ABSTRACT
As the baby boomers age and the focus of healthcare shifts from acute care to chronic care, home healthcare will become increasingly important in controlling cost and improving quality. Health IT will undoubtedly play a critical role in achieving these goals. Yet growing adoption of Health IT raises important questions about the privacy and security of protected health information, necessitating a better understanding of compliance with the HIPAA regulation, which mandates privacy and security safeguards by care providers. In this research, we investigate the prevalence of HIPAA compliance in home healthcare to identify the drivers influencing HIPAA compliance in home health agencies. The research design involves a model of regulatory compliance comprising institutional and market forces that may have a bearing on home healthcare. We develop hypotheses guided by neo-institutional theory and conduct quantitative analysis with the goal of generating insights into the primary drivers of and barriers to HIPAA compliance.
Index Terms
- HIPAA compliance in home health: a neo-institutional theoretic perspective