A Deterrence Approach to Regulate Nurses’ Compliance with Electronic Medical Records Privacy Policy

Hospitals have become increasingly aware that electronic medical records (EMR) may bring tangible and intangible benefits to managing institutions, including reduced medical errors, improved quality of care, curtailed costs, and access to patient information by healthcare professionals regardless of limitations. However, increased dependence on EMR has led to a corresponding increase in the impact of EMR breaches. Such incursions, which have been significantly facilitated by the introduction of mobile devices for accessing EMR, may cause tangible and intangible damage to both hospitals and the individuals concerned. The purpose of this study was to explore, from the perspective of deterrence theory, factors that may inhibit nurses’ intentions to violate EMR privacy policy. Using survey methodology, 262 responses were analyzed via structural equation modeling. Results revealed that punishment certainty, detection certainty, and subjective norm significantly reduce nurses’ intentions to violate established EMR privacy policy. Based on these findings, recommendations are discussed for health administrators planning and designing effective strategies that may inhibit nurses from violating EMR privacy policy.
