compliance briefing · board approval requested01 / 08
Meridian Health System · Board Briefing on Data Governance

Stop asking whether AI vendors
can be trusted with patient data
Approve a governance framework instead

In the last six months Meridian shared identifiable patient records with 14 external vendors. Only 3 of those connections sit behind a current Business Associate Agreement mapped to a data-loss-prevention control.

What this briefing asks of the board tonight

Ratify the four-tier Data Governance Framework, suspend the two research pilots operating past their approval date, and authorize the Chief Compliance Officer to shut down non-compliant vendor access without a further board vote.
Prepared by the Office of Compliance · For board vote.

section · data flow02 / 08
Chapter One

Follow the record

A single emergency-department visit touches 11 systems before the chart closes.
Every hop is a chance for protected health information to leave a controlled boundary.

exposure levels · 3 tiers03 / 08

Three data flows, three exposure levels

Tier 1 · Green

Governed & logged

Care-team access inside the electronic health record, role-based, audit-logged, minimum-necessary enforced.
Risk: acceptable and monitored

Tier 2 · Amber

Vendor-shared under BAA

Imaging AI, billing clearinghouse, population-health analytics — contracts exist but DLP coverage is partial.
Risk: contractual, not technical

Tier 3 · Red

Ungoverned pilot access

Two research pilots and one care-coordination app pull full records with no BAA renewal on file.
Risk: reportable breach exposure

162,000 patient records currently sit in Tier 3

Internal audit (March 2026) found this figure exceeds our entire annual outpatient volume. Remediation is required within 45 days to stay ahead of the next OCR audit cycle.

policy as enforcement04 / 08
Don't govern by memo · govern by machine-enforced policy

One access policy, four tiers,
enforced at the gateway

# data-governance-policy.yaml · enforced at the API gateway
tier_1_internal_clinical:
  - systems: [epic_ehr, pharmacy_system]
    control: role_based_access + minimum_necessary

tier_2_vendor_baa:
  - systems: [imaging_ai, billing_clearinghouse, population_health]
    control: dlp_scan + signed_baa + quarterly_audit

tier_3_research_pilot:
  - systems: [research_registry, care_coordination_app]
    control: irb_approval AND deidentification AND 90_day_review

forbidden_always:
  - "phi export to personal email"
  - "unencrypted usb transfer"
  - "vendor access without a signed baa"
evidence · cost of inaction05 / 08

One settlement costs 14x the governance program

OCR's 2025 median settlement for uncontrolled vendor access was $4.2M. The proposed governance office costs $310K per year to run.

OCR settlement $4.2M Governance program $310K / yr Median OCR settlement, uncontrolled access Governance office · annual operating cost A single prevented incident over a 3-year horizon pays for the governance program more than 4 times over.
risk control checklist06 / 08

7 controls the board must confirm are in force

Every Tier 2/3 vendor has a current signed BAA on file, verified quarterly.
DLP scanning blocks PHI leaving the network without exception, logged to the compliance dashboard.
!
Two research pilots are still operating past their IRB renewal date — access suspended pending board sign-off.
The breach-response runbook designates the CCO as incident commander with a 24-hour OCR notification clock.
!
Vendor risk assessments are 8 months overdue for 3 of the 14 active integrations.
All care-team access requires MFA and is logged to an immutable audit trail retained for 6 years.
!
No standing board-level data governance committee currently exists to own this policy after tonight.
decision requested tonight07 / 08

Three approvals the board must give tonight

1 · Approve the framework

Ratify the
four-tier policy

Adopt the Data Governance Framework as binding institutional policy, effective immediately.

2 · Approve the moratorium

Suspend overdue
pilots, recertify BAAs

Halt the two overdue research pilots and recertify all 14 vendor BAAs within 45 days.

3 · Approve the committee

Charter a standing
governance committee

Chartered committee chaired by the CCO, reporting quarterly to the full board.

Approval reduces exposure, not optics

This framework does not eliminate risk. It gives the board a defensible record that Meridian identified its exposure and acted before a regulator had to point it out.

recorded for the board minutes08 / 08
Motion to approve the Data Governance Framework

so · moved

Framework effective today · Vendor recertification due in 45 days · Committee's first report due next quarter.