Health IT governance is difficult to establish because it sits at the intersection of competing priorities, fragmented technology, shifting regulations, and deeply entrenched organizational cultures. Unlike IT governance in most industries, healthcare adds layers of clinical safety, patient privacy, and life-or-death decision-making that raise the stakes of every choice. The result is that even well-resourced health systems struggle to build governance structures that actually function across the organization.
Too Many Stakeholders With Conflicting Goals
Effective IT governance requires agreement on priorities, and healthcare organizations are full of stakeholder groups that want fundamentally different things from technology. Physicians, nurses, hospital managers, insurers, and policymakers each evaluate the same tools through different lenses. Research published in BMC Medical Informatics and Decision Making found stark divides: managers and insurers ranked digital patient portals and self-testing tools among their most preferred innovations because of expected efficiency gains, while physicians, nurses, and patients ranked those same tools last because they doubted the health benefits.
The pattern holds across many IT decisions. A clinical decision-support app on a handheld device directly changes how a physician works dozens of times a day, but barely registers for a board member. A full-text search engine for narrative health records matters enormously to data analysts but has little impact on bedside care. When every stakeholder group has a legitimate claim on what the technology should do, governance committees face constant tension between optimizing for clinical workflow, financial performance, regulatory compliance, and patient experience. Reaching consensus is slow, and the compromises often leave no group fully satisfied.
Fragmented Systems Create Ungovernable Environments
You cannot govern what you cannot see, and most health systems operate in staggeringly fragmented technology environments. A 2026 survey by the College of Healthcare Information Management Executives found that 76% of respondents said managing too many point solutions makes operations more difficult. Some organizations reported running more than 100 tools across the enterprise, including 10 to 20 separate systems just for safety, compliance, provider management, and patient experience.
This fragmentation makes centralized governance nearly impossible. Each system may have its own data standards, its own access controls, and its own vendor relationship. Leaders increasingly recognize the problem: nearly 90% of healthcare organizations in the same survey said modernization is essential. But retiring legacy platforms without losing historical records, retraining staff, and maintaining continuity of care during transitions creates enormous friction. The governance body tasked with rationalizing this landscape has to manage technical debt accumulated over decades while keeping current operations running.
Data Exchange Barriers Undermine Governance Mandates
Even when governance policies call for data sharing and interoperability, the technical reality often makes it impossible to follow through. A 2023 study in the Journal of the American Medical Informatics Association found that 84% of non-federal acute care hospitals reported challenges exchanging data across different vendor platforms, and 42% called it a major barrier. The specific obstacles are concrete: hospitals have to build customized interfaces to exchange information, vendors impose contractual constraints that limit data sharing with competing systems, partner organizations send data in incompatible formats, and matching the correct patient across systems remains unreliable.
These barriers are especially pronounced when information needs to flow between organizations of different sizes and types, such as an independent hospital sharing records with a skilled nursing facility or a small physician practice. Governance frameworks can mandate interoperability all they want, but if the underlying systems were never designed to talk to each other, policy alone cannot bridge the gap. This creates a frustrating cycle where governance bodies set standards they lack the technical infrastructure to enforce.
Measuring Value Is Genuinely Hard
Governance requires making resource allocation decisions, and those decisions depend on understanding the return on investment. In healthcare IT, that understanding is elusive. Deloitte has noted that the definition of “digital transformation” itself varies across organizations, making apples-to-apples comparisons nearly impossible. Many health systems are further hampered by outdated data management that makes it difficult to track outcomes in the first place.
The value of IT governance investments often shows up indirectly: fewer duplicate tests, faster discharge times, reduced medication errors, better patient matching. These benefits are real but diffuse, spread across departments and time horizons. When a governance committee asks for budget to consolidate systems or implement new data standards, the financial case relies on projections that are hard to validate. This ambiguity makes it difficult to secure sustained executive commitment, especially when competing capital requests (a new surgical suite, more nursing staff) have more tangible and immediate payoffs.
Culture Stress and Staff Resistance
The most carefully designed governance framework will fail if the people expected to follow it resist or ignore it. A scoping review in Learning Health Systems examining organizational culture in health IT implementations found that “culture stress,” defined as perceived strain, role overload, and resource shortages, was the most frequently cited barrier across 34 studies reviewed. Staff consistently reported feeling that new IT systems shifted enormous volumes of work onto them without adequate support or staffing.
Physician resistance follows a specific pattern. When clinicians feel that a technology was not customized to their local workflow needs, they push back rather than adapt. One study captured the dynamic clearly: physicians saw themselves as passive implementers of a standardized technology package rather than active participants in shaping how the tool would work in their setting. Simply providing training manuals or instruction sets did not create buy-in. In another case, staff focus group participants sensed a lack of enthusiasm from leadership despite leadership’s stated support, because there was little to no communication filtering down from the top. The gap between what governance bodies decide in conference rooms and what staff experience on the floor is one of the most persistent failure points in health IT governance.
AI Introduces Governance Problems That Don’t Have Answers Yet
The rapid spread of artificial intelligence in clinical settings has introduced governance challenges that existing frameworks were never built to handle. AI tools are evolving from simple diagnostic aids into systems that summarize medical records, generate clinical reports, and propose treatment plans. A 2026 white paper on AI healthcare governance identified several unresolved contradictions that make governing these tools extraordinarily difficult.
First, AI outputs carry inherent uncertainty. Large language models can “hallucinate,” producing plausible but incorrect information. When that output influences a medication recommendation or a surgical plan, the error is no longer a technical glitch. It can directly harm a patient. Second, liability boundaries are blurred. If an AI system suggests a diagnosis and a physician follows it, then the diagnosis turns out to be wrong, the existing legal framework struggles to assign responsibility. Should the physician have overridden the AI? Is the technology vendor liable? Is the hospital that purchased the system at fault? These questions don’t have settled answers. Third, regulators haven’t yet determined whether a fine-tuned large language model used in clinical settings qualifies as a “medical device” or a “software service,” creating compliance uncertainty for any organization trying to deploy these tools responsibly.
For governance committees, AI forces a simultaneous reckoning with clinical safety, legal risk, regulatory ambiguity, and vendor accountability, all in a technology landscape that changes faster than policy cycles can keep up.
Security Stakes Keep Rising
Healthcare data breaches provide the starkest evidence of what happens when IT governance falls short. In 2025, at least 4,080 unique breach events impacted 375 million individuals across all sectors, and healthcare accounted for 66% of all affected people. The Change Healthcare ransomware attack alone, first discovered in February 2024, ultimately affected 192.7 million people, making it the largest healthcare data breach ever recorded and more than double the previous record held by Anthem for a decade.
Eight of the 20 largest breaches in 2025 occurred at service providers rather than healthcare organizations themselves, meaning that governance must extend beyond your own walls to every vendor and partner that touches patient data. Notification timelines remain slow: the most common window between breach discovery and patient notification was 91 to 180 days, and fewer than 10% of breaches would meet California’s new 30-day notification standard. These numbers illustrate how governance must cover not only prevention but also detection, response, and communication, each of which requires its own policies, staffing, and budget.
Governance Demands Breadth That Few Organizations Have
The ONC’s own framework for data governance illustrates the sheer scope of what effective governance requires. Organizations need governance bodies that function consistently across shared responsibilities, bidirectional communication channels that keep stakeholders informed and engaged, dedicated data management roles with sustained funding, a shared glossary of approved business terms so that different departments mean the same thing when they use the same words, and a metadata management system that catalogs what data the organization actually has and what it means.
Each of these components is a substantial organizational undertaking on its own. Doing all of them simultaneously, across a system that may span dozens of facilities and hundreds of software tools, while navigating stakeholder conflicts, budget constraints, regulatory requirements, and rapid technological change, explains why so many health systems find effective IT governance perpetually out of reach. The challenge is not that any single piece is impossible. It’s that all the pieces must work together, and healthcare is one of the few industries where failure carries direct consequences for human life.