HIPAA and Human Error: The Role of Enhanced Situation Awareness in Protecting Health Information

Several contemporary studies have identified human error as a major cause of privacy breaches in healthcare organizations. In this chapter, we first highlight the costs healthcare organizations incur from HIPAA privacy breaches. We then discuss the concept of situation awareness (SA) and its link with privacy protection. Situation awareness represents individuals’ awareness of what is happening in their surroundings and their understanding of how information, events, and actions affect their goals and objectives. Applying Endsley’s three-level SA framework helps us to identify specific types of SA errors and build scenarios of privacy breaches arising from SA errors. Using a taxonomy of SA errors derived from Endsley’s work, we analyzed the 21 cases of HIPAA privacy breaches in which the Office for Civil Rights has reached a resolution agreement. The results bring into focus the often neglected situational aspects of privacy protection and help to better understand the latent causes of privacy breaches along with their related implications for policy formulation, system design, and user training.