Deterrence approach on the compliance with electronic medical records privacy policy: the moderating role of computer monitoring

Background: This study explored the possible antecedents that motivate hospital employees' compliance with privacy policy related to electronic medical records (EMR) from a deterrence perspective. Further, we also investigated the moderating effect of computer monitoring on relationships among the antecedents and the level of hospital employees' compliance intention.

Methods: Data were collected from a large Taiwanese medical center using survey methodology. A total of 303 responses were analyzed via hierarchical regression analysis.

Results: The results revealed that sanction severity and sanction certainty each significantly predict hospital employees' compliance intention. Further, our study found that external computer monitoring significantly moderates the relationship between sanction certainty and compliance intention.

Conclusions: Based on our findings, the study suggests that healthcare facilities should take proactive countermeasures, such as computer monitoring, to better protect the privacy of EMR in addition to a stated privacy policy. However, the extent of computer monitoring should be kept to the minimum requirements stated by relevant regulations.
