The Organization and Management of Information Technology in Hospitals
Donna M. Schaeffer, PhD and Cynthia Knott, PhD
School of Business Administration, Marymount University,
2807 North Glebe Road, Arlington VA 22207
Email contact: and

Sebelius, Solis Announce Nearly $1 Billion Recovery Act Investment in Advancing Use of Health IT, Training Workers for Health Jobs of the Future

Grant Awards to Help Make Health IT Available to Over 100,000 Health Providers by 2014, Support Tens of Thousands of Jobs Nationwide


Grants were made to 43 states and territories:

  • Alabama
  • American Samoa
  • Arizona
  • Arkansas
  • California
  • Colorado
  • Delaware
  • District of Columbia
  • Florida
  • Guam
  • Hawaii

  • Idaho
  • Illinois
  • Indiana
  • Iowa
  • Kansas
  • Kentucky
  • Maine
  • Massachusetts
  • Michigan
  • Minnesota
  • Missouri

  • Nebraska
  • Nevada
  • New Hampshire
  • New Mexico
  • New York
  • North Carolina
  • Ohio
  • Oklahoma
  • Oregon
  • Pennsylvania
  • Puerto Rico

  • Rhode Island
  • Tennessee
  • Utah
  • Vermont
  • Virgin Islands
  • Virginia
  • Washington
  • West Virginia
  • Wisconsin
  • Wyoming

and 55 community colleges, public and private universities, and training consortiums:

  • Calhoun Community College
  • Mid-South Community College
  • South Arkansas Community College
  • Kern Community College District (KCCD)
  • Los Rios Community College District
  • Mt. San Antonio Community College District
  • San Diego State University Research Foundation
  • San Jose State University Research Foundation
  • San Bernardino Community College District
  • Youth Policy Institute
  • Spanish Speaking Unity Council
  • Otero Junior College
  • National Council of La Raza

  • Providence Health Foundation of Providence Hospital
  • DeKalb Technical College (DTC)
  • Governors State University
  • Indianapolis Private Industry Council, Inc.
  • Ivy Tech Community College of Indiana
  • Iowa Workforce Development
  • Maysville Community and Technical College
  • Louisiana Technical College, Greater Acadiana Region 4
  • Southern University at Shreveport
  • Maine Department of Labor
  • The Community College of Baltimore County (CCBC)
  • Macomb Community College
  • Northland Community and Technical College
  • MN State Colleges & Universities DBA Pine Technical College
  • South Central College
  • The Montgomery Institute
  • Full Employment Council
  • Crowder College
  • Maryville University - St. Louis
  • American Indian Opportunities Industrialization Center
  • University of New Hampshire
  • Passaic County Community College
  • Fulton Montgomery Community College (FMCC)
  • Hudson Valley Community College (HVCC)
  • University Behavioral Associates, Inc.
  • Workforce Investment Board of Herkimer, Madison, and Oneida Counties
  • Goodwill Industries, Inc., Serving E. Neb and SW Iowa
  • Nevada Cancer Institute
  • Berea Children's Home Total
  • BioOhio
  • Cincinnati State Technical and Community College
  • Columbus State Community College
  • Enterprise for Employment and Education
  • Trident Technical College
  • Florence-Darlington Technical College (FDTC)
  • The University of South Dakota
  • Centerstone of Tennessee, Inc.
  • North Central Texas College
  • San Jacinto Community College District
  • The University of Texas Medical Branch at Galveston (UTMB)
  • Shenandoah Valley Workforce Investment Board, Inc. (SVWIB)
  • Workforce Training and Education Coordinating Board

  • Combined with current spending on information technology, (Source: Source: HIMSS Analytics Database):

































    and HIPPA Regulations:

    The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

    resulted in health care organizations following strict standards:

    The Joint Commission on Accreditation of Healthcare Organizations (JCAHO), an independent, not-for-profit organization that accredits and certifies health care organizations in the United States, has included,information management in its standards.


    Elements of Performance

    Standard IM.2.10 "Information privacy and confidentiality are maintained." JCAHO defines privacy as "an individual's right to limit the disclosure of personal information" and confidentiality as "the safekeeping of data/information so as to restrict access to individuals who have need, reason, and permission for such access."

  • Developed written processes based on and consistent with applicable laws addressing privacy and confidentiality
  • Policies have been effectively communicated to staff
  • Effective processes for enforcing policy
  • Monitor compliance with the policy
  • Use monitoring results for improving privacy and confidentiality
  • Patients are aware of uses and disclosures that may or will be made
  • Removal of identifiers encouraged
  • PHI is used for purposes identified to patients or as required by law and not further disclosed without patient authorization
  • Hospital preserves confidentiality of information and “requires extraordinary means to preserve patient privacy”
  • IM.2.20 ensures that “Information security, including data integrity, is maintained.”

    There are 7 Elements of Performance including:
  • Developed written process based on and consistent with applicable law that addresses information security, including data integrity
  • Effective communication of policy, and any changes, to applicable staff
  • Effective process for enforcing the policy
  • Monitors compliance with policy
  • Monitoring results and technology developments used to improve information security, including data integrity
  • Develops and implements controls to safeguard data and information, including the clinical record, against loss, destruction, and tampering
  • Policies and procedures, including plans for implementation and for electronic information systems, address: data integrity, authentication, non-repudiation, encryption as warranted, and auditability, as appropriate to the system and types of information, e.g., patient information and billing information.
    JCAHO specifies the following controls for safeguarding data and information:
  • Developing and implementing policies when removal of records is permitted
  • Protecting data and information against unauthorized intrusion, corruption or damage
  • reventing falsification of data and information
  • Developing and implementing guidelines to prevent the destruction of records
  • Developing and implementing guidelines for destroying copies of records
  • Protecting records in a manner that minimizes the possibility of damage from fire and water.
  • JCAHO IM.2.30, which requires “The hospital has a process for maintaining continuity of information.”

  • usiness continuity/disaster recovery plan
  • Periodic testing to ensure business interruption backup techniques are effective
  • Electronic systems – business continuity/disaster recovery plan addresses the following:
    • • Plans for scheduled/unscheduled interruptions, including end user training
    • • Contingency procedures
    • • Plans for minimal interruptions during scheduled downtime
    • • Emergency service plan
    • • Back up system
    • • Data retrieval – including from storage and information presently in active systems
  • IM 3.0 requires that the hospital has processes in place to effectively manage information, including the capturing, reporting, processing, storing, retrieving, disseminating, and displaying of clinical/service and non-clinical data and information.

  • Uniform data definitions and data capture methods
    • • Minimum data sets, terminology definitions, classifications, vocabulary, and standardized nomenclature
    • • Industry standards are used when possible
  • Abbreviations, acronyms, and symbols are standardized throughout the hospital and there is a “don't use” list
  • Quality control systems are used to monitor data content and collection activities
    • • Method used assures timely and economical data collection with the degree of accuracy, completeness, and discrimination necessary for their intended use

  • Due to regulations like Health Information Privacy and Protection Act (HIPAA) and growing sensitivity to privacy, the position of Chief Privacy Officer had been created in many hospitals. This position brings together policy and technology, and requires an individual with an interdisciplinary background. The CPO must have knowledge of information technology, business processes, law, ethics, and medical research. They work closely with records and information managers within the hospital.

    The Chief Security Officer is responsible for protecting and monitoring all information, including assuring proper access by those both outside of and inside of the hospital. Data and information may be protected by technical means, such as encryption or physical means, e.g., access codes. Typically, CSOs have a four year degree in computer science or business information systems and may hold certifications, e.g., CISSP, CCNA or CNSA. It is important for the CSO to understand networking protocols and operating systems.


    Executive Director of Information Services:

  • 30 employees
  • budget of approximately $3.2 million for operating and capital projects
  • undergraduate degree in business administration, computer science, health administration or other technical field, and a graduate degree preferred
  • eight years experience, with three to five of those years in progressive management experience
  • recent experience in the health care field
  • understanding of project management and change management
  • reports to the Chief Operating Officer
  • Director of Health Information Management

  • three managers with 40 full-time direct reports
  • Registered Health Information Administratorm certification
  • 10 years of experience in health records, some management experience
  • reports to the Chief Operating Officer
  • Chief Security Officer

    The Vice President of Marketing and Business Development serves is responsible for security of information.

    (Source: US Navy)

  • reports directly to the Commanding Officer of the National Naval Medical Center
  • oversees
    • Chief Technology Officer
    • Chief of Medical Informatics Officer
    • Deputy Chief Information Officer.
  • 109 employees
  • budget of $11,400,000.