Health IT VI. Key Issues: Financing and Delivery >> A. Health Spending >> Health Cost Containment  >> Improve Administration >> Health IT (last updated 11.25.16)
Lead Editor: Dana Beezley-Smith, Ph.D.


The adoption of various forms of health information technology (HIT) may have disparate impacts, including improvements in access/continuity of care, quality, patient satisfaction or privacy of medical information.  However, a principal motivation for pursuing HIT is the expectation that it will lead to system efficiencies that result in net savings in the short run or long run. Because most HIT innovations have multiple effects, this section examines the benefits and costs of a full range of HIT innovations for which there is real-world evidence even if their purpose or impact might be quality improvement at the expense of cost containment.
Discussion of health reform policy proposals related to HIT (i.e., policy options under discussion and not yet adopted or implemented) is contained at Health IT under Health Reform, Components of Reform, Cost Containment.

Health Information Technology for Economic and Clinical Health (HITECH) Act 

Health Information Exchange (HIE)

Electronic Health Records (EHRs)


Health IT and Hospitals

  • The Healthcare Chief Information Officer MindMap. “It’s a beautiful display of everything that’s happening in healthcare IT. Although, it’s also an illustration of the challenge we hospital CIOs face. Is it any wonder that so many hospital CIOs feel overwhelmed?” (EMR and HIPAA. 4.8.14)



  • Transition to a Post-HITECH World (9.18.15). The Robert Wood Johnson Foundation. “In 2015… a large percentage of acute care hospitals have at least a basic electronic health record (EHR) system. But many are not ready to meet Stage 2 meaningful use criteria—criteria that must be met in order to participate in the Medicare and Medicaid EHR Incentive programs. Key Findings: By 2014, 75.5 percent of hospitals had adopted at least a basic EHR, a substantial increase from 58.9 percent in 2013; Seventy-six percent of hospitals reported exchanging data with outside health professionals in 2014, up from 62 percent in 2013 and 41 percent in 2008, the year the survey began including this measure; Hospitals continue to face barriers toward adopting national standards enacted in 2009 to encourage technology investments and the development of health information exchanges.”

Hospital Monitoring of High-Risk Behavior

  • Hospitals to Begin Monitoring Your Credit Card Purchases to Flag ‘Unhealthy’ Habits. “What you buy at the grocery store, where you live, and even your membership status at the local gym are all subject to a new data collection scheme by the American medical system. Reports indicate that hospitals and doctors’ offices all across the country are now collecting this and other personal information in order to target individuals deemed to have ‘unhealthy’ lifestyle habits that put them at high risk of disease.” (Caldwell, Leonard, 8.11.14)
  • Hospitals Soon See Donuts-to-Cigarette Charges for Health. “Some hospitals are starting to use detailed consumer data to create profiles on current and potential patients to identify those most likely to get sick, so the hospitals can intervene before they do… Information compiled by data brokers from public records and credit card transactions can reveal where a person shops, the food they buy, and whether they smoke. The largest hospital chain in the Carolinas is plugging data for 2 million people into algorithms designed to identify high-risk patients, while Pennsylvania’s biggest system uses household and demographic data.” (Bloomberg Business, 6.26.14)

Health IT News and Analysis

  •  Reboot: Re-examining the Strategies Needed to Successfully Adopt Health IT. (4.16.13) The key implementation deficiencies can be summed up in five points:
    • Lack of Clear Path Toward Interoperability. The HITECH Act, a $35 billion program of grants and incentive payments in ARRA, was created to promote the use of electronic health records (EHRs) among hospitals and physicians, with the ultimate goal of incentivizing the adoption and use of health information technologies meeting a certain data standard so that providers can share patient health data nationwide… Unfortunately, early reports suggest that federal incentive payments are being made without clear evidence that providers can achieve “meaningful use,” or the ability to use the health IT program internally, and without an adequate plan to ensure providers can share information with each other.
    • Increased Costs. [E]arly reports raise concerns that health IT may have actually accelerated the ordering of unnecessary care as well as increased billing for the same procedures.
    • Lack of Oversight. Based on Department of Health and Human Service’s Inspector General and Government Accountability Office (GAO) reports as well as stakeholder comments and a review of program data, it is increasingly clear that the Administration does not have adequate mechanisms in place to prevent waste and fraud in its health IT programs. Too often we have heard stories of “money spent” being used as a metric of success, rather than specific, concrete program goals and tangible deliverables that are focused on achieving interoperability.
    • Patient Privacy at Risk. We are concerned the administration has not done enough to protect sensitive patient information in a cost-effective manner. Among other problems, regulations related to payments made to providers do not require providers to demonstrate that the technology is secure; consequently, patients’ sensitive, personal medical information may be at risk. In fact, the Inspector General of the U.S. Department of Health and Human Services found that the security policies and procedures at the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology – two federal entities which oversee the administration of the health IT program – are lax and may jeopardize sensitive patient data.
    • Program Sustainability. For providers who have accepted grants or incentive payments, it is unclear how much it will cost to maintain their health IT systems after the initial grant money and incentive payments run out… the complicated patchwork of overlapping reporting and compliance requirements is already placing ongoing compliance burdens on all participating providers. We are concerned that compliance and maintenance costs for providers may be unreasonably burdensome.
  • Omnibus Bill Keeps Office of the National Coordinator for Health IT Funding at Same Level as 2014. “In its ‘Congressional Asks’ — formal requests to Congress to accomplish specific goals to advance health IT – HIMSS urged lawmakers to fund ONC at the higher level. It calls this fourth year and Stage 2 of Meaningful Use a ‘critical juncture’ for the adoption and effective use of EHRs, citing the need to maintain the momentum achieved so far.” (Fierce Health IT, 12.15.14)

Security Concerns

  • Medical Devices Can Lead to Breaches. “Computer-security researchers have discovered a website containing documents that could allow hackers to easily obtain electronic medical records and payment information from health-care providers, CIO Journal’s Rachael King reports. The documents—found by two cybersecurity firms on a site commonly used by hackers—detail the type of equipment used in computer networks, the Internet addresses for computers and other devices, and the passwords to network firewalls run by health-care providers such as nursing homes, doctors’ offices and hospitals. If such networks were accessed, cybercriminals easily could find personal details on individuals, security experts said. Such information could be used to sell credit-card information and—more valuable to hackers—medical information that could be used to commit insurance fraud… The SANS Institute corroborated widespread problems with hackers infiltrating health-care networks and plans to issue a report on the vulnerabilities Wednesday. The report finds that security practices at health-care companies generally aren’t keeping pace with the high volume of attacks, SANS researchers say. Researchers from the institute found evidence of hacked dialysis and MRI machines and compromised personal health information… Medical records sell for about $60 apiece on the black market, while credit-card information typically goes for about $20, said Sam Glines, the CEO of cybersecurity firm Norse Corp. Medical records are ‘more valuable because you can do more with it, including Medicare fraud and prescription fraud,’ he said.” (Wall Street Journal CIO Report, 2.18.14)
  • Expert: U.S. Hospital Breach Biggest Yet to Exploit Heartbleed Bug. “Hackers who stole the personal data of about 4.5 million patients of hospital group Community Health Systems Inc broke into the company’s computer system by exploiting the “Heartbleed” internet bug, making it the first known large-scale cyber attack using the flaw, according to a security expert…Community Health Systems, one of the biggest U.S. hospital groups, said the information stolen included patient names, addresses, birth dates, phone numbers and social security numbers of people who were referred or received services from doctors affiliated with the company over the last five years.” (Reuters, 8.20.14)
  • Apple: Health Apps Shouldn’t Use iCloud Storage. “After an apparent breach into celebrities’ iCloud accounts led to nude photos leaking, Apple is forbidding its health app developers from housing sensitive user data with the storage service. Apple’s latest version of its App Store developers guidelines, released on Tuesday, say that apps “using the HealthKit framework that store users’ health information in iCloud will be rejected, 9to5mac originally reported.” (CNBC, 9.3.14)
  • Patients’ Medical Records Under Threat from Data Breaches. “Your private medical information is under threat. That’s according to a study that found almost 30 million health records nationwide were involved in criminal theft, malicious hacking or other data breaches over four years. The incidents seem to be increasing. Compromised information included patients’ names, home addresses, ages, illnesses, test results or Social Security numbers. Most involved electronic data and theft, including stolen laptops and computer thumb drives… Hackings doubled during the study, from almost 5 percent of incidents in 2010 to almost 9 percent in 2013. Hackings are particularly dangerous because they can involve a high number of records, said Dr. Vincent Liu, the lead author and a scientist at Kaiser Permanente’s research division in Oakland, California. ‘Our study demonstrates that data breaches have been and will continue to be a persistent threat to patients, clinicians, and health care systems,’ Liu said…A JAMA editorial says there’s evidence that the incidents are leading some patients to avoid giving doctors sensitive information about their health, including substance abuse, mental health problems, and HIV status. ‘Loss of trust in an electronic health information system could seriously undermine efforts to improve health and health care in the United States,’ the editorial said.” (Associated Press, 4.14.15)
  • Partners Data Breach Affects 3,300 Patients. “Hackers may have accessed medical and personal information, including Social Security numbers, about 3,300 patients at Partners HealthCare, the health system said Thursday. The breach happened when some Partners employees responded to phishing e-mails, which allowed unauthorized access to their e-mail accounts. Some of the e-mails contained private patient information, including Social Security numbers, addresses, phone numbers, and information about medical treatments and health insurance.” (The Boston Globe, 4.30.15)
  • Three Keys to Improving Privacy and Security Protections for Electronic Health Information Exchange. “Increasing reports of cyber theft of patient information via hacking — most recently of UCLA Health System, EHR vendor Medical Informatics Engineering and its patient portal NoMoreClipboard, and, earlier, of Anthem and Premera — suggest these data breaches will continue as criminals increasingly seek out medical data because the data contain links to financial and insurance information. According to DirectTrust President and CEO David C. Kibbe, MD, MBA, ‘The reason healthcare data are so vulnerable is, in a word, neglect. Despite the rich trove of data it stores, the healthcare industry has not taken security as seriously as other sectors of the economy, where privacy breaches have occurred for several years and systems have been hardened to protect against intruders.’… ‘Ironically, the push to make healthcare information systems more interoperable, and the rush into mobile and wearable healthcare applications may be increasing the vulnerability of health information to hacking events,’ Dr. Kibbe continued.” (Market Wired, 8.4.15)
  • Over 90% Of Cloud Services Used In Healthcare Pose Medium To High Security Risk. “According to cloud security vendor Skyhigh Networks, more than 13% of cloud services used in healthcare are high‒risk and 77% are medium risk ‒ as measured across 54 different security attributes (like data encryption and “two factor” authentication).” Munro, Dan. (Forbes, 9.1.14)
  • Roundup: Three Data Breaches, One Settlement. “The health data breaches continue apace. In Ohio, Kentucky, and North Carolina, for instance, providers have had to announce a series of recent exposure, while in Connecticut a hospital said it has agreed to pay a settlement related to its own security incident.” (Government HealthIT, 11.23.15)
  • Health Care Industry Susceptible to Cyber Attacks. “Health care organizations are a popular target for cyber attacks. According to a KPMG survey published last month, 81 percent of health care executives said their organizations had been hit by malware, botnets or cyber attacks at least once in the past two years. Similarly, recent Raytheon/Websense research found that the health care industry experiences 340 percent more security incidents and attacks than most other industries. Hackers are interested in health care data because of its high value, said Carl Leonard, principal security analyst for Raytheon/Websense. ‘Health care providers have very complete data sets. Your doctor knows pretty much everything there is to know about you,’ he said, adding that the data often even includes links to insurance and other sensitive financial information. With widespread adoption of electronic health care record systems just a few years old, health care organizations are behind the curve when it comes to data protection best practices. ‘They are still learning how to expose data to authorized individuals,’ Leonard said.” (eSecurityPlanet, 10.5.15)
  • 655,000 Patient Records for Sale on the Dark Net. The first database was listed as a ‘Healthcare Database (48,000 Patients) from Farmington, Missouri, United States’… The second database was described as “(210,000 Patients) from Central/Midwest United States.”… The third database was described as ‘Healthcare Database (397,000 Patients) from Atlanta, Georgia, United States’… As the government has pushed providers into greater use of EMR and interoperability, one can only ponder what TheDarkOverlord also told this reporter during our chat: Networking is the downfall of most of my targets.’ (Daily Dot, 6.27.16)

Health IT and Patient Privacy

Governmental Health IT Initiatives



Leave a Reply

Your email address will not be published. Required fields are marked *