Background: Health information governance (IG) in Australian hospitals was hitherto unexplored.
Objectives: To determine hospitals' health IG status and maturity in Victoria, Australia, identify drivers and barriers affecting IG adoption, examine electronic health data breach response plan usage and assess employees' electronic data breach awareness.
Method: Mixed-methods descriptive study utilising an online survey of directors - clinical/health information services and chief health information managers (HIMs) in Victorian hospitals, ≥50 beds.
Results: Response rate: 42.9% (n = 36). Fifty percent (n = 17) of respondent-hospitals had an IG program. IG equally supported decision-making and risk identification and prevention. The greatest potential organisational damages from system disruption or failure were information loss (66.7%) and clinical risks (63.9%). HIMs in 15 (55.6%) hospitals had knowledge to monitor and detect electronic data breaches. Staff in 19 (70.4%) hospitals knew who to inform about a suspected breach. Most hospitals had mature health information-related IG practices, most (88.9%, n = 24) provided IG-related education, 77.8% (n = 21) regularly reviewed data breach response plans. The strongest IG drivers were privacy-security compliance and changes to data capture or documentation practices (82.8%, n = 24); the greatest barriers were implementation complexity (57.1%, n = 16) and cost (55.6%, n = 15).
Conclusion: These baseline Australian data show 50% of respondent-hospitals had no formal health IG program. Privacy-security compliance, and audits, needed improvement; however, most hospitals had well-developed medical record/health information IG-relevant schedules, policies and practices. HIMs, the professionals most engaged in IG, required upskilling in electronic data breach detection.
Keywords: computer security; cybersecurity; electronic health records; electronic medical record; health information governance; health information management; health information manager; health information security; medical record; patient data privacy.