Background
Hospitals have become increasingly aware that electronic medical records (EMR) have the potential to provide many benefits, such as improved healthcare quality, reduced medical errors, decreased costs [1], and professional staff access to patient information without limitations of either time or space [1]. EMR have also been well recognized as a cost-effective investment [2‐4]. More and more healthcare facilities have thus adopted EMR to benefit as much as possible from the trend toward digitalization.
However, increasing reliance on EMR has led to a corresponding increase in the potential harm from EMR breaches, that is, unauthorized access to EMR by internal staff or outside parties. These breaches may cause intangible and tangible damage to hospitals and private individuals alike [5], since the burgeoning volume of digital medical records remains highly accessible to both authorized and unauthorized users [6]. According to a U.S. Health and Human Services Department report [7], there have been 329 reported breaches in which more than 500 records were exposed. More specifically, a total of 16,471,765 patients had their medical records breached, intentionally or unintentionally, in 2016 alone. Most of these reported privacy violations in healthcare facilities in fact stem from staff misuse or abuse of their privileged access to patient records [7, 8]. More importantly, if the information is disclosed inappropriately, patients may suffer serious harm [6]. It should be widely understood that non-compliance with privacy rules may lead to both civil lawsuits and criminal penalties in many countries [9‐11]. In Taiwan, for example, the maximum civil monetary penalty can be more than six million USD, accompanied by five years of imprisonment, if the related privacy-protection regulations are found to have been broken.
In the realm of information security, the literature [12] has suggested four security activities to ameliorate the problem of unauthorized access, namely deterrence, prevention, detection, and remedies, which together reduce a considerable number of inherent security risks. Deterrence refers to how organizations can best deter a potential perpetrator from committing unlawful behaviors by indicating the serious sanctions attached to security breaches and by making clear, through proscribed rules (i.e., organizational policies), that breaches will certainly be punished heavily [13]. Prevention refers to the use of active countermeasures (e.g., physical locks on information assets or password protection) that are ready to block illegitimate intentions and unauthorized intrusions. Detection, such as computer monitoring, provides for the purposeful investigation of activities in order to identify plausible abnormalities. Remedies refer to whatever an organization can do to recover from the harmful effects of security violations [12]. Among these four activities, deterrence and detection are well-established influences that dissuade employees from unlawful or unauthorized behaviors, such as the violation of organizational policies, or that compel employees’ compliance intentions [13‐18].
Deterrence theory, which mainly states that individuals are less likely to undertake illegal behaviors if the pertinent sanctions are severe and certain, is one of the many theories [14, 16, 19‐21] that have been widely adopted to investigate compliance with security policy. However, the extant literature has often reported mixed results [22] when using deterrence theory to model compliance with information security policy. To better understand the plausible effects of deterrence, such as sanction severity and certainty, prior study has called for testing more contingency variables and their possible moderating effects [22]. Further, the literature [23, 24] suggests that the identification of moderating effects is important to advance scientific knowledge in the field. However, the moderating influence of detection practices on the relationship between deterrence and policy compliance intention appears to be less investigated. We therefore contend that identifying the moderating effects of detection practices could offer differing perspectives that further organizational-policy compliance studies.
The primary purposes of this quantitative research were two-fold: 1) to investigate the inherent relationships between deterrent practices (i.e., sanction severity and sanction certainty in our study) and EMR privacy policy compliance intentions among hospital employees; and 2) to explore the moderating influence of detection practices (i.e., computer monitoring in our study) on those relationships, as stated above. The results of our study should be of interest to both academics and practitioners in the healthcare industry.
Discussion
As previously highlighted, the protection of electronic medical records privacy is an important managerial issue given the extensive proliferation of EMR among healthcare facilities and the extent to which EMR can change the paradigm of the healthcare service provided. Effective adherence by hospital staff to the stated privacy policy will enable patients to place more trust in the services delivered, while hospital employees can confidently access patient-related information instantly, regardless of time and location. A positive intention to comply with the stated privacy policy will thus tend to improve the overall quality of healthcare service, mitigate the risks and legal consequences that healthcare facilities might face, and lower the potential negative impact on patients from security breaches of EMR.
Based upon this understanding, the main goal of our study has been to examine, from a deterrence perspective, theoretical factors that may improve hospital employees’ intention to adhere to the stated EMR privacy policy. To this end, our study has highlighted two conceptual realms: 1) deterrents such as sanction severity and sanction certainty and their effect on compliance intention, and 2) the effect of computer monitoring on the effects of these deterrents.
The main finding of our study is the moderating effect that computer monitoring has upon the influence of sanction severity and sanction certainty on hospital employees’ adherence to the stated privacy policy. Even though the literature [23, 24] suggests that identifying moderating effects is important for the advancement of scientific knowledge, relatively few studies have tested the moderating effects of computer monitoring on the associations between deterrents and compliance intentions. The moderation results in our study showed that the association between sanction certainty and behavioral intention was stronger among hospital employees who perceived a lower level of computer monitoring. That is, where computer monitoring is low, hospital employees who know that sanctions are certain will inevitably adhere to the stated privacy policy. This finding is in accordance with the study by D’Arcy and Hovav [39], who found that the deterrent effect of monitoring on remote-site workers is weaker than on central workers because remote-site workers are in fact less monitored. In other words, remote-site workers may not comply as closely as centralized workers do. The literature [14] has encouraged the practice of computer monitoring because it is an effective countermeasure for regulating inappropriate information security behaviors and, most importantly, because organizations can directly control such a mechanism on a regular basis. Based on our finding of the moderating effect of computer monitoring, however, we suggest that healthcare facilities should continue to monitor the usage of EMR, but that employees should not be negatively influenced by, or come to suspect, that such surveillance activities routinely take place, since this suspicion may lower employees’ performance through invisible pressures [28, 29]. Most importantly, healthcare facilities should make sure that their employees are aware of the computer monitoring that is taking place, and of the severity and certainty of sanctions whenever the stated privacy policy is violated. This is especially true since the deterrent effect may be maximized if potential perpetrators are fully aware of the certain consequences of illegal behaviors [12].
In addition, consistent with previous studies [13, 14, 17, 18], sanction severity and sanction certainty were significantly related to one’s intention to comply with the stated privacy policy. This may imply that both sanction severity and sanction certainty are effective determinants for regulating hospital employees’ future policy-compliance behavior. In terms of the relative importance of these two determinants, sanction certainty was a stronger predictor than sanction severity, which corroborates the findings of the meta-analysis by Pratt et al. [30]. Pratt et al. [30] also argue that sanction certainty tends to perform best when predicting “white-collar” types of offenses, which is consistent with our study. Based on these findings, we suggest that healthcare facilities should clearly define a set of policies with detailed rules and regulations regarding the potential punishments for all unlawful behaviors involving EMR. Most importantly, these policies should be communicated to hospital employees via training sessions. By doing so, potential offenders are more likely to be dissuaded from committing unlawful behaviors by the possibility of incrimination.
Our study contributes to both academic and practical concerns related to EMR administration. From an academic standpoint, our study provides one of the few tests of the differential deterrence hypothesis in the realm of EMR privacy protection. With few exceptions [14, 39], most studies in IS security have presumed that the impact of deterrents is consistent across individuals. By investigating the moderating effect of computer monitoring, our study contributes to a better understanding of the relationships between deterrents (i.e., sanction severity and certainty in our study) and policy compliance intention.
From the perspective of EMR privacy protection, the results demonstrate that the effectiveness of sanction certainty depends on hospital employees’ perceived level of computer monitoring: the higher the level of computer monitoring perceived by hospital employees, the lower the effect of sanction certainty on compliance intention. Therefore, healthcare facilities should inform their employees that EMR usage and access are duly monitored according to the security requirements and privacy concerns deemed necessary by the healthcare authorities, and that no excessive monitoring practices are implemented in their facilities. Further, any monitoring must be carried out in the least intrusive way possible. This is especially important as more health facilities have adopted EMR for most procedures, to the extent that many hospital employees can now acquire and maintain patients’ medical records only through EMR systems.
Like most empirical studies, our study has limitations that should be taken into account. First, the study sample is drawn from only one medical center in Taiwan, so inferences to the wider population cannot be safely made; in other words, the external validity of the present findings may be limited to a greater or lesser extent. Since we adopted a convenience sampling approach, the participants may not be representative of all eligible hospital employees, and our findings can only be generalized to a population with the same characteristics. Further, the survey was based mainly on self-report rather than direct observation or monitoring of participants’ regular behavioral patterns; future research can examine the issue with such methods in order to better understand the associations among these constructs. In addition, since our questionnaires asked about hospital employees’ intention to comply with the EMR privacy policy, respondents may have tended to answer in a rule-obedient manner despite the survey being completely voluntary and anonymous. Hence, the possibility of social acceptability bias may still exist in our study and should be addressed in future studies. Finally, it should be noted that all of our findings rest on the assumption that an individual will make rational decisions related to EMR access.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.