A framework for health care information assurance policy and compliance

  • Authors: Sherrie Drye Cannoy; A. F. Salam
  • Affiliations: North Carolina A&T University, NC; University of North Carolina at Greensboro, Greensboro, NC
  • Venue: Communications of the ACM
  • Year: 2010

Abstract

Introduction

As many as 400 people may have access to one's personal medical information throughout the typical care process. Disclosures of sensitive information, such as emotional problems, sexually transmitted diseases, substance abuse, and genetic predispositions to diseases, could cause embarrassment and affect insurability, child custody cases, and employment. A recent survey by IDC found that "Most consumers …were uncomfortable with their health plan sharing health information with a hospital, a specialist or their primary care doctor… (and) were concerned with who saw their information and were worried that the information could be made available online… (and) other respondents said they didn't trust their health plan or hospital to protect their information." Clearly, patients (consumers) feel that it is critical that their medical information is held in confidence. If patients do not feel that their personal medical information will be kept confidential, they may withhold important medical information from health care providers, making it difficult to provide quality and effective health care. Safeguarding sensitive patient information has become even more critical given that the Electronic Protected Health Information (PHI) in Electronic Medical Records (EMR), as mandated by the Health Insurance Portability and Accountability Act (HIPAA), may consist of a patient's medical, demographic and insurance information. This presents a significant information assurance and security challenge to the health care industry, as reflected by consumers' concerns about building trust with the health care community. If the health care industry falls behind in assuring the public that it can indeed safeguard patient information, then the initiative to create a more efficient and cost-effective health care system by using Information Technology will be in serious jeopardy.

The research presented in this article addresses this important information assurance and security challenge by building upon past research and presenting a framework of Information Assurance and Compliance developed through a multi-site case study approach involving multiple health care providers in the U.S. Mercuri correctly identified that "solutions (to the information assurance challenge) are not as simple as adding on security tools and providing employees with policies and procedures for their job classification and requiring them to read and sign off on them." Information Assurance (IA) technologies for PHI, such as encryption, password protection, and access control mechanisms, may not be sufficient, since not all individual health care professionals may be familiar with the requirements of the law, nor sufficiently motivated or trained to protect private and sensitive patient information. A health care Information Assurance policy (IA Policy) may be in place due to HIPAA requirements, but if health care employees fail to comply with such a policy, then patient information will be at risk of disclosure. In this context, Mercuri correctly underscores the importance of human and management factors related to compliance by stating that "…the workers (must be given) a sufficient period in which to incorporate the new structures and rules into their culture and ethics. Otherwise efforts (related to IA Policy compliance) may be frustrated and unsuccessful." Even though human and management factors related to compliance have been recognized as being as important as technical factors in providing security for PHI in the health care industry, there is a lack of a well-developed framework for understanding IA policy compliance factors that addresses the behavioral dimension in the context of patient health care information.

Without such a framework, it is difficult to develop both managerial interventions and research studies in this important area of health care information assurance. The purpose of this research (using a multi-site case research approach) is to present such a research framework, one that examines which factors affect health care employees' behavior in complying with information assurance (IA) policy related to the protection of patient health care information. We also present sample measures to assess individual compliance. In light of recent breaches and/or theft of sensitive consumer data from banking, academic institutions, government agencies, and health care providers, this study provides a framework that can be extended and adapted to understand IA Policy issues in health care as well as in other industries. Therefore, the implication of this study is much broader and can be extended to other industries with appropriate adaptation. The unifying foundation for our research framework is the Theory of Reasoned Action (TRA). TRA posits that external factors affect beliefs, beliefs in turn affect attitudes, attitudes affect intention, and intention ultimately affects one's behavior. We examine how these concepts are related to one's behavior in complying with information assurance policy regarding patient health information. Using TRA, we build our framework on solid theoretical foundations, drawing from research in the technology acceptance model, information assurance and security, ethical behavior, organizational culture [4] and health information management.