As many as 400 people may have access to one's personal medical information throughout the typical care process. Disclosures of sensitive information such as emotional problems, sexually transmitted diseases, substance abuse, and genetic predispositions to diseasescould cause embarrassment and affect insurability, child custody cases, and employment.6,8,10 A recent survey by IDC found that "Most consumers ...were uncomfortable with their health plan sharing health information with a hospital, a specialist or their primary care doctor... (and) were concerned with who saw their information and were worried that the information could be made available online... (and) other respondents said they didn't trust their health plan or hospital to protect their information."2 Clearly, patients (consumers) feel that it is critical that their medical information is held in confidence. If patients do not feel that their personal medical information will be kept confidential, they may withhold important medical information from health care providers2 making it difficult to provide quality and effective health care.
This issue of safeguarding sensitive patient information has become even more critical given that the Electronic Protected Health Information (PHI), in Electronic Medical Records (EMR) as mandated by the Health Insurance Portability and Accountability Act (HIPAA),6 may consist of a patient's medical, demographic and insurance information. Thus, presenting a significant information assurance and security challenge to the health care industry as reflected by the consumers' concerns related to building trust with health care community.2,6,7 If the health care industry falls behind in assuring the public that it can indeed safeguard patient information, then the initiative to create a more efficient and cost effective health care system by using Information Technology will be in serious jeopardy. The research presented in this article addresses this important information assurance and security challenge by building upon past research2,6 and presenting a framework of Information Assurance and Compliance developed through multi-site case study approach7 involving multiple health care providers in the U.S.
Mercuri8 correctly identified that "solutions (to the information assurance challenge) are not as simple as adding on security tools and providing employees with policies and procedures for their job classification and requiring them to read and sign off on them." Information Assurance (IA) technologies such as encryption, password protection, access control mechanisms,11 and so on, for PHI may not be sufficient, since not all individual health care professionals may be familiar with the requirements of the law nor sufficiently motivated or trained to protect private and sensitive patient information. Health care Information Assurance policy (IA Policy) may be in place due to HIPPA requirements, but if health care employees fail to comply with such policy then patient information will be at a risk for disclosure. In this context, Mercuri8 correctly underscores the importance of human and management factors related to compliance by stating that "...the workers (must be given) a sufficient period in which to incorporate the new structures and rules into their culture and ethics. Otherwise efforts (related to IA Policy compliance) may be frustrated and unsuccessful."
Even though human and management factors, related to compliance, have been recognized as important as technical factors in providing security to PHI in the health care industry,2,5,6 there is a lack of well-developed framework to understand IA policy compliance factors addressing the behavioral dimension in the context of patient health care information. Without such a framework, it is difficult to develop both managerial interventions and research studies in this important area of health care information assurance. The purpose of this research (using multi-site case research approach) is to present such a research framework that examines what factors affect health care employee's behavior to comply with information assurance (IA) policy related to protection of patient health care information. We also present sample measures to assess individual compliance.
In the light of recent breaches and/ or theft of sensitive consumer data from banking, academic institutions, government agencies, and health care providers, this study provides a framework that can be extended and adapted to understand IA Policy issues in health care as well as in other industries. Therefore, the implication of this study is much broader and can be extended to other industries with appropriate adaptation.
The unifying foundation for our research framework is the Theory of Reasoned Action (TRA).3 TRA3 posits that external factors affect beliefs and beliefs in turn affect attitudes, and attitudes affect intention which ultimately affect one's behavior. We examine how these concepts are related to one's behavior in complying with information assurance policy regarding patient health information. Using TRA,3 we build our framework on solid theoretical foundations drawing from research in technology acceptance model,1 information assurance and security,6,7 ethical behavior,12 organizational culture4 and health information management.5,8,9,10
A Case Study Approach
Case studies have been utilized in health care research.5,9 In our study, we analyzed qualitative data, obtained through case study research9 across multiple health care providers (Table 1) in the Southeastern U.S. Our resultant research framework for IA Policy compliance integrating case study findings with theories drawn from different disciplines is presented in Figure 1.
Both response to questionnaires and discussion in interviews allowed respondents (under nondisclosure agreement) to confidentially discuss factors associated with compliance beliefs, attitudes and their behavioral outcomes in terms of IA policy compliance.
We found through our case studies, in line with TRA,3 that one's individual propensity for compliance and Government regulation as external imperative4 affect one's belief in IA policy compliance. Communication and training on IA policy affect one's beliefs in appropriateness and clarity of IA policy. Previous experience with IA technology affect one's beliefs regarding usefulness and ease of use of IA technology. These beliefs were found to affect one's attitudes on IA policy compliance, IA policy usage, and toward IA technology. Attitudes toward IA Policy Compliance, IA Policy Usage and IA Technology also affect one's Intention to Comply with IA Policy. One's intention related to IA Policy Compliance lead to Behavioral Outcome related to complying with IA policy in line with TRA.3 Next, we discuss each of these components of our framework in more detail providing support for each of these components based on analyses of multi-site qualitative case study data.
External Factors Affecting IA Policy Compliance
Individual Propensity for Compliance and Government Regulation (Figure1: 1a, 2a and 2b). There are individuals who will be more ethically inclined to be compliant, while others will not have the same level of propensity to follow policy as closely.12 Gordon4 stated that certain values develop concerning the 'right things to do,' and consistent with these values, management develops strategies, structures, and processes necessary for the company to conduct its business. The radiology administrator in one case site stated that government regulation "forces people who are lax to pay more attention to security issues." This supports our finding, in line with TRA,3 that one's belief in IA Policy compliance is affected by one's propensity for compliance and existing government regulations.
All of our respondents mentioned government regulations such as HIPAA as the main driver for implementing formal compliance policies. Gordon,4 in his research on industry determinants of organizational culture, states that organizations, in general, are affected by their environments and that organizations are founded on industry-based assumptions about customers, competitors, and society, which form the basis of company culture.
The respondent in medical staff relations felt that "with HIPAA, the government will continue to set standards that all health care entities will have to meet." The radiology administrator felt that since health care had maintained a culture of security and confidentiality, Information Assurance policies would be easier to implement. However, the IT Director felt that without regulations, security would not get a "tremendous amount of attention" at many organizations. If the culture of the organization integrated security and confidentiality, policies should be somewhat easier to implement, which was the case in the administrator's organization. The IT Director felt that the requirement of disclosing PHI security breaches would reinforce heightened compliance with regulations to avoid damage to the organization's reputation.
Training and Communication (Figure 1: 3a, 3b and 4a, 4b). If policies are communicated often, and in various ways, emphasizing security of PHI, employees are likely to perceive that IA policy is beneficial for patients, health care professionals and providers alike. In our case studies, training and communication of IA policy were mentioned repeatedly as key factors related to IA policy compliance in our interviews with health care professionals and are in line with previous research using TAM.1 According to one of the respondents:
"Of high importance is the training program to mitigate the potential effects of un-intentional misuse of that technology. A good example is that of a clerical worker that sends un-encrypted information via company email via the internet."
Previous Experience with IA Technology (Figure 1: 6a, 6b). Based on TAM,1 one's previous experience with IA technology affect beliefs about ease of use and usefulness of that particular technology when utilized in a compliance policy context. For example, will employees understand the importance of keeping passwords secure and encrypting email that includes PHI? The IT Director from our study suggests that a positive previous experience with technology may result in the intention to use the technology in an appropriate manner:
"Technology is an enabler of security but also carries with it the side effects of different risks. The capacity to communicate electronically over great distances with patients and other providers for instance carries the risk that an SSL encrypted connection will be compromised by a "man in the middle" or other attack... As technology grows it is of vital importance that all aspects of the security program grow with it."
Beliefs Affecting IA Policy Compliance
Individual belief in IA policy compliance (Figure 1: 7a). When asked about individual's role in compliance issues, one respondent said that her role involves "following the guidelines and procedures put in place by our practice; asking questions when I don't understand, and helping others when they have questions (patients and co-workers)." This seems to relate to a strong belief in complying with policy to the extent of being motivated enough to ask questions and help others. On the other hand, the radiology administrator pointed to the need for regulations that "forces people who are lax to pay more attention" to security issues. The propensity for compliance may vary from individual to individual depending upon the strength of their belief in IA policy compliance.
Management Commitment (Figure 1: 9a). When asked what role should management play in IA policy compliance, one employee at the clerical level suggested that the manager should have "an understanding of various regulations and laws, educating staff and monitoring activities to ensure everyone is doing it correctly." Interestingly, one of the manager's at this location felt that "the only role that management plays with security issues is to make sure the practice is in compliance by filling in the forms required by HIPAA." This seems to be a surface-level of compliance in which only minimum requirements are met for HIPAA regulation, whereas a deeper-level of compliance would entail going beyond minimum regulation requirements so that compliance to security policy is eventually integrated into the culture of the organization. The radiology administrator revealed a deeper-level of compliance in stating that "it's up to someone like me to set the tone for everything, not to just set the plan in place." The IT Director saw his role as a champion of the IA policy. This individual involved with regulatory compliance believes that the role of management is also to demonstrate to their "customers" that the organization will do "everything we can to protect the information that they have entrusted with us."
IA policy enforcement (Figure 1: 8a). Trevino12 proposes that an organization can influence behavior of its members through rewards and punishments for ethical/unethical behavior. The individual in medical staff relations believes that "without guidelines to follow and proper enforcement, it would be difficult to hold staff accountable for any breaches." The radiology administrator, stated that management must be willing to fire people if they won't follow policy. If an employee's attitude is based upon the belief that there are negative consequences to non-compliance behaviors, the employee's intention will be to comply with the security and IA policy.
Appropriateness and clarity of IA policy (Figure 1: 10a). HIPAA regulations can be confusing since organizations of different size have different requirements for compliance to policy5,8. There were also different deadlines for implementing HIPAA regulations as part of organizational security and privacy policies. As one clerical respondent stated, "Overall, I understand the reason for this policy, but it took a lot of work to learn and put in place and has been confusing in some areas." If the IA Policy is not clear to understand and follow then that will have an impact on the attitude towards usage of the IA policy and eventually the intention and actual compliance with such policy.
Perceived usefulness and ease of use of IA technology (Figure 1: 11a, 12a). If technology is perceived to be useful and easy to use, one would develop more positive attitudes towards IA technology,1 such as encryption, proper password usage and access control mechanisms etc. The IT Director stated that "IT has always had a 'feature first' mindset in which feature availability and ease of use has been in the forefront...Security has been seen as a hindrance to functionality. This does not need, and indeed should not be the case." He felt that the culture of health care providers and software vendors is slow to change; and this has implications for the adoption of technological features which enhance security policy.
Attitudes Affecting IA Policy Compliance
Attitudes towards IA policy and IA technology (Figure 1: 13a, 14a, 15a). TAM1 states that a person's intention to use technology is affected by their attitudes and previous experience with technology. If one has a positive attitudes toward policy compliance, IA policy and technology, it is expected to create a stronger intention to comply with policy. The IT Director responded that "a properly deployed EMR will be more secure than paper records due to audited access behind security mechanisms."
Intention to comply with IA policy (Figure 1: 15a). Intention to comply with IA Policy suggests that an employee is aware of compliance issues, and intends to behave in a manner which supports those policies. Extent of intention to comply varies from surface-level compliance to deep-levels of compliance, and depends on various external and individual factors as discussed above.
Compliance behavior related to IA policy (Figure 1: 16a). TRA3 supports the notion that intention is a positive indicator of behavior. An employee who intentionally performs positive compliance behaviors is important to organizational success. Positive compliance behaviors are inherently risk-aversive and ideally would permeate throughout the organizational culture. It is the visible behaviors of organizational members that provide clues to the observable parts of an organization's culture and provide impetus to new employees and existing members regarding what is acceptable and not acceptable in an organization. Thus, at a deeper level of compliance organizational members are likely to exhibit compliance with IA policy in response to deeply held and shared value of securing patient information.
Conclusion and Managerial Implication: Intervention and Compliance
Our case analyses indicate that employees who have a high propensity for compliance beliefs (see Figure 2) and organizations that have high management level of intervention through training, meetings, policy implementation, and enforcement, are likely to be at a deeper-level of IA Policy Compliance. For employees who exhibit a low propensity for compliance, we believe that an increase in management levels of intervention such as exposure of enforcement, increased training sessions, and productive compliance meetings, over time will increase the individual's level of propensity for compliance. The individual, and, collectively the organization, would move diagonally in the continuum toward the deeper-level of compliance over time. Figure 2 displays an analysis of where the respondents (from each of the organizations participating in our study) fall on the continuum.
The following quote from a medical staff respondent is helpful in viewing compliance issues:
"I believe that technology can play a major role in health care security by helping to protect patient information from being inappropriately accessed. You can't place too much emphasis on the importance of technology in health care security, but the human factor is just as important... Because of that, there will always be the need for staff to play a direct role in security."
Ultimately, success of IA policy depends upon whether employees comply, and to what extent they comply to keep patient information confidential. The authors have research underway where they are developing measures of health care employee compliance factors as outlined in this research (see Figure 1). Based on the ongoing research, we present some sample measures for the compliance factors in Table 2 to provide managers with guidelines that can be used in the compliance assessment process.
Even though we carried out this study in the context of the health care industry, the findings can be useful in providing insight for IA Policy compliance in other industries since safe-guarding sensitive consumer information is critical for any industry. In this sense, the contribution of this study is not limited to the health care industry alone, but can be extended to other industries as well through suitable adaptation. We hope that this study benefits both academics and practitioners.
Usual limitations of generalizability applies to our study. Given the fact that health care regulations vary significantly across different countries, it is difficult to generalize our findings for other countries outside of the U.S. Even within the U.S., we need more studies and investigations to fully understand the complex issues related to health care security and information assurance. We hope that our study will stimulate active research in this important and critical area among academics and practitioners.
2. Border, C. Survey: Consumers concerned about control, access to medical info. Healthcare IT News, Jan. 18, 2006. http://www.healthcareitnews.com/prinStory.crns?id=4335.
©2010 ACM 0001-0782/10/0300 $10.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.