The Evolution of Information Technology Governance at the NIH Clinical Center

By Jon W. McKeeby, DSc, MBA, CPHI; Patricia S. Coffey, MS, RHIA, CPHIMS, CPHI; Susan M. Houston, MBA, RN-BC, PMP, CPHIMS, FHIMSS; Ryan D. Kennedy, Leighton Chan, MD, MPH; Rachael Schacherer, MPP; Stacie Alboum; Steve Bergstrom; and Maria D. Joyce


An information technology governance (ITG) program has helped the National Institutes of Health (NIH) Clinical Center (CC) in the implementation of many systems and has guided the organization through the maturity of its project management methodology. The NIHCC Department of Clinical Research Informatics (DCRI) maintains an electronic health record (EHR) called the clinical research information system (CRIS) along with many clinical information systems (CIS) and research information systems, supporting approximately 3,200 users.

ITG involves establishing processes to guide the review, selection, implementation, management, and setting of the IT strategy representing the business owners, stakeholders, and IT.1

Research conducted by Levstek, Hovelja, and Pucihar2 identified that different organizations may need different ITG structures, frameworks, and strategies. The path to achieving strong ITG is a continuous journey. This paper reviews the evolution of the NIHCC IT governance strategy.

Phase 1: NIHCC IT Governance

The path of the NIHCC for IT governance started as the NIHCC implemented a new EHR in 2004, the decision made by the EHR Steering Committee was to ensure the use of best practices of project, risk and configuration management.

Following the implementation of the EHR, the complexity of the NIHCC’s IT environment began to increase as new clinical applications were implemented and integrations across systems were developed. These activities were captured in a project dashboard, as the NIHCC developed a new Project Management Office (PMO). By 2005, the PMO was actively tracking five IT projects, which quickly ballooned to 24 active projects in 2007. Although there was some growth of the IT department during this time, it did not keep up with the evolving state of the IT architecture. Resources that normally would spend the majority of their time supporting existing systems were now shifting their time commitments to the implementation of new systems—all of which would then be added to their normal operational activities. At the time, the default arbiter of prioritizing these activities was the responsibility of the chief information officer (CIO). As the IT complexity continued to grow, it was clear that there was a need for a more robust governance process with input from the organization’s business stakeholders on the authorization and priority of new requests. Without IT governance, projects fail, resources become unavailable, systems are not managed properly, and expectations between the IT department and system business owners are not met. Houston and Kennedy3 explain that “having a robust governance process in place ensures that the right projects are done at the right time, while ensuring alignment to the organization’s mission and vision. Projects can be major undertakings, requiring multiple resources, time, and money, so it is crucial that these efforts are understood and monitored on a regular basis.”

The road to IT governance at the NIHCC started with the adoption of a systems-thinking approach to understand the organization from a big-picture perspective to develop communication, collaboration, and teamwork skills.4 Way and McKeeby5 identified the benefits of the systems thinking approach as follows:

  • Give customers choices, so it is not an absolute “no.”
  • Manage customer expectations.
  • Let customers have a voice in project prioritization.
  • Enlist management support.

The first milestone of ITG was a disciplined approach to create a shared understanding of the scope of workload internally within the DCRI. The NIHCC CIO started the process with the creation of a comprehensive inventory of projects. Each member of the DCRI leadership team validated the list, identified missing items and items no longer valid, and returned the annotated list to the NIHCC CIO.

As we started IT governance, we created an IT PMO with two project managers. The PMO developed a process to maintain the list, adding new requests, putting projects on hold, and removing projects.

Phase 2: NIHCC IT Governance

The second milestone for ITG at the NIHCC in 2006 was to prioritize the CC’s most impactful projects. The organization introduced the term cornerstone project and defines it as a project that combines many resources across multiple departments and is typically a mission-driven strategic initiative that spans multiple years. A cornerstone project identifies a priority in respect to resource utilization and implementation dates. All other projects are coordinated and scheduled with cornerstones as the baseline.

A sample list of the cornerstone projects is in Table 1.

At this time, the PMO increased to five. As part of Phase 2, we started a monthly project management team (PMT) meeting. The attendees included DCRI senior leadership, all DCRI project managers, a representative from the Office of Purchasing and Contracts (OPC), and all DCRI supervisors. DCRI supervisors includes service center, user support, system and network, database administration, CRIS build, NIHCC chief technology officer (CTO), and the NIHCC CIO.

Phase 3: NIHCC IT Governance

From 2007 to 2016, the NIHCC performed operational reviews across departments to identify areas of improvement. In 2009, an operational review of the NIHCC’s DCRI found that there were over 120 open or pending projects, there was no vetting of the prioritization of projects outside of DCRI, and there was no stakeholder involvement in the prioritization process.

The only directive from the 2009 operational review was the development of the Information Technology Advisory Group (ITAG). The mission of the ITAG is to plan, approve, prioritize, and direct NIHCC initiatives with the goal of meeting customer expectations regarding the implementation and support for developed information technology (IT) solutions. A secondary goal is the management of the project scope and risks to ensure we meet the clinical, administrative, and IT requirements.

DCRI added a chief of the portfolio and PMO (PPMO). The PPMO oversaw the PMO, enterprise architecture, configuration management, and testing. The PMT meeting expanded the agenda to include OPC and ISSO announcements and the review of the monthly CM calendar of system updates and activations.

Phase 3 institutionalized a formal governance organization to serve as the guiding force over IT projects. The first two critical components in devising an ITG model include the development of a charter and the identification of key stakeholders.6 The charter provided the NIHCC a clear roadmap of the mission, vision, roles, and responsibilities for the new governance organization. However, to be successful, it was important to ensure critical input was provided by key stakeholders and IT expertise across the NIH.7 ITAG was comprised of seven to eight senior business leaders from the NIHCC, one from the NIH CIO’s office; a member of the Medical Executive Committee (MEC) Clinical Information Management (CIM) Subcommittee; and a member of the EHR Prescribers’ Group and one to three additional institute/center representatives; and one member of NIH IT leadership.

In addition to the official members, we added several other key NIHCC staff to provide input for decision-making, including the NIHCC CIO, NIHCC chief financial officer (CFO) and the NIHCC chief medical information officer (CMIO). Of note, none of these members are able to vote, thereby allowing all decisions made based on the business needs of the organization.

Figure 1 illustrates the ITAG process.

The ITAG charter contains the following mission and responsibilities:


The mission of the ITAG is to plan, approve, prioritize, and direct NIHCC initiatives to meet customer expectations and organization requirements regarding the implementation and support for information technology solutions.


The ITAG has the following areas of responsibility:

  • Determine and consistently apply criteria for prioritizing and recommending NIHCC IT investments to the NIHCC CEO.
  • Ensure that all projects selected align with the NIHCC Strategic Plan.
  • Review IT resource requirements, scope, and/or schedule changes to IT initiatives.
  • Re-evaluate, prioritize, and recommend approval as needed.

Project Review Process

One of the early steps in the development of the ITAG was to narrow the scope of what constitutes a project. Specifically, a project is a piece of work that has the following distinct characteristics:

  • Requires over 40 hours of staff time to complete.
  • Has a time limited duration.
  • Produces a specific and distinguishable product, service, or result.
  • Serves a specific purpose.
  • Has interrelated activities or tasks.

Under the newly defined process, NIHCC departments, NIH institutes, and other NIH committees submit new IT project requests to the NIHCC’s Office of Financial Resource Management (OFRM). OFRM reviews the request for any financial obligations to the NIHCC and shares the request with a DCRI portfolio manager. The DCRI portfolio manager works with the requestor to document the business and technical requirements, justification, expected timeline, funding needs, and resource requirements into a project charter or business case, depending on the situation.

The DCRI portfolio manager submits the request and the details to the OFRM/DCRI Project Evaluation Committee. The OFRM/DCRI Project Evaluation Committee submits any item that fit the definition of a project, and require new capital IT equipment, new applications, or major version upgrades that consisted of new functionality, to ITAG. Based on defined criteria, many requests submitted are identified as routine operations and maintenance or mandates due to regulatory or security requirements. These types of requests were not vetted through ITAG but are reported due to their resource requirements.

ITAG met four times per calendar year. Requests, project charters, and/or business cases are distributed electronically one week prior to the meeting for the voting members to score the requests. The criteria for scoring is: 1) Areas of Benefit; 2) Strategic Alignment; 3) Operational Efficiencies; 4) Impact to Quality of Patient Care; 5) Impact to Satisfaction of Patient Care; 6/7) Number of Patients and Protocols Impacted.

At the meeting, the project requestors present their respective project requests. After the presentations, the ITAG voting members review the scoring summary. The committee also reviews a current list of all projects along with a staffing report, which includes available versus allocated project resources. With this information, the ITAG discusses each request and identifies a recommendation decision, to approve, needs more information or to deny. The ITAG chair then provides the recommendations to the NIHCC CEO for final disposition. The approval decision does not specify a start date. DCRI then works with the requestor on determining when resources would be available to start the project and assigns a project manager from the NIHCC PMO.

Phase 4: NIHCC ITG

The scope of the ITAG expanded in Phase 4. In 2019, the NIHCC CIO acknowledged that there was a substantial amount of work considered routine or mandatory, which compete for the same resources, allocated for the formal ITAG projects. As a result, it was difficult to manage the resources for projects. Requestors became frustrated that their projects were not being scheduled and project delays were frequent; staff morale was negatively affected by this long list of projects and feeling unable to meet the expectations of the organization.

In reviewing this issue with the NIHCC CEO, ITAG chair and NIHCC leadership, the NIHCC CEO identified that without improved and more comprehensive governance, it would be impossible for the DCRI staff to complete the project list of over 260 items. The scope of governance over IT work needed to improve; as such, the role of ITAG expanded to review all activity that fit within the definition of a project. With over 40 ITAG projects and over 200 other items, it would be very difficult for the ITAG to review all the activities independently.

In reviewing the list of activities that had IT components and met the definition of a project, it was determined the project categorization as ITAG Projects, Complex System Change Requests (SCRs), Security & Infrastructure Operations, and Maintenance (O&M).

  1. ITAG Projects are projects that require a full review and scoring as an individual project by the ITAG committee. Examples of these projects include:
    1. New capital IT equipment
    2. New functionalities, interfaces or applications
    3. Major upgrades
    4. New CC IT investments that require implementation and ongoing support
  2. Complex SCRs are projects managed through multiple SCRs. The NIHCC Functional Review Board (FRB), the Enterprise Scheduling Advisory Group (ESAG), or the CIM reviews these request. A voting member from ITAG participates in this review and presents the recommendations back to the full ITAG committee. Examples of these projects include:
  1. Large-scale configuration changes
  2. Significant IT work
  3. Limited updates to existing applications
  1. Security and Infrastructure O&M are projects reviewed by the Architecture Planning Board (APB), Technical Review Board (TRB), and/or the Security TRB (STRB) for security and infrastructure implementations and updates. A voting member from ITAG participates in this review and presents the recommendations back to the full ITAG committee. Examples of these projects include:
    1. Large-scale hardware and OS updates
    2. Mandates due to security, privacy, or architecture regulations
    3. Infrastructure updates and implementations

Figure 2 reviews the updated process.

Six Months Later, Post-Phase 4

The initial list presented to the NIHCC CEO had 262 ITAG projects, Complex SCRs, and Security & Infrastructure O&M projects. The first review by ITAG of this the list included a recommendation to remove 45 projects, as they included duplicates, projects already completed, or projects that had not been approved. Additionally, 37 projects were placed on hold based on a lack of funding or approval. As a result, the list presented at the first ITAG meeting was reduced to 180 projects.

In the most recent six months, since the new ITAG processes came into practice, DCRI completed 35 unique projects. This nearly doubled the typical average of 15-20 project completions over other six-month time frames. The rate of new submissions has also increased to nearly 30 additional project requests in the same six-month time frame, which indicates that more stakeholders are becoming aware of the project governance requirements.

Along the road to the development of this now robust IT governance process, the organization’s health information (HI) professionals remained well integrated and involved in the various components of the process in addition to team members from IT and other organizational leaders. The NIHCC values and understands the critical input from HI professionals and the unique skill set they have regarding project management, EHR configuration, documentation requirements, IT knowledge, privacy and security, and more. Nearly all IT projects have one or more of these components, and HI professionals bring value to the NIHCC’s process by managing and/or participating on the organization’s Clinical Documentation Control Board, Clinical Information Management Committee, Functional Review Board, EHR Stakeholder User Groups, and more.

Lessons Learned

The NIHCC’s road to a robust programmatic review of information technology initiatives has been a learning experience for the organization, including the primary fact that governance is not easy, but it is important to maintain the integrity of prioritization and the overall governance process. Organizations must ensure that all stakeholders are represented in some way throughout the various components and steps of the process. Finally, in order to be effective, all information technology efforts must be governed across the organization in a transparent manner.

The evolution of information technology governance at the NIHCC has resulted in many tangible benefits. In addition to the effects on completion, the morale of both the staff and stakeholders has markedly improved. DCRI and ITAG membership and the extended ITAG membership review the project list more, providing increased transparency as well as an opportunity for discussion that has improved the understanding the alignment of projects, staff resources, and needs of the organization.

Funding Statement

This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.

Competing Interests Statement

The authors have no competing interests to declare.

Contributorship Statement

All authors wrote and reviewed the final manuscript.

Author Biographies

Patricia Coffey, MS, RHIA, CPHIMS, CPHI, is the chief of the Health Information Management Department at the National Institutes of Health Clinical Center.

Jon Walter McKeeby, DSc, MBA, CPHI, is the chief information officer at the National Institutes of Health Clinical Center.

Maria D. Joyce is the chief financial officer at the National Institutes of Health Clinical Center.

Leighton Chan, MD, MPH, is the chief of the Rehabilitation Medicine Department at the National Institutes of Health Clinical Center.

Stacie Alboum is the deputy director of the Center for Information Technology at the National Institutes of Health.

Ryan D. Kennedy work in the Project and Portfolio Office of the Department of Clinical Research Informatics at the National Institutes of Health Clinical Center.

Susan M. Houston, MBA, RN-BC, PMP, CPHIMS, FHIMSS, is the owner and principal consultant at Houston Solutions LLC.

Stephen Bergstrom is the chief of enterprise architecture in the Department of Clinical Research Informatics at the National Institutes of Health Clinical Center.

Rachael Schacherer, MPP, is the chief of staff to the scientific director at the National Institute of Neurological Disorders and Stroke at the National Institutes of Health.


  1. Tonelli, A.O., de Souza Bermejo, P.H., Aparecida dos Santos, P., Zuppo, L, Zambalde, A,L. (2017). ITG in the Public Sector: A Conceptual Model. Information Systems Frontiers, 19(3). 593-610.
  2. Levstek, A., Hovelja, T., & Pucihar, A. (2018). ITG Mechanisms and Contingency Factors: Towards an Adaptive ITG Model. Organizacija, 51(4), 286.
  3. Houston, S. M., & Kennedy, R. D. (2020). Effective lifecycle management of healthcare applications: achieving best practices by using a portfolio framework (1st ed., Ser. HIMSS Book Series). Productivity Press.
  4. Way, C., & McKeeby, J. W. (2008). Systems Thinking as a Team-Building Approach. The Systems Thinker, 19(8), 7–9.
  5. Ibid.
  6. Project Management Institute. (2017). A guide to the Project Management Body of Knowledge (PMBOK guide) (6th ed.). Project Management Institute.
  7. Ibid.
Posted in:

Leave a Reply