Compliance With Electronic Medical Records Privacy Policy: An Empirical Investigation of Hospital Information Technology Staff

The use of Electronic Medical Records is expected to enhance health care quality and to relieve increased financial pressure. Electronic Medical Records are, however, potentially vulnerable to security breaches that may heighten patients’ privacy concerns. The purpose of our study was to explore the factors that motivate hospital information technology staff’s compliance with Electronic Medical Records privacy policy through the theoretical lenses of protection motivation theory and the theory of reasoned action. The study collected data using survey methodology. A total of 310 responses from information technology staff of 7 medical centers in Taiwan were analyzed using the Structural Equation Modeling technique. The results revealed that perceived vulnerability and perceived severity of threats from Electronic Medical Records breaches may be used to predict the information technology staff’s fear arousal level. Fear arousal, response efficacy, self-efficacy, and subjective norm, in turn, significantly predicted IT staff’s behavioral intention to comply with privacy policy. Response cost was not found to have any relationship with behavioral intention. Based on the findings, we suggest that hospitals could plan and design effective strategies, such as initiating privacy-protection awareness and skills training programs, to improve information technology staff members’ adherence to privacy policy. Furthermore, enhancing the privacy-protection climate in hospitals is also a viable means to this end. Further practical and research implications are also discussed.
