Advanced search
Publication Cover
European Journal of Information Systems Volume 32, 2023 - Issue 6
Submit an article Journal homepage
1,020
Views
1
CrossRef citations to date
0
Altmetric
Research Article

Balancing information privacy and operational utility in healthcare: proposing a privacy impact assessment (PIA) framework

Rachida F Parksa Computer Information Systems, Quinnipiac University, Hamden, Quinnipiac, USACorrespondence[email protected]
,
Rolf T Wigandb Emeritus College at Arizona State University, Scottsdale, Arizona, USA
&
Paul Benjamin Lowryc Pamplin College of Business Department of Business Information Technology, Virginia Polytechnic Institute and State University, Blacksburg, Virginia, USAORCID Iconhttps://orcid.org/0000-0002-0187-5808
ORCID Icon
Pages 1052-1069 | Received 31 May 2019, Accepted 05 Jul 2022, Published online: 02 Aug 2022

References

  • Abouelmehdi, K., Beni-Hessane, A., & Khaloufi, H. (2018). Big healthcare data: Preserving security and privacy. Journal of Big Data, 5(1), 1–18. https://doi.org/10.1186/s40537-017-0110-7
  • Ahmadian, A. S., Strüber, D., Riediger, V., & Jürjens, J. (2018). Supporting privacy impact assessment by model-based privacy analysis. Paper presented at the Proceedings of the 33rd Annual ACM Symposium on Applied Computing, pp. 1467–1474.
  • Al-Muhtadi, J., Shahzad, B., Saleem, K., Jameel, W., & Orgun, M. A. (2019). Cybersecurity and privacy issues for socially integrated mobile healthcare applications operating in a multi-cloud environment. Health Informatics Journal, 25(2), 315–329. https://doi.org/10.1177/1460458217706184
  • Alencar, M. H., Priori L., Jr, & Alencar, L. H. (2017). Structuring objectives based on value-focused thinking methodology: Creating alternatives for sustainability in the built environment. Journal of Cleaner Production, 156(July), 62–73. https://doi.org/10.1016/j.jclepro.2017.03.221
  • Alshammari, M., & Simpson, A. (2018). Towards an effective privacy impact and risk assessment methodology: Risk assessment. Paper presented at the International Conference on Trust and Privacy in Digital Business. Springer, Cham, pp. 85–99.
  • Anderson, C., Baskerville, R. L., & Kaul, M. (2017). Information security control theory: Achieving a sustainable reconciliation between sharing and protecting the privacy of information. Journal of Management Information Systems, 34(4), 1082–1112. https://doi.org/10.1080/07421222.2017.1394063
  • Angst, C. M., Block, E. S., D’arcy, J., & Kelley, K. (2017). When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly, 41(3), 893–916. https://doi.org/10.25300/MISQ/2017/41.3.10
  • Barrett-Maitland, N., Barclay, C., & Osei-Bryson, K.-M. (2016). Security in social networking services: A value-focused thinking exploration in understanding users’ privacy and security concerns. Information Technology for Development, 22(3), 464–486. https://doi.org/10.1080/02681102.2016.1173002
  • Belanger, F., & Crossler, R. E. (2011). Privacy in the digital age: A review of information privacy research in information systems. MIS Quarterly, 35(4), 1017–1041. https://doi.org/10.2307/41409971
  • Benkert, J. (2019). Reconciling analytics with holistic thinking in business sustainability decision-making. Paper presented at the Academy of Management Proceedings, Boston, MA. Briarcliff Manor, NY. pp. 17339.
  • Blijleven, V., Koelemeijer, K., & Jaspers, M. (2019). SEWA: A framework for sociotechnical analysis of electronic health record system workarounds. International Journal of Medical Informatics, 125, 71–78. doi:10.1145/1401890.1401904.
  • Blijleven, V., Koelemeijer, K., & Jaspers, M. (2019a). SEWA: A framework for sociotechnical analysis of electronic health record system workarounds. International Journal of Medical Informatics, 125(May), 71–78. https://doi.org/10.1016/j.ijmedinf.2019.02.012
  • Bond, S. D., Carlson, K. A., & Keeney, R. L. (2008). Generating objectives: Can decision makers articulate what they want? Management Science, 54(1), 56–70. https://doi.org/10.1287/mnsc.1070.0754
  • Brickell, J., & Shmatikov, V. (2008, August 24-27). The cost of privacy: Destruction of data-mining utility in anonymized data publishing. Paper presented at the 14th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Las Vegas, NV. ACM, pp. 70–78.
  • Clayton, K., Beekhuyzen, J., & Nielsen, S. (2012). Now I know what ICT can do for me! Information Systems Journal, 22(5), 375–390. https://doi.org/10.1111/j.1365-2575.2012.00414.x
  • Corbin, J., & Strauss, A. (2008). Basics of qualitative research: Techniques and procedures for developing grounded theory. Sage.
  • Culnan, M., & Williams, C. (2009). How ethics can enhance organizational privacy: Lessons from the choicepoint and TJX data breaches. MIS Quarterly, 33(4), 673–687. https://doi.org/10.2307/20650322
  • De Aguiar, E. J., Faiçal, B. S., Krishnamachari, B., Ueyama, J., Dadakova, T., Swisher, C. L., Cui, Z., & Zhao, P. (2020). A survey of blockchain-based strategies for healthcare. ACM Computing Surveys, 53(2), 27. https://doi.org/10.1145/3379504
  • Dhillon, G., & Torkzadeh, G. (2006). Value-focused assessment of information system security in organizations. Information Systems Journal, 16(3), 293–314. https://doi.org/10.1111/j.1365-2575.2006.00219.x
  • Dhillon, G., Oliveira, T., Susarapu, S., & Caldeira, M. (2016a). Deciding between information security and usability: Developing value based objectives. Computers in Human Behavior, 61(August), 656–666. https://doi.org/10.1016/j.chb.2016.03.068
  • Dhillon, G., Oliveira, T., Susarapu, S., & Caldeira, M. (2016b). Deciding between information security and usability: Developing value based objectives. Computers in Human Behavior, 61(August), 656–666. doi:10.1016/j.chb.2016.03.068.
  • Dhillon, G., Oliveira, T., & Syed, R. (2018). Value-based information privacy objectives for internet commerce. Computers in Human Behavior, 87(October), 292–307. https://doi.org/10.1016/j.chb.2018.05.043
  • DHS. (2010). Privacy office- privacy impact assessments. Retrieved May 28, 2019, from http://www.dhs.gov/sites/default/files/publications/privacy_pia_guidance_june2010_0.pdf
  • Dooley, P. P., Levy, Y., Hackney, R. A., & Parrish, J. L. (2018). Critical value factors in business intelligence systems implementations analytics and data science (pp. 55–78). Springer.
  • Eisenhardt, K. M. (1989). Building theories from case study research. Academy of Management Review, 14(4), 532–550. https://doi.org/10.2307/258557
  • El Emam, K., Mosquera, L., & Hoptroff, R. (2020). Practical synthetic data generation: balancing privacy and the broad availability of data. O’Reilly Media.
  • Entzeridou, E., Markopoulou, E., & Mollaki, V. (2018). Public and physician’s expectations and ethical concerns about electronic health record: Benefits outweigh risks except for information security. International Journal of Medical Informatics, 110(February), 98–107. https://doi.org/10.1016/j.ijmedinf.2017.12.004
  • Flores Zuniga, A. E., Win, K. T., & Susilo, W. (2010). Biometrics for electronic health records. Journal of Medical Systems, 34(5), 975–983. https://doi.org/10.1007/s10916-009-9313-6
  • Gabriel, M. H., Noblin, A., Rutherford, A., Walden, A., & Cortelyou-Ward, K. (2018). Data breach locations, types, and associated characteristics among US hospitals. American Journal of Managed Care, 24(2), 78–84. http://ajmc.s3.amazonaws.com/_media/_pdf/AJMC_02_2018_Gabriel%20final.pdf
  • Gao, S., Li, Y., & Guo, H. (2018). Understanding the value of MOOCs from the perspectives of students: A value-focused thinking approach. In A.-S. S (Ed.), Challenges and opportunities in the digital era, lecture notes in computer science (pp. 129–140). Springer.
  • Gerlach, J. P., Eling, N., Wessels, N., & Buxmann, P. (2019). Flamingos on a slackline: Companies’ challenges of balancing the competing demands of handling customer information and privacy. Information Systems Journal, 29(2), 548–575. https://doi.org/10.1111/isj.12222
  • Glaser, B. S., & Strauss, A. (1967). The discovery of grounded theory. Aldine.
  • Golden-Biddle, K., & Locke, K. (2007). Composing qualitative research. Sage.
  • Gutman, J. (1982). A means-end chain model based on consumer categorization processes. Journal of Marketing, 46(2), 60–72. https://doi.org/10.1177/002224298204600207
  • Harjala, B. (2019). Target faces potential $3.6 billion liability over credit card breach. Retrieved May 30, 2019, from https://www.supermoney.com/2013/12/target-faces-potential-3-6-billion-liability-credit-card-breach/#.UrjIfLR7LRt
  • Heath, H., & Cowley, S. (2004). Developing a grounded theory approach: A comparison of Glaser and Strauss. International Journal of Nursing Studies, 41(2), 141–150. https://doi.org/10.1016/S0020-7489(03)00113-5
  • HHS. (2015). Privacy impact assessments by the U.S. Department of Health & Human Services. Retrieved: May 30, 2019, from http://www.hhs.gov/pia/#System
  • HHS. (2019). Policy for privacy impact assessments (PIA). Document Number: HHS-OCIO-PIM-2019-05-003, 2019. Retrieved December 20, 2019, from https://www.hhs.gov/web/governance/digital-strategy/it-policy-archive/policy-for-privacy-impact-assessments.html#6.1
  • HIPAA Journal. (2021). Healthcare Data Breach Statistics. https://www.hipaajournal.com/healthcare-data-breach-statistics/
  • Ibrahim, M., Ribbers, P. M., & Bettonvil, B. (2012). Human-knowledge resources and interorganisational systems. Information Systems Journal, 22(2), 129–149. https://doi.org/10.1111/j.1365-2575.2011.00377.x
  • ISO. (2018). Ergonomics of human-system interaction — Part 11: usability: Definitions and concepts. Retrieved: December 19, 2019, from https://www.iso.org/obp/ui/#iso:std:iso:9241:-11:ed-1:v1:en
  • Keeney, R. L. (1992). Value-focused thinking. Harvard University Press.
  • Klein, H. K., & Myers, M. D. (1999). A set of principles for conducting and evaluating interpretive field studies in information systems. MIS Quarterly, 23(1), 67–93. https://doi.org/10.2307/249410
  • Koch, H., Leidner, D. E., & Gonzalez, E. S. (2013). Digitally enabling social networks: Resolving IT-culture conflict. Information Systems Journal, 23(6), 501–523. https://doi.org/10.1111/isj.12020
  • Kohli, R., & Tan, S. S.-L. (2016). Electronic health records: How can IS researchers contribute to transforming healthcare? MIS Quarterly, 40(3), 553–573. https://doi.org/10.25300/MISQ/2016/40.3.02
  • Koppel, R., Smith, S. W., Blythe, J., & Kothari, V. H. (2015). Workarounds to computer access in healthcare organizations: You want my password or a dead patient? (Vol. 208). IOS Press.
  • Kotulic, A. G., & Clark, J. G. (2004). Why there aren’t more information security research studies? Information & Management, 41(5), 597–607. https://doi.org/10.1016/j.im.2003.08.001
  • Kruse, C. S., Stein, A., Thomas, H., & Kaur, H. (2018). The use of Electronic Health Records to Support Population Health: A Systematic Review of the Literature. Journal of Medical Systems, 42(11), 214. https://doi.org/10.1007/s10916-018-1075-6
  • Lacroix, P., & Hamilton, S.-L. (2017). Chapter 5 - Privacy and the hi-tech healthcare professional. In A. Shachak, E. M. Borycki, & S. P. Reis (Eds.), Health professionals’ education in the age of clinical information systems, mobile computing and social networks (pp. 91–110). Academic Press.
  • Li, T., & Li, N. (2009, June 28-July 1). On the tradeoff between privacy and utility in data publishing. Paper presented at the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Paris, France, pp. 517–526. doi:10.1145/1557019.1557079.
  • Lincoln, Y. S., & Guba, E. G. (1985). Naturalistic inquiry. Sage.
  • Lipson-Smith, R., Churilov, L., Newton, C., Zeeman, H., & Bernhardt, J. (2019). A framework for designing inpatient stroke rehabilitation facilities: A new approach using interdisciplinary value-focused thinking. HERD: Health Environments Research & Design Journal, 12(4), 142–158. https://doi.org/10.1177/1937586719831450
  • Lowry, P. B., Dinev, T., & Willison, R. (2017). Why security and privacy research lies at the centre of the information systems (IS) artefact: Proposing a bold research agenda. European Journal of Information Systems, 26(6), 546–563. https://doi.org/10.1057/s41303-017-0066-x
  • Makri, E.-L., Georgiopoulou, Z., & Lambrinoudakis, C. (2020). A proposed privacy impact assessment method using metrics based on organizational characteristics (pp. 122–139). Springer
  • Martin, N., Matt, C., Niebel, C., & Blind, K. (2019a). How data protection regulation affects startup innovation. Information Systems Frontiers, 21(September), 1–18. doi:10.1007/s10796-019-09974-2.
  • Martin, N., Matt, C., Niebel, C., & Blind, K. (2019b). How data protection regulation affects startup innovation. Information Systems Frontiers, 21(November), 1307–1324. https://doi.org/10.1007/s10796-019-09974-2
  • Miles, M. B., & Huberman, A. M. (1994). Qualitative data analysis (An expanded sourcebook ed.). sage.
  • Mohammady, M., Wang, L., Hong, Y., Louafi, H., Pourzandi, M., & Debbabi, M. (2018). Preserving both privacy and utility in network trace anonymization. Paper presented at the Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, pp. 459–474. doi:10.1145/3243734.3243809.
  • O’ Connor, Y., & O’ Reilly, P. (2018). Examining the infusion of mobile technology by healthcare practitioners in a hospital setting. Information Systems Frontiers, 20(6), 1297–1317. https://doi.org/10.1007/s10796-016-9728-9
  • Orlikowski, W. J., & Baroudi, J. J. (1991). Studying information technology in organizations: Research approaches and assumptions. Information Systems Research, 2(1), 1–28. https://doi.org/10.1287/isre.2.1.1
  • Pandey, P., & Litoriya, R. (2020). Implementing healthcare services on a large scale: Challenges and remedies based on blockchain technology. Health Policy and Technology, 9(1), 69–78. https://doi.org/10.1016/j.hlpt.2020.01.004
  • Parks, R. F., Chu, C., Xu, H., & Adams, L. (2011). Understanding the drivers and outcomes of healthcare organizational privacy responses. Paper presented at the 32nd Annual International Conference on Information Systems (ICIS 2011), Shanghai, China. Association for Information Systems.
  • Parks, R., Xu, H., Chu, C.-H., & Lowry, P. B. (2017). Examining the intended and unintended consequences of organisational privacy safeguards. European Journal of Information Systems, 26(1), 37–65. https://doi.org/10.1057/s41303-016-0001-6
  • Ponemon Institute. (2018) 2018 cost of a data breach study by ponemon. Retrieved May 13, 2019, form https://www.ibm.com/security/data-breach
  • Powers, E. M., Shiffman, R. N., Melnick, E. R., Hickner, A., & Sharifi, M. (2018). Efficacy and unintended consequences of hard-stop alerts in electronic health record systems: A systematic review. Journal of the American Medical Informatics Association, 25(11), 1556–1566. https://doi.org/10.1093/jamia/ocy112
  • PRC. (2021). Data breaches. Retrieved: May 11, 2019, from https://www.privacyrights.org/data-breaches
  • Reynolds, T. J., & Gutman, J. (1988). Laddering theory, method, analysis, and interpretation. Journal of Advertising Research, 28(1), 11–31.
  • Riaz, Z., Dürr, F., & Rothermel, K. (2018). Location privacy and utility in geo-social networks: survey and research challenges. Paper presented at the 2018 16th Annual Conference on Privacy, Security and Trust (PST). IEEE, pp. 1–10. doi:10.1109/PST.2018.8514193.
  • Rugg, G., Eva, M., Mahmood, A., Rehman, N., Andrews, S., & Davies, S. (2002). Eliciting information about organizational culture via laddering. Information Systems Journal, 12(3), 215–229. https://doi.org/10.1046/j.1365-2575.2002.00124.x
  • Sankar, L., Rajagopalan, S. R., & Poor, H. V. (2010, January 31-Feburary 5). Utility and privacy of data sources: Can Shannon help conceal and reveal information? Paper presented at the 2010 Information Theory and Applications Workshop (ITA), San Diego, CA. IEEE. pp. 1–7. doi:10.1109/ITA.2010.5454092.
  • Schultze, U., & Avital, M. (2010). Designing interviews to generate rich data for information systems research. Information and Organization, 21(1), 1–16. https://doi.org/10.1016/j.infoandorg.2010.11.001
  • Shen, N., Bernier, T., Sequeira, L., Strauss, J., Silver, M., Carter-Langford, A., et al. (2019). Understanding patient privacy perspective on health information exchange: A systematic review. International Journal of Medical Informatics, 125(May), 1–12. https://doi.org/10.1016/j.ijmedinf.2019.01.014
  • Sheng, H., Siau, K., & Nah, F. F. H. (2010). Understanding the values of mobile technology in education: A value-focused thinking approach. ACM SIGMIS DATABASE: the DATABASE for Advances in Information Systems, 41(2), 25–44. https://doi.org/10.1145/1795377.1795380
  • Shrivastava, U., Song, J., Han, B. T., & Dietzman, D. (2021). Do data security measures, privacy regulations, and communication standards impact the interoperability of patient health information? A cross-country investigation. International Journal of Medical Informatics, 148(April), 104401. https://doi.org/10.1016/j.ijmedinf.2021.104401
  • Smith, J. H., Dinev, T., & Xu, H. (2011). Information privacy research: An interdisciplinary review. MIS Quarterly, 35(4), 989–1016. https://doi.org/10.2307/41409970
  • Stahl, B. C., Doherty, N. F., & Shaw, M. (2012). Information security policies in the UK healthcare sector: A critical evaluation. Information Systems Journal, 22(1), 77–94. https://doi.org/10.1111/j.1365-2575.2011.00378.x
  • Tembhare, A., Chakkaravarthy, S. S., Sangeetha, D., Vaidehi, V., & Rathnam, M. V. (2019). Role-based policy to maintain privacy of patient health records in cloud. The Journal of Supercomputing, 75(June), 5866–5881. https://doi.org/10.1007/s11227-019-02887-6
  • Tripathi, M., & Mukhopadhyay, A. (2020). Financial loss due to a data privacy breach: An empirical analysis. Journal of Organizational Computing and Electronic Commerce, 30(4), 381–400. https://doi.org/10.1080/10919392.2020.1818521
  • Urquhart, C., Lehmann, H., & Myers, M. D. (2010). Putting the ‘theory’ back into grounded theory: Guidelines for grounded theory studies in information systems. Information Systems Journal, 20(4), 357–381. https://doi.org/10.1111/j.1365-2575.2009.00328.x
  • Valdez, A. C., & Ziefle, M. (2019). The users’ perspective on the privacy-utility trade-offs in health recommender systems. International Journal of Human-Computer Studies, 121(January), 108–121. https://doi.org/10.1016/j.ijhcs.2018.04.003
  • Vemou, K., & Karyda, M. (2019). Evaluating privacy impact assessment methods: Guidelines and best practice. Information & Computer Security, 28(1), 35–53. https://doi.org/10.1108/ICS-04-2019-0047
  • Vora, J., Italiya, P., Tanwar, S., Tyagi, S., Kumar, N., and Obaidat, M. S. (11-13 July 2018). Ensuring privacy and security in e-health records. Paper presented at the 2018 International Conference on Computer, Information and Telecommunication Systems (CITS). IEEE. pp. 1–5. doi:10.1109/CITS.2018.8440164.
  • Wadhwa, K., & Rodrigues, R. (2013). Evaluating privacy impact assessments. Innovation: The European Journal of Social Science Research, 26(1–2), 161–180. doi:10.1080/13511610.2013.761748.
  • Wall, J. D., Lowry, P. B., & Barlow, J. (2015). Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess. Journal of the Association for Information Systems, 17(1), 39–76. https://doi.org/10.17705/1jais.00420
  • Walsham, G., & Sahay, S. (1999). GIS for district-level administration in India: Problems and opportunities. MIS Quarterly, 23(1), 39–65. https://doi.org/10.2307/249409
  • Wright, D., & De Hert, P. (2011). Privacy impact assessment (Vol. 6). Springer Science & Business Media.
  • Zhou, Z., Dou, Y., Tan, Y., & Jiang, J. (2018). A review of value-focused thinking (VFT) application. Paper presented at the 2018 IEEE 4th International Conference on Control Science and Systems Engineering (ICCSSE). IEEE. pp. 555–558. doi:10.1109/CCSSE.2018.8724791.
  • Zhu, H., Ou, C. X. J., van den Heuvel, W. J. A. M., & Liu, H. (2017). Privacy calculus and its utility for personalization services in e-commerce: An analysis of consumer decision-making. Information & Management, 54(4), 427–437. https://doi.org/10.1016/j.im.2016.10.001
  • Zibuschka, J. (2020). Analysis of automation potentials in privacy impact assessment processes. Springer.

Reprints and Corporate Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

To request a reprint or corporate permissions for this article, please click on the relevant link below:

Order Reprints Request Corporate Permissions

Academic Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

Obtain permissions instantly via Rightslink by clicking on the button below:

Request Academic Permissions

If you are unable to obtain permissions via Rightslink, please complete and submit this Permissions form. For more information, please visit our Permissions help page.

Related research

People also read lists articles that other readers of this article have read.

Recommended articles lists articles that we recommend and is powered by our AI driven recommendation engine.

Cited by lists all citing articles based on Crossref citations.
Articles with the Crossref icon will open in a new tab.