the flow of his or her sensitive medical information is still
Transcript of the flow of his or her sensitive medical information is still
c om p u t e r s & s e c u r i t y 3 1 ( 2 0 1 2 ) 2 0 6 2 2 0 207
the flow of his or her sensitive medical information is still
limited. Many situations, such as emergencies, result in
disclosure of more than the minimum PHI necessary. The
Privacy Rule specifically requires covered entities to safeguard
PHI from accidental or intentional use or disclosure. The
primary objective of this paper is to study the causes of such
privacy breaches and to suggest measures to limit or prevent
such accidental or erroneous uses or disclosures.
1.2. Human error and privacy breaches e literaturereview
Reason (1990) defined error as “the failure to achieve an
intendedoutcome in a planned sequence ofmental or physical
activities when failure is not due to chance.” On the other
hand, a malicious act is intentional and done to cause harm.
Reason (1990) also categorized human error into slips and
mistakes. Slips occur as an outcome of the incorrect execution
of a correct action sequence; mistakes occur as an outcome of
the correct execution of an incorrect action sequence, i.e.,
wrong decisions executed correctly. Mistakes, also known as
“planning failures” or “errors of intention,” result from faulty
conceptual knowledge, incomplete knowledge, or incorrect
action specification. Slips are “execution failures,” often
arising from an actor’s lack of skill, confusion, or loss of acti
vation, as in the case of forgetting the original intention.
Reasonuses the term“lapse” todenote “anomission to execute
an action as planned, due to a failure of memory.” For the
purpose of our analysis, the term “slip” encompasses “lapse”.
Rasmussen (1983) classified human performance into three
categories. Of these, skill based behaviors are routine activities
conducted automatically and do not require conscious alloca
tion of attentional resources. Behaviors classified as rule
based are controlled by stored rules or procedures. Finally,
knowledge based behaviors are those in which stored rules
no longer apply and performance is goal oriented. Reason
(1990) analyzed these three behaviors further and developed
the skill rule knowledge (SRK) taxonomy of human error. Slips
and lapses only occur in skill based behaviors, and mistakes
only occur in rule based and knowledge based behaviors.
Senders and Moray (1991) argued that humans err often in
ignorance and sometimes despite a strong determination to
avoid them. Errorsmay arise from processeswithin an actor or
from processes external to the actor. Incorrect input, insuffi
cient knowledge, or wrong action are all causes of error. Addi
tionaldiscussionsandresearchontrendsonthe topicofhuman
error are available in Norman (1988) and Zhang et al. (2004).
The impact of human error has been studied in many
domains, especially aviation (Shappell et al., 2007), online
banking (Kjaerland, 2006), and medicine (Leape et al., 1993;
Weinstein, 2001). Leape et al. (1993) classified medical errors
into diagnostic, treatment related, system related, or
miscommunication errors. The decentralized and fragmented
nature of the healthcare delivery system and organizational
issues such as staffing, procedures, andwork environment are
consideredmajor contributing factors (Weinstein, 2001) to the
occurrence of errors. Two reports sponsored by the Institute of
Medicine (IOM) (2000, 2001) identified medical errors not only
as a leading cause of death in the U.S., but also, of equal
importance, as a critical problem in terms of human and
social costs. The IOM reports motivated numerous
researchers to try to identify the dimensions of medical error
management (Billings and Woods, 2001; Lenert and Bakken,
2002; Patel and Bates, 2003). Zhang et al. (2002), in particular,
argued that cognitive factors are critical at six different levels
of the healthcare systemhierarchy. At the core are individuals
who trigger errors without necessarily being their root cause.
The next higher hierarchical levels are: interactions among
individuals and between groups of people and technologies;
organizational structures such as coordination and commu
nication; institutional functions such as policies and guide
lines; and lastly, national regulatory agencies. Individuals are
at the last stage in the chain of events that lead to an error;
therefore, cognitive interventions are crucial in preventing
human errors. Norman’s seven stage action theory and its
extensions by Zhang et al. (2004) undergird our study of
privacy breaches within the healthcare system.
The Institute for Safe Medication Practices (ISMP) (2002)
recommends incorporating error management into an orga
nization’s strategic plan, proactively identifying error prone
processes, and devising safe alternatives by using process
flow analysis to combat medication errors. Further, the ISMP
(1999) suggests the following measures, in order of priority, to
remedy medication errors: design of processes with forcing
functions and constraints so that errors are virtually impos
sible or difficult tomake; simplification and standardization of
procedures; reminders, checklists, and double check systems;
rules and policies to support error prevention and disciplinary
measures for errant actions; and enhanced education and
awareness. A recent study of four hospitals (McFadden et al.,
2004) identified seven critical factors for successfully reducing
the likelihoodofmedical errorsorminimizing their effects.The
five most important are: (i) a new organizational structure, (ii)
causal analysis and redesigned processes and systems, (iii)
a modified organizational safety culture, (iv) focus on the
process and not the individual, and (v) education and training.
Several recent studies on the organizational context of
human error have recognized the difficulty of eliminating
human error altogether. Walker et al. (2008) addressed safety
concerns in electronic health records (EHRs) and proposed
steps for process improvement as well as ways to build safety
into the initial design of EHRs. Schonbeck et al. (2010) pre
sented a new approach to address human and organizational
factors in the operational phase (rather than in the design
phase) of safety instrumented systems. Targoutzidis (2010)
proposed using fault tree analysis to reduce workplace
process errors. Similarly, Mohaghegh and Mosleh (2009)
studied ways to improve workplace safety by reducing errors
in organizational processes. Leveson (2008) studied the tech
nical and managerial factors in the losses of the NASA Chal
lenger and Columbia space shuttles and concluded that
organizational or managerial flaws negated the potential
engineering and technical solutions. Kraemer and Carayon
(2007) and Kraemer et al. (2009) concluded that human and
organizational factors loom large as the cause of computer
and information security vulnerabilities e a topic closely
aligned with privacy e and emphasized the complex rela
tionships among human and organizational factors.
Human error has also been widely recognized as a main
cause of privacy breaches (Kraemer et al., 2009; Liginlal et al.,
c om p u t e r s & s e c u r i t y 3 1 ( 2 0 1 2 ) 2 0 6 2 2 0208
2009; Schultz, 2005; Stanton et al., 2005; Wood and Banks,
1993). In recent times, consumers have become increasingly
wary of threats to their privacy. A poll conducted by Zogby
International (2007) showed that 85% of the respondents
valued their personal information and considered safeguard
ing their privacy a top priority. Firms that exposed customers’
private information, no matter the reason, have suffered
substantial consequences. In 2005, ChoicePoint was fined $15
million by the Federal Trade Commission to settle charges
that it failed to protect consumers’ private information
(Sullivan 2006). The Privacy Rights Clearinghouse estimated
that during attacks on ChoicePoint, over 100 million customer
records were put at risk of identity theft (Privacy Rights
Clearinghouse, 2010). Privacy breaches have also been
shown to lower the stock market’s opinion of the firms at
fault. In fact, ChoicePoint’s stock price declined more than
18% over the course of a fewweeks after the announcement of
the company’s privacy breaches. Campbell et al. (2003) found
that breaches involving loss of confidential data were associ
ated with significant declines in the stock prices of affected
firms. Acquisti et al. (2006) also found a significantly negative
effect of privacy breaches, especially for larger firmswith high
visibility. These studies clearly demonstrate that privacy
breaches eroded customers’ trust in the firms involved.
Liginlal et al. (2009) investigated publicly reported incidents
of privacy breaches in the U.S. and determined that human
error caused a majority of them. They found that mistakes in
the information processing stage constituted the highest
number of human error related privacy breaches, clearly
highlighting the need for effective policies and their enforce
ment. Their study, however, did not specifically focus on
either the issue of medical privacy or on the specific organi
zational context that caused the error. Although many orga
nizations have had significant breaches of PHI since 2003,
disciplinary measures have not been enforced until recently.
The recent example of Providence Health & Services (PH&S)
demonstrates one of the first instances of stricter enforce
ment (Portland Business Journal, 2010). The PH&S case
involved the theft of laptops, disks, and tapes containing
health records from employees’ cars in Seattle in 2005 and
2006, thus compromising the PHI of nearly 400,000 patients.
This reportedly was a case of human error arising from poor
policy formulation, enforcement, and employee education.
PH&S was required to implement corrective measures and
also was fined $100,000.
1.3. Research questions and organization of the paper
Against this backdrop of pervasive privacy breaches attribut
able to human error, our paper addresses the following key
questions:
1. Should covered entities consider human error an important
cause of noncompliance with HIPAA Privacy Rule?
2. What are the causal factors of human errors that lead to
such noncompliance?
3. What operational strategies and measures related to the
identified causal factors are essential to management of
errors that adversely affect compliance with HIPAA Privacy
Rule?
Our research is founded on Reason’s (1990) GEMS error
typology, Rasmussen’s (1983) SRK framework, and Norman’s
(1988) seven stage action theory. To answer these questions,
we used secondary data analysis, in depth interviews of
privacy officers, and interpretive research methodology. The
study draws upon Zhang et al. (2002)’s cognitive taxonomy of
human error and upon Liginlal et al. (2009)’s study of the
impact of human error on privacy and its overall regulatory
implications.
The remainder of the paper is organized as follows: In
Section 2, we provide preliminary evidence confirming human
error as a major cause of HIPAA violations. Section 3 focuses
on the design of the qualitative research study based on
semistructured interviews of privacy officers of leading U.S.
healthcare organizations in four states. Section 4 presents the
results of an interpretive analysis of the interview transcripts.
This analysis sheds light on the causes of human error leading
to privacy breaches. Then, in Section 5, we apply action theory
to study our compilation of reports of privacy breaches and to
further understand the causal issues underlying breaches and
their impact on HIPAA compliance. In Section 6, based on our
analyses, we develop a framework designed to manage
human error in the context of compliance with HIPAA Privacy
Rule. We conclude the paper by outlining the contributions
and limitations of our work along with a description of
ongoing related research.
2. Does human error affect HIPAAcompliance? Preliminary evidence
Prior research on privacy breaches (e.g., Liginlal et al., 2009)
has relied on the analysis of secondary data from publicly
available resources. From a methodological perspective, such
an approach, subsequently cross validated with data from
prominent public sources, has been used effectively in various
similar studies (Bagchi and Udo, 2003; Cavusoglu et al., 2004;
Sullivan, 2006; Erickson and Howard, 2007). The first part of
our study, which aimed at gathering preliminary evidence,
employs this research methodology. However, the rest of our
study differs from these earlier studies in two respects: (i) the
dataset is up to date and covers from January 1, 2005, to April
30, 2010, and (ii) data pertaining only to healthcare organiza
tions, i.e., privacy breaches with implications pertinent to
HIPAA, were considered. Overall, we compiled 237 incidents of
privacy breaches related to loss of PHI.
We analyzed this compilation and classified these privacy
breaches into those attributable to human error and those
caused by malicious attacks. Two researchers analyzed the
237 incidents independently, and a third researcher helped
resolve the resulting discrepancies. The observed inter rater
agreement was 0.935 (kappa 0.55; 2 tailed p < 0.0001). The
high value of Cohen’s Kappa indicated that the coding
approach was reliable, satisfying Landis and Koch’s (1977)
threshold of 0.77. We also analyzed the cause of each
privacy breach and determined seven categories of causes as
depicted in Figure 1.
Overall, we determined that only 12% of the 237 incidents
involved malicious acts; human error accounted for the
remainder (approximately 88%). In the latter category, we
Fig. 1 e Causes of medical privacy breaches in the U.S.
c om p u t e r s & s e c u r i t y 3 1 ( 2 0 1 2 ) 2 0 6 2 2 0 209
found that 126 (53%) incidents were related to stolen or
missing media containing confidential patient information.
These losses stemmed from poor policy formulation and/or
enforcement in healthcare organizations, as amply demon
strated by the PH&S case mentioned earlier. Although the
theft in these losses is itself amalicious act, the root cause can
be attributed to an employee violating procedures (mistakes)
or to an employee’s act of omission (slip). From the organi
zation’s perspective, the loss of PHI results from failure to
enforce policies and procedures regarding remote computer
use, compounded by the absence of built in safeguards, such
as strong data encryption. Stolen laptops or lost media have
also been recognized in Liginlal et al. (2009) as a significant
cause of privacy loss and/or identity theft.
3. Studying the nature of human error inhealthcare organizations
Our preliminary results justified a more detailed analysis of
the organizational and human issues underlying privacy
breaches. Research in psychology has demonstrated, for
instance, that the tendency for error is strongly influenced by
adverse work conditions (Berner and Moss, 2005). These
conditions include employee stress, fatigue, time pressures,
cognitive overload, understaffing, complex procedures, inad
equate supervision, poor communication, rapid organiza
tional change, and flaws in system design or implementation.
Studying these causal factors from an organizational
perspective yields insight into the nature and types of errors,
the extent of their impact, and techniques to prevent or
mitigate this impact. This study will also help gauge the
importance that healthcare organizations assign to human
error as a cause of privacy breaches and identify themeasures
they have adopted to remedy these underlying causes.
3.1. Privacy officers as subjects of the study
HIPAA requires healthcare organizations to designate privacy
officers whose primary responsibilities include tracking the
use of PHI, setting up complaint procedures and punitive
action guidelines, and developing overall HIPAA policies and
procedures. Besides keeping up with the latest privacy prac
tices, privacy officers also frequently supervise operations and
training. In effect, a privacy officer is the driving force behind
enforcingHIPAA compliance and is, as such, the best source of
information about organizational practices and compliance
history. Although privacy officers vary in their educational
backgrounds, level of understanding of privacy and security
concepts, and skills in policy analysis and decision making,
we contend that their experience allows them to better
comprehend the relationship between human error and
HIPAA privacy breaches. Two privacy officerswith close ties to
the university with which two of the researchers were affili
ated assisted in design of the research. Besides being reliable
information sources, their assistance proved invaluable,
particularly in developing and refining a questionnaire and in
obtaining contact information for potential interviewees.
A list of privacy officers in four U.S. states was compiled by
searching the websites of the state bar associations, the
HIPAA Collaborative (a joint effort of healthcare organizations
to build a platform for implementing HIPAA), and thewebsites
of leading healthcare organizations in the region. The two
experts who helped in the research design also provided
additional contact information and leads. In all, we sent out
solicitations to privacy officers in 35 large and medium sized
healthcare organizations. Only 21 privacy officers responded
to our request for an interview. Each of them was then con
tacted and briefed about the objectives of the study and its
broader impact. Unsurprisingly, they were reluctant to
participate because of the confidential nature of the subject.
Multiple follow up requests and signed confidentiality agree
ments were necessary to gain their participation. Ultimately,
only 15 privacy officers agreed to be interviewed.
3.2. The interview protocol
The interview method is one of the most important data
gathering instruments in qualitative research. Interviews
may be a highly structured and quantitative oral survey,
a semistructured guided conversation, or a free flowing
information exchange (Myers and Newman, 2007). Reason
(1990) ranked questionnaire studies as the second most
important research method in human error and safety
c om p u t e r s & s e c u r i t y 3 1 ( 2 0 1 2 ) 2 0 6 2 2 0210
studies. Leveson et al. (2005), while testing the hypothesis that
safety culture of National Aeronautics and Space Adminis
tration (NASA) can be modeled using systems dynamics,
collected most of their data by interviewing the employees of
the manned space program. Kramer and Carayon (2007)
explored the issue of human error and violations of informa
tion security through a series of 16 interviews with network
administrators and security specialists.
Based on a preliminary review of the literature (Bogner,
1994; McFadden et al., 2004; U.S. Department of Health &
Human Services, 2002, 2006; Vincent et al., 1998) and the
assistance of our two experts, we developed a semistructured
questionnaire. In constructing the questionnaire, we consid
ered the influence of both organizational factors and
employees’ knowledge and skill levels on the likely incidence
of human error. The organizational factors specifically
considered were: understaffing, high turnover, low morale,
heavy workload, and work environment.
The questionnaire had two parts. The first sought to
understand the background of the organization and gauge the
interviewee’s depth of experience in HIPAA administration,
particularly compliance with HIPAA Privacy Rule. The second
part, as described below and outlined in Appendix B, was
divided into three sections designed to understand the rela
tionship between human error and HIPAA privacy breaches
and to study the underlying causes, impact, andmanagement
of human error.
1. The first section sought to evaluate the extent of human
error as a cause of privacy breaches, categorize the causes,
and understand the impact of human error compared with
other forms of threats to privacy.
2. The second section aimed to determine the interviewee’s
assessment of the relationship between employees’ skill
levels and the frequency of errors. The questions were
designed to study the differences, in magnitude and
impact, among various types of human errors, i.e., slips and
mistakes, in a healthcare setting. Particular care was taken
in designing this section of the questionnaire to instruct the
interviewees not to emphasize human error as a direct
cause of privacy breaches, but to focus instead on the
human and environmental factors that cause the errors
leading to these breaches.
3. The third section examined what priority upper manage
ment gave to combating human error as a cause of privacy
breaches and the operational strategies required to handle
these incidents and manage human error. The interviewee
was also asked to recount specific privacy breaches that
occurred in his or her organization and how these incidents
were handled.
The interview protocol not only required privacy officers to
relate human error to HIPAA privacy breaches, and equally
important, it encouraged their creative and contextual
thought processes related to the avoidance, interception, and
mitigation of human error. The interview questions
purposefully avoided emphasis on terms such as mistake and
slip; instead, they used similar words or terms, such as inade
quate knowledge (mistake) and poor skills or lapse of concentration
(slip). The intention was to elicit early in the interview the
interviewee’s general perception of human error as a risk for
HIPAA privacy breaches. Open ended questions, with inter
viewees prompted at appropriate moments, were used to
elicit additional information. Three illustrative examples
corresponding to the skill rule knowledge taxonomy of
human error (Rasmussen, 1983; Reason 1990), created in
consultation with our experts, were included in Part I of the
questionnaire and distributed in advance to the interviewees.
The experts felt this was critical so that the interviewees could
gain a sufficient understanding of the term human error and
comprehend the likely causes of human error. To stimulate
contextual thinking, the research team asked the inter
viewees to relate their experiences in managing human error
related issues to their subsequent drafting of policies or action
plans. At the conclusion of each interview, the researchers’
notes were transcribed and organized question by question
into a text only electronic format.
Asmentioned earlier, only 15 of the 21 privacy officers who
responded to our request ultimately agreed to be interviewed.
Eleven interviews were face to face, each lasting about an
hour at the officers’ workplaces. Because of scheduling and
logistical problems, four other interviews were done by tele
phone. The first set of interviews was conducted in two states
in the Midwest over three months and the second set in two
states in the South over two months. Nine interviews were
conducted by two researchers and the rest by one researcher.
The privacy officers represented five medium sized hospitals
with 500 to 700 beds and multiple primary clinics, three large
academic health systems, and three large medical centers
comprising a hospital, pharmacy, and health center. Given its
qualitative nature and the confidential nature of the data, our
study involving two privacy officers in the design phase and 15
other privacy officers in the interview phase, may be compa
rable, in terms of design validity, to similar interview studies
in the information systems discipline (Myers and Newman,
2007), the applied ergonomics literature (Kraemer &
Carayon, 2007), and in the information security area
(Kraemer et al., 2009).
Approximately a week after each interview, a follow up
questionnaire was mailed to the interviewees to probe for
any additional thoughts they did not articulate during the
interview. The study team then combined and contrasted the
findings from the literature review and from the interviews to
identify areas of overlap, agreement, or disagreement. The
notes from the interviews were combined, and any discrep
ancies in these notes were resolved with the help of a third
researcher. To protect anonymity and provide confidentiality,
no interviewee names were recorded in any document
regardless of format or media.
3.3. Analyzing the causes of human error
A list of eight possible causes of human error that lead to
privacy breaches was compiled, as shown in Table 1. Our two
experts worked with us independently to create this consoli
dated list. During our interviews, we asked each privacy
officer to identify all possible causes of human error he or she
could think of that would lead to privacy breaches. Whenever
we sensed a lack of consensus or confusion of terminology, we
asked the interviewees for further clarification. Our post
c om p u t e r s & s e c u r i t y 3 1 ( 2 0 1 2 ) 2 0 6 2 2 0212
staff should, therefore, be a high priority in gaining
compliance with HIPAA.
In summary, the most significant finding was a consensus
that more than 90% of known HIPAA privacy breaches are
unintentional and nonmalicious, an indication that human
error, whether mistakes or slips, constitutes the most signif
icant threat to privacy. This number also tallies with the
preliminary evidence of the causes of publicly reported inci
dents of privacy breaches listed in Figure 1.
5. Applying action theory to analyze incidentreports
To better understand the nature of human error in organi
zations, we extended our analysis beyond the GEMs model
by applying the seven stage action theory of Norman (1988)
and the taxonomy of medical error of Zhang et al. (2004).
Norman (1988) represented human action as a sequence of
stages encompassing the formation of goals, their execution,
and their evaluation. The seven stages consist of: formu
lating a goal, transforming the goal into an intention, spec
ifying an action sequence, executing the action, perceiving
what has actually happened, interpreting what has
happened, and, finally, evaluating the outcome and
comparing it to the original goals and intentions. Investi
gating and analyzing these seven stages that human actors
go through constitute good ways to understand how errors
occur.
Zhang et al. (2004) developed a cognitive taxonomy of
human errors based on Reason’s GEMS error typology and
Norman’s action theory. Human error, both slips and
mistakes, may occur at any of the seven stages. Such errors
may further be categorized into either execution errors or
evaluation errors. Besides goal errors, execution errors can
occur at the stages of intention, action specification, and
action execution. Evaluation errors can occur at the percep
tion, interpretation, or action evaluation stages. This cognitive
taxonomy offers a systematic and theory based approach to
the categorization of errors at an individual’s cognitive level
and also in relation to the use of technology. Further, the
taxonomy can be used for the development of cognitive
interventions and corrective actions.
An important question in the unstructured part of the
interview required privacy officers to recall actual privacy
breaches in their organizations that were caused by human
error. At the end of each interview, we also requested access
to documented privacy breaches from the respective orga
nization. These requests were accompanied by guarantees
of strict privacy. We repeated this request in a follow up e
mail. In all, we compiled 38 incidents from these three
sources, i.e., interviews, de identified organizational inci
dent reports, and the publicly available incident reports
discussed in Section 2. Two researchers independently
analyzed the compiled information and categorized the
incidents based on the error taxonomy. A third researcher
helped reconcile several initial discrepancies in coding. The
inter rater agreement was 0.814 (kappa 0.65; 2 tailed
p < 0.0001). This value is acceptable, according to Landis and
Koch (1977). The study based on the three reported sources
of breaches generated vignettes corresponding to only 12 of
the 14 items in Zhang et al. (2004)’s taxonomy. The two
missing cases were constructed through later discussions
among the researchers and with the two experts. Tables 2
and 3 contain the resulting vignettes for each of the 14
categories.
The first category of incidents comprises errors related to
the formation of goals. As Norman (1988) states, “To get
something done, you have to start with some notion of what is
wanted, i.e., the goal that is to be achieved.” Goal slips arise
from forgetting a goal or its distortion. Goal mistakes, in
contrast, arise most often from faulty knowledge. The two
goal examples in Table 2, respectively, apply to goals forgotten
because of interruptions and goal mistakes attributable to
incorrect or incomplete knowledge.
An intention is the decision to act to achieve a goal.
Intentional slips arise from forgetting an intention or because
of altered intent. Intentional mistakes arise from incorrect or
incomplete intentions, such as deciding to act upon a correct
goal of providing useful care related information, but select
ing faulty heuristics. The action specification stage involves
specifying the sequence of actions required to achieve the goal
and the intention. Table 2 shows an example of an action
specification slip that can arise from activation of a similar but
different sequence. Action specification mistakes can arise
from specifying an incorrect set of rules that create procedural
errors.
The next stage in the action cycle is the physical act of
executing a specified action sequence. Slips can arise from
automatic activation of a well learned routine or percep
tual confusion, as in the case illustrated in Table 2. Simi
larly, execution mistakes arise from the misapplication of
good rules (i.e., ones that “work” or are adequate if
followed).
Evaluation starts with an actor’s perception of the state of
the system. Table 3 presents the various causes of errors in
evaluation and gives examples of violations. Perception slips
may occur because of a lack of perception or an incorrect
perception. The example in Table 3 is a case of incorrect
perception.
Mistakes in perception, on the other hand, can stem from
an expectation driven processing of the perception of the
state of the system. The next stage is the interpretation of the
results of perceptual processing. Confirmation bias can give
rise to interpretation slips. Mistakes in interpretation may
arise from incorrect or incomplete knowledge. The final stage
in an action is the comparison of the system state with the
original goal and intention. Evaluation slips may arise from
forgetting the original goal, and evaluationmistakesmay arise
from incorrect knowledge, as the two examples in Table 3
illustrate.
6. Managing human error for HIPAAcompliance
The next discussion first presents the prioritized causes of
human error as identified by the privacy officers. Then, using
the management strategies they suggested for each of these
c om p u t e r s & s e c u r i t y 3 1 ( 2 0 1 2 ) 2 0 6 2 2 0216
to constrain user behavior. In 10 of the 14 vignettes described
in Appendix C, the root cause can be addressed using such
technology based solutions. For example, when a sensitive
document is printed, a sensor on the printer may be acti
vated to ensure timely removal of the document and if
necessary, trigger an audible alert. In Table 5, we list the
relevant strategies under two categories e providing better
decision aids and using behavior shaping constraints. Using
memory aids, such as daily reminders that pop up on the
welcome screen or a checklist of important HIPAA policy
guidelines, falls under the former category. Also, the use of
RFID technology facilitates the tracking of sensitive paper
documents and ensures their safe disposal. Categorized
under behavior shaping constraints are built in compliance
checks in application software and network appliances.
Examples include the automatic identification and inter
ception of outbound e mail containing sensitive information
and delayed sending of e mail messages to allow for recall. It
is also pertinent to emphasize that although technology can
help implement a defense in depth strategy founded on
error avoidance, error interception, and error correction
(Liginlal et al., 2009), policies and processes play an equally
important role.
7. Conclusions, limitations, and futureresearch
In this paper, we used Reason’s GEMS typology and Zhang
et al.’s (2004) taxonomy of human error, which extends
Norman’s seven stage action theory, to categorize human
error underlying privacy violations. Studying publicly avail
able datasets of incidents of privacy breaches helped show
that human error causes a majority of reported violations of
HIPAA Privacy Rule. Our study of the underlying causes of
these errors adopted an interpretive research methodology
based on an analysis of semistructured interviews with 15
privacy officers of leading U.S. healthcare organizations. The
results revealed that these organizations have difficulty
preventing and coping with human error when these errors
(1) are systemic, (2) belong to the knowledge based mistake
category, and (3) are committed by the clinical staff.
Understandably, privacy officers noted the need for more
practical and efficient privacy policies that give clearer
guidelines to clinical staffs on how to avoid violating HIPAA
Privacy Rule. Norman’s seven stage action theory allows us
not only to study the underlying causes of human error but
also to propose strategies to prevent or mitigate their effects.
We also compiled and then mapped privacy breach vignettes
to the action based taxonomy to study the association
between each type of error and the underlying cognitive
mechanism. Our results led us to devise a framework and
operational strategies for healthcare organizations to use to
combat human errors that lead to noncompliance with
HIPAA Privacy Rule.
To summarize, this paper’s major contribution is its
consideration of human error as the origin of most viola
tions of HIPAA Privacy Rule. This study reinforces an earlier
general study of privacy breaches by Liginlal et al. (2009).
The other significant contributions include the application
of Zhang et al., (2002)’s taxonomy of human error to
a privacy context and development of a practical frame
work to address human error as a major cause of privacy
breaches and a key factor in compliance with HIPAA
Privacy Rule.
The study has several limitations. First, the adverse impact
of human error may not always appear immediately, making
it even harder to detect and remedy. Ill defined processesmay
have a damaging effect that is not easily observable. For
instance, if two employees must talk by telephone to enter
clinical data about a patient, others are likely to overhear the
phone conversation. Second, the notion of what constitutes
human error is often ambiguous because it is based on the
result of human activities, not on the activities themselves.
From this perspective, only activities with negative outcomes
are regarded as human error. Often the blame for human error
goes directly to the individual who committed the error
despite the possibility that systemic problemsmay be at fault.
When the problems are systemic, replacing or training indi
viduals brings little improvement, and process level or
organization level changes are recommended. This is why the
blame game should be replaced by amore proactive incentive
based program to deal with human error (ISMP, 1999). The
different causes of human error according to action theory
show many scenarios in which human error can be
a byproduct of environmental or organizational limitations.
Our study, however, does not clearly address these differences
between the cognitive deficiencies of individuals and the
systemic causes of error.
Another shortcoming of this study relates to the limited
number of judges that we had access to; this could hinder the
generalizability, and as a result, the external validity of our
findings. Given the sensitivity of the subject of HIPAA privacy,
the limited number of sources is a difficult issue to deal with,
because few privacy officers are willing to discuss their
experiences for fear of divulging more than they should. We
argue, however, that the Raschmethod addresses some of the
concerns surrounding the use of small sample sizes. In fact,
the Rash method has been shown to be a “somewhat restric
tive form of validity and reliability assessment” (Nam et al.
2011; p. 150). Further, the fact that privacy officers are
subject matter experts on HIPAA privacy also strengthens the
external validity of our results.
Threats to construct validity result from possible subjec
tivity in data collection and could bias the results. In our study,
the construct “human error” is an often broadly used term
that each interviewee may interpret differently. Some may
regard the noncompliance itself as an error and others
consider the error as a cause of the noncompliance. We
attempted to mitigate any construct validity by following
a carefully designed interview questionnaire. Given that the
interviewees are privacy officers with expertise in HIPAA
privacy matters and quite aware of HIPAA terminology, the
misinterpretation of the human error construct is less
pronounced, as demonstrated by the results of the Rash
analysis.
Finally, there could be issues with the internal validity of
our results regarding the causal effects on human error of the
various identified items. The general nature of the items
(organizational limitations, technology limitations, etc.) that
c om p u t e r s & s e c u r i t y 3 1 ( 2 0 1 2 ) 2 0 6 2 2 0 219
Bogner MS. Human error in medicine. Hillsdale, New Jersey:Lawrence Erlbaum; 1994.
Campbell K, Gordon LA, Loeb MP, Zhou L. The economic cost ofpublicly announced information security breaches: empiricalevidence from the stock market. Journal of Computer Security2003;11:431 48.
Cavusoglu H, Mishra B, Raghunathan S. The effect of Internetsecuritybreachannouncementsonmarketvalue: capitalmarketreactions for breached firms and Internet security developers.International Journal of Electronic Commerce 2004;9:69 104.
Cranor L. A framework for reasoning about the human in theloop. Proceedings of the 1st Conference on Usability.Psychology and Security. San Francisco, CA [cited 2010October 3]. Available from, <http://www.usenix.org/event/upsec08/tech/full papers/ cranor/cranor.pdf>; 2008.
Erickson K, Howard PN. A case of mistaken identity? Newsaccounts of hacker, consumer, and organizationalresponsibility for compromised digital records. Journal ofComputer Mediated Communication 2007;12:1229 47.
Gladwell M. Blink: the power of thinking without thinking.New York: Little Brown and Company; 2005.
ISMP. Medication error prevention “Toolbox.” ISMP MedicationSafety Alert 1999 June 2 [cited 2010 May 28]. Available from,<http://www.ismp.org/MSAarticles/Toolbox.html>.
ISMP. Organizations release new tools for reducing medicationerrors. ISMP News Release 2002 Dec 10 [cited 2010 May 28].Available from: <http://www.ismp.org/pressroom/PR20021210.pdf>.
Institute of Medicine. To err is human: building a safer healthsystem. Washington, DC: National Academy Press; 2000.
Institute of Medicine. Crossing the quality chasm: a new healthsystem for the 21st century. Washington, DC: NationalAcademy Press; 2001.
Jiang X, Landay JA. Modeling privacy control in context awaresystems. IEEE Pervasive Computing 2002;1:59 63.
Kjaerland M. A taxonomy and comparison of computer securityincidents from the commercial and government sectors.Computers & Security 2006;25:522 38.
Kolter J, Kernchen T, Pernul G. Collaborative privacymanagement. Computers & Security 2010;29(5):580 91.
KraemerS,CarayonP.Humanerrorsandviolations incomputerandinformation security: the viewpoint of network administratorsand security specialists. Applied Ergonomics 2007;38:143 54.
Kraemer S, Carayon P, Clem J. Human and organizational factorsin computer and information security: pathways tovulnerabilities. Computers & Security 2009;28(7):509 20.
Kulynych J, Korn D. The effect of the new federal medical PrivacyRule on research. New England Journal of Medicine 2002;346:201 4.
Landis JR, Koch GG. Measurement of observer agreement forcategorical data. Biometrics 1977;33:159 74.
Leape LL, Lawthers AG, Brennan TA, Johnson WG. Preventingmedical injury. Quality Review Bulletin 1993;19(5):144 9.
Lenert LA, Bakken S. Enabling patient safety through informatics:works from the 2001 AMIA annual symposium andeducational curricula for enhancing safety awarenessEditorial introduction. Journal of the American MedicalInformatics Association 2002;9(6):S1 132.
Leveson NG. Technical and managerial factors in the NASAchallenger and Columbia losses. In: Kleinman DL, CloudHansen KA, Matta C, Handelsman J, editors. Looking forwardto the future controversies in science & technology Volume2: from climate to chromosomes. Mary Ann Liebert, Inc; 2008.
Leveson NG, Cutcher Gershenfeld J, Carroll JS, Barrett B, Dulac N,Marais K. Systems approaches to safety: NASA and the SpaceShuttle disasters. In: Starbuck WH, Farjoun M, editors.Organization at the limit: lessons from the Columbia disaster.Malden, MA: Blackwell Publishing; 2005. p. 269 88.
Liginlal D, Sim I, Khansa L. How significant is human error asa cause of privacy breaches? An empirical study anda framework for error management. Computers & Security2009;28:215 28.
McFadden KL, Towell ER, Stock GN. Critical success factors forcontrolling and managing hospital errors. QualityManagement Journal 2004;11(1):61 4.
Mohaghegh Z, Mosleh A. Measurement techniques fororganizational safety causal models: characterization andsuggestions for enhancements. Safety Science 2009;47:1398 409.
Myers MD, Newman M. The qualitative interview in IS research:examining the craft. Information & Organization 2007;17(1):2 26.
Nam SK, Yang E, Lee SM, Lee SH, Seol H. A psychometricevaluation of the career decision self efficacy scale withKorean students: a Rasch model approach. Journal of CareerDevelopment 2011;38:147 66.
Norman DA. The psychology of everyday things. New York: BasicBooks; 1988.
Patel VL, Bates DW. Cognition and measurement in patient safetyresearch guest editorial. Journal of Biomedical Informatics2003;36(1 2):1 3.
Portland Business Journal. Providence to pay $100K for HIPAAviolations, [cited 2010 Sep 9]. Available from, <http://www.bizjournals.com/portland/stories/2008/07/21/daily9.html>.
Privacy Rights Clearinghouse. A chronology of data breaches[cited 2010 October 1]. Available from, <http://www.privacyrights.org/ar/ChronDataBreaches.htm>; 2010 Oct.
Rasch G. Probabilistic models for some intelligence andattainment tests. Chicago: Mesa Press; 1960.
Rasmussen J. Skills, rules, and knowledge signals, signs, andsymbols, and other distinctions in human performancemodels. IEEE Transaction on Systems Man and Cybernetics1983;13:257 66.
Reason J. Human error. Cambridge, UK: Cambridge UniversityPress; 1990.
Schonbeck M, Rausand M, Rouvroye J. Human and organizationalfactors in the operational phase of safety instrumentedsystems: A new approach. Safety Science 2010;48:310 8.
Schultz E. The human factor in security. Computers & Security2005;24:425 6.
Senders J, Moray N. Human error: cause, prediction, andreduction. Hillsdale, New Jersey: Lawrence Erlbaum; 1991.
Shappell S, Detwiler C, Holcomb K, Hackworth C, Boquet A,Wiegmann DA. Human error and commercial aviationaccidents: an analysis using the human factors analysis andclassification system. Human Factors: The Journal of theHuman Factors and Ergonomics Society 2007;49:227 42.
Sim, I. Online Information Privacy and Privacy ProtectiveBehavior: How Does Situation Awareness Matter? Ph.D.Dissertation, The University of Wisconsin Madison; 2010.
Stanton JM, Stam KR, Mastrangelo P, Jolton J. Analysis of end usersecurity behaviors. Computers & Security 2005;24:124 33.
Sullivan B. “La Difference” is stark in EU, U.S. privacy laws.MSNBC [Internet] [cited 2010 May 28]. Available from, <http://www.msnbc.msn.com/id/15221111/>; 2006 Oct.
Targoutzidis A. Incorporating human factors into a simplified“bow tie” approach for workplace risk assessment. SafetyScience 2010;48:145 56.
US Department of Health & Human Services. Standards forprivacy of individually identifiable health information. FederalRegister 2002;67(157):53181 273.
US Department of Health & Human Services. HIPAA securityguidance [cited 2010 May 28]. Available from, <http://www.compliancehome.com/resources/HIPAA/Regulations/abstract10416.html>; 2006 Dec.
c om p u t e r s & s e c u r i t y 3 1 ( 2 0 1 2 ) 2 0 6 2 2 0220
Zogby International. Most Americans worry about identity theft[cited 2010 October 1]. Available from, <http://www.zogby.com/NEWS/readnews.cfm>; 2007 April.
Vincent C, Taylor Adams S, Stanhope N. Framework foranalyzing risk and safety in clinical medicine. British MedicalJournal 1998;316:1154 7.
Walker JM, Carayon P, Leveson N, Paulus RA, Tooker J, Chin H,Bothe A, Stewart WF. EHR Safety: the way forward to safe andeffective systems. Journal of the American MedicalInformatics Association 2008;15(3):272 7.
Weinstein A. The bandwagon is outside waiting. HealthManagement Technology 2001;22(5):50 2.
Westin A. Privacy and freedom. New York: Athenaeum; 1967.Winsteps. [Computer software]. Rasch Measurement Software
and Publications [cited 2010 May 28]. Available from, <http://www.winsteps.com>; 2010 September.
Wood CC, Banks Jr WW. Human error: an overlooked butsignificant information security problem. Computers &Security 1993;12:51 60.
Wright BD, Masters GN. Rating scale analysis. Chicago: MESAPress; 1982.
Zhang J, Patel VL, Johnson TR, Shortliffe EH. Toward an actionbased taxonomy of human error in medicine. Proceedings ofthe Twenty Fourth Annual Conference of the CognitiveScience Society; 2002:970 5.
Zhang J, Patel VL, Johnson TR, Shortliffe EH. A cognitivetaxonomy of medical errors. Journal of Biomedical Informatics2004;37:193 204.
Divakaran Liginlal (Lal) is an Associate Teaching Professor ofInformation Systems at Carnegie Mellon University. Lal holdsa B.S. in Telecommunication Engineering from CET, a M.S. inComputer Science from the Indian Institute of Science, and a Ph.D.in Management Information Systems from the University of Arizona. Before joining CMU, he taught at three U.S. universities,including nine years at the University ofWisconsin Madison. Lal’sresearch in information security and decision support systemshas been published in such journals as CACM, IEEE TKDE, IEEESMC, European Journal of Operational Research, Computers &Security, Decision Support Systems, and Fuzzy Sets & Systems.Lal’s teaching and research have been supported by organizationssuch as Microsoft Corporation, Hewlett Packard, CISCO, and theICAIR at the University of Florida.
Inkook Sim holds a Ph.D. in information systems from theDepartment of Operations and Information Management at theUniversity ofWisconsin Madison School of Business. His researchinterests are in information privacy, social networking, contextaware system design, and IT productivity and evaluation. Dr.Sim has published his research in the Computers and SecurityJournal and peer reviewed international conferences. He isa member of the Association for Information Systems andINFORMS. Contact him at [email protected].
Lara Khansa is an Assistant Professor in the Department ofBusiness Information Technology at Virginia Tech. She receivedher Ph.D. in Information Systems, M.S in Computer Engineering,and MBA in Finance and Investment Banking from the Universityof Wisconsin, Madison. Her primary research interests includesocio economic aspects of information security and privacy,convergence and restructuring of the IT industry, and informationtechnology innovations. Dr. Khansa has published in leadingjournals including Decision Support Systems, European Journal ofOperational Research, Communications of the ACM, Computersand Security, IEEE Technology and Society, among others. She isa member of the Association for Information Systems (AIS), theInstitute of Electrical and Electronics Engineers (IEEE), and theBeta Gamma Sigma National Honor Society.
Paul Fearn is a National Library of Medicine Informatics ResearchFellow and PhD student atUniversity ofWashingtonDepartment ofMedicalEducationandBiomedical Informatics.His current researchis in the area of formal models for biorepository processes andsystems, andhe isworkingwith theClinical ResearchData Systemsgroup at Fred Hutchinson Cancer Research Center and SeattleCancer CareAlliance. Previously, Paulwas the InformaticsManagerfor the Department of Surgery and the Office of Strategic Planningand Innovation at Memorial Sloan Kettering Cancer Center(MSKCC), and he represented MSKCC in the Inter SPORE ProstateBiomarker Study (IPBS) Informatics effort. He initiated and led theCaisis project, creating an open source system to manage patientcare and research information that is currently used at over 25centers. Paul has a B.A. in Spanish from the University of Houston,graduate work in biometry from the University of Texas School ofPublic Health in Houston, and an M.B.A. from the New YorkUniversity Stern School of Business. He has over 12 years of experience in cancer research informatics with MSKCC and BaylorCollege ofMedicine; and hehas recently visited 60 cancer centers todiscuss database and informatics efforts and issues.