2.5 Information Governance and Record Retention

Information Governance vs. Data Governance

Information governance (IG) is the enterprise-wide accountability framework and decision rights that treat information as a strategic organizational asset — spanning policy, value, risk, and lifecycle across all information. Data governance (DG) is the narrower discipline within IG that manages the accuracy, definition, structure, and quality of the data itself. The exam trap: IG is the broad, board-level program; DG is the operational subset.

IG distinguishes a progression: data are raw facts (a blood pressure of 150/95); information is data with context (that reading flagged as hypertensive for this patient); knowledge is information applied to guide decisions (a treatment protocol). Data stewardship assigns named individuals responsibility for specific data domains, ensuring accountability for quality and appropriate use.

AHIMA's Eight IGPHC Principles

AHIMA's Information Governance Principles for Healthcare (IGPHC) adapts the ARMA Generally Accepted Recordkeeping Principles to healthcare. Memorize all eight (mnemonic "A TIP CARD"):

1. Accountability — a senior leader oversees the IG program.
2. Transparency — IG processes are documented and open.
3. Integrity — information is authentic and reliable.
4. Protection — privacy, security, and confidentiality are safeguarded.
5. Compliance — IG complies with laws, regulations, and policies.
6. Availability — information is timely, accurate, and retrievable.
7. Retention — information is kept for the appropriate length of time.
8. Disposition — information is securely destroyed or transferred when no longer needed.

Note the pairing of Retention (keep long enough) and Disposition (dispose properly) — both appear as answer choices, and mixing them up is a common error.

Retention Schedules and Destruction

A retention schedule specifies how long each record type is kept, based on the stricter of state law, federal rules, statute of limitations, accreditation, and operational need. Common benchmarks (verify against state law, which often controls):

Destruction must be secure and irreversible: shredding/pulping/incineration for paper, degaussing or certified data-wiping for electronic media. Always document with a certificate of destruction (date, method, records destroyed, witnesses). Destruction must be in the normal course of business per the schedule — never selective.

Record Lifecycle, Legal Hold, and Metadata

The record lifecycle runs creation → maintenance/use → retention → disposition (destruction or permanent archival). IG ensures controls at each phase.

A legal hold (litigation hold) suspends routine destruction the moment litigation is reasonably anticipated; relevant records must be preserved regardless of the retention schedule. Destroying records under hold — or any records relevant to pending litigation — is spoliation, which carries court sanctions and adverse-inference penalties.

Metadata is "data about data" — the audit-trail attributes (who created/viewed/modified an entry, and when). Metadata proves record integrity and authenticity and is itself discoverable in e-discovery, so it must be retained with the record. Together, retention schedules, legal holds, destruction documentation, and metadata operationalize the IGPHC principles of Retention, Disposition, Integrity, and Availability.

Building an IG Program and e-Discovery

A functioning IG program is accountability-driven: an executive sponsor (often a Chief Information Governance Officer or the HIM director) chairs a cross-functional IG steering committee spanning HIM, IT, compliance, legal, privacy, and clinical leaders. AHIMA's Information Governance Adoption Model (IGAM) measures organizational maturity across competencies so leaders can benchmark and improve.

IG directly supports e-discovery — the identification, preservation, collection, and production of electronically stored information (ESI) in litigation. The EDRM (Electronic Discovery Reference Model) describes that workflow, and the Federal Rules of Civil Procedure govern it. When a legal hold is issued, the organization must preserve not only the clinical content but also the metadata and audit logs, because opposing counsel can challenge a record's authenticity.

The takeaway: IG is the governance umbrella; retention, destruction, legal hold, and e-discovery are the operational gears that keep healthcare information trustworthy, available, and legally defensible across its entire lifecycle.

Why IG Pays Off, and the Master Patient Index Connection

IG is not paperwork for its own sake — AHIMA frames it as risk reduction and value creation. A mature program lowers litigation exposure (defensible destruction and reliable legal holds), cuts storage cost (records purged on schedule rather than hoarded), strengthens data quality for analytics and value-based payment, and protects patient trust through consistent privacy and security. Poor IG, by contrast, shows up as overlays in the MPI, orphaned legacy systems no one can retire, and inconsistent retention that invites both over-retention risk and premature loss of needed records.

Records management (the operational handling of records) sits inside IG, which sits inside the broader enterprise information management strategy. For the RHIT, anchor the hierarchy: enterprise strategy → information governance → data governance and records management → the day-to-day controls of retention schedules, secure destruction, legal holds, metadata, and stewardship. Mastering this chain ties Data Content and Structure to every other domain on the exam.