A Deterrence Approach to Regulate Nurses’ Compliance with Electronic Medical Records Privacy Policy

  • Systems-Level Quality Improvement
Journal of Medical Systems

Abstract

Hospitals have become increasingly aware that electronic medical records (EMR) may bring tangible/intangible benefits to managing institutions, including reduced medical errors, improved quality-of-care, curtailed costs, and access to patient information by healthcare professionals regardless of limitations. However, increased dependence on EMR has led to a corresponding increase in the impact of EMR breaches. Such incursions, which have been significantly facilitated by the introduction of mobile devices for accessing EMR, may cause tangible/intangible damage to both hospitals and the individuals concerned. The purpose of this study was to explore factors that may inhibit nurses’ intentions to violate EMR privacy policy, from the perspective of deterrence theory. Using survey methodology, 262 responses were analyzed via structural equation modeling. Results revealed that punishment certainty, detection certainty, and subjective norm would most certainly and significantly reduce nurses’ intentions to violate established EMR privacy policy. Based on these findings, recommendations are discussed for health administrators planning and designing effective strategies that may inhibit nurses from violating EMR privacy policy.

Author information

Corresponding author

Correspondence to Ming-Chien Hung.

Ethics declarations

Conflict of Interest

The authors declare that they have no conflict of interest.

Ethical Approval

All procedures performed in studies involving human participants were in accordance with the ethical standards of the institutional and/or national research committee and with the 1964 Helsinki declaration and its later amendments or comparable ethical standards. This article does not contain any studies with animals performed by any of the authors.

Informed Consent

Informed consent was obtained from all individual participants included in the study.

Additional information

This article is part of the Topical Collection on Systems-Level Quality Improvement

About this article

Cite this article

Kuo, KM., Talley, P.C., Hung, MC. et al. A Deterrence Approach to Regulate Nurses’ Compliance with Electronic Medical Records Privacy Policy. J Med Syst 41, 198 (2017). https://doi.org/10.1007/s10916-017-0833-1

  • DOI: https://doi.org/10.1007/s10916-017-0833-1
