Published in: BMC Medical Informatics and Decision Making 1/2019

Open Access 01-12-2019 | Research article

Deterrence approach on the compliance with electronic medical records privacy policy: the moderating role of computer monitoring

Authors: Kuang-Ming Kuo, Paul C. Talley, Tain-Junn Cheng


Abstract

Background

This study explored, from a deterrence perspective, the possible antecedents that motivate hospital employees’ compliance with privacy policy related to electronic medical records (EMR). We also investigated the moderating effect of computer monitoring on the relationships between these antecedents and the level of hospital employees’ compliance intention.

Methods

Data were collected from a large Taiwanese medical center using survey methodology. A total of 303 responses were analyzed via hierarchical regression analysis.

Results

The results revealed that sanction severity and sanction certainty each significantly predict hospital employees’ compliance intention. Further, our study found that external computer monitoring significantly moderates the relationship between sanction certainty and compliance intention.

Conclusions

Based on our findings, the study suggests that healthcare facilities should take proactive countermeasures, such as computer monitoring, in addition to a stated privacy policy, to better protect the privacy of EMR. However, the extent of computer monitoring should be kept to the minimum requirements stated by relevant regulations.
Metadata

Publication date: 01-12-2019
Publisher: BioMed Central
Electronic ISSN: 1472-6947
DOI: https://doi.org/10.1186/s12911-019-0957-y
