.

 

Inactive Stage: The inactive stage occurs when a record must still be retained for business, financial, legal or regulatory reasons, but does not need to be immediately accessible to employees. In this stage, it may be the responsibility of a particular person within the organization to manage it (for example, in the case of closed employee files, a human resources person would manage the files). If the records are paper (or some other physical format) they may be sent to an off-site facility. If the record is electronic, your IT person or department may move it offline to a less expensive storage medium, yet still be able to retrieve it if needed.

 

Final Disposition Stage: The final disposition stage discusses how a record will be officially “disposed,” which, as previously stated, usually means destruction. However, there are instances where a record may have been deemed a piece of information that the company needs to retain permanently (for example, certain OSHA records, Articles of Incorporation, bylaws and certain financial records).

 

Records retention schedule

 

Another component of a records management program is the records retention schedule (RRS). This document describes the different types of records that the organization has and defines how long each type of record needs to be retained. It is developed based on legal records retention requirements under federal, state and sometimes local laws and regulations, and should involve the assistance and approval of legal counsel.

 

Development and compliance with the RRS is a critical piece of the RIM life-cycle, and one that is often overlooked or avoided–usually due to fear of not having some piece of information available if it is needed or requested. However, the “save everything” mentality is actually more of a risk to an organization than properly destroying records according to an established policy and schedule. The reality is there is no such thing as truly “saving everything.” Voicemail messages and seemingly unimportant emails get deleted, scraps of paper with phone messages or notes that have been transcribed into a more formal document get thrown out, etc. And, every so often, someone within an organization gets the idea that they are going to “clean out” the file cabinets to make more room.

 

Without an RRS for guidance, the risk to the organization is that a) records may be destroyed prematurely, or b) some records may be properly destroyed, but others that should have also been are not, thereby exposing the organization to possible sanctions in the event of an audit, investigation or lawsuit when there is a “gap” in the records it is able to produce. For example, the computer backup system overwrites every 30 days, but there are boxes of dusty old computer backup tapes from 20 years ago sitting in a storage closet. The fact that the more current data is routinely overwritten (i.e., destroyed)–even if done in accordance with a written policy–while older information still exists, may open the organization up to liability.

 

The RRS should be easily available to all employees so they can take reasonable steps to comply with the RIM program.

 

Information governance

 

Information governance (IG) involves not just records management; it also ensures integrity and reliability of an organization’s information. While an RIM program is a foundational element that can help organizations gain control over the massive explosion of information, IG, on the other hand, uses records management as a foundation and takes information management to the next level by addressing how an organization’s information assets are managed to support company goals. It is therefore strategic rather than tactical. IG includes establishing ownership and accountability for the RIM program, defining metrics to be used to ensure compliance, and managing the lifecycle of information (providing a defensible disposition). IG also includes fostering collaboration among key stakeholders, including legal, compliance, IT, records management and business units.

 

A properly implemented IG program in conjunction with a RIM program improves accessibility and search capabilities while ensuring appropriate controls (for example, providing proper access to the right people at the right time). It can ensure that compliance obligations are met, reduce risks to the organization and result in improved information use and better company outcomes.

 

Remember that some of the major focuses of healthcare reform are accountability, transparency and accuracy of information and data. There is no better time than now for organizations to review their current information-related activities and get started with a records management program. The volume of information is going to continue to increase and organizations need to be able to control that growth. An RIM program is the best place to begin. And implementing an IG program helps to ensure that the organization’s information is properly accessible when needed.

 

This article only scratches the surface. Be sure to consult with an attorney and an RIM/IG professional to review your organization’s specific needs and obtain appropriate advice on these and related issues.

 
Melissa G. Dederer, IGP, CRM, is a certified information governance professional and certified records manager specializing in information governance and records management with more than 20 years of records and information management, project management and automation experience. She currently serves on ARMA International’s Board of Directors. Contact her via email at mgdederer@gmail.com.

No posts to display