Skip to main content

A framework for health information governance: a scoping review

Abstract

Background

As a newly emerged concept and a product of the twenty-first century, health information governance is expanding at a rapid rate. The necessity of information governance in the healthcare industry is evident, given the significance of health information and the current need to manage it. The objective of the present scoping review is to identify the dimensions and components of health information governance to discover how these factors impact the enhancement of healthcare systems and services.

Methods

PubMed, Scopus, Web of Science, ProQuest and the Google Scholar search engine were searched from inception to June 2024. Methodological study quality was assessed using CASP checklists for selected documents. Endnote 20 was utilized to select and review articles and manage references, and MAXQDA 2020 was used for content analysis.

Results

A total of 37 documents, including 18 review, 9 qualitative and 10 mixed-method studies, were identified by literature search. Based on the findings, six core categories (including health information governance goals, advantages and applications, principles, components or elements, roles and responsibilities and processes) and 48 subcategories were identified to form a unified general framework comprising all extracted dimensions and components.

Conclusions

Based on the findings of this scoping review, health information governance should be regarded as a necessity in the health systems of various countries to improve and achieve their goals, particularly in developing and underdeveloped countries. Moreover, in light of the undesirable effects of the coronavirus disease 2019 (COVID-19) pandemic in various countries, the development and implementation of health information governance models at organizational, national and international levels are among the pressing concerns. Researchers can use the present findings as a comprehensive model for developing health information governance models. A possible limitation of this study is our limited access to some databases.

Peer Review reports

Introduction

The value of information in the healthcare industry

The healthcare industry is rapidly evolving while many new demands are emerging, among which there is a fundamental need for accurate and applicable information [1]. The value and importance of information in health organizations stem from their dual missions and goals. Health data and patient information are regarded as valuable sources for researchers to enhance healthcare provision in terms of efficiency, safety and quality [2,3,4,5]. It is acknowledged that high-quality data and information facilitate high-quality care, accurate research, favorable patient outcomes, cost-effective risk assessment and strategic decision-making [6]. Consequently, managing and controlling data and information in health organizations are regarded as the core fundamental requirement in these organizations.

What is information governance?

Timely and effective management of crucial information constitutes a pillar of support for any organization [7]. In this regard, most organizations have devoted time and resources to the development of information governance systems to provide specific solutions at any time or location [7, 8]. The concept of information governance has been around since the early twentieth century when organizations began to develop effective and comprehensive management of data and information. Many consider it to be the effective management of knowledge assets [9, 10]. Information governance is an enterprise-wide accountability framework that promotes appropriate behavior when handling information-related matters [8, 10, 11]. This concept encompasses the processes, rules, standards and criteria that guarantee an organization’s effective and efficient use of information to achieve its goals. Information governance also encompasses the entire information life cycle, including how information is created, stored, used, archived and discarded. In addition, this concept determines who should have access to specific information when and how [1, 4, 6, 12,13,14,15].

Health information governance (HIG)

Information governance in the healthcare industry is a relatively new concept. Primary efforts in this field date back to 1997, when the National Health Service of England (NHS) developed the Caldicott Principles [3]. They initiated the practice of information governance in the health sector in 2002 [16]. Legal, regulatory and information security requirements shape the primary drivers for developing information governance programs in various organizations [16, 17]. In healthcare organizations, however, quality control and confidentiality of the ever-increasing volumes of information are crucial. Therefore, creating information governance programs is essential to improve care quality and achieve satisfactory results for patients and other stakeholders [1, 16].

The necessity of HIG

According to Smallwood: “Bad information [in health] means people could die.” [16]. The United States has the most expensive healthcare in the world; however, medical mistakes are the third reason for death in this country [18]. To explain the necessity of HIG, it is important to consider some experts’ opinions; Smallwood explained in 2019 that one possible reason for the over 250,000 people dying from medical mistakes each year in the U.S. [18] is poor information governance [16]. Moreover, Riegner believes that the cause of major failures and problems during the coronavirus disease 2019 (COVID-19) pandemic is the lack of global information governance [19]. Conversely, a recent book published by OCED Library highlights South Korea, one of the countries with the best results against COVID-19, has one of the strongest health data and information governance [20].

Information governance is essential for enhancing healthcare outcomes in several ways; accurate, reliable and current information greatly benefits population health and care provision by enabling better clinical decision-making and reducing medical mistakes [8, 16, 21]. An example is the electronic health record system that assists medical specialists in accessing information about a patient’s medications, allergies and more [22]. In addition, HIG enables seamless sharing of patient data among different healthcare providers, facilitating better care coordination, especially for patients with complex or chronic conditions who may see multiple specialists [23]. Furthermore, HIG can lead to (1) more efficient healthcare delivery through effective data management [24], (2) enhanced population health management by analyzing big data to identify trends, risk factors and opportunities for preventive care [25], (3) advancements in medical research and treatment protocols [26] and (4) empowerment of patients to play a more active role in their healthcare decisions [21, 24].

HIG best practices

Despite the brief history of HIG, numerous studies have emphasized its significance [16, 27]. In addition to England, some other countries, such as Canada, Australia and the United States, have developed and implemented HIG models [2]. Information Governance Principles for Healthcare (IGPHC) and the associated maturity model, developed in 2014 by the American Health Information Management Association (AHIMA), are among the most recent and comprehensive efforts in this field. IGPHC is a framework that includes eight fundamental principles for HIG [8, 28]. In addition, various models of HIG have been developed based on research reports. Each model introduces specific dimensions and components, mostly built upon the fundamental principles proposed by AHIMA. Slight nuances depend on the study background, aim and geographical location.

Objectives

Apart from the models presented and used by the pioneering countries, no other comprehensive resources were found for studying and obtaining ideas for using or developing novel models of HIG; indeed, despite the booming growth of the healthcare industry, concerns have been raised about the lack of information governance programs [2, 10, 16]. Therefore, the present study aims to:

  1. 1.

    Map the existing literature on HIG models to identify the types of models used by pioneering counties and explore the available resources for developing novel models.

  2. 2.

    Identify the dimensions and components of existing HIG models and identify any potential knowledge gaps.

  3. 3.

    Explore the relationship between HIG factors and the enhancement of healthcare systems and services.

By achieving these objectives, this scoping review will provide a clear understanding of the current landscape of HIG models and their impact on healthcare. It will also identify areas for further research and development of more comprehensive and effective HIG programs.

Methodology

This scoping review was conducted based on the five steps outlined by Arksey and O’Malley [29]: (1) formulating the research question, (2) searching for relevant literature, (3) selection of eligible studies, (4) data extraction and (5) analysing and describing the results. In addition, we followed the Preferred Reporting Items for Systematic Reviews and Meta-Analyses Extension for Scoping Reviews (PRISMA-ScR) reporting guidelines [30]. No protocol was registered for this review. The scoping review methodology was selected due to its relevance to the clarification of key concepts in literature and identifying key characteristics or factors related to the concept of HIG [31].

Search strategy and information sources

The search strategy for electronic databases was developed, piloted and refined by the team’s librarians. After finalizing our search in PubMed through an iterative process involving pilot tests, we completed a systematic search of PubMed, Scopus, Web of Science, ProQuest and Google Scholar for relevant published articles up to July 2022 and updated until June 2024; there was no time constraints for publications and records. Furthermore, the reference lists of all included studies were manually scanned to identify any relevant investigations suitable for inclusion. Search strategies by the following two categories of keywords using Boolean operators are presented in ‘Supplementary Table 1, Additional file 1’:

(1) (‘information governance’ OR ‘data governance’ OR ‘knowledge governance’ OR ‘information policy’).

AND (2) (health* OR medical OR clinical OR hospital*).

Eligibility criteria

The criteria for the inclusion and exclusion of articles are listed below (Table 1).

Table 1 Inclusion and exclusion criteria for articles

Study selection

After conducting a literature search, we imported the results into Endnote 20 (Thomson Reuters, New York, NY). Two reviewers used Endnote 20 to screen the articles. After removing duplicates, two reviewers independently read and reviewed the title and abstract of each document to determine if it met the inclusion criteria. Publications that were deemed potentially relevant were retrieved in full text and screened by two independent reviewers. Any disagreements between the reviewers were resolved through discussion. If consensus could not be reached, a third reviewer made the final decision.

Data quality assessment

After the selected articles were rechecked, two independent authors assessed each document using the CASP quality assessment checklists. We have used CASP checklists for review articles, case–control articles and qualitative research, which have 10, 12 and 10 questions, respectively. The validity, results and clinical relevance are the three main areas covered by CASP checklists [32]. We changed the possible answers for each item from yes or no to yes and no or unclear to reflect methodological quality (Supplementary Fig. 1, Additional file 1). All documents with a total score of six or more were considered as the research population. Two of the articles, which scored five, did not meet the required score. However, to prevent potential bias and to include a diverse range of related literature, the reviewers decided to include these articles in the final collection of selected articles.

Data extraction

Eventually, 37 articles underwent in-depth analysis and information extraction after their quality was confirmed. A data charting form was developed and the first 10 articles were piloted by the reviewers. Data extracted included study characteristics (first author, year, country of affiliation, article type, study setting), type of health governance investigated and the summary of the findings. Excel-formatted integrated data charting form was used to compare, combine and classify the results and findings. Data were extracted by a single reviewer and validated by the second reviewer. If any disagreement happened, it was resolved by discussion.

Statistical analysis

The content analysis results of the reviewed articles were arranged in chronological order, and the qualitative data analysis software MAXQDA 2020 was used for the thematic analysis of the findings to achieve more accurate results and to extract valid and documented themes. MAXQDA is suitable for content analysis due to its strong coding capabilities, powerful visual tools, advanced search features and sharing and collaboration features [33]. We primarily have used this software for its ability to share data among reviewers, visually organize codes (especially important due to the wide range and complexity of our study’s data) and help to identify key themes. To prevent any bias, we manually coded the literature and did not use electronic coding tools in MAXQDA to generate the codes. The codes were generated based on the concepts in the text. Then, related codes were grouped together based on their similarities and differences and labelled to form descriptive themes. The main themes were then identified. Data analysis and grouping were independently carried out by two reviewers. Any discrepancies were resolved through discussion with a third reviewer.

Results

Search results

The initial database search resulted in the retrieval of 3955 records. After eliminating inappropriate documents, remaining 37 titles aligned with the objectives were chosen for in-depth inspection, extraction of the dimensions and components and content analysis (see Fig. 1).

Fig. 1
figure 1

PRISMA flow diagram of included studies

Publication characteristics

The characteristics of the articles reviewed are summarized in ‘Supplementary Table 2, Additional file 1.’ The publication date of the chosen articles fell between 2003 and 2024 despite the absence of a certain time limit during the document search phase. The majority of the articles (over 70%) were published between 2011 and 2020. Additionally, the fewest articles were published between 2003 and 2010. The document types were review, mixed-methods and qualitative, respectively. In a scoping review, a wide range of articles can be included, such as review articles, as selected sources. Using a variety of sources can help provide a more comprehensive and in-depth view of the topic under discussion [34,35,36,37]. In most articles, the data collection tool was a literature review, an interview guide, a questionnaire, a data collection (charting) form, or a combination of these. Furthermore, there were eight articles where no information was available about the data collection tool, and these were labelled as ‘not specified’. More than 60% of the articles analysed their data using the content analysis method. Descriptive statistics, inferential statistics, framework analysis and thematic analysis were the other used data analysis methods. Additionally, seven articles did not demonstrate their analysing method, labelled as ‘not specified’ in the table. Sixteen of the Included studies dealt with information governance, 12 with data governance, and the remaining nine examined various aspects of health-related IT governance, digital data governance, indigenous data governance, clinical governance and information security governance.

Findings

The process of classifying and codifying the results yielded six themes or main components (including information governance goals, applications of information governance, principles, components or elements, roles and responsibilities and information governance processes) (Fig. 2).

Fig. 2
figure 2

HIG main components

The goals of information governance in the health system

The first theme extracted from the literature review introduced ‘the goals of HIG’ based on the needs of the health system and information governance stakeholders (see Table 2).

Table 2 Health information governance goals

According to the results, ‘providing high-quality health care’ is the primary goal of health information governance. This goal can subsume and serve as a precondition for the other goals. Effective and efficient management leads to high-quality care, which in turn generates high-quality data, boosts productivity and lowers healthcare costs [6, 38,39,40]. Numerous studies have emphasized that access, security and privacy of highly sensitive health data and information are among the most important goals of HIG [6, 22, 40, 41, 44, 47]. According to our findings, the common objectives of HIG programs in various contexts are aligned with the organizational objectives of healthcare systems, which ultimately lead to client satisfaction and trust. Several studies have stated that gaining and maintaining the clients’ trust is the ultimate goal of HIG and its effectiveness [22, 41, 42, 44, 45, 48].

Advantages and applications of HIG

The second theme derived from the review includes their ‘advantages and applications’, which are related to the system goals and contribute to the realization of those goals. Table 3 presents five primary applications of the HIG systems and their respective constituents.

Table 3 Primary applications of the health information governance
Cost reduction and economic improvement

The first identified category in the theme of advantages and applications of HIG, can be viewed as an application and primary goal not only in health organizations but in all organizations that use information governance programs. This theme is divided into eight subcategories, such as ‘savings in service provision, resource allocation and procurement, time and information costs’ [8, 22, 38, 39, 49, 51, 52]. These categories ultimately emerge within the eighth subcategory labelled ‘business intelligence’ [38]. In fact, business intelligence can be viewed as a concept encompassing the seven preceding subcategories.

Improved quality of and access to healthcare services

According to the second category identified under the advantages and applications, HIG can improve the quality of service delivery in diverse ways within health organizations: planning for the management and optimization of community health by increasing the potential for high-quality health service delivery and fair access to services for different segments of society, improving the ability to follow up on high-quality results, increasing cooperation and interaction with doctors and, thus, reducing medical errors, improving and optimizing the health services received by patients, enhancing the efficiency and effectiveness from various perspectives as regards the health organizations services and interaction with all potential stakeholders, as well as identifying defects and risk management [8, 22, 38, 39, 49].

Management and policymaking at different levels of healthcare organizations

The present study divided the levels of health care organizations for managing and policymaking into macro levels, inter-organizational and organizational levels. At the macro-organizational level, HIG leads to the planning, determination and implementation of rules, policies and standards. Moreover, the specification of roles and responsibilities, approaches related to medical equipment management, restrictions on information access and decision-making processes are among the additional advantages of information governance at the macro level of healthcare organizations [8, 22, 38, 39]. One of the benefits of HIG in inter-organizational management is the monitoring and assessing compliance with rules, as well as the cooperation and competition between organizations [22, 40, 49]. Finally, issues such as improving organizational performance, supporting strategic decisions, resource management, reducing repetitive actions and enhancing patient interaction have been cited as benefits of HIG at the basic organizational level [8, 22, 45, 51].

‘Creation of a culture of trust’ and ‘Information and knowledge management’

These are the last two categories identified in relation to the advantages and applications in the present study. Among the subcategories associated with the theme of establishing a ‘culture of trust’ are the ‘sharing of data and information’ and the ‘consideration of privacy, security and reliability’ [8, 40, 45, 51]. In the realm of ‘information and knowledge management’, data and knowledge are treated as assets, and their potential benefits to an organization are discussed at length. These benefits include, but are not limited to, increased productivity, better decision-making and new avenues for health research [8, 22, 51, 52].

In reviewing the selected studies, we found a consensus regarding the applications of HIG programs; in fact, most studies have mentioned all five applications listed in the table, along with the corresponding components, the only differences being in their scope and depth. The compatibility of applications with the stated HIG goals and definitions is one of the most important aspects of this section’s findings. Gartner’s definition pertains to the applications of information management and the establishment of a culture of trust, which includes roles, policies, standards and criteria that considers effective use of information as a prerequisite for ensuring the achievement of organizational goals [22, 55]. Smallwood also included the accuracy and security of the data in his definition [6, 16]. Donaldson and Walker introduced information governance in 2004 as an organization-wide movement towards confidentiality, integrity and secure access to information [55]. In addition, Panian’s (2010) definition emphasizes adopting management and policy applications, fostering a culture of trust and enhancing the quality and accessibility of healthcare services [43]. The Association of Records Managers and Administrators (ARMA) highlights the policy and management aspects of information governance [39]. Additionally, the AHIMA has pinpointed the importance of information management in the health sector, as reflected in Briggs’ (2013) definition [39].

HIG principles

The principles of HIG, comprising 13 components, emerged as the third theme in this analysis. In this regard, the majority of reviewed studies reflected a consensus. These principles are presented in Table 4.

Table 4 Principles of health information governance

The eight IGPHC principles developed by AHIMA are accountability, transparency, integrity, protection, compliance, availability, retention and disposal [6, 8, 49, 56, 57, 59, 65]. In addition to these eight principles, the developed HIG programs have also developed concepts such as consent, participation, continuous quality improvement, independence and justice and effectiveness and efficiency. In practice, however, there are minor differences in the principles based on the goals and approaches of the programs.

Transparency

The first category under the principles theme is transparency, which presents all decisions, policies and measures related to the use of data in a way that is accessible to stakeholders and the public in an effort to gain and maintain trust [6, 8, 40, 44, 56]. However, it is emphasized that maintaining the confidentiality and controlling access to confidential information does not conflict with transparency, and healthcare organizations should consider their obligations in this regard [56].

Accountability

‘Accountability’ is predicated on the presence of a senior leader who should assist various groups in developing, implementing and updating a comprehensive HIG program [56]. Two applicable digital health governance principles, noted by Marcelo et al. [38], are ‘responsibility and accountability’, where an accountable person is defined as someone who is responsible for making decisions and taking actions related to digital health. The principle of accountability also involves digital health responsiveness to the health system priorities and its ability to balance the competing needs of various stakeholders [38]. Laurie and Sethi have defined responsibility and accountability as fundamental principles in the framework of good health governance. According to their view, this principle refers to the responsible use of health data in scientific studies directed by the goals of the relevant organizations and includes 15 key subareas [46].

Integrity

The third principle of HIG identified in this study is ‘integrity’, ensuring a reasonable and adequate level of information authenticity and reliability for the organization. This principle seeks to ensure the accuracy of information through the design and implementation of governance processes and procedures that govern the production, use and maintenance of information [40, 57, 58].

Protection

‘Protection’ is the fourth category under the theme of HIG principles. It involves ensuring the confidentiality and security of sensitive information, which is essential for strong information governance programs. In various studies, it is emphasized as protection [6, 40, 57, 61, 62, 65], confidentiality [38] or security and confidentiality [58]. According to the principle of protection, information has varying degrees of sensitivity that must be classified and safeguarded throughout its lifetime. Additionally, this information must be protected at the source and throughout the ecosystem of the healthcare organization [57]. The six principles developed by the Caldicott Committee address the use of patients’ personal data and compliance with their security and confidentiality, demonstrating the significance of health data protection [60, 66]. Also, protection is regarded as an essential component of the digital health governance [38, 64].

Compliance

The next principle is ‘compliance’, which requires the information governance system to operate legally and ethically. Neglecting compliance can result in the organization’s inability to deliver quality services [59]. In line with the compliance principle, Willison et al. developed the principle of obedience to the rule of law to gain and maintain public trust [44]. The same definition further highlights the importance of compliance with the rule of law in digital health governance [38].

Availability

In theory, the most important goal of availability is to gain the organization’s trust, as a lack of access to the right information at the right time can put patient care at risk [59]. Marcelo et al. believe that timely access to reliable and high-quality health data improves the surveillance of infectious diseases, enables more targeted allocation of health resources, expedites the response to the community’s healthcare needs and facilitates the monitoring of care quality [38].

Retention and disposal

The ‘retention’ principle can contribute significantly to the success of HIG programs. An organization’s ability to maintain all the necessary information is of utmost importance in light of the fact that organizations produce and store vast amounts of data (mostly electronically) [65]. Retention is one of the accentuated principles in NHS’s HOURS model [58]. Part of the principles of digital data governance refers to the establishment of an independent, long-term data storage and management program [64], which contrasts with HIG’s principle of retention in certain ways. To reduce potential losses and expenses, IGPHC states that certain types of data must be deleted after their retention periods have expired [65]. This highlights the importance of ‘disposal’ as the next HIG principle. Based on this principle, information has a shelf life, and when the organization no longer requires it, it becomes a burden and must be disposed of in accordance with the rules of the retention plan [65].

Consent

‘Consent’ is a route for voicing preferences and the need for being treated with dignity [40]. If consent cannot be obtained for the use of personal data, according to Laurie and Sethi, two specific actions can be taken: anonymizing the data as much reasonably as possible and obtaining permission from an appropriate regulatory body [46]. Anonymization involves removing clients’ identity information from data sets to protect privacy so that they can be used legally for other legitimate purposes [47].

Participation

‘Participation’ is a further category identified in this review under the principles theme, by which anyone affected by the health sector decisions can make their own contributions to this process [38]. When individuals are unable to make decisions about their personal information, it is crucial for them, including patients and other stakeholders, to have the opportunity to have input throughout the governance process [44]. The primary objective is to gain and maintain the stakeholders’ trust.

Continuous quality improvement, independence and effectiveness

According to the ‘continuous quality improvement’ principle, the process of information governance deals with the provision of accurate and up-to-date data and services to establish and uphold trust [44, 51, 64]. Impartiality, fairness, independence and inclusiveness, with the same objective as the quality improvement principle, are intertwined with the fair presentation of the information governance program’s benefits [38, 44]. Finally, ‘effectiveness and efficiency’ were the last category identified in the theme of principles in HIG, which deals with ensuring the fulfilment of the organization’s comprehensive goals and its efficiency in obtaining the highest efficiency as a result of its activities. The ultimate goal of this principle is to gain and maintain the stakeholders’ trust and achieve the organization’s business goals [38, 44].

HIG components or elements

The fourth theme resulting from the study review (i.e. HIG components or elements) consists of 11 components that characterize the fundamental components of information governance models according to the established principles (Table 5).

Table 5 Components or elements of health information governance
Rules, standards and policies

The focus of HIG programs is on the categories of laws, standards and policies, which have been occasionally discussed either as distinct categories or complementary components in some studies. Due to their fundamental proximity and alignment, ‘laws and standards’ were determined to be the first category in this study, followed by ‘policies and guidelines’. Legal requirements and standards are also introduced as the fundamental components of information governance in the ARMA and AHIMA definitions [39, 49]. The Data Governance Institute (DGI) has introduced the laws and rules of interaction, which include policies and standards, as one of its three core categories of governance components in data governance [6]. In addition, other studies have identified legal requirements, policies, standards and implementation of standards as the principal components of HIG programs [48, 54, 61, 62].

Compliance with information governance policies and procedures enables healthcare organizations to meet legal and regulatory requirements and ensures the safety and quality of patient care [57]. Consequently, policies and strategies may be conceived as including rules and standards, the prominent aspects of which may include data protection, freedom of information, confidentiality and information security. Other categories of interest are document and records management, policy for determining the responsibilities of key stakeholders, operational and training directives, the framework for organizational costs, policies related to setting objectives and developing strategic plans [6, 40, 49, 53, 62, 63, 67].

Information management

‘Information management’ addresses the management of the life cycle of information, from production to disposal, which is a crucial issue for health organizations and all organizations. Information management can handle the entire life cycle of information, including how to create, store, use and archive information. In addition, information management determines who should have access to particular information, when and how [6]. Notably, ‘document management’ and ‘quality assurance’ are listed as one of the subcategories of information management in the current study, because information management can also encompass documents. In addition, information life cycle management comprises the following steps: generation and collection, analysis, access and use, storage and organization, dissemination, disposal, exchange, quality management and integrity of information [22, 39, 50].

The remaining three categories in the current study introduced as essential categories for HIG elements are the governance program types. Due to the expansive nature of the concept of information governance, data governance, IT governance and information security governance are introduced as the subsets of information governance in several studies. Moreover, it has been acknowledged that the umbrella term ‘information governance’ subsumes these three governance concepts [22, 40, 49, 58, 62].

Data governance

Data governance is the processes, policies, standards and technologies necessary for an organization to manage and ensure data availability, quality, consistency, auditability and security [43]. Data managers establish policies and procedures governing the definition, accessibility, protection, archiving, ownership and integrity of data to ensure the precision and security of them [6, 16, 52]. Furthermore, since health data is the foundation of any governance process, it is logical to prioritize data governance as one of the primary categories within the HIG elements theme.

Information technology governance

Dong et al. have emphasized that information governance and information technology governance are inseparable in nature. Effective information governance programs require IT assistance to manage information governance policies and processes, engage stakeholders and guarantee data quality. Additionally, information in the IT sector is crucial for identifying the appropriate technology that can support information governance, and technology investments should support the mission and vision of information governance [6]. According to Datskovsky et al., information cannot be trusted unless the technology infrastructure on which it is created, used, maintained and stored is reliable by itself [57]. The category of information technology governance in this study differs from other studies [40, 57] in treating information technology management as a subcategory of information technology governance. This is because the information technology governance category encompasses all other aspects of the concept of information technology management.

Information security governance and risk management

‘Information security governance’ is the third aspect of governance patterns identified in the current study as one of the categories related to the theme of HIG elements. The objective of information security governance in healthcare is to safeguard all health-related data to ensure their confidentiality, availability and integrity. This is crucial to maintain business continuity, reduce risks and demonstrate best practices and compliance [62]. Furthermore, information security governance tended to fully incorporate information security management in an attempt to comply with legal and professional requirements [62]. The first part of the Information Security Management Standard in the NHS HOURS series highlights the information security best practices such as security policy, security organization, asset classification, control, communication, operations, management, access control, systems development and maintenance, business management and compliance. Numerous studies have repeatedly referred to information security aspects, either as a separate category or in conjunction with such categories as laws, policies and standards [39, 51, 58, 60, 62, 66]. Some studies have also recommended information security as a subcategory of risk management [22, 39, 40, 49, 53, 57, 60, 62, 66]. Information security is ascertained as a distinct category from risk management in the present investigation due to its high rate of sensitivity and salience as well as the increasing emphasis on these two facets of information governance. Risk assessment is a security process that entails considering potential threats and risks to data, creating policies and procedures for security officials and other staff to follow and designing appropriate protective measures in the healthcare sector [62]. Recommended methods for risk management involve clear reporting culture, regular risk recording, risk reduction in patient-related processes, quality impact assessments, continuous risk reduction, service speed and scale development and innovation and transformation [53].

Human resource

‘Human resource management’ is another category identified as an element of HIG models that encompasses all processes related to employees and human resources; it is also regarded as an essential and valuable aspect for both the health sector and other organizations. Among the significant issues that must be addressed in this category are employee knowledge and skills, knowledge expansion and training and strategic orientation [50, 53, 54, 62]. In addition, time management and the optimal utilization of employees’ knowledge, skills and competencies are considered as important factors in this field [53]. This category has a direct relationship with the principle of compliance, as workforce training enables individuals to align their activities with policies and help appreciate their significance [57]. Alternatives for participation and consensus may include open meetings, public workshops, national associations, advisory committees, satisfaction surveys, conferences and national health associations [53].

Quality management

In light of the significance of assuring the quality and integrity of healthcare information [22], the next theme of the elements of HIG patterns is ‘the quality management’, which can be characterized by factors such as reducing and adjusting mortality data, improving clinical results, improving research results, positive patient feedback, providing fruitful services and enhancing the treatment goals for appropriate and timely care [53]. Notably, adhering to information governance policies and procedures can assist the organizations in meeting legal requirements and ensuring the safety and quality of patient care [57].

Project and change management

Since the modern era necessitates routine monitoring of the organizational structures and infrastructures [57] to identify and modify possible shortcomings and lower the rate of related risks, ‘the project management and change’ category emerged in the present study as a defining category within the elements of HIG. This category is a combination of ‘the monitoring category’ and ‘audit and change management category’ Rouzbahani et al. [40] reported in their study; in the present study, it is merged into a single component due to overlapping major themes.

Audits

‘The audit category’ is the final category mentioned in the theme of the elements of HIG patterns identified in the current review. In addition to emphasizing the financial and commercial aspects of the organization, this category documents the information-related activities, thereby enhancing the reliability and integrity of the desired information [57]. Better system performance and gaining the satisfaction and trust of stakeholders are the end results of audit cycles in the areas of service provision, financial affairs, research results and information assets, as well as audits of changes adopted in practice.

Roles and responsibilities (of individuals) in HIG programs

Officials, policymakers and executives make up the backbone of ‘the roles and responsibilities’ theme. Table 6 describes the levels and responsibilities of each official, as well as their respective duties.

Table 6 Roles and responsibilities in health information governance programs

Based on the present study, the roles and responsibilities of HIG are presented separately at three organizational levels, as shown in Figs. 3, 4 and 5.

Fig. 3
figure 3

Roles and responsibilities at the organizational senior level

Fig. 4
figure 4

Roles and responsibilities at the organizational middle level

Fig. 5
figure 5

Roles and responsibilities at the organizational operational level

Senior level

The executive director is the first and most crucial role at the senior level. This position is central to the accountability principle of the HIG program and is regarded as the primary position accountable for the program’s design and implementation [56]. Baskaran et al. believe that information governance principles should be communicated downward through a more robust leadership structure than at the board level [68]. The key responsibilities of executive director include: ensuring timely and budget-conscious project completion, taking responsibility for regulatory compliance policies and, most importantly, overseeing the development, implementation and revision of policies and procedures to maintain the organization’s integrity [22, 40, 69]. Chief Executive Officers, Chief Information Officers, Chief Legal Officers and Chief Medical Officers are examples of executive directors who may be accountable for smaller task-related departments [56].

In most cases, the second role and responsibility at the organization’s senior level falls on the senior director of the information governance program. In some studies, this position is referred to as the Caldicott guardian [66, 67], who is typically a senior expert in the health field and has the most significant responsibility for protecting the confidentiality of patient information.

The third senior-level role is the core team with executive leadership, composed of representatives from clinical, business and technology domains. This group is responsible for making final decisions on proposed policy or procedure changes and ensuring the proper resolution of operational or data issues [22, 40]. Principal members oversee the decision-making principles and protocols, organizational barriers, expansion and strengthening of partnerships and interaction with institutions, the needs of stakeholders, as well as the implementation of governance mechanisms [52, 70].

Senior information risk management is the final role identified in the present study for the organization’s senior level. This role, also known as the manager of information-threatening risks, is highly reliant on the regulations and policies of countries. There is a critical emphasis on the importance of stressing context-specific confidentiality and information security protection [49, 67].

Middle-level

Managers of organizational information governance must foster an environment conducive to change and provide employees with precise descriptions of individual responsibilities and penalties for violations. In addition, these managers are responsible for assessing the efficacy of training on information governance and identifying the training needs of employees [68]. Data steward [22, 69], data manager or controller [40] and data protection officer [66, 67] are all terms that have been used to refer to the role of data manager. The data manager or steward reports to superiors on all matters concerning data protection. Among these factors, we can mention information governance risks for the organization, privacy concerns and suggestions for potential changes or updates involving personal data processing [67]. Management of information assets or owners of information assets deals specifically with managing people’s information assets and ensures compliance with policies and laws pertaining to their protection.

Information technology management [22, 67], managing the legal and financial department [22, 68] and quality and compliance management [22] are a few examples of roles at the middle level of an organization sporadically mentioned in various studies. The definition of each responsibility depends on each organization’s context and target policies. Information technology management is responsible for developing and implementing appropriate information security methods and protocols to ensure compliance with data protection laws [67].

Operational-level

The operational level is the third and final organizational level identified in this review, which consists of operations managers and employees who, in practice, must abide by the laws and policies of HIG in conducting their tasks and execute and implement the principles of information governance at this organizational level [40, 67, 68].

Processes in HIG programs

‘The process’, as the final theme emerging from the present review, is a lesser-studied and less-mentioned component of HIG programs. What appears to be the root cause of this phenomenon is the dependence of the process dimensions to the geographical, activity, goal and organizational contexts in which the HIG program is being developed. Renaud’s point of view can be used to corroborate this assertion; he thinks the process is more similar to a delicate tool that needs to be built with care, deployed selectively and used under close supervision in a supportive setting so that human elements are not dehumanized [55]. Therefore, one could argue that the definition of a process and procedure in information governance and HIG programs depends on the activity’s context, the desired field and the organization’s policies. Indeed, it is impossible to determine a fixed and specific procedure for all programs of HIG. The current review has identified four core categories and nine subcategories within the theme of HIG processes based on different processes narrowly developed and reported in previous studies (Table 7). These core categories and subcategories have specified the development and implementation of the information governance program in a comprehensive manner. Policy making, decision-making, planning and implementation begin with an objective assessment of relevant factors such as assets, risk, capability and criteria and progress by a logical sequence that culminates in the monitoring of outcomes following policy implementation and outcome monitoring [6, 38, 55, 62].

Table 7 Health information governance processes

Discussion

This review compiled and analysed previous research on HIG-related programs in an effort to unravel its various facets and constituents. The objective was providing a comprehensive picture of the studies conducted and the programs developed, as well as suggesting a framework encompassing all existing dimensions. The study was conducted with 37 articles selected from the review of related studies, and the results led to the development of six core categories and 48 subcategories for HIG programs. Figure 6 provides a summary of the findings from the review of the articles.

Fig. 6
figure 6

Summary of dimensions and components of HIG programs

The first theme derived from the review of studies identifies ‘the HIG goals’, comprising six subcategories: providing quality healthcare, providing affordable health services, ensuring equitable access to healthcare information and services, preserving data security, meeting legal obligations and fostering trust. Smallwood defines information governance as ‘comprehensive policies and processes to optimize and use information while keeping it secure and complying with legal and privacy obligations, in line with stated organizational business goals.’ [16] Moreover, according to Willison et al., the three primary objectives of HIG are to optimize the use of data to achieve business objectives, to maintain data security and to comply with legal and privacy requirements. In addition, gaining and maintaining the trust of patients, stakeholders, data providers and the general public are described as the objectives for using data in public interest research [44]. According to Kadlec, the main objective of HIG programs is to proactively and effectively manage the increasing volume of information collected and maintained daily [22]. Various studies have pointed to broader goals for HIG programs, such as improving and maintaining the health of the community [38], establishing effective and efficient management of information, improving productivity and effectiveness of services [39], enhancing the desire to maintain a competitive advantage, ensuring better performance and results of organizations and promptly responding to information requests [22]. As reflected by the focal points of the studies as well as goals focused on local and specific fields and after eliminating some overlaps, the current study has identified six comprehensive goals as categories associated with this theme.

The second theme derived from the studies analysed in this review is ‘the advantages and applications of HIG’, comprised five core categories and 39 subcategories. The core areas of focus for this theme are ‘cost containment and economic growth’, ‘healthcare quality and availability’, ‘healthcare management and policymaking at the macro, inter-organizational and organizational levels’, ‘trust building’ and ‘knowledge management’. It is conceivable that the benefits and applications of HIG are logically consistent with the goals of these programs, and the existence of some overlap between these two primary categories is not unanticipated. In his study, Kloss argues that improving organizational performance, reducing costs, and minimizing risks are the true benefits of information governance in organizations [71]. Moreover, according to Willison and colleagues, the expectations and, consequently, the applications of HIG programs from the users’ perspective fall into three primary categories: meeting expectations regarding how to perform and provide services, gaining trust in institutions and individuals, and creating belief in the accuracy and value of health services [44]. Rouzbahani et al. categorized the applications of HIG programs into six categories: improving healthcare and patient safety, reducing costs, enhancing the quality of health information, improving the security and confidentiality of health information, enhancing health information management and boosting the management of healthcare organizations [39]. Additionally, the results of AHIMA’s case studies identified some other applications of the HIG program’s used by the investigated centres [52]. The review of the current literature and the examination of the extracted categories indicate the breadth and frequency of applications and benefits of HIG. Given the young age of governance programs in the health field, it can be acknowledged that some potential benefits have not yet been identified. Therefore, it is anticipated that by expanding the application and use of this important strategy, additional benefits will be identified and implemented over time.

The third theme identified from the present review concerns ‘HIG principles’, with 13 categories as follows: transparency, accountability, integrity, protection, compliance, availability, retention, disposal, consent, participation, continuous quality improvement, independence and justice and effectiveness and efficiency. It is acknowledged that the theme of principles and related categories provide a comprehensive set of common speech and behavioural points for a diverse range of HIG program beneficiaries, allowing everyone to progress in line with the information governance project [8]. The first eight categories were those developed by AHIMA, regarded as fundamental principles in most of the previous studies; the rest of the categories were cumulatively added to literature over time. These principles are among the fundamental topics that have been investigated by research and developed as models of information governance. Accountability, participation and transparency have been cited as principles of health governance by Ibrahimova and Korjonen [53]. Likewise, Lauriea et al. emphasized the principles of transparency and consent as obvious criteria for protecting privacy [47]. Informed by the conceptual work of Lauriea and Sethi, Willison et al. developed eight principles for their governance model: transparency, accountability, obedience to the rule of law, honesty, participation and inclusion, impartiality and independence, effectiveness and accountability and continuous quality improvement [44]. In addition, Rouzbahani et al. have presented a model comprising 12 HIG principles [40]. In the present study, the categories associated with the theme of HIG principles are presented as exhaustively as possible by incorporating all categories highlighted in literature and models developed, as well as by eliminating their likely overlaps with other categories close to other themes or specific domains. Notably, ethical principles are emphasized alongside professional principles in HIG models, with no weighting or differentiation between the categories presented [56, 59, 67].

‘Components or elements of HIG programs’ is the fourth theme identified in the present review, with 11 distinct categories: laws and standards, policies and guidelines, information management, data governance, information technology governance, information security governance, management risk, human resource management, quality management, project and change management and auditing. In his article, Kadlec introduced several HIG components considered by AHIMA, including quality management, regulations, risk reduction, patient participation and business intelligence [22]. Williams considered audit and control, risk management and compliance to be essential components of information governance [62]. Rouzbahani et al. have introduced 13 elements as HIG model components [40]. Ibrajimova and Korjonen noted seven components of clinical governance, including patient participation, staff management, clinical effectiveness, use of information and information technology, education, risk management and audit, in relation to other governance programs [53]. In the present review, an attempt was made to consider all these categories associated with elements of HIG programs, and it appeared that all these elements indeed played a determining role. Given the scope of the introduced elements, it is reasonable to conclude that HIG, as an all-encompassing strategy and umbrella term, embraces other governance programs.

The fifth theme associated with HIG programs is ‘the roles and responsibilities’, denoting the introduction of HIG officials and policymakers at three organizational levels: senior, middle and operational levels. At the senior level, four categories and their respective responsibilities are identified: executive director, senior information governance program manager, core team and senior information risk manager. The middle organizational level includes the categories of the information asset manager, data manager and organizational information governance manager. The operational level of an organization consists of operations managers and employees. According to the model proposed and developed by Baskaran et al., the information governance hierarchy consists of six levels: executive director, financial and functional manager, information governance manager, team leaders of operations management, line managers and employees [68]. Rouzbahani et al. developed a model for Iran’s HIG and incorporated 14 roles and responsibilities into this model, with the Minister of Health assuming the highest role [40]. Haarbrandt et al. introduced the HiGHmed governance platform, where some of the roles considered included the executive board, supervisory board, technical coordination board, project management office, educational board, support and access committee, ethics working group, advisory board and the general assembly [70]. With a different view, Ibragimova and Korjonen detailed three groups of library activities that supported clinical and health governance in healthcare organizations: infrastructure (staff and resources); program management (library products and services); and direct participation (needs assessment, committees, audits, HTA, etc.) [53]. Given that the introduced studies developed their models in distinct domains, the disparity in the hierarchy of responsibilities seems reasonable. The current literature review introduces three levels and nine roles for HIG officials and policymakers, which are the sets of categories introduced in the reviewed studies after eliminating duplicate items and merging the overlapping items.

The final theme introduced in this literature review is that of ‘the processes’ by which HIG programs are developed, implemented and monitored. The associated categories are assessing strategic options, formulating policies, developing plans and tracking progress. In addition, nine subcategories were identified, including asset assessment, risk assessment, capability assessment, criterion assessment, policy development and implementation, internal and external validation, monitoring and change management, stakeholder support, results assessment and reporting. Several studies have described various processes linked to the developed programs in a very limited manner. Governance processes identified in the study by Marcelo et al. include policy and decision-making, planning, resource allocation, coordination and monitoring and evaluation [38]. While asset identification, risk assessment, policy implementation, capability assessment, procedure development, protection and compatibility, criteria assessment and possible external validation are among the six processes introduced by Williams [62], Dong et al. have introduced eight further key processes for information governance: data element definition, data integration, information sharing and accountability, information to information and information from information [6]. Although ‘the processes’ constitute an integral part of HIG programs, it has received less attention than other principles in academic research, because ‘the process’ is highly dependent on the location, activity, goals and overall vision of the organization in which the HIG program is being developed and implemented.

Conclusions

Despite its short history, health information governance has been the focus of several studies which have emphasized its significance, value and necessity. In fact, the development and implementation of national HIG models, particularly in developed nations, is evidence of this claim. The conclusions drawn from a review of the present articles reflect a number of specific aspects. Primarily, the extent and diversity of HIG-related dimensions and components are quite extensive, due to the fact that information governance encompasses the entire health system in the desired area, taking into account all advantages and disadvantages, with the goal of improving the system. Therefore, it requires the experts’ consideration in order to develop impeccable models that function as comprehensively as possible. Second, due to the unique significance and sensitivity of the information within the health organizations, the need to develop HIG models and programs becomes evident, particularly in the present age. Therefore, it can be concluded that developing and underdeveloped nations require the development of information governance models to manage and optimally utilize their health data and information to achieve the national health system goals. Finally, as the COVID-19 pandemic has led to unprecedented death toll since 2020, it appears logical to develop HIG models in order to maintain health system preparation for potential crises in future and to help prevent such tragic outbreaks. For the development of organizational, national and international models, it is our hope that the current literature review serve as a tentative road map and a comprehensive overview by describing the general framework of existing HIG models developed by experts and scientists.

Limitations

Although the scoping review is a valuable tool for comprehensively examining a broad topic such as HIG, it is essential to note the following possible limitations:

  1. 1.

    A scoping review provides an overview of the dimensions and components of the subject. However, a deeper understanding of these dimensions and components may require more focused studies.

  2. 2.

    The findings from the scoping review may not directly address a specific problem or answer a focused question.

  3. 3.

    We encountered difficulties for accessing some databases, but we made a comprehensive effort to search for articles in as many databases as possible.

  4. 4.

    The study tried to include different types of articles to prevent potential bias.

Additionally, it is important to consider that various factors such as technology, policy, regulation and health system structure influence the HIG landscape and related definitions. Therefore, these definitions may vary depending on the context.

The statistical analysis tool used in the study was not considered a limitation, as our purpose was to organize and structure the studies to more accurately identify the concepts. It is also worth noting that the authors manually coded the entire process in the software.

Availability of data and materials

All data generated or analysed during this study are included in this published article [and its supplementary information files].

References

  1. Kadlec L. Coming soon to your healthcare facility: Information governance. A look at healthcare information governance trends through practical case studies. J AHIMA. 2014;85(8):26–32.

    PubMed  Google Scholar 

  2. Hovenga EJ, Grain H. Health information governance in a digital environment. Ios Press; 2013. (ISBN: 97816149929162912).

    Google Scholar 

  3. Caldicott F. Information: To share or not to share. Information governance review. Health Do; 2013. http://collections.crest.ac.uk/id/eprint/9560

  4. Warner D. IG 101: What is information governance? Jurnal Of AHIMA; 2013. https://journal.ahima.org/page/ig-101-what-is-information-governance

  5. Pierotti D, Meehan A. Information governance: an interview with Ann Meehan. RHIA Home Healthc Now. 2017;35(7):402–3. https://doi.org/10.1097/nhh.0000000000000566.

    Article  PubMed  Google Scholar 

  6. Dong L, Keshavjee K. Why is information governance important for electronic healthcare systems? A Canadian experience. J Adv Hum Soc Sci. 2016;2(5):250–60. https://doi.org/10.20474/jahss-2.5.1.

    Article  Google Scholar 

  7. Dogiparthi H. History of information governance. Cumberlands: University of the Cumberlands; 2018. p. 1–20.

    Google Scholar 

  8. Empel S. The way forward. AIHMA develops information governance principles to lead healthcare toward better data management. J Ahima. 2014;85(10):30–2 (quiz 4).

    PubMed  Google Scholar 

  9. Butler M. Keeping information clean: new information governance efforts challenge HIM to sort out dirty data. J AHIMA. 2013;84(11):28–31.

    PubMed  Google Scholar 

  10. Ellington NN. Impact information governance has on healthcare organizations: University of Tennessee Health Science Center; 2018. https://core.ac.uk/download/pdf/234018953.pdf

  11. Beach T, Rana O, Rezgui Y, Parashar M. Governance model for cloud computing in building information management. IEEE Trans Serv Comput. 2013;8(2):314–27. https://doi.org/10.1109/TSC.2013.50.

    Article  Google Scholar 

  12. Kwan H, Riley M, Prasad N, Robinson K. An investigation of the status and maturity of hospitals’ health information governance in Victoria. Aust Health Inf Manag J. 2020. https://doi.org/10.1177/1833358320938309.

    Article  Google Scholar 

  13. Kooper MN, Maes R, Lindgreen ER. On the governance of information: introducing a new concept of governance to support the management of information. Int J Inf Manage. 2011;31(3):195–200. https://doi.org/10.1016/j.ijinfomgt.2010.05.009.

    Article  Google Scholar 

  14. Proença D, Vieira R, Borbinha J. Information governance maturity model. Springer International Publishing Switzerland; 2016. https://doi.org/10.1007/978-3-319-43997-6_2.

    Book  Google Scholar 

  15. Bunker D, Ehnis C, Seltsikas P, Levine L, editors. Crisis management and social media: Assuring effective information governance for long term social sustainability. In: IEEE international conference on technologies for homeland security (HST) . IEEE; 2013. https://doi.org/10.1109/THS.2013.6699008

  16. Smallwood RF. Information governance for healthcare professionals: a practical approach. Boca Raton: Routledge/CRC Press, Taylor & Francis Group; 2019. (978-0-203-70524-7).

    Book  Google Scholar 

  17. Maxcer C. Measuring success of an information governance program not so simple: IronMountain; 2011. http://docs.media.bitpipe.com/io_10x/io_105560/item_570545/Iron%20Mountain_sContentMgt_IO%23105560_EGuide_082012.pdf.

  18. Christensen J, Cohen E. Medical errors may be third leading cause of death in the U.S.: cnn.com; 2016. https://edition.cnn.com/2016/05/03/health/medical-error-a-leading-cause-of-death.

  19. Riegner M. Global information governance in pandemic times: in the geopolitics of global health information, international institutional law is more important than ever. Völkerrechtsblog; 2020. https://doi.org/10.17176/20200410-152747-0.

    Book  Google Scholar 

  20. OECD. Towards an integrated health information system in Korea. OECD; 2022.

    Book  Google Scholar 

  21. Mastaneh Z, Mouseli L. Information governance in heath sector. J Health Manag. 2012;3(3):29–36.

    Google Scholar 

  22. Kadlec L. Coming soon to your healthcare facility: information governance. J Ahima. 2014;85(8):26–32.

    PubMed  Google Scholar 

  23. Buckbee M. Data governance in healthcare: Your complete guide; 2022. https://www.varonis.com/blog/data-governance-in-healthcare.

  24. Tinker A. The top seven healthcare outcome measures and three measurement essentials; 2019. https://www.healthcatalyst.com/insights/top-7-healthcare-outcome-measures.

  25. Seditas K, Dobson H. Data access systems in NHS Scotland: experiences of cancer data utilisation projects. Scotland: Innovative Healthcare Delivery Programme(IHDP); 2019. https://www.ed.ac.uk/usher/ihdp/our-work/information-governance/information-governance-case-studies

  26. Bougnague S. Cloudficient; 2023. https://www.cloudficient.com/blog/what-is-information-governance-in-healthcare-an-overview.

  27. Donaldson A, Walker P. Information governance—a view from the NHS. Int J Med Inf. 2004;73(3):281–4. https://doi.org/10.1016/j.ijmedinf.2003.11.009.

    Article  Google Scholar 

  28. Rouzbahani F. Developing a model of health information governance program for healthcare system of Iran [PhD Thesis]. Tehran: Shahid Beheshti University of Medical Sciences; 2018.

  29. Arksey H, O’Malley L. Scoping studies: towards a methodological framework. Int J Soc Res Methodol. 2005;8(1):19–32. https://doi.org/10.1080/1364557032000119616.

    Article  Google Scholar 

  30. Tricco AC, Lillie E, Zarin W, O’Brien KK, Colquhoun H, Levac D, Moher D. PRISMA Extension for Scoping Reviews (PRISMA-ScR): Checklist and Explanation. Ann Intern Med. 2018;169(7):467–73. https://doi.org/10.7326/M18-0850.

    Article  PubMed  Google Scholar 

  31. Munn Z, Peters MD, Stern C, Tufanaru C, McArthur A, Aromataris E. Systematic review or scoping review? Guidance for authors when choosing between a systematic or scoping review approach. BMC Med Res Methodol. 2018;18:1–7. https://doi.org/10.1186/s12874-018-0611-x.

    Article  Google Scholar 

  32. Critical Appraisal Skills Programme. Critical appraisal tools and resources; 2023. https://casp-uk.net/critical-appraisal-tools-and-resources/.

  33. Literature Review with MAXQDA: VERBI GmbH; 2024. https://www.maxqda.com/literature-review.

  34. Verdejo C, Tapia-Benavente L, Schuller-Martínez B, Vergara-Merino L, Vargas-Peirano M, Silva-Dreyer AM. What you need to know about scoping reviews. Medwave. 2021. https://doi.org/10.5867/medwave.2021.02.8144.

    Article  PubMed  Google Scholar 

  35. Kazi MR, Chowdhury N, Chowdhury M, Turin TC. Conducting comprehensive scoping reviews to systematically capture the landscape of a subject matter. Popul Med. 2021;3:1–9. https://doi.org/10.18332/popmed/143831.

    Article  Google Scholar 

  36. Gottlieb M, Haas MRC, Daniel M, Chan TM. The scoping review: a flexible, inclusive, and iterative approach to knowledge synthesis. AEM Educ Train. 2021;5(3): e10609. https://doi.org/10.1002/aet2.10609.

    Article  PubMed  PubMed Central  Google Scholar 

  37. Peters MDJ, Marnie C, Colquhoun H, Garritty CM, Hempel S, Horsley T, et al. Scoping reviews: reinforcing and advancing the methodology and application. Syst Rev. 2021;10(1):263. https://doi.org/10.1186/s13643-021-01821-3.

    Article  PubMed  PubMed Central  Google Scholar 

  38. Marcelo A, Medeiros D, Ramesh K, Roth S, Wyatt P. Transforming health systems through good digital health governance. Asian Development Bank; 2018. Contract No.: 51. https://doi.org/10.22617/WPS189244-2

  39. Rouzbahani F, Rabiei R, Asadi F, Moghaddasi H, Emami H. Information governance program: a review of applications in healthcare. J Paramed Sci. 2019;10(1):47–55. https://doi.org/10.22037/jps.v9i1.16927.

    Article  Google Scholar 

  40. Rouzbahani F, Asadi F, Rabiei R, Moghaddasi H, Emami H. Developing a model for national health information governance program in Iran. J Med Life. 2020;13(4):510–6. https://doi.org/10.25122/jml-2020-0036.

    Article  PubMed  PubMed Central  Google Scholar 

  41. Holly L, Thom S, Elzemety M, Murage B, Mathieson K, Iñigo Petralanda MI. Strengthening health data governance: new equity and rights-based principles. Int J Health Governance. 2023;28(3):225–37. https://doi.org/10.1108/IJHG-11-2022-0104.

    Article  Google Scholar 

  42. Foy M, Martyn D, Daly D, Byrne A, Aguneche C, Brennan R. Blockchain-based governance models for COVID-19 digital health certificates: a legal, technical, ethical and security requirements analysis. Procedia Comput Sci. 2022;198:662–9. https://doi.org/10.1016/j.procs.2021.12.303.

    Article  PubMed  PubMed Central  Google Scholar 

  43. Bruhn J. Identifying useful approaches to the governance of indigenous data. Int Indigenous Policy J. 2014;5(2):1–32. https://doi.org/10.18584/iipj.2014.5.2.5.

    Article  Google Scholar 

  44. Willison DJ, Trowbridge J, Greiver M, Keshavjee K, Mumford D, Sullivan F. Participatory governance over research in an academic research network: the case of Diabetes Action Canada. BMJ Open. 2019;9(4):1–9. https://doi.org/10.1136/bmjopen-2018-026828.

    Article  Google Scholar 

  45. Were V, Moturi C. Toward a data governance model for the Kenya health professional regulatory authorities. TQM J. 2017. https://doi.org/10.1108/TQM-10-2016-0092.

    Article  Google Scholar 

  46. Laurie G, Sethi N. Towards principles-based approaches to governance of health-related research using personal data. Eur J Risk Regul. 2013;4(1):43–57. https://doi.org/10.1017/S1867299X00002786.

    Article  PubMed  PubMed Central  Google Scholar 

  47. Laurie G, Ainsworth J, Cunningham J, Dobbs C, Jones KH, Kalra D, et al. On moving targets and magic bullets: Can the UK lead the way with responsible data linkage for health research? Int J Med Inform. 2015;84(11):933–40. https://doi.org/10.1016/j.ijmedinf.2015.08.011.

    Article  CAS  PubMed  PubMed Central  Google Scholar 

  48. Li Q, Lan L, Zeng N, You L, Yin J, Zhou X, Meng Q. A framework for big data governance to advance RHINs: a case study of China. IEEE Access. 2019;7:50330–8. https://doi.org/10.1109/ACCESS.2019.2910838.

    Article  Google Scholar 

  49. Rabiei R, Rouzbahani F, Asadi F, Moghaddasi H, Emami H, Rahimi F. Health information governance program: a review on components and principles. Crescent J Med Biol Sci. 2021;8(1):10–4.

    Google Scholar 

  50. Tumulak A, Tin J, Keshavjee K. Towards a unified framework for information and interoperability governance. In: The role of digital health policy and leadership. IOS Press; 2024. https://doi.org/10.3233/shti231310.

    Chapter  Google Scholar 

  51. Paolino AR, McGlynn EA, Lieu T, Nelson AF, Prausnitz S, Horberg MA, et al. Building a governance strategy for CER: the patient outcomes research to advance learning (PORTAL) network experience. Generat Evid Methods Improve Patient Outcomes. 2016;4(2):17. https://doi.org/10.13063/2327-9214.1216.

    Article  Google Scholar 

  52. Nunn S. Driving compliance through data governance. J Am Health Inf Manag Assoc. 2009;80(3):50–1.

    Google Scholar 

  53. Ibragimova I, Korjonen MH. The value of librarians for clinical and health governance (a view from Europe). Int J Health Governance. 2019;24(1):66–88. https://doi.org/10.1108/IJHG-11-2018-0062.

    Article  Google Scholar 

  54. Faridoon A, Kechadi MT. Healthcare Data Governance, Privacy, and Security-A Conceptual Framework. arXiv preprint arXiv:240317648; 2024. https://doi.org/10.48550/arXiv.2403.17648

  55. Renaud K. Clinical and information governance proposes; human fallibility disposes. Clin Governance. 2014;19(2):94–109. https://doi.org/10.1108/CGIJ-01-2014-0001.

    Article  Google Scholar 

  56. Datskovsky G, Hedges R, Empel S. Evaluating the Information governance principles for healthcare: accountability and transparency. J Ahima. 2015;86(2):52–3.

    PubMed  Google Scholar 

  57. Datskovsky G, Hedges R, Empel S, Washington L. Evaluating the information governance principles for healthcare: integrity and protection. J Ahima. 2015;86(4):48–9.

    PubMed  Google Scholar 

  58. Lillywhite TP. Implementing BS7799 in the UK National Health Service. Comput Fraud Secur. 2004;2004(2):4–8. https://doi.org/10.1016/S1361-3723(04)00027-2.

    Article  Google Scholar 

  59. Datskovsky G, Hedges R, Empel S, Washington L. Evaluating the information governance principles for healthcare: compliance and availability. J Ahima. 2015;86(6):54–5.

    PubMed  Google Scholar 

  60. Ryan FS, Cedro MK, Pabari S, Davenport-Jones L, Noar JH. Clinicians’ knowledge and practice of data protection legislation and information management. Br Dent J. 2009;206(2):E4. https://doi.org/10.1038/sj.bdj.2009.53. (discussion 90-1).

    Article  CAS  PubMed  Google Scholar 

  61. Welle Donker F, van Loenen B. How to assess the success of the open data ecosystem? Int J Digital Earth. 2017;10(3):284–306. https://doi.org/10.1080/17538947.2016.1224938.

    Article  Google Scholar 

  62. Williams P. Information governance: a model for security in medical practice. J Dig For Secur Law. 2007;2(1):57–74.

    Google Scholar 

  63. Stahl BC, Rainey S, Harris E, Fothergill BT. The role of ethics in data governance of large neuro-ICT projects. J Am Med Inform Assoc. 2018;25(8):1099–107. https://doi.org/10.1093/jamia/ocy040.

    Article  PubMed  PubMed Central  Google Scholar 

  64. Tiffin N, George A, LeFevre AE. How to use relevant data for maximal benefit with minimal risk: digital health data governance to protect vulnerable populations in low-income and middle-income countries. BMJ Glob Health. 2019;4(2): e001395. https://doi.org/10.1136/bmjgh-2019-001395.

    Article  PubMed  PubMed Central  Google Scholar 

  65. Datskovsky G, Hedges R, Empel S, Washington L. Evaluating the information governance principles for healthcare: retention and disposition. J Ahima. 2015;86(9):50–1.

    PubMed  Google Scholar 

  66. Roch-Berry C. What is a Caldicott guardian? Postgrad Med J. 2003;79(935):516–8. https://doi.org/10.1136/pmj.79.935.516.

    Article  CAS  PubMed  PubMed Central  Google Scholar 

  67. Corporate Information Governance. Information governance policy; 2019. https://www.england.nhs.uk/wp-content/uploads/2019/10/information-governance-policy-v5.1.pdf

  68. Baskaran V, Davis K, Bali RK, Naguib RN, Wickramasinghe N. Managing information and knowledge within maternity services: privacy and consent issues. Inform Health Soc Care. 2013;38(3):196–210. https://doi.org/10.3109/17538157.2012.735732.

    Article  PubMed  Google Scholar 

  69. Shaw-Taylor Y. Making quality improvement programs more effective. Int J Health Care Qual Assur. 2014;27(4):264–70. https://doi.org/10.1108/IJHCQA-02-2013-0017.

    Article  PubMed  Google Scholar 

  70. Haarbrandt B, Schreiweis B, Rey S, Sax U, Scheithauer S, Rienhoff O, et al. HiGHmed–an open platform approach to enhance care and research across institutional boundaries. Methods Inf Med. 2018;57(S01):e66–81.

    PubMed  PubMed Central  Google Scholar 

  71. Kloss LL. Leading innovation in enterprise information governance. J Am Health Inf Manag Assoc. 2013;84(9):34–8.

    Google Scholar 

Download references

Acknowledgements

This work is part of a PhD thesis in Medical Library and Information Science supported and founded by the Iran University of Medical Science, Tehran, Iran. The ethical code is IR.IUMS.REC.1400.1158. We thank Iran University of Medical Science for supporting this research.

Funding

The present study is the funded by Iran University of Medical Sciences(IUMS) (IR.IUMS.REC.1400.1158).

Author information

Authors and Affiliations

Authors

Contributions

S.G.H. performed several tasks, including conceptualization, methodology development, using software, formal analysis, investigation, resource allocation, original draft writing and data curation. S.S. undertakes various activities and roles, including supervision, project administration, funding acquisition and writing reviews. S.P. is involved in various activities, including writing – review and editing, as well as validation, conceptualization, data curation and methodology development. A.T. undertakes various activities and roles, including methodology development, conceptualization and writing – review and editing.

Corresponding author

Correspondence to Shahram Sedghi.

Ethics declarations

Ethics approval and consent to participate

Not applicable.

Consent for publication

Not applicable.

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Supplementary Information

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Ghaffari Heshajin, S., Sedghi, S., Panahi, S. et al. A framework for health information governance: a scoping review. Health Res Policy Sys 22, 109 (2024). https://doi.org/10.1186/s12961-024-01193-9

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1186/s12961-024-01193-9

Keywords