Exploring the Role of Contextual Integrity in Electronic Medical Record (EMR) System Workaround Decisions: An Information Security and Privacy Perspective

Many healthcare providers in the US are seeking increased efficiency and effectiveness by rapidly adopting information technology (IT) solutions such as electronic medical record (EMR) systems. Legislation such as the Health Information Technology for Economic and Clinical Health Act (HITECH), which codified the adoption and “meaningful use” of electronic records in the US, has further spurred the industry-wide adoption of EMR. However, despite what are often large investments in EMR, studies indicate that the healthcare industry maintains a culture of system workarounds. Though perhaps not uncommon, the creation of informal workflows among healthcare workers is problematic for assuring information security and patient privacy, particularly when involving decisions of information management (e.g., information storage, retrieval, and/or transmission). Drawing on the framework of contextual integrity, we assert that one can often explain workarounds involving information transmissions in terms of trade-offs informed by context-specific informational norms. We surveyed healthcare workers and analyzed their willingness to engage in a series of EMR workaround scenarios. Our results indicate that contextual integrity provides a useful framework for understanding information transmission and workaround decisions in the health sector. Armed with these findings, managers and system designers should be better able to anticipate healthcare workers’ information transmission principles (e.g., privacy norms) and workaround patterns (e.g., usage norms). We present our findings and discuss their significance for research and practice.
