Every healthcare IS post I have written is about breach cost. The real story is that the fax machine is still the primary interoperability tool, and structuration theory explains why the same EHR becomes two different systems in two different clinics.
I was reading the Tanriverdi, Kwon, and Im (2025) paper on cybersecurity in multihospital systems when I hit a sentence that made me put the PDF down. They describe an EHR environment where ten hospitals in the same health system each use a different brand of electronic health record, and the system somehow still has to move patient data between them. My first thought was not about the breach risk, which is what the paper is about. My first thought was that this is still considered normal. Healthcare is the only industry where that level of technical fragmentation is treated as an operational baseline rather than an emergency. And then I realized every healthcare post on this site is about breaches. I have written about breach cost, the human element in breaches, and the structural drivers that keep healthcare at the top of the cost list. I have never written about why the technology itself keeps failing before the attacker even shows up. That gap is what I want to close here.
The fax machine is still the dominant interoperability tool in American healthcare. This is not a colorful anecdote. It is the default method for transmitting clinical records between institutions that do not share the same EHR platform. In 2024, the Department of Health and Human Services published updated rules pushing toward API-based data exchange under the 21st Century Cures Act, and the industry response has been slow enough that fax volume remains substantial. Any other sector would have treated this as a competitive disadvantage decades ago. Healthcare has treated it as a regulatory compliance problem, which tells you something about how the field conceptualizes technology. It thinks about data movement in terms of legal permission, not in terms of system design. That is exactly the black-box problem Orlikowski and Iacono (2001) identified when they catalogued the five ways IS research treats the IT artifact. The Nominal view names the system but does not theorize it. The Tool view treats it as an instrumental means to an end. The Proxy view substitutes the technology for human capability. Most healthcare interoperability discourse is stuck in the Nominal and Tool zones. The fax machine is mentioned. Its material properties, its failure modes, its recursive effects on clinical workflow, and its role in shaping what clinicians believe is possible are not.
Orlikowski (1992) argued that technology is both a product and a medium of human action. It is shaped by people during design and implementation, and then it shapes what those people can do during use. That recursive loop is what she called the duality of technology, and it produces what she labeled technology-in-practice: the enacted structure that emerges only when people actually use the technology in a real setting. The implication for healthcare is immediate. The same Epic EHR installation does not produce the same technology-in-practice at two different hospitals. One clinic may configure the order entry workflow to match how physicians trained in the 1990s expect to write prescriptions. Another may force a structured electronic pathway that shifts prescribing authority to mid-level providers. The software is the same. The structural features, to borrow DeSanctis and Poole's (1994) language from Adaptive Structuration Theory, are identical. The appropriation is not. DeSanctis and Poole called this the difference between faithful and unfaithful appropriation, and their point was that the spirit of the technology, the intended design logic, almost never survives contact with the organization intact. Groups reshape the technology to fit local norms, local power structures, and local interpretations of what good care looks like. That is not user error. That is structuration happening in real time.
The reason this matters for health IT failure is that most evaluations of EHR success treat the system as a stable object and measure outcomes against a uniform benchmark. Did adoption time meet the target? Did user satisfaction scores rise? Did documentation compliance improve? These are Tool-view questions. They assume the artifact is the same everywhere and that variation in outcome is variation in user behavior or organizational resistance. Orlikowski's (1992) technology-in-practice perspective says the artifact is not the same. The technology-in-practice at a safety-net clinic with high staff turnover is a different sociotechnical object from the technology-in-practice at an academic medical center with a dedicated informatics team. Treating them as the same system and measuring them against the same metrics is a category error, and it is an error that the IS field has been warned about repeatedly.
Benbasat and Zmud (2003) framed this as the identity crisis of IS research. They argued that the discipline had drifted away from the IT artifact toward generic organizational and behavioral topics, and that without a return to the artifact as the central subject of theorizing, IS would lose its distinctive contribution. I think healthcare IS research is currently living inside that warning. The overwhelming share of healthcare IS scholarship in the major journals is about adoption, resistance, breach, or policy compliance. Each of those is a legitimate topic. But the cumulative effect is a literature that treats the EHR as a black box that either gets adopted or does not, either gets breached or does not, and either complies with regulation or does not. The actual material properties of the system, how those properties enable or constrain specific clinical actions for specific actor groups, and how those constraints reshape professional identity over time, are undertheorized. Markus and Silver (2008) tried to correct this with their distinction between technical objects, functional affordances, and symbolic expressions. A technical object is the bare material artifact. A functional affordance exists only in relation to a specific actor with a specific goal. A symbolic expression communicates status or identity. When a physician complains that the EHR turns them into a data entry clerk, they are describing a collapse of functional affordance. The system no longer enables the clinical action they consider central to their role. It becomes a symbolic expression of bureaucratic control. That is exactly the kind of breakdown that affordance theory is designed to explain, but it rarely appears in the healthcare IS literature framed that way.
Tanriverdi et al. (2025) provide a different entry point. Their empirical context is cybersecurity in multihospital systems, but their theoretical contribution is about complexity and complicatedness. They distinguish systems that are complicated, meaning they have many linear and well-structured interactions, from systems that are complex, meaning they have ad hoc and nonlinear interactions that produce emergent behavior. A health system with ten different EHR brands is complicated. The interactions are knowable and controllable in principle. The reason they remain uncontrolled is not complexity. It is that the governance structure of the health system does not centralize the decisions that would standardize the stack. Tanriverdi et al. call this governance complicatedness, and they show empirically that it increases breach risk by weakening technical, process, and people controls. Their solution is enterprise-wide data analytics platforms that structure and control the previously ad hoc exchanges. What interests me is that their mitigation is essentially structural. It does not fix the ten EHRs. It adds a governance layer above them. That is a perfectly reasonable organizational response, but it is also an admission that the original interoperability problem has been relocated rather than solved. The ten EHRs persist. The fax machines persist. The new platform is an information-sharing governance tool, not a replacement for the fragmented base.
I think the IS field needs to stop treating health IT failure as a problem that begins when an attacker breaches the perimeter and start treating it as a problem that begins when the technology is designed, appropriated, and re-appropriated by clinical professionals whose work is fundamentally interpretive. Diagnosis is not data entry. It is pattern recognition under uncertainty, shaped by tacit knowledge that varies across specialties, institutions, and individual practitioners. When an EHR forces a rigid structured input format, it is not just adding friction. It is changing what counts as a valid clinical thought. That is the kind of effect that structuration theory was built to explain. Structures shape action, and action reproduces or transforms structure. The EHR imposes a signification structure, a way of naming and categorizing clinical reality. Over time, clinicians internalize that structure. The drop-down menu becomes the diagnosis. That is not hyperbole. I have watched residents struggle to document a presentation that does not fit the template, and the struggle is not with software navigation. It is with the epistemic gap between what they saw and what the system allows them to record.
DeSanctis and Poole (1994) would call this an unfaithful appropriation, but I think that term understates the agency of the clinician. It is not that the clinician is misusing the system. It is that the system was designed for a different theory of clinical work than the one the clinician actually practices. The spirit of the EHR is managerial: standardize, measure, bill, comply. The spirit of clinical judgment is inductive and contextual. Those two spirits do not have to be enemies, but they will be if the research community keeps evaluating health IT through adoption metrics that assume managerial spirit is the correct default. Adaptive Structuration Theory predicts that groups will appropriate technology according to their local interpretive schemes, and that the outcome will be a negotiation between the designed structure and the enacted structure. The negotiation is what needs to be studied. Not the adoption rate. Not the breach count. The negotiation.
If I were advising a health system CIO, I would tell them to stop benchmarking their EHR rollout against the vendor's best-practice checklist and start mapping the technology-in-practice that is actually emerging in each clinic. Where are the workarounds? Where are the shadow documentation systems, the sticky notes, the verbal handoffs that happen because the electronic handoff is too slow or too rigid? Each workaround is a signal that the enacted structure has diverged from the designed structure, and each divergence is a place where the system is failing before any attacker gets involved. The fax machine is the ultimate workaround. It exists because the electronic systems do not talk to each other, but also because the clinicians who use it have developed a collective understanding of when a fax is more reliable than an electronic message that might disappear into an inbox nobody checks. That understanding is technology-in-practice. It is not resistance. It is sensemaking.
The research opportunity is enormous. We need studies that apply structuration and affordance theory to the clinical workplace, not as after-the-fact theoretical overlays on adoption surveys, but as the primary theoretical engine driving the research design. We need studies that treat the EHR as an ensemble artifact embedded in social practice, the way Orlikowski and Iacono (2001) insisted the IT artifact must be treated if IS research is to remain distinctive. We need studies that ask what the EHR affords for a nurse managing post-operative pain on a busy surgical floor, not what the EHR enables for the health system as an abstract entity. Those are different questions with different methods and different implications. The nurse's affordance question is local, relational, and material. The health system's question is aggregate, managerial, and usually financial.
I keep returning to Tanriverdi et al. (2025) because they are one of the few recent MIS Quarterly papers that treat healthcare IT as an organizational system rather than a technical control problem. Their finding that health IT complicatedness is a primary contributor to cybersecurity breaches is a bridge between the governance literature and the sociotechnical literature. It says that the way the technology is organized, not just how well it is defended, determines the risk landscape. I want to see that insight extended beyond security. The same health IT complicatedness that creates breach risk also creates clinical workflow failure, physician burnout, diagnostic delay, and patient safety gaps. Each of those outcomes is a technology-in-practice problem, and each of them is undertheorized in the IS literature relative to the volume of breach-cost research.
I started this post with the fax machine because it is the most visible symptom of a deeper theoretical neglect. The fax machine is not a technology failure in the conventional sense. It is a sociotechnical success. It works. It moves data across institutional boundaries that electronic systems have not bridged despite decades of investment. The research question is not why healthcare still uses fax. The research question is what the continued use of fax reveals about how clinical professionals have enacted their own interoperability infrastructure in the absence of a system that respects their technology-in-practice. That question requires structuration theory, affordance theory, and a willingness to treat the IT artifact as something more than a box that either gets adopted or does not. Breaches will continue to cost $9.77 million. The more important cost is the one we are not measuring: the slow erosion of clinical capability that happens every time a system designed for billing appropriates a practice designed for care.
About the author
Share
More notes
Related notes