Health information systems face challenges with data input and information output. Concerns with health information systems may vastly impact the accessibility and/or integrity of patient-protected health information (PHI). Health care leaders are continuously concerned about PHI value, quality, security, and efficiency. Meanwhile, technology is advancing in health care at an unsurpassed rate. Some health care organizations are very slow to adapt. Other organizations spend the time and resources ensuring that they remain competitive, measuring the risk versus the benefit of new or improved health information systems.
Evaluate three threats to health information systems and explain their impact on patient health information.
Organizing Information Technology Services
Privacy is an individual’s constitutional right to be left alone, to be free from unwarranted
publicity, and to conduct his or her life without its being made public. In the health care
environment, privacy is an individual’s right to limit access to his or her health care information.
In spite of this constitutional protection and other legislated protections discussed in this chapter,
approximately 112 million Americans (a third of the United States population) were affected by
breaches of protected health information (PHI) in 2015 (Koch, 2016). Three large
insurance-related corporations accounted for nearly one hundred million records being exposed
(Koch, 2016). In one well-publicized security breach at Banner Health, where hackers gained
entrance through food and beverage computers, approximately 3.7 million individuals’
information was accessed, much of it health information (Goedert, 2016).
Health information privacy and security are key topics for health care administrators. In today’s
ever-increasing electronic world, where the Internet of Things is on the horizon and nearly every
health care organization employee and visitor has a smart mobile device that is connected to at
least one network, new and more virulent threats are an everyday concern. In this chapter we
will examine and define the concepts of privacy, confidentiality, and security as they apply to
health information. Major legislative efforts, historic and current, to protect health care
information are outlined, with a focus on the Health Insurance Portability and Accountability Act
(HIPAA) Privacy, Security, and Breach Notification rules. Different types of threats, intentional
and unintentional, to health information will be discussed. Basic requirements for a strong health
care organization security program will be outlined, and the chapter will conclude with the
cybersecurity challenges in today’s environment of mobile and cloud-based devices, wearable
fitness trackers, social media, and remote access to health information.
Privacy, Confidentiality, and Security Defined
As stated, privacy is an individual’s right to be left alone and to limit access to his or her health
care information. Confidentiality is related to privacy but specifically addresses the expectation
that information shared with a health care provider during the course of treatment will be used
only for its intended purpose and not disclosed otherwise. Confidentiality relies on trust. Security
refers to the systems that are in place to protect health information and the systems within
which it resides. Health care organizations must protect their health information and health
information systems from a range of potential threats. Certainly, security systems must protect
against unauthorized access and disclosure of patient information, but they must also be
designed to protect the organization’s IT assets—such as the networks,hardware, software, and
applications that make up the organization’s health care information systems—from harm.
Legal Protection of Health Information
There are many sources for the legal and ethical requirements that health care professionals
maintain the confidentiality of patient information and protect patient privacy. Ethical and
professional standards, such as those published by the American Medical Association and
other organizations, address professional conduct and the need to hold patient information in
confidence. Accrediting bodies, such as the Joint Commission, state facility licensure rules, and
the government through Centers for Medicare and Medicaid, dictate that health care
organizations follow standard practice and state and federal laws to ensure the confidentiality
and security of patient information.
Today, legal protection specially addressing the unauthorized disclosure of an individual’s health
information generally comes from one of three sources (Koch, 2016):
Federal HIPAA Privacy, Security, and Breach Notification rules
State privacy laws. These laws typically apply more stringent protections for information related
to specific health conditions (HIV/AIDS, mental or reproductive health, for example).
Federal Trade Commission (FTC) Act consumer protection, which protects against unfair or
deceptive practices. The FTC issued the Health Breach Notification Rule in 2010 to require
certain businesses not covered by HIPAA, including PHR vendors, PHR-related entities, or
third-party providers for PHR vendors or PHR-related entities to notify individuals of a security
However, there are two other major federal laws governing patient privacy that, although they
have been essentially superseded by HIPAA, remain important, particularly from a historical
The Privacy Act of 1974 (5 U.S.C. §552a; 45 C.F.R. Part 5b; OMB Circular No. A-108 )
Confidentiality of Substance Abuse Patient Records (42 U.S.C. §290dd- 2, 42 C.F.R. Part 2)
The Privacy Act of 1974
In 1966, the Freedom of Information Act (FOIA) was passed. This legislation provides the
American public with the right to obtain informationfrom federal agencies. The act covers all
records created by the federal government, with nine exceptions. The sixth exception is for
personnel and medical information, “the disclosure of which would constitute a clearly
unwarranted invasion of personal privacy.” There was, however, concern that this exception to
the FOIA was not strong enough to protect federally created patient records and other health
information. Consequently, Congress enacted the Privacy Act of 1974. This act was written
specifically to protect patient confidentiality only in federally operated health care facilities, such
as Veterans Administration hospitals, Indian Health Service facilities, and military health care
organizations. Because the protection was limited to those facilities operated by the federal
government, most general hospitals and other nongovernment health care organizations did not
have to comply. Nevertheless, the Privacy Act of 1974 was an important piece of legislation, not
only because it addressed the FOIA exception for patient information but also because it
explicitly stated that patients had a right to access and amend their medical records. It also
required facilities to maintain documentation of all disclosures. Neither of these things was
standard practice at the time.
Confidentiality of Substance Abuse Patient Records
During the 1970s, people became increasingly aware of the extra-sensitive nature of drug and
alcohol treatment records. This led to the regulations currently found in 42 C.F.R. (Code of
Federal Regulations) Part 2, Confidentiality of Substance Abuse Patient Records. These
regulations have been amended twice, with the latest version published in 1999. They offer
specific guidance to federally assisted health care organizations that provide referral, diagnosis,
and treatment services to patients with alcohol or drug problems. Not surprisingly, they set
stringent release of information standards, designed to protect the confidentiality of patients
seeking alcohol or drug treatment.
HIPAA is the first comprehensive federal regulation to offer specific protection to private health
information. Prior to the enactment of HIPAA there was no single federal regulation governing
the privacy and security of patient-specific information, only the limited legislative protections
previously discussed. These laws were not comprehensive and protected only specific groups
The Health Insurance Portability and Accountability Act of 1996 consists of two main parts:
Title I addresses health care access, portability, and renewability, offering protection for
individuals who change jobs or health insurance policies. (Although Title I is an important piece
of legislation, it does not address health care information specifically and will therefore not be
addressed in this chapter.)
Title II includes a section titled, “Administrative Simplification.”
The requirements establishing privacy and security regulations for protecting individually
identifiable health information are found in Title II of HIPAA. The HIPAA Privacy Rule was
required beginning April 2003 and the HIPAA Security Rule beginning April 2005. Both rules
were subsequently amended and the Breach Notification Rule was added as a part of the
HITECH Act in 2009.
The information protected under the HIPAA Privacy Rule is specifically defined as PHI, which is
Relates to a person’s physical or mental health, the provision of health care, or the payment for
Identifies the person who is the subject of the information
Is created or received by a covered entity
Is transmitted or maintained in any form (paper, electronic, or oral)
Unlike the Privacy Rule, the Security Rule addressed only PHI transmitted or maintained in
electronic form. Within the Security Rule this information is identified as ePHI.
The HIPAA rules also define covered entities (CEs), those organizations to which the rules
Health plans, which pay or provide for the cost of medical care
Health care clearinghouses, which process health information (for example, billing services)
Health care providers who conduct certain financial and administrative transactions
electronically (These transactions are defined broadly so that the reality of HIPAA is that it
governs nearly all health care providers who receive any type of third-party reimbursement.)
If any CE shares information with others, it must establish contracts to protect the shared
information. The HITECH Act amended HIPAA and added “Business Associates” as a category
of CE. It further clarified that certain entities, such as health information exchange organizations,
regional health information organizations, e-prescribing gateways, or a vendor that contracts
with a CE to allow the CE to offer a personal health record as a part of its EHR, are business
associates if they require access to PHI on a routine basis (Coppersmith, Gordon, Schermer, &
Brokelman, PLC, 2012).
HIPAA Privacy Rule
Although the HIPAA Privacy Rule is a comprehensive set of federal standards, it permits the
enforcement of existing state laws that are more protective of individual privacy, and states are
also free to pass more stringent laws. Therefore, health care organizations must still be familiar
with their own state laws and regulations related to privacy and confidentiality.
The major components to the HIPAA Privacy Rule in its original form include the following:
Boundaries. PHI may be disclosed for health purposes only, with very limited exceptions.
Security. PHI should not be distributed without patient authorization unless there is a clear basis
for doing so, and the individuals who receive the information must safeguard it.
Consumer control. Individuals are entitled to access and control their health records and are to
be informed of the purposes for which information is being disclosed and used.
Accountability. Entities that improperly handle PHI can be charged under criminal law and
punished and are subject to civil recourse as well.
Public responsibility. Individual interests must not override national priorities in public health,
medical research, preventing health care fraud, and law enforcement in general.
With HITECH, the Privacy Rule was expanded to include creation of new privacy requirements
for HIPAA-covered entities and business associates. In addition, the rights of individuals to
request and obtain their PHI are strengthened, as is the right of the individual to prevent a health
care organization from disclosing PHI to a health plan, if the individual paid in full out of pocket
for the related services. There were also some new provisionsfor accounting of disclosures
made through an EHR for treatment, payment, and operations (Coppersmith et al., 2012).
The HIPAA Privacy Rule attempts to sort out the routine and nonroutine use of health
information by distinguishing between patient consent to use PHI and patient authorization to
release PHI. Health care providers and others must obtain a patient’s written consent prior to
disclosure of health information for routine uses of treatment, payment, and health care
operations. This consent is fairly general in nature and is obtained prior to patient treatment.
There are some exceptions to this in emergency situations, and the patient has a right to
request restrictions on the disclosure. However, health care providers can deny treatment if they
feel that limiting the disclosure would be detrimental. Health care providers and others must
obtain the patient’s specific written authorization for all nonroutine uses or disclosures of PHI,
such as releasing health records to a school or a relative.
Exhibit 9.1 is a sample release of information form used by a hospital, showing the following
elements that should be present on a valid release form:
Patient identification (name and date of birth)
Name of the person or entity to whom the information is being released
Description of the specific health information authorized for disclosure
Statement of the reason for or purpose of the disclosure
Date, event, or condition on which the authorization will expire, unless it is revoked earlier
Statement that the authorization is subject to revocation by the patient or the patient’s legal
Patient’s or legal representative’s signature
Signature date, which must be after the date of the encounter that produced the information to be
Health care organizations need clear policies and procedures for releasing PHI. A central point
of control should exist through which all nonroutine requests for information pass, and all
disclosures should be well documented.
In some instances, PHI can be released without the patient’s authorization. For example, some
state laws require disclosing certain health information. It is always good practice to obtain a
patient authorization prior to releasing information when feasible, but in state-mandated cases it
is not required. Some examples of situations in which information might need to be disclosed to
authorized recipients without the patient’s consent are the presence of a communicable disease,
such as AIDS and sexually transmitted diseases, which must be reported to the state or county
department of health; suspected child abuse or adult abuse that must be reported to designated
authorities; situations in which there is a legal duty to warn another person of a clear and
imminent danger from a patient; bona fide medical emergencies; and the existence of a valid
The HIPAA Security Rule
The HIPAA Security Rule is closely connected to the HIPAA Privacy Rule. The Security Rule
governs only ePHI, which is defined as protected health information maintained or transmitted in
electronic form. It is important to note that the Security Rule does not distinguish between
electronic forms of information or between transmission mechanisms. ePHI may be stored in
any type of electronic media, such as magnetic tapes and disks, optical disks, servers, and
personal computers. Transmission may take place over the Internet or on local area networks
(LANs), for example.
The standards in the final rule are defined in general terms, focusing on what should be done
rather than on how it should be done. According to the Centers for Medicare and Medicaid
Services (CMS, 2004), the final rule specifies “a series of administrative, technical, and physical
security procedures for covered entities to use to assure the confidentiality of electronic
protected health information (ePHI). The standards are delineated into either required or
addressable implementation specifications.” A required specification must be implemented by a
CE for that organization to be in compliance. However, the CE is in compliance with an
addressable specification if it does any one of the following:
Implements the specification as stated
Implements an alternative security measure to accomplish the purposes of the standard or
Chooses not to implement anything, provided it can demonstrate that the standard or
specification is not reasonable and appropriate and that the purpose of the standard can still be
met; because the Security Rule is designed to be technology neutral, this flexibility was granted
for organizations that employ nonstandard technologies or have legitimate reasons not to need
the stated specification (AHIMA, 2003)
The standards contained in the HIPAA Security Rule are divided into sections, or categories, the
specifics of which we outline here. You will notice overlap among the sections. For example,
contingency plans are covered under both administrative and physical safeguards, and access
controls are addressed in several standards and specifications.
The HIPAA Security Rule
The HIPAA Security Administrative Safeguards section of the Final Rule contains nine
1. Security management functions. This standard requires the CE to implement policies and
procedures to prevent, detect, contain, and correct security violations. There are four
implementation specifications for this standard:
Risk analysis (required). The CE must conduct an accurate and thorough assessment of the
potential risks to and vulnerabilities of the confidentiality, integrity, and availability of ePHI.
Risk management (required). The CE must implement security measures that reduce risks and
vulnerabilities to a reasonable and appropriate level.
Sanction policy (required). The CE must apply appropriate sanctions against workforce
members who fail to comply with the CE’s security policies and procedures.
Information system activity review (required). The CE must implement procedures to regularly
review records of information system activity, such as audit logs, access reports, and security
incident tracking reports.
Assigned security responsibility. This standard does not have any implementation
specifications. It requires the CE to identify the individual responsible for overseeing
development of the organization’s security policies and procedures.
Workforce security. This standard requires the CE to implement policies and procedures to
ensure that all members of its workforce have appropriate access to ePHI and to prevent those
workforce members who do not have access from obtaining access. There are three
implementation specifications for this standard:
Authorization and/or supervision (addressable). The CE must have a process for ensuring that
the workforce working with ePHI has adequate authorization and supervision.
Workforce clearance procedure (addressable). There must be a process to determine what
access is appropriate for each workforce member.
Termination procedures (addressable). There must be a process for terminating access to ePHI
when a workforce member is no longer employed or his or her responsibilities change.
Information access management. This standard requires the CE to implement policies and
procedures for authorizing access to ePHI. There are three implementation specifications within
this standard. The first (not shown here) applies to health care clearinghouses, and the other two
apply to health care organizations:
Access authorization (addressable). The CE must have a process for granting access to ePHI
through a workstation, transaction, program, or other process.
Access establishment and modification (addressable). The CE must have a process (based on
the access authorization) to establish, document, review, and modify a user’s right to access a
workstation, transaction, program, or process.
Security awareness and training. This standard requires the CE to implement awareness and
training programs for all members of its workforce. This training should include periodic security
reminders and address protection from malicious software, log-in monitoring, and password
management. (These items to be addressed in training are all listed as addressable
Security incident reporting. This standard requires the CE to implement policies and procedures
to address security incidents.
Contingency plan. This standard has five implementation specifications:
Data backup plan (required)
Disaster recovery plan (required)
Emergency mode operation plan (required)
Testing and revision procedures (addressable); the CE should periodically test and modify all
Applications and data criticality analysis (addressable); the CE should assess the relative
criticality of specific applications and data in support of its contingency plan
Evaluation. This standard requires the CE to periodically perform technical and nontechnical
evaluations in response to changes that may affect the security of ePHI.
Business associate contracts and other arrangements. This standard outlines the conditions
under which a CE must have a formal agreement with business associates in order to
The HIPAA Security Physical Safeguards section contains four standards:
Facility access controls. This standard requires the CE to implement policies and procedures to
limit physical access to its electronic information systems and the facilities in which they are
housed to authorized users. There are four implementation specifications with this standard:
Contingency operations (addressable). The CE should have a process for allowing facility
access to support the restoration of lost data under the disaster recovery plan and emergency
mode operation plan.
Facility security plan (addressable). The CE must have a process to safeguard the facility and
its equipment from unauthorized access, tampering, and theft.
Access control and validation (addressable). The CE should have a process to control and
validate access to facilities based on users’ roles or functions.
Maintenance records (addressable). The CE should have a process to document repairs and
modifications to the physical components of a facility as they relate to security.
2. Workstation use. This standard requires the CE to implement policies and procedures that
specify the proper functions to be performed and the manner in which those functions are to be
performed on a specific workstation or class of workstation that can be used to access ePHI
and that also specify the physical attributes of the surroundings of such workstations.
Workstation security. This standard requires the CE to implement physical safeguards for all
workstations that are used to access ePHI and to restrict access to authorized users.
Device and media controls. This standard requires the CE to implement policies and procedures
for the movement of hardware and electronic media that contain ePHI into and out of a facility
and within a facility. There are four implementation specifications with this standard:
Disposal (required). The CE must have a process for the final disposition of ePHI and of the
hardware and electronic media on which it is stored.
Media reuse (required). The CE must have a process for removal of ePHI from electronic media
before the media can be reused.
Accountability (addressable). The CE must maintain a record of movements of hardware and
electronic media and any person responsible for these items.
Data backup and storage (addressable). The CE must create a retrievable, exact copy of ePHI,
when needed, before movement of equipment.
The HIPAA Security Technical Safeguards section has five standards:
Access control. This standard requires the CE to implement technical policies and procedures
for electronic information systems that maintain ePHI in order to allow access only to those
persons or software programs that have been granted access rights as specified in the
administrative safeguards. There are four implementation specifications within this standard:
Unique user identification (required). The CE must assign a unique name or number for
identifying and tracking each user’s identity.
Emergency access procedure (required). The CE must establish procedures for obtaining
necessary ePHI in an emergency.
Automatic log-off (addressable). The CE must implement electronic processes that terminate an
electronic session after a predetermined time of inactivity.
Encryption and decryption (addressable). The CE should implement a mechanism to encrypt
and decrypt ePHI as needed.
Audit controls. This standard requires the CE to implement hardware, software, and procedures
that record and examine activity in the information systems that contain ePHI.
Integrity. This standard requires the CE to implement policies and procedures to protect ePHI
from improper alteration or destruction.
Person or entity authentication. This standard requires the CE to implement procedures to verify
that a person or entity seeking access to ePHI is in fact the person or entity claimed.
Transmission security. This standard requires the CE to implement technical measures to guard
against unauthorized access to ePHIbeing transmitted across a network. There are two
implementation specifications with this standard:
Integrity controls (addressable). The CE must implement security measures to ensure that
electronically transmitted ePHI is not improperly modified without detection.
Encryption (addressable). The CE should encrypt ePHI whenever it is deemed appropriate.
The Policies, Procedures, and Documentation section has two standards:
Policies and procedures. This standard requires the CE to establish and implement policies and
procedures to comply with the standards, implementation specifications, and other
Documentation. This standard requires the CE to maintain the policies and procedures
implemented to comply with the Security Rule in written form. There are three implementation
Time limit (required). The CE must retain the documentation for six years from the date of its
creation or the date when it was last in effect, whichever is later.
Availability (required). The CE must make the documentation available to those persons
responsible for implementing the policies and procedures.
Updates (required). The CE must review the documentation periodically and update it as
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires CEs and their business associates to provide
notification following a breach of unsecured protected health information. “‘Unsecured’ PHI is
PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized
persons through the use of a technology or methodology specified by the Secretary in guidance”
(US Department of Health and Human Services, n.d.c). To meet the requirement of “secured”
PHI, it must have been encrypted using a valid encryption process, or the media on which the
PHI is stored have been destroyed. Paper or other hard copy media, such as film, must be
shredded or otherwise destroyed so that it cannot be read or reconstructed. Electronic media
must be “sanitized” according to accepted standards so that PHI cannot be retrieved (US
Department of Health and Human Services, n.d.c).
The notification requirements include, depending on the circumstances, notification to these
The Health and Human Services Secretary (via the Office for Civil Rights [OCR])
Major media outlets
All individuals affected by breaches of unsecured PHI must be notified within a reasonable
length of time—less than sixty days—after the breach is discovered. If the CE does not have
sufficient information to contact ten or more individuals directly, the notification must be made on
the home page of its website for at least ninety days or by a major media outlet. A CE that
experiences a breach involving five hundred or more individuals must, in addition to sending
individual notices, provide notice to a major media outlet serving the area. This notification must
also be made within sixty days. All breaches must also be reported to the secretary of HHS; the
breaches involving more than five hundred individuals must be reported within sixty days; all
others may be reported on an annual basis (US Department of Health and Human Services,
HIPAA Enforcement and Violation Penalties
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is
responsible for enforcing HIPAA Privacy and Security rules. In addition, HITECH gave state
attorneys general the authority to bring civil actions on behalf of the residents of their states for
HIPAA violations. From April 2003 until May 2016, OCR has received over 134,000 HIPAA
complaints and has initiated 879 compliance reviews. The resolution of the complaints and
reviews is as follows (US Department of Health and Human Services, 2016):
Settled thirty-five cases resulting in $36,639,200 in penalties
Resolved 24,241 cases by requiring a change in privacy practices and corrective actions by, or
providing technical assistance to, CEs or business associates
Identified 11,018 cases as no violation and 79,865 cases as non-eligible
HIPAA criminal and civil penalties for noncompliance are applied using a tiered schedule that
ranges from $100 for a single violation, when the individual did not know he or she was not in
compliance, to $1,500,000 for multiple violations because of willful neglect. It is important to note
that civil penalties cannot be levied in situations when the violation is corrected within a specified
period of time.
The structure for HIPAA violations reflect four categories of violations and associated penalties.
Table 9.1 outlines the categories and penalties.
Table 9.1 HIPAA violation categories
Source: What are the penalties for HIPAA violations? (2015).
Violation Category Category Fine*
Category 1: A violation that the CE was unaware of, and could not have realistically avoided,
had a reasonable amount of care been taken to abide by HIPAA rules Minimum fine of $100
per violation up to $50,000
Category 2: A violation that the CE should have been aware of but could not have avoided even
with a reasonable amount of care (but falling short of willful neglect of HIPAA rules)
Minimum fine of $1,000 per violation up to $50,000
Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA rules, in cases in
which an attempt has been made to correct the violation Minimum fine of $10,000 per
violation up to $50,000
Category 4: A violation of HIPAA rules constituting willful neglect, and no attempt has been
made to correct the violation Minimum fine of $50,000 per violation
*The fines are issued per violation category, per year that the violation was allowed to persist.
The maximum fine per violation category, per year, is $1,500,000.
In addition to these civil penalties, a HIPAA violation may result in criminal charges. The criminal
penalties are divided into the following three tiers (What are the penalties for HIPAA violations,
Tier 1: Reasonable cause or no knowledge of violation—Up to one year in jail
Tier 2: Obtaining PHI under false pretenses—Up to five years in jail
Tier 3: Obtaining PHI for personal gain or with malicious intent—Up to ten years in jail
As stated, most HIPAA violations are resolved with corrective action. In 2015 six financial
penalties were issued. However, a serious violation can cost a health care organization a
significant about of money. One such case resulting in a substantial financial settlement is
outlined in the Perspective. The top ten largest fines levied for HIPAA violations as of August
2016 are listed in Table 9.2.
Table 9.2 Top ten largest fines levied for HIPAA violations as of August 2016
Source: Bazzoli (2016).
Organization Individuals Affected Fine Awarded ($ million) Data Awarded
Advocate Health Care: Lacked appropriate safeguards, including an unencrypted laptop was left
in a vehicle overnight 4 million 5.55 August 2016
New York Presbyterian Hospital and Columbia University: PHI accessible on Google and other
search engines 6,800 4.8 May 2014
Cignet Health: Did not allow patients access to medical records and refused to cooperate with
OCR 41 4.3 February 2011
Feinstein Institute for Medical Research: Lacked appropriate safeguards leading to theft
Unknown 3.9 March 2016
Triple-S Management Corp (Blue Cross/Blue Shield licensee in Puerto Rico): Did not deactivate
user IDs and passwords, allowing previous employees to access PHI 398,000 3.5
University of Mississippi Medical Center: Did not manage risks appropriately, although aware of
risks and vulnerabilities 10,000 2.75 July 2016
Oregon Health & Science University: Lacked safeguards with regards to stolen laptop and used
cloud storage without a business associate agreement in place 7,000 2.7 July 2016
CVS Pharmacy: Improperly disposed of PHI such as prescription labels Unknown 2.25
New York Presbyterian Hospital: Allowed filming of two patients for a TV series creating the
potential for PHI to be compromise. (Note: Hospital continues to maintain it was not a violation.)
Unknown 2.2 April 2016
Concentra Health Services: Failed to remediate an identified lack of encryption after an
unencrypted laptop was stolen 870 1.73 April 2014
$750,000 HIPAA Settlement Underscores the Need for Organization-Wide Risk Analysis
The University of Washington Medicine (UWM) has agreed to settle charges that it potentially
violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule
by failing to implement policies and procedures to prevent, detect, contain, and correct security
violations. UWM is an affiliated covered entity, which includes designated health care
components and other entities under the control of the University of Washington, including
University of Washington Medical Center, the primary teaching hospital of the University of
Washington School of Medicine. Affiliated covered entities must have in place appropriate
policies and processes to assure HIPAA compliance with respect to each of the entities that are
part of the affiliated group. The settlement includes a monetary payment of $750,000, a
corrective action plan, and annual reports on the organization’s compliance efforts.
The US Department of Health and Human Services Office for Civil Rights (OCR) initiated its
investigation of the UWM following receipt of a breach report on November 27, 2013, which
indicated that the electronic protected health information (e-PHI) of approximately 90,000
individuals was accessed after an employee downloaded an email attachment that contained
malicious malware. The malware compromised the organization’s IT system, affecting the data
of two different groups of patients: (1) approximately 76,000 patients involving a combination of
patient names, medical record numbers, dates of service, and/or charges or bill balances; and
(2) approximately 15,000 patients involving names, medical record numbers, other
demographics such as address and phone number, dates of birth, charges or bill balances,
Social Security numbers, insurance identification or Medicare numbers.
OCR’s investigation indicated UWM’s security policies required its affiliated entities to have
up-to-date, documented system-level risk assessments and to implement safeguards in
compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities
were properly conducting risk assessments and appropriately responding to the potential risks
and vulnerabilities in their respective environments.
Source: HHS.gov (2015). Used with permission.
Threats to Health Care Information
What are the threats to health care information systems? In general, threats to health care
information systems fall into one of these three categories:
Human tampering threats
Natural and environmental threats, such as floods and fire
Environmental factors and technology malfunctions, such as a drive that fails and has no
backup or a power outage
Threats to health care information systems from human beings can be intentional or
unintentional. They can be internal, caused by employees, or external, caused by individuals
outside the organization.
Intentional threats include knowingly disclosing patient information without authorization, theft,
intentional alteration of data, and intentional destruction of data. The culprit could be a computer
hacker, a disgruntled employee, or a prankster. Cybercrime directed at health information
systems has increased significantly in recent years. In the 2014–2015 two-year period, more
than 90 percent of health care organizations reported a health information security breach, and
of these reports, nearly half were because of criminal activity (Koch, 2016). Intentional
destruction or disruption of health care information is generally caused by some form of
malware, a general term for software that is written to “infect” and subsequently harm a host
computer system. The best-known form of malware is the computer virus, but there are others,
including the particularly virulent ransomware, attacks from which are on the rise in health care.
The following list includes common forms of malware with a brief description of each (Comodo,
Viruses are generally spread when software is shared among computers. It is a “contagious”
piece of software code that infects the host system and spreads itself.
Trojans (or Trojan Horses) are a type of virus specifically designed to look like a safe program.
They can be programmed to steal personal information or to take over the resources of the host
computer making it unavailable for its intended use.
Spyware tracks Internet activities assisting the hacker in gathering information without consent.
Spyware is generally hidden and can be difficult to detect.
Worms are software code that replicates itself and destroys files that are on the host computer,
including the operating system.
Ransomware is an advanced form of malware that hackers use to cripple the organization’s
computer systems through malicious code, generally launched via an e-mail that is opened
unwittingly by an employee, a method known as phishing. The malicious code then encrypts
and locks folders and operating systems. The hacker demands money, generally in the form of
bitcoins, a type of digital currency, to provide the decryption key to unlock the organization’s
systems (Conn, 2016).
Some of the causes of unintentional health information breaches are lack of training in proper
use of the health information system or human error. Users may unintentionally share patient
information without proper authorization. Other examples include users sharing passwords or
downloading information from nonsecure Internet sites, creating the potential for a breach in
security. Some of the more common forms of internal breaches of security across all industries
are the installation or use of unauthorized software, use of the organization’s computing
resources for illegal or illicit communications or activities (porn surfing, e-mail harassment, and
so forth), and the use of the organization’s computing resources for personal profit. Losing or
improperly disposing of electronic devices, including computers and portable electronic devices,
also constitute serious forms of unintentional health information exposure. In 2015, the OCR
portal, which lists breach incidents potentially affecting five hundred or more individuals, reported
more than seventy-five thousand individuals’ data were breached either because of loss or
improper disposal of a device containing PHI (OCR, n.d.).
Threats from natural causes, such as fire or flood, are less common than human threats, but
they must also be addressed in any comprehensive health care information security program.
Loss of information because of environmental factors and technical malfunctions must be
secured against by using appropriate safeguards.
The Health Care Organization’s Security Program
The realization of any of the threats discussed in the previous section can cause significant
damage to the organization. Resorting to manual operations if the computers are down for days,
for example, can lead to organizational chaos. Theft or loss of organizational data can lead to
litigation by the individuals harmed by the disclosure of the data and HIPAA violations. Malware
can corrupt databases, corruption from which there may be no recovery. The function of the
health care organization’s security program is to identify potential threats and implement
processes to remove these threats or mitigate their ability to cause damage. The primary
challenge of developing an effective security program in a health care organization is balancing
the need for security with the cost of security. An organization does not know how to calculate
the likelihood that a hacker will cause serious damage or a backhoe will cut through network
cables under the street. The organization may not fully understand the consequences of being
without its network for four hours or four days. Hence, it may not be sure how much to spend to
remove or reduce the risk.
Another challenge is maintaining a satisfactory balance between health care information system
security and health care data and information availability. As we saw in Chapter Two, the major
purpose of maintaining health information and health records is to facilitate high-quality care for
patients. On the one hand, if an organization’s security measures are so stringent that they
prevent appropriate access to the health information needed to care for patients, this important
purpose is undermined. On the other hand, if the organization allows unrestricted access to all
patient-identifiable information to all its employees, the patients’ rights to privacy and
confidentiality would certainly be violated and the organization’s IT assets would be at
The ONC (2015) publication Guide to Privacy and Security of Electronic Health Information for
health care providers includes a chapter describing a seven-step approach for implementing a
security management process. The guidance is directed at physician practices or other small
health care organizations, and it does not include specific technical solutions. Specific solutions
for security protection will be driven by the organization’s overall plan and will be managed by
the organizations IT team. Larger organizations must also develop comprehensive security
programs and will follow the same basic steps, but it will likely have more internal resources for
security than smaller practices.
Each step in the ONC security management process for health care providers is listed in the
Step 1: Lead Your Culture, Select Your Team, and Learn
This step includes six actions:
Designate a security officer, who will be responsible for developing and implementing the
security practices to meet HIPAA requirements and ensure the security of PHI.
Discuss HIPAA security requirements with your EHR developer to ensure that your system can
be implemented to meet the security requirements of HIPAA and Meaningful Use.
Consider using a qualified professional to assist with your security risk analysis. The security
risk analysis is the opportunity to discover as much as possible about risks and vulnerabilities to
health information within the organization.
Use tools to preview your security risk analysis. Examples of available tools are listed within
Refresh your knowledge base of the HIPAA rules.
Promote a culture of protecting patient privacy and securing patient information. Make sure to
communicate that all members of the organization are responsible for protecting patient
Step 2: Document Your Process, Findings, and Actions
Documenting the processes for risk analysis and implementation of safeguards is very
important, not to mention a requirement of HIPAA. The following are some examples cited by
the ONC of records to retain:
Policies and procedures
Completed security checklists (ESET, n.d.)
Training materials presented to staff members and volunteers and any associated certificates of
Updated business associate (BA) agreements
Security risk analysis report
EHR audit logs that show utilization of security features and efforts to monitor users’ actions
Risk management action plan or other documentation that shows appropriate safeguards are in
place throughout your organization, implementation timetables, and implementation notes
Security incident and breach information
Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)
Risk analysis assesses potential threats and vulnerabilities to the “confidentiality, integrity and
availability” (ONC, 2015, p. 41) of PHI. Several excellent government-sponsored guides and
toolsets available for conducting a comprehensive risk analysis are listed in Table 9.3 with a
corresponding web address.
Table 9.3 Resources for conducting a comprehensive risk analysis
OCR’s Guidance on Risk Analysis Requirements under the HIPAA Rule
OCR Security Rule Frequently Asked Questions (FAQs)
ONC SRA (Security Risk Assessment) Tool for small practices
National Institute of Standards and Technology (NIST) HIPAA Security Rule Toolkit
The three basic actions recommended for the organization’s first comprehensive security risk
analysis are as follows:
Identify where ePHI exists.
Identify potential threats and vulnerabilities to ePHI.
Identify risks and their associated levels.
Step 4: Develop an Action Plan
As discussed, the HIPAA Security Plan provides flexibility in how to achieve compliance, which
allows an organization to take into account its specific needs. The action plan should include five
components. Once in place, the plan should be reviewed regularly by the security team, led by
the security officer.
Policies and procedures
Table 9.4 lists common examples of vulnerabilities and mitigation strategies that could be
Table 7.4 Common examples of vulnerabilities and mitigation strategies
Security Component Examples of Vulnerabilities Examples of Security Mitigation Strategies
Administrative safeguards No security officer is designated.
Workforce is not trained or is unaware of privacy and security issues. Security officer is
designated and publicized.
Workforce training begins at hire and is conducted on a regular and frequent basis.
Security risk analysis is performed periodically and when a change occurs in the practice or the
Physical safeguards Facility has insufficient locks and other barriers to patient data access.
Computer equipment is easily accessible by the public.
Portable devices are not tracked or not locked up when not in use. Building alarm systems are
Offices are locked.
Screens are shielded from secondary viewers.
Technical safeguards Poor controls enable inappropriate access to EHR.
Audit logs are not used enough to monitor users and other HER activities.
No measures are in place to keep electronic patient data from improper changes.
No contingency plan exists.
Electronic exchanges of patient information are not encrypted or otherwise secured. Secure
user IDs, passwords, and appropriate role-based access are used.
Routine audits of access and changes to EHR are conducted.
Anti-hacking and anti-malware software is installed.
Contingency plans and data backup plans are in place.
Data are encrypted.
Organizational standards No breach notification and associated policies exist.
BA agreements have not been updated in several years. Regular reviews of agreements are
conducted and updates made accordingly.
Policies and procedures Generic written policies and procedures to ensure HIPAA security
compliance were purchased but not followed.
The manager performs ad hoc security measures. Written policies and procedures are
implemented and staff members are trained.
Security team conducts monthly review of user activities.
Routine updates are made to document security measures.
Step 5: Manage and Mitigate Risks
The security plan will reduce risk only if it is followed by all employees in the organization. This
step has four actions associated with it.
Implement your plan.
Prevent breaches by educating and training your workforce.
Communicate with patients.
Update your BA contracts.
Step 6: Attest for Meaningful Use Security Related Objective
Organizations can attest to the EHR Incentive Program security-related objective after the
security risk analysis and correction of any identified deficiencies.
Step 7: Monitor, Audit, and Update Security on an Ongoing Basis
The security officer, IT administrator, and EHR developer should work together to ensure that
the organization’s monitoring and auditing functions are active and configured appropriately.
Auditing and monitoring are necessary to determine the adequacy and effectiveness of the
security plan and infrastructure, as well as the “who, what, when, where and how” (ONC, 2015,
p. 54) patients’ ePHI is accessed.
Beyond HIPAA: Cybersecurity for Today’s Wired Environment
Clearly, HIPAA is an important legislative act aimed at protecting health data and information.
However, in today’s increasingly wired environment, health care organizations face threats that
were not present when HIPAA was enacted. In June 2016, 41 percent of all data breaches were
because of cybercrime—hacking. In July of the same year a single hacker was responsible for
30 percent of the health care data breached (Sullivan, 2016). Experts argue that health care
organizations are easy targets for cybercriminals because they are inadequately prepared. The
average health care provider spends less than 6 percent of its total IT budget on security,
compared to the government, which spends 16 percent, and the banking industry, which spends
between 12 and 15 percent. By one estimate the increase in cybercrime against health care
organizations is because of, at least in part, PHI’s value on the black market, estimating that
PHI is fifty times more valuable than financial information (Koch, 2016; Siwicki, 2016).
The reality of today’s environment is that there are more entry points into health care information
networks and computers than ever before. Mobile devices, cloud use, the use of smart
consumer products, health care devices with Internet connectivity, along with more employees
connecting to health care networks from remote locations create an increased need for
cybersecurity in health care organizations. One recent survey found that among medical
students and physicians 93.7 percent owned smartphones and 82.9 percent had used them in a
clinical setting. Perhaps the most surprising aspect of the survey was that none of respondents
believed using the devices increased risk of breaching patient information (Buchholz, Perry,
Weiss, & Cooley, 2016).
So-called mHealth technologies, which include entities that support personal health records and
cloud-based or mobile applications that collect patient information directly from patients or allow
uploading of health-related data from wearable devices, are also on the rise, as is the use of
health-related social media sites. These technologies were not addressed in HIPAA and,
therefore, do not meet the criteria as a CE (DeSalvo & Samuels, 2016).
To provide assistance to health care organizations to combat cyber attacks and improve
cybersecurity, the ONC (n.d.) published the Top 10 Tips for Cybersecurity in Health Care. The
first tip reminds health care organizations to establish a security culture, the same initial tip in
their guidance for developing a security plan, clearly emphasizing the importance of this aspect
of any security program. The other tips in the publication contain some more specific ways to
mitigate the threat from cyber attacks. These tips are listedwith specific checkpoints to ensure
security (ONC, n.d.). The full version of the top-ten document is available at HealthIT.gov.
Protect Mobile Devices
Ensure your mobile devices are equipped with strong authentication and access controls.
Ensure laptops have password protection.
Enable password protection on handheld devices (if available). Take extra physical control
precautions over the device if password protection is not provided.
Protect wireless transmissions from intrusion.
Do not transmit unencrypted PHI across public networks (e.g., Internet, Wi-Fi).
When it is absolutely necessary to commit PHI to a mobile device or remove a device from a
secure area, encrypt the data.
Do not use mobile devices that cannot support encryption.
Develop and enforce policies specifying the circumstances under which devices may be
removed from the facility.
Take extra care to prevent unauthorized viewing of the PHI displayed on a mobile device.
Maintain Good Computer Habits
Uninstall any software application that is not essential to running the practice (e.g., games,
instant message clients, photo-sharing tools).
Do not simply accept defaults or “standard” configurations when installing software.
Find out whether the EHR developer maintains an open connection to the installed software (a
“back door”) in order to provide updates and support.
Disable remote file sharing and remote printing within the operating system (e.g., Windows
Automate software updates to occur weekly (e.g., use Microsoft Windows Automatic Update).
Monitor for critical and urgent patches and updates that require immediate attention and act on
them as soon as possible.
Disable user accounts for former employees quickly and appropriately.
If an employee is to be involuntarily terminated, close access to the account before the notice of
termination is served.
Prior to disposal, sanitize computers and any other devices that have had data stored on them.
Archive old data files for storage if needed or clean them off the system if not needed, subject to
applicable data retention requirements.
Fully uninstall software that is no longer needed (including trial software and old versions of
Work with your IT team or other resources to perform malware, vulnerability, configuration, and
other security audits on a regular basis.
Use a Firewall
Unless your electronic health record (EHR) and other systems are totally disconnected from the
Internet, you must install a firewall to protect against intrusions and threats from outside
Larger health care organizations that use a local area network (LAN) should consider a
Install and Maintain Antivirus Software
Use an antivirus product that provides continuously updated protection against viruses,
malware, and other code that can attack your computers through web downloads, CDs, e-mail,
and flash drives.
Keep antivirus software up-to-date.
Most antivirus software automatically generates reminders about these updates, and many are
configurable to allow for automated updating.
Plan for the Unexpected
Create data backups regularly and reliably.
Begin backing up data from day one of a new system.
Ensure the data are being captured correctly.
Ensure the data can be quickly and accurately restored.
Use an automated backup system, if possible.
Consider storing the backup far away from the main system.
Protect backup media with the same type of access controls described in the next section.
Test backup media regularly for their ability to restore data properly, especially as the backups
Have a sound recovery plan. Know the following:
What data was backed up (e.g., databases, pdfs, tiffs, docs)
When the backups were done (time frame and frequency)
Where the backups are stored
What types of equipment are needed to restore them
Keep the recovery plan securely at a remote location where someone has responsibility for
producing it in the event of an emergency.
Control Access to PHI
Configure your EHR system to grant PHI access only to people with a “need to know.”
This access control system might be part of an operating system (e.g., Windows), built into a
particular application (e.g., an e-prescribing module), or both.
Manually set file access permissions using an access control list.
This can only be done by someone with authorized rights to the system.
Prior to setting these permissions, identify which files should be accessible to which staff
Configure role-based access control as needed.
In role-based access, a staff member’s role within the organization (e.g., physician, nurse,
billing specialist, etc.) determines what information may be accessed.
Assign staff members to the correct roles and then set the access permissions for each role
correctly on a need-to-know basis.
The following case on access control provides additional examples of access control.
Mary Smith is the director of the health information management department in a hospital. Under
a user-based access control scheme, Mary would be allowed read-only access to the hospital’s
laboratory information system because of her personal identity—that is, because she is Mary
Smith and uses the proper log-in and password(s) to get into the system. Under a role-based
control scheme, Mary would be allowed read-only access to the hospital’s lab system because
she is part of the health information management department and all department employees
have been granted read-only privileges for this system. If the hospital were to adopt a
context-based control scheme, Mary might be allowed access to the lab system only from her
own workstation or another workstation in the health information services department, provided
she used her proper log-in and password. If she attempted to log in from the emergency
department or another administrative office, she might be denied access. The context control
could also involve time of day. Because Mary is a daytime employee, she might be denied
access if she attempted to log in at night.
Use Strong Passwords
Choose a password that is not easily guessed. Following are some examples of strong
At least eight characters in length (the longer the better)
A combination of uppercase and lowercase letters, one number, and at least one special
character, such as a punctuation mark
Strong passwords should not include personal information:
Names of self, family members, or pets
Social Security number
Anything that is on your social networking sites or could otherwise be discovered easily by
Use multifactor authentication for more security. Multifactor authentication combines multiple
authentication methods, such as a password plus a fingerprint scan; this results in stronger
security protections. If you e-prescribe controlled substances, you must use multifactor
authentication for your accounts.
Configure your systems so that passwords must be changed on a regular basis.
To discourage staff members from writing down their passwords, develop a password reset
process to provide quick assistance in case of forgotten passwords.
Limit Network Access
Prohibit staff members from installing software without prior approval.
When a wireless router is used, set it up to operate only in encrypted mode.
Prohibit casual network access by visitors.
Check to make sure file sharing, instant messaging, and other peer-to-peer applications have
not been installed without explicit review and approval.
Control Physical Access
Limit the chances that devices (e.g., laptops, handhelds, desktops, servers, thumb drives, CDs,
backup tapes) may be tampered with, lost, or stolen.
Document and enforce policies limiting physical access to devices and information:
Keep machines in locked rooms.
Manage keys to facilities.
Restrict removal of devices from a secure area.
National Institute of Standards and Technology (NIST) Cybersecurity Framework
Recognizing the severity of the rise in cybercrime, President Obama issued an executive order
in February 2013 to “enhance the security and resilience of the Nation’s critical infrastructure”
(Executive Order 13636). As a result the National Institute of Standards and Technology (NIST)
was directed to develop, with help of stakeholder organizations, a voluntary cybersecurity
framework to reduce cyber-attack risks. The resulting NIST cybersecurity framework consists
of three components (NIST, n.d.):
The Framework Core consists of “five concurrent and continuous Functions—Identify, Protect,
Detect, Respond, Recover.” The functions provide “the highest level, strategic view of an
organization’s management of cybersecurity risk” (NIST, n.d., p. 4). The functions are divided
into categories and subcategories as shown in Exhibit 9.2.
The Framework Implementation Tiers characterize an organization’s actual cybersecurity
practices compared to the framework, using a range of tiers from partial (Tier 1) to adaptive (Tier
The Framework Profile documents outcomes obtained by reviewing all of the categories and
subcategories and comparing them to the organization’s business needs. Profiles can be
identified as “current,” documenting where the organization is now, or as “target,” where the
organization would like to be in the future.
Since its initial publication in 2014, the HHS, OCR, and the ONC have cited the framework as
an important tool for health care organizations to consider when developing a comprehensive
security program. In 2016, OCR published a crosswalk that maps the HIPAA Security Rule to
the NIST framework, which can be found at HHS.gov/hipaa (US Department of Health and
Human Services, n.d.a).
In this chapter we gained insight into why health information privacy and security are key topics
for health care administrators. In today’s ever-increasing electronic world with new and more
virulent threats, the security of health information is an ongoing concern. In this chapter we
examined and defined the concepts of privacy, confidentiality, and security and explored major
legislative efforts, historical and current, to protect health care information, with a focus on the
HIPAA Privacy, Security, and Breach Notification rules. Different types of threats, human,
natural and environmental, intentional and unintentional, were identified, with a focus on the
increase in cybercrime. Basic requirements for a strong health care organization security
program were outlined and the chapter ended with a discussion of the cybersecurity challenges
within the current health care environment.
Assessing and Achieving Value in Health Care Information Systems
Virtually all the discussion in this book focuses on the knowledge and management processes
necessary to achieve one fundamental objective: organizational investments in IT resulting in a
desired value. That value might be the furtherance of organizational strategies, improvement in
the performance of core processes, or the enhancement of decision making. Achieving value
requires the alignment of IT with overall strategies, thoughtful governance, solid information
system selection and implementation approaches, and effective organizational change.
Failure to achieve desired value can result in significant problems for the organization. Money is
wasted. Execution of strategies is hamstrung. Organizational processes can be damaged.
This chapter carries the IT value discussion further. Specifically, it covers the following topics:
The definition of IT-enabled value
The IT project proposal
Ensuring the delivery of value
Analyses of the IT value challenge
Definition of IT-Enabled Value
We can make several observations about IT-enabled value:
IT value can be tangible and intangible.
IT value can be significant.
IT value can be variable across organizations.
IT value can be diverse across IT proposals.
A single IT investment can have a diverse value proposition.
Different IT investments have different objectives and hence different value propositions and
value assessment techniques.
These observations will be discussed in more detail in the following sections.
Tangible and Intangible
Tangible value can be measured whereas intangible value is very difficult, perhaps practically
impossible, to measure.
Some tangible value can be measured in terms of dollars:
Increases in revenue
Reductions in labor costs: for example, through staff layoffs, overtime reductions, or shifting
work to less expensive staff members
Reductions in supply costs: for example, because of improvements in purchasing
Reductions in maintenance costs for computer systems
Reductions in use of patient care services: for example, fewer lab tests are performed or care is
conducted in less expensive settings
Some tangible value can be measured in terms of process improvements:
Faster turnaround times for test results
Reductions in elapsed time to get an appointment
A quicker admissions process
Improvement in access to data
Improvements in the percentage of care delivery that follows medical evidence
Some tangible value can be measured in terms of strategically important operational and market
Growth in market share
Reduction in turnover
Increase in brand awareness
Increase in patient and provider satisfaction
Improvement in reliability of computer systems
By contrast, intangible value can be very difficult to measure. The organization is trying to
measure such things as
Improved decision making
Becoming more state of the art
Improved organizational competencies: for example, becoming better at managing chronic
Becoming more customer friendly
IT can be leveraged to achieve significant organization value. The following are some example
A study that compared the quality of diabetes care between physician practices that used EHRs
and practices that did not found that the EHR sites had composite standards for diabetes care
that were 35.1 percent higher than paper-based sites and had 15 percent better care outcomes
(Cebul, Love, Jain, & Herbert, 2011).
EMC (a company that makes data storage devices and other information technologies) reported
a reduction of $200 million in health care costs over ten years through the use of data analytics,
lifestyle coaches, and remote patient monitoring to help employees manage health risks and
chronic diseases (Mosquera, 2011).
A cross-sectional study of hospitals in Texas (Amarasingham, Plantinga, Diener-West, Gaskin,
& Powe, 2009) found that higher levels of the automation of notes and patient records were
associated with a 15 percent decrease in the adjusted odds of a fatal hospitalization. Higher
scores in the use of computerized provider order entry (CPOE) were associated with 9 percent
and 55 percent decreases in the adjusted odds of death for myocardial infarction and coronary
artery bypass graft procedures, respectively. For all cases of hospitalization, higher levels of
clinical decision-support use were associated with a 16 percent decrease in the adjusted odds
of complications. And higher levels of CPOE, results reporting, and clinical decision support
were associated with lower costs for all hospital admissions.
A clinical decision support (CDS) module, embedded within an EHR, was used to provide early
detection of situations that could result in venous thromboembolism (VTE). A study of the
impact of the module showed that the VTE rate declined from 0.954 per one thousand patient
days to 0.434 comparing baseline to full VTE CDS. Compared to baseline, patients benefitting
from VTE CDS were 35 percent less likely to have a VTE (Amland et. al., 2015).
Even when they implement the same system, not all organizations experience the same value.
Organizational factors such as change management prowess and governance have a
significant impact on an organization’s ability to be successful in implementing health information
As an example of variability, two children’s hospitals implemented the same EHR (including
CPOE) in their pediatric intensive care units. One hospital experienced a significant increase in
mortality (Han et al., 2005), whereas the other did not (Del Beccaro, Jeffries, Eisenberg, &
Harry, 2006). The hospital that did experience an increase in mortality noted that several
implementation factors contributed to the deterioration in quality; specific order sets for critical
care were not created, changes in workflow were not well executed, and orders for patients
arriving via critical care transportation could not be written before the patient arrived at the
hospital, delaying life-saving treatments.
Even when organizations have comparable implementation skill levels, the value achieved can
vary because different organizations decide to focus on different objectives. For example, some
organizations may decide to improve the quality of diabetes care, and others may emphasize
the reduction in care costs. Hence, if an outcome is of modest interest to an organization and it
devotes few resources to achieving that outcome, it should not be surprised if the outcome does
Diverse across Proposals
Consider three proposals (real ones from a large integrated delivery system) that might be in
front of organizational leadership for review and approval: a disaster notification system, a
document imaging system, and an e-procurement system. Each offers a different type of value
to the organization.
The disaster notification system would enable the organization to page critical personnel, inform
them that a disaster—for example, a train wreck or biotoxin outbreak—had taken place, and tell
them the extent of the disaster and the steps they would need to take to help the organization
respond to the disaster. The system would cost $520,000. The value would be “better
preparedness for a disaster.”
The document imaging system would be used to electronically store and retrieve scanned
images of paper documents, such as payment reconciliations, received from insurance
companies. The system would cost $2.8 million, but would save the organization $1.8 million per
year ($9 million over the life of the system) through reductions in the labor required to look for
paper documents and in the insurance claim write-offs that occur because a document cannot
The e-procurement system would enable users to order supplies, ensure that the ordering
person had the authority to purchase supplies, transmit the order to the supplier, and track the
receipt of the supplies. Data from this system could be used to support the standardization of
supplies, that is, to reduce the number of different supplies used. Such standardization might
save $500,000 to $3 million per year. The actual savings would depend on physician willingness
to standardize. The system would cost $2.5 million.
These proposals reflect a diversity of value, ranging from “better disaster response” to a clear
financial return (document imaging) to a return with such a wide potential range (e-procurement)
that it could be a great investment (if you really could save $3 million a year) or a terrible
investment (if you could save only $500,000 a year).
Diverse in a Single Investment
Picture archiving and communication systems (PACS) are used to store radiology (and other)
images, support interpretation of images, and distribute the information to the physician
providing direct patient care. These systems are an example of the diversity of value that can
result from one IT investment. A PACS can do the following:
Reduce costs for radiology film and the need for film librarians.
Improve service to the physician delivering care, through improved access to images.
Improve productivity for the radiologists and for the physicians delivering care (both groups
reduce the time they spend looking for images).
Generate revenue, if the organization uses the PACS to offer radiology services to physician
groups in the community.
This one investment has a diverse value proposition; it has the potential to deliver cost
reduction, productivity gains, service improvements, and revenue gains.
Different Analyses for Different Objectives
The Committee to Study the Impact of Information Technology on the Performance of Service
Activities (1994), organized by the National ResearchCouncil (NRC), has identified six
categories of IT investments in service industries, reflecting different objectives. The techniques
used to assess IT investment value should vary by the type of objective that the IT investment
intends to support. One technique does not fit all IT investments.
IT investments may be for infrastructure that enables other investments or applications to be
implemented and deliver desired capabilities. Examples of infrastructure are data
communication networks, workstations, and clinical data repositories. A delivery system–wide
network enables a large organization to implement applications to consolidate clinical
laboratories, implement organization-wide collaboration tools, and share patient health data
It is difficult to quantitatively assess the impact or value of infrastructure investments because of
They enable applications. Without those applications, infrastructure has no value. Hence,
infrastructure value is indirect and depends on application value.
The allocation of infrastructure value across applications is complex. When millions of dollars
are invested in a data communication network, it may be difficult or impossible to determine how
much of that investment should be allocated to the ability to create delivery system–wide EHRs.
A good IT infrastructure is often determined by its agility, potency, and ability to facilitate
integration of applications. It is very difficult to assign return on investment (ROI) numbers or
any meaningful numerical value to most of these characteristics. What, for instance, is the value
of being agile enough to speed up the time it takes to develop and enhance applications?
Information system infrastructure is as hard to evaluate as other organizational infrastructure,
such as having talented, educated staff members. As with other infrastructure,
Evaluation is often instinctive and experientially based.
In general, underinvesting can severely limit the organization.
Investment decisions involve choosing between alternatives that are assessed for their ability to
achieve agreed-on goals. For example,if an organization wishes to improve security, it might
ask whether it should invest in network monitoring tools or enhanced virus protection. Which of
these investments would enable it to make the most progress toward its goal?
Four Types of IT Investment
Complementing the NRC study, Jeanne Ross and Cynthia Beath (2002) studied the IT
investment approaches of thirty companies from a wide range of industries. They identified four
classes of investment:
Transformation. These IT investments had an impact that would affect the entire organization or
a large number of business units. The intent of the investment was to effect a significant
improvement in overall performance or change the nature of the organization.
Renewal. Renewal investments were intended to upgrade core IT infrastructure and applications
or reduce the costs or improve the quality of IT services. Examples of these investments
include application replacements, upgrades of the network, or expansion of data storage.
Process improvement. These IT investments sought to improve the operations of a specific
business entity—for example, to reduce costs and improve service.
Experiments. Experiments were designed to evaluate new information technologies and test
new types of applications. Given the results of the experiments, the organization would decide
whether broad adoption was desirable.
Different organizations will allocate their IT budgets differently across these classes. An office
products company had an investment mix of experiments (15 percent), process improvement
(40 percent), renewal (25 percent), and transformation (20 percent). An insurance firm had an
investment mix of experiments (3 percent), process improvement (25 percent), renewal (18
percent), and transformation (53 percent).
The investment allocation is often an after-the-fact consideration—the allocation is not planned, it
just “happens.” However, ideally, the organization decides its desired allocation structure and
does so before the budget discussions. An organization with an ambitious and perhaps radical
strategy may allocate a very large portion of its IT investment to the transformation class,
whereas an organization with a conservative, stay-the-course strategy may have a large
process improvement portion to its IT investments.
Source: Ross and Beath (2002, p. 54).
Information system investment may be necessary because of mandated initiatives. Mandated
initiatives might involve reporting quality data to accrediting organizations, making required
changes in billing formats, or improving disaster notification systems. Assessing these
initiatives is generally approached by identifying the least expensive and the quickest to
implement alternative that will achieve the needed level of compliance.
Information system investments directed to cost reduction are generally highly amenable to ROI
and other quantifiable dollar-impact analyses. The ability to conduct a quantifiable ROI analysis
is rarely the question. The ability of management to effect the predicted cost reduction or cost
avoidance is often a far more germane question.
Specific New Products and Services
IT can be critical to the development of new products and services. At times the information
system delivers the new service, and at other times it is itself the product. Examples of
information system–based new services include bank cash-management programs and
programs that award airline mileage for credit card purchases. A new service offered by some
health care providers is a personal health record that enables a patient to communicate with his
or her physician and to access care guidelines and consumer-oriented medical textbooks.
The value of some of these new products and services can be quantifiably assessed in terms of
a monetary return. These assessments include analyses of potential new revenue, either
directly from the service or from service-induced use of other products and services. An ROI
analysis will need to be supplemented by techniques such as sensitivity analyses of consumer
response. Despite these analyses, the value of this IT investment usually has a speculative
component. This component involves consumer utilization, competitor response, and impact on
Information system investments are often directed to improving the quality of service or medical
care. These investments may be intended to reduce waiting times, improve the ability of
physicians to locate information, improve treatment outcomes, or reduce errors in treatment.
Evaluation of these initiatives, although quantifiable, is generally done in terms of service
parameters that are known or believed to be important determinants of organizational success.
These parameters might be measures of aspects of organizational processes that customers
encounter and then use to judge the organization, for example, waiting times in the physician’s
office. A quantifiable dollar outcome for the service of care quality improvement can be very
difficult to predict. Service quality is often necessary to protect current business, and the effect
of a failure to continuously improve service or medical care can be difficult to project.
Major Strategic Initiative
Strategic initiatives in information technology are intended to significantly change the competitive
position of the organization or redefine the core nature of the enterprise. In health care it is
unusual that information systems are the centerpiece of a redefinition of the organization,
although as we discussed in Chapter Four IT is a critical foundation for provider efforts to
manage population health. However, several other industries have attempted IT-centric
Amazon is an effort to transform retailing. Venmo (which enables micropayments between
individuals) is an effort to disrupt aspects of the branch bank. There can be a ROI core or
component to analyses of such initiatives, because they often involve major reshaping or
reengineering of fundamental organizational processes. However, assessing the ROIs of these
initiatives and their related information systems with a high degree of accuracy can be very
difficult. Several factors contribute to this difficulty:
These major strategic initiatives usually recast the organization’s markets and its roles. The
outcome of the recasting, although visionary, can be difficult to see with clarity and certainty.
The recasting is evolutionary; the organization learns and alters itself as it progresses over what
are often lengthy periods of time. It is difficult to be prescriptive about this evolutionary process.
Most accountable care organizations are confronting this phenomenon.
Market and competitor responses can be difficult to predict.
IT value is diverse and complex. This diversity indicates the power of IT and the diversity of its
use. Nonetheless, the complexity of the value proposition means that it is difficult to make
choices between IT investments and also difficult to assess whether the investment ultimately
chosen delivered the desired value or not.
The IT Project Proposal
The IT project proposal is a cornerstone in examining value. Clearly, ensuring that all proposals
are well crafted does not ensure value. To achieve value, alignment with organizational
strategies must occur, factors for sustained IT excellence must be managed, budget processes
for making choices between investments must exist, and projects must be well managed.
However, the proposal (as will be discussed in Chapter Thirteen) does describe the intended
outcome of the IT investment. The proposal requests money and an organizational commitment
to devote management attention and staff effort to implementing an information system. The
proposal describes why this investment of time, effort, and money is worth it—that is, the
proposal describes the value that will result. In this section we discuss the value portion of the
proposal and some common problems encountered with it.
Sources of Value Information
As project proponents develop their case for an IT investment, they may be unsure of the full
gamut of potential value or of the degree to which a desired value can be truly realized. The
organization may not have had experience with the proposed application and may have
insufficient analyst resources to perform its own assessment. It may not be able to answer such
questions as, What types of gains have organizations seen as a result of implementing a
population health system? To what degree will IT be a major contributor to our efforts to improve
patient access through telehealth?
Information about potential value can be obtained from several sources (discussed in Appendix
A). Conferences often feature presentations that describe the efforts of specific individuals or
organizations in accomplishing initiatives of interest to many others. Industry publications may
offer relevant articles and analyses. Several industry research organizations—for example,
Gartner and the Advisory Board—can offer advice. Consultants can be retained who have
worked with clients who are facing or have addressedsimilar questions. Vendors of applications
can describe the outcomes experienced by their customers. And colleagues can be contacted
to determine the experiences of their organizations.
Garnering an understanding of the results of others is useful but insufficient. It is worth knowing
that Organization Y adopted computerized provider order entry (CPOE) and reduced
unnecessary testing by x percent. However, one must also understand the CPOE features that
were critical in achieving that result and the management steps taken and the process changes
made in concert with the CPOE implementation.
Formal Financial Analysis
Most proposals should be subjected to formal financial analyses regardless of their value
proposition. Several types of financial measures are used by organizations. An organization’s
finance department will work with leadership to determine which measures will be used and how
these measures will be compiled.
Two common financial measures are net present value and internal rate of return:
Net present value is calculated by subtracting the initial investment from the future cash flows
that result from the investment. The cash can be generated by new revenue or cost savings.
The future cash is discounted, or reduced, by a standard rate to reflect the fact that a dollar
earned one or more years from now is worth less than a dollar one has today (the rate depends
on the time period considered). If the cash generated exceeds the initial investment by a certain
amount or percentage, the organization may conclude that the IT investment is a good one.
Internal rate of return is the discount rate at which the present value of an investment’s future
cash flow equals the cost of the investment. Another way to look at this is to ask, Given the
amount of the investment and its promised cash, what rate of return am I getting on my
investment? On the one hand, a return of 1 percent is not a good return (just as one would not
think that a 1 percent return on one’s savings was good). On the other hand, a 30 percent return
is very good.
Table 7.1 shows the typical form of a financial analysis for an IT application.
Table 7.1 Financial analysis of a patient accounting document imaging system
Current Year Year 1 Year 2 Year 3 Year 4 Year 5 Year 6 Year 7
One-time capital expense $1,497,466 $1,302,534
System maintenance — 288,000 $288,000 $288,000 $288,000
$288,000 $288,000 $288,000
System maintenance — 152,256 152,256 152,256 152,256
152,256 152,256 152,256
TOTAL COSTS 1,497,466 1,742,790 440,256 440,256 440,256
440,256 440,256 440,256
Rebilling of small secondary balances — 651,000 868,000 868,000
868,000 868,000 868,000 868,000
Medicaid billing documentation — 225,000 300,000 300,000
300,000 300,000 300,000 300,000
bad debt audit — — — — 100,000 100,000 100,000
Projected staff savings — 36,508 136,040 156,504 169,065
169,065 169,065 171,096
Projected operating savings — 64,382 77,015 218,231 222,550 226,436
TOTAL BENEFITS — 976,891 1,381,055 1,542,735 1,659,615
1,663,502 1,663,608 1,669,031
CASH FLOW (1,497,466) (765,899) 940,799 1,102,479 1,219,359
1,223,246 1,223,352 1,228,775
CUMULATIVE CASH FLOW (1,497,466) (2,263,365) (1,322,566) (220,087)
999,272 2,222,517 3,445,869 4,674,644
NPV (12% discount ) 1,998,068
Comparing Different Types of Value
Given the diversity of value, it is very challenging to compare IT proposals that have different
value propositions. How does one compare a proposal that promises to increase revenue and
improve collaboration to one that offers improved compliance, faster turnaround times, and
reduced supply costs?
At the end of the day, judgment is used to choose one proposal over another. Health care
executives review the various proposals and associated value statements and make choices
based on their sense of organizational priorities, available monies, and the likelihood that the
proposed value will be seen. These judgments can be aided by developing a scoring approach
that enables leaders to apply a common metric across proposals. For example, the organization
might decide to score each proposal according to how much value it promises to deliver in each
of the following areas:
Patient or customer satisfaction
Quality of work life
Quality of care
Potential learning value
In this approach, each of these areas in each proposal is assigned a score, ranging from 5
(significant contribution to the area) to 1 (minimal or no contribution). The scores are then totaled
for each proposal, and, in theory, one picks those proposals with the highest aggregate scores.
In practice, IT investment decisions are rarely that purely algorithmic. However, such scoring
can be very helpful in sorting through complex and diverse value propositions:
Scoring forces the leadership team to discuss why different members of the team assigned
different scores—why, for example, did one person assign a score of 2 for the revenue impact
of a particular proposal and another person assign a 4? These discussions can clarify people’s
understandings of proposal objectives and help the team arrive at a consensus on each project.
Scoring means that the leadership team will have to defend any decision not to fund a project
with a high score or to fund one with a low score. In the latter case, team members will have to
discuss why they are all in favor of a project when it has such a low score.
Prerequisites for Effective IT Project Prioritization
Jeanne Ross and Emmett Johnson (2009) identified four prerequisites to effective IT project
Explicit operating vision of the business. An operating vision is more than the sum of the
operations of individual departments. Rather, it is a solid understanding of how the organization
wants to operate as a whole. For example, how will the organization manage patients with a
chronic disease? What processes must be in place to ensure a superior patient experience?
Operating visions lead to enterprise-wide requirements for integration and standardization. IT
projects should support this vision and conform to these requirements.
Business process owners. Process owners are those senior leaders who are responsible for
the performance of core organization processes, such as patient access. These owners must
sponsor IT initiatives and be held accountable for their successful completion and value delivery.
These owners are in a good position to understand the IT priorities of their processes.
Transparent IT operating costs. Organizational leadership must understand IT costs and the
drivers of those costs. This understanding prepares them to thoughtfully assess the risks and
benefits of proposed new systems and to identify alternative approaches to achieving desired
Rigorous project governance. Excellent IT governance must exist for the overall IT agenda (to
be discussed in Chapter Twelve) and for individual projects (to be discussed in Chapter
Source: Ross and Johnson (2009).
The organization can decide which proposal areas to score and which not to score. Some
organizations give different areas different weights—for example, reducing costs might be
considered twice as important as improving organizational learning. The resulting scores are not
binding, but they canbe helpful in arriving at a decision about which projects will be approved and
what value is being sought.
Tactics for Reducing the Budget
Proposals for IT initiatives may originate from a wide variety of sources in an organization. The
IT group will submit proposals, as will department directors and physicians. Many of these
proposals will not be directly related to an overall strategy but may nevertheless be good ideas
that if implemented would lead to improved organizational performance. So it is common for an
organization to have more proposals than it can fund. For example, during the IT budget
discussion, the leadership team may decide that although it is looking at $2.2 million in requests,
the organization can afford to spend only $1.7 million, so $500,000 worth of requests must be
denied. Table 7.2 presents a sample list of requests.
Table 7.2 Requests for new information system projects
Community General Hospital
Project Name Operating Cost
Clinical portfolio development 38,716
Enterprise monitoring 70,133
HIPAA security initiative 36,950
Accounting of disclosure—HIPAA 35,126
Ambulatory Center patient tracking 62,841
Bar-coding infrastructure 64,670
Capacity management 155,922
Chart tracking 34,876
Clinical data repository 139,902
CRP research facility 7,026
Emergency Department data warehouse 261,584
Emergency Department order entry 182,412
Medication administration system 315,323
Order communications 377,228
Transfusion services replacement system 89,772
Wireless infrastructure 44,886
Next-generation order entry 3,403
Graduate medical education duty hours 163,763
Reducing the budget in situations such as this requires a value discussion. The leadership is
declaring some initiatives to have more value than others. Scoring initiatives according to criteria
is one approach to addressing this challenge.
In addition to such scoring, other assessment tactics can be employed, prior to the scoring, to
assist leaders in making reduction decisions.
Some requests are mandatory. They may be mandatory because of a regulation requirement
(such as a new Medicare rule) or because a current system is so obsolete that it is in danger of
crashing—permanently—and it must be replaced soon. These requests must be funded.
Some projects can be delayed. They are worthwhile, but a decision on them can be put off until
next year. The requester will get by in the meantime.
Key groups within IT, such as the staff members who manage clinical information systems, may
already have so much on their plate that they cannot possibly take on another project. Although
the organization wants to do the project, it would be ill-advised to do so now, and so the project
can be deferred to next year.
The user department proposing the application may not have strong management or may be
experiencing some upheaval; hence, implementing a new system at this time would be risky.
The project could be denied or delayed until the management issues have been resolved.
The value proposition or the resource estimates or both are shaky. The leadership team does
not trust the proposal, so it could be denied or sent back for further analysis. Further analysis
means that the proposal will be examined again next year.
Less expensive ways of addressing the problems cited in the proposal may exist, such as a
less expensive application or a non-IT approach. The proposal could be sent back for further
The proposal is valuable, and the leadership team would like to move it forward. However, the
team may reduce the budget, enabling progress to occur but at a slower pace. This delays
realizing the value but ensures that resources are devoted to making progress.
These tactics are routinely employed during budget discussions aimed at trying to get as much
value as possible given finite resources.
Common Proposal Problems
During the review of IT investment proposals, organizational leadership might encounter several
problems related to the estimates of value and the estimates of the resources needed to obtain
the value. If undetected, these problems might lead to a significant overstatement of potential
return or understatement of costs. An overstatement or understatement, obviously, may result
in significant organizational unhappiness when the value that people thought they would see
never materializes and never could have materialized.
Fractions of Effort
Proposal analyses might indicate that the new IT initiative will save fractions of staff time, for
example, that each nurse will spend fifteen minutes less per shift on clerical tasks. To suggest a
total value, the proposal might multiply as follows (this example is highly simplified): 200 nurses
× 15 minutes saved per 8-hour shift × 250 shifts worked per year = 12,500 hours saved. The
math might be correct, and the conclusion that 12,500 hours will become available for doing
other work such as direct patient care might also be correct. But the analysis will be incorrect if
it then concludes that the organization would thus “save” the salary dollars of six nurses
(assuming 2,000 hours worked per year per nurse).
Saving fractions of staff effort does not always lead to salary savings, even when there are large
numbers of staff members, because there may be no practical way to realize the savings—to,
for example, lay off six nurses. If, for example, there are six nurses working each eight-hour
shift in a particular nursing unit, the fifteen minutes saved per nurse would lead to a total savings
of 1.5 hours per shift. But if one were then to lay off one nurse on a shift, it would reduce the
nursing capacity on that shift by eight hours, damaging the unit’s ability to deliver care. Saving
fractions of staff member effort does not lead to salary savings when staff members are
geographically highly fragmented or when they work in small units or teams. It leads to possible
salary savings only when staff members work in very large groups and some work of the
reduced staff members can be redistributed to others.
Reliance on Complex Behavior
Proposals may project with great certainty that people will use systems in specific ways. For
example, several organizations expect that consumers will use Internet-based quality report
cards to choose their physicians andhospitals. However, few consumers appear to actually rely
on such sites. Organizations may expect that nurses will readily adopt systems that help them
discharge patients faster. However, nurses often delay entering discharge transactions so that
they can grab a moment of peace in an otherwise overwhelmingly busy day.
System use is often not what was anticipated. This is particularly true when the organization has
no experience with the relevant class of users or with the introduction of IT into certain types of
tasks. The original value projection can be thrown off by the complex behaviors of system
users. People do not always behave as we expect or want them to. If user behavior is uncertain,
the organization would be wise to pilot an application and learn from this demonstration.
Project proponents are often guilty of optimism that reflects a departure from reality. Proponents
may be guilty of any of four mistakes:
They assume that nothing will go wrong with the project.
They assume that they are in full control of all variables that might affect the project—even, for
example, quality of vendor products and organizational politics.
They believe that they know exactly what changes in work processes will be needed and what
system features must be present, when what they really have, at best, are close
approximations of what must happen.
They believe that everyone can give full time to the project and forget that people get sick or
have babies and that distracting problems unrelated to the project will occur, such as a sudden
deterioration in the organization’s fiscal performance, and demand attention.
Decisions based on such optimism eventually result in overruns in project budgets and
timetables and compromises in system goals. Overruns and compromises change the value
Projects often achieve gains in the first year of their implementation, and proponents are quick to
project that such gains will continue during the remaining life of the project. For example, an
organization may see 10 percentof its physicians move from using dictation when developing a
progress note to using structured, computer-based templates. The organization may then
erroneously extrapolate that each year will see an additional 10 percent shift. In fact, the first
year might be the only year in which such a gain will occur. The organization has merely
convinced the more computer-facile physicians to change, and the rest of the physicians have
no interest in ever changing.
Underestimating the Effort
Project proposals might count the IT staff member effort in the estimates of project costs but not
count the time that users and managers will have to devote to the project. A patient care system
proposal, for instance, may not include the time that will be spent by dozens of nurses working
on system design, developing workflow changes, and attending training. These efforts are real
costs. They often lead to the need to hire temporary nurses to provide coverage on the inpatient
care units, or they might lead to a reduced patient census because there are fewer nursing
hours available for patient care. Such miscounting of effort understates the cost of the project.
IT project proposals may note that the project can reduce the expenses of a department or
function, including costs for staff members, supplies, and effort devoted to correcting mistakes
that occur with paper-based processes. Department managers will swear in project approval
forums that such savings are real. However, when asked if they will reduce their budgets to
reflect the savings that will occur, these same managers may become significantly less
convinced that the savings will result. They may comment that the freed-up staff member effort
or supplies budgets can be redeployed to other tasks or expenses. The managers may be right
that the expenses should be redeployed, and all managers are nervous when asked to reduce
their budgets and still do the same amount of work. However, the savings expected have now
Failure to Account for Post-Implementation Costs
After a system goes live, the costs of the system do not go away. System maintenance
contracts are necessary. Hardware upgrades will be required. Staff members may be needed to
provide enhancements to the application. These support costs may not be as large as the costs
of implementation, butthey are costs that will be incurred every year, and over the course of
several years they can add up to some big numbers. Proposals often fail to adequately account
for support costs.
Ensuring the Delivery of Value
Achieving value from IT investments requires management effort. There is no computer genie
that descends on the organization once the system is live and waves its wand
and—shazzam!—value has occurred. Achieving value is hard work but doable work.
Management can take several steps to ensure the delivery of value (Dragoon, 2003; Glaser,
2003a, 2003b). These steps are discussed in the sections that follow.
Make Sure the Homework Was Done
IT investment decisions are often based on proposals that are not resting on solid ground. The
proposer has not done the necessary homework, and this elevates the risk of a suboptimal
Clearly, the track record of the investment proposer will have a significant influence on the
investment decision and on leaders’ thinking about whether or not the investment will deliver
value. However, regardless of the proposer’s track record, an IT proposal should enable the
leadership team to respond with a strong yes to each of the following questions:
Is it clear how the plan advances the organization’s strategy?
Is it clear how care will improve, costs will be reduced, or service will be improved? Are the
measures of current performance and expected improvement well researched and realistic?
Have the related changes in operations, workflow, and organizational processes been defined?
Are the senior leaders whose areas are the focus of the IT plan clearly supportive? Could they
give the project proposal presentation?
Are the resource requirements well understood and convincingly presented? Have these
requirements been compared to those experienced by other organizations undertaking similar
Have the investment risks been identified, and is there an approach to addressing these risks?
Do we have the right people assigned to the project, have we freed up their time, and are they
Answering with a no, a maybe, or an equivocal yes to any of these questions should lead one to
believe that the discussion is perhaps focusing on an expense rather than an investment.
Require Formal Project Proposals
It is a fact of organizational life that projects are approved as a result of hallway conversations or
discussions on the golf course. Organizational life is a political life. While recognizing this reality,
the organization should require that every IT project be written up in the format of a proposal and
that each proposal should be reviewed and subjected to scrutiny before the organization will
commit to supporting it. However, an organization may also decide that small projects—for
example, those that involve less than $25,000 in costs and less than 120 person-hours—can be
handled more informally.
Increase Accountability for Investment Results
Few meaningful organizational initiatives are accomplished without establishing appropriate
accountability for results. Accountability for IT investment results can be improved by taking
three major steps.
First, the business owner of the IT investment should defend the investment—for example, the
director of clinical laboratories should defend the request for a new laboratory system and the
director of nursing should defend the need for a new nursing system. The IT staff members will
need to work with the business owner to define IT costs, establish likely implementation time
frames, and sort through application alternatives. But the IT staff members should never defend
an application investment.
Second, as will be discussed in Chapter Thirteen, project sponsors and business owners must
be defined, and they must understand the accountability that they now have for the successful
completion of the project.
Third, the presentation of these projects should occur in a forum that routinely reviews such
requests. Seeing many proposals, and their results, over the course of time will enable the
forum participants to develop a seasoned understanding of good versus not-so-good proposals.
Forum members are also able to compare and contrast proposals as they decide which ones
should be approved. A manager might wonder (and it’s a good question), “If I approve this
proposal, does that mean that we won’t have resources for another project that I might like even
better?” Examining as many proposals together as possible enables the organization to take a
portfolio view of its potential investments.
Figure 7.1 displays an example of a project investment portfolio represented graphically. The
size of each bubble reflects the magnitude of a particular IT investment. The axes are labeled
“reward” (the size of the expected value) and “risk” (the relative risk that the project will not
deliver the value). Other axes may be used. One commonly used set of axes consists of
“support of operations” and “support of strategic initiatives.”
Diagrams such as the one in Figure 7.1 serve several functions:
They summarize IT activity on one piece of paper, enabling leaders to consider a new request in
the context of prior commitments.
They help to ensure a balanced portfolio, promptly revealing imbalances such as a clustering of
projects in the high-risk quadrant.
They help to ensure that the approved projects cover an appropriate spectrum of organizational
needs: for example, that projects are directed to revenue cycle improvement, to operational
improvement, and to patient safety.
Manage the Project Well
One guaranteed way to reduce value is to mangle the management of the implementation
project. Implementation failures or significant budget and timetable overruns or really unhappy
users—any of these can dilute value.
Types of Portfolio Investments
Peter Weill and Sinan Aral (2006) note that organizations should manage their IT investments as
a portfolio. Specifically, they describe four types of IT investments in a portfolio.
Infrastructure. Infrastructure refers to the core information technology that serves as the
foundation for all applications. Examples of infrastructure include networks, servers, operating
systems, and mobile devices.
Transactional. Transactional systems are those applications that support the core operations
processes. Examples of transactional systems include CPOE, scheduling, clinical laboratory
automation, and clinician documentation.
Informational. Informational IT assets are those that support decision making such as clinical
decision support, quality measurement and analyses, market assessment, and budget
Strategic. Strategic investments are IT systems that are critical to the furthering of an
organization’s strategy. These investments could be infrastructure, transactional, and
informational, but they differ in that they are clearly directed to furthering a strategic initiative as
distinct from being helpful to support ongoing operations.
Weill and Aral note that different industries have different allocations of IT investments across
these categories. Financial services emphasize infrastructure in an effort to ensure high
reliability and low costs. However, retail has emphasized informational as they seek to
understand customer buying patterns.
Source: Weill and Aral (2006).
Among the many factors that can lead to mangled project management are the following:
The project’s scope is poorly defined.
The accountability is unclear.
The project participants are marginally skilled.
The magnitude of the task is underestimated.
Users feel like victims rather than participants.
All the world has a vote and can vote at any time.
Many of these factors were discussed in Chapters Five and Six.
Value is not an automatic result of implementing an information system. Value must be
managed into existence. Figure 7.2 depicts a reduction in days in accounts receivable (AR) at a
physician practice. During the interval depicted, a new practice management system was
implemented. The practice did not see a precipitous decline in days in AR (a sign of improved
revenue performance) in the time immediately following the implementation in the second
quarter of 2015. The practice did see a progressive improvement in days in AR because
someone was managing that improvement using the new capabilities that came with the new
Figure 7.2 Days in accounts receivable
If the gain in revenue performance had been an “automatic” result of the information system
implementation, the practice would have seen a quick, sharp drop in days in AR. Instead it saw
a gradual improvement over time. This gradual change reflects the following:
The gain occurred through day-in, day-out changes in operational processes, fine-tuning of
system capabilities, and follow-ups in staff training.
A person had to be in charge of obtaining this improvement. Someone had to identify and make
operational changes, manage changes in system capabilities, and ensure that needed training
Conduct Post-Implementation Audits
Rarely do organizations revisit their IT investments to determine if the promised value was
actually achieved. They tend to believe that once the implementation is over and the change
settles in, value will have been automatically achieved. This is unlikely.
Post-implementation audits can be conducted to identify value achievement progress and the
steps still needed to achieve maximum gain. An organization might decide to audit two to four
systems each year, selecting systems that have been live for at least six months. During the
course of the audit meeting, these five questions can be asked:
What goals were expected at the time the project investment was approved?
How close have we come to achieving those original goals?
What do we need to do to close the goal gap?
How much have we invested in system implementation, and how does that compare to our
If we had to implement this system again, what would we do differently?
Post-implementation audits assist value achievement by the following:
Signaling leadership interest in ensuring the delivery of results
Identifying steps that still need to be taken to ensure value
Supporting organizational learning about IT value realization
Reinforcing accountability for results
Celebrate Value Achievement
Business value should be celebrated. Organizations usually hold parties shortly after
applications go live. These parties are appropriate; a lot of people worked very hard to get the
system up and running and used. However, up and running and used does not mean that value
has been delivered. In addition to go-live parties, organizations should consider business value
parties,celebrations conducted once the value has been achieved—for example, a party that
celebrates the achievement of service improvement goals. Go-live parties alone risk sending
the inappropriate signal that implementation is the end point of the IT initiative. Value delivery is
the end point.
Leverage Organizational Governance
The creation of an IT committee of the board of directors can enhance organizational efforts to
achieve value from IT investments. At times the leadership team of an organization is
uncomfortable with some or all of the IT conversation. Board members may not understand why
infrastructure is so expensive or why large implementations can take so long and cost so much.
They may feel uncomfortable with the complexity of determining the likely value to be obtained
from IT investments. The creation of a subcommittee made up of the board members most
experienced with such discussions can help to ensure that hard questions are being asked and
that the answers are sound.
Shorten the Deliverables Cycle
When possible, projects should have short deliverable cycles. In other words, rather than asking
the organization to wait twelve or eighteen months to see the first fruits of its application
implementation labors, make an effort to deliver a sequence of smaller implementations. For
example, one might conduct pilots of an application in a subset of the organization, followed by a
staged rollout. Or one might plan for serial implementation of the first 25 percent of the
Pilots, staged rollouts, and serial implementations are not always doable. When they are
possible, however, they enable the organization to achieve some value earlier rather than later,
support organizational learning about which system capabilities are really important and which
were only thought to be important, facilitate the development of reengineered operational
processes, and create the appearance (whose importance is not to be underestimated) of more
Organizations should benchmark their performance in achieving value against the performance
of their peers. These benchmarks might focus on process performance—for example, days in
accounts receivable or average time to get an appointment. An important aspect of value
benchmarkingis the identification of the critical IT application capabilities and related operational
changes that enabled the achievement of superior results. This understanding of how other
organizations achieved superior IT-enabled performance can guide an organization’s efforts to
continuously achieve as much value as possible from its IT investments.
Once a year the IT department should develop a communication plan for the twelve months
ahead. This plan should indicate which presentations will be made in which forums and how
often IT-centric columns will appear in organizational newsletters. The plan should list three or
so major themes—for example, specific regional integration strategies or efforts to improve IT
service—that will be the focus of these communications. Communication plans try to remedy
the fact that even when value is being delivered, most people in the organization may not be fully
aware of it.
Analyses of the IT Value Challenge
The IT investment and value challenge plagues all industries. It is not a problem peculiar to
health care. The challenge has been with us for fifty years, ever since organizations began to
spend money on big mainframes. This challenge is complex and persistent, and we should not
believe we can fully solve it. We should believe we can be better at dealing with it. This section
highlights the conclusions of several studies and articles that have examined this challenge.
Factors That Hinder Value Return
The Committee to Study the Impact of Information Technology on the Performance of Service
Activities (1994) found these major contributors to failures to achieve a solid return on IT
The organization’s overall strategy is wrong, or its assessment of its competitive environment is
The strategy is fine, but the necessary IT applications and infrastructure are not defined
appropriately. The information system, if it is solving a problem, is solving the wrong problem.
The organization fails to identify and draw together well all the investments and initiatives
necessary to carry out its plans. The ITinvestment then falters because other changes, such as
reorganization or reengineering, fail to occur.
The organization fails to execute the IT plan well. Poor planning or less than stellar management
can diminish the return from any investment.
Value may also be diluted by factors outside the organization’s control. Weill and Broadbent
(1998) noted that the more strategic the IT investment, the more its value can be diluted. An IT
investment directed to increasing market share may have its value diluted by non-IT decisions
and events—for example, pricing decisions, competitors’ actions, and customers’ reactions. IT
investments that are less strategic but have business value—for example, improving nursing
productivity—may be diluted by outside factors—for example, shortages of nursing staff
members. And the value of an IT investment directed toward improving infrastructure
characteristics may be diluted by outside factors—for example, unanticipated technology
immaturity or business difficulties confronting a vendor.
The Investment-Performance Relationship
A study by Strassmann (1990) examined the relationship between IT expenditures and
organizational effectiveness. Data from an Information Week survey of the top one hundred
users of IT were used to correlate IT expenditures per employee with profits per employee.
Strassmann concluded that there is no overall obvious direct relationship between expenditure
and organizational performance. This finding has been observed in several other studies (for
example, Keen, 1997). It leads to several conclusions:
Spending more on IT is no guarantee that the organization will be better off. There has never
been a direct correlation between spending and outcomes. Paying more for care does not give
one correspondingly better care. Clearly, one can spend so little that nothing effective can be
done. And one can spend so much that waste is guaranteed. But moving IT expenditures from 4
percent of the operating budget to 6 percent of the operating budget does not inherently lead to a
50 percent increase in desirable outcomes.
Factors other than the appropriateness of the tool to the task also influence the relationship
between IT investment and organizational performance. These factors include the nature of the
work (for example, IT is likely to have a greater impact on bank performancethan on consulting
firm performance), the basis of competition in an industry (for example, cost per unit of
manufactured output versus prowess in marketing), and an organization’s relative competitive
position in the market.
The Value of the Overall Investment
Many analyses and academic studies have been directed to answering this broad question:
How can an organization assess the value of its overall investments in IT? Assessing the value
of the aggregate IT investment is different from assessing the value of a single initiative or other
specific investment. And it is also different from assessing the caliber of the IT department.
Developing a definitive, accurate, and well-accepted way to answer this question has so far
eluded all industries and may continue to be elusive. Nonetheless there are some basic
questions that can be asked in pursuit of answering the larger question. Interpreting the answers
to these basic questions is a subjective exercise, making it difficult to derive numerical scores.
Bresnahan (1998) suggests five questions:
How does IT influence the customer experience?
Do patients and physicians, for example, find that organizational processes are more efficient,
less error prone, and more convenient?
Does IT enable or retard growth? Can the IT organization support effectively the demands of a
merger? Can IT support the creation of clinical product lines—for example, cardiology—across
the integrated delivery system?
Does IT favorably affect productivity?
Does IT advance organizational innovation and learning?
Progressive Realization of IT Value
Brown and Hagel (2003) made three observations about IT value.
First, IT value requires innovation in business practices. If an organization merely computerizes
existing processes without rectifying (or at times eliminating) process problems, it may have
merely made process problems occur faster. In addition, those processes are now more
expensive because there is a computer system to support. Providing appointment scheduling
systems may not make waiting times any shorter or enhance patients’ ability to get an
appointment when they need one.
All IT initiatives should be accompanied by efforts to materially improve the processes that the
system is designed to support. IT often enables the organization to think differently about a
process or expand its options for improving a process. If the process thinking is narrow or
unimaginative, the value that could have been achieved will have been lost, with the organization
settling for an expensive way to achieve minimal gain.
For example, if Amazon had thought that the Internet enabled it to simply replace the catalogue
and telephone as a way of ordering something, it would have missed ideas such as presenting
products to the customer based on data about prior orders or enabling customers to leave their
own ratings of books and music.
Second, the economic value of IT comes from incremental innovations rather than “big bang”
initiatives. Organizations will often introduce very large computer systems and process change
all at once. Two examples of such big bangs are the replacement of all systems related to the
revenue cycle and the introduction of a new EHR over the course of a few weeks.
Big bang implementations are very tricky and highly risky. They may be haunted by series of
technical problems. Moreover, these systems introduce an enormous number of process
changes affecting many people. It is exceptionally difficult to understand the ramifications of
such change during the analysis and design stages that precede implementation. A full
understanding is impossible. As a result, the implementing organization risks material damage.
This damage destroys value. It may set the organization back, and even if the organization
grinds its way through the disruption, the resulting trauma may make the organization unwilling
to engage in future ambitious IT initiatives.
By contrast, IT implementations (and related process changes) that are more incremental and
iterative reduce the risk of organizational damage and permit the organization to learn. The
organization has time to understand the value impact of phase n and then can alter its course
before it embarks upon phase n + 1. Moreover, incremental change leads the organization’s
members to understand that change, and realizing value, are never-ending aspects of
organizational life rather than things to be endured every couple of years.
Third, the strategic impact of IT investments comes from the cumulative effect of sustained
initiatives to innovate business practices. If economic value is derived from a series of
thoughtful, incremental steps, then the aggregate effect of those steps should be a competitive
advantage. Most of the time, organizations that wind up dominating an industry do so through
incremental movement over the course of several years (Collins, 2001).
Persistent innovation by a talented team, over the course of years, will result in significant
strategic gains. The organization has learned how toimprove itself, year in and year out.
Strategic value is a marathon. It is a long race that is run and won one mile at a time.
Companies with Digital Maturity
CapGemini (2012) examined digital innovations at four hundred large companies. The study
examined the digital maturity of these companies and compared this maturity with the
performance of the companies. Digital maturity is defined according to two variables:
Digital intensity, or the extent to which the company had invested in technology-enabled
initiatives to change how the company operates. Example investments included advanced
analytics, social media, digital design of products, and real-time monitoring of operations.
Transformation management intensity, or the extent of the leadership capabilities necessary to
drive digital transformation throughout the company. Example capabilities included vision,
governance, and ability to change culture.
The study examined the degree to which digital intensity and transformation-management
intensity separated those that performed well from those that did not. (See Figure 7.3.)
The study found that companies that had low scores on both intensity dimensions fared the
poorest (24 percent less profitable than their competitors), whereas companies that had high
scores on both intensity dimensions performed the best (26 percent more profitable than their
However, the study found that transformation-management intensity was more important than
digital intensity. Companies that had high transformation-management intensity but low digital
intensity performed 9 percent better than their competitors. And companies that had high digital
intensity but low transformation intensity were 11 percent less profitable than competitors.
Transformation ability was more important than investment in IT although IT investments
enabled transformation skills to achieve more value.
IT value is complex, multifaceted, and diverse across and within proposed initiatives. The
techniques used to analyze value must vary with the nature of the value.
Figure 7.3 Digital intensity versus transformation intensity
Source: CapGemini (2012). CapGemini Consulting and the MIT Center for Digital Business,
“The Digital Advantage: How digital leaders outperform their peers in every industry,” Nov. 5,
2012. Used with permission.
The project proposal is the core means for assessing the potential value of an IT initiative. IT
proposals have a commonly accepted structure. And approaches exist for comparing proposals
with different types of value propositions. Project proposals often present problems in the way
they estimate value—for example, they may unrealistically combine fractions of effort saved, fail
to appreciate the complex behavior of system users, or underestimate the full costs of the
Many factors can dilute the value realized from an IT investment. Poor linkage between the IT
agenda and the organizational strategy, the failure to set goals, and the failure to manage the
realization of value all contribute to dilution.
There are steps that can be taken to improve the achievement of IT value. Leadership can
ensure that project proponents have done their homework, that accountability for results has
been established, that formal proposalsare used, and that post-implementation audits are
conducted. Even though there are many approaches and factors that can enhance the
realization of IT-enabled value, the challenges of achieving this value will remain a management
issue for the foreseeable future.
Health care organization leaders often feel ill-equipped to address the IT investment and value
challenge. However, no new management techniques are required to evaluate IT plans,
proposals, and progress. Leadership teams are often asked to make decisions that involve
strategic hunches (such as a belief that developing a continuum of care would be of value) about
areas where they may have limited domain knowledge (new surgical modalities) and where the
value is fuzzy (improved morale). Organizational leaders should treat IT investments just as
they would treat other types of investments; if they don’t understand, believe, or trust the
proposal or its proponent, they should not approve it.
Evaluation research studies essential to
ensuring health information systems meet
the needs of users, including patients
Joanne Callen, BA, DipEd, MPH(Research), PhD
Electronic health records and the Internet will continue to transform how information is accessed and shared. Users of
health data such as health professionals, governments, policymakers, researchers and patients themselves need to be able
to access the right information at the right time and be confident in the quality of that information, whether personal,
aggregated or knowledge based. It is essential to evaluate information systems and applications that claim to improve infor-
mation quality and access in order to provide evidence that they support
healthcare delivery and improve patient outcomes.
access to information; data quality; electronic medical records; evaluation research; health information management;
health information systems; Internet; patient access to records; personal electronic health records
I am pleased to advise that beginning with this Issue, the
Health Information Management Journal (HIMJ) will have
a new publisher, SAGE Publishing Ltd (SAGE). Previously
our research journal was published ‘in house’ by the Health
Information Management Association of Australia
(HIMAA). This suited our needs as evidenced by the
increasing quality of the journal content and our ability to
obtain an impact factor in 2009. Recently, it became appar-
ent that for HIMJ to maintain its position among peer-
reviewed journals and to develop it further, it was essential
to move to an external publisher. The scientific publishing
environment is changing rapidly, becoming highly compet-
itive and complex. After negotiations with a number of
potential publishers, HIMAA signed a 5-year contract with
SAGE. Ownership and copyright of HIMJ will be retained
by HIMAA, and the Editorial Board of HIMJ will retain
full editorial independence. The benefits for HIMJ will be
evident in the production service, including online submis-
sion and tracking of papers, an increase in reach, visibility
and profile, and an upgraded web page. SAGE is an inde-
pendent company that, by its own constitution, cannot be
subject to merger or acquisition and this guarantees stabi-
lity in our partnership. I believe this is an exciting time for
HIMJ. I look forward to our collaboration with SAGE and
am confident it will ensure that HIMJ will continue to
advance in terms of the quality and reach of published
papers related to the management of health information.
Users of health data such as health professionals, patients,
governments, policymakers and researchers need to be
confident in the quality of the information being accessed.
Are the data reliable? The Canadian Institute for Health
Information (2009) proposed five key dimensions of data
quality: accuracy (how well information in or derived from
the data holding reflects the reality they were designed to
measure), timeliness (how current the data are), comparabil-
ity (extent to which data are consistent over time), usability
(ease of access and comprehension) and relevance (degree to
which the data meet the current and future needs of users).
Challenges to the quality of routinely collected data are
highlighted in the studies reported in this Issue by Monto
et al. (2016) and Davis et al. (2016), and also online by
Donnolley et al. (2016). Monto et al. (2016) found that
health-related quality of life data for cost-effectiveness anal-
ysis (CEA) were incomplete due to a multitude of factors,
including lack of commitment of hospital staff, typing errors
with manual data entry, incomplete information on forms
completed by patients related to quality of life, and cost
information of treatments not recorded in CEA software.
Data collection processes varied between departments, and
there was a lack of commitment from senior management
regarding the importance of quality data. This article pro-
vides practical suggestions for improvements from a busi-
ness process management perspective, such as automation of
paper questionnaires using touch screens, commitment of
resources to the data collection process and education, feed-
back of data to staff and uniform procedures for every unit.
The management of health information in aged care ser-
vices is challenged by a structure that encompasses a multitude
of manual and electronic systems with minimal integration and
consistency. Given that efficient and effective information
Macquarie University, Australia
Health Information Management Journal
2016, Vol. 45(1) 3–4
ª The Author(s) 2016
Reprints and permission:
systems are necessary to support the provision of high-quality
aged care and funding, Davis et al. (2016) used a modified
Delphi method to determine the key information needs in this
setting. The final proposed aged care minimum data set con-
sists of 60 core data items broadly grouped into who receives
the service, what services they receive and service cost and
outcomes (data items for the last category are under develop-
ment). Davis et al. (2016) also provide advice regarding stra-
tegies to improve the quality of aged care data and collection
processes, highlighting the importance of staff education and
training, information and technology infrastructure planning
and governance. In respect of models of care for maternity
services, Donnolley et al. (2016) have provided a much needed
classification system. Given that there is a broad range of mod-
els of care in this area with little clarity around definitions and
terms, this research filled a much needed gap and also has the
potential to expand as maternity care models evolve. Impor-
tantly, the process used to develop the models of care could be
replicated in other care service areas (Donnolley et al., 2016).
In this Issue, Usher et al. (2016) have presented a study
that explores how university students use communication
technologies to access publicly available health information.
The increased use of social media (e.g. Facebook, Twitter,
Instagram) and mobile communication technologies (e.g.
smartphones and iPads) has prompted researchers to ask the
extent to which these technologies are being used to access
health information and whether this access leads to positive
healthy lifestyle changes. This is vital research given that
young people often engage in risky health behaviours and
also have high usage of mobile technologies and social media.
The study reports that most students used mobile communi-
cation technologies rather than social media to access health
information. Usher and colleagues also found that the univer-
sity students in their sample perceived that the use of both
social media and mobile technologies impacted positively on
their health lifestyle behaviours, with outcomes including
increased exercise, diet changes and emotional well-being.
New trends point to patients needing to be able to access
information from their personal health records to foster a
collaborative relationship with their healthcare providers.
It is claimed that patients’ access to electronic health records
(EHRs) supports and improves their communications with
healthcare providers and also provides patients with greater
control and responsibility over their care. A recent study
examined how maternity patients accessed their health
information using patient portals tied to their EHRs (Forster
et al., 2015). This study found that most maternity patients
used the patient portal, with a number saying that in order to
be prepared, they accessed information prior to their visit to
the midwife or doctor, and most thought it improved their
ability to understand their care (Forster et al., 2015). Access
to personal and knowledge-based health information is par-
ticularly critical for patients with chronic diseases. For
patients with long-term diseases, care is constant, often pro-
vided by multiple practitioners using multiple information
systems, and the information needs of the patient are high.
Ayatollahi et al. (2016), in his article titled ‘Type 1 diabetes
self-management: developing a web-based telemedicine
application’, has shown that the web-based tool enabled
patients to learn more about their disease and skills in self-
management by accessing the educational component of the
application. The tool also allowed patients to enter their
blood glucose levels and insulin doses, thereby facilitating
access to this information by physicians from a distance, at
any time, hence enabling them to support patients in their
self-managed care (Ayatollahi et al., 2016). An important
aspect in the design of web-based applications for chronic
disease patients is that the patients themselves need to be
involved as collaborators in the design of these technologies
to support their everyday living (Kanstrup et al., 2015).
Access to health information and the quality of that
information is critical to efficient and effective healthcare
delivery by health professionals and to ensure quality out-
comes for patients. Patients and health professionals need
to be able to access both personal and knowledge-based
health information easily and in a timely fashion. Govern-
ments, policymakers and researchers need access to aggre-
gated health data essential for planning, research and
funding. Electronic health records, mobile devices and the
Internet will continue to transform how information is
accessed and shared. It is important to evaluate information
systems and applications that claim to improve information
quality and access in order to ensure they actually support
healthcare delivery and improve patient outcomes.
Ayatollahi H, Hasannezhad M, Fard HS, et al. (2016) Type 1 diabetes
self-management: developing a web-based telemedicine applica-
tion. Health Information Management Journal 45(1): 16–26.
Canadian Institute for Health Information (2009) The CIHI Data
Quality Framework, 2009. Ottawa: CIHI, 2009. Available at:
(accessed 23 January 2016).
Davis J, Morgans A and Burgess S (2016) Information management
for aged care provision in Australia: development of an aged care
minimum dataset and strategies to improve quality and continuity
of care. Health Information Management Journal 45(1): 27–35.
Donnolley N, Butler-Henderson K, Chapman M, et al. (2016) The
development of a classification system for maternity models of
care. Health Information Management Journal. DOI: 10.1177/
Forster M, Dennison K, Callen J, et al. (2015) Maternity patients’ access
to their electronic medical records: use and perspectives of a patient
portal. Health Information Management Journal 44(1): 4–11.
Kanstrup AM, Bertelsen P and Nohr C (2015) Patient innovations:
results from a user-driven design study of health informatics
applications for everyday life with diabetes. Health Informa-
tion Management Journal 44(1): 12–20.
Monto S, Penttila R, Karri T, et al. (2016) Improving data collection
processes for routine evaluation of treatment cost-effective-
ness. Health Information Management Journal 45(1): 45–52.
Usher W, Gudes O and Parekh S (2016) Exploring the use of
technology pathways to access health information by Austra-
lian university students: a multi-dimensional approach. Health
Information Management Journal 45(1): 5–15.
4 Health Information Management Journal 45(1)
24 D A T A B A S E T R E N D S A N D A P P L I C A T I O N S
DATA GOVERNANCE is sometimes viewed as
a roadblock that keeps data scientists and
analysts from turning data into business
insights quickly and efficiently. Yet, it’s
often a lack of sound data governance
that prevents organizations from realiz-
ing the full value of their data.
Data governance deals with such ques-
tions as the origins, or lineage, of data;
who can access data and what they can do
with it; how data is categorized; and the
quality and completeness of data.
Here are five ways that a modern
approach to data governance can make
your data scientists and analysts more
productive, enabling your business leaders
to gain insights more quickly.
Good business metadata is good
for the business. Effectively gov-
erned metadata—that’s data that labels or
categorizes other data—facilitates the dis-
covery process for data scientists, helping
them find the data they need, when they
need it. Tagging and cataloging data at the
time of ingestion will help your organiza-
tion keep its data lake clean while giving
your data scientists a better understanding
of what’s available to them.
Effective schema management
saves time and money, especially in
a big data environment. Schemas define
how data should be read. It’s essential that
data consumers know which schema to
use when looking at particular files. Yet
managing schemas can be difficult, par-
ticularly in a big data environment. Pro-
grammatic technical and business schema
discovery eases the problem.
When a new dataset is ingested into a
data lake, an open source tool can help you
determine the schema automatically, and,
in a mature environment, match the newly
discovered data to existing business meta-
data, providing you with both the business
and technical metadata immediately. Pub-
lishing, curating, and governing all known
schemas will save your data scientists and
analysts considerable time, freeing them to
focus on their primary roles.
Good data quality and profiling
can accelerate time to insight. Poor
data quality is among the key reasons that
40% of business initiatives fail to achieve
targeted benefits, according to a report by
Gartner Inc., which also notes that data
quality affects overall labor productivity
by as much as 20%.
Developing a sound architecture and
effective data quality protocols will help
you keep your data lake from becoming
a data swamp. Establishing data-usage
agreements between producers and con-
sumers of data will also prove helpful, as
these agreements give everyone a better
idea of the level of data quality expected
and how it will be documented. Profiling
data and storing the profiles with meta-
data is also a useful practice, giving your
data scientists a better understanding of
the types of data contained in the system
and allowing them to formulate hypothe-
ses more quickly.
Data lineage can help keep you
from getting sued or fired. In an
era of data breaches, data governance can
provide important protections to your
business and its employees. Data gov-
ernance won’t stop determined hackers
from gaining access to secure data, but,
in the event of a breach, it will help you
understand what has and hasn’t been
Data governance affords particular
protections to people who work in regu-
lated industries such as financial services
and healthcare. In an audit, data gover-
nance enables you to show exactly where
your data came from and how you made
Your models and analyses w ill
run right in production. If your
data governance program includes the
measures discussed up to this point, your
data will be of sufficiently high quality
that you’ll experience fewer problems with
models and analyses in production.
If you go a step further and establish
preventive and detective controls, you’ll
gain additional benefits. Preventive con-
trols help ensure that low-quality data
isn’t used by the business. Detective con-
trols help the production and operations
team troubleshoot jobs that fail as a result
of data quality issues.
Saving Time, Energy, and Money
With a modern data governance pro-
gram in place, data scientists needn’t
spend their working hours looking for
data, trying to understand definitions,
wondering whether datasets are com-
plete and accurate, or trying to determine
where data originated. That saves time,
energy, and money while improving the
quality of business decision making. A
sound data governance program will also
keep your organization safe and compli-
ant, with full documentation of how data
is used and by whom. �
Ben Harden leads the Data and Analytics
Practice at CapTech.
The Five Ways Modern
Data Governance Helps
By Ben Harden
Reproduced with permission of the copyright owner. Further reproduction prohibited without
Achieving the Promise of DigitaAchieving the Promise of
Digital Health Information Systems
Gary L. Kreps
Author information Article notes Copyright and License information Disclaimer
This article has been cited by other articles in PMC.
The failed promise of digital health information dissemination
Many pundits, including me, proclaimed the advent of an era of digital
health where health information systems would transform the delivery of
health care and the promotion of public health. 1-3 Digital health prophets
described how health information systems would provide consumers and
providers with relevant, timely, and influential health information to address
challenging health issues and enhance health outcomes. However, the
enthusiastic predictions about the amazing contributions of digital health
programs for promoting public health has not reached fruition and the great
promise of health information systems has resulted in limited returns. 4
There is a long way to go for digital health information systems to reach
their incredible potential.
Digital media and the dissemination of relevant health information
Timely, accurate, and appropriate health information is the most influential
resource for guiding important health decisions. 5 Consumers and providers
depend on access to relevant health information to increase their
understanding about complex health risks, problems, and interventions, to
guide accurate diagnoses, to identify and respond to serious health risks, and
to select the best health promotion interventions. Health care issues are
often tremendously complex and revealing health information can reduce
the many uncertainties consumers and providers confront in making
important health decisions. Unfortunately, access to the best health
information is often problematic. 5 Due to numerous barriers to accessing
health information, many people are seriously under-informed and
misinformed about key health issues. 6 , 7 Consumers are not the only ones
who experience challenges in accessing health information. Even well
trained health care professionals encounter problems accessing relevant
health information needed for making important diagnostic and treatment
decisions. Policy makers also struggle to access relevant information for
guiding the design of effective health care regulations, programs, and
practices. We need to design digital health information systems that do a
better job of providing all participants in the modern health care system
with the information they need to promote health!
Factors that confound digital health
There are a number of design issues that limit the effectiveness of digital
health information systems. While many health websites provide a vast
array of information about health conditions, treatments, research,
providers, and facilities, the information is often provided in ways that is
difficult for many people to access and understand. While, powerful search
engines can provide online access to a broad range of relevant health
websites, they often provide too much information about health issues that
can be difficult for many information seekers to evaluate. Digital health
decision support systems can interpret complex health problems and suggest
best response strategies, but these systems are often difficult to use. Online
support groups can be powerful forums for sharing relevant health
information and support, yet many consumers who might benefit from these
groups do not know how to access them. Numerous communication
problems are preventing digital health information systems from achieving
health promotion goals.
Designing digital health information systems that communicate
The best digital information systems must be designed to be interactive,
personally relevant, relationally sensitive, involving, exciting, and easy to
use. 3 , 8-11 Regrettably, most e-health programs do not live up to these
communication standards. They are typically overly complex, formal,
technical, and difficult to use. The information they provide is often
dispassionate, boring, and unimaginative. Even worse, the health promotion
messages provided on many of these health information systems are
insulting and disempowering to users. They provide overly directive and
prescriptive statements that are typically presented in inflexible and static
one-way messages, with minimal interaction and opportunities for
involvement from consumers. Most current health information systems are
often not much fun for users and it is not surprising these systems are not as
well utilized or as effective as they might be!
There has been more emphasis on designing technically sophisticated health
information systems than on making these system communicatively
competent. While most current digital communication systems have been
designed to store, process, and deliver vast amounts of health information,
these systems often do not communicate health information in very
meaningful, sensitive, and engaging ways to the diverse audiences who
desperately need relevant health information. Health promoting
communication is an intricate, interactive process that depends on the
quality of relevant adaptive messages exchanged over time to inform
important health decisions and influence health behaviours. 5 , 10 Most digital
health systems fail to fully engage users, leading to problems with
information overload, and confusing rather than informing users, especially
those users who experience health literacy challenges. Health literacy
challenges are a pervasive and ubiquitous health communication
impediment due to the complexity of making sense of many health
problems, the bureaucracy of health care systems, the difficulties inherent in
influencing health behaviours, and the physical, cognitive, and emotional
challenges people typically face when they are feeling ill. When people are
sick they may not think as clearly as usual, they are concerned, and perhaps
fearful about their health conditions. They may be cognitively impaired by
medications, pain, nausea, fatigue, and a whole host of conditions that keep
them from exhibiting their best communication skills. It is not surprising
that people who are confronting health problems often experience
difficulties understanding complex health information.
Strategies for enhancing digital communication systems
When designing digital health information systems there are a number of
key questions that should be asked. How engaging and interactive are these
health information systems. Are these systems designed to capture audience
attention? Do they communicate health information clearly and
compellingly? Do they communicate humanely and sensitively? Do they
adapt well to unique users? Do they promote immediacy? Immediacy is a
powerful communication process that humanizes and intensifies interaction
by promoting physical and emotional closeness, interpersonal comfort,
engagement and caring, personal involvement, enthusiasm, authenticity, and
enjoyment. 8 How many digital health information systems achieve these
humane communication goals? Not many! Research has shown that high
levels of immediacy brings communicators closer together, enhances
expressions of affect, increases cognitive and affective learning, increases
perceptions of credibility and identification, enhances motivation and
participation, encourages communication and feedback, and reduces
resistance by promoting cooperation. 8
The next generation of digital health information systems should be
designed to demonstrate immediacy by communicating in friendly,
animated, involving, exciting, comforting, and caring ways. Messages
should be designed to be personal and familiar, involving, clear, and
interesting to move users with relevant, interesting, and actionable health
information. Strategic use of video, animation, dramatic narratives, virtual
human agents, virtual reality, and interactive health games can promote
immediacy. Immediate health information systems can enhance health
promotion outcomes by increasing access (exposure) to relevant health
information, improving the quality of health communication, increasing
consumer involvement, and influencing both health behaviours and health
outcomes. These systems can supplement traditional health care and health
promotion activities as additional channels of health communication that
can actively involve consumers in directing their own care, promote
continuity of care, coordination of care, relieve demands on health care
staff, reduce health care costs, increase the efficiency of health care
services, and improve health outcomes. 8
Communicatively competent digital health information systems can
promote interactivity by providing opportunities for users to ask questions
and receive meaningful answers. They will employ tailored message
systems to provide specific and appropriate feedback. They will be designed
using principles of artificial intelligence to relationally adapt over time to
unique user responses and stored information about users gathered from
electronic health records. 8 These relationally sensitive, interactive, and
adaptive digital health information systems will share control with users by
encouraging user input and direction based on individual user needs and
preferences. They will also provide congruent, empathetic, and personally
sensitive messages that demonstrate concern and respect for users. A new
generation of communicatively competent health information systems can
achieve the tremendous promise of digital health for enhancing health
1. Kreps GL. Health communication and information technology. The Electronic
Journal of Communication / La Revue Electronique de Communication/La Reve
Electronique de Communication . 2002. Available from:
http://www.cios.org/www/ejc/v11n3.htm# Intro2 [ Google Scholar ]
2. Kreps GL. E-health: technology-mediated health communication. J Health Psychol
2003;8:5-6. [ PubMed ] [ Google Scholar ]
3. Neuhauser L, Kreps GL. The advent of e-health: how interactive media are
transforming health communication. Medien Kommunikationswissenschaft
2003;51:541-56. [ Google Scholar ]
4. Kreps GL, Neuhauser L. New directions in ehealth communication: opportunities and
challenges. Patient Educ Couns 2010;78:329-336. [ PubMed ] [ Google Scholar ]
5. Kreps GL. The pervasive role of information in health and health care: implications
for health communication policy. In: Anderson J, Ed. Communication yearbook 11 .
Newbury Park, CA: Sage; 1988. pp 238-276. [ Google Scholar ]
6. Kreps GL. Consumer control over and access to health information. Ann Fam Med
2012;10:428-34. [ PMC free article ] [ PubMed ] [ Google Scholar ]
7. Kreps GL. The information revolution and the changing face of health
communication in modern society. J Health Psychol 2011; 16:192-3. [ Google Scholar ]
8. Kreps GL, Neuhauser L. Artificial intelligence and immediacy: designing health
communication to personally engage consumers and providers. Patient Educ Couns
2013;92: 205-10. [ PubMed ] [ Google Scholar ]
9. Kreps GL, Neuhauser L. E-health and health promotion. J Comput Mediat Commun
2010;15:527-9. [ Google Scholar ]
10. Neuhauser L, Kreps GL. Ehealth communication and behavior change: promise and
performance. Soc Semiot 2010;20:7-24. [ Google Scholar ]
11. Neuhauser L, Kreps GL. Rethinking communication in the e-health era. J Health
Psychol 2003;8:7-22. [ PubMed ] [ Google Scholar ]
P E R S P E C T I V E
From AIDS to Opioids — How to Combat an Epidemic
n engl j med 375;9 nejm.org September 1, 2016
grams or vouchers (covering MAT
medications and the overdose-
reversal agent naloxone), perhaps
as a new mechanism under the
Substance Abuse Prevention and
Treatment Block Grant program
or Medicaid demonstration waiv-
ers, could provide access for many
people with OUD, even in states
that haven’t expanded Medicaid
under the ACA. Although the
mental health parity law of 2008
requires most managed-Medicaid
and private insurance plans that
cover substance-abuse treatment
to do so at the same level as other
medical care, violations abound.5
Despite the requirement that sub-
stance-abuse treatment be consid-
ered an essential health benefit,
and despite the fact that the Na-
tional Institute on Drug Abuse
deems MAT the first-line treatment
for OUD, the Centers for Medi-
care and Medicaid Services has
not yet made methadone or bupre-
norphine maintenance treatment
for OUD a mandated benefit.
Finally, another innovation of
the response to AIDS was the
creation of the Office of AIDS
Research within the National In-
stitutes of Health (NIH) to coor-
dinate HIV–AIDS research efforts
across institutes and programs.
Such an office overseeing a na-
tional strategy for addressing the
opioid epidemic could be devel-
oped and housed within the NIH
or an appropriate division of the
Department of Health and Hu-
man Services; it could emphasize
that OUD is a chronic medical
disorder, as Surgeon General Vivek
Murthy has insisted, that should
be managed according to stan-
dards analogous to those for
other chronic disorders.
The scope of reform needed to
respond appropriately to this epi-
demic is daunting. The response
to AIDS, however, established a
precedent for expanding access to
lifesaving medications and sup-
porting clinicians in implement-
ing evidence-based treatment in
marginalized populations. Current
federal and state efforts have
largely fallen short in addressing
the opioid epidemic, as witnessed
by ever-increasing mortality. We
believe that federal funding should
be used to promote new and ef-
fective models that provide patients
with evidence-based treatment
rather than supporting outdated
treatment programs that are un-
willing or unable to evolve.
Disclosure forms provided by the authors
are available at NEJM.org.
From the Division on Substance Abuse,
Columbia University Department of Psychia-
try, New York State Psychiatric Institute,
1. Nosyk B, Anglin MD, Brissette S, et al.
A call for evidence-based medical treatment
of opioid dependence in the United States
and Canada. Health Aff (Millwood) 2013; 32:
2. Buck JA. The looming expansion and
transformation of public substance abuse
treatment under the Affordable Care Act.
Health Aff (Millwood) 2011; 30: 1402-10.
3. Sigmon SC. The untapped potential of
office-based buprenorphine treatment. JAMA
Psychiatry 2015; 72: 395-6.
4. Bentzley BS, Barth KS, Back SE, Book
SW. Discontinuation of buprenorphine main-
tenance therapy: perspectives and outcomes.
J Subst Abuse Treat 2015; 52: 48-57.
5. Wen H, Cummings JR, Hockenberry JM,
Gaydos LM, Druss BG. State parity laws and
access to treatment for substance use disor-
der in the United States: implications for
federal parity legislation. JAMA Psychiatry
2013; 70: 1355-62.
Copyright © 2016 Massachusetts Medical Society.
From AIDS to Opioids — How to Combat an Epidemic
Accelerating Innovation in Health IT
Accelerating Innovation in Health IT
Robert S. Rudin, Ph.D., David W. Bates, M.D., and Calum MacRae, M.B., Ch.B., Ph.D.
Even as information technology (IT) transforms many indus-
tries, the pace of innovation in
health IT continues to lag. Elec-
tronic health records (EHRs) re-
ceive few accolades from providers
and have been cited as a major
source of professional dissatisfac-
tion among physicians.1 Despite
a proliferation of patient-facing
health apps, few have been shown
to produce health improvements
and many are barely used. The
most common IT tools connecting
patients to providers are patient
portals that so far do little more
than provide basic secure mes-
saging and present unexplained
clinical data. Though many start-
ups and research programs exist
and venture capital investment
has been growing, health IT suc-
cess stories remain rare.
A plan to accelerate innova-
tion should begin with a diag-
nosis of the problem. Some ob-
servers blame perverse financial
incentives in health care that re-
ward volume rather than quality
and efficiency, regulations that
restrict the flow of information
ostensibly to protect patient pri-
vacy, and technical integration
challenges. Another factor has
been the multiple demands of
“meaningful use,” which have de-
layed innovation in many areas
of health IT. Though these issues
are important, we believe there is
P E R S P E C T I V E
Accelerating Innovation in Health IT
n engl j med 375;9 nejm.org September 1, 2016
a more fundamental barrier that
has not yet received due attention:
the disconnect between health IT
developers and users. Alternative
provider-payment models should
create incentives for innovation
by rewarding health care provid-
ers who use novel IT tools to
control cost and improve quality,
but the effect of these models
will be attenuated unless the
developer–user disconnect is ad-
Health IT developers typically
work in one of three settings —
established IT companies, start-
ups, or academic research depart-
ments — where they have little
to no contact with patients and
clinicians and therefore often lack
a deep understanding of users’
needs. Established IT firms, most
notably EHR companies, have
adhered poorly to user-centered
design principles, despite federal
certification requirements that
they apply such principles.2 In
startups, developers are typically
young and healthy, with little
firsthand knowledge of clinicians
or the chronically ill patients who
consume most health care ser-
vices. Much of venture capital is
therefore clustered in wellness
companies making products such
as fitness trackers that cannot
help the patients most in need
and thus will have little effect on
health care costs. Some health
care incubators are producing
startups that target clinicians and
chronically ill patients, but we
believe that these organizations
generally underestimate the effort
needed to understand such com-
plex and diverse users. Some aca-
demics have focused on under-
standing users’ needs, but efforts
tend to be small and fragmented
and to involve multiple years of
development. Rarely do findings
make their way into the design
of novel functionalities, for which
relatively few funding sources
Users of health IT systems also
face challenges in addressing this
disconnect. Although clinicians
may know what aspects of their
system they dislike and may have
ideas about how they might work
better (e.g., perhaps notes could
be made into a wiki, so that vari-
ous clinicians could add to or
revise them), few are trained to
specify their ideas in a way that
can be turned into workable
software or understand IT capa-
bilities well enough to propose
technically feasible approaches.
Experienced clinicians may also
have difficulty imagining how
their workf lows may be altered,
especially in ways that relegate
some of their revenue-generating
activities to others.
We have observed myriad un-
fortunate results of this developer–
user disconnect. Tools are built
on the basis of fundamental mis-
conceptions about the clinical
utility of new data sources (e.g.,
episodic blood-pressure readings
or accelerometry). Developers
make incorrect design assump-
tions about when and how clini-
cians are available to respond to
data produced by monitoring de-
vices and when such contact is
appropriate and clinically useful.
Developers incorrectly assume that
the same features can be used
for drastically different purposes
— for example, for both individ-
ual inpatients and large outpa-
tient populations. Tools are highly
customizable but require enor-
mous effort from individual us-
ers to tailor and configure them
before they become practical. One-
size-fits-all functionality does not
accommodate differences in users’
technical proficiencies or in indi-
vidual triggers of patients’ clini-
cal events. Critical tasks that are
important to users, such as care
coordination, are not prioritized.
What can be done to bridge
this chasm? One solution might
be sustained innovation programs
that could foster long-term collab-
oration between developers and
users, incubate ideas for new IT
functionalities, and facilitate rapid-
cycle testing and evaluation. Pro-
grams will be most effective, in
our view, if they include four key
The first is involvement of
multidisciplinary teams including
both developers and users. The
developers may include employees
of established IT firms, entrepre-
neurs, and researchers. Users may
include relevant clinicians and pa-
tients with various disease condi-
tions. To plan for implementing
sustainable ideas within complex
incentive structures, teams may
also involve public and private pay-
ers and health services research-
ers. Since these participants may
not interact often, it’s helpful to
get people who can “speak more
than one language” to serve as
liaisons, especially between users
The second essential trait is a
focus on users’ needs. The two
key stakeholders in health care
— patients and clinicians — are
diverse and have complex needs
and expectations. The first step
toward effective solutions is de-
veloping a thorough understand-
ing of these needs through direct
interaction with users, including
interviews and observations. Tech-
nology is too often based on in-
correct assumptions about users’
needs, and most organizations
underinvest in this critical activity.
A third key is for health care
P E R S P E C T I V E
Accelerating Innovation in Health IT
n engl j med 375;9 nejm.org September 1, 2016
innovators to redesign care pro-
cesses in parallel with IT tools.
Research from other industries
shows that most IT benefits do
not result from “paving the cow
path.” Instead, major transforma-
tions occur after intensive pro-
cess reengineering to leverage the
technology’s potential.3 Major IT
innovations can’t be bolted onto
existing health care processes ei-
ther. Changes in the work of pa-
tients and clinicians will require
not just knowledge of current
user needs, but also the imagina-
tion to address latent needs that
users haven’t yet considered. Such
work will require a deep and sus-
tained relationship between devel-
opers and users, as well as fun-
damental understanding of the
biology of diseases.
Fourth, developers can serve
users’ needs better when they
have the freedom to experiment
and fail quickly. Innovation pro-
grams can offer an environment
in which ideas can be tested rap-
idly in simulated or real clinical
settings, allowing users to try out
innovations and provide in-depth
feedback in a systematic fashion.
Such environments have been
Programs with these charac-
teristics can accelerate innovation
through spinoff companies, open-
source technology, care models
based on redesigned workflows,
provision of implementation ser-
vices, and published knowledge
and best practices. An innovation
program can help its developers
and researchers decide which dis-
semination channel is most ap-
Because such programs don’t
currently exist, new funding mod-
els will be needed. Funding op-
tions to explore include public
and private research sources,
health plans, and private invest-
ment. Traditional approaches to
the management of intellectual
property used by academic cen-
ters may not be effective, because
the primary financial returns will
probably come from first-mover
advantage and early discovery of
best practices. Flexibility will al-
low programs to support the full
spectrum of research and devel-
opment, from early-stage forma-
tive research through prototype
development and evaluation of
The transformative potential of
IT is no less powerful in health
care than in other industries.
The essential missing ingredient
is a forum for innovation. Dedi-
cated programs that facilitate col-
laboration among developers and
users will help accelerate innova-
tion so that health care can catch
up with the modern world. As
other industries have demonstrat-
ed, there’s an insatiable demand
for new, useful, user-friendly IT
functionality. As emerging pro-
vider-payment models take hold
and providers seek tools to help
them reduce costs and improve
quality, the demand for new health
IT functionality will grow. With
sustained commitment, the IT-
enabled transformations that have
revolutionized so many other
industries might finally come to
Disclosure forms provided by the authors
are available at NEJM.org.
From RAND (R.S.R.), the Divisions of Gen-
eral Medicine and Primary Care (D.W.B.)
and Cardiovascular Medicine (C.M.),
Brigham and Women’s Hospital and Har-
vard Medical School, and the Harvard
School of Public Health (D.W.B.), Boston,
and the Broad Institute of Harvard and MIT,
Cambridge (C.M.) — all in Massachusetts.
1. Friedberg MW, Chen PG, Van Busum
KR, et al. Factors affecting physician profes-
sional satisfaction and their implications for
patient care, health systems, and health
policy. Santa Monica, CA: RAND, 2013.
2. Ratwani RM, Fairbanks RJ, Hettinger
AZ, Benda NC. Electronic health record us-
ability: analysis of the user-centered design
processes of eleven electronic health record
vendors. J Am Med Inform Assoc 2015; 22:
3. Jones SS, Heaton PS, Rudin RS, Schnei-
der EC. Unraveling the IT productivity para-
dox — lessons for health care. N Engl J Med
2012; 366: 2243-5.
Copyright © 2016 Massachusetts Medical Society.Accelerating Innovation in Health IT
Reproduced with permission of copyright owner. Further reproduction
prohibited without permission.
Understanding champion behaviour in a health-
care information system development project –
how multiple champions and champion
behaviours build a coherent whole
Joeri van Laere1 and Lena
1School of informatics, University of Skövde,
Skövde, Sweden; 2School of Business, University of
Skövde, Skövde, Sweden
Correspondence: Joeri van Laere, School of
informatics, University of Skövde, P.O.
Box 408, SE-54128 Skövde, Sweden.
Received: 18 April 2013
Revised: 14 May 2014
2nd Revision: 10 December 2014
Accepted: 09 February 2015
Champions are commonly suggested as a means of promoting the adoption of
information systems. Since there are many different definitions of the concepts
of champion and champion behaviour in the literature, practitioners and
researchers may be confused about how to exactly use these concepts.
A qualitative analysis of a single case study in a Swedish health-care organisation
enabled us to explain how different champion behaviours relate to each other
and how multiple champions interact. Combining our rich case observations
with an analysis of champion literature reveals how champion behaviours form a
coherent and meaningful whole in which networks of different types of
champions at different levels in an organisation utilise their network of relations,
their knowledge of the organisation and their insight into strategic decision-
making politics to time and orchestrate the framing of innovations and the
involvement of the right people. In conclusion, championing is a complex
performance of contextually dependent collective social interaction, varying
over time, rather than a heroic act of one individual promoting an idea. Future
studies need to focus more on how the relations between different champions
and their behaviours develop across innovations and over time, in order to
develop a richer understanding of championing.
European Journal of Information Systems
(2016) 25(1), 47–63.
doi:10.1057/ejis.2015.5; published online 28 April 2015
Keywords: champions; champion behaviours; information system development; organisa-
tional change; health-care informatics
Since 1963, studies of both product and process innovations have identified
and confirmed the role of influential individuals associated with the success
of a technological innovation, so-called champions of innovation (Schön,
1963; Chakrabarti, 1974; Maidique, 1980; Howell & Higgins, 1990). Several
studies have specifically focused on the adoption of Information Systems
(IS) as a type of innovation (Curley & Gremillion, 1983; Howell & Higgins,
1990; Beath, 1991; Heng et al, 1999), confirming that lessons learned from
champion literature in general also hold for champions influencing IS
adoption. Even in health-care, the context of our case study, it has been
shown how champions contribute to a change of work practices (Soo et al,
2009) or IS adoption (Malik & Khan, 2009).
European Journal of Information Systems (2016) 25, 47–63
© 2016 Operational Research Society Ltd. All rights reserved 0960-085X/16
Practitioners and researchers often suggest that cham-
pions could be a solution for successful IS implementa-
tion in health-care (e.g., Zandieh et al, 2008; Millery &
Kukafka, 2010), although what the exact role and con-
tribution of the champions could be has not been
explicitly discussed in their recommendations. The latter
is problematic, since a closer look at the champion
literature reveals that clear, generally accepted, uniform
definitions are lacking for what the champion role
involves and for what is regarded as champion behaviour
and what is not (Howell & Higgins, 1990; Howell & Shea,
2006). Even recent studies in IS literature, which discuss
champions and related concepts, such as top manage-
ment support (Dong et al, 2009), intra-organisational
alliances (Ngwenyama & Nørbjerg, 2010), charismatic
leadership (Neufeld et al, 2007) and organisational influ-
ence processes (Ngwenyama & Nielsen, 2014), confirm
that both the nature of championing and its assumed
impacts need further investigation.
Two research streams can be identified in the champion
● a heroic, individualistic perspective of one person acting
as an all-round champion (Schön, 1963; Howell et al,
2005; Walter et al, 2011),
● an interactive perspective where several specialised indi-
viduals cooperate, each serving a distinctive role (Witte,
1973; Witte, 1977; Rost et al, 2007; Fichter, 2009).
The heroic, individualistic perspective is the dominating
perspective in champion literature. Rost et al (2007) sug-
gest that the findings of both perspectives can be inte-
grated, in order to develop a more comprehensive
understanding of championing or promoting innovations.
Both research streams have put much effort into respec-
tively identifying unique champion behaviours and
unique champion roles. Although Taylor et al (2011,
p. 430) state ‘champion-driven leadership processes are
often highly dynamic, context sensitive and involve many
leaders’, little is still known regarding how different cham-
pion behaviours actually influence each other and how
different champions develop and execute their collabora-
The main contribution of our study is a more elaborated
conceptualisation of the interactive nature of championing
by, in detail, picturing how different champions cooperate
and how different champion behaviours interact. Our results
are primarily based on an in-depth qualitative analysis of
championing in a health-care information system develop-
ment project, complemented with an extensive literature
study. Furthermore, some additional specific lessons learnt,
which can inspire future research, are identified. Finally, our
findings are translated into implications for practitioners, in
the form of some straightforward guidelines.
Before presenting the applied research method and the
results of our case study, a short review is given of how
different champion roles and different champion beha-
viours are currently portrayed in the literature and what
issues are currently not being addressed.
Championing in the literature
The champion as one heroic individual
Champions can be defined as individuals who informally
emerge in an organisation (Schön, 1963; Chakrabarti, 1974;
Howell et al, 2005) and make a decisive contribution to the
innovation by actively and enthusiastically promoting its
progress to critical stages, in order to obtain resources and/or
active support from top management (Rothwell et al, 1974).
A problem with this definition is that it leaves quite a lot of
room for subjective interpretation of what a ‘decisive con-
tribution’ involves and what ‘progress to critical stages’
means. Schön (1963) is, for instance, more demanding when
using the following formulations: ‘the champion must be …
willing to put himself on the line for an idea of doubtful
success. He is willing to fail. … using any and every means of
informal sales and pressure in order to succeed … identify
with the idea as their own, and with its promotions as a
cause, to a degree that goes far beyond the requirements of
their job … display persistence and courage of heroic
quality’, as quoted in Maidique (1980, p. 60) and (Howell &
Higgins, 1990, p. 320). For a further illustration of the
differentiation in the definitions of the champion concept,
we refer to Walter et al (2011) and (Roure, 2001) who
respectively list 12 and 16 definitions that clearly differ
in highlighting certain aspects of the champion concept.
In addition, it is worth mentioning that besides the identifi-
cation of the product champion by Schön (1963), other
related roles have been ascertained, for example, gatekeepers,
project champions, business innovators, technological inno-
vators, user champions, sponsor/coach, godfather, power
promotor, expert promotor, process promotor, early adop-
ters, and opinion leaders (Rogers, 1962; Rothwell et al, 1974;
Witte, 1977; Maidique, 1980; Howell & Higgins, 1990;
Smith, 2007; Fichter, 2009). The existence of so many
identified roles, which are, just as the champion role, only
roughly defined and often clearly overlap, makes it hard to
compare studies, since determining what elements of differ-
ent innovation process roles are included or excluded in
their champion concepts may not always be clear (Howell &
Higgins, 1990; Walter et al, 2011). Also, this makes it hard to
correctly identify champions in this study and future studies.
Champion personality characteristics and champion
Over the years, research has first focused on the question
of what kind of person a champion actually is (personality
characteristics) and then on the question of what a
champion actually does (champion behaviour). However,
since personality traits (charisma) are sometimes written as
behaviours (being charismatic), this distinction is proble-
matic when analysing the literature. Champion personal-
ity characteristics are often related to transformative
leadership, that is, leaders who inspire their followers to
transcend their own self-interests for a higher collective
purpose (Bass, 1985; Howell & Higgins, 1990). Champions
are risk takers, they are innovative and can articulate a
compelling vision, as well as instil confidence in others to
Understanding champion behaviour Joeri van Laere and Lena Aggestam48
European Journal of Information Systems
participate effectively, and they can display innovative
actions to achieve goals (Howell & Higgins, 1990; Howell
et al, 2005). By being charismatic, champions capture the
attention of others, provide emotional meaning and
energy to the idea, and induce the commitment of others
to the innovation (Howell & Higgins, 1990; Heng et al,
1999). Champions rely on personal networks in and out-
side the organisation when scouting for new ideas and
obtaining support. They tailor selling strategies that tie
these ideas to stakeholder interests and positive organisa-
tion outcomes (Howell, 2005). In addition, Chakrabarti
(1974) has already suggested that product champions
should have knowledge about the technology, the organi-
sation and the market, besides having drive, aggressive-
ness, and political astuteness. Recently, more extensive
quantitative studies have been conducted to determine the
key components of champion behaviour. These studies
identify ‘expressing enthusiasm and confidence’, ‘getting
the right people involved’ (Howell et al, 2005), ‘pursuing
the innovative idea’, ‘network building’, ‘taking responsi-
bility’ (Walter et al, 2011) and ‘persistence under adversity’
(Howell et al, 2005; Walter et al, 2011) as key behaviours.
Interaction between multiple champions with fixed roles
Witte (1973, 1977) argues that innovation processes
involve very complex and multi-person decision processes
that cannot only be borne by one individual. Witte’s
Promotor Theory was initially a two-centre theory of
power, where two specialists cooperate; the expert promo-
tor contributes through expert knowledge and the power
promotor through hierarchical power (Witte, 1977; Rost
et al, 2007; Fichter, 2009). Later, other promotor roles have
been added (Rost et al, 2007; Fichter, 2009), for instance,
a process promotor, a relationship promotor, and techno-
logical gatekeepers. Promotor theory stresses that it is not
necessary for the different specialised promotor roles to be
played by different individuals. These roles can also be
combined in one person, the ‘universal promotor’, which
is then similar to the champion concept of one heroic
individual (Rost et al, 2007; Fichter, 2009). Even in the
literature on the individual all-round champion, there has
been some attention on the fact that champions do not
operate alone, but interact with project teams, executives,
and other stakeholders (Howell & Shea, 2006). Champions
positively influence team member beliefs in team effec-
tiveness and, in turn, rely on the extent to which they can
leverage the talents and resources of the innovation team
(Howell & Shea, 2006). Still, this is a perspective of a heroic
individual impacting and influenced by others, rather than
cooperation between different champions, as described in
promotor theory; or the kind of co-performance of cham-
pion behaviour as presented in this study.
Unaddressed issues in research on championing
Previous research has identified important individual
champion behaviours and ascertained several unique
champion roles that are taken on by different people. Still,
little is known about how these people, roles and beha-
viours actually interact. One reason for this could be that
research is predominantly based on quantitative surveys
that combine the insights gathered in a large number of
questionnaires or interviews. A clear benefit of those
studies is that they include many cases, which enables
generalisations stating that a single champion behaviour
or champion role is important in many instances. A draw-
back is that the analysis of each case is rather obscure and
any in-depth insight into how champion behaviours and
different champions interact in the specific case is lacking.
In addition, some recent studies have suggested that the
appliance or occurrence of champion behaviours may
depend on a range of contextual and situational factors.
For instance, there is increasing awareness that there can
be degrees of championing (Howell & Shea, 2001; Walter
et al, 2011), rather than defining individuals as either cham-
pions or non-champions. Walter et al (2011) and Hendy &
Barlow (2012) show that there is a limit to ‘persisting under
adversity’ and ‘taking responsibility’. A champion pushing
an innovation too long may be counterproductive (creating
resistance, lack of innovation spread) or harmful (imple-
menting a faulty innovation). Also, Taylor et al (2011) and
Hendy & Barlow (2012) describe how champion behaviour
varies between different phases of the innovation process.
In the initiation phase, when almost nobody believes in the
innovation, there may be one enthusiastic individual (cf. the
heroic champion perspective). During the endorsement
phase, when top management support needs to be obtained,
a project champion and an executive champion may work in
tandem (cf. Witte’s original two-centre theory of power).
Finally, in the implementation phase, when it is necessary to
spread the innovation throughout the whole organisation,
multi-disciplinary, cross-boundary project teams and high
levels of collaboration, involving many leaders from all parts
of the organisation, may be needed (cf. Promotor theory
with a network of multiple promotors).
Our study extends the current body of knowledge by the
in-depth study and analysis of how championing is per-
formed in different situations in an IS development project
and, hence, the detailed description of how champions and
champion behaviours interact, and how this interaction is
adapted to the context over time. Our analysis shows that
the interaction of champions and champion behaviours is
more situational and diversified than currently portrayed
in the literature.
Our research design is based on an inductive research
strategy and a qualitative research method. A single, in-
depth case study has been conducted, studying the phe-
nomenon of championing in a 14-month IS
project at a large Swedish health-care organisation. Data
collection was based on participatory observation by the
second author and one in-depth interview by the first
author. Data sources included all the project documenta-
tion and personal notes, as well as reflective group
Understanding champion behaviour Joeri van Laere and Lena Aggestam 49
European Journal of Information Systems
discussions and the interview. The data analysis was con-
ducted by both authors after the conclusion of the project
and comprised several iterations of comparing different
theoretical perspectives of championing with the collected
data. A more detailed discussion of each of these design
Inductive research strategy and in-depth single case
A clear theory on how champion behaviours are related
and exactly how champions interact is lacking. As such,
there is a need for theory building rather than theory
testing, which leads us to an inductive research strategy
(Eisenhardt & Graebner, 2007). Since our aim is to provide
unique and rich descriptions of champion collaboration
and the interaction of champion behaviours, a single case
study provided better opportunities for extensive data
collection and a deeper understanding of contextual cir-
cumstances. A drawback is, of course, that our findings
may be dependent on the particular circumstances in just
this case study. However, the aim of inductive qualitative
research with a theory-building objective is not to present
a statistical generalisation, from this single case study, to
the entire community of champions in IS development
projects or even innovation projects (Yin, 2014). Rather,
the aim is to expand and generalise theories (analytic
generalisation), implying that we aim to provide one
example of a new perspective on championing, which
can then be used to inform qualitative case studies in other
organisations/projects or to design quantitative survey
studies in a different way (Yin, 2014).
Data collection through participative observation
The second author was a member of the project studied in
this case and data collection was therefore primarily based
on participative observation throughout the whole period
of 14 months. In addition, the first author conducted a
complementary interview with one steering group mem-
ber, which focused on situations that did not include the
presence of the second author. The second author had
been an IS researcher for approximately 7 years before
leaving academia to work full time in the health-care
sector at the Västra Götaland Regional Council (Västra
Götalandsregionen (VGR). The second author documen-
ted and captured data in the project, not only from the
perspective of a project participant, but also from a
research perspective. The data collected comprised meet-
ing notations and personal reflection accounts of more
than 100 meetings held in different constellations during
the project, the power point presentation files used at
these meetings, the different versions and iterations of
work process models created in the project, personal
reflection accounts of informal discussions with groups or
individuals in the project, and the interview. The data
collection had a broad perspective and was focused on
capturing the events that occurred during this project in
general, from an IS development and organisational
change point of view (Aggestam & van Laere, 2012).
Championing as such was not a focus issue. As discussed
hereafter, the issue of championing emerged during the
analysis of the data. This is not seen as a weakness (e.g.,
champion issues may have been missed since capturing
them was not the aim), but rather as a strength (cham-
pioning emerged as an important factor during the analysis,
although we were not explicitly looking for it).
Data analysis through three iterations
As shown in Figure 1, our initial theoretical frame of
analysis was IS development (ISD) in general and, more
particularly, the use of certain critical success factors (CSF).
During the analysis of the case chronology from that
perspective, the personal charisma of one steering group
member and her ability to influence the support of the
project at decisive moments emerged as an important
factor not addressed in CSF.
As a consequence, the interview with the steering
group member was conducted. Thereafter, the data and
case chronology were analysed with the aim of identify-
ing different champion behaviours, according to the
championing perspective of one heroic individual (which
dominated the initial literature review). During the sec-
ond data analysis, it became increasingly apparent that
the steering group member’s contribution was consider-
able and this individual could be defined as a champion.
However, we became mired in the analysis in two ways.
First, it was hard to distinguish between the different
champion behaviours in our analysis, as they continu-
ously became entangled. Also, it became increasingly
clearer that the decisive contributions of the steering
group member were not the individual acts of one hero,
but cooperative efforts in which her qualities in combina-
tion with those of other important people together
enabled championing. This required a new literature
review where the perspective of different champion
behaviours performed by different people, as described
in the promotor theory, was identified. In the third
iteration of the case data analysis, taking into account
both these perspectives, it emerged that neither of these
theories could explain the interaction between beha-
viours and between champions, as had been observed
and documented in this case study. This led to a final
analysis based on both literature perspectives and the
data from our case study, which resulted in a more
elaborated conceptualisation of championing, captured
in Figure 12 and the many examples in our results
The case study: the referral and answer subproject
A convenient way of reporting on a case study that
enhances readability is to apply a question and answer
format (Yin, 2014, p. 185). Hence, we set the scene by
answering the following questions: What innovation was
pursued in what kind of organisation? What kind of
Understanding champion behaviour Joeri van Laere and Lena Aggestam50
European Journal of Information Systems
complexities existed that required championing? Who
were the main people involved that could perform cham-
pion behaviours? What happened chronologically? In the
results section, the focus is on the main research question,
that is, how did multiple champions perform multiple
interrelated champion behaviours in concert?
What innovation was pursued in what kind of
Our analysis is limited to a subproject of the Referral and
Answer Project (RAP), hereafter called the RA SubProject
(RASP). RAP aimed to ensure patient security by imple-
menting a standardised way of working and information
content that support the referral process for all types of
referrals. The goals in achieving this aim included devel-
oping and implementing a VGR common-regulations
book, a desired common and unified VGR referral process,
as well as a common VGR IT solution. The first two goals,
and the additional goal of encouraging people to be
motivated and positive, were central to RASP. RASP started
in the autumn of 2010 and ended on 6 October 2011. RAP
had started earlier and continued after October 2011.
RASP developed a participatory way of working that was
regarded as an innovation in itself.
What kind of complexities existed that required
RAP was addressing a necessary and important change in
VGR, but the organisation had been struggling with this
desired change for 10 years and earlier initiatives had
become mired. Many people were aware that the current
referral and answer process was not functioning well,
but RAP was seen as a difficult project with a high risk of
failure for several reasons. First, RAP and RASP had to
overcome the size and accompanying complexity of the
health-care organisation that includes 17 hospitals, 121
health-care centres, and 170 public dental-care centres.
Changing the referral and answer work process involved
a 14 months’
IS development project
Appearance of charisma and
influence tactics at decisive moments
Critical Success Factors
Champion behaviours are entangled
and cannot be isolated
Championing is not an effort of one
hero but a collective performance
”champion as one heroic individual”
Champion behaviours are interelated
and strengthen each other
Champions do not work individually
on tasks which they are specialised in,
but perform champion behaviours
collaboratively while contributing
different expertise according to their
backgrounds and specialisations
”Interaction between multiple
champions with fixed roles”
A MORE ELABORATED CONCEPTUALISATION OF CHAMPIONING
Championing framework (figure12)
Rich exemplifying descriptions and detailed figures of interactions (results section)
”how multiple champions perform multiple interrelated champion behaviours in concert”
Figure 1 Three iterations of data analysis.
Understanding champion behaviour Joeri van Laere and Lena Aggestam 51
European Journal of Information Systems
the entire organisation of 15 administrations and 48,000
employees. Many different existing referral routines needed
to be aligned to enable a common IT support solution.
Second, VGR was organised into 15 highly autonomous
administrations, of which each had its own board con-
trolled by an administration manager. The high level of
autonomy meant that development projects, such as RAP,
had to work with agreements between the administrations.
As such, many different groups had to be convinced and
committed. Furthermore, earlier referral projects had not
achieved their aims and another recent high stake VGR-IT
project was, according to many stakeholders, regarded
negatively. Finally, in parallel with RAP and RASP, a
National eReferral project was planned. Consequently,
RASP would have to keep itself informed about the deci-
sions and results of the National eReferral project, since
VGR’s processes must comply with national rules. Also,
since VGR is a large organisation, several other develop-
ment projects that could at some point interfere with RASP
were being carried out.
Who were the main people involved that could perform
RASP comprised the RASP team, an informal steering
group, and a number of working groups. In addition, the
RASP team had important relations with the RAP team and
the formal RAP steering group, which included participat-
ing in meetings with RAP.
The RASP team consisted of three project team members:
a subproject leader with a health-care background (PL-HC), a
subproject member with a health-care background (PM-HC)
and a subproject member with an Information Systems
background (PM-IS). Both PL-HC and PM-HC have a health-
care education, a lot of experience in health-care work and
development projects, as well as long careers in VGR.
(the 2nd author) has an academic background: a Ph.D. in
Data and Systems Science and a key research interest in CSF
in IS development. PM-IS had worked in VGR since March
2010. The team members were individuals with a strong
personality and an enthusiastic attitude.
The formal RAP steering group consisted of members
that represented different perspectives, both with regard to
professional roles and the administrations of VGR. One of
the RAP steering group members served as a contact person
(CP) for the RASP team. This CP was a well-respected and
experienced member of the VGR organisation who had
worked in its different administrations for more than
40 years. For example, the CP had worked both as physi-
cian and more recently as an administration manager,
which has given her much insight into how health-care
work is performed, a significant amount of leadership
experience in just this organisation, as well as a large
number of contacts at different levels in VGR. Although
semi-retired, when the RAP and RASP projects were carried
out, she was still active in some strategic projects and
maintained a strong position and a very good reputation
in the larger VGR organisation. She was also regarded as a
trustworthy person. The RASP team members and the
shared a strong belief in the importance of stakeholder
interaction. A participatory structure was created, includ-
ing a group with RASP administration managers and local
interdisciplinary working groups (Figure 2).
The group with RASP administration
included a representative from each of the 15 administra-
tions in VGR, who were members of or had a strong
connection to their respective administration’s manage-
ment board. As such, it became an informal steering
group. Each RASP administration manager was responsi-
ble for creating and managing an interdisciplinary group,
consisting of physicians, nurses and administrative staff,
at their local administration.
What happened chronologically?
RASP commenced in September 2010. To enable good
stakeholder interaction with all 15 administrations, a clear
common objective related to patient security was created
and the participatory structure was designed. A commit-
ment to work according to this participatory structure was
subsequently obtained, first from the formal steering
group, then from VGR’s top management board in which
all administrations are represented, and finally from the
15 selected RASP administration managers that would
become the heart of the participatory structure. In the
following phase, process modelling activities were carried
out with several iterations in the local interdisciplinary
work groups of each administration, where the
led the meetings supported by the local RASP administra-
In a final iteration, models were discussed and refined in
cross administration meetings. Results from all these mod-
elling meetings were analysed and synthesised by the
RASP team and then discussed with the RASP administra-
tion managers and the CP. Parallel to the modelling work,
time was spent maintaining commitment at all levels.
Finally, preparations were carried out to get a formal
approval for the results of RASP. RASP ended when its
results were formally ratified by the Director of Health-Care
on 6 October 2011.
Figure 2 The participatory structure in RASP as it was described
in the project.
Understanding champion behaviour Joeri van Laere and Lena Aggestam52
European Journal of Information Systems
Results and analysis: how champions and
champion behaviours interact and form a
In this section, eight examples of championing, as
observed in RASP, are presented. Each example is illu-
strated in a small figure, according to the syntax shown in
Figure 3, and thereafter explained. The general champion
behaviours are adopted from lists of champion behaviours
identified in a number of earlier studies (Howell et al, 2005;
Howell & Shea, 2006; Walter et al, 2011).
The examples play an important role in achieving our
article’s aim, since they together provide an in-depth
insight into what championing is about. In the subsequent
analysis, a more elaborated conceptualisation of cham-
pioning is constructed from the example descriptions.
Example 1: Recruiting the RASP team members
During different moments in RASP, it was important to
recruit the right people. One example is when the CP
recruited PM-IS, PM-HC and PL-HC. This example illus-
trates how the CP relied on experience from earlier inno-
vation projects and how different champion behaviours
strengthen each other (Figure 4).
The CP and PM-IS knew each other from a network of
logistical change managers in which PM-IS was one of the
members and the CP was the mentor. When the CP
became aware that PM-IS was dissatisfied with her current
work role and planned to resign, the CP approached her
and discussed potential opportunities and needs for her in
VGR. Simultaneously, the CP spoke with a potential new
manager. After informally receiving a positive response
from both PM-IS and the new manager, the CP and the
new manager arranged the formal appointment of PM-IS.
The interview with the CP reveals that the strategy of
combining informal and formal channels to obtain the
interest and nomination of desired persons was
consciously. This strategy involved contacting both the
desired person and that person’s manager, first informally,
to check out the situation, and then, if the result was
positive, more formally, in order to obtain the formal
appointment decision. The informal discussions provided
insights into the person’s appropriateness, regarding com-
petence and motivation, and whether the person was able
to leave the current assignment. The informal discussions
prevented the necessity of posing an inappropriate formal
request that would be refused. The CP applied this strategy
not only in RASP: ‘to select the appropriate staff- and
project members has been my main success factor
throughout my career’.
The interview with the CP also reveals that PM-IS, PM-
HC, and PL-HC were recruited with a strategy in mind.
They were selected because they would contribute knowl-
edge or strategic relations that the CP or the project
currently lacked. The CP stated: ‘when I do not have a
certain relation with an important person or important
organisational unit myself, I invite someone into the
project that has that relation’. PM-HC was a Development
Manager and a respected member of the largest adminis-
tration who had been working with referral processes in
that administration. PL-HC was an Operation Controller
who represented another large administration and had
worked in organisation development projects across dif-
ferent administrations. Both had long careers in VGR and
understood the organisation well. PM-IS has an academic
background in ISD and CSF. The combination of these
RASP team members resulted in good knowledge in IS
development, insight into how health-care functions in
general and in VGR in particular, as well as access to many
personal networks in different parts of the VGR organisa-
tion. The involvement of these three people lifted the
capabilities and status of RAP (and later RASP).
Example 2: Recruiting interdisciplinary group members
Later, in RASP, RASP-administration managers had to
recruit members for the interdisciplinary work groups of
each local administration. This example shows how the
champion behaviours from Example 1 were applied differ-
ently in a later phase of the project and at a different level
of the VGR organisation. The adaptation involves multiple
champions cooperating and co-performing certain cham-
pion behaviours (Figure 5).
The RASP team supported each RASP administration
manager in recruiting by designing general require-
ments which were presented on a slide to the RASP-
administration managers. The requirements were that
the group should include experience from and knowl-
edge about the referral and answer process from different
perspectives, it should be interdisciplinary and it should
have members with enough time to work in RASP. With
the support of these requirements, the actual selection
was carried out by the RASP-administration managers, as
they had the contextual knowledge to find the appro-
priate persons within their administrations. The RASP
team was available for consultation, if the RASP admin-
istration managers had questions concerning how this
Actual application in
Influence on next champion behaviourInfluence from previous champion behaviour
Figure 3 Syntax for the example models presented in the results section.
Understanding champion behaviour Joeri van Laere and Lena Aggestam 53
European Journal of Information Systems
could be achieved. In addition, PM-HC contributed to
forming the interdisciplinary group in her local admin-
istration. PM-HC discussed how to put the group
together with her RASP administration manager and
provided support by informally consulting some of the
identified key persons.
Example 3: Developing the participatory structure
One of the clearest impacts on how the involvement of
certain people redefined the nature and content of the
innovation process became obvious when PM-IS, PM-HC,
PL-HC and CP became involved in the discussion regard-
ing how the RAP objectives should be achieved. This
resulted in the development of the participatory structure
(Figure 2). Example 3 illustrates how different champions
contribute their range of experiences and backgrounds and
how they together create a meaningful whole when they
integrate their knowledge and champion behaviours
In the first meetings with the RAP project team, user
participation was discussed. Everybody shared the view
that user participation was important for achieving suc-
cess. However, during the forthcoming project planning
discussions, when the activities regarding how to achieve
user participation at a more detailed level were being
defined, it became clear that opinions diverged concerning
the practical implications of user participation. Opinions
varied from actually involving the users in each step of the
development work to the project team first carrying out
the development work and then asking some users to
provide feedback on the models. Taking experiences from
earlier research into account, PM-IS had strong scientific
arguments for the necessity of involving the users inten-
sively throughout the whole development process, a point
of view that was also in line with both PL-HC’s and PM-
of the RASP team
Getting the right
Using informal and
Need for an expert
with social network
in parts of
large social network
Figure 4 Championing in example 1.
the RASP team
RASP admin mgrs
Using informal and
CSF in IS
Getting the right
functions to involve
RASP admin mgrs,
Getting the right
RASP admin mgr
Figure 5 Championing in example 2.
Understanding champion behaviour Joeri van Laere and Lena Aggestam54
European Journal of Information Systems
HC’s practical experiences. Since PM-IS shared an office
with CP and worked with CP on other projects, PM-IS
had the opportunity, during informal discussions, to
‘now and then’ discuss the necessity of actually invol-
ving the users in the project. From these discussions it
emerged that PM-IS’s scientific arguments and the
desired participatory approach were also in line with
the CP’s own experiences. Accordingly, the CP contrib-
uted to further developing the participatory way of
working. In this process, PM-IS served as a link between
the RASP team and the CP. During RASP team meetings,
which were often held in the building that housed the
office of PM-IS and CP, RASP team members had the
opportunity to consult the CP when questions arose, or
the CP could briefly join the meeting. When meetings
were organised elsewhere, PM-IS collected questions and
discussed them with the CP the next day.
While the RASP team developed the participatory struc-
ture, the CP contributed, among other things, with the
requirements that the RASP administration managers had
to have a connection to the local management board of
each respective administration and be nominated by
the administration manager. This is further described in
Example 4 concerning building support for this structure.
Example 4: Support from the higher decision-making
Working according to the participatory structure was an
innovation in itself and, as such, it was necessary to
convince different stakeholders in VGR of its benefits. This
example also illustrates how different champions coopera-
tively orchestrate their champion behaviours and demon-
strates how informal anchoring and formal decision
meetings are used to build support (Figure 7).
structure to be
RASP team, CP
Using informal and
Using informal and
Listening to or
discussing the talks
support for way of
support for way of
CSF in IS
Lack of stakeholder
interaction in recent
need for real user
RASP team, CP
Using informal and
Figure 7 Championing in example 4.
CSF in IS
Requirement that RASP-
admin managers should be
Getting the right people
Lack of stakeholder
interaction in recent
CP, PL-HC, PM-HC
Need for connection
need for real user
RASP team, CP
Using informal and
Figure 6 Championing in example 3.
Understanding champion behaviour Joeri van Laere and Lena Aggestam 55
European Journal of Information Systems
As described earlier, PM-IS and CP shared an office and
worked together in other projects, which gave them
numerous opportunities for informal conversations.
Through these and other interactions between the RASP
team and the CP, as well as between PM-IS and the CP, the
RASP team had favourable opportunities to gain support
for their strategies from the CP. In turn, the CP was the
link between RASP and the steering committee and
between RASP and the management board in VGR. After
the CP was committed to the work structure proposed by
RASP, she focused on obtaining support from the RAP
steering group and the 15 administration managers that
form the VGR management board. On various occasions,
the CP discussed the intended working structure with the
Chairman of the Steering Committee. These conversations
were regularly communicated from CP to PM-IS, but some-
times PM-IS was, in a way, part of the conversations, since
CP met the Chairman or talked with him by telephone in
the office shared with PM-IS. This meant that PM-IS had a
clear and updated understanding of the steering commit-
tee’s opinions. Another challenge was to have the way of
working sanctioned by the VGR management board. This
was important because without their approval it would not
be prioritised and necessary resources would not be allo-
cated. In order to obtain their commitment, the CP had
informal meetings that served as a means of obtaining
information about the important aspects for the adminis-
tration, as well as an opportunity to explain why it was
necessary to work according to the intended structure.
Consequently, arguments were dealt with before the
formal meetings and, by listening well, the message at the
meetings could be attuned to addressing any important
matters of interest put forth by the Chairman and the
managers. The CP openly reflected over this informal
anchoring process in discussions with PM-IS: ‘Have we
talked with all now?’
Example 5: Support from the RASP administration
After securing commitment from top management, sup-
port for the participatory way of working had to be
obtained from those who would participate in RASP. This
was primarily achieved during the first two formal meet-
ings with RASP administration managers (Example 5) and
the first meetings with the local interdisciplinary
groups (Example 6). Examples 5 and 6 illustrate how the
champion behaviour from Example 4 was adapted to
different contexts when applied in a later phase of the
project and at a different level in the VGR organisation
The first meeting with the group of RASP administration
managers was a critical step, because without their com-
mitment to the aims of RASP and the intended way of
working (the participatory approach), it would have been
necessary to re-plan everything. The fact that the man-
agers were not used to being involved so early in the
project is illustrated by the following comment: ‘Are we
included already now?’ The meeting was planned in close
cooperation between the RASP team and the CP, in a
highly iterative manner similar to the description in
Present the patient
suggested way of
Possibility for local
RASP admin mgrs
Present the facts
and figures of
Committing to RASP
and the way of
RASP admin mgrs
Long career in VGR
CSF in IS
the referral process
CP, PL-HC, PM-HC
Academic career in
RASP admin mgrs
Figure 8 Championing in example 5.
Understanding champion behaviour Joeri van Laere and Lena Aggestam56
European Journal of Information Systems
Example 3. Furthermore, the RASP team prepared slides
whose contents were sanctioned by the CP, who also
meticulously reformulated certain sensitive matters that
could divert the discussion in the wrong direction (given
her knowledge of the organisation). The plan included
that each RASP member should be responsible for the
preparation and presentation of parts which related to
their specific competence. The CP, who represented a
direct link to the top management level and who is
favoured with a highly respected status in the organisa-
tion, presented the goal of RAP as an opportunity to really
increase patient security. PL-HC and PM-HC, with long
careers in VGR and extensive knowledge of how the
organisation functions at all levels, presented the facts and
figures of the referral processes, as well as real patient cases,
in order to substantiate the objective and make the appeal
more emotional. PM-IS, with academic experience regard-
ing CSF in IS development, presented the participatory
structure. The CP was vigorous and persistent concerning
the necessity of RAP and RASP to address patient security,
explicitly illustrating and repeating this message whenever
questions arose in the first meeting. At the same time,
although a commitment to this general objective was
required (the why and what), each administration was free
to choose how to reach this objective, thus allowing local
adaptions of the implementation (the how). This was
important since the prerequisites of the different adminis-
trations varied greatly. Hence, enabling local adaptations
was necessary in order to secure their commitment, but also
for increasing patient security. In addition, the RASP team
answered questions and took note of comments received,
reflected upon them and prepared more elaborate answers
for the next meeting with the same group. This created an
atmosphere in which doubts and scepticism were openly
discussed and used to strengthen the way of working and
the developed referral process (see also Example 7).
Example 6: Support from the interdisciplinary work
Meetings with the interdisciplinary work groups in a way
mirrored those with the RASP administration managers, but
also included discussions of referral and answer challenges
at a more detailed level, as well as modelling work. The
design and implementation was in line with the description
in Example 5, however, the RASP team themselves designed
and carried out the presentations on the basis of the
decisions made and discussions held in the meetings with
the RASP administration managers and the CP. As such, this
example shows how previously applied champion beha-
viours once again are adapted to a new context and how
champions take over each other’s roles (Figure 9).
Again, the RASP team members utilised their different
backgrounds and, as such, their status related to different
topics, both during the presentation and when moderating
the following modelling activities. Owing to the large
number of meetings, it was not always possible to have all
three RASP members present, but at least two of them
participated in each meeting. Since the RASP administra-
tion managers had some pre-understanding from the meet-
ing with all the RASP administration managers, they were at
this stage actively used to supporting the RASP team in the
local context. The RASP administration managers were
Present the patient
suggested way of
Clarify how RASP
RASP admin mgrs
Present the facts
and figures of
to RASP and the
way of working
RASP admin mgrs
Long career in VGR
CSF in IS
the referral process
CP, PL-HC, PM-HC
Connection to local
RASP admin mgrs
Academic career in
RASP admin mgrs
RASP team, CP,
RASP admin mgrs
RASP admin mgrs
Figure 9 Championing in example 6.
Understanding champion behaviour Joeri van Laere and Lena Aggestam 57
European Journal of Information Systems
already informed about the RAP and RASP mission of
increasing patient security. Therefore, the RASP team could
invite the administration managers to help confirm and
clarify the goal of RASP for the members of the interdisci-
plinary work groups. The local RASP administration man-
ager was also utilised by the RASP team when questions
and issues arose regarding how this could be performed
and achieved in their own situation and context. In this
way, the local RASP administration manager partly filled
the role of the CP. For example, in one administration
work group, members shared concerns about sometimes
not having the time to sign a referral before it had to be
sent. At that point, the RASP administration manager
vigorously stated that this matter needed to be solved by
adjusting the local working routines.
Example 7: Establishing the participatory approach and
that the object of design includes both the referral
process and the rule book
Although the RASP team and the CP were initially most
active in defining and formulating the participatory way of
working, others became more involved in defining the
participatory way of working and the new way of conduct-
ing the referral and answer process in VGR. This example
shows how the champion behaviours of ‘formulating the
innovation’ and ‘building support’ are closely interrelated
and, again, how championing is adapted to new situa-
tions, as well as how multiple champions contribute and
together create a meaningful whole (Figure 10).
After the first meeting with the RASP administration
managers, the RASP team felt they had not succeeded in
properly answering the question: ‘Why shall we succeed
this time?’ When this question was raised by the RASP
administration managers, the answers of the CP and the
RASP team had been based on stories and assumptions, not
on facts, and thus the answer had not been convincing
enough. The RASP team therefore put an effort into
analysing prior referral and answer projects in more detail.
The main differences between the former way of working
and the new approach were summarised on a slide as
answers to: ‘What is there to say that we will succeed this
time?’ At the second meeting with the RASP administration
managers, the CP presented this overview, a strategic move
to signal the importance of the issue. The same slide was
later used in the meetings with the interdisciplinary work
groups. The efforts of the RASP administration managers,
who questioned the first arguments, and those of the RASP
team, enhancing the motivation, resulted in a more con-
vincing first presentation to the interdisciplinary work
groups. When the RASP team evaluated the models of the
new referral process, which were developed collaboratively
with all the administrations, deficiencies in an official
document called the rule book became apparent. When
the reciprocal relationship between the rule book and the
referral process was discovered, the CP, the RASP team and
the RASP administration managers concluded that both
should be ʻobjects of design’. Next, the CP lobbied by
discussing this question informally and formally with the
RASP steering group, while the RASP administration man-
agers built support at the local level. Next the CP and PL-HC
presented the proposal that the referral process and the rule
book from then on would be included in one document at a
formal management meeting and obtained a formal deci-
sion. This meant that a new referral process automatically
implied a new version of the rule book.
Example 8: Maintaining support
After the initial engagement had been created at higher
decision-making levels (Example 4), among the RASP
administration managers (Example 5) and among their
interdisciplinary work groups (Example 6), a continuous
challenge was to maintain motivation and support at all
these levels. This example shows how multiple champions
are involved to maintain support (Figure 11).
RASP admin mgrs
Searching for and
RASP team, CP
between rule book and
Gain support for
inclusion of rule book
as object of design
CP, RASP admin mgrs
Using informal and
new referral process
RASP adming mgrs
Obtaining formal decision
inclusion rule book in
Figure 10 Championing in example 7.
Understanding champion behaviour Joeri van Laere and Lena Aggestam58
European Journal of Information Systems
Although the CP was vigorous in her support at the first
two meetings with the RASP administration managers, she
was not as active in the discussions at subsequent meetings.
Instead, the RASP team handled the discussions while the
CP was supportive through her presence and body lan-
guage. The symbolic value of her presence was critical to
maintaining the commitment and support over time,
including that of the formal steering group. Nevertheless,
there was a clear difference in the degree of support between
the earlier and later meetings. Informal discussions were
not only utilised to build support in preparation for formal
meetings, but also to monitor whether support was being
maintained. Here, not only the CP, but each RASP team
member used their social network. For example, during a
coffee break at a meeting related to another project, a
person from one of the administrations approached PM-IS
and raised some doubts concerning RASP, as well as com-
municated some deficiencies in the local administration.
This made it possible for PM-IS to both explain some
matters and to adapt the forthcoming meetings for that
administration’s local work group, in order to deal with the
scepticism. In similar ways, all members of RASP promoted
the project and gathered relevant information to adjust the
project to local circumstances in different administrations.
In the concluding phase, when the RASP team and the CP
prepared the final presentation to the VGR management
board, it appeared that support for most of the decisions
concerning RASP was already in place, thanks to the applied
participatory structure. RASP administration managers and
interdisciplinary group members had already spread the
results of RASP and certified that the local interests of their
administration had been acknowledged in the end result.
Table 1 and Figure 12 present the main elements of our
more elaborated conceptualisation of championing which
is based on a thorough analysis of the previously described
In all the examples (except Example 1), champion
behaviours are performed by multiple champions, either each
of those champions performs a single behaviour, or several
champions co-perform a single championing activity. This is
clearly shown in all the figures where the names of
different champions are connected to the behaviours, or
where more champions are connected to a single beha-
viour. Next, all the examples show how different champion
behaviours are interrelated and how they strengthen each other
(as indicated by the arrows between the behaviours). This
is indicated within examples but also across examples. For
instance, within Example 4, ‘the use of informal and
formal processes’ strongly contributes to ‘building sup-
port’. It was hard to discern between ‘developing the
participatory structure’ in Example 3 (which is an example
of ‘formulating the innovation’) and building support in
Example 4. ‘Building support’ is enabled by means of
‘formulating the innovation’ in such a way that it attracts
the target groups and is recognised by them. Conversely,
the ‘building support’ process consists of carefully listen-
ing to target group representatives during informal discus-
sions so that their comments and viewpoints can later be
used to ‘re-formulate the innovation’ to better suit their
interests and, in turn, facilitate its acceptance. Combining
the previous observations, championing implies that the
collective knowledge of all involved champions, their
collective status and networks, and so forth, influence
how they collectively perform and co-perform champion
behaviours to impact overall project success. From this
realisation followed another aspect of championing that
became increasingly clearer during the analysis; champion
behaviours do not just (randomly) interact and champions
do not (randomly) choose behaviours, instead, both cham-
pions and champion behaviours form a meaningful whole. This
means that the different champions are continuously and
through the participatory
RASP admin mgrs
Using informal and formal
presentation for VGR
RASP team, CP
Using informal and
Obtain commitment from
VGR management board
CP, RASP team
Using informal and
Know people on
different levels and in
different units of VGR
CP, RASP team
large social network
on all levels
on a continual basis
CP, RASP team
RASP admin mgrs
Symbolic value of
Figure 11 Championing in example 8.
Understanding champion behaviour Joeri van Laere and Lena Aggestam 59
European Journal of Information Systems
consciously adapting their champion behaviours to each
other, thereby, together in interaction, creating a coherent
and meaningful whole. This coherent performance
becomes meaningful by adapting it to the current situation
and context in which championing is being performed.
‘Building support’ involved different champions and dif-
ferent champion behaviours, depending on the level in
the organisation and the phase of the project (Examples 4,
5, 6 and 8). In this continuous adaptation process, cham-
pions can switch roles completely. Where the CP is persistent
at defining moments during high level board meetings
(Example 3), the RASP administration managers fulfil this
role during modelling sessions that the CP does not attend
(Example 7). Similarly, recruiting is performed by the CP in
Example 1 and by RASP administration managers sup-
ported by the RASP teams in Example 2. Finally, in
Example 1, the CP states explicitly several times that she
heavily relies on championing experience from previous innova-
tion projects. This is implicitly expressed by other cham-
pions when they explain why they favoured certain
champion behaviours in particular situations. As a result,
champions learn from championing in previous innova-
tion projects and take the lessons learnt with regard to
championing from this project to future innovation projects.
The discussed aspects of championing are presented in
Figure 12. Figure 12 gives an overview how multiple cham-
pion behaviours performed by multiple champions form a
meaningful whole in a particular context and situation; how
this collective performance is adapted from situation to situa-
tion over time; how each collective performance utilises each
champion´s knowledge and experiences and simultaneously
generates new learning; and how this continuous process of
collective performance impacts innovation success. The figure
can be interpreted as a summary of how championing has
Characteristics of championing observed in RASP
Characteristics of championing observed in RASP
Multiple champions perform champion behaviours
Champions co-perform a single champion behaviour
Champion behaviours are interrelated and strengthen each other
Champions and their champion behaviours form a meaningful whole
Championing (the behaviours selected and who performs them) is adapted to the situation and over time
Champions switch roles
Champions learn across innovation projects by relying on acquired championing experience in earlier innovation projects and by gathering
championing experience for future projects
multiple behaviours performed by multiple
champions forming a meaningful whole in a
multiple behaviours performed by multiple
champions forming a meaningful whole in a
Collective experience of
champion 1, 2, 3, 4, …
Knowing the innovation
Knowing the organisational context
Knowing the decision making context
Having a large social network
Having a respected status
Using informal and formal processes
Getting the right people involved
Formulating the innovation
Environmental scanning through people
Persisting under adversity
Adaption to new situation over time
Utilising previous experience
Utilising previous experience Learning
to new situations over time
Continuous utilisation of experience
and continuous learning
Figure 12 A more elaborated conceptualisation of championing.
Understanding champion behaviour Joeri van Laere and Lena Aggestam60
European Journal of Information Systems
been observed in our case study, and as a richer concep-
tualisation of how collective championing is performed in
general, that can inform future research and practitioners.
Discussion, limitations and implications for future
The way that championing has been observed in our case
study goes to the best of our knowledge beyond the
existing portrayal of championing in the literature. Cham-
pioning is not performed by single heroes (as in the heroic,
individualistic perspective); instead, there are multiple
heroes that collaborate intensively. In that collaboration,
they do not have strictly separate roles (as in the inter-
active perspective where several specialists each serve a
distinctive role), but can both co-perform championing
activities (while simultaneously contributing with experi-
ence from their specialisations) and even switch roles
completely, if situational circumstances require it. Finally,
our case examples show that adaption to situational con-
text over time is much more complex than an inverted U
relationship (Walter et al, 2011) or an adaption to three
general phases (Taylor et al, 2011).
As discussed previously, one limitation of our study is
that it is the study of just one project. This research design
choice was inevitable to enable the discovery and in-
depth study of interactions between champion beha-
viours. However, there is a clear need to apply our frame-
work in other organisations and other areas, in order to
validate and develop it further. Another limitation is how
the champions and champion behaviours have been
identified. Most often in studies on championing, many
different people involved in the innovation are first
invited to nominate a champion and then an analysis of
the particular behaviours the nominated champion exhi-
bits is conducted. However, our approach has been to first
identify champion behaviours and then seek out the
person who performs them. It is clear that nominating
champions by seeking out the most influential individual
(as in the individual heroic perspective) hampers the
identification of collective champion performance.
Therefore, an interesting option for future studies would
be to aim at combining our way of identifying champions
and the traditional way of broadly seeking out influential
individuals (plural!), to see whether the same persons are
Another research implication is that concepts such as
‘getting the right people involved’ can be interpreted in
multiple ways and more unified definitions should be
proposed. For instance, in our study, the concepts ‘getting
the right people involved’ and ‘building support’ were
clearly different notions, whereas others (Howell et al,
2005) have used them as synonyms. A completely unex-
plored topic is how groups of champions take champion
experiences from one innovation project to another, since,
to our knowledge, champion studies always limit them-
selves to studying just one innovation project and not
several sequential ones.
Implications for practitioners
As researchers, we have a pragmatist stance which implies
an interest for what works and what does not work
in a practical context (Goldkuhl, 2012). Hence, based
on our study, we have developed some guidelines for
● Be aware of the importance of champions for innova-
tion project success. People that are continuously posi-
tive about the project, talk well about it and can act as
sponsors must be involved in the project.
● Pay attention and put effort into finding good cham-
pions (plural) for the project. The champions should
complement, not resemble, each other, and each cham-
pion must be committed to the goal of the project. In
RASP, this was patient security.
● Collectively, the champions should have the following
� A respected status among stakeholder groups that are
critical for the project
� A relevant and strong social network
� Complementary skills and competences
� Knowledge about the organisational context and the
● The project leader is a key champion and, hence, the
most important qualification is that this person is
respected, confident, and has status in the context
where change is needed.
● Effective championing requires a holistic approach and
adaptation to situations and over time. Hence, it is
important that champions are good listeners and have
the capacity to reflect and learn, for example, to under-
stand people’s daily work experiences and to envisage
how the project may improve their situation.
Our main contribution is a rich illustration and exemplifi-
cation of championing presented in eight examples and a
more elaborated conceptualisation of championing cap-
tured in Figure 12, that explains:
● how champion behaviours are interrelated
● how champion behaviours are performed by multiple
● how champions and their champion behaviours form a
coherent and meaningful whole
● and how the constellation of behaviours and champions
is adapted to situational context and over time.
In addition to this main contribution, some other
lessons learnt have been identified. Champions involved
in a project can co-perform certain champion behaviours,
while simultaneously contributing different expertise
according to their backgrounds and specialisations.
In adapting to situational circumstances, champions can
also exchange roles, in order to apply the best champion
behaviours available, during the various stages of a pro-
ject. Also, champions learn from championing in earlier
Understanding champion behaviour Joeri van Laere and Lena Aggestam 61
European Journal of Information Systems
projects and gather experiences during the current pro-
ject that can enable more effective championing in the
For practitioners, this implies that a diversified group of
champions should be recruited, rather than one heroic
individual. The members of this champion group should
complement each other’s knowledge, status and social net-
works, and be careful listeners who are eager to learn how to
adapt to each other and to situational circumstances.
The most important challenge for future research is to
study these championing collectives across several sequen-
tial innovation projects.
We thank the members of the VGR organisation for their
generosity in sharing their experiences. We are also grateful
for the support and insightful comments of the Associate
Editor and two anonymous reviewers.
About the authors
Joeri van Laere is an Assistant Professor at University of
Skövde, Sweden. He holds a Ph.D. in Information Systems
from Delft University of Technology, the Netherlands. Joeri
performs research at the interface of organisation science,
communication science and information systems. His
research interests include decision support, crisis manage-
ment, gaming-simulation, knowledge management, organi-
sational change and distributed work. He has published at
several international conferences such as ECIS, HICSS, and
ISCRAM, and in journals including the Journal of Contingencies
and Crisis Management, the Journal of Information Fusion and
the Journal of Production, Planning and Control.
Lena Aggestam is an Assistant Professor at University of
Skövde, Sweden. She holds a Ph.D. in Computer Science
from Stockholm University, Sweden. Based on systems
thinking, in the areas of learning organisations and knowl-
edge management, her research interests include change
management and how to achieve sustainable development,
information systems development and critical success fac-
tors. She has published at several international conferences
such as ECIS, HICSS, and IRMA, and in journals including the
International Journal of Knowledge Management, Information,
the Journal of Cases on Information Technology and the Inter-
national Journal of Systems and Service-Oriented Engineering.
AGGESTAM L and VAN LAERE J (2012) How to successfully apply critical
success factors in healthcare information systems development–A story
from the field. ECIS 2012 Proceedings, Paper 220, http://aisel.aisnet.org/
BASS BM (1985) Leadership and Performance Beyond Expectation. Free Press,
BEATH CM (1991) Supporting the information technology champion.
MISQ 15(3), 355–372.
CHAKRABARTI AK (1974) The role of champion in product innovation.
California Management Review 17(2), 58–62.
CURLEY KF and GREMILLION LL (1983) The role of the champion in DSS
implementation. Information and Management 6(4), 203–209.
DONG L, NEUFELD D and HIGGINS C (2009) Top management support of
enterprise systems implementations. Journal of Information Technology
EISENHARDT KM and GRAEBNER ME (2007) Theory Building from Cases:
Opportunities and Challenges. Academy of Management Journal 50(1),
FICHTER K (2009) Innovation communities: the role of networks of
promotors in open innovation. R&D Management 39(4), 357–371.
GOLDKUHL G (2012) Pragmatism vs interpretivism in qualitative informa-
tion systems research. European Journal of Information Systems 21(2),
HENDY J and BARLOW J (2012) The role of the organizational champion in
achieving health system change. Social Science & Medicine 74(3), 348–355.
HENG MSH, TRAUTH EM and FISCHER SJ (1999) Organisational champions of
IT innovation. Accounting, Management and Information Technologies
HOWELL JM (2005) The right stuff: identifying and developing effective
champions of innovation. Academy of Management Executive 19(2),
HOWELL JM and HIGGINS CA (1990) Champions of technological innova-
tion. Administrative Science Quarterly 35(2), 317–341.
HOWELL JM and SHEA CM (2001) Individual differences, environmental scan-
ning, innovation framing, and champion behavior: key predictors of proj-
ect performance. Journal of Product Innovation Management 18(1), 15–27.
HOWELL JM and SHEA CM (2006) Effects of champion behavior,
team potency, and external communication activities on predicting
team performance. Group & Organization Management 31(2),
HOWELL JM, SHEA CM and HIGGINS CA (2005) Champions of product
innovations: defining, developing, and validating a measure of cham-
pion behavior. Journal of Business Venturing 20(5), 641–661.
MAIDIQUE MA (1980) Entrepreneurs, champions and technological inno-
vation. Sloan Management Review 21(2), 59–76.
MALIK MA and KHAN HR (2009) Understanding the implementation of an
electronic hospital information system in a developing country: a case
study from Pakistan. In Proceedings of the Third Australasian Workshop on
Health Informatics and Knowledge Management (HIKM 2009), CRPIT
volume 97 (Warren JR, ed), pp 31–36, Australian Computer Society,
Wellington, New Zealand.
MILLERY M and KUKAFKA R (2010) Health information technology and
quality of health-care: strategies for reducing disparities in under-
resourced settings. Medical Care Research & Review 67(5Suppl),
NGWENYAMA O and NIELSEN PA (2014) Using organizational influence
processes to overcome IS implementation barriers: lessons from a
longitudinal case study of SPI implementation. European Journal of
Information Systems 23(3), 205–222.
NGWENYAMA O and NØRBJERG J (2010) Software process improvement with
weak management support: an analysis of the dynamics of intra-
organizational alliances in IS change initiatives. European Journal of
Information Systems 19(3), 303–319.
NEUFELD DJ, DONG L and HIGGINS CA (2007) Leadership and user acceptance
of information technology. European Journal of Information Systems
ROTHWELL R, FREEMAN C, HORLSEY A, JERVIS VTP, ROBERTSON AB and TOWN-
SEND J (1974) SAPPHO updated – project SAPPHO phase II. Research
Policy 3(3), 258–291.
ROURE L (2001) Product champion characteristics in France and Germany.
Human Relations 54(5), 663–682.
ROGERS EM (1962) Diffusion of Innovations. Free Press, New York.
Understanding champion behaviour Joeri van Laere and Lena Aggestam62
European Journal of Information Systems
ROST K, HÖLZLE K and GEMUNDEN HG (2007) Promotors or champions? Pros
and cons of role specialisation for economic progress. Schmalenbach
Business Review 59, 340–363.
SCHÖN D (1963) Champions for radical new inventions. Harvard Business
Review 41(2), 77–86.
SMITH DJ (2007) The politics of innovation: why innovations need a
godfather. Technovation 27(3), 95–104.
SOO S, BERTA W and BAKER GR (2009) Role of champions in the implementation
of patient safety practice change. Health Care Quarterly 12(sp), 123–128.
TAYLOR A, COCKLIN C, BROWN R and WILSON-EVERED E (2011) An investiga-
tion of champion-driven leadership processes. The Leadership Quarterly
WALTER A, PARBOTEEAH KP, RIESENHUBER F and HOEGL M (2011) Championship
behaviours and innovations success: an empirical investigation of univer-
sity spin-offs. Journal of Product Innovation Management 28(4), 586–598.
WITTE E (1973) Organisation fur Innovationsentscheidungen – Das Promotor-
enmodell. Schwart, Gottingen.
WITTE E (1977) Power and innovation: a two center theory. International
Studies of Management and Organization 7(1), 47–70.
YIN RK (2014) Case Study Research: Design and Methods. Sage, London.
ZANDIEH SO, YOON-FLANNERY K, KUPERMAN GJ, LANGSAM DJ, HYMAN D and
KAUSHAL R (2008) Challenges to EHR implementation in electronic-
versus paper-based office practices. Journal of General Internal Medicine
Understanding champion behaviour Joeri van Laere and Lena Aggestam 63
European Journal of Information Systems
Reproduced with permission of the copyright owner. Further reproduction prohibited without
Why Work with Us
Top Quality and Well-Researched Papers
We always make sure that writers follow all your instructions precisely. You can choose your academic level: high school, college/university or professional, and we will assign a writer who has a respective degree.
Professional and Experienced Academic Writers
We have a team of professional writers with experience in academic and business writing. Many are native speakers and able to perform any task for which you need help.
Free Unlimited Revisions
If you think we missed something, send your order for a free revision. You have 10 days to submit the order for review after you have received the final document. You can do this yourself after logging into your personal account or by contacting our support.
Prompt Delivery and 100% Money-Back-Guarantee
All papers are always delivered on time. In case we need more time to master your paper, we may contact you regarding the deadline extension. In case you cannot provide us with more time, a 100% refund is guaranteed.
Original & Confidential
We use several writing tools checks to ensure that all documents you receive are free from plagiarism. Our editors carefully review all quotations in the text. We also promise maximum confidentiality in all of our services.
24/7 Customer Support
Our support agents are available 24 hours a day 7 days a week and committed to providing you with the best customer experience. Get in touch whenever you need any assistance.
Try it now!
How it works?
Follow these simple steps to get your paper done
Place your order
Fill in the order form and provide all details of your assignment.
Proceed with the payment
Choose the payment system that suits you most.
Receive the final file
Once your paper is ready, we will email it to you.
No need to work on your paper at night. Sleep tight, we will cover your back. We offer all kinds of writing services.
No matter what kind of academic paper you need and how urgent you need it, you are welcome to choose your academic level and the type of your paper at an affordable price. We take care of all your paper needs and give a 24/7 customer care support system.
Admission Essays & Business Writing Help
An admission essay is an essay or other written statement by a candidate, often a potential student enrolling in a college, university, or graduate school. You can be rest assurred that through our service we will write the best admission essay for you.
Our academic writers and editors make the necessary changes to your paper so that it is polished. We also format your document by correctly quoting the sources and creating reference lists in the formats APA, Harvard, MLA, Chicago / Turabian.
If you think your paper could be improved, you can request a review. In this case, your paper will be checked by the writer or assigned to an editor. You can use this option as many times as you see fit. This is free because we want you to be completely satisfied with the service offered.