Securing Health Care: Assessing Factors That Affect HIPAA Security Compliance in Academic Medical Centers

HIPAA security compliance in academic medical centers is a central concern of researchers, academicians, and practitioners. Despite increasing accounts of data security breaches, greater numbers of information technology implementations, and new HIPAA Security Rule requirements and audits, academic medical centers have shown limited HIPAA security compliance. Based on a literature review of technology acceptance and security effectiveness, this study investigated the factors that affect HIPAA security compliance. A theoretical model using management support, security awareness, security culture, and computer self-efficacy to predict security behavior and security effectiveness was proposed. Multiple linear regression and correlation analysis demonstrated that security awareness, management support, and security culture were significant predictors of security effectiveness and security behavior, with security awareness being the most significant predictor. The results of this research provide guidance to those involved with HIPAA security compliance initiatives in health care.
