Institutional effects of Comparative Government regulation for the Protection and Privacy of Health Data in the Cloud

This research is a comparative study of the institutional effects of regulatory and compliance issues surrounding cloud computing in healthcare. Our focus is on healthcare organizations and the IT industry, and how these two important stakeholders interpret and apply the privacy and security rules from the U.S. and EU. As an institutional environment, healthcare is experiencing coercive, normative and mimetic isomorphic pressures on macro, meso and micro levels. International governments are seeking ways to build capacity in the cloud computing market, yet they are faced with difficult issues in relation to privacy and security of personal data. Our findings suggest that regulation and compliance are being developed ‘in response to’ rather than ‘in anticipation of’ technical change. Normative pressures to encourage healthcare organizations to develop effective data protection and privacy policies to comply with new regulatory change are further complicated in an environment where cloud data may be transferred across different legal and regulatory jurisdictions. Our findings show that healthcare organizations and cloud providers need to work more closely together as business associates. However, translating HIPAA and EU rules and regulations into practice is thwarted by a lack of legal and regulatory knowledge, particularly in the smaller
