As rules and regulations in the healthcare industry expand, so does the hospital C-suite.
New chief-level positions have been born in recent years, such as chief experience officers and chief population health officers. This growth and evolution can be observed especially in the IT department, where a significant portion of new rules and regulations are directed, like meaningful use, health information exchanges and HIPAA-related rules and requirements.
This evolution of the IT department can be perfectly illustrated by the leadership at Beth Israel Deaconess Medical Center in Boston.
When John Halamka, MD, was hired as BIDMC's CIO in 1996, he truly was doing the work of at least three different officers, he wrote in 2012 on his popular "Life as a Healthcare CIO" blog. He was effectively serving as the CIO, CMIO and CTO.
"When I started in 1996, being a CIO was keeping the bits and bytes flowing," he says. "Now, it's strategy, tactic and budgets."
To keep up with the IT evolution, Dr. Halamka recently appointed three other leaders to assume the duties and responsibilities of the CMIO, CTO and CISO. These chiefs report to Dr. Halamka, a move partly spurred by the growing dependence on technology in healthcare as well as the increasing responsibilities each role assumes.
"Today, information is what drives healthcare. Quality, safety, efficiency, the future of connected health — it all depends on technology," Dr. Halamka says. "Because of the importance of this information technology activity in healthcare, you're spreading the workload over four major leaders."
The importance of new IT leadership roles is evidenced by the growing number of professional organizations and societies dedicated to them. In 2014, the College of Healthcare Information Management Executives launched three new member groups for CIOs and other IT leaders: the Association for Executives in Healthcare Information Security, the Association for Executives in Healthcare Information Applications and the Association for Executives in Healthcare Information Technology.
Changing IT leadership roles
The IT C-suite wasn't always crowded with chief officers. The core IT executive was initially limited to the CIO, CTO and CISO roles, which are long-standing positions both in healthcare and other industries.
The CMIO is the only truly new role to join the matrix, says Mac McMillan, CEO of CynergisTek and current chair of the HIMSS Privacy & Security Policy Task Force. "[The CMIO] is literally a new role that healthcare has created by virtue of recognizing this need for having somebody who's got one foot in the technical side and one foot in the clinical side, who can translate back and forth," he says.
Mr. McMillan says he really started to see the CMIO role emerge around 2009 and 2010. While some hospitals had CMIOs before then, it wasn't until just a few years ago when CMIOs were as prevalent as they are today.
Mr. McMillan continues, "CIOs who have never worked in healthcare may be brilliant from an IT perspective, but they need that CMIO…to help them understand exactly what they need those systems to do from an operational perspective."
For example, Springfield, Mass.-based Baystate Health created a CMIO position in 2012 after the hospital attested to meaningful use stage 1. The University of Virginia Health System in Charlottesville appointed its first CMIO in 2014.
The CNIO role is also emerging in prominence. While CMIOs have a clinical focus in terms of how technology supports clinical processes, CNIOs may be more focused on the practical application of using systems to directly take care of patients, he says.
Additionally, Mr. McMillan adds that nurses overall may embody the ideal candidate for IT leadership. "I've always said some of the best CIOs that I have worked with in healthcare were former nurses, and the reason I say that is nobody knows hospital operations better than the nurse," he says.
In a similar vein, Pamela Dixon, managing partner at SSi-Search, a healthcare innovation-focused executive search firm, says the crossover of clinical leaders into IT isn't always, and doesn't have to be, recognized by a formal title. She notes how the pervasive reach of technology impacts the responsibilities of many clinical leaders who work alongside the CMIO today.
"Clinical leaders that understand the value of technology aren't just those leaders with an 'I' [in their title," Ms. Dixon says. "They're CMOs and CNOs as well. We see CMOs leading EHR deployments because it's a clinical initiative, not an IT initiative….We are going to see clinical executive leaders become increasingly important in general, because they have a first-hand understanding of patient care."
Keeping up with the government
With meaningful use regulations, the HIPAA omnibus rule, a shift toward population health and changes to the overall care model implemented by the Patient Protection and Affordable Care Act, IT departments are swimming in regulations.
"I used to wake up in the morning thinking, 'What new innovation is there or what could I do with an iPhone?'" says Dr. Halamka. "Now, I say, 'What's meaningful use stage 3 going to imply, and how are we going to be reimbursed three years from now?'"
BIDMC, where Dr. Halamka is CIO, is a huge, world-renowned academic medical center, and the organization's sheer size and scalability was a key reason why Dr. Halamka divvied up IT responsibilities among his four chief officers. "We have 83 locations currently, 2 million patients and 22,000 employees, and of course the expectation is I'm all-seeing and all-knowing [as CIO]," he says. "That is not scalable over that size of an organization."
However, not all hospitals need, or can afford, to expand the IT C-suite. Mr. McMillan says that while he sees a need for these roles at BIDMC, not every organization needs individuals devoted to each separate set of responsibilities. Smaller organizations with fewer departments, less clinical processes and fewer system users don't need the same human capital invested into systems and security as larger organizations with multiple sites and troves of data. CTOs and CMIOs are generally absent from small organizations, for instance, and those duties are instead assumed by an IT director, CIO and/or a security professional.
Ms. Dixon says smaller hospitals tend to look for one person to wear multiple hats while larger systems tend to seek strong leaders in each skill set.
Additionally, needing the executive doesn't always translate into a hospital's ability to acquire him or her. "It's absolutely a product of the needs for those roles, but at some point it's whether or not they can afford all those roles," Mr. McMillan says. "You may actually need them before you can afford them."
The types of expertise an organization needs also depends on where they are in their IT evolution, regardless of the size of the hospital or health system. "A system that's just looking at an EHR replacement or an initial selection will be focused on deployment and will have different leadership needs than to an organization post-deployment that's more focused on performance management," Ms. Dixon says.
Additionally, titles are less important than what the individuals in any given position are trying to accomplish, suggests Ms. Dixon. "The functionality of all these roles is absolutely necessary, but I don't think it's so much about what titles you have as what work is it that needs to be done," she says. "For example, an infrastructure needs to be maintained, whether it's from a CTO or a CIO."
Chains of command
With so many chief-level executives, the chains of command can become a little muddled. While these roles fall within the IT department, not all of them should report to the CIO.
By and large, CIOs report to CEOs. Within IT-specific roles, though, reporting structures vary, with most of the debate surrounding the CMIO and the CISO.
The CMIO, which largely acts as the liaison between the clinical and technical sides of things, fluctuates between reporting to the CIO or to the CMO. Mr. McMillan suggests CMIOs reporting to CIOs may be more commonplace, as the function of the CMIO can be viewed as an "interface role" between the technical and clinical communities. The CMIO is a role dedicated to advising how to use technology to support operational needs, Mr. McMillan says, and given this emphasis on the technological aspect, reporting to the CIO has its merits.
However, Ms. Dixon presents the other side of the argument and says that while the CMIO may report to the CIO, there is also great value in the CMIO reporting to the CMO. The CMIO is a clinical leader and is focused on issues regarding clinical care above anything else. "Sometimes it's easier to have the CMIO report to the CMO in terms of both leaders having a native understanding of patient care, even though the CMIO is definitely working hand-in-hand with the CIO," she says.
It gets even more complicated for the CISO, who shouldn't necessarily report to the CIO out of conflict of interest. "The CISO needs to be able to say when something is not safe or secure," Mr. McMillan says. "If the CISO is buried in the CIO's organization, you always run the risk of the CISO telling the CIO [something] is not safe [and] is a risk, and the CIO making the decision for the organization to accept that risk rather than airing it to executives."
The CIO, Mr. McMillan says, doesn't own the risk for the organization — the CEOs and COOs do.
Dr. Halamka says he owns the security risk at BIDMC, so it is appropriate that the CISO reports to him. However, he agrees that, in some organizations, it may be appropriate for the CISO to report to chief legal or compliance officers.
Another option Mr. McMillan suggests is organizing an IT steering committee, chaired by an executive outside the IT department, such as the COO. Doing so offers the CMIO, CNIO, CHIO, CTO and CISO, as well as any other members that may be in the committee, to have their voices heard.
"The bottom line is as long as you have a healthy governance structure that [allows] all of those voice to get heard at the executive level and at the board level, then a lot of times, organizational placement becomes less of an issue," Mr. McMillan says.
Emerging roles
Legislation and regulatory demands in healthcare have skyrocketed over the past few years, necessitating a change in the way IT departments are structured and operate.
"Three-hundred thousand pages of healthcare regulations have been written since I first became CIO in 1998, and therefore, it's a lot of compliance and it means the organization has to have a level of maturity and sophistication," Dr. Halamka says.
These demands have a ripple effect. The industry can undoubtedly expect more rules and regulations to be handed down. Leadership adapts to the regulatory environment, so hospitals and health systems can expect to see new roles continue to emerge as a result.
In fact, it already is happening. Roles such as chief privacy officers, chief experience officers and chief population health officers are already popping up across the industry. Within health IT, too, roles such as chief nursing information officer and chief health information officer are becoming more commonplace.
Individual organizations are tasked with looking at their strategies and determining how to mold the structure to support their end goals in the midst of all these changes — a difficult task indeed.
"What job requires you to continuously innovate while keeping perfect reliability and security?" asks Dr. Halamka. "It's like a library. I will check out all the books to everyone, but I can never lose one book."
For health IT departments, innovation and evolution follows rules and regulations. The number of books in the library will get bigger, and, presumably, more hands will be necessary to keep track of them all.
More articles on IT leadership:
CFOs hesitant to hand budget power to CIOs
The future of the healthcare CIO: Expanding roles, relationships and opportunities
Top 4 reasons CIOs get fired (and how to avoid them)