Leadership’s Role in Organizational Change

Health care leaders understand their role as change managers. Managing organizational change in health information systems initiatives can be very complex and concurrently rewarding, even when carried out strategically. The way in which data is inputted, stored, accessed, and disseminated is essential to quality patient health outcomes, profit margins, standardization, and strategic planning. When a health information system implementation is completed effectively and efficiently, the result is a quality IT project that is not only ready for the next generation but is ready for new technology convergence.

Evaluate the role of the Project Steering and Review Committees in change management.

Don't use plagiarized sources. Get Your Custom Essay on
Leadership’s Role in Organizational Change
Just from $13/Page
Order Essay

Healthcare Administrationinformation systems

Chapter 12
IT Alignment and Strategic Planning

Information technology (IT) investments serve to advance organizational performance. These
investments should enable the organization to reduce costs, improve service, enhance the
quality of care, and, in general, achieve its strategic objectives. The goal of IT alignment and
strategic planning is to ensure a strong and clear relationship between IT investment decisions
and the health care organization’s overall strategies, goals, and objectives. For example, an
organization’s decision to invest in a new claims adjudication system should be the clear result
of a goal of improving the effectiveness of its claims processing process. An organization’s
decision to implement a care coordination application should be a consequence of its population
health management strategy.

Developing a sound alignment can be very important for one simple reason—if you define the IT
agenda incorrectly or even partially correctly, you run the risk that significant organizational
resources will be misdirected; the resources will not be put to furthering strategically important
areas. This risk has nothing to do with how well you execute the IT direction you choose. Being
on time, on budget, and on specification is of little value to the organization if it is doing the wrong

IT Planning Objectives
The IT strategic planning process has several objectives:

To ensure that information technology plans and activities align with the plans and activities of
the organization; in other words, the IT needs of each aspect of organizational strategy are clear,
and the portfolio of IT plans and activities can be mapped to organizational strategies and
operational needs
To ensure that the alignment is comprehensive; in other words, each aspect of strategy has
been addressed from an IT perspective that recognizes not all aspects of strategy have an IT
component, and not all components will be funded
To identify non-IT organizational initiatives needed to ensure maximum leverage of the IT
initiative (for example, process reengineering)
To ensure that the organization has not missed a strategic IT opportunity, such as those that
might result from new technologies
To develop a tactical plan that details approved project descriptions, timetables, budgets, staffing
plans, and plan risk factors
To create a communication tool that can inform the organization of the IT initiatives that will and
will not be undertaken
To establish a political process that helps ensure the plan results have sufficient organizational
At the end of the alignment and strategic-planning process, an organization should have an
outline that at a high level resembles Table 12.1. With this outline, leadership can see the IT
investments needed to advance each of the organization’s strategies. For example, the goal of
improving the quality of patient care may lead the organization to invest in databases to

measure and report quality, predictive algorithms to identify patients at risk of readmission, and
the EHR.

Table 12.1 IT initiatives linked to organizational goals

Goal IT Initiatives
Research and education Research patient data registry
Genetics and genomics platform
Grants management
Patient care: quality improvement Quality measurement databases
Order entry
Electronic health record
Patient care: sharing data across the system Enterprise master person index
Clinical data repository
Common infrastructure
Patient care: non-acute services Nursing documentation
Transition of care
Financial stability Revenue system enhancements
Payroll-personnel system
Cost accounting

In many ways the content of Table 12.1 is deceiving. It presents a tidy, orderly linkage between
the IT agenda and the strategies of the organization. One might assume this linkage is
established through a linear, rational, and straightforward series of steps. But the process of
arriving at a series of connections similar to those in Table 12.1 is complex, iterative, and at
times driven by politics and instincts.

The development of well-aligned IT strategies has been notoriously difficult for many years, and
there appears to be no reason such an alignment will become significantly easier over time.

Overview of Strategy
Strategy is the determination of the basic long-term goals and objectives of an organization, the
adoption of the course of action, and the allocation of resources necessary to carry out those
actions (Chandler, 1962). Strategy seeks to answer questions such as, where does this
organization need to go, and how will it get there? Where should the organization focus its
management attention and expenditures?

The development of an organization’s strategy has two major components: formulation and
implementation (Henderson & Venkatraman, 1993).

Formulation involves making decisions about the mission and goals of the organization and the
activities and initiatives it will undertake to achieve them. Formulation could involve determining
the following:

Our mission is to provide high-quality medical care.
We have a goal of reducing the cost of care while at least preserving the quality of that care.
One of our greatest leverage points lies in reducing inappropriate and unnecessary care.
To achieve this goal, we will emphasize reducing the number of inappropriate radiology
We will carry out initiatives that enable us to intervene at the time of procedure ordering if we
need to suggest a more cost-effective modality.
We can imagine other goals directed toward achieving this mission. For each goal, we can
envision multiple leverage points, and for each leverage point, we may see multiple initiatives.
The result is an inverted tree that cascades from our mission to a series of initiatives.

Formulation involves understanding competing ideas and choosing between them. In our
example, we could have arrived at a different set of goals and initiatives.

We could have decided to improve quality with less emphasis on care costs. We could have
decided to focus on reducing the cost per procedure. We could have decided to produce
retrospective reports of radiology use by provider and used this feedback to lead to ordering
behavior change rather than intervening at the time of ordering.

In IT, we also have a need for formulation. In keeping with an IT mission to use the technology to
support improvement of the quality of care, we may have a goal to integrate our clinical
application systems. To achieve this goal, we may decide to follow any of the following

Provide a common way to access all systems (single sign-on).
Interface existing heterogeneous systems.
Require that all applications use a common database.
Implement a common suite of clinical applications from one vendor.

Implementation involves making decisions about how we structure ourselves, acquire skills,
establish organizational capabilities, and alter organizational processes to achieve the goals and
carry out the activities we have defined during formulation of our strategy. For example, if we
have decided to reduce care costs by reducing inappropriate procedure use, we may need to
implement one or more of the following:

An organizational unit of providers with health services research training to analyze care
practices and identify deficiencies
A steering committee of clinical leadership to guide these efforts and provide political support
A provider order entry system to provide real-time feedback on order appropriateness
Data warehouse technologies to support analyses of utilization
Using our clinical applications integration example, we may come to one of the following

We need to acquire interface engine technology, adopt HL7 standards, and form an information
systems department that manages the technology and interfaces applications.
We need to engage external consulting assistance for the selection of a clinical application suite
and hire a group to implement the suite.
The implementation component of strategy development is not the development of project plans
and budgets. Rather, it is the identification of the capabilities, capacities, and competencies the
organization will need if it is to carry out the results of the formulation component of strategy.
Vectors for Arriving at IT Strategy
The IT strategy is developed using some combination of four IT strategy vectors:

Organizational strategies
Continuous improvement of core processes and information management
Examination of the role of new information technologies
Assessment of strategic trajectories
By a vector we mean the choice of perspectives and approaches through which an organization
determines its IT investment decisions. For example, the first vector (derived from organization
strategies) involves answering a question such as, “Given our strategy of improving patient
safety, what IT applications will we need?” However, the third vector (determined by examining
the role of new information technologies) involves answering a question such as, “There is a
great deal of discussion about cloud-based applications. Does this approach to delivering
applications provide us with ways to be more effective at addressing some of our organization
challenges?” Figure 12.1 illustrates the convergence of these four vectors into a series of
iterative leadership discussions and debates. These debates lead to an IT agenda.

IT Strategies Derived from Organizational Strategies
The first vector involves deriving the IT agenda directly from the organization’s goals and plans.
For example, an organization may decide it intends to become the low-cost provider of care. It
may decide to achieve this goal through implementation of disease management programs, the
reengineering of inpatient care, and the reduction of unit costs for certain tests and procedures it
believes are inordinately expensive.

The IT strategy development then centers on answering questions such as, “How do we apply
IT to support disease management?” The answers might involve web-based publication of
disease management protocols for use by providers, business intelligence technology to
assess the conformance of care practice to the protocols, provider documentation systems
based on disease guidelines, and CPOE systems that employ the disease guidelines to
influence ordering decisions. An organization may choose all or some of these responses and
develop various sequences of implementation. Nonetheless, it has developed an answer to the
question of how to apply IT in support of disease management.

Most of the time the linkage between organizational strategy and IT strategy involves developing
the IT ramifications of organizational initiatives, such as adding or changing services and
products, growing market share, improving service, streamlining processes, or reducing costs.

At times, however, an organization may decide it needs to change or add to its core
characteristics or culture. The organization may decide it needs its staff members to be more
care-quality or service-delivery or bottom-line oriented. It may decide it needs to decentralize or
recentralize decision making. It may decide to improve its ability to manage knowledge, or it
may not. These characteristics (and there are many others) can point to initiatives for IT.
In cases in which characteristics are to be changed, IT strategies must be developed to answer
questions such as, “What is our basic IT approach to supporting a decentralized
decision-making structure?” The organization might answer this question by permitting
decentralized choices of applications as long as those applications meet certain standards. (For
example, they may run on a common infrastructure or support common data standards.) It
might answer the question of how IT supports an emphasis on knowledge management by
developing an intranet service that provides access to preferred treatment guidelines.

IT Strategies to Continuously Improve Core Processes and Information Management
All organizations have a small number of core processes and information management tasks
that are essential for the effective and efficient functioningof the organization. For a hospital
these processes might include ensuring patient access to care, ordering tests and procedures,
and managing the revenue cycle. For a restaurant these processes might include menu design,
food preparation, and dining room service. For a health plan, information management needs
might point to a requirement to understand the costs of care or the degree to which care
practices vary by physician.

Using the vector of continuous improvement of core processes and information management to
determine IT strategies involves defining the organization’s core processes and information
management needs. The organization measures the performance of core processes and uses
the resulting data to develop plans to improve its performance. The organization defines core
information needs, identifies the gap between the current status and its needs, and develops
plans to close those gaps. These plans will often point to an IT agenda. This vector may be a
result of a strategy discussion, although this is not always the case. An organization may make
ongoing efforts to improve processes regardless of the specifics of its strategic plan. For
example, every year it may establish initiatives designed to reduce costs or improve services.
The organization has decided that, regardless of a specific strategy, it will not thrive if core
processes and information management are something other than excellent.

Table 12.2 illustrates a process orientation. It provides an organization with data on the
magnitude of some problems that plague the delivery of outpatient care. These problems afflict
the processes of referral, results management, and test ordering. The organization may decide
to make IT investments in an effort to reduce or eliminate these problems. For example,
strengthening the decision support for e-prescribing could reduce the prevalence of adverse
drug events (ADEs). Abnormal test results could be highlighted in the EHR to help ensure
patient follow-up.
For every: There appear to be:
1,000 patients coming in for outpatient care 14 patients with life-threatening or serious ADEs

1,000 outpatients who are taking a prescription drug 90 patients who seek medical attention
because of drug complications
1,000 prescriptions written 40 prescriptions with medical errors
1,000 women with a marginally abnormal mammogram 360 who will not receive appropriate
follow-up care
1,000 referrals 250 referring physicians who have not received follow-up information four weeks
1,000 patients who qualified for secondary prevention of high cholesterol 380 will not have an
LDL-C on record within three years

When this vector is used, the IT agenda is driven at least in part by a relentless year-in, year-out
focus on improving core processes and information management needs.

IT Strategies That Rely on New IT Capabilities
The third vector involves considering how new IT capabilities may enable a new IT agenda or
significantly alter the current agenda. For example, telemedicine capabilities may enable the
organization to consider a strategy of extending the reach of its specialists across its catchment
area to improve its population health efforts. Data-mining algorithm advances might enable an
organization to assess different treatment approaches to determine which approaches lead to
the best outcomes.

In this vector, the organization examines new applications and new base technologies and tries
to answer the question, “Does this application or technology enable us to advance our strategies
or improve our core processes in new ways?” For example, advances in sensors and mobile
applications might lead the organization to think of new approaches to providing feedback to the
chronically ill patient. Holding new technologies up to the spotlight of organizational interest can
lead to decisions to invest in a new technology.
An extreme form of this mechanism occurs when a new technology or application suggests that
fundamental strategies (or even the organization’s existence) may be called into question or
may need to undergo significant transformation. In general these strategies lead to a decision to
adopt a new business model. A business model is the combination of an organization’s
decisions about what it will do, how it will do it, and why “the what and how” are of such value
that customers will pay them.

For example, Uber’s business model is that it will get you from point A to point B (the what) but it
will do so in a way that involves “renting” capacity from drivers already on the road and making
the process of ordering a ride and paying for a ride very easy (the how). The what for Uber is no
different than that for a traditional taxi company but the how is very different. Uber’s superior
business model was made possible by new information technologies—the web, mobile devices,
and advanced analytics.

Internet of Things

The Internet of Things is a class of information technology that has several components; things
(people, buildings, equipment, etc.); sensors attached to the things (sensors that measure heat,
acidity, movement, etc.); processors that read and interpret sensor data; and a network (the
Internet usually) that connects sensors and processors to cloud-based (usually) analytics.

There are several potential uses of the Internet of Things in health care:

Monitor equipment utilization and performance; for example, is a part in the MRI about to fail?
Supply management; for example, where is a supply in its transit to the hospital?
Monitoring of environmental data; for example, what is the humidity outside?
Monitoring the physiological status of a patient; for example, is the patient’s blood sugar level too
Process orchestration; for example, is the orderly who needs to take the patient to radiology on
her way?
In an IT strategy discussion, these questions could be raised:

What is the Internet of Things?
What are the possible uses and are those uses mature?
Does the Internet of Things help us advance strategies or suggest new strategies?
If so, what do we do?

IT Strategies Based on Assessment of Strategic Trajectories
Organization and IT strategies invariably have a fixed time horizon and fixed scope. These
strategies might cover a period of time two to three years into the future. They outline a bounded
set of initiatives to be undertaken in that time period. Assessment of strategic trajectories asks
the questions, What do we think we will be doing after that time horizon and scope? Do we think
we will be doing very different kinds of things, or will we be carrying out initiatives similar to the
ones we are pursuing now?

For example, we might be planning to implement a broad portfolio of health care information
technology. The organization believes that through medical advances and preventive care the
number of patients older than one hundred will increase dramatically. The strategic trajectory
discussion asks, “Does this increase in longevity have significant implications for the types of
health care that we deliver and hence on the types of information technology that we

Or we might be in the process of using IT to support joint clinical programs with other hospitals
in the area. These efforts would be greatly helped by the availability of broad interoperability.
However, such pervasive interoperability has proved elusive and may be elusive for a decade.
How would pervasive interoperability affect our IT strategy?

The strategic trajectory discussion can be highly speculative. It might be so forward looking and
speculative that the organization decides not to act today on its discussion. Yet it can also point
to initiatives to be undertaken within the next year to better understand this possible future and to

prepare the organization’s information systems for it. For example, if we believe our information
systems will eventually need to store large amounts of genetic information, it would be worth
understanding whether the new population health systems we will be selecting soon will be
capable of storing and analyzing these data.
The IT Assest
The discussion of vectors and alignment up to this point has focused generally on the
development of an application agenda as the outcome. In other words, the completion of the IT
strategy discussion is an inventory of systems, such as the EHR system, customer relationship
management system, and an enterprise data warehouse, that are needed to further overall
organizational strategies. However, the application inventory is a component of the larger idea of
the IT asset. These areas are discussed in the following sections.

The IT asset is composed of those IT resources that the organization has or can obtain and that
are applied to further the goals, plans, and initiatives of the organization. The IT strategy
discussion identifies specific changes or enhancements to the composition of the asset—for
example, the implementation of a new application—and general properties of the asset that must
exist—for example, high reliability of the infrastructure. The IT asset has four components:
applications, infrastructure, data, and IT staff members.

Applications are the systems that users interact with: for example, scheduling, billing, and EHR
systems. In addition to developing an inventory of applications, the organization may need to
develop strategies regarding properties of the overall portfolio of applications.

For example, if the organization is an integrated delivery system, decisions will need to be made
about the degree to which applications should be the same across the organization. E-mail
systems ought to be the same, but is there a strategic reason to have the same pharmacy
system across all hospitals? Should an organization buy or build its applications? Building
applications is risky and often requires skills that most health care organizations do not
possess. However, internally developed applications can be less expensive and can be tailored
to an organization’s needs.
Strategic thinking may center on the form and rigor of the justification process for new
applications. Formal return on investment analyses may be emphasized so that all application
decisions will emphasize cost reduction or revenue gain. Or the organization may decide to
have a decision process that takes a more holistic approach to acquisition decisions, so that
factors such as improving quality of care must also be considered.

In general, strategy discussions surrounding the application asset as a whole focus on, in
addition to the application inventory, a few key areas:

Sourcing. What are the sources for our applications? And what criteria determine the source to
be used for an application? Should we get all applications from the same vendor or will we use a
small number of approved vendors?

Application uniformity. For large organizations with many subsidiaries or locations, to what
degree should our applications be the same at all locations? If some have to be the same but
some can be different, how do we decide where we allow autonomy? This discussion often
involves a trade-off between local autonomy and the central desire for efficiency and
Application acquisition. What processes and steps should we use when we acquire
applications? Should we subject all acquisitions to rigorous analyses? Should we use a request
for proposal for all application acquisitions? This discussion is generally an assessment of the
extent to which the IT acquisition process should follow the degree of rigor applied to non-IT
acquisitions (of diagnostic equipment, for example).

Infrastructure needs may arise from the strategic-planning process. An organization desiring to
extend its IT systems to community physicians will need to ensure that it can deliver low-cost
and secure network connections. Organizations placing significant emphasis on clinical
information systems must ensure very high reliability of their infrastructure; computerized
provider order entry systems cannot go down.

In addition to initiatives designed to add specific components to the infrastructure—for example,
new software to monitor network utilization—architecture strategies will focus on the addition or
enhancement of broad infrastructure capabilities and characteristics.

Capabilities are defined by completing this sentence: “We want our applications to be able to …”
Organizations might complete that sentence with phrases such as “be accessed from home,”
“have logic that guides clinical decision making,” or “share a pool of consistently defined data.”

Characteristics refer to broad properties of the infrastructure, such as reliability, security, agility,
supportability, integratability, and potency. An organization may be heading into the
implementation of mission-critical systems and hence must ensure very high degrees of
reliability in its applications and infrastructure. The organization may be concerned about the
threats posed by ransomware and denial of service attacks and decide to strengthen the
security of its infrastructure. The asset plans in these cases involve discussions and analyses
that are intended to answer the question, What steps do we need to take to significantly improve
the reliability of our systems or improve security?

Data and information were discussed in Chapter Two. Strategies concerning data may center on
the degree of data standardization across the organization, accountability for data quality and
stewardship, data sources, and determination of database management and analyses

Data strategy conversations may originate with questions such as, We need to better
understand the costs of our care. How do we improve the linkage between our clinical data and

our financial data? Or, we have to develop a much quicker response to outbreaks of epidemics.
How do we link into the city’s emergency rooms and quickly get data on chief complaints?

In general, strategies surrounding data focus on acquiring new types of data, defining the
meaning of data, determining the organizational function responsible for maintaining that
meaning, integrating existing sets of data, and obtaining technologies used to manage, analyze,
and report data.

IT Staff Members
IT staff members are the analysts, programmers, and computer operators who, day in and day
out, manage and advance information systems in an organization. IT staff members were
discussed in Chapter Eight. IT strategy discussions may highlight the need to add IT staff
members with specific skills, such as mobile application developers and population health
implementation staff members. Organizations may decide that they need to explore outsourcing
the IT function in an effort to improve IT performance or obtain difficult-to-find skills. The service
orientation of the IT group may need to be improved.

In general, the IT staff member strategies focus on the acquisition of new skills, the organization
of the IT staff, the sourcing of the IT staff, and the characteristics of the IT department—is it, for
example, innovative, service oriented, and efficient?

A Normative Approach to Developing Alignment and IT Strategy
You may now be asking yourself, how do I bring all of this together? In other words, is there a
suggested approach an organization can take to develop its IT strategy that takes into account
these various vectors? And by the way, what does an IT strategic plan look like?

Across health care organizations the approaches taken to developing, documenting, and
managing an IT strategy are quite varied. Some organizations have well-developed, formal
approaches that rely on the deliberations of multiple committees and leadership retreats. Other
organizations have remarkably informal processes. A small number of medical staff members
and administrative leaders meet in informal conversations to define the organization’s IT
strategy. In some cases the strategy is developed during a specific time in the year, often
preceding development of the annual budget. In other organizations, IT strategic planning goes
on all the time and permeates a wide range of formal and informal discussions.

There is no single right way to develop an IT strategy and to ensure alignment. However, the
process of developing IT strategy should be similar in approach and nature to the process used
for overall strategic planning. If the organization’s core approach to strategy development is
informal, its approach to IT strategy development should also be informal.

Recognizing this variability, a normative approach to the development of IT strategy can be

Strategy Discussion Linkage

Organizational strategy is generally discussed in senior leadership meetings. These meetings
may focus specifically on strategy, or strategy may be a regular agenda item. These meetings
may be supplemented with retreats centered on strategy development and with task forces and
committees that are asked to develop recommendations for specific aspects of the strategy.
(For example, a committee of clinical leadership members might be asked to develop
recommendations for improving patient safety.) These discussions will examine the
organization’s external environment—such as changes in reimbursement and competitive
position—and internal environment—such as operational efficiency, financial health, and clinical
strengths. This examination invariably results in the identification of gaps between the
organization’s desired position and role and its current status. This examination usually includes
a review of the status and capabilities of the organization’s IT capabilities and application

Regardless of their form, the organization’s CIO should be present at such meetings or kept
informed of the discussion and its conclusions. If task forces and committees supplement
strategy development, an IT manager should be asked to be a member. The CIO (or the IT
member of a task force) should be expected to develop an assessment of the IT ramifications of
strategic options and to identify areas where IT can enable new approaches to carrying out the

The CIO will not be the only member of the leadership team who will perform this role. Chief
financial officers (CFOs), for example, will frequently identify the IT ramifications of plans to
improve the revenue cycle. However, the CIO should be held accountable for ensuring the
linkage does occur.

As strategy discussions proceed, the CIO must be able to summarize and critique the IT
agenda that should be put in place to carry out the various aspects of the strategy. Exhibit 12.1
displays an IT agenda that might emerge. Exhibit 12.2 displays a health plan IT agenda that
could result from a strategy designed to improve patient access to health information and
self-service administrative tasks for a health plan.

Exhibit 12.1 IT Initiatives Necessary to Support a Strategic Goal for a Provider
Article I. Strategic Goal

Improve service to outpatients

Article II. Problem

Patients have to call many locations to schedule a series of appointments and services.
The quality of the response at these locations is highly variable.
Locations inconsistently capture necessary registration and insurance information.
Some locations are over capacity, whereas others are underutilized.
Article III. IT Solution

Common scheduling system for all locations
A call center for “one-stop” access to all outpatient services
Development of master schedules for common service groups such as preoperative testing
Integration of scheduling system with electronic data interchange connection to payers for
eligibility determination, referral authorization, and copay information
Patient support material, such as maps and instructions, to be mailed to patients

Exhibit 12.2 IT Initiatives Necessary to Support a Strategic Goal for a Health Plan
Article IV. Strategic Goal

Improve service to subscribers
Reduce costs
Article V. Problem

Subscribers have difficulty finding high-quality health information.
The costs of performing routine administrative transactions such as change of address and
responding to benefits questions is increasing.
Subscriber perceptions of the quality of service in performing these transactions is low.
Article VI. IT Solution

A plan portal that provides:
Health content from high-quality sources
Access to chronic disease services and discussion groups
Subscriber ability to use self-service to perform routine administrative transactions
Subscriber access to benefit information
Functions that enable subscribers to ask questions
Plan ratings of provider quality
A plan-sponsored provider portal that enables:
Subscribers to conduct routine transactions with their provider, such as requesting an
appointment or renewing a prescription
Electronic visits for certain conditions such as back pain
Subscribers to ask care questions of their provider

IT Liaisons
All major departments and functions (for example, finance, nursing, and medical staff
administration) should have a senior IT staff person who serves as the function’s point of
contact. Because these functions examine ways to address their needs (for example, lower
their costs and improve their services), the IT staff person can work with them to identify IT
activities necessary to carry out their endeavors. This identification often emerges with
recommendations to implement new applications that advance the performance of a function,
such as a medication administration record application to improve the nursing workflow. Exhibit
12.3 provides an example of output from a nursing leadership discussion on improving patient
safety through the use of a nursing documentation system.

New Technology Review
The CIO should be asked to discuss, as part of the strategy discussion or in a periodic
presentation in senior leadership forums, new technologies and their possible contributions to
the goals and plans of the organization. These presentations may lead to suggestions that the
organization form a task force to closely examine a new technology. For example, a
multidisciplinary task force could be formed to examine the ability of telehealth to support the
organization’s strategies. Table 12.3 provides an overview of different types of telehealth and an
overall assessment of strategic importance.

Table 12.3 Assessment of telehealth strategic opportunities

Type of Telehealth Potential Strategic Value Level of Support of Organization’s Strategy
Semi-urgent care Enables patients to reach a clinician at any time to get advice on
addressing low acuity health issues, for example, a modest fever of a child Moderate
Remote patient monitoring Supports efforts to manage patient’s with a chronic disease
Fitness monitoring Provides information on a patient’s exercise program Low
Visit substitution Supports conducting visits, for example, surgery follow-up through video
rather than requiring a face-to-face visit High
Clinician consultation Enables clinicians to seek a consult from a remote specialist High
Critical care Provides ability to perform remote stroke assessments and ICU monitoring

Exhibit 12.3 System Support of Nursing Documentation
Section 6.1. Problem Statement
Both the admitting physician(s) and nurse document medication history in their admission note.
Points of failure have been noted:
Incompleteness due to time or recall constraints, lack of knowledge, or lack of clear
documentation requirements
Incorrectness due to errors in memory, transcription between documents, and illegibility
Multiple inconsistent records due to failure to resolve conflicting accounts by different
Most of the clinical information required to support appropriate clinician decision making is
obtained during the history-taking process.
Section 6.2. Technology Interventions and Goals
A core set of clinical data should be made available to the clinician at the point of decision
Principle diagnoses and other medical conditions
Drug allergies
Current and previous relevant medications
Laboratory and radiology reports
Required information should be gathered only once:
Multidisciplinary system of structured, templated documentation

Clinical decision support rules, associated to specific disciplines, should guide gathering
Workflow should support the mobile care giver with integrated wireless access to clinical
Needed applications could be implemented in phases:
Nursing admission assessment
Multidisciplinary admission assessment
Planning and progress
Nursing discharge plan
Multidisciplinary discharge plan

Synthesis of Discussions
The CIO should be asked to synthesize or summarize the conclusions of these discussions.
This synthesis will invariably be needed during development of the annual budget. And the
synthesis will be a necessary component of the documentation and presentation of the
organization’s strategic plan. Table 12.4 presents an example of such a synthesis.

Table 12.4 Summary of IT strategic planning

Strategic Challenge IT Agenda
Capacity and growth management Emergency department tracking
Inpatient electronic bed board
Ambulatory clinic patient
Quality and safety Inpatient order entry
Anticoagulation therapy unit
Online discharge summaries
Medication administration record
Performance improvement Registration system overhaul
Anatomic pathology
Order communication
Transfusion and donor services
Budget management and external reviews Disaster recovery
Joint Commission preparation
Privacy policy review
The organization should expect the process of synthesis will require debate and discussion; for
example, trade-offs will need to be reviewed, priorities set, and the organization’s willingness to
implement embryonic technologies determined. This synthesis and prioritization process can
occur during the course of leadership meetings, through the work of a committee charged to
develop an initial set of recommendations, and during discussions internal to the IT
management team.

An example of an approach to prioritizing recommendations is to give each member of the
committee $100 to be distributed across the recommendations. The amount a member gives to
each recommendation reflects his or her sense of its importance. For example, a member could
give one recommendation $90 and another $10 or give five recommendations $20 each. In the
former case, the committee member believes that only two recommendations are important and
that the first recommendation is nine times more important than the second. In the latter case,
the member believes that five recommendations are of equal importance. The distributed dollars
are summed across the members, with a ranking of recommendations emerging.

The leadership should not feel compelled to accept the ranking as a definitive output. Rather, the
process of scoring will reveal that members of the leadership team will rate recommendations
differently. For example, some members will rate a project as having a high contribution to
patient quality and others will view that contribution as low. The discussion that investigates
these discrepancies can help the team understand the recommendation more fully and lead to a
consensus that strengthens political support for the recommendation. Moreover, if the
leadership team decides to approve a recommendation with a low score, it should ask itself why
it views the recommendation as more important than the score would suggest.

For an example of the scoring of proposed IT initiatives, see Figure 12.2. It lists categories of
organizational goals (for example, enhance patient care), along with goals within the categories.
The leadership of the organization, through a series of meetings and presentations, has scored
the contribution of the IT initiative to the strategic goals of the organization. The contribution to
each goal may be critical (must do), high, moderate, or none. These scores are based on data
but nonetheless are fundamentally judgment calls. The scoring and prioritization will result in a
set of initiatives deemed to be the most important. The IT staff members will then construct
preliminary budgets, staff needs, and timelines for these projects.

Figure 12.3 provides an overview of the timeline for these initiatives and the cost of each.
Management will discuss various timeline scenarios, consider project interdependence, and
ensure that the IT department and the organization are not overwhelmed by too many initiatives
to complete all at once. The organization will use the budget estimates to determine how much
IT it can afford. Often there is not enough money to pay for all the desired IT initiatives, and
some initiatives with high and moderate scores will be deferred or eliminated as projects. The
final plan, including timelines and budgets, will become the basis for assessing progress
throughout the year.

Overall, a core role of the organization’s CIO is to work with the rest of the leadership team to
develop the process that leads to alignment and strategic linkage.

Once all is said and done, the alignment process should produce these results:

An inventory of the IT initiatives that will be undertaken (These initiatives may include new
applications and projects designed to improve the IT asset.)

A diagram or chart that illustrates the linkage between the initiatives and the organization’s
strategy and goals
An overview of the timeline and the major interdependencies between initiatives
A high-level analysis of the budget needed to carry out these initiatives
An assessment of any material risks to carrying out the IT agenda and a review of the strategies
needed to reduce those risks
It is important to recognize the amount and level of discussion, compromise, and negotiation
that go into the strategic alignment process. Producing these results without going through the
preceding thoughtful process will be of little real benefit.
IT Strategy and Alignment Challenges
Creating IT strategy and alignment is a complicated and critical organizational process. The
following sections present a series of observations about that process.

Planning Methodologies
Formal processes and methodologies that help organizations develop IT plans, whether based
on derived linkage or the examination of more fundamental characteristics of organizations, can
be very helpful. If well executed, they can do all of the following:

Lead to the identification of a portfolio of IT applications and initiatives that are well linked to the
organization’s strategy.
Identify alternatives and approaches that might not have been understood without the process.
Contribute to a more thorough analysis of the major aspects of the plan.
Enhance and ensure necessary leadership participation and support.
Help the organization be more decisive.
Ensure the allocation of resources among competing alternatives is rational and politically
Enhance communication of the developed plan.
In addition to formal IT strategic planning methodologies, organizations will often use strategy
frameworks that help them frame issues and opportunities. For example, Porter’s Competitive
Forces Model (Porter, 1980) identifies strategic options such as competing on cost,
differentiating based on quality, and attempting to raise barriers to the entry of other competitors.
By using this model, the organization will make choices about its overall competitive position.

Models such as these help the leadership engage in a broader and more conceptual approach
to strategy development.

Persistence of the Alignment Problem
Despite the apparent simplicity of the normative process we have described and the many
examinations of the topic by academics and consultants, achieving IT alignment has been a top
concern of senior organizational leadership for several decades. For example, a survey of CIOs
from across multiple industries found improving IT alignment with business objectives to be the
number one IT top management priority in 2007 (Alter, 2007). A survey of CIOs in 2015
(Information Management, 2016) found alignment to be, once again, the top concern. There are
several reasons for the persistent difficulty of achieving alignment (Bensaou & Earl, 1998):

Business strategies are often not clear or are volatile.
IT opportunities are poorly understood and new technologies emerge constantly.
The organization is unable to resolve the different priorities of different parts of the organization.
Weill and Broadbent (1998) note that effective IT alignment requires organizational leadership to
clearly understand and strategically and tactically integrate (1) the organization’s strategic
context (its strategies and market position), (2) the organization’s environment, (3) the IT
strategy, and (4) the IT portfolio (for example, the current applications, technologies, and staff
skills). Understanding and integrating these four continuously evolving and complex areas is
exceptionally difficult.

At least two more reasons can be added to this listing of factors that make alignment difficult.
First, the organization may find it has not achieved the gains apparently achieved by others it
has heard or read about, nor have the vendors’ promises of the technologies materialized.
Second, the value of IT, particularly infrastructure, is often difficult to quantify, and the value
proposition is fuzzy and uncertain; for example, what is the value of improved security of

In both these cases the organization is unsure whether the IT investment will lead to the desired
strategic gain or value. This is not strictly an alignment problem. However, alignment does
assume the organization believes it has a reasonable ability to achieve desired IT gains.

The Limitations of Alignment
Although alignment is important, it will not guarantee effective application of IT. Planning
methodologies and effective use of vectors cannot, by themselves, overcome weaknesses in
other factors that can significantly diminish the likelihood that IT investments will lead to
improved organization performance. These weaknesses include poor relationships between IT
staff members and the rest of the organization, incompetent leadership, weak financial
conditions, and ill-conceived IT governance mechanisms. IT strategy also cannot overcome
unclear overall strategies and cannot necessarily compensate for material competitive

If one has mediocre painting skills, a class on painting technique will make one a better painter
but will not turn one into Picasso. Similarly, superb alignment techniques will not turn an
organization limited in its ability to implement IT effectively into one brilliant at IT use. Perhaps
this reason, more than any other, is why the alignment issue persists as a top-ranked IT issue.
Organizations are searching for IT excellence in the wrong place; it cannot be delivered purely
by alignment prowess.

Alignment at Maturity
Organizations that have a history of IT excellence appear to evolve to a state in which their
alignment process has become deeply intertwined with the normal management strategy and
operations discussions. A study by Earl (1993) of organizations in the United Kingdom with a
history of IT excellence found that their IT planning processes had several characteristics.

IT Planning Was Not a Separate Process
IT planning and the strategic discussion of IT occurred as an integral part of the organization’s
strategic planning processes and management discussions.

In these organizations, management did not think of separating out an IT discussion during the
course of strategy development any more than it would run separate finance or human resource
planning processes. IT planning was an unseverable, intertwined component of the usual
management conversation. This would suggest not having a separate IT steering committee.

IT Planning Had Neither a Beginning nor an End
In many organizations, IT planning processes start in a particular month every year and are
completed within a more or less set period. In the studied organizations, the IT planning and
strategy conversation went on all the time. This does not mean that an organization doesn’t
have to have a temporally demarked, annual budget process. Rather, it means that IT planning
is a continuous process that reflects the continuous change in the environment.

IT Planning Involved Shared Decision Making and Shared Learning
IT leadership informed organizational leadership of the potential contribution of new technologies
and the constraints of current technologies. Organizational leadership ensured that IT leadership
understood the business plans, strategies, and their constraints. The IT budget and annual
tactical plan resulted from shared analyses of IT opportunities and a set of IT priorities.

The IT Plan Emphasized Themes
A provider organization may have themes of improving care quality, reducing costs, and
improving patient service. During the course of any given year, IT will have initiatives that are
intended to advance the organization along these themes. The mixture of initiatives will change
from year to year, but the themes endure for many years. Because themes endure year after
year, organizations develop competence in these themes. They become, for example,
progressively better at managing costs and improving patient service. This growing prowess
extends into IT. Organizations become more skilled at understanding which IT opportunities hold
the most promise and at managing implementation of these applications. And the IT staff
members become more skilled at knowing how to apply IT to support such themes as
improving care quality and at helping leadership assess the value of new technologies and

IT Strategy Is Not Always Necessary
There are many times in IT activities when the goal, or the core approach to achieving the goal,
is not particularly strategic, and strategy formulation and strategy implementation are not
needed. Replacing an inpatient pharmacy system, enhancing help desk support, and upgrading
the network, although requiring well-executed projects, do not always require leadership to
engage in conversations about organizational goals or to take a strategic look at organizational
capabilities and skills.

There are many times when it is unlikely that the way an organization achieves a goal will create
a distinct competitive advantage. For example, an organization may decide it needs to provide
personal health records to patients, but it does not expect that that application, or its
implementation, will be so The Challenge of Emerging Technology
The information technology industry in general and the health information technology industry in
particular are ever-changing and evolving. New technologies are being introduced every day.
How does a health care executive know when to support the adoption of the “latest and
greatest” technologies? When does the organization acknowledge its current technologies are
out-of-date and need upgrading? How much of the current literature about new technologies is
“hype”? Which new technologies are likely to survive to become industry standards?

In this textbook we cover specific methods for selecting health care information systems to
meet the health care organizations’ operational needs. The questions posed here are more
general in nature and relate to the technologies on which these systems are built. Take, for
example, the use of smartphones and tablets by health care providers.

Individuals adopted those technologies for personal use with significant spillover into the work
environment. Now hospitals and other health care organizations are purchasing these devices
as a part of their overall information system infrastructure and are facing the challenges
associated with incorporating these devices into their overall systems. At what point should the
health care executives have known that these technologies were here to stay and were
something to be managed? Do the early adopters of the technologies have an advantage or a
disadvantage in the market?

There are no easy answers to these questions, but Gartner, Inc., has developed a useful
framework for health care executives to think about when considering adopting new
technologies. The hype cycle presents a view of how a technology will evolve over time. The
stated purpose is to “provide a sound source of insight to manage its deployment within the
context of . . . specific business goals.” The hype cycle (Figure 12.4) supports organizations in
their decisions to adopt the technology early or wait for further maturation. There are five key
phases to the cycle:

Technology trigger. A potential technology breakthrough kicks things off. Early proof-of-concept
stories and media interest trigger significant publicity. Often no usable products exist and
commercial viability is unproven.

Peak of inflated expectations. Early publicity by proponents of the technology reaches a
crescendo; often with little practical experience using the technology. Some companies take
action; many do not.
Trough of disillusionment. Interest wanes as experiments and implementations fail to deliver on
the hype of the peak. The technology is often immature and users of the technology are just
beginning to learn how to apply the technology to further organizational goals. Producers of the
technology shake out or fail. Investments continue only if the surviving vendors improve their
products to the satisfaction of early adopters.

Slope of enlightenment. More instances of how the technology can benefit the enterprise start to
crystallize and become more widely understood. Second- and third-generation mature products
appear from technology providers. More enterprises fund pilots; conservative companies
remain cautious. The real value of the technology begins to emerge.
Plateau of productivity. Mainstream adoption starts to take off. Criteria for assessing vendor and
product viability are more clearly defined. The technology’s broad market applicability and
relevance are clearly paying off.
superior to a competitor’s personal health record that an advantage accrues to the organization.

Much of what IT does is not strategic, nor does it require strategic thinking. Many IT projects do
not require thoughtful discussions of fundamental approaches to achieving organizational goals
or significant changes in the IT asset.
The Challenge of Emerging Technology
The information technology industry in general and the health information technology industry in
particular are ever-changing and evolving. New technologies are being introduced every day.
How does a health care executive know when to support the adoption of the “latest and
greatest” technologies? When does the organization acknowledge its current technologies are
out-of-date and need upgrading? How much of the current literature about new technologies is
“hype”? Which new technologies are likely to survive to become industry standards?

In this textbook we cover specific methods for selecting health care information systems to
meet the health care organizations’ operational needs. The questions posed here are more
general in nature and relate to the technologies on which these systems are built. Take, for
example, the use of smartphones and tablets by health care providers.
Individuals adopted those technologies for personal use with significant spillover into the work
environment. Now hospitals and other health care organizations are purchasing these devices
as a part of their overall information system infrastructure and are facing the challenges
associated with incorporating these devices into their overall systems. At what point should the
health care executives have known that these technologies were here to stay and were
something to be managed? Do the early adopters of the technologies have an advantage or a
disadvantage in the market?
There are no easy answers to these questions, but Gartner, Inc., has developed a useful
framework for health care executives to think about when considering adopting new
technologies. The hype cycle presents a view of how a technology will evolve over time. The
stated purpose is to “provide a sound source of insight to manage its deployment within the
context of . . . specific business goals.” The hype cycle (Figure 12.4) supports organizations in
their decisions to adopt the technology early or wait for further maturation. There are five key
phases to the cycle:
Technology trigger. A potential technology breakthrough kicks things off. Early proof-of-concept
stories and media interest trigger significant publicity. Often no usable products exist and
commercial viability is unproven.

Peak of inflated expectations. Early publicity by proponents of the technology reaches a
crescendo; often with little practical experience using the technology. Some companies take
action; many do not.
Trough of disillusionment. Interest wanes as experiments and implementations fail to deliver on
the hype of the peak. The technology is often immature and users of the technology are just
beginning to learn how to apply the technology to further organizational goals. Producers of the
technology shake out or fail. Investments continue only if the surviving vendors improve their
products to the satisfaction of early adopters.
Slope of enlightenment. More instances of how the technology can benefit the enterprise start to
crystallize and become more widely understood. Second- and third-generation mature products
appear from technology providers. More enterprises fund pilots; conservative companies
remain cautious. The real value of the technology begins to emerge.
Plateau of productivity. Mainstream adoption starts to take off. Criteria for assessing vendor and
product viability are more clearly defined. The technology’s broad market applicability and
relevance are clearly paying off.

In the strategic discussion of new technologies it is prudent to identify where the technology sits
on the hype cycle. It may be premature to invest at scale in technologies that are the peak of
inflated expectations. The organization may be well served to let the market evolve and the
products mature before it initiates significant investment.

However, the organization may decide that the technology, although immature and cloaked in a
fog of hype, has significant potential and that there is merit to conducting pilots so that the
organization begins to understand the potential of the technology and develop prowess in its
use. For example, the Internet of Things mentioned previously is solidly at the peak of inflated
expectations. However, the organization’s strategy may identify this class of technologies as a
potentially very important contributor to its goal of monitoring the health of people with a chronic
disease. Hence the organization will pilot the technology to better understand the impact of the
technology in improving disease management.

The development of IT alignment and strategic linkage is a complex undertaking. Four vectors,
each complex, must converge. The difficulty of this undertaking is manifest in the frequent citing
of IT alignment in surveys of major organizational issues and problems. There are no simple
answers to this problem. At the end of the day, good alignment requires talented leaders
(including the CIO) who have effective debates and discussions regarding strategies and who
have very good instincts and understandings about the organization’s strategy and the potential
contribution of IT.
Hype Cycle for Healthcare Provider Technologies and Standards
On the Rise

Blue Button+

Real-time health care system
Voice user interface
At the Peak

Natural-language processing (clinical enterprise)
E-prescribing of controlled substances
Logical data warehouse
Clinical communications and collaboration
Consent management
Enterprise file synchronization and sharing
Enterprise fraud and misuse management
Secure text messaging
Health care master data management
Sliding into the Trough

Business continuity management planning
Unified communications
Semantic interoperability/healthcare
Legacy decommissioning
End-user experience monitoring
ICD-10 (US)
Direct messaging
GS1 Healthcare (GDSN)
HL7 Infobutton
Climbing the Slope

Desktop virtualization
Patient self-service kiosks
Positive patient identification
Vendor-neutral archive
Enterprise mobility services
Information life cycle management
Location- and condition-sensing technologies
User administration/provisioning
Enterprise content management
Patient portals
Entering the Plateau

Strong authentication for enterprise access

Medical device connectivity
Source: Gartner (2015). Used with permission.

It appears that organizations that are mature in their IT use have evolved these IT alignment
processes to the point at which they are no longer distinguishable as separate processes. This
observation should not be construed as advice to cease using planning approaches or disband
effective IT steering committees. Such an evolution, to the degree that it is normative, may
occur naturally, just as kids will eventually grow up (at least most of them will).

Alter, A. (2007, Dec.). Top trends for 2008. CIO Insight, 88, 37–40.
Bensaou, M., & Earl, M. (1998). The right mind-set for managing information technology.
Harvard Business Review, 76(5), 119–128.
Chandler, A. (1962). Strategy and structure. Cambridge, MA: MIT Press.
Earl, M. (1993). Experiences in strategic information systems planning. MIS Quarterly, 17(1),
Gartner. (2014, Aug.). Hype cycle for emerging technologies, 2014. Retrieved May 2016 from
Gartner. (2015, July). Hype cycle for healthcare provider technologies and standards, 2015.
Retrieved May 2016 from
Henderson, J., & Venkatraman, N. (1993). Strategic alignment: Leveraging information
technology for transforming organizations. IBM Systems Journal, 32(1), 4–16.
Information Management. (2016). Top 10 CIO concerns. Retrieved April 2016 from
Porter, M. (1980). Competitive strategy. New York, NY: Free Press.
Weill, P., & Broadbent, M. (1998). Leveraging the new infrastructure. Boston, MA: Harvard
Business School Press.

Chapter 13
IT Governance and Management
In this chapter we discuss an eclectic but important set of information technology (IT)
management processes, structures, and issues. Developing, managing, and evolving IT
management mechanisms is often a central topic for organizational leadership. In this chapter
we will cover the following areas:
IT governance. IT governance is composed of the processes, reporting relationships, roles, and
committees that an organization develops to make decisions about IT resources and activities
and to manage the execution of those decisions. These decisions involve issues such as
setting priorities, determining budgets, defining project management approaches, and
addressing IT problems.
IT budget. Developing the IT budget is a complex exercise. Organizations always have more IT
proposals than can be funded. Some proposals are strategically important and others involve
routine maintenance of existing infrastructure, making proposal comparison difficult. Although
complex and difficult, the effective development of the IT budget is a critical management
Management role in major IT initiatives. Senior management has an extremely important role in
ensuring that major IT initiatives succeed and result in desired organizational performance
gains. In other chapters of this book, management process for system selection,
implementation, and value realization were discussed. In this section we discuss risk factors
facing major initiatives and steps management can take to mitigate those risks.
IT effectiveness. Over the years several organizations have demonstrated exceptional
effectiveness in applying IT: American Express, Bank of America, Uber, Amazon, Schwab, and
American Airlines. This chapter discusses what the management of these organizations did that
led to such effectiveness. It also examines the attributes of IT-savvy senior leadership.
IT to improve an organization’s competitive position. IT is often used as a means to improve an
organization’s ability to compete. In this section we will discuss lessons learned from other
industries from their efforts to use IT as a competitive asset.
IT Governance
IT governance refers to the principles, processes, and organizational structures that govern the
IT resources (Drazen & Straisor, 1995). When solid governance exists, the organization is able
to give a coherent answer to the following questions:
Which committees and processes are used to define the IT strategy?
Who sets priorities for IT, and how are those priorities set?
Who is responsible for implementing information system plans, and what principles will guide the
implementation process?
How are IT responsibilities distributed between IT and the rest of the organization and between
centralized and decentralized (local) IT groups in an integrated delivery system?

How are IT budgets developed?
At its core, governance involves the following functions:
Determining the distribution of the responsibility for making decisions, the scope of the decisions
that can be made by different organizational functions, and the processes to be used for making
Defining the roles that various organizational members and committees fulfill for IT—for
example, which committee should monitor progress in an EHR implementation and what is the
role of a department head during the implementation of a new system for his or her department?
Developing IT-centric organizational processes for making decisions in key areas such as
IT strategy development
IT prioritization and budgeting
IT project management
IT architecture and infrastructure management
Defining policies and procedures that govern the use of IT—for example, if a user wants to buy
a new network for use in his or her department, what policies and procedures govern that
Developing and maintaining an effective and efficient IT governance structure is a complex
exercise. Moreover, governance is never static. Continuous refinements may be needed as the
organization discovers imperfections in roles, responsibilities, and processes.
The Foundation of IT Governance
Peter Weill and Jeanne Ross have identified five major areas that form the foundation of IT
governance. The organization’s governance mechanisms need to create structures and
processes for these areas.
IT principles: high-level statements about how IT is used in the business
IT architecture: an integrated set of technical choices to guide the organization in satisfying
business needs. The architecture is a set of policies, procedures, and rules for the use of IT and
for evolving IT in a direction that improves IT support for the organization.
IT infrastructure strategies: strategies for the existing technical infrastructure (and IT support
staff) that ensure the delivery of reliable secure and efficient services
Business application needs: processes for identifying the needed applications
IT investment and prioritization: mechanism for making decisions about project approvals and
Source: Weill and Ross (2004, p. 27).
Governance Characteristics
Well-developed governance mechanisms have several characteristics.
They are perceived as objective and fair. No organizational decision-making mechanisms are
free from politics, and some decisions will be made as part of side deals. It is exceptionally rare

for all managers of an organization to agree with any particular decision. Nonetheless,
organizational participants should generally view governance as fair, objective, well-reasoned,
and having integrity. The ability of governance to govern is highly dependent on the willingness
of organizational participants to be governed.
They are efficient and timely. Governance mechanisms should arrive at decisions quickly, and
governance processes should be efficient, removing as much bureaucracy as possible.
They make authority clear. Committees and individuals who have decision authority should
have a clear understanding of the scope of their authority. Individuals who have IT roles should
understand those roles. The organization’s management must have a consistent understanding
of its approach to IT governance. There always will be occasions when decision rights are
murky, roles are confusing, or processes are unnecessarily complex, but these occasions
should be few.
They can change as the organization, its environment, and its understanding of technology
changes. For example, efforts to implement regional interoperability between EHRs will require
new governance mechanisms that bring representatives from the partnering organizations
together to deal with inter-organizational IT issues such as the allowable uses of shared data.
Governance mechanisms evolve as IT technology and the organization’s use of that technology
IT, User, and Senior Management Responsibilities
Effective application of IT involves the thoughtful distribution of IT responsibilities among the IT
department, users of applications and IT services, and senior management. In general, these
responsibilities address decision-making rights and roles. Although different organizations will
arrive at different distributions of these responsibilities, and an organization’s distribution may
change over time, there is a fairly normative distribution (Applegate, Austin, & McFarlan, 2007).
IT Department Responsibilities
The IT department should be responsible for the following:
Developing and managing the long-term architectural plan and ensuring that IT projects conform
to that plan.
Developing a process to establish, maintain, and evolve IT standards in several areas:
Telecommunications protocols and platforms
Client devices, such as workstations and mobile devices, and client software configurations
Server technologies, middleware, and database management systems
Programming languages
IT documentation procedures, formats, and revision policies
Data definitions (this responsibility is generally shared with the organization function, such as
finance and health information management, that manages the integrity and meaning of the
IT disaster and recovery plans
IT security policies and incident response procedures

Developing procedures that enable the assessment of sourcing options for new initiatives, such
as building versus buying new applications or leveraging existing vendor partner offerings
versus utilizing a new vendor when making an application purchase
Maintaining an inventory of installed and planned systems and services and developing plans
for the maintenance of systems or the planned obsolescence of applications and platforms
Managing the professional growth and development of the IT staff [members]
Establishing communication mechanisms that help the organization understand the IT agenda,
challenges, and services and new opportunities to apply IT
Maintaining effective relationships with preferred IT suppliers of products and services
(Applegate, Austin, & McFarlan, 2007, p. 429)1
The scope and depth of these responsibilities may vary. Some of the responsibilities of the IT
group may be delegated to others. For example, some non-IT departments may be permitted to
have their own IT staff members and manage their own systems. This should be done only with
the approval of senior management. And the IT department should be asked to provide
oversight of the departmental IT group to ensure that professional standards are maintained and
that no activities that comprise the organization’s systems are undertaken. For example, the IT
department can ensure that virus control procedures and software are effectively applied.
In general, the IT department is responsible for making sure that individual and organizational
information systems are reliable, secure, efficient, current, and supportable. IT is also usually
responsible for managing the relationship with suppliers of IT products and services and
ensuring that the processes that lead to new IT purchases are rigorous.
User Responsibilities
IT users (primarily middle managers and supervisors) have several IT-related user
Understanding the scope and quality of IT activities that are supporting their area or function
Ensuring that the goals of IT initiatives reflect an accurate assessment of the function’s needs
and challenges and that the estimates of the function’s resources (personnel time, funds, and
management attention) needed by IT initiatives—to support the implementation of a new
system, for example—are realistic
Developing and reviewing specifications for IT projects and ensuring that ongoing feedback is
provided to the IT organization on implementation issues, application enhancements, and IT
support, ensuring, for example, that the new application has the functionality needed by the user
Ensuring that the applications used by a department are functioning properly, such as by
periodically testing the accuracy of system-generated reports and checking that passwords are
deleted when staff [members] leave the organization
Participating in developing and maintaining the IT agenda and priorities (Applegate, Austin, &
McFarlan, 2007, p. 431)2
These responsibilities constitute a minimal set. In Chapters Six and Seven, we discussed an
additional, and more significant, set of responsibilities during the selection and implementation of
new applications.

Senior Management Responsibilities
The primary IT senior management responsibilities are as follows:
Ensuring that the organization has a comprehensive, thoughtful, and flexible IT strategy
Ensuring an appropriate balance between the perspectives and agendas of the IT organization
and the users—for example, the IT organization may want a new application that has the most
advanced technology, [and] the user department wants the application that has been used in the
industry for a long time
Establishing standard processes for budgeting, acquiring, implementing, and supporting IT
applications and infrastructure
Ensuring that IT purchases and supplier relationships conform to organizational policies and
practices—for example, contracts with IT vendors need to use standard organizational contract
Developing, modifying, and enforcing the responsibilities and roles of the IT organization and
Ensuring that the IT applications and activities conform to all relevant regulations and required
management controls and risk mitigation processes and procedures
Encouraging the thoughtful review of new IT opportunities and appropriate IT experimentation
(Applegate, Austin, & McFarlan, 2007, p. 432)3
Although organizations will vary in the ways they distribute decision-making responsibility and
roles and the ways in which they implement them, problems may arise when the distribution
between groups is markedly skewed (Applegate, Austin, & McFarlan, 2007).
Too much user responsibility can lead to a series of uncoordinated and undermanaged user
investments in information technology. This can result in these problems:
An inability to achieve integration between highly heterogeneous systems
Insufficient attention to infrastructure, resulting in application instability
High IT costs because of insufficient economies of scale, significant levels of redundant activity,
and the cost of supporting a high number of heterogeneous systems
A lack of, or uneven, rigor applied to the assessment of the value of IT initiatives—for example,
insufficient homework may be done and an application selected that has serious functional
Too much IT responsibility can lead to these problems:
Too much emphasis on technology, to the detriment of the fit of an application with the user
function’s need: for example, when a promising application does not completely satisfy the IT
department’s technical standards, IT will not allow its acquisition
Principles for IT Investments and Management

Charlie Feld and Donna Stoddard have identified three principles for effective IT investments
and management. They note that the responsibility for developing and implementing these
principles lies with the organization’s senior leadership.
A long-term IT renewal plan linked to corporate strategy. Organizations need IT plans that are
focused on achieving the organization’s overall strategy and goals. The organization must
develop this IT renewal plan and remain focused, often over the course of many years, on its
A simplified, unifying corporate technology platform. This IT platform must be well architected
and be defined and developed from the perspective of the overall organization rather than the
accumulation of the perspectives of multiple departments and functions.
A highly functional, performance-oriented IT organization. The IT organization must be skilled,
experienced, organized, goal-directed, responsive, and continuously work on establishing great
working relationships with the rest of the organization.
Source: Feld and Stoddard (2004, p. 73).
A failure to achieve the value of an application because of user resistance to a solution imposed
by IT: “We in the IT department have decided that we know what you need. We don’t trust your
ability to make an intelligent decision.”
Too much rigor applied to IT investment decisions; excessive bureaucracy can stifle innovation
A very high proportion of the IT budget devoted to infrastructure to the detriment of application
initiatives as the IT department seeks to achieve ever greater (though perhaps not necessary)
levels of reliability, security, and agility
Reduction in business innovation when IT is unwilling to experiment with new technologies that
might have stability and supportability problems
Either extreme can clearly create problems. And no compromise position will make the IT
department and the IT users happy with all facets of the outcome. An outcome of “the best
answer we can develop but not an answer that satisfies all” is an inevitable result of the
leadership discussion of responsibility and role distribution.
Specific Governance Structures
In any organization there may be a plethora of committees and a series of complex reporting
relationships and accountabilities, all of which need to operate with a fair degree of harmony in
order for governance to be effective. Among them should be five core structures for governing
A board committee responsible for IT
A senior leadership forum that guides the development of the IT agenda, finalizes the IT budget,
develops major IT-centric policies, and addresses any significant IT issue that cannot be
resolved elsewhere
Initiative- and project-specific committees and roles (this was discussed in the chapters on
implementation and value)
IT liaison relationships
A chief information officer (CIO) and other IT staff members (described in Chapter Eight)

The Board
The health care organization’s board holds the fundamental accountability for the performance of
the organization, including the IT function. The board must decide how it will carry out its
responsibility with respect to IT.
At a minimum this responsibility involves receiving a periodic update (perhaps annually) at a
board meeting from the CIO about the status of the IT agenda and the issues confronting the
effective use of IT. In addition, financial information system controls and IT risk mitigation are
often identified and discussed by the board’s audit committee, and the IT budget is discussed by
the finance committee.
Some organizations create an IT committee on the board. Realizing that the usual board agenda
might not always allow sufficient time for discussion of important IT issues and that not all board
members have deep experience in IT, the board can appoint a committee of board members
who are seasoned IT professionals (IT academics, CIOs of regional organizations, and leaders
in the IT industry). The committee, chaired by a trustee, need not be composed entirely of board
members. IT professionals who are not on the board may serve as members, too. This
committee informs the board of its assessments of a wide range of IT challenges and initiatives
and makes recommendations about these issues.
The charter for such a committee might charge the committee to do the following:
Review and critique IT application, technical, and organizational strategies.
Review and critique overall IT tactical plans and budgets.
Discuss and provide advice on major IT issues and challenges.
Explore opportunities to leverage vendor partnerships.
Senior Leadership Organizational Forum
Most health care organizations have a committee called something similar to the executive
committee. Composed of the senior leadership of the organization, this committee is the forum
in which strategy discussions occur and major decisions regarding operations, budgets, and
initiatives are made. It is highly desirable to have the CIO be a member of this committee.
Major IT decisions should be made at the meetings of this committee. These decisions will
cover a gamut of topics, such as approving the outcome of a major system selection process,
defining changes in direction that may be needed during the course of significant
implementations, setting IT budget targets, and ratifying the IT component of the
strategic-planning efforts.
This role does not preclude the executive committee from assigning IT-related tasks or
discussions to other committees. For example, a medical staff leadership committee may be
asked to develop policies regarding physician documentation of the problem list. A committee of
department heads may be asked to select a new application to support registration and

scheduling. A committee of human resource staff members may be charged with developing
policies regarding organizational staff member use of social media sites.
The executive committee, major departments and functions, and several high-level committees
will regularly be confronted with IT topics and issues that do not arise from the organization’s IT
plan and agenda. For example, a board member may ask if the organization should outsource
its IT function. Several influential physicians may suggest that the organization assess a new
information technology that seems to be getting a lot of hype. The CEO may ask how the
organization should (or whether it should) respond to an external event: for example, a new
Institute of Medicine report. The organization may need to address new regulations: for
example, rules being issued by CMS.
Some organizations create an IT steering committee and charge this committee with addressing
all IT issues and decisions. The use of such committees is uneven in health care organizations.
Approximately half have such a committee.
IT Liaison Relationships
All major functions and departments of the organization—for example, finance, human
resources, member services, medical staff affairs, and nursing—should have an IT liaison. The
IT liaison is responsible for the following:
Developing effective working relationships with the leadership of each major function
Ensuring that the IT issues and needs of these functions are understood and communicated to
the IT department and the executive committee
Working with function leadership to ensure appropriate IT representation on function task forces
and committees that are addressing initiatives that will require IT support
Ensuring that the organization’s IT strategy, plans and policies, and procedures are discussed
with function leadership
The IT liaison role is an invaluable one. It ensures that the IT department and the IT strategy
receive needed feedback and that function leaders understand the directions and challenges of
the IT agenda. It also promotes an effective collaboration between IT and the other functions and
The specific governance structures just described are typical in medium-sized and large
provider or payer organizations. In other types of health care settings, these structures will be
A medium-sized physician group might not have a separate board. The physicians and the
practice manager might make up the board and the senior leadership forum. The group might
not need a CIO. Instead the practice administrator might manage contracts and relationships
with companies that provide practice management systems and support workstations and
printers. The practice administrator also might perform all user liaison functions.

Improving Coordination and Working Relationships
Carol Brown and Vallabh Sambamurthy have identified five mechanisms used by IT groups to
improve their coordination and working relationships with the rest of the organization.
Integrators are individuals who are responsible for linking a particular organization department or
function with the IT department. An integrator might be a CIO who is a participant in senior
management forums. An integrator might also be an IT person who is responsible for working
with the finance department on IT initiatives that are centered on that function; such a person
might have a title such as manager, financial information systems.
Groups are committees and task forces that regularly bring IT staff [members] and organization
staff [members] together to work collectively on IT issues. These groups could include, for
example, the information systems steering committee or a standing joint meeting between IT
and nursing to address current IT issues and review the status of ongoing IT initiatives.
Processes are organizational approaches to management activity such as developing the IT
budget, selecting new applications, and implementing new systems. These processes
invariably involve both IT and non-IT staff [members].
Informal relationship building includes a series of activities such as one-on-one meetings, IT
staff presentations at department head meetings, and co-location of IT staff [members] and user
staff [members].
Human resource practices include training IT staff [members] on team building, offering user
feedback to IT staff [members] during their reviews, and having IT staff [members] spend time
in a user area observing work.
Source: Brown and Sambamurthy (1999, p. 68).
A division within a state department of public health would not have a board, but it should have a
forum where division leadership can discuss IT issues. IT decisions might be made there or at
meetings of the leadership of the overall department. Similarly, the CIO for the department might
not have organized IT in a way that results in a division CIO. And the staff members of the
department CIO might provide user liaison functions for the division.
Despite these variations, effective management of IT still requires
A senior management forum where major IT decisions are made
A person responsible for day-to-day management of the IT function and for ensuring that an IT
strategy exists
Mechanisms for ensuring that IT relationships have been established with major organizational
In addition, although the structures will vary, the guidance for the respective roles of the IT
group, users, and management remains the same. The desirable attributes of the person
responsible for IT are unchanged. And the properties of good governance do not change.
IT Budget

Developing budgets is one of the most critical management undertakings; it is the process that
makes strategy real because it involves the commitment of resources. The budget process
forces management to make choices between initiatives and investments and requires analysis
of the scope and impact of any initiative—for example, it forces answers to questions such as,
do we really believe that this initiative enables us to reduce supply costs by 3 percent?
Developing the IT budget is challenging for several reasons:
The IT projects proposed at any one time are eclectic. In addition to the IT initiatives proposed
as a result of the alignment and strategic planning process, other initiatives may be put forward
by clinical or administrative departments that desire to improve some aspect of their
performance. Also on the table may be IT projects designed to improve infrastructure—for
example, a proposal to upgrade servers. These initiatives will all be different in character and in
the return they offer, making them difficult to compare.
Dozens, if not hundreds, of IT proposals may be made, making it challenging to fully understand
all the requests.
The aggregate request for capital and operating budgets can be too expensive. It is not unusual
for requests to total three to four times more money than the organization can afford. Even if it
wanted to fund all of the requests, the organization doesn’t have enough money to do so.
And yet the budget process requires that the organization grapple with these complexities and
arrive at a budget answer.
Capital and Operating
The first category distinguishes between capital and operating budgets. Financial management
courses are the best place to learn about these two categories. In brief, however, capital
budgets are the funds associated with purchasing and deploying an asset. Common capital
items in IT budgets are hardware and applications. Operating budgets are the funds associated
with using and maintaining the asset. Common operating items in IT budgets are hardware
maintenance contracts and the salaries of IT analysts. In an analogous fashion, the purchase of
a car is a capital expense. Gasoline and tune-ups are operating expenses. Both capital and
operating budgets are prepared for IT initiatives.
Support, Ongoing, and New IT
Support refers to those IT costs (staff members, hardware, and software licenses) necessary to
support and maintain the applications and infrastructure that are in place now. Software
maintenance contracts ensure that applications receive appropriate upgrades and bug fixes.
Staff members are needed to run the computer room and perform minor enhancements. Disk
drives may need to be replaced. Failure to fund support activities can make it much more
difficult to ensure the reliability of systems or to evolve applications to accommodate ongoing
needs—for example, adding a new test to the dictionary for a laboratory system or introducing a
new plan type into the patient accounting system.
Ongoing projects are those application implementations begun in a prior year and still under
way. The implementation of a patient accounting system or a care coordination application can

take several years. Hence a capital and operating budget is needed for several years to
continue the implementation.
New projects are just that—there is a proposal for a new application or infrastructure application.
The IT strategy may call for new systems to support nursing. Concerns over network security
may lead to requests for new software to deter the efforts of hackers.
Improve Current Operations or Strategic Plan
Proposals may be directed to improving current operations, perhaps by responding to new
regulations or streamlining the workflow in a department. Proposals may also be explicitly linked
to an aspect of the health care organization’s strategic plan—they might call for applications to
support a strategic emphasis on disease management, for example.
Budget Targets
During the budget process, organizations define targets for the budget overall and for its
components. For example, the organization might state that it would like to keep the overall
growth in its operating budget to 2 percent but is willing to allow 5 percent growth in the IT
operating budget. The organization might also direct that within that overall 5 percent growth, the
budget for support should not grow by more than 3 percent, but the budget for new projects and
ongoing projects combined can grow by 11 percent. Table 13.1 illustrates the application of
overall and selective operating budget targets.
Table 13.1 Target increases in an IT operating budget
Support Operations Strategic Initiatives Overall Target
Ongoing and new 9% 15% 11%
Support 3% 3% 3%
Similarly, targets can be set for the capital budget. For example, perhaps it will be decided that
the capital budget for support should remain flat but that given the decision to invest in an EHR
system, the overall capital budget will increase to accommodate the capital required by the EHR
IT Budget Development
In addition to formulating the categories just described, organizational leadership will need to
develop the process through which the IT budget is discussed, prioritized, and approved. In
other words, it must answer the governance question, what processes will we use to decide
which projects will be approved subject to our targets? An example of a budget process is
outlined in this section and illustrated in Figure 13.1.
This process example has five components.
First, the IT department submits an operating budget to support the applications and
infrastructure that will be in place as of the beginning of the fiscal year (the support budget). This

budget might be targeted to a 3 percent increase over the support budget for the prior fiscal year.
The 3 percent increase reflects inflation, salary increases, a recognition that new systems were
implemented during the fiscal year and will require support, and an acknowledgment that
infrastructure (workstations, remote locations, and storage) consumption will increase. A figure
for capital to support applications and infrastructure is also submitted, and it might be targeted to
be the same as that budgeted in the prior fiscal year. If the support operating and capital budgets
achieve their targets, there is minimal management discussion of those budgets.
Second, IT leadership reviews the strategic IT initiatives (new and ongoing) with the senior
leadership of the organization. This review may occur in a forum such as the executive
committee. This committee, mindful of its targets, determines which strategic initiatives will be
funded. If the budget being sought to support strategic IT initiatives is large or a major increase
over the previous year, there may be discussions about the budget with the board.
Third, the organization must decide which new and ongoing initiatives that improve current
operations—for example, a new clinical laboratory or contract management system—will be
funded. These discussions must occur in the forum where the overall operations budget is
discussed, generally organizational meetings that routinely discuss operations and that include
among their members the managers of major departments and functions. Budget requests for
new IT applications are reviewed in the same conversation that discusses budget requests for
new clinical services or improvement of the organization’s physical plant.
Fourth, the IT strategy budget discussion and the IT operations budget discussion follow a set of
ground rules:
The IT budget is discussed in the same conversations that discuss non-IT budget requests.
This will result in trade-offs between IT expenditures and other expenditures. This integration
forces the organization to examine where it believes its monies are best spent, asking, for
example, Should we invest in this IT proposal or should we invest in hiring staff members to
expand a clinical service? Following this process also means that IT requests and other budget
requests are treated no differently.
The level of analytical rigor required of the IT projects is the same as that required of any other
requested budget item.
When appropriate, a sponsor—for example, a clinical vice president or a CFO—defends the IT
requests that support his or her department in front of his or her colleagues. The IT staff
members or CIO should be asked to defend infrastructure investments—for example, major
changes to the network—but should not be asked to defend applications.
The ground rule that sponsors should present their own IT requests deserves a bit more
discussion, because the issue of who defends the request has several important ramifications,
particularly for initiatives designed to improve current operations. Having this ground rule has the
following results:

It forces assessment of trade-offs between IT and non-IT investments. The sponsor will
determine whether to present the IT proposal or some other, perhaps non-IT, proposal.
Sponsors are choosing which investments are the most important to them.
It forces accountability for investment results. The sponsor and his or her colleagues know that
if the IT proposal is approved, there will be less money available for other initiatives. The
defender also knows that the value being promised must be delivered or his or her credibility in
next year’s budget discussion will be diminished.
It improves management comfort when dealing with IT proposals. Managers can be more
comfortable with the IT proposal if one of their operations colleagues is defending it. The
defender also learns how to be comfortable when presenting IT proposals.
It gets IT out of the role of defending other people’s operation improvement initiatives. However,
the IT function must still support the budget requests of others by providing data on the costs
and capabilities of the proposed applications and the time frames and resources required to
implement them. If the IT function believes that the proposed initiative lacks merit or is too risky,
IT staff members need to ensure that this opinion is heard during the budget approval process.
In the fifth and final step of the process, the operations and strategic budget recommendations
are reviewed and discussed at an executive committee meeting. The executive committee can
accept the recommendations, request further refinement (perhaps cuts) of the budget, or
determine that a discussion of the budget is required at an upcoming board meeting.
Management Role in Major IT Initiatives
The failure rate of IT initiatives is surprisingly high. Project failure occurs when a project is
significantly over budget, takes much longer than the estimated timeline, or has to be terminated
because so many problems have occurred that proceeding is no longer judged to be viable.
Cook (2007) finds that 35 percent of IT projects were successful, whereas 19 percent failed.
The remaining 46 percent delivered a useful product but suffered from budget overruns,
prolonged timetables, and application feature shortfalls.
Cash, McFarlan, and McKenney (1992) note that two major categories of risk confront
significant IT investments: strategy failures and implementation failures. The project failure rates
suggest that management should be more worried about IT implementation than IT strategy. IT
strategy is sexier and more visionary than implementation. However, a very large number of
strategies and visions go nowhere or are diminished because the organization is unable to
implement them.
It is rare that leaders plan to fail. And yet they often do things or don’t do things that increase the
likelihood that a major initiative will fail. At times they don’t appreciate the myriad ways that
projects can go south and hence they fail to take steps to mitigate those risk factors. In the
sections that follow we discuss factors that imperil implementations, factors that can be
Lack of Clarity of Purpose
Any project or initiative is destined for trouble if its objectives and purpose are unclear.
Sometimes the purpose of a project is only partially clear. For example, an organization may

have decided that it should implement an EHR in an effort to “improve the quality and efficiency
of care.” However, it is not really clear to the leadership and staff members how the EHR will be
used to improve care. Will problems associated with finding a patient’s record be solved? Will
the record be used to gather data about care quality? Will the record be used to support
outpatient medication ordering and reduce medication error rates?
All these questions can be answered yes, but if the organization never gets beyond the slogan
of “improve the quality and efficiency of care,” the scope of the project will be murky. The
definition of care improvement is left up to the project participant to interpret. And the scope and
timetable of the project cannot possibly be precise because project objectives are too fuzzy.
Lack of Belief in the Project
At times the objectives are very clear, but the members of the organization are not convinced
that the project is worth doing at all. Because the project will change the work life of many
members and require that they participate in design and implementation, they need to be
sufficiently convinced that the project will improve their lives or is necessary if the organization
is to thrive. They will legitimately ask, what’s in it for me? Unconvinced of the need for the
project, they will resist it. A resistant organization will likely doom any project. Projects that are
viewed as illegitimate by a large portion of the people in an organization rarely succeed.
Insufficient Leadership Support
The organization’s leaders may be committed to the undertaking yet not demonstrate that
commitment. For example, leaders may not devote sufficient time to the project or may decide
to send subordinates to meetings. This broadcasts a signal to the organization that the leaders
have other, “more important” things to do. Tough project decisions may get made in a way that
shows the leaders are not as serious as their rhetoric, because when push came to shove, they
caved in.
Members of the leadership team may have voted yes to proceed with a project, but their votes
may not have included their reservations about the utility of the project or the way it was put
together. Once problems are encountered in the project (and all projects encounter problems),
this qualified leadership support evaporates, and the silent reservations become public
statements such as, “I knew that this would never work.”
Organizational Inertia
Even when the organization is willing to engage in a project, inertia can hinder it. People are
busy. They are stressed. They have jobs to do. Some of the changes are threatening. Staff
members may believe these changes leave them less skilled or with reduced power. Or they
may not have a good understanding of their work life after the change, and they may imagine
that an uncertain outcome cannot be a good outcome.
Projects add work on top of the workload of often already overburdened people. Projects add
stress for often already stressed people. As a result, despite the valiant efforts of leadership and
the expenditure of significant resources, a project may slowly grind to a halt because too many

members find ways to avoid or not deal with the efforts and changes the initiative requires.
Bringing significant change to a large portion of the organization is very hard because, if nothing
else, there is so much inertia to overcome.
Organizational Baggage
Organizations have baggage. Baggage comes in many forms. Some organizations have no
history of competence in making significant organizational change. They have never learned
how to mobilize the organization’s members. They do not know how to handle conflict. They are
unsure how to assemble and leverage multidisciplinary teams. They have never mastered
staying the course over years during the execution of complex agendas. These organizations
are “incompetent,” and this incompetence extends well beyond IT, although it clearly includes IT
An organization may have tried initiatives “like this” before and failed. The proponents of the
initiative may have failed at other initiatives. Organizations have very long memories, and their
members may be thinking something like, “The same clowns who brought us that last fiasco are
back with an even ‘better’ idea.” The odor from prior failures significantly taints the credibility of
newly proposed initiatives and helps to ensure that organizational acceptance will be weak.
Lack of an Appropriate Reward System
Aspects of organizational policies, incentives, and practices can hinder a project. The
organization’s incentive system may not be structured to reward multidisciplinary behavior—for
example, physicians may be rewarded for research prowess or clinical excellence but not for
sitting on committees to design new clinical processes. An integrated delivery system may
have encouraged its member hospitals to be self-sufficient. As a result, management practices
that involve working across hospitals never matured, and the organization does not know how
(even if it is willing) to work across hospitals.
Lack of Candor
Organizations can create environments that do not encourage healthy debate. Such
environments can result when leadership is intolerant of being challenged or has an inflated
sense of its worth and does not believe that it needs team effort to get things done. The lack of a
climate that encourages conflict and can manage conflict means that initiative problems will not
get resolved. Moreover, organizational members, not having had their voices heard, will tolerate
the initiative only out of the hope that they will outlast the initiative and the leadership.
Sometimes the project team is uncomfortable delivering bad news. Project teams will screw up
and make mistakes. Sometimes they really screw up and make really big mistakes. Because
they may be embarrassed or worried that they will be admonished, they hide the mistakes from
the leadership and attempt to fix the problems without “anyone having to know.” This attempt to
hide bad news is a recipe for disaster. It is unrealistic to expect problems to go unnoticed;
invariably the leadership team finds out about the problem and its trust in the project team
erodes. At times leadership has to look in the mirror to see if its own intolerance for bad news in
effect created the problem.

Project Complexity
Project complexity is determined by many factors:
The number of people whose work will be changed by the project and the depth of those
The number of organizational processes that will be changed and the depth of those changes
The number of processes linking the organization and other organizations that will be changed
and the depth of those changes
The interval over which all this change will occur: for example, will it occur quickly or gradually?
If the change is significant in scale, scope, and depth, then it becomes very difficult (often
impossible) for the people managing the project to truly understand what the project needs to do.
The design will be imperfect. The process changes will not integrate well. And many curves will
be thrown in the project’s way as the implementation unfolds and people realize their mistakes
and understand what they failed to understand initially.
Sometimes complex projects disappear in an organizational mushroom cloud. The complexity
overwhelms the organization and causes the project to crash suddenly. More common is “death
by ants”—no single bite (or project problem) will kill the project, but a thousand will. The
organization is overwhelmed by the thousand small problems and inefficiencies and terminates
the undertaking.
Managers should remember that complexity is relative. Organizations generally have developed
a competency to manage projects up to a certain level and type of complexity. Projects that
require competency beyond that level are inherently risky. A project that is risky for one
organization may not be risky for another. For example, an organization that typically manages
projects that cost $2 million, take ten person-years of effort, and affect three hundred people will
struggle with a project that costs $20 million and takes one hundred person-years of effort
(Cash, McFarlan, & McKenney, 1992).
Failure to Respect Uncertainty
Significant organizational change brings a great deal of uncertainty with it. The leadership may
be correct in its understanding of where the organization needs to go and the scope of the
changes needed. However, it is highly unlikely that anyone really understands the full impact of
the change and how new processes, tasks, and roles will really work. At best, leadership has a
good approximation of the new organization. The belief that a particular outcome is certain can
be a problem in itself.
Agility and the ability to detect when a change is not working and to alter its direction are very
important. Detection requires that the organization listens to the feedback of those who are
waist-deep in the change and is able to discern the difference between the organizational noise
that comes with any change and the organizational noise that reflects real problems. Altering
direction requires that the leadership not cling to ideas that cannot work and also be willing to
admit to the organization that it was wrong about some aspects of the change.

Initiative Undernourishment
There may be a temptation, particularly as the leadership tries to accomplish as much as it can
with a constrained budget, to tell a project team, “I know you asked for ten people, but we’re
going to push you to do it with five.” The leadership may believe that such bravado will make the
team work extra hard and, through heroic efforts, complete the project in a grand fashion.
However, bravado may turn out to be bellicose stupidity. This approach may doom a project,
despite the valiant efforts of the team to do the impossible. Another form of undernourishment
involves placing staff members other than the best people on the initiative. If the initiative is very
important, then it merits using the best people possible and freeing up their time so they can
focus on the initiative. An organization’s best staff members are always in demand, and there
can be a temptation to say that it would be too difficult to pull them away from other pressing
They are needed elsewhere and this decision is difficult. However, if the initiative is critical to the
organization, then those other demands are less important and can be given to someone else.
Critical organizational initiatives should not be staffed with the junior varsity.
Failure to Anticipate Short-Term Disruptions
Any major change will lead to short-term problems and disruptions in operations. Even though
current processes can be made better, they are working and staff members know how to make
them work. When processes are changed, there is a shakeout period as staff members adjust
and learn how to make the new processes work well. At times, adjusting to the new application
system is the core of the disruption. A shakeout can go on for months and degrade
organizational performance. Service will deteriorate. Days in accounts receivable will climb.
Balls will be dropped in many areas. The organization can misinterpret these problems as a sign
that the initiative is failing.
Listening closely to the issues and suggestions of the front line is essential during this time.
These staff members need to know that their problems are being heard and that their ideas for
fixing these problems are being acted on. People often know exactly what needs to be done to
remove system disruptions. Listening to and acting on their advice also improves their buy-in to
the change.
Although working hard to minimize the duration and depth of disruption, the organization also
needs to be tolerant during this period and to appreciate the low-grade form of hell that staff
members are enduring. It is critical that this period be kept as short and as pain free as possible.
If the disruption lasts too long, staff members may conclude that the change is not working and
abandon their support.
Lack of Technology Stability and Maturity
Information technology may be obviously immature. New technologies are being introduced all
the time, and it takes time for them to work through their kinks and achieve an acceptable level

of stability, supportability, and maturity. Some forms of social networking are current examples
of information technologies that are in their youth.
Organizations can become involved in projects that require immature technology to play a
critical role. This clearly elevates the risk of the project. The technology will suffer from
performance problems, and the organization’s IT staff members and the technology supplier
may have a limited ability to identify and resolve technology problems. Organizational members,
tired of the instability, become tired of the project and it fails.
In general, it is not common, nor should it often be necessary, for a project to hinge on the
adequate performance of new technology. A thoughtful assessment that a new technology has
potentially extraordinary promise and that the organization can achieve differential value by
being an early adopter should precede any such decision. Even in these cases, pilot projects
that provide experience with the new technology while limiting the scope of its implementation
(which minimizes potential damage) are highly recommended.
Projects can also get into trouble when the amount of technology change is extensive. For
example, the organization may be attempting to implement, over a short period of time,
applications from several different vendors that involve different operating systems, network
requirements, security models, and database management systems. This broad scope can
overwhelm the IT department’s ability to respond to technology misbehavior.
How to Avoid These Mistakes
Major IT projects fail in many ways. However, a large number of these failures can be mitigated
by management attention to risk factors. Few management teams and senior leaders start IT
projects hoping that failure is the outcome. Summarizing our discussion in this section produces
a set of recommendations that can help organizations reduce the risk of IT initiative failure:
Ensure that the objectives of the IT initiative are clear.
Communicate the objectives and the initiative, and test the degree to which organizational
members have bought into them.
Publicly demonstrate conviction by “being there” and showing resolve during tough decisions.
Respect organizational inertia, and keep hammering away at it.
Distance the project from any organizational baggage, perhaps through a thoughtful choice of
project sponsors and managers.
Change the reward system if necessary to create incentives for participants to work toward
project success.
Accept and welcome the debate that surrounds projects, invite bad news, and do not hang those
who make mistakes.
Address complexity by breaking the project into manageable pieces, and test for evidence that
the project might be at risk from trying to do too much all at once.
Realize that there is much you do not know about how to change the organization or the form of
new processes; be prepared to change direction and listen and respond to those who are on the
front line.

Supply resources for the project appropriately, and assign the project to your best team.
Try to limit the duration and depth of the short-term operational disruption, but accept that it will
Ensure and communicate regular, visible progress.
Be wary of new technology and projects that involve a broad scope of information technology
These steps, along with solid project management, can dramatically reduce the risk that an IT
project will fail. However, these steps are not foolproof. Major IT projects, particularly those
accompanied by major organizational change, will always have a nontrivial level of risk.
There will also be times when a review of the failure factors indicates that a project is too risky.
The organization may not be ready; there may be too much baggage, too much inertia to
overcome; the best team may not be available; the organization may not be good at handling
conflict; or the project may require too much new information technology. Projects with
considerable risk should not be undertaken until progress has been made in addressing the
failure factors. Management of IT project risk is a critical contributor to IT success.
IT Effectiveness
Several studies have examined organizations that have been particularly effective in the use of
IT (McAfee & Brynjolfsson, 2008; McKenney, Copeland, & Mason, 1995; Ross, Beath, &
Goodhue, 1996; Sambamurthy & Zmud, 1996; Weill & Broadbent, 1998). Determining
effectiveness is difficult, and these studies have defined organizations that show effectiveness
in IT in a variety of ways. Among them are organizations that have developed information
systems that defined an industry (as Amazon has altered the retail industry, for example),
organizations that have a reputation for being effective over decades (such as Bank of
America), and organizations that have demonstrated exceptional IT innovation (Amazon.com for
The studies have attempted to identify those organizational factors or attributes that have led to
or created the environment in which effectiveness has occurred. In other words, the studies
have sought to answer the question, what are the organizational attributes that result in some
organizations developing truly remarkable IT prowess?
If an organization understands these attributes and desires to be very effective in its use of IT,
then it is in a position to develop strategies and approaches to create or modify its own
attributes. For example, one attribute is having strong working relationships between the IT
function and the rest of the organization. If an organization finds that its own relationships are
weak or dysfunctional, strategies and plans can be created to improve them.
The studies suggest that organizations that aspire to high levels of effectiveness and innovation
in their application of IT must take steps to ensure that the core capacity of the organization to
achieve such effectiveness is developed. It is a critical IT responsibility of organizational
leadership to continuously (year in and year out) identify and accomplish the steps needed to
improve overall effectiveness in IT. The development of this capacity is a challenge different

from the challenge of identifying specific opportunities to use IT in the course of improving
operations or enhancing management decision making. For an analogy, consider running. A
runner’s training, injury management, and diet are designed to ensure the core capacity to run a
marathon. This capacity development is different from developing an approach to running a
specific marathon, which must consider the nature of the course, the competing runners, and
the weather.
Although having somewhat different conclusions (resulting in part from somewhat different study
questions), the studies have much in common regarding capacity development.
Individuals and Leadership Matter
It is critical that the organization possess talented, skilled, and experienced individuals. These
individuals will occupy a variety of roles: CEO, CIO, IT staff members, and user middle
managers. These individuals must be strong contributors.
Although such an observation may seem trite, too often organizations, dazzled by the
technology or the glorified experiences of others, embark on technology crusades and
substantive investments that they have insufficient talent or leadership to effect well. The studies
found that leadership is essential. Leaders must understand the vision, communicate the vision,
be able to recruit and motivate a team, and have the staying power to see large IT
implementations through several years of work with disappointments, setbacks, and political
problems along the way.
Relationships Are Critical
Not only must the individual players be strong but also the team must be strong. There are
critical senior executive, IT executive, and project team roles that must be filled by highly
competent individuals, and great chemistry must exist between the individuals in these distinct
roles. Substitutions among team members, even when involving a replacement by an equally
strong individual, can diminish the team. This is as true in IT innovation as it is in sports. Political
turbulence diminishes the ability to develop a healthy set of relationships among organizational
The Technology and the Technical Infrastructure Both Enable and Hinder
New technologies can provide new opportunities for organizations to embark on major
transformations of their activities. We have seen this in retail and music distribution. This implies
that the health care CIO must have not only superior business and clinical understanding but
also superior understanding of the technology. This does not imply that CIOs must be able to
rewrite operating systems as well as the best system programmers, but it does mean that they
must have superior understanding of the maturity, capabilities, and possible evolution of various
information technologies. Several innovations have occurred because an IT group was able to
identify and adopt an emerging technology that could make a significant contribution to
addressing a current organizational challenge. The studies also stress the importance of
well-developed technical architecture. Great architecture matters. Possessing state-of-the-art
technology can be far less important than having a well-architected infrastructure.

The Organization Must Encourage Innovation
The organization’s (and the IT department’s) culture and leadership must encourage innovation
and experimentation. This encouragement needs to be practical and goal directed: a real
business problem, crisis, or opportunity must exist, and the project must have budgets, political
protection, and deliverables.
True Innovation Takes Time
Creating visionary applications, making major organizational changes, or establishing an
exceptional IT asset takes time and a lot of work. In the organizations studied it often took five to
seven years for the innovation to fully mature and for the organization to recast itself. Innovation
will proceed through phases that are as normative as the passage from being a child to being an
adult. Innovation, similar to the maturation of a human being, will see some variations in timing,
depth, and success in moving through phases.
Evaluation of IT Opportunities Must Be Thoughtful
Visionary and even more pedestrian IT innovations should be analyzed and studied thoroughly.
Nonetheless, organizations engaged in launching a major IT initiative should also understand
that a large amount of vision, management instinct, and “feel” often guides the decision to initiate
investment and continue investment. For example, what is the strategic and clinical value of an
integrated EHR across the continuum? The organization that has had more experiences with IT,
and more successful experiences, will be more effective in the evaluation (and execution) of IT
Processes, Data, and Business Model Change Form the Basis of an IT Innovation
All the strategic initiatives studied were launched from management’s fundamental
understanding of current organizational limitations. Strategic initiatives should focus on the core
elements to be discussed following in this chapter as the basis for achieving an IT-based
advantage: significant leveraging of processes, expanding and capitalizing on the ability to
gather critical data, and enabling new business models. Often an organization can pursue all
three simultaneously.
Alignment Must Be Mature and Strong
The alignment between the IT activities and the business challenges or opportunities must be
strong. It should also be mature in the sense that it depends on close working relationships
rather than methodologies.
The IT Asset Is Critical
Strong IT staff members, well-crafted architecture, and a superb CIO are critical contributors to
success. There is substantial overlap between the factors identified in these studies and the
components of the IT asset.
An overall critical factor in organizations being effective in using IT is the skills and orientation of
senior leadership. Earl and Feeney (2000) assessed the characteristics and behaviors of senior

leaders (in this case CEOs) who were actively engaged and successful in the strategic use of
IT. These leaders were convinced that IT could and would change the organization. They placed
the IT discussion high on the strategic agenda. They looked to IT to identify opportunities to
make significant improvements in organizational performance, rather than viewing the IT agenda
as secondary to strategy development. They devoted personal time to understanding how their
industry and their organization would evolve as IT evolved. And they encouraged other
members of the leadership team to do the same.
Principles for Higher Performance
Robert Dvorak, Endre Holen, David Mark, and William Meehan have identified six principles at
work in a high-performance IT function:
IT is a business-driven line activity and not a technology-driven IT staff function. Non-IT
managers are responsible for selecting, implementing, and realizing the benefits of new
applications. IT managers are responsible for providing cost-effective infrastructure to enable
the applications.
IT funding decisions are made on the basis of value. Funding decisions require thorough
business cases. IT decisions are based on business judgment and not technology judgment.
The IT environment emphasizes simplicity and flexibility. IT standards are centrally determined
and enforced. Technology choices are conservative, and packaged applications are used
wherever possible.
IT investments have to deliver near-term business results. The 80-20 rule is followed for
applications, and projects are monitored relentlessly against milestones.
The IT operation engages in year-to-year operation productivity improvements.
A business-smart IT function and an IT-smart business organization are created. Senior
leadership is involved in and conversant with IT decisions. IT managers spend time developing
an understanding of the business.
Source: Dvorak, Holen, Mark, and Meehan (1997, p. 166).
Earl and Feeney (2000) observed five management behaviors in these leaders:
They studied, rather than avoided, IT. They devoted time to learning about new technologies
and, through discussion and introspection, developed an understanding of the ways in which
new technologies might alter organizational strategies and operations.
They incorporated IT into their vision of the future of the organization and discussed the role of IT
when communicating that vision.
They actively engaged in IT architecture discussions and high-level decisions. They took time to
evaluate major new IT proposals and their implications. They were visibly supportive of
architecture standards. They established funds for the exploration of promising new
They made sure that IT was closely linked to core management processes:

They integrated the IT discussion tightly into the overall strategy development process. This
often involved setting up teams to examine aspects of the strategy and having both IT and
business leaders at the table.
They made sure IT investments were evaluated as one component of the total investment
needed by a strategy. The IT investments were not relegated to a separate discussion.
They ensured strong business sponsorship for all IT investments.
Business sponsors were accountable for managing the IT initiatives and ensuring the success
of the undertaking.
They continuously pressured the IT department to improve its efficiency and effectiveness and
to be visionary in its thinking.
CEOs and other members of the leadership team have an extraordinary impact on the tone,
values, and direction of an organization. Hence, their beliefs and daily behaviors have a
significant impact on how effectively and strategically information technology is applied within an
The Competitive Value of IT
For many years organizations across many industries have attempted to use (and at times
succeeded in using) IT to achieve a competitive advantage. Decades ago airlines used travel
reservation systems as an advantage, listing their flights before those of a competitor. At one
time banks used personal computer–based banking as an IT-based advantage, making it easier
for customers to manage their assets from home and reducing the need to visit a branch bank.
Amazon is a superb example of an organization that used IT to achieve an advantage over its
retail rivals. Amazon was able to offer a very broad range of products without incurring the
expense of setting up hundreds of retail stores.4
Sources of Advantage
These efforts have shown that IT can enable a significant improvement in organizational
performance and assist in achieving an advantage, especially when it is used to leverage core
organizational processes, support the collection of critical data, or enable the development of
new business models.
Leverage of Organizational Processes
Information technology can be applied in an effort to improve organizational processes by
making them faster, less error prone, less expensive, and more convenient. However, improved
organizational competitive position through process gains is not an automatic result of IT
The right processes must be chosen. The leverage of processes is most effective when the
processes being addressed are critical, core processes that customers use to judge the
performance of the organization or to define the core business of the organization.
For example, patients are more likely to judge a provider organization on the basis of its
ambulatory scheduling processes and billing processes than they are on its accounts payable

and human resources processes. Making diagnostic and therapeutic decisions is a core
provider organization process that is the backbone of its business.
Organizations must also examine and redesign processes. If underlying problems with
processes are not remedied, the IT investment can be wasted or diluted. IT applications can
result in existing processes continuing to perform poorly, only faster. Moreover, it can be harder
to fix flawed processes after the application of IT because the new IT-supported process now
has an additional source of complexity, cost, and ossification to address: the new computer
IT can be applied to significant competitive advantage if processes are chosen wisely and are
reengineered skillfully.
Rapid and Accurate Provision of Critical Data
Organizations define critical elements of their plans, operations, and environment. These
elements must be monitored to ensure the plan is working, service and care quality are high, the
organization’s fiscal situation is sound, and the environment is behaving as anticipated. Clearly
data are required to perform such monitoring.
In addition to their utility in monitoring, data can be used to guide management actions.
Internet-based retailers use purchase data to target their advertisements. Providers use data on
care costs and quality to devise initiatives to improve outcomes. However, obtaining and
reporting critical data is not easy.
Data quality may be limited and incomplete. For example, although physicians are using an
EHR, they may not be recording all of a patient’s problems, and many of their entries are
unstructured free text. There may be confusion about which patients belong on specific
physician panels. There can be significant disagreements about the definition of “a visit.”
Using IT to improve performance through the capture of critical data requires addressing
process problems that hinder data capture, developing user incentives to record good data, and
engaging in difficult conversations about data meaning.
Developing New Business Models
A business model refers to an organization’s plans about what it will do, how it will do it, and why
that “what and how” will lead to revenue that will enable the organization to sustain itself. For
example, a hospital will have a business model that looks something like this:
We will cure you of your disease or repair you if you experience trauma (the what).
We will do so by hiring clinicians, providing acute care beds, developing ancillary services such
as the laboratory, and implementing clinical protocols (the how).
You will pay us for doing so (primarily through health insurance).
When IT is used competitively to enable new business models, most of these efforts focus on
the how. For example:

Telehealth visits can be conducted virtually rather than face-to-face, which improves
Uber uses information technology to replace taxi cab employees with renting of driver capacity
by independent contractors and providing a very easy way to order a ride and pay for it (which
lowers Uber’s costs and improves rider convenience).
The Internet of Things enables manufacturers of equipment to monitor equipment performance
to detect potential issues and dispatch repair staff members before the equipment breaks, which
improves the how of maintaining equipment.
At times IT can enable capabilities that were previously impractical. Gathering real-time
physiological data from a patient at home was not practical until the advent of mobile devices
and the Internet. eBay enabled the development of a global auction using the Internet.
Observations on IT Use for Competitive Advantage
IT has been used competitively by hundreds of organizations across a range of industries over
the course of multiple decades. These experiences have taught us several overall lessons.
Obtaining and Sustaining an Advantage
It is very difficult to obtain a competitive advantage based solely on the implementation of a
particular application or technology. Competitors, noting the advantage, are quick to attempt to
copy the application, lure away the original developers, or obtain a version of the application
from the same or different vendor. Moreover, the advantage rarely results from the acquisition of
a system but from skilled process changes that thoughtfully understand how to differentiate an
organization from its competitors.
The advantage does not come from the application system. In an industry in which most
applications can be purchased from a vendor, it is almost impossible for the application to
provide an advantage. If you can buy an EHR from vendor x, so can your competitor, and any
advantage is short-lived.
Any IT-enabled advantage results from using the technology to improve processes, gather
critical data, and define new business models. Advantage lies in the application of the
technology and not the possession of the technology.
Technology Is a Tool
Information technology can provide a competitive advantage. However, IT has no magic
properties. In particular, technology cannot overcome poor strategies, inadequate management,
inept execution, or major organizational limitations. IT implementation cannot overcome badly
managed process change, insufficient political will to standardize data, or faulty business
The early experiences of Internet-based retailers have highlighted the problems created by
sloppy inventory management, poor understanding of customer buying behaviors such as
returning purchases, and insufficient knowledge of customer price tolerance.

Referring physicians will not find valuable and probably will not use a system that gives them
access to hospital data if the consulting physicians at the hospital are remiss in getting their
consult notes completed on time or at all.
McAfee and Brynjolfsson (2008) note a significant separation in the spread in the gross margin,
over time, between those companies performing in the top 25 percent of their industry versus
those performing in the bottom 25 percent as measured by variables such as return on capital
(see Figure 13.2). Beginning in the late 1990s the gap between winners and losers was
McAfee and Brynjolfsson (2008) made two major observations. First, IT had become sufficiently
potent that its ability to advance organizational performance had become very significant. The
personal computers of the 1980s were important but were not powerful enough to enable one
organization to significantly outperform another. However, the Internet, which began to be used
by business in the late 1990s, was powerful enough. Information technology had come of age.
Second, although potent technologies had become available, they were available to all. So why
did the separation in performance occur? Why didn’t all organizations see improvement? The
answer is simple—some organizations were very skilled at leveraging the technology to
improve competitive performance and others were not.
As an analogy, a skilled carpenter and a novice will be similarly effective in constructing a house
if both use crude tools. But if you give them sophisticated tools, the skilled carpenter will
significantly outperform the novice.
When one looks back at organizations that have been effective in the strategic application of IT
over a reasonably long time, one sees what looks like a series of singles punctuated by an
occasional leap, a grand slam (McKenney, Copeland, & Mason, 1995). One doesn’t see a
progression of grand slams or, in the parlance of the industry, killer applications (Downes & Mui,
In the course of improving processes, changing business models, and gathering data,
organizations carry out a series of initiatives that improve their performance. The vast majority
of these initiatives do not by themselves fundamentally alter the competitive position of the
organization, but in the aggregate they make a significant contribution, just as the difference
between a great hotel and a mediocre hotel is not solely the presence of clean sheets or hot
water but one thousand such things.
In addition, at various points in time, the organization may have an insight that leads to a major
leap in its application of IT to its performance. For example, airlines, having developed their initial
travel reservation systems, continued to improve them. At some point they realized that the data
gathered by a reservation system had enormous potency and frequent flyer programs resulted.
Google realized that it had a very large base of users that accessed the site often for searches.
Google could capitalize on this base by introducing other, nonsearch offerings such as YouTube.

No organization has ever delivered a series of killer, or grand slam, applications in rapid
Organizations must develop their IT asset in such a way that they can affect the types of
continuous improvement that managers and medical staff members will see as possible, day in
and day out. For example, in an ideal world an organization would be able to capitalize on the
improvements in ambulatory scheduling that a middle manager thinks up and also be able to
capitalize on a thousand other good ideas and opportunities. The organization must also develop
antennae that sense the possibility of a leap and the ability to focus that enables it to bring about
the systems needed to make the leap. Ensuring that these antennae are working is one of the
key functions of the CIO. The resulting pattern may look like the graph line in Figure
13.3—continuous improvement (singles) in performance using IT punctuated by periodic leaps
or grand slams.
It is also clear that organizations have a limited ability to see more than one leap at a time.
Hence, they should be cautious about visions that are too visionary or that have a very long time
horizon. Organizations have great difficulty understanding a world that is significantly different
from the one they inhabit now or that can be only vaguely understood in the context of the next
leap. We might understand frequent flyer programs now, but they were not well understood, nor
was their competitive value well understood, at the time they were conceived. Moreover, the
organizational changes required to support and capitalize on a leap can take years—five to
seven years at times (McKenney, Copeland, & Mason, 1995).
The management and leadership of an organization play significant roles in determining the
effectiveness of information technology. This chapter discussed the role of developing and
maintaining IT governance mechanisms—the processes, procedures, and roles that the
organization uses to make IT decisions. These decisions cover diverse terrain: budgets, roles,
and responsibility distribution and the process for resolution of IT issues.
The processes and structure of developing the IT budget were reviewed. Budgets are critical.
They turn strategy into reality by providing (or not) the resources needed to carry out the
Management is a major contributor to the success or failure of IT initiatives. The chapter
discusses factors, under management’s control, that often derail IT initiatives and suggested
steps that can be taken to mitigate those factors. The chapter also reviewed attributes of
organizations that have been highly effective in their use of IT for many years.
How Great Companies Use IT
In his seminal book Good to Great, Jim Collins (2001) identified companies that made and
sustained a transition from being a good company to being a great company. His research noted
that these companies had several consistent orientations to IT:

They avoided IT fads but were pioneers in the application of carefully selected technologies.
They became pioneers when the technology showed great promise in leveraging that which
they were already good at doing (their core competency) and that which they were passionate
about doing well.
They used IT to accelerate their momentum toward being a great company but did not use IT to
create that momentum. In other words, IT came after the vision had been set and the
organization had begun to move toward that vision. IT was not used to create the vision and
start the movement.
They responded to technology change with great thoughtfulness and creativity driven by a
burning desire to turn unrealized potential into results. Mediocre companies often reacted to
technology out of fear, adopting it because they were worried about being left behind.
They achieved dramatically better results with IT than did rival companies using the exact same
They rarely mentioned IT as being critical to their success.
They “crawled, walked, and then ran” with new IT even when they were undergoing radical
Finally, the chapter reviewed lessons learned from the use of IT to improve an organization’s
competitive position. Increased competiveness can occur when IT issues are applied to
leverage critical organizational processes, address information needs, and enable new business
models. However, we are reminded that IT is a tool and its use requires skill.
Applegate, L., Austin, R., & McFarlan, W. (2007). Corporate information strategy and
management (7th ed.). Boston, MA: McGraw-Hill.
Brown, C., & Sambamurthy, V. (1999). Repositioning the IT organization to enable business
transformation. Chicago, IL: Society for Information Management.
Cash, J., McFarlan, W., & McKenney, J. (1992) Corporate information systems management:
The issues facing senior executives. Chicago, IL: Irwin.
Collins, J. (2001). Good to great. New York, NY: HarperCollins.
Cook (2007, July 20). How to spot a failing project. CIO. Retrieved November 2008 from
Downes, L., & Mui, C. (1998). Unleashing the killer app. Boston, MA: Harvard Business School
Drazen, E., & Straisor, D. (1995). Information support in an integrated delivery system. Paper
presented at the annual Healthcare Information and Management Systems (HIMSS)
conference, Chicago.
Dvorak, R., Holen, E., Mark, D., & Meehan, W., III. (1997). Six principles of high- performance
IT. McKinsey Quarterly, 3, 164–177.
Earl, M., & Feeney, D. (2000). How to be a CEO for the information age. MIT Sloan
Management Review, 41(2), 11–23.
Feld, C., & Stoddard, D. (2004). Getting IT right. Harvard Business Review, 82(2), 72–79.

McAfee, A., & Brynjolfsson, E. (2008). Investing in the IT that makes a competitive difference.
Harvard Business Review, 86(7–8), 98–107.
McKenney, J., Copeland, D., & Mason, R. (1995). Waves of change: Business evolution through
information technology. Boston, MA: Harvard Business School Press.
Ross, J., Beath, C., & Goodhue, D. (1996). Develop long-term competitiveness through IT
assets. MIT Sloan Management Review, 38(1), 31–42.
Sambamurthy, V., & Zmud, R. (1996). Information technology and innovation: Strategies for
success. Morristown, NJ: Financial Executives Research Foundation.
Weill, P., & Broadbent, M. (1998). Leveraging the new infrastructure. Boston, MA: Harvard
Business School Press.
Weill, P., & Ross, J. (2004). IT governance: How top performers manage IT decision rights for
superior results. Boston, MA: Harvard Business School Press.

Chapter 14
Health IT Leadership Case Studies
Case 1: Population Health Management in Action
Although the integration of patient-centered medical homes and accountable care organizations
into the health system is still emerging—as are best practices and key learnings from these
early efforts—there have been myriad examples demonstrating encouraging returns and
improvement in quality of care. The Patient-Centered Primary Care Collaborative recently
profiled several organizations that have adopted patient health management (PHM) tools and
strategies to address the preventive and chronic care needs of their patient populations.
Bon Secours Virginia Medical Group
Richmond, VA
Provider Type: Multispecialty group practice
Locations: 140
Patients: 25,000 (Virginia)
A pioneer in implementing medical home and accountable care initiatives, Bon Secours has
dedicated itself to executing a sustainable care delivery model that is in alignment with health
care reform across its providers and locations. Bon Secours’s transformation into an
organization that embraces PHM is the result of a systematic strategy to reengineer primary
care practices, integrate new technologies into care team workflows, and engage patients in
their care.
Bon Secours took a leap of faith in implementing these changes, acting on the belief that payers
would come to them if they built a viable model. And payers did. The organization was selected
as an early participant in the Medicare Shared Savings Program. It has also signed value-based
contracts with two commercial payers—CIGNA and Anthem—and is in negotiations with
several more. These contracts provide a financial mechanism to expand and scale the medical
home initiative and support ACO models. This case study examines in more detail Bon
Secours’s approach to position itself to achieve quality outcomes and financial success in the
changing health care environment.
Bon Secours’s Care Team Model
The foundation of Bon Secours’s strategy for value-based care is its medical home
initiative—the Advanced Medical Home Project. The project began as a pilot five years ago.
Since that time, eleven practices have earned NCQA recognition as patient-centered medical
homes. One of the most significant objectives of the Advanced Medical Home Project is to
improve capacity—making it possible for care teams to double the size of their patient panel
without overburdening themselves or sacrificing quality of care.
At the heart of this medical home strategy is the effort to reengineer practices by creating
high-performance physician-led care teams, which requires changes in workflow, new care
coordination activities, and designed delegation of clinical responsibilities across the care team.
To facilitate this process, Bon Secours has invested significantly in embedding care managers

into the primary care team. These nurse navigators are registered nurses (RNs) who are either
board-certified case managers or actively working toward certification.
Each nurse navigator is assigned a panel of approximately 150 high-risk patients. He or she
cultivates a personal relationship with these patients, usually through repeated phone contacts.
Although most outreach is telephonic, navigators have the skill to assess which patients require
face-to-face intervention. And because they are embedded in the practice, they can spend time
with these patients doing assessments, care planning, and education.
Bon Secours’s eHealth Strategies
An important aspect of Bon Secours’s strategy is implementing health information technology
that empowers the care team to efficiently manage the health of their populations. They consider
this technology—standardized across the medical group—as the key to enable them to scale
their system for value-based care. As a first step, Bon Secours implemented an EHR and all its
modules in every practice within the system. This gave them a strong foundation for
documenting care and accessing health records across the enterprise.
Risk stratification. They were able to build a registry that could identify high-risk and
high-utilization patients based on data such as number of medications or frequent visits to the
emergency department. However, the organization recognized the need for a more robust,
scalable registry that would drive efficient population health workflows in their practices and
enable analytics and predictive modeling across multiple clinical conditions.
Integrating their EHR with a PHM platform, Bon Secours is able to aggregate all source data into
a population-wide registry that enables the organization to implement multiple
quality-improvement programs simultaneously. The registry stratifies the population by
risk—providing a total population view while enabling each care team to drill down to the data
they need about cohorts and individual patients. The system enables care teams within the
practice to monitor their patients’ health status and take action by delivering timely and
appropriate care interventions. Because the system automates these interventions, care teams
are able to communicate with many patients at once.
Automated outreach. A significant priority for Bon Secours has been preventing thirty-day
readmissions. The medical group uses an automated outreach system to identify discharged
patients, link them to a primary care provider (PCP), and pinpoint those who are at high risk for
readmission. Flagged patients are then called within twenty-four to seventy-two hours to
reinforce discharge instructions, make sure their medications are reconciled, and set up an
appointment with the primary care team within five to ten days of discharge. Bon Secours will
soon implement a readmissions solution to automate the process of calling discharged patients,
asking them to complete a short assessment, and escalating cases as needed based on their
Personal health records. Another strategy for patient engagement is activating patients on an
electronic personal health record (PHR), which allows patients to view clinical results and
communicate conveniently with their caregivers via e-mail. Bon Secours works to gain

physician consensus on policies that drive the use of PHR: physicians agreed to allow
automatic release of normal results to the PHR, but abnormal results are held for 24 hours to
enable the care team to contact the patient. The organization is relying on physicians and staff
members to get patients active on the PHR to help them sign up on the spot in the exam room.
Challenges and Lessons Learned
Gaining physician buy-in for reengineering practice workflow. The concept of the care team can
be difficult for some physicians because they see themselves as the clinician and the rest of the
team as support staff members. To help physicians embrace the care team and delegate
patient-care tasks, Bon Secours placed tremendous emphasis on physician education. The
organization also allows physicians to adjust some of the standardized care team protocols to
meet the needs of their practice, which fosters ownership of the process and assures
physicians that they remain in control.
Paying for the transition to value-based care. As mentioned previously, Bon Secours
implemented its medical home model with the hope that payers would come to them if they built
a viable program. CIGNA currently gives the organization a per-member per-month (PMPM)
adjustment for care coordination. Anthem, the group’s biggest payer, pays a care coordination
fee and will change to PMPM in the coming year. Several more commercial payers are lined up
to sign contracts with the group. However, this payer involvement is a relatively new
development. For the first few years of the project, Bon Secours shouldered the expense. The
organization is now poised to reap the rewards of its investment.
Bon Secours is also demonstrating significant progress managing its CIGNA population. In the
first six months of their value-based contract, they have achieved a 27 percent reduction in
readmissions and are $1.8 million below their projected spend. They have hit many of their care
quality metrics and need to improve their gap-in-care metrics only slightly to achieve the index
necessary to qualify for gain sharing with CIGNA—a development that will bring a projected
annual savings of $4 million.
Bon Secours’s mantra for the future is “health care without walls.” The organization is
aggressively pursuing remote, noninvasive monitoring for highly acute case management. Their
vision is to bring care outside the four walls of the hospital into the patient’s home using
technology. They are operationalizing a geriatric medical home that will enable patients to age in
place with home visits for preventive and acute management. They are also expanding their
implementation of the PHM platform to include performance measurement at the group, site,
and provider levels; feedback to providers on variance in care; and quality reporting. This added
functionality for analytics and insight on the clinical and administrative levels will help the
organization ensure that it is meeting the triple aim (to improve the patient experience of care,
including quality and satisfaction; to improve the health of populations; and to reduce the per
capita cost of health care).
nnovation Impact
Thirty-day readmission rate for medical home patients was < 2 percent for two years. Patient engagement scores were in the 97th percentile. Patient outreach efforts generated approximately forty thousand unique patient visits for preventive, follow-up, or acute care, leading to $7 million increased revenue. Source: Shaljian, M., & Nielsen, M. (2013). Managing populations, maximizing technology: Population health management in the medical neighborhood. Patient-Centered Primary Care Collaborative. Retrieved from https://pcpcc.org/resource/managing-populations-maximizing-technology. Used with permission. Case 2: Registries and Disease Management in the PCMH Union Health Center (UHC) New York, NY Provider Type: Community Health Center Medical Home NCQA Level 3 Patients: 11,000 Office Visits: 55,000 UHC's Care Team Model Union Health Center (UHC) embraced the patient-centered care team model very early on, which helped ease the transition to new workflows, processes, and features that are critical to change management and quality improvement. UHC clinicians and staff members are assigned to clinical care teams, composed of physicians, nurse practitioners, physician assistants, nurses, medical assistants, and administrative staff members. The practice uses a full capitation model with standard fee-for-service and a fee-for-service plus care management payment model. Ten years ago, UHC instituted the California Health Care Foundation's Ambulatory Intensive Caring Unit (AICU) model, which emphasizes intensive education and self-management strategies for chronic disease patients. The model relies heavily on the role of medical assistants (called patient care assistants or PCAs) and health coaches. Working closely with other members of the care team, PCAs and health coaches review and update patient information in the record, conducting personal outreach and self-management support, and providing certain clinical tasks. For instance, all PCAs have been trained to review measures (e.g., HgbA1C, blood pressure, and LDL cholesterol), provide disease education, and set and review patient health goals. A subset of higher-trained health coaches works more intensely with recently diagnosed diabetic patients or those patients whose condition is not well managed. UHC's eHealth Strategies Patient registries. UHC uses patient registries to identify patients with specific conditions to ensure that those patients receive the right care, in the right place, at the right time. In some instances, they use registries to target cases for chart reviews and assess disease management strategies. For example, patients with uncontrolled hypertension are reviewed to help identify treatment patterns, reveal any need for more provider engagement, and may indicate the need for care team workflow changes. In the future, UHC would like to construct queries that combine diagnosis groups with control groups and stratify patients by risk group. For example, care teams could pull a report of all patients over the age of sixty-five with multiple chronic conditions or recent emergency room admissions. Maximizing time and expertise. UHC uses technology such as custom EHR templates to support PCAs and free up clinicians for more specialized tasks and complex patients. For example, a PCA or health coach taking the blood pressure of a high-risk diabetic patient has been trained to determine whether or not BP is controlled. If it is not controlled, the health coach checks the electronic chart for standard instructions on how to proceed and may carry out instructions noted in the record. Or, if no information is available he or she will consult with another provider to adjust and complete the note. Following all visits with PCAs or health coaches, the patient's record is electronically flagged for review and signed by the primary care physician. Working with medical neighbors. The teams also collaborate with on-site specialists, pharmacists, social workers, physical therapists, psychologists, and nutritionists to enhance care coordination and whole-patient care. UHC has also adopted curbside consultations and e-consults to reduce specialty office visits. For example, if a hypertensive patient has uncontrolled blood pressure, the record is flagged by the PCA for further follow-up with a physician or nurse practitioner, who may opt for an e-consult with the nephrologist to discuss recommendations. UHC also has a specialty coordination team—composed of two primary care physicians, one registered nurse, one PCA, and one health coach—which functions as a liaison between primary and specialty providers. Customized reporting. With their most recent upgrade to a Meaningful Use–certified version of their EHR, UHC will have the capacity to generate standardized Meaningful Use reports. UHC intends to construct queries that generate reports that group diagnosis groups with control groups and identify and manage subgroups of high-risk patients (or risk stratification). For example, care teams can run a report of all patients with diabetes that have an elevated LDL and have not been prescribed a statin. Challenges and Lessons Learned Recruiting staff members with IT and clinical informatics expertise. Over the years, UHC has faced challenges in identifying and recruiting staff members with the right mix of IT and clinical informatics skills. Although effective in troubleshooting routine issues and hardware maintenance, UHC felt there was a clinical data analysis gap. To resolve this, UHC works closely with an IT consultant and also recruited a clinical informatics professional to work with providers and performance improvement staff members. Consistent data entry. UHC's lack of consistent data entry rules and structured data fields led to several challenges in producing reports and tracking patient subgroups. The problem stems from UHC's lack of internal data entry policies as well as the record's design. For instance, UHC cannot run reports on patients taking aspirin because this information may have been entered inconsistently across patient records. Moving forward, UHC will be implementing data entry rules and working closely with their vendor to maximize data capture. Real-time data capture. UHC realized that by the time data reach the team, they may no longer be current. As a workaround they considered disseminating raw reports to clinical teams in real time, followed by tabulated, reformatted data. They are exploring the possibility of purchasing report writing software to streamline the process. Managing multiple data sources. Similar to many practices, UHC pulls data from its billing system and clinical records, causing issues with data extraction. For example, pulling by billing codes does not provide the most accurate data when it comes to clinical conditions, health status, or population demographics. UHC recognized that to reduce errors in identifying patients and subgroups this will require custom reports. Innovation Impact Forty-six percent reduction in overall annual health costs Eighteen percent reduction in total cost of care Significant decline in emergency room visits, hospitalizations, and diagnostic services Significant improvements in clinical indicators for diabetic patients Source: Shaljian, M., & Nielsen, M. (2013). Managing populations, maximizing technology: Population health management in the medical neighborhood. Patient-Centered Primary Care Collaborative. Retrieved from https://pcpcc.org/resource/managing-populations-maximizing-technology. Used with permission Case 3: Implementing a Capacity Management Information System Doctors' Hospital is a 162-bed, acute care facility located in a small city in the southeastern United States. The organization had a major financial upheaval six years ago that resulted in the establishment of a new governing structure. The new governing body consists of an eleven-member authority board. The senior management of Doctors' Hospital includes the CEO, three senior vice presidents, and one vice president. During the restructuring, the CIO was changed from a full-time staff position to a part-time contract position. The CIO spends two days every two weeks at Doctors' Hospital. Doctors' Hospital is currently in Phase 1 of a three-phase construction project. In Phase 2 the hospital will build a new emergency department (ED) and surgical pavilion, which are scheduled to be completed in eleven months. Information Systems Challenge The current ED and outpatient surgery department have experienced tremendous growth in the past several years. ED visits have increased by 50 percent, and similar increases have been seen in outpatient surgery. Management has identified that inefficient patient flow processes, particularly patient transfers and discharges, have resulted in backlogs in the ED and outpatient areas. The new construction will only exacerbate the current problem. Nearly a year ago Doctors' Hospital made a commitment to purchase a capacity management software suite to reduce the inefficiencies that have been identified in patient flow processes. The original timeline was to have the new system pilot-tested prior to the opening of the new ED and surgical pavilion. However, with the competing priorities its members face as they deal with major construction, the original project steering committee has stalled. At its last meeting nearly six months ago, the steering committee identified the vendor and product suite. Budgets and timelines for implementation were proposed but not finalized. No other steps have been taken. Case 4: Implementing a Telemedicine Solution Grand Hospital is located in a somewhat rural area of a Midwestern state. It is a 209-bed, community, not-for-profit entity offering a broad range of inpatient and outpatient services. Employing approximately 1,600 individuals (1,250 full-time equivalent personnel) and having a medical staff of more than 225 practitioners, Grand has an annual operating budget that exceeds $130 million, possesses net assets of more than $150 million, and is one of only a small number of organizations in this market with an A credit rating from Moody's, Standard & Poor's, and Fitch Ratings. Operating in a remarkably competitive market (there are roughly one hundred hospitals within seventy-five minutes' driving time of Grand), the organization is one of the few in the region—proprietary or not-for-profit—that has consistently realized positive operating margins. Grand attends on an annual basis to the health care needs of more than 11,000 inpatients and 160,000 outpatients, addressing more than 36 percent of its primary service area's consumption of hospital services. In expansion mode and currently in the midst of $57 million in construction and renovation projects, the hospital is struggling to recruit physicians to meet the health care needs of the expanding population of the service area and to succeed retiring physicians. Grand has been an early adopter of health care information systems and currently employs a proprietary health care information system that provides (among other components) these services: Patient registration and revenue management EHRs with computerized physician order entry Imaging via a PACS Laboratory management Pharmacy management Information Systems Challenge Since 1995, Grand Hospital has transitioned from being an institution that consistently received many more inquiries than could be accommodated concerning physician practice opportunities to a hospital at which the average age of the medical staff members has increased by eight years. There is a widespread perception among physicians that because of such factors as high malpractice insurance costs, an absence of substantive tort reform, and the comparatively unfavorable rates of reimbursement being paid physician specialists by the region's major health insurer, this region constitutes a “physician-unfriendly” venue in which to establish a practice. Consequently, a need exists for Grand to investigate and evaluate creative approaches to enhancing its physician coverage for certain specialty services. These potential approaches include the effective implementation of IT solutions. The findings and conclusions of a medical staff development plan, which has been endorsed and accepted by Grand's medical executive committee and board of trustees, have indicated that because of needs and circumstances specific to the institution, the first areas of medical practice on which Grand should focus in approaching this challenge are radiology, behavioral health crisis intervention services, and intensivist physician services. In the area of radiology, Grand needs qualified and appropriately credentialed radiologists available to interpret studies twenty-four hours per day, seven days per week. Similarly, it needs qualified and appropriately credentialed psychiatrists available on a 24/7 basis to assess whether behavioral health patients who present in the hospital's emergency room are a danger to themselves or to others, as defined by state statute, and whether these patients should be released or committed against their will for further assessment on an inpatient basis. Finally, inasmuch as Grand is a community hospital that relies on its voluntary medical staff members to attend to the needs of patients admitted by staff members such as some ED personnel, it also needs to have intensivist physicians available around the clock to assist in assessing and treating patients during times when members of the voluntary attending staff members are not present within or immediately available to the intensive care unit. The leadership at Grand Hospital is investigating the potential application of telemedicine technologies to address the organization's need for enhanced physician coverage in radiology, behavioral health, and critical care medicine. Case 5: Selecting an EHR for Dermatology Practice Suppose you've just been hired as the practice administrator of an eight-physician dermatology practice. After several years of contemplation and serious deliberations, the physicians have made the strategic decision to invest in the selection and implementation of a facility-wide EHR system. They also want to replace their practice management system (which includes patient scheduling and billing). It's an older system that is rather clunky. Ideally, they'd like to find an integrated practice management system that has an EHR component. Dan Brown, the current CEO of the physician organization, has very little knowledge of information systems technology. He has been reluctant to move toward an EHR system for many years, primarily because he heard stories from a few his colleagues in other specialty areas who have implemented EHRs in their practices and have found the systems to be highly cumbersome and disruptive to the patient care process. One of his best friends claims he “spends an extra hour or two a night in the office because of the additional time demands of the EHR. He claims the system never seemed to work right.” Brown is convinced that there are not any great dermatology-related EHR products on the market, but with value-based payment looming, and the opportunity to improve quality of patient care, he's open to taking another look. In addition, one of their newest partners, Pam Martin, just finished her residency program where EHRs were an integral part of her training. She is a big champion of the effort to select and implement an EHR. She has offered to help lead the effort. One of the other partners, John Harris, came back from a conference impressed with the vendor presentation from Allscripts and convinced it's the way the practice ought to go. The other physicians are nearing retirement and a little nervous about the possible disruption to the office. Information Systems Challenge Even though the patient records at the dermatology practice are paper-based, the practice has been using computerized practice management systems for patient scheduling and billing for years. Six months ago, they started to have a nurse enter physician-dictated notes into the paper record while in the examination room with the patient. The physician then reviews the notes at the end of the visit or day and signs off on them. This is in an effort to decrease the dictation and transcription that the practice had historically done and to get the nurses and physicians ready for the EHR. The expectation is that nurses will do the bulk of the data entry in the exam room while the physicians are seeing the patients. However, the physicians will have to review the documentation and sign off on all entries. The practice currently has approximately four thousand patient visits per month, including 40 percent Medicare and 10 percent Medicaid. Case 6: Watson's Ambulatory EHR Transition Primary care physicians play a key role in the US health care delivery system. These providers integrate internal and external information with their clinical knowledge to determine the patient's treatment options. An effective ambulatory EHR is critical to supply physicians with the information they need to provide quality care and maximize their efficiency. This case involves the decision-making process to replace an inadequate EHR system in a primary care network owned by a community hospital. The IT challenge reviewed in this case will be the decision-making process that optimizes provider support for the new EHR while addressing the strategic plan requirements of data integration, clinical application, and practice management functionality. Watson Community Association is a private, not-for-profit corporation that operates Watson Community Hospital (WCH), a two hundred–bed acute care facility located in Arizona. WCH has pursued a strategy of employing primary care physicians in their primary service area to provide convenient points of access for patients and to secure a primary care base for the specialists who use the hospital. WCH employs thirty-six physicians and seven mid-level providers in eight clinics, specializing in internal medicine, family practice, infectious disease, and gynecology. Several years ago, the WCH board of directors adopted a plan to implement a system-wide EHR to, among other things, improve patient safety, integrate information from ancillary systems, and provide access to patient information for all WCH caregivers. In addition, the plan calls for an evaluation of the effectiveness of the WCH physician clinic organization's EHR. The WCH clinics currently use the XYZ Data Systems Integrated EHR and Practice Management System. This system has been operational for four years. The XYZ system was chosen because of its compatibility with the hospital's Meditech platform. Physician needs and application functionality were secondary considerations. As a result, physician system adoption and support has been poor. Under prior leadership, the hospital IT department provided limited support for the XYZ EHR. The clinic organization was left to develop its own internal IT capabilities to manage the XYZ system and, as a result, the system has not been routinely updated. The hospital has decided to stay with the Meditech platform to address the IT strategic plan for an integrated EHR. The clinic organization must now evaluate whether it is in their best interest to stay with the XYZ system, with strong Meditech compatibility, or move to a different EHR platform. The path of least resistance from the IT perspective would be to upgrade the XYZ system. This option offers the greatest integration and could be implemented much sooner. A new platform would require an evaluation and selection process and a significant conversion. With either scenario, physician support will be critical to a successful transition. EHR Project Plan The following sections detail a description of the planning process developed by the leadership team to transition to a replacement EHR. Read and critique the plan by answering the questions that follow it. Project Organization The organizational phase of the project will involve establishing a project steering committee and identifying the leadership members who will ensure the project's success. WCH operates eight separate clinics, each with their unique teams and EHR experience. By necessity, the steering committee will need representation from each of these clinics. The project steering committee will likely have twenty to twenty-five members. In addition to provider representatives, the steering committee will also include nurses, medical assistants, and office managers from each clinic. IT representation is critical to the success of the project, and because the department provided poor IT support in the past, the CIO will play an active role on the steering committee. A representative from finance should also participate on the committee, given the importance of billing and collections and other practice management issues. The leadership of the steering committee will ensure that the committee addresses key steps in the process and does so in a timely fashion. Ideally, the committee should be chaired by a provider who is respected within the group, is objective, and is a supporter of EHR technology. Although the clinic organization does not have a provider who meets all of these criteria, a physician with strong peer support and credibility will be selected to cochair the steering committee. To complement the clinical leadership, the CIO will serve as a cochair for the committee, providing technical expertise. This individual has implemented other EHR systems and will bring a structured process to the committee to ensure a thorough evaluation process. Committee Development Organizations often overlook the importance of understanding the emotional climate of a medical practice when implementing an EHR. Therefore, although the first task of the steering committee will be to define the project objectives, the existing concerns about an EHR transition require that a fair amount of time be devoted to addressing the emotional needs of the participants. Listening to practitioners and empathizing with their concerns will be critical to establish trust and overcome resistance during the EHR conversion. To address this important issue, a series of discussion exercises will be used to encourage open dialogue and participant engagement. The first exercise will break the large group into teams of four to five members, and each team will discuss the lessons learned from the XYZ implementation that took place four years previously. Team leaders will be handpicked for their facilitation skills and ability to listen. The group discussions will address the “change readiness” and will surface the major issues associated with the implementation. It will also enable the group members to get to know each other in a less formal setting than the large group. The larger committee will reconvene to discuss their findings and prepare a master list of implementation lessons learned. Although this exercise may raise a number of issues related to implementation, it is also important to openly discuss the current issues with the existing EHR. Once again, small groups will be asked to discuss these issues to ensure participation by all members of the steering committee. Small groups will report out to the large group, and a summary of issues will be developed. This list, as well as the list of implementation issues, will set the stage for a later discussion regarding the scope of the project. Project Scope and Objectives Once the group has had the opportunity to express personal concerns and key issues have been identified, the group can turn its attention to defining the project objectives. Anxious committee members are often tempted to begin discussing whether the steering committee should upgrade this system or consider alternatives. When this occurs, discussions and conclusions are usually based on the emotional attachment to or disappointment with the current system. A more systematic review process will help frame this discussion to ensure the conclusion is based on facts and the needs of the clinic organization. The leadership must guide the committee in developing project objectives that are based on the needs of the organization, not individuals. Returning to the list of implementation and current issues, the group will be asked to prioritize the concerns that were raised. This prioritization will focus the committee on the most pressing issues that must be addressed. With this background work, the committee will be positioned to articulate the goals of the committee. It will also define the scope of the project by determining what the project is and isn't intended to address. Invariably, users will raise issues that may not be solved by an EHR application. It is important that the end users review all issues, even though some of those issues may not prove to be within the scope of the project. Users with unrealistic expectations can end up frustrated and disengaged as the process unfolds. Defining the scope and the objectives clarifies expectations before options are considered. Communication The steering committee will need to establish plans to communicate with the larger audience of clinic users and stakeholders. A plan will be developed that provides this audience with regular updates. The plan must also address how the committee can solicit feedback from stakeholders during the evaluation and selection process. Regular minutes establish the record of the committee's work and provide a means for communicating with stakeholders. Special meetings with individual clinic groups will also be necessary to address rumors or provide more detailed information regarding the process. The steering committee must communicate regularly to ensure information is flowing to individuals. Plan of Work Once project objectives are established, the committee will prepare a plan of work. This plan will outline the specific action steps required to achieve the project objectives and the timeline for their completion. The plan of work focuses on the decision to upgrade the existing XYZ application and remain with a Meditech platform or move to a different software solution. The plan of work provides the steering committee with the road map to achieve its goals. The key steps in the plan of work are identifying possible vendors, establishing system requirements, and completing a request-for-proposal (RFP) process. Vendor identification can occur simultaneously with establishing the project goals. This is a reasonable assertion because it will save time and will engage the clinic representatives in the process. The steering committee will select individuals to attend trade shows to maximize exposure to EHR products. IT staff members will also participate in this review process to address technical requirements and issues. Establishing system requirements is a critical step in the EHR decision-making process. The system requirements identify the needs of the organization and are the basis for the vendor evaluation process. The implementation and current issues lists developed by the committee will be used to develop the system requirements. Each clinic employee will receive a summary of these lists, and staff members will be asked to provide additional input to steering committee representatives. In addition, the IT department will conduct a thorough evaluation of new advancements in EHRs and regulatory requirements that may affect the EMR choice. The first draft of the system requirements will be preliminary. As the steering committee begins to interact with vendors and complete site visits, additional functionality may be added to the requirements. It would not be prudent to submit RFPs to all vendors who claim to have a functional EHR. The steering committee will need to determine the top five to seven vendors, judging by the initial survey of qualified vendors, trade shows, and market information. Well-defined system requirements will need to be established and included in the RFPs. Packaging the system requirements in a format that provides structure for vendor responses and steering committee evaluations of vendor responses will be important, as will establishing a record of documentation throughout the acquisition process. The RFP document will provide the following: Instructions for vendors Organizational objectives Organization background information System goals and requirements The vendors will be required to submit the following: Vendor qualifications Proposed solutions Criteria for evaluating proposals Contractual requirements Pricing and support The vendor review process will also encompass technical calls, vendor fairs, reference checks, site visits, and vendor presentations. These elements of the review process are designed to ensure that sufficient information is gathered to augment the proposals submitted by the vendors. It will not be feasible for all steering committee members to participate in these activities; therefore, individuals will be appointed to participate on their behalf. Prior to reviewing the vendor proposals, the steering committee will develop vendor criteria that can be used to evaluate the proposals. Each member of the steering committee will be asked to score the proposals based on the criteria, and a summary score report will be developed. The WCH CEO will give the final approval to proceed with the conversion based on the report and recommendation from the steering committee. However, the final recommendation of the committee will not be based solely on the score report. Ideally, the final deliberations will involve a robust dialogue based on the mutual trust that has developed over time. Ultimately, the committee will balance its objective assessment of options with its intuition and considerable knowledge of the clinic organization. Conclusion The WCH clinic organization will undergo a significant EHR transition if they upgrade the XYZ system or purchase another product. The process that is outlined in this plan provides the organization the best opportunity to make the right decision for the organization and establish support with key stakeholders for an EHR conversion. A good IT decision-making process requires discipline and objectivity. The structural elements of the process involve leadership, committee structure, system requirements, and a thorough RFP and evaluation process. Case 7: Concerns and Workarounds with a Clinical Documentation System Garrison Children's Hospital is a 225-bed hospital. Its seventy-seven-bed neonatal intensive care unit (NICU) provides care to the most fragile patients, premature and critically ill neonates. The twenty-eight-bed pediatric intensive care unit (PICU) cares for critically ill children from birth to eighteen years of age. Patients in this unit include those with life-threatening conditions that are acquired (trauma, child abuse, burns, surgical complications, and so forth) or congenital (congenital heart defects, craniofacial malformations, genetic disorders, inborn errors of metabolism, and so forth). Garrison is part of Premier Health Care, an academic medical center complex located in the Southeast. Premier Health Care also includes an adult hospital, a psychiatric hospital, and a full spectrum of adult and pediatric outpatient clinics. Within the past six months or so, Premier has implemented an electronic clinical documentation system in its adult hospital. More recently the same clinical documentation system has been implemented at Garrison in pediatric medical and surgery units and intensive care units. Electronic scheduling is to be implemented next. The adult hospital drives the decisions for the pediatric hospital, a circumstance that led to the adult hospital's CPOE vendor being chosen as the documentation vendor for both hospitals. A CPOE system was implemented at Garrison Children's Hospital several years prior to implementation of the electronic clinical documentation system. Information Systems Challenge A pressing challenge facing Garrison Children's Hospital is that nurses are very concerned and dissatisfied with the new clinical documentation system. They have voiced concerns formally to several nurse managers, and one nurse went directly to the chief nursing officer (CNO) stating that the flow sheets on the new system are grossly inadequate and she fears using them could lead to patient safety issues. Lunchroom conversations among nurses tend to center on their having no clear understanding of why the organization is automating clinical documentation or what it hopes to achieve. Nurses in the NICU and PICU seem to be most vocal about their concerns. They claim there is inconsistency in what is being documented and a lack of standardization of content. The computer workstations are located outside the patients' rooms, so nurses generally document their notes on paper and then enter the data at the end of the shift or when they have time. The system support team, consisting of nurses as well as technology specialists, began the workflow analysis, system installation, staff training, and go-live first with a small number of units in the adult hospital and the children's hospital beginning in January. The NICU and PICU did not implement the system until May and June of that year. System support personnel moved rapidly through each unit, working to train and manage questions. The timeline for each unit implementation was based on the number of beds in the unit and the number of staff members to be trained. No consideration was given to staff members' prior experience with computers and keyboarding skills or to complexity of documentation and existing work processes. Although there are similarities between the adult and pediatric settings, there are also many differences in terms of unit design, computer resources (hardware), level of computer literacy, information documented, and work processes, not to mention patient populations. Little time was spent evaluating or planning for these differences and completing a thorough workflow analysis. After the initial units went live, less and less time was spent on training and addressing unit-specific needs because of the demands placed on training staff members to stay on the timeline in preparation for the next system implementation involving electronic scheduling. The clinical documentation system was implemented to the great consternation and dissatisfaction of the end users (physicians, nurses, social workers, and so forth) at Garrison, yet the Premier clinicians are happy with it. Many Garrison physicians and nurses initially refused to use the system, stating it was “unsafe,” “added to workload,” and was not intuitive. A decision to stop using the system and return to the paper documentation process was not then and is not now an option. Physician “champions” were encouraged to work with those who were recalcitrant, and nursing staff members were encouraged to “stick it out” with the hope that system use would “get easier.” As a result, with their concerns and complaints essentially forced underground, Garrison clinical staff members developed workarounds, morale was negatively affected, and the expectation that everyone would eventually “get it” and adapt has not become a reality. Instead, staff members are writing on a self-created paper system and then translating those notes to the computer system; physicians are unable to retrieve important, timely patient information; and the time team members spend trying to retrieve pertinent patient information has increased. There have been clear instances when patient safety has been affected because of the problems with the appropriate use of this system. Case 8: Conversion to an EHR Messaging System Goodwill Health Care Clinic is the clinical arm of Jefferson Health Sciences Center in a large Southern city. The clinic was founded in the early 1950s as a place for faculty physicians to engage in clinical practice. Over the years the clinic has grown to nine hundred faculty physicians and two thousand employees, with over one million patient visits per year. Clinic services are spread across eleven primary care and specialty care units. Each unit operates somewhat independently but shares a common medical record numbering system that enables consolidation of all documentation across units. Paper charts were used until two years ago, when the clinic adopted an EHR system. Goodwill Health Care Clinic uses a centralized call center to receive all patient calls. Patients call a central switchboard to schedule appointments, request medication refills, or speak to anyone in any of the eleven units. Call center staff members are responsible for tracking all calls to ensure that each is dealt with appropriately. Currently the call center uses a customized Lotus Notes system that can be accessed by anyone in the system who needs to process messages. Messages can be tracked and then closed when the appropriate action has been taken. Notes created from closed messages are printed and filed in the appropriate patients' paper records. These notes cannot be accessed via the EHR. Clinic staff members are very comfortable with the current Lotus Notes system, and it is used routinely by all units. Information Systems Challenge Goodwill Health Care Clinic requires all medication lists and refill information to be kept up-to-date in the EHR. Therefore, the existence of the current Lotus Notes system means that the same information must be documented in two locations—first in the call center note and then in the EHR. This leads to duplication of effort and documentation errors. The potential for serious error is present. Physicians and other health care providers look in the EHR for the most up-to-date medication information. Although the adoption of the EHR has been fairly successful, not all units use all of the available components of the EHR. A companion paper record is needed for miscellaneous notes, messages, and so forth. All units are recording office visits into the EHR, but not all have activated the lab results or the prescription writing features. Several units have been experiencing physician resistance to adding more EHR functions. The EHR system has a messaging component that works similar to a closed e-mail system. Messages can be sent, received, and stored by EHR-authenticated users. Pertinent patient care messages are automatically stored in the correct patient record. In addition, the EHR messaging system works seamlessly with the prescription writing module, which includes patient safety checks such as allergy checks and drug interactions. The challenge for Goodwill Health Care Clinic is to implement the messaging feature and prescription writing component (where it is not currently being used) of their current EHR in the call center and the clinical units, replacing the existing Lotus Notes system and improving the quality of the documentation, not only of medication refills but also of all patient-related calls. The long-term goal is to add a patient portal feature where patients can schedule appointments, send messages to their providers, and refill prescriptions electronically. Case 9: Strategies for Implementing CPOE Health Matters is a newly formed nonprofit health system comprising two community hospitals (Cooper Memorial Hospital and Ashley Valley Hospital), nine ambulatory care clinics, and three imaging centers. Since its inception two years ago, the information services (IS) department has merged and consolidated all computer systems under one umbrella. Each of the facilities within the health system is connected electronically with the others through a fiber optic network. The organizational structure of the two hospitals is such that each has its own executive leadership team and board. Seven years ago, the leadership team at Cooper Memorial Hospital made the strategic decision to choose Meditech as the vendor of choice for its clinical and financial applications. The philosophy of the leadership team was to solicit a single-vendor solution so that the hospital could minimize the number of disparate systems and interfaces. Since then, Meditech has been deployed throughout the health system and applications have been kept current with the latest releases. Most nursing and clinical ancillary documentation is electronic, as is the medication administration record. Health Matters does have several ancillary systems that interface with Meditech; these include a picture archiving and communication system (PACS), a fully automated laboratory system, an emergency department tracking board, and an electronic bed board system. The leadership team at Ashley Valley Hospital chose to select non-Meditech products, because at the time Meditech did not offer these applications or its products were considered inadequate by clinicians. However, the current sentiment among the leadership team is to continue to go with one predominant vendor, in this case, Meditech, for any upgrades, new functionality, or new products. The IS group at Health Matters consists of a director of information systems (who reports to the chief financial officer) and fifteen staff members. The IS staff members are highly skilled in networking and computer operations but have only moderate skills as program analysts and project managers. The CEO, Steve Forthright, plans to hire a CIO to provide senior-level leadership in developing and implementing a strategic IS plan that is congruent with the strategic goals of Health Matters. Currently, the senior leadership team at Health Matters has identified the following as the organization's top three IS challenges. The current director of IS has been somewhat involved in discussions related to the establishment of these priorities. To implement successfully computerized provider order entry (CPOE) To increase the variety and availability of computing devices (workstations or handheld devices) at each nursing station To implement successfully medication administration using bar-coding technology Information Systems Challenge The most pressing IS challenge is to move forward with the implementation of CPOE. The decision has already been made to implement the Meditech CPOE application. Several internal and external driving forces are at play. Internally, the physician leaders believe that CPOE will further reduce medication errors and promote patient safety. The board has established patient safety as a strategic goal for the organization. Externally groups such as Leapfrog and the Pacific Business Group on Health have strongly encouraged CPOE implementation. CEO Steve Forthright has concerns, however, because Health Matters does not yet have a CIO on board and he feels the CIO should play a pivotal role. Much of Steve's concern stems from his experience with CPOE implementation at another institution, with a different vendor and product. Steve had organized a project implementation committee, established an appropriate governance structure, and the senior leadership team thought it had “covered the bases.” However, according to Steve, “The surgeons embraced the new CPOE system, largely because they felt the postoperative order sets were easy to use, but the internists and hospitalists rebelled. The CPOE project stalled and the system was never fully implemented.” Steve is not the only person reeling from a failed implementation. The clinical information committee at Health Matters is chaired by Mary White, who was involved in a failed CPOE rollout at another hospital several years ago. She was a strong supporter of the system at the time, but she now speaks of the risks and challenges associated with getting physician buy-in and support throughout the health system. Members of the medical staff at Cooper Memorial Hospital have access to laboratory and radiology results electronically. They have access through workstations in the hospital; most physicians also access clinical results remotely through smartphones. An estimated 35 percent of the physicians take full advantage of the system's capabilities. Almost all active physicians use the PACS to view images, and most use a computer to look up lab values. Fewer than half of the physicians use electronic signatures to sign transcribed reports. Case 10: Implementing a Syndromic Surveillance System Syndromic surveillance systems collect and analyze pre-diagnostic and nonclinical disease indicators, drawing on preexisting electronic data that can be found in systems such as EHRs, school absenteeism records, and pharmacy systems. These surveillance systems are intended to identify specific symptoms within a population that may indicate a public health event or emergency. For example, the data being collected by a surveillance system might reveal a sharp increase in diarrhea in a community and that could signal an outbreak of an infectious disease. The infectious disease epidemiology section of a state's public health agency has been given the task of implementing the Early Aberration Reporting System of the Centers for Disease Control and Prevention. The agency views this system as significantly improving its ability to monitor and respond to potentially problematic bioterrorism, food poisoning, and infectious disease outbreaks. The implementation of the system is also seen as a vehicle for improving collaboration among the agency, health care providers, IT vendors, researchers, and the business community. Information Systems Challenge The agency and its infectious disease epidemiology section face several major challenges. First, the necessary data must be collected largely from hospitals and in particular emergency rooms. Developing and supporting necessary interfaces to the applications in a large number of hospitals is very challenging. These hospitals have different application vendors, diverse data standards, and uneven willingness to divert IT staff members and budget to the implementation of these interfaces. To help address this challenge, the section will acquire a commercial package or build the needed software to ease the integration challenge. In addition, the section will provide each hospital with information it can use to assess its own mix of patients and their presenting problems. The agency is also contemplating the development of regulations that would require the hospitals to report the necessary data. Second, the system must be designed so that patient privacy is protected and the system is secure. Third, the implementation and support of the system will be funded initially through federal grants. The agency will need to develop strategies for ensuring the financial sustainability of the application and related analysis capabilities, should federal funding end. Fourth, the agency needs to ensure that the section has the staff members and tools necessary to appropriately analyze the data. Distinguishing true problems from the noise of a normal increase in colds during the winter, for example, can be very difficult. The agency could damage the public's confidence in the system if it overreacts or underreacts to the data it collects. Case 11: Planning an EHR Implementation The Leonard Williams Medical Center (LWMC) is a 240-bed, community acute care hospital operating in a small urban area in upstate New York. The medical center offers tertiary services and has a captive professional corporation, Williams Medical Services (WMS). WMS is a multispecialty group employing approximately fifty primary care and specialty physicians. WMS has its own board, made up of representatives of the employed physicians. The WMS board nominations for members and officers are subject to the approval of the medical center board. The capital and operating budgets of WMS are reviewed and approved during the LWMC budget process. The WMS board is responsible for governing the day-to-day operations of the group. LWMC serves a population of approximately 215,000. There are five other hospitals in the region. One of these, aligned with a large clinic, is viewed as the primary competitor. In its most recent fiscal year, LWMC had an operating margin of 0.4 percent. LWMC has $40 million in investments and has a long-term debt-to-equity ratio of 25 percent.
Information Systems Challenge
LWMC has been very effective in its IT efforts. It was the first hospital in its region to have a
clinical information system. Bedside computing has been available on the inpatient units since
the 1990s. The CIO and IT department are highly regarded. LWMC has received several
industry recognitions for its efforts.
The LWMC information systems steering committee recently approved the acquisition and
implementation of a CPOE system. This decision followed a thorough analysis of organizational
strategies, the efforts of other hospitals, and the vendor offerings. LWMC is poised to begin this
major initiative.
During a recent steering committee meeting, it was learned that the WMS physicians were
anxious to acquire an EHR system. Two years ago a rival physician group had purchased an
EHR system. WMS, concerned about a competitive threat, obtained approval of $300,000 to
acquire its own EHR. The rival group has since encountered serious difficulties with
implementation and has de-installed the system. This troubled path caused WMS to slow down
its efforts.
Now WMS has decided to return to its plans to implement a certified EHR. The physicians have
begun to look at vendor offerings but have not involved the LWMC CIO and IT staff members.
The physicians have ignored the CIO’s technical and integration advice and requirements during
their EHR search.
The CEO is concerned about the EHR process and its disconnect from the medical center’s IT
Case 12: Replacing a Practice Management System
University Physician Group (UPG) is a multispecialty group practice plan associated with the
College of Osteopathic Medicine (COM). UPG employs 90 physicians and 340 clinical and
business support personnel.
UPG has recently been profitable (with revenue from operations this fiscal year of $32 million
and a retained profit of $500,000 from operations). However, prior year losses make UPG a
break-even organization.

Management and the physicians are focusing on strengthening the fiscal position of the
organization. This focus has led to plans to restructure physician compensation, establish a
self-insurance trust for professional liability, and improve the financial budgeting and reporting
UPG has entered into a preliminary agreement to merge with Northern Affiliated Medical Group
(NAMG). NAMG is a 150-physician multispecialty group located in the same city as UPG.
NAMG holds a contract with the local county hospital to provide indigent care and serve as the
faculty for the graduate medical education programs in family medicine.
Both organizations believe that the merged organization would be able to reduce expenses
through the elimination of redundant functions and, because of greater geographical coverage
and size, would improve their ability to obtain more favorable payer contracts.
Information Systems Challenge
For many years UPG has obtained practice management systems from Gleason Solutions
(GS). The applications are hosted in a GS data center, reducing UPG’s need for IT staff
Prior to the merger, UPG was in the process of examining replacements for GS. UPG had
become displeased because of the GS application failure to incorporate new technologies and
application features, limited ability to generate reports, and inflexible integration approaches to
other applications.
Despite its displeasure, UPG now appears to be on the path to renewing the GS contract. GS
executives have effectively lobbied several important physicians and administrators, and UPG’s
limited cash position makes the GS low-cost financial proposal attractive.
NAMG uses the GS applications and has also been examining replacing the system. NAMG
has a strong IT department and will be providing IT support to the newly merged organization.
After examining the market, NAMG has identified four potential vendors, including GS.
Case 13: Implementing Tele-Psychiatry in a Community Hospital Emergency Department
Westend Hospital is a midsize, not-for-profit, community hospital in the Southeast. Each year,
the hospital provides care to more than twelve thousand inpatients and sixty thousand
emergency department (ED) patients. Over the past decade, the hospital has seen increasing
numbers of patients with mental illness in the ED, largely because of the implementation of the
state’s mental health reform act, which shifted care for patients with mental illness from state
psychiatric hospitals to community hospitals and outpatient facilities. Westend ED has in
essence become a safety net for many individuals living in the community who need mental
health services.

Largely considered a farming community, Westend County has a population of 120,000.
Westend Hospital is the third largest employer in the county. However, Westend is not the only
hospital in the county. The state still operates one of three psychiatric facilities in the county.
Within a five-mile radius of Westend Hospital is a 270-bed inpatient psychiatric hospital, Morton
Hospital. Morton Hospital serves the citizens of thirty-eight counties in the eastern part of the
Westend Hospital is fiscally strong with a stable management team. Anika Lewis has served as
president-CEO for the past fifteen years. The remainder of the senior management team has
been employed with Westend for eight to thirteen years. There are more than 150 active or
affiliate members of the organized hospital medical staff and approximately 1,600 employees.
The hospital has partnered with six outside management companies for services when the
expertise is not easily found locally, including HighTech for assistance with IT services.
In terms of its information systems, Westend Hospital has used Meditech since the 1990s,
including for nursing documentation, order entry, and diagnostic results. The nursing staff
members use bar-coding technology for medication administration and have done so for years.
CPOE was implemented in the ED four years ago and hospital-wide two years ago along with a
certified EHR system.
The Challenge
Westend Hospital has seen increasing numbers of mental health patients in the ED over the
past decade. For the past three years, the ED has averaged one hundred mental health patients
per month. Depending on the level of patient acuity and availability of state- or
community-operated behavioral health beds, the patient may be held in the ED from two hours
to eight days before a safe disposition plan can be implemented.
The ED mental health caseload is also rapidly growing in acuity. Between 20 percent and 25
percent of the behavioral health patients are arriving under court order (involuntary
commitment). The involuntary commitment patients are the most difficult in terms of developing
a safe plan for disposition from the ED. The Westend Hospital’s inpatient behavioral health unit
is currently an adult, voluntary admission unit and does not admit involuntary commitment
patients. The length of stay for involuntary commitment patients in the ED can be quite long. In
some cases, it may take three to four days to stabilize the patient on medication (while in the
ED) before the patient meets criteria for discharge to outpatient care. Approximately 40 percent
of the mental health patients in the ED, both involuntary commitment and voluntary, are
discharged either to home or outpatient treatment.
The psychiatrists and the emergency medicine physicians have met multiple times during the
past six years to develop plans to improve the care of the mental health patients in the ED.
Defining the criteria for an appropriate Westend psychiatrist consultation remains a challenge.
The daily care needs of the mental health patients boarding in the ED are complex. The
physicians have not been able to reach an agreement on this topic. Senior leaders have
suggested that tele-psychiatry may be a partial solution to address this challenge.

Tele-psychiatry as a Strategy
Westend Hospital has chosen to consider contracting with a tele-psychiatry hospital network to
provide tele-psychiatry services in the ED. The network has demonstrated good patient
outcomes and is considered financially feasible at a rate of $4,500 per month. This fee includes
the equipment, management fees, and physician fees. The director of tele-psychiatry in the
hospital network has verbally committed to work very closely with the Westend Hospital team to
ensure a smooth implementation.
Technology to support tele-psychiatry uses two-way, real-time, interactive audio and video
through a secure encrypted wireless network. The patient and the psychiatric provider interact in
the same manner as if the provider were physically present. The provider performing the patient
consultation uses a desktop video conferencing system in the psychiatric office.
Tele-psychiatry as a solution to the mental health crisis in the ED was not immediately
embraced by the medical staff members. They did agree to the implementation of tele-radiology
four years previously. However, the most recent revision of the medical staff bylaws to support
telemedicine explicitly states that the medical executive committee must approve, by a
two-thirds vote, any additional telemedicine programs that may be introduced at the hospital.
The medical staff leaders wanted to preserve their ability to maintain a financially viable medical
practice in the community as well as protect the quality of care.
The idea of tele-psychiatry was introduced to portions of the medical staff. The psychiatrists
realized that tele-psychiatry could relieve them of the burden of daily rounds in the ED for
boarding patients. They were also concerned about their workload when tele-psychiatry was not
The emergency medicine physicians immediately verbalized their disapproval on several levels.
First, they were concerned about the reliability of the technology based on their experiences
over the past several years with video remote interpreting. Then, the emergency medicine
physicians were skeptical about the continued support from the psychiatrists when an in-person
consultation might be clinically necessary.
Physicians outside of the ED and psychiatry could not understand why the current psychiatrists
could not meet the needs of the ED. The barriers to adoption of tele-psychiatry crossed three
arenas: financial, behavioral, and technical. Subsequently, many conversations were conducted.
Eventually, the medical executive committee approved tele-psychiatry as a new patient care
service on June 25 of this year.
Implementation Plan
The CEO appointed the vice president of patient services as the executive sponsor. The
implementation team includes the IT hardware and networking specialist, IT interface
specialists, nursing informatics analyst, ED nurse director, behavioral health nurse director,
assistant vice president patient services, physician clinical systems analyst, and the medical
staff services coordinator. These individuals represent the major activities for implementation:

provider credentialing, physician documentation, equipment and technical support, and patient
care activities. Because of competing projects and psychiatry subject matter expertise, the
executive sponsor will also serve as the project manager.
The mental health crisis affecting the ED is the focal driver for change. Patient safety is at risk.
Barriers to implement tele-psychiatry have been well documented. The strategies to overcome
the barriers include defining the new role for the Westend psychiatrists, developing a process for
ease of access and reliability of equipment for the ED physicians, and development of a plan
when the tele-psychiatry program is not available.
An unexpected barrier has been recently identified. On initiation of the tele-psychiatry provider
credentialing process, the medical staff services coordinator discovered that the bylaws do not
have a provision for credentialing of physician extenders in the telemedicine category. The
tele-psychiatry providers include six board-certified psychiatrists and twelve mental
health–trained nurse practitioners. The medical executive committee has agreed to ask the
medical staff bylaws committee to convene and revise the bylaws accordingly. The original
go-live date of September has been changed to December.
The executive sponsor along with the implementation team will be responsible for managing the
organizational changes necessary to support the introduction of technology and new patient
care flow processes. Managing organizational change will be essential to the success of this
project. Some items in the project will be viewed as incremental change and other items will be
viewed as step-shift change. Communication strategies will be developed to support the
Case 14: Assessing the Value and Impact of CPOE
The University Health Care System is an academic medical center with more than 1,200
licensed beds and more than 9,000 employees. The system comprises the University Hospital,
Winston Geriatric Hospital, Jefferson Rehabilitation Hospital, and two outpatient centers in the
metropolitan area. The system has a history of being a patriarchal, physician-driven
organization. When University Health Care first started taking patients, it was viewed as a
mecca to which community physicians throughout the South referred difficult-to-treat patients.
That referral mentality persisted for decades, so physicians within the system had a difficult time
making the transition to an organization that had to compete for patients with other health care
entities in the region.
In recent years, University Health Care System has evolved and has given physicians
proportionately more clout in decision making, in part because the health care leadership team
has not stepped forward. Creating a balance between clinician providers and administrative
leadership is a real issue. In the midst of the difficulty, both groups have agreed to embark on
the EHR journey. Currently about 55 percent of the system’s patient record is electronic; the
remainder is on paper. The physicians as a whole, however, have embraced technology and
view the EHR as the right road to take in achieving the organization’s goal of providing
high-quality, safe, cost-effective patient care.

Information Systems Challenge
Currently, the University Health Care System is in the midst of rolling out the CPOE portion of
the EHR project. A multidisciplinary decision-making project was established before beginning
the initiative, and leaders and clinicians tried to educate themselves on what the CPOE project
would entail. They were familiar with cases such as one at Cedars-Sinai in which CPOE was
halted after physician uproar over the time it took to use it and patient safety concerns. To help
ensure this did not happen at the University Health Care System, the leadership team decided
to take a slower, phased-in approach. Team members visited similar organizations that had
implemented CPOE, attended vendor user-group conferences, consulted with colleagues from
across the nation, and articulated the following project goals:
Optimize patient safety.
Improve quality outcomes and reduce variation in practice through the use of evidence-based
practice guidelines.
Reduce risk for errors.
Accommodate regulatory standards expectations.
Enhance patient satisfaction.
Standardize processes.
Improve efficiency.
The board has made it very clear that it wants regular updates on the progress of the project and
expects to see what the return on the investment has been.
Case 15: Assessing the Value of Health IT Investment
Five years ago, senior leadership at the Southeast Medical Center made the decision to embark
on the implementation of a host of new clinical applications in the inpatient units enterprise-wide.
The four hospitals that comprise Southeast Medical Center include the Main Adult Hospital, the
Children’s Hospital, McKinsey Hospital, and the Institute of Psychiatry. They contracted with
McKesson to implement the following applications:
ED tracking system
Replacement pharmacy information system
Clinical documentation system (for all nurses and ancillary personnel; does not include
physician notes)
Medication administration using bar-coding technology
Computerized provider order entry (CPOE)
In addition, several administrative applications were implemented, including a new operative
scheduling system and materials management system. They also upgraded their clinical data
repository viewer (referred to as Oacis). All applications are now operational.
Most recently, the board of trustees has approved replacement of Southeast’s ambulatory care
EHR. A system known as EasyDoc (a McKesson product) has been in use for years. However,
the system was viewed by clinicians and IT staff members as antiquated and cumbersome to
navigate. It is also very difficult to retrieve aggregate data from the system. Much of this is

apparently because of its underlying database architecture and structure. EasyDoc also did not
interface with the hospital clinical applications, and leaders were concerned that the system was
not going to enable Southeast to achieve meaningful use criteria.
Clinicians have also been frustrated that Southeast has been using two different EHR systems,
one for inpatient and another for outpatient, and the two don’t interface or give a complete picture
of the patient’s health record. With payment reform and the need to be able to more effectively
manage patient care quality and outcomes, senior leaders recommended, and the board
approved, replacement of the EasyDoc EHR with Epic ambulatory care EHR. The patient
registration and billing system used in ambulatory care will also be replaced with Epic’s practice
management application. Long-term plans are to eventually replace the McKesson clinical
applications with Epic in the inpatient sector as well.
The total cost of ownership for the replacement ambulatory EHR and practice management
system is approximately $30 million. Included in this estimate are not only the software and
hardware upgrades but also the staff members needed to implement and support the new
applications. Replacing the McKesson clinical products with Epic inpatient EHR will cost an
additional $90 million. Again, this is an estimated total cost of ownership.
The primary purpose of the Epic EHR project is to provide clinicians with access to a single,
complete EHR that spans the patient’s continuum of care and improves collaboration and
coordination of care. Community providers and patients will have access to the system.
Community partners (such as primary care providers) will be able to retrieve important patient
information. Currently a local HIE exists that provides ED visit information to all local hospitals.
This is to be expanded to include continuity of care documents (CCDs) and other relevant health
information. Patients will be given access to their health information such as lab tests, X-ray
results, and medications. They will also be able to schedule appointments and pay their bills
online through a patient portal known as MyChart. Southeast physician leaders view patients as
partners in their own care and are pleased to provide them access to information electronically.
Southeast providers treat a large population of patients with multiple chronic conditions.
Managing chronic diseases using evidence-based, real-time support is considered essential. In
addition, Southeast Medical Center has available a secure data warehouse of patient data that
researchers and clinicians will be using more fully in the future to ensure that clinical research
drives best care.
Case 16: The Admitting System Crashes
Jones Regional Medical Center is a large academic health center. With nine hundred beds,
Jones had forty-seven thousand admissions last year. Jones frequently has occupancy in
excess of 100 percent, requiring diversion of ambulances. In addition, Jones had 1,300,000
ambulatory and emergency room visits in the past three years.

Jones is internationally renowned for its research and teaching programs. The IT staff members
at Jones are highly regarded. They support more than three hundred applications and twelve
thousand workstations.
The admitting system at Jones is provided by the vendor Technology Med (TechMed). The
TechMed system supports the master patient index; registration; inpatient charge and payment
entry; medical records abstracting and coding; hospital billing and patient accounting; reporting;
and admission, discharge, and transfer capabilities.
The TechMed system was implemented twelve years ago and uses now-obsolete technology,
including a rudimentary database management system. The organization is concerned about
the fragility of the application and has begun plans to replace the TechMed system two years
from now.
Information Systems Challenge
On December 20, the link between the main data center (where the TechMed servers were
housed) and the disaster recovery center was taken down to conduct performance testing.
On December 21, power was lost to the disaster recovery center, but emergency power was
instantly put in place. However, as a precaution, a backup of the TechMed database was
During the afternoon of December 21, the TechMed system became sluggish and then
unresponsive. Database corruption was discovered. The backup performed earlier in the day
was also corrupt. The link to the disaster recovery data center had not been restored following
the performance testing.
Because there was no viable backup copy of the database, the Jones IT and hospital staff
members began the arduous process of a full database recovery from journaled transactions.
This process was completed the evening of December 22.
The loss of the TechMed system for more than thirty-six hours and the failure during that time of
registration transactions to update patient care and ancillary department systems resulted in a
wide variety of operational problems. The patient census had to be maintained manually.
Reports of results were delayed. Paper orders were needed for patients who were admitted on
December 21 and 22. Charge collection lagged.
Once the TechMed system was restored, additional hospital staff members were brought in to
enter, into multiple systems, the data that had been manually captured during the outage. By
December 25, normal hospital operations were restored. No patient care incidents are believed
to have resulted.
Case 17: Breaching the Security of an Internet Patient Portal

Kaiser Permanente is an integrated health delivery system that serves more than eight million
members in nine states and the District of Columbia. In the late 1990s, Kaiser Permanente
introduced an Internet patient portal, Kaiser Permanente Online (also known as KP Online).
Members can use KP Online to request appointments, request prescription refills, obtain health
care service information, seek clinical advice, and participate in patient forums.
Information Systems Challenge
In August, there was a serious breach in the security of the KP Online pharmacy refill
application. Programmers wrote a flawed script that actually concatenated over eight hundred
individual e-mail messages containing individually identifiable patient information, instead of
separating them as intended. As a result, nineteen members received e-mail messages with
private information about multiple other members. Kaiser became aware of the problem when
two members notified the organization that they had received the concatenated e-mail
messages. Kaiser leadership considered this incident a significant breach of confidentiality and
security. The organization immediately took steps to investigate and to offer apologies to those
On the same day the first member notified Kaiser about receiving the problem e-mail, a crisis
team was formed. The crisis team began a root cause analysis and a mitigation assessment
process. Three days later Kaiser began notifying its members and issued a press release.
The investigation of the cause of the breach uncovered issues at the technical, individual, group,
and organizational levels. At the technical level, Kaiser was using new web-based tools,
applications, and processes. The pharmacy module had been evaluated in a test environment
that was not equivalent to the production environment. At the individual level, two programmers,
one from the e-mail group and one from the development group, working together for the first
time in a new environment and working under intense pressure to quickly fix a serious problem,
failed to adequately test code they produced as a patch for the pharmacy application. Three
groups within Kaiser had responsibilities for KP Online: operations, e-mail, and development.
Traditionally these groups worked independently and had distinct missions and organizational
cultures. The breach revealed the differences in the way groups approached priorities. For
example, the development group often let meeting deadlines dictate priorities. At the
organizational level, Kaiser IT had a very complex organizational structure, leading to what
Collmann and Cooper (2007, p. 239) call “compartmentalized sensemaking.” Each IT group
“developed highly localized definitions of a situation, which created the possibility for failure when
integrated in a common infrastructure.”
Case 18: The Decision to Develop an IT Strategic Plan
Meadow Hills Hospital is a 211-bed acute care hospital with four hundred members on its
medical staff. Meadow serves a population of three hundred thousand. There are three other
similarly sized hospitals in the region. As an organization, Meadow Hills is very well run. It has a
good reputation in the community and is considered to be technically advanced based on its
investments in imaging technology. The organization is also in a strong financial position, with
$238 million in reserves. Meadow Hills has never had an IT strategic plan.

Information Systems Challenge
The IT function reports to the Meadow Hills chief financial officer (CFO). The CEO and other
members of the senior leadership team have largely left IT decisions up to the CFO. As a result,
the organization’s financial systems are very well developed. Computerized provider order entry
(CPOE), an EHR system, and a PACS have not been implemented. IT support for departments
such as nursing, pharmacy, laboratory, imaging, and risk management is limited.
The Meadow Hills IT team is well regarded and the limited IT support for clinical processes has
not drawn complaints from the nursing or medical staff. The organization does not currently
have a CIO.
The CEO has never felt the need to pay attention to IT. However, he is worried that
reimbursement based on care quality will arrive at Meadow Hills soon. He also believes that the
Meadow Hills Clinical Laboratory and Imaging Center would be more competitive if it had
stronger IT support; rival labs and imaging centers are able to offer electronic access to test
results. And he suspects that the lack of IT support may eventually lead to nurses and
physicians choosing to practice elsewhere.
Case 19: Selection of a Patient Safety Strategy
Langley Mason Health (LMH) is located in North Reno County, the largest public health care
district in the state of Nevada, serving an 850-square-mile area encompassing seven distinctly
different communities. The health district was founded in 1937 by a registered nurse and
dietician who opened a small medical facility on a former poultry farm. Today the health system
comprises Langley Medical Center, a 317-bed tertiary medical center and level II trauma center;
Mason Hospital, a 107-bed community hospital; and Mason Continuing Care Center and Villa
Langley, two part-skilled nursing facilities (SNFs); a home care division; an ambulatory surgery
center; and an outpatient behavioral medicine center.
In anticipation of expected population growth in North Reno County and to meet the
state-mandated seismic requirements, LMH developed an aggressive facilities master plan
(FMP) that includes plans to build a state-of-the-art 453-bed replacement hospital for its Langley
Medical Center campus, double the size of its Mason Hospital, and build satellite clinics in four
of its outlying communities. The cost associated with actualizing this FMP is estimated to be $1
billion. Several years ago, LMH undertook and successfully passed the largest health care bond
measure in the state’s history and in so doing secured $496 million in general obligation bonds to
help fund its massive facilities expansion project. The remaining funds must come from revenue
bonds, growth strategies, philanthropic efforts, and strong operational performance over the next
ten years. Additionally, $5 million of routine capital funds will be diverted every fiscal year for the
next five years to help offset the huge capital outlay that will be necessary to equip the new
facilities. That leaves LMH with only $10 million per year to spend on routine maintenance,
equipment, and technology for all its facilities. LMH is committed to patient safety and is building
what the leadership team hopes will be one of the safest hospital-of-the-future facilities. The

challenge is to provide for patient safety and safe medication practices given the minimal capital
dollars available to spend today.
LMH developed an IT strategic plan and identified the following ten goals:
Empower health consumers and physicians.
Transform data into information.
Support the expansion of clinical services.
Expand e-business opportunities.
Realize the benefits of innovation.
Maximize the value of IT.
Improve project outcomes.
Prepare for the unexpected.
Deploy a robust and agile technical architecture.
Digitally enable new facilities, including the new hospital.
Information Systems Challenge
LMH has implemented Phase 1—an enterprise-wide EHR system developed by Cerner
Corporation at a cost of $20 million. Phase 2 of the project is to implement CPOE with
decision-support capabilities. This phase was to have been completed previously, but has been
delayed because of the many challenges associated with Phase 1, which still must be stabilized
and optimized. LMH does have a fully automated pharmacy information system, albeit older
technology, and Pyxis medication-dispensing systems on all units in the acute care hospitals.
Computerized discharge prescriptions and instructions are available only for patients seen and
discharged from the LMH emergency departments.
Currently, the pharmacy and nursing staff members at LMH have been working closely on the
selection of a smart IV pump to replace all of the health system’s aging pumps and have put
forth a proposal to spend $4.9 million in the next fiscal year. Smart pumps have been shown to
significantly reduce medication administration errors, thus reducing patient harm. This
expenditure would consume roughly half of all of the available capital dollars for that fiscal year.
The CIO, Marilyn Chen, understands the pharmacists’ and nurses’ desire to purchase smart IV
pumps but believes the implementation of this technology should not be considered in isolation.
She sees the smart pumps as one facet of an overall medication management capital purchase
and patient safety strategic plan. Marilyn Chen suggests that the pharmacy and nursing
leadership team lead a medication management strategic planning process and evaluate a suite
of available technologies that taken together could optimize medication safety (for example,
CPOE, electronic medication administration records [e-mar], robots, automated pharmacy
systems, bar coding, computerized discharge prescriptions and instructions, and smart IV
pumps), the costs associated with implementing these technologies, and the organization’s
readiness to embrace these technologies. Paul Robinson, the director of pharmacy, appreciates
Marilyn Chen’s suggestion but feels that smart IV pumps are critical to patient safety and that
LMH doesn’t have time to go through a long, drawn-out planning process that could take years
to implement and the process of gaining board support. Others argue that all new proposals

should be placed on hold until CPOE is up and running. They argue there are too many other
pressing issues at hand to invest in yet another new technology.
Case 20: Strategic IS Planning for the Hospital ED
Founded in 1900, Newcastle Hospital today is a 375-bed, not-for-profit community hospital that
serves more than two hundred thousand residents of Newcastle County, New York. The
hospital is approximately thirty miles from midtown Manhattan. It provides a full range of primary
and secondary medical and surgical services and is an affiliate of one of the large New York
City hospital systems for tertiary referrals and select residency programs. Newcastle Hospital
has an independent governing body with 25 trustees, 604 active physicians, and 1,121 full-time
equivalent (FTE) staff members. Revenues of approximately $130 million per year come from
15,600 inpatient admissions, 71,000 outpatient visits, and 65,000 home care visits. Newcastle
Hospital operates in a difficult environment characterized by relatively poor reimbursement and
severe competition. There is one other acute care hospital in the county and a total of thirty-five
others within a twenty-mile radius.
The sentinel event in the hospital’s recent history occurred four years ago—a six-month nursing
strike that alienated the workforce, decimated public confidence, and directly cost at least $19.5
million, effectively eradicating the hospital’s capital reserves. Most of the senior management
was replaced after the strike. When hired, the new CEO and CFO uncovered extensive
inaccuracies that resulted in a reduction of reported net assets by almost $30 million and the
near-bankruptcy of the hospital. The new management restated financial statements, began
resolving extensive litigation, and set out to reestablish immediate operations, future finances,
and a long-term strategy. The new CEO states that “years of board and management neglect,
plus the ravages of the strike complicated recovery, because standards, systems, and middle
managers were universally absent or ineffective.”
Among its many issues, the challenges within the hospital’s emergency department (ED) are
particularly important to the overall recovery effort. The ED is described by the hospital CEO as
the organization’s “financial, clinical, and public relations backbone.” The ED sees 34,000
patients per year and admits 24 percent of them, constituting 51 percent of all inpatient
admissions. In addition, the ED is a clinically distinguished Level II trauma center, with a long
legacy of outcomes that compare favorably against regional, state, and national benchmarks.
Finally, most community members have experience with the ED and consider it a proxy for the
hospital as a whole, whether or not they have experienced an inpatient stay.
Currently, Newcastle ED patient satisfaction compared to patient satisfaction among peer
organizations ranks at the 14th percentile in the Press Ganey New York State survey and the
5th percentile in national surveys. Since the start of the new millennium, three organized
initiatives to improve these results (especially regarding walkouts and waiting times) have failed,
even though two involved prestigious consultants. After the management change, the new CEO
diagnosed two core barriers to overcoming the ED problems: first, inflexibility and unwillingness
to change among the ED physician management group that had been in place for ten years,
and, second, an almost complete absence of the data required to define, measure, and improve

the ED’s service performance. The first barrier was addressed via an RFP process that resulted
in engaging a new physician management group two years ago.
Information Systems Challenge
The present IS challenge follows directly from Newcastle Hospital’s overarching strategic
objectives: “satisfying patients and staff,” “supporting ourselves,” and “getting better every day”
(that is, improving performance). The ED as presently structured has ill-defined manual
processes and no information system. The challenge is selecting an ED information system
with an emphasis on informing, not just automating, key ED processes in order to support the
overall strategic initiatives of the organization.
Several organizational and IT system factors that affect this IT challenge have been identified by
the hospital CEO.
Organizational Factors
Undefined strategy. Newcastle Hospital operated without a formal strategic action plan and
corresponding tactics until two years ago. As a result, systematic prioritization and
measurement of institutional imperatives such as improving the ED did not occur.
Data integrity. Data throughout the hospital were and unreliable. For example, two
irreconcilable daily census reports made timely bed placement from the ED impossible.
Culture. “Looking good,” that is, escaping accountability, was valued more highly than “doing
good,” that is, substantively improving performance. Serious problems in the ED were often
masked or dismissed as anecdotes, even in the face of regulatory citations and six- to
eight-hour waiting times. The previous ED contract had contained no quality standards, and the
ED physicians claimed to be busy “saving lives” whenever their poor service performance was
IT System Factors
IT strategy. Paralleling the hospital, the IS department had no defined strategies, objectives, or
processes. Alignment with hospital strategy and IT performance measurements were not
considered. Although some progress has been made, this remains an area needing attention.
IT governance. There is no IT steering committee at either the board or management level. IT
policies, service-level agreements, decision criteria, and user roles and responsibilities do not
Functionality. The IT applications portfolio is missing critical elements (for example, order entry,
case management, nursing documentation, radiology) that would greatly benefit the ED, even
without a dedicated ED system. The hospital’s core information system is three versions
out-of-date and certain functions have been bypassed by users altogether.

IT infrastructure and architecture. The data center and most IT staff members are located
twelve miles away from the hospital, isolating IT physically and culturally from users and
patients. Software and networks have been arbitrarily and extensively customized over the
years, without documentation, and inadequate hardware capacity has often been given as an
excuse for not pursuing an ED system.
IT organization and resources. IT spending has been, on average, less than 1 percent of the
hospital’s budget and IT staff members have lacked essential training in critical applications and
tools. Newcastle Hospital has been dependent on multiple IT vendors for a variety of
implementation and operations support activities.
Case 21: Board Support for a Capital Project
Lakeland Medical Center is a 210-bed public hospital located in the Southeast. It is governed by
a politically appointed nine-member board and serves a market of approximately one hundred
thousand people. The hospital has been financially successful, but in recent years several
capital investments have not brought high returns. As a result, project investment decisions
became more conservative and oriented toward financial returns. Competitive forces have
continued to grow in the market, and significant internal expense items (such as the
organization’s pension program, paid leave bank, and health insurance program) have put
strains on Lakeland’s financial resources.
Revenue continues to grow at an average rate of about 10 percent each year, but controlling
expenses remains a challenge. Bad debt has grown from $5 million last year to a budgeted
amount of $14 million this year. The hospital continues to accomplish high patient and employee
satisfaction scores, high quality scores, and an A+ credit rating. Debt is approximately $55
million, and cash reserves are approximately $95 million. Total operating revenues are
approximately $130 million. The hospital employs 940 staff members. The average length of
stay is 4.3 days. Annual capital expenditure is $4 million.
Information Systems Challenge
Three years ago, the installation of computed radiography (CR) components to build a picture
archiving and communication system (PACS) began, at an estimated total cost of $1 million.
The following year, $400,000 was spent for additional CR components. Most recently the board
of directors (with three new members) did not approve the request of $1.9 million for completion
of the PACS, saying that it represented far too large a percentage of the organization’s annual
capital budget. Lakeland is still in need of completing the PACS program, with a board that is
unlikely to approve the expenditure.
A number of factors are contributing to the board’s decision not to authorize the additional $1.9
million for completion of the PACS:
Leadership’s inability to guarantee to the board’s satisfaction a financial return on the proposed

The board’s perception that the radiologists are not committed to the hospital and to the
community because none of the radiologists live in the community
The board’s perception that the cardiologists are not committed to the hospital or to the
community; the five cardiologists on staff are considered to be uncooperative among
themselves and not supportive of the hospital’s goals
Poor leadership within the IT department for providing the proper guidance on acquisition and
The board’s philosophy that Lakeland Medical Center should be more high-touch and less
high-tech, and thus there is a philosophical difference over the need for a PACS
Jealousy among the medical staff members that the diagnostic imaging department continues to
obtain capital approvals for large items representing a major percentage of the annual capital
budget; thus, many influential members of the medical staff, such as surgeons, are not
supportive of the expenditure
A few vocal employees speaking directly to board members expressing their concern that the
PACS implementation will result in job loss for them
Leadership’s inability to make a connection between this capital project and the strategic goals
of the organization
The chief of staff, Iesha Brown, firmly believes that a PACS will increase patient and physician
satisfaction because waiting times for results will decrease, enhance patient education, improve
staff member and physician productivity, improve clinical outcomes, improve patient safety,
eliminate lost films, reduce medical liability, assist in reducing patient length of stay, and
increase revenue potential. She believes it is management’s challenge to understand the key
issues of the board and to present the necessary supportive information for ultimate approval of
the PACS program.


n engl j med 372;18 nejm.org april 30, 20151684

hard-working people, including
physicians. But a strategy an-
chored in value is inherently
good for both patients and the
professional satisfaction of those
who care for them.

Strategy demands leaders will-
ing to make these choices, drive
their execution, and bring the
organization along. Leadership
in health care organizations has

tended to be more about steward-
ship than choices, and leader se-
lection has often been based on
research credentials, leaving the
clinical enterprise reliant on mo-
mentum and reputation. But fu-
ture success depends on the abil-
ity of organizations to create value
for patients. Leaders must ensure
that all activities are aligned
around this goal. In the emerging

competitive marketplace, only or-
ganizations that truly understand
strategy will thrive.

Disclosure forms provided by the au-
thors are available with the full text of this
article at NEJM.org.

From Harvard Business School (M.E.P.)
and Harvard Medical School (T.H.L.), Bos-
ton, and Press Ganey, Wakefield (T.H.L.)
— all in Massachusetts.

DOI: 10.1056/NEJMp1502419
Copyright © 2015 Massachusetts Medical Society.

Why Strategy Mat ters Now

Virtual Visits — Confronting the Challenges of Telemedicine
Jeremy M. Kahn, M.D.

Traditionally defined, telemedi-cine is the provision of medi-
cal care remotely by means of au-
diovisual technology. Using such
technology, clinicians can exam-
ine patients and make treatment
recommendations across long
distances. Telemedicine is by no
means a new concept — varie-
ties such as tele radiology and
telepathology that rely on “store-
and-forward” techniques, in which
images are captured and sent to
a different location for later
evaluation, have been around for
more than 30 years. But techno-
logical advances including high-
resolution video cameras and
stable broadband Internet have
helped make real-time telemedi-
cine an increasingly common
mode of health care delivery in
such diverse fields as dermatol-
ogy, neurology, and intensive
care.1 The fact that in 2012
nearly half of U.S. hospitals re-
ported having active telemedi-
cine programs indicates that
telemedicine is now fully within
the mainstream.2

This dramatic expansion has
profound implications for the
health care system. Most impor-
tant, telemedicine has the poten-
tial to substantially expand access
to high-quality health care, over-
coming not only geographic but

also socioeconomic barriers to
care. Just as neurologists can use
telemedicine to treat a patient for
stroke in the emergency depart-
ment of a far-off rural hospital,
primary care physicians can use it
to treat nearby patients who have
difficulty visiting a clinic, such as
nursing home residents or patients
with disabilities. In all these cases,
telemedicine does more than just
enable health care delivery across
distances: it facilitates a kind of
community-based care, improving
access by making health care more
convenient for both patients and

Telemedicine also has the po-
tential to substantially reduce
health care costs. For providers,
using telemedicine may be more
efficient than seeing patients in
brick-and-mortar offices, since it
reduces the time and space needed
to run a medical practice. For pa-
tients, telemedicine can reduce
travel expenses and the opportu-
nity costs associated with obtain-
ing care, such as missed hours or
days of work. For payers, it has the
potential to reduce reimburse-
ments because of reductions in
overall utilization. For example, in
the emergency-department setting,
telemedicine may allow specialists
in regional referral centers to re-
motely treat acutely ill patients

with complex conditions in rural
hospitals, saving the costs of
transport and a second emergency-
department visit.

Despite the many ways in
which telemedicine may transform
health care for the better, it faces a
number of major challenges along
the way. First, there are enduring
concerns about its effectiveness
and cost-effectiveness. The afore-
mentioned benefits are theoretical,
and the actual data to date are far
from convincing. Most studies of
telemedicine are methodological-
ly weak before-and-after studies
that rarely examine patient-cen-
tered outcomes, instead focusing
on feasibility and acceptability to
patients.3 Although these aspects
are important, they are not the
same as — and may not correlate
with — patient-centered outcomes
such as mortality and functional
status. Given these limitations, the
existing literature does not settle
the issue of whether telemedicine
delivers the same outcomes as
face-to-face encounters at either
the same or lower costs.

Second, even in areas where ef-
fectiveness data are available, the
influence of telemedicine varies
greatly depending on where and
how the technology is applied. For
example, studies have shown that
intensive care unit (ICU) telemedi-

n engl j med 372;18 nejm.org april 30, 2015



confronting the challenges of Telemedicine

cine can reduce mortality among
patients receiving critical care
by 15% by expanding access to
trained intensivists.4 However,
whereas some programs substan-
tially reduce mortality, others have
little or no impact.4 Published
studies do little to explain this het-
erogeneity or offer insight into
how programs can become more
effective. Without clear evidence
regarding when and where tele-
medicine is most effective, we risk
wasting scarce health care re-
sources on ineffective programs.

Third, the legal and regulatory
infrastructure for telemedicine has
yet to catch up with the technolo-
gy, which changes on a near-daily
basis. Yesterday’s telemedicine was
basically just traditional face-to-
face visits conducted using video
cameras. Regulatory challenges
such as liability, cross-state licens-
ing, and cross-hospital credential-
ing, although not trivial, were at
least predictable. Tomorrow, pa-
tients will expect more, and the
technology will be there to provide
it, including on-demand health
care delivered through smartphone
applications that transcend state
and even national boundaries. The
current regulatory environment
erects multiple barriers to infor-
mal, distance-based care and is
poorly equipped to keep pace with
such rapid changes.

Fourth, we don’t yet understand
the potential unintended conse-
quences of telemedicine. Some of
these consequences will be finan-
cial: even if a telemedicine encoun-
ter is more efficient than a face-to-
face encounter, to the extent that
telemedicine leads to more en-
counters overall, health care costs
will increase. Other, more subtle,
potential unintended conse-
quences are related to the complex
interpersonal and interprofession-
al relationships that define our
profession.5 In hospital settings,

telemedicine forces nurses to take
orders from physicians they may
never have met, challenging tradi-
tional conceptions of teamwork
and collaboration. In both hospi-
tals and ambulatory settings, tele-
medicine forces patients to accept
medical advice without the benefit
of an in-person encounter to build
trust and rapport.

More broadly, telemedicine
forces us all to reconsider what it
means for a doctor to “see” a pa-
tient, changing the physician–
patient relationship in unpredict-
able ways. Disruptive technologies
are just that — disruptive. No one
can say for certain where they may
take us. Consider the smartphone
dating application Tinder: it allows
users to rapidly sort through hun-
dreds of potential dating partners
on the basis of little more than
a photograph, making matches
when both users indicate an inter-
est. Tinder makes dating quicker,
efficient, and more accessible. But
is it better?

The task for telemedicine pro-
viders will be to tackle these chal-
lenges head-on. We need more
research demonstrating that tele-
medicine improves patient-cen-
tered outcomes and that it can do
so efficiently — not just for indi-
vidual encounters but at the popu-
lation level, without leading to
overuse. Researchers should ex-
plore the crucial issue of context,
studying not only whether tele-
medicine works but also how,
when, and where it works best, to
provide a roadmap for more effec-
tive implementation. We must also
study how to integrate telemedi-
cine into the existing care system
in ways that do not detract from
the interpersonal and interprofes-
sional relationships that we all rec-
ognize are essential to effective,
patient-centered care. As we per-
form this research, we also need
to revise — and perhaps complete-

ly rethink — health care regula-
tions, putting into place a more
flexible system that can protect
patients while fostering continued

Telemedicine will almost cer-
tainly expand in the coming years.
As health care becomes more con-
sumer-driven, tech-savvy patients
will want more flexibility in how
they seek care. And as health care
becomes more value-oriented, ac-
countable care organizations and
other integrated health care pro-
viders will increasingly rely on
technology to improve efficiency.
Telemedicine is uniquely posi-
tioned to address both of these
needs. But in solving some prob-
lems, telemedicine will surely cre-
ate others. Our job is to minimize
the potential harms by insisting
that implementation of telemedi-
cine is based on solid data. That
way, it can lead to health care that
is not just different and more
modern but also better.

Disclosure forms provided by the author
are available with the full text of this arti-
cle at NEJM.org.

From the Department of Critical Care Medi-
cine, University of Pittsburgh School of
Medicine, and the Department of Health
Policy and Management, University of
Pittsburgh Graduate School of Public
Health — both in Pittsburgh.

1. Institute of Medicine. The role of tele-
health in an evolving health care environ-
ment. Washington, DC: National Academies
Press, 2012.
2. Adler-Milstein J, Kvedar J, Bates DW. Tele-
health among US hospitals: several factors,
including state reimbursement and licen-
sure policies, influence adoption. Health Aff
(Millwood) 2014;33:207-15.
3. McLean S, Sheikh A, Cresswell K, et al.
The impact of telehealthcare on the quality
and safety of care: a systematic overview.
PLoS One 2013;8(8):e71238.
4. Wilcox ME, Adhikari NK. The effect of tele-
medicine in critically ill patients: systematic re-
view and meta-analysis. Crit Care 2012;16:R127.
5. Harrison MI, Koppel R, Bar-Lev S. Unin-
tended consequences of information tech-
nologies in health care — an interactive so-
ciotechnical analysis. J Am Med Inform
Assoc 2007;14:542-9.

DOI: 10.1056/NEJMp1500533
Copyright © 2015 Massachusetts Medical Society.

Reproduced with permission of copyright owner. Further reproduction
prohibited without permission.


Health Information Ownership: Legal
Theories and Policy Implications

Lara Cartwright-Smith, Elizabeth Gray, and Jane Hyatt Thorpe*


This Article explores the nature and characteristics of health
information that make it subject to federal and state laws and the existing
legal framework that confers rights and responsibilities with respect to
health information. There are numerous legal and policy considerations
surrounding the question of who owns health information, including
whether and how to confer specific ownership rights to health
information. Ultimately, a legal framework is needed that reflects the
rights of a broad group of stakeholders in the health information
marketplace, from patients to providers to payers, as well as the public’s
interest in appropriate sharing of health information.


I. INTRODUCTION ………………………………………………………….. 208

A. Definitions of Health Information ……………………………. 210
1. Health Information Characteristics ……………….. 210
2. Health Information Types …………………………….. 212

INFORMATION ……………………………………………………………. 214

A. Property law …………………………………………………………. 220
B. Intellectual Property Law ……………………………………….. 225
C. Federal Privacy Law ……………………………………………… 226

1. Constitutional Law ………………………………………. 226
2. HIPAA ………………………………………………………… 228

* The authors thank Jennifer Ansberry, JD, MPH, Maanasa Kona, JD, LLM, and
Resa Cascio, JD, LLM, for their valuable research contributions to this paper.

208 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

3. Other Federal and State Statutes and
Regulations Protecting Health Information
Privacy …………………………………………………. 231
a. The Genetic Information Non-Disclosure

Act of 2008 (GINA) ………………………. 232
b. Privacy Act and FOIA …………………………. 233
c. 42 C.F.R. Part 2 …………………………………. 234

D. Contract Law ………………………………………………………… 235
E. State Law …………………………………………………………….. 236

V. POLICY CONSIDERATIONS ……………………………………………. 237
VI. CONCLUSION …………………………………………………………….. 241


The concept of owning information invokes thoughts of
property and profit. Property ownership means that the owner may
use the property as he or she wishes. The owner may modify it,
destroy it, transfer it by sale or donation, and permit others to use it
according to his or her terms, among other things. However,
ownership of health information is less clear. In some cases, the law
ascribes clear ownership rights over part or all of a health record, but
in other cases, information may be used by a number of parties
without clear ownership rights, even for the person who is the subject
of the information. Stakeholders at the state and federal levels
struggle with these issues as more uses for health information are
developed, technological advancements enable greater mobility, and
accessibility and ownership of health information becomes more
significant, yet the answer to the ownership question remains unclear.
Numerous potential solutions to the health information ownership
question exist. One option would be to allow each person to own the
information held in her personal medical records, even if another
person created the record. Another might be to give ownership of the
patient’s information to the healthcare provider who recorded that
information. Or perhaps the many rights surrounding health
information amount to ownership or make ownership irrelevant in a
highly regulated environment.

This Article will explore the existing laws that confer rights
and responsibilities with respect to health information, discuss
various legal theories of ownership that could apply to health
information, and consider the implications of applying them in the
current health information policy landscape. In Part I, the Article will
explore the nature of health information and the various


characteristics that may make it subject to federal and state
regulation. In Part II, the Article will explore the legal and policy
landscape surrounding health information regulation, considering why
ownership of health information is of particular relevance now. In
Part III, the Article will discuss the various laws and legal theories
that apply to health information, giving full ownership rights or rights
to access, use, and control it. Finally, in Part IV, the Article will
discuss policy considerations surrounding the question of health
information ownership, including the implications of conferring
specific ownership rights over health information. While there is no
one solution to the question of health information ownership, given
the complex bundle of overlapping rights under state and federal laws
that apply, the Article highlights the policy considerations that weigh
against treating health information exclusively as property.
Ultimately, a legal framework is needed that reflects the rights of the
many stakeholders in the health information marketplace, from
patients to providers to payers, as well as the public’s interest in the
appropriate sharing of health information.


In some ways, health information is similar to other types of
personal information: it contains unique details about a particular
individual. Like financial information, it can be used improperly to
discriminate against an individual and, like private photos or personal
thoughts, it can be embarrassing if disclosed publicly. In other ways,
health information is unique. For example, disclosing health
information to others is necessary both for proper medical treatment
of the person who is the subject of the information and also for the
business purposes of potentially many different people or entities,
such as doctors for treatment and billing purposes and health
insurance companies for payment purposes. Health information may
be relevant to third parties, as in the case of communicable diseases or
inheritable genetic conditions. Before considering how laws apply to
health information, it is important to define what health information
is and explain what makes it subject to regulation.

210 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

A. Definitions of Health Information

The most basic definition of health information is any
information concerning the health of at least one person.1 When
considering law and policy, however, the regulated information must
be specifically defined. For example, the physical medical record, the
content of the record, biological samples taken from a person, and data
aggregated from many different people can all be considered “health
information,” but they may be treated differently under the law. Not
all health information is subject to regulation, and information that is
regulated may be subject to laws that overlap or directly contradict
each other.2

1. Health Information Characteristics

There is no single legal framework governing “health
information;” rather, information may be subject to one or more laws
and/or regulations depending on the information’s specific
characteristics. For purposes of applying legal protections and
restrictions, health information can be defined based on a variety of
characteristics, such as its content, its source, and its form. These
characteristics are not mutually exclusive, so that multiple
overlapping rights and obligations may apply to a particular record or
piece of information, complicating the question of ownership.

Content focuses on the substance of the information. The
American Health Information Management Association (AHIMA)
defines health information as “the data related to a person’s medical
history, including symptoms, diagnoses, procedures, and outcomes.”3
This content-based definition is perhaps the broadest possible way to
describe health information, as there are no limitations related to its
source, form, or subject. The Office for the National Coordinator for
Health Information Technology (ONC) uses a slightly narrower
definition, recognizing health information as information about an
individual’s medical condition or history where the information can be
used to identify an individual.4 Indeed, identifiability is a critical

1. What Is Health Information?, AM. HEALTH INFO. MGMT. ASS’N,
http://www.ahima.org/careers/healthinfo [https://perma.cc/8NV9-5VL4] (last visited Oct. 27,
2. See, e.g., Beverly Cohen, Reconciling the HIPAA Privacy Rule with State Laws
Regulating Ex Parte Interviews of Plaintiffs’ Treating Physicians: A Guide to Performing HIPAA
Preemption Analysis, 43 HOUS. L. REV. 1091, 1105–07 (2006).
3. What Is Health Information?, supra note 1.
4. What Is “Health Information” for Purposes of the Mobile Device Privacy and Security
Subsection of HealthIT.gov?, HEALTHIT.GOV, https://www.healthit.gov/providers-


component underlying most federal and state laws and regulations
governing health information.5

Health information can also be categorized by its source, which
refers to the person or the entity that initially collected the information,
as well as the setting in which the information was generated or
collected. Sometimes, the individual subject of the information or the
individual’s family members may be the information collector. Health
information may also be collected by entities providing care, paying for
care,6 performing public health functions, conducting research, or
delivering other services that may incidentally involve healthcare
information, such as those provided by prisons, schools, or
universities. Laws focusing on the source alone may protect
information only in its collected form, meaning the information itself
is not protected but the list, database, or other collected information
format is protected, as in the case of a business record, such as a
patient list. Moreover, these laws may only protect information held
by a certain party, such as a substance abuse treatment facility.

Lastly, the form of medical information indicates the method
by which information is collected and stored. Health information may
be tangible, such as a tissue sample, or intangible, such as an
individual’s memory about his or her health or an individual’s genetic
information. Intangible health information becomes tangible once it is
recorded or extracted from the individual. Tangible health
information is stored digitally or on paper, or as preserved physical
samples, such as those kept in biobanks. Some legal protections and
restrictions apply to health information by virtue of its form or
medium, such as laws granting ownership of a medical record to the
healthcare provider that holds it.7 In that case, the information is
protected health information because it is contained in a medical
record, but the protection may not follow the information once it
leaves the medical record.

[https://perma.cc/72JC-NQT2] (last visited Oct. 27, 2016).
5. See, e.g., Health Insurance Portability and Accountability Act (HIPAA) of 1996 §
1177, 42 U.S.C. § 1320d(6) (2012) (defining an “offense” by referring four times to “identifiable
health information” or “health identifier”).
6. Health insurers, for example, are entities that pay for care, though other entities
may be involved in payment. This would include the federal government when it directly pays
providers to deliver care to a specific population for which it has responsibility, such as veterans.
7. E.g., S.C. CODE ANN. § 44-115-20 (West 2016) (a physician is the owner of medical
records that were made in treating a patient and are in his or her possession, as well as the
owner of records transferred to him or her concerning prior treatment of the patient); V.A. CODE
ANN. § 54.1-2403.3 (West 2016) (medical records maintained by any healthcare provider are the
property of the healthcare provider or the provider’s employer).

212 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

2. Health Information Types

When considering ownership and regulation of health
information, it is important to understand what may be owned or
regulated. Laws may regulate only a certain type of health
information, as in the case of state laws granting ownership of genetic
information to the subject of the information,8 which can complicate
matters if a certain record contains multiple types of information. It
is important to understand the terms used by policymakers and
stakeholders to delineate different types of information because these
definitions may determine what rights and responsibilities apply to
that information.

The medical and health policy communities have adopted
several commonly used terms to define certain types of health
information. The term “clinical data,” for example, refers to health
information collected in a clinical setting by a provider from a patient.9
Clinical data may include patient histories, lab results, x-rays, or
provider notes.10 Clinical data is stored in electronic health records
(EHRs) and electronic medical records (EMRs), paper-based medical
records, and clinical trial records.11

“Administrative data” is information collected from patients by
healthcare stakeholders, such as providers and payers, in connection
with the patient’s care or payment for care.12 Administrative data is
used primarily for business purposes like record keeping or billing and
may include patient demographic and insurance information.13

8. E.g., ALASKA STAT. ANN. § 18.13.010 (West 2016) (“DNA sample and the results of a
DNA analysis are the exclusive property of the person sampled or analyzed.”); COLO. REV. STAT.
ANN. §§ 10-3-1104.6, -1104.7 (West 2016) (indicating genetic information is the property of the
individual); FLA. STAT. § 760.40 (2016) (“[R]esults of . . . DNA analysis, whether held by a public
or private entity, are the exclusive property of the person tested.”); GA. CODE ANN. § 33-54-1
(West 2016) (“Genetic information is the unique property of the individual tested . . . .”); LA.
STAT. ANN. §§ 22:1023, 40:2210 (2016) (“[I]nsured’s or enrollee’s genetic information is the
property of the insured or enrollee . . . .”).
9. Data Resources in the Health Sciences, U. WASH.,
http://guides.lib.uw.edu/hsl/data/findclin [https://perma.cc/3TXB-EQT5] (last visited Nov. 2,
[https://perma.cc/G37Q-LPP2]; see also What Is Health Information?, supra note 1.
2010), http://www.ncbi.nlm.nih.gov/books/NBK54296/ [https://perma.cc/9VDT-SPY9].
12. Id. at 100.
13. Id. at 126.


Administrative data may be found in EHRs and EMRs, paper-based
medical records, and practice management systems.14

Finally, “patient-generated health data” (PGHD) is “health-
related data created, recorded, or gathered by or from patients” or
patients’ family members or other caregivers in non-clinical settings.15
PGHD may be generated or collected by mobile apps, personal health
records (PHRs), and home health equipment that does not
automatically transmit to a provider, such as a blood glucose

Other common terms refer to the content of the information.
“Biospecimens” are physical materials taken from an individual,
including tissue, blood, urine, or other human-derived material,17 as
well as the information derived from the material, such as extracted
DNA.18 A biospecimen can comprise subcellular structures, cells,
tissue, organs, blood, gametes (sperm and ova), buccal swabs,
embryos, fetal tissue, exhaled breath condensate, and waste (urine,
feces, sweat, hair and nail clippings, shed epithelial cells, and
placenta).19 “Genetic information” refers to information about an
individual’s genetic makeup and the genetic makeup of an individual’s
family members, as well as information about the manifestation of a
disease or disorder in an individual’s family members, such as a
family medical history.20 Both biospecimens and genetic information
may be defined and regulated according to their form as well as
content, as in the case of a rule applying only to the physical sample
taken from a body.

14. Id. at 69.
15. Patient-Generated Health Data, HEALTHIT.GOV, https://www.healthit.gov/policy-
researchers-implementers/patient-generated-health-data [https://perma.cc/6QHJ-T7MT] (last
visited Oct. 27, 2016).
16. Id.
http://biospecimens.cancer.gov/bestpractices/2011-NCIBestPractices [https://perma.cc/WAH2-
3WQS] (last visited Oct. 27, 2016).
biospecimen [https://perma.cc/QU9E-CDR4] (last visited June 28, 2016).
59; Jonathan S. Miller, Can I Call You Back? A Sustained Interaction with Biospecimen Donors
to Facilitate Advances in Research, 22 RICH. J.L. & TECH. 1 (2015).
20. Adapted from the definition of “genetic information” set forth in GINA Title I. See
Genetic Information Nondiscrimination Act of 2008 § 201, 42 U.S.C. § 2000ff (2012).

214 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207


In recent years, evolving technology has made health
information more accessible and more meaningful to individual
consumers, providers, payers, and researchers. Value-based
purchasing policies have created incentives for providers to collect,
analyze, and report more data about individual patients.21 Wearable
devices collect and record health information such as activity, heart
rate, and blood sugar level, enabling individuals to monitor, and thus
better manage their own health.22 These and other self-management
tools, such as Consumer Health Informatics (CHI) applications, are
particularly useful for patients with chronic conditions. For example,
researchers have found that the use of such tools can positively affect
health outcomes in the cases of breast cancer, alcohol abuse, smoking
cessation, obesity, diabetes, mental health, and asthma.23 CHI
applications also include electronic PHRs and patient portals, some of
which function as peer interaction systems by which users can
communicate with others who have similar conditions.24 Individuals
may also choose to share personal health information freely online
through websites specifically designed to aggregate information from
patients, such as PatientsLikeMe,25 as well as on social media.26
Providers even share patient information on social media (with
privacy protections in place), essentially crowdsourcing medical
diagnosis and treatment.27

21. See, e.g., Linking Quality to Payment, MEDICARE.GOV,
[https://perma.cc/D5FK-XVJQ] (last visited Oct. 27, 2016).
22. See John Comstock, CES 2016: Running List of Health and Wellness Devices,
MOBIHEALTH NEWS (Jan. 6, 2016), http://mobihealthnews.com/content/ces-2016-running-list-
health-and-wellness-devices [https://perma.cc/U4B3-WSJ2].
http://www.ahrq.gov/downloads/pub/evidence/pdf/chiapp/impactchia [https://perma.cc/8H5Q-
24. Bisk, Defining the Concept of CHI, and Exploring How It Is Democratizing
Healthcare for Patients, USF HEALTH, http://www.usfhealthonline.com/resources/key-
concepts/consumer-health-informatics/#.V2xi0jkrK2x [https://perma.cc/5TET-T7GU] (last visited
Nov. 2, 2016).
25. Live Better, Together!, PATIENTSLIKEME, https://www.patientslikeme.com
[https://perma.cc/R66M-K49F] (last visited Nov. 2, 2016).
26. See Patricia Sanchez Abril & Anita Cava, Health Privacy in a Techno-Social World:
A Cyber-Patient’s Bill of Rights, 6 NW. J. TECH. & INTELL. PROP. 244, 247–48 (2008).
27. See, e.g., Alex Mohensi, Doc APProvED: ‘Instagram for Doctors,’ 36 EMERGENCY
MED. NEWS 22 (2014), http://journals.lww.com/em-
[https://perma.cc/2B9P-GKDX]; see also Esther K. Choo et al., Twitter as a Tool for


Technology is also enabling the use of “big data” drawn from
health records, which promises to improve the quality of healthcare,
allow a greater understanding of patient and provider behaviors, and
even find new treatments for conditions like cancer. “Big data” refers
to very large datasets containing vast quantities of a variety of
information types that arrive and must be processed quickly.28 It also
invites concern about commercial uses by information resellers and
marketers, as well as nefarious uses like identity theft and
discrimination.29 Cybersecurity experts estimate that a stolen medical
record is worth ten times more than stolen credit card information
because of medical information’s greater profit potential.30 In the
legal data market, health information is collected and sold to
companies such as credit bureaus, advertisers, and investigators. An
appendix to a 2013 Government Accountability Office (GAO) report on
information resellers listed characteristics that the credit reporting
company Experian used to identify individuals to include in marketing
lists it created and provided to its clients.31 The characteristics
included an extensive list of heath conditions, including potentially
sensitive conditions like Alzheimer’s disease, cancer, clinical
depression, diabetes, erectile dysfunction, epilepsy, irritable bowel
syndrome, menopause, Parkinson’s disease, and prostate problems.32
The business of gathering health data for commercial purposes can be
significant; for example, IMS Health, one of the leading providers of
such intelligence, reported approximately $1.5 billion in annual
revenue for its information segment in each of the last five years.33
IMS Health draws information from a variety of sources, including
over 500 million patient medical records and over fourteen million
healthcare providers and organizations (Figure 1). These millions of

Communication and Knowledge Exchange in Academic Medicine: A Guide for Skeptics and
Novices, 37 MED. TCHR. 411, 413 (2014).
28. Bernard Marr, Big Data a Game Changer for Healthcare, FORBES (May 24, 2016,
1:55 AM), http://www.forbes.com/sites/bernardmarr/2016/05/24/big-data-a-game-changer-in-
healthcare/#28efa52f3c75 [https://perma.cc/UYA3-MJKC].
29. Id.
30. Caroline Humer & Jim Finkle, Your Medical Record Is Worth More to Hackers Than
Your Credit Card, REUTERS (Sep. 24, 2014, 2:24 PM), http://www.reuters.com/article/us-
cybersecurity-hospitals-idUSKCN0HJ21I20140924 [https://perma.cc/X7QQ-4SVD].
http://www.gao.gov/assets/660/658151 [https://perma.cc/U8JQ-SZZZ].
32. Id. at 53.
Report_Final_Final [https://perma.cc/V35F-JGCT]. $1.5 billion per year is a lot of money to
make just from aggregating and selling health data.

216 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

records and pieces of patient information are combined into a dataset
that is sold as a product to a variety of users.34 These practices
illustrate how one’s health information may be commodified—that is,
turned into a product for someone else’s profit. In this landscape,
legal ownership of information becomes a critical question.

Figure 1: Data combined by IMS Health for its “Market Insights”

health information business sector35

Courts are confronting these new data uses and considering

where they fit in existing legal structures, such as intellectual
property law. Two cases decided by the US Supreme Court in recent
years illustrate the challenge of sorting out legal rights where
corporate interests in personal information are concerned.36 In 2013,
in Ass’n for Molecular Pathology v. Myriad Genetics, Inc., (Myriad),
the Court considered a challenge to a patent held by Myriad Genetics
on genetic tests for certain genes that increase the risk of breast and
ovarian cancer.37 The tests involved isolating natural DNA strands
and creating synthetic complementary DNA that mirrored the original
isolated strands with slight alterations.38 The Court ruled that
synthetically created complementary DNA is patentable, while
isolated natural DNA is not.39 Although the case appeared to be a
relatively straightforward application of intellectual property law,
granting corporations a protectable property interest in material
derived from an individual’s DNA could have far-reaching
implications.40 If a corporation can create a commodity from DNA,
selling it and preventing others from making competing products,

34. Id.
35. Global, National and Subnational Insights, QUINTILESIMS,
http://www.imshealth.com/en/solution-areas/market-insights [https://perma.cc/NG8J-YY56] (last
visited Nov. 12, 2016).
36. See generally Ass’n for Molecular Pathology v. Myriad Genetics, Inc., 133 S. Ct. 2107
(2013); Sorrell v. IMS Health Inc., 564 U.S. 552 (2011).
37. Myriad, 133 S. Ct. at 2110–11.
38. Id. at 2111.
39. Id.
40. Id. at 2113, 2120.


other activities that amount to ownership of a person’s biological
material are not far off.

In 2011, the Court considered the constitutionality of legal
restrictions on the use of collected personal information in Sorrell v.
IMS Health Inc.41 Sorrell dealt with a common marketing practice,
wherein pharmacies collect prescriber-identifying information when
processing prescriptions and sell this information to “data miners.”42
Data miners use this information to produce reports on prescriber
behaviors, de-identified with respect to patients but identifying the
prescribing physician, which they lease to pharmaceutical
manufacturers.43 Manufacturers then employ “detailers,” commonly
known as pharmaceutical sales representatives or “drug reps,” who
use the reports to strategically market and promote their drugs to

The Vermont law in question prohibited pharmacies from
selling or disclosing prescriber-identifying information for marketing
purposes without the prescriber’s consent and further prohibited
pharmaceutical manufacturers and marketers from using prescriber-
identifiable information for sales marketing and promotion practices.45
The majority used a First Amendment free speech analysis to strike
down the statute because it imposed a burden on the protected speech
of the regulated pharmacies, manufacturers, and marketers, including
plaintiff IMS Health, thereby restricting communication.46

The dissent, however, argued that Vermont’s law regulated
commercial activity rather than speech and thus imposed no
significant burden on free speech.47 Because the majority interpreted
restrictions on the use of health information as a free speech violation
rather than regulation of health information use and exchange for
commercial purposes, the Court may have made it very difficult for
legislators to regulate the activity of collecting and disseminating
personal information, including health information, for profit. With
respect to ownership of health information, it may not be possible
after Sorrel to give ownership rights over health information to a
particular individual or entity through statute, regulation, or common

41. Sorrell, 564 U.S. at 557.
42. Id. at 558.
43. Id.
44. Id.
45. VT. STAT. ANN. tit. 18, § 4631(d) (West 2010), invalidated by Sorrell v. IMS Health,
Inc., 564 U.S. 552 (2011).
46. Sorrell, 564 U.S. at 563–65.
47. Id. at 591–92.

218 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

law because another party may be able to claim a constitutional right
to use the information for their own purposes.

The legal status of health information is the subject of robust
debate and the legal landscape is in flux. Scholars debate what legal
framework—whether property law, tort law, or constitutional
protections of free speech—should apply to health information.48
Members of the public debate the ethics of using personal health
information without consent, as in the case of Henrietta Lacks, whose
cancer cells were taken, replicated, and later commodified for valuable
research for decades without her consent and without her family’s
knowledge.49 Policymakers debate the proper balance between the
potential benefits of data derived from personal information and the
need to protect privacy and other rights.50

At the federal level, ONC is leading efforts to define the rules
of the road for the use and exchange of health information. For
example, ONC released a set of guiding principles related to health
information exchange governance in 2013, which were designed to
serve as a common framework for organizations engaging in the data
exchange for healthcare purposes.51 In 2015, ONC released the
Federal Health IT [Information Technology] Strategic Plan 2015–
2020,52 which highlights the importance of protecting health
information privacy and security in order to support and advance
“widespread use of all forms of health IT.”53 According to the Plan,
clarifying federal and state laws governing the privacy and security of
health information is a key component of promoting greater adoption
of health information technology.54

48. See, e.g., Barbara J. Evans, Much Ado About Data Ownership, 25 HARV. J.L. &
TECH. 70, 74 (2011) (arguing against propertization of health data); Bonnie Kaplan, Selling
Health Data: De-Identification, Privacy, and Speech, 24 CAMBRIDGE Q. HEALTHCARE ETHICS 256
(2015) (comparing property and free speech framework and suggesting tort law as alternative);
Paul M. Schwartz, Property, Privacy, and Personal Data, 117 HARV. L. REV. 2055, 2056 (2004)
(criticizing tort law as comprehensive framework and suggesting property law as proper
House 2010).
50. See, e.g., Marc A. Rodwin, Patient Data: Property, Privacy & the Public Interest, 36
AM. J.L. & MED. 586, 617 (2010).
IT STRATEGIC PLAN 2015–2020, at 4 (2015), https://www.healthit.gov/sites/default/files/9-5-
federalhealthitstratplanfinal_0 [https://perma.cc/BSG4-943T].
53. Id.
54. Id. at 43.



In law, ownership generally means legal title to something
combined with the exclusive right to possess it.55 Legal title gives the
owner a variety of rights, including rights to control, use, profit from,
dispose of, and prevent others from using the thing that is owned.56
This concept is straightforward in the case of an object or piece of real
estate. In the case of health information, ownership is usually less
clear. A patchwork of laws grants various rights and obligations with
respect to health information and medical records, including privacy,
confidentiality, and the rights to access, amend, and direct the
transfer of one’s health information.57 Some rights come from specific
laws and regulations, while others are derived from broader principles
of law, like privacy and property.58

Some states have laws granting specific ownership over
medical records or health information either to the healthcare
provider or, in New Hampshire, to the individual who is the subject of
the information.59 Some of these state laws use the term “own” or
“owner,” while others use the term “property.”60 In Wyoming, the law
refers to the physical conveyance for the information, giving the
provider ownership of “the paper, microfilm, or data storage unit upon
which the patient’s information is maintained [and stating that
patients] do not have a right to possess the physical means by which
the information is stored,” although they must be given access to
“pertinent information.”61 In New Hampshire, the state’s Patients’
Bill of Rights law states: “[m]edical information contained in the
medical records at any facility licensed under this chapter shall be
deemed to be the property of the patient.”62 This law is unique among
states and, since providers retain a property interest in their business
records, it is not clear how the conflicting property rights of patients
and providers would be resolved in case of a dispute. There are also
cases finding that medical records are the property of the healthcare

55. Ownership, BLACK’S LAW DICTIONARY (10th ed. 2014).
56. E.g., Jane B. Baron, Property as Control: Case of Information, 18 MICH. TELECOMM.
& TECH. L. REV. 367, 384 (2012).
57. E.g., Mark A. Hall, Property, Privacy, and the Pursuit of Interconnected Electronic
Medical Records, 95 IOWA L. REV. 631, 649–50 (2010).
58. See id.
59. Who Owns Medical Records: 50 State Comparison, HEALTH INFO. & L.,
comparison [https://perma.cc/3H2N-XNF5] (last visited Nov. 12, 2016).
60. See id.
61. 024-052 WYO. CODE R. § 003 (LexisNexis 2016).
62. N.H. REV. STAT. ANN. § 151:21 (2016).

220 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

provider who created them, even where there is no statute or
regulation to that effect.63

While ownership is significant, it may not determine who can
do what with health information. Patients may have rights with
respect to their medical records under some federal privacy laws and
regulations.64 Many states have specific laws addressing how
providers must maintain, protect, and dispose of records, as well as
laws giving patients, providers, and others access to medical records,
regardless of ownership status.65 The following discussion addresses
the legal theories that could potentially serve as the basis for
ownership of health information, including property law, intellectual
property law, and privacy law.

A. Property law

In the United States, there is no recognized property interest in
one’s own personal information.66 There may be property interests in
specific types of information, as in the case of medical information
under the New Hampshire law67 referenced above, or in the physical
container that houses the information, such as a computer or diary.68
When information about individuals is compiled from public data or by
an entity with legal access to the information, such as a credit card
company, it can be sold without the permission of the subjects of the
information, who are not entitled to any compensation.69 Information
about customers, such as mailing lists, can be distributed alongside
real property when a business is transferred.70

Property can be defined broadly as “any interest in an object,
whether tangible or intangible, that is enforceable against the

63. See, e.g., Holtkamp Trucking Co. v. David J. Fletcher, M.D., L.L.C., 932 N.E.2d 34,
43 (Ill. 2010) (holding that medical records were physician’s property); McGarry v. J.A. Mercier
Co., 262 N.W. 296, 297–98 (Mich. 1935) (holding that x-ray negatives were the property of the
physician who made them, not the patient).
64. Hall, supra note 57, at 649–50.

65. See States, HEALTH INFO. & L., http://www.healthinfolaw.org/state
[https://perma.cc/6DWF-FVSR] (last visited Nov. 13, 2016).
66. Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal
Information, 37 U.C. DAVIS L. REV. 379, 403 (2003).
67. N.H. REV. STAT. ANN. § 151:21 (2016).
68. Hall, supra note 57, at 646–47.
69. Dwyer v. Am. Express Co., 652 N.E.2d 1351, 1352–53 (Ill. App. Ct. 1995).
70. E-7.04 Sale of a Medical Practice, AM. MED. ASS’N,
https://www.denbar.org/docs/AMA%20(Professionalism)%20E-7 ?ID=2373
[https://perma.cc/5P5Y-WBAT] (last updated Sept. 26, 2005).


world.”71 As explained by the California Supreme Court, applying a
broad definition, “[t]he term ‘property’ is sufficiently comprehensive to
include every species of estate, real and personal, and everything
which one person can own and transfer to another. It extends to every
species of right and interest capable of being enjoyed as such upon
which it is practicable to place a money value.”72 Others have limited
the definition of property to the specific set of “legally sanctioned
property forms” defined by legislatures.73 This Article uses a broad
definition, modified to apply to health information. Thus, a property
interest in health information may be defined as any interest in the
health information that is enforceable against the world. Property
rights under this definition are distinguished from the more limited
rights that apply under the terms of a contract, where rights are
enforceable only against a party to the contract, or rights that only
apply in certain settings or for certain users, such as health
information privacy and security regulations. When considering
property rights in personal information, courts have historically held
that such information belongs to no one until it is collected, at which
point it belongs to the collector.74 Thus, when a company collects the
names, addresses, phone numbers, and shopping histories of its
customers, that information may become a protected piece of property
that can be transferred along with other corporate property when the
business is sold or sold outright as a product itself.75

In the healthcare context, medical records typically belong to
the physician, hospital, or another provider that created them.76
Thinking of healthcare like any other service industry, the medical
record is a record of the service provided to the customer. For the
healthcare provider, the information in a medical record is necessary
for a number of purposes other than patient care. These include
receiving payment for the service from an insurance company,
complying with state and federal reporting requirements, supporting
business functions such as profit-sharing among partners and paying
taxes, and defending the provider in case of any claim of malpractice.77

71. Schwartz, supra note 48, at 2058.
72. Yuba River Power Co. v. Nevada Irrigation Dist., 207 Cal. 521, 524 (1929).
73. Thomas W. Merrill & Henry E. Smith, Optimal Standardization in the Law of
Property: The Numerus Clausus Principle, 110 YALE L.J. 1, 10 (2000).
74. Bergelson, supra note 66, at 403.
75. E.g., Julia N. Mehlman, If You Give a Mouse a Cookie, It’s Going to Ask for Your
Personally Identifiable Information: A Look at the Data-Collection Industry and a Proposal for
Recognizing the Value of Consumer Information, 81 BROOK. L. REV. 329, 331 (2015).
76. E.g., Hall, supra note 57, at 646–47.
77. Stanley J. Reiser, The Clinical Record in Medicine Part 2: Reforming Content and
Purpose, 114 ANNALS INTERNAL MED. 980, 984 (1991).

222 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

As business records, medical records and the information they contain
can be transferred when, for example, a partner leaves a medical
practice or a practice merges with another institution.78 Custody of
medical records may be made part of an employment contract between
a practice and an individual physician or part of a contract for the sale
of a practice.79 Patients cannot take the original medical record away
from the provider who created it, as it remains a vital business record
of the service provided.

On the other hand, the property interest in medical records is
not exclusive to the individual or entity that created them.80 Because
of the many rights held by individual patients with respect to their
medical records, records may not be disposed of in the same manner
as other property.81 Medical records cannot be destroyed or given to
others without following the procedures prescribed by federal and
state laws.82 Providers cannot prevent individuals from taking the
information in their records and giving it to a competing provider.83
The property interest a physician has in medical records is
fundamentally different than the property interest he or she has in an
x-ray machine or stethoscope.84 Thus, while medical records are
certainly property, they are a unique type of property.

Turning to the information contained in the medical record, it
may be the property of the person or entity that collected it. In
general, the collected form of the information may be “property,”
which courts have recognized,85 rather than the individual pieces of
the information itself. In the case of a customer list, for example, the
list may be considered property in its collected form. However, when
the names of some of the individuals from that customer list are
available elsewhere, such as in a phone book, it cannot be said that
the phone book contains the property of the company that collected the
customer list. In other words, the fact that health information may be

Bartlett Publishers 4th ed. 2006).
79. Id. at 339.
80. Mark A. Hall & Kevin A. Schulman, Ownership of Medical Information, 301 J. AM.
MED. ASS’N. 1282, 1282–84 (2009).
81. See generally id.
82. E.g., Christine L. Glover, To Retain or Destroy? That Is the Health Care Records
Question, 103 W. VA. L. REV. 619, 625–26 (2001).
83. See Hall & Schulman, supra note 80, at 1282–84.
84. Id.
85. E.g., In re Nw. Airlines Privacy Litig., No. CIV.04-126(PAM/JSM), 2004 WL
1278459, at *4 (D. Minn. June 6, 2004) (where airline passengers’ personal information was
compiled and combined with other information to form a record, and the record itself became the
airline’s property).


the property of one party in its collected form does not mean that the
information itself is the property of the collector wherever it exists.

Whether or not the collected health information, like that in a
medical record, could be the property of the person who is the subject
of the information remains in question. In general, courts have
refused to recognize property rights in information about oneself, even
as they recognize causes of action where personal information is
misused, as in the case of identity theft or misappropriation of an
individual’s name or likeness for profit.86 Individuals have been
unable to prevent the distribution of information about them by
investigators, credit companies, and magazine publishers.87
Certainly, health information cannot be the exclusive property of the
subject, since the information itself is contained in business records of
the health providers who recorded the information and must be
exchanged with others, such as regulators, insurance companies, and
other providers, in order to do business.

What about genetic information, which is even more closely
tied to an individual than a name or photograph? Does genetic
information, such as a DNA sequence, have a special status as
property even where other health information does not? In the
famous Moore v. Regents of the University of California,88 a physician
at UCLA Medical Center isolated a cell line from the patient Moore’s
T-lymphocytes, extracted from biological samples taken during his
treatment.89 The physician made agreements to profit from
commercial development of the cell line and resulting products. Moore
sued, claiming, among other causes of action, that the biological
samples that yielded the cell line were his property that was illegally
converted by the physician.90 To prove the tort of conversion, the
“plaintiff must establish an actual interference with his ownership or
right of possession . . . [w]here plaintiff neither has title to the
property alleged to have been converted, nor possession thereof, he
cannot maintain an action for conversion.”91 In Moore, the California
Supreme Court held that Moore did not have an enforceable property
interest in his cells under existing law, partly because he did not

86. I.J. Schiffres, Annotation, Invasion of Privacy by Use of Plaintiff’s Name or Likeness
in Advertising, 23 A.L.R.3d 865 § 4 (1969).
87. E.g., Dwyer v. Am. Express Co., 652 N.E.2d 1351, 1351 (Ill. App. Ct. 1995); Shibley
v. Time, Inc., 341 N.E.2d 337, 340 (Ohio Ct. App. 1975); U.S. News & World Report, Inc. v.
Avrahami, No. 95-1318, 1996 WL 1065557, at *6 (Va. Cir. Ct. June 13, 1996).
88. Moore v. Regents of Univ. of Cal., 793 P.2d 479, 487 (Cal. 1990) (rejecting
individual’s claim of property right in his genetic information).
89. Id. at 481.
90. Id. at 482.
91. Id. at 488.

224 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

expect to retain possession of them after they were taken from his
body.92 The court declined to extend conversion to the facts in Moore,
noting the chilling effect on medical research and development of
treatments that would result from giving every patient a property
interest in their biological samples taken in the course of treatment
and any resulting research or innovation.93 Interestingly, genetic
information is one type of health information where states have given
individuals a property interest under the law. In Alaska,94 Colorado,95
Florida,96 Georgia,97 and Louisiana,98 state statutes declare genetic
information, DNA samples, or the results of DNA analysis to be the
property of the individuals who are the subject of the information.
Likewise, reproductive material has been deemed property after it has
been removed from the body.99 In general, reproductive material itself
is not sold but “donated,” although the donor may receive substantial
compensation in exchange for her “donor services.”100 Indeed, egg
donation is an $80 million market.101 Largely self regulated, there are
industry guidelines limiting the amount of compensation an egg donor
may receive, though no limits apply to sperm donation. These limits
were challenged in a class action102 brought by egg donors that was
settled in early 2016.103 Thus, given this history of treating
reproductive material as property or allowing the sale of reproductive
material using contracts in the same way other goods are sold, there is
potentially a greater degree of ownership that applies to reproductive
material than to other biological material or, more broadly, to health

In contrast, the status of preserved embryos is much less clear.
Some courts have held that as potential persons, embryos cannot be

92. Id. at 488–89.
93. Id. at 494.
94. ALASKA STAT. ANN. §§ 18.13.010–.030, .100 (West 2016).
95. COLO. REV. STAT. ANN. §§ 10-3-1104.6, 1104.7 (West 2016).
96. FLA. STAT. § 760.40 (2016).
97. GA. CODE ANN. §§ 33-54-1 to -8 (West 2016).
98. LA. STAT. ANN. § 22:1023 (2016).
99. E.g., Kurchner v. State Farm Fire & Cas. Co., 858 So. 2d 1220, 1221 (Fla. Dist. Ct.
App. 2003) (holding that sperm outside of the body is property for purposes of insurance claim).
100. Kamakahi v. Am. Soc’y for Reprod. Med., No. C 11-01781 SBA, 2013 WL 1768706, at
*3 (N.D. Cal. Mar. 29, 2013).
101. Id.
102. Kamakahi v. Am. Soc’y for Reprod. Med., No. 11-CV-01781-JCS, 2015 WL 1926312,
at *1 (N.D. Cal. Apr. 27, 2015).
103. Jacob Gershman, Fertility Industry Group Settles Lawsuit over Egg Donor Price
Caps, WALL ST. J. (Feb. 3, 2016, 11:01 AM), http://blogs.wsj.com/law/2016/02/03/fertility-
industry-group-settles-lawsuit-over-egg-donor-price-caps/ [https://perma.cc/989S-CHXF].


property to be transferred like other marital property,104 while others
have freely enforced contracts that determine how embryos are to be
used or disposed of in the case of a separation.105 As the practice of
assisted reproduction continues to become more common, the legal
approach to the disposition of embryos may be informative for the
question of health information ownership. At least two people have
simultaneous and valid legal interests in a frozen embryo, created
from their biological material, which is somewhat analogous to
multiple parties having valid interests in a piece of health

As these examples illustrate, the practice of treating health
information as property under the law has an uneven history. There
are some forms of health information, such as medical records created
by a healthcare provider in the course of doing business, that the law
is comfortable treating as property. Other forms, such as biological
materials and genetic information, have been treated differently.
Because an ownership interest may be claimed in intangible
information rather than the physical form of the record, some have
proposed that health information be protected under intellectual
property law.106

B. Intellectual Property Law

Intellectual property laws (which include trademark, copyright,
and patent mechanisms) confer the rights of property on creations of
the mind, such as scientific discoveries, artwork, designs, and written
work, which one could not otherwise have an exclusive interest.107
The term “[i]ntellectual property relates to items of information or
knowledge, which can be incorporated in tangible objects at the same
time in an unlimited number of copies at different locations anywhere
in the world.”108 In order to be protected by a patent, which is the
mechanism that would apply to most healthcare-related intellectual
property, the discovery in question cannot be simply a “consequence of
the body’s natural processes.”109 Even if the natural phenomenon in
question is not identical across every person, if “the genetic

104. Davis v. Davis, 842 S.W.2d 588, 593, 604 (Tenn. 1992).
105. E.g., Litowitz v. Litowitz, 48 P.3d 261, 274 (Wash. 2002).
106. See Schwartz, supra note 48, at 2076.
107. See What Is Intellectual Property?, WORLD INTELL. PROP. ORG.,
http://www.wipo.int/about-ip/en/ [https://perma.cc/HS98-PTZU] (last visited Nov. 14, 2016).
109. Genetic Techs. Ltd. v. Bristol-Myers Squibb Co., 72 F. Supp. 3d 521, 530 (D. Del.

226 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

correlations . . . exist apart from any human action,” the discovery is
unpatentable.110 Most of the health information about an individual
that is collected in medical records and databases is merely reporting
on the observed biological state and processes of the individual who is
the subject of the information. As such, it could not be protected by
intellectual property law, even if a human made the observation.

Courts in the United States have rejected attempts to patent
diagnostic procedures and medical treatments.111 However, it is
possible for a physician to use a very specialized technique for
evaluating or treating a patient and for that technique to be protected
by copyright or patent laws.112 The US Patent and Trademark Office
(USPTO) issued guidance to illustrate what considerations may allow
a procedure for evaluating or treating a natural process to be
protectable.113 If such protection is granted, the physician may be able
to shield the protected part of the evaluation from disclosure. Thus,
there is some capacity for health information to be protected by
intellectual property law, but it is limited under current standards.

C. Federal Privacy Law

1. Constitutional Law

The US Constitution does not explicitly enumerate a right to
privacy.114 However, various amendments to the Constitution grant
rights that relate to personal autonomy, an aspect of privacy insofar
as individuals can choose whether or not to participate in certain
activities or be subject to certain experiences, such as “the right to be
left alone.”115 The US Supreme Court has also identified a right to
privacy under the Fourteenth Amendment.116 Under the Fourteenth

110. Id. (citing Genetic Techs. Ltd. v. Agilent Techs., Inc., 24 F. Supp. 3d 922, 927 (N.D.
Cal. 2014) (stating correlations between variation in non-coding and coding regions alone are
unpatentable natural laws despite not being “universal” or “immutable scientific truths”)).
111. E.g., Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1298
(2012); PerkinElmer, Inc. v. Intema Ltd., 496 Fed. Appx. 65 (Fed. Cir. 2012). In Australia, by
contrast, medical treatments are considered patentable. Apotex Pty Ltd v Sanofi-Aventis
Australia Pty Ltd [2013] HCA 50.
112. See Memorandum from Andrew H. Hirshfeld, Deputy Comm’r for Patent
Examination Policy, U.S. Patent and Trademark Office, to the Patent Examining Corps (Mar. 4,
2014), http://www.uspto.gov/patents/law/exam/myriad-mayo_guidance
113. Id.
114. Julie K. Freeman, Medical Records and the U.S. and Pennsylvania Constitutions’
Right to Privacy, 70 Pa. B.A. Q. 93, 95 (1999).
115. Robert E. Mensel, The Antiprogressive Origins and Uses of the Right to Privacy in
the Federal Courts 1860–1937, 3 FED. CTS. L. REV. 109, 124 (2009).
116. See, e.g., Roe v. Wade, 410 U.S. 113, 164 (1973).


Amendment, a law is unconstitutional if it infringes upon the exercise
of a fundamental right, such as the right to privacy, without a
“compelling” state interest.117 The right to privacy is defined and
determined on a case-by-case basis; for example, the Court has
identified a specific right to privacy with respect to decisions about
“family, marriage, motherhood, procreation, and child rearing.”118

One aspect of the privacy concept is the ability to control one’s
own information.119 However, existing Supreme Court case law does
not recognize within the right to privacy a right to control information,
though it has specifically declined to foreclose that possibility for the
future.120 As it currently stands, the right to control one’s information,
health-related or otherwise, is not considered a fundamental right,
and thus any law infringing upon that ability need only be rationally
related to a legitimate government purpose.121 Ten states explicitly
recognize an individual’s right to privacy in their constitutions.122
These states prohibit unreasonable or unwarranted invasions of
privacy, though none specifically include the right to control one’s
personal information as an aspect of “privacy.”123 In general, however,
the right to information privacy has been conferred primarily by
statute and regulation rather than by courts’ application of a
constitutional right.124

There is no comprehensive federal statutory framework
governing health information privacy and security,125 rather a
patchwork of federal laws that often overlap or even contradict each
other. The primary function of these laws and regulations is to limit
the ways in which lawful holders of the information may use and
share it with or without the subject of the information’s consent.126
Although federal privacy laws and regulations do not explicitly confer
an ownership interest in health information, they do grant
information holders some ability to direct and control how the

117. Id. at 155–56.
118. Paris Adult Theater v. Slaton, 413 U.S. 49, 65 (1973).
119. See Hall & Schulman, supra note 80, at 1282–84.
121. See id.
122. Privacy Protections in State Constitutions, NAT’L CONF. ST. LEGISLATURES (Dec. 3,
2015), http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-
protections-in-state-constitutions.aspx [https://perma.cc/VG3R-Q6MY].
123. See id.
124. See id.
125. Jane Hyatt Thorpe & Elizabeth A. Gray, Big Data and Public Health: Navigating
Privacy Laws to Maximize Potential, PUB. HEALTH REP. 130(2):171–75 (2015).
126. E.g., Hall, supra note 57, at 657.

228 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

information is used.127 Some laws and regulations give individuals
explicit rights with respect to their health information when it is in
the possession of certain lawful holders of that information.128 These
laws vary considerably in terms of the health information they protect
and the entities they govern, though all of these laws apply only to
identifiable information.129


The most widely referenced federal framework related to
health information are the Health Insurance Portability and
Accountability Act of 1996 (HIPAA)’s130 Administrative Simplification
provisions131 and their enabling regulations—the Privacy, Security,
Breach Notification, and Enforcement Rules, known collectively as
“the HIPAA Rules.” Under HIPAA, individually identifiable health
information is oral or recorded information created or received by a
healthcare provider, health plan, employer, or healthcare
clearinghouse that identifies or could be used to identify an individual,
and relates to the individual’s care or to his past, present, or future
mental or physical health condition or payment for care.132 The
HIPAA Rules do not apply to individually identifiable health
information held in certain types of records, such as education records,
or about individuals deceased for over fifty years.133 The information
subject to HIPAA is referred to as “protected health information”
(PHI). Much health-related information exists outside of HIPAA’s
protections, including PGHD,134 consumer and sentiment data
describing patient activities and preferences (i.e., exhaust data),135

127. See id.
128. See id. at 646.
129. Id. at 659.
130. Health Insurance Portability and Accountability Act (HIPAA) of 1996, Pub. L. No.
104-191, 110 Stat. 139 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.).
131. See, e.g., id. at §§ 261–62.
132. 45 C.F.R. § 160.103 (2016) (“Individually identifiable health information is
information that is a subset of health information, including demographic information collected
from an individual . . . .”).
133. Id.
134. Patient-Generated Health Data, supra note 15.
135. Nicolas P. Terry, Big Data Proxies and Health Privacy Exceptionalism, 24 HEALTH
MATRIX 65, 85 (2014),


and de-identified information—though these types of information may
be subject to other laws and regulations.136

The HIPAA Rules only regulate the use, disclosure, and
management of PHI when it is in the possession of certain entities.137
These are Covered Entities (health plans, healthcare clearinghouses,
and most healthcare providers)138 and their Business Associates
(entities that have access to PHI in the course of performing certain
services for or functions on behalf of a Covered Entity);139 HIPAA does
not govern individually identifiable health information when it is in
the possession of non-regulated entities (i.e., neither Covered Entity
nor Business Associate), even if the information meets the definition
of PHI.140

The HIPAA Rules collectively serve as the federal floor for
identifiable health information privacy and security.141 The HIPAA
Privacy Rule, as its name suggests, governs the privacy and
confidentiality of PHI.142 It dictates when and to whom a Regulated
Entity is permitted to disclose PHI, which can be grouped into three
broad categories:

1. Required Disclosures: a Regulated Entity must disclose PHI to
the individual subject of the information upon request143 and

136. See generally What Is “Health Information” for Purposes of the Mobile Device
Privacy and Security Subsection of HealthIT.gov?, supra note 4.
137. 45 C.F.R. § 160.102(a), (b) (2016).
138. 45 C.F.R. § 160.103 (defining “covered entity” to include “[a] health plan,” “[a]
health care clearinghouse,” and “[a] health care provider who transmits any health information
in electronic form in connection with a transaction covered by this subchapter”); see also §
160.103 (defining “health care clearinghouses” to include businesses or agencies that process
nonstandard health information they receive from other entities into a standard format); §
160.103 (where “health information”—information (identifiable or not) that is created by a
healthcare provider, health plan, public health authority, employer, life insurer, school or
university, or healthcare clearinghouse and that relates to an individual’s healthcare or an
individual’s past, present, or future physical or mental health or condition or payment for care—
has a broader definition than “protected health information”); 45 C.F.R. § 162 (2016) (defining
“covered health care provider” as one who electronically transmits health information in
connection with “covered” transactions, which include, but are not limited to, benefit eligibility
inquiries and claims).
139. 45 C.F.R. § 160.103 (defining “business associate” to include those who provide
“legal, actuarial, accounting, consultation, data aggregation . . ., management, administrative,
accreditation, or financial services”).
140. See, e.g., Modifications to the HIPAA Privacy, Security, Enforcement, and Breach
Notification Rules Under the Health Information Technology for Economic and Clinical Health
Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA
Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) (codified at C.F.R. pts. 160, 164).
141. See 45 C.F.R. § 160 (2016); see also 45 C.F.R. § 160.203 (2016); 45 C.F.R. § 164.502
142. See generally 45 C.F.R. §§ 164.500–.534 (2016).
143. 45 C.F.R. § 164.502(a)(2)(i), (4)(ii) (2016).

230 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

to the Secretary of the US Department of Health and Human
Services (HHS) for enforcement and compliance purposes;144

2. Prohibited or Limited Disclosures: a Regulated Entity may not
disclose PHI for certain purposes145 (e.g., most sales of PHI146)
and must obtain an individual’s authorization to disclose
certain types of PHI (e.g., psychotherapy notes147) in almost all
circumstances;148 and

3. Permissive Disclosures: a Covered Entity149 may disclose
[most] PHI without first obtaining the subject’s authorization
for a variety of purposes (though some of these purposes
require that, where practicable, the individual be given the
opportunity to informally object to the disclosure150).151

Any disclosures not required, permitted, or prohibited by the Privacy
Rule require written authorization from the individual subject of the
PHI.152 The “permissive disclosure” exceptions were designed to
permit Covered Entities to engage in fundamental healthcare
activities without being burdened by authorization requirements.153
Permissive exceptions include disclosures for purposes of treatment,
payment, and healthcare operations,154 as well as a variety of purposes
that benefit the public good, such as disease surveillance, national
security, and law enforcement activities.155 These exceptions are so
broad that Covered Entities essentially retain greater control over
PHI than the actual subject of the information.156 However, in an

144. 45 C.F.R. § 164.502(a)(2)(ii), (4)(i).
145. See 45 C.F.R. § 164.502(a)(5).
146. 45 C.F.R. § 164.502(a)(5)(ii).
147. 45 C.F.R. § 164.508(a) (2016).
148. 45 C.F.R. § 164.508(a)(2).
149. See 45 C.F.R. § 164.502(a)(1); see also 45 C.F.R. § 164.502(a)(3) (stating that a
business associate may only disclose PHI as required by its business associate contract or the
150. 45 C.F.R. § 164.510 (2016).
151. 45 C.F.R. § 164.512 (2016); see also OFFICE FOR CIVIL RIGHTS, PERMITTED USES AND
http://www.hhs.gov/sites/default/files/exchange_treatment [https://perma.cc/8WK6-F6D5];
OPERATIONS 1 (2016), http://www.hhs.gov/sites/default/files/exchange_health_care_ops
152. 45 C.F.R. § 164.502(a)(1).
153. See, e.g., Standards for Privacy of Individually Identifiable Health Information, 67
Fed. Reg. 14776 (proposed Mar. 27, 2002) (to be codified at C.F.R. pts. 160, 164).
154. 45 C.F.R. § 164.506 (2016).
155. 45 C.F.R. § 164, §§ 510, 512 (2016).
156. See infra notes 168–73.


effort to balance an individual’s interest in his or her own information
with the need to enable proper functioning of the healthcare system,
the Privacy Rule establishes six rights individuals have with respect
to their PHI:

1. To be notified of uses and disclosures a Covered Entity may

2. To request restrictions on some uses and disclosures, though a
Covered Entity is only required to comply with such a request
in very limited circumstances;158

3. To request that a health plan or a covered provider
communicate PHI confidentially (i.e., by alternative means or
at alternative locations), though a health plan is only required
to comply in specific circumstances;159

4. To inspect and obtain a copy of PHI or have the Covered Entity
transmit a copy of PHI to a designated third party;160

5. To amend PHI in certain circumstances;161 and

6. To receive an accounting of disclosures of PHI made in the
preceding six years, though many types of disclosures are
exempt from the accounting requirement.162

While the HIPAA Privacy Rule grants an individual substantial
rights, including access to and some measure of control over their
health information, because of the many exceptions to and limitations
on these rights, they do not equate to the full control that ownership
under a property theory would convey.163

3. Other Federal and State Statutes and Regulations Protecting
Health Information Privacy

Some other federal statutes and regulations protect health
information primarily based on its content. These include: 42 C.F.R.
Part 2 (Part 2),164 which protects identifying information about

157. 45 C.F.R. § 164.520(a)(1) (2016).
158. 45 C.F.R. § 164.522(a) (2016).
159. 45 C.F.R. § 164.522(b).
160. 45 C.F.R. § 164.524 (2016).
161. 45 C.F.R. § 164.526 (2016).
162. 45 C.F.R. § 164.528 (2016).
163. Hall, supra note 57, at 649.
164. 42 C.F.R. § 2 (2016).

232 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

substance abuse treatment patients, the Genetic Information Non-
Disclosure Act of 2008 (GINA),165 which protects individuals’ genetic
information, and the Patient Safety and Quality Improvement Act of
2005 (PSQIA),166 which protects identifiable patient safety work
product. Other laws protect health information primarily based on its
source. These include: the Fair Credit Reporting Act (FCRA),167 which
protects medical information in consumer reports, the Privacy Act of
1974,168 which protects individually identifiable information—
including health information—held by the federal government, the
Family Educational Records Privacy Act (FERPA),169 which protects
identifiable information—including health information—in education
records, and the Public Health Services Act’s Title X,170 which protects
health information collected by Community Health Centers.

a. The Genetic Information Non-Disclosure Act of 2008 (GINA)

GINA protects individuals’ genetic information171 from being
used for certain purposes.172 Under Title I of GINA, health plans and
health insurance issuers may not use genetic information to make
coverage-related decisions about beneficiaries.173 Health plans and
issuers generally may not even request that a beneficiary undergo
genetic testing or provide genetic information, though there are
limited exceptions.174

Title II of GINA prohibits employers from using genetic
information to discriminate against employees or applicants and from
using genetic information in employment decisions.175 Employers are
generally prohibited from acquiring genetic information about an

165. Genetic Information Nondiscrimination Act (GINA) of 2008, Pub. L. No. 110-233,
122 Stat. 881 (tit. II codified at 42 U.S.C. § 2000ff).
166. Patient Safety and Quality Improvement Act (PSQIA) of 2005, Pub. L. No. 109-41,
119 Stat. 424 (codified in scattered sections of 42 U.S.C.).
167. Fair Credit Reporting Act (FCRA), 15 U.S.C. §§ 1681–1681x (2012).
168. Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 (codified at 5 U.S.C. § 552a).
169. Family Educational Records Privacy Act (FERPA) of 1974, 20 U.S.C. § 1232g (2012)
(implementing regulations at 34 C.F.R. § 99).
170. 42 C.F.R. § 51c.110 (2016).
171. “Genetic information” includes family medical history, information from genetic tests
and services, requests for and receipt of genetic services, and participation in clinical research
that includes genetic services. See, e.g., Genetic Information Nondiscrimination Act (GINA) of
2008, Pub. L. No. 110-233, tit. I, § 101(d), 122 Stat. 881, 883 (2008).
172. Note that GINA does not apply to life insurance plans, long-term care plan issuers,
or disability insurers. Genetic Discrimination, NAT’L HUM. GENOME RES. INST.,
https://www.genome.gov/10002077/ [https://perma.cc/CF84-PPR3] (last updated May 2, 2016).
173. See, e.g., GINA tit. I, § 102(a)(4).
174. See, e.g., GINA § 101(b).
175. See, e.g., GINA tit. II, § 202(a).


employee or applicant for any reason,176 with some exceptions where
the acquisition is unintentional or for certain legitimate business
purposes. Title II also requires that employers keep [legally acquired]
genetic information confidential,177 and lists several purposes for such
information may be disclosed without the individual subject’s
consent.178 GINA permits, but does not require, employers to disclose
genetic information to the employee upon written request.179

GINA mandated amendments to HIPAA to ensure that
“genetic information” is included within the definition of PHI, and that
Title I’s prohibition on the use of genetic information by health
insurers for underwriting purposes is also explicitly prohibited under
HIPAA.180 GINA’s protections give individuals some control over their
genetic information by limiting not just how that information can be
used, but whether it can be obtained at all.181 GINA was enacted to
ensure that individuals were not discouraged from utilizing genetic
testing, technologies, research, and related therapies out of fear of

b. Privacy Act and FOIA

The Privacy Act of 1974 protects identifiable information about
individuals, including health information, held or collected by the
federal government.183 Generally, a federal agency may not release
individually identifiable information to anyone without the subject of
the information’s written consent.184 There are multiple exceptions to
this prohibition, including for several legitimate governmental
purposes, statistical research, and as required by the US Freedom of
Information Act (FOIA).185 The Privacy Act does provide individuals
certain rights with respect to their information, including the right to
receive an accounting of certain disclosures made within the last five
years,186 the right to review and obtain a copy of the information upon
request,187 and the right to request an amendment to the information,

176. GINA § 203(b).
177. GINA § 206(a).
178. GINA § 206(b).
179. Id.
180. GINA tit. I, § 105(a).
181. GINA § 101(d).
182. GINA § 2(5).
183. 5 U.S.C. § 552a (2012).
184. § 552a(b).
185. Id.
186. § 552a(c)(3).
187. § 552a(d)(1).

234 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

though the agency is not required to comply with such a request.188
While the Privacy Act does give individuals some control over their
information, it does not limit the information that may be collected or
stored by a federal agency, though such limitations may exist in other
laws or regulations.189 An individual cannot restrict, or even request
that an agency restrict, how information is used or disclosed.190 Thus,
the Privacy Act is quite broad, though its reach is limited by its
relationship to FOIA.191

Under FOIA, any person may access any information contained
in federal agency records,192 including individually identifiable
information otherwise protected by the Privacy Act, unless the
information is specifically exempted from disclosure.193 Generally,
these exemptions prevent disclosure of information that is considered
sensitive or of a personal nature; the most pertinent of these is
exemption 6, which protects “personnel, medical, and similar files”
where disclosure “would constitute a clearly unwarranted invasion of
personal privacy.”194 Exemption 6 essentially closes the privacy gap
created by the Privacy Act’s exception for FOIA-related disclosures.195
While exemption 6 does not give an individual more control over his or
her health information in the possession of the federal government,
the opportunities for such information to be shared without the
individual’s consent is limited almost entirely to governmental and
law enforcement functions.196

c. 42 C.F.R. Part 2

42 C.F.R. Part 2 protects identifying information, recorded or
not, that could or does reveal that an individual received substance
abuse treatment;197 Part 2 applies to all federally-assisted
programs198 providing substance abuse diagnosis, treatment, or

188. § 552a(d)(2).
189. § 552a(b)(1).
190. Id.
192. 5 U.S.C. § 552(a)(6)(A) (2012).
193. § 552(b).
194. § 552(b)(6).
195. See id.
196. See id.
197. 42 CFR § 2.12(a)(1)(ii), (a)(2) (2016).
198. A program is “federally assisted” if it is conducted by any federal department or
agency (directly or under contract), is carried out under any federal license, certification,


referral.199 While Part 2 information is also protected health
information (PHI) and Part 2 programs are almost always Covered
Entities, Part 2’s protection for patient identifying information
provides much greater control to patients than HIPAA would
otherwise provide.200 In general, Part 2-covered information may not
be disclosed without the patient’s written consent,201 with limited
exceptions. Part 2 also prohibits recipients of covered information
from further disclosing the information without written consent or
unless otherwise permitted by Part 2.202 Part 2 grants individuals
some rights with respect to their covered information, though these
are limited to the right to be informed of Part 2’s confidentiality
protections203 and the right to access, inspect, and obtain a copy of his
or her own records.204 Part 2’s provisions grant individuals the near-
exclusive ability to control when and to whom their covered
information is disclosed.205 Similar to GINA’s intended purpose, Part
2 was enacted to ensure that individuals were not discouraged from
seeking substance abuse treatment due to privacy-related fears.206

Federal Privacy Law has been crafted to meet certain needs
but is not a comprehensive regulatory scheme covering all types or
uses of health information. It does not confer comprehensive
ownership rights but does extend a number of rights and obligations
over health information that may have the same effect as ownership
under the law, in some circumstances, for those types and uses of
information that are covered.

D. Contract Law

Contracts are a way to confer rights where they may or may
not be granted by other legal authorities.207 Ownership can be

registration, or authorization (e.g., Medicare/Medicaid providers, providers with a DEA number),
or receives any federal financial assistance (e.g., grants, federal tax-exempt status). § 2.12(b).
199. § 2.12(e)(2).
201. 42 C.F.R. § 2.1(a) (2016).
202. 42 C.F.R. § 2.12(d)(2)(iii).
203. 42 C.F.R. § 2.22(a) (2016).
204. 42 C.F.R. § 2.23(a) (2016).
205. See § 2.12.
206. 42 C.F.R. § 2.3(b)(2) (2016).

236 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

granted, transferred, or revoked through the use of contracts.208
Regardless of ownership, any number of rights and responsibilities
with respect to information can be delineated in a contract and
enforceable in court with penalties for any breach.209 The limitation of
a contract is, of course, that it is only enforceable against the parties
to the contract.210 Thus, any protections granted to information by a
contract will not follow the information if it is transferred to another
person who, or entity that, is not a party to the contract.211

Contracts may be used to limit or expand rights and
responsibilities over information even where the information in
question is already regulated, as in the case of Business Associate
Agreements (BAAs) that regulate how Business Associates of Covered
Entities must manage protected health information in order to comply
with HIPAA.212 Even though the health information held by a
Covered Entity is already regulated under HIPAA, the BAA can be
used to extend the HIPAA’s protections and liability for any breach to
another entity.213

Contracts are a powerful way for parties to establish rights and
responsibilities under the law, but they are limited because they only
bind the parties to the contract. The privacy of people who are the
subject of the information may be protected or left vulnerable by the
terms of contracts to which they are not a party and which they
cannot enforce.

E. State Law

States have wide latitude to define their own privacy
framework, and as a result, state privacy laws vary considerably in
terms of scope and application.214 State health information laws may
mirror federal requirements, be more protective than federal law, or
govern health information that is not specifically protected by federal
law.215 In general, governed entities must comply with any state laws

208. See id.
210. See, e.g., Winterbottom v. Wright (1842) 152 Eng. Rep. 402, 405 (holding breach of
contract not available as remedy for injured mail-coach passenger because there was no
211. See id.
212. 45 C.F.R § 164.504(e) (2016).
213. See id.
214. See States, supra note 65.
215. For more information about state laws governing health information, see id.


that are more protective of patients’ rights,216 as well as any state laws
governing data, patients, or entities not regulated by existing federal
law.217 More protective state laws are generally content-based and
focus specifically on highly sensitive information, such as HIV/AIDS
test results,218 STD treatment information, and mental health
information,219 and information about vulnerable populations, such as
minors, incarcerated adults, and those declared legally incompetent.220
States also generally have laws governing state-based registries,
compulsory health information reporting, health insurers, public
health entities, and provider licensure—all of which may contain
requirements related to data sharing and confidentiality.221


As is evident from the discussion above, individuals in the
United States have a patchwork of rights, sometimes overlapping,
with respect to information about them held by others and the use of
that information. These rights are more or less enforceable depending
on their source and the jurisdiction in question. What happens when
these rights conflict? For example, suppose one person has a property
interest in information about a second person, such as ownership of a
database containing health information, and the second person has a
privacy interest in keeping his or her information from being sold to
other entities. Whose rights prevail? Historically, individuals have
needed to prove a tort violation with damages to enforce privacy
rights, such as appropriation of one’s likeness, identity theft, or
egregious invasion of privacy.222 The HIPAA Privacy Rule confers
some specific rights but enforcement is limited for aggrieved

DISCLOSE HEALTH INFORMATION, at 1-2 to 1-3 (2009),
217. Id.
http://www.cdc.gov/hiv/policies/law/states [https://perma.cc/DWU5-KRG4] (last updated Aug. 29,
220. See, e.g., Carol A. Ford & Abigail English, Limiting Confidentiality of Adolescent
Health Services, 288 J. AM. MED. ASSN. 752, 752 (2002).
221. See States, supra note 65.
222. Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal
Information, 37 U.C. DAVIS L. REV. 379, 405 (2003).

238 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

individuals because there is no private right of action to enforce

The European Union (EU) recently adopted a regulation for the
protection of personal data across the EU that gives individuals broad
rights to control the use of personal information about them.224
Adopted April 27, 2016, the EU General Data Protection Regulation
includes a number of rights for individuals who are the subject of
personal information and obligations of member states to protect that
information, though as with other EU regulations, there are many
ways in which member states’ application of the regulation will
vary.225 Among the most significant aspects of the Regulation are the
designation of “the right to the protection of personal data” as a
fundamental right226 and the codification of a “right to be forgotten,”
where individuals have the right to withdraw consent at any point and
have their data erased by any data holder.227 Some have argued that
this Regulation amounts to a property regime because it gives
individuals substantial rights over their personal information akin to
property rights.228 For example, the protections created by the
Regulation run with the information and bind third parties with
whom the individual subject of the information may have no
relationship.229 The Regulation includes many exceptions, such as
data processing necessary for public health, scientific research, and
the provision of social services, and there will be substantial variation
in how EU member states put the Regulation’s broad principles into
effect in their individual jurisdictions.230 However, it creates a general
right of access and control for the subject of the information, across all
types of personal information, that is far more comprehensive than
current US policies.

In contrast to the patchwork of rights that currently apply to
health information in the US and even the more comprehensive EU
regulation, ownership is a more concrete legal theory for enforcing
rights in information that would give more certainty to the field.

223. See In re Nw. Airlines Privacy Litig., No. 04 Civ. 126 (PAM/JSM), 2004 WL
1278459, at *4 (D. Minn. June 6, 2004).
224. Council Regulation 2016/679, 2016 O.J. (119) (EU), http://eur-lex.europa.eu/legal-
225. See generally id.
226. Id. at 1.
227. Id. at 12–13.
228. Jacob M. Victor, The EU General Data Protection Regulation: Toward a Property
Regime for Protecting Data Privacy, 123 YALE L.J. 513, 515 (2013).
229. Council Regulation 2016/679, supra note 224, at ch.III, art. 17.
230. See, e.g., id. at ch.IX, art. 88.


However, having enforceable ownership of personal information
depends on the law recognizing the information as property or
intellectual property.231 As discussed above, health information does
not fit neatly under these legal constructs, though policymakers and
courts may expand the definitions for the two types of protected
information to grant ownership rights over health information. It may
be, however, that information can never be “owned” the way a piece of
real estate is owned because so many people have access to that
information, by consent or by necessity, that one cannot be considered
to be the exclusive owner of it.

Does it even matter whether an individual “owns” his or her
health information? Where there are specific rights conferred with
respect to my health information, such as under the HIPAA Privacy
Rule, one maintains the right to access and share one’s information
even where one’s healthcare provider owns the medical record.232 It
may be that comprehensive privacy laws can grant enough rights to
the individual and impose enough responsibilities on holders and
users of personal health information that ownership becomes
irrelevant because it would convey no additional benefit than already

The legal structures governing privacy have not yet reached
this ideal, but using a property approach that assigns ownership of
information to the individual subject of the information may not be
good public policy. Ownership implies that the thing that is owned
can be taken away and potentially disposed of whenever desired by
the owner. But such exclusive rights may conflict with other interests.
In the case of medical records, those records exist also as business
records documenting the healthcare provider’s services. The
information may be valuable to the public, as information about the
quality of care provided at a healthcare institution, data for scientific
research, or evidence of a communicable disease, for example.

On the other hand, as health information is increasingly being
commodified, profit-seeking by individuals and organizations—either
traditional healthcare entities, such as providers and insurers, or
third parties whose function is simply collecting and selling
information—may call for increased protection for the subjects of the
information. In the case of healthcare providers, ethical and practical
considerations provide some protections for individuals. Providers

231. E.g., Hall, supra note 57, at 645.
232. For example, rights to request privacy protection for protected health information.
See, e.g., 45 C.F.R. § 164.524 (2016).

240 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

have a duty to avoid harm, to ensure informed consent, and to provide
a certain standard of care regardless of their financial interest, in
addition to complying with laws that protect patient privacy and
govern medical research.233 However, other entities, such as data
brokers, may have no such duties. If the law were to convey an
ownership interest to the subject of the data being bought and sold,
that individual would have an enforceable right not only to control the
use of his or her information, but also the potential to profit directly
from it or claim a share in any profit that results from its use by
others. If patients were granted ownership interests over their
information, it would be important to ensure that such rights did not
inhibit important medical innovation and public health activities.
These essential activities could be preserved through careful
regulation because the law allows the restriction of property interests
for the public good, as in the case of zoning laws and other regulatory

In the healthcare setting, the potential for conflicting profit
motives between patient and provider could chill a relationship that
depends on honest exchange of information. If an individual can
potentially profit from the sale of his or her information, that
individual may wish to withhold it to prevent its disclosure through
another route. Alternatively, a patient may simply wish to prevent
his or her provider from making additional profit off of his or her
information, which is certainly a disconcerting thought for many
patients. While there have always been financial incentives in the US
healthcare system, they have generally been limited to fees and
reimbursements received for the provision of services.234 But it may
be that, in addition to these usual sources of income, a provider will
create a product from the personal information gathered about his or
her patients and sell that for a profit. As research and technology
venture further into the realm of personalized medicine, it may be
that details about individual patients become more valuable, such as
for use in creating treatments or tools to support diagnosis. We may
see more cases similar to Moore,235 based on the use of specific
information about patients to develop profitable products, perhaps
revisiting the question of the use of genetic material.

233. Marc A. Rodwin, Financial Incentives for Doctors, 328 BMJ 1328, 1328–29 (2004),
234. See, e.g., Mark Hagland, How Does Your Doctor Get Paid?, FRONTLINE,
[https://perma.cc/7J4T-UJ9N] (last visited Nov. 14, 2016).
235. Moore v. Regents of Univ. of Cal., 793 P.2d 479 (Cal. 1990).



The legal environment surrounding health information is
dynamic and varied. Because of the expanse of rights at issue and the
fact that many of them are subject to regulation by all fifty states in
addition to the federal government, there’s no single solution to
address the issue of health information ownership. As illustrated, a
variety of different laws and legal theories can be applied, potentially
causing confusion for users of health information and the individuals
who are the subject of the information. Valid rights and
responsibilities can conflict. Unregulated activities appear that use
health information in unanticipated ways, which may be threatening
to the individual subjects of the information. Ownership is a familiar
concept that some see as a simple way to clarify legal rights; indeed,
many healthcare consumers may be surprised to discover that they
don’t already own their health information. However, conferring
ownership to one party may interfere with legitimate claims of
another party or important public goals. For example, vesting full
ownership of health information in patients under a property scheme
may harm research, hinder performance measurement, and limit
important public health activities like disease surveillance. On the
other hand, vesting full ownership with healthcare providers may
prevent oversight, inhibit quality improvement, reduce patient
autonomy, and limit patients’ willingness to share information
necessary for proper medical treatment. Given the balance of rights
that must be struck to protect important public goals, we suggest that
rights over health information should be resolved by new policies
rather than under existing legal structures. As technology evolves to
enable greater capability to digest health information and make it
meaningful while the market responds to greater, more expansive
uses of health information for a wider variety of stakeholders,
policymakers at the federal and state levels should work to develop a
legal framework to govern the many uses for and users of health
information. It is important that this framework be as consistent as
possible across settings and jurisdictions so that the many
stakeholders in the health information marketplace know their rights
and responsibilities and the public’s interest in appropriate sharing of
health information is protected.

Copyright of Vanderbilt Journal of Entertainment & Technology Law is the property of
Vanderbilt University Law School and its content may not be copied or emailed to multiple
sites or posted to a listserv without the copyright holder’s express written permission.
However, users may print, download, or email articles for individual use.

Vol. 62, No. 4, April 2016, pp. 1042–1063
ISSN 0025-1909 (print) � ISSN 1526-5501 (online) http://dx.doi.org/10.1287/mnsc.2015.2194

© 2016 INFORMS

The Impact of Privacy Regulation and Technology
Incentives: The Case of Health Information Exchange


Idris Adjerid
Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556, iadjerid@nd.edu

Alessandro Acquisti, Rahul Telang, Rema Padman
H. John Heinz III Heinz College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213

{acquisti@andrew.cmu.edu, rtelang@andrew.cmu.edu, rpadman@cmu.edu}

Julia Adler-Milstein
School of Information, University of Michigan, Ann Arbor, Michigan 48109 juliaam@umich.edu

Health information exchanges (HIEs) are healthcare information technology efforts designed to foster coordi-nation of patient care across the fragmented U.S. healthcare system. Their purpose is to improve efficiency
and quality of care through enhanced sharing of patient data. Across the United States, numerous states have
enacted laws that provide various forms of incentives for HIEs and address growing privacy concerns associ-
ated with the sharing of patient data. We investigate the impact on the emergence of HIEs of state laws that
incentivize HIE efforts and state laws that include different types of privacy requirements for sharing healthcare
data, focusing on the impact of laws that include requirements for patient consent. Although we observe that
privacy regulation alone can result in a decrease in planning and operational HIEs, we also find that, when
coupled with incentives, privacy regulation with requirements for patient consent can actually positively impact
the development of HIE efforts. Among all states with laws creating HIE incentives, only states that combined
incentives with consent requirements saw a net increase in operational HIEs; HIEs in those states also reported
decreased levels of privacy concern relative to HIEs in states with other legislative approaches. Our results
contribute to the burgeoning literature on health information technology and the debate on the impact of pri-
vacy regulation on technology innovation. In particular, they show that the impact of privacy regulation on the
success of information technology efforts is heterogeneous: both positive and negative effects can arise from
regulation, depending on the specific attributes of privacy laws.

Keywords : privacy; information systems; IT policy and management; economics of information systems;

History : Received April 19, 2012; accepted December 16, 2014, by Anandhi Bharadwaj, information systems.
Published online in Articles in Advance November 13, 2015.

1. Introduction
The U.S. healthcare system is in the midst of an infor-
mation technology revolution. Adoption of electronic
medical record (EMR) systems is quickly rising (Office
of the National Coordinator for Health Information
Technology 2012). In parallel, health information
exchanges (HIEs) have emerged. HIEs provide infor-
mation technology solutions that allow electronic
information sharing between otherwise disconnected
healthcare organizations. They are intended to facil-
itate the exchange of patient health information
between hospitals belonging to different health sys-
tems or distinct physician practices. In turn, this
enables patients’ health records to electronically fol-
low them between care settings. HIEs are viewed
as a particularly critical investment because much
of the anticipated efficiency and quality gains from
EMRs come from the ability to support the electronic
exchange of patient data across healthcare providers

(Walker et al. 2005). Without HIEs, data are trapped
in individual institutions, thereby inhibiting coordina-
tion of care, resulting in avoidable medical errors, and
driving up costs from duplicative utilization. This has
resulted in substantial legislative activity1 aimed at
realizing the vision of nationwide adoption of EMRs
coupled with the ability to exchange data between
them (Blumenthal 2010).

Legislative efforts have focused on creating a favor-
able environment in which HIEs can flourish. The
rationale for government involvement is that HIEs
have experienced both slow growth rates and high
failure rates across the United States (Adler-Milstein
et al. 2009, 2011). Research on the underlying causes
of these failures revealed an array of barriers to the

1 See, e.g., the Health Information Technology for Economic and
Clinical Health (HITECH) Act of 2009, Pub. L. No. 111-5, 123 Stat.
226 (2009); and the Patient Protection and Affordable Care Act of
2010, Pub. L. No. 111-148, 124 Stat. 119 (2010).





















. F





, a






Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1043

development of HIE efforts. Central among them are
challenges related to financial sustainability (National
eHealth Collaborative 2011, Vest and Gamm 2010,
eHealth Initiative 2005–2010) and issues related to
patient privacy (Simon et al. 2009, McDonald 2009,
McGraw et al. 2009). These challenges have spurred
25 states (as well as the District of Columbia) to
enact legislation to incentivize HIE efforts (e.g., by
providing funding for HIE efforts), address privacy
concerns, or, most often, both. However, the best
approach to ameliorating the issues associated with
HIE efforts remains unclear. In particular, HIEs have
spurred significant debate over the appropriate bal-
ance of patient privacy and the potential gains to
healthcare providers and their patients. The sensitiv-
ity of the digital health information that is exchanged
by HIEs has made the role of patient consent espe-
cially contentious.

One side of the debate is that consent require-
ments add administrative costs and restrict the
availability of patient information (National eHealth
Collaborative 2011, Pritts et al. 2009). By contrast,
Simon et al. (2009) find that patients felt that their
consent should be obtained for the exchange of
health information (i.e., an opt-in system); a system
that assumed their willingness to participate with-
out obtaining explicit consent (i.e., an opt-out system)
would not be acceptable. Thus, policy makers seeking
to foster the growth of HIE efforts face the same chal-
lenge that emerges in other industries: how to address
privacy concerns without overregulating the disclo-
sure of personal information and stifling the growth
and emergence of valuable information technology
efforts reliant on it.

Careful empirical literature related to that chal-
lenge has been recently emerging. Work by Miller and
Tucker (2009) finds that the presence of privacy reg-
ulation inhibits technology adoption by hospitals. In
subsequent work, Miller and Tucker (2011) account
for some of the variation in the statutory require-
ments of privacy regulation and hospital character-
istics, and they identify some heterogeneous effects
of privacy regulation.2 Adopting a similarly granular
approach to measuring privacy regulation, we explore
whether different forms of privacy regulation enable
or impede HIE efforts. Extending prior work, we dif-
ferentiate between states that coupled privacy regula-
tion with HIE incentives and those that did not. We
posit that incentives could offset the significant costs
associated with HIE efforts, including those that arise

2 For instance, they find that, although privacy regulation most
often negatively impacted hospital technology adoption, it also had
a positive effect on adoption in some cases (e.g., when laws had
limits on redisclosure).

from varying degrees of privacy regulation. We eval-
uate the impact of these laws compared to states with
no laws pertaining to HIE efforts.

Our empirical strategy takes advantage of the
fact that across different states policy makers have
approached HIE challenges in different ways, enact-
ing legislation that varied both in terms of the incen-
tives they create for HIEs, and in terms of the types
of privacy protections they afford to patient data
exchanged through HIEs. Specifically, some states
enacted legislation with HIE incentives alongside
requirements for patient consent while other states
enacted legislation with HIE incentives but with pri-
vacy regulation that did not require consent. Yet other
states enacted legislation with HIE incentives but no
privacy regulation or only privacy regulation, or they
did not enact relevant legislation at all. Our work
leverages this variation to evaluate the impact of this
legislation—in particular, the variation in privacy pro-
tection afforded by these laws—on the propensity of
regional healthcare markets to have an HIE working
toward exchange capabilities (planning HIE) or an
HIE that is actively exchanging patient health infor-
mation between healthcare entities (operational HIE).
We use semiannual data from a six-year period (2004–
2009) to compare the probability of a hospital refer-
ral region (HRR)3 having an HIE in the planning or
operational stage across states with variation in the
extent to which legislation provided patients the right
to consent to the exchange of their data by the HIE.
We disentangle the impact of consent requirements
from HIE incentives using between-state and across-
time variation in consent requirements and regula-
tions providing HIE incentives. We include HRR and
time fixed effects and control for relevant observables
(e.g., other elements of the laws, differences in HRR
wealth, populations, health information technology
(IT) adoption).

Although we show that privacy regulation without
incentives had a negative effect on HIE efforts, we
also find that privacy regulation, particularly regula-
tion that includes consent requirements, was a nec-
essary condition for incentives to positively impact
HIE efforts. Incentives coupled with privacy regula-
tion that included requirements for patient consent
resulted in a 47% increase in the propensity of an
HRR having a planning HIE and a 23% increase in
the propensity of an HRR having an operational HIE.
By contrast, incentives without any privacy regula-
tion resulted in no measurable gain in the propensity
of HRRs having planning or operational HIEs, and

3 HRRs are areas defined by the Dartmouth Atlas for Healthcare as
regional healthcare markets for tertiary medical care that contain at
least one hospital that performs major cardiovascular procedures
and neurosurgery (Wennberg and Cooper 1996, p. 201).

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1044 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

incentives coupled with privacy regulation that did
not include consent requirements resulted in either no
gains (e.g., for planning HIEs) or comparably mod-
est gains (a 9% increase in the propensity of an HRR
having an operational HIE) that only offset but did
not overcome the baseline negative effects of privacy
regulation. As a result, of all attempts to incentivize
HIE efforts, only those coupled with privacy regula-
tion including consent requirements resulted in a net
gain in HIE efforts. Specifically, HRRs in these states
saw an 11% net increase in the propensity of having
an operational HIE.

Our findings are bolstered by the fact that we do
not find evidence that HIE laws are passed as a
result of increased HIE activity (i.e., reverse causa-
tion). We find consistent results when we consider
the impact of unobservable state characteristics that
may be correlated with the passage of HIE incentives
(such as changes in political attitudes or public opin-
ion toward the importance of health IT). Moreover,
we find no correlation between consent requirements
and the availability of funding or the number of
patients covered by an HIE. We theorize that this sur-
prising interplay between HIE incentives and consent
requirements may be due to an association between
incentives and privacy concerns. Specifically, we posit
that incentives may be associated with an increased
attention to and salience of HIE privacy concerns,
which inhibits their effectiveness when they are not
coupled with comprehensive privacy regulation (e.g.,
regulation with consent requirements). We find evi-
dence in support of this interpretation: HIEs in states
with incentives but no consent requirements were sig-
nificantly more likely to report that privacy was a
major challenge in their development relative to HIEs
in states with other legislative approaches (includ-
ing no law). By contrast, HIEs in states with con-
sent requirements reported the lowest level of privacy

Our work contributes to two streams of literature.
One stream relates to the adoption and the diffusion
of IT in healthcare—in particular, the factors and bar-
riers that impact their adoption (Angst and Agarwal
2009, Angst et al. 2010, Anderson and Agarwal 2011).
Specific to HIEs, numerous national surveys have
suggested that health privacy issues are some of
the most significant barriers to HIE efforts (eHealth
Initiative 2005–2010, Adler-Milstein et al. 2009, 2011).
As a result, research has also focused on how to
address privacy concerns associated with informa-
tion technology in healthcare and HIE in particu-
lar (Greenberg et al. 2009, McDonald 2009, McGraw
et al. 2009). Within this stream of literature, which is
largely nonempirical, experts disagree on the appro-
priate solution for addressing privacy concerns. To
our knowledge, our work is the first to empirically

evaluate the impact on the emergence of planning and
operational HIEs of varying approaches to privacy

Another stream relates to the economic and policy
literature evaluating the impact of privacy protections
on technological progress. Numerous consumer ser-
vices thrive today thanks to the exchange and use
of personal—and sometimes sensitive—information.
The risks associated with the potential misuse of
that information, however, have fueled a debate over
the best approach to protecting consumers’ privacy
and the role of regulation in that protection (Solove
2004, Lenard and Rubin 2005). This has led to a
small but growing body of careful empirical analy-
ses of that relationship (e.g., Miller and Tucker 2009,
2011; Goldfarb and Tucker 2011). We extend that
work in various ways. First, this literature has either
focused on contexts where technology incentives did
not exist or (as in the case of work in the context
of health IT) predated a paradigm shift in the pol-
icy approach toward promoting health IT. Focusing
on the interaction of various forms of privacy reg-
ulation with previously unstudied attempts to pro-
mote information technology efforts in healthcare, we
document a surprising interplay between state initia-
tives aimed at incentivizing HIE efforts and privacy
regulation. We find that HIE incentives consistently
offset the negative baseline effects of privacy regu-
lation on HIEs and, more surprisingly, that incen-
tives were more effective in doing so when coupled
with privacy regulation that included consent require-
ments. This suggests that the potential fixed costs
that arise from regulatory privacy protection may be
proactively managed by accompanying incentives for
information technology efforts. Interestingly, coupling
more comprehensive privacy protections (e.g., con-
sent requirements, which seemingly impose higher
costs on HIEs) with HIE incentives may sometimes
be preferred if those protections alleviate privacy con-
cerns that dampen the propensity of incentives to
enable HIE efforts. Furthermore, research is emerg-
ing that points to heterogeneous effects of privacy
regulation on information technology efforts (e.g., the
net effect of privacy regulation on hospital IT adop-
tion may depend on the number of hospitals in a
county; see Miller and Tucker 2011). By documenting
the differential impacts on HIE efforts of privacy reg-
ulation with and without incentives, we extend the
understanding of the heterogeneous effects of privacy
regulation on technology efforts. Thus, the findings
presented here suggest that regulators may have an
opportunity to provide meaningful privacy protection
to patients while encouraging the growth and suc-
cess of valuable information technology efforts. For
instance, legislative efforts such as the HITECH Act
of 2009, which couple significant incentives for health

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1045

IT with enhanced privacy protections for patients,
may offer an effective approach toward providing
improved patient privacy protections while encourag-
ing the growth of valuable health information tech-
nology solutions.

2. Background
The healthcare delivery system in the United States
is highly fragmented. Most people, over their life-
time, receive care from multiple medical providers
who practice in unaffiliated settings. As a result, dif-
ferent pieces of a patient’s medical history reside
in the various places in which they received care,
forcing medical providers to make clinical decisions
with incomplete information. This can contribute to
a range of negative patient consequences, includ-
ing missed diagnoses, duplicative testing, dangerous
combinations of medications, and poor care coordi-
nation. Prompted by estimates of gains in quality4

and efficiency5 of patient care, enabling clinical data
to electronically follow patients between care delivery
settings has gained substantial support. In particular,
in recent years, there has been an increase in efforts to
facilitate electronic exchange of patient data via HIEs.

HIEs are information technology service organiza-
tions that provide a governance framework and tech-
nology solution for exchanging patient data. Entities
with clinical data, such as hospitals, physician prac-
tices, and laboratories (“healthcare entities”), are the
most common participants in an HIE, and they most
often send and receive test results as well as care

HIE development typically occurs in two stages:
planning and operational. In the planning stage, a
group of healthcare stakeholders in a given com-
munity initially come together informally to discuss
the problem of care fragmentation and how best to
address it. This is typically initiated by a large stake-
holder in the community, either a healthcare delivery
organization (e.g., a large hospital) or a payer (e.g.,
an insurer or large employer). If there is agreement to

4 Gains in quality of care may be realized from the increased avail-
ability of comprehensive health information, which should allow
clinicians to make better treatment decisions and fewer mistakes.
This benefit would be especially salient in the emergency care con-
text, in which the patient may not be able to report preexisting
conditions or drug allergies (Vest and Gamm 2010).
5 Health information exchanges have the potential to significantly
decrease the costs of providing healthcare. Walker et al. (2005) esti-
mate that, when fully implemented, health information exchanges
could yield approximately $78 billion in annual savings from
administrative efficiencies and reducing redundant utilization. Jha
et al. (2009) estimate that, in the United States, eliminating avoid-
able instances of injury to a patient resulting from a medical
intervention, such as administering the wrong medication, and
redundant medical tests would save over $24 billion per year.

move forward into a more formal planning phase, this
often proceeds in one of two ways: either a third-party
organization is established or identified to serve as a
formal HIE entity or one of the stakeholders agrees to
serve as the lead entity. In our data set, two-thirds of
efforts operated as established, independent organi-
zations and the remaining one-third operated directly
from within another organization (typically a hospi-
tal or health system that spearheaded the effort). The
formal planning phase consists of an array of inter-
related decisions that include conducting an envi-
ronmental scan and needs assessment, establishing
a mission and goals, setting up a governance struc-
ture, establishing legal and information sharing agree-
ments, deciding on an approach to protect patient
privacy (including patient consent), developing a sus-
tainability plan and identifying revenue streams that
at least cover operating costs, marketing to a broader
group of potential stakeholders, and developing a
technical infrastructure.6

The second stage begins when an HIE effort reaches
operational status with a functional technology and
administrative infrastructure and data start to be
exchanged between healthcare entities. Although this
is considered a key milestone, HIEs in this stage con-
tinue efforts to increase participation from healthcare
entities: increasing the quantity and quality of patient
data available through an HIE makes the expected
benefits of exchange more likely and also helps HIEs
to achieve financial sustainability (only 33% of opera-
tional exchanges in our data set reported covering the
cost of operating an HIE with participant fees alone).

The last decade has seen significant growth in
HIE activity, including the number of planned HIEs
and an increasing number of HIEs that are opera-
tional: in our data, we observe 15 total HIEs nation-
wide in 2004, compared to 143 by the end of 2009.
Despite substantial potential benefits, HIEs are not
yet widespread, and many attempts to establish HIEs
have failed (Adler-Milstein et al. 2009, 2011). This has
spurred a growing body of work evaluating barri-
ers to HIEs, which suggests that they have been hin-
dered by financial sustainability challenges stemming
from misaligned incentives from competing health-
care entities and patient privacy concerns (eHealth
Initiative 2005–2010, Adler-Milstein et al. 2009, 2011).

2.1. HIE Incentives
Numerous HIEs have struggled to develop a sustain-
ability plan and identify revenue streams. In part,
this is due to misaligned incentives for HIE partici-
pants (who are the primary source of HIE revenue)
and the significant cost attached to the administra-
tive and technical infrastructure necessary to facili-
tate exchange. Although healthcare entities can derive

6 See National Rural Health Resource Center (2015).

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1046 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

some value from participating in an HIE (e.g., bet-
ter quality of patient care), under the predominant
healthcare reimbursement model of fee-for-service,
redundant care translates into revenue, and physi-
cians have little incentive to avoid care if they believe
it is of even marginal value. Worse, HIE makes it
easier for patients to switch healthcare providers,
potentially resulting in some hospitals and physicians
losing patients. Moreover, healthcare entities (e.g.,
hospitals and physician practices) are expected to pay
for HIE when those paying for care accrue much of
the benefit. For example, if a physician avoids order-
ing a redundant test because he or she has access to
the results of a diagnostic test performed in a differ-
ent setting, the physician (or laboratory) loses revenue
while the payer (and, downstream, the patient) accrue
the savings. The challenges in sustaining HIE efforts
that stem from these misaligned incentives for health-
care entities have been exacerbated by the high costs
of HIE efforts, with considerable resources required
to develop administrative and technical infrastructure
that meets regulatory requirements (e.g., privacy reg-
ulation) while also addressing the concerns and needs
of various HIE stakeholders. These challenges have
led some to argue that HIE should be treated as a
public good with support from the government (e.g.,
Vest and Gamm 2010).

A number of states have heeded these calls,
enacting legislation that attempts to alleviate these
concerns by incentivizing HIE efforts. Specifically,
various state legislations included general provisions
aimed at reducing the costs (financial, legal, man-
agerial, coordination, or otherwise) associated with
pursuing a health information exchange effort in the
state. These laws and their typical provisions are
described in more detail in §4.2.

2.2. HIEs and Privacy
Issues of privacy are among the most widely cited
barriers to HIE formation (Simon et al. 2009) and
have materialized as significant costs to HIEs. HIEs
differ from other forms of health IT (e.g., EMRs) in
ways that have important implications for patient
privacy. First, HIEs facilitate the exchange of infor-
mation between multiple, unaffiliated organizations;
thus the risk to the privacy of health information
and associated concerns expressed by consumers
may be substantially greater than with other tech-
nologies. Also, HIEs are predicated on the idea of
exchanging individual personal health information as
opposed to aggregated population-level data, mak-
ing privacy concerns salient and relevant. These
unique challenges have spurred a stream of liter-
ature evaluating how to best address privacy con-
cerns while still encouraging HIE efforts (Greenberg
et al. 2009, McDonald 2009, McGraw et al. 2009).

Scholars have expressed differing opinions about the
appropriate way to address privacy concerns asso-
ciated with HIEs. For example, Greenberg et al.
(2009) and McDonald (2009) agree that federal pro-
tections need to be revisited in light of a poten-
tial nationwide health information network, which is
envisioned to ultimately link regional and state-level
HIEs; however, they differ on the need to update
state protections. McDonald (2009) suggests that new
restrictions beyond the protection afforded by the
Health Insurance Portability and Accountability Act
of 1996 (HIPAA) would interfere with efficient and
safe care. Greenberg et al. (2009) advocate updates to
state legislation to better address privacy issues spe-
cific to HIEs. The ramifications of this debate can be
observed in the significant heterogeneity in how states
have tackled HIE privacy challenges. The variation in
privacy regulation is described in more detail in §4.2.

3. Theory: Privacy Regulation,
Incentives, and HIE Efforts

Although the stakeholders initiating HIE efforts and
the specific model they pursue can vary, the mech-
anism underlying the choice of stakeholders to start
planning for exchange and whether or not an HIE
becomes operational is the same: HIEs can only cre-
ate value if healthcare entities (i.e., those with clinical
data) participate in an HIE, which typically involves
adhering to the terms set forth by the HIE and using
its offered technology solutions to receive and send
patient health information. The choice of healthcare
entities to participate in an HIE is driven by an
assessment of the costs and benefits that they will
accrue. For example, a hospital would incur tech-
nical costs, participation fees, and potential loss of
patients as a result of reduced switching costs, as
well as the increased legal risk from a data breach
or misuse of patient data. This would be weighed
against potential quality and efficiency gains from
electronic access to more complete information about
their patients, as well as reputational benefits from
joining a community-based effort to improve care
coordination. In addition, a broader group of stake-
holders, which do not deliver care, may stand to
benefit from cost reductions as a result of HIE and
could also influence efforts to plan for an HIE and
whether it becomes operational. For instance, a large
payer may participate in an HIE effort and subsidize
the costs to healthcare entities in order to encourage
broader participation. This could be particularly likely
if the net benefit to healthcare entities (absent these
subsidies) was not sufficiently compelling to promote
widespread participation (e.g., because of the mis-
aligned incentives described earlier). In the remain-
der of this section, we discuss how varying forms of

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1047

privacy regulation and incentives may have diverse
effects on the expected benefits and costs of HIE.

3.1. Privacy Regulation and
Consent Requirements

In principle, regulation that protects patients’ privacy
may have a range of effects on the benefits and costs
of HIE efforts. Consistent with early analysis of pri-
vacy economics by scholars such as Stigler (1980) and
Posner (1981), regulating the use of patient data may
decrease availability of their information when it is
needed by healthcare providers to make decisions,
making promised benefits less likely. Regulation may
also increase the cost of establishing and maintaining
an HIE (for instance, by imposing additional techno-
logical controls or administrative procedures to pro-
tect individuals’ data). On the other hand, privacy
regulation may have a positive effect on the choice
to pursue an HIE. An established literature finds that
privacy concerns can increase the cost of technol-
ogy adoption and reduce its effectiveness (Angst and
Agarwal 2009, Sheng et al. 2008). As a result, schol-
ars have argued that assurances provided by regu-
lation can assuage privacy concerns and positively
impact the success of information technology efforts
(Bamberger and Mulligan 2011, McGraw et al. 2009).

Naturally, privacy regulation is not monolithic; the
extent to which privacy regulation impacts the ben-
efits and costs of HIEs likely depends on the degree
and type of reassurance it affords. In particular, one
of the key differentiating features between regulatory
approaches in the context of HIE is whether they
include requirements for patient consent. Consent, or
informed consent, is a cornerstone of the Organisa-
tion for Economic and Cooperative Development’s
privacy guidelines and the Federal Trade Commis-
sion’s Fair Information Practice Principles. Generally
speaking, consent in the context of HIE refers to
the notion that patients should be informed about
the risks and benefits associated with the electronic
exchange of their health information and have the
right to decide whether they would like to incur them.
As in the case of privacy regulation in general, regu-
lation specifically requiring consent can, in principle,
produce an array of effects, both positive and nega-
tive, on the emergence of planning and operational
HIEs. A central concern relative to patient consent
in the context of HIE is that it may result in lim-
ited or patchy patient agreement to have their data
included in the HIE (Lai and Hui 2006), in which
case the potential benefits of HIE may be hindered.
Healthcare entities may be less willing to participate
in an HIE if they perceive a low likelihood of reaping
efficiency and quality gains as a result of incomplete
or low-quality patient data. Moreover, other stake-
holders (e.g., payers) may be less willing to support

an HIE effort (i.e., subsidize the cost to healthcare
entities) if they perceive the benefits to be unlikely.
Furthermore, requirements for consent are also likely
to impact HIEs’ technology and administrative costs
(i.e., in establishing more stringent legal agreements)
and participation costs for healthcare entities (i.e.,
costs for participants to adhere to them). For example,
HIEs operating in states with consent requirements
may need additional investment in technical and
administrative controls to meet regulatory require-
ments (e.g., clerical time by staff or technical controls
to garner and track patient consent decisions). Hence,
consent requirements may further reduce the propen-
sity of a healthcare entity to participate in an HIE if
they perceive participation to be too costly to justify
their expected benefits.

On the other hand, regulations with consent
requirements can reduce costs stemming from patient
privacy concerns. Patients may demand the right to
consent to the use of their data in the context of an
HIE. Simon et al. (2009) find that patients felt that
an HIE that assumed their willingness to participate
without obtaining explicit consent (i.e., an opt-out
system) would not be acceptable. As a consequence,
healthcare entities may decide not to participate in
HIEs if a lack of patient consent results in significant
privacy costs and pushback from patients and advo-
cacy groups. McGraw et al. (2009) argue in support of
this notion and propose that a comprehensive frame-
work that implements core privacy principles such as
consent can bolster trust from patients and medical
providers. In contrast to previously described effects
of privacy regulation, a reduction in costs stemming
from privacy concerns may encourage increased par-
ticipation by healthcare entities, thus helping HIEs to
reach the critical mass of participants to ensure that
anticipated benefits are realized.

The role of privacy regulation that does not include
consent requirements is also of interest because
numerous states have privacy legislation that does
not require patient consent before the exchange of
health information between providers. For example,
legislation in the state of Indiana does not include
requirements for patient consent but instead, requires
compliance “with the federal Health Insurance Porta-
bility and Accountability Act (HIPAA)” and the pro-
tection of “information privacy.”7 It is likely that the
role of regulation that does not require consent is
similar to consent-based regulation except that the
impact on benefits and costs (and the propensity of
community stakeholders to pursue HIE efforts) may
be less pronounced. For example, privacy regulation
that does not include consent requirements may still
restrict (to some degree) the availability of patient

7 Ind. Code Ann. §5-31-6-1; Ind. Code Ann. §5-31-6-3 (West 2009).

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1048 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

information and also introduce additional costs to
HIE efforts, but these effects may not be as pro-
nounced when compared to regulation with consent
requirements. It may also be the case that regulation
without consent is not as effective in reducing costs
to HIE efforts stemming from patient privacy con-
cerns. In fact, we argue that this is likely the case.
Recent experimental work suggests that providing
consumers with choice relative to the use of their per-
sonal information may be particularly vital in assuag-
ing privacy concerns. Brandimarte et al. (2012) find
that individuals who were provided increased choice
perceived a lower privacy risk, even when the objec-
tive risks were held constant, and were significantly
more likely to make personal disclosures; Stutzman
et al. (2013) find a strong positive correlation between
the granularity of control provided to users of online
social networks and the amount of disclosure by users
(albeit to a narrower set of users). These mecha-
nisms are also likely to be present in the context of
HIEs, given the sensitivity of personal health infor-
mation. Finally, policy makers have also recognized
the unique role of providing choice by increasingly
promoting more control for consumers with respect
to online uses of their personal information (Federal
Trade Commission 2012, White House 2012).

3.2. Incentives and Privacy Concerns
The impact of HIE incentives on the benefits and
costs of establishing an HIE seem, at first glance, com-
paratively straightforward: all else equal, stakehold-
ers with access to incentives that reduce the costs
of pursuing an HIE effort should be more likely to
start planning for exchange, and these HIEs should
be more likely to become operational. For instance,
stakeholders in communities with access to grant pro-
grams associated with HIE incentives would have
less of a challenge generating the required capital
to initiate exchange efforts and be able to provide
healthcare entities the opportunity to participate at
a lower cost (thus increasing the likelihood of more
widespread participation and the propensity of reap-
ing expected benefits from exchange). Additionally,
given the potential of privacy requirements to impose
fixed costs on information technology efforts (e.g.,
Goldfarb and Tucker 2011, Miller and Tucker 2009)
and the anecdotal evidence that privacy requirements
have been key hurdles for HIE efforts, incentives may
serve to offset some of these costs and attenuate some
of the negative effects of privacy regulation on the
propensity of HIE efforts to emerge.

However, there may also be a more nuanced and
less obvious interplay between incentives, privacy
concerns, and the impact of privacy regulation and
incentives. Specifically, legislation intended to encour-
age the pursuit of HIE efforts may also be associ-
ated with elevated salience and awareness of privacy

concerns. We see examples of a similar phenomenon
in other contexts: government subsidies for clean
energy solutions have led to significant investment
in these technologies but have simultaneously high-
lighted the limitations and potentially adverse effects
of these technologies (e.g., lack of cost effective-
ness and efficacy); see Somaskanda (2013) and Cala
(2013). With respect to HIE incentives, they may be
seen to increase the probability that HIEs will be cre-
ated and become operational and thereby increase the
likelihood of patient privacy concerns being realized.
Moreover, it may simply be the case that HIE incen-
tives increase the attention paid to these efforts (e.g.,
by regulators, patient groups, and privacy advocates),
including increased attention to associated privacy
concerns. There is some anecdotal evidence in sup-
port of this notion. For example, the American Civil
Liberties Union brought suit against the legislatively
created Rhode Island HIE on the grounds that it was
not adequately soliciting consent from patients, and
privacy advocates warned that states “will find them-
selves embroiled in legal entanglements over privacy
as they seek to implement HIEs” (Miliard 2010). This
latter statement suggests that state-supported HIEs
(such as those initiated or aided by state legislation)
may receive disproportionate scrutiny from privacy
advocates. It is also possible that the direction of
causality is reversed: states in which the attention to
health information exchange, including attention to
privacy concerns, is high may be more likely to pro-
vide HIE incentives.

3.3. Conceptual Model and Predictions
Although we cannot directly observe the granu-
lar benefits and costs to various stakeholders from
HIE participation, we can observe variation in the
propensity of healthcare stakeholders to start plan-
ning for exchange capabilities (PlanningHIE) and
whether these exchanges start actively exchanging
patient health information between healthcare enti-
ties (OperationalHIE). We argue that these observed
variables are, in turn, a function of the unobserved
expected benefit and costs of an HIE effort to poten-
tial HIE stakeholders, NetRegionalBenefit. Moreover,
we model the choice to pursue an exchange at the
level of a state subregion j since HIEs have emerged
predominately as regionally focused efforts.8 Schol-
ars suggest that this regional focus is due to the sig-
nificant variation between healthcare markets (even
within a given state) and the nuanced challenges
this variation can introduce for the pursuit of HIE
efforts (Grossman et al. 2008). For example, the nec-
essary collaborations, technology infrastructure, and

8 Of the 73 operational exchanges in our data set, 71 were exchang-
ing data predominately in a single HRR.

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1049

the priorities of participating providers are likely to
differ considerably between the healthcare market
in metropolitan and rural regions of a state (e.g.,
Manhattan versus upstate New York). Moreover, an
HIE’s goal is to enable clinical data to electronically
follow patients between the settings in which they
receive care, which also are predominantly within a
defined geographic region. Hence, we utilize HRRs as
our unit of analysis because they represent regional
healthcare markets.9 In effect, HRRs are defined pre-
cisely to capture the geographic regions in which
patients are likely to receive the bulk of their care
and thus require the exchange of information. Finally,
and consistent with the preceding arguments, we
suggest that various forms of privacy requirements
(PrivConsent/PrivNoConsent) and legislative provisions
intended to encourage the pursuit of HIE efforts
(Incentives) can affect the benefits and costs of HIE
efforts to stakeholders within the various healthcare
markets in a state, impacting the choice of stake-
holders to start planning for exchange and whether
these HIEs becomes operational. This is summarized
in the following conceptual model (based on Miller
and Tucker 2009):



1 OperationalHIE∗


= f 4NetRegionalBenefit

� PrivConsentjst1

PrivNoConsentjst1 Incentivesjst5


This model assumes a latent variable construct where
stakeholders in HRR j in state s at time t start
planning for an HIE if the (unobserved) expected
net benefit (NetRegionalBenefit) is positive. Moreover,
we assume that an HIE effort in the region reaches
operational status if the NetRegionalBenefit remains
positive such that they are able to complete key
planning activities (e.g., create data sharing agree-
ments, develop the underlying technical infrastruc-
ture, and gather the critical mass of participation
by healthcare entities to make exchange feasible).
Conversely, healthcare stakeholders will not form
exchanges if they perceive the net benefit to be neg-
ative, and healthcare entities will cease pursuing HIE
efforts (resulting in failed exchange) if they perceive
the net benefit from HIE to no longer be positive.

The arguments from this conceptual model and
the various dynamics described in this section are
summarized in Figure 1. This figure suggests that
the net effect of privacy regulation on HIE efforts
is a function of (1) the costs associated with pri-
vacy regulation; (2) the extent to which privacy con-
cerns are, in fact, barriers to the pursuit of HIE

9 Specifically, HRRs define healthcare markets determined by where
most of the residents in a given area received treatment for
major cardiovascular surgical procedures and for neurosurgery
(Wennberg and Cooper 1996).

efforts; and (3) the likelihood of available regulation
to alleviate these concerns. With this in mind, we
first consider the simplest case where privacy reg-
ulation is enacted without accompanying incentives
(i.e., the left-hand side of Figure 1), where we con-
sider it more likely that privacy regulation will have
a negative overall effect on NetRegionalBenefit, thus
reducing the likelihood that HIEs form and become
operational (this is similar to what has been shown
in the current empirical literature). This implies that
the propensity of privacy regulation to reduce the
NetRegionalBenefit from HIE as a result of increased
implementation costs and the restrictions on the avail-
ability of patient data (�11�25 are likely to outweigh
any gains from reduced patient privacy concerns
(�11�25. Moreover, taking into account the propen-
sity of consent requirements to have more substantial
negative effects on NetRegionalBenefit (�1 > �2), this
effect may be more pronounced for legislation includ-
ing consent requirements.

The introduction of HIE incentives, however, intro-
duces a more complex and interesting dynamic.
Focusing only on the propensity of incentives to
reduce HIE costs (�35, incentives alone may positively
impact NetRegionalBenefit, and, if passed alongside
privacy regulation, HIE incentives could offset some
of the costs of privacy regulation. However, if we also
consider the potential of incentives to be associated
with elevated privacy concerns (�35 that then offset
the positive effects of HIE incentives on NetRegional-
Benefit (�45, we may observe a more nuanced effect of
both incentives and privacy regulation on HIE efforts.
First, we may see a limited positive effect on Net-
RegionalBenefit of incentives passed alone because of
the dampening effect of the simultaneously elevated
privacy concerns (�35. Moreover, this suggests that
privacy regulation, and in particular consent regula-
tion that can better alleviate patient privacy concerns
(�1 > �25, may become a more prominent force in
this dynamic and could play a critical role in unlock-
ing the propensity of HIE incentives to positively
impact the net benefits of exchange. The implication
of this is that coupling consent requirements with HIE
incentives may have a stronger positive impact on
NetRegionalBenefit (and thus differentially increase the
propensity of regional stakeholders to start planning
for exchange and these exchanges becoming opera-
tional) relative to incentives with privacy regulation
that did not include consent requirements or with no
accompanying privacy regulation. Further, this sug-
gests that privacy regulation may have considerably
different (and potentially opposite) effects on HIEs
depending on whether incentives are also in place.

4. Data
Our analysis uses a combination of a six-year panel
data set and cross-sectional HIE survey data to assess

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1050 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

Figure 1 Effects of Legislation on HIE Formation

the impact of the different legislative approaches on
planning and operational HIEs. Consistent with the
literature, we define an HIE as any entity that facili-
tates electronic health information exchange between
independent healthcare entities in a defined geo-
graphic region to improve health (Adler-Milstein et al.
2009). As a result, the HIEs in our data set predom-
inately focused on the exchange of patient health
information between medical providers for patient
treatment purposes. Further, we consider facilitation
to be providing a technical infrastructure to support
clinical data exchange. Together, these criteria exclude
efforts whose entire scope is limited to administrative
data exchange as well as efforts working on issues
related to HIE but not directly enabling it to occur.

4.1. Panel HIE Data
To identify HIEs across regions and time, we used
publicly available data from the eHealth Initiative’s
annual compilation of state, regional, and local HIE
efforts (eHealth Initiative 2005–2010). These data are
based on yearly surveys of HIEs completed by the
eHealth Initiative (eHI) and provide longitudinal
information about planning and operational HIEs in
the 2004–2009 period. We also used various online
resources provided by health organizations and indi-
vidual HIEs to determine their status as of the end of
2009 and collect any additional information on char-
acteristics of these exchanges (e.g., profit status). As
noted earlier, at the beginning of 2004, there were

only a handful of established HIEs. As of the end of
2009, we identified 220 HIEs that were in one of two

• Planning: The HIE has been initiated but is in the
planning stages of development and is not actively
sharing health information 4n = 1325.

• Operational: The HIE is actively enabling the
exchange of health information between healthcare
entities 4n = 885.

We also identified 92 HIEs that had been initiated
during this time period but had subsequently ceased
operations. We do not have longitudinal data on these
exchanges, and they are not included in our panel
data. However, using cross-sectional data on the total
number of failed HIEs in our time period of analysis,
we find no significant differences in failed exchanges
between legislative approaches.10 To identify the date
on which HIEs were initiated and became operational
and their geographic area of operation, we matched
HIEs in the eHealth Initiative survey data with a
national survey of HIEs collected in 2010 that cap-
tured detailed information on HIEs as of the end of
2009 (Adler-Milstein et al. 2011). Our sample includes
the 73 planning and 75 operational exchanges com-
mon to both data sets minus 5 exchanges that were

10 Normalizing by state population, we find that during our time
period, states with incentives and consent requirements had


failed HIEs compared with 2.9 failed HIEs for states with incentives
but no consent and 3.7 for states without any HIE incentives.

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1051

dropped because they did not report detailed infor-
mation on their geographic location, resulting in
143 exchanges (70 planning and 73 operational) in our
panel data set.

On average, HIEs in our data set had been in exis-
tence for approximately four years, and the subset
of HIEs that were operational had been exchanging
health information for three and a half years by the
end of 2009. Most exchanges (86%) operated within
a single state; nearly all exchanges (98%) were oper-
ating in fewer than two states. HIE geographic cov-
erage was measured at the more granular level of an
HRR. HRRs are generally contained within a single
state but can span multiple states and, in some cases,
can also span legislative approaches (although this
was not common).11 Of the operational exchanges,
70% reported covering a single HRR, and 60% of
the planning exchanges anticipated covering a single
HRR. The exchanges that were operational or plan-
ning in multiple HRRs tended to have the major-
ity of their coverage in a single HRR, and thus we
considered only their primary HRR. For example, of
the 22 exchanges that reported operating in multiple
HRRs, 20 reported being primarily operational in a
single HRR with more than 70% of their overall cov-
erage in a single HRR.12 We aggregated HRR cover-
age across individual HIEs to generate two primary
dependent variables.13

• PlanningHIEjst: A binary measure of whether
HRR j in state s at time t had one or more HIEs in
the planning phase. This measure only includes HIEs
that had not failed and were available to take the HIE
survey in 2010.

• OperationalHIEjst: A binary measure of whether
HRR j in state s at time t had one or more operational

These variables are created semiannually over the
period 2004–2009 to most accurately capture the
impact of legislation on HIEs, which commonly went
into effect at the beginning or the middle of the year.

To construct measures of HRR demographics,
including measures of HRR population, income, and
unemployment rates, we used a range of secondary
sources (e.g., U.S. Census Bureau, U.S. Bureau of Eco-
nomic Analysis, and the U.S. Department of Health

11 In our analysis we find that only 9% of HRRs had significant
portions (more than 25%) of the populations they encompass in
other states with different legislative approaches. Our results are
robust to the exclusion of these HRRs.
12 On average, HIEs were operational in 9.5 hospital service areas
(HSAs)—a collection of ZIP codes whose residents receive most of
their hospitalizations from the hospitals in that area (Wennberg and
Cooper 1996)—in their central HRRs compared with 1.5 HSAs in
their secondary HRRs.
13 HRRs having multiple operational exchanges were uncommon,
with only 4% of regions reporting multiple operational exchanges.

and Human Services’ Area Health Resources Files
(AHRF)). Finally, we used the Health Information and
Management Systems Society (HIMSS) Analytics™

Database (HADB) to create measures that enabled
us to control for hospital-level health IT adoption.
In addition to our semiannual panel data set, we con-
structed a cross-sectional data set using HIE survey
data. These data, which were only available for the
final year of our data, offered a detailed snapshot of
HIE activities, including a range of self-reported mea-
sures that captured qualitative differences between
HIEs. We used this cross-sectional data to exam-
ine other dimensions of HIE progress that were not
captured in our panel measures of HIE efforts. For
example, these data include measures of the num-
ber of patients covered by an exchange, organiza-
tional structure, sources of funding, and challenges
faced. We supplemented this with data from other
sources to construct state-level measures of education
levels, age structure, and political leaning. Table 1
includes the full list of measures and associated sum-
mary statistics.

4.2. Legislation
Protection of patients’ personal health information, as
well as requirements for patient consent for the shar-
ing of personal health information in the context of
exchanges, is governed by a combination of federal
and state laws.

At the federal level, patient consent is governed
primarily by HIPAA14 and associated regulation.
HIPAA was amended in 2009 by the HITECH Act,
which added some privacy requirements, including
breach notification requirements for entities covered
by HIPAA.15 Although HIPAA laws impact the dis-
closure of health information by HIEs, HIPAA applies
to all states (our analysis relies on between-state vari-
ation) and was passed before the time period of our
analysis. HITECH was passed in our period of analy-
sis, and its effect on HIE efforts is accounted for by the
time fixed effects in our models. At the state level, two
types of privacy legislation may affect HIE outcomes:
(1) general privacy health laws, not HIE specific, that
were largely enacted before the significant emergence
of HIEs; and (2) HIE-specific laws aimed at promot-
ing HIE activities and/or focusing on the disclosure
of patient data and patient consent.

General health privacy laws (i.e., not HIE spe-
cific) have historically been in place to deal with
various aspects of health privacy, including disclo-
sure of patient health information and consent. We

14 Health Insurance Portability and Accountability Act of 1996,
42 U.S.C. §1320d-9 (2011).
15 Health Information Technology for Economic and Clinical Health
Act of 2009, U.S.C. §3013 (2011).

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1052 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

Table 1 Data Overview and Summary Statistics

Panel Cross section

Variable Description Mean SD Mean SD Source

Dependent variables
PlanningHIEjst A binary measure of whether HRR j in state s at

time t is covered by one or more planning HIEs.
0015 0035 0018 0038 HIE/eHi survey

OperationalHIEjst A binary measure of whether HRR j in state s at
time t is covered by one or more operational HIEs.

0010 003 0020 004 HIE/eHi survey

PrivChallengeis Binary variable indicating whether HIE i in state s
reported that privacy concerns were a major
challenge to their progress.

— — 0012 0033 HIE survey

FundChallengeis Binary variable indicating whether an HIE i in state s
reported the lack of funding as a major challenge
to their progress.

— — 0043 0049 HIE survey

HighPatientHIEis Binary variable of whether HIE i in state s covered
more than 50,000 patients.

— — 0062 0048 HIE survey

Independent variables
PrivConsentst Dummy variable indicating a state s at time t has

privacy legislation that requires consent for HIE.
0009 0028 0017 0038 Goldstein and Rein (2010);

Pritts et al. (2009)
PrivNoConsentst Dummy variable indicating a state s at time t has

privacy legislation that does not require patient
consent for HIE.

0039 0048 0047 005 Goldstein and Rein (2010);
Pritts et al. (2009)

Incentivesst Dummy variable indicating whether a state s at time t
enacted any law intended to encourage HIEs.

0016 0036 0045 005 Westlaw/LexisNexis

BroadbandAccesss The percentage of households in state s with

high-speed Internet access.
— — 0051 0006 U.S. Census Bureau

PerCapGDPs ($1,000) The total GDP of state s divided by the population of
state s.

— — 4301 1308 U.S. Bureau of Economic

Fundingst Dummy variable indicating whether HIE-specific
legislation at time t explicitly provides funding
opportunities for HIEs in state s.

001 003 0021 0041 Westlaw/LexisNexis

StateDesignatedst Dummy variable indicating whether HIE-specific
legislation in state s at time t creates or
designates a statewide HIE.

0003 0015 0008 0027 Westlaw/LexisNexis

Populationjst (1,000s) Number of inhabitants in HRR j in state s at time t. 97604 1109609 1100205 1113201 AHRF
MedianIncomejst ($1,000s) The median family income for HRR j in state s at

time t.
4501 1005 4703 1008 AHRF

UnempRatejst The unemployment rate for HRR j in state s at
time t.

601 2003 905 204 AHRF

CPOEADOPTIONjst Percentage of hospitals in HRR j in state s at time t
adopting computerized provider order entry
systems (CPOEs) normalized by staffed beds.

0019 0022 0024 0024 HADB

MonthsPursuingis Months an HIE i in state s has been in existence. — — 48 38 HIE survey
FormalGovis Binary indicator of whether an HIE i in state s has a

formal governance structure.
— — 0081 0039 HIE survey

Democratics Dummy variable indicating whether a democrat has
carried state s in the 2000, 2004, and 2008
presidential elections.

— — 0047 005 National Archives

TopMeds Dummy variable if state s had a hospital in the U.S.
News & World Report hospital honor roll in

— — 0031 0046 Comarow (2009)

AdvancedDegrees The percentage of individuals in state s with a
graduate degree.

— — 001 0003 U.S. Census Bureau

Over 65s The percentage of individuals in state s over 65. — — 0012 0002 AHRF

identified state health privacy laws using the recent
compilation by Pritts et al. (2009) and the earlier com-
pilation of general state privacy laws by Pritts et al.
(2002). However, we found that most state health pri-
vacy laws, similar to HIPAA, were passed before our
period of analysis. Moreover, there has been consid-
erable debate over the applicability of patient consent
requirements provided in general health privacy laws.
Specifically, most HIEs in our data set focused on

the exchange of patient health information between
providers for treatment purposes. However, patient
consent requirements in the majority of state health
privacy laws include exceptions to garnering patient
consent for data disclosures between providers for
treatment purposes, thus effectively precluding the
majority of exchange activities. According to Pritts
et al. (2009), only two states (Minnesota and New
York) appear to generally require patient permission

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1053

to disclose all types of health information and only
three (New York, Minnesota, and Vermont) usually
require medical providers to obtain patient permis-
sion before disclosing health information to other
providers. Because general health privacy laws that
are not HIE specific were passed before our period
of analysis, and their requirements for consent have
limited applicability to HIEs, we do not use them as
focal independent variables. The states with require-
ments relevant to the exchange of health information
were included in our analysis as interactions with
time-varying HIE-specific legislation. This accounts
for states that may not provide explicit requirements
for consent in HIE-specific legislation because their
existing legislation already has relevant requirements.

Our primary independent variables capture HIE-
specific laws that, unlike general health privacy laws,
were passed in the period of our analysis and have
direct applicability to exchange efforts. We identi-
fied HIE-specific laws primarily through various legal
search services (e.g., LexisNexis Academic and West-
law) and supplemented these searches with recent
reports on disclosure laws and HIEs (Goldstein and
Rein 2010). We find that, in the past decade, vari-
ous states enacted legislation that (1) incentivized HIE
efforts, (2) addressed patient privacy and consent, or,
most commonly, (3) some combination of both.

As we described earlier, we considered state leg-
islation as providing HIE incentives if it included,
at a minimum, general provisions aimed at reducing
any of the costs (financial, legal, managerial, coor-
dination, or otherwise) associated with pursuing a
health information exchange effort in the state. Our
review of state laws fitting this criterion yields a
number of state laws with provisions to incentivize
HIE efforts. For instance, the North Dakota state
law directs its health information technology office
to “facilitate and expand electronic health informa-
tion exchange in the state, directly or by awarding
grants”;16 West Virginia law requires the director of
the Office of Health Enhancement and Lifestyle Plan-
ning to work “through the West Virginia Health Infor-
mation Network, the Bureau for Medical Services
and other appropriate entities, to develop a collabora-
tive approach for health information exchange”;17 and
Kentucky state law tasks the Kentucky eHealth net-
work board with responsibility for “the operation of
an electronic health network in this Commonwealth”
and, among other things, for making recommenda-
tions related to “models for an electronic health net-
work” and “financing the central interchange for the
network.”18 Moreover, we reviewed the specific provi-
sions in state laws incentivizing HIE efforts to identify

16 N.D. Cent. Code, §54-59-26.
17 W. Va. Code Ann. §16-29H-6.
18 Ky. Rev. Stat. Ann. §216.267.

any trends in the nature of HIE incentives. This effort
yielded two broad categories of HIE incentives. First,
we found that 11 states have laws designating explicit
funds authorized for use in support of HIE efforts.
For instance, Minnesota state law allocated funding
for the commissioner of health to award grants for the
purpose of implementing “regional or community-
based health information exchange organizations.”19

North Dakota state law included provisions to create
an “electronic health information exchange fund” and
also instituted a “health information technology loan
program.” We found seven states that had HIE incen-
tives focused on creating or designating a specific
statewide HIE as opposed to focusing on dispersed
regional efforts (such provisions do not exclude other
entities from creating additional exchanges in that
state). For instance, Rhode Island state law estab-
lished a “statewide HIE under state authority to allow
for the electronic mobilization of confidential health
care information,”20 and Vermont state law tasked
the Vermont Information Technology Leaders (a non-
profit organization within the state) with operating
the “statewide health information exchange network
for this state” that included “grant agreements” with
the organization.21 We account for this variation in
the specific provisions included as part of state laws
incentivizing HIE efforts in our empirical analysis.

Similar to general health privacy laws, HIE-specific
laws varied in the extent to which they provided
patients with privacy protections and, in partic-
ular, the extent to which they instituted require-
ments for consent. Given that most states’ general
health privacy laws22 do not include consent require-
ments for disclosing health information23 to other
providers (which are also the majority of HIE par-
ticipants), requirements for consent in HIE-specific
laws are especially relevant to the disclosure of
health information by exchanges. As a result, we
differentiate between legislation including provisions
requiring consent, only general privacy requirements
without consent, and no privacy requirements at all.
Leveraging variation in HIE incentives and privacy
requirements between states, we categorize states that

19 Minn. Stat. Ann. §144.3345.
20 RI Gen L §5-37.7-4.
21 18 V.S.A. §9352.
22 New York, Minnesota, and Vermont have some requirements
that require consent for disclosure between providers. These states
were treated as having consent requirements and are Incentives and
PrivConsent states because they would all subsequently pass HIE-
specific legislation.
23 States have passed more stringent laws for some specific and
sometimes sensitive health data (e.g., mental health or HIV data).
Because this data type is generally not the focus of HIEs, we focus
only on laws restricting the exchange of general health information.

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1054 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

Figure 2 Overview of HIE-Specific Legislation

Incentives and PrivConsent

Incentives and PrivNoConsent

Incentives only

passed HIE-specific legislation into one of three main

• Incentives and PrivConsent: states with laws
intended to encourage the pursuit of HIEs and that
have requirements for patient consent (eight states).25

• Incentives and PrivNoConsent: states with laws
intended to encourage the pursuit of HIEs and that
make some mention of privacy protections but do
not include requirements for consent (i.e., they rely
on the status quo of no consent requirements for the
exchange of health information between healthcare
entities) (11 states).

• Incentives: states with laws intended to encour-
age the pursuit of HIEs but that make no men-
tion of privacy protections; these states also did not
have any preexisting general health privacy laws that
would require consent in the context of exchange
(three states and the District of Columbia).

Figure 2 identifies the states that have enacted HIE-
specific legislation. In addition, we identified three
states that passed or amended health privacy laws
that instituted privacy requirements for HIEs without
accompanying incentives. During the time period of
our analysis, Nevada and New Mexico passed health
privacy legislation that explicitly mentioned exchange
but did not institute consent requirements for the
exchange of health information between healthcare
entities for treatment purposes (similar to general
health disclosure laws discussed previously). Con-
versely, Maine amended existing privacy legislation to

24 See EC.1 in the electronic companion (available as supplemen-
tal material at http://dx.doi.org/10.1287/mnsc.2015.2194) for addi-
tional example statutes and text.
25 Specifically, under this category, we consider any law that man-
dates that patients are provided with notice before the exchange of
their personal health information in an HIE and, at a minimum,
that patients are also provided with the choice to exclude their
information from such an exchange as having consent requirements.

require patient consent prior to the exchange of patient
health information. This leaves 25 states that did not
pass HIE-specific legislation during our time period.

5. Methods
Our empirical approach leverages time-series regres-
sion using longitudinal data on planning and oper-
ational HIEs across HRRs, as well ascross-sectional
analysis using survey data on individual HIEs.

5.1. Model 1: Fixed Effects Model
The first model we estimate is a panel linear prob-
ability model that includes HRR and time fixed
effects with reported standard errors clustered at the
state level. This model evaluates the impact of HIE-
specific legislation on HIE creation (PlanningHIEjst)
and reaching operational status (OperationalHIEjst) in
healthcare market j, in state s, at time t.26 This model
identifies the baseline effects on these variables of

26 In our context, nonlinear models with fixed effects (e.g., logit)
are not desirable because they leverage only variation across time.
In our analysis, this precludes a significant portion of our data
and would result in a specification with estimations using HRR
fixed effects failing to converge. The central limitation to the lin-
ear probability model is that the predicted probabilities are not
constrained between 0 and 1, thus requiring some caution when
interpreting coefficient estimates. However, prior work has shown
little qualitative difference between the logit and linear probabil-
ity specification (Angrist and Pischke 2008), and prior empirical
work in this field has leveraged identical approaches (Miller and
Tucker 2009, Goldfarb and Tucker 2011). In addition to the practical
limitations associated with nonlinear fixed effects models, scholars
(e.g., Neyman and Scott 1948) have demonstrated that estimates
from nonlinear fixed effects models are inconsistent because the
asymptotic variance of the main parameters is a function of a small
and assumed fixed group size; this is also known as the inciden-
tal parameter problem. Greene (2002) finds this problem to be of
significant practical consequence with slope estimates from non-
linear fixed effects models uniformly biased away from zero com-
pounded by estimates of the standard errors biased toward zero.

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1055

privacy regulation with and without consent require-
ments and the effects of HIE incentives while allowing
for the differential impact of HIE incentives if privacy
requirements are also in place (model 1):

1 OperationalHIE


= �0 + �1 × PrivConsentst + �2 × PrivNoConsentst

+ �3 × Incentivesst + �4 × PrivConsentst × Incentivesst

+ �5 × PrivNoConsentst × Incentivesst

+ B6 × StateDesignatedst + �7 × Fundingst
+ � × Xjst + �js + �t + �jst0

Here, PrivConsentst is a dummy variable indicat-
ing whether a state s at time t had a privacy law
that also required patient consent in the context of
exchange, and PrivNoConsentst is a dummy variable
indicating whether a state had a privacy law in
place but did not require patient consent in the con-
text of exchange. In this model, PrivConsentst and
PrivNoConsentst capture the impact of privacy regu-
lation that was passed without accompanying incen-
tives. Moreover, Incentivesst is a dummy variable
indicating whether a state s had legislation provid-
ing HIE incentives at time t (where t represents
semiannual intervals). We also include the interac-
tions PrivConsentst × Incentivesst and PrivNoConsentst ×
Incentivesst to identify any differential impact of incen-
tives when varying degrees of privacy protections are
present. These interactions take into account other
potentially relevant privacy legislation. For example,
if a state had passed legislation with HIE incentives
during our time period of analysis without privacy
provisions but either during or prior to our period
of analysis also passed privacy requirements relevant
to exchange in separate legislation, this interaction
would be positive.

We also created variables to differentiate between
the most common provisions in state laws incentiviz-
ing HIE efforts. We found that states differed in terms
of whether they provided explicit funding in legisla-
tion incentivizing HIEs; some states provided funds
explicitly authorized for use in support of HIE efforts,
whereas other states directed responsible entities to
identify sources of financial support for exchange
efforts or were ambiguous regarding financial sup-
port from the state. Thus, our first variable captures
HIE incentives with explicit funding opportunities
(Fundingst5. In addition, we captured differences in
states’ propensity to focus HIE incentives on creating
or designating a statewide exchange versus focusing
HIE incentives on HIE efforts in disparate healthcare
markets. Thus, our second variable captures states
with laws that designate or create a state-sponsored
HIE (StateDesignatedst5. We include these variables in

our model to address the concern that the variation in
state strategies toward HIE incentives may correlate
with a particular legislative approach. If this were the
case, the effect of a given legislative approach could
be driven by the intensity or nature of HIE incentives.

Finally, we include a vector of control variables, Xjst,
which accounts for other factors relevant to the emer-
gence of planning and operational HIEs. For exam-
ple, HIE efforts may require that regional healthcare
entities have some minimum level of patient record
digitization and health IT infrastructure in order to
engage in electronic exchange, which could be corre-
lated with privacy regulation. As a result, we control
for healthcare IT adoption in the HRR by includ-
ing CPOEAdoptionjst to capture hospital adoption of
computerized provider order entry (CPOE).27 CPOE
is often a proxy for advanced adoption of health-
care IT and is highly correlated with the adoption of
other healthcare IT (e.g., electronic medical records).
It is also a core component of the federal defini-
tion of “meaningful use” of electronic health records
(Blumenthal and Tavenner 2010). Other HRR-level
controls include those capturing population, median
income, and unemployment rates. HRR and time
fixed effects are represented by �js and �t, respec-
tively; �jst is the error term. We evaluate whether
multicollinearity is a concern in the estimation of this
model by calculating correlation tables and the vari-
ance inflation factor (VIF) for each independent vari-
able in the model. We find that all variables have a
VIF well below the recommended maximum of 10
(Kennedy 1992), with a mean VIF of 1.9 for the vari-
ables in our panel estimation (see EC.2 in the elec-
tronic companion). Similar fixed effects models have
been used in the literature to examine the effect of a
policy intervention (Bertrand et al. 2004). HRR fixed
effects allow us to control for time-invariant unob-
served factors and time dummies allow us to control
for time trends. Thus, the unbiased effect of varied
regulatory approaches can be identified from varia-
tion across HRRs and time. In an extended specifica-
tion, we include one-year lagged variables to allow
for a delayed effect on HIE outcomes of legislation
aimed at incentivizing HIE efforts with and without
privacy regulation. This accounts for the potential for
resources provided by these laws to take time to reach
entities interested in pursuing HIE.28

5.2. Model 2: Cross-Sectional Model
The second model we estimate also uses a linear
probability model and standard errors clustered at

27 Based on data obtained from HADB.
28 For clarity of exposition, we exclude the lagged terms for the
binary indicators of states having privacy regulation alone (Priv-
Consent and PrivNoConsent) since the lagged effect of this legislative
approach is not of central interest and was rare in our data set.

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1056 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

the state level but uses cross-sectional survey data.
Our survey data captured a detailed snapshot of
HIEs’ status and activities as of the end of 2009.
This model evaluates the association between relevant
HIE characteristics (described below) and the vary-
ing approaches toward incentivizing HIE efforts (i.e.,
those with and without consent-based regulation):

HIECharactersiticis = �0 + �1 × Incentivess

+ �2 × Incentivess × PrivConsents

+ � × Xs + � × Zis + �is0

Here, Incentivess is a binary indicator of whether an
HIE is operating in a state s with HIE incentives. The
interaction between Incentivess ∗ PrivConsents captures
any differential impact of having consent require-
ments alongside HIE incentives. Because states with
privacy regulation without incentives had only two
operational and three planning exchanges, we do
not attempt to estimate effects for these legislative
approaches. However, to avoid biased interpretation
of our estimates, we exclude these HIEs from our
estimation for model 2. This model does include a
vector of state-level controls, Xs, which accounts for
state political leaning, wealth, population, age struc-
ture, and education levels, as well as a vector, Zis, of
HIE-level controls including measures of the length of
time an HIE has been pursuing exchange and whether
they have a formal governance structure. Although
we do include a number of state- and HIE-level con-
trols, we cannot include HIE or regional fixed effects.
As a result, the estimates from model 2 should be
interpreted with some caution. However, we argue
that the most problematic endogeneity concerns are
unlikely in the context of our analysis.

For instance, we use this model primarily to eval-
uate the association among HIE incentives, consent
requirements, and HIE privacy challenges. Specifi-
cally, we use a binary measure of whether an HIE i
in state s reported that privacy concerns were a
major challenge or impediment to their development
(PrivChallengeis5 to evaluate our previous conjecture
that incentives for HIEs may be associated with an
increased attention to and salience of privacy con-
cerns, which could materialize as barriers to the emer-
gence of HIEs. In the context of this analysis, one
concern may be that heterogeneity in states’ tastes for
privacy would both impact their propensity to have
consent requirements, as well as the pushback HIEs
face from privacy concerns. However, our predictions
would actually be made less likely by this effect, since
we conjecture that HIEs in states with consent require-
ments will, in fact, report less pushback as a result
of patient privacy concerns. For a similar reason, we
consider reverse causality in which low initial privacy

concerns resulted in states being more likely to pass
consent requirements as also being unlikely.

Additionally, we use this model to evaluate
whether relevant heterogeneity exists in key indi-
vidual characteristics of HIEs across states with and
without consent requirements. For example, because
availability of funding (beyond that from the gov-
ernment) has been shown to significantly affect the
choice to pursue exchange (Adler-Milstein et al.
2009), we evaluate the correlation between consent
requirements and the availability of funding to HIEs.
Although our panel estimation controls for legisla-
tion with explicit funding opportunities as part of
their HIE incentives, this may not suffice, because
HIEs may leverage a range of funding sources includ-
ing those provided by the federal government and
other private sources (e.g., large health systems or
physician groups). As a result, we include the vari-
able FundChallengeis as a binary measure indicating
whether HIE i in state s reported that the lack of
funding was a major challenge to their development.
Finally, we evaluate whether HIEs in states with con-
sent requirements varied with respect to other char-
acteristics that are also indicative of HIE progress and
their ability to achieve desired goals. Specifically, we
evaluate differences in the number of patients covered
by an exchange (HighPatientHIEis5 across states with
and without consent requirements.

6. Results
The results for the fixed effects model (model 1) are
presented in Table 2. We find that privacy regulation
without incentives had a negative effect on the pur-
suit of HIE. However, this effect varied depending
on the stage of HIE development. For privacy regula-
tion with consent requirements (PrivConsent), we find
a large negative and significant coefficient for Plan-
ningHIE (column (A)). However, a similarly negative
coefficient for OperationalHIE is not significant (p =
00171, column (B)). For privacy regulation without
consent requirements (PrivNoConsent), we find a sig-
nificant negative coefficient for OperationalHIE but a
near-zero and insignificant estimate for PlanningHIE.
This suggests that, although privacy regulation with-
out consent had a significant effect on HIEs reaching
operational status, it does not seem to dissuade enti-
ties from initially pursuing HIE.

We find small and generally insignificant estimates
on Incentives, suggesting that HRRs in states that pro-
vided HIE incentives without accompanying privacy
provisions did not see increases in HIEs. However,
we do find a significant and positive coefficient on
the interaction of PrivNoConsent and Incentives, but
only for OperationalHIE. This suggests that incentives
passed alongside regulation without consent require-
ments resulted in a 9% increase in the probability

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1057

Table 2 Impact of Legislation on HIE Efforts

(A) (B) (C) (D)
PlanningHIE OperationalHIE PlanningHIE OperationalHIE

PrivConsent −00360∗∗ −00116 −00342∗∗ −000773
40007235 40008315 40007415 40008465

PrivNoConsent 000282 −00104∗∗ 000302 −00100∗∗

40005905 40002435 40005885 40002285
Incentives 0000462 0000459 −0000598 −00000367

40005015 40002675 40003995 40002225
Incentives × PrivConsent 00466∗∗ 00230∗∗ 00432∗∗ 00135∗

4001125 40006915 4001005 40006685
Incentives × PrivNoConsent −000483 000908∗∗ −000410 000987∗∗

40009065 40003075 40007965 40003055
IncentivesLag 000412 000319

4001075 40002735
IncentivesLag × PrivConsentLag 000293 00117

4001195 40009885
IncentivesLag × PrivNoConsentLag −000297 −000344

4001235 40002885
StateDesignated −00162+ 00196∗∗ −00150 00218∗∗

40009015 40007205 40009065 40006965
Funding 000497 −000556∗ 000447 −000641∗

4001065 40002315 4001075 40002565
CPOEAdoption 0000659 000798 0000772 000815

40006665 40008055 40006585 40007985
OperationalHIE −00520∗∗ −00525∗∗

40005695 40005575

Observations 3,672 3,672 3,672 3,672
R-squared 00195 00113 00196 00120
Control variables Yes Yes Yes Yes
Time fixed effects Yes Yes Yes Yes
HRR fixed effects Yes Yes Yes Yes

Note. Robust standard errors are shown in parentheses.

+p < 001; ∗p < 0005; ∗∗p < 0001.

of an HRR having an operational exchange but no
measurable effect on the propensity of initiating an
exchange. Finally, we find consistent and significant
gains from HIE incentives when they were coupled
with privacy regulation providing patient consent
requirements. Specifically, we find a large and signif-
icant coefficient on the interaction of PrivConsent and
Incentives for both PlanningHIE (p < 0001) and Opera- tionalHIE (p < 0001), suggesting that incentives passed alongside privacy regulation with consent require- ments resulted in a 47% increase in the probability of HRRs having a planning exchange and a 23% increase in the probability of HRRs having an operational exchange. Moreover, the difference in the effective- ness of incentives coupled with consent requirements was statistically significant when compared with the incentives alone (Incentives) or incentives with reg- ulation without consent (Incentives × PrivNoConsent) for both PlanningHIE (p < 0001) and OperationalHIE (p < 0005).

Given that we find evidence of negative baseline
effects of privacy regulation, we also consider the net

effect for states with legislative approaches that com-
bined incentives and privacy regulation. For instance,
although HIE incentives coupled with privacy regu-
lation without consent requirements resulted in a 9%
increase in the probability of HRRs having an opera-
tional exchange, this effect was offset by the negative
(10%) baseline effect of the privacy regulation, result-
ing in a zero net effect on the propensity of HRRs in
these states to have operational HIEs. By contrast, we
find evidence of a net gain in operational HIEs for
HRRs in states with both HIE incentives and privacy
regulation with consent requirements. Specifically, we
identify an 11% (p < 0005) net increase for Operational- HIE and also a 10% net increase (although insignifi- cant, p = 0022) for PlanningHIE. Within our data set, HIE incentives coupled with consent requirements was the only legislative approach with evidence of a net gain in OperationalHIE.

Estimates of our main model with lagged variables
are presented in Table 2, columns (C) and (D). We find
that estimates on our baseline interaction of Incentives
and PrivConsent for PlanningHIE are of similar mag-
nitude to our primary estimation and are significant

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1058 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

(p < 0005), whereas our lagged term has a small and insignificant coefficient. This suggests that new HIEs were planned within a short period of the passage of these laws and may reflect the relatively low costs of initiating an exchange and that parties interested in pursuing HIE closely tracked the progression of these laws. However, we may reasonably expect that the effect of legislation on the propensity of an exchange actually becoming operational may be less immediate, because the resources afforded by these laws may be critical in exchanges advancing their capabilities. We find some support for this notion, with the coefficient on our baseline interaction of Incentives and PrivCon- sent for OperationalHIE roughly half the magnitude of our primary estimation (13.5% versus 23.0%). Our lagged term, however, is larger (11.7%) but less pre- cisely estimated (p = 0024), suggesting some variabil- ity in the lagged effect of relevant legislation. We should note that we are not able to observe lagged effects for states that passed laws within the last year of our panel (Oregon and Alaska), which may also be contributing to higher standard errors for estimation of our lagged term.

The results from our cross-sectional model (see
Table 3) offer some explanation for the differen-
tial HIE gains from incentives coupled with consent
requirements and also address alternative interpre-
tations of our results. First, we evaluate the valid-
ity of our earlier conjecture that the effectiveness of
incentives with consent requirements is driven by the
propensity of consent requirements to address ele-
vated consumer privacy concerns associated with HIE
incentives. We find evidence in support of this con-
jecture with HIE incentives not coupled with consent
requirements positively associated with increased
scrutiny and privacy concerns. Specifically, we find
that HIEs in states with HIE incentives but without
consent requirements were 30% more likely to report
that privacy was a major challenge compared with
HIEs in states with incentives and consent require-
ments (p < 0001) and 14% more likely to report that privacy was a major challenge in their develop- ment compared with states without any legislation (p < 0005). HIEs in states with incentives and consent requirements were least likely to report major pri- vacy challenges compared with all other legislative approaches (p < 0001).

Results from our cross-sectional model also help
to rule out what we considered the most promi-
nent confounding factors to the interpretations of
our results. First, we consider whether our results
merely reflect heterogeneity in the propensity of
incentives coupled with consent requirements to pro-
vide funding opportunities for HIE efforts (the lack
of sufficient financial support has been a prominent
barrier to HIE development). Although we account

Table 3 Consent Requirements and Key HIE Characteristics

(A) (B) (C)
PrivChallenge FundChallenge HighPatientHIE

Incentives 00144∗ −00240∗ −00102
4000665 4001185 4001145

Incentives × PrivConsent −00302∗∗ −00102 00160
4000685 4001415 4001075

Population 00007∗ −00005 −00005
4000035 4000035 4000035

PerCapGDP −00007∗∗ −00007 00010+

4000025 4000055 4000065
BroadbandAccess −00001 00006 00008

4000035 4000075 4000095
Democratic −00015 −00019 00070

4000645 4001125 4001035
TopMed 00135∗ 00218+ 00087

4000535 4001175 4001275
AdvancedDegree 00030∗ 00019 −00078∗

4000145 4000295 4000345
Over65 00032∗∗ −00011 −00030

4000115 4000225 4000205
MonthsPursuing −00001+ −00002 00003∗∗

40000015 4000015 4000015
FormalGov −00087 −00104 00437∗

4000735 4001555 4001595

Observations 133 136 70
R-squared 0013 0011 0019

Notes. Robust standard errors are shown in parentheses. The number of
observations varies because of some nonresponses in the survey; col-
umn (C) only uses responses from operational exchanges.

+p < 001; ∗p < 0005; ∗∗p < 0001.

for this in our panel estimation by controlling for HIE
incentives with funding opportunities (Funding), we
address this concern further by evaluating any asso-
ciation between HIE self-reported funding challenges
and incentives that included consent requirements.
We do not find support for the notion that HIEs in
states with consent requirements significantly differed
with respect to their access to sources of funding: col-
umn (B) in Table 3 shows that, although HIEs in states
with HIE incentives were 24% less likely to report that
funding was a major challenge (p < 0005), there is no significant correlation between consent requirements and funding being a major challenge for HIEs with an insignificant estimate on Incentivess × PrivConsents.

In addition, we evaluate whether legislative ap-
proaches coupling incentives with consent require-
ments actually resulted in a positive effect on
exchange capabilities in a healthcare market. Specif-
ically, it may be the case that, although legislative
approaches coupling incentives with consent result
in a higher likelihood of an exchange being opera-
tional, these exchanges may have less extensive or
comprehensive exchange capabilities. We do not find
evidence of this, however, with an insignificant esti-
mate on Incentivess × PrivConsents for HighPatientHIE

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1059

(column (C)). In fact, the positive estimate on this
coefficient suggests that HIEs in states with both
incentives and consent requirements trended toward
covering more patients, not fewer.

7. Robustness
We evaluated the robustness of our primary results
(model 1) by examining concerns regarding (1) the
endogenous passing of legislation providing incen-
tives and consent, (2) our assumption that HRRs are
subject to only one legislative approach, and (3) incen-
tive heterogeneity and high-impact states.

7.1. Endogeneity of Incentives and Consent
The results presented in §6 highlighted the unique
role of consent requirements combined with HIE
incentives in spurring the emergence of planning and
operational HIEs. The model we estimate was iden-
tified using HRR and time fixed effects to isolate
within-HRR variation over time and controls that
could be correlated with the legislative initiatives of
interest and the pursuit of HIE. However, a state’s
choice of a particular legislative approach is certainly
not random, exposing our estimates to potential bias
if there exists time-varying heterogeneity between
states with certain legislative approaches that also
contributes to the success of HIEs. Although the direc-
tion of this bias is ambiguous (i.e., it is possible that
the potential bias in our results makes our results
more conservative), we focus on the potential bias,
which could result in the overestimation of our cen-
tral result.

First, rather than HIE laws driving HIE activity,
these laws could instead be passed as a result of
increased HIE activity. To assess this possibility, we
plotted the total number of attempted HIEs (plan-
ning plus operational) for the main HIE legislative
approaches we identified. Figure 3 reveals that states
that ultimately passed consent requirements did not
have elevated levels of HIE activity before the pas-
sage of the law. In fact, they had the lowest level
of HIE activity when compared with other legisla-
tive approaches. More generally, before the period in
which most HIE laws were passed (pre-2007), there
were minor differences in the number of attempted
HIEs. However, as we move into 2007, states with
no legislation or incentives without consent main-
tain a roughly constant rate of growth, whereas states
that coupled incentives with consent requirements see
a significant increase in attempted HIEs. We further
evaluate possible reverse causality by estimating our
main model with one-time-period lead variables for
the legal requirements (see columns (A) and (B) in
Table 4). This allows us to evaluate whether the trends
of increased planning and operational HIEs were, in
fact, in existence prior to the enactment of relevant

Figure 3 (Color online) Number of HIEs in States with Key Legislative












2004 2005 2006 2007 2008 2009 2010


l H


Attempted HIEs

Incentives and PrivConsent
Incentives and PrivNoConsent

No HIE law

HIE laws. We find that our initial result is robust to
the inclusion of lead variables and that the estimates
on our lead variables, including the interaction of
incentives and consent requirements, are insignificant.

In addition, our main estimation evaluates the
impact on HIE efforts of legislation with HIE incen-
tives compared with states without any such legisla-
tion. However, HIE incentives may be correlated with
time-varying state unobservables that also impact HIE
outcomes. For example, HIE incentives may be cor-
related with changes in political attitudes or public
opinion toward the importance of health IT, which is
likely to also have an impact on the emergence of HIE
efforts. As a result, we evaluate whether our results
are being driven by differences between states with
and without HIE incentives. Specifically, we estimate
our model using only the subset of states that have
legislation with HIE incentives (columns (C) and (D)
in Table 4). The results are consistent with those in our
original estimation with a sizable and significant (p < 0005) impact of Incentives × PrivConsent on both Plan- ningHIE and OperationalHIE. In addition, we argue that the heterogeneous effects on HIE efforts of incen- tives (e.g., incentives without consent had a marginal or no effect on HIE efforts) make it less likely that unobserved factors, correlated over time with HIE incentives, are systematically driving HIE efforts.

With respect to the endogeneity of privacy regu-
lation, prior work (e.g., Miller and Tucker 2011) has
used privacy regulation limiting the disclosure of
health information as an instrumental variable in the
estimation of the effect of EMR adoption on health-
care outcomes, arguing and presenting evidence that
such regulations are likely exogenous to shifts in
states’ focus on healthcare issues and political motiva-
tions. Similar to such analysis, we find that states with
consent requirements varied considerably in terms of
geographic location, size, and state political affiliation.
Moreover, we propose, similar to the case against the

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1060 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

Table 4 Robustness Checks

Lead variable analysis Only states with incentives Excluding overlapping HRR

(A) (B) (C) (D) (E) (F)
PlanningHIE OperationalHIE PlanningHIE OperationalHIE PlanningHIE OperationalHIE

PrivConsent −00354∗∗ −00123∗ −00372∗∗ −00109
40006145 40005755 40008535 40008195

PrivNoConsent −000246 −000845∗∗ −00106∗∗ −00114∗∗

40004075 40002305 40003685 40003745
Incentives −0000114 000266 000172 000150

40003945 40002825 40005855 40002765
Incentives × PrivConsent 00389∗∗ 00164∗∗ 00248∗ 00160∗∗ 00445∗∗ 00221∗∗

4001045 40005695 40009235 40004915 4001225 40006735
Incentives × PrivNoConsent 000430 000630+ 000779 000904∗

40007175 40003465 40008265 40004115
IncentivesLead 000230 −000319

40003545 40003115
IncentivesLead × PrivConsentLead 00116 000798

40007005 40004815
IncentivesLead × PrivNoConsentLead −000601 000447

40004375 40003325
StateDesignated −00161+ 00245∗∗ −00246+ 00152+ −00156+ 00187∗

40009545 40004825 4001255 40007965 40008945 40007115
Funding 000433 −000662∗∗ 000568 −000656∗ 000503 −000590∗

4001195 40002105 40009635 40002905 4001175 40002395
CPOEAdoption 000128 000894 −000408 −000393 000160 000924

40006825 40007935 40009925 40009735 40007245 40008805
OperationalHIE −00530∗∗ −00526∗∗ −00523∗∗

40006385 40008855 40005775

Observations 3,366 3,366 1,584 1,584 3,384 3,384
R-squared 00197 00114 00219 00143 00198 00119
Control variables Yes Yes Yes Yes Yes Yes
Time fixed effects Yes Yes Yes Yes Yes Yes
HRR fixed effects Yes Yes Yes Yes Yes Yes

Note. Robust standard errors are shown in parentheses.
+p < 001; ∗p < 0005; ∗∗p < 0001.

endogeneity of HIE incentives, that our results par-
tially shield us from these concerns. If unobserved
factors are powerfully driving HIE efforts and these
factors are correlated, over time, with privacy reg-
ulation, the divergent effects of privacy regulation
(e.g., privacy regulation without incentives actually
inhibited HIE efforts) would be considerably more
difficult to identify. Since we focus on the interac-
tion of privacy regulation with incentives, we are still
concerned that specific legislative approaches, partic-
ularly legislative approaches that couple incentives
with consent requirements, could be differentially cor-
related with other unobserved factors over time that
could also drive the emergence of planning and oper-
ational HIEs. For instance, it is possible that legisla-
tive approaches coupling consent requirements with
incentives are also associated with changes in atti-
tudes toward health IT and the value of technol-
ogy in healthcare settings. However, we consider this
unlikely, because HIEs have expressed significant con-
cerns over consent-based regulation. For instance, in

a recent report (National eHealth Collaborative 2011),
HIE administrators suggested that requiring patients
to opt in to an HIE was a barrier to achieving the
critical mass of patient records needed to generate
theorized benefits. As a result, we suggest that it is
more likely that states that adopt consent require-
ments signal a shift toward a more tempered atti-
tude toward the trade-offs associated with health IT
relative to states with HIE incentives alongside less
stringent regulation, likely making our results more

Finally, the combination of incentives and con-
sent requirements could reflect the sophistication of
state legislative bodies in anticipating and proac-
tively addressing the central concerns associated with
increased HIE activity in the state. This sophistica-
tion could also be correlated with better administered,
managed, and otherwise executed incentive programs
that yield improved HIE outcomes. To evaluate this
concern, we leverage work by Squire (2007) that ranks
state legislatures based on their professionalism. We

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1061

first find that measures of state legislative profession-
alism do not vary considerably over time: all but one
of the states ranking below the median in 1996 con-
tinued to rank below the median in 2003 (the most
recent ranking). Moreover, the states that passed con-
sent requirements and incentives varied considerably
in their legislative professionalism, with four of the
eight states ranking below the median in 2003.

Although we take a number of steps to con-
sider and evaluate potential endogeneity of legislative
efforts, we acknowledge that these concerns may per-
sist to some degree, as they often do with empirical
work of this nature.

7.2. HRR Boundaries
Measuring HIE activity at the level of an HRR allows
us to identify the impact of legislation on the propen-
sity of an HIE to be operational or in the plan-
ning stage within relatively self-contained healthcare
markets; it also allows for meaningful comparison
across states with regions subject to varying legisla-
tive approaches. This approach requires us to assume
that each HRR is contained within a single state and
thus a single legislative approach. However, HRR
boundaries can sometimes span multiple states that
may have different legislative approaches. We find
that this is fairly uncommon, with 80% of HRRs either
being fully contained in a single state or overlapping
with states that had the same legislative approach. An
additional 11% of HRRs had minor overlap (less than
25% of their population) in states with different leg-
islative approaches. When we exclude the remaining
9% of HRRs, which had significant overlap in states
with different legislation approaches, and estimate
our main model (see Table 4, columns (E) and (F)), we
find consistent results with our original estimation.29

7.3. Incentive Heterogeneity and
High-Impact States

Although we control for the most prominent variation
in the strategies that states take toward HIE incen-
tives, there may also be other HIE incentives that are
less common in our analysis but may still have an
impact on the nature of HIE incentives and also on
HIE outcomes. Specifically, we identified four other
features of HIE incentives that were less frequent
but still of potential interest: whether HIE incentives
were directed to an existing private organization as
opposed to a government entity, whether HIE incen-
tives instituted a pilot program, whether incentives
addressed existing regulation viewed as an impedi-
ment to HIE progress, and whether incentives had

29 Although not presented here for clarity, our results are also con-
sistent when using a state-level ordinary least squares estimation
approach with aggregated count measures of HIE activity, state and
time fixed effects, and state-level controls.

an interstate dimension. To evaluate whether these
less common features of HIE incentives impact our
estimation, we estimate our main model with addi-
tional controls capturing these less frequent features
of HIE incentives and find consistent results with our
main estimation (see EC.3 in the electronic compan-
ion). Because our analysis relies on a limited num-
ber of states, it is also possible that our results are
not due to a correlation between consent requirements
and incentives but by a single state with unique HIE
incentives or with disproportionate HIE success as a
result of factors not captured in our model. To address
this concern, we limit our analysis to states with
HIE incentives and sequentially exclude all regions
in a given state that coupled incentives with consent
requirements from our estimation for PlanningHIE
and OperationalHIE (see EC.3 in the electronic com-
panion). We find that our results for PlanningHIE
and OperationalHIE are robust to sequential exclusion
of states with incentives and consent requirements.
Excluding New York seems to have the largest impact
on estimates of the effect of incentives coupled with
consent requirements, but these estimates are still sig-
nificant for OperationalHIE and marginally significant
for PlanningHIE.

8. Discussion and Conclusions
We evaluated the impact of legislation that varied
in whether it included requirements for patient con-
sent and provided HIE incentives over a span of six
years. We document a surprising interplay between
state attempts to incentivize HIE efforts and pri-
vacy regulation. Specifically, although privacy regula-
tion alone—and, in particular, regulation with consent
requirements—resulted in a negative effect on HIE
efforts, coupling HIE incentives with consent require-
ments was the only legislative approach intended to
encourage HIE efforts that actually resulted in an
increase in operational HIEs. We find that this result
is robust to considerations of reverse causality, endo-
geneity of HIE incentives and consent requirements,
considerations of HRR legislative boundaries, incen-
tive heterogeneity, and a single state driving the effect.
We also find that HIEs in states with both incen-
tives and consent requirements reported lower lev-
els of concern about patient privacy issues, whereas
exchanges in states with HIE incentives but with-
out consent requirements reported higher levels of
patient privacy concerns. We propose that this ele-
vated concern may be due to an association between
HIE incentives and privacy concerns that inhibit the
effectiveness of such incentives when consent require-
ments are not in place.

There are limitations to this research. The depen-
dent variables presented in this work may not cover

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1062 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

the full breadth of potential measures of success for
HIEs. For instance, prior research on HIEs has noted
that sharing by HIEs has been limited in breadth
and scope (Adler-Milstein et al. 2009). We evaluate
these measures using cross-sectional data, but future
work may evaluate the impact of various legislative
approaches on these measures in more substantive
terms. Moreover, an increase in regional HIE efforts
may not necessarily be a positive outcome. For exam-
ple, a better outcome might be to have only one
exchange that facilitates exchange for all providers in
the state. However, the current national strategy for
the exchange of health information involves spurring
small regional efforts and then linking them as build-
ing blocks of state and national exchange (Vest and
Gamm 2010). As is true in prior work, we can thus
view a higher probability of HIEs in planning and
operational stages in HRRs as a positive indicator of
HIE progress. Moreover, our work focuses specifically
on the role of providing patients with the choice to
consent in the context of HIEs, but other key con-
cerns with HIEs may also be relevant. For example,
it may be prudent in future work to evaluate the role
of information security requirements on the develop-
ment and progress of HIEs. Finally, this paper focuses
on regional models of HIE and, although alternative
approaches to HIE exist (e.g., national EMR vendor
HIE networks), we use an inclusive and widely held
definition of clinical data exchange between unaffil-
iated entities (i.e., those with no shared ownership
or governance). Moreover, regional efforts are more
likely to capture the full benefits of HIE because the
other approaches (e.g., vendor driven) restrict data
exchange in some way. It is therefore critical to under-
stand the conditions under which the HIE efforts
included in our study can succeed and, in particular,
the policy conditions that foster their success.

Our results help to inform the large national effort
underway to achieve the broad-based exchange of
health information. Given that HIEs offer innova-
tive healthcare technology solutions with the poten-
tial to alleviate two of the most pressing concerns
of the current healthcare system—rising costs and
inconsistent quality—this study proposes a comple-
mentarity of technology incentives and substantive
consumer privacy protections, highlighting the poten-
tial for future efforts to incentivize HIE growth while
balancing patient privacy concerns. Such results may
help to inform the broader debate on the role of
privacy regulation in information technology efforts.
First, the findings highlight the potential for the neg-
ative effects of privacy regulation on information
technology efforts to be counteracted by technology
incentives. Additionally, the focus on both the impact
of technology incentives and privacy requirements
extends the growing body of empirical work in this

space and bolsters the notion that privacy regulation
can have heterogeneous and complex effects on infor-
mation technology efforts. Specifically, we suggest
that a symbiotic relationship may exist between tech-
nology incentives and substantive privacy regulation
with simultaneous benefit to both consumers and pro-
ponents of information technology efforts. This yields
a possible lesson for regulators and policy makers:
legislative approaches that both incentivize technol-
ogy efforts and provide consumer privacy protections
may be one approach for enabling the growth of valu-
able information technology efforts while addressing
consumer privacy concerns.

Supplemental Material
Supplemental material to this paper is available at http://dx

The authors thank their reviewers for helpful comments
and suggestions and their associate editor for exceptional
effort and guidance throughout the review process. They
thank HIMSS Analytics for providing some of the data used
in this study and multiple discussants and seminar par-
ticipants for their insights. In particular, the authors are
grateful for the useful feedback from participants at the
2013 National Bureau of Economic Research Workshop on
the Economics of IT and Digitization, with distinct grati-
tude for the insightful feedback of Avi Goldfarb, Catherine
Tucker, and Amalia Miller. The authors also thank Sasha
Romanosky, Zia Hydari, and Corey Angst for their review
of early drafts of the manuscript. In addition, the authors
thank their research assistants Megan McGovern, Danning
Chen, and Kara Cronin for their diligent work in support
of this manuscript. Finally, Alessandro Acquisti gratefully
acknowledges support from the Carnegie Corporation of
New York via an Andrew Carnegie Fellowship. The state-
ments made and views expressed in this paper are solely the
responsibility of the authors. All errors are the authors’ own.

Adler-Milstein J, Bates DW, Jha AK (2009) U.S. regional health

information organizations: Progress but challenges remain.
Health Affairs 28(2):483–492.

Adler-Milstein J, Bates DW, Jha AK (2011) A survey of health infor-
mation exchange organizations in the United States: Impli-
cations for meaningful use. Ann. Internal Medicine 154(10):

Anderson CL, Agarwal R (2011) The digitization of healthcare:
Boundary risks, emotion, and consumer willingness to disclose
personal health information. Inform. Systems Res. 22(3):469–490.

Angrist JD, Pischke JS (2008) Mostly Harmless Econometrics: An
Empiricist’s Companion (Princeton University Press, Prince-
ton, NJ).

Angst CM, Agarwal R (2009) Adoption of electronic health records
in the presence of privacy concerns: The elaboration likelihood
model and individual persuasion. MIS Quart. 33(2):339–370.

Angst CM, Agarwal R, Sambamurthy V, Kelley K (2010) Social con-
tagion and information technology diffusion: The adoption of
electronic medical records in U.S. hospitals. Management Sci.

Bamberger K, Mulligan D (2011) Privacy on the books and on the
ground. Stanford Law Rev. 63(274):274–315.

. F
, a

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1063

Bertrand M, Duflo E, Mullainathan S (2004) How much should
we trust differences-in-differences estimates? Quart. J. Econom.

Blumenthal D (2010) Launching HITECH. New Engl. J. Med.

Blumenthal D, Tavenner M (2010) The “meaningful use” regulation
for electronic health records. New Engl. J. Med. 363(6):501–504.

Brandimarte L, Acquisti A, Loewenstein G (2012) Misplaced confi-
dences: Privacy and the control paradox. Soc. Psych. Personality
Sci. 4(3):340–347.

Cala A (2013) Renewable energy in Spain is taking a beating.
New York Times (October 8), http://www.nytimes.com/2013/

Comarow A America’s best hospitals: The 2009–2010 honor roll.
U.S. News & World Report (July 15), http://health.usnews.com/

eHealth Initiative (2005–2010) Annual survey of Health Informa-
tion Exchange at the state and local levels. Report, eHealth
Initiative, Washington, DC. https://www.ehidc.org/articles/

Federal Trade Commission (2012) Protecting consumer privacy
in an era of rapid change: Recommendations for businesses
and policy makers. Report, Federal Trade Commission, Wash-
ington, DC. https://www.ftc.go/reports/protecting-consumer

Goldfarb A, Tucker CE (2011) Privacy regulation and online adver-
tising. Management Sci. 57(1):57–71.

Goldstein M, Rein A (2010) Consumer consent options for elec-
tronic health information exchange: Policy considerations
and analysis. Report, Office of the National Coordinator for
Health Information Technology, U.S. Department of Health
and Human Services, Washington, DC.

Greenberg MD, Ridgely MS, Hillestad RJ (2009) Crossed wires:
How yesterday’s privacy rules might undercut tomorrow’s
nationwide health information network. Health Affairs 28(2):

Greene W (2002) The behavior of the fixed effects estimator in non-
linear models. Working Paper EC-02-05, New York University,
New York.

Grossman JM, Kushner KL, November EA (2008) Creating sus-
tainable local health information exchanges: Can barriers to
stakeholder participation be overcome? Res. Brief February(2):

Jha AK, Chan DC, Ridgway AB, Franz C, Bates DW (2009) Improv-
ing safety and eliminating redundant tests: Cutting costs in
U.S. hospitals. Health Affairs 28(5):1475–1484.

Kennedy P (1992) A Guide to Econometrics (Blackwell, Oxford, UK).
Lai Y, Hui K (2006) Internet opt-in and opt-out: Investigating the

roles of frames, defaults and privacy concerns. Proc. 2006 ACM
SIGMIS CPR, (ACM, New York), 253–263.

Lenard TM, Rubin PH (2005) Slow down on data secu-
rity legislation. Progress Snapshot (Release 1.9), https://www
.techpolicyinstitute.org/files/ps1.9 .

McDonald C (2009) Protecting patients in health information
exchange: A defense of the HIPAA privacy rule. Health Affairs

McGraw D, Dempsey JX, Harris L, Goldman J (2009) Privacy as an
enabler, not an impediment: Building trust into health infor-
mation exchange. Health Affairs 28(2):416–427.

Miliard M (2010) ACLU brings suit against Rhode Island HIE.
it Healthcare IT News (December 1), http://www.healthcareit

Miller AR, Tucker C (2009) Privacy protection and technology dif-
fusion: The case of electronic medical records. Management Sci.

Miller AR, Tucker CE (2011) Can health care information technol-
ogy save babies? J. Political Econom. 119(2):289–324.

National eHealth Collaborative (2011) Secrets of HIE success
revealed: Lessons from the leaders. Report, HIE Networks,
Tallahassee, FL. http://www.nationalehealth.org/ckfinder/
userfiles/files/REPORT%20-SecretsofHIESuccessRevealed .

National Rural Health Resource Center (2015) Health informa-
tion exchange—First considerations. Report, National Rural
Health Resource Center, Duluth, MN. Accessed September 1,
2015, https://www.ruralcenter.org/sites/default/files/rhitnd/
Resource%20Center .

Neyman J, Scott EL (1948) Consistent estimates based on partially
consistent observations. Econometrica 16(1):1–32.

Office of the National Coordinator for Health Information Technol-
ogy (2012) Electronic health record adoption and utilization:
2012 highlights and accomplishments. Report, Office of the
National Coordinator for Health Information Technology, U.S.
Department of Health and Human Services, Washington, DC.

Posner R (1981) The economics of privacy. Amer. Econom. Rev.

Pritts J, Choy A, Emmart L, Hustead J (2002) The State of Health
Privacy: A Survey of State Health Privacy Statutes (Georgetown
University, Washington, DC).

Pritts J, Lewis S, Jacobson R, Lucia K, Kayne K (2009) Privacy
and security solutions for interoperable health information
exchange: Report on state law requirements for patient per-
mission to disclose health information. Report, Office of the
National Coordinator for Health Information Technology, U.S.
Department of Health and Human Services, Washington, DC.

Sheng H, Nah FH, Siau K (2008) An experimental study on ubiq-
uitous commerce adoption: Impact of personalization and pri-
vacy concerns. J. Assoc. Inform. Systems 9(6):Article 15.

Simon S, Evans JS, Benjamin A, Delano D, Bates DW (2009)
Patients’ attitudes toward electronic health information
exchange: Qualitative study. J. Medical Internet Res. 11(3):e30.

Solove DJ (2004) The Digital Person: Technology and Privacy in the
Information Age (New York University Press, New York).

Somaskanda S (2013) Renewable energy losing its shine in Europe.
USA Today (March 23), http://www.usatoday.com/story/

Squire P (2007) Measuring state legislative professionalism: The
Squire index revisited. State Politics Policy Quart. 7(2):211–227.

Stigler G (1980) An introduction to privacy in economics and poli-
tics. J. Legal Stud. 9(4):628–633.

Stutzman F, Gross R, Acquisti A (2013) Silent listeners: The evolu-
tion of privacy and disclosure on Facebook. J. Privacy Confiden-
tiality 4(2):7–41.

Vest JR, Gamm LD (2010) Health information exchange: Persis-
tent challenges and new strategies. J. Amer. Medical Informatics
Assoc. 17(3):288–294.

Walker J, Pan E, Johnston D, Adler-Milstein J, Bates DW, Middleton
B (2005) The value of health care information exchange and
interoperability. Health Affairs 24(2):10–18.

Wennberg JE, Cooper MM (1996) The diagnosis and surgical treat-
ment of common medical conditions. The Dartmouth Atlas of
Healthcare (American Hospital Publishing, Chicago), 113–144.

White House (2012) Consumer data privacy in a networked world:
A framework for protecting privacy and promoting innovation
in the global digital economy. Report, U.S. Government Print-
ing Office, Washington, DC.

. F
, a

Copyright 2016, by INFORMS, all rights reserved. Copyright of Management Science is the
property of INFORMS: Institute for Operations Research and its content may not be copied or
emailed to multiple sites or posted to a listserv without the copyright holder’s express written
permission. However, users may print, download, or email articles for individual use.

A managerial view of the knowledge flows of a
health-care system

Harri Laihonen1

1Tampere University of Technology, Tampere,

Correspondence: Harri Laihonen,
Department of Information Management and
Logistics, Tampere University of Technology,
PO Box 541, FI-33101, Tampere, Finland.
E-mail: Harri.laihonen@tut.fi

Received: 26 September 2011
Revised: 6 September 2013
Accepted: 14 February 2014

A health system has various knowledge structures enabling its knowledge
resources to be efficiently applied. The literature has covered the management
of clinical health information fairly extensively, but less is known about manage-
rial knowledge flows. To address this knowledge gap, a regional health system in
Finland is studied and managerial knowledge flows categorized in order to
provide a better understanding of the inter-organizational knowledge networks
of a health system. The paper contributes by illustrating and concretizing the
knowledge dynamics of a health system. The empirical examination reveals the
complexity of managerial knowledge flows and identifies three main categories
of these: (1) national information steering, (2) regional information steering, and
(3) internal control information. These categories are further elaborated with the
data gathered through observation, interviews, and process modelling. A better
understanding and management of knowledge flows is expected to have
a positive effect on the performance of the health system.

Knowledge Management Research & Practice

(2015) 13(4), 475–485.
doi:10.1057/kmrp.2014.3; published online 17 March 2014

Keywords: knowledge transfer; knowledge flows; knowledge management; health

This paper studies the managerial knowledge flows of a health-care system.
A focus on knowledge dynamics is required because modern health-
care organizations and systems are very dynamic; system structures are in
a continuous state of change and individual organizations compete,
co-operate, and create value in close interaction with their customers (cf.
Porter & Teisberg, 2006; Nordgren, 2009; Laihonen, 2012). The paper
contributes with its empirical approach, its focus on managerial knowledge,
and by studying knowledge flows from the system perspective. Previously,
the focus has been markedly on organizations and the integration of
information systems into clinical work (Bose, 2003; Berg, 2004) and only
few attempts have been made to analyse knowledge transfer from the
perspective of managing the service system (cf. Edwards et al, 2005;
Laihonen, 2012). This brings in the need for understanding inter-organiza-
tional knowledge transfer and knowledge networks (Easterby-Smith et al,
2008; Van Wijk et al, 2008; Phelps et al, 2012). Finally, the knowledge
transfer literature has also been criticized for a lack of empirical research
(Nissen & Levitt, 2002; Riege, 2007).
The managerial perspective is essential because health-care organizations

store vast amounts of data but often lack the means and/or the will (Sveiby,
2007) to analyse and refine it for purposes of managing and developing
their operations (Delesie & Croes, 2000; Berg, 2004). The role of informa-
tion technologies and information systems in decision-support is a widely

Knowledge Management Research & Practice (2015) 13, 475–485
© 2015 Operational Research Society Ltd. All rights reserved 1477-8238/15


studied area (e.g., Williams et al, 2006; Avillach et al, 2008;
Lemire, 2010; Lloyd-Bostock, 2010), likewise the role
of knowledge transfer in building expertise of health-
care professionals (see Pentland et al (2011) for an exten-
sive review). What seems to be missing is a more general
and strategic understanding of the knowledge structures
that enable the development and renewal of the health-
care system. To address this knowledge gap, the paper
studies the managerial knowledge flows of the health-care
system and aims to create a basis for more effective
utilization of knowledge resources in health care. This is
expected to lead in the long run to more effective health
The paper focuses on knowledge transfer because this

has been widely recognized as a critical success factor for
modern organizations. In order to respond to changes in
the environment, to innovate and achieve competitive
success, organizations have to be able to transfer knowl-
edge effectively (Cohen & Levinthal, 1990; Grant, 1996;
Szulanski, 1996; Albino et al, 1999; Riege, 2007; Easterby-
Smith et al, 2008; Meier, 2011). Nevertheless, it is easy to
stress the importance of knowledge transfer in general but
what does it mean in practice? This paper offers some
answers to this question by building on the knowledge
transfer literature and studying knowledge flows in health-
care management. The viewpoint is managerial – the
empirical part of the paper seeks answers to the following
research question: What knowledge flows create a basis for
management in a regional health-care system?
The remainder of the paper is organized as follows. The

next section reviews the literature on knowledge transfer
and knowledge flows. From the literature, four critical
components of knowledge transfer are identified that form
the basis for the empirical analysis. Then the empirical
research methods are described. The empirical section
maps the managerial knowledge flows of the health-care
system studied and categorizes them on the basis of
the literature. The discussion section follows the empirical
section. Finally, the concluding section summarizes the
key findings of the paper and suggests directions for
further research.

The literature on knowledge transfer and
knowledge flows
Knowledge transfer has been one of the main research
fields of knowledge management ever since the early
1990s (e.g., Cohen & Levinthal, 1990; Grant, 1996;
Szulanski, 1996). The increased complexity of modern
business environments has further increased the impor-
tance of and interest in the phenomenon, not only
within organizations but also between different agents
(e.g., Inkpen & Tsang, 2005; Easterby-Smith et al,
2008; Khamseh & Jolly, 2008; Van Wijk et al, 2008;
Hutzschenreuter & Horstkotte, 2010; Phelps et al,
2012). The essence of knowledge transfer is emphasized
in knowledge-intensive organizations, and its value is
primarily determined by their knowledge assets

(e.g., Alvesson, 1993; Blackler, 1995; Miles et al, 1995;
Løwendahl et al, 2001; Käpylä et al, 2011).
Knowledge transfer is defined as the transfer of knowl-

edge from one unit to another (e.g., Cutler, 1989; Albino
et al, 1999; Hendriks, 1999; Argote & Ingram, 2000; Bender
& Fish, 2000; Kalling, 2003; Kumar & Ganesh, 2009). It
is a process involving two actors – the sender and the
receiver (individuals or organizations), and occurs through
different media. Thus, when analysing knowledge trans-
fer, it is important to understand: (1) who transfers knowl-
edge to whom (actors), (2) what is transferred (content),
(3) in which context (context), and (4) which medium is
the most suitable in a given context (media) (Albino
et al, 1999; Jasimuddin, 2005). To distinguish this key
concept from its very closely related concept ‘knowledge
sharing’, this paper follows a definition stating that ‘trans-
fer implies focus, a clear objective, and unidirectionality,
while knowledge can be shared in unintended ways
multiple-directionally without any objective’ (King, 2006,
p. 493).
From the actors’ viewpoint, several factors affect the trans-

fer. The roles of openness or willingness to share knowl-
edge, trust, and previous knowledge have been recognized
as important characteristics (Wathne et al, 1996; Cruz
et al, 2009). Each of these characteristics correlates posi-
tively with knowledge transfer (e.g., Cohen & Levinthal,
1990; Dodgson, 1993; Wathne et al, 1996). The cognitive
capabilities of the actors, and especially the absorptive
capacity of the recipient, also influence the success
of transfer (e.g., Cohen & Levinthal, 1990; Gupta &
Govindarajan, 1991, 2000; Szulanski, 1996; Simonin,
1999; Tsai, 2000; Foss & Pedersen, 2002). Further,
Ko et al (2005) emphasize the important role of the sender
(i.e., credibility and intrinsic motivation) for the success of
inter-organizational knowledge transfer. Easterby-Smith
et al (2008) continues the list with the characteristics of
a firm and points out absorptive capacity, motivation or
learning intent, power issues, risk taking, and geographic
Concerning the content of the transfer, it is more

challenging to transfer tacit knowledge than explicit
knowledge (e.g., von Hippel, 1994; Simonin, 1999; Argote
& Ingram, 2000; McEvily & Chakravarthy, 2002). Explicit
knowledge can be more easily articulated and is often
transferred by information systems, whereas storytelling
(e.g., Swap et al, 2001) is a commonly used method for
transferring tacit knowledge. The ambiguous nature of
knowledge hampers the transfer (e.g., Zander & Kogut,
1995; Szulanski, 1996, 2000; Stein & Ridderstrale, 2001;
Simonin, 2004; Coff et al, 2006; Van Wijk et al, 2008). In
addition, the value of the information transferred makes
a difference – the more valuable the information, the
more interested the receiver is in receiving it (Gupta &
Govindarajan, 2000).
The context of the transfer can be distinguished into

internal and external (Albino et al, 1999). Internal context
refers to organizational culture. External context refers
to the circumstances in which inter-organizational

A managerial view of the knowledge flows of a health-care system Harri Laihonen476

Knowledge Management Research & Practice

relationships take place. A shared context (i.e., similarities
in organizational culture, values, and technical skills)
expedites the transfer by reducing the ambiguity. Finally,
the transfer media or the actual means for the transfer
have a significant role. The success of the transfer is
dependent on the capacity and richness of the media
(Albino et al, 1999). The qualitative aspect of capacity
concerns the ability for noiseless transfer, while the quan-
titative aspect refers to the redundancy of the transferred
information. Richness refers to the possibility to exchange
mental representations (Daft & Lengel, 1986).
Another closely related concept describing an exchange

of knowledge is knowledge flow (Kumar & Ganesh, 2009).
It occurs quite frequently in the knowledge transfer litera-
ture (e.g., Appleyard, 1996; Preiss, 1999; Argote & Ingram,
2000; Dixon, 2000; Spencer, 2000; Swap et al, 2001; Foss &
Pedersen, 2002; Bontis et al, 2003; Cantwell & Mudambi,
2003; Snider & Nissen, 2003; Nissen, 2006; Mu et al, 2008).
Nevertheless, the concept as such has been the prime focus
of research in only a few studies despite its potential as a
more precise expression related to the phenomenon of
knowledge transfer.
The literature so far has approached knowledge flows

mainly as a part of a particular knowledge management
process, such as knowledge creation. The most familiar
approach to the flow of knowledge is Nonaka’s (1994)
view of knowledge creation. Nonaka studied four different
types of knowledge flows that are illustrated by the
SECI model (Nonaka & Takeuchi, 1995). The SECI model
has been criticized for its conceptual focus and it has
been claimed that the model does not provide any prac-
tical way of analysing knowledge flows (Nissen & Levitt,
2002). This criticism reflects the practical need for empiri-
cal studies to concretize the conceptual approaches and
to enhance the current understanding about the flow
of knowledge (cf. Simonin, 2004; Riege, 2007). Later
on Nonaka et al (2008) discuss ‘process theory’, in an
attempt to open up the black box of knowledge creation.
They state that it always deals with ‘the process in which
individuals with different values and perspectives relate
with each other and with the environment’. Thus, in
addition to a more practical theory, the role of the
environment and inter-organizational knowledge flow
have also been emphasized more recently (cf. Bell &
Zaheer, 2007; Easterby-Smith et al, 2008; Van Wijk et al,
2008; Phelps et al, 2012).
Defining knowledge flows exhaustively is not straight-

forward. In their definition Mu et al (2008) state that
knowledge flow comprises the set of processes, events,
and activities through which data, information, and
knowledge are transferred from one entity (person or
system) to another. This definition is still quite abstract
and requires concretization. It does not specify how
the knowledge actually flows. The next section aims
to bridge this gap between existing theory and practice
by illustrating the concrete embodiments of knowledge
transfer from the health-care system management

Research methods
The paper reports the findings of a 3-year case study of
managerial knowledge flows in a regional health-care
system in Finland. The study was conducted between
2005 and 2007. A case study approach (e.g., Stake, 1994;
Yin, 1994) was appropriate to obtain detailed information
on the conditions, critical events, and processes of a single
entity (Jensen & Rodgers, 2001). It was expected that this
in-depth understanding would also have theoretical impli-
cations (cf. Eisenhardt, 1989; Stake, 1994). The Health
Care District of Forssa (FSTKY) was the subject of the
research, a federation of five municipalities that started as
a joint municipal health-care authority at the beginning of
2001. The population in the area is about 35,000. The
federation provides primary health care, specialized health
care, mental health care, environmental health care, and
A-clinic services (operations to reduce alcohol, drug, and
other addiction problems) for the inhabitants of its area in
southwestern Finland. The federation employs about 700
The qualitative data was gathered in three phases in

order to gain a wide perspective on the phenomenon
(cf. Eisenhardt, 1989). After each phase, a summary report
of the findings was provided for the organization in order
to foster continuous interaction between practitioners and
the researcher, and to validate the relevance of the inter-
pretations made. In the first phase, the author observed
the management group meetings for a period of 7 months.
During this period a total of nine meetings were held and
their durations varied from 1.5 h to 3.5 h. All the meetings
were tape-recorded and transcribed. On the basis of this
data, preliminary categorizations of managerial knowledge
flows were formed.
In the second phase, the knowledge flows of one treat-

ment process (i.e., neurological treatment chain/diagnosis
of dementia) were modelled. In this phase, four interviews
with the key participants (i.e., chief physician, health
centre physician, system support specialist, and quality
and development manager) were conducted. This phase of
the study provided valuable insights into the accumula-
tion of internal control information and the status of
knowledge-based decision making in FSTKY. In the third
phase, after the analysis of the preceding phases, the
leading office holders of the FSTKY were interviewed
(n = 7). During these interviews conceptualizations of the
earlier phases were discussed and iterated. The interviews
focused on both the current knowledge-related challenges
and the future knowledge needs of the interviewees.
The overall purpose of the empirical phase was to

identify the knowledge structures and respective flows that
managers utilize in their knowledge formation, and there-
fore only leading office holders were interviewed. The data
provides a many-sided picture of knowledge flows in
health-care system management, although the target
group somewhat limits the generalizability of the results.
The analysis is based on the theoretical setting described in
the previous section and the four aspects of the actors,
content, context, and media.

A managerial view of the knowledge flows of a health-care system Harri Laihonen 477

Knowledge Management Research & Practice

Results – knowledge flows in health-care system

Knowledge structures of a regional health-care system
A general description of Finnish public health care and its
knowledge flows is provided in Figure 1. The figure illus-
trates how knowledge flows can be categorized into sub-
categories by posing simple questions: who, what, and to
whom (cf. Albino et al, 1999; Jasimuddin, 2005). This
conceptualization already helps managers in assigning
responsibilities and communicating the importance of
different knowledge-related tasks.
In the figure the arrows represent the three main cate-

gories of knowledge flows identified during the first
empirical phase (observation): (1) national information
steering, (2) regional information steering, and (3) internal
control information. The steering is two-way at all levels:
health-care organizations are steered but at the same
time they are also able and expected to participate in the
steering through their feedback and opinions.
Information steering in the Finnish context refers to

a public policy instrument, the purpose of which is to
provide information for service producers to develop
their own operations (cf. Vedung & van der Doelen,
1998; Syväjärvi et al, 2007). Despite the usage of the term
‘information steering’, this policy instrument also includes
the application of methods that refer more to data and
also knowledge. This relates to a more general issue
concerning the Finnish language, which has no separate

words equivalent to English ‘data’, ‘information’, and
‘knowledge’. ‘Knowledge’ can refer to any of these depend-
ing on the context. Here, the term ‘knowledge flow’ is
preferred because the aim of these flows is to improve
managers’ decision-making capabilities, which always
requires interpretation. Thus in the following discussion
and analysis, knowledge flows contain data, information,
or knowledge, depending on the situation. For practical
purposes, this definition had to be made. During the
interviews it was fairly easy to distinguish whether the
interviewee was referring to data, information, or knowl-
edge. When an interviewee talked about operational infor-
mation systems s/he was referring to data, in the case
of reports and research publications the focus was on
information and if the source was a meeting with a
colleague it was reasonable to consider this as a transfer
of knowledge.
The above description provides a good starting point for

analysing the knowledge structures of the health-care
system, but a more detailed analysis is needed when
seeking the concrete bottlenecks in knowledge transfer.
However, it is also important to picture each organization
within a wider system in order to ensure that all the
important stakeholders are taken into account.

Knowledge flows in national information steering
Each upper-level knowledge flow illustrated in Figure 1
can be further categorized in several ways by asking the

Regional health care systems

Interest groups

– Political parties

– Media

– Elected officials

– Customers

– Other opinion leaders

Regional information


National information steering
Health care programs

Quality guidelines Handbooks








National health care system

Health care organization

Public Private 3rd sector

Patient work

Admin./Health care specialists

Figure 1 Knowledge structures of a regional health-care system.
Source: Laihonen (2012).

A managerial view of the knowledge flows of a health-care system Harri Laihonen478

Knowledge Management Research & Practice

same questions as above: who, what, and to whom. In the
case study the process was continued with a more detailed
analysis of the actors (who and to whom). However, it
became evident that this approach was closely connected
to the analysis of the content of knowledge flows (what),
and the selection of an appropriate context and media
for transferring the knowledge.
The chosen approach enabled, for example, a more

detailed analysis of national information steering. This
led to the separation of knowledge flows that relate to
a certain health-specific area of expertise from the more
general information steering (i.e., health care in general,
or further, a certain specialty area, like surgery). Profession-
based information steering represents the other end of the
continuum. This steering relies on personal interaction
and the exchange of tacit knowledge. It is also important
to note that doctors and other health-care specialists are
typically steered by the experts of their own specialty area
as one of the interviewees pointed out:

Professional steering is strongly based on collegial discus-
sions – knowledge seeking and sharing, different opinions –
that finally lead to or crystallize into a shared understanding
and vision

Advances in medical science are likewise typically dis-
cussed together with the specialists from a certain area and
these knowledge flows are clearly distinguishable from the
administrative steering that concentrates on very different
issues and is operationalized in very different terms:

Administrative steering represents quite an opposite type of
steering – it is very black and white. Letters, instructions, and
orders are delivered in a very simple form. The message is
inserted into a conduit and the rest is up to the receiver.
There is very little room for discussion.

More detailed analysis of administrative steering
revealed that it is possible to separate the central govern-
ment’s information steering from other administrative
guidance. The former happens, for example, through
formal written communications from the ministries, offi-
cial statistics, national development programs, and the
communication of health policies. These flows dissemi-
nate strategic information and it was found that the
citation above refers more to this steering by the govern-
ment agencies. Other administrative steering relates more to
tactical and operational management and is based more
on interaction but also involves the dissemination of
instructions and guidelines. The former can be considered
as vertical steering, whereas the latter typically concen-
trates on horizontal steering and concerns more practical
and local issues of public administration. Table 1 cate-
gorizes national information steering into three categories
and also presents some examples of such steering.
The categories also differ regarding the content of steer-

ing. The emphasis is on different types of knowledge, that
is, data, information, or knowledge. The categories are also
differently positioned on the tacit–explicit continuum,
which imposes various requirements on the contextual

setting of knowledge transfer and also on the mechanisms
and methods used. Thus, content analysis relates closely
to the selection of the most appropriate transfer media.
For example, profession-based steering is typically based
on face-to-face interaction, which is needed for transfer-
ring highly specialized tacit knowledge. This emphasizes
the richness of the media. In the case of administrative
steering, such as statistical data or other explicit material,
the capacity of the media is more important. The selection
of the appropriate media and context also represents
a strategic choice between codification and personaliza-
tion strategies (cf. Hansen et al, 1999).

Knowledge flows in regional information steering
Similar categorizations can be conducted at the various
levels of the system. The earlier literature and public
discussion in Finland have focused on information steer-
ing at the national level because at this level it constitutes
an official policy instrument. However, the role of infor-
mation steering and the respective knowledge flows is
not restricted to national level. In the case study, a similar
analysis was conducted at the regional level, where
regional information steering was categorized into sub-
categories of regional governance, regional development,
and regional operations management (see Table 2).
Again, the categories were formed on the basis of the

participating actors. Concerning regional governance,
the actors were the five municipalities, as the owners
of the FSTKY, and at the other end the management of
FSTKY. This category concerns strategic management and
top-level regional decision making. FSTKY as a federation
of municipalities constitutes its own political system
and therefore knowledge transfer among the governing
parties plays a significant role in regional development.
Interviewees highlighted the reciprocal nature of knowl-
edge transfer in this context. Leading office holders have
a major role in the preparation of upcoming major
decisions, especially when these are expected to have
a significant financial impact. Thus, these knowledge
flows cover more than mere information provision. In
general, regional processes were regarded as more inter-
active than governmental steering, which was mostly due
to the spatial proximity of the actors and the trust
accumulating over years of continuous face-to-face inter-
action at the local and regional level.
Knowledge flows of regional development were consid-

ered to be extremely important components of a system’s
knowledge structures because they encapsulate opinions
and knowledge arising bottom-up. These flows are impor-
tant constituents of tactical steering because it is through
these that the best possible approaches and operating
methods are developed for this particular area. Further-
more, knowledge flows related to regional operations
management address the knowledge needs of operative
guidance and continuous development. Together these
two latter categories form knowledge structures that
enable top management and various functional units to

A managerial view of the knowledge flows of a health-care system Harri Laihonen 479

Knowledge Management Research & Practice

Table 2 Categorization of regional information steering

Regional governance Regional development Regional operations management

Sender Owners (five municipalities and their administrative
bodies), Federation council

Employees, inhabitants of the owner

Management group, top management, divisional

Receiver Management group Owners (five municipalities), management
group, top management

Functional units

Context/content Strategic management Tactical management Operational management and development
Examples of the steering parties and
content of the steering

Guidelines and recommendations from the county

Assimilation of external knowledge Control and process information provided by the
patient information system

Self-assessments Regional (internal) development projects,
regional co-operation

Information from administrative information
systems (HR, finance, etc.)

Regional development projects and evaluations Development initiatives from the personnel,
feedback from the customers

Framework agreements and purchasing contracts

Table 1 Categorization of national information steering

Central government’s information steering Administrative information steering Profession-based information steering

Sender Governmental agencies Administrative specialists Medical/nursing professionals
Receiver Municipalities, federation council and

executive board, management group
Administrative specialists based on functional responsibilities Medical/nursing professionals

Context/content Health policy, strategic management Administrative guidelines, tactical/operational management Professional development and knowledge sharing
Examples of the steering
parties and content of the

Guidelines and recommendations from
the ministries and county administration

Administrative guidelines, evaluations, and education from
the Finnish Local and Regional authorities

National institute for health and welfare

National statistics Administrative guidance from the hospital districts Care guidelines by the Finnish Medical Society Duodecim
National development projects and

Framework agreements and purchasing contracts Professional Interest groups (medical and nursing
associations, training, publications, visits, seminars)

The social Insurance Institution of Finland Best practices concerning human resources management,
financial management, and information management

Research, pharmaceuticals (international and domestic)
















interact and guide the organization towards the pre-set
The health-care system studied relies heavily on

the mere existence and transfer of information; it does
not systematically accumulate this information into
valid control information as described by one of the

We don’t have shared data warehouses that would enable the
combination and collation of data from different sources.
Combination is done in Excel, some information taken from
the patient information systems, some from the financial

This also illustrates the interconnectedness of knowl-
edge flows; data and information about operational pro-
cesses should create the basis for tactical and strategic
decision making. This is a bottleneck also recognized in
the literature on health-care knowledge management.
Information systems provide an efficient method for
transferring patient-related information within opera-
tional processes (cf. Williams et al, 2006; Avillach et al,
2008; Lemire, 2010; Lloyd-Bostock, 2010), but the man-
agerial perspective has not received enough attention.
Knowledge flows smoothly in clinical care pathways,
especially within an organization, but does not accumu-
late into strategic insights. Problems arise when patients
cross organizational boundaries and when the discussion
turns to the effectiveness of cross-organizational services.

We don’t have such tools that would enable us to evaluate
certain customer processes. We don’t have tools for analyz-
ing service processes, we are able to monitor outputs and
financial issues, but we don’t get any direct feedback about
the actual processes – to illustrate the quality and effective-
ness of our services.

The last two quotes also exemplify a wider technical
issue concerning several more or less unconnected infor-
mation systems. The fragmentation of data and informa-
tion between information systems and expertise between
professionals challenge the seamless flow of knowledge,
which results in breaks in service processes.

Discussion: knowledge flows in health-care system

Contribution to the knowledge management literature
This study contributes to the knowledge management
literature and to the discussion on knowledge transfer in
particular by illustrating a practical way of analysing
knowledge flows. This has been noted as a deficiency in
the knowledge transfer literature (Nissen & Levitt, 2002;
Riege, 2007). It has been argued that the literature focuses
more on factors impeding or stimulating transfer than on
empirically tested solutions (Riege, 2007). To help bridge
this knowledge gap, the paper studied knowledge transfer
as an underlying phenomenon and knowledge flows
as its practical manifestation. In light of the empirical
experiences, the added value of the approach proposed

originates from its practical focus on the concrete
flows that transfer knowledge and generate value from
organizations’ knowledge resources (cf. Løwendahl
et al, 2001; Schiuma et al, 2007; Schiuma, 2009). The
existing approaches highlight the dynamic nature of
knowledge, but remain at a fairly general level concerning
the ways in which value creation actually takes place.
The empirical evidence implies that practitioners ana-

lyse knowledge transfer in small and concrete parts, and
that ‘knowledge flow’ offers them a conceptual tool for
communicating this abstract issue. Consequently, knowl-
edge flow can be defined as the concrete process in which
certain knowledge is transferred from the sender to the
receiver. This definition is consonant with various defini-
tions of knowledge transfer (e.g., Cutler, 1989; Albino
et al, 1999; Hendriks, 1999; Argote & Ingram, 2000;
Bender & Fish, 2000; Kalling, 2003) but also adds an
important practical aspect by focusing on individual trans-
fer processes. A particular knowledge flow can serve as
a primary impulse for interaction or as feedback on
a preceding knowledge flow.
The literature seems to provide a good basis for the

empirical analysis of knowledge flows despite the criti-
cism; the empirical examination revealed aspects very
similar to those reported in the literature. The roles of
openness and willingness to share knowledge, trust,
and previous knowledge that have been recognized as
the drivers of knowledge transfer in literature (Wathne
et al, 1996; Cruz et al, 2009) were also deemed important
in practice. However, before actors can engage in interac-
tion, a strategic decision needs to be taken on how this
interaction is supported by the health-care system and
the individual organizations. Depending on the content
(explicit or tacit) either technical tools or a physical
location for the knowledge transfer must be provided
(cf. von Hippel, 1994; Simonin, 1999; Argote & Ingram,
2000; McEvily & Chakravarthy, 2002). It is also important
to engage the right people and to select the right content
for this audience (cf. Ko et al, 2005). Currently, a lot of
information (e.g., from research institutes, various non-
profit organizations, and even governmental institutions)
is merely fed into all possible channels and steering parties
simply hope that this information will reach the right
people and influence their behaviour. The suggested four-
fold approach (i.e., to actors, content, context, and media)
is also applicable as a managerial tool.
Another contribution of the paper originates from its

system perspective. When seeking system-level productiv-
ity improvements (cf. Lönnqvist & Laihonen, 2012), inter-
organizational cooperation increases the complexity of
knowledge transfer (Easterby-Smith et al, 2008; Van Wijk
et al, 2008). This was clearly also detected in the empirical
study and was one reason why external steering was
divided into national and regional information steering
and why internal control information was separated from
the external knowledge sources. Depending on where the
boundaries are drawn, the nature of knowledge transfer
changes, for example, due to cultural differences as well as

A managerial view of the knowledge flows of a health-care system Harri Laihonen 481

Knowledge Management Research & Practice

trust, power, and credibility issues among system mem-
bers, which are all also affected by the geographical posi-
tion of organizations (cf. Easterby-Smith et al, 2008; Van
Wijk et al, 2008; Phelps et al, 2012). These clearly also have
managerial implications. The paper presents as evidence
the diversity of actors participating in health-care manage-
ment and various knowledge flows disseminating knowl-
edge within the system. It also dispels the ambiguity of
knowledge in health-care management and enhances
the understanding about the mechanisms of knowledge
transfer in this particular context.
Related to the systemic analysis of knowledge flows, the

paper also raises an important issue concerning the pro-
blems in process-specific approaches presented in the
earlier knowledge transfer literature. Focusing exclusively
on a certain process (e.g., knowledge creation or learning)
may lead to an incomplete understanding of knowledge
transfer and cause sub-optimization or bottlenecks in knowl-
edge transfer, either within an organization or between the
actors of the health-care system. The approach proposed
aims to overcome these problems by stressing that the
efficiency of knowledge transfer should be a central con-
cern not only for individual organizational functions
(e.g., clinical care pathways, human resources, or customer
relationship management). The mapping and analysis
of knowledge flows should also be approached from
the perspective of the health-care system as a whole. The
understanding of the health system as a knowledge system
builds up gradually from individual patient encounters,
but the most influential effects are achieved when this
information is compiled and analysed in larger parts; this
alone reveals the true effectiveness of health services.
Finally, an important lesson from the empirical study

relates to the often irrational and ad hoc nature of knowl-
edge flows. Whereas the literature considers knowledge
transfer and knowledge flow more or less as a rational and
intended process, in practice it often occurs in a haphazard
manner, that is, without being planned and without
a clear purpose. This irrational aspect of knowledge trans-
fer has not been very thoroughly discussed, although
sudden and ad hoc knowledge processes spring up con-
tinuously. This notion turns the focus from the strictly
defined transfer processes to the enabling structures that
make it possible for the participants to become engaged in
the transfer in the first place. The managerial implica-
tion of this is to concentrate on building those enabling
structures instead of controlling and planning each and
every single transfer process. Institutional structures and
predefined knowledge flows can promote knowledge
transfer, but this is not the whole truth about knowledge
management in health care.

Managerial implications
The implications of the study for health-care management
originate first from its managerial and second from its
system perspective. The literature has focused more on
the application of information technologies and systems

to clinical work (e.g., Williams et al, 2006; Avillach
et al, 2008; Lemire, 2010; Lloyd-Bostock, 2010) and the
role of knowledge transfer in building up the expertise
of health-care professionals (Pentland et al, 2011). To break
free from organization-specific and technology-oriented
thinking, the paper utilized the concept of ‘knowledge
flow’ as a research instrument and studied how knowledge
flows within a health system. The viewpoint was manage-
rial; the aim was to understand how managers perceive
their knowledge environment.
Empirical experiences suggest that the categorization of

knowledge flows helps practitioners to gain an improved
understanding about their knowledge environment. Cate-
gorization offered a structured way to understand how
the knowledge resources are combined and transformed
(cf. Laihonen & Lönnqvist, 2010). Practitioners found
the knowledge flow analysis to be a simple and practical
way of enhancing their understanding of the knowledge
dynamics of the health-care system. According to the
empirical findings, inter-organizational knowledge flows
and external knowledge seem to play an important role
in the renewal of the health-care system. Thus, internal
information about the efficiency of services needs to be
complemented with the external perspective. An analysis
of who transfers knowledge to whom, what is transferred,
in which context, and through which media (the transfer
happens) (Albino et al, 1999; Jasimuddin, 2005) offered
a practical way to analyse the surrounding knowledge

This kind of thinking and theoretical approach offers
a method for understanding and simplifying the overwhelm-
ing amount of knowledge – which is valuable.

The empirical examination also revealed the well-known
distinction between two dominant knowledge strategies:
personalization and codification (Hansen et al, 1999).
Typically these two strategies are considered from the
viewpoint of one organization, but the study showed that
these are also highly relevant for system-level analysis
and management. There is a clear need to contemplate
information steering also from this perspective. Defining
and concretizing knowledge strategies not only clarifies
the roles of different steering parties but also helps practi-
tioners to identify the most valuable steering for their
particular area. The main question that arises concerns
who bears or could bear the responsibility for the whole
service system, who is responsible for balancing the var-
ious information steering activities at the national level,
and how the regional-level steering can be coordinated. An
important practical observation also relates to the differ-
ence between knowledge transfer and knowledge sharing.
To improve the effectiveness of information steering,
a distinction should be made between an intended and
focused knowledge transfer and unintended knowledge
sharing (cf. King, 2006). For some knowledge, sharing
is satisfactory, but, as the empirical examination pointed
out, there are numerous occasions where sharing is not
enough; a more focused and decisive approach is needed.

A managerial view of the knowledge flows of a health-care system Harri Laihonen482

Knowledge Management Research & Practice

Considering the self-organizing nature of modern health-
care systems and their knowledge processes (Laihonen,
2006, 2012), these questions are difficult political issues.
Codification strategy applies well to some kinds of

steering. From the viewpoint of an individual health-care
organization the management challenge then concerns
the integration of external knowledge, and the first task is
to recognize the most important information sources and
to build knowledge structures and practices that support
efficient knowledge transfer. However, there are numerous
situations requiring a more personal approach. Trust
and motivation to learn also improve when steering is
interactive and personal. Thus, a personalization strategy
should be preferred especially in the case of extremely
ambiguous and tacit knowledge. This is important to bear
in mind to balance the general dominance of technical
approaches in the area of health knowledge management.
The categorization proposed helps to understand the
scale and complexity of the knowledge management of
the health-care system – it is not just about the clinical
information systems and explicit knowledge. In addition,
individuals’ attitudes, capabilities and tacit knowledge,
working methods and knowledge networks at each sys-
tem level should be taken into account in the pursuit of
productivity improvements and appropriate ways to orga-
nize future health care.

Concluding remarks
In light of the foregoing discussion, it is proposed that
a knowledge flow approach provides a practical way for
understanding the dynamics of a health-care system. By
analysing knowledge flows, managers can get a concrete
grasp of the phenomenon of knowledge transfer and target
their management efforts at the most meaningful knowl-
edge-based activities. It is also argued that the approach
has theoretical value – it is a step towards a more practice-
oriented theory of knowledge transfer.
A special focus on knowledge flows helps in identifying

concrete activities where the sender delivers knowledge

to the receiver. As the paper illustrated, the transfer
of certain knowledge from the sender to the receiver often
necessitates not only the usage of a different context
and medium, but also reciprocal interaction and conversa-
tion. From the theoretical perspective, this paper contri-
butes to the discussion on the phenomenon of knowl-
edge transfer. Despite the wide variety of knowledge
transfer literature, it seems that the practical applications
still lack those groundbreaking ideas and examples that
would explain how the theoretical principles could
be put into specific terms and utilized in practice. The
knowledge flow approach proposed offers a concrete
method for practitioners at the various levels of the
health-care system to recognize, understand, and, above
all, concretize such phenomena that might otherwise
go unrecognized.
The practical relevance of the analysis presented is

significant because it disengages from the prevailing tech-
nology-oriented approaches and seeks answers to more
profound questions about the role of knowledge in health-
care management. This is a timely issue because modern
health-care systems are dynamic and evolving structures
for which knowledge is a critical resource. For practi-
tioners, the paper provides a simple way to proceed. First,
it stresses the recognition of the actors (sender and recei-
ver). This helps in classifying the knowledge flows used for
the actual knowledge transfer. Second, the content of the
transfer should be taken into account when selecting the
context and media for knowledge transfer (e.g., face-to-
face or technical solutions). These fairly simple managerial
guidelines originate from the theoretical discussion on
knowledge transfer but are not yet fully implemented.
The categorization of knowledge flows proposed illustrates
the range of knowledge that needs to be taken into
account and managed in the Finnish context. Failure to
identify the variety and range of knowledge flows may be
one reason why practitioners are still struggling with their
transfer processes despite the richness of the existing
knowledge transfer literature.

ALBINO V, GARAVELLI AC and SCHIUMA G (1999) Knowledge transfer and

inter-firm relationships in industrial districts: the role of the leader firm.
Technovation 19(1), 53–63.

ALVESSON M (1993) Organizations as rhetoric: knowledge-intensive firms
and the struggle with ambiguity. Journal of Management Studies 30(6),

ARGOTE L and INGRAM P (2000) Knowledge transfer: a basis for competitive
advantage in firms. Organizational Behavior and Human Decision Pro-
cesses 82(1), 150–169.

APPLEYARD MM (1996) How does knowledge flow? Interfirm patterns
in the semiconductor industry. Strategic Management Journal
17(Winter Special Issue), 137–154.

AVILLACH P, JOUBERT M and FIESCHI M (2008) Improving the quality of the
coding of primary diagnosis in standardized discharge summaries.
Health Care Management Science 11(2), 147–151.

BELL G and ZAHEER A (2007) Geography, networks, and knowledge flow.
Organization Science 18(6), 955–972.

BENDER S and FISH A (2000) The transfer of knowledge and the retention of
expertise: the continuing need for global assignments. Journal of Knowl-
edge Management 4(2), 125–137.

BERG M (2004) Health Information Management: Integrating Information
Technology in Health Care Work. Routledge, New York.

BLACKLER F (1995) Knowledge, knowledge work and organizations: an
overview and interpretation. Organization Studies 16(6), 1021–1046.

BONTIS N, FEARON M and HISHON M (2003) The e-flow audit: an evaluation
of knowledge flow within and outside a high-tech firm. Journal of
Knowledge Management 7(1), 6–19.

BOSE R (2003) Knowledge management-enabled health care manage-
ment systems: capabilities, infrastructure, and decision-support. Expert
Systems with Applications 24(1), 59–71.

CANTWELL JA and MUDAMBI R (2003) Multinational enterprises and compe-
tence-creating knowledge flows: a theoretical analysis. In Knowledge
Flows, Governance and the Multinational Enterprise: Frontiers in Interna-
tional Management Research (MAHNKE V and PEDERSEN T, Eds), pp 38–57,
Palgrave Macmillan, New York.

COFF R, COFF D and EASTVOLD R (2006) The knowledge-leveraging
paradox: how to achieve scale without making knowledge imitable.
Academy of Management Review 31(2), 1–13.

COHEN WM and LEVINTHAL DA (1990) Absorptive capacity: a new perspective
on learning and innovation. Administrative Science Quarterly 35(1), 128–152.

A managerial view of the knowledge flows of a health-care system Harri Laihonen 483

Knowledge Management Research & Practice

CRUZ NM, PÉREZ VM and CANTERO CT (2009) The influence of employee
motivation on knowledge transfer. Journal of Knowledge Management
13(6), 478–490.

CUTLER RS (1989) A comparison of Japanese and U.S. high-technology
transfer practices. IEEE Transactions on Engineering Management 36(1),

DAFT RL and LENGEL RH (1986) Organizational information requirements,
media richness and structural design. Management Science 32(5),

DELESIE L and CROES L (2000) Operations research and knowledge
discovery: a data mining method applied to health care management.
International Transactions in Operational Research 7(2), 159–170.

DIXON NM (2000) Common Knowledge. Harvard Business School Press,
Boston, MA.

DODGSON M (1993) Learning, trust, and technological collaboration.
Human Relations 46(1), 77–95.

EASTERBY-SMITH M, LYLES MA and TSANG EWK (2008) Inter-organizational
knowledge transfer: current themes and future prospects. Journal of
Management Studies 45(4), 677–690.

EDWARDS JS, HALL MJ and SHAW D (2005) Proposing a systems vision of
knowledge management in emergency care. Journal of the Operational
Research Society 56(2), 180–192.

EISENHARDT KM (1989) Building theories from case study research.
Academy of Management Review 14(4), 532–550.

FOSS NJ and PEDERSEN T (2002) Transferring knowledge in MNCs: the
role of sources of subsidiary knowledge and organizational context.
Journal of International Management 8(1), 49–67.

GRANT RM (1996) Toward a knowledge-based theory of the firm. Strategic
Management Journal 17(Winter Special Issue), 109–122.

GUPTA A and GOVINDARAJAN V (1991) Knowledge flows and the structure of
control within multinational corporations. The Academy of Management
Review 16(4), 768–792.

GUPTA A and GOVINDARAJAN V (2000) Knowledge flows within multinational
corporations. Strategic Management Journal 21(4), 473–496.

HANSEN MT, NOHRIA N and TIERNEY T (1999) What’s your strategy for
managing knowledge? Harvard Business Review 77(2), 106–116.

HENDRIKS P (1999) Why share knowledge? The influence of ICT on the
motivation for knowledge sharing. Knowledge and Process Management
6(2), 91–100.

HUTZSCHENREUTER T and HORSTKOTTE J (2010) Knowledge transfer to
partners: a firm level perspective. Journal of Knowledge Management
14(3), 428–448.

INKPEN AC and TSANG EWK (2005) Social capital, networks, and knowledge
transfer. Academy of Management Review 30(1), 146–165.

JASIMUDDIN SM (2005) Storage of transferred knowledge of transfer of
stored knowledge: which direction? If both, then how? Proceedings of
the 38th Hawaii International Conference on System Sciences, 1, 27a.

JENSEN JL and RODGERS R (2001) Cumulating the intellectual gold of case
study research. Public Administrative Review 61(2), 235–246.

KALLING T (2003) Organization-internal transfer of knowledge and the role
of motivation: a qualitative case study. Knowledge and Process Manage-
ment 10(2), 115–126.

intensity as an organisational characteristic. Knowledge Management
Research & Practice 9(4), 315–326.

KHAMSEH HM and JOLLY DR (2008) Knowledge transfer in alliances:
determinant factors. Journal of Knowledge Management 12(1),

KING WR (2006) Knowledge sharing. In The Encyclopedia of Knowledge
Management (SCHWARTZ DG, Ed), pp 493–498, Idea Group Publishing,
Hershey, PA.

KO DG, KIRSCH LJ and KING WR (2005) Antecedents of knowledge transfer
from consultants to clients in enterprise system implementations. MIS
Quarterly 29(1), 59–85.

KUMAR JA and GANESH LS (2009) Research on knowledge transfer in
organizations: a morphology. Journal of Knowledge Management 13(4),

LAIHONEN H (2006) Knowledge flows in self-organizing processes. Journal
of Knowledge Management 10(4), 127–135.

LAIHONEN H (2012) Knowledge structures of a health ecosystem. Journal of
Health Organization and Management 26(4), 542–558.

LAIHONEN H and LÖNNQVIST A (2010) Knowledge-based value creation:
grasping the intangibility of service operations in Finland. International
Journal of Knowledge-Based Development 1(4), 331–345.

LEMIRE M (2010) What can be expected of information and communica-
tion technologies in terms of patient empowerment in health? Journal of
Health Organization and Management 24(2), 167–181.

LLOYD-BOSTOCK S (2010) The creation of risk-related information: the UK
General Medical Council’s electronic database. Journal of Health Organi-
zation and Management 24(6), 584–596.

LÖNNQVIST A and LAIHONEN H (2012) Welfare service system productivity:
the concept and its application. International Journal of Productivity and
Performance Management 61(2), 128–141.

value creation in professional service firms: A framework for analysis.
Human Relations 54(7), 911–931.

MCEVILY SK and CHAKRAVARTHY B (2002) The persistence of knowledge-based
advantage: an empirical test for product performance and technological
knowledge. Strategic Management Journal 23(4), 285–305.

MEIER M (2011) Knowledge management in strategic alliances: a review of
empirical evidence. International Journal of Management Reviews 13(1),

MILES I et al (1995) Knowledge-Intensive Business Services: Users, Carriers and
Sources of Innovation, European Innovation Monitoring System (EIMS).
EIMS Publication No. 15 Luxembourg.

MU J, PENG G and LOVE E (2008) Interfirm networks, social capital, and
knowledge flow. Journal of Knowledge Management 12(4), 86–100.

NISSEN M (2006) Harnessing Knowledge Dynamics: Principled Organizational
Knowing & Learning. IRM Press, Hershey, PA.

NISSEN M and LEVITT R (2002) Dynamic models of knowledge-flow
dynamics. CIFE Working Paper No. 76. Stanford University, Stanford,

NONAKA I, TOYAMA R and HIRATA T (2008) Managing Flow: A Process Theory
of the Knowledge-Based Firm. Palgrave Macmillan, Basingstoke, UK.

NONAKA I (1994) A dynamic theory of organizational knowledge creation.
Organization Science 5(1), 14–37.

NONAKA I and TAKEUCHI H (1995) The Knowledge Creating Company: How
Japanese Companies Create the Dynamics of Innovation. Oxford Univer-
sity Press, New York.

NORDGREN L (2009) Value creation in health care services – developing
service productivity: experiences from Sweden. International Journal of
Public Sector Management 22(2), 114–127.

PENTLAND D et al (2011) Key characteristics of knowledge transfer and
exchange in healthcare: integrative literature review. Journal of
Advanced Nursing 67(7), 1408–1425.

PHELPS C, HEIDL R and WADHWA A (2012) Knowledge, networks, and
knowledge networks: a review and research agenda. Journal of Manage-
ment 38(4), 1115–1166.

PORTER M and TEISBERG E (2006) Redefining Health Care: Creating Value-
Based Competition on Results. Harvard Business School Publishing,
Boston, MA.

PREISS K (1999) Modelling of knowledge flows and their impact. Journal of
Knowledge Management 3(1), 36–46.

RIEGE A (2007) Actions to overcome knowledge transfer barriers in MNCs.
Journal of Knowledge Management 11(1), 48–67.

SCHIUMA G (2009) The managerial foundations of knowledge
assets dynamics. Knowledge Management Research & Practice 7(4),

SCHIUMA G, ORDÓÑEZ DE PABLOS P and SPENDER JC (2007) Intellectual capital
and company’s value creation dynamics. International Journal of Learn-
ing and Intellectual Capital 4(4), 331–341.

SIMONIN BL (1999) Ambiguity and the process of knowledge transfer in
strategic alliances. Strategic Management Journal 20(7), 595–623.

SIMONIN BL (2004) An empirical investigation of the process of knowledge
transfer in international strategic alliances. Journal of International
Business Studies 35(5), 407–427.

SNIDER KF and NISSEN ME (2003) Beyond the body of knowledge: a
knowledge-flow approach to project management theory and practice.
Project Management Journal 34(2), 4–12.

SPENCER JW (2000) Knowledge flows in the global innovation system: do
US firms share more scientific knowledge than their Japanese rivals?
Journal of International Business Studies 31(3), 521–530.

A managerial view of the knowledge flows of a health-care system Harri Laihonen484

Knowledge Management Research & Practice

STAKE RE (1994) Case studies. In Handbook of Qualitative Research (DENZIN NK
and LINCOLN YS, Eds), pp 236–247, Sage Publications, Thousand Oaks, CA.

STEIN J and RIDDERSTRALE J (2001) Managing the dissemination of compe-
tences, in knowledge management and organizational competence. In
Knowledge Management and Organizational Competence (SANCHEZ R,
Ed), pp 63–76, Oxford University Press, Oxford.

SZULANSKI G (1996) Exploring internal stickiness: impediments to the
transfer of best practice within the firm. Strategic Management Journal
17(Winter Special Issue), 27–43.

SZULANSKI G (2000) The process of knowledge transfer: a diachronic
analysis of stickiness. Organizational Behavior and Human Decision
Processes 82(1), 9–27.

SVEIBY KE (2007) Disabling the context for knowledge work: the role of
managers’ behaviours. Management Decision 45(10), 1636–1655.

SWAP W, LEONARD D, SHIELDS M and ABRAMS L (2001) Using mentoring and
storytelling to transfer knowledge in the workplace. Journal of Manage-
ment Information Systems 18(1), 95–114.

SYVÄJÄRVI A, STENVALL J and HARISALO R (2007) Information steering to create
innovative actions in local public administration. In Proceedings of
the Eleventh International Research Symposium on Public Management,
pp 2–4. Potsdam University, Germany, April.

TSAI W (2000) Social capital, strategic relatedness and the formation
of intraorganizational linkages. Strategic Management Journal 21(9),

VAN WIJK R, JANSEN JP and LYLES MA (2008) Inter- and intra-organizational
knowledge transfer: a meta-analytic review and assessment of its
antecedents and consequences. Journal of Management Studies 45(4),

VEDUNG E and VAN DER DOELEN F (1998) The sermon: information programs
in the public policy process – choice, effects, and evaluation. In Carrots,
Sticks & Sermons (BEMELMANS-VIDEC R and VEDUNG E, Eds), pp 103–128,
Transaction Publishers, New Brunswick, Canada.

VON HIPPEL E (1994) ‘Sticky information’ and the locus of problem
solving: implications for innovation. Management Science 40(4),

WATHNE K, ROOS J and VON KROGH G (1996) Towards a theory of knowledge
transfer in a cooperative context. In Managing Knowledge – Perspectives
on Cooperation and Competition (VON KROGH G and ROOS J, Eds), pp 55–
81, Sage Publications, London.

WILLIAMS K, ROBINSON K and TOTH A (2006) Data quality maintenance of
the patient master index (PMI): a ‘snap-shot’ of public healthcare facility
PMI data quality and linkage activities. Health Information Management
Journal 35(1), 10–26.

YIN RK (1994) Case Study Research: Design and Methods. Sage Publications,
Newbury Park, CA.

ZANDER U and KOGUT B (1995) Knowledge and the speed of transfer and
imitation of organizational capabilities: an empirical test. Organization
Science 6(1), 76–92.

About the Author
Harri Laihonen is a Research Fellow at the Department of
Information Management and Logistics, Tampere Univer-
sity of Technology, Finland. His research focuses on

knowledge-based value creation and the management of
service performance.

A managerial view of the knowledge flows of a health-care system Harri Laihonen 485

Knowledge Management Research & Practice

Reproduced with permission of the copyright owner. Further reproduction prohibited without



Health Information Technology:
Integration, Patient Empowerment, and Security

Kevin C. Marvin, B.S.Pharm.,
M.S., FASHP, FHIMMS, Informatics
Pharmacist Consultant, Swanton, VT.

Address correspondence to Mr. Marvin

Copyright © 2017, American Society of
Health-System Pharmacists, Inc. All rights
reserved. 1079-2082/17/0102-0036.


With the 2015 enactment of the Medicare Access and CHIP Re-
authorization Act, beginning in 2018,
there will be a shift from meaningful-
use payment adjustments that em-
phasize use of an electronic health
record (EHR) toward a merit-based
incentive payment system (MIPS)
that requires measurable improve-
ments to care quality.1 Integration of
health information technologies is es-
sential in meeting MIPS goals. Contin-
ued advancements in technology and
interoperability will expand health-
care device utilization in all care set-
tings. At the same time, increased data
security will require attention.


Consolidation of health systems
has led to increased integration of
health information technologies. A
large majority (89%) of Forecast Pan-
elists (FPs) predicted that at least half
of health systems will significantly re-
organize their information technology
infrastructure to achieve true system-
wide integration in the next five years
(Figure 1, item 1). For pharmacy de-
partments, such integration requires
standardization of medication order-
ing, distribution, monitoring, docu-
mentation, and related processes.

Without such standards, simple differ-
ences (e.g., with i.v. medication con-
centrations) will compromise integra-
tion by forcing the need for different
order sets, smart pump libraries, and
configurations of other automated
systems. The integration of patients
into the decision-making process for
their care will be facilitated through
EHR portals and secure messaging
among care team members.2


Beyond patient EHR portals, am-
bulatory care data sources are evolv-
ing quickly. Wearable devices provide
real-time data and encourage patient
self-monitoring and therapy adherence.
In addition, medication dispensing
and reminder devices provide real-
time medication adherence informa-
tion. Sixty-five percent of FPs agreed
that in at least 25% of health systems,
health data generated by ambulatory
care patients (such as from wearable
devices) will be integrated into the pa-
tient’s EHR in real time (Figure 1, item
3). The design of patient-connected
devices must be optimized, based on
human factors and interoperability,
to ensure safe and accurate diagnoses
and appropriate treatments.3,4


Integration of patient physiologi-
cal data (e.g., vital signs) into the EHR
through monitoring devices is com-
monplace. Opportunities abound to
integrate these data into automated
decision-support systems, but there
is limited experience in achieving in-
teroperability with medication admin-
istration devices. About three fourths
of FPs predicted that at least 50% of
hospitals will realize measurable im-
provements in patient outcomes and
staff productivity through interoper-

ability between EHRs and medical de-
vices (Figure 1, item 2). This prediction
may be too optimistic, with a recent
study finding an error rate of 60% as-
sociated with the use of smart infusion
pumps.5 Thus, caution must be exer-
cised so that errors are not introduced
or magnified in the pursuit of EHR-
to-pump interoperability. Careful de-
sign of i.v. medication ordering and
administration workflows is needed to
address multiple pump-use variables,
including medication concentrations,
weight-based dosing, dose rounding,
loading dose and bolus administra-
tion, titrations, and pump setup. EHR-
to-device interoperability can support
improved patient care but requires
accurate configuration and coordina-
tion of all components.


Most EHR systems support the
creation and sharing of care plans,
but updating by the patient and all
care team members is not universally
available. Almost two thirds of FPs
predicted that patients in at least 25%
of health systems within five years
will have a single plan of care that is
readily accessible at all points of care
and can be updated by all healthcare
professionals and the patient (Fig-
ure 1, item 4). Electronic care plans
should support a team-based consen-
sus process that includes the patient
and provides access appropriate to
the caregiver or patient. Pharmacists
should be incorporated into the care
planning process.6


Patient empowerment requires
the provision of more information
to patients to support their decision-
making process. Public entities, pay-
ers, and employers will create elec-



Figure 1 (Health Information Technology). Forecast Panelists’ responses to the question, “How likely is it that the fol-
lowing will occur by the year 2021 in the geographic region where you work?”

















1 At least 50% of health systems will have
significantly reorganized their information
technology infrastructure (including electronic health
records) to achieve true systemwide integration.








2 In at least 50% of hospitals, interoperability between
electronic health records and medical devices (e.g.,
infusion pumps, physiological monitoring systems)
will lead to measurable improvements in patient
outcomes and staff productivity.







3 In at least 25% of health systems, health data
generated by ambulatory patients (such as from
wearable devices) will be integrated into the
patient’s electronic health record in real time.





4 Patients in at least 25% of health systems will have
a single plan of care that is readily accessible at all
points of care and can be updated by all healthcare
professionals in the system and by the patient.


38% 41%



5 At least 10% of health systems will be the victim
of a major cyberattack or unauthorized information
system access that seriously compromises patient





6 At least 50% of healthcare consumers will use an
online provider report card to help decide where to
seek medical care.




1. Assertively pursue systemwide
integration of medication-
related information tech-
nology using sound project
management techniques (e.g.,
clear goals, accountability,
deadlines). Establish system-
wide standards for safety-related
facets of medication use (e.g.,
i.v. drug concentrations) and

2. Through the pharmacy and
therapeutics committee, estab-
lish policies that clearly assign
responsibilities for i.v. pump
configuration, user training,
support, and maintenance.
Ensure that the formulary and
all medication-use process-
es are consistent with the i.v.
pump configuration.

3. Ensure that pharmacy has a
voice in your health system’s
preacquisition assessment
of devices that would affect

medication use and monitor-
ing. In those assessments, take
into account human factors
and interoperability with elec-
tronic health records.

4. If your health system has cen-
tralized patient care plans,
ensure clarity in the process for
pharmacists accessing and en-
tering information into those

5. Give priority to reviewing
the access security of all
pharmacy-managed technology
systems. Test downtime work-
flow processes and procedures
for each system, and make
improvements as indicated.

6. Identify the pharmacy-specific
metrics displayed (or likely to
be displayed) on your health
system’s provider report card
and develop a continuous
quality-improvement plan for
those measures.

tronic tools to display quality and cost
data to support patient selection of
providers and therapies. Most health-
care consumers, according to 78% of
FPs, are likely to use an online provid-
er report card to help decide where to
seek medical care (Figure 1, item 6).
These report cards can be an excellent
tool to support patient decision-mak-
ing when they properly balance quality
and cost measures. Opportunities exist
for pharmacy departments to monitor
and improve report card measures that
could affect patient demand for am-
bulatory care and specialty medica-
tion services. A feedback mechanism
for patients to comment on the report
card’s usefulness (with subsequent ad-

justments based on this input) is also
an important consideration.7


Healthcare data integration re-
quires enhanced data access, which
can increase susceptibility to hack-
ing. Cyberattacks on health-system
computers have occurred and can be
costly due to downtime and the loss
or release of patient data.8 Indeed,
79% of FPs predicted that at least 10%
of health systems will be the victims
of a major cyberattack or unauthor-
ized information system access that
seriously compromises patient safety
(Figure 1, item 5). Electronic systems
across the organization must be eval-

uated to ensure that they are secure
from unauthorized access, are prop-
erly backed up, and have appropri-
ately tested downtime processes.

The author has declared no potential
conflicts of interest.

1. Medicare Access and CHIP Reau-

thorization Act. www.congress.gov/
(accessed 2016 Oct 13).

2. Royal Philips. Breaking the cycle of
reactive healthcare: analysis of the
U.S. Future Health Index results.
Report_2016_US (accessed 2016
Jul 10).

3. Harte RP, Glynn LG, Broderick BJ et
al. Human centred design consider-
ations for connected health devices
for the older adult. J Pers Med. 2014;

4. Food and Drug Administration. Guid-
ance for industry: applying human
factors and usability engineering to
medical devices (February 2016).
vices/…/UCM259760 (accessed
2016 Jul 10).

5. Schnock KO, Dykes PC, Albert J et al.
The frequency of intravenous medi-
cation administration errors related
to smart infusion pumps: a multihos-
pital observational study. BMJ Qual
Saf. Epub ahead of print. 2016 Feb 23.

6. Joint Commission of Pharmacy Prac-
titioners. Pharmacists’ patient care
process (May 2014). www.ashp.org/
Process2014.aspx (accessed 2016 Jul

7. Friedberg M, Damberg C. A five-point
checklist to help performance reports
incentivize improvement and effec-
tively guide patients. Health Aff. 2012;

8. Moriarty-Siler E. Cyberattacks: the
next health care epidemic (May 2016).
epidemic?page_all=1 (accessed 2016
Jul 10).

Copyright of American Journal of Health-System Pharmacy is the property of American
Society of Health System Pharmacists and its content may not be copied or emailed to
multiple sites or posted to a listserv without the copyright holder’s express written permission.
However, users may print, download, or email articles for individual use.

Calculate the price of your order

550 words
We'll send you the first draft for approval by September 11, 2018 at 10:52 AM
Total price:
The price is based on these factors:
Academic level
Number of pages
Basic features
  • Free title page and bibliography
  • Unlimited revisions
  • Plagiarism-free guarantee
  • Money-back guarantee
  • 24/7 support
On-demand options
  • Writer’s samples
  • Part-by-part delivery
  • Overnight delivery
  • Copies of used sources
  • Expert Proofreading
Paper format
  • 275 words per page
  • 12 pt Arial/Times New Roman
  • Double line spacing
  • Any citation style (APA, MLA, Chicago/Turabian, Harvard)

Our guarantees

Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.

Money-back guarantee

You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.

Read more

Zero-plagiarism guarantee

Each paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.

Read more

Free-revision policy

Thanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.

Read more

Confidentiality Guarantee

Your email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.

Read more

Fair-cooperation guarantee

By sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.

Read more

24/7 Support

Our specialists are always online to help you! We are available 24/7 via live chat, WhatsApp, and phone to answer questions, correct mistakes, or just address your academic fears.

See our T&Cs
Live Chat+1(978) 822-0999EmailWhatsApp

Order your essay today and save 30% with the discount code ESSAYHELP