Infs discussion 6

Are you pressed for time and haven’t started working on your assignment yet? Would you like to buy an assignment? Use our custom writing services for better grades. Even if your deadline is approaching fast, our writers can handle your task right when you need it.

Order a Similar Paper Order a Different Paper

 Please read “Case 20: Strategic IS planning for the hospital ED” on page 512-515 of the textbook and discuss question 1 at the end of the case.  

Health Care

Information Systems

Health Care

Information Systems

A Practical Approach for Health

Care Management

Fourth Edition

Karen A. Wager

Frances Wickham Lee

John P. Glaser

Cover design by Wiley

Copyright © 2017 by John Wiley & Sons, Inc. All rights reserved.

Published by Jossey-Bass
A Wiley Brand
One Montgomery Street, Suite 1000, San Francisco, CA 94104-4594—

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise,
except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without
either the prior written permission of the publisher, or authorization through payment of the
appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers,
MA 01923, 978-750-8400, fax 978-646-8600, or on the Web at Requests to
the publisher for permission should be addressed to the Permissions Department, John Wiley
& Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best
efforts in preparing this book, they make no representations or warranties with respect to the
accuracy or completeness of the contents of this book and specifi cally disclaim any implied
warranties of merchantability or fi tness for a particular purpose. No warranty may be created or
extended by sales representatives or written sales materials. The advice and strategies contained
herein may not be suitable for your situation. You should consult with a professional where
appropriate. Neither the publisher nor author shall be liable for any loss of profi t or any other
commercial damages, including but not limited to special, incidental, consequential, or other
damages. Readers should be aware that Internet Web sites offered as citations and/or sources
for further information may have changed or disappeared between the time this was written and
when it is read.

Jossey-Bass books and products are available through most bookstores. To contact Jossey-Bass
directly call our Customer Care Department within the U.S. at 800-956-7739, outside the U.S. at
317-572-3986, or fax 317-572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some
material included with standard print versions of this book may not be included in e-books or
in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the
version you purchased, you may download this material at For
more information about Wiley products, visit

Library of Congress Cataloging-in-Publication Data
Library of Congress Cataloging-in-Publication Data has been applied for and is on fi le with
the Library of Congress.

9781119337188 (paperback)
9781119337126 (ePDF)
9781119337089 (ePub)

Printed in the United States of America


PB Printing 10 9 8 7 6 5 4 3 2 1


Tables, Figures, and Exhibits …………………………………………………………………….. xi

Preface …………………………………………………………………………………………………. xv

Acknowledgments ……………………………………………………………………………….. xxiii

The Authors ………………………………………………………………………………………… xxv

Part 1 Major Environmental Forces That
Shape the National Health Information
System Landscape ………………………………………………. 1

1 The National Health Information
Technology Landscape …………………………………………………………… 3

Learning Objectives
1990s: The Call for HIT
2000–2010: The Arrival of HIT
2010–Present: Health Care Reform and the Growth of HIT
Key Terms
Learning Activities

2 Health Care Data …………………………………………………………………. 21

Learning Objectives
Health Care Data and Information Defi ned
Health Care Data and Information Sources
Health Care Data Uses
Health Care Data Quality
Key Terms
Learning Activities

3 Health Care Information Systems …………………………………………. 65

Learning Objectives
Review of Key Terms
Major Health Care Information Systems
History and Evolution
Electronic Health Records
Personal Health Records
Key Issues and Challenges


vi · C O N T E N T S


Key Terms

Learning Activities


4 Information Systems to Support Population
Health Management ……………………………………………………………. 99
Learning Objectives
PHM: Key to Success
Accountable Care Core Processes
Data, Analytics, and Health IT Capabilities and Tools
Transitioning from the Record to the Plan
Key Terms
Learning Activities

Part 2 Selection, Implementation, Evaluation, and
Management of Health Care Information
Systems ………………………………………………………….. 139
5 System Acquisition …………………………………………………………….. 141

Learning Objectives
System Acquisition: A Defi nition
Systems Development Life Cycle
System Acquisition Process
Project Management Tools
Things That Can Go Wrong
Information Technology Architecture
Key Terms
Learning Activities

6 System Implementation and Support …………………………………. 179

Learning Objectives
System Implementation Process
Managing Change and the Organizational Aspects
System Support and Evaluation
Key Terms
Learning Activities

7 Assessing and Achieving Value in Health Care
Information Systems ………………………………………………………….. 215
Learning Objectives
Definition of IT-Enabled Value

C O N T E N T S · vii

The IT Project Proposal

Ensuring the Delivery of Value

Analyses of the IT Value Challenge


Key Terms

Learning Activities


8 Organizing Information Technology Services ………………………. 251

Learning Objectives
Information Technology Functions
Organizing IT Staff Members and Services
In-House versus Outsourced IT
Evaluating IT Effectiveness
Key Terms
Learning Activities

Part 3 Laws, Regulations, and Standards That
Affect Health Care Information Systems ………….. 285

9 Privacy and Security …………………………………………………………… 287

Learning Objectives
Privacy, Confidentiality, and Security Defi ned
Legal Protection of Health Information
Threats to Health Care Information
The Health Care Organization’s Security Program
Beyond HIPAA: Cybersecurity for Today’s Wired Environment
Key Terms
Learning Activities

10 Performance Standards and Measures ………………………………… 323

Learning Objectives
Licensure, Certification, and Accreditation
Measuring the Quality of Care
Federal Quality Improvement Initiatives
Key Terms
Learning Activities

11 Health Care Information System Standards ………………………… 357

Learning Objectives

HCIS Standards Overview

Standards Development Process

viii · C O N T E N T S

Federal Initiatives Affecting Health Care IT Standards
Other Organizations Influencing Health Care IT Standards
Health IT Standards
Vocabulary and Terminology Standards
Data Exchange and Messaging Standards
Health Record Content and Functional Standards
Key Terms
Learning Activities

Part 4 Senior-Level Management Issues Related
to Health Care Information Systems
Management ………………………………………………….. 393

12 IT Alignment and Strategic Planning ………………………………….. 395

Learning Objectives
IT Planning Objectives
Overview of Strategy
The IT Assest
A Normative Approach to Developing Alignment and IT Strategy
IT Strategy and Alignment Challenges
Key Terms
Learning Activities

13 IT Governance and Management ……………………………………….. 427

Learning Objectives
IT Governance
IT Budget
Management Role in Major IT Initiatives
IT Effectiveness
The Competitive Value of IT
Key Terms
Learning Activities

14 Health IT Leadership Case Studies ………………………………………. 467

Case 1: Population Health Management in Action
Case 2: Registries and Disease Management in the PCMH
Case 3: Implementing a Capacity Management

Information System
Case 4: Implementing a Telemedicine Solution
Case 5: Selecting an EHR For Dermatology Practice
Case 6: Watson’s Ambulatory EHR Transition

C O N T E N T S · ix

Case 7: Concerns and Workarounds with a Clinical
Documentation System

Case 8: Conversion to an EHR Messaging System
Case 9: Strategies for Implementing CPOE
Case 10: Implementing a Syndromic Surveillance System
Case 11: Planning an EHR Implementation
Case 12: Replacing a Practice Management System
Case 13: Implementing Tele-psychiatry in a Community Hospital

Emergency Department
Case 14: Assessing the Value and Impact of CPOE
Case 15: Assessing the Value of Health IT Investment
Case 16: The Admitting System Crashes
Case 17: Breaching The Security of an Internet Patient Portal
Case 18: The Decision to Develop an IT Strategic Plan
Case 19: Selection of a Patient Safety Strategy
Case 20: Strategic IS Planning for the Hospital ED
Case 21: Board Support for a Capital Project
Supplemental Listing of Related Case Studies and Webinars

A. Overview of the Health Care IT Industry …………………………….. 525

The Health Care IT Industry

Sources of Industry Information

Health Care IT Associations


Learning Activities


B. Sample Project Charter, Sample Job Descriptions,
and Sample User Satisfaction Survey ………………………………….. 539
Sample Project Charter

Sample Job Descriptions

Sample User Satisfaction Survey

Index ………………………………………………………………………………………………….. 559

Tables, Figures, and Exhibits


1.1 Stages of Meaningful Use ……………………………………………………….. 9

1.2 Differences between Medicare and Medicaid EHR

incentive programs ……………………………………………………………….. 11

1.3 MIPS performance categories…………………………………………………..13

2.1 Ten common hospital statistical measures ………………………………….47

2.2 Terms used in the literature to describe the fi ve common

dimensions of data quality ……………………………………………………..52

2.3 Excerpt from data dictionary used by AHRQ surgical site infection

risk stratifi cation/outcome detection …………………………………………56

3.1 Common types of administrative and clinical information systems ….68

3.2 Functions defining the use of EHRs ………………………………………….76

3.3 Sociotechnical dimensions ………………………………………………………92

4.1 Key attributes and broad results of current ACO models …………….. 106

5.1 Sample criteria for evaluation of RFP responses ……………………….. 161

7.1 Financial analysis of a patient accounting document

imaging system …………………………………………………………………..227

7.2 Requests for new information system projects ………………………….. 230

9.1 HIPAA violation categories …………………………………………………… 302

9.2 Top ten largest fines levied for HIPAA violations as of

August 2016 ………………………………………………………………………. 303

9.3 Resources for conducting a comprehensive risk analysis …………….. 309

9.4 Common examples of vulnerabilities and mitigation strategies …….. 310

10.1 2015 approved CMS accrediting organizations …………………………..329

10.2 Major types of quality measures …………………………………………….336

10.3 Excerpt of CQMs for 2014 EHR Incentive Programs ……………………338

10.4 MIPS performance categories…………………………………………………349

11.1 Relationships among standards-setting organizations …………………. 361

11.2 Excerpt from CVX (clinical vaccines administered) …………………….374

11.3 Excerpt from NCPDP data dictionary ……………………………………… 380

11.4 X12 TG2 work groups …………………………………………………………. 381

11.5 Excerpt from the HL7 EHR-S Functional Model …………………………386


xii · T A B L E S , F I G U R E S , A N D E X H I B I T S

12.1 IT initiatives linked to organizational goals ………………………………397

12.2 Summary of the scope of outpatient care problems …………………… 402

12.3 Assessment of telehealth strategic opportunities ……………………….. 413

12.4 Summary of IT strategic planning ………………………………………….. 414

13.1 Target increases in an IT operating budget ……………………………….442

14.1 List of cases and corresponding chapters …………………………………469

A.1 IT interests of different health care organizations ………………………526

A.2 Health care provider market: NAICS taxonomy …………………………527

A.3 Changes in application focus resulting from changes

in the health care business model ………………………………………….528

A.4 Major health care IT vendors, ranked by revenue ……………………… 530

B.1 Revision history …………………………………………………………………. 541

B.2 Issue management ………………………………………………………………549


1.1 Milestones for a supportive payment and regulatory environment ….15

2.1 Health care data to health care knowledge …………………………………23

2.2 Sample EHR information screen ………………………………………………33

2.3 Sample EHR problem list ……………………………………………………….34

2.4 Sample EHR progress notes …………………………………………………….34

2.5 Sample EHR lab report …………………………………………………………..35

2.6 Sample heart failure and hypertension query screen …………………….45

3.1 History and evolution of health care information systems

(1960s to today) …………………………………………………………………..70

3.2 Sample drug alert screen ………………………………………………………..73

3.3 Sample patient portal …………………………………………………………….74

3.4 Percent of non-federal acute care hospitals with adoption of at

least a basic EHR with notes system and position of a certifi ed

EHR: 2008–2015 ……………………………………………………………………75

3.5 Office-based physician practice EHR adoption since 2004 ……………..77

3.6 The ONC’s roadmap to interoperability ……………………………………..84

4.1 Percent of nonfederal acute care hospitals that electronically

exchanged laboratory results, radiology reports, clinical care

summaries, or medication lists with ambulatory care providers

or hospitals outside their organization: 2008–2015 ……………………. 118

5.1 Systems development life cycle ………………………………………………144

5.2 System usability scale questionnaire ……………………………………….163

5.3 Cost-benefi t analysis ……………………………………………………………164

5.4 Example of a simple Gantt chart ……………………………………………167

T A B L E S , F I G U R E S , A N D E X H I B I T S · xiii

6.1 Project timeline with project phases ……………………………………….189

7.1 IT investment portfolio …………………………………………………………237

7.2 Days in accounts receivable ………………………………………………….239

7.3 Digital intensity versus transformation intensity ………………………..246

8.1 IT organizational chart: Large health system …………………………….257

10.1 Screenshot from NQF ………………………………………………………….. 341

10.2 Projected timetable for implementation of MACRA ……………………. 350

12.1 Overview of IT strategy development ……………………………………… 400

12.2 IT initiative priorities ………………………………………………………….. 415

12.3 IT plan timetable and budget ……………………………………………….. 416

12.4 Hype cycle for emerging technologies, 2014 …………………………….. 422

13.1 IT budget decision-making process …………………………………………443

13.2 Gross margin performance differences in high IT–use industries ….. 461

13.3 Singles and grand slams ……………………………………………………….463


2.1 Excerpt from ICD-10-CM 2016 ………………………………………………….38

2.2 Excerpt from ICD-10 PCS 2017 OCW …………………………………………40

2.3 Patient encounter form coding standards …………………………………..41

5.1 Overview of System Acquisition Process …………………………………. 147

9.1 Sample release of information form ………………………………………..294

9.2 Cybersecurity framework core ………………………………………………. 318

10.1 Medical Record Content: Excerpt from South Carolina Standards

for Licensing Hospitals and Institutional General Infi rmaries ……….326

10.2 Medical Record Content: Excerpt from the Conditions of

Participation for Hospitals …………………………………………………….328

11.1 Excerpt from ONC 2016 Interoperability Standards Advisory ………..366

11.2 X12 5010 professional claim standard……………………………………… 382

12.1 IT initiatives necessary to support a strategic goal for a provider …. 410

12.2 IT initiatives necessary to support a strategic goal for a

health plan ……………………………………………………………………….. 411

12.3 System support of nursing documentation ………………………………. 412

In memory of our colleague Andy Pasternack


Health care delivery is in the early stages of a profound shift in its core strat­
egies, organization, financing, and operational and care processes.

Reactive sick care is being replaced by proactive efforts to keep people
well and out of the hospital. Fragmented care delivery capabilities are being
supplanted by initiatives to create and manage cross-continuum systems
of care. Providers that were rewarded for volume are increasingly being
rewarded for quality and effi ciency.

New forms of reimbursement, such as bundles and various types of cap­
itation, are causing this shift. To thrive in the new era of health care delivery,
providers are creating health systems, such as accountable care organizations,
that include venues along the care spectrum.

In addition providers are introducing new processes to support the
need to manage care between encounters, keep people healthy, and ensure
that utilization is appropriate. Moreover, as reimbursement shifts to incent-
improved provider performance these organizations will have a common
need to optimize operational efficiency, improve financial management, and
effectively engage consumers in managing their health and care.

These changes in business models and processes follow on the heels of
the extraordinary increase in electronic health record adoption spurred by
the Meaningful Use program of the US federal government.

On top of a foundation of electronic health records, the industry will add
population health management applications, systems that support extensive
patient engagement, broader interoperability, and more significant use of
analytics. Providers involved in patient care will need immediate access to
electronic decision-support tools, the latest relevant research findings on a
given topic, and patient-specific reminders and alerts. Health care executives
will need to be able to devise strategic initiatives that take advantage of access
to real-time, relevant administrative and clinical information.

In parallel with the changes in health care, information technology (IT)
innovation continues at a remarkable pace. The Internet of Things is creating
a reality of intelligent homes, cars, and equipment, such as environmental
sensors and devices attached to patients. Social media use continues to grow


xvi · P R E F A C E

and become more sophisticated and capable. Mobile personal devices have
become the device of choice for personal and professional activities. Big data
has exceptional potential to help identify new diagnostic and therapeutic
algorithms, conduct most market surveillance, and assess the comparative
effectiveness of treatments.

For providers to prosper in this new era they must be very effective in
developing IT strategies, implementing the technology, and leveraging the
technology to improve organizational performance. They must understand
the nature of health care data and the challenges of privacy and security.
Clinicians and managers must appreciate the breadth of health care IT and
emerging health care IT trends.

The transformation of the health care industry means that IT is no longer
a necessary back-office evil—it is an essential foundation if an organization is
to survive. That has not been true in the past; provider organizations could
do quite well in a fee-for-service world without computerized physician order
entry and other advanced IT applications.

Having ready access to timely, complete, accurate, legible, and rele­
vant information is critical to health care organizations, providers, and
the patients they serve. Whether it is a nurse administering medication to
a comatose patient, a physician advising a patient on the latest research
findings for a specific cancer treatment, a billing clerk filing an electronic
claim, a chief executive officer justifying to the board the need for build­
ing a new emergency department, or a health policy analyst reporting on
the cost-effectiveness of a new prevention program to the state’s Medicaid
program, each individual needs access to high-quality information with
which to effectively perform his or her job.

The need for quality information in health care, already strong, has
never been greater, particularly as this sector of our society strives to provide
quality care, contain costs, and ensure adequate access.


The purpose of this book is to prepare future health care executives with
the knowledge and skills they need to manage information and information
systems technology effectively in this new environment. We wrote this book
with the graduate student (or upper-level undergraduate student) enrolled in
a health care management program in mind.

Our definition of health care management is fairly broad and includes
a range of academic programs from health administration, health infor­
mation management, and public health programs to master of business

P R E F A C E · xvii

administration (MBA) programs with an emphasis in health to nursing
administration and physician executive educational programs. This book
may also serve as an introductory text in health informatics programs.

The first (2005), second (2009), and third (2013) editions have been
widely used by a variety of health care management and health information
systems programs throughout the United States and abroad. Although we
have maintained the majority of the chapters from the third edition, this
edition has gone through significant changes in composition and structure
reflecting feedback from educators and students and the need to discuss
topics such as population health and recent changes in payment reform ini­
tiatives. We have removed the section on the international perspective on
health care information technology and updated the case studies of organi­
zations experiencing management-related information system challenges. We
also added a new chapter on the role of information systems in managing
population health.


The chapters in this book are organized into four major parts:

• Part One: “Major Environmental Forces That Shape the National
Health Information System Landscape” (Chapters One through Four)

• Part Two: “Selection, Implementation, Evaluation, and Management of
Health Care Information Systems” (Chapters Five through Eight)

• Part Three: “Laws, Regulations, and Standards That Affect Health
Care Information Systems” (Chapters Nine through Eleven)

• Part Four: “Senior-Level Management Issues Related to Health
Care Information Systems Management” (Chapters Twelve through

In addition Appendix A provides an overview of the health care IT indus­
try. Appendix B provides a compendium of a sample project charter, sample
job descriptions, and a sample user satisfaction survey.

The purpose of Part One (“Major Environmental Forces That Shape
the National Health Information System Landscape”) is to provide the
reader with the foundation needed for the rest of the book. This foun­
dation includes an overview of the major environmental forces that are
shaping the national health IT landscape, such as Medicare’s alternative
payment programs. The reader will gain insight into the different types
of clinical, administrative, and external data used by health care provider

xviii · P R E F A C E

organizations. Additionally, the reader will gain an understanding of the
adoption, use, and functionality of health care information systems with
focus on electronic health records (EHRs), personal health records (PHRs),
and systems need to support population health management (e.g., data
analytics, telehealth).

Specifically Part One has four chapters:

• Chapter One: National Health Information Technology Landscape. This
chapter discusses the various forces and activities that are shaping
health information systems nationally. The chapter reviews the
HITECH Act, the Affordable Care Act, HIPAA, and national efforts to
advance interoperability.

• Chapter Two: Health Care Data. This chapter examines the range
of health care data and issues with data quality and capture. This
examination is conducted from a cross-continuum, health system

• Chapter Three: Health Care Information Systems. This chapter provides
an overview of clinical and administrative information systems. The
chapter focuses on the electronic health record and personal health
record and describes in greater detail the major initiatives that have
led to current adoption and use of EHRs by hospitals and physician
practices (e.g., Meaningful Use and health information exchanges).
The chapter also includes discussion on the state of EHRs in settings
across the care continuum (e.g., behavioral health, community care,
long-term care). It concludes with a discussion on important health
care information system issues including interoperability, usability,
and health IT safety.

• Chapter Four: Information Systems to Support Population Health
Management. This is a new chapter. Its purpose is to focus on the key
data and information needs of health systems to effectively manage
population health. Key topics include population health, telehealth,
patient engagement (including social media), data analytics, and
health information exchange (HIE).

The purpose of Part Two (“Selection, Implementation, Evaluation, and
Management of Health Care Information Systems”) is to provide the reader
with an overview of what is needed to effectively select, implement, evaluate,
and manage health care information systems. This section discusses issues
mid- and senior-level managers are likely to encounter related to managing

P R E F A C E · xix

change and managing projects. The reader will also gain insight into the role
and functions of the IT organization or department.

Specifically Part Two has four chapters:

• Chapter Five: System Acquisition. This chapter discusses the processes
that organizations use to select information systems. We have
included a discussion on the importance of system architecture.

• Chapter Six: System Implementation and Support. This chapter reviews
the processes and activities need to implement and support health
care information systems. We have included an examination of change
management and project management.

• Chapter Seven: Assessing and Achieving Value in Health Care
Information Systems. This chapter discusses the nature of the value
that can be obtained from health care information systems and the
approaches to achieving that value.

• Chapter Eight: Organizing Information Technology Services. This
chapter reviews the structure and responsibilities of the IT
organization. This chapter discusses IT senior management roles such
as the chief information offi cer and the chief medical information
offi cer.

The purpose of Part Three (“Laws, Regulations, and Standards That
Affect Health Care Information Systems”) is to provide the reader with an
overview of the laws, regulations, and standards that affect health care infor­
mation systems. Emphasis is given to system security.

Specifically Part Three has three chapters:

• Chapter Nine: Privacy and Security. This chapter examines privacy and
security regulations and practices.

• Chapter Ten: Performance Standards and Measures. This chapter
discusses the wide range of regulations that affect health care
information systems, with an emphasis on new regulations related to
the focus on the continuum of care.

• Chapter Eleven: Health Care Information Systems Standards. This
chapter reviews the new and emerging standards that govern health
care data, transactions, and quality measures.

The purpose of Part Four (“Senior-Level Management Issues Related to
Health Care Information Systems Management”) is to provide the reader with

xx · P R E F A C E

an understanding of senior-level management responsibilities and activities
related to IT management.

Specifically Part Four has three chapters:

• Chapter Twelve: IT Alignment and Strategic Planning. This chapter
discusses the processes used by organizations to develop an IT
strategic plan. The chapter reviews the challenges faced in developing
these plans.

• Chapter Thirteen: IT Governance and Management. This chapter
discusses several topics that must be addressed by senior leadership
if IT is to be leveraged effectively: establishing IT governance,
developing the IT budget, and ensuring that projects are successful.

• Chapter Fourteen: Health IT Leadership Case Studies. This chapter
comprises case studies that provide real-world situations that touch on
the content of this textbook.

Each chapter in the book (except Chapter Fourteen) begins with a set of
chapter learning objectives and an overview and concludes with a summary
of the material presented and a set of learning activities. These activities are
designed to give students an opportunity to explore more fully the concepts intro­
duced in the chapter and to gain hands-on experience by visiting and talking
with IT and management professionals in a variety of health care settings.

Two appendixes offer supplemental information. Appendix A presents an
overview of the health care IT industry: the companies that provide IT hard­
ware, software, and a wide range of services to health care organizations.
Appendix B contains a sample project charter, sample job descriptions, and a
sample user satisfaction survey: documents referenced throughout the book.

Depending on the nature and interests of the students, various chapters
are worth emphasizing. Students and courses that are targeted for current
or aspiring senior executive positions may want to emphasize Chapter One
(National Health Care IT Landscape), Chapter Four (Population Health),
Chapter Seven (IT Value), Chapter Twelve (IT Strategy), and Chapter Thirteen
(IT Governance and Management). For classes focused on mid-level man­
agement, Chapter One (National Health Care IT Landscape), Chapter Five
(System Selection), Chapter Six (System Implementation), and Chapter Seven
(IT Value) will merit attention.

Regardless of role, Chapter Two (Health Care Data), Chapter Three
(Health Care Information Systems), Chapter Eight (IT Organization), and
Part Three (Laws, Regulations, and Standards) provide important founda­
tional knowledge.

P R E F A C E · xxi

One final comment. Two terms, health information technology (HIT) and
health care information systems (HCIS), are frequently used throughout the
text. Although it may seem that these terms are interchangeable, they are, in
fact, related but different. As used in this text, HIT encompasses the technol­
ogies (hardware, software, networks, etc.) used in the management of health
information. HCIS describes a broader concept that not only encompasses HIT
but also the processes and people that the HIT must support. HCIS delivers
value to individual health care organizations, patients, and providers, as well
as across the continuum of care and for entire communities of individuals.
HIT delivers little value on its own. Both HCIS and HIT must be managed,
but the management of HCIS is significantly more difficult and diverse.

Health care and health care information technology are in the early stages
of a profound transformation. We hope you find this textbook helpful as we
prepare our students for the challenges that lie ahead.


We wish to extend a special thanks to Juli Wilt for her dedication and assis­
tance in preparing the fi nal manuscript for this book. We also wish to thank
the following MUSC students in the doctoral program in health administra­
tion, who contributed information systems management stories and expe­
riences to us for use as case studies: Penney Burlingame, Barbara Chelton,
Stuart Fine, David Freed, David Gehant, Patricia Givens, Shirley Harkey,
Victoria Harkins, Randall Jones, Michael Moran, Catrin Jones-Nazar, Ronald
Kintz, Lauren Lent, George Mikatarian, Lorie Shoemaker, and Gary Wilde.

To all of our students whom we have learned from over the years, we
thank you.

Finally, we wish to extend a very special thanks to Molly Shane Grasso
for her many contributions to Chapter Four, “Information Systems to Support
Population Health Management.”


The Authors

Karen A. Wager is professor and associate dean for student affairs in the
College of Health Professions at the Medical University of South Carolina
(MUSC), where she teaches management and health information systems
courses to graduate students. She has more than thirty years of professional
and academic experience in the health information management profession
and has published numerous articles, case studies, and book chapters. Recog­
nized for her excellence in interprofessional education and in bringing prac­
tical research to the classroom, Wager received the 2016 College Teacher of
the Year award and the 2008 MUSC outstanding teaching award in the educa­
tor-lecturer category and the 2008 Governor’s Distinguished Professor Award.
She currently serves as the chair of the Accreditation Council for the Com­
mission on Accreditation of Healthcare Management Education (CAHME), is
a member of the CAHME board of directors, and is a past fellow of CAHME.
Wager previously served as a member of the HIMSS-AUPHA-CAHME Task
Force responsible for the development of a model curriculum in health
information systems appropriate for educating graduate students in health
administration programs. She is past president of the South Carolina chapter
of the Healthcare Information and Management Systems Society (HIMSS)
and past president of the South Carolina Health Information Management
Association. Wager holds a doctor of business administration (DBA) degree
with an emphasis in information systems from the University of Sarasota.

Frances Wickham Lee is professor and director of instructional operations
for Healthcare Simulation South Carolina at the Medical University of South
Carolina (MUSC). She recently joined the faculty at Walden University to
teach in the Master of Healthcare Administration program. Lee has more
than thirty years of professional and academic experience in the health
information management, including publication of numerous articles and
book chapters related to the field. She is past president of the North Carolina
Health Information Management Association and South Carolina chapter of
the Healthcare Information and Management Systems Society (HIMSS). Since
2007, Lee has broadened her expertise as a health care educator through
her membership in a pioneering team charged with bringing health care


xxvi · T H E A U T H O R S

simulation to students and practicing professionals across the state of South
Carolina. She holds a DBA degree with an emphasis in information systems
from the University of Sarasota.

John P. Glaser currently serves as the senior vice president of population health
for Cerner. He joined Cerner in 2015 as part of the Siemens Health Services
acquisition, where he was CEO. Prior to Siemens, Glaser was vice president
and CIO at Partners HealthCare. He also previously served as vice president of
information systems at Brigham and Women’s Hospital.

Glaser was the founding chair of the College of Healthcare Informa­
tion Management Executives (CHIME) and the past president of the Health-
care Information and Management Systems Society (HIMSS). He has served
on numerous boards including eHealth Initiative, the American Telemedi­
cine Association (ATA), and the American Medical Informatics Association
(AMIA). He is a fellow of CHIME, HIMSS, and the American College of Health
Informatics. He is a former senior advisor to the Office of the National Coor­
dinator for Health Information Technology (ONC).

Glaser has published more than two hundred articles, three books on the
strategic application of information technology in health care. Glaser holds
a PhD in health care information systems from the University of Minnesota.

Health Care

Information Systems

Major Environmental
Forces That Shape

the National Health
Information System





The National Health

Information Technology



• To be able to discuss some of the most signifi cant infl uences
shaping the current and future health information technology
landscapes in the United States.

• To understand the roles national private sector and government
initiatives have played in the advancement of health information
technology in the United States.

• To be able to describe major events since the 1990s that have
infl uenced the adoption of health information technologies and


4 · C H A P T E R 1 : T H E N A T I O N A L H E A L T H I N F O R M A T I O N T E C H N O L O G Y L A N D S C A P E

Since the early 1990s, the use of health information technology (HIT)
across all aspects of the US health care delivery system has been increasing.
Electronic health records (EHRs), telehealth, social media, mobile applica­
tions, and so on are becoming the norm—even commonplace—today. Today’s
health care providers and organizations across the continuum of care have
come to depend on reliable HIT to aid in managing population health effec­
tively while reducing costs and improving quality patient care. Chapter One
will explore some of the most signifi cant influences shaping the current and
future HIT landscapes in the United States. Certainly, advances in infor­
mation technology affect HIT development, but national private sector and
government initiatives have played key roles in the adoption and application
of the technologies in health care. This chapter will provide a chronologi­
cal overview of the significant government and private sector actions that
have directly or indirectly affected the adoption of HIT since the Institute of
Medicine landmark report, The Computer-Based Patient Record: An Essential
Technology for Health Care, authored by Dick and Steen and published in 1991.
Knowledge of these initiatives and mandates shaping the current HIT national
landscape provides the background for understanding the importance of the
health information systems that are used to promote excellent, cost-effective
patient care.


Institute of Medicine CPR Report

The Institute of Medicine (IOM) report The Computer-Based Patient Record:
An Essential Technology for Health Care (Dick & Steen, 1991) brought
international attention to the numerous problems inherent in paper-based
medical records and called for the adoption of the computer-based patient
record (CPR) as the standard by the year 2001. The IOM defi ned the
CPR as “an electronic patient record that resides in a system specifi ­
cally designed to support users by providing accessibility to complete and
accurate data, alerts, reminders, clinical decision support systems, links
to medical knowledge, and other aids” (Dick & Steen, 1991, p. 11). This
vision of a patient’s record offered far more than an electronic version of
existing paper records—the IOM report viewed the CPR as a tool to assist
the clinician in caring for the patient by providing him or her with remind­
ers, alerts, clinical decision–support capabilities, and access to the latest
research findings on a particular diagnosis or treatment modality. CPR
systems and related applications, such as EHRs, will be further discussed

2 0 0 0 – 2 0 1 0 : T H E A R R I V A L O F H I T · 5

in Chapter Three. At this point, it is important to understand the IOM
report’s impact on the vendor community and health care organizations.
Leading vendors and health care organizations saw this report as an
impetus toward radically changing the ways in which patient information
would be managed and patient care delivered. During the 1990s, a number
of vendors developed CPR systems. However, despite the fact that these
systems were, for the most part, reliable and technically mature by the
end of the decade, only 10 percent of hospitals and less than 15 percent
of physician practices had implemented them (Goldsmith, 2003). Needless
to say, the IOM goal of widespread CPR adoption by 2001 was not met.
The report alone was not enough to entice organizations and individual
providers to commit to the required investment of resources to make the
switch from predominantly paper records.

Health Insurance Portability and Accountability Act (HIPAA)

Five years after the IOM report advocating CPRs was published, President
Clinton signed into law the Health Insurance Portability and Account­
ability Act (HIPAA) of 1996 (which is discussed in detail in Chapter Nine).
HIPAA was designed primarily to make health insurance more affordable
and accessible, but it included important provisions to simplify adminis­
trative processes and to protect the security and confi dentiality of personal
health information. HIPAA was part of a larger health care reform effort and
a federal interest in HIT for purposes beyond reimbursement. HIPAA also
brought national attention to the issues surrounding the use of personal
health information in electronic form. The Internet had revolutionized the
way that consumers, providers, and health care organizations accessed health
information, communicated with each other, and conducted business, creat­
ing new risks to patient privacy and security.


IOM Patient Safety Reports

A second IOM report, To Err Is Human: Building a Safer Health Care System
(Kohn, Corrigan, & Donaldson, 2000), brought national attention to research
estimating that 44,000 to 98,000 patients die each year because of medical
errors. A subsequent related report by the IOM Committee on Data Stan­
dards for Patient Safety, Patient Safety: Achieving a New Standard for Care
(Aspden, 2004), called for health care organizations to adopt information

6 · C H A P T E R 1 : T H E N A T I O N A L H E A L T H I N F O R M A T I O N T E C H N O L O G Y L A N D S C A P E

technology capable of collecting and sharing essential health information on
patients and their care. This IOM committee examined the status of stan­
dards, including standards for health data interchange, terminologies, and
medical knowledge representation. Here is an example of the committee’s

• As concerns about patient safety have grown, the health care
sector has looked to other industries that have confronted similar
challenges, in particular, the airline industry. This industry learned
long ago that information and clear communications are critical to
the safe navigation of an airplane. To perform their jobs well and
guide their plane safely to its destination, pilots must communicate
with the airport controller concerning their destination and current
circumstances (e.g., mechanical or other problems), their fl ight
plan, and environmental factors (e.g., weather conditions) that
could necessitate a change in course. Information must also pass
seamlessly from one controller to another to ensure a safe and
smooth journey for planes fl ying long distances, provide notifi cation
of airport delays or closures because of weather conditions, and
enable rapid alert and response to extenuating circumstance, such as
a terrorist attack.

• Information is as critical to the provision of safe health care—which
is free of errors of commission and omission—as it is to the safe
operation of aircraft. To develop a treatment plan, a doctor must have
access to complete patient information (e.g., diagnoses, medications,
current test results, and available social supports) and to the most
current science base (Aspden, 2004).

Whereas To Err Is Human focused primarily on errors that occur in hospi­
tals, the 2004 report examined the incidence of serious safety issues in other
settings as well, including ambulatory care facilities and nursing homes. Its
authors point out that earlier research on patient safety focused on errors
of commission, such as prescribing a medication that has a potentially fatal
interaction with another medication the patient is taking, and they argue
that errors of omission are equally important. An example of an error of
omission is failing to prescribe a medication from which the patient would
likely have benefited (Institute of Medicine, Committee on Data Standards
for Patient Safety, 2003). A significant contributing factor to the unacceptably
high rate of medical errors reported in these two reports and many others is
poor information management practices. Illegible prescriptions, unconfi rmed

2 0 0 0 – 2 0 1 0 : T H E A R R I V A L O F H I T · 7

verbal orders, unanswered telephone calls, and lost medical records could all
place patients at risk.

Transparency and Patient Safety

The federal government also responded to quality of care concerns by pro­
moting health care transparency (for example, making quality and price
information available to consumers) and furthering the adoption of HIT. In
2003, the Medicare Modernization Act was passed, which expanded the
program to include prescription drugs and mandated the use of electronic
prescribing (e-prescribing) among health plans providing prescription drug
coverage to Medicare beneficiaries. A year later (2004), President Bush called
for the widespread adoption of EHR systems within the decade to improve
efficiency, reduce medical errors, and improve quality of care. By 2006, he
had issued an executive order directing federal agencies that administer or
sponsor health insurance programs to make information about prices paid
to health care providers for procedures and information on the quality of
services provided by physicians, hospitals, and other health care providers
publicly available. This executive order also encouraged adoption of HIT
standards to facilitate the rapid exchange of health information (The White
House, 2006).

During this period significant changes in reimbursement practices also
materialized in an effort to address patient safety, health care quality, and
cost concerns. Historically, health care providers and organizations had
been paid for services rendered regardless of patient quality or outcome.
Nearing the end of the decade, payment reform became a hot item. For
example, pay for performance (P4P) or value-based purchasing pilot
programs became more widespread. P4P reimburses providers based on
meeting predefined quality measures and thus is intended to promote
and reward quality. The Centers for Medicare and Medicaid Services
(CMS) notified hospitals and physicians that future increases in payment
would be linked to improvements in clinical performance. Medicare also
announced it would no longer pay hospitals for the costs of treating certain
conditions that could reasonably have been prevented—such as bedsores,
injuries caused by falls, and infections resulting from the prolonged use of
catheters in blood vessels or the bladder—or for treating “serious prevent­
able” events—such as leaving a sponge or other object in a patient during
surgery or providing the patient with incompatible blood or blood prod­
ucts. Private health plans also followed Medicare’s lead and began denying
payment for such mishaps. Providers began to recognize the importance

8 · C H A P T E R 1 : T H E N A T I O N A L H E A L T H I N F O R M A T I O N T E C H N O L O G Y L A N D S C A P E

of adopting improved HIT to collect and transmit the data needed under
these payment reforms.

Office of the National Coordinator for Health

Information Technology

In April 2004, President Bush signed Executive Order No. 13335, 3 C.F.R.,
establishing the Office of the National Coordinator for Health Information
Technology (ONC) and charged the office with providing “leadership for
the development and nationwide implementation of an interoperable health
information technology infrastructure to improve the quality and effi ciency
of health care.” In 2009, the role of the ONC (organizationally located within
the US Department of Health and Human Services) was strengthened when
the Health Information Technology for Economic and Clinical Health
(HITECH) Act legislatively mandated it to provide leadership and oversight
of the national efforts to support the adoption of EHRs and health informa­
tion exchange (HIE) (ONC, 2015).

In spite of the various national initiatives and changes to reimbursement
during the first decade of the twenty-first century, by the end of the decade
only 25 percent of physician practices (Hsiao, Hing, Socey, & Cai, 2011) and
12 percent of hospitals (Jha, 2010) had implemented “basic” EHR systems.
The far majority of solo and small physician practices continued to use paper-
based medical record systems. Studies show that the relatively low adoption
rates among solo and small physician practices were because of the cost of
HIT and the misalignment of incentives (Jha et al., 2009). Patients, payers,
and purchasers had the most to gain from physician use of EHR systems, yet
it was the physician who was expected to bear the total cost. To address this
misalignment of incentives issue, to provide health care organizations and
providers with some funding for the adoption and Meaningful Use of EHRs,
and to promote a national agenda for HIE, the HITECH Act was passed as a
part of the American Recovery and Reinvestment Act in 2009.



HITECH and Meaningful Use

An important component of HITECH was the establishment of the Medicare
and Medicaid EHR Incentive Programs. Eligible professionals and hospitals
that adopt, implement, or upgrade to a certified EHR received incentive pay­
ments. After the first year of adoption, the providers had to prove successfully

2 0 1 0 – P R E S E N T : H E A L T H C A R E R E F O R M A N D T H E G R O W T H O F H I T · 9

that they were “demonstrating Meaningful Use” of certified EHRs to receive
additional incentive payments. The criteria, objectives, and measures for
demonstrating Meaningful Use evolved over a five-year period from 2011 to
2016. The first stage of Meaningful Use criteria was implemented in 2011–2012
and focused on data capturing and sharing. Stage 2 (2014) criteria are
intended to advance clinical processes, and Stage 3 (2016) criteria aim to show
improved outcomes. Table 1.1 provides a broad overview of the Meaningful
Use criteria by stage.

Through the Medicare EHR Incentive Program, each eligible professional
who adopted and achieved meaningful EHR use in 2011 or 2012 was able
to earn up to $44,000 over a five-year period. The amount decreased over
the period, creating incentives to providers to start sooner rather than later.

Table 1.1 Stages of Meaningful Use

Stage 1: Stage 2: Stage 3:
Meaningful Use criteria Meaningful Use criteria Meaningful Use criteria
focus focus focus

Electronically capturing
health information in a
standardized format

Using that information
to track key clinical

Communicating that
information for care
coordination processes

Initiating the reporting
of clinical quality
measures and public
health information

Using information to
engage patients and
their families in their

More rigorous HIE

Increased requirements
for e-prescribing and
incorporating lab

Electronic transmission
of patient summaries
across multiple settings

More patient-controlled

Improving quality, safety,
and effi ciency leading
to improved health

Decision support for
national high-priority

Patient access to self-
management tools

Access to comprehensive
patient data through
patient-centered HIE

Improving population

Source: ONC (n.d.a.).

10 · C H A P T E R 1 : T H E N A T I O N A L H E A L T H I N F O R M A T I O N T E C H N O L O G Y L A N D S C A P E

Eligible hospitals could earn over $2 million through the Medicare EHR
Incentive Program, and the Medicaid program made available up to $63,500
for each eligible professional (through 2021) and over $2 million to each
eligible hospital. As of December 2015, more than 482,000 health care pro­
viders received a total of over $31 billion in payments for participating in the
Medicare and Medicaid EHR Incentive Programs (CMS, n.d.). See Table 1.2
for primary differences between the two incentive programs.

Within the ONC, the Office of Interoperability and Standards oversees
certification programs for HIT. The purpose of certification is to provide
assurance to EHR purchasers and other users that their EHR system has the
technological capability, functionality, and security needed to assist them in
meeting Meaningful Use criteria. Eligible providers who apply for the EHR
Medicare and Medicaid Incentive Programs are required to use certifi ed EHR
technology. The ONC has authorized certain organizations to perform the
actual testing and certification of EHR systems.

Other HITECH Programs

Many small physician practices and rural hospitals do not have the in-house
expertise to select, implement, and support EHR systems that meet certifi ca­
tion standards. To address these needs, HITECH funded sixty-two regional
extension centers (RECs) throughout the nation to support providers in adopt­
ing and becoming meaningful users of EHRs. The RECs are primarily intended
to provide advice and technical assistance to primary care providers, espe­
cially those in small practices, and to small rural hospitals, which often do not
have information technology (IT) expertise. Furthermore, HITECH provided
funding for various workforce training programs to support the education
of HIT professionals. The education-based programs included curriculum
development, community college consortia, competency examination, and
university-based training programs, with the overarching goal of training an
additional forty-five thousand HIT professionals. Funding was also made avail­
able to seventeen Beacon communities and Strategic Health IT Advanced
Research Projects (SHARP) across the nation. The Beacon programs are
leading organizations that are demonstrating how HIT can be used in innova­
tive ways to target specific health problems within communities (,
2012). These programs are illustrating HIT’s role in improving individual and
population health outcomes and in overcoming barriers such as coordination
of care, which plagues our nation’s health care system (McKethan et al., 2011).

Achieving Meaningful Use requires that health care providers are able to
share health information electronically with others using a secure network
for HIE. To this end, HITECH provided state grants to help build the HIE

2 0 1 0 – P R E S E N T : H E A L T H C A R E R E F O R M A N D T H E G R O W T H O F H I T · 11

Table 1.2 Differences between Medicare and Medicaid EHR incentive programs

Medicare EHR Incentive Program Medicaid EHR Incentive Program

Federally implemented and available

Medicare Advantage professionals have
special eligibility accommodations.

Open to physicians, subsection (d)
hospitals, and critical access hospitals

Same definition of Meaningful Use
applied to all participants nationally

Must demonstrate Meaningful Use in
fi rst year

Maximum incentive for eligible
professionals is $44,000; 10 percent
for HPSA (health professional shortage

2014 is the last year in which a
professional can initiate participation.

Payments over fi ve years

In 2015 fee reductions (penalties) begin
for those who do not demonstrate
Meaningful Use of a certifi ed HER.

2016 is the last incentive payment year.

No Medicare patient population
minimum is required.

Implemented voluntarily by states

Medicaid managed care professionals
must meet regular eligibility

Open to fi ve types of professionals and
three types of hospitals

States can adopt a more rigorous
definition of Meaningful Use.

Adopt, implement, or upgrade option in
fi rst year

Maximum incentive for eligible
professionals is $63,750.

2016 is the last year in which a
professional can initiate participation.

Payments over six years

No fee reductions (penalties)

2021 is the last incentive payment year.

Eligible professionals must have a
30 percent Medicaid population
(20 percent for pediatricians) to
participate; this must be demonstrated

Source: Carson, Garr, Goforth, and Forkner (2010).

infrastructure for exchange of electronic health information among provid­
ers and between providers and consumers. Nearly all states have approved
strategic and operational plans for moving forward with implementation of
their HIE cooperative agreement programs.

12 · C H A P T E R 1 : T H E N A T I O N A L H E A L T H I N F O R M A T I O N T E C H N O L O G Y L A N D S C A P E

Affordable Care Act

In addition to the increased efforts to promote HIT through legislated pro­
grams, the early 2010s brought dramatic change to the health care sector as
a whole with the passage of significant health care reform legislation. Amer­
icans have grappled for decades with some type of “health care reform” in
an attempt to achieve the simultaneous “triple aims” for the US health care
delivery system:

• Improve the patient experience of care

• Improve the health of populations

• Reduce per capita cost of health care (IHI, n.d.)

Full achievement of these aims has been challenging within a health care
delivery system managed by different stakeholders—payers, providers, and
patients—whose goals are frequently not well aligned. The latest attempt at
reform occurred in 2010, when President Obama signed into law the Patient
Protection and Affordable Care Act (PPACA), now known as the Affordable
Care Act (ACA).

Along with mandating that individuals have health insurance and
expanding Medicaid programs, the ACA created the structure for health
insurance exchanges, including a greater role for states, and imposed
changes to private insurance, such as prohibiting health plans from
placing lifetime limits on the dollar value of coverage and prohibiting
preexisting condition exclusions. Numerous changes were to be made to
the Medicare program, including continued reductions in Medicare pay­
ments to certain hospitals for hospital-acquired conditions and excessive
preventable hospital readmissions. Additionally, the CMS established an
innovation center to test, evaluate, and expand different payment struc­
tures and methodologies to reduce program expenditures while main­
taining or improving quality of care. Through the innovation center and
other means, CMS has been aggressively pursuing implementation of
value-based payment methods and exploring the viability of alternative
models of care and payment.

The final assessment of the success of ACA is still unknown; however,
what is certain is that its various programs will rely heavily on quality HIT
to achieve their goals. A greater emphasis than ever is placed on facilitating
patient engagement in their own care through the use of technology. On the
other end of the spectrum, new models of care and payment include improved
health for populations as an explicit goal, requiring HIT to manage the sheer
volume and complexity of data needed.

2 0 1 0 – P R E S E N T : H E A L T H C A R E R E F O R M A N D T H E G R O W T H O F H I T · 13

Value-Based Payment Programs

Shortly after the ACA was passed, CMS implemented several value-based
payment programs in an effort to reward health care providers with incentive
payments for the quality of care they provide to Medicare patients. In 2015,
the Medicare Access and CHIP Reauthorization Act (MACRA) was signed
into law. Among other things, MACRA outlines a timetable for the 2019
implementation of a merit-based incentive payment system (MIPS) that will
replace other value-based payment programs, including the EHR Incentive
Programs. MIPS will use a set of performance measures, divided into catego­
ries, to calculate a score (between 0 and 100) for eligible professionals. Each
category of performance will be weighted as shown in Table 1.3.

Health care providers meeting the established threshold score will receive
no adjustment to payment; those scoring below will receive a negative adjust­
ment, and those above, a positive adjustment. Exceptional performers may
receive bonus payments (CMS, n.d.).

Alternate Payment Methods

Providers who meet the criteria to provide an alternate payment method
(APM) will receive bonus payments and will be exempt from the MIPS.
Although there are likely to be other APMs identified over time, three types
are receiving a great deal of attention currently: accountable care organi­
zations (ACOs), bundled payments, and patient-centered medical homes
(PCMHs). ACOs are “networks of . . . health care providers that share respon­
sibility for coordinating care and meeting health care quality and cost metrics
for a defined patient population” (Breakaway Policy Strategies for FasterCures,
2015, p. 2). Bundled payments aim to incentivize providers to improve care
coordination, promote teamwork, and lower costs. Payers will compensate

Table 1.3 MIPS performance categories

Category Weight (%)

Quality 50

Advancing care information 25

Clinical practice improvement activities 15

Resource use 10

14 · C H A P T E R 1 : T H E N A T I O N A L H E A L T H I N F O R M A T I O N T E C H N O L O G Y L A N D S C A P E

providers with a single payment for an episode of care. PCMHs are APMs
that are rooted in the private sector. In 2007, four physician societies pub­
lished a joint statement of principles emphasizing a personal physician–led
coordination of care. All of the APMs rely heavily on HIT. ACOs and PCMHs,
in particular, require that HIT support the organization and its providers in
the carrying out the following functions:

• Manage and coordinate integrated care.

• Identify, manage, and reduce or contain costs.

• Adhere to evidence-based practice guidelines and standards of care;
ensure quality and safety.

• Manage population health.

• Engage patients and their families and caregivers in their own care.

• Report on quality outcomes.

HIT Interoperability Efforts

Despite efforts dating back to the first reports on the need for adoption of
computerized patient records, complete interoperability among HIT systems,
which is key to supporting an integrated health care delivery system that
provides improved care to individuals and populations while managing costs,
remains elusive. The federal government, along with other provider, vendor,
and professional organizations, however, recognize this need for interopera­
bility. The ONC defines interoperability as “the ability of a system to exchange
electronic health information with and use electronic health information from
other systems without special effort on the part of the user” (ONC, n.d.a).
Interoperability among HIT encompasses far more than just connected EHRs
across systems. Home health monitoring systems are becoming common­
place, telehealth is on the rise, and large public health databases exist at
state and national levels. True interoperability will encompass any electronic
sources with information needed to provide the best possible health care.

Some of the more notable efforts toward HIT interoperability include
the efforts by the government under the direction of the ONC and several
other national public and private organizations. In 2015, the ONC published
“Connecting Health and Care for the Nation: A Shared Nationwide Interop­
erability Roadmap,” a ten-year plan for achieving HIT interoperability in the
United States. Figure 1.1 summarizes the key milestones identified in the ONC
road map. The ultimate goal for 2024 is “a learning health system enabled
by nationwide interoperability.” The goal of the learning health system is to

2 0 1 0 – P R E S E N T : H E A L T H C A R E R E F O R M A N D T H E G R O W T H O F H I T · 15

Figure 1.1 Milestones for a supportive payment and regulatory environment

Source: ONC (2015).

improve the health of individuals and populations by “generating information
and knowledge from data captured and updated over time . . . and sharing and
disseminating what is learned in timely and actionable forms that directly
enable individuals, clinicians, and public health entities to . . . make informed
decisions” (ONC, 2015, p. 18).

Health Level Seven International (HL7), a not-for-profi t, ANSI (American
National Standards Institute)–accredited, standards-developing organization,
is focused on technical standards for HIE. The HL7 Fast Healthcare Interop­
erability Resources (FHIR) standards were introduced in 2012 and are under
development to improve the exchange of EHR data. About this same time
Healtheway, now the Sequoia Project, was chartered as a nonprofi t organi­
zation to “advance the implementation of secure, interoperable nationwide
health information exchange” (Sequoia Project, n.d.a). The Sequoia Project
supports several initiatives, including the eHealth Exchange, a group of
government and nongovernment organizations devoted to improving patient
care through “interoperable health information exchange” (Sequoia Project,
n.d.a). Unlike HL7, which focuses on technical standards, eHealth Exchange’s
primary focus is on the legal and policy barriers associated with nationwide
interoperability. Another Sequoia initiative, Carequality, strives to connect
private HIE networks. Another private endeavor, Commonwell Health Alli­
ance, is a consortium of HIT vendors and other organizations that are com­
mitted to achieving interoperability. Commonwell began in 2013 with six
EHR vendors. In 2015, their membership represented 70 percent of hospitals.
Provider members of Commonwell register their patients in order to exchange
easily information with other member providers (Jacob, 2015).

Although HIT has become commonplace across the continuum of care,
seamless interoperability among the nation’s HIT systems has not yet been
realized. One author describes the movement toward HIT interoperability in
the United States not as a straight path but rather as a jigsaw puzzle with
multiple public and private organizations “working on different pieces”

16 · C H A P T E R 1 : T H E N A T I O N A L H E A L T H I N F O R M A T I O N T E C H N O L O G Y L A N D S C A P E

(Jacob, 2015). Interoperability requires not only technical standards but also
a national health information infrastructure, along with an effective gov­
erning system. Concerns about the misalignment of incentives for achiev­
ing interoperability remain. Most experts agree that technology is not the
barrier to interoperability. Governance and alignment of agendas among
disparate organizations are cited as the most daunting barriers. Because of
its potential to affect seriously the progress of interoperability, in 2015, the
ONC reported to Congress on the phenomenon of health information block­
ing, which is defined as occurring “when persons or entities knowingly and
unreasonably interfere with the exchange or use of electronic health infor­
mation” (ONC, 2015). The report charged that current economic incentives
were not supportive of information exchange and that some of the current
market practices actually discouraged sharing health information (DeSalvo
& Daniel, 2015).


Chapter One provides a brief chronological overview of the some of the most
significant national drivers in the development, growth, and use of HIT in
the United States. Since the 1990s and the publication of The Computer-Based
Patient Record: An Essential Technology for Health Care, the national HIT
landscape has certainly evolved, and it will continue to do so. Challenges
to realizing an integrated national HIT infrastructure are numerous, but the
need for one has never been greater. Recognizing that the technology is not
the major barrier to the national infrastructure, the government, through
legislation, CMS incentive programs, the ONC, and other programs, will
continue to play a significant role in the Meaningful Use of HIT, pushing for
the alignment of incentives within the health care delivery system.

In a 2016 speech, CMS acting chief Andy Slavitt summed up the govern­
ment’s role in achieving its HIT vision with the following statements:

The focus will move away from rewarding providers for the use of tech­
nology and towards the outcome they achieve with their patients.

Second, providers will be able to customize their goals so tech compa­
nies can build around the individual practice needs, not the needs of the
government. Technology must be user-centered and support physicians,
not distract them.

Third, one way to aid this is by leveling the technology playing fi eld for
start-ups and new entrants. We are requiring open APIs . . . that allow
apps, analytic tools, and connected technologies to get data in and out of
an EHR securely.

K E Y T E R M S · 17

We are deadly serious about interoperability. We will begin initiatives . . .
pointing technology to fill critical use cases like closing referral loops and
engaging a patient in their care.

Technology companies that look for ways to practice “data blocking” in oppo­
sition to new regulations will find that it won’t be tolerated. (Nerney, 2016)

Many of the initiatives discussed in Chapter One will be explored more
fully in subsequent chapters of this book. The purpose of Chapter One is
to provide the reader with a snapshot of the national HIT landscape and
enough historical background to set the stage for why health care managers
and leaders must understand and actively engage in the implementation of
effective health information systems to achieve better health for individuals
and populations while managing costs.

Accountable Care Organizations (ACOs)

Affordable Care Act (ACA)

Alternate payment methods (APM)

American Recovery and Reinvestment

ANSI (American National Standards

Beacon communities
Bundled payments
Centers for Medicare and Medicaid

Services (CMS)
Commonwell Health Alliance
Computer-based patient record (CPR)
Coordination of care
eHealth Exchange
Electronic health records (EHRs)
Fast Healthcare Interoperability

Resources (FHIR) standards
Health information blocking
Health information exchange (HIE)
Health information technology (HIT)
Health Information Technology for

Economic and Clinical Health


Health Insurance Portability and

Accountability Act (HIPAA)

Health Level Seven International


HIT interoperability
Meaningful Use of EHR
Medicare Access and CHIP

Reauthorization Act (MACRA)
Medicare Modernization Act
Merit-based incentive payment system

Nationwide Interoperability

Office of the National Coordinator

for Health Information Technology

Patient-centered medical homes

Patient safety
Pay for performance (P4P)
Regional extension centers (RECs)
Strategic Health IT Advanced

Research Projects (SHARP)
The Sequoia Project
Value-based payment

18 · C H A P T E R 1 : T H E N A T I O N A L H E A L T H I N F O R M A T I O N T E C H N O L O G Y L A N D S C A P E


1. Investigate the latest Meaningful Use criteria for eligible professionals
or eligible hospitals. Visit either a physician practice or hospital in
your community. Have they participated in the Medicare or Medicaid
EHR Incentive Program? Why or why not? If the organization or
provider has participated in the program, what has the experience
been like? What lessons have they learned? Find out the degree to
which the facility uses EHRs and what issues or challenges they have
had in achieving Meaningful Use.

2. Evaluate different models of care within your local community or
state. Did you find any examples of accountable care organizations
or patient-centered medical homes? Explain. Working as a team, visit
or interview a leader from a site that uses an innovative model of
care. Describe the model, its use, challenges, and degree of patient
coordination and integration. How is HIT used to support the delivery
of care and reporting of outcomes?

3. Investigate one of the Beacon communities to find out how they
are using HIT to improve quality of care and access to care within
their region. Be prepared to share with the class a summary of your
findings. Do you think the work that this Beacon community has
done could be replicated in your community? Why or why not?

4. Explore the extent to which health information exchange is occurring
within your community, region, or state. Who are the key players?
What types of models of health information exchange exist? To
what extent is information being exchanged across organizations for
patient care purposes?

5. Investigate the CMS website to determine their current and proposed
value-based or pay-for-performance programs. Compare one or more
of the programs to the traditional fee-for-service payment method.
What are the advantages and disadvantages of each to a physician
provider in a small practice?


Aspden, P. (2004). Patient safety: Achieving a new standard for care. Washington,
DC: National Academies Press.

Breakaway Policy Strategies for FasterCures. (2015). A closer look at alternative
payment models. FasterCures value and coverage issue brief. Retrieved August 4,
2016, from


R E F E R E N C E S · 19

Carson, D. D., Garr, D. R., Goforth, G. A., & Forkner, E. (2010). The time to hesitate
has passed: The age of electronic health records is here (pp. 2–11). Columbia,
SC: South Carolina Medical Association.

Centers for Medicare & Medicaid Services (CMS). (n.d.). The merit-based incen­
tive payment system: MIPS scoring methodology overview. Retrieved August
4, 2016, from

DeSalvo, K., & Daniel, J. (2015, April 10). Blocking of health information undermines
health system interoperability and delivery reform. HealthIT Buzz. Retrieved
August 4, 2016, from

Dick, R. S., & Steen, E. B. (1991). The computer-based patient record: An essential
technology for health care. Washington, DC: National Academy Press.

Goldsmith, J. C. (2003). Digital medicine: Implications for healthcare leaders.
Chicago, IL: Health Administration Press. (2012). The Beacon community program improving health through
health information technology [Brochure]. Retrieved August 3, 2016, from les/beacon-communities- lessons­

Hsiao, C., Hing, E., Socey, T., & Cai, B. (2011, Nov.). Electronic medical record/
electronic health record systems of office-based physicians: United States, 2009
and preliminary 2010 state estimates. NCHS Data Brief (79). Washington, DC:
US Department of Health and Human Services, National Center for Health
Statistics, Division of Health Care Statistics.

Institute for Healthcare Improvement (IHI). (n.d.). The IHI triple aim. Retrieved
September 22, 2016, from

Institute of Medicine, Committee on Data Standards for Patient Safety. (2003).
Reducing medical errors requires national computerized information systems:
Data standards are crucial to improving patient safety. Retrieved from http://

Jacob, J. A. (2015). On the road to interoperability, public and private organizations
work to connect health care data. JAMA, 314(12), 1213.

Jha, A. K. (2010). Meaningful use of electronic health records. JAMA, 304(15),
1709. doi:10.1001/jama.2010.1497

Jha, A. K., Desroches, C. M., Campbell, E. G., Donelan, K., Rao, S. R., Ferris,
T. G. . . . Blumenthal, D. (2009). Use of electronic health records in US hos­
pitals. New England Journal of Medicine, 360(16), 1628–1638. doi:10.1056/

Kohn, L. T., Corrigan, J., & Donaldson, M. S. (2000). To err is human: Building a
safer health system. Washington, DC: National Academy Press.

20 · C H A P T E R 1 : T H E N A T I O N A L H E A L T H I N F O R M A T I O N T E C H N O L O G Y L A N D S C A P E

McKethan, A., Brammer, C., Fatemi, P., Kim, M., Kirtane, J., Kunzman, J. . . .
Jain, S. H. (2011). An early status report on the Beacon Communities’ plans
for transformation via health information technology. Health Affairs, 30(4),
782–788. doi:10.1377/hlthaff.2011.0166

Nerney, C. (2016, January). CMS acting chief Slavitt on interoperabil­
ity. Retrieved August 3, 2016, from

Office of the National Coordinator for Health Information Technology (ONC).
(2015). Connecting health and care for the nation: A shared nationwide interop­
erability roadmap. Retrieved August 3, 2016, from
sites/default/fi les/nationwide-interoperability-roadmap-draft-version-1.0.pdf

Office of the National Coordinator for Health Information Technology (ONC).
(n.d.a). EHR incentives & certifi cation. Retrieved September 21, 2016, from

Office of the National Coordinator for Health Information Technology (ONC).
(n.d.b). Interoperability. Retrieved September 21, 2016, from https://www

The Sequoia Project. (n.d.a). About the Sequoia Project. Retrieved August 4, 2016,

The Sequoia Project. (n.d.b). What is eHealth exchange. Retrieved from http://

The White House. (2006, August). Fact sheet: Health care transparency: Empowering
consumers to save on quality care. Retrieved September 22, 2016, from https://


Health Care Data


• To be able to define health care data and information.

• To be able to understand the major purposes for maintaining
patient records.

• To be able to discuss basic patient health record and claims

• To be able to discuss basic uses of health care data, including big
and small data and analytics.

• To be able to identify common issues related to health care data


22 · C H A P T E R 2 : H E A L T H C A R E D A T A

Central to health care information systems is the actual health care data
that is collected and subsequently transformed into useful health care infor­
mation. In this chapter we will examine key aspects of health care data. In
particular, this chapter is divided into four main sections:

• Health care data and information defined (What are health data and
health information?)

• Health care data and information sources (Where does health data
originate and why? When does health care data become health care

• Health care data uses (How do health care organizations use data?
What is the impact of the trend toward analytics and big data on
health care data?)

• Health care data quality (How does the quality of health data affect its


Often the terms health care data and health care information are used inter­
changeably. However, there is a distinction, if somewhat blurred in current
use. What, then, is the difference between health data and health informa­
tion? The simple answer is that health information is processed health data.
(We interpret processing broadly to cover everything from formal analysis to
explanations supplied by the individual decision maker’s brain.) Health care
data are raw health care facts, generally stored as characters, words, symbols,
measurements, or statistics. One thing apparent about health care data is that
they are generally not very useful for decision making. Health care data may
describe a particular event, but alone and unprocessed they are not particu­
larly helpful. Take, for example, this figure: 79 percent. By itself, what does
it mean? If we process this datum further by indicating that it represents the
average bed occupancy for a hospital for the month of January, it takes on
more meaning. With the additional facts attached, is this figure now infor­
mation? That depends. If all a health care executive wants or needs to know
is the bed occupancy rate for January, this could be considered information.
However, for the hospital executive who is interested in knowing the trend
of the bed occupancy rate over time or how the facility’s bed occupancy rate
compares to that of other, similar facilities, this is not yet the information
he needs. A clinical example of raw data would be the lab value, hematocrit
(HCT) = 32 or a diagnosis, such as diabetes. These are single facts, data at
the most granular level. They take on meaning when assigned to particular

H E A L T H C A R E D A T A A N D I N F O R M A T I O N D E F I N E D · 23

patients in the context of their health Figure 2.1 Health care data to
care status or analyzed as components health care knowledge
of population studies.

Knowledge is seen by some as
the highest level in a hierarchy with
data at the bottom and information in
the middle (Figure 2.1). Knowledge is
defined by Johns (1997, p. 53) as “a
combination of rules, relationships,
ideas, and experience.” Another way
of thinking about knowledge is that it
is information applied to rules, expe­
riences, and relationships with the
result that it can be used for decision
making. Data analytics applied to
health care information and research
studies based on health care information are examples of transforming health
care information into new knowledge. To carry out our example from previ­
ous paragraphs, the 79 percent occupancy rate could be related to additional
information to lead to knowledge that the health care facility’s referral strat­
egy is working.

Where do health care data end and where does health care information
begin? Information is an extremely valuable asset at all levels of the health care
community. Health care executives, clinical staff members, and others rely on
information to get their jobs accomplished. The goal of this discussion is not
to pinpoint where data end and information begins but rather to further an
understanding of the relationship between health care data and information—
health care data are the beginnings of health care information. You cannot
create information without data. Through the rest of this chapter the terms
health care data and health care information will be used to describe either the
most granular components of health care information or data that have been
processed, respectively (Lee, 2002).

The first several sections of this chapter focus primarily on the health
care data and information levels, but the content of the section on health care
data quality takes on new importance when applied to processes for seeking
knowledge from health care data. We will begin the chapter exploring where
some of the most common health care data originate and describe some of the
most common organizational and provider uses of health care information,
including patient care, billing and reimbursement, and basic health care
statistics. Please note there are many other uses for health information that
go beyond these basics that will be explored throughout this text.


24 · C H A P T E R 2 : H E A L T H C A R E D A T A


The majority of health care information created and used in health care
information systems within and across organizations can be found as an
entry in a patient’s health record or claim, and this information is readily
matched to a specifi c, identifi able patient.

The Health Insurance Portability and Accountability Act (HIPAA), the
federal legislation that includes provisions to protect patients’ health informa­
tion from unauthorized disclosure, defi nes health information as any information,
whether oral or recorded in any form or medium, that does the following:

• Is created or received by a health care provider, health plan, public
health authority, employer, life insurer, school or university, or health
care clearinghouse

• Relates to the past, present, or future physical or mental health
or condition of an individual, the provision of health care to an
individual, or the past, present, or future payment for the provision of
health care to an individual

HIPAA refers to this type of identifiable information as protected health
information (PHI).

The Joint Commission, the major accrediting agency for many types of
health care organizations in the United States, has adopted the HIPAA defi ni­
tion of protected health information as the definition of “health information”
listed in their accreditation manuals’ glossary of terms (The Joint Commis­
sion, 2016). Creating, maintaining, and managing quality health information
is a significant factor in health care organizations, such as hospitals, nursing
homes, rehabilitation centers, and others, who want to achieve Joint Commis­
sion accreditation. The accreditation manuals for each type of facility contain
dozens of standards that are devoted to the creation and management of
health information. For example, the hospital accreditation manual contains
two specific chapters, Record of Care, Treatment, and Services (RC) and Infor­
mation Management (IM). The RC chapter outlines specifi c standards govern­
ing the components of a complete medical record, and the IM chapter outlines
standards for managing information as an important organizational resource.

Medical Record versus Health Record

The terms medical record and health record are often used interchangeably
to describe a patient’s clinical record. However, with the advent and subse­
quent evolution of electronic versions of patient records these terms actually
describe different entities. The Office of the National Coordinator for Health






H E A L T H C A R E D A T A A N D I N F O R M A T I O N S O U R C E S · 25

Information Technology (ONC) distinguishes the electronic medical record
and the electronic health record as follows.

Electronic medical records (EMRs) are a digital version of the paper
charts.  An EMR contains the medical and treatment history of the patients
in one practice (or organization). EMRs have advantages over paper records.
For example, EMRs enable clinicians (and others) to do the following:

• Track data over time

• Easily identify which patients are due for preventive screenings or


• Check how their patients are doing on certain parameters—such as

blood pressure readings or vaccinations

• Monitor and improve overall quality of care within the practice

But the information in EMRs doesn’t travel easily out of the practice (or
organization). In fact, the patient’s record might even have to be printed out
and delivered by mail to specialists and other members of the care team. In
that regard, EMRs are not much better than a paper record.

Electronic health records (EHRs) do all those things—and more. EHRs
focus on the total health of the patient—going beyond standard clinical
data collected in the provider’s office (or during episodes of care)—and is
inclusive of a broader view on a patient’s care. EHRs are designed to reach
out beyond the health organization that originally collects and compiles
the information. They are built to share information with other health care
providers (and organizations), such as laboratories and specialists, so they
contain information from all the clinicians involved in the patient’s care
(Garrett & Seidman, 2011). Another distinguishing feature of the EHR (dis­
cussed in more detail in Chapter Three) is the inclusion of decision-support
capabilities beyond those of the EMR.

Patient Record Purposes

Health care organizations maintain patient clinical records for several key
purposes. As we move into the discussion on clinical information systems in
subsequent chapters, it will be important to remember these purposes, which
remain constant regardless of the format or infrastructure supporting the
records. In considering the purposes listed, the scope of care is also important.
Records support not only managing a single episode of care but also a patient’s
continuum of care and population health. Episode of care generally refers to
the services provided to a patient with a specific condition for a specifi c period

26 · C H A P T E R 2 : H E A L T H C A R E D A T A

of time. Continuum of care, as defined by HIMSS (2014), is a concept involving
a system that guides and tracks patients over time through a comprehensive
array of health services spanning all levels and intensity of care. Population
health is a relatively new term and definitions vary. However, the concept
behind managing population health is to improve health outcomes within
defined communities (Stoto, 2013). The following list comprises the most
commonly recognized purposes for creating and maintaining patient records.

1. Patient care. Patient records provide the documented basis for
planning patient care and treatment, for a single episode of care and
across the care continuum. This purpose is considered the number-
one reason for maintaining patient records. As our health care
delivery system moves toward true population health management
and patient-focused care, the patient record becomes a critical tool for
documenting each provider’s contribution to that care.

2. Communication. Patient records are an important means by which
physicians, nurses, and others, whether within a single organization
or across organizations, can communicate with one another about
patient needs. The members of the health care team generally
interact with patients at different times during the day, week, or
even month or year. Information from the patient’s record plays an
important role in facilitating communication among providers across
the continuum of care. The patient record may be the only means
of communication among various providers. It is important to note
that patients also have a right to access their records, and their
engagement in their own care is often reflected in today’s records.

3. Legal documentation. Patient records, because they describe and
document care and treatment, are also legal records. In the event
of a lawsuit or other legal action involving patient care, the record
becomes the primary evidence for what actually took place during the
care. An old but absolutely true adage about the legal importance of
patient records says, “If it was not documented, it was not done.”

4. Billing and reimbursement. Patient records provide the
documentation patients and payers use to verify billed services.
Insurance companies and other third-party payers insist on clear
documentation to support any claims submitted. The federal
programs Medicare and Medicaid have oversight and review
processes in place that use patient records to confirm the accuracy
of claims filed. Filing a claim for a service that is not clearly
documented in the patient record may be construed as fraud.

H E A L T H C A R E D A T A A N D I N F O R M A T I O N S O U R C E S · 27

5. Research and quality management. Patient records are used in many
facilities for research purposes and for monitoring the quality of
care provided. Patient records can serve as source documents from
which information about certain diseases or procedures can be taken,
for example. Although research is most prevalent in large academic
medical centers, studies are conducted in other types of health care
organizations as well.

6. Population health. Information from patient records is used to
monitor population health, assess health status, measure utilization of
services, track quality outcomes, and evaluate adherence to evidence-
based practice guidelines. Health care payers and consumers are
increasingly demanding to know the cost-effectiveness and effi cacy of
different treatment options and modalities. Population health focuses
on prevention as a means of achieving cost-effective care.

7. Public health. Federal and state public health agencies use
information from patient records to inform policies and procedures to
ensure that they protect citizens from unhealthy conditions.

Patient Records as Legal Documents

The importance of maintaining complete and accurate patient records cannot
be underestimated. They serve not only as a basis for planning patient care
but also as the legal record documenting the care that was provided to
patients. The data captured in a patient record become a permanent record
of that patient’s diagnoses, treatments, response to treatments, and case
management. Patient records provide much of the source data for health
care information that is created, maintained, and managed within and across
health care organizations.

When the patient record was a file folder full of paper housed in the health
information management department of the hospital, identifying the legal
health record (LHR) was fairly straightforward. Records kept in the usual
course of business (in this case, providing care to patients) represent an
exception to the hearsay rule, are generally admissible in a court, and there­
fore can be subpoenaed—they are legal documentation of the care provided
to the patients. With the implementation of comprehensive EHR systems
the definition of an LHR remains the same, but the identification of the
boundaries for it may be harder to determine. In 2013, the ONC’s National
Learning Consortium published the Legal Health Record Policy Template to
guide health care organizations and providers in defi ning which records and
record sets constitute their legal health record for administrative, business, or

28 · C H A P T E R 2 : H E A L T H C A R E D A T A

evidentiary purposes. The media on which the records are maintained does
not determine the legal status; rather, it is the purpose for which the record
was created and is maintained. The complete template can be found at www les/legal_health_policy_template.docx.

Because of the legal nature of patient records, the majority of states
have specific retention requirements for information contained within them.
These state requirements should be the basis for the health care organiza­
tion’s formal retention policy. (The Joint Commission and other accrediting
agencies also address retention but generally refer organizations back to their
own state regulations for specifics.) When no specific retention requirement
is made by the state, all patient information that is a part of the LHR should
be maintained for at least as long as the state’s statute of limitations or other
regulation requires. In the case of minor children the LHR should be retained
until the child reaches the age of majority as defined by state law, usually
eighteen or twenty-one. Health care executives should be aware that stat­
utes of limitations may allow a patient to bring a case as long as ten years
after the patient learns that his or her care caused an injury (Lee, 2002).
Although some specific retention requirements and general guidelines exist,
it is becoming increasingly popular for health care organizations to keep all
LHR information indefinitely, particularly if the information is stored in an
electronic format. If an organization does decide to destroy LHR information,
this destruction must be carried out in accordance with all applicable laws
and regulations.

Another important aspect related to the legal nature of patient records is
the need for them to be authenticated. State and federal laws and accredita­
tion standards require that medical record entries be authenticated to ensure
that the legal document shows the person or persons responsible for the care
provided. Generally, authentication of an LHR entry is accomplished when
the physician or other health care professional signs it, either with a hand­
written signature or an electronic signature.

Personal Health Records

An increasingly common type of patient record is maintained by the indi­
vidual to track personal health care information: the personal health record
(PHR). According to the American Health Information Management Associ­
ation (AHIMA, 2016), a PHR “is a tool .  .  . to collect, track and share past
and current information about your health or the health of someone in your
care.” A PHR is not the same as a health record managed by a health care
organization or provider, and it does not constitute a legal document of care,
but it should contain all pertinent health care information contained in an

H E A L T H C A R E D A T A A N D I N F O R M A T I O N S O U R C E S · 29

individual’s health records. PHRs are an effective tool enabling patients to be
active members of their own health care teams (AHIMA, 2016).

Patient Record Content

The following components are common to most patient records, regardless of
facility type or record system (AHIMA, 2016). Specific patient record content
is determined to a large extent by external requirements, standards, and
regulations (discussed in Chapter Nine). Keep in mind, a patient record may
contain some or all of the documentation listed. Depending on the patient’s
illness or injury and the type of treatment facility, he or she may need addi­
tional specialized health care services. These services may require specifi c
documentation. For example, long-term care facilities and behavioral health
facilities have special documentation requirements. Our list is intended to
introduce the common components of patient records, not to provide a com­
prehensive list of all possible components. The following provides a general
overview of record content and the person or persons responsible for cap­
turing the content during a single episode of care. It reveals that the patient
record is a repository for a variety of health care data and information that
is captured by many different individuals involved in the care of the patient.

• Identifi cation screen. Information found on the identifi cation screen
of a health or medical record originates at the time of registration or
admission. The identifi cation data generally includes at least the patient
name, address, telephone number, insurance carrier, and policy number,
as well as the patient’s diagnoses and disposition at discharge. These
diagnoses are recorded by the physicians and coded by administrative
personnel. (Diagnosis coding is discussed following in this chapter.)
The identifi cation component of the data is used as a clinical and an
administrative document. It provides a quick view of the diagnoses that
required care during the encounter. The codes and other demographic
information are used for reimbursement and planning purposes.

• Problem list. Patient records frequently contain a comprehensive
problem list, which identifi es signifi cant illnesses and operations the
patient has experienced. This list is generally maintained over time.
It is not specifi c to a single episode of care and may be maintained
by the attending or primary care physician or collectively by all the
health care providers involved in the patient’s care.

• Medication record. Sometimes called a medication administration record
(MAR), this record lists medicines prescribed for and subsequently
administered to the patient. It often also lists any medication allergies

30 · C H A P T E R 2 : H E A L T H C A R E D A T A

the patient may have. Nursing personnel are generally responsible for
documenting and maintaining medication information in acute care
settings, because they are responsible for administering medications
according to physicians’ written or verbal orders.

• History and physical. The history component of the report describes
any major illnesses and surgeries the patient has had, any signifi cant
family history of disease, patient health habits, and current
medications. The information for the history is provided by the patient
(or someone acting on his or her behalf) and is documented by the
attending physician or other care provider at the beginning of or
immediately prior to an encounter or treatment episode. The physical
component of this report states what the physician found when he
or she performed a hands-on examination of the patient. The history
and physical together document the initial assessment of the patient
for the particular care episode and provide the basis for diagnosis
and subsequent treatment. They also provide a framework within
which physicians and other care providers can document signifi cant
findings. Although obtaining the initial history and physical is a one­
time activity during an episode of care, continued reassessment and
documentation of that reassessment during the patient’s course of
treatment is critical. Results of reassessments are generally recorded
in progress notes.

• Progress notes. Progress notes are made by the physicians, nurses,
therapists, social workers, and other staff members caring for the
patient. Each provider is responsible for the content of his or her notes.
Progress notes should refl ect the patient’s response to treatment along
with the provider’s observations and plans for continued treatment.
There are many formats for progress notes. In some organizations all
care providers use the same note format; in others each provider type
uses a customized format. A commonly used format for a progress
note is the SOAP format. Providers are expected to enter notes divided
into four components:

o Subjective fi ndings

o Objective fi ndings

o Assessment

o Plan

• Consultation. A consultation note or report records opinions about
the patient’s condition made by another health care provider at
the request of the attending physician or primary care provider.

H E A L T H C A R E D A T A A N D I N F O R M A T I O N S O U R C E S · 31

Consultation reports may come from physicians and others inside or
outside a particular health care organization, but this information is
maintained as part of the patient record.

• Physician’s orders. Physician’s orders are a physician’s directions,
instructions, or prescriptions given to other members of the health
care team regarding the patient’s medications, tests, diets, treatments,
and so forth. In the current US health care system, procedures and
treatments must be ordered by the appropriate licensed practitioner; in
most cases this will be a physician.

• Imaging and X-ray reports. The radiologist is responsible for
interpreting images produced through X-rays, mammograms,
ultrasounds, scans, and the like and for documenting his or her
interpretations or findings in the patient’s record. These fi ndings
should be documented in a timely manner so they are available to the
appropriate provider to facilitate the appropriate treatment. The actual
digital images are generally maintained in the radiology or imaging
departments in specialized computer systems. These images are
typically not considered part of the legal patient record, per se, but in
modern EHRs they are available through the same interface.

• Laboratory reports. Laboratory reports contain the results of tests
conducted on body fl uids, cells, and tissues. For example, a medical
lab might perform a throat culture, urinalysis, cholesterol level, or
complete blood count. There are hundreds of specifi c lab tests that can
be run by health care organizations or specialized labs. Lab personnel
are responsible for documenting the lab results into the patient record.
Results of the lab work become part of the permanent patient
record. However, lab results must also be available during treatment.
Health care providers rely on accurate lab results in making clinical
decisions, so there is a need for timely reporting of lab results and
a system for ensuring that physicians and other appropriate care
providers receive the results. Physicians or other primary care providers
are responsible for documenting any findings and treatment plans
based on the lab results.

• Consent and authorization forms. Copies of consents to admission,
treatment, surgery, and release of information are an important
component of the patient record related to its use as a legal document.
The practitioner who actually provides the treatment must obtain
informed consent for the treatment. Patients must sign informed
consent documents before treatment takes place. Forms authorizing
release of information must also be signed by patients before any

32 · C H A P T E R 2 : H E A L T H C A R E D A T A

patient-specifi c health care information is released to parties not
directly involved in the care of the patient.

• Operative report. Operative reports describe any surgery performed and
list the names of surgeons and assistants. The surgeon is responsible for
documenting the information found in the operative report.

• Pathology report. Pathology reports describe tissue removed during
any surgical procedure and the diagnosis based on examination
of that tissue. The pathologist is responsible for documenting the
information contained within the pathology report.

• Discharge summary. Each acute care patient record contains a
discharge summary. The discharge summary summarizes the
hospital stay, including the reason for admission, signifi cant fi ndings
from tests, procedures performed, therapies provided, responses to
treatments, condition at discharge, and instructions for medications,
activity, diet, and follow-up care. The attending physician is
responsible for documenting the discharge summary at the conclusion
of the patient’s stay in the hospital.

With the passage of the Accountable Care Act (ACA) and other health
care payment reform measures, organizations and communities have begun
to shift focus from episodic care to population health. By defi nition, pop­
ulation health focuses on maintaining health and managing health care
utilization for a defined population of patients or community with the goal
of decreasing costs. Along with other key components, successful popula­
tion health will require extensive care coordination across care providers
and community organizations. Care managers are needed to interact with
patients on a regular basis during and in between clinical encounters (Insti­
tute for Health Technology Transformation, 2012). Needless to say, this will
have a significant impact on the form and structure of the future EHRs.
These care managers will document all plan findings, clinical and social,
within the patient’s record and rely on other providers’ notes and fi ndings
to effectively coordinate care. Baker, Cronin, Conway, DeSalvo, Rajkumar,
and Press (2016), for example, describes a new tool to support “person-cen­
tered care by a multidisciplinary team,” the comprehensive shared care
plan (CSCP), which will rely on HIT to enable collaboration across settings.
A stakeholder group organized by the US Department of Health and Human
Services developed key goals for the CSCP as they envision it:

• It should enable a clinician to electronically view information that is
directly relevant to his or her role in the care of the person, to easily

H E A L T H C A R E D A T A A N D I N F O R M A T I O N S O U R C E S · 33

identify which clinician is doing what, and to update other members
of an interdisciplinary team on new developments.

• It should put the person’s goals (captured in his or her own words) at
the center of decision making and give that individual direct access to
his or her information in the CSCP.

• It should be holistic and describe clinical and nonclinical (including
home- and community-based) needs and services.

• It should follow the person through high-need episodes (e.g., acute
illness) as well as periods of health improvement and maintenance
(Baker et al., 2016).

Figures 2.2 through 2.5 display screens from one organization’s EHR.

Claims Content

As we have seen in the previous section, health care information is captured
and stored as a part of the patient record. However, there is more to the
story: health care organizations and providers must be paid for the care
they provide. Generally, the health care organization’s accounting or billing

Figure 2.2 Sample EHR information screen

Source: Medical University of South Carolina; Epic.

34 · C H A P T E R 2 : H E A L T H C A R E D A T A

Figure 2.3 Sample EHR problem list

Source: Medical University of South Carolina; Epic.

Figure 2.4 Sample EHR progress notes

Source: Medical University of South Carolina; Epic.

H E A L T H C A R E D A T A A N D I N F O R M A T I O N S O U R C E S · 35

Figure 2.5 Sample EHR lab report

Source: Medical University of South Carolina; Epic.

department is responsible for processing claims, an activity that includes
verifying insurance coverage; billing third-party payers (private insurance
companies, Medicare, or Medicaid); and processing the payments as they
are received. Centers for Medicare and Medicaid Services (CMS) currently
requires health care providers to submit claims electronically using a set of
standard elements. As early as the 1970s the health care community strived to
develop standard insurance claim forms to facilitate payment collection. With
the nearly universal adoption of electronic billing and government-mandated
transaction standards, standard claims content has become essential.

Depending on the type of service provided to the patient, one of two
standard data sets will be submitted to the third-party payer. The UB-04, or
CMS-1450, is submitted for inpatient, hospital-based outpatient, home health
care, and long-term care services. The CMS-1500 is submitted for health care
provider services, such as those provided by a physician’s office. It is also
used for billing by some Medicaid state agencies. The standard requirements
for the parallel electronic counterparts to the CMS-1450 and CMS-1500 are
defined by ANSI ASC X12N 837I (Institutional) and ANSI ASC X12N 837P
(Professional), respectively. Therefore, the claims standards are frequently
referred to as 837I and 837P.


In 1975, the American Hospital Association (AHA) formed the National
Uniform Billing Committee (NUBC), bringing the major national provider and

36 · C H A P T E R 2 : H E A L T H C A R E D A T A

payer organizations together for the purpose of developing a single billing form
and standard data set that could be used for processing health care claims
by institutions nationwide. The first uniform bill was the UB-82. It has since
been modified and improved on, resulting, first, in the UB-92 data set and now
in the currently used UB-04, also known as CMS-1450. UB-04 is the de facto
institutional provider claim standard. Its content is required by CMS and has
been widely adopted by other government and private insurers. In addition to
hospitals, UB-04 or 837I is used by skilled nursing facilities, end stage renal
disease providers, home health agencies, hospices, rehabilitation clinics and
facilities, community mental health centers, critical access hospitals, federally
qualified health centers, and others to bill their third-party payers. The NUBC
is responsible for maintaining and updating the specifications for the data
elements and codes that are used for the UB-04/CMS-1450 and 837I. A full
description of the elements required and the specifications manual can be
found on the NUBC website, (CMS 2016a; NUBC, 2016).


The National Uniform Claim Committee (NUCC) was created by the Amer­
ican Medical Association (AMA) to develop a standardized data set for the
noninstitutional or “professional” health care community to use in the sub­
mission of claims (much as the NUBC has done for institutional providers).
Members of this committee represent key provider and payer organizations,
with the AMA appointing the committee chair. The standardized claim form
developed and overseen by NUCC is the CMS-1500 and its electronic coun­
terpart is the 837P. This standard has been adopted by CMS to bill Medicare
fee-for-service, and similar to UB-04 and 837I for institutional care, it has
become the de facto standard for all types of noninstitutional provider claims,
such as those for private physician services. NUCC maintains a crosswalk
between the 837P and CMS-1500 explaining the specific data elements, which
can be found on their website at (CMS, 2013; NUCC, 2016).

It is important to recognize that the UB-04 and the CMS-1500 and their
electronic counterparts incorporate standardized data sets. Regardless of a
health care organization’s location or a patient’s insurance coverage, the same
data elements are collected. In many states UB-04 data and CMS-1500 data
must be reported to a central state agency responsible for aggregating and
analyzing the state’s health data. At the federal level the CMS aggregates the
data from these claims forms for analyzing national health care reimburse­
ment and clinical and population trends. Having uniform data sets means
that data can be compared not only within organizations but also within
states and across the country.

H E A L T H C A R E D A T A A N D I N F O R M A T I O N S O U R C E S · 37

Diagnostic and Procedural Codes

Diagnostic and procedural codes are captured during the patient encounter,
not only to track clinical progress but also for billing, reimbursement, and
other administrative purposes. This diagnostic and procedural information
is initially captured in narrative form through physicians’ and other health
care providers’ documentation in the patient record. This documentation is
subsequently translated into numerical codes. Coding facilitates the classi­
fication of diagnoses and procedures for reimbursement purposes, clinical
research, and comparative studies.

Two major coding systems are employed by health care providers today:

• ICD-10 (International Classification of Diseases)

• CPT (Current Procedural Terminology), published by the American

Medical Association

Use of these systems is required by the federal government for reimburse­
ment, and they are recognized by health care agencies nationally and inter­
nationally. The UB-04 and CMS-1500 have very specific coding requirements
for claim submission, which include use of these coding sets.


The ICD-10 classification system used to code diseases and other health
statuses in the United States is derived from the International Classifi ca­
tion of Diseases, Tenth Revision, which was developed by the World Health
Organization (WHO) (CDC, 2016) to capture disease data. The precursors to
the current ICD system were developed to enable comparison of morbidity
(illness) and mortality (death) statistics across nations. Over the years this
basic purpose has evolved and today ICD-10-CM (Clinical Modifi cation)
coding plays major role in reimbursement to hospitals and other health
care institutions. ICD-10-CM codes used for determining the diagnosis
related group (DRG) into which a patient is assigned. DRGs are in turn the
basis for determining appropriate inpatient reimbursements for Medicare,
Medicaid, and many other health care insurance benefi ciaries. Accurate
ICD coding has, as a consequence, become vital to accurate institutional

The National Center of Health Statistics (NVHS) is the federal agency
responsible for publishing ICD-10-CM (Clinical Modification) in the United
States. Procedure information is similarly coded using the ICD-10-PCS (Pro­
cedural Coding System). ICD-10-PCS was developed by CMS for US inpatient

– –

38 · C H A P T E R 2 : H E A L T H C A R E D A T A

Exhibit 2.1 Excerpt from ICD 10 CM 2016

Malignant neoplasms (C00-C96)

Malignant neoplasms, stated or presumed to be primary (of specifi ed

sites), and certain specified histologies, except neuroendocrine, and of

lymphoid, hematopoietic, and related tissue (C00-C75)

Malignant neoplasms of lip, oral cavity, and pharynx (C00-C14)

C00 Malignant neoplasm of lip

Use additional code to identify:

alcohol abuse and dependence (F10.-)

history of tobacco use (Z87.891)

tobacco dependence (F17.-)

tobacco use (Z72.0)

Excludes 1: malignant melanoma of lip (C43.0)

Merkel cell carcinoma of lip (C4A.0)

other and unspecifi ed malignant neoplasm of skin of lip (C44.0-)

C00.0 Malignant neoplasm of external upper lip

Malignant neoplasm of lipstick area of upper lip

Malignant neoplasm of upper lip NOS

Malignant neoplasm of vermilion border of upper lip

C00.1 Malignant neoplasm of external lower lip

Malignant neoplasm of lower lip NOS

Malignant neoplasm of lipstick area of lower lip

Malignant neoplasm of vermilion border of lower lip

hospital settings only. The ICD-10-CM and ICD-10-PCS publications are
considered federal government documents whose contents may be used
freely by others. However, multiple companies republish this government
document in easier-to-use, annotated, formally copyrighted versions. In
general, the ICD-10-CM and ICD-10-PCS are updated on an annual basis
(CMS, 2015, 2016b).

Exhibits 2.1 and 2.2 are excerpts from the ICD-10-CM and ICD-10-PCS
classification systems. They show the system in its text form, but large health
care organizations generally use encoders, computer applications that facil­
itate accurate coding. Whether a book or text file or encoder is used, the
classification system follows the same structure.

H E A L T H C A R E D A T A A N D I N F O R M A T I O N S O U R C E S · 39

C00.2 Malignant neoplasm of external lip, unspecifi ed

Malignant neoplasm of vermilion border of lip NOS

C00.3 Malignant neoplasm of upper lip, inner aspect

Malignant neoplasm of buccal aspect of upper lip

Malignant neoplasm of frenulum of upper lip

Malignant neoplasm of mucosa of upper lip

Malignant neoplasm of oral aspect of upper lip

C00.4 Malignant neoplasm of lower lip, inner aspect

Malignant neoplasm of buccal aspect of lower lip

Malignant neoplasm of frenulum of lower lip

Malignant neoplasm of mucosa of lower lip

Malignant neoplasm of oral aspect of lower lip

C00.5 Malignant neoplasm of lip, unspecifi ed, inner aspect

Malignant neoplasm of buccal aspect of lip, unspecifi ed

Malignant neoplasm of frenulum of lip, unspecifi ed

Malignant neoplasm of mucosa of lip, unspecifi ed

Malignant neoplasm of oral aspect of lip, unspecifi ed

C00.6 Malignant neoplasm of commissure of lip, unspecifi ed

C00.7 Malignant neoplasm of overlapping sites of lip

C00.8 Malignant neoplasm of lip, unspecifi ed

Source: CMS (2016b).


The American Medical Association (AMA) publishes an updated CPT each
year. Unlike ICD-9-CM, CPT is copyrighted, with all rights to publication and
distribution held by the AMA. CPT was first developed and published in 1966.
The stated purpose for developing CPT was to provide a uniform language for
describing medical and surgical services. In 1983, however, the government
adopted CPT, in its entirety, as the major component (known as Level 1) of
the Healthcare Common Procedure Coding System (HCPCS). Since then CPT
has become the standard for physician’s office, outpatient, and ambulatory
care coding for reimbursement purposes. Exhibit 2.3 is a simplifi ed example
of a patient encounter form with HCPCS/CPT codes.

40 · C H A P T E R 2 : H E A L T H C A R E D A T A

Exhibit 2.2 Excerpt from ICD 10 PCS 2017 OCW

Section 0 Medical and Surgical

Body System C Mouth and Throat

Operation W Revision: Correcting, to the extent possible, a portion of a
malfunctioning device or the position of a displaced device

Body Part Approach Device Qualifi er

A Salivary Gland 0 Open

3 Percutaneous

X External

0 Drainage Device

C Extraluminal

Z No Qualifi er

S Larynx 0 Open

3 Percutaneous

7 Via Natural or
Artifi cial Opening

8 Via Natural or
Artifi cial Opening

X External

0 Drainage Device

7 Autologous

Z No Qualifi er

Tissue Substitute

D Intraluminal

J Synthetic

K Nonautologous
Tissue Substitute

Y Mouth and 0 Open 0 Drainage Device Z No Qualifi er

3 Percutaneous 1 Radioactive

7 Via Natural or
Artifi cial Opening 7 Autologous

8 Via Natural or
Artifi cial Opening D Intraluminal

X External



Tissue Substitute

J Synthetic

K Nonautologous
Tissue Substitute

Source: CMS (2016c).

H E A L T H C A R E D A T A A N D I N F O R M A T I O N S O U R C E S · 41

Exhibit 2.3 Patient encounter form coding standards

Pediatric Associates P.A. 123 Children’ s Avenue, Anytown, USA

Offi ce Visits
99211 Estab Pt—minimal Preventive Medicine—New
99212 Estab Pt—focused 99381 Prev Med 0–1 years
99213 Estab Pt—expanded 99382 Prev Med 1–4 years
99214 Estab Pt—detailed 99383 Prev Med 5–11 years
99215 Estab Pt—high complexity 99384 Prev Med 12–17 years

99385 Prev Med 18–39 years
99201 New Pt—problem focused
99202 New Pt—expanded Preventive Medicine—Established
99203 New Pt—detailed 99391 Prev Med 0–1 years
99204 New Pt—moderate complexity 99392 Prev Med 1–4 years

99205 New Pt—high complexity 99393 Prev Med 5–11 years
99394 Prev Med 12–17 years

99050 After Hours 99395 Prev Med 18–39 years
99052 After Hours—after 10 pm
99054 After Hours—Sundays and Holidays 99070 10 Arm Sling

99070 11 Sterile Dressing
Outpatient Consult 99070 45 Cervical Cap
99241 99242 99243 99244 99245

Immunizations, Injections, and Office Laboratory Services
90471 Adm of Vaccine 1 81000 Urinalysis w/ micro
90472 Adm of Vaccine > 1 81002 Urinalysis w/o micro
90648 HIB 82270 Hemoccult Stool
90658 Infl uenza 82948 Dextrostix
90669 Prevnar 83655 Lead Level
90701 DTP 84030 PKU
90702 DT 85018 Hemoglobin
90707 MMR 87086 Urine Culture
90713 Polio Injection 87081 Throat Culture
90720 DTP/HIB 87205 Gram Stain
90700 DTaP 87208 Ova Smear (pin worm)
90730 Hepatitis A 87210 Wet Prep
90733 Meningococcal 87880 Rapid Strep
90744 Hepatitis B 0–11
90746 Hepatitis B 18+ years

Patient Name
Name of Insured ID
Insurance Company
Return Appointment ___________________________________________________

42 · C H A P T E R 2 : H E A L T H C A R E D A T A

As coding has become intimately linked to reimbursement, directly deter­
mining the amount of money a health care organization can receive for a
claim from insurers, the government has increased its scrutiny of coding
practices. There are official guidelines for accurate coding, and health care
facilities that do not adhere to these guidelines are liable to charges of fraud­
ulent coding practices. In addition, the Office of Inspector General of the
Department of Health and Human Services (HHS OIG) publishes compliance
guidelines to facilitate health care organizations’ adherence to ethical and
legal coding practices. The OIG is responsible for (among other duties) investi­
gating fraud involving government health insurance programs. More specifi c
information about compliance guidelines can be found on the OIG website
( and will be more thoroughly discussed in Chapter Nine.


The previous sections of this chapter examine how health care data is cap­
tured in patient records and billing claims. Even with this brief overview you
can begin to see what a rich source of health care data these records could be.
However, before health care data can be used, it must be stored and retrieved.
How do we retrieve that data so that the information can be aggregated,
manipulated, or analyzed for health care organizations to improve patient
care and business operations? How do we combine this patient care data
created and stored internally with other pertinent data from external sources?

As we discussed previously in the chapter, data need to be processed
to become information. We also noted that data and information may be
considered along a continuum, one person’s data may be another person’s
information depending on the level of processing required. In this section of
the chapter we will focus on the use of data analysis to transform data into
information. There is a lot of discussion about the current and future impact
of so-called big data on the health care community. We will start the dis­
cussion of data analysis by looking at the basic elements required to perform
effective health care data analysis, followed by a comparison of “small” data
analysis examples to the emerging big data.

Regardless of the scope of the data or the tools used, health care data
analysis requires basic elements. First, there must be a source of data, for
example, the EHR, claims data, laboratory data, and so on. Second, these
data must be stored in a retrievable manner, for example, in a database
or data warehouse. Next, an analytical tool, such as mathematical statistics,
probability models, predictive models, and so on, must be applied to the
stored data. Finally, to be meaningful, the analyzed data must be reported
in a usable manner.

H E A L T H C A R E D A T A U S E S · 43

Databases and Data Warehouses

A database generally refers to any structured, accessible set of data stored elec­
tronically; it can be large or small. The back end of EHR and claims systems
are examples of large databases. A data warehouse differs from a database
in its structure and function. In health care, data warehouses that are derived
from health care information systems may be referred to as clinical data repos­
itories. The data in a data warehouse come from a variety of sources, such
as the EHR, claims data, and ancillary health care information systems (lab­
oratory, radiology, etc.). The data from the sources are extracted, “cleaned,”
and stored in a structure that enables the data to be accessed along multiple
dimensions, such as time (e.g., day, month, year); location; or diagnosis. Data
warehouses help organizations transform large quantities of data from sep­
arate transactional files or other applications into a single decision-support
database. The important concept to understand is that the database or data
warehouse provides organized storage for data so that they can be retrieved
and analyzed. Before useful information can be obtained, the data must be
analyzed. In the most straightforward uses, the data from the data stores are
aggregated and reported using simple reporting or statistical methods.

Small versus Big Data

Data stores and data analytics are not new to health care. However, the scope
and speed with which we are now capable of analyzing data and discovering
new information has increased tremendously. Big data is not a data store
(warehouse or database), nor is it a specific analytical tool, but rather it refers
to a combination of the two. Experts describe big data as characterized by
three Vs (the fourth V—veracity, or accuracy—is sometimes added). These
characteristics are present in big but not small data:

• Very large volume of data

• A variety (e.g., images, text, discrete) of types and sources (EHR,

wearable fi tness technology, social media, etc.) of data

• The velocity at which the data is accumulated and processed (Glaser,
2014; Macadamian, n.d.)

Harris and Schneider (2015) describe a useful metaphor for explaining the
difference between big data and traditional data storage and analysis systems.
They tell us to consider “even enormous databases, such as the Medicare
claims database as ‘filing cabinets,’ while big data is more like a ‘conveyor

44 · C H A P T E R 2 : H E A L T H C A R E D A T A

belt.’ The filing cabinet no matter how large, is static, while the conveyor belt
is constantly moving and presenting new data points and even data sources”
(p. 53). They further provide the following examples of questions answered
by big versus small data in health care:

o What are the effects of our immunization programs? versus Is my
child growing as expected?

o What are some the healthiest regions? versus Is this medication
improving my (or my patients’) blood pressure?

Small Data Examples

Disease and Procedure Indexes

Health care management often wants to know summary information about a
particular disease or treatment. Examples of questions that might be asked
are What is the most common diagnosis among patients treated in the facil­
ity? What percentage of patients with diabetes is African American? What is
the most common procedure performed on patients admitted with gastritis
(or heart attack or any other diagnosis)? Traditionally, such questions have
been answered by looking in disease and procedure indexes. Prior to EHRs
and their resulting databases, disease and procedure indexes were large
card catalogues or books that kept track of the numbers of diseases treated
and procedures occurring in a facility by disease and procedure codes. Now
that repositories of health care data are common, the disease and procedure
index function is generally handled as a component of the EHR. The retrieval
of information related to diseases and procedures is still based on ICD and
CPT codes, but the queries are limitless. Users can search the disease and
procedure database for general frequency statistics for any number of combi­
nations of data. Figure 2.6 is an example of a screen resulting from a query
for a specific patient, Iris Hale, who has been identified as a member of both
the Heart Failure and Hypertension registries.

Many other types of aggregate clinical reports are used by health
care providers and executives. Ad hoc reporting capability applied to
clinical databases gives providers and executives access to any number
of summary reports based on the data elements from patient health and
claims records.

Health Care Statistics

Utilization and performance statistics are routinely gathered for health care
executives. This information is needed for facility and health care provision

H E A L T H C A R E D A T A U S E S · 45

planning and improvement. Statistical reports can provide managers and
executives a snapshot of their organization’s performance.

Two categories of statistics directly related to inpatient stays are routinely
captured and reported. Many variations of these reports and others that drill
down to more granular level of data also exist.

• Census statistics. These data reveal the number of patients present
at any one time in a facility. Several commonly computed rates are
based on these census data, including the average daily census and bed
occupancy rates.

• Discharge statistics. This group of statistics is calculated from
data accumulated when patients are discharged. Some commonly
computed rates based on discharge statistics are average length of stay,
death rates, autopsy rates, infection rates, and consultation rates.

Outpatient facilities and group practices, specialty providers, and so on
also routinely collect utilization statistics. Some of the more common statis­
tics are average patient visits per month (or year) and percentage of patients
achieving a health status goal, such as immunizations or smoking cessa­
tion. The number of descriptive health care statistics that can be produced
is limitless. Health care organizations also track a wide variety of fi nancial

Figure 2.6 Sample heart failure and hypertension query screen

Source: Cerner Corporation (2016). Used with permission.

46 · C H A P T E R 2 : H E A L T H C A R E D A T A

performance, patient satisfaction, and employee satisfaction data. Patient
and employee data generally come from surveys that are routinely adminis­
tered. The body of data collected and analyzed is driven by the mission of
the organization, along with reporting requirements from state, federal, and
accrediting organizations.

Health care organizations also look to data to guide improved perfor­
mance and patient satisfaction. Performance data are essential to health
care leaders; however, because they are generally managed within a quality
or performance improvement department and are not derived from health
care data, per se, they will not be discussed in depth in this chapter. A few
significant external agencies that report performance data, however, will be
discussed in Chapter Nine.

Although each organization will determine which daily, monthly, and
yearly statistics they need to track based on their individual service missions,
Rachel Fields (2010) in an article published by Becker’s Hospital Review pro­
vides a list of ten common measures identified by a panel of fi ve hospital
leaders, as shown in Table 2.1.

Big Data Examples

Health care organizations today contend with data from EHRs, internal
databases, data warehouses, as well as the availability of data from the
growing volume of other health-related sources, such as diagnostic imaging
equipment, aggregated pharmaceutical research, social media, and personal
devices such as Fitbits and other wearable technologies. No longer is the data
needed to support health care decisions located within the organization or
any single data source. As we begin to manage populations and care con­
tinuums we have to bring together data from hospitals, physician practices,
long-term care facilities, the patient, and so on. These data needs are bigger
than the data needs we had (and still have) when we focused primarily on
inpatient care.

Big data is a practice that is applied to a wide range of uses across a wide
range of industries and efforts, including health care. There is no single big data
product, application, or technology, but big data is broadening the range of data
that may be important in caring for patients. For instance, in the case of Alz­
heimer’s and other chronic diseases such as diabetes and cancer, online social
sites not only provide a support community for like-minded patients but also
contain knowledge that can be mined for public health research, medication
use monitoring, and other health-related activities. Moreover, popular social
networks can be used to engage the public and monitor public perception and
response during flu epidemics and other public health threats (Glaser, 2014).

H E A L T H C A R E D A T A U S E S · 47

Table 2.1 Ten common hospital statistical measures

Daily Monthly Yearly

1. Quality measures, 4. Point-of-service cash
such as collections

Infection rates 5. Percentage of charity care

Patient falls 6. Percentage of budget spent

Overall mortality
for each department

2. Patient census
7. Door-to-discharge time

statistics 8. Patient satisfaction scores

By physician

By service line

3. Discharged but not
fi nal billed

9. Colleague satisfaction

10. Market share
and service line

Source: Fields (2010).

As important and perhaps more important than the data themselves are
the novel analytics that are being developed to analyze these data. In health
care we see an impressive range of analytics:

• Post-market surveillance of medication and device safety

• Comparative effectiveness research (CER)

• Assignment of risk, for example, readmissions

• Novel diagnostic and therapeutic algorithms in areas such as oncology

• Real-time status and process surveillance to determine, for example,
abnormal test follow-up performance and patient compliance with
treatment regimes

• Determination of structure including intent, for example, identifying
treatment patterns using a range of structured and unstructured and
EHR and non-EHR data

• Machine correction of data-quality problems

The potential impact of applying data analytics to big data is huge.
McKinsey & Company (Kayyil, Knott, & Van Kuiken, 2013) estimates that
big data initiatives could account for $300 to $450 billion in reduced
health care spending, or 12 to 17 percent of the $2.6 trillion baseline in
US health care costs. There are several early examples of possibly profound


48 · C H A P T E R 2 : H E A L T H C A R E D A T A

impact. For example, an analysis of the cumulative sum of monthly
hospitalizations because of myocardial infarction, among other clinical and
cost data, led to the discovery of arthritis drug Vioxx’s adverse effects
and its subsequent withdrawal from the market in 2004.

A Deloitte (2011) analysis identifi ed five areas of analysis that will be
crucial in the emerging era of providers being held more accountable for the
care delivered to a patient and a population:

• Population management analytics. Producing a variety of clinical
indicator and quality measure dashboards and reports to help improve
the health of a whole community, as well as help identify and manage
at-risk populations

• Provider profiling/physician performance analytics. Normalizing
(severity and case mix–adjusted profiling), evaluating, and reporting
the performance of individual providers (PCPs and specialists)
compared to established measures and goals

• Point of care (POC) health gap analytics. Identifying patient­
specifi c health care gaps and issuing a specifi c set of actionable
recommendations and notifi cations either to physicians at the point of
care or to patients via a patient portal or PHR

• Disease management. Defining best practice care protocols over
multiple care settings, enhancing the coordination of care, and
monitoring and improving adherence to best practice care protocols

• Cost modeling/performance risk management/comparative
effectiveness. Managing aggregated costs and performance risk and
integrating clinical information and clinical quality measures


Up to this point, this chapter has examined health care data and information
with a focus on the origins and uses of such. Changes to the health care
delivery system and payment reform are amending the ways in which we
use health care information. Traditionally, patient clinical and claims records
were used primarily to document episodic care or, at best, the care received
by an individual across the continuum, as long as that care was provided
through a single organization. In today’s environment, care providers, care
coordinators, analysts, and researchers are all looking to EHRs and electronic
claims records as a source of data beyond the episodic scope. Any discussion
of health care data analytics and big data include the EHR as a key data

H E A L T H C A R E D A T A Q U A L I T Y · 49

source. This expanded use of electronic records and the push for bigger and
better data analytics has raised the bar for ensuring the quality of the health
care data. Quality health care data has always been important, but the criteria
for what constitute high-quality data have shifted.

There are many operational definitions for quality. Two of the best known
were developed by the well-known quality “gurus,” Philip B. Crosby and
Joseph M. Juran. Crosby (1979) defines quality as “conformance to require­
ments” or conformance to standards. Juran (Juran & Gryna, 1988) defi nes
quality as “fitness for use,” products or services must be free of defi ciencies.
What these definitions have in common is that the criteria against which
quality is measured will change depending on the product, service, or use.
Herein lies the problem with adopting a single standard for health care data
quality—it depends on the use of the data.

EHRs evolved from patient medical records, whose central purpose was to
document and communicate episodes of patient care. Today EHRs are being
evaluated as source data for complex data analytics and clinical research.
Before an organization can measure the quality of the information it produces
and uses, it must establish data standards. And before it can establish data
standards it must identify all endorsed uses of the EHR.

Consider this scenario. EHRs contain two basic types of data: struc­
tured data that is quantifiable or predefined and unstructured data that is
narrative. Within a health care organization, the clinicians using the EHR
for patient care prefer unstructured data, because it is easier to dictate a
note than to follow a lengthy point and click pathway to create a struc­
tured note. The clinicians feel that the validation screens cost time that is
too valuable for them to waste. The researchers within the organization,
however, want as much of the data in the record as possible to be structured
to avoid missing data and data entry errors. What should the organization
adopt as its standard? Structured or unstructured data? Who will decide
and based on what criteria? This discussion between the primary use of
EHR data and secondary, or reuse, of data is likely to continue. However,
to effectively use EHR data to create new knowledge, either through ana­
lytics or research, will require HIT leaders to adopt the more stringent data
quality criteria posed by these uses. Wells, Nowacki, Chagin, and Kattan
(2013) identify missing data as particularly problematic when using the
EHR for research purposes. They further identify two main sources of
missing EHR data:

1. Data were not collected. A patient was never asked about a condition.
This is most likely directly related to the clinician’s lack of interest
in what would be considered irrelevant to the current episode of

50 · C H A P T E R 2 : H E A L T H C A R E D A T A

care. Few clinicians will take a full history, for example, at every

2. Documentation was not complete. The patient was asked, but it was
not noted in the record. This is common in the EHR when clinicians
only note positive values and leave negative values blank. For
example, if a patient states that he or she does not have a history
of cancer, no note will be made, either positive or negative. For a
researcher this creates issues. Is this missing data or a negative

Although there is no single common standard against which health care
data quality can be measured, there are useful frameworks for organizations
to use to evaluate health care quality (once the purpose for the data is clearly

The following section will examine two different frameworks for eval­
uating health care data quality. The first was developed by the American
Health Information Management Association (AHIMA) (Davoudi et al.,
2015), the second by Weiskopf and Weng (2013). The AHIMA framework
is set in the context of managing health care data quality across the enter­
prise. The Weiskopf and Weng framework was delineated after in-depth
research into the quality of data specifically found within an EHR, as cur­
rently used. Common health data quality issues will be examined using
each framework.

AHIMA Data Quality Characteristics

AHIMA developed and published a set of health care data quality character­
istics as a component of a comprehensive data quality management model.
They define data quality management as “the business processes that ensure
the integrity of an organization’s data during collection, application (includ­
ing aggregation), warehousing, and analysis” (Davoudi et al., 2015). These
characteristics are to be measured for conformance during the entire data
management process.

• Data accuracy. Data that refl ect correct, valid values are accurate.
Typographical errors in discharge summaries and misspelled names
are examples of inaccurate data.

• Data accessibility. Data that are not available to the decision makers
needing them are of no value to those decision makers.

H E A L T H C A R E D A T A Q U A L I T Y · 51

• Data comprehensiveness. All of the data required for a particular use
must be present and available to the user. Even relevant data may not
be useful when they are incomplete.

• Data consistency. Quality data are consistent. Use of an abbreviation
that has two different meanings is a good example of how lack of
consistency can lead to problems. For example, a nurse may use
the abbreviation CPR to mean cardiopulmonary resuscitation at one
time and computer-based patient record at another time, leading to

• Data currency. Many types of health care data become obsolete after a
period of time. A patient’s admitting diagnosis is often not the same as
the diagnosis recorded on discharge. If a health care executive needs a
report on the diagnoses treated during a particular time frame, which
of these two diagnoses should be included?

• Data defi nition. Clear definitions of data elements must be provided
so that current and future data users will understand what the data
mean. This issue is exacerbated in today’s health care environment of
collaboration across organizations.

• Data granularity. Data granularity is sometimes referred to as data
atomicity. That is, individual data elements are “atomic” in the sense
that they cannot be further subdivided. For example, a typical patient’s
name should generally be stored as three data elements (last name,
first name, middle name—”Smith” and “John” and “Allen”), not as a
single data element (“John Allen Smith”). Again, granularity is related
to the purpose for which the data are collected. Although it is possible
to subdivide a person’s birth date into separate fi elds for the month, the
date, and the year, this is usually not desirable. The birth date is at its
lowest practical level of granularity when used as a patient identifi er.
Values for data should be defined at the correct level for their use.

• Data precision. Precision often relates to numerical data. Precision
denotes how close to an actual size, weight, or other standard a
particular measurement is. Some health care data must be very
precise. For example, in figuring a drug dosage it is not all right
to round up to the nearest gram when the drug is to be dosed in

• Data relevancy. Data must be relevant to the purpose for which they
are collected. We could collect very accurate, timely data about a
patient’s color preferences or choice of hairdresser, but are these
matters relevant to the care of the patient?

52 · C H A P T E R 2 : H E A L T H C A R E D A T A

Table 2.2 Terms used in the literature to describe the fi ve common dimensions of
data quality

Completeness Correctness Concordance Plausibility Currency

Accessibility Accuracy Agreement Accuracy Recency
Accuracy Corrections made Consistency Believability Timeliness
Availability Errors Reliability Trustworthiness

Missingness Misleading Variation Validity
Omission Positive predictive

Presence Quality
Quality Validity
Rate of recording

Source: Weiskopf and Weng (2013). Reproduced with permission of Oxford University

• Data timeliness. Timeliness is a critical dimension in the quality of
many types of health care data. For example, critical lab values must
be available to the health care provider in a timely manner. Producing
accurate results after the patient has been discharged may be of little
or no value to the patient’s care.

Weiskopf and Weng Data Quality Dimensions

Weiskopf and Weng (2013) published a review article in the Journal of the
American Medical Informatics Association that identifi ed five dimensions of
EHR data quality. They based their findings on a pool of ninety-fi ve arti­
cles that examined EHR data quality. Their context was using the EHR for
research, that is, “reusing” the EHR data. Although different terms were
used in the articles, the authors were able to map the terms to one of the
five dimensions (see Table 2.2):

• Completeness: Is the truth about a patient present?

• Correctness: Is an element that is in the EHR true?

• Concordance: Is there agreement between elements in the EHR or
between the EHR and another data source?

• Plausibility: Does an element in the EHR make sense in light of other
knowledge about what that element is measuring?

H E A L T H C A R E D A T A Q U A L I T Y · 53

Problems with Reusing EHR Data:

Examples from the Literature

Botsis, T., Hartvigsen, G., Chen, F., & Weng, C. (2010). Secondary use
of EHR: Data quality issues and informatics opportunities. Summit on
Translational Bioinformatics, 2010, 1–5.

The authors report on data quality issues they encountered when
attempting to use data that originated in an EHR to conduct survival
analysis of pancreatic cancer patients treated at a large medical center
in New York City. They found that of 3,068 patients within the clini­
cal data warehouse, only 1,589 had appropriate disease documentation
within a pathology report. The sample size was further reduced to 522
when the researchers discovered incompleteness of key study variables.
Other instances of incompleteness and inaccuracies were found within
the remaining 522 subjects’ documentation, causing the researchers to
make inferences regarding some of the non-key study variables.

Bayley, K. B., Belnap, T., Savitz, L., Masica, A. L., Shah, N., & Fleming,
N. S. (2013). Challenges in using electronic health record data for CER.
Medical Care, 51(8 Suppl 3), S80–S86. doi:10.1097/mlr.0b013e31829b1d48

The authors conducted research to determine the “strengths and
challenges” of using EHRs for CER across four major health care systems
with mature EHR systems. They looked at comparing the effectiveness of
antihypertensive medications on blood pressure control for a population
of patients with hypertension who were being followed by primary care
providers within the health systems. Data quality problems that were
identifi ed included the following:

• Missing data

• Erroneous data

• Uninterpretable data

• Inconsistent data

• Text notes and noncoded data

The authors concluded that the potential for EHRs as a source of longi­
tudinal data for comparative effectiveness studies in populations is high,
but they note that “improving data quality within the EHR in order to
facilitate research will remain a challenge as long as research is seen as
a separate activity from clinical care.”

54 · C H A P T E R 2 : H E A L T H C A R E D A T A

• Currency: Is an element in the EHR a relevant representation of the
patient state at a given point in time?

The authors further identify completeness, correctness, and currency as
“fundamental,” stating that concordance and plausibility “appear to be proxies
for the fundamental dimensions when it is not possible to assess them directly.”

Strategies for Minimizing Data Quality Issues

As a beginning point, health care data standardization requires clear, con­
sistent definitions. One essential tool for identifying and ensuring the use of
standard data definitions is to use a data dictionary. AHIMA defines a data
dictionary as “a descriptive list of names (also called ‘representations’ or
‘displays’), definitions, and attributes of data elements to be collected in an
information system or database” (Dooling, Goyal, Hyde, Kadles, & White, 2014,
p. 7) (see Table 2.3).

Regardless of how well data are defined, however, errors in entry will
occur. These errors can be discussed in terms of two types of underlying
cause—systematic errors and random errors. Systematic errors are errors that
can be attributed to a flaw or discrepancy in the system or in adherence
to standard operating procedures or systems. Random errors, however, are
caused by carelessness, human error, or simply making a mistake.

Consider these scenarios:

• A nurse is required to document vital signs into each patient’s EHR
at the beginning of each visit. However, the data entry screen is
cumbersome and often the nurse must wait until the end of day and
go back to update the vital signs. On occasion the EHR locks up
and does not allow the nurse to update the information. This is an
example of a systematic error.

• A physician uses the structured history and physical module of the
EHR within her practice. However, to save time she cuts and pastes
information from one visit to another. During cutting and pasting,
she fails to reread her note and leaves in the wrong encounter date.
Although there are some elements of systematic error in this situation
(not following protocol), the error is primarily a random error.

Effective systems are needed to ensure preventable errors are minimized
and errors that are not preventable are easily detected and corrected. Clearly,
there are multiple points during data collection and processing when the
system design can reduce data errors.

H E A L T H C A R E D A T A Q U A L I T Y · 55

The Markle Foundation (2006, p. 4) argues that comprehensive data
quality programs are needed by health care organizations to prevent “dirty
data” and subsequently improve the quality of patient care. They propose that
a data quality program include “automated and human strategies”:

• Standardizing data entry fi elds and processes for entering data

• Instituting real-time quality checking, including the use of validation
and feedback loops

• Designing data elements to avoid errors (e.g., using check digits,

algorithms, and well-designed user interfaces)

• Developing and adhering to guidelines for documenting the care that
was provided

• Building human capacity, including training, awareness-building, and
organizational change

Health care data quality problems are exacerbated by inter-facility collab­
orations and health information exchange. Imagine standardizing processes
and definitions across multiple organizations.

Certainly, information technology has tremendous potential as a tool
for improving health care data quality. Through the use of electronic data
entry, users can be required to complete certain fields, prompted to add
information, or warned when a value is out of prescribed range. When
health care providers respond to a series of prompts, rather than dictating
a free-form narrative, they are reminded to include all necessary elements
of a health record entry. Data quality is improved when these systems also
incorporate error checking. Structured data entry, drop-down lists, and
templates can be incorporated to promote accuracy, consistency, and com­
pleteness (Wells et al., 2013). To date some of this potential for technology-
enhanced improvements has been realized, but many opportunities remain.
As noted in the Perspective many of the data in existing EHR systems are
recorded in an unstructured format, rather than in data fields designated to
contain specific pieces of information, which can lead to poor health care
data quality. Natural language processing (NLP) is a promising, evolving
technology that will enable efficient data extraction from the unstructured
components of the EHR, but it is not yet commonplace with health care

A clear example of data quality improvement achieved through informa­
tion technology is the result seen from incorporating medication adminis­
tration systems designed to prevent medication error. With structured data
input and sophisticated error prevention, these systems can signifi cantly

Table 2.3 Excerpt from data dictionary used by AHRQ surgical site infection risk stratifi cation/outcome detection

Table Field Datatype Description

PATIENT Include patients who had surgery that meet inclusion CPT, SNOMED,
or ICD-9 criteria between 1/1/2007 and 1/30/2009.

PATIENT DOB Date The birthdate for the patient

PATIENT PATIENT_ID Integer A unique ID for the patient

PATIENT DATA_SOURCE_ID Varchar(10) An identifi er for the source of the patient record data (UU, IHC, DH
for example)

DIAGNOSIS Include ICD-9 CM discharge codes within one month of surgery. A
list of included codes is in table 2 of Stevenson et al. AJIC vol 36 (3)

DIAGNOSIS DIAGNOSIS_ID Integer A unique ID for the diagnosis

DIAGNOSIS DIAGNOSIS_CODE Varchar(64) The code for the patient’s diagnosis

DIAGNOSIS DIAGNOSIS_CODE_ Varchar(64) The nomenclature that the diagnosis code is taken from
SOURCE (ICD9, etc.)

DIAGNOSIS CLINICAL_DTM Date The date and time of the diagnosis’s onset or exacerbation

MICROBIOLOGY Include all Microbiology specimens taken within one month before
or after a surgery. (For risk, this might be expanded to one year or

MICROBIOLOGY MICRO_ID Integer A unique ID for the procedure

MICROBIOLOGY SPECIMEN_CODE Varchar(64) The site that the specimen was collected from

MICROBIOLOGY SPECIMEN_CODE_ Varchar(64) The nomenclature that the specimen code is taken from (SNOMED,

MICROBIOLOGY PATHOGEN_CODE Varchar(64) The code of the pathogen cultured from the collected specimen

MICROBIOLOGY PATHOGEN_CODE_ Varchar(64) The nomenclature that the pathogen code is taken from (SNOMEN,

MICROBIOLOGY COLLECT_DTM Date The date and time the specimen was collected

ENCOUNTER Include all Encounters within one month before or after surgery.

ENCOUNTER ENCOUNTER_ID Integer A unique ID for the visit. This will serve to tie all of the different data
tables together via foreign key relationship.

ENCOUNTER ADMIT_DTM Date The admission date and time for a patient’s visit

ENCOUNTER DISCH_DTM Date The discharge date and time for a patient’s visit

ENCOUNTER ENCOUNTER_TYPE Varchar(64) The type of patient encounter such as inpatient, outpatient, observa­
tion, etc.

Source: Agency for Healthcare Research and Quality (2012).

58 · C H A P T E R 2 : H E A L T H C A R E D A T A

reduce medication errors. The challenge for the foreseeable future is to
balance the need for structured data with the associated costs (time and
money). Further in the future, new challenges will appear as the breadth
of data contained in patient records is likely to increase. Genomic and pro­
teomic data, along with enhanced behavioral and social data, are likely to
be captured (IOM, 2014). These added data will introduce new quality issues
to be resolved.


Without health care data and information, there would be no need for health
care information systems. Health care data and information are valuable
assets in health care organizations, and they must be managed similar to
other assets. To that end, health care executives need an understanding of
the sources of health care data and information and recognize the importance
of ensuring the quality of health data and information. In this chapter, after
defining health care data and information, we examined patient record and
claims content as sources for health care data. We looked at disease and
procedure indexes and health care statistics as examples of basic uses of
the health care data. The emerging use of data analytics and big data were
introduced and the chapter concluded with a discussion of two frameworks
for examining health care data quality and a discussion of how informa­
tion technology, in general, and the EHR, in particular, can be leveraged to
improve the quality of health care data.


Accountable Care Act (ACA)
American Hospital Association (AHA)
Big data
Comprehensive shared care plan

Consent and authorization forms
Continuum of care

CPT (Current Procedural Terminology)
Data accessibility
Data accuracy
Data comprehensiveness
Data consistency
Data currency
Data defi nition
Data granularity
Data precision
Data quality characteristics
Data relevancy

L E A R N I N G A C T I V I T I E S · 59

Data timeliness
Data warehouses
Diagnosis related group (DRG)
Diagnostic and procedural codes
Discharge summary
Disease and procedure indexes
Electronic health records (EHRs)
Electronic medical records

Episode of care
Healthcare Common Procedure

Coding System (HCPCS)
Health care data
Health care data quality
Health care information
Health care statistics
Health Insurance Portability and

Accountability Act (HIPAA)
Health record
History and physical
ICD-10 (International Classifi cation of

ICD-10-CM (Clinical Modifi cation)
ICD-10-PCS (Procedural Coding



Identifi cation screen
Imaging and X-ray reports
Laboratory reports
Legal health record (LHR)
Medical record
Medication record
The National Center of Health

Statistics (NVHS)
National Uniform Billing Committee

National Uniform Claim Committee

Office of Inspector General of the

Department of Health and Human
Services (HHS OIG)

Operative report
Pathology report
Physician’s orders
Population health
Problem list
Progress notes
Protected health information (PHI)
Small data

1. Contact a health care facility (hospital, nursing home, physician’s offi ce,
or other organization) to ask permission to view a sample of the health
records they maintain. Answer the following questions for each record:

a. What is the primary reason (or condition) for which the patient
was seen?

b. How long has the patient had this condition?

c. Did the patient have a procedure performed? If so, what

procedure(s) was (were) done?

60 · C H A P T E R 2 : H E A L T H C A R E D A T A

d. Did the patient experience any complications? If so, what were

e. How does the physician’s initial assessment of the patient compare
with the nurse’s initial assessment? Where in the record would you
find this information?

f. To where was the patient discharged?

g. What were the patient’s discharge orders or instructions? Where in
the record should you find this information?

2. Make an appointment to meet with the business manager at a
physician’s offi ce or health care clinic. Discuss the importance of
ICD-10 coding or CPT coding (or both) for that offi ce. Ask to view the
system that the offi ce uses to assign diagnostic and procedure codes.
After the visit, write a brief summary of your findings and impressions.

3. Visit What are the major responsibilities of the
Offi ce of Inspector General as they relate to coded health care data?
What other responsibilities related to health care fraud and abuse
does this offi ce have?

4. Consider a patient (real or imagined) with a chronic health condition.
Identify at least three actual health care providers that this patient
has seen in the past twelve months. Draw a diagram to illustrate the
timeline of the patient’s encounters. Considering these encounters,
how easy is it for each provider to share health care information
regarding this patient with the others? What are the barriers to the
communication and sharing of health care information? How will this
affect the patient’s overall care?

5. Contact a health care facility (hospital, nursing home, physicians’
offi ce, or other facility) to ask permission to view a sample of the
health records it maintains. These records may be in paper or
electronic form. For each record, answer the following questions
about data quality:

a. How would you assess the quality of the data in the patient’s


b. What proportion of the data in the patient’s medical record is
captured electronically? What information is recorded manually?
Do you think the method of capture affects the quality of the

c. How does the data quality compare with what you expected?

R E F E R E N C E S · 61


Agency for Healthcare Research and Quality. (2012). Improving the measurement of
surgical site infection risk stratification/outcome detection. Appendix C: Data dic­
tionary. Retrieved from ndings/fi nal-reports/

AHIMA. (2016). What is a personal health record (PHR)? Retrieved May 29, 2016,

Baker, A., Cronin, K., Conway, P., DeSalvo, K., Rajkumar, R., & Press,
M. (2016, May 18). Making the comprehensive shared care plan

a reality. Retrieved June 1, 2016, from


Bayley, K. B., Belnap, T., Savitz, L., Masica, A. L., Shah, N., & Fleming, N. S.
(2013). Challenges in using electronic health record data for CER. Medical
Care, 51(8 Suppl 3), S80–S86. doi:10.1097/mlr.0b013e31829b1d48

Botsis, T., Hartvigsen, G., Chen, F., & Weng, C. (2010). Secondary use of EHR: Data
quality issues and informatics opportunities. Summit on Translational Bioinfor­
matics, 2010, 1–5.

CDC. (2016). International classification of diseases, tenth revision. Clinical Modi­
fication (ICD-10-CM). Retrieved May 30, 2016, from

Centers for Medicare and Medicaid Services (CMS). (2013). Medicare billing: 837P
and form CMS-1500 [Brochure]. Retrieved March 2013 from https://www.cms.

Centers for Medicare and Medicaid Services (CMS). (2015). ICD-10-CM/PCS: The
next generation of coding [Brochure]. Retrieved May 30, 2016, from https://

Centers for Medicare and Medicaid Services (CMS). (2016a). Medicare billing: 837I
and form CMS-1450 [Brochure]. Retrieved May 30, 2016, from https://www.cms

Centers for Medicare and Medicaid Services (CMS). (2016b). 2016 ICD-10-CM and
GEMS. Retrieved August 2016 from

Centers for Medicare and Medicaid Services (CMS). (2016c). 2017 ICD-10 PCS and
GEMS. Retrieved August 2016 from

Crosby, P. B. (1979). Quality is free: The art of making quality certain. New York,
NY: McGraw-Hill.

Davoudi, S., Dooling, J., Glondys, B., Jones, T., Kadlec, L., Overgaard, S., . . .

62 · C H A P T E R 2 : H E A L T H C A R E D A T A

& Wendicke, A. (2015, Oct.). Data quality management model (2015
update). Journal of AHIMA, 86(10). Retrieved from

Deloitte Consulting. (2011) Integrated care organizations’ information technology
requirements. New York, NY: Author.

Dooling, J., Goyal, P., Hyde, L., Kadles, L., & White, S. (2014). Health data analysis
toolkit. Chicago, IL: AHIMA. Retrieved September 22, 2016, from http://library.

Fields, R. (2010, Sept. 2). 10 statistics your hospital should track. Becker’s Hospital
Review. Retrieved May 30, 2016, from

Garrett, P., & Seidman, J. (2011, Jan. 4). EMR vs. EHR—what is the difference?
Health IT Buzz. Retrieved May 30, 2016, from

Glaser, J. (2014, Dec. 9). Solving big problems with big data.

Retrieved October 11, 2016, from


Harris, Y., & Schneider, C. D. (2015). Health information technology in the United
States, 2015: Transition to a post-HITECH world (Ch. 4). Published jointly by
the Robert Wood Johnson Foundation, Mathematica Policy Research, Harvard
School of Public Health, and University of Michigan, School of Information.
Available online.

Health Information Management and Systems Society (HIMSS). (2014). Defi nition of
continuum of care [Brochure]. Retrieved June 1, 2016, from http://s3.amazonaws
.com/rdcms-himss/fi les/production/public/2014-05-14-Defi nitionContinuumofCare

Institute for Health Technology Transformation. (2012). Population health manage­
ment: A roadmap for provider-based automation in a new era of healthcare.
Retrieved May 29, 2016, from

Institute of Medicine (IOM). (2014) Capturing social and behavioral domains and
measures in electronic health records. Washington, DC: National Academies.

Johns, M. (1997). Information management for health professionals. Albany, NY:

The Joint Commission. (2016). Comprehensive accreditation manual for hospitals.
Oakbrook Terrace, IL: Author.

Juran, J. M., & Gryna, F. M. (1988). Juran’s quality control handbook. New York,
NY: McGraw-Hill.

Kayyil, B., Knott, D., & Van Kuiken, S. (2013). The “big data” revolution in health-
care. New York, NY: McKinsey and Co. Retrieved July 8, 2016, from http:// les/The_big-data_revolution_in_US_

R E F E R E N C E S · 63

Lee, F. W. (2002). Data and information management. In K. LaTour & S. Eich­
enwald (Eds.), Health information management concepts, principles, and
practice (pp.83–100). Chicago, IL: American Health Information Management

Macadamian. (n.d.). Big data vs. small data: Turning big data into actionable
insights. Retrieved August 3, 2016, from

Markle Foundation. (2006). Connecting for health common framework: Background
issues on data quality. Retrieved September 22, 2016, from http://www.markle
.org/sites/default/fi les/T5_Background_Issues_Data.pdf

National Learning Consortium. (2013). Legal health record policy template. Offi ce of
the National Coordinator for Health Information Technology. Retrieved August 18,
2016, from les/legal_health_policy_template.docx

National Uniform Billing Committee (NUBC). (2016). About us. Retrieved August
2016 from

National Uniform Claim Committee (NUCC). (2016). Who are we? Retrieved August
2016 from

Stoto, M. A. (2013, Feb. 21). Population health in the Affordable Care Act era.
Academy Health. Retrieved June 1, 2016, from https://www.academyhealth
.org/fi les/AH2013pophealth.pdf

Wells, B. J., Nowacki, A. S., Chagin, K., & Kattan, M. W. (2013). Strategies for
handling missing data in electronic health record derived data. EGEMs
(Generating Evidence & Methods to Improve Patient Outcomes), 1(3).

Weiskopf, N. G., & Weng, C. (2013). Methods and dimensions of electronic health
record data quality assessment: Enabling reuse for clinical research. Journal
of the American Medical Informatics Association, 20(1), 144–151. doi:10.1136/


Health Care

Information Systems


• To be able to identify the major types of administrative and
clinical information systems used in health care.

• To be able to give a brief explanation of the history and evolution
of health care information systems.

• To be able to discuss the key functions and capabilities of
electronic health record systems and current adoption rates in
hospitals, physician practices, and other settings.

• To be able to describe the use and adoption of personal health
records and patient portals.

• To be able to discuss current issues pertaining to the use of
HCIS systems including interoperability, usability, and health IT


66 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

After reading Chapters One and Two, you should have a general understanding
of the national health IT landscape and the types and uses of clinical and
administrative data captured in provider organizations. In this chapter we
build on these fundamental concepts and introduce health care information
systems, a broad category that includes clinical and administrative applica­
tions. We begin by providing a brief history and overview of information
systems used in health care provider organizations. The chapter focuses on the
electronic health record (EHR) and personal health record (PHR), including
patient portals and the major initiatives that have led to the adoption and
use of EHRs in hospitals and physician practices. Included is a discussion
on the state of EHR adoption and use in other health care settings, including
behavioral health, community health, and long-term care. Applications such as
computerized provider order entry and decision support are described in the
context of the EHR. (Note: Other health IT systems and applications needed to
support population health and value-based payment—such as patient engage­
ment tools, telemedicine, and telehealth—are described in Chapter Four.)
Finally, the chapter concludes with a discussion on important key issues in
the use of HCIS including usability, interoperability, and health IT safety.

We begin first with a brief review of key terms.


An information system (IS) is an arrangement of data (information), pro­
cesses, people, and information technology that interact to collect, process,
store, and provide as output the information needed to support the orga­
nization (Whitten & Bentley, 2007). Note that information technology is
a component of every information system. Information technology (IT) is
a contemporary term that describes the combination of computer technol­
ogy (hardware and software) with data and telecommunications technology
(data, image, and voice networks). Often in current management literature
the terms information system (IS) and information technology (IT) are used

Within the health care sector, health care IS and IT include a broad range
of applications and products and are used by a wide range of constituent groups
such as payers, government, life sciences, and patients, as well as providers and
provider organizations. For our purpose, however, we have chosen to focus on
health care information systems from the provider organization’s perspective.
The provider organization is the hospital, health system, physician practice,
integrated delivery system, nursing home, or rural health clinic. That is, it
is any setting where health-related services are delivered. The organization
(namely, the capacity, decisions about how health IT is applied, and incentives)

M A J O R H E A L T H C A R E I N F O R M A T I O N S Y S T E M S · 67

and the external environment (regulations and public opinion) are important
elements in how systems are used by clinicians and other users (IOM, 2011).
We also examine the use of patient engagement tools such as PHRs and secure
patient portals. Yet our focus is from an organization or provider perspective.


There are two primary categories of health care information systems: admin­
istrative and clinical. A simple way to distinguish them is by purpose and
the type of data they contain. An administrative information system (or
an administrative application) contains primarily administrative or fi nancial
data and is generally used to support the management functions and general
operations of the health care organization. For example, an administrative
information system might contain information used to manage personnel,
finances, materials, supplies, or equipment. It might be a system for human
resource management, materials management, patient accounting or billing,
or staff scheduling. Revenue cycle management is increasingly important to
health care organizations and generally includes the following:

• Charge capture

• Coding and documentation review

• Managed care contracting

• Denial management of claims

• Payment posting

• Accounts receivable follow-up

• Patient collections

• Reporting and benchmarking

By contrast, a clinical information system (or clinical application) contains
clinical or health-related information used by providers in diagnosing and
treating a patient and monitoring that patient’s care. Clinical information
systems may be departmental systems—such as radiology, pharmacy, or
laboratory systems—or clinical decision support, medication administration,
computerized provider order entry, or EHR systems, to name a few. They
may be limited in their scope to a single area of clinical information (for
example, radiology, pharmacy, or laboratory), or they may be comprehensive
and cover virtually all aspects of patient care (as an EHR system does, for
example). Table 3.1 lists common types of clinical and administrative health
care information systems.

68 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

Health care organizations, particularly those that have implemented EHR
systems, generally provide patients with access to their information electron­
ically through a patient portal. A patient portal is a secure website through
which patients may communicate with their provider, request refill on pre­
scriptions, schedule appointments, review test results, or pay bills (Emont,
2011). Another term that is frequently used is personal health record (PHR).
Different from an EHR or patient portal, which is managed by the provider
or health care organization, the PHR is managed by the consumer. It may

Table 3.1. Common types of administrative and clinical information systems

Administrative Applications Clinical Applications

Patient administration systems

Admission, discharge, transfer (ADT)
tracks the patient’ s movement of care in an
inpatient setting

Registration may be coupled with ADT
system; includes patient demographic and
insurance information as well as date of
visit(s), provider information

Scheduling aids in the scheduling of
patient visits; includes information on
patients, providers, date and time of visit,
rooms, equipment, other resources

Patient billing or accounts receivable
includes all information needed to submit
claims and monitor submission and
reimbursement status

Utilization management tracks use and
appropriateness of care

Other administrative and fi nancial

Accounts payable monitors money owed to
other organizations for purchased products
and services

General ledger monitors general fi nancial
management and reporting

Ancillary information systems

Laboratory information supports
collection, verifi cation, and reporting of
laboratory tests

Radiology information supports digital
image generation (picture archiving and
communication systems [PACS]), image
analysis, image management

Pharmacy information supports
medication ordering, dispensing, and
inventory control; drug compatibility
checks; allergy screening; medication

Other clinical information systems

Nursing documentation facilitates
nursing documentation from assessment
to evaluation, patient care decision
support (care planning, assessment, fl ow-
sheet charting, patient acuity, patient

Electronic health record (EHR)
facilitates electronic capture and
reporting of patient’ s health history,
problem lists, treatment and outcomes;
allows clinicians to document clinical
findings, progress notes, and other patient
information; provides decision-support
tools and reminders and alerts

H I S T O R Y A N D E V O L U T I O N · 69

Administrative Applications Clinical Applications

Personnel management manages human
resource information for staff, including
salaries, benefi ts, education, and training

Materials management monitors ordering
and inventory of supplies, equipment needs,
and maintenance

Payroll manages information about staff
salaries, payroll deductions, tax withholding,
and pay status

Staff scheduling assists in scheduling and
monitoring staffi ng needs

Staff time and attendance tracks employee
work schedules and attendance

Revenue cycle management monitors the
entire fl ow of revenue generation from charge
capture to patient collection; generally relies
on integration of a host of administrative and
fi nancial applications

Computerized provider order entry
(CPOE) enables clinicians to directly enter
orders electronically and access decision-
support tools and clinical care guidelines
and protocols

Telemedicine and telehealth supports
remote delivery of care; common features
include image capture and transmission,
voice and video conferencing, text

Rehabilitation service documentation
supports the capturing and reporting of
occupational therapy, physical therapy,
and speech pathology services

Medication administration is typically
used by nurses to document medication
given, dose, and time

include health information and wellness information, such as an individual’s
exercise and diet. The consumer decides who has access to the information
and controls the content of the record. The adoption and use of patient portals
and PHRs are discussed further on in this chapter. For now, we begin with
a brief historical overview of how these various clinical and administrative
systems evolved in health care.


Since the 1960s, the development and use of health care information systems
has changed dramatically with advances in technology and the impact of
environmental influences and payment reform (see Figure 3.1). In the 1960s to
1970s, health care executives invested primarily in administrative and fi nan­
cial information systems that could automate the patient billing process and
facilitate accurate Medicare cost reporting. The administrative applications
that were used were generally found in large hospitals, such as those affi li­
ated with academic medical centers. These larger health care organizations
were often the only ones with the resources and staff available to develop,

70 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

Figure 3.1 History and evolution of health care information systems (1960s to today)

implement, and support such systems. It was common for these facilities to
develop their own administrative and financial applications in-house in what
were then known as “data processing” departments. The systems themselves
ran on large mainframe computers, which had to be housed in large, envi­
ronmentally controlled settings. Recognizing that small, community-based
hospitals could not bear the cost of an in-house, mainframe system, leading
vendors began to offer shared systems, so called because they enabled hospi­
tals to share the use of a mainframe with other hospitals. Vendors typically
charged participating hospitals for computer time and storage, for the number
of terminal connects, and for reports.

By the 1970s, departmental systems such as clinical laboratory or
pharmacy systems began to be developed, coinciding with the advent
of minicomputers. Minicomputers were smaller and more powerful than
some of the mainframe computers and available at a cost that could be
justified by revenue-generating departments. Clinical applications includ­
ing departmental systems such as laboratory, pharmacy, and radiology
systems became more commonplace. Most systems were stand-alone and
did not interface well with other clinical and administrative systems in the

The 1980s brought a significant turning point in the use of health care
information systems primarily because of the development of the micro­
computer, also known as the personal computer (PC). Sweeping changes
in reimbursement practices designed to rein in high costs of health care
also had a significant impact. In 1982, Medicare shifted from a cost-based
reimbursement system to a prospective payment system based on diagnosis
related groups (DRGs). This new payment system had a profound effect on

H I S T O R Y A N D E V O L U T I O N · 71

hospital billing practices. Reimbursement amounts were now dependent on
the accuracy of the patient’s diagnosis and procedures(s) and other informa­
tion contained in the patient’s record. With hospital reimbursement changes
occurring, the advent of the microcomputer could not have been more timely.
The microcomputer was smaller, often as or more powerful, and far more
affordable than a mainframe computer. Additionally, the microcomputer was
not confined to large hospitals. It brought computing capabilities to a host
of smaller organizations including small community hospitals, physician
practices, and other care delivery settings. Sharing information among micro­
computers also became possible with the development of local area networks.
The notion of best of breed systems was also common; individual clinical
departments would select the best application or system for meeting their
unique unit’s needs and attempt to get the “systems to talk to each other”
using interface engines.

Rapid technological advances continued into the 1990s, with the most
profound being the evolution and widespread use of the Internet and elec­
tronic mail (e-mail). The Internet provided health care consumers, patients,
providers, and industries with access to the World Wide Web and new and
innovative opportunities to access care, promote services, and share infor­
mation. Concurrently, the Institute of Medicine (IOM, 1991) published its fi rst
landmark report The Computer-Based Patient Record: An Essential Technology
for Health Care, which called for the widespread adoption of computerized
patient records (CPRs) as the standard by the year 2001. CPRs were the
precursor to what we refer to today as EHR systems. Numerous studies had
revealed the problems with paper-based medical records (Burnum, 1989;
Hershey, McAloon, & Bertram, 1989; IOM, 1991). Records are often illegible,
incomplete, or unavailable when and where they are needed. They lack any
type of active decision-support capability and make data collection and anal­
ysis very cumbersome. This passive role for the medical record was no longer
sufficient. Health care providers needed access to active tools that afforded
them clinical decision-support capabilities and access to the latest relevant
research findings, reminders, alerts, and other knowledge aids. Along with
patients, they needed access to systems that would support the integration
of care across the continuum.

By the start of the new millennium, health care quality and patient safety
emerged as top priorities. In 2000, the IOM published the report To Err Is
Human: Building a Safer Health Care System, which brought national attention
to research estimating that 44,000 to 98,000 patients die each year to medical
errors. Since then, additional reports have indicated that these fi gures are
grossly underestimated and the incidents of medical errors are much higher

72 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

(Classen et al., 2011; James, 2013; Makary & Daniel, 2016;). A subsequent
report, Patient Safety: Achieving a New Standard of Care (2004), called for
health care providers to adopt information technology to help prevent and
reduce errors because of illegible prescriptions, drug-to-drug interactions,
and lost medical records, for example.

By 2009, the US government launched an “unprecedented effort to reengi­
neer” the way we capture, store, and use health information (Blumenthal,
2011, p. 2323). This effort was realized in the Health Information Technology
for Economic and Clinical Health (HITECH) Act. Nearly $30 billion was set
aside over a ten-year period to support the adoption and Meaningful Use
of EHRs and other types of health information technology with the goal
of improving health and health care. Rarely, if ever, have we seen public
investments in the advancement of health information technology of this
magnitude (Blumenthal, 2011). Interest also grew in engaging patients more
fully in providing access to their EHR through patient portals or the concept
of a PHR. We have also seen significant advances in telemedicine and tele­
health, cloud computing, and mobile applications that monitor and track a
wide range of health data.


Features and Functions

Let’s first examine the features and functions of an EHR because it is core
to patient care. An EHR can electronically collect and store patient data,
supply that information to providers on request, permit clinicians to enter
orders directly into a computerized provider order entry (CPOE) system,
and advise health care practitioners by providing decision-support tools such
as reminders, alerts, and access to the latest research findings or appropriate
evidence-based guidelines. CPOE at its most basic level is a computer appli­
cation that accepts provider orders electronically, replacing handwritten or
verbal orders and prescriptions. Most CPOE systems provide physicians and
other providers with decision-support capabilities at the point of ordering.
For example, an order for a laboratory test might trigger an alert to the
provider that the test has already been ordered and the results are pending.
An order for a drug to which the patient is allergic might trigger an alert
warning to the provider of an alternative drug. These decision-support capa­
bilities make the EHR far more robust than a digital version of the paper
medical record.

Figure 3.2 illustrates an EHR alert reminding the clinician that the patient
is allergic to certain medication or that two medications should not be taken

E L E C T R O N I C H E A L T H R E C O R D S · 73

Figure 3.2 Sample drug alert screen

Source: Medical University of South Carolina, Epic. Used with permission.

in combination with each other. Reminders might also show that the patient
is due for a health maintenance test such as a mammography or a cholesterol
test or for an influenza vaccine (Figure 3.2).

Up until the passage of the HITECH Act of 2009, EHR adoption and use
was fairly low. HITECH made available incentive money through the Medi­
care and Medicaid EHR Incentive Programs for eligible professionals and
hospitals to adopt and become “meaningful users” of EHR. As mentioned in
Chapter One, the Meaningful Use criteria were established and rolled out in
three phases. Each phase built on the previous phase in an effort to further
the advancement and use of EHR technology as a strategy to improve the
nation’s health outcome policy priorities:

• Improve health care quality, safety, and effi ciency and reduce health

• Engage patients and families in their health care.

• Improve care coordination.

• Improve population and public health.

• Ensure adequate privacy and security of personal health information.

To accomplish these goals and facilitate patient engagement in managing
their health and care, health care organizations provide patients with access
to their records typically through a patient portal. A patient portal is a
secure website through which patients can electronically access their medical
records. Portals often also enable users to complete forms online, schedule
appointments, communicate with providers, request refills on prescriptions,
review test results, or pay bills (Emont, 2011) (see Figure 3.3). Some provid­
ers offer patients the opportunity to schedule e-visits for a limited number
of nonurgent medical conditions such as allergic skin reactions, colds, and

74 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

Figure 3.3 Sample patient portal

Source: Medical University of South Carolina.

EHR Adoption Rates in US Hospitals

As of 2015, nearly 84 percent of US nonfederal acute care hospitals had
adopted basic EHR systems representing a nine-fold increase from 2008
(Henry, Pylypchuck, Searcy, & Patel, 2016) (see Figure 3.4). Table 3.2 lists
the difference functionality between a basic system and a fully functional
system (DesRoches et al., 2008). A key distinguishing characteristic is fully
functional EHRs provide order entry capabilities (beyond ordering medica­
tions) and decision-support capabilities.

The Veterans Administration (VA) has used an EHR system for years,
enabling any veteran treated at any VA hospital to have electronic access to
his or her EHR. Likewise, the US Department of Defense is under contract
with Cerner to replace its EHR system. EHR adoption among specialty hos­
pitals such as children’s (55 percent) and psychiatric hospitals (15 percent)
is significantly lower than general medicine hospitals because these types
of hospitals were not eligible for HITECH incentive payments. Small, rural,
and critical access hospitals that have historically lagged behind in EHR
adoption are now closing the gap with general acute care hospitals (Henry
et al., 2016).

E L E C T R O N I C H E A L T H R E C O R D S · 75

Figure 3.4 Percent of non-federal acute care hospitals with adoption of at least a
basic EHR with notes system and position of a certifi ed EHR: 2008–2015

Note: Basic EHR adoption requires the EHR system to have a set of EHR functions
defined in Table 3.2. A certified EHR is EHR technology that meets the technological
capability, functionality, and security requirements adopted by the Department of
Health and Human Services. Possession means that the hospital has a legal agreement
with the EHR vendor but is not equivalent to adoption. *Signifi cantly different from
previous year (p<0.05).
Source: ONC (2015a).

EHR Adoption in Office-Based Physician Practices

In addition to EHR use in hospitals, we have also seen signifi cant increases
in the adoption and use of EHR systems among offi ce-based physician prac­
tices. By 2014, 79 percent of primary care physicians had adopted a certifi ed
EHR system and 70 percent of medical and surgical specialties had as well
(Heisey-Grove & Patel, 2015) (see Figure 3.5).

Ninety-eight percent of physicians in community health centers had
adopted an EHR, three-quarters of them using a certified EHR. Not surpris­
ingly, physicians in solo and small group practices were less likely to have
adopted EHR systems (Heisey-Grove & Patel, 2015).

EHR Adoption in Other Settings

Less is known nationally about EHR adoption rates in settings other than
hospitals and physician practices. Among home health and hospice agencies,

76 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

Table 3.2 Functions defining the use of EHRs

Fully Functional
Basic System


Health Information Data

Patient demographics X

Patient problem lists X

Electronic lists of medications taken by


Clinical notes X X

Notes including medical history and



Order Entry Management

Orders for prescriptions X X

Orders for laboratory tests X

Orders for radiology tests X

Prescriptions sent electronically X

Orders sent electronically X

Results Management

Viewing laboratory results X X

Viewing imaging results X X

Electronic images returned X

Clinical Decision Support

Warnings of drug interactions or

contraindications provided

Out-of-range test levels highlighted X

Reminders regarding guidelines-based


interventions or screening

the latest national estimates based on data from the 2007 National Home

and Hospice Care survey indicate that 44 percent of home health and

hospice agencies have adopted EHR systems (16 percent EHRs only and 28

percent EHRs and mobile technologies such as tablets or hand-held devices


E L E C T R O N I C H E A L T H R E C O R D S · 77

Figure 3.5. Offi ce-based physician practice EHR adoption since 2004

Source: ONC (2015a).

used to gather information at the point of care) (Bercovitz, Park-Lee, &
Jamoom, 2013).

Some states, such as New York, have attempted to assess EHR adoption in
long-term care facilities such as nursing homes. One study found that among
473 nursing homes in New York, 56.3 percent had implemented an EHR
system (Abramson, Edwards, Silver, & Kaushal, 2014). Among the nursing
homes that did not have EHRs, the majority had plans to implement one
within two years. One-fifth had plans to implement one in more than two
years, and 11.7 percent had no EHR implementation plans (Abramson et al.,
2014). The majority of nursing homes indicated the biggest barriers to health
IT investment were the initial cost, a lack of IT staff members, and the lack
of fiscal incentives. National estimates on EHR adoption in long-term care are
nearly nonexistent. Most are qualitative studies examining the experiences
of early adopters (Cherry, Ford, & Peterson, 2011).

Impact of EHR Systems

Numerous studies over the years have demonstrated the value of using EHR
systems and other types of clinical applications within health care organi­
zations. The majority of benefits fall into three broad categories: (1) quality,
outcomes, and safety; (2) efficiency, improved revenues, and cost reduction;
and (3) provider and patient satisfaction. Following is a brief discussion of
these major categories, along with several recent examples and reports illus­
trating the value of EHRs to the health care process. It is important to note,
however, that despite the benefits, some studies have found mixed results or
negative consequences.

78 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

• Quality, outcomes, and safety. EHR systems can have a signifi cant
impact on patient quality, outcomes, and safety. Three major effects
on quality are increased adherence to evidence-based care, enhanced
surveillance and monitoring, and decreased medication errors. Banger
and Graber (2015) recently conducted a review of the literature on the
impact of health IT (including EHR systems) on patient quality and
safety and found four major systematic reviews had been conducted
from 2006 through 2014 each using a consistent methodology (Buntin,
Burke, Hoaglin, & Blumenthal, 2011; Chaudhry et al., 2006; Goldzweig,
Towfigh, Maglione, & Shekelle, 2009; Jones, Rudin, Perry, & Shekelle,
2014). Two of the reviews were published before the HITECH Act
and two afterward. Collectively, 59 percent of the studies examined
demonstrated positive effects on quality and safety, 25 percent had
mixed-positive outcomes, 9 percent were neutral, and 8 percent
were negative (Banger & Graber, 2015). Limitations of most of the
earlier studies were based on the fact that they did not include many
commercially available EHR systems. Since then, more than half of EHR
evaluation studies involved commercially available EHR systems (Jones
et al., 2014). Findings from the most recent systematic review conclude
that CPOE effectively decreases medication errors. Hydari, Telang,
and Marella (2014) studied the incidence of adverse patient safety
events reported from 231 Pennsylvania hospitals from 2005 to 2012
in relation to their level of health IT use. After controlling for several
possibly confounding factors, the authors found that hospitals adopting
advanced EHRs (as defined by HIMSS) experienced a 27 percent overall
reduction in reported patient safety events. Using advanced EHRs was
associated with a 30 percent decline in medication errors and a 25
percent decline in procedure-related errors (Hydari et al., 2014).

• Efficiency, improved revenue, and cost reduction. In addition to
improving quality and safety, some studies have shown that the EHR
can improve effi ciency, increase revenues, and lead to cost reductions
(Barlow, Johnson, & Steck, 2004; Grieger, Cohen, & Krusch, 2007). A
fairly recent study by Howley, Chou, Hansen, and Dalrymple (2014)
examined the financial impact of EHRs on ambulatory practices
by tracking the productivity (e.g., the number of patient visits)
and reimbursement of thirty practices for two years after EHR
implementation. They found that practice revenues increased during
EHR implementation despite seeing fewer patients. Another study
looked at seventeen primary care clinics that used EHR systems and
found that the clinics recovered their EHR investments within an
average period of ten months (95 percent CI 6.2–17.4 months), seeing

E L E C T R O N I C H E A L T H R E C O R D S · 79

more patients with an average increase of 27 percent in the active­
patients-to-clinicians full-time equivalent ratio, and an increase in the
clinic net revenue (p<.001) (Jang, Lortie, & Sanche, 2014).

• Provider and patient satisfaction. Provider and patient satisfaction
are common factors to assess when implementing EHR systems.
Results from satisfaction surveys are often mixed. In a 2008 national
survey of physicians, 90 percent of providers using EHRs reported
they were satisfi ed or very satisfi ed with them and a large majority
could point to specifi c quality benefi ts (DesRoches et al., 2008). Those
who had systems in place for two or more years were more likely
to be satisfi ed (Menachemi, Powers, Au, & Brooks, 2010). A study
that examined EHR satisfaction among obstetrics/gynecology (OB/
GYN) physicians found that 63 percent reported being satisfi ed with
their EHR system, and nearly 31 percent were not satisfi ed (Raglan,
Margolis, Paulus, & Schulkin, 2014). Among study participants,
younger OB/GYN physicians were more satisfi ed with their EHR than
older physicians. A study by Rand (in collaboration with the AMA)
found that although many physicians approved of EHRs in concept
(for example, they appreciated the fact that they could remotely access
patient information and provide improved patient care), they expressed
frustrations with usability and work fl ow (Friedberg et al., 2013).
The time-consuming nature of data entry, interference with face-to­
face patient care, ineffi ciency, and the inability to exchange health
information between EHR products led to dissatisfaction. Physicians
across the full range of specialties and practice models also described
other concerns regarding the degradation of clinical documentation.

Among US hospitals, a 2011 national study found that those with EHRs
had significantly higher patient satisfaction scores on items such as “staff
always giving patients information about what to do for the recovery at home,”
“patients rating the hospital as a 9 or 10 overall,” and “patients would defi ­
nitely recommend the hospital to others” than hospitals that did not (Kazley,
Diana, Ford, & Menachemi, 2011, p. 26). Yet the same study found that the
EHR use was not statistically associated with other patient satisfaction mea­
sures (such as having clean rooms) that one would not expect to be affected
by EHR use. A more recent study by Jarvis and colleagues (2013) assessed the
impact of using advanced EHRs (as defined as Stages 6 or 7 on the HIMSS
Analytics EMR Adoption Model [EMRAM] level of health IT adoption) on
hospital quality patient satisfaction using a composite score for measuring
patient experience. (See the following Perspective.) They found that hospitals
with the most advanced EHRs had the greatest gains in improving clinical

80 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

process of care scores, without negatively affecting the patient experience
(Jarvis et al., 2013). Another study found that physicians using EHRS that met
Meaningful Use criteria and had two or more years EHR experience were more
likely to report clinical benefits (King, Patel, Jamoon, & Furukawa, 2014).

Limitations and Need for Further Research

Not all studies have demonstrated positive outcomes from using EHR systems.
For example, the same EHR or clinical information system can be imple­
mented in different organizations and have different results. As example of
variability, two children’s hospitals implemented the same EHR (including
CPOE) in their pediatric intensive care units. One hospital experienced a
significant increase in mortality (Han et al., 2005), and the other did not (Del
Beccaro, Jeffries, Eisenberg, & Harry, 2006). The hospital that experienced an
increase in mortality noted that several implementation factors contributed
to the deterioration in quality; specific order sets for critical care were not
created, changes in workflow were not well executed, and orders for patients
arriving via critical care transportation could not be written before the
patient arrived at the hospital, delaying life-saving treatments. Many factors
can influence the successful use and adoption of EHR systems. These are
discussed more fully in Chapter Six.


In addition to EHRs and patient portals, the broader concept of a personal
health record has emerged in recent years. Initially, the PHR was envisioned
as a tool to enable individuals to keep their own health records, and they
could share information electronically with their physicians or other health
care professionals and receive advice, reminders, test results, and alerts
from them. Unlike the EHR and patient portal, which is managed by health
care provider organizations, the PHR is managed by the consumer. It may
include health and wellness information, such as an individual’s exercise
and diet. The consumer decides who has access to the information and con­
trols the content of the record. Personal data the consumer gathers through
use of health apps such as My Fitness Pal or Fitbits may be included.

What is the value of the PHR, and how does it relate to the EHR? Tang
and Lansky (2005) believe the PHR enables individuals to serve as copilots
in their own care. Patients can receive customized content based on their
needs, values, and preferences. PHRs should be lifelong and comprehensive
and should support information exchange and portability. Patients are often
seen by multiple health care providers in different settings and locations over

P E R S O N A L H E A L T H R E C O R D S · 81

HIMSS Analytics EHR Adoption Levels among US Hospitals

Stage Cumulative Capabilities 2016—Q1

Stage 7 Complete EHR is used; data warehousing and
data analytics is used to improve care; clinical
information can be shared via standardized
electronic transactions across continuum of care.


Stage 6 Physician documentation with structured templates
and discrete data is implemented for at least one
inpatient area. Full CCSS. The closed loop medication
administration with bar coding is used. The fi ve rights
of medication administration are verifi ed.


Stage 5 A full complement of radiology PACS system provides
medical images to physicians via an intranet.


Stage 4 Computerized provider order entry (CPOE) used to
create orders; CDSS is used with clinical protocols.


Stage 3 Nursing/clinical documentation has been implemented
including electronic medication administration
record (MAR); clinical decision support (CDS)
capabilities allow for error checking with order
entry. Medical image access from picture archive and
communication systems (PACS) is available within


Stage 2 Major clinical systems feed into clinical data repository
(CDR) that enables viewing of orders and results.
CDR contains a controlled medical vocabulary, and
clinical decision support system (CDSS) capabilities.
Hospital may have health information exchange
(HIE) capabilities and can share CDR information
with patient care stakeholders.


Stage 1 All three major ancillary clinical systems (laboratory,
pharmacy, radiology) are installed.


Stage 0 All three key ancillary department systems (laboratory,
pharmacy, radiology) are not installed.



Source: Adapted from HIMSS Analytics EMR Adoption Model (EMRAM).
© HIMSS Analytics 2016. Retrieved from­
vider-solutions. Used with permission.

82 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

the course of a lifetime. In our fragmented health care system, this means
patients are often left to consolidate information from the various participants
in their care. A PHR that brings together important health information across
an individual’s lifetime and that is safe, secure, portable, and easily acces­
sible can reduce costs by avoiding unnecessary duplicate tests and improv­
ing health care communications. The concept of patient portals and PHRs
are also inherent in the CMS Meaningful Use program. Stage 3 Meaningful
Use recommendations (originally scheduled for implementation in 2017 but
now under policy reconsideration) state that patients should be able to (1)
communicate electronically using secure messaging, (2) access patient edu­
cation materials on the Internet, (3) generate health data into their providers’
EHRs, and (4) view, download, and transmit their provider-managed EHRs.
Taken together, Ford, Hesse, and Huerta (2016) argue that these requirements
outline the basic functionalities of a consumer-managed PHR.

Ford and his colleagues (2016) examined US consumers PHR use over
time, the factors that influence use, and projected the diffusion of PHR under
three scenarios. Not surprisingly, they found that consumers were increas­
ingly using electronic means for storing health data and communicating with
their clinical providers. An estimated 5 percent of consumers used PHRs in
2008, and by 2013, this number had reached 17 percent (Ford et al., 2016),
still relatively low. Using various prediction models, they estimate that PHR
use will increase significantly within the next decade.

PHRs and personal health applications have the potential to positively
affect medication adherence and quality of life for patients with chronic dis­
eases. For example, a recent controlled study examined the impact of a text-
based message reminder system on medication adherence among adolescents
with asthma (Johnson et al., 2016). Compared to adolescents in the control
group, they found improvements in self-reported medication adherence (p =
.011), quality of life (p = .037), and self-effi cacy (p = .016). System use varied
considerably, however, with lower use among African American adolescents
(Johnson et al., 2016).

Consumers are also increasingly capturing health, wellness, and clin­
ical data about themselves using a wide range of mobile technologies and
applications—everything from wrist-worn devices that track steps and sleep
patterns to web-based food diaries, networked weight scales, and blood pres­
sure machines (Rosenbloom, 2016). They also use social media networks to
connect with others who share a similar health condition. Such approaches
are referred to as person-generated health data (PGHD) technologies given
that consumers may use these technologies independent of situations in
which they are patients per se. According to Rosenbloom (2016) the fi eld
of PGHD and related technologies is in its infancy, particularly in studying

K E Y I S S U E S A N D C H A L L E N G E S · 83

the real value these technologies add to health care delivery. Shaw and his
colleagues (2016) found, for example, that individuals with chronic illnesses
(who may have the most to benefi t from using mobile health devices) may be
less likely to adopt and use these devices compared to healthy individuals.
As health care organizations and providers move to managing population
health and cohorts of patients under value-based payment models, the use
of such technologies with certain populations of patients may be incredibly
useful. Chapter Four discusses further the health IT tools needed to support
population health management.


Despite the proliferation in the adoption and use of EHR systems, health care
providers and organizations still face critical issues and challenges related
to interoperability, usability, and health IT safety. Following is a brief dis­
cussion of each.


In simple terms, interoperability is “the ability of a system to exchange elec­
tronic health information with and use electronic health information from
other systems without special effort on the part of the [user]” (Institute
for Electrical and Electronics Engineering [IEEE], n.d.). The ONC’s report
Connecting Health and Care for the Nation: A Shared Nationwide Interoper­
ability Roadmap (ONC, 2015a) describes the importance of interoperability
in a creating a “learning health system” in which “health information fl ows
seamlessly and is available to the right people, at the right place, at the
right time.” The overarching vision of a learning health system is to put
patients at the center of their care—“where providers can easily access and
use secure health information from different sources; where an individual’s
health information is not limited to what is stored in EHRs, but includes
information from other sources (including technologies that individuals use)
and portrays a longitudinal picture of their health, not just episodes of care;
where diagnostic tests are only repeated when necessary, because the infor­
mation is readily available; and where public health agencies and researchers
can rapidly learn, develop and deliver cutting edge treatments” (ONC, 2015a,
p. vi) (see Figure 3.6).

Today, providers are challenged to knit together multiple EHRs, fi nan­
cial systems, and analytic solutions in an effort to effectively manage
population health and facilitate care coordination. As health care providers

Source: ONC (2015a).

84 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

Figure 3.6 The ONC’s roadmap to interoperability

and organizations coalesce to manage performance and utilization risk
in their communities, they need high degrees of interoperability among
these systems (Glaser, 2015). The systems must also fit well into the
clinical workflow and patient care process while ensuring patient safety
and quality. Additionally, interoperability will enable data generated by
personal fitness and wearable devices to be included in the patient’s EHR
(Glaser, 2015).

True interoperability has yet to be realized. Several factors make interop­
erability among health care information systems complicated. EHR systems
are often developed using different platforms with inconsistent use of stan­
dards, no universal patient identifier exists, and pulling together from a wide
range of sources is complicated (Glaser, 2015). Moreover, historically there
has not been a great deal of incentive for providers to share information, nor
for health IT vendors to bridge together a number of different systems, giving
rise to the concept of information blocking. According to the ONC, informa­
tion blocking occurs “when persons or entities knowingly and unreasonably
interfere with exchange or use of electronic health information” (ONC, 2015b).
The concept of information blocking implies that the entity intentionally and
knowingly interferes with sharing the data and is objectively unreasonable
in light of public policy. The ONC has developed comprehensive strategies for
identifying, deterring, and remedying information blocking and coordinat­
ing with other federal agencies that can investigate and take action against
certain types of information blocking.

The ONC Roadmap to Interoperability postulates that work is needed in
three critical areas: (1) requiring standards, (2) motivating the use of those
standards through appropriate incentives, and (3) creating a trusted environ­
ment for collecting, sharing, and using electronic health information. Broad

K E Y I S S U E S A N D C H A L L E N G E S · 85

stakeholder involvement is critical to achieving interoperability. Stakeholders
include those who receive or support care, those who deliver care, those who
pay for care, and people and organizations that support health IT capabilities,
oversight of health care organizations, and those who develop and maintain
standards (ONC, 2015b). (See the following Perspective.) In addition to the
ONC, which resides in the Department of Health and Human Services, CMS
and state governments also play key roles in advancing interoperability.
Statewide health information exchanges can be found in Massachusetts, New
York, and Delaware (Glaser, 2015). Interoperability efforts and standards
development are discussed more fully in Chapter Ten.

Partnerships are also occurring within the private sector to advance
interoperability among systems by creating standards and promoting the
sharing of data. CommonWell Health Alliance has created and implemented
patient identification and record-locating service capabilities, Carequality
is developing an interoperability and governance framework, and the Argo­
naut Project is testing the next generation of interoperability standards.
Glaser (2015) argues that we must focus on several important goals in
making interoperability in health care a reality by doing the following:

• Advancing standards development and pursuing new technical

approaches to effecting standards-based interoperability

• Strengthening sanctions, perhaps through the certifi cation process, to
minimize business practices that thwart interoperability

• Increasing transparency of vendor and provider progress in achieving

• Developing a trust framework that balances the need for effi cient
exchange with the privacy rights of patients

• Promoting collaborative multi-stakeholder efforts, such as
CommonWell Health Alliance, Carequality, and eHealth Initiative

• Encouraging provider-led activities within communities to broaden
the range of interconnections and include stakeholders such as safety
net providers

• Creating a governance mechanism that ensures an effective
interchange across a wide range of health information exchanges

• Making reimbursement changes that emphasize care coordination and
population health management, all of which must continue to evolve
and be implemented

Unfortunately, there is no silver bullet or easy road to achieving true
interoperability. However, with collaboration among stakeholders, appropriate

86 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

Connecting Health and Care for the Nation: A Shared Nationwide Interoper­
ability Roadmap (ONC, 2015b) was released by the Office of the National
Coordinator for Health Information Technology in 2015. This document
was published as a companion to the Connecting Health and Care for the
Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastruc­
ture. The following facts are taken from the Roadmap and its companion
infographic, Shared Nationwide Interoperability Roadmap: The Journey to
Better Health and Care. This outline lists progress toward interoperability
since 2009, the current state of health care supporting the need for interop­
erability, and the future goals and selected payer and outcome milestones
for achieving the ultimate in interoperability, “learning health systems
in which health information flows seamlessly and is available to the right
people, at the right place, at the right time” (ONC, 2015a).

Selected Historical Interoperability Achievements

2009 16% of hospitals and 21% of providers adopted basic EHRs.
2011 27% of hospitals and 34% of providers adopted EHRs.
2013 94% of nonfederal acute care hospitals use a certifi ed EHR.

78% of offi ce-based physicians use an EHR.
62% of hospitals electronically exchanged health information
with providers outside their system.

2014 80% of hospitals can electronically query other organizations
for health information.
14% of office-based providers electronically share patient
information with other providers.

Current State of Health Care

• One in three consumers must provide his or her own health informa­
tion when seeking care for a medical problem.

• A typical Medicare benefi ciary sees seven providers annually.

• A typical primary care physician has to coordinate care with 229
other physicians working in 117 practices.

• Eighty to ninety percent of health determinants are not related to
health care.

K E Y I S S U E S A N D C H A L L E N G E S · 87

The ONC Roadmap to Interoperability

• One in eight Americans tracks a health metric using technology.

• It takes seventeen years for evidence to go from research to practice.

Barriers to Interoperability

• States have different laws and regulations making it diffi cult to share
health information across state lines.

• Health information is not suffi ciently standardized.

• Payment incentives are not aligned to support interoperability.

• Privacy laws differ and are misinterpreted.

• There is a lack of trust among health care providers and consumers.

2015–2017 Goal and Milestones
Goal: Send, receive, find, and use priority data domains to improve health
care quality and outcomes

Roadmap Milestones for a Supportive Payment and Regulatory
Environment and Outcomes

CMS will aim to administer 30 percent of all Medicare payments to
providers through alternative payment models that reward quality
and value and encourage interoperability by the end of 2016.

A majority of individuals are able to securely access their elec­
tronic health information and direct it to the destination of their

Providers evolve care processes and information reconciliation to
ensure essential health information is sent, found, or received to
support safe transitions in care.

ONC, federal partners, and stakeholders develop a set of measures
assessing interoperable exchanges and the impact of interoperability
on key processes that enable improved health and health care.

2018–2020 Goal and Milestones
Goal: Expand interoperable health IT and users to improve health and
lower cost

88 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

Roadmap Milestones for a Supportive Payment and Regulatory
Environment and Outcomes

CMS will administer 50 percent of all Medicare payments to pro­
viders through alternative payment models that reward quality and
value by the end of 2018.

Individuals regularly access and contribute to their longitudinal
electronic health information via health IT, send and receive that
information through a variety of emerging technologies, and use that
information to manage their health and participate in shared deci­
sion making with their care, support, and service teams.

Providers routinely and proactively seek outside information about
individuals and can use it to coordinate care.

Public and private stakeholders report on progress toward interop­
erable exchange, including identifying barriers to interoperability,
lessons learned, and impacts of interoperability on health outcomes
and costs.

incentives, and keeping the patient at the center of our work and efforts,
secure and efficient interoperability is certainly within reach.


In addition to interoperability concerns, clinicians often express frustration
with the usability of EHR systems and other clinical information systems. In
fact, 55 percent of physicians reported that it was difficult or very diffi cult
to use. Common frustrations include confusing displays, iconography that
lacks consistency and intuitive meaning, and the feeling that systems do not
support clinicians’ cognitive workflow or inhibit them from easily drawing
insights or conclusions from the data. Similarly, physicians who participated
in a Rand study (Friedberg et al., 2013) felt that EHR data entry was time-con­
suming, interfered with face-to-face patient care, and was overall ineffi cient.
They also reported that inability to exchange health information and the deg­
radation of clinical documentation were of concern. Others argue that poor
usability of EHR systems not only contributes to clinician frustration but also
can lead to errors and patient safety concerns (Meeks, Smith, Taylor, Sittig,

K E Y I S S U E S A N D C H A L L E N G E S · 89

2020–2024 Goal and Milestones
Goal: Achieve nationwide interoperability to enable a learning health system

Roadmap Milestones for a Supportive Payment and Regulatory
Environment and Outcomes

The federal government will use value-based payment models as the
dominant mode of payment for providers.

Individuals are able to seamlessly integrate and compile longitudi­
nal electronic health information across online tools, mobile plat­
forms, and devices to participate in shared decision making with
their care, support, and service teams.

Providers routinely use relevant info from a variety of sources,
including environmental, occupational, genetic, human service, and
cutting-edge research evidence, to tailor care to the individual.

Public and private stakeholders report on progress on key metrics
identifi ed to achieve a learning health system.

Source: ONC (2015a).

Scott, & Singh, 2014; Sittig & Singh, 2011). In essence, usability refers to “the
effectiveness, efficiency, and satisfaction with which the intended users can
achieve their tasks in the intended context of produce use” (Bevan, 2001).
Smartphones are typically viewed as having high usability, because they
require little training and are intuitive to use. In fact, we often see young
children navigating them before they can even talk!

Given the importance of system usability, a task force was formed by the
American Medical Informatics Association (Middleton et al., 2013) to study
the issue. They identified key recommendations on critical usability issues,
particularly those that may adversely affect patient safety and the quality of
care. The recommendations fall into four categories: (1) usability and human
factors research, (2) policy recommendations, (3) industry recommendations,
and (4) clinical end user recommendations. (See the Perspective.)

As one can discern from AMIA’s task force recommendations, usability is
a multifaceted issue and one that requires thoughtful research, standardiza­
tion and interoperability, a common user interface style guide, and systems
for identifying best practices and monitoring use as well as adverse events
that may affect patient safety.

90 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

AMIA EHR Usability Recommendations

1. Usability and human factors research agenda in health IT

a. Prioritize standardized use cases.

b. Develop a core set of measures for adverse events related to
health IT use.

c. Research and promote best practices for safe implementation of

2. Policy recommendations

d. Standardization and interoperability across EHR systems should
take account of usability concerns.

e. Establish an adverse event reporting system for health IT and
voluntary health IT event reporting.

f. Develop and disseminate an educational campaign on the safe
and effective use of EHR.

3. Industry recommendations

g. Develop a common user interface style guide for select EHR

h. Perform formal usability assessments on patient-safety sensitive
EHR functionalities.

4. Clinical end user recommendations

i. Adopt best practices for EHR implementation and ongoing

j. Monitor how IT systems are used and report IT-related adverse

Source: Middleton et al. (2013). Reproduced with permission of Oxford Univer­
sity Press.

K E Y I S S U E S A N D C H A L L E N G E S · 91

Health IT Safety

In 2011, the Institute of Medicine published a report titled Health IT and
Patient Safety: Building Safer Systems for Better Care in which they outlined
a number of recommendations to ensure health IT systems are safe. In brief,
they suggest that safety is a shared responsibility between vendors and health
care organizations and requires the following:

• Building systems using user-centered design principles with adequate
testing and simulation

• Embedding safety considerations throughout the implementation

• Developing and publishing best practices

• Having accreditation agencies (such as the Joint Commission) assume
a signifi cant role in testing as part of their accreditation criteria

• Focusing on shared learning and transparency

• Creating a nonpunitive environment for reporting (IOM, 2011)

Since then, the topic of health IT safety has grown in importance as more
EHR systems have been deployed. Health IT patient safety concerns include
adverse events that reached the patient, near misses that did not reach the
patient, or unsafe conditions that increased the likelihood of a safety event
(Meeks et al., 2014). Such events are often difficult to define and detect.
Consequently, Singh and Sittig (2016) have developed a health IT safety
measurement framework that takes into account eight technological and
nontechnological dimensions or sociotechnical dimensions (see Table 3.3).

The Health IT Safety Framework provides a conceptual framework for
defining and measuring health IT–related patient safety issues. The frame­
work is also built on continuous quality improvement methods that require
stakeholders to ask themselves, How are we doing? Can we do better? How
can we do better (Singh & Sittig, 2016)? In fact, Singh and Sittig (2016) argue
that it is essential that clinicians and leaders make health IT patient safety
an organizational priority by ensuring that the governance structure facil­
itates measuring and monitoring and creating an environment that is con­
ducive to detecting, fixing, and learning from system vulnerabilities. Meeks
and colleagues (2014) used a variation of the Health IT Safety Framework
in analyzing one hundred different EHR-related safety concerns reported to
and investigated by the VA’s Informatics Patient Safety Office, which is a
voluntary reporting system. The major categories of errors were because of
(1) unmet display needs (mismatch between information needs and content

92 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

Table 3.3 Sociotechnical dimensions

Dimension Description

Hardware and software Computing infrastructure used to support and operate
clinical applications and devices

Clinical content The text, numeric data, and images that constitute the
“language” of clinical applications, including clinical
decision support

Human-computer All aspects of technology that users can see, touch, or
interface hear as they interact with it

People Everyone who is involved with patient care and/or
interacts in some way with health care delivery
(including technology). This would include patients,
clinicians and other health care personnel, IT
developers and other IT personnel, informaticians

Workfl ow and Processes to ensure that patient care is carried out
communication effectively, effi ciently, and safely

Internal organizational Policies, procedures, the physical work environment,
features and the organizational culture that govern how the

system is configured, who uses it, and where and
how it is used

External rules and Federal or state rules (e.g., CMS’s Physician Quality
regulations Reporting Initiative, HIPAA, and Meaningful Use

program) and billing requirements that facilitate or
constrain the other dimensions

Measurement and Evaluating both intended and unintended
monitoring consequences through a variety of prospective and

retrospective, quantitative, and qualitative methods

Source: Reproduced from Measuring and Improving Patient Safety through Health
Information Technology: The Health IT Safety Framework, Singh and Sittig, 25: p.228,
2016. With permission from BMJ Publishing Group Ltd.

display; (2) software modifications (concerns about upgrades, modifi ca­
tions, or configurations); (3) system-to-system interfacing (concerns about
failure of interfacing between systems); and (4) hidden dependencies on
distributed systems (one component of the EHR is unexpectedly or unknow­
ingly affected by the state or condition of another component) (Meeks et al.,
2014). They concluded that because EHR-related safety concerns have soci­
otechnical origins and are multifaceted, health care organizations should
build a robust infrastructure to monitor and learn from them.

K E Y T E R M S · 93

Numerous factors can affect the safety and effective use of health care
information systems—everything from poor usability to software glitches
to unexpected downtime or cyber attacks. Health care executives should be
aware of these issues and vulnerabilities and ensure their organizations have
in place mechanisms to prevent, detect, monitor, and address adverse events
that may affect patient safety and quality of care.


This chapter provided an overview of health care information systems
including administrative and clinical information systems. We gave a brief
history of the evolution of the use of information systems in health care.
Special attention was given to the adoption, use, and features of EHR
systems, patient portals, and PHR systems. We also summarized recent
literature on the value of EHR systems, which may be categorized into
three main areas: (1) quality, outcomes, and safety; (2) effi ciency, improved
revenues, and cost reduction; and (3) provider and patient satisfaction.
Limitations to research findings were noted along with the need for future
research. Key issues related to the use of health care information systems
were discussed including interoperability, usability, and health IT safety. The
chapter concludes with a discussion of a health IT safety framework that may
be useful to health care leaders in preventing, detecting, and monitoring
health IT–related patient safety issues.

Administrative information system Information blocking
Best of breed Interoperability
Clinical information systems Learning health systems
Computerized provider order entry Mainframe computers

(CPOE) Microcomputer
Electronic health record (EHR) Minicomputers
Health IT safety Patient portals
HIMSS Analytics EMR Adoption Personal health record (PHR)

Model (EMRAM) Usability

94 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S


1. Search the literature and find at least one article describing the
adoption and use of one administrative or clinical information
system. Summarize the article for your classmates and discuss it with
them. What are the key points of the article? What learned lessons
does it describe?

2. Visit a health care organization that uses one of the clinical
applications described in this chapter. Find out how the application’s
value is measured or assessed. What do the providers think of it?
Health care executives? Nurses? Support staff members? What impact
has it had on quality? Patient safety? Effi ciency? Satisfaction?

3. Conduct a literature review on interoperability in health care. What
progress has been made to date? What challenges lie ahead? How do
you think we may overcome these challenges?

4. Interview a CIO or health IT professional in your community
regarding interoperability and health information exchange. To
what extent is the organization exchanging health information
electronically with others? What are the barriers and facilitators to
the exchange?

5. Visit a health care organization (outside of a hospital or physician
practice) to examine the types and use of information systems
used. What are the major management issues related to the use of
information systems in this setting? Discuss strategies for addressing
these issues.

6. Interview a CMIO or other health care executive to investigate how
health IT safety events are detected, monitored, and addressed in his
or her organization. How does the organization’s approach take into
consideration the factors described in the Singh and Sittig’s Health IT
Safety Framework?


Abramson, E. L., Edwards, A., Silver, M., & Kaushal, R. (2014). Trending health
information technology adoption among New York nursing homes. The Ameri­
can Journal of Managed Care, 20(Special Issue), eSP53–eSP59.

Banger, A., & Graber, M. L. (2015). Recent evidence that health IT improves patient
safety: Issue brief. RTI International. Retrieved July 28, 2016, from https://

R E F E R E N C E S · 95

Barlow, S., Johnson, J., & Steck, J. (2004). The economic effect of implementing an
EMR in an outpatient clinical setting. Journal of Healthcare Information Man­
agement, 18(1), 46–51.

Bercovitz, A. R., Park-Lee, E., & Jamoom, E. (2013). Adoption and use of electronic
health records and mobile technology by home health and hospice care agen­
cies. National health statistics report, no 66. Hyattsville, MD: National Center
for Health Statistics.

Bevan, N. (2001). International standards for HCI and usability. International
Journal of Human-Computer Studies, 55, 533–552.

Blumenthal, D. (2011). Wiring the health system—origins and provisions of a new
federal program: Part one of two. New England Journal of Medicine, 365(24),

Buntin, M. B., Burke, M. F., Hoaglin, M. C., & Blumenthal, D. (2011). The benefi ts
of health information technology: A review of the recent literature shows pre­
dominantly positive results. Health Affairs, 30(3), 464–471.

Burnum, J. (1989). The misinformation era: The fall of the medical record. Annals
of Internal Medicine, 110, 482–484.

Chaudhry, B., Wang, J., Wu, S., Maglione, M., Mojica, W., Roth, E., . . . & Shek­
elle, P. G. (2006). Systematic review: Impact of health information technology
on quality, efficiency, and costs of medical care. Annals of Internal Medicine,
144(10), 742–752.

Cherry, B. J., Ford, E. W., & Peterson, L. T. (2011). Experiences with electronic
health records: Early adopters in long term care facilities. Health Care Manage­
ment Review, 36(3), 265–274.

Classen, D., Resar, R., Griffin, F., Federico, F., Frankel, T, . . . & James, B. C. (2011).
Global “trigger tool” shows that adverse events in hospitals may be ten times
greater than previously measured. Health Affairs, 30(4), 581–589.

Del Beccaro, M. A., Jeffries, H. E., Eisenberg, M. A., & Harry, E. D. (2006). Com­
puterized provider order entry implementation: No association with increased
mortality rates in an intensive care unit. Pediatrics, 118, 290–295.

DesRoches, C. M., Campbell, E. G., Rao, S. R., Donelan, K., Ferris, T. G., Jha, A., . . .
& Blumenthal, D. (2008). Electronic health records in ambulatory care: A
national survey of physicians. New England Journal of Medicine, 359(1), 50–60.

Emont, S. (2011). Measuring the impact of patient portals: What the literature tells
us. Oakland, CA: California HealthCare Foundation.

Ford, E. W., Hesse, B. W., & Huerta, T. R. (2016). Personal health record use in the
United States: Forecasting future adoption levels. Journal of Medical Internet
Research, 18(3), e73.

Friedberg, M. W., Chen, P. G., Van Busum, K. R., Aunon, F., Pham, C., Caloyeras,
J. P. Mattke, S., Pitchforth, E., . . . & Tutty, P. (2013). Factors affecting physician
professional satisfaction and their implications for patient care, health systems,

96 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

and health policy. Santa Monica, CA: Rand Corporation. Retrieved August 3,
2016, from

Glaser, J. (2015, April 14). Interoperability: A promise unfulfi lled. Hospitals and
Health Networks.

Goldzweig, C. L., Towfigh, A., Maglione, M., & Shekelle, P. G. (2009). Costs and
benefits of health information technology: New trends from the literature.
Health Affairs, 28(2), w282–w293.

Grieger, D. L., Cohen, S. H., & Krusch, D. (2007). A pilot study to document the
return on investment for implementing an ambulatory electronic health record
at an academic medical center. Journal of the American College of Surgeons,
205(1), 89–96.

Han, Y. Y., Carcillo, J. A., Venkataraman, S. T., Clark, R., Watson, R. S., Nguyen, T.
C., & Orr, R. A. (2005). Unexpected increased mortality after implementation
of a commercially sold computerized physician order entry system. Pediatrics,
116(6), 1506–1512.

Heisey-Grove, D., & Patel, V. (2015, Sept.). Any, certified or basic: Quantifying phy­
sician EHR adoption. ONC Data Brief, No. 28. Washington, DC: Office of the
National Coordinator for Health Information Technology.

Henry, J., Pylypchuck, Y., Searcy, Y., & Patel, V. (2016, May). Adoption of electronic
health record systems among US non-federal acute care hospitals: 2008–2015.
ONC Data Brief, No. 35. Washington, DC: Office of the National Coordinator for
Health Information Technology.

Hershey, C., McAloon, M., & Bertram, D. (1989). The new medical practice environ­
ment: Internists’ view of the future. Archives of Internal Medicine, 149, 1745–1749.

HIMSS Analytics. (n.d.). EMR adoption model (EMRAM). Retrieved from http://

Howley, M. J., Chou, E. Y., Hansen, N., & Dalrymple, P. W. (2014). The long-term
financial impact of electronic health record implementation. Journal of the
American Medical Informatics Association, 2015(22), 443–452. Retrieved from

Hydari, M. Z., Telang, R., & Marella, W. M. (2014). Saving patient Ryan: Can
advanced medical records make patient care safer. Retrieved from https://

IEEE. (n.d.) Interoperability. Standards glossary. Retrieved from

Institute of Medicine (IOM). (1991). The computer based patient record: An essential
technology for health care. Washington, DC: National Academies Press.

Institute of Medicine (IOM). (2011). Health IT and patient safety: Building safer
systems for better care. Washington, DC: National Academies Press.

James, J.T.A. (2013). A new evidence-based estimate of patient harm associated
with hospital care. Journal of Patient Safety, 9, 122–128.

R E F E R E N C E S · 97

Jang, Y., Lortie, M. A., & Sanche, S. (2014). Return on investment in electronic health
records in primary care practices: A mixed-methods study. Journal of Medical
Informatics, 2(2), e25. Retrieved from

Jarvis, B., Johnson, T., Butler, P., O’Shaughnessy, K., Fullam, F., Tran, L., & Gupta,
R. (2013). Assessing the impact of electronic health records as an enabler of
hospital quality and patient satisfaction. Academic Medicine, 88(10), 1471–1477.

Johnson, K. B., Patterson, B. L., Ho, Y., Chen, Q., Nian, H., Davison, C. L., Slagle,
J., & Mulvaney, S. A. (2016). The feasibility of text reminders to improve med­
ication adherence in adolescents with asthma. The Journal of the American
Medical Informatics Association, 21(3), 449–455.

Jones, S., Rudin, R., Perry, T., & Shekelle, P. (2014). Health information technol­
ogy: An updated systematic review with a focus on meaningful use. Annals of
Internal Medicine, 160, 48–54.

Kazley, A. S., Diana, M. D., Ford, E., & Menachemi, N. (2011). Is EHR use associated
with patient satisfaction in hospitals? Health Care Management Review, 37(1).

King, J., Patel, V., Jamoom, E. W., & Furukawa, M. F. (2014). Clinical benefi ts of
electronic health record use: National fi ndings. Health Services Research, 49(1),

Makary, M. A., & Daniel, M. (2016, May 3). Medical error—the third leading cause
of death in the US. British Medical Journal, 353, i2139. Retrieved August 3,
2016, from

Meeks, D. W., Smith, M. W., Taylor, L., Sittig, D. F., Scott, J. M., & Singh, H. (2014).
An analysis of electronic health record-related patient safety concerns. Journal
of the American Medical Informatics Association, 21, 1053–1059.

Menachemi, N., Powers, T, Au, D. W., & Brooks, R. G. (2010). Predictors of phy­
sician satisfaction among electronic health record system users. Journal of
Healthcare Quality, 32(1), 35–41.

Middleton, B., Bloomrosen, M., Dente, M. A., Hashmat, B., Koppel, R., Overhage,
J. M., Payne, T. H., Rosenbloom, S. T., Weaver, C., & Zhang, J. (2013, June).
Enhancing patient safety and quality of care by improving the usability of
electronic health record systems: Recommendations from AMIA. Journal of the
American Medical Informatics Association, 20, e2–e8.

ONC. (2015a). Connecting health and care for the nation: A shared nation­
wide interoperability roadmap. Final version 1.0. Retrieved July 11,
2016, from

ONC. (2015b). Report to Congress on health information blocking. Retrieved
August 3, 2016, from les/reports/

Raglan, G. B., Margolis, B., Paulus, R. A., & Schulkin, J. (2014). Electronic health
record adoption among obstetricians/gynecologists in the United States:

98 · C H A P T E R 3 : H E A L T H C A R E I N F O R M A T I O N   S Y S T E M S

Physician practices and satisfaction. Journal for Healthcare Quality. Retrieved

August 3, 2016, from

Rosenbloom, S.T. (2016). Personal-generated health and wellness data for health
care. Journal of the American Medical Informatics Association, 23(3), 438–439.

Shaw, R. J., Steinberg, D. M., Bonnet, J., Modarai, F., George, A., Cunningham, T.,
Mason, M., Shahsahebi, M., Grambow, S. C., Bennett, G. G., & Bowsorth, H. B.
(2016). Mobile health devices: Will patients actually use them? Journal of the
American Medical Informatics Association, 23(3), 462–466.

Sittig, D. F., & Singh, H. (2011). Defining health information technology-related
errors. Archives in Internal Medicine, 171(14), 1281–1284.

Singh, H., & Sittig, D. F. (2016). Measuring and improving patient safety through
health information technology: The health IT safety framework. BMJ Quality
and Safety, 25, 226–232.

Tang, P. C., & Lansky, D. (2005). The missing link: Bridging the patient-provider
health information gap. Health Affairs, 24(5), 1290–1295.

Whitten, J., & Bentley, L. (2007). Systems analysis and design methods (7th ed.).
New York, NY: McGraw-Hill/Irvin.


Information Systems

to Support Population

Health Management


• To be able to understand the data and information needs of
health systems in managing population health effectively under
value-based payment models.

• To be able to discuss key health IT tools and strategies for
population health management including EHRs, registries,
risk stratifi cation, patient engagement, and outreach, care
coordination and management, analytics, health information
exchange, and telemedicine and telehealth.

• To be able to discuss the application and use of data analytics to
monitor, predict, and improve performance.


100 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

The enactment of the Affordable Care Act (ACA) brought about sweeping
legislation intended to reduce the numbers of uninsured and make health
care accessible to all Americans. It also ushered in an era in which chang­
ing reimbursement and care delivery models are driving providers from the
current fragmented system focused on volume-based services to an outcomes
orientation. As a result, the health care system now taking shape is one in
which value-based payment models financially reward patient-centered, coor­
dinated, accountable care.

Against this backdrop, providers’ increasing use of evidence-based med­
icine and growing capabilities in managing volumes of clinical evidence
through sophisticated health IT systems will mean that treatments can be
tailored for the individual and interventions can be made earlier to keep
patients well. Furthermore, patient engagement is fast becoming a critical
component in the care process, particularly in the area of population health
management (PHM).

Health care providers’ interest in improving population health appears to
be increasing because of the sudden ubiquity of the phrase, because many
are participating in accountable care organizations (ACOs), and because
even hospitals not participating in an ACO increasingly have incentives to
reduce their number of potentially unavoidable admissions, readmissions,
and emergency department visits (Casalino, Erb, Joshi, & Shortell, 2015).

In this chapter we’ll not only seek a common understanding of PHM but
also explore how the advent of shared accountability fi nancial arrangements
between providers and purchasers of care has created significant focus on
PHM. We’ll also review the core processes associated with accountable care
and examine the strategic IT investments and data management capabilities
required to support population health management and enable a successful
transition from volume-based to value-based care.


Although the ACO model is still new and evolving, approximately 750 ACOs
are in operation today, covering some 23.5 million lives under Medicare,
Medicaid, and private insurers. Although not all ACOs have demonstrated
success in delivering better health outcomes at a lower cost, many have
achieved promising results (Houston & McGinnis, 2016). As such, signifi cant
ACO growth is expected. In fact, it is predicted that upward of 105 million
people will be covered by an ACO by 2020 (Leavitt Partners, 2015).

Similarly, although the industry’s move to value-based payment is also in
its early stages, value-based contracts are expected to substantially increase
throughout the next decade. CMS has a stated goal that 50 percent of Medicare

P H M : K E Y T O S U C C E S S · 101

payments will be tied to alternative payment models by the end of 2018 (US
DHHS, 2015). In fact, the projected impact of MACRA, which we discussed
in Chapter One, on the adoption of value-based payment models is expected
to rival the impact of Meaningful Use on adoption of EHRs. In addition, the
substantial payment reform activity at the federal level is paralleled by private
insurers’ efforts to support value-based payment and new models of care. For
example, Aetna expects that 75 percent of its contracts will be value-based
by 2020 (Jaspen, 2015).

These trends will accelerate the demand for services and technology
that enable health systems and other organizations (health plans, Medicaid,
community-based organizations, employers, and so forth) to jointly manage
the health and care of populations—either as an ACO or in an ACO-like
fashion. Although diverse, these organizations will all have a common need
to improve operational efficiency, drive better patient outcomes while reduc­
ing the overall cost of care, and effectively engage consumers in managing
their health and care.

Although the new reimbursement system is still taking shape, it’s clear
that population health management will become a required core competency
for provider organizations in a post fee-for-service payment environment
(Institute for Health Technology Transformation, 2012).

Understanding Population Health Management

Population health as a concept first appeared in 2003 when David Kindig and
Greg Stoddart (2003) defined it as “the health outcomes of a group of individ­
uals, including the distribution of such outcomes within the group” (p. 380).

It is important to note that medical care is only one of many factors
that affect those outcomes. Other factors include public health interventions;
aspects of the social environment (income, education, employment, social
support, and culture); the physical environment (urban design, clean air and
water); genetics; and individual behavior (Institute for Health Technology
Transformation, 2012). “Improving the health of populations” was later iden­
tified as one element in the Institute for Healthcare Improvement’s triple aim
for improving the US health care system, along with improving the individual
experience of care and reducing the per capita cost of care (Berwick, Nolan
& Whittington, 2008, p. 759).

Today, population health management comprises the proactive application
of strategies and interventions to defined groups of individuals (e.g., diabetics,
cancer patients with tumor regrowth, the elderly with multiple comorbidities)
to improve the health of individuals within the group at the lowest cost. PHM
interventions are designed to maintain and improve people’s health across


102 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

the full continuum of care—from low-risk, healthy individuals to high-risk
individuals with one or more chronic conditions (Felt-Lisk & Higgins, 2011).
PHM also seeks to minimize the need for expensive encounters with the
health care system, such as emergency department visits, hospitalizations,
imaging tests, and procedures. This not only lowers costs but also redefi nes
health care as an activity that encompasses far more than sick care, because
it systematically addresses the preventative and chronic care needs of every
patient—not just high-risk patients who generate the majority of health care
costs (Institute for Health Technology Transformation, 2012).

Although population health can also mean the health of the entire popu­
lation in a geographic area, the population health efforts most health systems
and ACOs are undertaking are aimed at providing better preventive and
medical care for the “population” of patients “attributed” to their organiza­
tions by Medicare, Medicaid, or private health insurers (Casalino et al., 2015).

New Care Delivery and Payment Models: The Link to PHM

As we know, historically, there has been a lack of accountability for the total
care of patients, the outcomes of their treatment, and the  effi ciency with
which health resources are used. The fact that health care services are paid
primarily on a fee-for-service basis has contributed to the fragmentation and
lack of accountability. Fee-for-service emphasizes the provision of health ser­
vices by individual hospitals or providers rather than care that is coordinated
across providers to address the patient’s needs. Providers are rewarded for
volume and for conducting procedures that are often more complex, when
simpler, lower-cost, better methods may be more appropriate (Guterman  &
Drake, 2010).

Value-based care is emerging as a solution to address rising health care
costs, clinical inefficiency and duplication of services, and to make it easier
for people to get the appropriate care they need. As the federal government
continues to test and implement several new payment models designed to
achieve optimal health outcomes at a sustainable cost, commercial insurers
are also partnering with health care providers in various arrangements that
similarly seek to reward value rather than volume of services.

As discussed in Chapter One, two popular models of delivery system
reform are the patient-centered medical home (PCMH) and the ACO. The
PCMH emphasizes the central role of primary care and care coordination,
with the vision that every person should have the opportunity to easily
access high-quality primary care in a place that is familiar and knowledge­
able about his or her health care needs and choices. The ACO emphasizes
the urgent need to think beyond patients to populations, providing a vision


P H M : K E Y T O S U C C E S S · 103

for increased accountability for performance and spending across the health
care system (Patient-Centered Primary Care Collaborative, 2011). Both models
rely on health care organizations and physicians providing coordinated and
integrated care in an evidence-based, cost-effective way. This, of course, has
significant implications for an organization’s ability to manage information

In conjunction with new models of care are new or modifi ed forms
of payment for health care services, which are being piloted in various
communities around the nation. These include  bundled payments,  pay for
performance, shared savings programs, capitation or global payment, and
episode-of-care payments.

Bundled payments may take different forms such  as making a single
payment for hospital and physician services instead  of separate payments,
bundling payments for inpatient and post-acute care, or paying based on diag­
nosis instead of treatment. Bundled payments are often applied to surgical
procedures such as hip replacements.  Pay-for-performance (P4P) programs
reward hospitals, physician practices, and other providers with fi nancial and
nonfinancial incentives based on performance on select measures. These
performance measures can cover various aspects of health care delivery:
clinical quality and safety, efficiency, patient experience, and health infor­
mation technology adoption. Most P4P programs, however, are still a bonus
to a fee-for-service model (Miller, 2011). An integral part of the ACA, shared
savings programs are intended to reward providers by paying them a bonus
that is explicitly connected to the amount by which they reduce the total cost
of care compared to expected levels. Capitation or global payment places full
risk with the provider organization; the provider is responsible for the costs of
all care that a patient receives. An episode-of-care payment system would pay
the provider organization a single payment for all of the services associated
with a hospitalization or other episode of acute care, such as a heart attack,
including inpatient and post-acute care (Miller, 2011).

The revised payments associated with these programs signal the federal
government’s most all-encompassing effort thus far to distribute risk and
hold providers financially accountable for the quality of care they deliver.
Although an in-depth discussion of these and other proposed payment reform
systems is beyond the scope of this book, the following resources can provide
a wealth of detailed information on health care payment reform initiatives:

• Centers for Medicaid & Medicare Services (

• Healthcare Financial Management Association (

• American College of Healthcare Executives (

104 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

Progress to Date: PCMHs

Growing support for the PCMH has arisen across the vast majority of the US
health care delivery system to include commercial insurance plans, multiple
employers, state Medicaid programs, numerous federal agencies, the Depart­
ment of Defense, hundreds of safety net clinics, and thousands of small
and large clinical practices nationwide (Grundy, Hacker, Langner, Nielsen,
& Zema, 2012). Private and public payer initiatives together have grown
from eighteen states in 2009 to forty-four states in 2013, and they now cover
almost twenty-one million patients. These heterogeneous initiatives overall
are becoming larger, paying higher fees, and engaging in more risk sharing
with practices (NCQA, 2015).

Because the patient-centered medical home is foundational to ACOs—
with ACOs often described as the “medical neighborhood”—the PCMH is
likely to gain even greater prominence as ACOs continue to develop in the
marketplace (Grundy et al., 2012). Moreover, a growing body of scientifi c
evidence shows that PCMHs are saving money by reducing hospital and
emergency department visits, mitigating health disparities, and improving
patient outcomes. Examples of specific outcomes achieved by various PCMHs
include the following:

• Lower Medicare spending

• More effective care management and optimized use of health care

• Improved care management and preventative screenings for
cardiovascular and diabetes patients

• Reduced socioeconomic disparities in cancer screening (NCQA, 2015)

Additionally, more than nine thousand primary care practices and for­
ty-three thousand clinicians (doctors and nurse practitioners) across the
country have earned the PCMH designation from the National Committee for
Quality Assurance (NCQA), the nation’s largest credentialing organization.
The designation is earned by demonstrating achievement of goals related to
accessible, coordinated, and patient-centered care (Olivero, 2015).

Progress to Date: ACOs

In the value-based care world, ACOs are expected to play a leadership role in
improving population health—whether participating in contracts with Medi­
care, Medicaid, or managed care organizations (MCOs) or health plans. These
arrangements are often complex and may differ widely, including elements

P H M : K E Y T O S U C C E S S · 105

such as governance requirements, payment structures, quality metrics,
reporting requirements, and data sharing (Houston & McGinnis, 2016).

Several different ACO models, including the Pioneer ACO program and the
Medicare Shared Savings Program (MSSP), are testing and evaluating various
risk-sharing agreements. In December 2011, CMS signed agreements with
thirty-two organizations to participate in the Pioneer ACO model, designed to
show how particular ACO payment arrangements can best improve care and
generate savings for Medicare. As of May 1, 2016, there are nine Pioneer ACOs
participating in the model for a fifth and final performance year (CY2016). The
MSSP is a key component of the Medicare delivery system reform initiatives
included in the Affordable Care Act and is designed to facilitate coordination
and cooperation among providers to improve the quality of care for Medicare
fee-for-service (FFS) beneficiaries and reduce unnecessary costs. Eligible
providers, hospitals, and suppliers may participate in the MSSP by creating
or participating in an ACO.

Although there has been considerable debate among policymakers as to
the success of the ACO model, some of these ACOs are already reporting pos­
itive results for improving patient outcomes and controlling costs, as shown
in Table 4.1 (Houston & McGinnis, 2016).

ACO Challenges

Now with years of observation and learnings to draw from, several key chal­
lenges facing ACOs have been identified, including difficulties working across
organizational boundaries, building the requisite infrastructure for effective
data sharing, and truly engaging patients in the care process. One of the more
notable challenges currently being worked on is the alignment and consolida­
tion of myriad quality measures being used in public and private programs.

Effective quality measures are imperative to accountability in organized
systems of care, especially when performance affects the ability of the pro­
vider to share in savings or determines whether a provider avoids penalties
or receives bonus payments (Bipartisan Policy Center, 2015). However, the
notion of “measurement fatigue” and the increasing administrative burden
it places on providers is a legitimate concern (Buelt, Nichols, Nielsen, &
Patel, 2016). Another challenge with quality metrics is that although they
tend to capture performance on specific outcomes, such as lower avoidable
readmissions, or processes, such as screening for depression, they may not
accurately measure the overall health of the patient, making it diffi cult
to assess the true impact and efficacy of ACO arrangements (Houston &
McGinnis, 2016).

106 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

Table 4.1 Key attributes and broad results of current ACO models

Commercial Medicaid

Attribute MSSP Pioneer ACO ACOs ACOs


333 ACOs in 47 states

Key model

Shared savings
payment methodology

33 quality metrics

Results to

CMS has reported
results for different
cohorts of MSSP ACOs
based on start date,
which have shown
signifi cant savings,
but it is diffi cult
to aggregate these
results, though only
26% of ACOs received
shared savings

ACOs consistently
improved on 27 of 33
quality metrics.

Increases in patient
satisfaction relative to
patients not enrolled
in ACOs

18 ACOs in 8

Designed for large
hospital systems

Shared savings
system with
higher risk and
reward potential
than MSSP

Same 33 quality
metrics as MSSP

$304 million
in savings over
three years

ACOS consistently
improved on
28 of 33 quality

in patient
relative to
patients not
enrolled in ACOs

Began with 32
participants; 14
have left program


ACOs and

Many feature

Not many
due to
diffi culty

66 ACOs
in 9 active

to payment
shared savings
and capitation

to quality

and VT have
$129.9 million
in savings.

ED visits in
OR decreased
by 22%.

Source: R. Houston and T. McGinnis. January 2016. “Accountable Care Organizations: Looking
Back and Moving Forward.” Center for Health Care Strategies. Used with permission.

P H M : K E Y T O S U C C E S S · 107

Implications for Health Care Leaders

Through the combination of changing health care business models and
payment mechanisms, we are witnessing transformational change in the
nature of health care delivery. It is evolving from one of reactive care with
fragmented accountability and a dependence on full beds to a model of health
management, care that extends over time and place and rewards for effi ciency
and quality. This transformation poses potent challenges for providers and
has enormous implications for today’s health care leaders, particularly by
placing greater emphasis on these issues:

• Keeping patients well and managing and preventing disease

• Establishing more effi cient organization and utilization of care teams

and venues of care

• Creating a care culture that is comfortable with change and ongoing


• Engaging patients in managing their care and overall health

• Ensuring the most cost-effective care is provided and that clinical

processes are streamlined and follow the best evidence

More specifically, accountable care and the move to population health
management will require industry perspectives and health care delivery
practices to shift from

• Care providers working independently to collaborative teams of providers

• Treating individuals when they get sick to keeping groups of people


• Emphasizing volumes to emphasizing outcomes

• Maximizing the use of resources and assets to applying appropriate

levels of care at the right place

• Offering care at centralized facilities to providing care at sites

convenient to patients

• Treating all patients the same to customizing health care for each patient

• Avoiding the sickest chronically ill patients to providing special

chronic care services

• Being responsible for those who seek services to being responsible for
the needs of the community

• Putting forth best efforts to becoming high-reliability organizations

(Glaser, 2012b)

108 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

Additionally, accountability will bring new performance and utilization
risks to providers as the focus shifts from optimizing business unit perfor­
mance to optimizing network performance. At the same time, instead of
maximizing the profitability of care, organizations will increase the volume
of desired bundled episodes while controlling costs. At an operational level,
organizations must change their structure as well as workflows to imple­
ment PHM and adopt new types of automation tools and reporting. This will
require setting clear goals, the active participation of leadership—including
physician leaders, an assessment of technology requirements, and an effective
rollout strategy (Institute for Health Technology Transformation, 2012).

Health IT clearly plays a vital role in the success of new models of care
and payment reform and should be an integral part of the organization’s
planning process. Whether participating in an ACO or not, all health care
organizations should be thinking about building a population health man­
agement strategy and addressing related gaps in their information technology
(IT) capabilities. Minimally, this would include acquiring the capabilities and
tools to do the following:

• Know, characterize, and predict the health trajectory that will happen
within a population.

• Engage members, families, and care providers to take action.

• Manage outcomes to improve health and care.


Accountable care frameworks are based on risk and reward, with providers
and organizations agreeing to share the financial risk for a population in
return for the opportunity to access rewards on meeting health care quality
and cost goals. ACOs are responsible for tracking and measuring specifi c
quality metrics to indicate that patient outcomes are improving or evidence‐
based processes are being used. Some, but not necessarily all, metrics may
be tied directly to the payment methodology, meaning that performance on
these metrics will trigger either a quality incentive (such as an increased
percentage of shared savings) or a disincentive (such as not receiving any
shared savings) (Houston & McGinnis, 2016).

To accomplish the goals of PHM, a provider must deliver proactive pre­
ventive and chronic care to its attributed patient population. As such, the care
team must maintain regular contact with patients and support their efforts
to manage their own health. At the same time, care managers must closely
monitor high-risk patients to prevent them from deteriorating or developing
complications. The use of evidence-based protocols to diagnose and treat

A C C O U N T A B L E C A R E C O R E P R O C E S S E S · 109

patients in a consistent, cost-effective manner is also central to PHM efforts.
In many respects, success in population health management depends largely
on a provider’s ability to manage several core processes in an accountable
care environment. We’ll review these core processes in the next sections.

Identifying, Assessing, Stratifying, and Selecting
Target Populations

To manage population health effectively, an organization must be able to
track and monitor the health of individual patients, while also stratifying its
population into subgroups that require particular services at specifi ed inter­
vals. ACOs typically stratify their patient population by common care needs,
conditions, and expenditure levels and then deploy tailored interventions
based on these characteristics (Houston & McGinnis, 2016). For example, a
high-risk pregnancy may require more frequent interventions (offi ce visits,
fetal heart monitoring, etc.) than standard prenatal care warrants.

Stratifi cation also involves the ability to identify a patient or cohort at
risk for a negative health event (e.g., myocardial infarction, stroke, mental
health crisis) or preventable health care utilization (e.g., surgical proce­
dure or hospitalization) (Gibson, Hunt, Knudson, Powell, Whittington, &
Wozney, 2015). The Agency for Healthcare Research and Quality (AHRQ)
describes another method of stratification as being able to identify subpop­
ulations of patients who might benefit from additional services. Examples of
these groups include patients needing reminders for preventive care or tests,
patients overdue for care or not meeting management goals, patients who have
failed to receive follow-up after being sent reminders, and patients who might
benefit from discussion of risk reduction (Institute for Health Technology
Transformation, 2012).

Although there are numerous ways to identify and segment patients,
having the ability to identify risk, alert appropriate stakeholders, and inter­
vene in the care process at the right time is a key component of population
health management.

Providing High-Quality Care and Care Management
Interventions across the Continuum

A key tenet of accountable care is to ensure that the health and wellness
of a population is managed, the most cost-effective care is provided, clini­
cal processes are streamlined and follow the best evidence, the necessary
reporting is in place, and payments and reimbursement are appropriate.
Although this is an obvious goal for all providers, ACOs must facilitate

110 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

cross-continuum medical management of patients for active episodes and
acute disease processes or for any patient outside of the defined goals of
a target population. An ACO must demonstrate, in a variety of ways, its
commitment to being patient centered and to engaging patients in their
care and overall health.

To effectively care for populations, care management involves the
patient-centered management and coordination of care events and activities
in multiple care settings by one or more providers (e.g., fi ne-tuning coor­
dination among care team members, identifying care gaps and situations
requiring additional interventions, as well as managing care transitions). For
example, research indicates that poorly executed transitions of care between
different locations (e.g., from hospital to primary care) are associated with
increased risks of adverse medication events, hospital readmissions, and
higher health care costs. Determining which transitions present the greatest
risks and targeting care management services to patients undergoing those
transitions should conserve resources and lead to better cost and quality
outcomes (AHRQ, 2015).

Additionally, lack of follow-up care after hospital discharge can result
in complications, worsening of patients’ conditions, and a higher chance
of readmission (Nielsen & Shaljian, 2013). Therefore, another example of a
care management intervention is ensuring that hospitals notify primary care
practices when patients are discharged and that primary care teams follow
up with patients shortly thereafter.

The overall aim of care management is to manage the most complex
patients through the health care system, as well as managing the overall
health of a select population (e.g., diabetics and elderly), taking their prefer­
ences and overall situation into consideration. Care management ensures that
all patients from the lowest risk level to high-risk “super users” receive care at
the right time, in the right place, and in a manner best suited for the patient.
This requires proactive care, communication, education, and outreach.

Managing Contracts and Financial Performance

Under new payment models, proactively understanding patient coverage and
fi nancial responsibility will be more critical than ever. Financial teams must
have a solid handle on estimating reimbursement and associated payment
distributions, carrying out predictive modeling for reimbursement contracts,
measuring performance against contracts and predicting profitability, as well
as integrating with other key processes to share information.

For example, profit maximization under a shared savings-risk model
requires a shift away from revenue-focused strategies to cost-containment

A C C O U N T A B L E C A R E C O R E P R O C E S S E S · 111

strategies (Houston & McGinnis, 2016). To effectively manage costs, health
care executives will need tools and data to support different types of fi nan­
cial modeling, such as modeling the implications of moving patient care to
settings other than the hospital or physician’s office. ACOs will also need
actuarial cost and utilization predictors to effectively manage the care of a
defi ned population.

These changes represent a significant cultural shift for provider organi­
zations that must be prepared to handle a complex mix of public and private
sector payment mechanisms.

Measuring, Predicting, and Improving Performance

Data analytics is an integral part of PHM. ACOs typically measure quality
and outcomes data against national guidelines or peer groups, and they seek
to demonstrate longitudinal improvements. They might also measure costs,
utilization, and patient experience on a population-wide basis, and they
may use these reports as the basis for quality reporting to payers and other
outside entities.

With payment so tightly linked to quality and outcomes, predicting, mon­
itoring, and measuring system performance in key areas becomes paramount
in an accountable care environment. Under value-based payment programs,
there will be real ramifications for poor care and rewards for improved care.
In fact, even low-performing areas can qualify for high payments if they
demonstrate year-over-year improvement.

Therefore, providers must have the ability to forecast which patients are
likely to become high-risk so they can intervene before a patient’s condition
worsens. They must also understand in real time if they are complying
with a certain set of measures and monitor their continual performance.
For example, ACOs will want to measure the effectiveness of care protocols,
such as exercise compliance, for a population of diabetic patients. Surgical
services providers will need to understand the costs and quality of proposed
procedure bundles. Understanding what works and what does not is key to
ensuring reimbursements, controlling costs, and, most important, providing
the best care for patients (Glaser, 2012a).

Equally important is retrospective monitoring—finding out what
didn’t happen and why. For example, if a care provider failed to respond
to an alert in a timely fashion or deviated from a given standard of care
process, they can use these data to determine if new care interventions are
necessary or if they need to alter an individual’s plan of care. Likewise,
knowing that a patient failed to keep an appointment or was unexpect­
edly seen in the emergency room will enable the care team to engage

112 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

patients in new ways to better manage chronic disease. With providers
facing penalties for readmission, it will be more important than ever to
understand if it’s the treatment that failed, the discharge plan that failed,
or the patient who did not follow through on the post-discharge plan
(Chopra & Glaser, 2013).

Preparation and Automation Is Key

Overall, the accountable care movement demands that providers be more
focused and aggressive in managing their organization and their patients.
Among other challenges, changes in reimbursement will require providers
to predict which patients will need extra care, more intensively engage and
manage high-risk patients, model the financial implications of delivering
sub-par care, assess the performance of core organizational processes such as
transitions of care, determine conformance to medical evidence, and report
quality measures to purchasers of care.

The long-term success of the transition to value-based payment models
and PHM relies largely on health care providers investing in the IT tools
and infrastructure—as well as acquiring the data management and analysis
expertise—needed to automate and support these core processes. In addition,
as with any IT endeavor, expertise in change management and workfl ow
redesign is also a core requirement.

Even for providers that may not be participating in an ACO, building the
organizational and IT competencies to support accountable care is critical
to staying competitive. Organizations that fail to develop and demonstrate
accountable care capabilities may not fulfill their obligations to the commu­
nity they serve—in fact, they may not survive.

Yet, organizations embracing the transformation from traditional fee-for­
service to value-based PHM are fi nding significant gaps in their IT capabil­
ities (Gibson et al., 2015). In the following section we examine the core IT
building blocks and capabilities necessary to support accountable care and
the move to PHM.



As more providers and health systems evolve into ACOs, they are becom­
ing increasingly aware of what it takes to manage care from a population
health perspective. As we know, this includes establishing new partner net­
works, targeting populations, aligning providers and contracts, developing

D A T A , A N A L Y T I C S , A N D H E A L T H I T C A P A B I L I T I E S A N D T O O L S · 113

cross-continuum protocols for care management, and enabling effi cient data

It’s All about the Data

For a PHM program to be effective there is a critical need to focus on the data
and information that will increasingly power clinical decisions. This includes
aggregating and normalizing clinical data, claims data, administrative data,
and self-reported patient data to create a holistic view of the patients within
a health care network. These data enable the network to identify populations
of patients whose conditions can be managed through evidence-based care
plans that are coordinated across care settings.

For example, the risk of progression from glucose intolerance to dia­
betes mellitus can be influenced by diet and exercise. Individuals within
this “rising risk” population are at different stages of readiness to change
and consequently at different stages of modifiable risk. Having this insight
enables providers to offer services at the appropriate level and time
(AHRQ, 2015).

However, for many organizations, obtaining population health data can
be difficult because it must be collected and organized from many disparate
sources (e.g., laboratory information systems, EHRs, practice management
systems, and home-monitoring devices). Data types that require aggrega­
tion and normalization include labs, radiology reports, medications, vital
signs, diagnoses, demographic information, and more. Returning to our
diabetes example, although a diabetic’s blood glucose result is discrete
data that can be found in an EHR, the results of the same patient’s foot or
eye exam may be found only in text format within a practice management

Data management for PHM purposes is also challenging because there’s
no guarantee the various IT systems talk to each other, and each provider and
health plan may have a different system for patient identification and provider
attribution. An important first step in connecting patient data across different
care settings is to establish master patient indices (Glaser & Salzberg, 2011).
Patient indices can serve as a crosswalk among the different medical record
numbers and identifiers that may be used by various provider organizations
to correctly identify patients. In addition, a record locator service may be
used to determine which patient records exist for a member and where the
source data is located. The key concept behind having a record locator service
is that a patient’s health information is housed on computers at the various
sites of his or her care and this information is queried and aggregated from
these sites at the time of a request.

114 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

Beyond the EHR: Core PHM Solution Components

Although a certified EHR certainly provides the necessary foundation for
effectively responding to new payment models, population health requires a
range of IT applications, PHM solution components, and analytical capabili­
ties. In fact, early adopters of PHM solutions are already seeing the need for
next-generation capabilities to support the following transitions:

• From management of the sickest patients to management of all

• Static risk categorization to risk categorization that follows a patient’s
evolving risk

• Focus on a single disease or condition based on simple data values
and events to a focus on multi-disease or condition using evidence-
based care plans

• “List” generation with signifi cant manual work for care managers to
signifi cant process automation

• Loosely connected care “actors” to a care team that includes the
patient and family

• Retrospective analysis to concurrent analysis (Glaser, 2016a)

As organizations look to enhance their population health management
strategies, they should make investments that enable the IT platform to do
the following:

• Collect data from multiple, disparate sources in near–real time,
including any EHR, devices used in the home and at work, and other
data sources, such as pharmacy benefi t managers or insurance claims.

• Support organizations in not only aggregating but also transforming
and reconciling data to establish a longitudinal record for each
individual within a population.

• Identify and stratify populations to pinpoint gaps in care, enabling
providers to act on information and match the right care programs to
the right individuals (Glaser, 2016a).

In addition to having an EHR that spans the continuum of care, pro­
viders pursuing PHM might invest in a PHM platform that sits above the
EHR and other sources of data and must be EHR agnostic. In general,
the following key technologies will enable the core accountable care

D A T A , A N A L Y T I C S , A N D H E A L T H I T C A P A B I L I T I E S A N D T O O L S · 115

Revenue Cycle Systems and Contract Management

One could argue that the revenue cycle system forms the foundation of a
provider’s response to accountable care and payment reform. As the reim­
bursement environment becomes more complex, revenue cycle systems must
evolve to support payments based on quality and performance, requiring new
capabilities such as these:

• Aggregating charges to form bundles and episodes, with the

aggregation logic enabling different groupings for different payers

• Managing the distribution of payment for a bundle to the physicians,

hospitals, and non-acute facilities that delivered the care

• Streamlining transitions between disparate reimbursement

methodologies and contracts when billing and collecting

• Providing tools for retrospective analysis of clinical and administrative
data to identify areas for improving the quality of care and reducing
the cost of care delivered

These new capabilities must complement routine activities such as
registering patients, scheduling appointments, and administering patient

Care Management Systems

Used by care managers and discussed previously, care management systems
enable proactive surveillance, automation, coordination, and facilitation of
services for many different subpopulations across the care continuum. Spe­
cific capabilities might include helping to facilitate transitions of care more
efficiently, use of automated campaigns (e-mail, text, phone) to better manage
high-risk patients, and supporting care teams in delivering evidence-based
interventions to reduce high-cost utilization.

According to time-motion studies published in the journal Population
Health Management by Prevea Health, automation of routine care manage­
ment tasks enables care managers to manage two to three times as many
patients as they can with manual methods (Handmaker & Hart, 2015).

Rules Engines and Workfl ow Engines

Processes that are efficient, predictable, and robust enable an organization
to thrive in an accountable care environment. Workflow and rules engines

116 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

can monitor process performance, alerting staff members to missed steps,
sequence issues, or delays.

Workflow engines specialize in executing a business process, not just
decisions made at a discrete point in time. The technology can greatly
assist in clinical decision making by not only presenting clinicians with
alerts and reminders, such as a rules engine, but also by encouraging
teamwork in clinical decisions, assisting with the time management and
task allocation in process delivery, stating changes in patient or opera­
tional conditions, and creating behind-the-scenes automation of process

In a value-based purchasing world where each core measure needs to
be associated with what’s happening today, performance improvement inter­
ventions must occur in real time—that is, while the patient is still in the
acute care cycle. Therefore, sophisticated IT tools such as workflow and rules
engines that push information to the front lines, guiding decisions at the point
of highest possible impact, will be required.

Data Warehouse, Analytics, and Business Intelligence

Analytics will facilitate proactive management of key performance metrics,
because accountable care creates a greater need to assess care quality and
costs, examine variations in practice, and compare outcomes.

An enterprise data warehouse will fuel a wide range of analytic needs
and provide intelligence to enable continual care process improvement
initiatives. For example, it will be imperative that an organization can
compare a hypertensive patient’s total cost of care relative to its peers and
national benchmarks, and perhaps even more important, predict if those
costs will significantly increase because of comorbidities, complications, or
gaps in care.

Applied to the data in registries or warehouses, predictive analytics tools
can also help caregivers identify patients who are likely to present in the
ER or be readmitted so they can tailor appropriate interventions and avoid
penalties for excessive readmissions.

Although most providers lack experience with the tools and techniques
associated with advanced data analysis, the application of business intelli­
gence (BI) in health care will become the platform on which the organization
not only monitors performance but also makes critical decisions to uncover
new revenue opportunities, reduce costs, reallocate resources, and improve
care quality and operational efficiency. Thus, enhancing an organization’s
competency in data analytics and BI will become essential for success in
population health management.

D A T A , A N A L Y T I C S , A N D H E A L T H I T C A P A B I L I T I E S A N D T O O L S · 117

Health Information Exchange (HIE)

Essential to successful implementation of new models of care and payment reform
is the exchange of clinical and administration information among different health
care entities and between providers and patients. Although there has been some
success in the regional health information exchange (HIE) movement, much of
the focus now is on HIE capabilities at the integrated delivery system or ACO
level. This enables providers to obtain a composite clinical picture of the patient
regardless of where that patient was seen. By participating in an HIE or sharing
health information, a number of potential important benefits may be realized:

• Serves as a building block for improved patient care, quality, and safety

• Makes relevant health care information readily available when and

where it is needed

• Provides the means to reduce duplication of services that can lead to

reduced health care costs

• Enables automation of administrative tasks

• Provides governance and management over the data exchange process

• Facilitates achievement of meaningful use requirements (HIMSS, 2010)

The concept of HIE is not new. For nearly two decades organizations
and collaborators have tried to facilitate HIE, but unfortunately a number
of HIE initiatives have failed to be sustainable over the long term (Vest &
Gamm, 2010). The HITECH Act placed renewed interest in the success of HIE
by providing incentive payments to eligible providers for Meaningful Use
of electronic health records, which includes having the ability to exchange
information electronically with others in order to have a comprehensive view
of the patient’s health and care (Rudin, Salzberg, Szolovitis, Volk, Simon, &
Bates, 2011). However, despite investment at the national, state, and local
levels, the increase in HIE utilization remains modest.

In fact, a recent survey of organizations facilitating health information
exchange found that 30  percent of hospitals and 10  percent of ambulatory
practices now participate in one of the 119 operational health information
exchange efforts across the United States (Adler-Milstein, Bates, & Jha, 2013).
Although this is substantial growth from prior surveys, the researchers also
found that 74  percent of HIE efforts report struggling to develop a sustain­
able business model. These findings suggest that despite progress, there
is a substantial risk that many current efforts to promote health informa­
tion exchange will fail when public funds supporting these initiatives are
depleted. Adding to the challenge, HIE efforts have struggled to engage payers,

118 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

Figure 4.1 Percent of nonfederal acute care hospitals that electronically exchanged
laboratory results, radiology reports, clinical care summaries, or medication lists
with ambulatory care providers or hospitals outside their organization: 2008–2015

Source: Henry, Patel, Pylypchuk, and Searcy (2016).

and only 40 percent of HIE efforts in the country have one or more payers
providing financial support (Adler-Milstein, Cross, & Lin, 2016).

Still, there is reason to remain optimistic, with more recent data showing
that hospitals’ rates of electronically exchanging laboratory results, radiol­
ogy reports, clinical care summaries, or medication lists with ambulatory
care providers or hospitals outside their organization has doubled since
2008 (see Figure 4.1). Moreover, this exchange has signifi cantly increased
annually since 2011 (Henry, Patel, Pylypchuk, & Searcy, 2016).

Although there is still signifi cant progress to be made to improve the use
of exchanged information and to address barriers to interoperability, HIE is
critically important to the success of care transformation efforts nationwide.
Thus, the industry must continue its efforts toward achieving sustainable
HIE approaches to ensure that the massive national investment in health IT
throughout the past decade delivers its intended return—higher-quality care,
improved outcomes, and lower cost.

Registries and Scorecards

Serving as a kind of central database for PHM, registries can be used for
patient monitoring, care gap assessment, point-of-care reminders, care man­
agement, and public health and quality reporting, among other uses. By
integrating clinical, financial, and operational data across disparate sources
into a single chronic condition and wellness registry solution, data can be
normalized and turned into meaningful, actionable information.

D A T A , A N A L Y T I C S , A N D H E A L T H I T C A P A B I L I T I E S A N D T O O L S · 119

For example, registries and scorecards enable providers to identify, score,
and predict risks of individuals or populations to allow targeted interventions
to be implemented. When applied to a population, the registry can show, for
example, how all of a particular provider’s patients with type 2 diabetes are
doing, which diabetic patients are out of control, or how well an entire orga­
nization is treating patients with that condition (Nielsen & Shaljian, 2013).

Longitudinal Record and Care Plan

As we know, even if a provider is diligently capturing patient information in
an EHR, the data are valuable only in the world of collaborative, accountable
care if the information can be integrated with patient data from other sources
and harmonized to produce a single, consolidated record at the member level.
The longitudinal record presents a complete picture of the patient’s medical
history in an organized, coherent view.

Serving as the sister solution to the longitudinal record, a longitudinal
care plan provides a consolidated, normalized view of indicators to be mon­
itored, events due to happen, and actions to be taken to ensure that a patient
maintains and improves his or her level of health.

Patient Engagement Tools

Medical interventions that occur solely through offi ce-based patient-provider
interactions will no longer provide the level of monitoring and scrutiny needed
to manage the health of individuals and populations. As such, providers must
continue to harness the power of technology to engage patients in their care
via tools such as home-monitoring devices, patient portals, and personal
health records (PHRs), as well as through the use of social media, texting,
and e-mail.

Portals and PHRs

Although patient portal use is still considered modest at best, given later-stage
meaningful-use requirements and the anticipated benefits of patient engagement
in the value-based care world, many providers are ramping up their portal efforts
and seeing adoption rates well above 20 percent (Buckley, 2015). Another recent
study predicts that PHR adoption will exceed 75 percent by 2020, an optimistic
projection that outpaces the PHR goals set under the Meaningful Use incentive
program (Ford, Hesse, & Huerta, 2016). These consumer-centric technologies are
designed to help patients and consumers better manage their own health and
care, securely communicate with providers, pay bills, obtain test results, view
doctors’ notes, refill prescriptions, schedule appointments, and so on.

120 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

Despite the fact that the environment for building, creating, and developing
an HIE organization has never been better, the concerns about long-term
sustainability and the impact and value of exchanging health information
persist. The National eHealth Collaborative (NeHC) conducted a comprehen­
sive study of twelve fully operationally HIEs across the nation to find out from
their leaders what factors have led to their success (NeHC, 2011). In-depth
structured interviews were conducted with senior executives representing the
business, clinical, and technical areas of each HIE. The key critical success
factors these leaders identifi ed in sustaining an HIE are as follows:

• Aligning stakeholders with HIE priorities in an intensive and ongoing
effort. Create a shared vision that all stakeholders can embrace and that
serves as the cornerstone to success. Foster an environment that is built
on trust and that promotes learning and resolves differences when they
arise. Make ongoing and effective stakeholder engagement a priority.

• Establishing and maintaining consistent brand identity and role as a
trusted, neutral entity dedicated to protecting the interests of participants.
Data use and data integrity are two critical elements. The culture, policies,
and procedures regarding the use of data must ensure that no entity will
gain competitive advantage at the expense of others. Consent and security
policies must meet the requirements of various stakeholders and regions or

Some patient portals and PHRs are integrated into a provider’s existing
website, and others are extensions of the organization’s EHR system. For
example, New York-Presbyterian (NYP) Hospital’s award-winning patient
portal,, was built to expand on its existing EHR. Use of the portal
led to a 42 percent increase of appointments scheduled using, and
it lowered the no-show rated from 20 percent to 12 percent over a period of six
months after it was made available in January 2012 (Glaser, 2013). Additional
applications of the same appointment-alert technology can provide custom­
ized patient education material and personalized reminders to patients who
fit a specific clinical profile, such as patients who missed an immunization.

Social Media

Additionally, with one-third of consumers using online forums and social
media sites such as Facebook, Twitter, and YouTube for health-related matters

D A T A , A N A L Y T I C S , A N D H E A L T H I T C A P A B I L I T I E S A N D T O O L S · 121

The HIE Lessons

states. The HIE infrastructure must ensure that patient data are accurate,
reliable, and trustworthy.

• Ensuring alignment with vision in making strategic choices. Assess the
stakeholders’ alignment with the initiative and congruence with the
vision before deciding to pursue them. Regardless of how promising a
source of funding may have initially appeared, some HIEs chose not to
pursue it because the funding source did not have the full support of all

• Considering structural characteristics and dynamics of the HIE market.
The geographic location, composition of stakeholders, and resource
capabilities are all factors to consider.

• Understanding clinical workflow and managing change. The imple­
mentation of an HIE requires that clinicians and administrative staff
members understand the impact of HIE applications on workfl ow and
identify opportunities to improve effi ciencies.

Different business models, governance structures, and strategies may be
used to create value for the HIE participants.

Source: NeHC (2011).

(PwC, 2012), many providers are actively engaged in using social media to
communicate with patients and disseminate information on everything from
emergency department wait times to new clinical offerings and research
endeavors. They might also use social media channels to provide useful
links to self-management tools and invitations to chronic care management
programs. In fact, nearly 95 percent of hospitals have a Facebook page and
just over 50 percent have a Twitter account (Griffis et al., 2014).

Automated Messaging

Similar to social media, the use of automated messaging tools (via text,
e-mail, or phone) can be equally beneficial in urging patients to sched­
ule necessary appointments, fill their prescriptions, and comply with dis­
charge orders. For example, one study showed that diabetic and hypertensive
patients were two to three times more likely to attend a chronic care visit if

122 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

Given the modest adoption rates of PHRs and patient portals to date,
research firm KLAS asked providers what best practices for patient portal
adoption they would pass along to other providers trying to improve their
rates. The following are their suggestions:

1. Educate patients.
“What contributes to adoption is educating our patients about the portal,
helping them sign up, and encouraging them to use it. But education is key.
Patients have embraced the portal and use it for much of our communica­
tion, bill pay, results review, and more.”

2. Educate patients—again and again.
“We ask patients on the phone whether they have signed up for the portal,
and at their appointments we check to see whether they have fi lled things
out on the portal. Then the medical assistants who greet the patients ask
whether they have put their information on the portal. We promote the
portal five or six times. On their way out, the doctors tell the patients that
they are going to send their results to the portal.”

3. Educate staff members as if they were patients.
“The patients get inundated and get tired of hearing it, but it was the kickoff
that got everybody in the practice used to pushing the portal. We also made
everyone here register on the portal to see what the patients would go
through and so we could make changes and adjustments to fit our needs. It
is an ongoing process, and we try to do contests every quarter. That is what
contributes to our success, and it is pretty impressive.”

4. Give patients a reason to use the portal.
“We are apparently doing something right in encouraging patients to come
to our portal. They come to the portal to fill out the patient history and

successfully contacted using automated provider communications (Nielsen
& Shaljian, 2013).

PHM is most effective when a symbiotic relationship exists between
human interventions and automation tools. Patient engagement tools and
outreach programs enable providers to correspond with each person in their
patient populations, with the goal of raising the percentages of patients
receiving the recommended care as reflected in the quality measures payers
use to evaluate provider and health system performance. More important,

D A T A , A N A L Y T I C S , A N D H E A L T H I T C A P A B I L I T I E S A N D T O O L S · 123

Top Tips for Portal Adoption

the medication list. I think that is because of the way our front desk staff
members make new-patient appointments and the way they present the
portal to the patients. They tell them that we can give them less waiting
time when they come in if they get on the portal. We have an aggressive
sign-up process. We give patients a Chromebook in the waiting room and
help them sign up for the portal right away. We have a similar process in
the ED and inpatient areas. We try to push as much content to the portal
as possible.”

5. Talk to your vendor and physicians.
“We drove adoption from the top down. In our initial phase, the adoption
didn’t go well because we thought we knew what we were doing and could
do it ourselves. We went back and listened to Medfusion. We took the
portal to the doctors who understand technology. They came back from a
CMS meeting and said we had to do the portal. They said we might not like
it, but we have to do it.”

6. Hold your vendor accountable.
“When we started to deploy Empower in our ambulatory area, we hit chal­
lenges and barriers with the physician group. The physicians really wanted
to yank the product out; they didn’t want anything to do with it. They were
beyond frustrated. We worked with MEDSEEK and the physicians, and in the
last year and a half, we went from having a handful of patients on the portal
to having sixty-five thousand. We were fi nally able to leverage the solution in
the ambulatory space after we made changes to the product and the interface.
There were deal breakers in how the product looked and felt from a patient
perspective, and we worked through those.”

Source: Buckley (2015). Used with permission.

such programs assist providers in keeping patients as healthy as possible for
as long as possible, a core tenant of PHM.

Telemedicine and Telehealth

The growing use of telemedicine can make patient interactions more convenient,
expand geographic horizons particularly where needed medical specialists are
few in number, and make care more accessible to those with mobility issues.

124 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

With an abundance of patient-generated health information now available
through online patient communities, social media can play a vital role in
improving our understanding of disease and accelerating new approaches
to treatment. Consider the following ways patient and consumer use of
social media is benefi ting health care.

Creates a Sense of Community
For those seeking emotional support and tips for coping with a disease,
social media delivers on many fronts. It can enable the formation of com­
munities regardless of member locations and enable members to commu­
nicate asynchronously.

Sites such as PatientsLikeMe and Inspire provide virtual medical com­
munities focused on chronic diseases where patients can discuss their con­
ditions, track key health information, share side effects of medications and
therapies, and bond with others as they chronicle the highs and lows of
their health care journeys.

In fact, a 2014 survey of PatientsLikeMe members found that the vast
majority of adult social media users with health conditions embrace the
idea of sharing their health information online if it helps clinicians improve
care, assists other patients, or advances medical research.

Users of online health communities also frequently cite as reasons for
their membership the accountability the sites provide them in managing
their own health and reaching their health-related goals, as well as the
motivation, support, and advice they receive from others. Online commu­
nities can also lessen the feeling of isolation that often accompanies those
with rare conditions or parents with a critically ill child.

Delivers New Clinical Research Insights
As more and more patients use social media to track their health conditions
and actively participate in their care, there is a greater opportunity to use
this real-world data to better inform new treatments and treatment deci­
sions, enhance symptom management, and ultimately improve outcomes.

For example, in analyzing the results of observational data housed on
PatientsLikeMe, researchers found that lithium therapy had no impact on
ALS disease progression, which was later confirmed by subsequent rand­
omized trials (Chretien & Kind, 2013).

D A T A , A N A L Y T I C S , A N D H E A L T H I T C A P A B I L I T I E S A N D T O O L S · 125

Five Reasons to “Like” Consumers’ Use of Social Media

Although PatientsLikeMe began as a social network enabling people to
crowdsource the collective wisdom of others, it has developed into a pow­
erful analytical platform for clinicians and researchers. In fact, the network
is quite transparent with its members about how it makes money—by
sharing the information members provide about their experience with dis­
eases and selling it to their partners (companies that are developing or
selling products to patients). This may include drugs, devices, equipment
insurance, or medical services.

In addition to helping patients find and take advantage of clinical
trials, health care social networks also provide an opportunity for par-
ticipant-led research, in which members initiate new fields of study. For
instance, Inspire members with spontaneous coronary artery dissection
(SCAD) persuaded researchers at the Mayo Clinic to launch new research
about their condition, which led to the creation of a SCAD registry, a key
step in the further study of this rare disease (Tweet, Gulati, Aase, & Hayes,
2011). Indeed, there is tremendous potential for online patient communities
to contribute to the notion of a continuously learning health system.

Builds Awareness of Cause-Related Issues or Personal Health Care Crises
Social media can also serve as the birthplace for beneficial social move­
ments, as well as hubs for galvanizing emotional and financial support for
a personal health care crisis.

The ALS Ice Bucket Challenge is a terrific example of social media’s
power to deliver on the fund-raising aspect of the campaign and on the
equally important goal of helping the public become more aware of ALS
and efforts to find a cure.

The simple act of pouring ice on one’s head, capturing it on video, and
calling out another person to do the same spread across social media chan­
nels like wildfire. With everyone from schoolchildren to celebrities getting
in on the act, the ALS Association raised $115 million in 2014, a staggering
increase from its $23.5 million intake in 2013 (ALS Association, 2015).

On a smaller scale, sites such as GoFundMe and My Cancer Circle can
help keep family and friends abreast of a loved one’s illness and treatment
status, provide tools to coordinate meal deliveries and rides to medical
appointments, as well as enable financial contributions to help offset per­
sonal health care expenses.

126 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

Provides Assistance with Treatment, Physician, or Hospital Selection
Although physician rating sites have been around for many years, social

media has given health care consumers a more active voice and an ever-

present tool set for broadcasting opinions on all things health care–related—

from physicians and hospitals to medications, devices, and insurance plans.

Like it or not, social media is proving to be a vehicle that can help scale

positive and negative attitudes about one’s health care experience at Inter­
net speed. In fact, a 2012 survey by Demi & Cooper Advertising and DC

Interactive found that 41 percent of people said social media would affect

their choice of a specifi c doctor, hospital, or medical facility.

Of course, the downside here is that the negative opinions of a vocal

minority could cause unjust reputation management issues for providers.

With the viewpoints of those in online social networks playing such

a key role in influencing health care decisions, providers ought to ensure

they are optimizing their social media channels and actively participating

in helping consumers share positive opinions online.

Complements Traditional Approaches to Measuring Patient Satisfaction
Beyond just randomly monitoring opinions shared on social media,

savvy providers may want to turn to social media to supplement their

The American Telemedicine Association defines telemedicine or tele­
health as exchanging medical information via electronic communications to
improve a patient’s clinical health status. Health care providers are embrac­
ing telemedicine because they see it as an efficient and cost-effective way to
deliver quality care and improve patient satisfaction (Glaser, 2015a). Today’s
telehealth framework spans the continuum of care and can include services
such as the following:

• Telepsychiatry

• Remote image interpretation (teleradiology, teledermatology)

• e-Visits or televisits between providers and their patients

• Video visits for semi-urgent care

• Clinician-to-clinician consultations

• Critical care (virtual ICU, telestroke)

• Remote monitoring of a patient with a chronic disease

• Cybersurgery or telesurgery

D A T A , A N A L Y T I C S , A N D H E A L T H I T C A P A B I L I T I E S A N D T O O L S · 127

traditional means of capturing patient satisfaction and feedback on inpa­
tient experience.

In fact, researchers at Boston Children’s Hospital conducted a study
to determine if Twitter could provide a reasonable form of complemen­
tary quality measurement, given the real-time nature of tweets. The team
amassed unsolicited knowledge (versus data gleaned from very targeted
survey questions) about what pleased or angered consumers by collecting
more than 400,000 tweets directed at the Twitter handles of nearly 2,400
US hospitals between 2012 and 2013 (Ulrich, 2015).

Although certainly no replacement for patient satisfaction surveys,
according to the researchers the data are suggestive and provide proof of
principle that Twitter and the right analytical tools may provide a valua­
ble means for complementing standard approaches to measuring quality.
Moreover, the ability to correlate social media data points such as tweets
with actual outcomes measures (e.g., patient length of stay in the emer­
gency department or readmission rates) provides an interesting avenue for
further exploration.

Source: Glaser (2016b). Reprinted from H&HN Daily by permission, April 11, 2016,
Copyright 2016, by Health Forum, Inc.

Let’s take a closer look at some of the more popular applications of tele­
medicine and telehealth. Two-way interactive video-conferencing or other
web-based technologies can be used when a face-to-face consultation is
necessary. In addition, a number of peripheral devices can be linked to com­
puters to aid in interactive examination. For example, a stethoscope can be
linked to a computer, enabling the consulting physician to hear the patient’s
heartbeat from a distance. Electronic monitoring of physiological vital signs
can be done through electronic intensive care unit (eICU) patient-monitoring
systems, and telesurgery can enable a surgeon in one location to remotely
control a robotic arm to perform surgery in another location.

Telehealth is also being used to capture and monitor data from patients
at home. Examples include monitoring patient blood sugar levels through
glucometers attached to cell phones and conducting teledermatology visits
with the aid of cell phone cameras.

According to the American Hospital Association (AHA), 52 percent of
hospitals used some form of telehealth in 2013, and another 10 percent were
beginning to implement such services (AHA, 2015). Its growth potential is

128 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

also notable. Business information provider IHS predicts the US telehealth
market will grow from $240 million in revenue in 2013 to $1.9 billion in
2018—an annual growth rate of more than 50 percent (EY, 2014).

In addition to the growing demand for access and convenience, the need
for telemedicine is driven by other factors such as the following:

• Signifi cant increase in the US population

• Shortage of licensed health care professionals

• Increasing incidence of chronic diseases

• Need for effi cient care of the elderly, homebound, and physically
challenged patients

• Lack of specialists and health facilities in rural areas and in many
urban areas

• Avoidance of adverse events, injuries, and illnesses that can occur
within the health care system

These factors become increasingly important as new health care delivery
and payment models evolve and providers are challenged to better manage
chronic diseases, avoid readmissions, improve quality, and remove low acuity
care from high-cost venues. As we know, the long-term benefits of population
health programs are predicated in large part on managing high-cost, chron­
ically ill patient populations more effectively. Furthermore, the rapid deploy­
ment of high deductible health plans, which make consumers more conscious
and accountable for their health care consumption and spending, has added
to the pressure on providers to provide low-cost, convenient options.

Despite all its promise, several major barriers must be addressed if tele­
medicine is to be used more widely and become available. Concerns about
provider acceptance, interstate licensure, overall confidentiality and liability,
data standards, and lack of universal reimbursement for telemedicine services
from public and private payers are among the complex and evolving issues
affecting the widespread use of telemedicine. Furthermore, its cost-effectiveness
has yet to be fully demonstrated.

Nonetheless, the barriers are beginning to erode under mounting pres­
sure from all health care constituents. Licensure portability will further ease
the barriers to accessing services, whereas regulatory and payment policy
changes in support of telehealth are widely expected in the coming years.
For instance, on the private payer side, telemedicine use has been bolstered
by a growing number of states enacting parity laws, which require health
insurers to treat telehealth services the same way they would in-person

T R A N S I T I O N I N G F R O M T H E R E C O R D T O T H E P L A N · 129


As we reviewed in this chapter, the profound changes in reimbursement and
care models are altering the structure of care provision, requiring providers
to make investments in a comprehensive IT portfolio—beyond the EHR—to
support PHM and enable the core processes associated with accountable care.
These changing business and payment models are leading not only to signif­
icant changes in organization and practice but also to changes in the funda­
mental nature and design of the EHR itself. These changes can be characterized
as a transition from the electronic health record to the electronic health plan
(Glaser, 2015b).

The EHR does not disappear as a result of this shift. We will still need
traditional EHR capabilities: providers need to review a radiology report
and document a patient’s history and the care delivered. Problems must be
recorded and medications reconciled. However, the strategic emphasis will
move to technologies and applications that assist the care team (including
the patient) in developing and managing the longitudinal, cross-venue health
plan and assessing the outcomes of that plan.

For example, evidence-based pathways and decision-support logic have
been embedded into EHRs to guide provider decisions according to a plan
based on patient condition. EHRs can now include or be enhanced by the
specific PHM technologies we discussed that enable the organization to
understand its aggregate performance in undertaking disease-specifi c plans
for multiple patients.

Provider organizations will not thrive in an era of health reform because
they have a superb and interoperable EHR. They will thrive because the care
they deliver consistently follows a plan designed to ensure desired outcomes.
The EHR must evolve so it focuses on individual patients’ care plans—the
steps required to maintain or create health.

Every patient’s EHR should clearly display the master care plan—a long-
term care plan to maintain health integrated with short-term plans for transient
conditions. The EHR should be organized according to this master plan: it
should highlight the steps needed to recover or maintain health, list the expec­
tations of every caregiver the patient interacts with, and include tools such
as decision support and a library of standard care plans. Interoperability is a
necessity, because various providers must be able to use the plan-based EHR.

Care Plan Attributes

The care health plan has attributes that need to be present to ensure health
and should be based on some fundamental ideas.

130 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

First, all people have a foundational plan. If the person is a healthy young
man, the plan may be simple: establishing health behaviors such as exercise.
If the person is a middle-aged man with high cholesterol and sleep apnea,
the plan may be annual physicals, statins, a CPAP machine, and a periodic
colonoscopy. If a person is frail and elderly with multiple chronic diseases,
the plan may be merging the care for each chronic condition, ensuring proper
diet, and providing transportation for clinic visits.

Second, plans are a combination of medical care strategies with goals to
maintain health (such as losing weight) along with public health campaigns
(such as immunizations).

Third, on top of foundational plans there may be transient plans. For the
patient undergoing a hip replacement there is a time-bounded plan beginning
with presurgery testing and ending when rehabilitation has been completed.
A patient undergoing a bad case of the flu has a time-bounded plan.

Fourth, people who have a common plan are members of the same pop­
ulation. These populations may be all patients undergoing a coronary artery
bypass graft in a hospital, all patients with a certain chronic disease, or all
patients at high risk of coronary artery disease. Moreover, a particular person
may be a member of multiple populations at the same time.

Fifth, risk is the likelihood that the plan will not be followed or will not
result in desired outcomes. A patient motivated to manage his or her blood
pressure has a lower risk than a patient who is not motivated. A frail person
with multiple chronic diseases is at greater risk that the plans will not keep
him or her out of the hospital than a person whose health is generally good
despite having multiple chronic diseases.

Sixth, not all care will be amenable to a predefined patient plan. Life-
threatening trauma, diseases of mysterious origin, sudden complications—all
require skilled caregivers to make the best decisions possible at the moment.

Seventh, plans should be based on the evidence of best care and health prac­
tices. And the effectiveness of a plan should be measurable, either in terms of
plan steps being completed or desired outcomes being achieved (Glaser, 2015a).

The Plan-Centric EHR

The EHR needs to evolve into plan-centric applications. Among others, these
applications will have several key characteristics.

A Library of Plans That Cover a Wide Range of Situations

This library will include, for instance, plans for managing hypertension,
removing an appendix, losing weight, and treating cervical cancer. There

T R A N S I T I O N I N G F R O M T H E R E C O R D T O T H E P L A N · 131

will be variations in plans that reflect variations in patient circumstances
and preferences, for example, plans that depend on whether the patient is a
well-managed diabetic or plans that reflect the slower surgical recovery time
of an elderly person.

Algorithms to Form a Patient’s Master Plan

A master plan will combine, for example, the patient’s asthma, hysterectomy,
depression, and weight-reduction plans into a single plan. These algorithms
will identify conflicts and redundancies among the plans and highlight the
care steps that optimize a patient’s health for all plans. For example, if each
of the five plans has six care steps, the algorithms can determine which steps
are the most important.


The master plan will cover the steps to be carried out by a patient’s primary
care provider, specialists, nurse practitioners, pharmacists, case managers, and
the patient. Each team member can see the master plan and his or her specifi c
portion of the plan. Team members can assign tasks to each other (Glaser, 2015a).

Business Models in Other Industries

Major changes in an industry’s business model invariably lead to major changes
in the focus and form of the core applications used by that industry. For
example, financial services, retailers, and music distributors, along with many
other industries, have also experienced massive shifts in their business models.

Several decades ago, financial deregulation enabled banks to offer bro­
kerage services. The business model of many banks shifted from banking
(offering mortgages as well as checking and savings accounts) to wealth
management. As banks shifted from transaction-oriented services to services
that optimized a customer’s financial assets, their core applications broad­
ened to include an additional set of transactions (buying and selling stocks)
and new services (financial advisory services).

Prior to the web, most retailers’ business models focused on establishing
a brand, offering an appropriate set of well-priced products, and building
attractive stores in convenient locations. The web enabled retailers to gather
significantly richer data about a customer’s buying patterns and interests (and
to use real-time logic to guide purchasing decisions). Retailers’ core applica­
tions broadened to include well-designed e-commerce sites and analytics of
customer behavior.

132 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

In both examples, even though there was a significant shift in the business
model, applications needed for the previous model continued to be necessary.
Banks still had to handle savings account and mortgage payment transactions.
Retailers still needed to manage inventory. And advances in these legacy
applications—expanding inventory breadth and reducing inventory-carrying
costs—continue to be important. In each case, a critical new set of applica­
tions were added to the legacy applications. Often, these new applications
were more important than legacy applications.

The business model changes in health care will lead to a shift from appli­
cations focused on the patient’s record to applications focused on the patient’s
plan for health. This evolution in the nature of the EHR is a key component
to achieving success in population health management.


As the health care industry continues its transition from a fragmented, volume-
based system toward one that embraces the notion of patient-centered,
accountable care driven by value-based payment models, providers must
consider what new relationships, processes, and IT assets and skills will be
required to succeed—particularly when it comes to managing the health and
care of attributed populations.

By implementing a PHM strategy, organizations have enormous oppor­
tunity to use data and analytics to improve inefficiency and waste, thereby
reducing costs, and monitor adherence to evidence-based protocols to drive
better outcomes. Several PCMHs and ACOs are already showing promising
performance in the emerging world of value-based payment and population
health management.

In addition to having a robust EHR, organizations looking to enhance
their PHM strategies should consider several key solution components.
PHM technologies can help providers stratify and select target populations,
identify gaps in care, predict outcomes and apply early interventions, and
actively engage patients in their care. Moreover, they can enable an orga­
nization to  understand its aggregate performance in undertaking disease-
specific plans for multiple patients and better manage contracts and fi nancial

Additionally, because value-based payment is based on conformance to
chronic disease protocols, providers must have the ability to aggregate and
normalize real-time, accurate, cross-continuum data from disparate sources
illustrating how well the data conform to those protocols. As we know, many
hospitals and health systems do not operate from a position of excess revenue,
and as outcomes become increasingly tied to the reimbursement stream, it

L E A R N I N G A C T I V I T I E S · 133

will become critical that providers can rely on their data and IT tools to detect
and remedy variations in care.

Population health management solutions are intended to complement—
not replace—the traditional EHR. They represent a shift from applications
focused on documenting the patient’s record of care to applications focused
on developing the patient’s plan for health.


Accountable care organizations Patient-centered medical home

Analytics Population health management
Business intelligence (BI) (PHM)
Care management Stratifi cation
Health information exchange (HIE) Telemedicine and telehealth
Patient engagement Value-based care


1. Interview a health care executive or CEO in your local community.
To what extent is the organization involved in population health
management? How is that person using health IT to further his or
her PHM initiatives? To what extent does the organization’s health IT
capabilities facilitate PHM? What other capabilities are needed?

2. Investigate the adoption and use of telemedicine and telehealth
in your state. How is it being used? What benefi ts have been
realized? What challenges or obstacles still exist? How important is
telemedicine and telehealth in providing access to care? In improving
quality of care? And in reducing costs?

3. Explore the health IT products on the market that are designed
to facilitate care management. What are their key features
and functions? In what specifi c ways do these tools facilitate
communication among providers and patients and families?

4. Conduct a literature review on the use of social media in health care.
How are consumers using social media to learn more about their
health or health conditions? How are health care organizations using
social media to connect with consumers? Where do you see the future
of social media in health care evolving?

5. Evaluate different models of care within your local community or
state. Did you find any examples of accountable care organizations or

134 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

patient-centered medical homes? Explain. Working as a team, visit or
interview a leader from a site that uses an innovative model of care.
Describe the model, its uses, challenges, and the degree of patient
coordination and integration. How is health IT used to support the
delivery of care and the reporting of outcomes?

6. Explore the extent to which health information exchange is occurring
within your community, region, or state. Who are the key players? To
what extent is information being exchanged across organizations for
patient care purposes? What challenges have they faced? How have
they overcome them, if at all?

7. Visit a health care organization that uses an EHR system and
provides patients access to their information via a patient portal. To
what extent are patients using the portal? For what purposes are they
using them? What are the demographic characteristics of the portal
users and nonusers? What strategies might you employ to promote
greater usage?


Adler-Milstein, J., Bates, D. W., & Jha, A. K. (2013). Operational health information
exchanges show substantial growth, but long-term funding remains a concern.
Health Affairs, 32(8), 1486–1492.

Adler-Milstein, J., Cross, D., & Lin, S. (2016). Assessing payer perspectives on
health information exchange. Journal of the American Medical Informatics
Association, 23(2), 297–303.

AHRQ. (2015, April). Issue brief: Care management; Implications for medical
practice, health policy, and health services research. AHRQ Publication No.
15-0018-EF. Retrieved May 2016 from

ALS Association. (2015). ALS ice bucket challenge—FAQ. Retrieved February 2016

American Hospital Association (AHA). (2015, Jan.). Trendwatch: The promise of tele­
health for hospitals, health systems and their communities. Retrieved October
2015 from

Berwick, D., Nolan, T., & Whittington, J. (2008). The triple aim: Care, health, and
cost. Health Affairs, 27(3), 759–769.

Bipartisan Policy Center. (2015, July). Transitioning from volume to value: Accel­
erating the shift to alternative payment models. Retrieved May 2016 from­

R E F E R E N C E S · 135

Buckley, C. (2015, May). Patient portals adoption: From 5% to 20% and beyond.
KLAS. Retrieved May 2016 from­

Buelt, L., Nichols, L., Nielsen, M., & Patel, K. (2016, Feb.). The patient-centered
medical home’s impact on cost and quality annual review of evidence 2014–2015.
Patient-Centered Primary Care Collaborative. Retrieved May 2016 from https://­

Chopra, N., & Glaser, J. (2013, April 9). Ready, set, go: Performance-based reim­
bursement. H&HN Daily.

Chretien, K. C., & Kind, T. (2013). Social media and clinical care: Ethical, profes­
sional, and social implications. Circulation, 127, 1413–1421.

Casalino, L., Erb, N., Joshi, M., & Shortell, S. (2015, Aug.). Accountable care orga­
nizations and population health organizations. Journal of Health Politics, Policy
and Law, 40(4), 821–837.

EY. (2014). Shaping your telehealth strategy. Health Care Industry Post. Retrieved
October 2015 from­

Felt-Lisk, S., & Higgins, T. (2011, Aug.). Exploring the promise of population health
management programs to improve health. Mathematica Policy Research Issue
Brief. Retrieved May 2016 from­
publications-and-fi ndings/publications/exploring-the-promise-of-population­

Ford, E., Hesse, B., & Huerta, T. (2016). Personal health record use in the United
States: Forecasting future adoption levels. Journal of Medical Internet Research,

Gibson, R., Hunt, J., Knudson, S., Powell, K., Whittington, J., & Wozney, B. (2015).
Guide for developing and information technology investment road map for
population health management. Population Health Management, 18(3), 159–171.

Glaser, J. (2012a, Oct. 9). The growing role of analytics and business intelligence.
H&HN Daily.

Glaser, J. (2012b, April 10). Six key technologies to support accountable care.
H&HN Weekly.

Glaser, J. (2013, June). Expanding patients’ role in their care. H&HN Daily.

Glaser, J. (2015a, Dec.). Telemedicine hits its stride. H&HN Daily.

Glaser, J. (2015b, Aug. 11). From the electronic health record to the electronic
health plan. H&HN Daily.

Glaser, J. (2016a, June 13). All roads lead to population health management. H&HN

Glaser, J. (2016b, April 11). Five reasons to “like” patients’ use of social media.
H&HN Daily.

136 · C H A P T E R 4 : I N F O R M A T I O N S Y S T E M S T O S U P P O R T P O P U L A T I O N H E A L T H M A N A G E M E N T

Glaser, J., & Salzberg, C. (2011). The strategic application of information technology
in health care organizations (3rd ed.). San Francisco, CA: Jossey-Bass.

Griffis, H. M., Kilaru, A. S., Werner, R. M., Asch, D. A., Hershey, J. C., Hill, S., Ha,
Y. P., Sellers, A., Mahoney, K., & Merchant, R. M. (2014). Use of social media
across US hospitals: Descriptive analysis of adoption and utilization. Journal of
Medical Internet Research, 16(11), e264.

Grundy, P., Hacker, T., Langner, B., Nielsen, M., & Zema, C. (2012, Sept.). Benefi ts
of implementing the primary care patient-centered medical home: A review
of cost & quality results, 2012. Patient-Centered Primary Care Collaborative.
Retrieved May 2016 from ts-implementing­

Guterman, S., & Drake, H. (2010, May). Developing innovative payment approaches:
Finding the path to high performance. New York, NY: The Commonwealth

Handmaker, K., & Hart, J. (2015). 9 steps to effective population health manage­
ment. Healthcare Financial Management, 69(4), 70–76.

Health Information Management and Systems Society (HIMSS). (2010). Overview of
HIE in era of meaningful use. Retrieved February 2013 from http://www.himss
.org/content/fi les/12_21_2010_HIE%20OverView%20in%20HITECH.pdf

Henry, J., Patel, V., Pylypchuk, Y., & Searcy, T. (2016, May). Interoperability among
US non-federal acute care hospitals in 2015. ONC Data Brief, No. 36. Washing­
ton, DC: Office of the National Coordinator for Health Information Technology.

Houston, R., & McGinnis, T. (2016, Jan.). Accountable care organizations: Looking
back and moving forward. Center for Health Care Strategies. Retrieved May
2016 from

Institute for Health Technology Transformation. (2012). Population health manage­
ment: A Roadmap for provider-based automation in a new era of healthcare.
Retrieved May 2016 from

Jaspen, B. (2015, May). Value-based care will drive Aetna’s future goals. Forbes.
Retrieved May 2016 from

Kindig, D., & Stoddart, G. (2003). What is population health? American Journal of
Public Health, 93(3), 380–383.

Leavitt Partners. (2015, Dec.). Projected growth of accountable care organizations.
Retrieved May 2016 from­

Miller, H. D. (2011). Transitioning to accountable care: Incremental payment reforms
to support higher quality, more affordable health care. Pittsburgh, PA: Center for
Healthcare Quality and Payment Reform.

The National Committee for Quality Assurance (NCQA). (2015, June). Latest
evidence: Benefits of the patient-centered medical home. Retrieved May 2016

R E F E R E N C E S · 137


National eHealth Collaborative (NeHC). (2011, July). Secrets of HIE success revealed:
Lessons from the leaders. Washington, DC: Author.

Nielsen, M., & Shaljian, M. (2013, Oct.). Managing populations, maximizing tech­
nology: PHM in the medical neighborhood. Patient-Centered Primary Care
Collaborative. Retrieved May 2016 from

Olivero, M. (2015, March). Is a “medical home” in your future? US News & World
Report. Retrieved May 2016 from

Patient-Centered Primary Care Collaborative. (2011, March). Better to best: Value-
driving elements of the patient centered medical home and accountable care
organizations. Retrieved May 2016 from

PwC. (2012, April). Social media likes healthcare: From marketing to social business.
Retrieved February 2016 from

Rudin, R. S., Salzberg, C. A., Szolovitis, P., Volk, L. A., Simon, S. R., & Bates, D. W.
(2011). Care transitions as opportunities for clinicians to use data exchange
services: How often do they occur? Journal of the American Medical Informatics
Association, 18(6), 853–859.

Tweet, M. S., Gulati, R., Aase, L. A., & Hayes, S. N. (2011). Spontaneous coronary
artery dissection: A disease-specific, social networking community–initiated
study. Mayo Clinic Proceedings, 86(9), 845–850.

US Department of Health & Human Services (US DHHS). (2015, Jan.). Better,
smarter, healthier: In historic announcement, HHS sets clear goals and timeline
for shifting Medicare reimbursements from volume to value. Retrieved May 2016

Ulrich, T. (2015, October). What can patients’ tweets teach us about their health care
experiences? Boston Children’s Hospital Notes. Retrieved February 2016 from­

Vest, J. R., & Gamm, L. D. (2010). Health information exchange: Persistent
challenges and new strategies. Journal of the American Medical Informatics
Association, 17, 288–294.

Evaluation, and
of Health Care

Information Systems




System Acquisition


• To be able to explain the process a health care organization
generally goes through in selecting a health care information

• To be able to describe the systems development life cycle and its
four major stages.

• To be able to discuss the various options for acquiring a health
care information system (for example, purchasing, leasing,
contracting with vendor for cloud computing services, or building
a system in-house) and the pros and cons of each option.

• To be able to discuss the purpose and content of a request for
information and request for proposal in the system acquisition

• To gain insight into the problems that may occur during the
system acquisition process.

• To gain an understanding of the health care IT industry and
the resources available for identifying health care IT vendors


142 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

and learning about their history, products, services, and

• To gain insight into the importance of understanding IT

By now you should have an understanding of the various types of health care
information systems and the value they can bring to health care organizations
and the patients they serve. This chapter describes the typical process a health
care organization goes through in acquiring or selecting a new clinical or
administrative application. Acquiring an information system (IS) application
can be an enormous investment for health care organizations. In addition to
the initial cost, there are a host of long-term costs associated with maintaining,
supporting, and enhancing the system. Health care professionals need access
to reliable, complete, and accurate information in order to provide effective and
efficient health care services and to achieve the strategic goals of the organiza­
tion. Selecting the right application, one that meets the organization’s needs, is
a critical step. Too often information systems are acquired without exploring
all options, without evaluating costs and benefits, and without gaining suffi ­
cient input from key constituent user groups. The results can be disastrous.

This chapter describes the people who should be involved, the activities
that should occur, and the questions that should be addressed in acquir­
ing any new information system. The suggested methods are based on the
authors’ years of experience and on countless case studies of system acqui­
sition successes and failures published in the health care literature.


In this book system acquisition refers to the process that occurs from the
time the decision is made to select a new system (or replace an existing
system) until the time a contract has been negotiated and signed. System
implementation is a separate process described in the next chapter, but both
are part of the systems development life cycle. The actual system selection,
or acquisition, process can take anywhere from a few days to a couple
of years, depending on the organization’s size, structure, complexity, and
needs. Factors such as whether the system is deemed a priority and whether
adequate resources (time, people, and funds) are available can also directly
affect the time and methods used to acquire a new system (Jones, Koppel,
Ridgley, Palen, Wu, & Harrison, 2011).

S Y S T E M S D E V E L O P M E N T L I F E C Y C L E · 143

Prior to arriving at the decision to select a new system, the health care
executive team should engage in a strategic IS planning process in which the
strategic goals of the organization are formulated and the ways in which
information technology (IT) will be employed to aid the organization in
achieving its strategic goals and objectives are discussed. We discuss the
need for aligning IT plans with the strategic goals of the organization and
for determining IT priorities in Chapter Twelve. In this chapter, we assume
that a strategic IT plan exists, IT priorities have been established, the new
system has been adequately budgeted, and the organization is ready to move
forward with the selection process. We also assume that the organization
has conducted a readiness assessment and is well equipped to move forward
with the health IT project or initiative. The AHRQ National Resource Center
for Health IT has available a number of tools publicly available that can be
helpful to health care organizations in assessing their readiness for health
IT projects such as EHR implementations and for ensuring that they have
in place the personnel, technical, and financial resources to embark on
the initiative. These tools can be found at­
it-tools-and-resources. Additionally, the Office of the National Coordinator
for Health Information Technology (ONC) has readiness tools available and
implementation blueprints that serve as excellent resources at https://www


No board of directors would recommend building a new health care facility
without an architect’s blueprint and a comprehensive assessment of the orga­
nization’s and the community’s needs and resources. The architect’s blueprint
helps ensure that the new facility has a strong foundation, is well designed,
fosters the provision of high-quality care, and has the potential for growth
and expansion. Similarly, the health care organization needs a blueprint to
aid in the planning, selection, implementation, and support of a new health
care information system. The decision to invest in a health care information
system should be well aligned with the organization’s overall strategic goals
and should be made after careful thought and deliberation. Information
systems are an investment in the organization’s infrastructure, not a one­
time purchase. Health care information systems require not only up-front
costs and resources but also ongoing maintenance, support, upgrades, and
eventually, replacement.

The process an organization generally goes through in planning, select­
ing, implementing, and evaluating a health care information system is known
as the systems development life cycle (SDLC). Although the SDLC is most

144 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

commonly described in the context of software development, the process also
applies when systems are purchased from a vendor or leased through cloud-
based computing services. Cloud computing is a general term that refers to
a broad range of application, software, and hardware services delivered over
the Internet. Regardless of how the system is acquired, most health care
organizations follow a structured process for selecting and implementing a
new computer-based system. The systems development process itself involves
participation from individuals with different backgrounds and areas of exper­
tise. The specific mix of individuals depends on the nature and scope of the
new system.

Many SDLC frameworks exist, some of which employ an incremental
approach, but most have four general phases, or stages: planning and analy­
sis, design, implementation, and support and evaluation (Wager & Lee, 2006)
(see Figure 5.1). Each phase has a number of tasks that need to be performed.
In this chapter we focus on the first two phases; Chapter Six focuses on the
last two.

The SDLC approach assumes that this four-phase life of an IS starts
with a need and ends when the benefits of the system no longer outweigh
its maintenance costs, at which point the life of a new system begins (Oz,
2012). Hence, the entire project is called a life cycle. After the decision has
been made to explore further the need for a new information system, the
feasibility of the system is assessed and the scope of the project defi ned (in
actuality it is at times difficult to tell when this decision making ends and
analysis begins). The primary focus of this planning and analysis phase

Figure 5.1 Systems development life cycle

S Y S T E M S D E V E L O P M E N T L I F E C Y C L E · 145

is on the business problem, or the organization’s strategy, independent of
any technology that can or will be used. During this phase, it is important
to examine current systems and problems in order to identify opportunities
for improvement. The organization should assess the feasibility of the new
system—is it technologically, financially, and operationally feasible? Further­
more, sometimes it is easy to think that implementing a new IS will solve
all information management problems. Rarely, if ever, is this the case. But
by critically evaluating existing systems and workflow processes, the health
care team might find that current problems are rooted in ineffective proce­
dures or lack of sufficient training. Not always is a new system needed or
the answer to a problem.

Once it is clear that a new IS is needed, the next step is to assess the
information needs of users and define the functional requirements: What
functions must the system have to fulfill the need? This process can be very
time-consuming. However, it is vital to solicit widespread participation from
end users during this early stage—to solicit and achieve buy-in. As part of the
needs assessment, it is also helpful to gather, organize, and evaluate informa­
tion about the organization in which the new system is to operate. Through
defining system requirements, the organization specifies what the system
should be able to do and the means by which it will fulfill its stated goals.

Once the team knows what the organization needs, it enters the second
stage, the design phase, when it considers all its options. Will the new system
be designed in-house? Will the organization contract with an outside devel­
oper? Or will the organization purchase a system from a health information
systems vendor or contract with a vendor for cloud-based services? A large
majority of health care organizations purchase a system from a vendor or
at least look first at the systems available on the market. Contracting with
the vendor to host the applications, software, hardware, and infrastructure
via cloud computing is also growing in popularity in health care (Griebel
et al., 2015). System design is the evaluation of alternative solutions to address
the business problem. It is generally in this phase that all alternatives are
considered, a cost-benefi t analysis is done, a system is selected, and vendor
negotiations are fi nalized.

After the contract has been finalized or the system has been chosen, the
third phase, implementation, begins. The implementation phase requires
significant allocation of resources in completing tasks, such as conducting
work-flow and process analyses, installing the new system, testing the
system, training staff members, converting data, and preparing the organi­
zation and staff members for the go-live of the new system. Finally, once
the system is put into operation, the support and evaluation phase begins.
It is common to underestimate the number of staff and resources needed to

146 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

effectively keep new and existing information systems functioning properly.
No matter how much time and energy were spent on the design and build
of the application, you can count on the fact that changes will need to be
made, glitches fixed, and upgrades installed. Likewise, most mission-critical
systems need to be functioning 99.99 percent of the time—that is, with
little downtime. Sufficient resources (people, technology, infrastructure, and
upgrades) need to be allocated to maintain and support the new system.
Moreover, maintaining and supporting the new system is not enough.
Health care executives and boards often want to know the value of the IT
investment, thus the degree to which the new system has achieved its goals
and objectives should be assessed. Eventually, the system will be replaced
and the SDLC process begins again.

With this general explanation of the SDLC established, we begin by
focusing on the first two phases—the planning and analysis phase and the
design phase. Together they constitute what we refer to as the system acqui­
sition process.


To gain an understanding of and appreciation for the activities that occur
during the system acquisition process, we will follow a health care facility
through the selection process for a new information system—specifi cally, an
electronic health record (EHR) system. In this case the organization, which
we will call Valley Practice, is a multiphysician primary care practice.

What process should the practice use to select the EHR? Should it pur­
chase a system from a vendor, contract with a vendor for cloud-based ser­
vices, or seek the assistance of a system developer? Who should lead the
effort? Who should be involved in the process? What EHR products are
available on the market? How reputable are the vendors who develop these
products? These are just a few of the many questions that should be asked
in selecting a new IS.

Although the time and resources needed to select an EHR (or any health
care information system) may vary considerably from one setting to another,
some fundamental issues should be addressed in any system acquisition
initiative. The sections that follow the case study describe in more detail
the major activities that should occur (see Exhibit 5.1), relating them to the
multiphysician practice scenario. We assume that the practice wishes to
purchase (rather than develop) an EHR system. However, we briefl y describe
other options and point out how the process may differ when the EHR
acquisition process occurs in a larger health care setting, such as integrated
health systems.

Exhibit 5.1 Overview of system acquisition process

• Establish project steering committee and appoint project

• Define project objectives and scope of analysis.

• Screen the marketplace and review vendor profi les.

• Determine system goals.

• Determine and prioritize system requirements.

• Develop and distribute a request for proposal (RFP) or a request
for information (RFI).

• Explore other options for acquiring system (e.g., leasing, hiring
system designer, building in-house).

• Evaluate vendor proposals.

o Develop evaluation criteria.

o Hold vendor demonstrations.

o Make site visits and check references.

o Prepare vendor analysis.

• Conduct cost-benefi t analysis.

• Prepare summary report and recommendations.

• Conduct contract negotiations.

S Y S T E M A C Q U I S I T I O N P R O C E S S · 147

Establish a Project Steering Committee

One of the first steps in any major project such as an EHR acquisition effort
is to create a project steering committee. This committee’s primary function
is to plan, organize, coordinate, and manage all aspects of the acquisition
process. Appointing a project manager with strong communication skills,
organizational skills, and leadership abilities is critical to the project. In our
Valley Practice case, the project manager was a physician partner. In larger
health care organizations such as hospitals, it would likely be a CIO involved
in the effort and that person might also be asked to lead it.

Increasingly, clinicians such as physicians and nurses with training
in informatics are being called on to lead clinical system acquisition and
implementation projects. Known as chief medical informatics offi cers (CMIOs)
or chief nursing informatics offi cers (CNIOs), these individuals bring to the


148 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N


Replacing an EHR System

Valley Practice provides patient care services at three locations, all within
a fifteen-mile radius, and serves nearly one hundred thousand patients.
Valley Practice is owned and operated by seven physicians; each physi­
cian has an equal partnership. In addition to the physicians, the practice
employs nine nurses, fifteen support staff members, a business offi cer
manager, an accountant, and a chief executive offi cer (CEO).

During a two-day strategic planning session, the physicians and man­
agement team created a mission, vision, and set of strategic goals for Valley
Practice. The mission of the facility is to serve as the primary care “medical
home” of individuals within the community, regardless of the patients’
ability to pay. Valley Practice wishes to be recognized as a “high-tech,
high-touch” practice that provides high-quality, cost- effective patient care
using evidence-based standards of care. Consistent with its mission, one
of the practice’s strategic goals is to replace its legacy EHR with an EHR
system that adheres to industry standards for security and interoperability
and that fosters patient engagement, with the long-term goal of supporting
health fi tness applications.

Dr. John Marcus, the lead physician at Valley Practice, asked Dr. Julie
Brown, the newest partner in the group, to lead the EHR project initiative.
Dr. Brown joined the practice two years ago after completing an internal
medicine residency at an academic medical center that had a fully inte­
grated EHR system available in the hospital and its ambulatory care clinics.
Of all the physicians at Valley Practice, Dr. Brown has had the most expe­
rience using EHR applications via portable devices. She has been a vocal
advocate for migrating to a new EHR and believes it is essential to enabling
the facility to achieve its strategic goals.

Dr. Brown agreed to chair the project steering committee. She invited other
key individuals to serve on the committee, including Dr. Renee Ward, a senior
physician in the practice; Mr. James Rowls, the CEO; Ms. Mary Matthews,
RN, a nurse; and Ms. Sandy Raymond, the business offi cer manager.

After the project steering committee was formed, Dr. Marcus met with
the committee to outline its charge and deliverables. Dr. Marcus expressed
his appreciation to Dr. Brown and all of the members of the committee
for their willingness to participate in this important initiative. He assured
them that they had his full support and the support of the entire physician

S Y S T E M A C Q U I S I T I O N P R O C E S S · 149

Dr. Marcus reviewed with the committee the mission, vision, and stra­
tegic goals of the practice as well as the committee’s charge. The committee
was asked to fully investigate and recommend the top three EHR products
available in the vendor community. He stressed his desire that the com­
mittee members would focus on EHR vendors that have experience and a
solid track record in implementing systems in physician practices similar to
theirs and that have Office of the National Coordinator for Health Informa­
tion Technology (ONC)–certified EHR products. He is intrigued with the idea
of cloud-based EHR systems provided they can ensure safety, security, and
confidentiality of data; are reliable and scalable; and have the capacity to
convert data easily from the current system into the new system. The vendor
must also be willing to sign a business associates’ agreement ensuring com­
pliance with HIPAA security and privacy regulations.

Dr. Marcus is also interested in exploring what opportunities are
available for health information exchange within the region. He envi­
sions that the practice will likely partner with specialists, hospitals, and
other key stakeholders in the community to provide coordinated care
across the continuum under value-based reimbursement models. Under
the leadership of Dr. Brown, the members of the project steering com­
mittee established five project goals and the methods they would use to
guide their activities. Ms. Moore, the consultant, assisted them in clearly
defining these goals and discussing the various options for moving
forward. They agreed to consider EHR products only from those vendors
that had five or more years of experience in the industry and had a solid
track record of implementations (which they defined as having done
twenty-five or more). Dr. Ward, Mr. Rowls, and Ms. Matthews assumed
leadership roles in verifying and prioritizing the requirements expressed
by the various user groups.

The five project goals were based on Valley Practice’s strategic goals.
These project goals were circulated for discussion and approved by the
CEO and the physician partners. Once the goals were agreed on, the project
steering committee appointed a small task group of committee members to
carry out the process of defining system functionality and requirements.
Because staff time was limited, the task group conducted three separate
focus groups during the lunch period—one with the nurses, one with the
support staff members, and a third with the physicians. Ms. Moore, the

150 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

consultant, conducted the focus groups, using a semi-structured nominal
group technique.

Concurrently with the requirements definition phase of the project,
Mr. Rowls and Dr. Brown, with assistance from Ms. Moore, screened the
EHR vendor marketplace. They reviewed the literature, consulted with
colleagues in the state medical association, and surveyed practices in
the state that they knew used state-of-the-art EHR systems. Mr. Rowls
made a few phone calls to chief information offi cers (CIOs) in surround­
ing hospitals who had experience with ambulatory care EHR to get their
advice. This initial screening resulted in the identification of eight EHR
vendors whose products and services seemed to meet Valley Practice’s

Given the fairly manageable number of vendors, Ms. Moore suggested
that the project steering committee use a short-form RFP. This form had
been developed by her consulting firm and had been used successfully

project a clinical perspective as well as an understanding of IT and informa­
tion management processes. (The roles of CMIOs and CNIOs are described
more fully in Chapter Eight.) Regardless of the discipline or background of
the project manager (for example, IT, clinical, or administrative), he or she
should bring to the project passion, interest, time, strong interpersonal and
communication skills, and project management skills and should be someone
who is well respected by the organization’s leadership team and who has the
political clout to lead the effort effectively.

Pulling together a strong team of individuals to serve on the project
steering committee is also important. These individuals should include rep­
resentatives from key constituent groups in the practice. At Valley Practice, a
physician partner, a nurse, the business officer manager, and the CEO agreed
to serve on the committee. Gaining project buy-in from the various user
groups should begin early. This is a key reason for inviting representatives
from key constituent groups to serve on the project steering committee. They
should be individuals who will use the EHR system directly or whose jobs
will be affected by it.

Consideration should also be given to the size of the committee; typically,
having five to six members is ideal. In a large facility, however, this may not
be possible. The committee for a hospital or health systems might have fi fteen
to twenty members, with representatives from key clinical areas such as
laboratory medicine, pharmacy, and radiology in addition to representatives
from the administrative, IT, nursing, and medical staffs.

S Y S T E M A C Q U I S I T I O N P R O C E S S · 151

by other physician practices to identify top contenders. The short-form
RFPs were sent to the eight vendors; six responded. Each of these six pre­
sented an initial demonstration of its EHR system on site. Following the
demonstrations, the practice staff members completed evaluation forms
and ranked the various vendors. After reviewing the completed RFPs and
getting feedback on the vendor presentations, the committee determined
that three vendors had risen to the top of the list.

Dr. Brown and Dr. Ward visited four physician practices that used
EHR systems from these three finalists. Mr. Rowls checked references
and prepared the final vendor analysis. A detailed cost-benefi t analysis
was conducted, and the three vendors were ranked. All three vendors, in
rank order, were presented in the fi nal report given to Dr. Marcus and the
other physician partners. Dr. Marcus, Dr. Brown, and Mr. Rowls spent four
weeks negotiating a contract with the top contender. It was fi nalized and
approved after legal review and after all the partners agreed to it.

It is important to have someone knowledgeable about IT serving on the
project steering committee. This may be a physician, a nurse, the CEO, or
an outside consultant. In a physician group practice, having an in-house IT
professional is not always possible. The committee chair might look internally
to see if someone has the requisite IT knowledge, skills, interests, and also
the time to devote to the project, but the chair also might look externally for
a health care IT professional who might serve in a consultative role and help
the committee direct its activities appropriately.

Define Project Objectives and Scope of Analysis

Once the project steering committee has been established, its fi rst order
of business is to clarify the charge to the committee and to defi ne project
goals. The charge describes the scope and nature of the committee’s activ­
ities. The charge usually comes from senior leadership or a lead physician
in the practice. Project goals should also be established and communicated
in well-defined, measurable terms. What does the committee expect to
achieve? What process will be used to ensure the committee’s success? How
will milestones be acknowledged? How will the committee communicate
progress and resolve problems? What resources (such as time, personnel,
and travel expenses) will the committee need to carry out its charge? What
method will be used to evaluate system options? Will the committee con­
sider contracting with a system developer to build a system or outsourcing

152 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

the system to an application service provider? Or is the committee only
considering systems available for purchase from a health care information
systems vendor?

Once project goals are formulated, they can guide the committee’s activ­
ities and also clarify the resources needed and the likely completion date for
the project. Here are some examples of typical project goals:

• Assess the practice’s information management needs and establish
goals and objectives for the new system based on these needs.

• Conduct a review of the literature on EHR products and the market
resources for these products.

• Investigate the top-ten EHR system products for the ambulatory care

• Visit two to four health care organizations similar to ours that have
implemented an EHR system.

• Schedule vendor demonstrations for times when physicians, nurses,
and others can observe and evaluate without interruptions.

As part of the goal-setting process, the committee should determine the
extent to which various options will be explored. For example, the Valley
Practice project steering committee decided at the onset that it was going to
consider only EHR products available in the vendor community and ONC-
certified. Users can be assured that certified EHR products meet certain
standards for content, functionality, and interoperability.

The committee further stipulated that it would consider only vendors with
experience (for example, five or more years in the industry) and those with a
solid track record of system installations (for example, twenty-five or more
installations). The committee members felt the practice should contract with
a system developer only if they were unable to find a suitable product from
the vendor community—their rationale being that the practice wanted to be
known as high-tech, high-touch. They also believed it was important to
invest in IT personnel who could customize the application to meet practice
needs and who would be able to assist the practice in achieving project and
practice goals.

Screen the Marketplace and Review Vendor Profi les

Concurrently with the establishment of project goals, the project steering
committee should conduct its first, cursory review of the EHR marketplace
and begin investigating vendor profiles. Many resources are available to

S Y S T E M A C Q U I S I T I O N P R O C E S S · 153

aid the committee in this effort. For example, the Valley Practice commit­
tee might obtain copies of recent market analysis reports—from research
firms such as Gartner or KLAS—listing and describing the vendors that
provide EHR systems for ambulatory care facilities. The committee might
also attend trade shows at conferences of professional associations such
as the Healthcare Information and Management Systems Society (HIMSS)
and the American Medical Informatics Association (AMIA). (Appendix A
provides an overview of the health care IT industry and describes a variety
of resources available to health care organizations interested in learning
about health care IT products, such as EHR systems, available in the vendor

Determine System Goals

Besides identifying project goals, the project steering committee should defi ne
system goals. System goals can be derived by answering questions such as,
What does the organization hope to accomplish by implementing an EHR
system? What is it looking for in a system? If the organization intends to
transform existing care processes, can the system support the new processes?
Such goals often emerge during the initial strategic planning process when
the decision is made to move forward with the selection of the new system.
At this point, however, the committee should state its goals and needs for
a new EHR system in clearly defi ned, specific, and measurable terms. For
example, a system goal such as “select a new EHR system” is very broad and
not specific. Here are some examples of specific and measurable goals for a
physician practice.

Our EHR system should do the following:

• Enable the practice to provide service to patients using evidence-based
standards of care.

• Aid the practice in monitoring the quality and costs of care provided
to the patients served.

• Provide clinicians with access to accurate, complete, relevant patient
information, on-site and remotely.

• Improve staff member effi ciency and effectiveness.

• More fully engage patients in their own care by providing patients
with ready access to their test results, immunization records, patient
education materials, and other aids.

• Enable the practice to manage chronic disease patient care more

154 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

These are just a few of the types of system goals the project steering com­
mittee might establish as it investigates a new EHR for the organization. The
system goals should be aligned with the strategic goals of the organization
and should serve as measures of success throughout the system acquisition

Determine and Prioritize System Requirements

Once the goals of the new system have been established, the project steering
committee should begin to determine system requirements. These require­
ments may address everything from what information should be available
to the provider at the point of care to how the information will be secured
to what type of response time is expected. The committee may use any
of a variety of ways to identify system requirements. One approach is to
have a subgroup of the committee conduct focus-group sessions or small-
group interviews with the various user groups (physicians, nurses, billing
personnel, and support staff members). A second approach is to develop
and administer a written or an electronic survey, customized for each user
group, asking individuals to identify their information needs in light of their
job role or function. A third is to assign a representative from each specifi c
area to obtain input from users in that area. For example, the nurse on the
Valley Practice project steering committee might interview the other nurses;
the business office manager might interview the support staff members.
System requirements may also emerge as the committee examines templates
provided by consultants or peer institutions, looks at vendor demonstrations
and sales material, or considers new regulatory requirements the organiza­
tion must meet.

The committee may also use a combination of these or other approaches.
At times, however, users do not know what they want or will need. Hence,
it can be extremely helpful to hold product demonstrations, meet with con­
sultants, or visit sites already using EHR systems so that those who will
use or be affected by the EHR can see and hear what is possible. Whatever
methods are chosen to seek users’ information system needs, the end result
should be a list of requirements and specifications that can be prioritized or
ranked. This ranking should directly reflect the specific strategic goals and
circumstances of the organization.

The system requirements and priorities will eventually be shared with
vendors or the system developer; therefore, it is important that they be
clearly defined and presented in an organized, easy-to-understand format.
For example, it may be helpful to organize the requirements into catego­
ries such as software (system functionality, software upgrades); technical

S Y S T E M A C Q U I S I T I O N P R O C E S S · 155

infrastructure (hardware requirements, network specifi cations, backup,
disaster recovery, security); and training and support (initial and ongoing
training, technical support). These requirements will eventually become a
major component of the RFP submitted to vendors or other third parties
(discussed next).

Develop and Distribute the RFP or RFI

Once the organization has defined its system requirements, the next step
in the acquisition process is to package these requirements into a structure
that a third party can respond to, whether that third party be a development
partner or a health information systems vendor. Many health care organiza­
tions package the requirements into a request for proposal. The RFP provides
the vendor with a comprehensive list of system requirements, features, and
functions and asks the vendor to indicate whether its product or service
meets each need. Vendors responding to an RFP are also generally required
to submit a detailed and binding price quotation for the applications and
services being sought.

RFPs tend to be highly detailed and are therefore time-consuming and
costly to develop and complete. However, they provide the health care
organization and each vendor with a comprehensive view of the system
needed. Health care IT consultants can be extremely resourceful in assist­
ing the organization with developing and packaging the RFP. An RFP for
a major health care information system acquisition generally contains the
following information (sections marked with an asterisk [*] are completed
by the vendor; the other sections are completed by the organization issuing
the RFP):

• Instructions for vendors:

o Proposal deadline and contact information: where and when the
RFP is due; whom to contact with questions

o Confi dentiality statement and instructions: a statement that the RFP
and the responses provided by the vendor are confi dential and are
proprietary information

o Specifi c instructions for completing the RFP and any stipulations
with which the vendor must comply in order to be considered

• Organizational objectives: type of system or application being sought;
information management needs and plans

• Background of the organization:

156 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

o Overview of the facility: size, types of patient services, patient
volume, staff composition, strategic goals of organization

o Application and technical inventory: current systems in use,
hardware, software, network infrastructure

• System goals and requirements: goals for the system and functional
requirements (may be categorized as mandatory or desirable and
listed in priority order). Typically this section includes application,
technical, and integration requirements. Increasingly, health care
providers are interested in assessing and testing system usability.
Incorporating scripted scenarios in the requirements section of the
RFP that are based on existing workfl ow and business processes can
provide meaningful information during the selection process (Corrao,
Robinson, Swiernik, & Naeim, 2010; Eisenstein, Jurwishin, Kushniruk,
& Nahm, 2011; IOM, 2011).

• Vendor qualifi cations: *general background of vendor, experience,
number of installations, financial stability, list of current clients,
standard contract, and implementation plan

• Proposed solutions: *how vendor believes its product meets the goals
and needs of the health care organization. Vendor may include case
studies, results from system analysis projects, and other evidence of
the benefi ts of its proposed solution.

• Criteria for evaluating proposals: how the health care organization
will make its final decisions on product selection

• General contractual requirements: *warranties, payment schedule,
penalties for failure to meet schedules specifi ed in contract, vendor
responsibilities, and so forth

• Pricing and support: *quote on cost of system, using standardized
terms and forms

The RFP may become the basis for a legally binding contract or obligation
between the vendor and the solicitor, so it is important for both parties to
carefully consider the wording of questions and the corresponding responses
(AHIMA, 2007).

RFPs are not the only means by which to solicit information from vendors.
A second approach that is often used is the request for information. An RFI
is less formal, considerably shorter than an RFP, and less time-consuming to
develop. It is often used as part of the fact-finding process to obtain basic infor­
mation on the vendor’s background, product descriptions, and service capa­
bilities. Some health care organizations send out an RFI before distributing

S Y S T E M A C Q U I S I T I O N P R O C E S S · 157

the RFP in order to screen out vendors whose products or services are not
consistent with the organization’s needs or to narrow the field of vendors to
a manageable number. The RFI can serve as a tool in gathering background
information on vendors’ products and services and providing the project steer­
ing committee with a better sense of the health IT marketplace. How does
one decide whether to use an RFP, an RFI, both, or neither during the system
acquisition process? Several factors should be considered. Although time-
consuming to develop, the RFP is useful in forcing a health care organization
to define its system goals and requirements and prioritize its needs. The RFP
also creates a structure for objectively evaluating vendor responses and pro­
vides a record of documentation throughout the acquisition process. System
acquisition can be a highly political process; by using an RFP the organization
can introduce a higher degree of objectivity into that process. RFPs are also
useful data collection tools when the technology being selected is established
and fully developed, when there is little variability between vendor products
and services, when the organization has the time to fully evaluate all options,
and when the organization needs strong contract protection from the selected
vendor (DeLuca & Enmark, 2002). However, not all vendors may wish to
submit a response to an RFI or RFP because of costs or suitability.

There are also drawbacks to RFPs. In addition to taking considerable time
to develop and review, they can become cumbersome and so detail oriented
that they lose their effectiveness. For instance, it is not unusual to receive
three binders full of product and service information from one vendor. If ten
vendors respond to an RFP (about five is ideal), the project steering committee
may be overwhelmed and find it difficult to wade through and differentiate
among vendor responses. Having too much information to summarize can be
as crippling to a committee in its deliberations as having too little.

Therefore a scaled-back RFP or an RFI might be a desirable alternative.
An RFI might be used when the health care organization is considering only a
small group of vendors or products or when it is still in the exploratory stages
and has not yet established its requirements. Some facilities use an even less
formal process consisting primarily of site visits and system demonstrations.

Regardless of the tool(s) used, it is important for the health care orga­
nization to provide sufficient detail about its current structure, strategic IT
goals, and future plans so that the vendor can respond appropriately to its
needs. Additionally, the RFP or RFI (or variation of either) should result
in enough specific detail that the organization gets a good sense of the
vendor—its services, history, vision, stability in the marketplace, and system
or product functionality. The organization should be able to easily screen
out vendors whose products are undeveloped or not yet fully tested (DeLuca
& Enmark, 2002).

158 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

Explore Other Acquisition Options

In our Valley Practice case, the physicians and staff members opted to acquire
an EHR system from the vendor community. Organizations such as Valley
Practice often turn to the market for products that they will run on their own
IT infrastructure. But there are times when they do not go to the market—
they choose to leverage someone else’s infrastructure (by contracting with an
application service provider or vendor who offers cloud computing services)
or they build the application (by contracting with a system developer or using
in-house staff members).

Option to Contract with Vendor for Cloud

Computing Services

In recent years, there has been a wider availability of high-speed or broadband
Internet connections, more sophisticated vendor solutions, and a growing
number of options for hosting software, hardware, and infrastructure via
the Internet. These services are generally referred to as cloud computing,
a general term that refers to the applications delivered as services over the
Internet and the hardware and software in the data centers that provide those
services. Vendors and companies may use different terms to describe cloud-
based services. Common options include application service provider (ASP),
software as a service (SaaS), infrastructure as a service, and platform as a
service. The scope of services and payment methods also can vary consider­
ably. However, cloud computing options generally require less upfront capital
expenses, fewer IT staff members and resources, and greater scalability and
access to analytic capabilities (Armbrust et al., 2010). Essentially the health
care provider contracts with the vendor to host and maintain the clinical or
administrative application and related hardware; the health care organization
or provider simply accesses the system remotely over a network connection and
pays the monthly or negotiated fees.

Why might a health care organization consider contracting with a vendor
in a cloud-based service arrangement rather than purchasing an EHR system
(or other application) from a vendor? There are several reasons. First, the facil­
ity may not have the IT staff members needed to run or support the desired
system. Hiring qualified personnel at the salaries they demand may be dif­
ficult, and retaining them may be equally challenging. Second, cloud-based
options enable health care organizations to use clinical or administrative
applications with fewer up-front costs and less capital. For a small physician
practice, these financial arrangements can be particularly appealing. Because

S Y S T E M A C Q U I S I T I O N P R O C E S S · 159

many vendors offer cloud-based services on fi xed monthly fees or fees based
on use, organizations are better able to predict costs. Third, by contracting
with a vendor to host, manage, or support IT, the health care organization
can focus on its core business and not get bogged down in IT support issues,
although it may still have to deal with issues of system enhancements, user
needs, and the selection of new systems. Other advantages are rapid deploy­
ment and 24/7 technical support. They also offer scalability and fl exibility,
so as the practice or organization grows or shrinks in size or volume, they
pay only for the services used. Other benefits include upgrades that can be
made once and applied across a network of users instantaneously; users can
access services from any standardized device no matter their location; and a
cloud-based network can easily accommodate changes in use (increase and
decrease during certain periods).

However, cloud computing services have some disadvantages and limita­
tions that the health care organization should consider in its deliberations.
Although rapid deployment of the application can be a tremendous advantage
to an organization, the downside is the fact that the application will likely be
a standard, off-the-shelf product, with little if any customization. This means
that the organization has to adapt or mold its operations to the application
rather than tailoring the application to meet the operational needs of the
organization. A second drawback deals with technical support. Although
technical support is generally available, it is unrealistic to think that the
vendor’s support personnel will have intimate knowledge of the organiza­
tion and its operations. Frustrations can mount when one lacks in-house IT
technical staff members when and where they are needed. Third, health care
providers have long been concerned about data ownership, security, and
privacy—worries that increase when another organization hosts their clinical
data and applications. How the vendor will secure data and maintain patient
privacy should be clearly specified in the contract. Likewise, to minimize
downtime, the vendor should have clear plans for backing up data, preventing
disasters, and recovering data.

As the industry matures, we will likely see different variations and greater
choices among organizations offering cloud-based services. A recent review of
the literature found cloud computing used in six primary domains: (1) telemed­
icine and teleconsultation, (2) medical imaging, (3) public health and patients’
self-management, (4) clinical information systems, (5) therapy, and (6) second­
ary use of data (Griebel et al., 2015). Additionally, cloud computing is designed
to support cooperation, care coordination, and information sharing.

The health care executive considering a move to cloud computing should
carefully consider the type of application moving to the cloud (clinical,

160 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

administrative) and the cloud service model that will be the most attractive
economic option (Cloud Standards Customer Council, 2012). Health care
executives should also thoroughly research the company and its products
and consider factors such as company viability, target market, functionality,
integration, implementation and training help desk support, security, pricing,
and service levels. It is important to be able to trust the vendor and products
and to choose systems and services wisely.

Option to Contract with a System Developer
or Build In-House

An alternative to purchasing or leasing a system from a vendor is to contract
with a developer to design a system for your organization. The developer
may be employed in-house or by an outside firm. Working with a system
developer can be a good option when the health care organization’s needs
are highly uncertain or unique and the products available on the market do
not adequately meet these needs. Developing a new or innovative application
can also give the organization a significant competitive advantage. The costs
and time needed to develop the application can be significant, however. It is
also important to consider the long-term costs. If the developer leaves, how
difficult would it be to hire and retain someone to support and maintain
the system? How will problems with the system be addressed? How will the
application be upgraded? What long-term value will it bring the organization?
These are a few of the many questions that should be addressed in consid­
ering this option. It is rare for a health care organization to develop its own
major clinical information system.

Evaluate Vendor Proposals

In the Valley Practice case, the project steering committee decided to focus
its efforts at first on considering only EHR products available for purchase or
lease in the vendor community. The committee came to this conclusion after
its initial review of the EHR marketplace. Committee members felt there were
a number of vendors whose products appeared to meet practice needs. They
also felt strongly that in-house control of the EHR system was important to
achieving the practice goal of becoming a high-tech, high-touch organiza­
tion, because they wanted to be able to customize the application. Realizing
this, the committee had budgeted for an IT director and an IT support staff
member. Members felt that the long-term cost savings from implementing an
EHR would justify these two new positions.

S Y S T E M A C Q U I S I T I O N P R O C E S S · 161

Develop Evaluation Criteria

The project steering committee at Valley Practice decided to go through the
RFP process. It developed criteria by which it would review and evaluate
vendor proposals. Criteria were used to grade each vendor’s response to the
RFP. Grading scales were established so the committee could accurately
compare vendors’ responses. These grading scales involved assigning more
weight to required items and less weight to those deemed merely desirable.
Categories of “does not meet requirement,” “partially meets requirement,”
and “meets requirement” were also used. RFP documents were compared
item by item and side by side, using the grading scales established by the
committee (see Table 5.1 for sample criteria). To avoid information overload,
a common condition in the RFP review process, the project steering committee
focused on direct responses to requirements and referred to supplemental
information only as needed. Summary reports of each vendor’s response to
the RFP were then prepared by a small group of committee members and
distributed to the committee at large.

Hold Vendor Demonstrations

During the vendor review process, it is important to host vendor system
demonstrations. The purpose of these demonstrations is to give the members

Table 5.1 Sample criteria for evaluation of RFP responses

Type of Application: Electronic Health Record System

Vendor Name: The EHR Company

Meets Partially Meets Does Not Meet
Criteria Requirement Requirement Requirement

1. Alerts user to possible drug


2. Provides user with list of
alternate drugs


3. Advises user on dosage
based on patient’s weight


4. Allows user to enter over­
the-counter medications

x (on different

5. Allows easy printout of


162 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

of the health care organization an opportunity to (1) evaluate the look
and feel of the system from a user’s point of view, (2) validate how much
the vendor can deliver of what has been proposed, (3) conduct system
usability testing, and (4) narrow the field of potential vendors. It is often
a good idea to develop demonstration scripts and require all vendors to
present their systems in accordance with these scripts. Scripts generally
reflect the requirements outlined in the RFP and contain a moderate level
of detail. For example, a script might require demonstrating the process
of registering a patient or renewing a prescription. The use of scripts can
ensure that all vendors are evaluated on the same basis or functionality.
At the same time, it is important to allow vendors some creativity in pre­
senting their product and services. When scripts are used, they need to be
provided to vendors at least one month in advance of the demonstration,
and vendors and health care organization must adhere to them. It is also
important to have end users carry out certain functions or procedures
that they would usually do in the course of the day using the vendor’s
system. You might ask them to complete a system usability survey after
they have had a chance to use the system and practice on several records.
Figure 5.2 is an example of a system usability scale questionnaire in which
end users are asked to respond to each item using a Likert scale of 1 to 5,
from strongly disagree to strongly agree. Criteria should be developed and
used in evaluating vendor demonstrations, just as they are for reviewing
vendor responses to the RFP.

Make Site Visits and Check References

After reviewing the vendors’ RFPs and evaluating their product demonstra­
tions, it is advisable to make site visits and check references. By visiting other
facilities that use a vendor’s products, the health care organization should
gain additional insight into what the vendor would be like as a potential
partner. It can be extremely benefi cial to visit organizations similar to yours.
For instance, in the Valley Practice case, representatives from key practice
constituencies decided to visit other ambulatory care practices to see how
a specific system was being used, the problems that had been encountered,
and how these problems had been addressed.

How satisfied are the staff members with the system? How responsive
has the vendor been to problems? How quickly have problems been resolved?
To what degree has the vendor delivered on its promises? Hearing answers
to such questions firsthand from a variety of users can be extremely helpful
in the vendor review process.

S Y S T E M A C Q U I S I T I O N P R O C E S S · 163

Figure 5.2 System usability scale questionnaire

Source: Brooke (1996); Lewis and Sauro (2009).

Other Strategies for Evaluating Vendors

A host of other strategies can be used to evaluate a vendor’s reputation and
product and service quality. Organizational representatives might attend
vendor user group conferences, review the latest market reports, consult
with colleagues in the field, seek advice from consultants, and request an
extensive list of system users.

Prepare a Vendor Analysis

Throughout the vendor review process, the project steering committee
members should have evaluation tools in place to document their impres­
sions and the views of others in the organization who participate in any or
all of the review activities (review of RFPs, system demonstrations, site visits,
reference checks, and so forth). The committee should then prepare vendor

164 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

Figure 5.3 Cost-benefi t analysis

analysis reports that summarize the major findings from each of the review
activities. How do the vendors compare in reputation? In quality of their product?
In quality of service? How do the systems compare in terms of their initial and
ongoing costs? To what degree is the vendor’s vision for product development
aligned with the organization’s strategic IT goals?

Conduct a Cost-Benefi t Analysis

The final analysis should include an evaluation of the cost and benefi ts of
each proposed system. Figure 5.3 shows a comparison of six vendor products.
Criteria were developed to score and rank each vendor’s system. As the fi gure
illustrates, the selection committee ranked vendor 4 the top choice.

The capital cost analysis may include software, hardware, network or
infrastructure, third-party, and internal capital costs. The total cost of own­
ership should factor in support costs and the costs of the resources needed
(including personnel) to implement and support the system. Once the initial
and ongoing costs are identified, it is important to weigh them against the
benefits of the systems being considered. Can the benefits be quantifi ed?
Should they be included in the fi nal analysis?

Prepare a Summary Report and Recommendations

Assuming the capital cost analysis supports the organization in moving
forward with the project, the project steering committee should compile a
final report that summarizes the process and results from each major activity
or event. The report may include these elements:

P R O J E C T M A N A G E M E N T T O O L S · 165

• System goals and criteria

• Process used

• Results of each activity and conclusions

• Cost-benefi t analysis

• Final recommendation and ranking of vendors

It is generally advisable to have two or three vendors in the fi nal ranking,
in the event that problems arise with the first choice during contract negoti­
ations, the final step in the system acquisition process.

Conduct Contract Negotiations

The final step of the system acquisition process is to negotiate a contract
with the vendor. This, too, can be time-consuming, and therefore it is helpful
to seek expert advice from business or legal advisors. The contract outlines
expectations and performance requirements, who is responsible for what (for
example, training, interfaces, support), when the product is to be delivered
(and vendor financial liability for failing to deliver on time), how much cus­
tomization can be performed by the organization purchasing the system, how
confidentiality of patient information will be handled, and when payment is
due. The devil is in the details, and although most technical terms are common
among vendors, other language and nuances are not. Establish a schedule and
a pre-implementation plan that includes a timeline for implementation of the
applications and an understanding of the resource requirements for all aspects
of the implementation, including cultural change management, workfl ow rede­
sign, application implementation, integration requirements, and infrastructure
development and upgrades, all of which can consume substantial resources.


Throughout the course of the system acquisition project, a lot of materials will
be generated, many of which should be maintained in a project repository. A
project repository serves as a record of the project steering committee’s prog­
ress and activities. It includes such information and documents as minutes
of meetings, correspondence with vendors, the RFP or RFI, evaluation forms,
and summary reports. This repository can be extremely useful when there are
changes in staff members or in the composition of the committee and when the
organization is planning for future projects. The project manager should assume
a leadership role in ensuring that the project repository is established and main­
tained. Following is a sample of the typical contents of a project repository.

166 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

Sample Contents of a Project Repository

• Committee charge and membership (including contact

• Project objectives (including method that will be used to select

• System goals

• Timeline of committee activities (for example, Gantt chart)

• System requirements (mandatory and desirable)



• Evaluation forms for

o Responses to RFPs

o Vendor demonstrations

o Site visits

o Reference checks

• Summary report and recommendations

• Project budget and resources

Managing the various aspects of the project and coordinating activities
can be a challenging task, particularly in large organizations or when a lot
of people are involved and many activities are occurring simultaneously. It
is important that the project manager helps those involved to establish clear
roles and responsibilities for individual committee members, set target dates,
and agree on methods for communicating progress and problems. Many
project management tools exist that can be useful here. For example, a simple
Gantt chart (Figure 5.4) can document project objectives, tasks and activities,
responsible parties, and target dates and milestones. A Gantt chart can also
display a graphical representation of all project tasks and activities, showing
which ones may occur simultaneously and which ones must be completed
before another task can begin. Other tools enable one to allocate time, staff
members, and financial resources to each activity. (Gantt charts and other
timelines can be created with software programs such as Visio or Microsoft
Project. A discussion of these tools is beyond the scope of this book but can
be found in most introductory project management textbooks.)

T H I N G S T H A T C A N G O W R O N G · 167

Figure 5.4 Example of a simple Gantt chart

It is important to clearly communicate progress within the project steer­
ing committee and to individuals outside the committee. Senior management
should be kept apprised of project progress, budget needs, and committee
activities. Regular updates should be provided to senior management as well
as other user groups involved in the process. Communication can be formal
and informal—everything from periodic update reports at executive meetings
to facility newsletter briefings to informal discussions at lunch.


Managing the system acquisition process successfully requires strong and
effective leadership, planning, organizational, and communication skills.
Things can and do go wrong. Upholding a high level of objectivity and fair­
ness throughout the acquisition process is important to all parties involved.
Failing to do so can hamper the overall success of the project. Following is
a list of some common pitfalls in the system acquisition process, along with
strategies for avoiding them.

Failing to manage vendor access to organizational leadership. The
vendor may schedule private time with the CEO or a board member
in the hope of infl uencing the decision and bypassing the project
steering committee entirely. It is not unusual to hear that processes or
decisions have been altered after the CEO has been on a golf outing
or taken a trip to the Super Bowl with a vendor. The vendor may
persuade the CEO or a board member to overturn or question the
decisions of the project steering committee, crippling the decision
process. Hence, it should be clearly communicated to all parties
(senior management, board, and vendor) that all vendor requests
and communication should be channeled through the project steering

Failing to keep the process objective (getting caught up in vendor
razzle-dazzle). Related to the need to manage vendor access to
decision makers is the need to keep the process objective. The project

168 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

steering committee should assume a leadership role in ensuring
that there are clearly defined criteria and methods for selecting the
vendor. These criteria and methods should be known to all the parties
involved and should be adhered to. In addition, it is important that the
committee and other organizational representatives remain unbiased
and not get so impressed with the vendor’s razzle-dazzle (in the form,
for example, of exquisite dinners or fancy gadgets) that they fail to
assess the vendor or the product objectively. Consider the politics of a
situation but do not allow the vendor to drive the result—take the high
road to avoid the appearance of favoritism.

Overdoing or underdoing the RFP. Striking a balance between
too much and too little information and detail in the RFP and also
determining how much weight to give to the vendors’ responses to the
RFP can be challenging. The project steering committee should err on
the side of being reasonable—that is, the committee should include
enough information and detail that the vendor can appropriately respond
to the organization’s needs and should give the vendor responses to
the RFP appropriate consideration in the final decision. Organizations
should also be careful that they do not assign either too much or too
little weight to the RFP process.

Failing to involve the leadership team and users extensively during
the selection process. A sure way to disenchant the leadership team
and end users is to fail to involve them adequately in the system
acquisition process. There should be ample opportunity for people
at all levels of the organization who will use or be affected by the
new information system to have input into its selection. Involvement
can include everything from being invited and encouraged to attend
vendor presentations during uninterrupted time to being asked to join
a focus group in which user input is sought. It is important that the
project steering committee seek input and involvement throughout
the acquisition process, not simply at the end when the decision is
nearly final. Far too often information system projects fail because
the leadership team and end users were not actively involved in the
selection of the new system. Involving people from the very beginning
helps them to be an integral part of the process and the solution.

Turning negotiations into a blood sport. You want to negotiate a
fair deal with the vendor and not leave the vendor’s people feeling
as though they have just been “beaten” in a contest. A lopsided
deal results in a disenchanted partner and can create a bad
climate. Understand what is required from all parties and establish

I N F O R M A T I O N T E C H N O L O G Y A R C H I T E C T U R E · 169

performance criteria for payments and remedies for nonperformance.
It is important to form a healthy, respectful long-term relationship with
the vendor.

These are just a few of the many issues that can arise during the system
acquisition process that the health care executive should be aware of. Failing
to appropriately address these issues can interfere with the organization’s
ability to successfully select and implement a system that will be adopted
and widely used.


Congruent with the selection process, it is important for health care execu­
tives to have an understanding of the underlying IT architecture. In other
words, how does the organization choose among different technologies and
ultimately bring them together into a cohesive set of health care information
systems? This section addresses this important question by examining health
care information system architecture.

An organization’s information systems require that a series of core
technologies come together, or work together as whole, to meet the IT goals
of the organization. The way that core technologies, along with the appli­
cation software, come together should be the result of decisions about what
information systems are implemented and used within the organization and
how they are implemented and used. For example, the EHR system or the
patient accounting system with which users ultimately interact involves not
just the application software but also the network, servers, security systems,
and so forth that all come together to make the system work effectively.
This coming together should never be a haphazard process. It should be

In discussing IT architecture, we will cover several topics:

• A definition of architecture

• Architecture perspectives

• Architecture examples

• Observations about architecture

A Definition of Architecture

A design and a blueprint guide the coming together of a house. The coming
together of information systems is guided by information technology

170 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

architecture. For the house, the development of the blueprint and the
design is influenced by the builder’s objectives for the house (is it to be
a single-family house or an apartment building, for example) and the
desired properties of the house (energy efficient or handicap accessible, for
example). For an organization’s information systems, the development of
an architecture is influenced by the organization’s objectives (EHRs that
span multiple hospitals, for example) and the systems’ desired properties
(efficient to support and having a high degree of application integration,
for example).

Following the design and the blueprints, the general contractor, plumb­
ers, carpenters, and electricians use building materials to create the house.
Following the architecture for the organization’s information systems, the IT
staff members and the organization’s vendors implement the core technolo­
gies and application software and integrate them to create the information

IT architecture consists of concepts, strategies, and principles that guide an
organization’s technology choices and the manner in which the organization
integrates and manages these choices. For example, an organization’s architec­
ture discussion concludes that the organization should use industry standard
technology. This decision reflects an organizational belief that standard technol­
ogy will have a lower risk of obsolescence, be easier to support, and be available
from a large number of IT vendors that use standard technology. Guided by
its architecture decision, the organization chooses to implement networks that
conform to a specific standard network protocol and decides to use the Windows
operating system for its workstations.

Two additional terms are sometimes used either as synonyms for or in
describing architecture: platform and infrastructure. In this text, however,
we adhere to accepted distinctions among these three terms. For example,
you might hear IT personnel say that “our systems run on a Microsoft, HP,
and Cisco platform.” Platforms are the specific vendors and technologies
that an organization chooses for its information systems. You might hear
of a Windows platform or web-based platform. Platform choices should be
guided by architecture discussions. You might also hear IT personnel talk
about the infrastructure of the health care information system. Infrastruc­
ture refers to the entire base of IT that an organization uses—its networks,
servers, workstations, and so on. Organizations choose specifi c platforms
from specific vendors to implement their infrastructure. An organization’s
infrastructure can have several platforms—CISCO for networks, Microsoft
for workstations, and so on. Although infrastructure is not vendor or
technology specific, it is not quite as broad a term as architecture, which
encompasses much more than specific technologies and networks.

I N F O R M A T I O N T E C H N O L O G Y A R C H I T E C T U R E · 171

In creating an infrastructure, an organization will implement platforms
and be guided by its IT architecture.

Architecture Perspectives

Organizations adopt various frames of reference as they approach the topic
of architecture. This section will illustrate two approaches, one based on
the characteristics and capabilities of the desired architecture and the other
based on application integration.

Characteristics and Capabilities

Glaser (2002, p. 62) defines architecture as “the set of organizational, manage­
ment, and technical strategies and tactics used to ensure that the organization’s
information systems have critical, organizationally defi ned characteristics
and capabilities.” For example, an organization can decide that it wants an
information system that has characteristics such as being agile, effi cient to
support, and highly reliable.

In addition, the organization can decide that its information systems
should have capabilities such as being accessible by patients from their
homes or being able to incorporate clinical decision support. If it wants high
reliability, it will need to make decisions about fault-tolerant computers and
network redundancy. If it wants users to be able to customize their clinical
information screens, this will influence its choice of a clinical information
system vendor. If it wants providers to be able to structure clinical documen­
tation, it will need to make choices about natural language processing, voice
recognition, and templates in its electronic medical record.

Architecture choices are guided by organizational decisions about the
capabilities and characteristics that are desired of its information systems.

Application Integration

Another way of looking at information systems architecture is to look at how
applications are integrated across the organization. One often hears vendors
talk about architectures such as best of breed, monolithic, and visual integra­
tion. Best of breed describes an architecture that enables each department to
pick the best application it can find and that then attempts to integrate these
applications by means of an interface engine that manages the transfer of
data between these applications—for example, it can send a transaction with
registration information on a new patient from the admitting system to the
laboratory system.

172 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

Monolithic describes the architecture of a set of applications that all come
from one vendor and that all use a common database management system
and common user interface.

Visual integration architecture wraps a common browser user interface
around a set of diverse applications. This interface enables the user, for example,
a physician, to use one set of screens to access clinical data even though those
data may come from several different applications.

This view of architecture is focused on the various approaches to the integra­
tion of applications: integration by sharing data between applications, integration
by having all applications use one database, and integration by having an inte­
grated access to data. This view does not address other aspects of architecture,
for example, the means by which the organization might get information to
mobile workers.

Architecture Examples

A few examples will help illustrate how architecture can guide IT choices.
Each example begins with an architecture statement and then shows some
choices about core technologies and applications and the approach to imple­
menting them that might result from this statement.

Statement. We would like to deliver an EHR to our small physician prac­
tices that is inexpensive, reliable, and easy to support. To do this we will

• Run the application from our computer room, reducing the need for
practice staff members to manage their own servers and do tasks such
as backups and applying application enhancements

• Run several practices on one server to reduce the cost

• Obtain a high-speed network connection, and a backup connection,
from our local telephone company to provide good application
performance and improve reliability

Statement. We would like to have decision-support capabilities in our
clinical information systems. To do this we will

• Purchase our applications from a vendor whose product includes a
very robust rules engine

• Make sure that the rules engine has the tools necessary to author new
decision support and maintain existing clinical logic

• Ensure that the clinical information systems use a single database
with codifi ed clinical data

I N F O R M A T I O N T E C H N O L O G Y A R C H I T E C T U R E · 173

Statement. We want all of our systems to be easy and efficient to support.
To do this we will

• Adopt industry standard technology, making it easier to hire support

staff members

• Implement proven technology—technology that has had most of the

bugs worked out

• Purchase our application systems from one vendor, reducing the

support problems and the finger-pointing that can occur between

vendors when problems arise

Observations about Architecture

Organizations will often bypass the architecture discussion in their haste to
“get the IT show on the road and begin implementing stuff.” Haste makes
waste, as people say. It is terribly important to have thoughtful architecture
discussions. There are many organizations, for example, that never took the
time to develop thoughtful plans for integrating applications and that then
discovered, after millions of dollars of IT investments, that this oversight
meant that they could not integrate these applications or that the integration
would be expensive and limited.

As we will see in Chapter Thirteen, the organizations that have been
very effective in their applications of IT over many years have had a signif­
icant focus on architecture. They have realized that thoughtful approaches
to agility, cost efficiency, and reliability have a significant impact on their
ability to continue to apply technology to improve organizational perfor­
mance. For example, information systems that are not agile can be diffi cult
(or impossible) to change as the organization’s needs evolve. This ossifi cation
can strangle an organization’s progress. In addition, information systems that
have reliability problems can lead an organization to be hesitant to implement
new, strategically important applications—how can they be sure that this new
application will not go down too often and impair their operations?

Organizational leadership must take time to engage in the architecture
discussion. The health care executive does not need to be involved in decid­
ing which vendor to choose to provide network switches. But he or she does
need a basic understanding of the core technologies in order to help guide
the formation of the principles and strategies that will direct that decision. In
the following example, the application integration perspective on architecture
(choosing among best of breed, monolithic, and visual integration) illustrates
a typical architecture challenge that a hospital might face.

174 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N

A hospital has adopted a best-of-breed approach and, over the course of
several years, has implemented separate applications that support the reg­
istration, laboratory, pharmacy, and radiology departments and the tran­
scription of operative notes and discharge summaries. An interface engine
has been implemented that enables registration transactions to fl ow from
the registration system to the other systems.

However, the physicians and nurses have started to complain. To
retrieve a patient’s laboratory, pharmacy, and radiology records and tran­
scribed materials, they have to sign into each of these systems, using a
separate user name and password. To obtain an overall view of a patient’s
condition, they have to print out the results from each of these systems and
assemble the different printouts. All of this takes too much time, and there
are too many passwords to remember.

Moreover, the hospital would like to analyze its care, in an effort to
improve care quality, but the current architecture does not include an inte­
grated database of patient results.

The hospital has two emerging architectural objectives that the current
architecture cannot meet:

1. Provide an integrated view of a patient’s results for caregivers.

2. Effi ciently support the analysis of care patterns.


Acquiring or selecting a new clinical or administrative information system is
a major undertaking for a health care organization. It is important that the
process be managed effectively. Although the time and resources needed to
select a new system will vary depending on the size, complexity, and needs
of the organization, certain fundamental issues should be addressed in any
system acquisition project.

This chapter discussed the various activities that occur in the system
acquisition process. These activities were presented in the context of a mul­
tiphysician group practice that wishes to replace its current paper record
with an EHR system by acquiring a system from a reputable vendor. Key
activities in the system selection process are (1) establishing a project steering

S U M M A R Y · 175

Choosing the System Architecture

To address these objectives, the hospital decides to implement a browser-
based application that will do the following:

• Gathers clinical data from each application and presents it in a
unifi ed view for the caregivers

• Supports the entry of one user ID and password that is synchronized
with the user ID and password for each application

In addition, the hospital decides to implement a database that receives
clinical results from each of the applications and stores these data for
access by query tools and analysis software.

To achieve its emerging objectives, the hospital has migrated from best­
of-breed architecture to visual integration architecture. The hospital has
also extended to visual integration architecture by adding an integrated
database for analysis purposes.

In analyzing what would be the best architecture to meet its new objec­
tives, the hospital considered monolithic architecture. It could meet its objec­
tives by replacing all applications with one integrated suite of applications
from one vendor. However, the hospital decided that this approach would be
too expensive and time-consuming. Besides, the current applications (labora­
tory, pharmacy, and radiology) worked well; they just weren’t integrated. The
monolithic architecture approach to integration was examined and discarded.

committee and appointing a strong project manager to lead the effort, (2)
defining project objectives, (3) screening the vendor marketplace, (4) deter­
mining system goals, (5) establishing system requirements, (6) developing
and administering an RFP or RFI, (7) evaluating vendor proposals, and (8)
conducting a cost-benefi t analysis on the various options. Other options such
as contracting with a vendor for cloud computing service arrangements or
a system developer were also discussed. This chapter presented some of the
issues that can arise during the system selection process and outlined the
importance of documenting and communicating project activities and prog­
ress. Finally, the chapter concluded with a general overview of IT architecture
and its relevance in making IT investment decisions.

176 · C H A P T E R 5 : S Y S T E M A C Q U I S I T I O N


Acquisition process
Cloud-based computing
Cost-benefi t analysis
Design phase
Implementation phase
Planning and analysis phase
Project repository


Project steering committee
Request for information (RFI)
Request for proposal (RFP)
Support and evaluation phase
Systems development life cycle (SDLC)
Usability testing
IT architecture

1. Interview a health care executive regarding the process last used by
his or her organization to acquire a new information system. How did
that process compare with the system acquisition process described
in this chapter?

2. Assume you are part of a project steering committee in a rural
nonprofi t hospital. The hospital is interested in replacing its legacy
EHR system. You offer to screen the marketplace to see what types of
EHRs are available. Prepare a fifteen-minute summary report of your
findings to the committee at large.

3. Conduct a literature review (including an Internet search) on various
cloud-based computing services available in health care. What
criteria might you use to compare them? How do they differ in terms
of service, support, and fi nancing arrangements?

4. Find and critique a sample RFP for a health care organization.
What did you like about it? What aspects of it did you feel could be
improved? Explain.

5. This chapter described a typical physician practice that wishes to
select an EHR system. Using the information in the Valley Practice
scenario, draft a script for vendors to use in demonstrating their
products and services to Valley Practice staff members. Include a
description of the process you used to arrive at the script.

6. Working with your classmates in small groups, assume that you
are a Valley Practice committee member interested in obtaining
user feedback on the EHR vendor demonstrations. Develop a survey
instrument that might be used to solicit and summarize participants’
responses to each vendor demonstration. Swap the survey your group
designed with another group’s survey; critique each other’s work.

R E F E R E N C E S · 177


American Health Information Management Association (AHIMA). (2007). The RFP
process for EHR systems (updated). Retrieved February 2013 from http://library

Armbrust, M., Fox, A., Griffith, R. Joseph, A. D., Katz, R., Konwinski, A., . . . &
Zaharia, M. (2010). A view of cloud computing. Communications of the ACM,
53(4), 50–58.

Brooke, J. (1996). SUS: A “quick and dirty” usability scale. In P. W. Jordan, B.
Thomas, I. L. McClelland, & B. A. Weerdmeester (Eds.), Usability evaluation in
industry (pp. 189–194). London, UK: Taylor & Francis.

Cloud Standards Customer Council. (2012). Impact of cloud computing on health-
care. Retrieved from­

Corrao, N. J., Robinson, A. G., Swiernik, M. A., & Naeim, A. (2010). Importance of
testing for usability when selecting and implementing an electronic health or
medical record system. Journal of Oncology Practice, 6(3), 120–124.

DeLuca, J., & Enmark, R. (2002). The CEO’s guide to health care information systems
(2nd ed.). San Francisco, CA: Jossey-Bass.

Eisenstein, E. L., Jurwishin, D., Kushniruk, A. W., & Nahm, M. (2011). Defi ning
a framework for health information technology evaluation. Studies in Health
Technology and Informatics, 164, 94–99.

Glaser, J. (2002). The strategic application of information technology in health care
organizations (2nd ed.) San Francisco, CA: Jossey-Bass.

Griebel, L., Prokosch, H., Kopcke, F., Toddenroth, D., Christoph, J., Leb, I., Engel,
I., & Sedlmayr, M. (2015). A scoping review of cloud computing in healthcare.
BMC Medical Informatics and Decision Making, 15, 17, 1–16.

Institute of Medicine (IOM). (2011). Health IT and patient privacy: Building safer
systems for better care. Washington, DC: National Academies Press.

Jones, S. S., Koppel, R., Ridgley, M. S., Palen, T., Wu, S., & Harrison, M. I. (2011, Aug.).
Guide to reducing unintended consequences of electronic health records. Rockville,
MD: Agency for Healthcare Research and Quality.

Lewis, J. R., & Sauro, J. (2009). The factor structure of the system usability scale.
In Proceedings of the Human Computer Interaction International Conference
(HCII 2009), San Diego, CA.

Oz, E. (2012). Management information systems: Instructor edition (6th ed.). Boston,
MA: Course Technology.

Wager, K. A., & Lee, F. W. (2006). Introduction to healthcare information systems. In
M. Johns (Ed.), Health information management technology: An applied approach
(2nd ed.). Chicago, IL: American Health Information Management Association.


System Implementation

and Support


• To be able to discuss the process that a health care organization
typically goes through in implementing a health care
information system.

• To be able to assess the organizational and behavioral factors
that can affect system acceptance and use and strategies for
managing change.

• To be able to develop a sample system implementation plan for
a health care information system project, including the types of
individuals who should be involved.

• To gain insight into many of the things that can go wrong during
system implementations and strategies that health care manager
can employ to alleviate potential problems.

• To be able to discuss the importance of training, technical
support, infrastructure, and ongoing maintenance and
evaluation of any health care information system project.


180 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

Once a health care organization has finalized its contract with the vendor to
acquire an information system, the system implementation process begins.
Selecting the right system does not ensure user acceptance and success; the
system must also be incorporated effectively into the day-to-day operations
of the health care organization and adequately supported or maintained.
Whether the system is built in-house, designed by an outside consultant,
or leased or purchased from a vendor, it will take a substantial amount of
planning and work to get the system up and running smoothly and integrated
into operations.

This chapter focuses on the two final stages of the system development
life cycle: implementation and then support and evaluation. It describes the
planning and activities that should occur when implementing a new system.
Our discussion focuses on a vendor-acquired system; however, many of the
activities described also apply to systems designed in-house, by an outside
developer, or acquired or leased through cloud-based computing services.

Implementing a new system (or replacing an old system) can be a massive
undertaking for a health care organization. Not only are there workstations to
install, databases to build, and networks to test but also there are processes
to redesign, users to train, data to convert, and procedures to write. There
are countless tasks and details that must be appropriately coordinated and
completed if the system is to be implemented on time and within budget—
and widely accepted by users. Essential to the process is ensuring that the
introduction of any new health care information system or workfl ow change
results in improved organizational performance, such as a reduction in
medication errors, an improvement in care coordination, and more effective
utilization of tests and procedures.

Concerns have been raised about the potential for EHRs to result in risk
to patient safety. Health care information systems such as EHRs are enor­
mously complex and involve not only the technology (hardware and software)
but also people, processes, workflow, organizational culture, politics, and
the external environment (licensure, accreditation, regulatory agencies). The
Institute of Medicine published a report that offers health care organizations
and vendors suggestions on how to work collaboratively to make health IT
safer (IOM, 2011). Poor user-interface designs, ineffective workflow, and lack
of interoperability are all considered threats to patient safety. Several of the
suggested strategies for ensuring system safety are discussed in this chapter.

Along with attending to the many activities or tasks associated with
system implementation, it is equally important to manage change effectively
and address organizational and behavioral issues. Studies have shown that
over half of all information system projects fail. Numerous political, cultural,
behavioral, and ethical factors can affect the successful implementation and

S Y S T E M I M P L E M E N T A T I O N P R O C E S S · 181

use of the new system (Ash, Anderson, & Tarczy-Hornoch, 2008; Ash, Sittig,
Poon, Guappone, Campbell, & Dykstra, 2007; McAlearney, Hefner, Sieck,
& Huerta, 2015; Sittig & Singh, 2011). We devote a section of this chapter
to strategies for managing change and the organizational and behavioral
issues that can arise during the system implementation process. The chapter
concludes by describing the importance of supporting and maintaining infor­
mation systems.


System implementation begins once the organization has acquired the system
and continues through the early stages following the go-live date (the date
when the system is put into general use for everyone). Similar to the system
acquisition process, the system implementation process must have a high
degree of support from the senior executive team and be viewed as an orga­
nizational priority. Sufficient staff, time, and resources must be devoted to
the project. Individuals involved in rolling out the new system should have
sufficient resources available to them to ensure a smooth transition.

The time and resources needed to implement a new health care informa­
tion system can vary considerably depending on the scope of the project, the
needs and complexity of the organization, the number of applications being
installed, and the number of user groups involved. There are, however, some
fundamental activities that should occur during any system implementation,
regardless of its size or scope:

• Organize the implementation team and identify a system champion.

• Clearly define the project scope and goals.

• Identify accountability for the successful completion of the project.

• Establish and institute a project plan.

Failing to appropriately plan for and manage these activities can lead to
cost overruns, dissatisfied users, project delays, and even system sabotage.
In fact, during the industry rush to take advantage of CMS incentive dollars,
a flurry of EHR stories hit the news—with everything from CIOs and CEOs
losing their jobs as a result of “failed” EHR implementations, to hospital
operations screeching to a halt, to signifi cant financial problems arising
from glitches in the revenue cycle. These high-profile cases brought national
attention to the consequences of a failed implementation. During system
implementation, facilities often see their days in accounts receivable and
denials increase while cash flow slows. By organizations anticipating risks

182 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

to the revenue cycle prior to go-live and as part of EHR workflow, they are
in a much better position to stay on track and maintain positive fi nancial
performance during the transition (Daly, 2016). In today’s environment, in
which capital is scarce and resources are limited, health care organizations
cannot afford to mismanage implementation projects of this magnitude and
importance. Examining lessons learned from others can be helpful.

Organize the Implementation Team
and Identify a Champion

One of the first steps in planning for the implementation of a new system is
to organize an implementation team. The primary role and function of the
team is to plan, coordinate, budget, and manage all aspects of the new system
implementation. Although the exact team composition will depend on the
scope and nature of the new system, a team might include a project leader,
system champion(s), key individuals from the clinical and administrative
areas that are the focus of the system being acquired, vendor representatives,
and information technology (IT) professionals. For large or complex projects,
it is also a good idea to have someone skilled in project management princi­
ples on the team. Likewise, having a strong project leader and the right mix
of people is critically important.

Implementation teams often include some of the same people involved in
selecting the system; however, they may also include other individuals with
knowledge and skills important to the successful deployment of the new
system. For example, the implementation team will likely need at least one
IT professional with technical database and network administration exper­
tise. This person may have had some role in the selection process but is now
being called on to assume a larger role in installing the software, setting up
the data tables, and customizing the network infrastructure to adequately
support the system and the organization’s needs.

The implementation team should also include at least one system cham­
pion. A system champion is someone who is well respected in the organi­
zation, sees the new system as necessary to the organization’s achievement
of its strategic goals, and is passionate about implementing it. In many
health care settings the system champion is a physician, particularly when
the organization is implementing a system that will directly or indirectly
affect how physicians spend their time. The physician champion serves as
an advocate of the system, assumes a leadership role in gaining buy-in from
other physicians and user groups, and makes sure that physicians have ade­
quate input into the decision-making process. Other important qualities of

S Y S T E M I M P L E M E N T A T I O N P R O C E S S · 183

system champions are strong communication, interpersonal, and listening
skills. The system champion should be willing to assist with pilot testing, to
train and coach others, and to build consensus among user groups (Miller
& Sim, 2004). Numerous studies have demonstrated the importance of
the system champion throughout the implementation process (Ash, Stavri,
Dykstra, & Fournier, 2003; Daly, 2016; Miller, Sim, & Newman, 2003; Wager,
Lee, White, Ward, & Ornstein, 2000; Yackanicz, Kerr, & Levick, 2010). When
implementing clinical applications that span numerous clinical areas, such
as nursing, pharmacy, and physicians, having a system champion from each
division can be enormously helpful in gaining buy-in and in facilitating
communication among staff members. The various system champions can
also assume a pivotal role in ensuring that project milestones are achieved
and celebrated.

Clearly Define the Project Scope and Goals

One of the implementation team’s first items of business is to determine the
scope of the project and develop tactical plans. To set the tone for the project,
a senior health care executive should meet with the implementation team
to communicate how the project relates to the organization’s overall strate­
gic goals and to assure the team of the administration’s commitment to the
project. The senior executive should also explain what the organization or
health system hopes the project will achieve.

The goals of the project and what the organization hopes to achieve by
implementing the new system should emerge from early team discussions.
The system goals defined during the system selection process (discussed
in Chapter Five) should be reviewed by the implementation team. Far too
often health care organizations skip this important step and never clearly
define the scope of the project or what they hope to gain as a result of the
new system. At other times they define the scope of the project too broadly
or scope creep occurs. The goals should be specific, measurable, attainable,
relevant, and timely. They should also define the organization’s criteria for
success (Cusack & Poon, 2011).

Let’s look at two hypothetical examples from two providers that we will
call Rutledge Retirement Community and St. Luke’s Medical Center. The
implementation team at Rutledge Retirement Community defined its goal
and the scope of the project and devised measures for evaluating the extent
to which Rutledge achieved this goal. The implementation team at St. Luke’s
Medical Center was responsible for completing Phase 1 of a three-part project;
however, the scope of the team’s work was never clearly defi ned.

184 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T


Rutledge Retirement Community

Rutledge Retirement Community in a Commission on Accreditation of
Rehabilitation Facilities (CARF)–accredited continuum of care commu­
nity offers residential, assisted living, and skilled care to residents in
southern Georgia. An implementation team was formed and charged
with managing all aspects of the EHR rollout. Rutledge’s mission is to
be “the premier continuum of care facility in the region providing high-
quality, resident-centered care with family engagement.” Considering
how to achieve this mission, the team identified the EHR as the building
block needed to improve care coordination, reduce medication errors,
and create communication channels with families of residents by offering
a family portal. In addition to establishing this goal, the team went a step
further to define what a successful EHR implementation initiative would
consist of. Team members then developed a core set of metrics—reduction
in medication errors, reduction in duplicate services, and increased com­
munication with family regarding residents’ health status. Family and
caregiver satisfaction with communication were also assessed.

St. Luke’s Medical Center

St. Luke’s Medical Center set out to implement a digital medical record,
planning to do so in three phases. Phase 1 would involve establishing a
clinical data repository, a central database from which all ancillary clin­
ical systems would feed. Phase 2 would consist of the implementation of
computerized physician order entry (CPOE) and nursing documentation
systems, and Phase 3 would see the elimination of all outside paper reports
through the implementation of a document-imaging system. St. Luke’s
staff members felt that if they could complete all three phases, they would
have, in essence, a true electronic or digital patient record. The implemen­
tation team did not, however, clearly define the scope of its work. Was it to
complete Phase 1 or all three phases? Likewise, the implementation team
never defined what it hoped to accomplish or how implementation of the
digital record fit into the medical center’s overall mission or organizational
goals. It never answered the question, How will we know if we are suc­
cessful? Some project team members argued that a digital record was not
the same as an EHR and questioned whether the team was headed down
the right path. The ambiguity of the implementation team’s scope of work
led to disillusionment and a sense of failing to ever finish the project.

S Y S T E M I M P L E M E N T A T I O N P R O C E S S · 185

Identify Accountability for the Successful
Completion of the Project

Four roles are important in the management of large health care information
system projects:

• Business sponsor

• Business owner

• Project manager

• IT manager

Business Sponsor

The business sponsor is the individual who holds overall accountability
for the project. The sponsor should represent the area of the organization
that is the major recipient of the performance improvement that the project
intends to deliver. For example, a project that involves implementing a new
claims processing system may have the chief fi nancial offi cer as the business
sponsor. A project to improve nursing workflow may ask the chief nursing
officer to serve as business sponsor. A project that affects a large portion of
the organization may have the CEO as the business sponsor.

The sponsor’s management or executive level should be appropriate to
the magnitude of the decisions and the support that the project will require.
The more significant the undertaking, the higher the organizational level of
the sponsor.

The business sponsor has several duties:

• Secures funding and needed business resources—for example, the

commitment of people’s time to work on the project

• Has final decision-making and sign-off accountability for project

scope, resources, and approaches to resolving project problems

• Identifi es and supports the business owner(s) (discussed in the next


• Promotes the project internally and externally and obtains the buy-in

from business constituents

• Chairs the project steering committee and is responsible for steering

committee participation during the life of the project

• Helps define deliverables, objectives, scope, and success criteria with

identifi ed business owners and the project manager

• Helps remove business obstacles to meeting the project timeline and

producing deliverables, as appropriate

186 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

Business Owner

A business owner generally has day-to-day responsibility for running a func­
tion or a department; for example, a business owner might be the director of
the clinical laboratories. A project may need the involvement of several busi­
ness owners. For example, the success of a new patient accounting system
may depend on processes that occur during registration and scheduling (and
hence the director of outpatient clinics and the director of the admitting
department will both be business owners) and may also depend on adequate
physician documentation of the care provided (and hence the administrator
of the medical group will be another business owner).

Business owners often work on the project team. Among their several
responsibilities are the following:

• Representing their department or function at steering committee and
project team meetings

• Securing and coordinating necessary business and departmental

• Removing business obstacles to meeting the project timeline and
producing deliverables, as appropriate

• Working jointly with the project manager on several tasks (as
described in the next section)

Project Manager

The project manager does just that—manages the project. He or she is the
person who provides the day-to-day direction setting, confl ict resolution,
and communication needed by the project team. The project manager may
be an IT staffer or a person in the business, or function, benefiting from the
project. Among their several responsibilities, project managers accomplish
the following:

• Identify and obtain needed resources.

• Deliver the project on time, on budget, and according to specifi cation.

• Communicate progress to sponsors, stakeholders, and team members.

• Ensure that diligent risk monitoring is in place and appropriate risk
mitigation plans have been developed.

• Identify and manage the resolution of issues and problems.

• Maintain the project plan.

• Manage project scope.

S Y S T E M I M P L E M E N T A T I O N P R O C E S S · 187

The project manager works closely with the business owners and busi­
ness sponsor in performing these tasks. Together they set meeting agendas,
manage the meetings, track project progress, communicate project status,
escalate issues as appropriate, and resolve deviations and issues related to
the project plan.

IT Manager

The IT manager is the senior IT person assigned to the project. In performing
his or her responsibilities, the IT manager does the following:

• Represents the IT department

• Has final IT decision-making authority and sign-off accountability

• Helps remove IT obstacles to meeting project timelines and producing

• Promotes the project internally and externally and obtains buy-in from
IT constituents

Establish and Institute a Project Plan

Once the implementation team has agreed on its goals and objectives and
has identified key individuals responsible for managing the project, the next
major step is to develop and implement a project plan. The project plan should
have the following components:

• Major activities (also called tasks)

• Major milestones

• Estimated duration of each activity

• Any dependencies among activities (so that, for example, one task

must be completed before another can begin)

• Resources and budget available (including staff members whose time

will be allocated to the project)

• Individuals or team members responsible for completing each activity

• Target dates

• Measures for evaluating completion and success

These are the same components one would find in most major projects.
What are the major activities or tasks that are unique to system implementation

188 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

projects? Which tasks must be completed first, second, and so forth? How
should time estimates be determined and milestones defi ned?

System implementation projects tend to be quite large, and therefore
it can be helpful to break the project into manageable components. One
approach to defi ning components is to have the implementation team brain­
storm and identify the major activities that need to be done before the
go-live date. Once these tasks have been identified, they can be grouped and
sequenced based on what must be done first, second, and so forth. Those
tasks that can occur concurrently should also be identified (see Figure 6.1.).
A team may find it helpful to use a consultant to guide it through the imple­
mentation process. Or the health care IT vendor may have a suggested
implementation plan; the team must make sure, however, that this plan
is tailored to suit the unique needs of the organization in which the new
system is to be introduced.

The subsequent sections describe the major activities common to most
information system implementation projects (outlined in the “Typical Com­
ponents of an Implementation Plan” box) and may serve as a guide. These
activities are not necessarily in sequential order; the order used should be
determined by the institution in accordance with its needs and resources.

Workflow and Process Analysis

One of the first activities necessary in implementing any new system is to
review and evaluate the existing workflow or business processes. Members of
the implementation team might also observe the current information system
in use (if there is one). Does it work as described? Where are the problem
areas? What are the goals and expectations of the new system? How do orga­
nizational processes need to change in order to optimize the new system’s
value and achieve its goals? Too often organizations never critically evaluate
current business processes but plunge forward implementing the new system
while still using old procedures. The result is that they simply automate their
outdated and ineffi cient processes.

Before implementing any new system, the organization should evaluate
existing procedures and processes and identify ways to improve workfl ow,
simplify tasks, eliminate redundancy, improve quality, and improve user
(customer) satisfaction. In complex settings, it can be critically important to
have informatics professionals such as CMIOs and CNIOs actively involved in
the implementation team in analyzing workfl ow and information fl ow (Elias,
Barginere, Berry, & Selleck, 2015). Although describing them is beyond the
scope of this book, many extremely useful tools and methods are available
for analyzing workflow and redesigning business processes (see, for example,

190 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

Typical Components of an Implementation Plan

1. Workflow and process analysis

• Analyze or evaluate current process and procedures.

• Identify opportunities for improvement and, as appropriate, effect
those changes.

• Identify sources of data, including interfaces to other systems.

• Determine location and number of workstations needed.

• Redesign physical location as needed.

2. System installation

• Determine system confi guration.

• Order and install hardware.

• Prepare data center.

• Upgrade or implement IT infrastructure.

• Install software and interfaces.

• Customize software.

• Test, retest, and test again . . .

3. Staff training

• Identify appropriate training method(s) to be used for each major
user group.

• Prepare training materials.

Guide to Reducing Unintended Consequences of Electronic Health Records,
by Jones, Koppel, Ridgley, Palen, Wu, & Harrison, 2011). Observing the
old system in use, listening to users’ concerns, and evaluating information
workflow can identify many of the changes needed. In addition, the vendor
generally works with the organization to map its future workflow using fl ow-
charts or flow diagrams. It is critical that all key areas affected by the new
system participate in the workflow analysis process so that potential problems
can be identified and addressed before the system goes live. For example, if a
new CPOE application is to be implemented using a phased-in approach, in
which the system will go-live unit by unit over a three-month process, how
will the organization ensure orders are not lost or duplicated if a patient is
transferred between a unit using CPOE and a unit using handwritten orders?
What will downtime procedures entail? If paper orders are generated during

S Y S T E M I M P L E M E N T A T I O N P R O C E S S · 191

• Train staff members.

• Test staff member profi ciency.

• Update procedure manuals.

4. Conversion

• Convert data.

• Test system.

5. Communications

• Establish communication mechanisms for identifying and address­
ing problems and concerns.

• Communicate regularly with various constituent groups.

6. Preparation for go-live date

• Select date when patient volume is relatively low.

• Ensure suffi cient staff members are on hand.

• Set up mechanism for reporting and correcting problems and


• Review and effect process reengineering.

7. System downtime procedures

• Develop downtime procedures.

• Train staff members on downtime procedures.

downtime, how will these orders be stored or become part of the patient’s
permanent medical record?

Involving users at this early stage of the implementation process can
gain initial buy-in to the idea and the scope of the process redesign. In all
likelihood, the organization will need to institute a series of process changes
as a result of the new system. Workflow and processes should be evaluated
critically and redesigned as needed. For example, the organization may fi nd
that it needs to do away with old forms or work steps, change job descriptions
or job responsibilities, or add to or subtract from the work responsibilities of
particular departments. Getting users involved in this reengineering process
can lead to greater user acceptance of the new system.

Let’s consider an example. Suppose a multiphysician clinic is imple­
menting a new practice management system that includes a patient portal

192 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

for appointment scheduling, prescription refills, and paying bills. The clinic
might wish to begin by appointing a small team of individuals knowledge­
able about analyzing workflow and processes to work with staff members in
studying the existing process for scheduling patient appointments, refi lling
prescriptions, and patient billing. This team might conduct a series of indi­
vidual focus groups with schedulers, physicians and nurses, and patients,
and ask questions such as these:

• Who can schedule patient appointments?

• How are patient appointments made, updated, or deleted?

• Who has access to scheduling information? From what locations?

• How well does the current system work? How effi cient is the process?

• What are the major problems with the current scheduling system and
process? In what ways might it be improved?

The team should tailor the focus questions so they are appropriate for
each user group. The answers can then be a guide for reengineering existing
processes and workflow to facilitate the new system. A similar set of questions
could be asked concerning the refill of prescriptions or patient billing processes.

During the workfl ow analysis, the team should also examine where the
new system’s actual workstations will be located, how many workstations
will be needed, and how information will flow between manual organi­
zational processes (such as phone calls) and the electronic information
system. Here are a few of the many questions that should be addressed
in ensuring that physical layouts are conducive to the success of the new

• Will the workstations be portable or fixed? If users are given portable
units, how will these be tracked and maintained (and protected from
loss or theft)? If workstations are fixed, will they be located in safe,
secure areas where patient confi dentiality can be maintained?

• How will the user interact with the new system?

• Does the physical layout of each work area need to be redesigned to
accommodate the new system and the new process?

• Will additional wiring be needed?

• How will the new system affect the workfl ow within the practice
among offi ce staff members, nurses, and physicians?

• Will the e-prescribing function with local pharmacies be affected by
the change?

S Y S T E M I M P L E M E N T A T I O N P R O C E S S · 193

System Installation

The next step, which may be done concurrently with the workfl ow analysis,
is to install the hardware, software, and network infrastructure to support
the new information system and build the necessary interfaces. IT staff
members play a crucial role in this phase of the project. They will need to
work closely with the vendor in determining system specifications and con­
figurations and in preparing the computer center for installation. It may be,
for example, that the organization’s current computer network will need to
be replaced or upgraded. During implementation, having adequate numbers
of computer workstations placed in readily accessible locations is critical.
Those involved in the planning need to determine beforehand the maximum
number of individuals likely to be using the system at the same time and
accommodate this scenario. Vendors may recommend a certain number of
workstations or use of hand-held devices; however, the organization must
ensure the recommendations are appropriate.

Typically when a health care organization acquires a system from a
vendor, quite a bit of customization is needed. IT personnel will likely work
with the vendor in setting up and loading data tables, building interfaces,
and running pilot tests of the hardware and software using actual patient
and administrative data. It is not unlikely when purchasing a clinical appli­
cation such as order entry from a vendor, for example, that the health care
organization is provided a shell or basic framework from which to build the
order sets or electronic forms. A great deal of customization and building
of templates occurs. Thus, it is a good idea to pay physicians for their time
involved in the project. For instance, if you need a physician’s time to assist
in building or reviewing order sets for the cardiology division, factor that
into the resources needed for the project, perhaps by allocating two hours
per week to the project for a certain period of time. Otherwise, you may be
pulling physicians away from seeing patients and revenue-generating activi­
ties. It demonstrates the value placed on the physician’s time and commitment
to the project.

We recommend piloting the system in a unit or area before rolling out
the system enterprise-wide. This test enables the implementation team to
evaluate the system’s effectiveness, address issues and concerns, fi x bugs,
and then apply the lessons learned to other units in the organization before
most people even start using the system. Vendors will often offer guiding
principles and strategies that they have found effective in implementing

Consideration should be given to choosing an appropriate area (for
example, a department or a location) or set of users to pilot the system.

194 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

Following are some of the questions the implementation team should consider
in identifying potential pilot sites:

• Which units or areas are willing and equipped to serve as a pilot
site? Do they have suffi cient interest, administrative support, and

• Are the staff and management teams in each of these units or areas
comfortable with being system guinea pigs?

• Do staff members have the time and resources needed to serve in this

• Is there a system champion in each unit or area who will lead the

In migrating from one electronic system to another, such as from a legacy
EHR to a new EHR, it may be more appropriate to go-live at once, instead of
a more staggered or phased approach. For example, when Bon Secours Health
System embarked on the implementation of an EHR system among fourteen
hospitals, they decided after the second hospital EHR implementation to adopt
the EHR vendor’s revenue cycle system along with the clinical application,
and go-live with both systems at once (Daly, 2016). This enabled them to
monitor clinical and financial indicators at the same time and ensure that
the charge master and revenue cycle teams worked collaboratively prior to
and following implementation.

Staff Training

Training is an essential component of any new system implementation.
Although no one would argue with this statement, the implementation team
will want to consider many issues as it develops and implements a training

• How much training is needed? Do different user groups have different
training needs?

• Who should conduct the training?

• When should the training occur? What intervals of training are ideal?

• What training format is best: for example, formal, classroom-style
training; one-on-one or small-group training; computer-based training;
or a combination of methods?

• What is the role of the vendor in training?

S Y S T E M I M P L E M E N T A T I O N P R O C E S S · 195

• Who in the organization will manage or oversee the training? How
will training be documented?

• What criteria and methods will be used to monitor training and
ensure that staff members are adequately trained? Will staff members
be tested on profi ciency?

• What additional training and support are available to physicians and
others after go-live?

There are various methods of training. One approach, commonly known
as train the trainer, relies on the vendor to train selected members of the
organization who will then serve as super-users and train others in their
respective departments, units, or areas. These super-users should be individ­
uals who work directly in the areas in which the system is to be used; they
should know the staff members in the area and have a good rapport with
them. They will also serve as resources to other users once the vendor repre­
sentatives have left. They may do a lot of one-on-one training, hand-holding,
and other work with people in their areas until these individuals achieve a
certain comfort level with the system. The main concern with this approach
is that the organization may devote a great deal of time and resources to
training the trainers only to have these trainers leave the institution (often
because they’ve been lured away by career opportunities with the vendor).

Another method is to have the vendor train a pool of trainers who are
knowledgeable about the entire system and who can rotate through the
different areas of the organization working with staff members. The trainer
pool might include IT professionals (including clinical analysts) and clinical
or administrative staff members such as nurses, physicians, lab managers,
and business managers.

Regardless of who conducts the training, it is important to introduce fun­
damental or basic concepts first and enable people to master these concepts
before moving on to new ones. Studies among health care organizations that
have implemented clinical applications such as CPOE systems have shown
that classroom training is not nearly as effective as one-on-one coaching,
particularly among physicians (Holden, 2011; Metzger & Fortin, 2003). Most
systems can track physician use; physicians identified as low-volume users
may be targeted for additional training.

Timing of the training is also important. Users should have ample oppor­
tunity to practice before the system goes live. For instance, when a nursing
documentation system is being installed, nurses should have the chance to
practice with it at the bedside of a typical patient. Likewise, when a CPOE
system is going in, physicians should get to practice ordering a set of tests

196 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

during their morning rounds. This just-in-time training might occur several
times, for example, three months, two months, one month, and one week
before the go-live date. Its purpose is to enable users to practice on the
system multiple times before go-live. Training might be supplemented with
computer-based training modules that enable users to review concepts and
functions at their own pace. Training has to be a priority and at least some
of training should be in an environment free of distractions. Eventually staff
members will want to use the system in a near-live or simulated environment.
Additional staff members should be on hand during the go-live period to
assist users as needed during the transition to the new system. In general, the
implementation team should work with the vendor to produce a thoughtful
and creative training program.

Once the details of how the new system is to work have been deter­
mined, it is important to update procedure manuals and make the updated
manuals available to the staff members. Designated managers or representa­
tives from the various areas may assume a leadership role in updating proce­
dure manuals for their respective areas. When people must learn specifi c IT
procedures such as how to log in, change passwords, and read common error
messages, the IT department should ensure that this information appears in
the procedure manuals and that the information is routinely updated and
widely disseminated to the users. Procedure manuals serve as reference
guides and resources for users and can be particularly useful when training
new employees.

Effective training is important. Staff members need to be relatively com­
fortable with the application and need to know to whom they should turn if
they have questions or concerns. We recommend having the users evaluate
the training prior to go-live.


Another important task is to convert the data from the old system to the new
system and then adequately test the new system. Staff members involved in
the data conversion must determine the sources of the data required for the
new system and construct new files. It is particularly important that data be
complete, accurate, and current before being converted to the new system.
Data should be cleaned before being converted. Once converted, the data
should run through a series of validation checkpoints or procedures to ensure
the accuracy of the conversion.

IT staff members who are knowledgeable in data conversion proce­
dures should lead the effort and verify the results with key managers from
the appropriate clinical and administrative areas. The specifi c conversion

S Y S T E M I M P L E M E N T A T I O N P R O C E S S · 197

procedures used will depend on the nature of the old system and its structure
as well as on the configuration of the new system.

Finally, the new system will need to be tested. The main purpose of the
testing is to simulate the live environment as closely as possible and deter­
mine how well the system and accompanying procedures work. Are there
programming glitches or other problems that need to be fixed? How well
are the interfaces working? How does response time compare to what was
expected? The system should be populated with live data and tested again.
Vendors, IT staff members, and user staff members should all participate in
the testing process. As with training, one can never test too much. A good
portion of this work has to be done for the pilot testing. It may need to be
repeated before going live. And the pilot lessons will guide any additional
testing or conversion that needs to be done. In some cases, it may be advis­
able to run the old and new systems in tandem (parallel conversion) for a
period of time until it is evident that the new system is operating effectively.
This can reduce organizational risk. Again, running parallel systems is not
always feasible or appropriate. Instead, organizations may opt to implement
the system using a phased approach over a period of time.


Equally as important as successfully carrying out the activities discussed
so far is having an effective plan for communicating the project’s progress.
This plan serves two primary purposes. First, it identifies how the members
of the implementation team will communicate and coordinate their activities
and progress. Second, it defines how progress will be communicated to key
constituent groups, including but not limited to the board, the senior admin­
istrative team, the departments, and the staff members at all levels of the
organization affected by the new system. The communication plan may set
up formal and informal mechanisms. Formal communication may include
everything from regular updates at board and administrative meetings to
written briefings and articles in the facility newsletter. The purpose should
be to use as many channels and mechanisms as possible to ensure that the
people who need to know are fully informed and aware of the implemen­
tation plans. Informal communication is less structured but can be equally
important. Implementing a new health care information system is a major
undertaking, and it is important that all staff members (day, evening, and
night shifts) be made aware of what is happening. The methods for com­
munication may be varied, but the message should be consistent and the
information presented up-to-date and timely. For example, do not rely on
e-mail communication as your primary method only to discover later that

198 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

your organization’s nurses do not regularly check their e-mail or have little
time to read your type of message.

Preparation for System Go-Live

A great deal of work goes into preparing for the go-live date, the day the
organization transitions from the old system to the new. Assuming the imple­
mentation team has done all it can to ensure that the system is ready, the
staff members are well trained, and appropriate procedures are in place, the
transition should be a smooth one. Additional staff members should be on
hand and equipped to assist users as needed. It is best to plan for the system
to go-live on a day when the patient census is typically low or fewer patients
than usual are scheduled to be seen. Disaster recovery plans should also be
in place, and staff members should be well trained on what to do should the
system go down or fail. Designated IT staff members should monitor and
assess system problems and errors.

System Downtime Procedures

One thing that you can count on is that systems will go down. Both sched­
uled and unscheduled downtime exist, and downtime procedures need to be
developed and communicated well before go-live. Any negative impact will be
minimized if the organization has invested in a stable and secure technical IT
infrastructure and backup procedures and fail-safe systems are in place. But
everyone needs to know what to do if the system is down, from the registra­
tion staff members to the nursing staff members to the medical staff members
and the transport team. How will orders be placed? If a paper record is kept
during downtime, what is the procedure for getting the documentation in
electronic form when the system is up again? How will scheduled downtime
be communicated to units? And all staff members? If an organization relies
heavily on computerized systems to care for patients, downtime should be
minimal or near 0 percent. However, business continuity procedures must
be in place to ensure patient safety and continuity of care.


Implementing an information system in a health care facility can have a
profound impact on the organization, the people who work there, and the
patients they serve. Individuals may have concerns and apprehensions about

M A N A G I N G C H A N G E A N D T H E O R G A N I Z A T I O N A L A S P E C T S · 199

the new system: How will the new system affect my job responsibilities or
productivity? How will my workload change? Will the new system cause
me more or less stress? Even individuals who welcome the new system, see
the need for it, and see its potential value may worry: What will I do if the
system is down? Will the system impede my relationship with my patients?
Who will I turn to if I have problems or questions? Will I be expected to type
my notes into the system? With the new system comes change, and change
can be difficult if not managed effectively.

Effecting Organizational Change

The management strategies required to manage change depend on the type
of change. As one moves from incremental to fundamental change, the mag­
nitude and risk of the change increase enormously, as does the uncertainty
about the form and success of the outcome.

Managing change has several necessary aspects:

• Leadership

• Language and vision

• Connection and trust

• Incentives

• Planning, implementing, and iterating (Keen, 1997)


Change must be led. Leadership, often in the form of a committee of leaders,
will be necessary to accomplish the following:

• Define the nature of the change.

• Communicate the rationale for and approach to the change.

• Identify, procure, and deploy necessary resources.

• Resolve issues and alter direction as needed.

• Monitor the progress of the change initiative.

This leadership committee needs to be chaired by an appropriate senior
leader. If the change affects the entire organization, the CEO should chair
the committee. If the change is focused on a specific area, the most senior
leader who oversees that area should chair the committee.

200 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

Language and Vision

The staff members who are experiencing the change must understand the
nature of the change. They must know what the world will look like (to the
degree that this is clear) when the change has been completed, how their roles
and work life will be different, and why making this change is important.
The absence of this vision or a failure to communicate the importance of the
vision elevates the risk that staff members will resist the change and through
subtle and not-so-subtle means cause the change to grind to a halt. Change is
hard for people. They must understand the nature of the change and why they
should go through with what they will experience as a diffi cult transition.

Leaders might describe the vision, the desired outcome of efforts to
improve the outpatient service experience, in this way:

• Patients should be able to get an appointment for a time that is most
convenient for them.

• Patients should not have to wait longer than ten minutes in the
reception area before a provider can see them.

• We should communicate clearly with patients about their disease and
the treatment that we will provide.

• We should seek to eliminate administrative and insurance busywork
from the professional lives of our providers.

These examples illustrate a thoughtful use of language. They fi rst and
foremost focus on patients. But the organization also wants to improve the
lives of its providers. The examples use the word should rather than the word
must because it is thought that staff members won’t believe the organization
can pull off 100 percent achievement of these goals, and leaders do not want
to establish goals seen as unrealistic. The examples also use the word we
rather than the word you. We means that this vision will be achieved through
a team effort, rather than implying that those hearing this message have to
bear this challenge without leadership’s help.

Connection and Trust

Achieving connection means that leadership takes every opportunity to
present the vision throughout the organization. Leaders may use depart­
ment head meetings, medical staff forums, one-on-one conversations in the
hallway, internal publications, and e-mail to communicate the vision and
to keep communicating the vision. Even when they start to feel ill because

M A N A G I N G C H A N G E A N D T H E O R G A N I Z A T I O N A L A S P E C T S · 201

they have communicated the vision one thousand times, they have to com­
municate it another one thousand times. A lot of this communication has
to be done in person, where others can see the leaders, rather than hiding
behind an e-mail. The communication must invite feedback, criticism, and

The members of the organization must trust the integrity, intelligence,
compassion, and skill of the leadership. Trust is earned or lost by everything
that leaders do or don’t do. The members must also trust that leaders have
thoughtfully come to the conclusion that the difficult change has excellent
reasons behind it and represents the best option for the organization. Orga­
nizational members are willing to rise to a challenge, often to heroic levels,
if they trust their leaders. Trust requires that leaders act in the best interests
of the staff and the organization and that leaders listen and respond to the
organization’s concerns.


Organizational members must be motivated to support significant change. At
times, excitement with the vision will be sufficient incentive. Alternatively,
fear of what will happen if the organization fails to move toward the vision
may serve as an incentive. Although important, neither fear nor rapture is
necessarily suffi cient.

If organizational members will lose their jobs or have their roles changed
significantly, education that prepares them for new roles or new jobs must be
offered. Bonuses may be offered to key individuals, awarded according to the
success of the change and each person’s contribution to the change. At times,
frankly, support is obtained through old-fashioned horse-trading—if the other
person will support the change, you will deliver something that is of interest
to him or her (space, extra staff members, a promotion). Incentives may also
take the form of awards—for example, plaques and dinners for two—to staff
members who go above and beyond the call of duty during the change effort.

Planning, Implementing, and Iterating

Change must be planned. These plans describe the tasks and task sequences
necessary to effect the change. Tasks can range from redesigning forms to
managing the staged implementation of application systems to retraining staff
members. Tasks must be allotted resources, and staff members accountable
for task performance must be designated.

Implementation of the plan is obviously necessary. Because few orga­
nizational changes of any magnitude will be fully understood beforehand,

202 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

problems will be encountered during implementation. New forms may fail to
capture necessary data. The estimate of the time needed to register a patient
may be wrong and long lines may form at the registration desk. The planners
may have forgotten to identify how certain information would flow from one
department to another.

These problems are in addition to the problems that occur, for example,
when task timetables slip and dependent tasks fall idle or are in trouble. The
implementation of the application has been delayed and will not be ready
when the staff members move to the new building—what do we do? Itera­
tion and adjustment will be necessary as the organization handles problems
created when tasks encounter trouble and learns about glitches with the new
processes and workfl ows.

Organizational and Behavioral Factors

The human factors associated with implementing a new system should not be
taken lightly. A great deal of change can occur as a result of the new system.
Some of the changes may be immediately apparent; others may occur over
time as the system is used more fully. Many IT implementation studies have
been done in recent years, and they reveal several strategies that may lead
to greater organizational acceptance and use of a new system:

• Create an appropriate environment, one in which expectations are
defined, met, and managed.

• Know your culture and do not underestimate user resistance.

• Allocate suffi cient resources, including technical support staff

members and IT infrastructure.

• Provide adequate initial and ongoing training.

• Manage unintended consequences, especially those known to affect
implementations such as CPOE and EHR systems.

• Establish strong working relationships with vendors.

Each of these strategies is described in the following sections.

Create an Appropriate Environment

If you ask a roomful of health care executives, physicians, nurses, pharma­
cists, or laboratory managers if they have ever experienced an IT system
failure, chances are over half of the hands in the room will go up. In all
likelihood the people in the room would have a much easier time describing a

M A N A G I N G C H A N G E A N D T H E O R G A N I Z A T I O N A L A S P E C T S · 203

system failure than a system success. If you probed a little further and asked
why the system was a failure, you might hear comments such as these: “the
system was too slow,” “it was down all the time,” “training was inadequate
and nothing like the real thing,” “there was no one to go to if you had ques­
tions or concerns,” “it added to my stress and workload,” and the list goes
on. The fact is, the system did not meet their expectations. You might not
know whether those expectations were reasonable or not.

Previously we discussed the importance of clearly defining and commu­
nicating the goals and objectives of the new system. Related to goal defi nition
is the management of user expectations. Different people may have different
perspectives on what they expect from the new system; in addition, some will
admit to having no expectations, and others will have joined the organiza­
tion after the system was implemented and consequently are likely to have
expectations derived from the people currently using the system.

Expectations come from what people see and hear about the system and
the way they interpret what the system will do for them or for their organiza­
tion. Expectations can be formed from a variety of sources—they may come
from a comment made during a vendor presentation, a question that arises
during training, a visit to another site that uses the same system, attendance
at a professional conference, or a remark made by a colleague in the hallway.
Furthermore, the main criterion used to evaluate the system’s value or success
depends on the individual’s expectations and point of view. For example, the
chief fi nancial officer might measure system success in terms of the fi nancial
return on investment, the chief medical director might look at impact on
physicians’ time and quality of care, the nursing staff members might con­
sider any change in their workload, public relations personnel might compare
levels of patient satisfaction, and the IT staff members might evaluate the
change in the number of help desk calls made since the new system was
implemented. All these approaches are measures of an information system’s
perceived impact on the organization or individual. However, they are not
all the same, and they may not have equal importance to the organization in
achieving its strategic goals.

It is therefore important for the health care executive team not only to
establish and communicate clearly defi ned goals for the new system but also
to listen to needs and expectations of the various user groups and to defi ne,
meet, and manage expectations appropriately. Ways to manage expectations
include making sure users understand that the first days or weeks of system
use may be rocky, that the organization may need time to adjust to a new
workflow, that the technology may have bugs, and that users should not
expect problem-free system operation from the start. Clear and effective
communication is key in this endeavor.

204 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

In managing expectations it can be enormously helpful to conduct for­
mative assessments of the implementation process, in which the focus is on
the process as well as the outcomes. Specific metrics need to be chosen and
success criteria defined to determine whether or not the system is meeting
expectations (Cusack & Poon, 2011). For example, if wide-scale use is a pri­
ority, collection of actual numbers of transactions or use logs may be mean­
ingful information for the leadership team. Other categories of metrics that
might be helpful are clinical outcome measures, clinical process measures,
provider adoption and attitude measures, patient knowledge and attitude
measures, workflow impact measures, and financial impact measures. The
Agency for Healthcare Research and Quality published the Health Information
Technology Evaluation Toolkit, which can serve as a guide for project teams
involved in evaluating the system implementation process or project outcomes
(Cusack & Poon, 2011).

Know Your Culture and Do Not Underestimate

User Resistance

Before embarking on system implementation, it is critical to know your
culture. Understanding the culture is important before you make the invest­
ment. For example, you might ask, How engaged and ready are the physicians
and other clinicians for the new system? Are they comfortable with tech­
nology? Do you have hospitalists on staff? Or are you a community hospital
in which the bulk of your medical staff members are physicians who have
admitting privileges at several hospitals and make rounds only once a day?
How engaged have the physicians been in the design and build of the new
system? Is there strong support? If you don’t have sufficient medical staff
buy-in and support or hospitalists on staff who are committed to the project,
you run the risk of encountering user resistance and system failure because
of inadequate use.

During the implementation process it is also important to analyze
current workflow and make appropriate changes as needed. Previously we
gave an example of analyzing a patient scheduling process. Patient sched­
uling is a relatively straightforward process. A change in this system may
not dramatically change the job responsibilities of the schedulers and may
have little impact on nurses’ or physicians’ time. Therefore, these groups
may offer little resistance to such a change. (This is not to guarantee a lack
of resistance—if you mess up a practice’s schedule, you can have a lot of
angry people on your hands!) By contrast, changes in processes that involve
the direct provision of patient care services and that do affect nurses’ and
physicians’ time may be tougher for users to accept. The physician ordering

M A N A G I N G C H A N G E A N D T H E O R G A N I Z A T I O N A L A S P E C T S · 205

process is a perfect example. Historically most physicians were accustomed
to picking up a pen and paper and handwriting an order or calling one in
to the nurses’ station from their phones. With CPOE, physicians may be
expected to keyboard their orders directly into the system and respond to
automated reminders and decision-support alerts. A process that historically
took them a few seconds to do might now take several minutes, depending
on the number of prompts and reminders. Moreover, physicians are now
doing things that were not asked of them before—they are checking for
drug interactions, responding to reminders and alerts, evaluating whether
evidence-based clinical guidelines apply to the patient, and the list goes
on. All these activities take time, but in the long run they will improve
the quality of patient care. Therefore, it is important for physicians to be
actively involved in designing the process and in seeing its value to the
patient care process.

Getting physicians, nurses, and other clinicians to accept and use clini­
cal information systems can be challenging even when they are involved in
the implementation. At times the incentives for using the system may not be
aligned with their individual needs and goals. On the one hand, for example,
if the physician is expected to see a certain number of patients per day and
is evaluated on patient load and if writing orders used to take thirty minutes
a day with the old system and now takes sixty to ninety minutes with the
new CPOE system, the physician can either see fewer patients or work more
hours. One should expect to see physician resistance. On the other hand, if
the physician’s performance and income is related to adherence to clinical
practice guidelines, care coordination, and patient health outcomes, using
the system may be far more enticing. A recent study among six health care
organizations found that more senior physicians often feel a loss of power by
having junior physicians more comfortable with computers than they are and
a loss in power in the physicians’ ability to shift work to others (McAlearney
et al., 2015). That is, with the implementation of EHRs, the physicians were
now required to use the computers and input their orders rather than delegate
the tasks to junior physicians or nurses.

It perhaps goes without saying that user acceptance occurs when users
see or realize the value the health care information system brings to their
work and the patients they serve. This value takes different forms. Some
people may realize increased efficiency, less stress, greater organization,
and improved quality of information, whereas others may find that the
system enables them to provide better care, avoid medical mistakes, and
make better decisions. In some cases an individual may not experience the
value personally yet may come to realize the value to the organization as
a whole.

206 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

Allocate Suffi cient Resources

Sufficient resources are needed during and after the new system has been
implemented. User acceptance comes from confidence in the new system.
Individuals want to know that the system works properly, is stable and
secure, and that someone is available to help them when they have ques­
tions, problems, or concerns. Therefore, it is important for the organization to
ensure that adequate resources are devoted to implementing and supporting
the system and its users. At a minimum, adequate technical staff expertise
should be available as well as sufficient IT infrastructure.

We have discussed the importance of giving the implementation team
sufficient support as it carries out its charge, but what forms can this support
take? Some methods of supporting the team are to make available release
time, additional staff members, and development funds. Senior managers
might allocate travel funds so team members can view the system in use in
other facilities. They might decide that all implementation team members or
super-users will receive 50 percent release time for the next six months to
devote to the project. This release time will enable those involved to give up
some of their normal job duties so they can focus on the project.

Providing sufficient time and resources to the implementation phase of
the project is, however, only part of the overall support needed. Studies have
shown that an information system’s value to the organization is typically
realized over time. Value is derived as more and more people use the system,
offer suggestions for enhancing it, and begin to push the system to fulfi ll its
functionality. If users are ever to fully realize the system’s value, they must
have access to local technical support—someone, preferably within the organi­
zation, who is readily available, is knowledgeable about the intricacies of the
system, and is able to handle hardware and software problems. This individual
should be able to work effectively with the vendor and others to fi nd solutions
to system problems. Even though it is ideal to have local technical support
in-house, that may be difficult in small physician offices or community-based
settings. In such cases the facility may need to consider such options as
(1) devoting a significant portion of an employee’s time to training so that he
or she may assume a support role, (2) partnering with a neighboring organi­
zation that uses the same system to share technical support staff members, or
(3) contracting with a local computer firm to provide the needed assistance.
The vendor may be able to assist the organization in identifying and securing
local technical support.

In addition to arranging for local technical support, the organization will also
need to invest resources in building and maintaining a reliable, secure IT infra­
structure (servers, operating systems, and networks) to support the information

M A N A G I N G C H A N G E A N D T H E O R G A N I Z A T I O N A L A S P E C T S · 207

system, particularly if it is a mission-critical system. Many patient informa­
tion systems need to be available 24 hours a day, 7 days a week, 365 days a
year. Health care professionals can come to rely on having access to timely,
accurate, and complete information in caring for their patents, just as they
count on having electricity, water, and other basic utilities. Failing to build
the IT infrastructure that will adequately support the new clinical system can
be catastrophic for the organization and its IT department.

An IT infrastructure’s lifetime may be relatively short. It is reasonable to
expect that within three to ten years, the hardware, software, and network
will likely need to be replaced as advances are made in technology, the orga­
nization’s goals and needs change, and the health care environment changes.
Downtime, scheduled and unscheduled, should be limited.

Provide Adequate Training

Previously we discussed the importance of training staff members on the
new system prior to the go-live date. Having a training program suited to the
needs of the various user groups is very important during the implementation
process. People who will use the system should be relatively comfortable with
it, have had ample opportunities to use it in a safe environment, and know
where to turn should they have questions or need additional assistance. It
is equally important to provide ongoing training months and even years
after the system has been implemented. In all likelihood the system will go
through a series of upgrades, changes will be made, and users will get more
comfortable with the fundamental features and will be ready to push the
system to the next level. Some users will explore additional functionality on
their own; others will need prodding and additional training in order to learn
more advanced features.

It is also critical to provide the type of training that works best for
your users’ needs and learning preferences. Do not be afraid to have dif­
ferent training methods for different user groups (Holden, 2011). Memorial
Sloan-Kettering Cancer Center is a perfect example. It is one of the world’s
oldest private cancer centers in the world. All of its physicians are employ­
ees of the organization. When they were first implementing their CPOE, all
clinical and administrative staff members underwent group training sessions
(Sklarin, Granovsky, & Hagerty-Paglia, 2011). The system was not accepted
by the physicians for a variety of reasons, and training was a critical issue.
Once the leadership team realized this, they regrouped, changed tactics, and
added three new approaches to working with the physicians: (1) they rolled
out one service at a time with one hour of personalized training to each
physician of that service (additional time did not seem to help); (2) support

208 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

staff members were stationed at the clinical areas during the implementa­
tion period for individualized assistance; and (3) a physician champion was
involved in workflow discussions and key in facilitating the placement of
orders in the system and in helping ensure physician compliance (Sklarin et
al., 2011). Understanding the culture and the physician training needs of the
organization is vital when implementing a new system, as is a willingness
to reevaluate the project. It is important to view the system as a long-term
investment rather than a one-time purchase. The resources allocated or
committed to the system should include not only the upfront investment in
hardware and software but also the time, people, and resources needed to
maintain and support it.

Manage Unintended Consequences

Management expertise and leadership are important elements to the success
of any system implementation. Effective leaders help build a community of
collaboration and trust. However, effective leadership also entails under­
standing the unintended consequences that can occur during complex
system implementations and managing them. Unintended consequences can
be positive, negative, or both, depending on one’s perspective. A decade
ago, Ash and colleagues (2007) conducted interviews with key individuals
from 176 US hospitals that had implemented CPOE. CPOE is one of the most
complex and challenging of clinical applications to implement and a key
function of EHR systems. From their work, they identified eight types of
unintended consequences that implementation teams should plan for and
consider when implementing CPOE.

Conflicts can also occur between paper-based and electronic systems
if providers who prefer paper records annotate printouts and place them in
patient charts as formal documentation, in essence creating two distinct and
sometimes conflicting patient records (Jones et al., 2011).

Health care executives and implementation teams should be aware of
these unintended consequences, particularly those that can adversely affect
the organization, and carefully plan for and manage them.

Establish Strong Working Relationships with Vendors

Developing strong working relationships with the vendor is key. The health
care executive should view the vendor as a partner and an entity with which
the organization will likely have a long-term relationship. This relationship
often begins when the organization first selects a new information system

M A N A G I N G C H A N G E A N D T H E O R G A N I Z A T I O N A L A S P E C T S · 209

Unintended Consequences of CPOE

1. More work or new work. CPOEs can increase work because
systems may be slow, nonstandard cases may call for more steps
in ordering, training may remain an issue, some tasks may
become more diffi cult, the computer forces the user to complete
“all steps,” and physicians often take on tasks that were formerly
done by others.

2. Workfl ow. CPOEs can greatly alter workfl ow, sometimes improv­
ing workfl ow for some and slowing or complicating it for others.

3. System demands. Maintenance, training, and support efforts can
be signifi cant for an organization, not only in building the system
but also in making improvements and enhancements to it.

4. Communication. CPOE systems affect communication within the
organization; they can reduce the need to clarify orders but also
lead to people failing to adequately communicate with each other
in appropriate situations.

5. Emotions. Clinician reactions to CPOE can run the gamut from
positive to negative.

6. New kinds of errors. Although CPOE systems are generally
designed to detect and prevent errors, they can lead to new types
of errors such as juxtaposition errors, in which clinicians click on
the adjacent patient name or medication from a list and inadvert­
ently enter the wrong order.

7. Power shifts. Shifts in power may be viewed as less of a problem
than some of the other unintended consequences, but CPOE can
be used to monitor physician behavior.

8. Dependence on the system. Clinicians become dependent on the
CPOE system, so managing downtime procedures is critical. Even
then, while the system is down, CPOE users view the situation as
managed chaos.

Source: Adapted from Ash et al. (2007). Reproduced with permission of Amer­
ican Medical Informatics Association.

210 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

and continues well after the system is live and operational. The system will
have upgrades, new version releases, and ongoing maintenance contracts. It
behooves both parties, the health care provider organization and the vendor,
to clearly define expectations, resource needs, and timelines. It is important
to have open, honest, and candid conversations when problems arise or dif­
ferences in expectation occur. Equally important is for both parties to demon­
strate a willingness to address needs and solve problems collaboratively.


Information systems evolve as an organization continues to grow and change.
No matter how well the system was designed and tested, errors and prob­
lems will be detected and changes will need to be made. IT staff members
generally assume a major role in maintaining and supporting the informa­
tion systems in the health care organization. When errors or problems are
detected, IT staff members correct the problem or work with the vendor to
see that the problem is fixed. Moreover, the vendor may detect glitches and
develop upgrades or patches that will need to be installed.

Many opportunities for enhancing and optimizing the system’s perfor­
mance and functionality will arise well after the go-live date. The organiza­
tion will want to ensure that the system is adequately maintained, supported,
and further developed over time. Selecting and implementing a health care
information system is an enormous investment. This investment must be
maintained, just as one would maintain one’s home. In fact, health care orga­
nizations that have implemented EHR systems are now actively in the midst
of optimizing use of the system in practice (Sachs & Long, 2016). Optimiza­
tion can take the form of additional training, revised workflows, adding new
features or functionality, or using data from the system for quality improve­
ment initiatives, as examples. Optimizing systems and assessing their value
is discussed in Chapter Seven.

As with other devices, information systems have a life cycle and even­
tually need to be replaced. Health care organizations typically go through
a process whereby they plan, design, implement, and evaluate their health
care information systems. Too often in the past the organization’s work was
viewed as done once the system went live. It has since been discovered how
vital system maintenance and support resources are and how important it is
to evaluate the extent to which the system goals are being achieved.

Evaluating or accessing the value of the health care information system is
increasingly important. Acquiring and implementing systems requires large
investments, and stakeholders, including boards of directors, are demanding
to know the actual and future value of these projects. Evaluations must be

S U M M A R Y · 211

viewed as an integral component of every major health information system
project and not an afterthought. Chapter Seven is devoted to this topic.


Implementing a new information system in a health care organization
requires a significant amount of planning and preparation. The health care
organization should begin by appointing an implementation team compris­
ing experienced individuals, including representatives from key areas in the
organization, particularly areas that will be affected by or responsible for
using the new system. Key users should be involved in analyzing existing
processes and procedures and making recommendations for changes. A
system champion should be part of the implementation team and serve as
an advocate in soliciting input, representing user views, and spearheading
the project. When implementing a clinical application, it is important that
the system champion be a physician or clinician, someone who is able to
represent the views of the care providers.

Under the direction of a highly competent implementation team, a number
of important activities should occur during the system rollout. This team
should assume a leadership role in ensuring that the system is effectively
incorporated into the day-to-day operations of the facility. This generally
requires the organization to (1) analyze workflow and processes and perform
any necessary process reengineering, (2)  install and configure the system,
(3) train staff members, (4) convert data, (5) adequately test the system, and
(6)  communicate project progress using appropriate forums at all levels
throughout the organization. Attention should be given to the countless
details associated with ensuring that downtime and backup procedures are
in place, security plans have been developed, and the organization is ready
for the go-live date.

During the days immediately following system implementation, the orga­
nization should have sufficient staff members on hand to assist users and
provide individual assistance as needed. A stable and secure IT infrastructure
should be in place to ensure minimal, ideally zero, downtime and adequate
response time. The IT department or other appropriate unit or representative
should have a formal mechanism in place for reporting and correcting errors,
bugs, and glitches in the system.

Once the system has gone live, it is critical for the organization to have in
place the plans and resources needed to adequately maintain and support the
new system. Technical staff members and resources should be available to the
users. Ongoing training should be an integral part of the organization’s plans
to support and further develop the new system. In addition, the leadership

212 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

team should have in place a thoughtful plan for evaluating the implementa­
tion process and assessing the value of the health care information system.

Beyond taking ultimate responsibility for completion of the activities
needed to implement and support and evaluate the new system, the health
care executive should assume a leadership role in managing change and the
organizational and human aspects of the new system. Information systems
can have a profound impact on health care organizations, the people who
work there, and the patients they serve. Acquiring a good product and having
the right technical equipment and expertise are not enough to ensure system
success. Health care executives must also be attuned to the human aspects
of introducing new IT into the care delivery process.


Business owner System champion
Business sponsor System implementation
Implementation team Train the trainer
IT manager Unintended consequences
Managing change User resistance
Project manager Workflow and process analysis


1. Visit a health care organization that has recently implemented or
replaced a health care information system. What process did it use
to implement the system? How does that process compare with the
one described in this chapter? How successful was the organization
in implementing the new system? To what do staff members attribute
this success?

2. Search the literature for a recent article on a system implementation
project. Briefl y describe the process used to implement the system
and the lessons learned. How might this particular facility’s
experiences be useful to others? Explain.

3. Physician acceptance and use of clinical information systems
are often cited as challenges. What do you think the health care
leadership team can or should do to foster acceptance by physicians?
Assume that a handful of physicians in your organization are actively
resisting a new clinical information system. How would you approach
and address their resistance and concerns?

R E F E R E N C E S · 213

4. Assume you are working with an implementation team in installing
a new nursing documentation system for a home health agency.
Historically, all its nursing documentation was recorded in paper
form. The home health agency has little computerization beyond
basic registration information and has no IT staff members. What
recommendations might you offer to the implementation team as it
begins the work of installing the new nursing documentation system?

5. Discuss the risks to a health care organization in failing to allocate
suffi cient support and resources to a newly implemented health care
information system.

6. Assume you are the CEO of a large group practice (seventy-fi ve physi­
cians) that implemented an EHR system two years ago. The physicians
are asking for an evaluation of the system and its impact on quality,
costs, and patient satisfaction. Devise a plan for evaluating the EHR
system’s impact on the organization in these three areas.

7. Read the executive summary of the Institute of Medicine’s (2011)
report entitled Health IT and Patient Privacy: Building Safer Systems
for Better Care. How can the introduction of health IT that is designed
to enhance or improve patient quality and safety lead to patient
safety concerns? Do you agree that patient safety is a partnership
between the health care organization and health IT vendor when
implementing health care information systems? Explain the role of
each and your rationale.


Ash, J. S., Anderson, N. R., & Tarczy-Hornoch, P. (2008). People and organization
issues in research systems implementation. Journal of the American Medical
Informatics Association, 15, 283–289.

Ash, J. S., Sittig, D. F., Poon, E. G., Guappone, K., Campbell, E., & Dykstra, R.
(2007). The extent and importance of unintended consequences related to
computerized provider order entry. Journal of the American Medical Informatics
Association, 14(4), 415–423.

Ash, J. S., Stavri, P., Dykstra, R., & Fournier, L. (2003). Implementing computerized
physician order entry: The importance of special people. International Journal
of Medical Informatics, 69(2–3), 235–250.

Cusack, C., & Poon, E. (2011). Health information exchange evaluation toolkit.
Agency for Healthcare Research and Quality. Retrieved February 2013 from

214 · C H A P T E R 6 : S Y S T E M I M P L E M E N T A T I O N A N D S U P P O R T

Daly, R. (2016). The EHR evolution: New priorities and implementation changes.
Healthcare Financial Management (Feb.), 45–50.

Elias, B., Barginere, M., Berry, P. A., & Selleck, C. S. (2015). Implementation of an
electronic health records system within an interprofessional model of care.
Journal of Interprofessional Care, 29(6), 551–554.

Holden, R. J. (2011). What stands in the way of technology-mediated patient safety
improvements? A study of facilitators and barriers to physicians’ use of elec­
tronic health records. Journal of Patient Safety, 7(4), 193–202.

Institute of Medicine (IOM). (2011). Health IT and patient privacy: Building safer
systems for better care. Washington, DC: National Academies Press.

Jones, S. S., Koppel, R., Ridgley, M. S., Palen, T., Wu, S., & Harrison, M. I. (2011,
Aug.). Guide to reducing unintended consequences of electronic health records.
Rockville, MD: Agency for Healthcare Research and Quality.

Keen, P. (1997). The process edge. Boston, MA: Harvard Business School Press.

McAlearney, A. S., Hefner, J. L., Sieck, C. J., & Huerta, T. R. (2015). The journey
through grief: Insights from a qualitative study of electronic health record
implementation. Health Services Research, 50(2), 462–488.

Metzger, J., & Fortin, J. (2003). Computerized physician order entry in commu­
nity hospitals: Lessons from the fi eld. Oakland, CA: California HealthCare

Miller, R. H., & Sim, I. (2004). Physicians’ use of electronic medical records: Barri­
ers and solutions. Health Affairs, 23(2), 116–126.

Miller, R. H., Sim, I., & Newman, J. (2003). Electronic medical records: Lessons from
small physician practices. Oakland, CA: California HealthCare Foundation.

Sachs, P. B., & Long, G. (2016). Process for managing and optimizing radiology
work flow in the electronic health record environment. Journal of Digital
Imaging, 29, 43–46.

Sittig, D. F., & Singh, H. (2011). Defining health information technology-related
errors: New developments since To Err Is Human. Archives of Internal Medi­
cine, 171(14), 1281–1284.

Sklarin, N. T., Granovsky, S., & Hagerty-Paglia, J. (2011). Electronic health record
implementation at an academic cancer center: Lessons learned and strategies
for success. American Society of Clinical Oncology, pp. 411–415.

Wager, K. A., Lee, F., White, A., Ward, D., & Ornstein, S. (2000). Impact of an
electronic medical record system on community-based primary care practices.
Journal of the American Board of Family Practice, 13(5), 338–348.

Yackanicz, L., Kerr, R., & Levick, D. (2010). Physician buy-in for EMRs. Journal of
Healthcare Information Management, 24(2), 41–44.


Assessing and Achieving

Value in Health Care

Information Systems


• To be able to discuss the nature of IT-enabled value.

• To review the components of the IT project proposal.

• To be able to understand steps to improve IT project value

• To be able to discuss factors that ensure value delivery.


216 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

Virtually all the discussion in this book focuses on the knowledge and man­
agement processes necessary to achieve one fundamental objective: organi­
zational investments in IT resulting in a desired value. That value might be
the furtherance of organizational strategies, improvement in the performance
of core processes, or the enhancement of decision making. Achieving value
requires the alignment of IT with overall strategies, thoughtful governance,
solid information system selection and implementation approaches, and effec­
tive organizational change.

Failure to achieve desired value can result in significant problems for
the organization. Money is wasted. Execution of strategies is hamstrung.
Organizational processes can be damaged.

This chapter carries the IT value discussion further. Specifically, it covers
the following topics:

• The definition of IT-enabled value

• The IT project proposal

• Ensuring the delivery of value

• Analyses of the IT value challenge


We can make several observations about IT-enabled value:

• IT value can be tangible and intangible.

• IT value can be signifi cant.

• IT value can be variable across organizations.

• IT value can be diverse across IT proposals.

• A single IT investment can have a diverse value proposition.

• Different IT investments have different objectives and hence different
value propositions and value assessment techniques.

These observations will be discussed in more detail in the following

Tangible and Intangible

Tangible value can be measured whereas intangible value is very diffi cult,
perhaps practically impossible, to measure.

D E F I N I T I O N O F I T – E N A B L E D V A L U E · 217

Some tangible value can be measured in terms of dollars:

• Increases in revenue

• Reductions in labor costs: for example, through staff layoffs, overtime
reductions, or shifting work to less expensive staff members

• Reductions in supply costs: for example, because of improvements in


• Reductions in maintenance costs for computer systems

• Reductions in use of patient care services: for example, fewer lab tests
are performed or care is conducted in less expensive settings

Some tangible value can be measured in terms of process improvements:

• Fewer errors

• Faster turnaround times for test results

• Reductions in elapsed time to get an appointment

• A quicker admissions process

• Improvement in access to data

• Improvements in the percentage of care delivery that follows medical


Some tangible value can be measured in terms of strategically important
operational and market outcomes:

• Growth in market share

• Reduction in turnover

• Increase in brand awareness

• Increase in patient and provider satisfaction

• Improvement in reliability of computer systems

By contrast, intangible value can be very difficult to measure. The orga­
nization is trying to measure such things as

• Improved decision making

• Improved communication

• Improved compliance

• Improved collaboration

218 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

• Increased agility

• Becoming more state of the art

• Improved organizational competencies: for example, becoming better
at managing chronic disease

• Becoming more customer friendly

Signifi cant

IT can be leveraged to achieve significant organization value. The following
are some example studies:

A study that compared the quality of diabetes care between physician
practices that used EHRs and practices that did not found that the
EHR sites had composite standards for diabetes care that were 35.1
percent higher than paper-based sites and had 15 percent better care
outcomes (Cebul, Love, Jain, & Herbert, 2011).

EMC (a company that makes data storage devices and other information
technologies) reported a reduction of $200 million in health care costs
over ten years through the use of data analytics, lifestyle coaches, and
remote patient monitoring to help employees manage health risks and
chronic diseases (Mosquera, 2011).

A cross-sectional study of hospitals in Texas (Amarasingham, Plantinga,
Diener-West, Gaskin, & Powe, 2009) found that higher levels of the
automation of notes and patient records were associated with a 15
percent decrease in the adjusted odds of a fatal hospitalization. Higher
scores in the use of computerized provider order entry (CPOE) were
associated with 9 percent and 55 percent decreases in the adjusted
odds of death for myocardial infarction and coronary artery bypass
graft procedures, respectively. For all cases of hospitalization, higher
levels of clinical decision-support use were associated with a 16
percent decrease in the adjusted odds of complications. And higher
levels of CPOE, results reporting, and clinical decision support were
associated with lower costs for all hospital admissions.

A clinical decision support (CDS) module, embedded within an EHR,
was used to provide early detection of situations that could result in
venous thromboembolism (VTE). A study of the impact of the module
showed that the VTE rate declined from 0.954 per one thousand
patient days to 0.434 comparing baseline to full VTE CDS. Compared
to baseline, patients benefi tting from VTE CDS were 35 percent less
likely to have a VTE (Amland et. al., 2015).

D E F I N I T I O N O F I T – E N A B L E D V A L U E · 219


Even when they implement the same system, not all organizations experience
the same value. Organizational factors such as change management prowess
and governance have a significant impact on an organization’s ability to be
successful in implementing health information technology.

As an example of variability, two children’s hospitals implemented the
same EHR (including CPOE) in their pediatric intensive care units. One
hospital experienced a significant increase in mortality (Han et al., 2005),
whereas the other did not (Del Beccaro, Jeffries, Eisenberg, & Harry, 2006).
The hospital that did experience an increase in mortality noted that several
implementation factors contributed to the deterioration in quality; specifi c
order sets for critical care were not created, changes in workflow were not
well executed, and orders for patients arriving via critical care transporta­
tion could not be written before the patient arrived at the hospital, delaying
life-saving treatments.

Even when organizations have comparable implementation skill levels,
the value achieved can vary because different organizations decide to focus
on different objectives. For example, some organizations may decide to
improve the quality of diabetes care, and others may emphasize the reduction
in care costs. Hence, if an outcome is of modest interest to an organization
and it devotes few resources to achieving that outcome, it should not be
surprised if the outcome does not materialize.

Diverse across Proposals

Consider three proposals (real ones from a large integrated delivery system)
that might be in front of organizational leadership for review and approval: a
disaster notification system, a document imaging system, and an e-procurement
system. Each offers a different type of value to the organization.

The disaster notification system would enable the organization to page
critical personnel, inform them that a disaster—for example, a train wreck or
biotoxin outbreak—had taken place, and tell them the extent of the disaster
and the steps they would need to take to help the organization respond to
the disaster. The system would cost $520,000. The value would be “better
preparedness for a disaster.”

The document imaging system would be used to electronically store
and retrieve scanned images of paper documents, such as payment recon­
ciliations, received from insurance companies. The system would cost $2.8
million, but would save the organization $1.8 million per year ($9 million
over the life of the system) through reductions in the labor required to look

220 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

for paper documents and in the insurance claim write-offs that occur because
a document cannot be located.

The e-procurement system would enable users to order supplies, ensure
that the ordering person had the authority to purchase supplies, transmit the
order to the supplier, and track the receipt of the supplies. Data from this
system could be used to support the standardization of supplies, that is, to
reduce the number of different supplies used. Such standardization might
save $500,000 to $3 million per year. The actual savings would depend on
physician willingness to standardize. The system would cost $2.5 million.

These proposals refl ect a diversity of value, ranging from “better disaster
response” to a clear financial return (document imaging) to a return with
such a wide potential range (e-procurement) that it could be a great invest­
ment (if you really could save $3 million a year) or a terrible investment (if
you could save only $500,000 a year).

Diverse in a Single Investment

Picture archiving and communication systems (PACS) are used to store radiol­
ogy (and other) images, support interpretation of images, and distribute the
information to the physician providing direct patient care. These systems are
an example of the diversity of value that can result from one IT investment.
A PACS can do the following:

• Reduce costs for radiology film and the need for fi lm librarians.

• Improve service to the physician delivering care, through improved
access to images.

• Improve productivity for the radiologists and for the physicians
delivering care (both groups reduce the time they spend looking for

• Generate revenue, if the organization uses the PACS to offer radiology
services to physician groups in the community.

This one investment has a diverse value proposition; it has the poten­
tial to deliver cost reduction, productivity gains, service improvements, and
revenue gains.

Different Analyses for Different Objectives

The Committee to Study the Impact of Information Technology on the Per­
formance of Service Activities (1994), organized by the National Research

D E F I N I T I O N O F I T – E N A B L E D V A L U E · 221

Council (NRC), has identified six categories of IT investments in service
industries, reflecting different objectives. The techniques used to assess IT
investment value should vary by the type of objective that the IT investment
intends to support. One technique does not fit all IT investments.


IT investments may be for infrastructure that enables other investments or
applications to be implemented and deliver desired capabilities. Examples of
infrastructure are data communication networks, workstations, and clinical
data repositories. A delivery system–wide network enables a large organiza­
tion to implement applications to consolidate clinical laboratories, implement
organization-wide collaboration tools, and share patient health data between

It is difficult to quantitatively assess the impact or value of infrastructure
investments because of the following:

• They enable applications. Without those applications, infrastructure
has no value. Hence, infrastructure value is indirect and depends on
application value.

• The allocation of infrastructure value across applications is complex.
When millions of dollars are invested in a data communication
network, it may be diffi cult or impossible to determine how much of
that investment should be allocated to the ability to create delivery
system–wide EHRs.

• A good IT infrastructure is often determined by its agility, potency,
and ability to facilitate integration of applications. It is very diffi cult
to assign return on investment (ROI) numbers or any meaningful
numerical value to most of these characteristics. What, for instance,
is the value of being agile enough to speed up the time it takes to
develop and enhance applications?

Information system infrastructure is as hard to evaluate as other organi­
zational infrastructure, such as having talented, educated staff members. As
with other infrastructure,

• Evaluation is often instinctive and experientially based.

• In general, underinvesting can severely limit the organization.

• Investment decisions involve choosing between alternatives that are
assessed for their ability to achieve agreed-on goals. For example,

Four Types of IT Investment

Complementing the NRC study, Jeanne Ross and Cynthia Beath (2002)
studied the IT investment approaches of thirty companies from a wide
range of industries. They identifi ed four classes of investment:

• Transformation. These IT investments had an impact that would
affect the entire organization or a large number of business units.
The intent of the investment was to effect a signifi cant improvement
in overall performance or change the nature of the organization.

• Renewal. Renewal investments were intended to upgrade core IT
infrastructure and applications or reduce the costs or improve the
quality of IT services. Examples of these investments include appli­
cation replacements, upgrades of the network, or expansion of data

• Process improvement. These IT investments sought to improve
the operations of a specific business entity—for example, to reduce
costs and improve service.

• Experiments. Experiments were designed to evaluate new infor­
mation technologies and test new types of applications. Given the
results of the experiments, the organization would decide whether
broad adoption was desirable.

Different organizations will allocate their IT budgets differently
across these classes. An office products company had an investment mix
of experiments (15 percent), process improvement (40 percent), renewal
(25 percent), and transformation (20 percent). An insurance fi rm had
an investment mix of experiments (3 percent), process improvement (25
percent), renewal (18 percent), and transformation (53 percent).

The investment allocation is often an after-the-fact consideration—
the allocation is not planned, it just “happens.” However, ideally, the
organization decides its desired allocation structure and does so before
the budget discussions. An organization with an ambitious and perhaps
radical strategy may allocate a very large portion of its IT investment to
the transformation class, whereas an organization with a conservative,
stay-the-course strategy may have a large process improvement portion
to its IT investments.

Source: Ross and Beath (2002, p. 54).


D E F I N I T I O N O F I T – E N A B L E D V A L U E · 223

if an organization wishes to improve security, it might ask whether
it should invest in network monitoring tools or enhanced virus
protection. Which of these investments would enable it to make the
most progress toward its goal?


Information system investment may be necessary because of mandated initia­
tives. Mandated initiatives might involve reporting quality data to accrediting
organizations, making required changes in billing formats, or improving disas­
ter notification systems. Assessing these initiatives is generally approached
by identifying the least expensive and the quickest to implement alternative
that will achieve the needed level of compliance.

Cost Reduction

Information system investments directed to cost reduction are generally highly
amenable to ROI and other quantifiable dollar-impact analyses. The ability
to conduct a quantifiable ROI analysis is rarely the question. The ability of
management to effect the predicted cost reduction or cost avoidance is often
a far more germane question.

Specific New Products and Services

IT can be critical to the development of new products and services. At times
the information system delivers the new service, and at other times it is itself
the product. Examples of information system–based new services include
bank cash-management programs and programs that award airline mileage
for credit card purchases. A new service offered by some health care provid­
ers is a personal health record that enables a patient to communicate with
his or her physician and to access care guidelines and consumer-oriented
medical textbooks.

The value of some of these new products and services can be quanti­
fiably assessed in terms of a monetary return. These assessments include
analyses of potential new revenue, either directly from the service or from
service-induced use of other products and services. An ROI analysis will need
to be supplemented by techniques such as sensitivity analyses of consumer
response. Despite these analyses, the value of this IT investment usually has
a speculative component. This component involves consumer utilization,
competitor response, and impact on related businesses.

224 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

Quality Improvement

Information system investments are often directed to improving the quality of
service or medical care. These investments may be intended to reduce waiting
times, improve the ability of physicians to locate information, improve treat­
ment outcomes, or reduce errors in treatment. Evaluation of these initiatives,
although quantifiable, is generally done in terms of service parameters that
are known or believed to be important determinants of organizational success.
These parameters might be measures of aspects of organizational processes
that customers encounter and then use to judge the organization, for example,
waiting times in the physician’s office. A quantifiable dollar outcome for the
service of care quality improvement can be very difficult to predict. Service
quality is often necessary to protect current business, and the effect of a failure
to continuously improve service or medical care can be difficult to project.

Major Strategic Initiative

Strategic initiatives in information technology are intended to signifi cantly
change the competitive position of the organization or redefine the core
nature of the enterprise. In health care it is unusual that information systems
are the centerpiece of a redefinition of the organization, although as we
discussed in Chapter Four IT is a critical foundation for provider efforts to
manage population health. However, several other industries have attempted
IT-centric transformations.

Amazon is an effort to transform retailing. Venmo (which enables micro-
payments between individuals) is an effort to disrupt aspects of the branch
bank. There can be a ROI core or component to analyses of such initiatives,
because they often involve major reshaping or reengineering of fundamental
organizational processes. However, assessing the ROIs of these initiatives and
their related information systems with a high degree of accuracy can be very
difficult. Several factors contribute to this diffi culty:

• These major strategic initiatives usually recast the organization’s
markets and its roles. The outcome of the recasting, although
visionary, can be diffi cult to see with clarity and certainty.

• The recasting is evolutionary; the organization learns and alters
itself as it progresses over what are often lengthy periods of time. It
is diffi cult to be prescriptive about this evolutionary process. Most
accountable care organizations are confronting this phenomenon.

• Market and competitor responses can be diffi cult to predict.

T H E I T P R O J E C T P R O P O S A L · 225

IT value is diverse and complex. This diversity indicates the power of IT
and the diversity of its use. Nonetheless, the complexity of the value propo­
sition means that it is difficult to make choices between IT investments and
also difficult to assess whether the investment ultimately chosen delivered
the desired value or not.


The IT project proposal is a cornerstone in examining value. Clearly, ensur­
ing that all proposals are well crafted does not ensure value. To achieve
value, alignment with organizational strategies must occur, factors for sus­
tained IT excellence must be managed, budget processes for making choices
between investments must exist, and projects must be well managed.
However, the proposal (as will be discussed in Chapter Thirteen) does
describe the intended outcome of the IT investment. The proposal requests
money and an organizational commitment to devote management atten­
tion and staff effort to implementing an information system. The proposal
describes why this investment of time, effort, and money is worth it—that is,
the proposal describes the value that will result. In this section we discuss
the value portion of the proposal and some common problems encountered
with it.

Sources of Value Information

As project proponents develop their case for an IT investment, they may be
unsure of the full gamut of potential value or of the degree to which a desired
value can be truly realized. The organization may not have had experience
with the proposed application and may have insufficient analyst resources
to perform its own assessment. It may not be able to answer such questions
as, What types of gains have organizations seen as a result of implementing
a population health system? To what degree will IT be a major contributor
to our efforts to improve patient access through telehealth?

Information about potential value can be obtained from several sources
(discussed in Appendix A). Conferences often feature presentations that
describe the efforts of specific individuals or organizations in accomplish­
ing initiatives of interest to many others. Industry publications may offer
relevant articles and analyses. Several industry research organizations—for
example, Gartner and the Advisory Board—can offer advice. Consultants can
be retained who have worked with clients who are facing or have addressed

226 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

similar questions. Vendors of applications can describe the outcomes experi­
enced by their customers. And colleagues can be contacted to determine the
experiences of their organizations.

Garnering an understanding of the results of others is useful but insuffi ­
cient. It is worth knowing that Organization Y adopted computerized provider
order entry (CPOE) and reduced unnecessary testing by x percent. However,
one must also understand the CPOE features that were critical in achieving
that result and the management steps taken and the process changes made
in concert with the CPOE implementation.

Formal Financial Analysis

Most proposals should be subjected to formal financial analyses regardless
of their value proposition. Several types of financial measures are used by
organizations. An organization’s finance department will work with lead­
ership to determine which measures will be used and how these measures
will be compiled.

Two common financial measures are net present value and internal rate
of return:

1. Net present value is calculated by subtracting the initial investment
from the future cash fl ows that result from the investment. The cash
can be generated by new revenue or cost savings. The future cash is
discounted, or reduced, by a standard rate to refl ect the fact that a
dollar earned one or more years from now is worth less than a dollar
one has today (the rate depends on the time period considered). If the
cash generated exceeds the initial investment by a certain amount or
percentage, the organization may conclude that the IT investment is a
good one.

2. Internal rate of return is the discount rate at which the present value
of an investment’s future cash fl ow equals the cost of the investment.
Another way to look at this is to ask, Given the amount of the
investment and its promised cash, what rate of return am I getting on
my investment? On the one hand, a return of 1 percent is not a good
return (just as one would not think that a 1 percent return on one’s
savings was good). On the other hand, a 30 percent return is very

Table 7.1 shows the typical form of a financial analysis for an IT

Table 7.1 Financial analysis of a patient accounting document imaging system

Year Year 1 Year 2 Year 3 Year 4 Year 5 Year 6 Year 7

One-time capital expense $1,497,466 $1,302,534
System operations
System maintenance — 288,000 $288,000 $288,000 $288,000 $288,000 $288,000 $288,000
System maintenance — 152,256 152,256 152,256 152,256 152,256 152,256 152,256
TOTAL COSTS 1,497,466 1,742,790 440,256 440,256 440,256 440,256 440,256 440,256
Revenue gains
Rebilling of small — 651,000 868,000 868,000 868,000 868,000 868,000 868,000

secondary balances
Medicaid billing — 225,000 300,000 300,000 300,000 300,000 300,000 300,000

Disallowed Medicare — — — — 100,000 100,000 100,000 100,000

bad debt audit
Staff savings
Projected staff savings — 36,508 136,040 156,504 169,065 169,065 169,065 171,096
Operating savings
Projected operating — 64,382 77,015 218,231 222,550 226,436 226,543 229,935

TOTAL BENEFITS — 976,891 1,381,055 1,542,735 1,659,615 1,663,502 1,663,608 1,669,031
CASH FLOW (1,497,466) (765,899) 940,799 1,102,479 1,219,359 1,223,246 1,223,352 1,228,775
CUMULATIVE CASH (1,497,466) (2,263,365) (1,322,566) (220,087) 999,272 2,222,517 3,445,869 4,674,644

NPV (12% discount ) 1,998,068
IRR 33%

228 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

Comparing Different Types of Value

Given the diversity of value, it is very challenging to compare IT proposals
that have different value propositions. How does one compare a proposal that
promises to increase revenue and improve collaboration to one that offers
improved compliance, faster turnaround times, and reduced supply costs?

At the end of the day, judgment is used to choose one proposal over
another. Health care executives review the various proposals and associated
value statements and make choices based on their sense of organizational
priorities, available monies, and the likelihood that the proposed value will
be seen. These judgments can be aided by developing a scoring approach
that enables leaders to apply a common metric across proposals. For example,
the organization might decide to score each proposal according to how much
value it promises to deliver in each of the following areas:

• Revenue impact

• Cost reduction

• Patient or customer satisfaction

• Quality of work life

• Quality of care

• Regulatory compliance

• Potential learning value

In this approach, each of these areas in each proposal is assigned a score,
ranging from 5 (signifi cant contribution to the area) to 1 (minimal or no con­
tribution). The scores are then totaled for each proposal, and, in theory, one
picks those proposals with the highest aggregate scores. In practice, IT invest­
ment decisions are rarely that purely algorithmic. However, such scoring can
be very helpful in sorting through complex and diverse value propositions:

• Scoring forces the leadership team to discuss why different members
of the team assigned different scores—why, for example, did one
person assign a score of 2 for the revenue impact of a particular
proposal and another person assign a 4? These discussions can clarify
people’s understandings of proposal objectives and help the team
arrive at a consensus on each project.

• Scoring means that the leadership team will have to defend any
decision not to fund a project with a high score or to fund one with a
low score. In the latter case, team members will have to discuss why
they are all in favor of a project when it has such a low score.

T H E I T P R O J E C T P R O P O S A L · 229

Prerequisites for Effective IT Project Prioritization

Jeanne Ross and Emmett Johnson (2009) identifi ed four prerequisites to
effective IT project prioritization.

Explicit operating vision of the business. An operating vision is more
than the sum of the operations of individual departments. Rather, it is
a solid understanding of how the organization wants to operate as a
whole. For example, how will the organization manage patients with a
chronic disease? What processes must be in place to ensure a superior
patient experience?

Operating visions lead to enterprise-wide requirements for integration
and standardization. IT projects should support this vision and conform
to these requirements.

Business process owners. Process owners are those senior leaders who
are responsible for the performance of core organization processes, such
as patient access. These owners must sponsor IT initiatives and be held
accountable for their successful completion and value delivery. These
owners are in a good position to understand the IT priorities of their

Transparent IT operating costs. Organizational leadership must
understand IT costs and the drivers of those costs. This understanding
prepares them to thoughtfully assess the risks and benefits of proposed
new systems and to identify alternative approaches to achieving desired
process gains.

Rigorous project governance. Excellent IT governance must exist for the
overall IT agenda (to be discussed in Chapter Twelve) and for individual
projects (to be discussed in Chapter Thirteen).

Source: Ross and Johnson (2009).

The organization can decide which proposal areas to score and which
not to score. Some organizations give different areas different weights—for
example, reducing costs might be considered twice as important as improving
organizational learning. The resulting scores are not binding, but they can

230 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

be helpful in arriving at a decision about which projects will be approved
and what value is being sought.

Tactics for Reducing the Budget

Proposals for IT initiatives may originate from a wide variety of sources in
an organization. The IT group will submit proposals, as will department
directors and physicians. Many of these proposals will not be directly related
to an overall strategy but may nevertheless be good ideas that if implemented
would lead to improved organizational performance. So it is common for an
organization to have more proposals than it can fund. For example, during
the IT budget discussion, the leadership team may decide that although it
is looking at $2.2 million in requests, the organization can afford to spend
only $1.7 million, so $500,000 worth of requests must be denied. Table 7.2
presents a sample list of requests.

Table 7.2 Requests for new information system projects

Community General Hospital

Project Name Operating Cost

TOTAL $2,222,704
Clinical portfolio development 38,716
Enterprise monitoring 70,133
HIPAA security initiative 36,950
Accounting of disclosure—HIPAA 35,126
Ambulatory Center patient tracking 62,841
Bar-coding infrastructure 64,670
Capacity management 155,922
Chart tracking 34,876
Clinical data repository 139,902
CRP research facility 7,026
Emergency Department data warehouse 261,584
Emergency Department order entry 182,412
Medication administration system 315,323
Order communications 377,228
Transfusion services replacement system 89,772
Wireless infrastructure 44,886
Next-generation order entry 3,403
Graduate medical education duty hours 163,763

T H E I T P R O J E C T P R O P O S A L · 231

Reducing the budget in situations such as this requires a value discus­
sion. The leadership is declaring some initiatives to have more value than
others. Scoring initiatives according to criteria is one approach to addressing
this challenge.

In addition to such scoring, other assessment tactics can be employed,
prior to the scoring, to assist leaders in making reduction decisions.

• Some requests are mandatory. They may be mandatory because of

a regulation requirement (such as a new Medicare rule) or because

a current system is so obsolete that it is in danger of crashing—

permanently—and it must be replaced soon. These requests must be


• Some projects can be delayed. They are worthwhile, but a decision on
them can be put off until next year. The requester will get by in the

• Key groups within IT, such as the staff members who manage

clinical information systems, may already have so much on their

plate that they cannot possibly take on another project. Although the

organization wants to do the project, it would be ill-advised to do so

now, and so the project can be deferred to next year.

• The user department proposing the application may not have

strong management or may be experiencing some upheaval; hence,

implementing a new system at this time would be risky. The project

could be denied or delayed until the management issues have been


• The value proposition or the resource estimates or both are shaky.

The leadership team does not trust the proposal, so it could be denied

or sent back for further analysis. Further analysis means that the

proposal will be examined again next year.

• Less expensive ways of addressing the problems cited in the proposal

may exist, such as a less expensive application or a non-IT approach.

The proposal could be sent back for further analysis.

• The proposal is valuable, and the leadership team would like to

move it forward. However, the team may reduce the budget, enabling

progress to occur but at a slower pace. This delays realizing the value

but ensures that resources are devoted to making progress.

These tactics are routinely employed during budget discussions aimed at
trying to get as much value as possible given fi nite resources.

232 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

Common Proposal Problems

During the review of IT investment proposals, organizational leadership
might encounter several problems related to the estimates of value and the
estimates of the resources needed to obtain the value. If undetected, these
problems might lead to a significant overstatement of potential return or
understatement of costs. An overstatement or understatement, obviously,
may result in significant organizational unhappiness when the value that
people thought they would see never materializes and never could have

Fractions of Effort

Proposal analyses might indicate that the new IT initiative will save fractions
of staff time, for example, that each nurse will spend fifteen minutes less per
shift on clerical tasks. To suggest a total value, the proposal might multiply
as follows (this example is highly simplified): 200 nurses × 15 minutes saved
per 8-hour shift × 250 shifts worked per year = 12,500 hours saved. The math
might be correct, and the conclusion that 12,500 hours will become available
for doing other work such as direct patient care might also be correct. But
the analysis will be incorrect if it then concludes that the organization would
thus “save” the salary dollars of six nurses (assuming 2,000 hours worked
per year per nurse).

Saving fractions of staff effort does not always lead to salary savings,
even when there are large numbers of staff members, because there may be
no practical way to realize the savings—to, for example, lay off six nurses.
If, for example, there are six nurses working each eight-hour shift in a par­
ticular nursing unit, the fifteen minutes saved per nurse would lead to a total
savings of 1.5 hours per shift. But if one were then to lay off one nurse on
a shift, it would reduce the nursing capacity on that shift by eight hours,
damaging the unit’s ability to deliver care. Saving fractions of staff member
effort does not lead to salary savings when staff members are geographically
highly fragmented or when they work in small units or teams. It leads to
possible salary savings only when staff members work in very large groups
and some work of the reduced staff members can be redistributed to others.

Reliance on Complex Behavior

Proposals may project with great certainty that people will use systems in
specific ways. For example, several organizations expect that consumers
will use Internet-based quality report cards to choose their physicians and

T H E I T P R O J E C T P R O P O S A L · 233

hospitals. However, few consumers appear to actually rely on such sites.
Organizations may expect that nurses will readily adopt systems that help
them discharge patients faster. However, nurses often delay entering dis­
charge transactions so that they can grab a moment of peace in an otherwise
overwhelmingly busy day.

System use is often not what was anticipated. This is particularly true
when the organization has no experience with the relevant class of users or
with the introduction of IT into certain types of tasks. The original value
projection can be thrown off by the complex behaviors of system users.
People do not always behave as we expect or want them to. If user behavior
is uncertain, the organization would be wise to pilot an application and learn
from this demonstration.

Unwarranted Optimism

Project proponents are often guilty of optimism that reflects a departure from
reality. Proponents may be guilty of any of four mistakes:

• They assume that nothing will go wrong with the project.

• They assume that they are in full control of all variables that might
affect the project—even, for example, quality of vendor products and
organizational politics.

• They believe that they know exactly what changes in work processes
will be needed and what system features must be present, when
what they really have, at best, are close approximations of what must

• They believe that everyone can give full time to the project and forget
that people get sick or have babies and that distracting problems
unrelated to the project will occur, such as a sudden deterioration in
the organization’s fiscal performance, and demand attention.

Decisions based on such optimism eventually result in overruns in
project budgets and timetables and compromises in system goals. Overruns
and compromises change the value proposition.

Shaky Extrapolations

Projects often achieve gains in the first year of their implementation, and
proponents are quick to project that such gains will continue during the
remaining life of the project. For example, an organization may see 10 percent


234 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

of its physicians move from using dictation when developing a progress note
to using structured, computer-based templates. The organization may then
erroneously extrapolate that each year will see an additional 10 percent shift.
In fact, the fi rst year might be the only year in which such a gain will occur.
The organization has merely convinced the more computer-facile physicians
to change, and the rest of the physicians have no interest in ever changing.

Underestimating the Effort

Project proposals might count the IT staff member effort in the estimates
of project costs but not count the time that users and managers will have to
devote to the project. A patient care system proposal, for instance, may not
include the time that will be spent by dozens of nurses working on system
design, developing workflow changes, and attending training. These efforts
are real costs. They often lead to the need to hire temporary nurses to provide
coverage on the inpatient care units, or they might lead to a reduced patient
census because there are fewer nursing hours available for patient care. Such
miscounting of effort understates the cost of the project.

Fairy-Tale Savings

IT project proposals may note that the project can reduce the expenses
of a department or function, including costs for staff members, supplies,
and effort devoted to correcting mistakes that occur with paper-based pro­
cesses. Department managers will swear in project approval forums that such
savings are real. However, when asked if they will reduce their budgets to
reflect the savings that will occur, these same managers may become sig­
nificantly less convinced that the savings will result. They may comment
that the freed-up staff member effort or supplies budgets can be redeployed
to other tasks or expenses. The managers may be right that the expenses
should be redeployed, and all managers are nervous when asked to reduce
their budgets and still do the same amount of work. However, the savings
expected have now disappeared.

Failure to Account for Post-Implementation Costs

After a system goes live, the costs of the system do not go away. System
maintenance contracts are necessary. Hardware upgrades will be required.
Staff members may be needed to provide enhancements to the application.
These support costs may not be as large as the costs of implementation, but

E N S U R I N G T H E D E L I V E R Y O F V A L U E · 235

they are costs that will be incurred every year, and over the course of several
years they can add up to some big numbers. Proposals often fail to adequately
account for support costs.


Achieving value from IT investments requires management effort. There is
no computer genie that descends on the organization once the system is live
and waves its wand and—shazzam!—value has occurred. Achieving value
is hard work but doable work. Management can take several steps to ensure
the delivery of value (Dragoon, 2003; Glaser, 2003a, 2003b). These steps are
discussed in the sections that follow.

Make Sure the Homework Was Done

IT investment decisions are often based on proposals that are not resting on
solid ground. The proposer has not done the necessary homework, and this
elevates the risk of a suboptimal return.

Clearly, the track record of the investment proposer will have a signifi cant
infl uence on the investment decision and on leaders’ thinking about whether
or not the investment will deliver value. However, regardless of the proposer’s
track record, an IT proposal should enable the leadership team to respond
with a strong yes to each of the following questions:

• Is it clear how the plan advances the organization’s strategy?

• Is it clear how care will improve, costs will be reduced, or service
will be improved? Are the measures of current performance and
expected improvement well researched and realistic? Have the related
changes in operations, workflow, and organizational processes been
defi ned?

• Are the senior leaders whose areas are the focus of the IT plan clearly
supportive? Could they give the project proposal presentation?

• Are the resource requirements well understood and convincingly
presented? Have these requirements been compared to those
experienced by other organizations undertaking similar initiatives?

• Have the investment risks been identifi ed, and is there an approach to
addressing these risks?

• Do we have the right people assigned to the project, have we freed up
their time, and are they well organized?

236 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

Answering with a no, a maybe, or an equivocal yes to any of these ques­
tions should lead one to believe that the discussion is perhaps focusing on
an expense rather than an investment.

Require Formal Project Proposals

It is a fact of organizational life that projects are approved as a result of
hallway conversations or discussions on the golf course. Organizational life
is a political life. While recognizing this reality, the organization should
require that every IT project be written up in the format of a proposal and
that each proposal should be reviewed and subjected to scrutiny before the
organization will commit to supporting it. However, an organization may also
decide that small projects—for example, those that involve less than $25,000
in costs and less than 120 person-hours—can be handled more informally.

Increase Accountability for Investment Results

Few meaningful organizational initiatives are accomplished without estab­
lishing appropriate accountability for results. Accountability for IT investment
results can be improved by taking three major steps.

First, the business owner of the IT investment should defend the invest-
ment—for example, the director of clinical laboratories should defend the
request for a new laboratory system and the director of nursing should defend
the need for a new nursing system. The IT staff members will need to work
with the business owner to define IT costs, establish likely implementation
time frames, and sort through application alternatives. But the IT staff
members should never defend an application investment.

Second, as will be discussed in Chapter Thirteen, project sponsors and
business owners must be defined, and they must understand the accountabil­
ity that they now have for the successful completion of the project.

Third, the presentation of these projects should occur in a forum that
routinely reviews such requests. Seeing many proposals, and their results,
over the course of time will enable the forum participants to develop a sea­
soned understanding of good versus not-so-good proposals. Forum members
are also able to compare and contrast proposals as they decide which ones
should be approved. A manager might wonder (and it’s a good question), “If
I approve this proposal, does that mean that we won’t have resources for
another project that I might like even better?” Examining as many proposals
together as possible enables the organization to take a portfolio view of its
potential investments.

E N S U R I N G T H E D E L I V E R Y O F V A L U E · 237

Figure 7.1 IT investment portfolio

Source: Adapted from Arlotto and Oakes (2003). Copyright 2003 Healthcare Informa­
tion and Management Systems Society (HIMSS) Used with permission.

Figure 7.1 displays an example of a project investment portfolio repre­
sented graphically. The size of each bubble reflects the magnitude of a par­
ticular IT investment. The axes are labeled “reward” (the size of the expected
value) and “risk” (the relative risk that the project will not deliver the value).
Other axes may be used. One commonly used set of axes consists of “support
of operations” and “support of strategic initiatives.”

Diagrams such as the one in Figure 7.1 serve several functions:

• They summarize IT activity on one piece of paper, enabling leaders to
consider a new request in the context of prior commitments.

• They help to ensure a balanced portfolio, promptly revealing
imbalances such as a clustering of projects in the high-risk quadrant.

• They help to ensure that the approved projects cover an appropriate
spectrum of organizational needs: for example, that projects are
directed to revenue cycle improvement, to operational improvement,
and to patient safety.

Manage the Project Well

One guaranteed way to reduce value is to mangle the management of
the implementation project. Implementation failures or signifi cant budget

238 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

Types of Portfolio Investments

Peter Weill and Sinan Aral (2006) note that organizations should manage
their IT investments as a portfolio. Specifically, they describe four types
of IT investments in a portfolio.

Infrastructure. Infrastructure refers to the core information technology
that serves as the foundation for all applications. Examples of
infrastructure include networks, servers, operating systems, and mobile

Transactional. Transactional systems are those applications that support
the core operations processes. Examples of transactional systems
include CPOE, scheduling, clinical laboratory automation, and clinician

Informational. Informational IT assets are those that support decision
making such as clinical decision support, quality measurement and
analyses, market assessment, and budget performance.

Strategic. Strategic investments are IT systems that are critical to the
furthering of an organization’s strategy. These investments could be
infrastructure, transactional, and informational, but they differ in that
they are clearly directed to furthering a strategic initiative as distinct
from being helpful to support ongoing operations.

Weill and Aral note that different industries have different allo­
cations of IT investments across these categories. Financial services
emphasize infrastructure in an effort to ensure high reliability and low
costs. However, retail has emphasized informational as they seek to
understand customer buying patterns.

Source: Weill and Aral (2006).

and  timetable overruns or really unhappy users—any of these can dilute

Among the many factors that can lead to mangled project management
are the following:

• The project’s scope is poorly defi ned.

• The accountability is unclear.

E N S U R I N G T H E D E L I V E R Y O F V A L U E · 239

• The project participants are marginally skilled.

• The magnitude of the task is underestimated.

• Users feel like victims rather than participants.

• All the world has a vote and can vote at any time.

Many of these factors were discussed in Chapters Five and Six.

Manage Outcomes

Value is not an automatic result of implementing an information system.
Value must be managed into existence. Figure 7.2 depicts a reduction in
days in accounts receivable (AR) at a physician practice. During the interval
depicted, a new practice management system was implemented. The practice
did not see a precipitous decline in days in AR (a sign of improved revenue
performance) in the time immediately following the implementation in the
second quarter of 2015. The practice did see a progressive improvement in
days in AR because someone was managing that improvement using the new
capabilities that came with the new system.

If the gain in revenue performance had been an “automatic” result of the
information system implementation, the practice would have seen a quick,
sharp drop in days in AR. Instead it saw a gradual improvement over time.
This gradual change reflects the following:

• The gain occurred through day-in, day-out changes in operational

processes, fine-tuning of system capabilities, and follow-ups in staff


Figure 7.2 Days in accounts receivable

240 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

• A person had to be in charge of obtaining this improvement. Someone
had to identify and make operational changes, manage changes in
system capabilities, and ensure that needed training occurred.

Conduct Post-Implementation Audits

Rarely do organizations revisit their IT investments to determine if the
promised value was actually achieved. They tend to believe that once the
implementation is over and the change settles in, value will have been auto­
matically achieved. This is unlikely.

Post-implementation audits can be conducted to identify value achieve­
ment progress and the steps still needed to achieve maximum gain. An
organization might decide to audit two to four systems each year, selecting
systems that have been live for at least six months. During the course of the
audit meeting, these five questions can be asked:

1. What goals were expected at the time the project investment was

2. How close have we come to achieving those original goals?

3. What do we need to do to close the goal gap?

4. How much have we invested in system implementation, and how does
that compare to our original budget?

5. If we had to implement this system again, what would we do

Post-implementation audits assist value achievement by the following:

• Signaling leadership interest in ensuring the delivery of results

• Identifying steps that still need to be taken to ensure value

• Supporting organizational learning about IT value realization

• Reinforcing accountability for results

Celebrate Value Achievement

Business value should be celebrated. Organizations usually hold parties
shortly after applications go live. These parties are appropriate; a lot of people
worked very hard to get the system up and running and used. However, up
and running and used does not mean that value has been delivered. In addi­
tion to go-live parties, organizations should consider business value parties,


E N S U R I N G T H E D E L I V E R Y O F V A L U E · 241

celebrations conducted once the value has been achieved—for example, a party
that celebrates the achievement of service improvement goals. Go-live parties
alone risk sending the inappropriate signal that implementation is the end
point of the IT initiative. Value delivery is the end point.

Leverage Organizational Governance

The creation of an IT committee of the board of directors can enhance organi­
zational efforts to achieve value from IT investments. At times the leadership
team of an organization is uncomfortable with some or all of the IT conversa­
tion. Board members may not understand why infrastructure is so expensive
or why large implementations can take so long and cost so much. They may
feel uncomfortable with the complexity of determining the likely value to
be obtained from IT investments. The creation of a subcommittee made up
of the board members most experienced with such discussions can help to
ensure that hard questions are being asked and that the answers are sound.

Shorten the Deliverables Cycle

When possible, projects should have short deliverable cycles. In other words,
rather than asking the organization to wait twelve or eighteen months to
see the first fruits of its application implementation labors, make an effort
to deliver a sequence of smaller implementations. For example, one might
conduct pilots of an application in a subset of the organization, followed
by a staged rollout. Or one might plan for serial implementation of the fi rst
25 percent of the application features.

Pilots, staged rollouts, and serial implementations are not always doable.
When they are possible, however, they enable the organization to achieve
some value earlier rather than later, support organizational learning about
which system capabilities are really important and which were only thought
to be important, facilitate the development of reengineered operational pro­
cesses, and create the appearance (whose importance is not to be underesti­
mated) of more value delivery.

Benchmark Value

Organizations should benchmark their performance in achieving value
against the performance of their peers. These benchmarks might focus on
process performance—for example, days in accounts receivable or average
time to get an appointment. An important aspect of value benchmarking

242 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

is the identification of the critical IT application capabilities and related
operational changes that enabled the achievement of superior results. This
understanding of how other organizations achieved superior IT-enabled per­
formance can guide an organization’s efforts to continuously achieve as much
value as possible from its IT investments.

Communicate Value

Once a year the IT department should develop a communication plan for the
twelve months ahead. This plan should indicate which presentations will
be made in which forums and how often IT-centric columns will appear in
organizational newsletters. The plan should list three or so major themes—
for example, specific regional integration strategies or efforts to improve IT
service—that will be the focus of these communications. Communication
plans try to remedy the fact that even when value is being delivered, most
people in the organization may not be fully aware of it.


The IT investment and value challenge plagues all industries. It is not a
problem peculiar to health care. The challenge has been with us for fi fty
years, ever since organizations began to spend money on big mainframes.
This challenge is complex and persistent, and we should not believe we can
fully solve it. We should believe we can be better at dealing with it. This
section highlights the conclusions of several studies and articles that have
examined this challenge.

Factors That Hinder Value Return

The Committee to Study the Impact of Information Technology on the Perfor­
mance of Service Activities (1994) found these major contributors to failures
to achieve a solid return on IT investments:

• The organization’s overall strategy is wrong, or its assessment of its
competitive environment is inadequate.

• The strategy is fine, but the necessary IT applications and
infrastructure are not defined appropriately. The information system,
if it is solving a problem, is solving the wrong problem.

• The organization fails to identify and draw together well all the
investments and initiatives necessary to carry out its plans. The IT

A N A L Y S E S O F T H E I T V A L U E C H A L L E N G E · 243

investment then falters because other changes, such as reorganization
or reengineering, fail to occur.

• The organization fails to execute the IT plan well. Poor planning

or less than stellar management can diminish the return from any


Value may also be diluted by factors outside the organization’s control.
Weill and Broadbent (1998) noted that the more strategic the IT investment,
the more its value can be diluted. An IT investment directed to increasing
market share may have its value diluted by non-IT decisions and events—for
example, pricing decisions, competitors’ actions, and customers’ reactions.
IT investments that are less strategic but have business value—for example,
improving nursing productivity—may be diluted by outside factors—for
example, shortages of nursing staff members. And the value of an IT invest­
ment directed toward improving infrastructure characteristics may be diluted
by outside factors—for example, unanticipated technology immaturity or
business difficulties confronting a vendor.

The Investment-Performance Relationship

A study by Strassmann (1990) examined the relationship between IT expendi­
tures and organizational effectiveness. Data from an Information Week survey
of the top one hundred users of IT were used to correlate IT expenditures per
employee with profits per employee. Strassmann concluded that there is no
overall obvious direct relationship between expenditure and organizational
performance. This finding has been observed in several other studies (for
example, Keen, 1997). It leads to several conclusions:

• Spending more on IT is no guarantee that the organization will be
better off. There has never been a direct correlation between spending
and outcomes. Paying more for care does not give one correspondingly
better care. Clearly, one can spend so little that nothing effective
can be done. And one can spend so much that waste is guaranteed.
But moving IT expenditures from 4 percent of the operating budget
to 6 percent of the operating budget does not inherently lead to a 50
percent increase in desirable outcomes.

• Factors other than the appropriateness of the tool to the task also

infl uence the relationship between IT investment and organizational

performance. These factors include the nature of the work (for

example, IT is likely to have a greater impact on bank performance

244 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

than on consulting firm performance), the basis of competition in an
industry (for example, cost per unit of manufactured output versus
prowess in marketing), and an organization’s relative competitive
position in the market.

The Value of the Overall Investment

Many analyses and academic studies have been directed to answering this
broad question: How can an organization assess the value of its overall invest­
ments in IT? Assessing the value of the aggregate IT investment is different
from assessing the value of a single initiative or other specifi c investment.
And it is also different from assessing the caliber of the IT department.

Developing a definitive, accurate, and well-accepted way to answer this
question has so far eluded all industries and may continue to be elusive.
Nonetheless there are some basic questions that can be asked in pursuit of
answering the larger question. Interpreting the answers to these basic ques­
tions is a subjective exercise, making it difficult to derive numerical scores.
Bresnahan (1998) suggests fi ve questions:

1. How does IT infl uence the customer experience?

2. Do patients and physicians, for example, find that organizational
processes are more effi cient, less error prone, and more convenient?

3. Does IT enable or retard growth? Can the IT organization support
effectively the demands of a merger? Can IT support the creation of
clinical product lines—for example, cardiology—across the integrated
delivery system?

4. Does IT favorably affect productivity?

5. Does IT advance organizational innovation and learning?

Progressive Realization of IT Value

Brown and Hagel (2003) made three observations about IT value.
First, IT value requires innovation in business practices. If an organiza­

tion merely computerizes existing processes without rectifying (or at times
eliminating) process problems, it may have merely made process problems
occur faster. In addition, those processes are now more expensive because
there is a computer system to support. Providing appointment scheduling
systems may not make waiting times any shorter or enhance patients’ ability
to get an appointment when they need one.

A N A L Y S E S O F T H E I T V A L U E C H A L L E N G E · 245

All IT initiatives should be accompanied by efforts to materially improve
the processes that the system is designed to support. IT often enables the
organization to think differently about a process or expand its options for
improving a process. If the process thinking is narrow or unimaginative, the
value that could have been achieved will have been lost, with the organiza­
tion settling for an expensive way to achieve minimal gain.

For example, if Amazon had thought that the Internet enabled it to simply
replace the catalogue and telephone as a way of ordering something, it would
have missed ideas such as presenting products to the customer based on
data about prior orders or enabling customers to leave their own ratings of
books and music.

Second, the economic value of IT comes from incremental innovations
rather than “big bang” initiatives. Organizations will often introduce very
large computer systems and process change all at once. Two examples of such
big bangs are the replacement of all systems related to the revenue cycle and
the introduction of a new EHR over the course of a few weeks.

Big bang implementations are very tricky and highly risky. They may be
haunted by series of technical problems. Moreover, these systems introduce
an enormous number of process changes affecting many people. It is excep­
tionally difficult to understand the ramifications of such change during the
analysis and design stages that precede implementation. A full understand­
ing is impossible. As a result, the implementing organization risks material
damage. This damage destroys value. It may set the organization back, and
even if the organization grinds its way through the disruption, the resulting
trauma may make the organization unwilling to engage in future ambitious
IT initiatives.

By contrast, IT implementations (and related process changes) that are
more incremental and iterative reduce the risk of organizational damage and
permit the organization to learn. The organization has time to understand the
value impact of phase n and then can alter its course before it embarks upon
phase n + 1. Moreover, incremental change leads the organization’s members
to understand that change, and realizing value, are never-ending aspects of
organizational life rather than things to be endured every couple of years.

Third, the strategic impact of IT investments comes from the cumulative
effect of sustained initiatives to innovate business practices. If economic value
is derived from a series of thoughtful, incremental steps, then the aggregate
effect of those steps should be a competitive advantage. Most of the time,
organizations that wind up dominating an industry do so through incremen­
tal movement over the course of several years (Collins, 2001).

Persistent innovation by a talented team, over the course of years, will
result in significant strategic gains. The organization has learned how to

246 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

improve itself, year in and year out. Strategic value is a marathon. It is a long
race that is run and won one mile at a time.

Companies with Digital Maturity

CapGemini (2012) examined digital innovations at four hundred large com­
panies. The study examined the digital maturity of these companies and
compared this maturity with the performance of the companies. Digital
maturity is defined according to two variables:

• Digital intensity, or the extent to which the company had invested in
technology-enabled initiatives to change how the company operates.
Example investments included advanced analytics, social media,
digital design of products, and real-time monitoring of operations.

• Transformation management intensity, or the extent of the leadership
capabilities necessary to drive digital transformation throughout
the company. Example capabilities included vision, governance, and
ability to change culture.

The study examined the degree to which digital intensity and transfor­
mation-management intensity separated those that performed well from those
that did not. (See Figure 7.3.)

The study found that companies that had low scores on both intensity
dimensions fared the poorest (24 percent less profitable than their competi­
tors), whereas companies that had high scores on both intensity dimensions
performed the best (26 percent more profitable than their competitors).

However, the study found that transformation-management intensity was
more important than digital intensity. Companies that had high transformation-
management intensity but low digital intensity performed 9  percent better
than their competitors. And companies that had high digital intensity but
low transformation intensity were 11 percent less profitable than competitors.

Transformation ability was more important than investment in IT although
IT investments enabled transformation skills to achieve more value.


IT value is complex, multifaceted, and diverse across and within proposed
initiatives. The techniques used to analyze value must vary with the nature
of the value.

S U M M A R Y · 247

Figure 7.3 Digital intensity versus transformation intensity

Source: CapGemini (2012). CapGemini Consulting and the MIT Center for Digital
Business, “The Digital Advantage: How digital leaders outperform their peers in every
industry,” Nov. 5, 2012. Used with permission.

The project proposal is the core means for assessing the potential value
of an IT initiative. IT proposals have a commonly accepted structure. And
approaches exist for comparing proposals with different types of value prop­
ositions. Project proposals often present problems in the way they estimate
value—for example, they may unrealistically combine fractions of effort
saved, fail to appreciate the complex behavior of system users, or underesti­
mate the full costs of the project.

Many factors can dilute the value realized from an IT investment. Poor
linkage between the IT agenda and the organizational strategy, the failure
to set goals, and the failure to manage the realization of value all contribute
to dilution.

There are steps that can be taken to improve the achievement of IT value.
Leadership can ensure that project proponents have done their homework,
that accountability for results has been established, that formal proposals

248 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

are used, and that post-implementation audits are conducted. Even though
there are many approaches and factors that can enhance the realization of
IT-enabled value, the challenges of achieving this value will remain a man­
agement issue for the foreseeable future.

Health care organization leaders often feel ill-equipped to address the IT
investment and value challenge. However, no new management techniques
are required to evaluate IT plans, proposals, and progress. Leadership teams
are often asked to make decisions that involve strategic hunches (such as a
belief that developing a continuum of care would be of value) about areas
where they may have limited domain knowledge (new surgical modalities)
and where the value is fuzzy (improved morale). Organizational leaders
should treat IT investments just as they would treat other types of invest­
ments; if they don’t understand, believe, or trust the proposal or its proponent,
they should not approve it.

Digital maturity
Internal rate of return
IT project proposal


IT value
Net present value
Value realization

1. Interview the CIO of a local health care provider or payer. Discuss
how his or her organization assesses the value of IT investments and
ensures that the value is delivered.

2. Select two articles from a health care IT trade journal that describe
the value an organization received from its IT investments. Critique
and compare the articles.

3. Select two examples of intangible value. Propose one or more
approaches that an organization might use to measure each of those

4. Prepare a defense of the value of a signifi cant investment in an
electronic health record system.


Amarasingham, R., Plantinga, L., Diener-West, M., Gaskin, D. J., & Powe, N. R.
(2009). Clinical information technologies and inpatient outcomes. Archives of
Internal Medicine, 169(2), 108–114.

R E F E R E N C E S · 249

Amland, R., Dean, B., Yu, H., Ryan, H., Orsund, T., Hackman, J., & Roberts, S.
(2015). Computerized clinical decision support to prevent venous thrombo­
embolism among hospitalized patients: Proximal outcomes from a multi-year
quality improvement project. Journal for Healthcare Quality, 37(4), 221–231.

Arlotto, P., & Oakes, J. (2003). Return on investment: Maximizing the value of
healthcare information technology. Chicago, IL: Healthcare Information and
Management Systems Society.

Bresnahan, J. (1998, July 15). What good is technology? CIO Enterprise, pp. 25–26,
28, 30.

Brown, J., & Hagel, J. (2003). Does IT matter? Harvard Business Review, 81,

CapGemini. (2012). The digital advantage: How digital leaders outperform their peers
in every industry. Paris, France: CapGemini.

Cebul, R. D., Love, T. E., Jain, A. K., & Herbert, C. J. (2011). Electronic health
records and the quality of diabetes care. New England Journal of Medicine,
365, 825–833.

Collins, J. (2001). Good to great. New York, NY: HarperCollins.

Committee to Study the Impact of Information Technology on the Performance
of Service Activities. (1994). Information technology in the service society.
Washington, DC: National Academies Press.

Del Beccaro, M. A., Jeffries, H. E., Eisenberg, M. A., & Harry, E. D. (2006). Com­
puterized provider order entry implementation: No association with increased
mortality rates in an intensive care unit. Pediatrics, 118(1), 290–295.

Dragoon, A. (2003, Aug. 15). Deciding factors. CIO, pp. 49–59.

Glaser, J. (2003a, March). Analyzing information technology value. Healthcare
Financial Management, pp. 98–104.

Glaser, J. (2003b, Sept.). When IT excellence goes the distance. Healthcare Finan­
cial Management, pp. 102–106.

Han, Y. Y., Carcillo, J. A., Venkataraman, S. T., Clark, R.S.B., Watson, R. S.,
Nguyen, T. C., Bayir, H., & Orr, R. A. (2005). Unexpected increased mortality
after implementation of a commercially sold computerized physician order
entry system. Pediatrics, 116(6), 1506–1512.

Keen, P. (1997). The process edge. Boston, MA: Harvard Business School Press.

Mosquera, M. (2011). How PHRs boosted shareholder value at EMC. Govern­
ment Health IT. Retrieved August 2011 from

Ross, J., & Beath, C. (2002). Beyond the business case: New approaches to IT
investment. MIT Sloan Management Review, 43(2), 51–59.

Ross, J. W., & Johnson, E. (2009). Prioritizing IT investments. Research Briefi ng,
IX(3). Cambridge, MA: MIT Center for Information Systems Research.

250 · C H A P T E R 7 : A S S E S S I N G A N D A C H I E V I N G V A L U E I N H E A L T H C A R E I N F O R M A T I O N S Y S T E M S

Strassmann, P. (1990). The business value of computers. New Canaan, CT: Informa­
tion Economics Press.

Weill, P., & Aral, S. (2006). Generating premium returns on your IT investments.
MIT Sloan Management Review, 47(2), 54–60.

Weill, P., & Broadbent, M. (1998). Leveraging the new infrastructure. Boston, MA:
Harvard Business School Press.


Organizing Information

Technology Services


• To be able to describe the roles, responsibilities, and major
functions of the IT department or organization.

• To be able to discuss the role and responsibility of the chief
information offi cer (CIO), chief medical informatics offi cer
(CMIO), chief security offi cer (CSO), chief technology offi cer
(CTO), and other key IT staff members.

• To be able to describe the different ways IT services might be
organized and governed within a health care organization.

• To be able to identify key attributes of highly effective IT

• To be able to describe the role and function of the data analytics
department or unit.

• To be able to develop a plan for evaluating the effectiveness of
the IT function within an organization.


252 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

By now you should have an understanding of health care data, the various
clinical and administrative applications that are used to manage those
health care data, and the processes of selecting, acquiring, and implement­
ing health care information systems. You should also have a basic under­
standing of the core technologies that are common to many health care
applications, and you can appreciate some of what it takes to ensure that
information systems are reliable and secure.

In many health care organizations, an information technology (IT) func­
tion requires staff members who are involved in these and other IT-related
activities—everything from customizing a software application to setting up
and maintaining a wireless network to performing system backups. In a solo
physician practice, this responsibility may lie with the office manager or
lead physician. In a large hospital setting, this responsibility may lie with the
IT department in conjunction with the medical staff, the administration, and
the major departmental units—for example, admissions, fi nance, radiology,
and nursing.

Some health care organizations outsource a portion or all of their IT
services; however, they are still responsible for ensuring that those services
are of high quality and support the IT needs of the organization. This respon­
sibility cannot be delegated entirely to an outside vendor or IT fi rm. Health
care executives must manage IT resources just as they do human, fi nancial,
and other facility resources.

This chapter provides an overview of the various functions and respon­
sibilities that one would typically find in the IT department of a large health
care organization. We describe the different groups or units that are typically
seen in an IT department. We review a typical organizational structure for
IT and discuss the variations that are often seen in that structure and the
reasons for them. This chapter also presents an overview of the senior IT
management roles and the roles with which health care executives will often
work in the course of projects and IT initiatives. IT outsourcing, in which
the health care organization asks an outside vendor to run IT, is reviewed.
Finally, we examine approaches to evaluating the efficiency and effectiveness
of the IT department.


The IT department has been an integral part of most hospitals or health care
systems since the early days of mainframe computing. If the health care facil­
ity was relatively large and complex and used a fair amount of information
technology, one would find IT staff members behind the scenes developing or
enhancing applications, building system interfaces, maintaining databases,

I N F O R M A T I O N T E C H N O L O G Y F U N C T I O N S · 253

managing networks, performing system backups, and carrying out a host of
other IT support activities. Today the IT department is becoming increasingly
important, not only in hospitals but also in all health care organizations that
use IT to manage clinical and administrative data and processes.

Throughout this chapter we refer to the IT department usually found in
an integrated health care system. We chose this setting because it is typically
the most complex and IT intensive. Moreover, many of the principles that
apply to managing IT resources in this setting also apply in other types of
health care facilities, such as an ambulatory care clinic or rural commu­
nity health center. The breadth and scope of the services provided may differ
considerably, however, depending on the extent to which IT is used in the

IT Department Responsibilities

The IT department has several responsibilities:

• Ensuring that an IT plan and strategy have been developed for the
organization and that the plan and strategy are kept current as
the organization evolves; these activities are discussed in Chapter

• Working with the organization to acquire or develop and implement
needed new applications; these processes were discussed in Chapters
Five and Six

• Providing day-to-day support for users: for example, fi xing broken
workstations, responding to questions about application use, training new
users, and applying vendor-supplied upgrades to existing applications

• Managing the IT infrastructure: for example, performing backups
of databases, installing network connections for new organizational
locations, monitoring system performance, and securing the
infrastructure from denial of service attacks

• Examining the role and relevance of emerging information


Core Functions

To fulfill their responsibilities, all IT departments have four core functions.
Depending on the size of the IT group and the diversity of applications and
responsibilities, a function may require several subsidiary departments or

254 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

Operations and Technical Support

The operations and technical support function manages the IT infrastruc­
ture—for example, the servers, networks, operating systems, database man­
agement systems, and workstations. This function installs new technology,
applies upgrades, troubleshoots and repairs the infrastructure, performs
“housekeeping” tasks such as backups, and responds to user problems, such
as a printer that is not working.

This function may have several IT subgroups:

• Data center management: manages the equipment in the
organization’s computer center

• Network engineers: manage the organization’s network technologies

• Server engineers: oversee the installation of new servers and perform
such tasks as managing server space utilization

• Database managers: add new databases, support database query tools,
and respond to database problems such as fi le corruptions

• Security: ensure that virus and intrusion detection software is current,
physical access to the computer room is constrained, disaster recovery
plans are current, and processes are in place to manage application
and system passwords

• Help desk: provide support to users who call in with problems such as
broken offi ce equipment, trouble operating an application, a forgotten
password, or uncertainty about how to perform a specifi c task on the

• Deployments: install new workstations and printers, move
workstations when groups move to new buildings, and the like

• Training: train organization staff members on new applications and
offi ce software, such as presentation development applications

Applications Management

The applications management group manages the processes of acquiring new
application systems, developing new application systems, implementing these
new systems, providing ongoing enhancement of applications, troubleshoot­
ing application problems, and working with application suppliers to resolve
these problems.

This function may have several IT groups:

• Groups that focus on major classes of applications: for example, a
financial systems group and a clinical systems group

I N F O R M A T I O N T E C H N O L O G Y F U N C T I O N S · 255

• Groups dedicated to specifi c applications (this is most likely in large
organizations): for example, a group to support the applications in the
clinical laboratory or in radiology

• An applications development group (this is found in organizations that
perform a signifi cant amount of internal development)

• Groups that focus on specifi c types of internal development: for
example, a web or mobile device development group

Specialized Groups

Health care organizations may develop groups that have very specialized func­
tions, depending on the type of organization or the organization’s approach
to IT. For example:

• Groups that support the needs of the research community in academic
medical centers

• Process redesign groups in organizations that engage in a signifi cant
degree of process reengineering during application implementation

• Decision-support groups that help users and management perform
analyses and create reports from corporate databases—for example,
quality-of-care reports or financial performance reports

In addition, the chief information offi cer (CIO), who is the most senior
IT executive, is often responsible for managing the organization’s telecom­
munications function—the staff members who manage the phone system,
overhead paging system, and nurse call systems. Depending on the organiza­
tion’s structure and the skill and interests of the CIO, one occasionally fi nds
these other organizational functions reporting to the CIO. These additional
functions are often added because of the executive skills of the CIO and not
strictly because they are IT-related:

• The health information management or medical records department

• The function that handles the organization’s overall strategic plan

• The marketing department

IT Administration

Depending on the size of the IT department, one may find groups that focus
on supporting IT administrative activities. These groups may perform such
tasks as these:

256 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

• Overseeing the development of the IT strategic plan

• Managing contracts with vendors

• Developing and monitoring the IT budget

• Providing human resource support for the IT staff members

• Providing support for the management of IT projects: for example,
developing project status reports or providing project management

• Managing the space occupied by an IT department or group

A typical organizational structure for an IT department in a large health
system is shown in Figure 8.1.

Figure 8.1 shows the enterprise-wide CIO, a deputy CIO, and CIOs for each
of the major divisions, for example, an academic medical center and the phy­
sician network of the health system. The division CIOs must ensure that the
IT needs of each division are met and that the division needs are considered
during the development and execution of enterprise-level initiatives such as
the implementation of a common revenue cycle system.

Figure 8.1 also shows roles for specialized functions: telehealth, genomics
IT, research, medical imaging, and medical informatics. The figure shows the
operations and technical support groups (technical services and operations
and network services and communications), application management groups
(clinical systems and finance and administrative systems), the IT administra­
tion group (IS administration), and health information management.

Finally, the fi gure shows the presence of a CTO (chief technology offi cer)
and CISO (chief information security officer), which will be discussed in the
following section on IT senior leadership roles.

IT Senior Leadership Roles

Within the overall IT group, several positions and roles are typically present
ranging from senior leadership—for example, the chief information offi cer—
to staff members who do the day-in, day-out work of implementing applica­
tion systems—for example, systems analysts. In the following sections we
will describe several senior-level IT positions:

• Chief information offi cer (CIO)

• Chief technology offi cer (CTO)

• Chief information security offi cer (CISO)

• Chief clinical informatics offi cer (CCIO), specifi cally the chief medical
information offi cer (CMIO)

258 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

This is not an exhaustive list of all possible senior-level positions, but the
discussion provides an overview of typical roles and functions.

The Chief Information Offi cer

Many midsize and large health care organizations employ a chief information
officer (CIO). The CIO not only manages the IT department but also is seen
as the executive who can successfully lead the organization in its efforts to
apply IT to advance its strategies.

The role of the CIO in health care and other industries has been the
subject of research and debate over the years (Glaser & Kirby, 2009; Glaser
& Williams, 2007). Studies conducted by College of Healthcare Information
Management Executives (CHIME) (1998, 2008) have chronicled the evolu­
tion of the health care CIO. This evolution has involved debates on CIO
reporting relationships, salaries, and titles and the role of the CIO in an
organization’s strategic planning. Through extensive research, CHIME has
identified seven key attributes, or competencies, exhibited by high- performing
CIOs (CHIME, 2008). CHIME provides intensive “boot camp” training ses­
sions for its CIO members to aid in their professional development of these

Earlier work by Earl and Feeney (1995) found that CIOs from a wide range
of industries who added value to their respective organizations had many of
these same characteristics:

• Obsessively and continuously emphasize business imperatives so that
they focus the IT direction correctly

• Have a track record of delivery that causes IT performance problems
to drop off management’s agenda

• Interpret for the rest of the leadership team the meaning and nature of
the IT success stories of other organizations

• Establish and maintain good working relationships with the members
of the organization’s leadership

• Establish and communicate the IT performance record.

• Concentrate the IT development efforts on those areas of the
organization where the most leverage is to be gained

• Work with the organization’s leadership to develop a shared vision of
the roles and contributions of IT

• Make important general contributions to business thinking and

I N F O R M A T I O N T E C H N O L O G Y F U N C T I O N S · 259

Seven Key Attributes of a High Performing CIO

1. Sets vision and strategy. Collaborates well with senior leaders to set

organization vision and strategy and to determine how technology

can best serve the organization.

2. Integrates information technology for business success. Applies

knowledge of the organization’s systems, structures, and functions

to determine how best to advance the performance of the business

with technology.

3. Makes change happen. Is able to lead the organization in

making the process changes necessary to fully capitalize on IT


4. Builds technological confi dence. Helps the business assess the

value of IT investments and the steps needed to achieve that value.

5. Partners with customers. Interacts with internal and external cus­
tomers to ensure continuous customer satisfaction.

6. Ensures information technology talent. Creates a work environ­
ment and community that draws, develops, and retains top IT


7. Builds networks and community. Develops and maintains profes­
sional networks with internal and external sources and effectively

leverages those networks to further the effective use of IT.

Source: CHIME (2008).

Earl and Feeney (1995) also found that the value-added CIO, as a person,
has integrity, is goal directed, is experienced with IT, and is a good consul­
tant and communicator. Those organizations that have such a CIO tend to
describe IT as critical to the organization, find that IT thinking is embedded
in business thinking, note that IT initiatives are well focused, and speak
highly of IT performance.

Organizational excellence in IT doesn’t just happen. It is managed and
led. If the health care organization decides that the effective application of IT
is a major element of its strategies and plans, it will need a very good CIO.
Failure to hire and retain such talent will severely hinder the organization’s

260 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

Whom the CIO should report to has been a topic of industry debate and
an issue inside organizations as well. CIOs will often argue that they should
report to the chief executive officer (CEO). This argument is not wrong nor is
it necessarily right. The CIO does need access to the CEO and clearly should
be a member of the executive committee and actively involved in strategy
discussions. However, the CIO needs a boss who is a good mentor, provides
appropriate political support, and is genuinely interested in the application
of IT. Chief fi nancial officers (CFOs) and chief operating officers (COOs) can
be terrific in these regards. In general about one-third of all health care
provider CIOs report to the CEO, one-third report to the CFO, and one-third
report to the COO.

The Chief Technology Offi cer

The chief technology offi cer (CTO) has several responsibilities. The CTO
must guide the definition and implementation of the organization’s tech­
nical architecture. This role includes defining technology standards (for
example, defining the operating systems and network technologies the
organization will support), ensuring that the technical infrastructure is
current (for example, that major vendor releases and upgrades have been
applied), and ensuring that all the technologies fit. The CTO’s role in
ensuring fit is similar to an architect’s role in ensuring that the materi­
als used to construct a house come together in a way that results in the
desired house.

The CTO is also responsible for tracking emerging technologies, identi­
fying the ones that might provide value to the organization, assessing them,
and when appropriate, working with the rest of the IT department and the
organization to implement these technologies. For example, the CTO may be
asked to investigate the possible usefulness of the Internet of Things. The CTO
role is not often found in smaller organizations but is increasingly common
in larger ones. In smaller organizations, the CIO also wears the CTO hat.

The Chief Information Security Offi cer

As will be discussed in Chapter Nine, the chief information security offi cer
(CISO) is a relatively new position that has emerged as a result of the growing
threats to information security and the health care organization’s need to
comply with federal and state security regulations. The primary role and
functions of the CISO are to ensure that the health care organization has an
effective information security plan, appropriate technical and administrative
procedures are in place to ensure that information systems are secure and

I N F O R M A T I O N T E C H N O L O G Y F U N C T I O N S · 261

safe from tampering or misuse, and appropriate disaster recovery procedures

The Chief Clinical Informatics Offi cer

There are several roles that fall under the broad umbrella of the chief clinical
informatics officer (AMIA Task Force Report on CCIO Knowledge, Education
and Skillset Requirements, 2016). These roles include the chief nursing infor­
matics officer (CNIO) and the chief pharmacy informatics officer. Of these
roles the chief medical information offi cer (CMIO) is the most common
(approximately 30 percent of CIOs employ a CMIO (AMIA Task Force Report
on CCIO Knowledge, Education and Skillset Requirements, 2016) although
still a relatively new position. The CMIO position emerged as a result of the
growing interest in adopting clinical information systems and leveraging
those systems to improve care. The CMIO is usually a physician, and this
role may be filled through a part-time commitment by a member of the orga­
nization’s medical staff.

Murphy (2011) identified the skills of the CCIO (including the CMIO and

• Guide an EHR selection process

• Define a clinical information systems governance process

• Engage senior executives in an EHR culture and practice changes

• Advise on implementation methodologies and the sequencing of EHR

• Identify the value proposition and key performance indicator metrics
of EHR use

• Determine an EHR enhancement request system and prioritization

• Staff ongoing clinical process improvement initiatives

• Educate about health technology and the interactions between people
and process changes

• Develop strong relationships with key stakeholders in the organization

The CIO, CTO, CISO, and CMIO all play important roles in helping to
ensure that information systems acquired and implemented are consistent
with the strategic goals of the health care organization, are well accepted
and effectively used, and are adequately maintained and secured. Sample job
descriptions for the CIO and the CMIO positions are given in Appendix B.

262 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

IT Staff Roles

The IT leadership team cannot carry out the organization’s IT agenda uni­
laterally. The department’s work relies heavily on highly trained, qualifi ed
professional and technical staff members to perform a host of IT-related
functions. In this section are brief descriptions of some key professionals
who work in IT:

• The project leader

• The systems analyst

• The programmer

• The database administrator

• The network administrator

The Project Leader

The project leader manages IT projects such as the implementation of a new
revenue cycle application, deployment of infrastructure in a new medical
office building, or determination of the need for a new system. At times
project leaders are staff members from user departments, though in general
they are members of the IT department. This role was discussed in more
depth in Chapter Six.

The Systems Analyst

The role of the systems analyst will vary considerably depending on the
analyst’s background and the needs of the organization. Some analysts have
a strong computer programming background, whereas others have a business
orientation or come from clinical disciplines, such as nursing, pharmacy, or
the laboratory. In fact, because of the increased interest in the adoption of
clinical information systems, systems analysts with clinical backgrounds in
nursing, pharmacy, medical technology, and the like (often referred to as
clinical systems analysts) are in high demand. Most systems analysts work
closely with managers and end users in identifying information system needs
and problems, evaluating workflow, and determining strategies for optimiz­
ing the use and effectiveness of particular systems.

When an organization decides to develop a new information system,
systems analysts are often called on to determine what computer hardware
and software will be needed. They prepare specifi cations, fl owcharts, and
process diagrams for computer programmers to follow.

I N F O R M A T I O N T E C H N O L O G Y F U N C T I O N S · 263

They work with programmers and vendor staff members to test new
systems and system upgrades, recommend solutions, and determine whether
program requirements have been met. They may also prepare cost-benefi t and
return-on-investment analyses to help management decide whether imple­
menting a proposed system will deliver the desired value.

The Programmer

Programmers write, test, and maintain the programs that computers must
follow to perform their functions. They also conceive, design, and test logical
structures for solving problems with computers. Many technical innovations
in programming—advanced computing technologies and sophisticated new
languages and programming tools—have redefined the role of programmers
and elevated much of the programming work done today.

Programmers are often grouped into two broad types—applications pro­
grammers and systems programmers. Applications programmers write
programs to handle specific user tasks, such as a program to track inven­
tory within an organization. They may also revise existing packaged soft­
ware or customize generic applications such as integration technologies.
Systems programmers write programs to maintain and control infrastruc­
ture software, such as operating systems, networked systems, and database
systems. They are able to change the sets of instructions that determine
how the network, workstations, and central processing units within a
system handle the various jobs they have been given and how they com­
municate with peripheral equipment such as other workstations, printers,
and disk drives.

The Database Administrator

Database administrators work with database management systems soft­
ware and determine ways to organize and store data. They identify user
requirements, set up computer databases, and test and coordinate modifi ­
cations to these systems. An organization’s database administrator ensures
the performance of the database systems, understands the platform on
which the databases run, and adds new users to the systems. Because they
may also design and implement system security, database administrators
often plan and coordinate security measures. With the volume of sensitive
data growing rapidly, data integrity, backup systems, and database secu­
rity have become increasingly important aspects of the job for database

264 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

The advent of payment reform is placing increasing pressure on providers
to improve the effi ciency and quality of clinical, operational, and fi nancial
performance. Moreover, the arrival of population health requires that pro­
viders define their populations and manage the health and care received
by that population. These pressures result in the need for a group that pro­
vides superior analytics support to the organization.

Most providers have had an analytics group for some time. Providers
have used analytics to measure referral patterns, DRG performance, payer
mix, and expected reimbursement and patient volumes. However, these
pressures have elevated the importance of this group and often expanded
their staff and the scope of their work.

This group can be a department within the IT organization but increas­
ingly the group reports up through a non-IT function, usually the function
responsible for clinical quality or fi nance.

Wadsworth (2016) defines a proposed structure and role for a typical
provider analytics group. A content and analytics team, composed of data
architects and outcomes analysts, mines the data contained in an enterprise
data warehouse (which is the aggregation, across the organization, of the
clinical, financial, operational, and market data deemed most important
to the organization). The team works with a senior leadership committee
to identify potential areas of organizational improvement. The commit­
tee prioritizes the areas and assigned workgroups to engage in process

Workgroups are teams that identify steps that should be taken to
improve clinical, operational, and financial performance of a particular
area (e.g., pharmacy) or process (e.g., total joint replacement). This work
usually defines a current state and outlines a desired future state. The core

The Network Administrator

It is essential that the organization has an adequate network or network
infrastructure to support all its clinical and administrative applications and
also its general applications (such as e-mail, intranets, and videoconferenc­
ing). Networks come in many variations, so network administrators are
needed to design, test, and evaluate systems such as local area networks

I N F O R M A T I O N T E C H N O L O G Y F U N C T I O N S · 265

Analytics Department

of the workgroup typically consists of a physician lead, an operations lead,
and a nurse who understands the patient workfl ow.

Members of the workgroup typically fulfill these functions:

• Data architect: Builds a solid architecture to capture and provide data
from disparate source systems into an integrated platform

• Application administrator: Ensures source-system applications func­
tion to capture needed data elements

• Outcomes analyst: Mines data to identify statistically valid trends
and variability that may exist

• Knowledge manager: Acts as a liaison between the technical and
clinical teams; usually staffed by a nurse, this critical role helps the
technical team understand and interpret clinical data as he or she
seeks to build algorithms that mimic clinical workfl ow

• Clinical implementation team (CIT): Consists of practicing clinicians
who own a clinical process within an organization, will champion
adoption of the improvements, and guide the rollout of the improve­
ment process

• Guidance team: Provides governance over all the workgroups and
CITs under a clinical program—for example, a guidance team for the
women and children’s clinical program may oversee three separate
workgroups focusing on gynecology, pregnancy, or normal newborn;
takes into account resources, organizational readiness, and political
climate to determine which workgroups receive priority; reports to the
senior leadership committee

Source: Wadsworth (2016).

(LANs), wireless networks, the Internet, intranets, and other data commu­
nications systems. Networks can range from a connection between two
offices in the same building to globally distributed connectivity to voice
mail and e-mail systems across a host of different health care organizations.
Network administrators perform network modeling, analysis, and planning;
they may also research related products and make hardware and software

266 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

Staff Positions in High Demand

As the technology evolves (for example, advances in analytics) and the focus
of organizations shifts (for example, shifts to population health) various IT
staff roles will become in high demand. The core positions will always be
needed but new roles and refinements of existing roles emerge constantly.
In 2016 high-demand positions (across industries) include these functions
(Florentine, 2015):

• User interface designers

• Web infrastructure developers

• Network engineers

• Security and cyber security professionals

• Mobile application developers

• Systems analysts

• Industry knowledgeable project managers

• Cloud application architects

• Data scientists

When positions are in high demand organizations may face signifi cant
challenges hiring the staff members they need; salaries may be very high,
availability will be limited, and organization’s will need to sell themselves
to prospective recruits. A CHIME (2012) survey of CIOs found 67 percent
were experiencing IT staff shortages. The positions in greatest demand were
clinical information systems project managers and systems analysts.

Staff Attributes

In addition to ensuring that it has the appropriate IT functions and IT roles
(and that the individuals filling these roles are competent), the health care
organization must ensure that the IT staff members have certain attributes.
These attributes are unlikely to arise spontaneously; they must often be
managed into existence. An assessment of the IT function (as discussed
further on in this chapter) can highlight problems in this area and then lead
to management steps designed to improve staff member attributes.

High-performing IT staff members have several general characteristics:

• They execute well. They deliver applications, infrastructure, and
services that refl ect a sound understanding of organizational needs.

O R G A N I Z I N G I T S T A F F M E M B E R S A N D S E R V I C E S · 267

These deliverables occur on time and on budget so that those
involved in a project give the project team high marks for professional

• They are good consultants. They advise organizational members
on the best approach to the application of IT given the problem or
opportunity. They advise when IT may be inappropriate or the least
important component of the solution. This advice ranges from help
desk support to systems analyses to new technology recommendations
to advice on the suitability of IT for furthering an aspect of
organizational strategy.

• They provide world-class support. Information systems require daily

care and feeding and problem identifi cation and correction. This

support needs to be exceptionally effi cient and effective.

• They stay current in their field of expertise. They keep up to date on
new techniques and technologies that may improve the ability of the
organization to apply IT effectively.


Now that we have introduced the various roles and functions found in the
health care IT arena, we will examine how these roles and functions can
be organized. Essentially, three factors influence the structure of the IT

• Degree of IT centralization or decentralization

• Core IT competencies

• Departmental attributes

Degree of IT Centralization or Decentralization

A critical factor in determining the structure for the IT department is the
degree of centralization of organizational decision making. A health care
organization might be a highly structured hierarchy in which decisions are
made by a few senior leaders. Conversely, an organization might delegate
authority to make many decisions to the department level or to the hospital
level in an integrated delivery system, resulting in decentralized decision
making. Referring to Figure 8.1, in a highly centralized organization, divi­
sion CIOs may not be necessary because virtually all decisions are made at
the enterprise level. Conversely, in a highly decentralized organization, the

268 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

central role of corporate director, clinical systems shown in Figure 8.1 may
not be necessary because all EHR decisions are made at the local level.

The following describes some of the advantages to centralizing IT ser­
vices (Oz, 2006):

• Enforcement of hardware and software standards. In a centralized
structure, the organization typically develops software and hardware
standards, which can lead to cost savings, facilitate the exchange of
data among systems, make installations easier, and promote sharing
of applications.

• Efficient administration of resources. Centralizing the administration
of contracts and licenses and inventories of hardware and software
can lead to greater effi ciency.

• Better staffi ng. Because it results in a pool of IT staff members from
which to choose, the centralized approach may be able to identify and
assign the most appropriate individuals to a particular project.

• Easier training. In a centralized department, staff members can
specialize in certain areas (hardware, software, networks) and do not
need to be jacks of all trades.

• Effective planning of shared systems. A centralized IT services unit
typically sees the big picture and can facilitate the deployment of
systems that are to be used by all units of a health care system or
across organizational boundaries.

• Easier strategic IT planning. A strategic IT plan should be well
aligned with the overall strategic plan of the organization. This
alignment may be easier when IT management is centralized.

• Tighter control by senior management. A centralized approach to
managing IT services permits senior management to maintain tighter
control of the IT budget and resources.

The following describes some of the advantages to a decentralized struc­
ture (Oz, 2006):

• Better fit of IT to business needs. The individual IT units are familiar
with their business unit’s or department’s needs and can develop or
select systems that fi t those needs more closely.

• Quick response time. The individual IT units are typically better
equipped to respond promptly to requests or can arrange IT projects to
fi t the priorities of their business unit or department.

O R G A N I Z I N G I T S T A F F M E M B E R S A N D S E R V I C E S · 269

• Encouragement of end user development of applications. In a
decentralized IT services structure, end users are often encouraged to
develop their own small applications to increase productivity.

• Innovative use of information systems. Given that IT staff

members are closer in proximity to users and know their needs, the

decentralized structure may have a better chance of implementing

innovative systems.

Most IT services in a health care organization are not fully centralized
or decentralized but a combination of the two. For example, training and
support for applications may be decentralized, with other IT functions such
as application development, network support, and database management
being managed centrally. The size, complexity, and culture of the health care
organization might also determine the degree to which IT services should
be managed centrally.

For example, in an ambulatory care clinic with three sites that are fairly
autonomous, it may be appropriate to divide IT services into three functional
units, each dedicated to a specific clinic. In a larger, more complex orga­
nization, such as an integrated delivery network (with multiple hospitals,
outpatient clinics, and physician practices), it may be appropriate to form a
centralized IT services unit that is responsible for specific IT areas such as
systems planning and integration, network administration, and telecommuni­
cations, with all other functions being managed at the individual facility level.

There is no right level of centralization. Centralized organizations can
be as effective as decentralized organizations. Ideally, the management and
structure of IT will parallel that of the executive team’s management phi­
losophy; centralized management tends to want centralized control over IT,
whereas decentralized management is more likely to be comfortable with IT
that can be locally responsive.

Core IT Competencies

Organizations should identify a small number of areas that constitute core IT
capabilities and competencies. These are areas where getting an A+ from the
“customers” matters. For example, an organization focused on transforming
its care processes would want to ensure A+ competency in this area and
would perhaps settle for B− competency in its supply chain operations. An
organization dedicated to being very effi cient would want A+ competency in
areas such as supplier management and productivity improvement and would
perhaps settle for a B− in delivering superb customer service.

270 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

This definition of core competencies has a bearing on the form of the
IT organization. If A+ competency is desired in care transformation, the IT
department should be organized into functions that specialize in supporting
care transformation—for example, a clinical information systems implemen­
tation group and a care reengineering group.

Partners HealthCare, for example, defined three areas of core capabilities:
base support and services, care improvement, and technical infrastructure.

Base Support and Services

The category of core capabilities at Partners HealthCare included two

• Frontline support: for example, mobile device problem resolution

• Project management skills

The choice of these areas of emphasis resulted in many management
actions and steps—for example, the selection of criteria to be used during
annual performance reviews. The emphasis on frontline support also led to
the creation of an IT function responsible for all frontline support activities,
including the help desk, workstation deployments, training, and user account
management. The emphasis on project management led to the creation of a
project management office to assist in monitoring the status of all projects
and a project center of excellence to offer training on project management
and established project management standards.

Care Improvement

Central to the Partners agenda was the application of IT to improve the
process of care. One consequence was to establish, as a core IT capa­
bility, the set of skills and people necessary to innovatively apply IT to
medical care improvement. An applied medical informatics function was
established to oversee a research and development agenda. Staff members
skilled in clinical information systems application development were hired.
A group of experienced clinical information system implementers was

An IT unit of health services researchers was formed to analyze defi cien­
cies in care processes, identify IT solutions that would reduce or eliminate
these deficiencies, and assess the impact of clinical information systems on
care improvement. Organizational units possessing unique technical and

O R G A N I Z I N G I T S T A F F M E M B E R S A N D S E R V I C E S · 271

clinical knowledge in radiology imaging systems and telemedicine were also

Technical Infrastructure

Because Partners HealthCare recognized the critical role of a well-conceived,
well-executed, and well-supported technical architecture, infrastructure
architecture and design continued to serve as a core competency. A technol­
ogy strategy function was created, and the role of chief technology offi cer was
created. Significant attention was paid to ensuring that extremely talented
architectural and engineering staff members were hired along with staff
members with terrific support skills.

Departmental Attributes

IT departments, similar to people, have characteristics or attributes. They
may be agile or ossified. They may be risk tolerant or risk averse. These
characteristics can be stated, and strategies to achieve desired characteris­
tics can be defined and implemented. To illustrate, this section will discuss
briefly two characteristics—agility and innovativeness—and discuss how
they might affect the organization of IT functions. These two characteristics
are representative and are generally viewed as desirable.

There are many steps that an organization can take to increase its overall
agility and also that of the IT department (Glaser, 2008a). For example, it is
likely to try to chunk its initiatives so that there are multiple points at which
a project can be reasonably stopped and yet still deliver value. Thus, the
rollout of an EHR might call for implementation at ten clinics per year but
could be stopped temporarily at four clinics and still deliver value to those
four. Chunking allows an organization and its departments to quickly shift
emphasis from one project to another.

An agile IT department will have the ability to form and disband teams
quickly (perhaps every three months) as staff members move from project to
project. This requires that organizational structures and reporting relation­
ships be flexible so staff members can move rapidly between projects. It also
means that during a project, the project manager is (temporarily anyway)
the boss of the project team members. The team members might report to
someone else according to the organizational chart, but their real boss at
this time is the project manager. Because team members might move rapidly
from project to project, they might have several bosses during the course of
a year. And a person might be the boss on one project and the subordinate
on another project. (Many consulting firms operate with this model.) Agile

272 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

organizations and departments are organized less around functions and more
around projects. The IT structure must accommodate continuous project team
formation, and project managers must have signifi cant authority.

An organization or department that wants to be innovative might take
steps such as implementing reward systems that encourage new ideas and
successful implementation of innovative applications and also punishment
systems that are loath to discipline those involved in experiments that
failed (Glaser, 2008b). The innovative IT department might create dedicated
research and development groups. It might form teams composed of IT and
vendor staff members in an effort to cross-fertilize each group with the ideas
of the other. It might also permit staff members to take sabbaticals or accept
internships with other departments in the organization in an effort to expand
IT members’ awareness of organizational operations, cultures, and issues.


For many years, health care organizations have generally provided IT ser­
vices in-house. By in-house we mean that the organization hired its own IT
staff members and formed its own IT department. In recent years, however,
health care organizations have shown a growing interest in outsourcing part
or all of their IT services. Outsourced IT means that an organization asks
a third party to provide the IT staff members and be responsible for the
management of IT.

The reasons for outsourcing IT functions are varied. Some health care
organizations may simply not have staff members with the skills, time, or
resources needed to take on new IT projects or provide suffi cient IT service.
Others may choose to outsource certain IT functions, such as help desk ser­
vices or website development, so that internal IT staff members can focus
their time on implementing or supporting applications central to the organi­
zation’s strategic goals.

Outsourcing IT may enable organizations to better control costs. Because
a contract is typically established for a defined scope of work to be done
over a specific period of time, the IT function becomes a line item that can
be more effectively budgeted over time. This does not mean, however, that
outsourcing IT services is necessarily more cost-effective than providing IT
services in-house.

At times, new organizational leadership finds an IT function that is in
disastrous condition. After years of mismanagement, applications may func­
tion poorly, the infrastructure may be unstable, and the IT staff members
may be demoralized. An outsourcing company may be brought in as a form
of rescue mission.

I N – H O U S E V E R S U S O U T S O U R C E D I T · 273

A number of factors come into play and should be considered when eval­
uating whether outsourcing part or all of IT services is in the best interest of
the organization. The following questions should be asked:

• Does our organization have IT staff members with the knowledge

and skills needed to provide necessary services? Effectively

manage projects? Adequately support current applications and


• How easy or diffi cult is it to recruit and retain qualifi ed IT staff


• What are our organization’s major IT priorities? How equipped is our

organization to address these priorities? Do we have the right mix of

skills, time, and resources?

• What benefi ts might be realized from outsourcing this IT function?

What are the risks? Do the benefi ts outweigh the risks?

• What parts, if any, of the IT department does it make the most sense

to outsource?

• If we opt to outsource IT services, with whom do we want to do

business? How will we monitor and evaluate IT performance and

service? What provisions will we make in the contract with the

outsourcing company to ensure timeliness and quality of service?

How will the terms of the contract be monitored?

It is important to evaluate the cost and effectiveness of the IT function
and services, whether they are performed by in-house staff members or
outsourced. There are pros and cons to each approach, and the organization
must make its decision based on its strategy goals and priorities. There is no
silver bullet or one solution for all.

Related to decisions to outsource all or a portion of the organization’s IT
staff are decisions to have a third-party supplier run the organization’s applica­
tions in the third party’s data center. Cloud computing growth has been explo­
sive recently. Gartner (2013) estimates that by the time this book is published
the majority of business computing will involve a cloud. The cloud approach
can be full (all of an organization’s applications are run on a third-party cloud)
or hybrid (the third party runs some applications and the organization runs
the remaining applications in its data centers).

Cloud computing can be less expensive, easier to scale, and more able
to adopt newer technologies. Keeping some applications internally enables
the organization to maintain control over sensitive or critical applications
and data.

274 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

Future Demands on the IT Function

Broaden the knowledge base. For the IT staff members steeped in inpa­
tient care, knowledge of hospital operations must expand to include
knowledge of the operations and needs of long-term care facilities,
patient support communities, and small physician practices. Under­
standing of the intricacies of fee-for-service must expand to include pay­
ments based on bundles and capitation.

Skills in managing complex implementations will still be neces­
sary, but those skills must broaden to include redesigning processes
that traverse care settings, turning clinical decision-support logic to
achieve chronic care outcomes, and assisting clinicians and managers
in developing the analytics capabilities necessitated by new payment

Address IT innovation and management. The IT staff members
must grapple with IT innovation that continues at a remarkable pace.
Social media use continues to grow and become more sophisticated and
capable. Mobile personal devices have become the device of choice for
personal and professional activities. Big data has exceptional potential,
although it is cloaked in a dense fog of hype.

In addition, the organization’s dependence on IT for it to function
heightens the importance of a well-managed and secure IT infrastruc­
ture and application base.

A shift in strategic emphasis. With the EHR core in place (cour­
tesy of Meaningful Use), the IT function must shift from focusing on
the large-scale implementation of EHRs to extending that investment to
support care management, enabling the management of a population’s
health, introducing extensive evidence-based decision support, develop­
ing superior analytics capabilities, creating and redesigning processes,
and improving the effi ciency of clinical and administrative processes.

Step up leadership skills. Leadership skills and attributes include
emotional intelligence, communication skills, integrity, business under­
standing, and the ability to hire, grow, and manage a world-class team.
As the pressures on operations and clinical practice increase, there will
be a growing premium placed on having superlative leadership skills.

Source: Glaser (2016).

E V A L U A T I N G I T E F F E C T I V E N E S S · 275


Whether IT services are provided by in-house staff or are outsourced, it is
important to evaluate IT performance. Is the function efficient? Does it deliver
good service? Is it on top of new developments in its field? Does the function
have a strong management team?

At times, health care executives become worried about the performance
of an IT function. Other organizations have IT functions that seem to accom­
plish more or spend less. Management and physicians frequently express
dissatisfaction with IT: nothing is getting done, it costs too much, or it takes
too long to get a new application implemented. Many factors may result
in user dissatisfaction: poor expectation setting, unclear priorities, limited
funding, or inadequate IT leadership. An assessment of IT services can help
management understand the nature of the problems and identify opportuni­
ties for improvement.

One desirable approach to assessing IT services is to use outside consul­
tants. Consultants can bring a level of objectivity to the assessment process
that is difficult to achieve internally. They can also share their experiences,
having worked with a variety of different health care organizations and having
observed different ways of handling some of the same issues or problems.

Whether the assessment is done by internal staff members or by consul­
tants, several key areas should be addressed:

• Governance

• Budget development and resource allocation

• System acquisition

• System implementation

• IT service levels


How effective is the governance structure? To what degree are IT strategies
well aligned with the organization’s overall strategic goals? Is the CIO actively
involved in strategy discussions? Does senior leadership discuss IT agenda
items on a regular basis? We will discuss governance in Chapter Thirteen.

Budget Development and Resource Allocation

The IT budget is often compared to the IT budgets of comparable health care
organizations. The question behind a budget benchmark is, Are we spending

276 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

too much or too little on IT? Budget benchmarks are expressed in terms of
the IT operating budget as a percentage of the overall organization’s operating
budget and the IT capital budget as a percentage of the organization’s total
capital budget.

These budget benchmarks are useful and in some sense required because
most boards of directors expect to see them. Management has to be careful
in interpreting the results, however. These percentages do not necessarily
reflect the quality of IT services or the extent and size of the organization’s
application base or infrastructure. Hence, one can find a poorly performing IT
group that has implemented little having the same percentage of the organi­
zation’s budgetary resources as a world-class IT group that has implemented
a stunning array of applications.

Spending a high percentage of the operating budget does not per se mean
that the organization is spending too much and should reduce its IT budget.
The organization may have decided to ramp up its IT investments in order
to achieve certain strategic objectives. A low percentage—for example, 1
percent—does not necessarily mean that underinvestment is occurring and
the IT budget should be significantly increased. The organization may be
very efficient, or it may have decided that given its strategies its investments
should be made elsewhere.

We will discuss the IT budget and resource allocation in Chapter Thirteen.

System Acquisition

How effective are system acquisitions? How long did they take? What process
was used to select the systems? We discussed system acquisition in Chapter

System Implementation

Are new applications delivered on time, within budget, and according to
specification? Do the participants in the implementation speak fondly of the
professionalism of the IT staff members or do they view IT staff members
as forms of demonic creatures? We discussed system implementation in
Chapter Six.

IT Service Levels

IT staff members deliver service every day—for example, they manage system
performance, respond to help desk calls, and manage projects. The quality of
these services can be measured. An assessment of the IT function invariably

E V A L U A T I N G I T E F F E C T I V E N E S S · 277

reviews these measures and the management processes in place to monitor
and improve IT services. IT users in the organization are interested in mea­
sures such as these:

• Infrastructure. Are the information systems reliable, that is, do they
rarely “go down”? Are response times fast?

• Day-to-day support. Does the help desk quickly, patiently, and
effectively resolve my problems? If I ask for a new workstation, does it
arrive in a reasonable period of time?

• Consultation. Are the IT folks good at helping me think through my
IT needs? Are they realistic in helping me to understand what the
technology will and will not do?

An organization faces a challenge in defining what level of IT service
it would like and also how much it is willing to pay for IT services. All of us
would love to have systems analysts with world-class consulting skills, but
we may not be able to afford their salaries. Similarly, all of us would love to
have systems that never go down and are as fast as greased lightning, but we
might not be willing to pay the cost of engineering very, very high reliability
and blazing speed. The IT service conversation attempts to establish formal
and measurable levels of service and the cost of providing that service. The
organization seeks an informed conversation about the desirability and the
cost of improving the service or the possibility of degrading the service in
an effort to reduce costs.

In general, it can be very difficult to measure quality and consequences
of consultative services. This makes it difficult to understand whether it is
worth investing to improve the service other than at the service extremes. For
example, it can be clear that you need to fire a very ineffective systems analyst
and that you need to treat your all-star analyst very well. But it may not be
clear whether paying $10,000 extra for an IT staff member is worth it or not.

Formal, measurable service levels can be established for many infrastruc­
ture attributes and day-to-day support. Moreover, industry benchmarks exist
for these measures. Common infrastructure metrics are as follows:

• Reliability: for example, the percentage of time that systems have
unscheduled downtime

• Response time: for example, how quickly an application moves from
one screen to the next

• Resiliency: for example, how quickly a system can recover after it
goes down

278 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

Glaser (2006) proposes a series of questions that can be used to assess the
IT function. These questions cover the areas of infrastructure and applica­
tion performance, execution, and strategic alignment.

Infrastructure and Application Performance
External and internal auditors’ reports on IT controls and management.
Do these reports note material problems with significant downtime, failure
to perform adequate management of the data center, and adequacy of
security controls?
IT infrastructure management processes. Does IT track downtime and
what steps have been taken to reduce it? Are they current with vendor
releases? How does IT manage virus protection? When the infrastructure
has problems, what are the procedures for responding?

Achieving desired application outcomes. Picking three recent
implementations, what were the objectives? To what degree were the
objectives achieved? If the organization fell short in achieving objectives,
why did this happen?
User engagement. Do implemented systems improve the operation of key
departments? Was the training good? Were the IT group and the vendor
responsive to issues and problems?

• Software bugs: for example, the number of bugs detected in an
application per line of program code or hour of use

Common day-to-day support metrics are as follows:

• The percentage of help desk calls that are resolved within twenty-four

• The percentage of help desk calls that are not resolved after fi ve days

• The percentage of help desk calls that are repeat calls, that is, the
problem was not resolved the fi rst time

• The time that elapses between ordering a workstation and its

E V A L U A T I N G I T E F F E C T I V E N E S S · 279

Assessing the IT Function

Managing the implementation. Were clear project charters developed? Are
sound project management techniques used? Do most projects get done on
time and on budget?
Frontline support. Does the IT organization measure its service? Has
the IT organization established service goals? Was the organization’s
management involved in setting those goals?
Departmental IT liaisons. Who are the IT liaisons to major user depart­
ments? Do they do a good job? Do the liaisons keep the department up-to­
date on IT plans? Are liaisons considered to be members of the department’s

Alignment of the IT Agenda with the Organization’s Agenda
IT linkage to organizational strategy. Can the major elements of the
organization’s strategy be mapped to the IT initiatives needed to support
the strategic plan? Is there a regular senior leadership discussion of the IT
agenda, and does the leadership take responsibility for making decisions
about which IT initiatives to fund?
Governance. What processes and committees are used to set priorities? Is
the process for setting the IT budget well understood, effi cient, suffi ciently
rigorous, and perceived as fair? Is there a well-accepted approach for
acquiring new applications?

Source: Glaser (2006).

It is important that the management team define the desired level of
IT service. For example, is the goal to achieve an uptime of 99.99 percent,
or does the organization want to have 90 percent of help desk calls closed
within twenty-four hours? If the service levels are deemed to be inadequate,
a discussion can be held with IT managers to identify the costs of achieving
a higher level of service. Additional staff members may be needed at the
help desk, or the organization may need to develop a redundant network to
improve resiliency. Conversely, if the organization needs to reduce IT costs,
the management team may need to examine the service consequences of
reducing the number of help desk staff members.

The assessment of the IT function requires examining areas that range
from strategy development to service levels. And the assessment can use a

280 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S

Managing Core IT Processes

Agarwal and Sambamurthy (2002) have identified eight core IT pro­
cesses that must be managed well for an IT department to be effective:

1. Human capital management involves the development of IT staff
skills and the attraction and retention of IT talent.

2. Platform management is a series of activities that designs
the IT architecture and constructs and manages the resulting

3. Relationship management centers on developing and maintaining
relationships between the IT function and the rest of the organiza­
tion and on partnerships with IT vendors.

4. Strategic planning links the IT agenda and plans to the organiza­
tion’s strategy and plans.

5. Financial management encompasses a wide range of management
processes—developing the IT budget, defining the business case for
IT investments, and benchmarking IT costs.

6. Value innovation involves identifying new ways for IT to improve
business operations and ensuring that IT investments deliver

7. Solutions delivery includes the selection, development, and imple­
mentation of applications and infrastructure.

8. Services provisioning centers on the day-to-day support of applica­
tions and infrastructure—for example, the help desk, workstation
deployments, and user training.

Source: Agarwal and Sambamurthy (2002).

variety of data collection techniques. Appendix B contains a sample survey
used by an IT services department to assess user satisfaction.

Answers to these questions provide an indication, clearly rough, of how
well the IT function is being run and, to a degree, of whether the aggregate IT
investment is providing value. All these questions come from commonsense
management beliefs about what is involved in running an organization well
and tests of IT domain knowledge.

K E Y T E R M S · 281


It is critical that health care organizations have access to appropriate IT staff
members and resources to support their health care information systems and
system users. IT staff members perform several common functions and have
several common roles. In large organizations, the IT department often has
a management team comprising the chief information offi cer, chief technol­
ogy officer, chief information security officer, and chief medical information
officer, who provide leadership to ensure that the organization fulfi lls its
IT strategies and goals. Having a CIO with strong leadership skills, vision,
and experience is critical to the organization achieving its strategic IT goals.
Working with the CIO and IT management team, one will often find a team
of professional and technical staff members including systems analysts, com­
puter programmers, network administrators, database administrators, web
designers, and support personnel. Each brings a unique set of knowledge and
skills to support the IT operations of the health care organization.

The organizational structure of the IT department is influenced by several
factors: level of centralization, core IT competencies, and desired attributes
of the IT department.

IT services may be provided by in-house staff members or outsourced to
an outside vendor or company. Many factors come into play in deciding if and
when to outsource all or part of the IT services. Availability of staff members,
time constraints, financial resources, and the executive management team’s
view of IT may determine the appropriateness of outsourcing.

Whether IT services are provided in-house or outsourced, it is important
for the management team to assess the efficiency and effectiveness of IT ser­
vices. The governance structure, how the IT resources are allocated, the track
record of system acquisitions and system implementations, and user satisfac­
tion with current IT service levels are some of the key elements that should
be examined in any assessment. Consultants may be employed to conduct
the assessment and offer the organization an outsider’s objective view.


Application management Governance
Chief information offi cer (CIO) IT centralization and decentralization
Chief information security offi cer Network administrators

(CISO) Operations and technical support
Chief medical information offi cer Outsourced IT

(CMIO) Programmers
Chief technology offi cer (CTO) Systems analyst
Database administrators

282 · C H A P T E R 8 : O R G A N I Z I N G I N F O R M A T I O N T E C H N O L O G Y S E R V I C E S


1. Visit an IT department in a health care facility in your community
and interview the CIO or department director. Examine the IT
department’s organizational structure. What functions or services
does the IT department provide? How centralized are IT services
within the organization? Does the organization employ a CMIO,
CISO, or CTO? If so, what are each person’s job qualifi cations and

2. Find an article in the literature that outlines either the advantages or
disadvantages or both of outsourcing IT. Discuss the fi ndings with
your classmates. What have others learned about outsourcing that
may be important to your organization?

3. Plan and organize a panel discussion with CIOs from local health
care facilities. Find out what some of their greatest challenges are
and what a typical day is like for them. To what degree are their
organizations facing workforce shortages? In what areas, if any?
What strategies do they employ to recruit and retain top-notch staff

4. Investigate any one of the following roles and interview someone
working in this type of position. Find out the individual’s roles,
responsibilities, qualifi cations, background, experience, and

o Chief medical information offi cer

o Chief information security offi cer

o Chief technology offi cer

o Clinical systems analyst

o Mobile application developer


Agarwal, R., & Sambamurthy, V. (2002). Organizing the IT function for business
innovation leadership. Chicago, IL: Society for Information Management.

AMIA Task Force Report on CCIO Knowledge, Education and Skillset Requirements
(2016). The chief clinical informatics offi cer (CCIO). Washington, DC: American
Medical Informatics Association.

College of Healthcare Information Management Executives (CHIME). (1998). The
healthcare CIO: A decade of growth. Ann Arbor, MI: Author.

R E F E R E N C E S · 283

College of Healthcare Information Management Executives (CHIME). (2008). The
seven CIO success factors. Retrieved April 2008 from

College of Healthcare Information Management Executives (CHIME). (2012).
Demand persists for experienced health IT staff. Retrieved in April 2016 from­

Earl, M., & Feeney, D. (1995). Is your CIO adding value? McKinsey Quarterly, 2,

Florentine, S. (2015). 10 hot IT skills for 2016. Retrieved April 2016 from http:// ng/10-hot-it-job-skills-for-2016

Gartner. (2013). Gartner says cloud computing will become the bulk of new IT spend
by 2016. Retrieved April 2016 from

Glaser, J. (2006, Jan.). Assessing the IT function in less than one day. Healthcare
Financial Management, pp. 104–108.

Glaser, J. (2008a, April). Creating IT agility. Healthcare Financial Management,
pp. 36–39.

Glaser, J. (2008b, Feb. 6). The four cornerstones of innovation. Most Wired Online.

Glaser, J. (2016, Feb. 8). The evolution of the health care chief information offi cer.
H&HN Daily.

Glaser, J., & Kirby, J. (2009). Evolution of the healthcare CIO. Healthcare Financial
Management, 63(11), 38–41.

Glaser, J., & Williams, R. (2007). The definitive evolution of the role of the CIO.
Journal of Healthcare Information Management, 21(1), 9–11.

Murphy, J. (2011). The nursing informatics workforce: Who are they and what do
they do? Nursing Economics, 42(11), 20–23.

Oz, E. (2006). Management information systems: Instructor edition (4th ed.). Boston,
MA: Course Technology.

Wadsworth, J. (2016). The best organizational structure for healthcare analytics.
Health Catalyst. Retrieved May 31, 2016, from

Laws, Regulations,
and Standards That
Affect Health Care

Information Systems




Privacy and Security


• To be able to distinguish among privacy, confi dentiality, and
security as they relate to health information.

• To be able to identify the purpose of the Privacy Act of 1974 and
42 C.F.R. (Code of Federal Regulations) Part 2, Confi dentiality of
Substance Abuse Patient Records.

• To be able to describe and discuss the impact of the HIPAA
Privacy, Security, and Breach Notifi cation rules.

• To be able to identify threats to health care information and
information systems caused by humans (intentional and
unintentional), natural causes, and the environment.

• To be able to understand the purpose and key components of
the health care organization security program and the need to
mitigate security risks.

• To be able to discuss the increased need for and identify
resources to improve cybersecurity in health care organizations.


288 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

Privacy is an individual’s constitutional right to be left alone, to be free from
unwarranted publicity, and to conduct his or her life without its being made
public. In the health care environment, privacy is an individual’s right to limit
access to his or her health care information. In spite of this constitutional
protection and other legislated protections discussed in this chapter, approx­
imately 112 million Americans (a third of the United States population) were
affected by breaches of protected health information (PHI) in 2015 (Koch,
2016). Three large insurance-related corporations accounted for nearly one
hundred million records being exposed (Koch, 2016). In one well-publicized
security breach at Banner Health, where hackers gained entrance through
food and beverage computers, approximately 3.7 million individuals’ infor­
mation was accessed, much of it health information (Goedert, 2016).

Health information privacy and security are key topics for health care
administrators. In today’s ever-increasing electronic world, where the Inter­
net of Things is on the horizon and nearly every health care organization
employee and visitor has a smart mobile device that is connected to at least
one network, new and more virulent threats are an everyday concern. In
this chapter we will examine and define the concepts of privacy, confi den­
tiality, and security as they apply to health information. Major legislative
efforts, historic and current, to protect health care information are outlined,
with a focus on the Health Insurance Portability and Accountability
Act (HIPAA) Privacy, Security, and Breach Notification rules. Different
types of threats, intentional and unintentional, to health information will
be discussed. Basic requirements for a strong health care organization
security program will be outlined, and the chapter will conclude with the
cybersecurity challenges in today’s environment of mobile and cloud-based
devices, wearable fitness trackers, social media, and remote access to health


As stated, privacy is an individual’s right to be left alone and to limit access
to his or her health care information. Confi dentiality is related to privacy
but specifically addresses the expectation that information shared with a
health care provider during the course of treatment will be used only for
its intended purpose and not disclosed otherwise. Confidentiality relies on
trust. Security refers to the systems that are in place to protect health infor­
mation and the systems within which it resides. Health care organizations
must protect their health information and health information systems from
a range of potential threats. Certainly, security systems must protect against
unauthorized access and disclosure of patient information, but they must also
be designed to protect the organization’s IT assets—such as the networks,

L E G A L P R O T E C T I O N O F H E A L T H I N F O R M A T I O N · 289

hardware, software, and applications that make up the organization’s health
care information systems—from harm.


There are many sources for the legal and ethical requirements that health
care professionals maintain the confidentiality of patient information and
protect patient privacy. Ethical and professional standards, such as those pub­
lished by the American Medical Association and other organizations, address
professional conduct and the need to hold patient information in confi dence.
Accrediting bodies, such as the Joint Commission, state facility licensure
rules, and the government through Centers for Medicare and Medicaid,
dictate that health care organizations follow standard practice and state and
federal laws to ensure the confidentiality and security of patient information.

Today, legal protection specially addressing the unauthorized disclosure
of an individual’s health information generally comes from one of three
sources (Koch, 2016):

• Federal HIPAA Privacy, Security, and Breach Notifi cation rules

• State privacy laws. These laws typically apply more stringent
protections for information related to specifi c health conditions (HIV/
AIDS, mental or reproductive health, for example).

• Federal Trade Commission (FTC) Act consumer protection, which
protects against unfair or deceptive practices. The FTC issued the
Health Breach Notifi cation Rule in 2010 to require certain businesses
not covered by HIPAA, including PHR vendors, PHR-related entities, or
third-party providers for PHR vendors or PHR-related entities to notify
individuals of a security breach.

However, there are two other major federal laws governing patient privacy
that, although they have been essentially superseded by HIPAA, remain
important, particularly from a historical perspective.

• The Privacy Act of 1974 (5 U.S.C. §552a; 45 C.F.R. Part 5b; OMB
Circular No. A-108 [1975])

• Confi dentiality of Substance Abuse Patient Records (42 U.S.C. §290dd-
2, 42 C.F.R. Part 2)

The Privacy Act of 1974

In 1966, the Freedom of Information Act (FOIA) was passed. This legis­
lation provides the American public with the right to obtain information

290 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

from federal agencies. The act covers all records created by the federal
government, with nine exceptions. The sixth exception is for personnel and
medical information, “the disclosure of which would constitute a clearly
unwarranted invasion of personal privacy.” There was, however, concern
that this exception to the FOIA was not strong enough to protect federally
created patient records and other health information. Consequently, Con­
gress enacted the Privacy Act of 1974. This act was written specifi cally to
protect patient confidentiality only in federally operated health care facil­
ities, such as Veterans Administration hospitals, Indian Health Service
facilities, and military health care organizations. Because the protection
was limited to those facilities operated by the federal government, most
general hospitals and other nongovernment health care organizations did
not have to comply. Nevertheless, the Privacy Act of 1974 was an important
piece of legislation, not only because it addressed the FOIA exception for
patient information but also because it explicitly stated that patients had a
right to access and amend their medical records. It also required facilities
to maintain documentation of all disclosures. Neither of these things was
standard practice at the time.

Confidentiality of Substance Abuse Patient Records

During the 1970s, people became increasingly aware of the extra-sensitive
nature of drug and alcohol treatment records. This led to the regulations
currently found in 42 C.F.R. (Code of Federal Regulations) Part 2, Con­
fidentiality of Substance Abuse Patient Records. These regulations have
been amended twice, with the latest version published in 1999. They offer
specific guidance to federally assisted health care organizations that provide
referral, diagnosis, and treatment services to patients with alcohol or drug
problems. Not surprisingly, they set stringent release of information stan­
dards, designed to protect the confidentiality of patients seeking alcohol or
drug treatment.


HIPAA is the first comprehensive federal regulation to offer specifi c protection
to private health information. Prior to the enactment of HIPAA there was no
single federal regulation governing the privacy and security of patient-specifi c
information, only the limited legislative protections previously discussed.
These laws were not comprehensive and protected only specific groups of


L E G A L P R O T E C T I O N O F H E A L T H I N F O R M A T I O N · 291

The Health Insurance Portability and Accountability Act of 1996 consists
of two main parts:

• Title I addresses health care access, portability, and renewability,
offering protection for individuals who change jobs or health
insurance policies. (Although Title I is an important piece of
legislation, it does not address health care information specifi cally and
will therefore not be addressed in this chapter.)

• Title II includes a section titled, “Administrative Simplifi cation.”

The requirements establishing privacy and security regulations for pro­
tecting individually identifiable health information are found in Title II of
HIPAA. The HIPAA Privacy Rule was required beginning April 2003 and
the HIPAA Security Rule beginning April 2005. Both rules were subsequently
amended and the Breach Notification Rule was added as a part of the HITECH
Act in 2009.

The information protected under the HIPAA Privacy Rule is specifi cally
defined as PHI, which is information that

• Relates to a person’s physical or mental health, the provision of health
care, or the payment for health care

• Identifi es the person who is the subject of the information

• Is created or received by a covered entity

• Is transmitted or maintained in any form (paper, electronic, or oral)

Unlike the Privacy Rule, the Security Rule addressed only PHI transmitted
or maintained in electronic form. Within the Security Rule this information
is identified as ePHI.

The HIPAA rules also define covered entities (CEs), those organizations
to which the rules apply:

• Health plans, which pay or provide for the cost of medical care

• Health care clearinghouses, which process health information (for

example, billing services)

• Health care providers who conduct certain fi nancial and

administrative transactions electronically (These transactions

are defined broadly so that the reality of HIPAA is that it governs

nearly all health care providers who receive any type of third-party


292 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

If any CE shares information with others, it must establish contracts to
protect the shared information. The HITECH Act amended HIPAA and added
“Business Associates” as a category of CE. It further clarified that certain
entities, such as health information exchange organizations, regional health
information organizations, e-prescribing gateways, or a vendor that contracts
with a CE to allow the CE to offer a personal health record as a part of its
EHR, are business associates if they require access to PHI on a routine basis
(Coppersmith, Gordon, Schermer, & Brokelman, PLC, 2012).

HIPAA Privacy Rule

Although the HIPAA Privacy Rule is a comprehensive set of federal standards,
it permits the enforcement of existing state laws that are more protective
of individual privacy, and states are also free to pass more stringent laws.
Therefore, health care organizations must still be familiar with their own
state laws and regulations related to privacy and confi dentiality.

The major components to the HIPAA Privacy Rule in its original form
include the following:

• Boundaries. PHI may be disclosed for health purposes only, with very
limited exceptions.

• Security. PHI should not be distributed without patient authorization
unless there is a clear basis for doing so, and the individuals who
receive the information must safeguard it.

• Consumer control. Individuals are entitled to access and control
their health records and are to be informed of the purposes for which
information is being disclosed and used.

• Accountability. Entities that improperly handle PHI can be charged
under criminal law and punished and are subject to civil recourse as

• Public responsibility. Individual interests must not override national
priorities in public health, medical research, preventing health care
fraud, and law enforcement in general.

With HITECH, the Privacy Rule was expanded to include creation of new
privacy requirements for HIPAA-covered entities and business associates.
In addition, the rights of individuals to request and obtain their PHI are
strengthened, as is the right of the individual to prevent a health care orga­
nization from disclosing PHI to a health plan, if the individual paid in full
out of pocket for the related services. There were also some new provisions

L E G A L P R O T E C T I O N O F H E A L T H I N F O R M A T I O N · 293

for accounting of disclosures made through an EHR for treatment, payment,
and operations (Coppersmith et al., 2012).

The HIPAA Privacy Rule attempts to sort out the routine and nonroutine
use of health information by distinguishing between patient consent to use
PHI and patient authorization to release PHI. Health care providers and others
must obtain a patient’s written consent prior to disclosure of health informa­
tion for routine uses of treatment, payment, and health care operations. This
consent is fairly general in nature and is obtained prior to patient treatment.
There are some exceptions to this in emergency situations, and the patient
has a right to request restrictions on the disclosure. However, health care
providers can deny treatment if they feel that limiting the disclosure would
be detrimental. Health care providers and others must obtain the patient’s
specific written authorization for all nonroutine uses or disclosures of PHI,
such as releasing health records to a school or a relative.

Exhibit 9.1 is a sample release of information form used by a hospital,
showing the following elements that should be present on a valid release form:

• Patient identifi cation (name and date of birth)

• Name of the person or entity to whom the information is being


• Description of the specifi c health information authorized for disclosure

• Statement of the reason for or purpose of the disclosure

• Date, event, or condition on which the authorization will expire,
unless it is revoked earlier

• Statement that the authorization is subject to revocation by the patient
or the patient’s legal representative

• Patient’s or legal representative’s signature

• Signature date, which must be after the date of the encounter that
produced the information to be released

Health care organizations need clear policies and procedures for releasing
PHI. A central point of control should exist through which all nonroutine
requests for information pass, and all disclosures should be well documented.

In some instances, PHI can be released without the patient’s authoriza­
tion. For example, some state laws require disclosing certain health infor­
mation. It is always good practice to obtain a patient authorization prior to
releasing information when feasible, but in state-mandated cases it is not
required. Some examples of situations in which information might need to
be disclosed to authorized recipients without the patient’s consent are the

294 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

Exhibit 9.1 Sample release of information form

Source: © 2017 Medical University Hospital Authority. All rights reserved. This
form is provided “as is” without any warranty, express or implied, as to its
legal effect or completeness. Forms should be used as a guide and modifi ed to
meet the laws of your state. Use at your own risk.

L E G A L P R O T E C T I O N O F H E A L T H I N F O R M A T I O N · 295

presence of a communicable disease, such as AIDS and sexually transmitted
diseases, which must be reported to the state or county department of health;
suspected child abuse or adult abuse that must be reported to designated
authorities; situations in which there is a legal duty to warn another person of
a clear and imminent danger from a patient; bona fide medical emergencies;
and the existence of a valid court order.

The HIPAA Security Rule

The HIPAA Security Rule is closely connected to the HIPAA Privacy Rule.
The Security Rule governs only ePHI, which is defined as protected health
information maintained or transmitted in electronic form. It is important to
note that the Security Rule does not distinguish between electronic forms
of information or between transmission mechanisms. ePHI may be stored
in any type of electronic media, such as magnetic tapes and disks, optical
disks, servers, and personal computers. Transmission may take place over
the Internet or on local area networks (LANs), for example.

The standards in the final rule are defined in general terms, focusing on
what should be done rather than on how it should be done. According to the
Centers for Medicare and Medicaid Services (CMS, 2004), the fi nal rule spec­
ifies “a series of administrative, technical, and physical security procedures
for covered entities to use to assure the confi dentiality of electronic protected
health information (ePHI). The standards are delineated into either required
or addressable implementation specifications.” A required specifi cation must
be implemented by a CE for that organization to be in compliance. However,
the CE is in compliance with an addressable specification if it does any one
of the following:

• Implements the specifi cation as stated

• Implements an alternative security measure to accomplish the

purposes of the standard or specifi cation

• Chooses not to implement anything, provided it can demonstrate that
the standard or specifi cation is not reasonable and appropriate and
that the purpose of the standard can still be met; because the Security
Rule is designed to be technology neutral, this fl exibility was granted
for organizations that employ nonstandard technologies or have
legitimate reasons not to need the stated specifi cation (AHIMA, 2003)

The standards contained in the HIPAA Security Rule are divided into
sections, or categories, the specifics of which we outline here. You will notice

296 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

overlap among the sections. For example, contingency plans are covered
under both administrative and physical safeguards, and access controls are
addressed in several standards and specifi cations.

The HIPAA Security Rule

The HIPAA Security Administrative Safeguards section of the Final Rule
contains nine standards:

1. Security management functions. This standard requires the CE
to implement policies and procedures to prevent, detect, contain,
and correct security violations. There are four implementation
specifi cations for this standard:

• Risk analysis (required). The CE must conduct an accurate and
thorough assessment of the potential risks to and vulnerabilities
of the confi dentiality, integrity, and availability of ePHI.

• Risk management (required). The CE must implement security
measures that reduce risks and vulnerabilities to a reasonable and
appropriate level.

• Sanction policy (required). The CE must apply appropriate
sanctions against workforce members who fail to comply with the
CE’s security policies and procedures.

• Information system activity review (required). The CE must
implement procedures to regularly review records of information
system activity, such as audit logs, access reports, and security
incident tracking reports.

2. Assigned security responsibility. This standard does not have
any implementation specifi cations. It requires the CE to identify
the individual responsible for overseeing development of the
organization’s security policies and procedures.

3. Workforce security. This standard requires the CE to implement
policies and procedures to ensure that all members of its workforce
have appropriate access to ePHI and to prevent those workforce
members who do not have access from obtaining access. There are
three implementation specifi cations for this standard:

• Authorization and/or supervision (addressable). The CE must have
a process for ensuring that the workforce working with ePHI has
adequate authorization and supervision.

L E G A L P R O T E C T I O N O F H E A L T H I N F O R M A T I O N · 297

• Workforce clearance procedure (addressable). There must be a process

to determine what access is appropriate for each workforce member.

• Termination procedures (addressable). There must be a process for

terminating access to ePHI when a workforce member is no longer

employed or his or her responsibilities change.

4. Information access management. This standard requires the CE to
implement policies and procedures for authorizing access to ePHI.
There are three implementation specifi cations within this standard.
The first (not shown here) applies to health care clearinghouses, and
the other two apply to health care organizations:

• Access authorization (addressable). The CE must have a process

for granting access to ePHI through a workstation, transaction,

program, or other process.

• Access establishment and modifi cation (addressable). The CE

must have a process (based on the access authorization) to

establish, document, review, and modify a user’s right to access a

workstation, transaction, program, or process.

5. Security awareness and training. This standard requires the CE to
implement awareness and training programs for all members of its
workforce. This training should include periodic security reminders
and address protection from malicious software, log-in monitoring,
and password management. (These items to be addressed in training
are all listed as addressable implementation specifi cations.)

6. Security incident reporting. This standard requires the CE to
implement policies and procedures to address security incidents.

7. Contingency plan. This standard has fi ve implementation
specifi cations:

• Data backup plan (required)

• Disaster recovery plan (required)

• Emergency mode operation plan (required)

• Testing and revision procedures (addressable); the CE should

periodically test and modify all contingency plans

• Applications and data criticality analysis (addressable); the CE

should assess the relative criticality of specifi c applications and

data in support of its contingency plan

8. Evaluation. This standard requires the CE to periodically perform
technical and nontechnical evaluations in response to changes that
may affect the security of ePHI.

298 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

9. Business associate contracts and other arrangements. This standard
outlines the conditions under which a CE must have a formal
agreement with business associates in order to exchange ePHI.

The HIPAA Security Physical Safeguards section contains four standards:

1. Facility access controls. This standard requires the CE to implement
policies and procedures to limit physical access to its electronic
information systems and the facilities in which they are housed to
authorized users. There are four implementation specifi cations with
this standard:

• Contingency operations (addressable). The CE should have a process
for allowing facility access to support the restoration of lost data
under the disaster recovery plan and emergency mode operation plan.

• Facility security plan (addressable). The CE must have a process to
safeguard the facility and its equipment from unauthorized access,
tampering, and theft.

• Access control and validation (addressable). The CE should have a
process to control and validate access to facilities based on users’
roles or functions.

• Maintenance records (addressable). The CE should have a process
to document repairs and modifi cations to the physical components
of a facility as they relate to security.

2. Workstation use. This standard requires the CE to implement policies
and procedures that specify the proper functions to be performed
and the manner in which those functions are to be performed on a
specifi c workstation or class of workstation that can be used to access
ePHI and that also specify the physical attributes of the surroundings
of such workstations.

3. Workstation security. This standard requires the CE to implement
physical safeguards for all workstations that are used to access ePHI
and to restrict access to authorized users.

4. Device and media controls. This standard requires the CE to implement
policies and procedures for the movement of hardware and electronic
media that contain ePHI into and out of a facility and within a facility.
There are four implementation specifi cations with this standard:

• Disposal (required). The CE must have a process for the fi nal
disposition of ePHI and of the hardware and electronic media on
which it is stored.


L E G A L P R O T E C T I O N O F H E A L T H I N F O R M A T I O N · 299

• Media reuse (required). The CE must have a process for

removal of ePHI from electronic media before the media can be


• Accountability (addressable). The CE must maintain a record of

movements of hardware and electronic media and any person

responsible for these items.

• Data backup and storage (addressable). The CE must create a

retrievable, exact copy of ePHI, when needed, before movement of


The HIPAA Security Technical Safeguards section has fi ve standards:

1. Access control. This standard requires the CE to implement technical
policies and procedures for electronic information systems that
maintain ePHI in order to allow access only to those persons or
software programs that have been granted access rights as specifi ed
in the administrative safeguards. There are four implementation
specifi cations within this standard:

• Unique user identifi cation (required). The CE must assign a unique

name or number for identifying and tracking each user’s identity.

• Emergency access procedure (required). The CE must establish

procedures for obtaining necessary ePHI in an emergency.

• Automatic log-off (addressable). The CE must implement

electronic processes that terminate an electronic session after a

predetermined time of inactivity.

• Encryption and decryption (addressable). The CE should implement

a mechanism to encrypt and decrypt ePHI as needed.

2. Audit controls. This standard requires the CE to implement
hardware, software, and procedures that record and examine activity
in the information systems that contain ePHI.

3. Integrity. This standard requires the CE to implement policies
and procedures to protect ePHI from improper alteration or

4. Person or entity authentication. This standard requires the CE to
implement procedures to verify that a person or entity seeking access
to ePHI is in fact the person or entity claimed.

5. Transmission security. This standard requires the CE to implement
technical measures to guard against unauthorized access to ePHI

300 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

being transmitted across a network. There are two implementation
specifi cations with this standard:

• Integrity controls (addressable). The CE must implement security
measures to ensure that electronically transmitted ePHI is not
improperly modifi ed without detection.

• Encryption (addressable). The CE should encrypt ePHI whenever it
is deemed appropriate.

The Policies, Procedures, and Documentation section has two standards:

1. Policies and procedures. This standard requires the CE to establish
and implement policies and procedures to comply with the standards,
implementation specifi cations, and other requirements.

2. Documentation. This standard requires the CE to maintain the
policies and procedures implemented to comply with the Security
Rule in written form. There are three implementation specifi cations:

• Time limit (required). The CE must retain the documentation for
six years from the date of its creation or the date when it was last
in effect, whichever is later.

• Availability (required). The CE must make the documentation
available to those persons responsible for implementing the
policies and procedures.

• Updates (required). The CE must review the documentation
periodically and update it as needed.

HIPAA Breach Notifi cation Rule

The HIPAA Breach Notifi cation Rule requires CEs and their business associ­
ates to provide notification following a breach of unsecured protected health
information. “‘Unsecured’ PHI is PHI that has not been rendered unusable,
unreadable, or indecipherable to unauthorized persons through the use of
a technology or methodology specified by the Secretary in guidance” (US
Department of Health and Human Services, n.d.c). To meet the requirement of
“secured” PHI, it must have been encrypted using a valid encryption process,
or the media on which the PHI is stored have been destroyed. Paper or other
hard copy media, such as film, must be shredded or otherwise destroyed so
that it cannot be read or reconstructed. Electronic media must be “sanitized”
according to accepted standards so that PHI cannot be retrieved (US Depart­
ment of Health and Human Services, n.d.c).

L E G A L P R O T E C T I O N O F H E A L T H I N F O R M A T I O N · 301

The notification requirements include, depending on the circumstances,
notification to these sources:

• Individuals affected

• The Health and Human Services Secretary (via the Offi ce for Civil

Rights [OCR])

• Major media outlets

All individuals affected by breaches of unsecured PHI must be notifi ed
within a reasonable length of time—less than sixty days—after the breach is
discovered. If the CE does not have sufficient information to contact ten or
more individuals directly, the notification must be made on the home page
of its website for at least ninety days or by a major media outlet. A CE that
experiences a breach involving five hundred or more individuals must, in
addition to sending individual notices, provide notice to a major media outlet
serving the area. This notification must also be made within sixty days. All
breaches must also be reported to the secretary of HHS; the breaches involv­
ing more than five hundred individuals must be reported within sixty days;
all others may be reported on an annual basis (US Department of Health and
Human Services, n.d.b).

HIPAA Enforcement and Violation Penalties

The Department of Health and Human Services (HHS) Office for Civil Rights
(OCR) is responsible for enforcing HIPAA Privacy and Security rules. In addi­
tion, HITECH gave state attorneys general the authority to bring civil actions
on behalf of the residents of their states for HIPAA violations. From April
2003 until May 2016, OCR has received over 134,000 HIPAA complaints and
has initiated 879 compliance reviews. The resolution of the complaints and
reviews is as follows (US Department of Health and Human Services, 2016):

• Settled thirty-fi ve cases resulting in $36,639,200 in penalties

• Resolved 24,241 cases by requiring a change in privacy practices and

corrective actions by, or providing technical assistance to, CEs or

business associates

• Identifi ed 11,018 cases as no violation and 79,865 cases as non-eligible

HIPAA criminal and civil penalties for noncompliance are applied using
a tiered schedule that ranges from $100 for a single violation, when the
individual did not know he or she was not in compliance, to $1,500,000 for
multiple violations because of willful neglect. It is important to note that

302 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

Table 9.1 HIPAA violation categories

Violation Category Category Fine*

Category 1: A violation that the CE was unaware of, and Minimum fine of $100 per
could not have realistically avoided, had a reasonable violation up to $50,000
amount of care been taken to abide by HIPAA rules

Category 2: A violation that the CE should have been Minimum fine of $1,000 per
aware of but could not have avoided even with a violation up to $50,000
reasonable amount of care (but falling short of willful
neglect of HIPAA rules)

Category 3: A violation suffered as a direct result of Minimum fine of $10,000 per
“willful neglect” of HIPAA rules, in cases in which an violation up to $50,000
attempt has been made to correct the violation

Category 4: A violation of HIPAA rules constituting Minimum fine of $50,000 per
willful neglect, and no attempt has been made to violation
correct the violation

*The fines are issued per violation category, per year that the violation was allowed to persist.

The maximum fine per violation category, per year, is $1,500,000.

Source: What are the penalties for HIPAA violations? (2015).

civil penalties cannot be levied in situations when the violation is corrected
within a specified period of time.

The structure for HIPAA violations reflect four categories of violations
and associated penalties. Table 9.1 outlines the categories and penalties.

In addition to these civil penalties, a HIPAA violation may result in crim­
inal charges. The criminal penalties are divided into the following three tiers
(What are the penalties for HIPAA violations, 2015):

• Tier 1: Reasonable cause or no knowledge of violation—Up to one year
in jail

• Tier 2: Obtaining PHI under false pretenses—Up to fi ve years in jail

• Tier 3: Obtaining PHI for personal gain or with malicious intent—Up
to ten years in jail

As stated, most HIPAA violations are resolved with corrective action. In
2015 six financial penalties were issued. However, a serious violation can
cost a health care organization a significant about of money. One such case
resulting in a substantial financial settlement is outlined in the Perspective.
The top ten largest fines levied for HIPAA violations as of August 2016 are
listed in Table 9.2.

L E G A L P R O T E C T I O N O F H E A L T H I N F O R M A T I O N · 303

Table 9.2 Top ten largest fines levied for HIPAA violations as of August 2016

Individuals Awarded

Organization Affected ($ million) Data Awarded

Advocate Health Care: Lacked appropriate
safeguards, including an unencrypted laptop
was left in a vehicle overnight

New York Presbyterian Hospital and Columbia
University: PHI accessible on Google and other
search engines

Cignet Health: Did not allow patients access to
medical records and refused to cooperate with

Feinstein Institute for Medical Research: Lacked
appropriate safeguards leading to theft

Triple-S Management Corp (Blue Cross/
Blue Shield licensee in Puerto Rico): Did not
deactivate user IDs and passwords, allowing
previous employees to access PHI

University of Mississippi Medical Center: Did
not manage risks appropriately, although aware
of risks and vulnerabilities

Oregon Health & Science University: Lacked
safeguards with regards to stolen laptop and
used cloud storage without a business associate
agreement in place

CVS Pharmacy: Improperly disposed of PHI
such as prescription labels

New York Presbyterian Hospital: Allowed
filming of two patients for a TV series creating
the potential for PHI to be compromise. (Note:
Hospital continues to maintain it was not a

Concentra Health Services: Failed to remediate
an identifi ed lack of encryption after an
unencrypted laptop was stolen

4 million 5.55 August 2016

6,800 4.8 May 2014

41 4.3 February 2011

Unknown 3.9 March 2016

398,000 3.5 November 2015

10,000 2.75 July 2016

7,000 2.7 July 2016

Unknown 2.25 January 2009

Unknown 2.2 April 2016

870 1.73 April 2014

Source: Bazzoli (2016).

304 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

$750,000 HIPAA Settlement Underscores

the Need for Organization Wide Risk Analysis

The University of Washington Medicine (UWM) has agreed to settle
charges that it potentially violated the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) Security Rule by failing to implement
policies and procedures to prevent, detect, contain, and correct security
violations. UWM is an affiliated covered entity, which includes designated
health care components and other entities under the control of the Univer­
sity of Washington, including University of Washington Medical Center,
the primary teaching hospital of the University of Washington School of
Medicine. Affiliated covered entities must have in place appropriate poli­
cies and processes to assure HIPAA compliance with respect to each of the
entities that are part of the affiliated group. The settlement includes a mon­
etary payment of $750,000, a corrective action plan, and annual reports on
the organization’s compliance efforts.

The US Department of Health and Human Services Office for Civil
Rights (OCR) initiated its investigation of the UWM following receipt of a
breach report on November 27, 2013, which indicated that the electronic
protected health information (e-PHI) of approximately 90,000 individuals
was accessed after an employee downloaded an email attachment that con­
tained malicious malware. The malware compromised the organization’s
IT system, affecting the data of two different groups of patients: (1) approx­
imately 76,000 patients involving a combination of patient names, medical
record numbers, dates of service, and/or charges or bill balances; and (2)
approximately 15,000 patients involving names, medical record numbers,
other demographics such as address and phone number, dates of birth,
charges or bill balances, Social Security numbers, insurance identifi cation
or Medicare numbers.

OCR’s investigation indicated UWM’s security policies required its
affiliated entities to have up-to-date, documented system-level risk assess­
ments and to implement safeguards in compliance with the Security Rule.
However, UWM did not ensure that all of its affiliated entities were prop­
erly conducting risk assessments and appropriately responding to the
potential risks and vulnerabilities in their respective environments.

Source: (2015). Used with permission.

T H R E A T S T O H E A L T H C A R E I N F O R M A T I O N · 305


What are the threats to health care information systems? In general, threats
to health care information systems fall into one of these three categories:

• Human tampering threats

• Natural and environmental threats, such as fl oods and fi re

• Environmental factors and technology malfunctions, such as a drive

that fails and has no backup or a power outage

Threats to health care information systems from human beings can be
intentional or unintentional. They can be internal, caused by employees, or
external, caused by individuals outside the organization.

Intentional threats include knowingly disclosing patient information
without authorization, theft, intentional alteration of data, and intentional
destruction of data. The culprit could be a computer hacker, a disgruntled
employee, or a prankster. Cybercrime directed at health information systems
has increased signifi cantly in recent years. In the 2014–2015 two-year period,
more than 90 percent of health care organizations reported a health infor­
mation security breach, and of these reports, nearly half were because of
criminal activity (Koch, 2016). Intentional destruction or disruption of health
care information is generally caused by some form of malware, a general
term for software that is written to “infect” and subsequently harm a host
computer system. The best-known form of malware is the computer virus,
but there are others, including the particularly virulent ransomware, attacks
from which are on the rise in health care.

The following list includes common forms of malware with a brief
description of each (Comodo, 2014):

• Viruses are generally spread when software is shared among

computers. It is a “contagious” piece of software code that infects the

host system and spreads itself.

• Trojans (or Trojan Horses) are a type of virus specifi cally designed to
look like a safe program. They can be programmed to steal personal
information or to take over the resources of the host computer making
it unavailable for its intended use.

• Spyware tracks Internet activities assisting the hacker in gathering

information without consent. Spyware is generally hidden and can be

diffi cult to detect.

306 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

• Worms are software code that replicates itself and destroys fi les that
are on the host computer, including the operating system.

• Ransomware is an advanced form of malware that hackers use
to cripple the organization’s computer systems through malicious
code, generally launched via an e-mail that is opened unwittingly
by an employee, a method known as phishing. The malicious code
then encrypts and locks folders and operating systems. The hacker
demands money, generally in the form of bitcoins, a type of digital
currency, to provide the decryption key to unlock the organization’s
systems (Conn, 2016).

Some of the causes of unintentional health information breaches are lack
of training in proper use of the health information system or human error.
Users may unintentionally share patient information without proper autho­
rization. Other examples include users sharing passwords or downloading
information from nonsecure Internet sites, creating the potential for a breach
in security. Some of the more common forms of internal breaches of security
across all industries are the installation or use of unauthorized software,
use of the organization’s computing resources for illegal or illicit communi­
cations or activities (porn surfing, e-mail harassment, and so forth), and the
use of the organization’s computing resources for personal profit. Losing or
improperly disposing of electronic devices, including computers and porta­
ble electronic devices, also constitute serious forms of unintentional health
information exposure. In 2015, the OCR portal, which lists breach incidents
potentially affecting five hundred or more individuals, reported more than
seventy-five thousand individuals’ data were breached either because of loss
or improper disposal of a device containing PHI (OCR, n.d.).

Threats from natural causes, such as fi re or flood, are less common than
human threats, but they must also be addressed in any comprehensive health
care information security program. Loss of information because of environ­
mental factors and technical malfunctions must be secured against by using
appropriate safeguards.


The realization of any of the threats discussed in the previous section can
cause significant damage to the organization. Resorting to manual operations
if the computers are down for days, for example, can lead to organizational
chaos. Theft or loss of organizational data can lead to litigation by the indi­
viduals harmed by the disclosure of the data and HIPAA violations. Malware

T H E H E A L T H C A R E O R G A N I Z A T I O N ’ S S E C U R I T Y P R O G R A M · 307

can corrupt databases, corruption from which there may be no recovery.
The function of the health care organization’s security program is to iden­
tify potential threats and implement processes to remove these threats or
mitigate their ability to cause damage. The primary challenge of developing
an effective security program in a health care organization is balancing the
need for security with the cost of security. An organization does not know
how to calculate the likelihood that a hacker will cause serious damage or a
backhoe will cut through network cables under the street. The organization
may not fully understand the consequences of being without its network for
four hours or four days. Hence, it may not be sure how much to spend to
remove or reduce the risk.

Another challenge is maintaining a satisfactory balance between health
care information system security and health care data and information avail­
ability. As we saw in Chapter Two, the major purpose of maintaining health
information and health records is to facilitate high-quality care for patients.
On the one hand, if an organization’s security measures are so stringent that
they prevent appropriate access to the health information needed to care for
patients, this important purpose is undermined. On the other hand, if the orga­
nization allows unrestricted access to all patient-identifiable information to all
its employees, the patients’ rights to privacy and confidentiality would certainly
be violated and the organization’s IT assets would be at considerable risk.

The ONC (2015) publication Guide to Privacy and Security of Electronic
Health Information for health care providers includes a chapter describing
a seven-step approach for implementing a security management process.
The guidance is directed at physician practices or other small health care
organizations, and it does not include specific technical solutions. Specifi c
solutions for security protection will be driven by the organization’s overall
plan and will be managed by the organizations IT team. Larger organizations
must also develop comprehensive security programs and will follow the same
basic steps, but it will likely have more internal resources for security than
smaller practices.

Each step in the ONC security management process for health care pro­
viders is listed in the following section.

Step 1: Lead Your Culture, Select Your Team, and Learn

This step includes six actions:

1. Designate a security offi cer, who will be responsible for developing
and implementing the security practices to meet HIPAA requirements
and ensure the security of PHI.

308 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

2. Discuss HIPAA security requirements with your EHR developer to
ensure that your system can be implemented to meet the security
requirements of HIPAA and Meaningful Use.

3. Consider using a qualifi ed professional to assist with your security
risk analysis. The security risk analysis is the opportunity to
discover as much as possible about risks and vulnerabilities to health
information within the organization.

4. Use tools to preview your security risk analysis. Examples of available
tools are listed within Step 3.

5. Refresh your knowledge base of the HIPAA rules.

6. Promote a culture of protecting patient privacy and securing patient
information. Make sure to communicate that all members of the
organization are responsible for protecting patient information.

Step 2: Document Your Process, Findings, and Actions

Documenting the processes for risk analysis and implementation of safe­
guards is very important, not to mention a requirement of HIPAA. The fol­
lowing are some examples cited by the ONC of records to retain:

• Policies and procedures

• Completed security checklists (ESET, n.d.)

• Training materials presented to staff members and volunteers and any
associated certifi cates of completion

• Updated business associate (BA) agreements

• Security risk analysis report

• EHR audit logs that show utilization of security features and efforts to
monitor users’ actions

• Risk management action plan or other documentation that shows
appropriate safeguards are in place throughout your organization,
implementation timetables, and implementation notes

• Security incident and breach information

Step 3: Review Existing Security of ePHI
(Perform Security Risk Analysis)

Risk analysis assesses potential threats and vulnerabilities to the “confi den­
tiality, integrity and availability” (ONC, 2015, p. 41) of PHI. Several excellent

T H E H E A L T H C A R E O R G A N I Z A T I O N ’ S S E C U R I T Y P R O G R A M · 309

Table 9.3 Resources for conducting a comprehensive risk analysis

OCR’s Guidance on Risk
Analysis Requirements under guidance/fi nal-guidance-risk-analysis/index.html
the HIPAA Rule

OCR Security Rule Frequently
Asked Questions (FAQs)

ONC SRA (Security Risk
Assessment) Tool for small security-risk-assessment

National Institute of Standards
and Technology (NIST) HIPAA
Security Rule Toolkit

government-sponsored guides and toolsets available for conducting a compre­
hensive risk analysis are listed in Table 9.3 with a corresponding web address.

The three basic actions recommended for the organization’s fi rst compre­
hensive security risk analysis are as follows:

1. Identify where ePHI exists.

2. Identify potential threats and vulnerabilities to ePHI.

3. Identify risks and their associated levels.

Step 4: Develop an Action Plan

As discussed, the HIPAA Security Plan provides flexibility in how to achieve
compliance, which allows an organization to take into account its specifi c
needs. The action plan should include five components. Once in place, the plan
should be reviewed regularly by the security team, led by the security offi cer.

1. Administrative safeguards

2. Physical safeguards

3. Technical safeguards

4. Organizational standards

5. Policies and procedures

Table 9.4 lists common examples of vulnerabilities and mitigation strat­
egies that could be employed.

310 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

Table 9.4 Common examples of vulnerabilities and mitigation strategies

Security Examples of Security

Component Examples of Vulnerabilities Mitigation Strategies





No security offi cer is designated.

Workforce is not trained or is
unaware of privacy and security

Facility has insuffi cient locks
and other barriers to patient data

Computer equipment is easily
accessible by the public.

Portable devices are not tracked
or not locked up when not in use.

Poor controls enable
inappropriate access to EHR.

Audit logs are not used enough
to monitor users and other HER

No measures are in place to
keep electronic patient data from
improper changes.

No contingency plan exists.

Electronic exchanges of patient
information are not encrypted or
otherwise secured.

No breach notifi cation and
associated policies exist.

BA agreements have not been
updated in several years.

Security offi cer is designated and

Workforce training begins at hire
and is conducted on a regular and
frequent basis.

Security risk analysis is performed
periodically and when a change
occurs in the practice or the

Building alarm systems are

Offi ces are locked.

Screens are shielded from secondary

Secure user IDs, passwords, and
appropriate role-based access are

Routine audits of access and
changes to EHR are conducted.

Anti-hacking and anti-malware
software is installed.

Contingency plans and data backup
plans are in place.

Data are encrypted.

Regular reviews of agreements
are conducted and updates made

T H E H E A L T H C A R E O R G A N I Z A T I O N ’ S S E C U R I T Y P R O G R A M · 311

Security Examples of Security

Component Examples of Vulnerabilities Mitigation Strategies

Policies and

Generic written policies and
procedures to ensure HIPAA
security compliance were
purchased but not followed.

The manager performs ad hoc
security measures.

Written policies and procedures are
implemented and staff members are

Security team conducts monthly
review of user activities.

Routine updates are made to
document security measures.

Source: ONC (2015).

Step 5: Manage and Mitigate Risks

The security plan will reduce risk only if it is followed by all employees in
the organization. This step has four actions associated with it.

1. Implement your plan.

2. Prevent breaches by educating and training your workforce.

3. Communicate with patients.

4. Update your BA contracts.

Step 6: Attest for Meaningful Use Security Related Objective

Organizations can attest to the EHR Incentive Program security-related
objective after the security risk analysis and correction of any identifi ed
defi ciencies.

Step 7: Monitor, Audit, and Update Security
on an Ongoing Basis

The security officer, IT administrator, and EHR developer should work
together to ensure that the organization’s monitoring and auditing functions
are active and configured appropriately. Auditing and monitoring are neces­
sary to determine the adequacy and effectiveness of the security plan and
infrastructure, as well as the “who, what, when, where and how” (ONC, 2015,
p. 54) patients’ ePHI is accessed.

312 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y



Clearly, HIPAA is an important legislative act aimed at protecting health
data and information. However, in today’s increasingly wired environment,
health care organizations face threats that were not present when HIPAA was
enacted. In June 2016, 41 percent of all data breaches were because of cyber­
crime—hacking. In July of the same year a single hacker was responsible for
30 percent of the health care data breached (Sullivan, 2016). Experts argue
that health care organizations are easy targets for cybercriminals because
they are inadequately prepared. The average health care provider spends less
than 6 percent of its total IT budget on security, compared to the government,
which spends 16 percent, and the banking industry, which spends between
12 and 15 percent. By one estimate the increase in cybercrime against health
care organizations is because of, at least in part, PHI’s value on the black
market, estimating that PHI is fi fty times more valuable than fi nancial infor­
mation (Koch, 2016; Siwicki, 2016).

The reality of today’s environment is that there are more entry points into
health care information networks and computers than ever before. Mobile
devices, cloud use, the use of smart consumer products, health care devices
with Internet connectivity, along with more employees connecting to health
care networks from remote locations create an increased need for cyberse­
curity in health care organizations. One recent survey found that among
medical students and physicians 93.7 percent owned smartphones and 82.9
percent had used them in a clinical setting. Perhaps the most surprising
aspect of the survey was that none of respondents believed using the devices
increased risk of breaching patient information (Buchholz, Perry, Weiss, &
Cooley, 2016).

So-called mHealth technologies, which include entities that support per­
sonal health records and cloud-based or mobile applications that collect
patient information directly from patients or allow uploading of health-related
data from wearable devices, are also on the rise, as is the use of health-
related social media sites. These technologies were not addressed in HIPAA
and, therefore, do not meet the criteria as a CE (DeSalvo & Samuels, 2016).

To provide assistance to health care organizations to combat cyber
attacks and improve cybersecurity, the ONC (n.d.) published the Top 10 Tips
for Cybersecurity in Health Care. The first tip reminds health care organiza­
tions to establish a security culture, the same initial tip in their guidance for
developing a security plan, clearly emphasizing the importance of this aspect
of any security program. The other tips in the publication contain some more
specific ways to mitigate the threat from cyber attacks. These tips are listed

B E Y O N D H I P A A : C Y B E R S E C U R I T Y F O R T O D A Y ’ S W I R E D E N V I R O N M E N T · 313

with specific checkpoints to ensure security (ONC, n.d.). The full version of
the top-ten document is available at

Protect Mobile Devices

• Ensure your mobile devices are equipped with strong authentication

and access controls.

• Ensure laptops have password protection.

• Enable password protection on handheld devices (if available).

Take extra physical control precautions over the device if password

protection is not provided.

• Protect wireless transmissions from intrusion.

• Do not transmit unencrypted PHI across public networks (e.g.,

Internet, Wi-Fi).

• When it is absolutely necessary to commit PHI to a mobile device or

remove a device from a secure area, encrypt the data.

• Do not use mobile devices that cannot support encryption.

• Develop and enforce policies specifying the circumstances under

which devices may be removed from the facility.

• Take extra care to prevent unauthorized viewing of the PHI displayed
on a mobile device.

Maintain Good Computer Habits

• Uninstall any software application that is not essential to running the
practice (e.g., games, instant message clients, photo-sharing tools).

• Do not simply accept defaults or “standard” confi gurations when

installing software.

• Find out whether the EHR developer maintains an open connection to
the installed software (a “back door”) in order to provide updates and

• Disable remote file sharing and remote printing within the operating

system (e.g., Windows Operating System).

• Automate software updates to occur weekly (e.g., use Microsoft

Windows Automatic Update).

• Monitor for critical and urgent patches and updates that require

immediate attention and act on them as soon as possible.

314 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

• Disable user accounts for former employees quickly and appropriately.

• If an employee is to be involuntarily terminated, close access to the
account before the notice of termination is served.

• Prior to disposal, sanitize computers and any other devices that have
had data stored on them.

• Archive old data files for storage if needed or clean them off
the system if not needed, subject to applicable data retention

• Fully uninstall software that is no longer needed (including trial
software and old versions of current software).

• Work with your IT team or other resources to perform malware,
vulnerability, configuration, and other security audits on a regular

Use a Firewall

• Unless your electronic health record (EHR) and other systems are
totally disconnected from the Internet, you must install a fi rewall to
protect against intrusions and threats from outside sources.

• Larger health care organizations that use a local area network (LAN)
should consider a hardware fi rewall.

Install and Maintain Antivirus Software

• Use an antivirus product that provides continuously updated
protection against viruses, malware, and other code that can attack
your computers through web downloads, CDs, e-mail, and fl ash

• Keep antivirus software up-to-date.

• Most antivirus software automatically generates reminders about these
updates, and many are configurable to allow for automated updating.

Plan for the Unexpected

• Create data backups regularly and reliably.

• Begin backing up data from day one of a new system.

• Ensure the data are being captured correctly.

B E Y O N D H I P A A : C Y B E R S E C U R I T Y F O R T O D A Y ’ S W I R E D E N V I R O N M E N T · 315

• Ensure the data can be quickly and accurately restored.

• Use an automated backup system, if possible.

• Consider storing the backup far away from the main system.

• Protect backup media with the same type of access controls described
in the next section.

• Test backup media regularly for their ability to restore data properly,
especially as the backups age.

• Have a sound recovery plan. Know the following:

o What data was backed up (e.g., databases, pdfs, tiffs, docs)

o When the backups were done (time frame and frequency)

o Where the backups are stored

o What types of equipment are needed to restore them

• Keep the recovery plan securely at a remote location where someone
has responsibility for producing it in the event of an emergency.

Control Access to PHI

• Configure your EHR system to grant PHI access only to people with a
“need to know.”

o This access control system might be part of an operating system
(e.g., Windows), built into a particular application (e.g., an
e-prescribing module), or both.

• Manually set file access permissions using an access control list.

o This can only be done by someone with authorized rights to the

o Prior to setting these permissions, identify which files should be
accessible to which staff members.

• Configure role-based access control as needed.

o In role-based access, a staff member’s role within the organization
(e.g., physician, nurse, billing specialist, etc.) determines what
information may be accessed.

• Assign staff members to the correct roles and then set the access
permissions for each role correctly on a need-to-know basis.

The following case on access control provides additional examples of
access control.

316 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

Mary Smith is the director of the health information management
department in a hospital. Under a user-based access control scheme,
Mary would be allowed read-only access to the hospital’s laboratory
information system because of her personal identity—that is, because
she is Mary Smith and uses the proper log-in and password(s) to get
into the system. Under a role-based control scheme, Mary would be
allowed read-only access to the hospital’s lab system because she is part
of the health information management department and all department
employees have been granted read-only privileges for this system. If
the hospital were to adopt a context-based control scheme, Mary might
be allowed access to the lab system only from her own workstation or
another workstation in the health information services department, pro-
vided she used her proper log-in and password. If she attempted to log
in from the emergency department or another administrative offi ce, she
might be denied access. The context control could also involve time of
day. Because Mary is a daytime employee, she might be denied access if
she attempted to log in at night.


Access Control

Use Strong Passwords

• Choose a password that is not easily guessed. Following are some
examples of strong password characteristics:

o At least eight characters in length (the longer the better)

o A combination of uppercase and lowercase letters, one number, and
at least one special character, such as a punctuation mark

• Strong passwords should not include personal information:

o Birth date

o Names of self, family members, or pets

o Social Security number

o Anything that is on your social networking sites or could otherwise
be discovered easily by others

• Use multifactor authentication for more security. Multifactor
authentication combines multiple authentication methods, such as
a password plus a fingerprint scan; this results in stronger security

B E Y O N D H I P A A : C Y B E R S E C U R I T Y F O R T O D A Y ’ S W I R E D E N V I R O N M E N T · 317

protections. If you e-prescribe controlled substances, you must use
multifactor authentication for your accounts.

• Configure your systems so that passwords must be changed on a
regular basis.

• To discourage staff members from writing down their passwords,
develop a password reset process to provide quick assistance in case of
forgotten passwords.

Limit Network Access

• Prohibit staff members from installing software without prior


• When a wireless router is used, set it up to operate only in encrypted

• Prohibit casual network access by visitors.

• Check to make sure file sharing, instant messaging, and other peer-to­
peer applications have not been installed without explicit review and

Control Physical Access

• Limit the chances that devices (e.g., laptops, handhelds, desktops,
servers, thumb drives, CDs, backup tapes) may be tampered with, lost,
or stolen.

• Document and enforce policies limiting physical access to devices and

o Keep machines in locked rooms.

o Manage keys to facilities.

o Restrict removal of devices from a secure area.

National Institute of Standards and Technology (NIST)
Cybersecurity Framework

Recognizing the severity of the rise in cybercrime, President Obama issued
an executive order in February 2013 to “enhance the security and resilience
of the Nation’s critical infrastructure” (Executive Order 13636). As a result
the National Institute of Standards and Technology (NIST) was directed to
develop, with help of stakeholder organizations, a voluntary cybersecurity

318 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

Exhibit 9.2 Cybersecurity framework core

Source: NIST (2016).

S U M M A R Y · 319

framework to reduce cyber-attack risks. The resulting NIST cybersecurity
framework consists of three components (NIST, n.d.):

1. The Framework Core consists of “fi ve concurrent and continuous
Functions—Identify, Protect, Detect, Respond, Recover.” The
functions provide “the highest level, strategic view of an
organization’s management of cybersecurity risk” (NIST, n.d., p. 4).
The functions are divided into categories and subcategories as
shown in Exhibit 9.2.

2. The Framework Implementation Tiers characterize an organization’s
actual cybersecurity practices compared to the framework, using a
range of tiers from partial (Tier 1) to adaptive (Tier 4).

3. The Framework Profi le documents outcomes obtained by reviewing
all of the categories and subcategories and comparing them to the
organization’s business needs. Profiles can be identifi ed as “current,”
documenting where the organization is now, or as “target,” where the
organization would like to be in the future.

Since its initial publication in 2014, the HHS, OCR, and the ONC have
cited the framework as an important tool for health care organizations to
consider when developing a comprehensive security program. In 2016, OCR
published a crosswalk that maps the HIPAA Security Rule to the NIST frame­
work, which can be found at (US Department of Health and
Human Services, n.d.a).


In this chapter we gained insight into why health information privacy
and security are key topics for health care administrators. In today’s ever-
increasing electronic world with new and more virulent threats, the security
of health information is an ongoing concern. In this chapter we exam­
ined and defined the concepts of privacy, confidentiality, and security
and explored major legislative efforts, historical and current, to protect
health care information, with a focus on the HIPAA Privacy, Security, and
Breach Notification rules. Different types of threats, human, natural and
environmental, intentional and unintentional, were identified, with a focus
on the increase in cybercrime. Basic requirements for a strong health care
organization security program were outlined and the chapter ended with a
discussion of the cybersecurity challenges within the current health care

320 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y


42 C.F.R. (Code of Federal
Regulations) Part 2, Confi dentiality
of Substance Abuse Patient Records

Access control
Antivirus software
Business associate contracts
Confi dentiality
Electronic health record (EHR)
Electronic protected health

information (ePHI)
Federal Trade Commission (FTC) Act
Health Insurance Portability and

Accountability Act (HIPAA)
HIPAA Breach Notifi cation Rule
HIPAA Privacy Rule
HIPAA Security Administrative



HIPAA Security Physical Safeguards
HIPAA Security Rule
HIPAA Security Technical Safeguards
National Institute of Standards and

Technology (NIST)
NIST Cybersecurity Framework
Office for Civil Rights (OCR)
Privacy Act of 1974
Protected health information (PHI)
Security management

1. Do an Internet search for a recent article discussing a signifi cant
breach under the HIPAA Privacy and Security rules. Write a summary
of the article. Discuss how the organization cited in the article could
have prevented or mitigated the risk of the breach.

2. Contact a health care provider to talk with the person responsible
for maintaining the legal health record. Ask about the organization’s
release of information, retention, and destruction policies. Do they
comply with the requirements of HIPAA? Explain why or why not.

3. Contact a physician’s offi ce or clinic and ask if the organization has
a security plan. Discuss the process that staff members undertook to
complete the plan, or develop an outline of a plan for them.

4. Visit the Offi ce for Civil Rights Enforcement Activities and Results
website. Read at least fi ve case examples involving HIPAA security
violations. What do these cases have in common? What are their

R E F E R E N C E S · 321

differences? Do all of the Security Rule violations you read also
involve Privacy Rule violations? What were your impressions of the
types of cases you read and their resolutions?


American Health Information Management Association (AHIMA). (2003). Final Rule
for HIPAA security standards. Chicago, IL: Author.

Bazzoli, F. (2016, Aug. 9). 12 largest fines levied for HIPAA violations. Health Data
Management. Retrieved August 9, 2016, from http://www.healthdatamanagement
.com/list/12-largest-fi nes-levied-for-hipaa-violations

Buchholz, A., Perry, B., Weiss, L. B., & Cooley, D. (2016). Smartphone use and per­
ceptions among medical students and practicing physicians. Journal of Mobile
Technology in Medicine, 5(1), 27–32. doi:10.7309/jmtm.5.1.5

Centers for Medicare and Medicaid Services (CMS). (2004). HIPAA administrative
simplification: Security—Final Rule. Retrieved November 2004 from http://

Comodo. (2014, Aug. 4). Malware versus viruses: What’s the difference? Retrieved
August 10, 2016, from

Conn, J. (2016, Feb. 18). Hospital pays hackers $17,000 to unlock EHRs frozen in
“ransomware” attack. Retrieved November 11, 2016, from http://www

Coppersmith, Gordon, Schermer, & Brockelman, PLC. (2012). HITECH Act expands
HIPAA privacy and security rules. Retrieved March 2012 from http://www

DeSalvo, K. B., & Samuels, J. (2016, July 19). Examining oversight of the privacy &
security of health data collected by entities not regulated by HIPAA. Health IT
Buzz. Retrieved August 10, 2016, from

Goedert, J. (2016, Aug. 8). Hack of Banner systems highlights the need for more fi re-
walls. Retrieved August 10, 2016, from http://www.healthdatamanagement
.com/news/hack-of-banner-systems-highlights-the-need-for-more-fi rewalls?utm_
medium=email (2015). $750,000 HIPAA settlement underscores the need for organization-
wide risk analysis. Retrieved from

ESET. (n.d.). HIPAA security checklist [Brochure]. Retrieved August 8, 2016, from les/comments_upload/hipaa-security­

322 · C H A P T E R 9 : P R I V A C Y A N D S E C U R I T Y

Koch, D. D. (2016, Spring). Is HIPAA Security Rule enough to protect electronic
personal health information (PHI) in the cyber age? Journal of Health Care
Finance. Retrieved August 8, 2016, from http://www.healthfi

National Institute of Standards and Technology (NIST). (2016). Framework for
improving critical infrastructure cybersecurity. Retrieved from http://www.nist

National Institute of Standards and Technology (NIST). (n.d.). Cybersecurity frame­
work. Retrieved August 10, 2016, from

ONC. (2015). Guide to privacy and security of electronic health information.
Retrieved from les/pdf/privacy/privacy­

ONC. (n.d.). Top 10 tips for cybersecurity in health care [Brochure]. Retrieved
August 8, 2016, from les/Top_10_Tips_

Siwicki, B. (2016, May 17). Cybersecurity special report: Ransomware will get
worse, hackers targeting whales, medical devices and IoT trigger new vulnera­
bilities. Healthcare IT News. Retrieved August 10, 2016, from http://www

Sullivan, T. (2016, Aug. 9). “DarkOverLord” ransomware accounts for nearly
30 percent of health data breaches in July. Healthcare IT News. Retrieved
August 10, 2016, from­

Office for Civil Rights (OCR). (n.d.). HHS Breach Portal. Retrieved August 8, 2016,

US Department of Health and Human Services. (2016, Sept. 30). Enforcement
highlights. Retrieved August 8, 2016, from­

US Department of Health and Human Services. (n.d.a). Addressing gaps in cyberse­
curity: OCR releases crosswalk between HIPAA Security Rule and NIST cyberse­
curity framework. Retrieved August 10, 2016, from

US Department of Health and Human Services. (n.d.b). Breach Notifi cation Rule.
Retrieved August 8, 2016, from
breach-notifi cation/index.html

US Department of Health and Human Services. (n.d.c). Guidance to render unse­
cured protected health information unusable, unreadable, or indecipherable to
unauthorized individuals. Retrieved August 8, 2016, from
hipaa/for-professionals/breach-notifi cation/guidance/index.html

What are the penalties for HIPAA violations? (2015, June 14). HIPAA Journal.
Retrieved from­


Performance Standards

and Measures


• To be able to explain the signifi cant role of health information in
national private and public quality improvement initiatives.

• To be able to compare and contrast licensure, certifi cation, and
accreditation processes.

• To be able to discuss the role of the Joint Commission and the
National Committee for Quality Assurance in ensuring the
quality of care in the United States.

• To be able to understand performance measurement
development in the United States.

• To be able to identify the roles of specifi c public and private
organizations in the development and endorsement of national
performance measures.

• To be able to understand the origins and uses of major health
care comparative data sets.



324 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

This chapter examines public and private organizations and processes that
establish standards for ensuring that health records are maintained accu­
rately and completely and that they contain the data and information needed
to define and report a wide range of measures to determine the quality and
efficiency of health care. These activities are very important and have a sig­
nifi cant influence on providers and HIT capabilities, significant enough for
us to devote an entire chapter to them.

Health care organizations and health plans use data and information to
measure performance against internal and external standards; to compare
performance to other like organizations; to demonstrate performance to
licensing, certifying, and accrediting bodies; and to demonstrate performance
for reimbursement purposes. This chapter begins with an examination of
the licensure, certifi cation, and accreditation of health care facilities and
health plans, followed by an overview of key comparative data sets often
used by health care organizations in benchmarking performance. The chapter
concludes with a description of the national initiatives using performance
measures to improve the quality and safety of health care, including those
affecting provider reimbursement.

In the section titled “Licensure, Certification, and Accreditation,” we
define these processes, list the accrediting organizations recognized by CMS,
and examine the missions and general functions of the Joint Commission
and the National Committee for Quality Assurance (NCQA). These discus­
sions focus on how the licensure, certification, and accreditation processes
not only use health information to measure performance but also how they
influence the health care information that is collected.

“Measuring the Quality of Care” begins with a historical perspective of
major milestones in the national agenda for health care quality improvement,
followed by a discussion of the current efforts to improve health care quality
and patient safety, focusing on the efforts that involve using health care
data and information to measure performance. Quality measures are created
and validated by a range of organizations, private and public. However, in the
recent years significant progress has been made in aligning these measures
across organizations. Another significant movement related to quality mea­
surement in the United States is implementation of value-based reimbursement
programs, which are based on established performance criteria. The govern­
ment plans for significant growth in these programs over the next decade.


Health care organizations, such as hospitals, nursing homes, home health
agencies, and the like, must be licensed to operate. If they wish to fi le

L I C E N S U R E , C E R T I F I C A T I O N , A N D A C C R E D I T A T I O N · 325

Medicare or Medicaid claims, they must also be certified, and if they wish to
demonstrate quality performance, they will undergo an accreditation process.
What are these processes, and how are they related? If a health care organi­
zation is licensed, certified, and accredited, how will this affect the health
care information that it creates, uses, and maintains? In this section we will
examine each of these processes, their impact on the health care organiza­
tions, and their relationships with one another.


Licensure is the process that gives a facility legal approval to operate. As a
rule, state governments oversee the licensure of health care facilities, and
each state sets its own licensure laws and regulations. All facilities must have
a license to operate, and it is generally the state department of health or a
similar agency that carries out the licensure function. Licensure regulations
tend to emphasize areas such as physical plant standards, fire safety, space
allocations, and sanitation. They may also contain minimum standards for
equipment and personnel. A few states tie licensure to professional standards
and quality of care, but not all. In their licensure regulations, states gener­
ally set minimum standards for the content, retention, and authentication of
patient medical records. Exhibit 10.1 is an excerpt from the South Carolina
licensure regulations for hospitals. This excerpt governs patient medical
record content (with the exception of newborn patient records, which are
addressed in a separate section of the regulations). Although each state has
its own set of medical record content standards, these are fairly typical in
scope and content.

An initial license is required before a facility opens its doors, and this
license to operate must generally be renewed annually. Some states allow
organizations with the Joint Commission or other accreditation to forgo
a formal licensure survey conducted by the state; others require the state
survey regardless of accreditation status. As we will see in the section
on accreditation, the accrediting bodies’ standards are more detailed and
more stringent than the typical state licensure regulations. Also, most
accreditation standards are updated annually; most licensure standards
are not.

Certifi cation

Certification gives a health care organization the authority to participate
in the federal Medicare and Medicaid programs. Legislation passed in

326 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

Exhibit 10.1 Medical Record Content: Excerpt from South Carolina Standards
for Licensing Hospitals and Institutional General Infi rmaries

601.5 Contents:
A. Adequate and complete medical records shall be written for all patients
admitted to the hospital and newborns delivered in the hospital. All
notes shall be legibly written or typed and signed. Although use of ini­
tials in lieu of licensed nurses’ signatures is not encouraged, initials will
be accepted provided such initials can be readily identified within the
medical record. A minimum medical record shall include the following

1. Admission Record: An admission record must be prepared for each
patient and must contain the following information, when obtainable:
Name; address, including county; occupation; age; date of birth; sex;
marital status; religion; county of birth; father’s name; mother’s maiden
name; husband’s or wife’s name; dates of military service; health insur­
ance number; provisional diagnosis; case number; days of care; social
security number; the name of the person providing information; name,
address and telephone number of person or persons to be notified in the
event of emergency; name and address of referring physician; name,
address and telephone number of attending physician; date and hour of

2. History and physical within 48 hours after admission;

3. Provisional or working diagnosis;

4. Pre-operative diagnosis;

1972 mandated that hospitals had to be reviewed and certified to receive
reimbursement from Medicare and Medicaid programs (CMS, n.d.a). At
that time the Health Care Financing Administration, now the Centers for
Medicare and Medicaid Services (CMS), developed a set of minimum
standards known as the conditions of participation (CoPs). CMS con­
tracts with state agencies to inspect facilities to make sure they meet
these minimum standards, organized by facility functions and services.
See Exhibit 10.2 for the CoP standards section governing medical record

L I C E N S U R E , C E R T I F I C A T I O N , A N D A C C R E D I T A T I O N · 327

5. Medical treatment;

6. Complete surgical record, if any, including technique of operation and
findings, statement of tissue and organs removed and post-operative

7. Report of anesthesia;

8. Nurses’ notes;

9. Progress notes;

10. Gross pathological findings and microscopic;

11. Temperature chart, including pulse and respiration;

12. Medication Administration Record or similar document for recording
of medications, treatments and other pertinent data. Nurses shall
sign this record after each medication administered or treatment

13. Final diagnosis and discharge summary;

14. Date and hour of discharge summary;

15. In case of death, cause and autopsy findings, if autopsy is performed;

16. Special examinations, if any, e.g., consultations, clinical laboratory,
x-ray and other examinations.

Source: South Carolina Department of Health and Environmental Control, Stan­
dards for Licensing Hospitals and Institutional General Infi rmaries, Regulation
61–16 § 601.5 (2010).


Accreditation is an external review process that an organization elects to
undergo; it is voluntary and has fees associated with it. The accrediting
agency grants recognition to organizations that meet its predetermined per­
formance standards. The review process and standards are devised and regu­
lated by the accrediting agency. By far the best-known health care accrediting
agency in the United States is the Joint Commission, but there are others. The
National Committee for Quality Assurance (NCQA) is a leading accrediting
agency for health plans.

328 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

Exhibit 10.2 Medical Record Content: Excerpt from the Conditions of
Participation for Hospitals

Sec. 482.24 Condition of participation: Medical record services.

(c) Standard: Content of record. The medical record must contain
information to justify admission and continued hospitalization,
support the diagnosis, and describe the patient’s progress and
response to medications and services.

(1) All entries must be legible and complete, and must be authen­
ticated and dated promptly by the person (identified by name
and discipline) who is responsible for ordering, providing, or
evaluating the service furnished.

(i) The author of each entry must be identified and must authenti­
cate his or her entry.

(ii) Authentication may include signatures, written initials or com­
puter entry.

(2) All records must document the following, as appropriate:

(i) Evidence of a physical examination, including a health history,
performed no more than 7 days prior to admission or within 48
hours after admission.

(ii) Admitting diagnosis.

(iii) Results of all consultative evaluations of the patient and appro­
priate findings by clinical and other staff involved in the care of
the patient.

(iv) Documentation of complications, hospital acquired infections,
and unfavorable reactions to drugs and anesthesia.

(v) Properly executed informed consent forms for procedures and
treatments specifi ed by the medical staff, or by Federal or State
law if applicable, to require written patient consent.

(vi) All practitioners’ orders, nursing notes, reports of treatment, med­
ication records, radiology, and laboratory reports, and vital signs
and other information necessary to monitor the patient’s condition.

(vii) Discharge summary with outcome of hospitalization, disposi­
tion of case, and provisions for follow-up care.

(viii) Final diagnosis with completion of medical records within 30
days following discharge.

Source: Conditions of Participation: Medical Record Services, 42 C.F.R. §§ 482.24c
et seq. (2007).

L I C E N S U R E , C E R T I F I C A T I O N , A N D A C C R E D I T A T I O N · 329

Although accreditation is voluntary, there are financial and legal incen­
tives for health care organizations to seek accreditation. In order to elimi­
nate duplicative processes, Section 1865 of the Social Security Act “permits
providers and suppliers ‘accredited’ by an approved national accreditation
organization (AO) to be exempt from routine surveys by State survey agen­
cies to determine compliance with Medicare conditions” (CMS, 2015). This
is often referred to as deemed status. Table 10.1 lists the 2015 approved AOs
with corresponding program types and websites.

Table 10.1 2015 approved CMS accrediting organizations

Accrediting Organization Program Types Website

Accreditation Association
for Ambulatory Health Care

Accreditation Commission for
Health Care, Inc. (ACHC)

American Association for
Accreditation of Ambulatory
Surgery Facilities (AAAASF)

American Osteopathic
Facilities Accreditation
Program (HFAP)

Center for Improvement in
Healthcare Quality (CIHQ)

Community Health
Accreditation Program (CHAP)

DNV GL—Healthcare (DNV

The Compliance Team (TCT)

The Joint Commission (TJC)

ASC (ambulatory surgery


HHA (home health agency)



OPT (outpatient physical


RHC (rural health clinics)


CAH (critical access














Psychiatric hospital

330 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

Similar to CMS, many states also recognize accreditation in lieu of
their own licensure surveys. Other benefits for an organization are that

• May be required for reimbursement from payers (including CMS)

• Validates the quality of care within the organization

• May favorably infl uence liability insurance premiums

• May enhance access to managed care contracts

• Gives the organization a competitive edge over nonaccredited

The Joint Commission

The Joint Commission’s stated mission is “to continuously improve health care
for the public, in collaboration with other stakeholders, by evaluating health
care organizations and inspiring them to excel in providing safe and effec­
tive care of the highest quality and value” (The Joint Commission, n.d.). The
Joint Commission on Accreditation of Hospitals (as the Joint Commission
was first called) was formed as an independent, not-for-profi t organization
in 1951, as a joint effort of the American College of Surgeons, American
College of Physicians, American Medical Association, and American
Hospital Association. The Joint Commission has grown and evolved to set
standards for and accredit nearly twenty-one thousand health care orga­
nizations and programs in the United States. In addition to hospitals, the
Joint Commission has accreditation programs for health care organizations
that offer ambulatory care, behavioral health care, home care, long-term
care, and office-based surgery. They also provide an accreditation program
for organizations that offer laboratory services (The Joint Commission,
2016, n.d.).

In order to maintain accreditation, a health care organization must
undergo an on-site survey by a Joint Commission survey team every three
years. Laboratories must be surveyed every two years. This survey is con­
ducted to ensure that the organization continues to meet the established
standards. The standards themselves are the result of an ongoing, dynamic
process that incorporates the experience and perspectives of health care
professionals and others throughout the country. New standards manuals
are published annually and health care organizations are responsible for
knowing and incorporating any changes as they occur.

Categories of accreditation (The Joint Commission, 2016) that an organi­
zation can achieve are the following:

L I C E N S U R E , C E R T I F I C A T I O N , A N D A C C R E D I T A T I O N · 331

• Preliminary accreditation: for organizations that demonstrate
compliance with selected standards under the Early Survey Policy, which
allows organizations to undergo a survey prior to having the ability to
demonstrate full compliance. Organizations that receive preliminary
accreditation will be required to undergo a second on-site survey.

• Accreditation: for organizations that demonstrate compliance with all

• Accreditation with follow-up survey: for organizations that are not

in compliance with specifi c standards and require a follow-up survey

within thirty days to six months.

• Contingent accreditation: for organizations that fail to address all

requirements in an accreditation with follow-up survey decision or

for organizations that do not have the proper license or other similar

issue at the time of the initial survey. A follow-up survey is generally

required within thirty days.

• Preliminary denial of accreditation: for organizations for which there
is justifi cation for denying accreditation. This decision is subject to

• Denial of accreditation: for organizations that fail to meet standards

and that have exhausted all appeals.

The Joint Commission focus on quality of care provided in health care
facilities dates back to the early 1900s, when the American College of Sur­
geons began surveying hospitals and established a hospital standardization
program. With the program came the question, how is quality of care mea­
sured? One of the early concerns of the standardization program was the
lack of documentation in patient records. The early surveyors found that
documentation was so poor that they had no way to judge the quality of care
provided. The Joint Commission’s emphasis on health care information and
the documentation of care has continued to the present. Not only do the Joint
Commission reporting requirements rely heavily on patient information but
also the current survey process uses “tracer methodology,” through which
the surveyors analyze the organization’s systems by tracing the care provided
to individual patients. Patient records provide the road maps for the tracer
methodology. The absence of quality health records would have a direct
impact on the accreditation process. The following sections discuss Joint
Commission standards that directly influence the creation, maintenance,
and use of health care information. These sections further illustrate how the
overall accreditation process relies on the availability of high-quality health
care information (The Joint Commission, 2016).

332 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

The Joint Commission Record of Care (RC), Treatment,
and Services Standards

The Joint Commission Record of Care (RC), Treatment, and Services
standards provide information about the requirements for the content
of a complete health record, regardless of its format. The RC standards
for an ambulatory care program dictate that the organization will do the

• Maintain complete and accurate clinical record.

• Ensure clinical record entries are authenticated appropriately by
authorized persons.

• Ensure documentation in clinical records is timely.

• Audit their clinical records.

• Retain their clinical records according to relevant laws and

• Ensure clinical records contain specifi c information that refl ects the
patient’s care, treatment, or services.

• Ensure clinical records accurately refl ect operative and high-risk
procedures and use of sedation and anesthesia.

• Ensure documentation of proper use of restraints and seclusion.

• Ensure ambulatory care records contain a summary list.

• Ensure qualifi ed staff members receive and record verbal orders.
(The Joint Commission, 2014b)

Each RC standard has specific elements that must be addressed. For more
information, refer to the most recent edition of the appropriate Comprehensive
Accreditation Manual. All Joint Commission–accredited organizations have
access to the complete manual.

The Joint Commission Information Management Standards

The Joint Commission Information Management (IM) standards refl ect the
Joint Commission’s belief that quality information management infl uences
quality care. In the overview of the IM standards, the Joint Commission
states, “Every episode of care generates health information that must be
managed systematically” (emphasis is the authors’). Information is a resource
that must be managed similar to any other resource within the organization.

L I C E N S U R E , C E R T I F I C A T I O N , A N D A C C R E D I T A T I O N · 333

Whether the information management systems employed by the organization
are basic or sophisticated, the functions should include features that allow
for the following:

• Categorizing, filing, and maintaining all data and information used by
the organization

• Accurately capturing health information generated by delivery of care,
treatment, and services

• Accessing information by those authorized users who need the
information to provide safe, quality care (The Joint Commission,

The IM standards apply to noncomputerized systems and systems employ­
ing the latest technologies. The first standard within the IM chapter focuses
on information planning. The organization’s plan for IM should consider the
full spectrum of data generated and used by the organization as well as the
flow of information within and to and from external organizations. Identi­
fying and understanding the flow of information is critical to meeting the
organization’s needs for data collection and distribution while maintaining
the appropriate level of security (The Joint Commission, 2014a). The remain­
ing IM standards address the requirements for health care organizations:

• Provide continuity of the information management process, including
managing system interruptions and maintaining backup systems.

• Ensure the privacy, security, and integrity of health information.

• Manage data collection, including use of standardized data sets and
terminology and limiting the use of abbreviations.

• Manage health information retrieval, dissemination, and transmission.

• Provide knowledge-based information resources twenty-four hours a
day, seven days a week.

• Ensure the accuracy of the health information. (The Joint

Commission, 2011, 2014a)

National Committee for Quality Assurance

The National Committee for Quality Assurance (NCQA) is the leading accred­
iting body for health plans, including health maintenance organizations
(HMOs), Preferred Provider Organizations (PPOs), and Point of Service (POS)

334 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

plans in the United States. In addition, the NCQA also accredits the following

• Disease management

• Case management

• Wellness and health promotion

• Accountable care organizations

• Wellness and health promotion

• Managed behavioral health care organizations (NCQA, n.d.a)

The full list of NCQA accreditation requirements are published on its
website at The 2015 Health Plan Accreditation Program
requirements include specific criteria divided into the following sections:

• Quality management and improvement (QI)

• Utilization management (UM)

• Credentialing and recredentialing (CR)

• Members’ rights and responsibilities (RR)

• Member connections (MEM)

• Medicaid benefi ts and services (MED)

• Health Effectiveness Data and Information Set (HEDIS) performance
measures (see the “Measuring the Quality of Care” section for more
information about HEDIS) (NCQA, 2015).


Two landmark Institute of Medicine (IOM) reports, To Err Is Human: Build­
ing a Safer Health System, published in 2000 (Kohn, Corrigan, & Donaldson),
and Crossing the Quality Chasm: A New Health System for the 21st Century,
published in 2001, are often cited as marking the beginning of the modern
era of national health care quality and patient safety initiatives. The two
reports led to increased awareness of the severity of patient safety and quality
issues and helped frame the national landscape of improvement efforts.
To Err Is Human estimated that as many as ninety-eight thousand people
died in hospitals each year as a result of preventable medical errors. The
report found that most errors could be traced to poor processes and systems
and recommended development and implementation of improved perfor­
mance standards, including those associated with licensure, certifi cation, and

M E A S U R I N G T H E Q U A L I T Y O F C A R E · 335

accreditation. Crossing the Quality Chasm specifically outlined six aims for
establishing quality health care, stating that health care in the United States
should be (CMSS, 2014; Kohn, Corrigan, & Donaldson, 2000; IOM, 2001):

1. Safe

2. Effective

3. Patient-centered

4. Timely

5. Effi cient

6. Equitable

One of the challenges to meeting these aims was determining how to mea­
sure success in each area. What are the standards and performance measures
associated with these important aims?

Types of Measures

Whether at the local organizational level or at a national level, quality
improvement requires the identification of standards that define quality care
and measurement of performance to determine whether or not the identifi ed
standards are met. Quality measures are used across the full continuum of
care, from individual physicians to health plans. As we will examine in this
chapter, there are literally hundreds of different health care quality measures in
use today. These existing quality measures can generally be categorized into
four types: structure, process, outcome, and patient experience. Table  10.2
summarizes the types of measures, descriptions, and examples of each.

Data Sources for Measures

Whether quality measures are applied by an individual physician or by a
federal agency, they rely on valid and reliable data. A few of the common
sources of health care data used in performance measurement are listed in
the following sections.

Administrative Data

Administrative data submitted to private and government payers have the
advantage of being easy to obtain. Private and public payers have very large
claims databases.

336 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

Table 10.2 Major types of quality measures

Type Description Example

Structure Assesses the characteristics of a care
setting, including facilities, personnel,
and policies related to care delivery

Process Determines if the services provided to
patients are consistent with routine
clinical care

Outcome Evaluates patient health as a result of
the care received


Provides feedback on patients’
experiences of care

Does an intensive care unit (ICU)
have a critical care specialist on
staff at all times?

Does a doctor ensure that his or her
patients receive recommended
cancer screenings?

What is the survival rate for patients
who experience a heart attack?

Do patients report that their provider
explains their treatment options in
ways that are easy to understand?

Source: Morris (2014).

Disease Registries

Public health agencies, including state and federal agencies collect data on
patients with specific conditions. These disease registries often go beyond
administrative claims data.

Health Records

The EHR is recognized as a rich source of detailed patient information.
However, the full potential of the EHR as an easy-to-use source of reliable
data has not been reached. More work on standardization and tools for data
extraction is needed. Data extraction from paper records is labor intensive and,
therefore, expensive to implement. As you have seen in previous chapters,
Meaningful Use criteria address the need for EHR data extraction and sharing.

Qualitative Data

Qualitative data from patient surveys or interviews are often used for patient
experience measures (Morris, 2014).

Measurement Development

Regardless of the data source, the resulting measures must not only be reli­
able and valid but also feasible to collect (CMSS, 2015). There are dozens

M E A S U R I N G T H E Q U A L I T Y O F C A R E · 337

of public and private organizations that develop health care–related perfor­
mance measures. The following paragraphs identify a few of the key players
and their respective role in the development of recognized measures.

The NCQA is responsible for the HEDIS measures, one of the oldest and
most widely used sets of health care performance measures in the United
States. More than 90 percent of health plans in the United States collect
and report HEDIS data. HEDIS data is not only used for accreditation of
health plans but also for the basis of health plan comparison and quality

The Joint Commission also has a long history of developing and using
performance measures as a component of accreditation. In 1987, the Joint
Commission revamped its accreditation process with the goal of incorpo­
rating standardized performance measures. This initiative led to the devel­
opment of ORYX program. The current ORYX program is closely aligned
with CMS quality initiatives, using many of the same measures. Hospitals
seeking Joint Commission Accreditation in 2016 were required to report on
six of nine sets of chart (paper)-abstracted clinical quality measures (CQMs)
or six of eight electronic clinical quality measures (eCQMs) (The Joint
Commission, 2015b).

CQMs are identified and updated by CMS each year. Selected CQMs
are used in the EHR Incentive Programs for eligible professionals and
other CMS quality initiatives (discussed following in this chapter). The CMS
does not develop all of the CQMs but rather relies on private organizations,
such as NCQA, the Joint Commission, the American Medical Association
Physician Consortium for Performance Improvement (AMA-PCPI), and a
host of other health care societies, collaboratives, and alliances, as well as
government agencies, such as AHRQ, Centers for Disease Control and Pre­
vention (CDC), and Health Resources and Services Administration (HRSA)
for most of them. Table 10.3 is an excerpt from the CQMs for the 2014 EHR
Incentive Programs. Note that each measure is defined by a unique identifi er,
National Quality Forum (NQF) number, a measure description, numera­
tor and denominator statements, measure steward, and Physicians Quality
Reporting System (PQRS) number. Note: The PQRS role in quality improve­
ment and performance measurement is discussed in more detail following
in this chapter.

The NQF is a nonprofit, member organization whose mission is “to lead
national collaboration to improve health and healthcare quality through mea­
surement” (NQF, n.d.). It was created in 1999 and includes board members
from private and public sectors, including providers, purchasers, and repre­
sentatives from AHRQ, CDC, CMS, and HRSA. The NQF maintains a large,
searchable database of performance measures. Measures can be searched on

Table 10.3 Excerpt of CQMs for 2014 EHR Incentive Programs

eMeasure NQF Measure Title and Measure Numerator Denominator Measure
ID No. NQS Domain Description Statement Statement Steward PQRS No.

CMS69v5 0421 Preventive Care
and Screening:
Body Mass Index
(BMI) Screening
and Follow-Up Plan


CMS132v5 0564 Cataracts:

within Thirty Days
Following Cataract
Surgery Requiring
Additional Surgical

Percentage of patients aged
eighteen years and older with
a BMI documented during the
current encounter or during
the previous six months AND
with a BMI outside of normal
parameters, a follow-up plan is
documented during the encounter
or during the previous six months
of the current encounter

Normal Parameters:

Age eighteen years and older BMI
= > 18.5 and < 25 kg/m2

Percentage of patients aged
eighteen years and older with
a diagnosis of uncomplicated
cataract who had cataract surgery
and had any of a specifi ed list of
surgical procedures in the thirty
days following cataract surgery
which would indicate the

Patients with
a documented
BMI during the
encounter or during
the previous six
months, AND when
the BMI is outside of
normal parameters,
a follow-up plan is
documented during
the encounter or
during the previous
six months of the
current encounter

Patients who
had one or more
specifi ed operative
procedures for any
of the following
major complications
within thirty days
following cataract

All patients
eighteen and
older on the
date of the
with at least
one eligible
during the

All patients
aged eighteen
years and
older who
had cataract
surgery and
no signifi cant

Centers for 128

& Medicaid
Services PREV-9

PCPI(R) 192



Domain: Patient

CMS133v5 0565 Cataracts: 20/40
or Better Visual

Acuity within

Ninety Days

Following Cataract



Clinical Process/


CMS158v5 N/A Pregnant Women
That Had HBsAg



Clinical Process/


occurrence of any of the
following major complications:
retained nuclear fragments,
endophthalmitis, dislocated
or wrong power IOL, retinal
detachment, or wound dehiscence

Percentage of patients aged
eighteen years and older with
a diagnosis of uncomplicated
cataract who had cataract
surgery and no signifi cant
ocular conditions impacting the
visual outcome of surgery and
had best-corrected visual acuity
of 20/40 or better (distance or
near) achieved within 90 days
following the cataract surgery

This measure identifi es pregnant
women who had a HBsAg
(hepatitis B) test during their

surgery: retained
nuclear fragments,
dislocated or wrong
power IOL, retinal
detachment, or
wound dehiscence

Patients who had
visual acuity of
20/40 or better
(distance or near)
achieved within
ninety days
following cataract

Patients who were
tested for hepatitis
B surface antigen
(HBsAg) during
pregnancy within
280 days prior to

the surgical

All patients PCPI(R) 191
aged eighteen

years and

older who
had cataract

All female Optum 369
patients aged
twelve and
older who had
a live birth
or delivery
during the


Table 10.3 (Continued)

eMeasure NQF Measure Title and Measure Numerator Denominator Measure
ID No. NQS Domain Description Statement Statement Steward PQRS No.

CMS159v5 0710 Depression
Remission at
Twelve Months


Clinical Process/


Patients age eighteen and
older with major depression or
dysthymia and an initial Patient
Health Questionnaire (PHQ-9)
score greater than nine who
demonstrate remission at twelve
months (+/- 30 days after an
index visit) defi ned as a PHQ-9
score less than fi ve. This measure
applies to both patients with
newly diagnoses and existing
depression whose current
PHQ-9 score indicates a need for

Patients who
achieved remission
at twelve months
as demonstrated
by a twelve month
(+/- 30 days grace
period) PHQ-9 score
of less than fi ve

Patients age
eighteen and
older with
a diagnosis
of major
or dysthymia
and an initial
PHQ-9 score
greater than
nine during
the index visit

MN 370



Source: CMS (n.d.f).

M E A S U R I N G T H E Q U A L I T Y O F C A R E · 341

the NQF website ( by any combination of the follow­
ing dimensions:

• Endorsement Status (e.g. Endorsed, Not Endorsed)

• Measure Status (Time Limited, Reserved)

• Measure Format (eMeasure, Measure)

• Measure Steward (e.g., NCQA, CMS, The Joint Commission)

• Use in Federal Program (e.g., Meaningful Use, Medicare Shared
Savings Program)

• Clinical Condition/Topic Area (e.g., Cancer, Infectious Disease)

• Cross-Cutting Area (e.g., Overuse, Safety, Disparities)

• Care Setting (e.g., Ambulatory Care, Home Health, Hospital)

• National Quality Strategy Priorities (e.g., Affordable Care, Patient

• Actual/Planned Use (e.g., Public Reporting, Payment Program)

• Data Source (e.g., Administrative Data, Electronic Clinical Data,
Healthcare Provider Survey)

• Level of Analysis (e.g., Clinician, Facility, Health Plan)

• Target Population (Children’s Health)

Figure 10.1 is a screenshot from the NQF website showing a few of the
thousand-plus measures in the database that are classified as Home Health.

Figure 10.1 Screenshot from NQF

Source: National Quality Forum (2016). Copyright ©2016 National Quality Forum.
Used with permission.

342 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

Comparative Health Care Data Sets

Comparative health care data sets and information are often aligned with
organizations’ quality improvement efforts. An organization might collect
data on one or more of the specific performance measures, such as those
previously identified, and then use this information to compare its perfor­
mance to other similar organizations or state average results, for example.
The process of comparing one or more performance measures against a stan­
dard is called benchmarking. Benchmarking may be limited to internally set
standards; however, frequently it employs one or more externally generated
benchmark or standard.

Providers may select from many publicly and privately available health
care data sets for benchmarking purposes. Many of the organizations iden­
tified in the previous section not only develop standards but also provide
searchable websites that enable consumers and providers to compare results
of their measures across multiple organizations. Although each comparative
data set is unique, they can be loosely categorized by purpose: patient satis­
faction, practice patterns, or clinical data. The following paragraphs identify
some of the more well-known and frequently used comparative data sets and
list their associated searchable website when applicable.

Patient Satisfaction Data Sets

Patient satisfaction data generally come from survey data. Several private
organizations, such as NRC+Picker, Press Ganey, and the health care division
of Gallup, provide extensive consulting services to health care organizations
across the country. One of these services is to conduct patient satisfac­
tion surveys. Some health care organizations undertake patient satisfaction
surveys on their own. The advantage of using a national organization is the
comparative database it offers, which organizations can use for benchmark­
ing purposes.

Some of the most widely used groups of patient experience surveys in
the public arena were developed under the Agency for Healthcare Research
and Quality (AHRQ) Consumer Assessment of Healthcare Providers and
Systems (CAHPS) program. CAHPS originated in 1995 to assess participants’
perspectives on their health plans. Since that time the program has evolved
to include the following surveys:

• Health Plan

• Clinician & Group

• Hospital

M E A S U R I N G T H E Q U A L I T Y O F C A R E · 343

• Home Health Care

• In-Center Hemodialysis

• Nursing Home

• Surgical Care

• American Indian

• Dental Plan

• Experience of Care and Health Outcomes (for mental health and

substance abuse services)

CAHPS surveys are available to any organization. Federal agencies, such
as CMS, use the CAHPS survey results, but the results are also used by
health systems, physician practices, hospitals, and other health care provid­
ers in their quality improvement efforts (AHRQ, 2016). The Hospital CAHPS
(HCAHPS) results are available to consumers as a part of CMS Hospital
Compare (discussed under “Clinical Data Sets”) and from the AHRQ website.
Information about the CAHPS comparative data and access to the database
and chart books is located at
comparative-data/index.html (AHRQ, 2016).

Practice Patterns Data Set

The Dartmouth Atlas is a widely used, interactive, online tool that enables
health care organizations to compare data across a wide variety of parame­
ters. The project is a privately funded program through the Dartmouth Insti­
tute for Health Policy and Clinical Practice, which primarily uses Medicare
data to document variations in the use of medical resources across the United
States. To access the Dartmouth Atlas, go to
(The Dartmouth Institute, n.d.).

Clinical Data Sets

The Joint Commission and CMS are committed to the improvement of clinical
outcomes, and as a part of that commitment they provide consumers with
comparative data that encompasses clinical measures. The Joint Commis­
sion’s Quality Check has evolved since its introduction in 1994 to become
a comprehensive guide to health care organizations in the United States.
Visitors to can search for health care organizations by
a variety of parameters, identify accreditation status, and compare hospital
performance measures in terms of the Joint Commission’s (2015a) National

344 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

Patient Safety Goals. The 2016 National Patient Safety Goals for Hospitals
describes sixteen specific goals, including these:

• Identifying patients correctly

• Improving staff member communication

• Using medicines safely

• Using alarms safely

• Preventing infection

• Identifying patient safety risks

• Preventing mistakes in surgery (The Joint Commission, 2016)

Hospital Compare is the CMS-sponsored interactive, online comparative
data set. Located at, this data set con­
tains information about the quality of care at over four thousand Medicare-
certified hospitals. The interactive tool enables consumers to compare clinical
and patient satisfaction data. The purpose of the tool is to promote informed
decision making by consumers of hospital care and to encourage hospitals to
improve the quality of care they provide (CMS, n.d.b). In addition to Hospital
Compare, CMS sponsors public reporting of other health care organizations,
such as nursing homes, home health agencies, and kidney dialysis facilities
(CMS, n.d.d).

Comparative Data for Health Plans

In addition to data sets used by providers, the NCQA website enables consum­
ers to have access to comparative data for health plans through a variety of
report cards. The majority of the comparative data is derived from HEDIS and
CAHPS. NCQA health care report cards are found at http://reportcard.ncqa.
org. NCQA also offers a subscription service for a more detailed interactive
tool, Quality Compass (NCQA, n.d.b, n.d.c).


As stated at the beginning of the chapter, the publication of the IOM reports
addressing serious quality concerns marked a new era of government ini­
tiatives to improve the quality of patient care. Multiple new programs were
established and new efforts to link Medicare and Medicaid reimbursement
to quality care were undertaken. In this section we will examine the Patient
Safety Act, the National Quality Strategy, and a selection of related government

F E D E R A L Q U A L I T Y I M P R O V E M E N T I N I T I A T I V E S · 345

programs aimed at improving the quality of health care through performance
measurement including the related aspects of the Medicare Access & CHIP
Reauthorization Act of 2015 (MACRA).

The Patient Safety Act

The IOM To Err Is Human: Building a Safer Health System (Kohn, Corrigan, &
Donaldson, 2000) outlined serious concerns about and the need to improve
the safety and quality of health care in the United States. Despite the ongoing
efforts by voluntary accrediting bodies to ensure high-quality care, this report
identified a critical need for reporting and analyzing individual facility and
aggregate data related to adverse events. To address the need to capture
information to improve health care quality and prevent harm to patients,
the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act)
was passed by Congress “to promote shared learning to enhance quality
and safety nationally.” To implement the act, the Department of Health and
Human Services issued the Patient Safety Rule (effective January 2009),
which authorized the identifi cation of Patient Safety Organizations (PSOs).
As of August 2016, there were eighty-two PSOs in twenty-eight states. PSOs
are responsible for the collection and analysis of health information that is
referred to in the Final Rule as patient safety work product (PSWP). The PSWP
contains identifiable patient information that is covered by specifi c privilege
and confidentiality protections (AHRQ, n.d.a).

The types of patient safety events that are reported under these protec­
tions include the following:

• Incidents: patient safety events that reached the patient, whether or
not there was harm involved

• Near misses (or close calls): patient safety events that did not reach
the patient

• Unsafe conditions: circumstances that increase the probability of a
patient safety event occurring

To facilitate these activities, AHRQ has created Common Formats, which
are “common definitions and reporting formats to help providers uniformly
report patient safety events” (AHRQ, n.d.b).

National Quality Strategy

The requirement for a National Strategy for Quality Improvement in Health
Care (National Quality Strategy) was established by the Affordable Care Act

346 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

and subsequently published in 2011. More than three hundred groups and
individuals representing all aspects of the health care industry and public
provided input. It has subsequently been updated on an annual basis, but
the three broad aims and six priorities have remained consistent. The three
broad aims used to “guide and assess national efforts to improve health and
the quality of health care” (AHRQ, 2011) are as follows:

1. Better care: Improve the overall quality by making health care more
patient-centered, reliable, accessible, and safe.

2. Healthy people/healthy communities: Improve the health of the US
population by supporting proven interventions to address behavioral,
social, and environmental determinants of health in addition to
delivering higher-quality care.

3. Affordable care: Reduce the cost of quality health care for

individuals, families, employers, and government

To achieve these aims, the National Quality Strategy identifies the fol­
lowing six priorities:

1. Making care safer by reducing harm caused in the delivery of care

2. Ensuring that each person and family are engaged as partners in
their care

3. Promoting effective communication and coordination of care

4. Promoting the most effective prevention and treatment practices for
the leading causes of mortality, starting with cardiovascular disease

5. Working with communities to promote wide use of best practices to
enable healthy living

6. Making quality care more affordable for individuals, families,
employers, and governments by developing and spreading new health
care delivery models

The strategy goes further by recommending that all sectors of the health
care system (individuals, families, payers, providers, employers, and com­
munities) employ one or more of the following “levers” to “align” with the
National Quality Strategy (NQS)(AHRQ, 2011):

• Measurement and feedback: Provide performance feedback to plans
and providers to improve care.

• Public reporting: Compare treatment results, costs, and patient
experience for consumers.

F E D E R A L Q U A L I T Y I M P R O V E M E N T I N I T I A T I V E S · 347

• Learning and technical assistance: Foster learning environments that
offer training, resources, tools, and guidance to help organizations
achieve quality improvement goals.

• Certification, accreditation, and regulation: Adopt or adhere to

approaches to meet safety and quality standards.

• Consumer incentives and benefi t designs: Help consumers adopt

healthy behaviors and make informed decisions.

• Payment: Reward and incentivize providers to deliver high-quality,

patient-centered care.

• Health information technology: Improve communication,

transparency, and effi ciency for better coordinated health and health


• Innovation and diffusion: Foster innovation in health care quality

improvement, and facilitate rapid adoption within and across

organizations and communities.

• Workforce development: Invest in people to prepare the next

generation of health care professionals and support lifelong learning

for providers.

CMS Quality Programs

The Centers for Medicare and Medicaid (CMS) released its specifi c Quality
Strategy in 2016, which is based on the NQS. Adhering to the same broad
aims in the NQS, CMS developed a strategy to improve health care delivery
by the following means:

• Using incentives to improve care

• Tying payment to value through new payment models

• Changing how care is given through

o Better teamwork

o Better coordination across health care settings

o More attention to population health

o Putting the power of health care information to work (CMS, 2016)

Since 2001, CMS has engaged in a variety of Quality Initiatives, including
initiatives that result in public reporting of performance measures as previ­
ously discussed. The Physician Quality Reporting System (PQRS) encourages
individual “eligible professionals” (EPs) (e.g., physicians) and group practices

348 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

to assess and report the quality of care provided to their patients. EPs and
group practices that do not report on quality measures as outlined for Medi­
care Part B covered services risk a negative payment adjustment. There are
several mechanisms for reporting PQRS data, including EHRs (CMS, n.d.g).

Using PQRS reporting to determine reimbursement for Medicare Part B is
one of many mechanisms through which CMS incentivizes improved quality
of care. CMS has multiple value-based or pay-for-performance programs
aimed at tying reimbursements to demonstration of quality. CMS’s original
value-based programs were an attempt to link performance on endorsed
quality measures to reimbursement. These programs included the following:

• Hospital Value-Based Purchasing (HVBP) program rewards acute
care hospitals for quality care using incentives.

• Hospital Readmissions Reduction (HRR) program rewards acute
care hospitals that reduce unnecessary hospital readmissions for
certain conditions, such as acute myocardial infarction, health failure,
pneumonia, chronic obstructive pulmonary disease, elective hip or
knee replacement, and coronary artery bypass surgery.

• Hospital-Acquired Conditions (HAC) program determines whether
or not an acute care hospital should be paid a reduced amount based
on performance across health-acquired infections and unacceptable
adverse events.

• Value Modifi er (VM) program (also known as Physician Value-Based
Modifi er or PVBM) rewards physicians (and, beginning in 2018, other
primary care professionals, for example, physician assistants and
nurse practitioners) for high-quality, lower-cost performance using an
adjustment (modifi er) for each claim.

Three other value-based programs are applied to end-stage renal disease
programs, skilled nursing facilities, and home health programs.

Beyond these traditional value-based programs, CMS encourages inno­
vative, alternative models of care through the CMS Innovation Center. These
models are designed to promote lower-cost, higher-quality care. All depend
on appropriate reporting of performance measures (CMS, n.d.h).

The Medicare Access and CHIP Reauthorization

The Medicare Access and CHIP Reauthorization Act (MACRA) was enacted
in 2015. MACRA is one aspect of CMS’s push toward improving quality

F E D E R A L Q U A L I T Y I M P R O V E M E N T I N I T I A T I V E S · 349

and value. In January 2015, the Department of Health and Human Services
announced two goals for value-based payments and alternative payment
models (APMs):

• Goal 1: 30 percent of Medicare payments are tied to quality or value
through APMs by the end of 2016; 50 percent by the end of 2018.

• Goal 2: 85 percent of Medicare fee-for-service payments are tied to
quality or value by the end of 2016; 90 percent by the end of 2018.

They also invited private sector payers to match or exceed these same

MACRA affects physician providers, moving HHS closer to meeting these
goals. Key elements to MACRA are the following:

• Changes the way Medicare rewards physicians and practitioners for
value over volume

• Streamlines multiple quality programs directed at physicians and
practitioners under the new Merit-based Incentive Payment System

• Provides bonus payments for physician and practitioners participation
in eligible APMs (see Chapter One for examples of APMs)

MIPS will incorporate aspects of three existing quality and value pro­
grams: PQRS, Value-based Modifier, and the Medicare EHR Incentive Program.
The resulting set of performance measures will be divided into the following
categories to calculate a score (between 0 and 100) for eligible professionals.
Each category of performance will be weighted as shown in Table 10.4.

Health care providers meeting the established threshold score will receive
no adjustment to payment; those scoring below will receive a negative adjust­
ment and those above, a positive adjustment. Exceptional performers may
receive bonus payments (CMS, n.d.c, n.d.e).

Table 10.4 MIPS performance categories

Category Weight (%)

Quality 50

Advancing care information 25

Clinical practice improvement activities 15

Resource use 10

350 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

Figure 10.2 Projected timetable for implementation of MACRA

Source: CMS (n.d.e).

The exact implementation dates for MACRA were not set by the publica­
tion date for this textbook; however, the projected timetable for implementa­
tion of the various aspects of the law is shown in Figure 10.2 (CMS, n.d.c).


In this chapter we examined how health care organizations and health plans
use data and information to demonstrate performance to licensing, certify­
ing, and accrediting bodies; to measure performance against internal and
external standards; to compare performance to other similar organizations;
and to demonstrate performance for reimbursement purposes. This chapter
began with an examination of the licensure, certification, and accreditation of
health care facilities and health plans, followed by an overview of key com­
parative data sets often used by health care organizations in benchmarking
performance. The chapter further explored major milestones in the national
agenda for health care quality improvement, followed by a discussion of the
current efforts to improve health care quality and patient safety, focusing on
the efforts that involve using health care data and information to measure
performance. The private and public organizations responsible for developing
and endorsing national quality measures were introduced, and the progress
that has been made in aligning these measures across these organizations
was discussed. The chapter concluded with an overview of the signifi cant
movement toward value-based reimbursement programs and plans for sig­
nificant growth in these programs over the next decade.

Clearly, there is a bewildering and complex set of measures with many
organizations involved. Consequently, many measures being collected are

K E Y T E R M S · 351

inconsistent across the organizations requiring them. There are differences
of opinion about which measures to be collected and the specifi c defi nitions
of these measures. Efforts are under way, largely driven by CMS, to align
measures to ease the collection burden for health care providers. However,
today’s reality remains an overwhelmingly complex web of standards and
measurement requirements.

EHRs have been cited as the solution for easing the collection burden
for health care organizations and providers. However, the most current EHR
systems are limited in their ability to collect the required measures. The result
is that organizations and providers must resort to manual data collection. In
other chapters in this text we have explored reasons for the current limita­
tions of EHRs in this area, including provider resistance because of the time
burden. There is a largely unresolved tension in the health care community
and HIT industry between the desire to collect accurate and timely measures
and the provider resistance to entering the data into the EHR in a standard,
retrievable format.


Accreditation Dartmouth Atlas
Accreditation organization (AO) Deemed status
Administrative data Disease registries
Agency for Healthcare Research and EHR Incentive Programs

Quality (AHRQ) Electronic clinical quality measures
Alternative payment models (eCQMs)

(APMs) Eligible professionals
American Medical Association Health Effectiveness Data and

Physician Consortium for Information Set (HEDIS)
Performance Improvement Health records
(AMA-PCPI) Health Resources and Services

Centers for Disease Control and Administration (HRSA)
Prevention (CDC) Hospital-acquired conditions (HAC)

Centers for Medicare and Medicaid Hospital CAHPS (HCAHPS)
Services (CMS) Hospital Compare

Certifi cation Hospital Readmissions Reduction
Clinical quality measures (CQMs) (HRR)
Common formats Hospital Value-Based Purchasing
Comparative health care data sets (HVBP)
Conditions of participation (CoPs) The Joint Commission
Consumer Assessment of Healthcare The Joint Commission Information

Providers and Systems (CAHPS) Management (IM) standards

352 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

The Joint Commission Record of Care NCQA health care report cards
(RC), Treatment, and Services Patient Safety Act
standards Patient Safety Organizations (PSOs)

Licensure Performance measures
The Medicare Access and CHIP Physician Value-Based Modifi er

Reauthorization Act (MACRA) (PVBM)
Merit-based Incentive Payment System Physicians Quality Reporting System

(MIPS) (PQRS) number
National Committee for Quality Qualitative data

Assurance (NCQA) Quality Check
National Patient Safety Goals Quality measures
National Quality Forum (NQF) Value Modifi er (VM)
National Strategy for Quality

Improvement in Health Care

(National Quality Strategy)


1. Research two local health care organizations—one acute care facility
and one other type of organization. Determine each organization’s
current licensure, accreditation, and certifi cation status. How are
these processes related within your state? Do the processes differ
between the two types of health care organizations?

2. Visit the Joint Commission website at
What accreditation programs (other than the Hospital Accreditation
Program) does the Joint Commission have? List the programs and
their respective missions.

3. Visit the NCQA website at and look up at least two
health plans with which you are familiar. What do the report cards
tell you about these plans? Do you find this information useful? Why
or why not?

4. Visit the patient safety organization website at
Does your state have a PSO? If not, identify a PSO from a neighboring
state. Research the PSO and report on how long it has operated and
who its clients are.

5. Use Hospital Compare and the Joint Commission Quality Check to
research three hospitals in your region of the country. Write a report
outlining your findings. Would any of the information you discovered
infl uence your choice of care for you or your family? Why or why not?

R E F E R E N C E S · 353

6. Research the current status of the CMS Quality programs discussed in
this chapter. Write an update for this section of the chapter.

7. Research the current year’s National Quality Strategy. Has it changed
since this book was published? List the differences and comment on
the changes.

8. Use the NQF website to identify four specifi c performance measures
that are endorsed by NQF for physician practices. Research each
measure to identify how each measure is calculated, including the
source of the data, the numerator, and the denominator. Do you think
these measures are a good refl ection of quality practice? Why or
why not?


Agency for Healthcare Research and Quality (AHRQ). (2011). National quality
strategy (NQS). Retrieved August 31, 2016, from

Agency for Healthcare Research and Quality (AHRQ). (2016, July). Comparative
data. Retrieved August 31, 2016, from­

Agency for Healthcare Research and Quality (AHRQ). (n.d.a). About the PSO
program. Retrieved August 31, 2016, from

Agency for Healthcare Research and Quality (AHRQ). (n.d.b). Common formats.
Retrieved August 31, 2016, from

Centers for Medicare and Medicaid (CMS). (2015, Sept.). CMS-approved accrediting
organizations contacts for prospective clients. Retrieved August 30, 2016, from cation/

SurveyCertifi cationGenInfo/Downloads/Accrediting-Organization-Contacts­

Centers for Medicare and Medicaid (CMS). (2016). CMS quality strategy 2016.
Retrieved August 31, 2016, from­

Centers for Medicare and Medicaid (CMS). (n.d.a). Accreditation of Medicare-
certified providers & suppliers. Retrieved August 21, 2016, from https://www cation/
SurveyCertifi cationGenInfo/Accreditation-of-Medicare-Certifi ed-Providers­

Centers for Medicare and Medicaid (CMS). (n.d.b). Hospital compare. Retrieved
August 31, 2016, from

354 · C H A P T E R 1 0 : P E R F O R M A N C E S T A N D A R D S A N D M E A S U R E S

Centers for Medicare and Medicaid (CMS). (n.d.c). MACRA. Retrieved August 31,
2016, from

Centers for Medicare and Medicaid (CMS). (n.d.d). Medicare. Retrieved August 31,
2016, from

Centers for Medicare and Medicaid (CMS). (n.d.e). The Medicare Access & CHIP
Reauthorization Act of 2015: Path to value. Retrieved August 31, 2016, from­

Centers for Medicare & Medicaid Services (n.d.f). The merit-based incentive
payment system: MIPS scoring methodology overview. Retrieved August 4, 2016,

Centers for Medicare and Medicaid (CMS). (n.d.g). Physician quality reporting
system. Retrieved August 31, 2016, from

Centers for Medicare and Medicaid (CMS). (n.d.h). Value-based programs. Retrieved
August 31, 2016, from­

Council of Medical Specialty Societies (CMSS). (2014, Nov.). The measurement of
health care performance (3rd ed.). Retrieved August 21, 2016, from http://cmss
.org/wp-content/uploads/2015/07/ nal.pdf

The Dartmouth Institute (n.d.) Understanding of the efficiency and effectiveness of
the health care system. Retrieved August 31, 2016, from http://www

Institute of Medicine Committee (IOM) on Quality in America. (2001). Crossing
the quality chasm: A new health system for the 21st century. Washington, DC:
National Academy Press.

The Joint Commission. (2011). Comprehensive accreditation manual for hospitals.
Oakbrook Terrace, IL: Author.

The Joint Commission. (2014a, Aug.). Program: Ambulatory. Chapter: information
management (e-dition). Retrieved August 21, 2016, from

The Joint Commission. (2014b, Aug.). Program: Ambulatory. Chapter: Record of care,
treatment and services (e-dition). Retrieved August 21, 2016, from http://foh


The Joint Commission. (2015a, Nov. 5). Hospital: 2016 national patient safety
goals. Retrieved August 31, 2016, from

The Joint Commission. (2015b, Sept. 2). Joint Commission measure sets effective
January 1, 2016. Retrieved August 21, 2016, from https://www.jointcommission

The Joint Commission. (2016, April 27). Accreditation process overview. Retrieved
August 21, 2016, from

The Joint Commission. (n.d.). About the Joint Commission. Retrieved August 21,
2016, from

Kohn, L. T., Corrigan, J., & Donaldson, M. S. (2000). To err is human: Building a
safer health system. Washington, DC: National Academy Press.

Morris, C. (2014, May). Measuring health care quality: An overview of quality mea­
sures (Issue brief). FamiliesUSA. Retrieved August 21, 2016, from http:// les/product_documents/HIS_Quality
Measurement_Brief_fi nal_web.pdf

National Committee for Quality Assurance (NCQA). (2015). 2015 NCQA health plan
accreditation standards. Retrieved August 21, 2016 from

National Committee for Quality Assurance (NCQA). (n.d.a). About NCQA. Retrieved
August 21, 2016, from

National Committee for Quality Assurance (NCQA). (n.d.b). Quality compass.
Retrieved August 21, 2016, from

National Committee for Quality Assurance (NCQA). (n.d.c). Report cards. Retrieved
August 21, 2016, from

National Quality Forum (NQF). (n.d.). About us. Retrieved August 31, 2016, from

· 355


Health Care Information

System Standards


• To be able to give examples of the methods by which standards
are developed: ad hoc, de facto, government mandate, and

• To be able to identify and discuss the role of organizations that
currently have a signifi cant impact on the adoption of health
care information standards in the United States.

• To be able to identify and discuss the role of federal initiatives
and legislation that have a signifi cant impact on the adoption of
health care information standards in the United States.

• To be able to identify examples within the major types of health
care information standards and the organizations that develop or
approve them.

• To understand the importance of health care IT standards to the
future of the US health care delivery system.


358 · C H A P T E R 1 1 : H E A L T H C A R E I N F O R M A T I O N S Y S T E M S T A N D A R D S

Throughout this text we have examined a variety of different types of stan­
dards that affect, directly or indirectly, the management of health information
systems. In Chapter Ten we examined health care performance standards;
Chapter Two looked at data quality standards, Chapter Nine at security stan­
dards, and so on. In this chapter we will examine yet another category of
standards that affect health care data and information systems: health care
information system (HCIS) standards. In all cases the standards examined
represent the measuring stick or set of rules against which an entity, such
as an organization or system, will compare its structures, processes, or func­
tions to determine compliance. In the case of the HCIS standards discussed in
this chapter the aim is to provide a common set of rules by which health care
information systems can communicate. Systems that conform to different
standards cannot possibly communicate with one another. Portability, data
exchange, and interoperability among different health information systems
can be achieved only if they can “communicate.” For a simple analogy, think
about traveling to a country where you do not speak the language. You would
not be able to communicate with that country’s citizens without a common
language or translator. Think of the common language you adopt as the stan­
dard set of rules to which all parties agree to adhere. Once you and others
agree on a common language, you and they can communicate. You may still
have some problems, but generally these can be overcome.

By nature HCIS standards include technical specifications, which make it
less easy for the typical health care administrator to fully understand them. In
addition, a complex web of public and private organizations create, manage,
and implement HCIS standards, resulting in standards that are not always
aligned, making the standards even more difficult to fully grasp. In fact, some
may actually compete with one another. In addition to the complex web of
standards specifically designed for HCIS, there are many general IT standards
that affect health care information systems. Networking standards, such as
Ethernet and Wi-Fi, employed by health care organizations are not specifi c
to health care. Extensible markup language (XML) is widely accepted as a
standard for sharing data using web-based technologies in health care and
other industries. There are many other examples that are beyond the scope
of this text. Our focus will be on the standards that are specific to HCIS.

With HIPAA came the push for adoption of administrative transaction and
data exchange standards. This effort has been largely successful; claims are rou­
tinely submitted via standard electronic transaction protocols. However, although
real progress has been made in recent years, complete interoperability among
health care information systems remains elusive. Chapter Three examined the
need for interoperability among health care information systems to promote
better health of our citizens; Chapter Two discussed the lack of standardization

H C I S S T A N D A R D S O V E R V I E W · 359

in EHRs as an issue with using EHR data in research; and Chapter Nine outlined
problems associated with misalignment of quality and performance measures, in
part because of a lack of interoperability and standardization in EHRs and other
health care information systems. Interoperability, as defined by the ONC (2015)
in its publication Connecting Health Care for the Nation: A Shared Nation­
wide Interoperability Roadmap, results from multiple initiatives, including
payment, regulatory, and other policy changes to support a collaborative and
connected health care system. The best political and social infrastructures,
however, will not succeed in achieving interoperability without supportive

This chapter is divided into three main sections. The first section is an
overview of HCIS standards, providing general information about the types
of standards and their purposes. The second section examines a few of the
major initiatives, public and private, responsible for creating, requiring, or
implementing HCIS standards. Finally, the last section of the chapter exam­
ines some of the most commonly adopted HCIS standards, including examples
of the standards when possible.


Keith Boone, a prolific blogger and writer on all topics related to HIT stan­
dards, once wrote, “Standards are like potato chips. You always need more
than one to get the job done” (Boone, 2012b). In general, the health care
IT community discusses HCIS standards in terms of their specifi c function,
such as privacy and security, EHRs, electronic prescribing (e-prescribing), lab
reporting, and so on, but the reality is that achieving one of these or other
functions requires multiple standards directed at different levels within the
HCIS. For example, there is a need for standards at the level of basic com­
munication across the Internet or other network (Transporting), standards for
structuring the content of messages communicated across the network (Data
Interchange and Messaging), standards that describe required data elements
for a particular function, such as the EHR or clinical summary (Content), and
standards for naming or classifying the actual data, such as units of measure,
lab tests, diagnoses, and so on (Vocabulary/Terminology). Unfortunately,
there is no universal model for categorizing the plethora of HCIS standards.
In this chapter we will look at standards described as Data Interchange and
Messaging, Content, and Vocabulary/Terminology standards.

Standards, as we have seen, are the sets of rules for what should be
included for the needed function and system level. This is only a portion of
the challenge in implementing standards. The other challenge is how are
the standards used for a particular function or use case? Much of the work

360 · C H A P T E R 1 1 : H E A L T H C A R E I N F O R M A T I O N S Y S T E M S T A N D A R D S

today toward achieving interoperability of health care information systems
is concerned with the how. Organizations that develop standards may also
create specific implementation guides for using the standard in a partic­
ular use case. (To further complicate the already complicated standards
environment, these implementation guides are sometimes referred to as
standards.) Other organizations, such as the ONC, develop frameworks for
implementing standards, and several government initiatives, such as HIPAA
and HITECH, have set requirements for implementing specific standards or
sets of standards.


When seeking to understand why so many different IT and health care infor­
mation standards exist, it is helpful to look first at the standards development
process that exists in the United States (and internationally). In general the
methods used to establish health care IT standards can be divided into four
categories (Hammond & Cimino, 2006):

1. Ad hoc. A standard is established by the ad hoc method when a
group of interested people or organizations agrees on a certain
specifi cation without any formal adoption process. The Digital
Imaging and Communications in Medicine (DICOM) standard for
health care imaging came about in this way.

2. De facto. A de facto standard arises when a vendor or other
commercial enterprise controls such a large segment of the market
that its product becomes the recognized norm. The SQL database
language and the Windows operating system are examples of de facto
standards. XML is becoming a de facto standard for health care and
other types of industry messaging.

3. Government mandate. Standards are also established when the
government mandates that the health care industry adopt them.
Examples are the transaction and code sets mandated by the Health
Insurance Portability and Accountability Act (HIPAA) regulations.

4. Consensus. Consensus-based standards come about when
representatives from various interested groups come together to
reach a formal agreement on specifications. The process is generally
open and involves considerable comment and feedback from the
industry. This method is employed by the standards developing
organizations (SDOs) accredited by the American National
Standards Institute (ANSI). Many health care information standards
are developed by this method, including Health Level Seven (HL7)

S T A N D A R D S D E V E L O P M E N T P R O C E S S · 361

standards and the health-related Accredited Standards Committee
(ASC) standards.

The relationships among standard-setting organizations can be confus­
ing, to say the least. Not only do many of the acronyms sound similar but also
the organizations themselves, as voluntary, member-based organizations,
can set their own missions and goals. Therefore, although there is a formally
recognized relationship among the International Organization for Standard­
ization (ISO), ANSI, and the SDOs, there is also some overlap in activities.
Table 11.1 outlines the relationships among the formal standard-setting orga­
nizations and for each one gives a brief overview of important facts and a
current website.

Table 11.1 Relationships among standards-setting organizations

Organizations Facts Website

Organization for

Institute (ANSI)


• Members are national standards bodies from
many different countries around the world.

• Oversees the fl ow of documentation
and international approval of standards
development under the auspices of the its
member bodies

• US member of ISO

• Accredits standards development
organizations (SDOs) from a wide range of
industries, including health care

• Does not develop standards but accredits the
organizations that develop standards

• Publishes more than ten thousand standards
developed by accredited SDOs

• Must be accredited by ANSI

• Develop standards in accordance with ANSI

• Can use the label “Approved American
National Standard”

• Approximately two hundred SDOs are
accredited; twenty of these produce 90
percent of the standards.


Source: ANSI (n.d.a, n.d.b, n.d.c); ISO (n.d.).

362 · C H A P T E R 1 1 : H E A L T H C A R E I N F O R M A T I O N S Y S T E M S T A N D A R D S

All the ANSI-accredited SDOs must adhere to the guidelines established
for accreditation; therefore, they have similar standard-setting processes.
According to ANSI, this process includes the following:

• Consensus on a proposed standard by a group or “consensus body”
that includes representatives from materially affected or interested

• Broad-based public review and comment on draft standards

• Consideration of and response to comments submitted by voting
members of the relevant consensus body and by public review

• Incorporation of approved changes into a draft standard

• Right to appeal by any participant that believes that due process
principles were not suffi ciently respected during the standards
development in accordance with the ANSI-accredited procedures of
the standards developer (ANSI, n.d.c)

The IT industry in general has experienced a movement away from the
process of establishing standards via the accredited SDOs. The Internet and
World Wide Web standards, for example, were developed by groups with
much less formal structures. However, the accredited SDOs continue to have
a significant impact on the IT standards for the health care industry.

Boone (2012a) lists the following organizations as major developers of
HIT standards in the United States, which includes a mix of accredited SDOs
and other developers. Each organization’s specific areas for standard devel­
opment are indicated in parentheses. ANSI-accredited SDOs are indicated
with an “*.”

• International Standards Organization (ISO) [various]

• ASTM International (ASTM) [various]*

• Accredited Standards Committee (ASC) X12 [Insurance

• Health Level Seven International (HL7) [various]*

• Digital Imaging and Communication in Medicine (DICOM)

• National Council for Prescription Drug Programs (NCPDP)

• Regienstrief (LOINC) [Laboratory Vocabulary]

S T A N D A R D S D E V E L O P M E N T P R O C E S S · 363

• International Health Terminology SDO (IHTSDO) [Clinical


In addition, Boone (2012a) identifies the following “other” organizations
as having a major impact on HIT:

• World Wide Web Consortium (W3C) [XML, HTML]

• Internet Engineering Task Force (IETF) [Internet]

• Organization for the Advancement of Structured Information

Standards (OASIS) [Business use of XML]

He further identifies key groups known as “profiling bodies” (Boone,
2012a) that use existing standards to create comprehensive implementation
guides. Two examples of profiling bodies are Integrating the Healthcare
Enterprise (IHE) and the ONC, which focus on guidance for implementing
clinical interoperability standards.

European Committee for Standardization (CEN)

Although the focus of this chapter is standards developed within the

United States, it is important to recognize there are other standards

organizations worldwide. For example, the European Committee

for Standardization (CEN) was created in Brussels in 1975. In 2010

CEN partnered with another European standards developing organi­
zation, the European Committee for Electrotechnical Standardization

(CENELEC), to form the CEN-CENELEC Management Centre (CCMC)

in Brussels, Belgium. The CCMC current membership includes national

standards bodies from thirty-three European countries (CEN-CENE­
LEC, n.d.).

The Technical Committee within CEN that oversees health care

informatics standards is CEN TC 251, which consists of two working


• WG1: Enterprise and Information

• WG2: Technology and Applications

Source: CEN (n.d.).

364 · C H A P T E R 1 1 : H E A L T H C A R E I N F O R M A T I O N S Y S T E M S T A N D A R D S



There are many federal initiatives that affect health care IT standards. In this
section we look at federal initiatives for health care IT standards as a part of
HIPAA, CMS e-prescribing, CMS EHR Incentive Program, and the Offi ce of
the National Coordinator for Health Information Technology (ONC), includ­
ing the Interoperability Roadmap.


In August 2000, the US Department of Health and Human Services published
the final rule outlining the standards to be adopted by health care organi­
zations for electronic transactions and announced the designated standard
maintenance organizations (DSMOs). In publishing this rule, which has
been modified as needed, the federal government mandated that health care
organizations adopt certain standards for electronic transactions and stan­
dard code sets for these transactions and identified the standards organiza­
tions that would oversee the adoption of standards for HIPAA compliance.
The DSMOs have the responsibility for the development, maintenance, and
modification of relevant electronic data interchange standards. HIPAA trans­
action standards apply to all covered entities’ electronic data interchange
(EDI) related to claims and encounter information, payment and remittance
advice, claims status, eligibility, enrollment and disenrollment, referrals and
authorizations, coordination of benefits, and premiums payment. The current
HIPAA transaction standards are ASC X12N version 5010 (which accommo­
dates ICD-10) along with NCPDP D.0 for pharmacy transactions (CMS, 2016b).
In addition to these transaction standards, several standard code sets were
established for use in electronic transactions, including ICD-10-CM, ICD-10­
PCS, HCPCS, CPT, and Code on Dental Procedures and Nomenclature (CDT)
(CMS, 2016a).

Centers for Medicare and Medicaid E-prescribing

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003
(MMA) established a Voluntary Prescription Drug Benefit program. There is
no requirement in this act that providers write prescriptions electronically,
but those who choose to do so must comply with specific e-prescribing stan­
dards. The current published CMS e-prescribing standards consist of three
sets of existing health care IT standards as “foundation” standards, which
include NCPDP’s SCRIPT Standard for e-Prescribing, ASC X12N standard for

F E D E R A L I N I T I A T I V E S A F F E C T I N G H E A L T H C A R E I T S T A N D A R D S · 365

Health Care Eligibility Benefit and Response, and NCPDP’s telecommunica­
tions standard. In addition, the final rule identifies three additional electronic
tools to be used in implementing e-prescribing:

• NCPDP Formulary and Benefi t Standard Implementation Guide, which
provides information about drugs covered under the benefi ciary’s
benefi t plan

• NCPDP SCRIPT Medication History Transactions, which provides
information about medications a benefi ciary has been taking

• Fill Status Notifi cation (RxFill), which allows prescribers to receive
an electronic notice from the pharmacy regarding the benefi ciary’s
prescription status (CMS, 2013)

Centers for Medicare and Medicaid EHR Incentive Programs

As discussed previously, the Medicare and Medicaid EHR Incentive Programs
were established as a part of the HITECH Act to encourage eligible providers
(EPs) and eligible hospitals (EHs) to demonstrate Meaningful Use of certifi ed
EHR technology. EHR certification for Stage 1 and Stage 2 Meaningful Use
requires EPs and EHs to meet specific criteria. Certifi cation requirements
are organized according to objectives, measures, specific criteria, and stan­
dards. Not all criteria include specific standards, but many do. Examples of
standards required by 2014 certification rules include using the HL7 Imple­
mentation Guide for CDA in meeting the criteria for providing patients the
ability to view online, download, and transmit information about a hospital.
Other standards include SNOMED CT, which is required for coding a patient’s
smoking status, RxNorm, which is required for medications, and LOINC,
which is required for laboratory tests, among others (, 2014).

Office of the National Coordinator for Health
Information Technology

As discussed in previous chapters the Office of the National Coordinator for
Health Information Technology (ONC) was established in 2004 and charged
with providing “leadership for the development and nationwide implemen­
tation of an interoperable health information technology infrastructure to
improve the quality and efficiency of health care” (HHS, 2008). In 2009, the
role of the ONC was strengthened when the HITECH Act legislatively man­
dated ONC to provide this leadership and oversight (HHS, 2012). Today, the
ONC is “the principal federal entity charged with coordination of nationwide

Required Cost

Test Tool

No Free N/A

Exhibit 11.1 Excerpt from ONC 2016 Interoperability Standards Advisory

Section I: Best Available Vocabulary/Code Set/Terminology Standards and Implementation Specifi cations

I-A: Allergies

Interoperability Need: Representing patient allergic reactions


Standards Process Implementation Adoption

Specifi cation Maturity Maturity Level

SNOMED CT Final Production Standard

Limitations, Dependencies, and Preconditions for Applicable Value Set(s):


• SNOMED CT may not be suffi cient to differentiate Value Set Problem urn:oid:2.16.840.1.113883.
between an allergy or adverse reaction, or the level of

Interoperability Need: Representing patient allergens: medications


Type Specifi cation



Source: ONC (2016).

Required Cost

Test Tool

Yes Free N/A

No Free N/A

Standards Process



Standard Final Production

Standard Final Production Unknown

O T H E R O R G A N I Z A T I O N S I N F L U E N C I N G H E A L T H C A R E I T S T A N D A R D S · 367

efforts to implement and use the most advanced health information technol­
ogy and the electronic exchange of health information” (, n.d.).

Current ONC initiatives, in addition to implementing HITECH, include
implementation of health care IT standards for interoperability. In Chapter
Three, the ONC Interoperability Roadmap was introduced and key milestones
related to payment reform and outcomes were outlined. The Roadmap also
outlines key milestones for the development and implementation of tech­
nologies to support interoperability (ONC, 2015). Beginning in 2015, the
ONC published its fi rst Interoperability Standards Advisory, which has
been subsequently updated annually. This Advisory document outlines the
ONC-identified “best available” standards and implementation specifi cations
for clinical IT interoperability. The identified standards and specifi cations in
the 2016 Advisory are grouped into three sections:

• Best Available Vocabulary/Code Set/Terminology Standards and
Implementation Specifi cations, which address the “semantics,” or
standard meanings of codes and terms needed for interoperability

• Best Available Content/Structure Standards and Implementation
Specifi cations, which address the “syntax,” or rules by which the
common data elements can be shared to achieve interoperability

• Best Available Standards and Implementation Specifi cation for
Services, which address infrastructure components needed to achieve
interoperability (ONC, 2016)

Each specific standard is identified and defined by six characteristics:
process maturity, implementation maturity, adoption level, federal require­
ment status, cost, and whether a testing tool is available. The Advisory
also includes hyperlinks to the standards and implementation guides cited.
Exhibit 11.1 is an excerpt from the 2016 Advisory.


The following organizations certainly do not represent the full list of bodies
that are involved with health care IT standards development and implemen­
tation. However, they do represent a few of the most signifi cant nongovern­
ment contributors. ASTM International and HL7 International are accredited
SDOs with standards specifically addressing health care information. IHE is a
recognized profiling body influencing the implementation of interoperability

368 · C H A P T E R 1 1 : H E A L T H C A R E I N F O R M A T I O N S Y S T E M S T A N D A R D S

ASTM International

ASTM International was formerly known as the American Society for Testing
and Materials. ASTM International has more than thirty thousand members
from across the globe, and they are responsible for publishing more than
twelve thousand standards. ASTM standards range from those that dictate
traffic paint to cell phone casings (ASTM, n.d.a, n.d.b). The ASTM Standards
for Healthcare Services, Products and Technology include medical device
standards and health information standards. The health information stan­
dards are managed by the ASTM Committee E31, which focuses on “the
development of standards that help doctors and health care practitioners
preserve and transfer patient information using EHR technologies” (ASTM,
2014). Of particular note, the E31 standards include the continuity of care
record (CCR) discussed further on in this chapter.

HL7 International

HL7 International was founded in 1987. It is an ANSI-accredited SDO “dedi­
cated to providing a comprehensive framework and related standards for the
exchange, integration, sharing, and retrieval of electronic health information
that supports clinical practice and the management, delivery and evaluation
of health services” (HL7, n.d.). The HL7 standards related to interoperability
and listed on its website as “Primary Standards,” or most used, include the

• Version 2 and 3 HL7 messaging standards, interoperability
specifi cations for health and medical transactions; these are the
standards commonly referred to as HL7

• Clinical Document Architecture (CDA), a document markup standard
for clinical information exchange among providers based on version 3
of HL7

• Continuity of Care Document (CCD), a joint effort with ASTM
providing complete guidance for implementation of CDA in the United

• Clinical Context Object Workgroup (CCOW), interoperability
standards for visually integrating applications “at the point of use”

These primary standards are not the only ones developed by HL7 Inter­
national. The organization also publishes Functional EHR and PHR s