Information Assurance Compliance with Government Regulations

A Framework for Health Care Information Assurance Policy and Compliance

contributed articles

126 communications of the acm | march 2010 | vol. 53 | no. 3

doi: 10.1145/1666420.1666453

by sherrie drye cannoy and a. f. salam

As many as 400 people may have access to one’s personal medical information throughout the typical care process. Disclosures of sensitive information, such as emotional problems, sexually transmitted diseases, substance abuse, and genetic predispositions to diseases, could cause embarrassment and affect insurability, child custody cases, and employment [6,8,10]. A recent survey by IDC found that “Most consumers … were uncomfortable with their health plan sharing health information with a hospital, a specialist or their primary care doctor … (and) were concerned with who saw their information and were worried that the information could be made available online … (and) other respondents said they didn’t trust their health plan or hospital to protect their information” [2]. Clearly, patients (consumers) feel that it is critical that their medical information is held in confidence. If patients do not feel that their personal medical information will be kept confidential, they may withhold important medical information from health care providers [2], making it difficult to provide quality and effective health care.

This issue of safeguarding sensitive patient information has become even more critical given that Electronic Protected Health Information (PHI), in Electronic Medical Records (EMR) as mandated by the Health Insurance Portability and Accountability Act (HIPAA) [6], may consist of a patient’s medical, demographic and insurance information. This presents a significant information assurance and security challenge to the health care industry, as reflected in consumers’ concerns related to building trust with the health care community [2,6,7]. If the health care industry falls behind in assuring the public that it can indeed safeguard patient information, then the initiative to create a more efficient and cost-effective health care system by using information technology will be in serious jeopardy. The research presented in this article addresses this important information assurance and security challenge by building upon past research [2,6] and presenting a framework of Information Assurance and Compliance developed through a multi-site case study approach [7] involving multiple health care providers in the U.S.

Mercuri [8] correctly identified that “solutions (to the information assurance challenge) are not as simple as adding on security tools and providing employees with policies and procedures for their job classification and requiring them to read and sign off on them.” Information Assurance (IA) technologies such as encryption, password protection, access control mechanisms [11], and so on, for PHI may not be sufficient, since not all individual health care professionals may be familiar with the requirements of the law nor sufficiently motivated or trained to protect private and sensitive patient information. Health care Information Assurance policy (IA Policy) may be in place due to HIPAA requirements, but if health care employees fail to comply with such policy then patient information will be at risk of disclosure. In this context, Mercuri [8] correctly underscores the importance of human and management factors related to compliance by stating that “…the workers (must be given) a sufficient period in which to incorporate the new structures and rules into their culture and ethics. Otherwise efforts (related to IA Policy compliance) may be frustrated and unsuccessful.”

Even though human and management factors related to compliance have been recognized as being as important as technical factors in providing security for PHI in the health care industry [2,5,6], there is a lack of a well-developed framework for understanding IA policy compliance factors that addresses the behavioral dimension in the context of patient health care information. Without such a framework, it is difficult to develop both managerial interventions and research studies in this important area of health care information assurance. The purpose of this research (using a multi-site case research approach) is to present such a research framework, which examines what factors affect health care employees’ behavior in complying with information assurance (IA) policy related to the protection of patient health care information. We also present sample measures to assess individual compliance.

In the light of recent breaches and/or theft of sensitive consumer data from banks, academic institutions, government agencies, and health care providers, this study provides a framework that can be extended and adapted to understand IA Policy issues in health care as well as in other industries. Therefore, the implication of this study is much broader and can be extended to other industries with appropriate adaptation.

The unifying foundation for our research framework is the Theory of Reasoned Action (TRA) [3]. TRA posits that external factors affect beliefs, beliefs in turn affect attitudes, attitudes affect intention, and intention ultimately affects one’s behavior. We examine how these concepts are related to one’s behavior in complying with information assurance policy regarding patient health information. Using TRA [3], we build our framework on solid theoretical foundations, drawing from research in the technology acceptance model [1], information assurance and security [6,7], ethical behavior [12], organizational culture [4] and health information management [5,8,9,10].

A case study approach

Case studies have been utilized in health care research [5,9]. In our study, we analyzed qualitative data obtained through case study research [9] across multiple health care providers (Table 1) in the Southeastern U.S. Our resultant research framework for IA Policy compliance, integrating case study findings with theories drawn from different disciplines, is presented in Figure 1.

Both responses to questionnaires and discussion in interviews allowed respondents (under nondisclosure agreement) to confidentially discuss factors associated with compliance beliefs, attitudes and their behavioral outcomes in terms of IA policy compliance.

We found through our case studies, in line with TRA [3], that one’s individual propensity for compliance and government regulation as an external imperative [4] affect one’s belief in IA policy compliance. Communication and training on IA policy affect one’s beliefs about the appropriateness and clarity of IA policy. Previous experience with IA technology affects one’s beliefs regarding the usefulness and ease of use of IA technology. These beliefs were found to affect one’s attitudes toward IA policy compliance, IA policy usage, and IA technology. Attitudes toward IA Policy Compliance, IA Policy Usage and IA Technology in turn affect one’s Intention to Comply with IA Policy. One’s intention related to IA Policy Compliance leads to the Behavioral Outcome of complying with IA policy, in line with TRA [3]. Next, we discuss each of these components of our framework in more detail, providing support for each component based on analyses of multi-site qualitative case study data.

External factors affecting IA Policy compliance

Individual Propensity for Compliance and Government Regulation (Figure 1: 1a, 2a and 2b). There are individuals who will be more ethically inclined to be compliant, while others will not have the same level of propensity to follow policy as closely [12]. Gordon [4] stated that certain values develop concerning the ‘right things to do,’ and, consistent with these values, management develops the strategies, structures, and processes necessary for the company to conduct its business. The radiology administrator in one case site stated that government regulation “forces people who are lax to pay more attention to security issues.” This supports our finding, in line with TRA [3], that one’s belief in IA Policy compliance is affected by one’s propensity for compliance and by existing government regulations.

All of our respondents mentioned government regulations such as HIPAA as the main driver for implementing formal compliance policies. Gordon [4], in his research on industry determinants of organizational culture, states that organizations in general are affected by their environments and that organizations are founded on industry-based assumptions about customers, competitors, and society, which form the basis of company culture.

Table 1. Healthcare employees interviewed

The respondent in medical staff relations felt that “with HIPAA, the government will continue to set standards that all health care entities will have to meet.” The radiology administrator felt that since health care had maintained a culture of security and confidentiality, Information Assurance policies would be easier to implement. However, the IT Director felt that without regulations, security would not get a “tremendous amount of attention” at many organizations. If the culture of the organization integrated security and confidentiality, policies should be somewhat easier to implement, which was the case in the administrator’s organization. The IT Director felt that the requirement to disclose PHI security breaches would reinforce heightened compliance with regulations, to avoid damage to the organization’s reputation.

Training and Communication (Figure 1: 3a, 3b and 4a, 4b). If policies are communicated often, and in various ways, emphasizing security of PHI, employees are likely to perceive that IA policy is beneficial for patients, health care professionals and providers alike. In our case studies, training and communication of IA policy were mentioned repeatedly as key factors related to IA policy compliance in our interviews with health care professionals, and this is in line with previous research using TAM [1]. According to one of the respondents:

“Of high importance is the training program to mitigate the potential effects of unintentional misuse of that technology. A good example is that of a clerical worker that sends unencrypted information via company email via the internet.”

Previous Experience with IA Technology (Figure 1: 6a, 6b). Based on TAM [1], one’s previous experience with IA technology affects beliefs about the ease of use and usefulness of that particular technology when utilized in a compliance policy context. For example, will employees understand the importance of keeping passwords secure and encrypting email that includes PHI? The IT Director from our study suggests that a positive previous experience with technology may result in the intention to use the technology in an appropriate manner:

“Technology is an enabler of security but also carries with it the side effects of different risks. The capacity to communicate electronically over great distances with patients and other providers for instance carries the risk that an SSL encrypted connection will be compromised by a “man in the middle” or other attack. . . As technology grows it is of vital importance that all aspects of the security program grow with it.”

Beliefs affecting IA Policy compliance

Individual belief in IA policy compliance (Figure 1: 7a). When asked about the individual’s role in compliance issues, one respondent said that her role involves “following the guidelines and procedures put in place by our practice; asking questions when I don’t understand, and helping others when they have questions (patients and co-workers).” This seems to relate to a strong belief in complying with policy, to the extent of being motivated enough to ask questions and help others. On the other hand, the radiology administrator pointed to the need for regulations that “forces people who are lax to pay more attention” to security issues. The propensity for compliance may vary from individual to individual depending upon the strength of their belief in IA policy compliance.

Figure 1. Framework for information assurance policy compliance

Management Commitment (Figure 1: 9a). When asked what role management should play in IA policy compliance, one employee at the clerical level suggested that the manager should have “an understanding of various regulations and laws, educating staff and monitoring activities to ensure everyone is doing it correctly.” Interestingly, one of the managers at this location felt that “the only role that management plays with security issues is to make sure the practice is in compliance by filling in the forms required by HIPAA.” This seems to be a surface level of compliance in which only the minimum requirements of HIPAA regulation are met, whereas a deeper level of compliance would entail going beyond minimum regulatory requirements so that compliance with security policy is eventually integrated into the culture of the organization. The radiology administrator revealed a deeper level of compliance in stating that “it’s up to someone like me to set the tone for everything, not to just set the plan in place.” The IT Director saw his role as a champion of the IA policy. This individual, involved with regulatory compliance, believes that the role of management is also to demonstrate to their “customers” that the organization will do “everything we can to protect the information that they have entrusted with us.”

IA policy enforcement (Figure 1: 8a). Trevino [12] proposes that an organization can influence the behavior of its members through rewards and punishments for ethical/unethical behavior. The individual in medical staff relations believes that “without guidelines to follow and proper enforcement, it would be difficult to hold staff accountable for any breaches.” The radiology administrator stated that management must be willing to fire people if they won’t follow policy. If an employee’s attitude is based upon the belief that there are negative consequences to non-compliant behaviors, the employee’s intention will be to comply with the security and IA policy.

Appropriateness and clarity of IA policy (Figure 1: 10a). HIPAA regulations can be confusing since organizations of different sizes have different requirements for compliance with policy [5,8]. There were also different deadlines for implementing HIPAA regulations as part of organizational security and privacy policies. As one clerical respondent stated, “Overall, I understand the reason for this policy, but it took a lot of work to learn and put in place and has been confusing in some areas.” If the IA Policy is not clear to understand and follow, then that will have an impact on the attitude toward usage of the IA policy and eventually on the intention and actual compliance with such policy.

Perceived usefulness and ease of use of IA technology (Figure 1: 11a, 12a). If technology is perceived to be useful and easy to use, one would develop more positive attitudes toward IA technology [1], such as encryption, proper password usage, access control mechanisms, etc. The IT Director stated that “IT has always had a ‘feature first’ mindset in which feature availability and ease of use has been in the forefront…Security has been seen as a hindrance to functionality. This does not need, and indeed should not be the case.” He felt that the culture of health care providers and software vendors is slow to change, and this has implications for the adoption of technological features which enhance security policy.

Attitudes affecting IA Policy compliance

Attitudes toward IA policy and IA technology (Figure 1: 13a, 14a, 15a). TAM [1] states that a person’s intention to use technology is affected by their attitudes and previous experience with technology. If one has positive attitudes toward policy compliance, IA policy and technology, it is expected to create a stronger intention to comply with policy. The IT Director responded that “a properly deployed EMR will be more secure than paper records due to audited access behind security mechanisms.”

Intention to comply with IA policy (Figure 1: 15a). Intention to comply with IA Policy suggests that an employee is aware of compliance issues and intends to behave in a manner which supports those policies. The extent of intention to comply varies from surface-level compliance to deep-level compliance, and depends on the various external and individual factors discussed above.

Compliance behavior related to IA policy (Figure 1: 16a). TRA [3] supports the notion that intention is a positive indicator of behavior. An employee who intentionally performs positive compliance behaviors is important to organizational success. Positive compliance behaviors are inherently risk-averse and ideally would permeate throughout the organizational culture. It is the visible behaviors of organizational members that provide clues to the observable parts of an organization’s culture and provide impetus to new employees and existing members regarding what is acceptable and not acceptable in an organization. Thus, at a deeper level of compliance, organizational members are likely to exhibit compliance with IA policy in response to a deeply held and shared value of securing patient information.

Conclusion and managerial implication: intervention and compliance

Our case analyses indicate that employees who have a high propensity for compliance beliefs (see Figure 2) and organizations that have a high level of management intervention through training, meetings, policy implementation, and enforcement are likely to be at a deeper level of IA Policy Compliance. For employees who exhibit a low propensity for compliance, we believe that an increase in management levels of intervention, such as exposure to enforcement, increased training sessions, and productive compliance meetings, will over time increase the individual’s level of propensity for compliance. The individual, and collectively the organization, would move diagonally along the continuum toward the deeper level of compliance over time. Figure 2 displays an analysis of where the respondents (from each of the organizations participating in our study) fall on the continuum.

Figure 2. IA Policy compliance is dependent upon an individual’s beliefs in IA Policy compliance and the level of compliance intervention by management

The following quote from a medical staff respondent is helpful in viewing compliance issues: “I believe that technology can play a major role in health care security by helping to protect patient information from being inappropriately accessed. You can’t place too much emphasis on the importance of technology in health care security, but the human factor is just as important… Because of that, there will always be the need for staff to play a direct role in security.”

Ultimately, the success of IA policy depends upon whether employees comply, and to what extent they comply, to keep patient information confidential. The authors have research underway in which they are developing measures of health care employee compliance factors as outlined in this research (see Figure 1). Based on the ongoing research, we present some sample measures for the compliance factors in Table 2 to provide managers with guidelines that can be used in the compliance assessment process.

Table 2. Abbreviated list of measures for compliance assessment

Even though we carried out this study in the context of the health care industry, the findings can be useful in providing insight into IA Policy compliance in other industries, since safeguarding sensitive consumer information is critical for any industry. In this sense, the contribution of this study is not limited to the health care industry alone, but can be extended to other industries as well through suitable adaptation. We hope that this study benefits both academics and practitioners.

The usual limitations of generalizability apply to our study. Given that health care regulations vary significantly across different countries, it is difficult to generalize our findings to other countries outside of the U.S. Even within the U.S., we need more studies and investigations to fully understand the complex issues related to health care security and information assurance. We hope that our study will stimulate active research in this important and critical area among academics and practitioners.

References

1. Amoako-Gyampah, K. and Salam, A.F. An extension of the technology acceptance model in the ERP implementation environment. Information & Management 41 (2004), 731-745.

2. Border, C. Survey: Consumers concerned about control, access to medical info. Healthcare IT News, Jan. 18, 2006. http://www.healthcareitnews.com/prinStory.cms?id=4335.

3. Fishbein, M. and Ajzen, I. Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research. Addison-Wesley, Reading, MA, 1975.

4. Gordon, G. Industry determinants of organizational culture. Academy of Management Review 16, 2 (1991), 396-415.

5. Cannoy, S. Consumer Empowerment in Healthcare Information Exchange: An Investigation Using the Grounded Theory Approach. Unpublished doctoral dissertation, 2008.

6. Currim, F., Jung, E., Xiao, X. and Jo, I. Privacy policy enforcement for health information data access. WiMD ’09 (May 18, 2009, New Orleans, LA, USA).

7. Chryssanthou, A., Varlamis, I. and Latsiou, C. Security and trust in virtual healthcare communities. PETRA ’09 (June 9-13, 2009, Corfu, Greece).

8. Mercuri, R. The HIPAA-potamus in health care data security. Comm. of the ACM 47, 7 (July 2004), 25-28.

9. Miles, M. and Huberman, M. Qualitative Data Analysis, 2nd edition. Sage Publications, Thousand Oaks, CA, 1994.

10. Pratt, W., Unruh, K. and Civan, A. Personal health information management. Comm. of the ACM 49, 1 (Jan. 2006), 51-55.

11. Raghupathi, W. and Tan, J. Strategic IT applications in health care. Comm. of the ACM 45, 12 (Dec. 2002), 56-61.

12. Trevino, L. Ethical decision making in organizations: A person-situation interactionist model. Academy of Management Review 11, 3 (1986), 601-617.

Sherrie Drye Cannoy (sdcannoy@ncat.edu) is an assistant professor in the Department of Business Education at the School of Business and Economics, North Carolina A&T University, NC.

A. F. Salam (amsalam@uncg.edu) is an associate professor in the Information Systems and Operations Management Department at the Bryan School of Business and Economics, University of North Carolina at Greensboro, Greensboro, NC.

© 2010 ACM 0001-0782/10/0300 $10.00
