Governance Taking Center Stage

By Bruce Johnson

Across healthcare, the demand and pressure for access to data are now overwhelming organizations.  In many organizations, the only access to structured data for analysis was through the resources in Finance.  More recently, the demands for providing external reporting of core measures and demonstration of meaningful use have inundated organizations while the financial pressures facing the world have forced organizations to look at business operations for process improvement.  In organizations where research has been conducted, access to data has historically often meant finding it any way you can, exposing security and privacy gaps.

A combination of a lack of data being captured, the increasing need for information access, and new security regulations around data and its usage has many organizations searching to understand what to do and how to respond quickly and safely.  These functions are at the center of the roles and responsibilities of governance and oversight.

While technical architectures and solutions are never easy, the biggest challenge in addressing these needs seems to be development and engagement of business/clinical governance.  Implementing data security, access rights, and providing technical solutions is an IT requirement, but defining what, how, who, and where is not.  In healthcare, there has traditionally been a lack of formal governance, and that seems to stem from the challenges with getting access to key clinical/business domain experts – those that can effectively define data and all of its characteristics as well as who can access it and how.  This is an industry with resources that are stretched very thin, have significant time demands, and have small financial margins to work with.  This often leaves IT stuck with trying to define the rules instead of focusing on building the solution.


Healthcare’s Unique Challenges

While it is always good to take best practice examples from other industries, it is also prudent to understand the unique aspects to the industry you are in.  Healthcare has several dynamics that make governance more complex and challenging than other industries.  Let’s take a high-level look at some of these:

  • Breadth of systems needs
    • Unlike other industries – unique systems for many individual areas of practice and associated services abound.  Having massive numbers of systems often causes confusion and leads to similar tools being deployed for the same need.  This is often magnified by the geographic dispersion of offices – i.e. identical areas of practice in two different sites may have completely different systems for billing, registration, EMR, etc…
    • Systems costs – while all industries have the need for comprehensive solutions to run their businesses, it is rare that other industries incur software costs like those the healthcare industry does.  While almost all industries need ERP vendors, healthcare also has the Electronic Medical Record (EMR), which frequently costs in the $100s of millions to implement, sometimes even billions.
  • External files – while many organizations have external information they want to leverage on clients/customers, healthcare has an overabundance of external files and tools that they need to both run their business and to improve the quality of care they provide.  Again, with the volumes of needs, it is common to see organizations pay multiple times for enterprise licenses of shared data sets – like the USDA nutrients database, Social Security Death Index, CPT codes (Current Procedural Terminology), Pharmacy vendor lists, and many others.
  • Reporting/analysis needs – As I have shared in many previous articles, the reporting and analysis demands around healthcare data are extensive.  These demands cover areas like internal operational management and analysis, external regulatory reporting, quality improvement efforts, practice management, and even medical research.  Yet, with HIPAA (Health Insurance Portability and Accountability Act) and data privacy/security concerns, organizations must be careful who gets to see what data and make sure they have auditing to back up their processes and controls.
  • Data breadth and depth – the type of data that can be collected in healthcare is extremely wide and very deep.  This includes extensive volumes of data with many varying measurements, lots of views of data, and complex data types (like unstructured notes, images, and genomics).  There are also many standards and vocabularies that tie/connect to clinical data that must be considered.
  • Budget – IT budgets in healthcare are similar to or even less than IT budgets in other industries.  Even though the number of systems to implement and maintain is much greater than that of most other industries, the budgets don’t change to accommodate that.  The other impact of high numbers of systems is the infrastructure (servers/network/disk/etc…) required to support them.  Recent comments from organizations I have worked with report that up to 70% of IT costs are infrastructure related.


Governance In General

So what does governance in healthcare need to look like?  Traditionally, healthcare organizations saw needs and acquired solutions that would fit them.  Often the person or clinical area with the need would see and acquire software directly related to it in order to solve a specific need/demand.  Unfortunately, that is how many healthcare organizations came to have hundreds or even thousands of independent systems that were in no way linked together.  EMR vendors have tried to lead providers to believe that they can solve all data capture needs.  While they have made great strides and are improving significantly in process and completeness, the reality is that there are so many specialty areas and unique data needs that a comprehensive offering isn’t feasible.

There are many different characteristics of healthcare organizations that dictate the formality, attention, and rigor required of governance.  The most critical factor is that it is right sized to your organization, where you are at, and where you need to go.  That being considered, there are five main focus areas that all healthcare organizations should establish to some extent:

  • Oversight:  Having business, clinical, and research leadership accountable and overseeing the connection between processes, workflows, data, and information systems is a precursor to having a responsible, responsive, and cost-effective corporate culture.  This oversight group is led by a key executive-level person and has many responsibilities, but basically oversees all planning and activities for the 4 other focus areas listed below.  The main key here is that this group is not an IT committee, nor is it led by IT.  In fact, only a maximum of 1 or 2 IT resources should attend – a key IT leader (like a CIO) and an expert data resource with broad knowledge of the organization and an understanding of enterprise data and data architectures.
  • Data:  This group should be focused on the capture, management, and usage of data across the enterprise.  Figure 1 shows a comprehensive data approach that serves many needs across healthcare and where data governance is critical to make it accurate, secure, and valuable to all those that use it.  This group is typically led by a Chief Data Steward who is a non-IT person with extensive knowledge of the enterprise.  This group should work closely with IT resources that build source systems, establish data models/designs, any data warehousing activities, as well as working with key business areas that need data for reporting and analysis activities.


Figure 1


  • Security:  Ensuring the protection and valid access to all data captured within a healthcare organization is very difficult without a formal data architecture.  The presence of an enterprise data architecture and systems architecture certainly makes governance much easier to implement and manage, but it is usually only organizations that have taken governance seriously that would have those items anyway.  This group should be chaired by someone from Compliance/Privacy, Auditing, or IRB.  It would have a close relationship with IT and with the Chief Data Steward.  Key functions of this group would include policy creation and management, auditing processes and producing formal results.  An IT Security Officer should exist (a part-time role) who provides all of the reports and implements any access permissions and restrictions defined by this group.
  • Solutions:  These are the IT resources who build the systems that are used to capture, manage, and deliver data across the organization.  With usage of data by data warehousing/analytic solutions often driving data capture requirements, this is typically driven and heavily attended by data warehousing resources.  Key interaction points overseeing all solutions include Security and Data Stewardship leaders.
  • Process:  As solutions are defined, tested, and rolled out to clinical/research areas within healthcare organizations, there is a need for ownership and coordination by resources outside of IT.  Typically IT resources are not experts at these aspects of systems delivery and, to be honest, do we really want them getting direct calls from physicians that don’t understand the data, don’t believe it, or don’t know how to fit the workflow in with their practice?  Resources are needed that can work directly with clinical areas on training, planning, helping with adoption, etc…  One example of this type of resource is a quality specialist.  This resource works closely with Quality/Safety offices, typically has a clinical background, and generally knows the resources and areas that use the systems and tools.  These resources are often closely connected to data stewards (sometimes even in that organization) and also IT.

Figure 2 shows a sample governance structure for a healthcare organization that covers both practice and research.  A more in-depth analysis of this governance structure and the various details in how to staff and implement it is a topic for a follow-on paper.


Figure 2


Key Guidance

One thing any organization, no matter what industry, how large, how established, or how desperate, needs to remember in creating a plan for implementing effective governance is to be pragmatic.  Probably the most common failure in implementing governance in healthcare organizations is the drive to create the best governance organization possible.  This takes years of establishing and maturing to accomplish.  No organization can develop plans, entrench resources, and move from a place with no governance to a mature governance overnight – although those that try will spend lots of time and money, and ultimately become very frustrated.  This is a surefire recipe for bringing projects and other progress across your organization to a screeching halt.



While there have been very small pockets within some organizations, healthcare is just now beginning to understand the value and put energy into the definition, collection, and oversight of data and technology.  Some organizations have formalized their approach to governance and are building processes that enable them to stay focused and coordinated in their efforts to contain overall costs, increase continuity/standardization, and decrease time to delivery.  This has positive effects on all future projects/needs and helps minimize any one-off spending on pet projects that don’t fit the organization’s key mission and strategy.  They become more effective, focused, and truly find a way to do more with less.

With this increased focus and examples of success, can a formal title like CGO (Chief Governance Officer) be far off?  I hope not.

About the Author

Bruce has over 20 years of IT experience focused on data / application architecture, and IT management, mostly relating to Data Warehousing. His work spans the industries of healthcare, finance, travel, transportation, retailing, and other areas working formally as an IT architect, manager/director, and consultant. Bruce has successfully engaged business leadership in understanding the value of enterprise data management and establishing the backing and funding to build enterprise data architecture programs for large companies. He has taught classes to business and IT resources ranging from data modeling and ETL architecture to specific BI/ETL tools and subjects like “getting business value from BI tools”. He enjoys speaking at conferences and seminars on data delivery and data architectures. Bruce D. Johnson is the Managing Director of Data Architecture, Strategy, and Governance for Recombinant Data (a healthcare solutions provider) and can be reached at
