Understanding the Drivers and Outcomes of Healthcare Organizational Privacy Responses

This research adopts a grounded theory approach to examine the drivers, safeguards and operational outcomes of organizational information privacy responses in the healthcare context. Semi-structured interviews with key healthcare stakeholders were conducted. The findings are sobering. First, privacy safeguards are driven by legal compliance, competitive advantages, available resources and best practices. However, organizations have to balance conflicting risks associated with these drivers. Second, this study identifies the operational and behavioral outcomes that result in major balance issues. Third, the adoption of a privacy impact assessment (PIA) allows the integration of a risk management approach to effectively assess the different types of privacy risks. The findings provide evidence for: (1) a gap between privacy responses and their outcomes on healthcare practice and delivery; (2) the importance of the privacy impact assessment as a risk management tool; and (3) the challenging healthcare context in which privacy responses are unfolding.
