Skip to main content

A survey-based study of factors that motivate nurses to protect the privacy of electronic medical records



The purpose of this study is to investigate factors that motivate nurses to protect privacy in electronic medical records, based on the Decomposed Theory of Planned Behavior.


This cross-sectional study used questionnaires to collect data from nurses in a large tertiary care military hospital in Taiwan.


The three hundred two (302) valid questionnaires returned resulted in a response rate of 63.7 %. Structural equation modeling identified that the factors of attitude, subjective norm, and perceived behavioral control of the nurses significantly predicted the nurses’ intention to protect the privacy of electronic medical records. Further, perceived usefulness and compatibility, peer and superior influence, self-efficacy and facilitating conditions, respectively predicted these three factors.


The results of our study may provide valuable information for education and practice in predicting nurses’ intention to protect privacy of electronic medical records.

Peer Review reports


International advocacy has grown considerably to use healthcare information technologies (HITs), such as electronic medical records (EMRs), to enhance healthcare service quality and decrease costs [13]. Despite expected clinical and economic benefits for EMRs, the privacy of health care data remains a concern for both patients and healthcare organizations, impacting the use of EMRs [4].

Nursing plays an important role in patient care services since health care organizations recognize nurses as both coordinators and providers of these services [5]. Nurses comprise the largest portion of healthcare professionals and interact more with EMRs than other health care professionals due to the nature of their work [6]. The adoption of EMRs should assist nurses in providing nursing care and completing record-keeping routines more efficiently and effectively. Clinically, nurses collect and disseminate confidential patient information as part of their daily routines [7]. Consequently, besides caring for patients, the role of the nurse includes protecting the personal information of patients [7] as stated in the Code of Ethics for Nurses from the American Nurses Association [8] and the Nightingale Pledge [9]. Further, the privacy rules of Health Insurance Portability and Accountability Act (HIPAA) require healthcare providers to secure the privacy of patients’ health information [10]. Failure of nurses to safeguard patient privacy will erode nurse/patient relationships and impact the quality of the treatment provided [11]. Further, if nurses do not maintain the privacy of the information in EMRs, thus inappropriately disclose such information; patients may receive serious harm [12]. Unfortunately, most violations of patient privacy in medical facilities result from staff abuse or misuse of the right to access patient records [13].

Previous nursing studies regarding privacy mainly focused on providing opinion reports describing the importance of protecting patient privacy [7, 11]. However, little research has explored empirically the factors influencing nurses to protect the privacy of EMRs. By knowing these influencing factors, medical facilities can formulate strategies to motivate nurses’ intention to protect the privacy of EMRs. Consequently, the primary purpose of our study is to explore empirically the factors motivating nurses to protect EMRs privacy based on the Decomposed Theory of Planned Behavior (DTPB) [14].

Literature review

Electronic medical records

Generally, managers consider Information Technologies (ITs) to be an effective tool for improving efficiency and effectiveness in organizations. Although the healthcare industry has lagged behind other industries in the utilization of ITs, many medical facilities have understood the benefits that ITs offer and have adopted ITs [1]. The EMR is one type of IT that healthcare managers expect will reduce cost and improve the quality of health care [1, 2]. EMRs refer to the array of computer software applications commonly used to communicate orders for medical care, to document pertinent facts regarding a patient’s medical history, and to disseminate results of diagnostics testing [4].

Health care professionals often use another term, electronic health records (EHRs), interchangeably with EMRs. However, these two terms are different in several ways. First, EMRs are legal records created in hospitals and are the source of EHRs [15]. EMRs primarily contain the medical and treatment history of the patients in one hospital and only used by healthcare professionals within that hospital [16]. On the other hand, EHRs also contain wellness information [15, 16]. Thus, EHRs provide a broader view on a patient’s care than EMRs.

Additionally, health care professionals have used the concept of personal health records (PHRs) to preserve patient data. PHRs refer to “an electronic application through which individuals can access, manage and share their health information, and that of others for whom they are authorized, in a private, secure, and confidential environment” ([17], p. 122). PHRs gather health data entered by individuals and can provide individuals’ health information to healthcare professionals under authorizations by those individuals [18]. Further, PHRs can also capture data from EMRs to share over many hospitals, since patients could receive care from different hospitals [17]. Thus, our study adopts the term EMRs, since we focus on the electronic medical record in one hospital where most of the information is medical data gathered at that hospital, rather than data related to wellness and data gathered across institutions.

International proponents in the healthcare industry consider the wide-scale adoption of EMRs as essential [1, 2]. In 2012, 44 % of U.S. healthcare practitioners used some kind of EMRs [19]. In Taiwan, about 65.2 % of hospitals have adopted EMRs [20]. The rate of EMRs adoption in Japan in 2011 was 51.5 % in large hospitals [21]. In their study of EMRs adoption in China, Shu et al. [22] report that about 69.3 % of hospitals have their physicians using EMRs to place orders. An estimate is that by 2020, approximately 50 % of practitioners in USA will be using functional EMRs [1]. Accenture [23] even predicted that global EMRs market would reach $22.3 billion (USD) by the end of 2015. Thus, the study of EMRs is important.


Privacy is an individual’s right to determine which personal information to share with whom and for what purposes [11]. The invasion of privacy occurs when individuals cannot control the disclosure and usage of their personal information [24]. In healthcare settings, privacy refers to the ability of individuals to prevent certain disclosure of personal health information to others [25]. In addition to personal information such as the basic health information of height and blood pressures, the medical records may also include the more sensitive personal information such as sexually transmitted diseases, abortions, emotional problems, and physical abuse [24, 25]. Researchers have found that individuals have increasing concerns pertaining to whether organizations (including medical facilities) are proficient in safeguarding their personal information [24] including health-related information [26]. With the increasing usage of EMRs, more personal health information is stored and even shared among medical facilities and their staffs, which places the privacy of patients’ personal health information at a greater risk [7].

Research framework and hypotheses development

Among the well-known intention-behavior models, scientists have widely adopted the Theory of Planned Behavior (TPB) [27] to predict an individual’s behavior in numerous settings including healthcare-related settings [2830]. The TPB postulates that an individual’s behavioral intention is a function of attitude, subjective norm, and perceived behavioral control. Attitude refers to the positive/negative evaluations by an individual toward performing a behavior [28]. Subjective norm means the perceptions that significant referents desire the individual to perform or not perform a behavior [14]. Perceived behavioral control refers to the perceptions of internal and external constraints on behavior [27]. TPB [27] has been widely adopted to predict individual’s behavior in various disciplines. However, Taylor and Todd [14] argue that to better understand the relationships between multiple beliefs and the three antecedents of intention (i.e., attitude, subjective norm, and perceived behavioral control), further decomposition of attitudinal beliefs is required. Since their seminal work on the Decomposed Theory of Planned Behavior [14], numerous studies have adopted the model to predict individuals’ intention toward a specific behavior. Previous research [28, 3133] on individuals’ attitudes towards HITs has demonstrated DTPB performs better than TPB.

Our study adopted the DTPB [14] as the research framework to investigate nurses’ behavioral intentions to protect the privacy of EMRs. As Fig. 1 shows, the three primary antecedents (i.e., attitude, subjective norm, and perceived behavioral control) directly influence behavioral intentions can be decomposed into multidimensional constructs. Perceived usefulness (PU), perceived ease of protection (PEOP), and compatibility (COM) influence attitude (AT). Further, peer influence (PI) and superior influence (SI) collectively influence subjective norm (SN). In addition, self-efficacy (SE) and facilitating conditions (FC) influence perceived behavioral control (PBC). Figure 1 shows the justification of the research framework and the research constructs and their associations.

Fig. 1

Research framework (Adapted with permission. Copyright 1995 INFORMS. Shirley Taylor, Peter A. Todd (1995) Understanding Information Technology Usage: A Test of Competing Models. Information Systems Research 6(2):144–176, the Institute for Operations Research and the Management Sciences, 5521 Research Park Drive, Suite 200, Catonsville, Maryland 21228, USA). Note: PU (perceived usefulness), PEOP (perceived ease of protection), COM (compatibility), PI (peer influence), SI (superior influence), SE (self-efficacy), FC (facilitating conditions), AT (attitude), SN (subjective norm), PBC (perceived behavioral control), BI (behavioral intention)

Effects of perceived usefulness, perceived ease of protection, and compatibility on attitude

According to DTPB [14] as we use in this study, attitude refers to the extent that a nurse holds a favorable or unfavorable evaluation of protecting the privacy of EMRs [27]. Taylor and Todd [14] decompose attitude into three constructs (i.e., perceived usefulness, perceived ease of use, and compatibility) to predict users’ intentions to adopt new ITs. In our study setting, perceived usefulness depicts that protecting the privacy of EMRs is beneficial to nurses and hospitals. Perceived ease of use, originally defined as a person’s belief that using a particular system would be free of effort [34], is not suitable in our study context since we aim to investigate nurses’ intentions to protect the privacy of EMRs, not to adopt an IT. Consequently, we use ‘perceived ease of protection,’ which refers to the degree that nurses believe protecting the privacy of EMRs would be free of effort, thus corresponding to the ‘perceived ease of use.’ While compatibility refers to protecting the privacy of EMRs when nurses perceive the protection is consistent with existing values, needs, and experiences of nurses. Previous studies [14, 28, 31, 3537] affirm that perceived ease of use (protection), perceived usefulness, and compatibility significantly influence individuals’ attitude towards new ITs. Accordingly, the following hypotheses are proposed:

  • H1: Perceived usefulness has a positive influence on nurses’ attitudes toward protecting privacy of EMRs.

  • H2: Perceived ease of protection has a positive influence on nurses’ attitudes toward protecting privacy of EMRs.

  • H3: Compatibility has a positive influence on nurses’ attitudes toward protecting privacy of EMRs.

Effects of peer influence and superior influence on subjective norm

Subjective norm is a type of subjective social pressure derived from a similar group of people (e.g., friends, colleagues, or superiors), influencing an individual’s attitude toward his/her intentions [27]. Individuals are more likely to comply with others’ expectations when those referent others have the ability to reward the desired behavior or punish non-behavior [38]. That is, peer behaviors may play an important role in motivating individuals to perform a specific behavior. Taylor and Todd [14] also confirm that the influences of both peers and superiors have direct effects on subjective norms. Consequently, a reasonable supposition is that peers or superiors would influence nurses’ perceived subjective norm. This reasoning leads to the following hypotheses:

  • H4: Peer influence has a positive influence on nurses’ subjective norms toward protecting privacy of EMRs

  • H5: Superior influence has a positive influence on nurses’ subjective norms toward protecting privacy of EMRs

Effects of self-efficacy and facilitating conditions on perceived behavioral control

Based on prior studies [14, 38], perceived behavioral control refers to the internal and external constraints on protecting privacy of EMRs and in our study includes self-efficacy and facilitating conditions. Self-efficacy refers to the self-confidence of nurses in their ability to protect the privacy of EMRs, while facilitating conditions refers to resources such as EMRs related hardware, software, and usability in expediting privacy-protection behaviors that are compatible with existing hardware and software in hospitals. Extant literature [27, 28] confirms that the self-efficacy and facilitating conditions affect an individual’s perceived behavioral control. Therefore, the following hypotheses are proposed:

  • H6: Self-efficacy has a positive influence on nurses’ perceived behavioral control toward protecting privacy of EMRs

  • H7: Facilitating conditions have a positive influence on nurses’ perceived behavioral control toward protecting privacy of EMRs

Effects of attitude, subjective norm, and perceived behavioral control on behavioral intention

Based on TPB [27], three primary constructs including attitude, subjective norm, and perceived behavioral control predict an individual’s behavioral intention. Various literature [14, 28, 30] also suggests that these relationships exist. Transferring the rationale of TPB into our study, we suggest that if nurses hold positive attitudes toward privacy measures proposed by the hospital, they will be more willing to engage in EMRs privacy protection behavior. Moreover, individuals’ perceived social pressure from people they care about usually can influence them to perform a given behavioral action [27]. If nurses believe that their colleagues, superiors, or even friends expect protection of patient privacy, they will be more likely to protect the privacy of EMRs. Finally, individuals usually assess whether they have the requisite resources to overcome obstacles encountered to perform a specific behavior [27]. Consequently, nurses who feel capable of protecting patient privacy are more willing to engage in privacy-protecting activities related to EMRs. In light of above discussions, we propose the following hypotheses:

  • H8: Nurses’ attitudes have a positive influence on their behavioral intention to protect privacy of EMRs

  • H9: Nurses’ subjective norms have a positive influence on their behavioral intention to protect privacy of EMRs

  • H10: Nurses’ perceived behavioral controls have a positive influence on their behavioral intention to protect privacy of EMRs



To assess the perceptions of nurses regarding privacy protection of EMRs, we undertook a cross-sectional survey at a tertiary care military hospital in Taiwan. The hospital, with 732 beds, provides tertiary care service to both military and civilians patients resulting in more than 19,860 annual patient admissions in 2013. The hospital adopted EMRs in 2009, with all nurses documenting care records in EMRs. This fact indicates that the nurses should have adequate knowledge concerning the operations of EMRs to participate in this study.

Instrument development

The constructs in our research framework were measured using 32 items from previous validated works [14, 38]. An expert panel consisting of one senior hospital manager and two experienced researchers in the field of healthcare information management inspected these items. The panel considered one (1) of the items redundant and suggested removal of this item; while the researchers modified other items based on the recommendations from the experts (See Appendix 1 for the removed item). We used a 7-point Likert scale (1 for ‘strongly disagree’ and 7 for ‘strongly agree’) to assess the survey items since a 7-point scale is currently the most widely used type of scale [39] and is more reliable than a 5-point scale [40]. Further, a 7-point scales can prevent people from being too neutral in their responses [41] and is comparable with a 5-point scale [42]. Table 1 depicts the final measurement items for constructs of interest and their sources.

Table 1 Constructs of interest and corresponding items

Survey procedure and ethics approval

We used a field survey to test the proposed model. We obtained approval from the Institutional Review Board (IRB) of Kaohsiung Armed Forces General Hospital prior to proceeding with the investigation. The IRB waived the mandate for obtaining informed consent from subjects. We distributed questionnaires to all of the 474 registered nurses in the subject hospital. In December 2012, nurses, voluntarily and anonymously, completed the paper-and-pencil survey. In all, we collected 307 responses, indicating a response rate of 63.7 %. We had 302 responses for analysis since we eliminated five questionnaires because of partial answers.

Common method bias

Regarding common method bias, we used the Harman’s single factor test [43] to check whether significant method effects occurred on our hypothesized relationships. We use confirmatory factor analysis (CFA) to detect this issue as suggested by literature [43]. All the manifested items were modeled as the indicators of a single factor and the CFA results revealed poor fit between the collected data and the model (e.g., χ2/d.f. = 9.97; CFI = .74; RMSEA = .17). Common method bias should not be a problem in our study.


Descriptive statistics

Of the 302 valid responses, 296 were female (98 %) and six (6) were male (2 %). Nearly 75 % of the respondents were 30-49 years of age. In addition, the majority of respondents (99.3 %) were college- or university-educated. Further, about 8.6 % of the respondents were managerial level staff. All of the respondents had experiences in using EMRs in the subject hospital, indicating these respondents should have had adequate background knowledge about the survey content to render a meaningful response. Table 2 shows the respondents’ demographics.

Table 2 Respondent characteristics

Data analysis

We empirically validated the proposed model using partial least squares (PLS), supported by SmartPLS® 2.0 M3 software [44]. PLS (a variance-based structural equation model) reduces the effect of measurement error by creating a weighted sum from multiple indicators of a latent variable to account for measurement error. As such, PLS handles measurement error differs from covariance-based structural equation, which explicitly includes measurement error in the research model [45]. Currently, researchers have no clear census concerning whether measurement error should be modeled or eliminated [46]. We chose PLS for its ability to handle latent constructs with non-normality and with small to medium sample sizes [47].

Measurement model

We first assessed the measurement model according to three tests: reliability, convergent validity, and discriminant validity [47]. Reliability can be gauged via factor loading, composite reliability (CR), and Cronbach’s α [47]. The factor loadings of all constructs exceeded the suggested criterion of .7 [48], demonstrating adequate item reliability (see Table 3). In addition, the figures of CR and Cronbach’s α scores were higher than the recommended .7 thresholds, indicating acceptable reliability. Regarding convergent validity, the value of average variance extracted (AVE) exceeded .5 implying convergent validity [48] (see Table 3). Meanwhile, the inter-construct correlations matrix (see Table 4) demonstrates that the square root of AVE for each construct exceeded the correlation of the specific construct with any other constructs in the model, thus indicating sufficient discriminant validity [48].

Table 3 Descriptive statistics and reliability measures
Table 4 Inter-construct correlations

Structural model

After validating the measurement model, we then assessed the hypotheses by examining the structural model. We used the bootstrapping procedure to test the statistical significance of each path coefficient. Figure 2 presents the structural model results with path coefficient and t-statistics. Regarding hypotheses H1, H2, and H3, the results significantly supported only H1 and H3. That is, attitude was influenced by perceived usefulness (β = .30, t = 5.84) and compatibility (β = .58, t = 8.78), while perceived ease of protection was not a significant predictor of attitude (β = .09, t = 1.36). In terms of hypotheses H4 and H5, the results revealed significant support for both hypotheses. That is, subjective norm was influenced by peer influence (β = .53, t = 9.26) and superior influence (β = .43, t = 7.37), and peer influence is the strongest predictor of subjective norm. Further, hypotheses H6 and H7 were confirmed that both self-efficacy (β = .60, t = 10.55) and facilitating conditions (β = .36, t = 5.98) positively affect perceived behavioral control. Regarding hypotheses H8, H9, and H10, the results demonstrated that attitude (β = .28, t = 3.75), subjective norm (β = .17, t = 2.14), and perceived behavioral control (β = .50, t = 6.59) contributed to behavioral intention to protect privacy of EMRs. Perceived usefulness and compatibility jointly explained about 82 % of the variance of attitude while peer influence and superior influence roughly accounted for 82 % of the variance of subjective norm. In addition, self-efficacy and facilitating conditions collectively explained about 80 % of the variance of perceived behavioral control. Overall, the model explained about 83 % of the determined variance in the behavioral intention to protect the privacy of EMRs. Further, we adopted the global fit measure (GoF) to validate the overall PLS model and used the formula as \( \sqrt{\overline{Average\ Variance\ Extracted(AVE)}}*\left.\overline{R^2}\right) \) to compute the GoF [49]. The average AVE = .93 and average R2 = .82, resulting in a GoF = .87 demonstrated that our model was valid [49].

Fig. 2

Structural model results with β and t-statistics (in parenthesis)(Adapted with permission. Copyright 1995 INFORMS. Shirley Taylor, Peter A. Todd (1995) Understanding Information Technology Usage: A Test of Competing Models. Information Systems Research 6(2):144–176, the Institute for Operations Research and the Management Sciences, 5521 Research Park Drive, Suite 200, Catonsville, Maryland 21228, USA)


Effects of perceived usefulness, perceived ease of protection, and compatibility on attitude

In agreement with the assertion of DTPB, we found that perceived usefulness (PU) has a positive relationship with attitude [14]. The result is also consistent with prior studies in both healthcare [29, 31, 32, 50] and non-healthcare studies [35, 51], indicating that PU is a stable measure in predicting attitude across differing study contexts. The support of H1 demonstrates that an increase in perceived usefulness would strengthen nurses’ attitude toward protecting the privacy of EMRs. In the light of this finding, demonstrating the benefits and importance of protecting EMRs privacy to nurses is essential to foster their positive attitudes. To that end, providing appropriate privacy training may be vital for directing nurses’ beliefs regarding the usefulness of protecting the privacy of EMRs. In that way, nurses may hold more a positive attitude toward protecting EMRs privacy.

The result of failed support for H2 is not in line with what the original DTPB postulates. That is, perceived ease of use (PEOU) should have a positive relationship with attitude [14]. However, Lee et al. [52] found that PEOU is an unstable predictor in other contexts. They found only 58 out of 101 studies revealed a significant relationship between perceived ease of use with dependent variables. Although our result did not support the DTPB and related studies in non-healthcare context [35, 38], the results are in line with some prior literature conducted in healthcare context [31, 32]. More specifically, our finding is consistent with literature using physician subjects [32]. Chau and Hu [32] found that physicians might not consider perceived ease of use as an important factor since they can learn technology quickly. But Hung et al. [28] found that perceived ease of use significantly predict physician’s intention to use Medline systems. Our study used nurses as the study subjects and the evidence revealed an insignificant outcome. One possible reason might be that since nurses are familiar with protecting privacy of paper-based medical records, they have no concerns in conducting such protective behavior in digitized medical records. Most nurses should have adequate information literacy after graduation in Taiwan [53] and consequently, nurses might not view ease to protect the privacy as an issue of particular importance.

Regarding H3, we validated compatibility to be a significant predictor of nurses’ attitude toward protecting the privacy of EMRs. The result is consistent with the postulation of DTPB [14] and other studies [31, 54, 55]. Tung et al. [56] found that nurses are willing to use electronic logistic information systems only if the system is consistent with their existing values, experiences, and needs. For nurses, the primary value of protection privacy is not different between paper-based and digitized medical records. Further, nurses are used to practicing in a traditional way, that is, documenting/querying patient’s medical records in the nurses’ stations under the regulation of privacy policies. Therefore, most of the procedures for effectively protecting the privacy of EMRs should not be different from protecting paper-based medical records. However, nurses can also query medical records anywhere with proper devices and network connectivity away from nurses’ stations, which may require nurses to undertake a different approach and to possess sufficient IT-related skills for protecting the privacy of EMRs. Consequently, the significant result may imply that hospitals should ensure that any procedures or ITs employed for improving the protection of EMRs privacy should be consistent with nurses’ work practices and designed according to nurses’ experiences and needs.

Effects of peer influence and superior influence on subjective norm

DTPB decomposed subjective norms into peer influence and superior influence due to the possible incongruence of opinions among various referent groups [14]. While other studies proposed differing referent groups, these differing referent groups consistently exert significant effects on subjective norms. Our study is consistent with DTPB [14] and previous healthcare-related study [29] that decomposed subjective norm into peer influence and superior influence.

Nurses, as a profession, share a common terminology, training, professional culture, and work environments and a tendency towards compliance with organizational norms and expectations [57]. The support of H4 may imply that hospitals must equip nurses with adequate ethical knowledge and skills concerning the privacy-protection of EMRs. When nurses understand what kinds of actions are appropriate for accessing EMRs, they may prevent other nurses from committing illegal acts. Further, the support of H5 also demonstrates that hospitals should use the knowledge that superior influence reinforces perceptions of subjective norms to train managers, such as head nurses, to supervise other nurses in protecting the privacy of EMRs. Most hospitals have existing privacy policies for protecting EMRs and these policies mandate healthcare professionals, including nurses, adhere. Managers are obligated to ensure that health professionals strictly follow these policies. This practice may explain why superior influence is a significant predictor of subjective norms regarding EMRs privacy-protection.

Effects of self-efficacy and facilitating conditions on perceived behavioral control

As hypothesis H6 postulated, self-efficacy is a significant predictor of perceived behavioral control (PBC). Self-efficacy primarily concerns nurses’ self-confidence in their ability to protect the privacy of EMRs. In Taiwan, nursing schools usually provide lectures or courses concerning patient privacy and information security [53]. Meanwhile, the hospital in this study has acquired the ISO 27001 certification that mandates hospitals hold information-security training programs regularly. Consequently, besides having adequate knowledge regarding EMRs, nurses in our study should be equipped with sufficient privacy-protection knowledge. Further, nurses have adopted ethical codes that address the responsibility toward protecting patient privacy. Thus, nurses are ethically bound to hold all information in confidence [58]. This responsibility may explain why self-efficacy is a significant predictor of perceived behavioral control and the findings are in line with prior literature [14, 28, 29, 37, 59]. This significant finding may indicate that hospitals should provide nurses with sufficient ethical knowledge and IT skills for protecting the privacy of EMRs. We suggest that hospitals could organize continuous training programs regarding ethics, information security concepts/procedures, and IT skills to enhance their capabilities in protecting the privacy of EMRs.

Regarding hypothesis H7, facilitating condition is a strong determinant of nurses’ perceived behavioral control toward protecting the privacy of EMRs. Facilitating condition refers to resources such as EMRs related hardware, software, and usability for facilitating privacy-protection behavior that are compatible with existing hardware and software in hospitals. Since the hospital in this study adopted EMRs in 2009, the hospital leadership has integrated all computer hardware, software, and management procedures required for EMRs within the existing Hospital Information Systems (HISs). However, since most hospitals have joined Taiwan’s National Health Insurance Program, EMRs are subject to frequent change in regulations. Hence, nurses may expect that hospitals ensure subsequent changes in regulations that influence EMRs are compatible with existing HISs. This review would mandate the analysis of the requirements carefully whenever the National Health Insurance program implements essential changes that affect EMRs. These recommendations support previous studies [29, 38] and suggest that hospitals should ensure continued compatibility with the EMRs. Thus, nurses should perceive a lesser degree of constraint when protecting the privacy of EMRs.

Effects of attitude, subjective norm, and perceived behavioral control on behavioral intention to protect privacy of EMRs

H8 stated that the attitude of nurses would directly influence their intention to protect the privacy of EMRs. In words, nurses with positive opinions of the need for privacy of EMRs will be more likely to protect the privacy of EMRs, while nurses who simply do not care will be less likely to protect the privacy of EMRs. Attitude is a stable predictor of behavioral intention in previous studies [2830, 52, 60, 61] and our finding is consistent with results from many previous studies. Based on this finding, we suggest hospitals formulate relevant strategies for cultivating nurses with positive opinions on privacy of EMRs issues. Such strategies could include holding provisional seminars or constant training programs concerning ethics to strengthen nurses’ attitude toward EMRs privacy issue. Further, these training programs could focus on introducing the consequences of violating EMRs privacy policy as the awareness of these issues may lead to a change in nurses’ attitude toward EMRs privacy.

As stated in H9, the subjective norm of nurses will positively influence their intention to protect the privacy of EMRs. The results demonstrate that nurses have beliefs that depend on the social norm of referent groups (peer nursing workers and their superiors in our study). These results suggest that social influence plays a critical role in nurse’s privacy-protective intentions and are in line with previous studies [28, 30, 61, 62]. Our findings may suggest that protecting the privacy of EMRs among nurses can be improved by leveraging referent groups or important others that influence nurses’ intention to protect privacy. As Milholland [58] stated, nurses do not want providers or others to inadvertently access patient information. Therefore, nurse managers need to be sensitive to the privacy issues to guide their staffs in protecting patients from unauthorized invasions of privacy. The study produced results that corroborate the findings of original DTPB [14].

H10 asserts that the perceived behavioral control of nurses has a significant impact on their intention to protect the privacy of EMRs. In words, when nurses perceive higher control of or feel they are capable of protecting the privacy of EMRs, they are more likely to engage in such protective behavior. The results are consistent with previous studies [28, 30, 31, 37, 52, 61, 62]. Based on the findings, we suggest that hospitals improve nurses’ control perceptions via providing adequate resources and skills to facilitate nurses’ behavioral intention to protect the privacy of EMRs. To achieve the above-mentioned goal, hospitals could provide proper training programs concerning ethics and IT skills to enhance nurses’ perceptions of controllability to protect the privacy of EMRs.

Limitations and future study directions

Although the results of this study provide educational and pragmatic implications, some limitations create several opportunities for further research. First, our study only measured nurses’ behavioral intention of protecting the privacy of EMRs, which might not be representative of nurses’ actual protecting behavior. Future studies can collect data from nurses’ actual behavior to understand better the relationships among these constructs. Second, we conducted the study using a cross-sectional design, which may lead to a snapshot presentation of the current setting. Thus, additional research would add value to the theoretical development by using longitudinal studies. Third, since our study only targeted nurses in one Taiwanese military hospital, we cannot safely generalize the findings to other hospitals or to other countries. Future research should select the respondents from more representative samples. Finally, although common method bias does not seem to be a serious problem in our study, future study should avoid common method bias before data collection.


Our study examined a model based on DTPB to explain what motivates nurses to protect patient privacy in EMRs. Using responses collected from 302 nurses practicing in a tertiary care military hospital in Taiwan, we were able to validate the research model empirically in terms of the overall fit and explanatory power as well as the individual causal relationships specified. The model explains about 83 % of the variance in the behavioral intention. Our findings support nine of the 10 proposed hypotheses. The rejected hypothesis showed that perceived ease of protection has no influence on nurses’ attitude toward protecting the privacy of EMRs.

Our study has important implications. As EMRs continue to permeate healthcare industries, hospitals should pay attention to privacy issues as well as the benefits of EMRs. The evidence of our study suggests the development of training interventions that foster nurses’ positive attitudes toward the privacy of EMRs. This training should place emphases on acquainting nurses with the benefits of protecting the privacy of EMRs using protective procedures consistent with nurses’ needs and prior experiences. Additionally, our study shows that subjective norm contributes to nurses’ intention to protect the privacy of EMRs; and that the influence of nurses’ peers and supervisors enhance such perceptions. Finally, perceived behavioral control also contributes to nurses’ privacy-protection intentions about EMRs. Hospitals should augment these control perceptions by providing sufficient skills training and resources.


This study adopted the DTPB as the theoretical underpinning to investigate nurses’ behavioral intention to protect privacy of EMRs. Our findings demonstrate that DTPB provides a strong explanation of nurses’ intention to protect the privacy of EMRs with an R-square statistic for behavioral intention of 83 %. Further, the findings also provide insights for hospital managers to formulate strategies to boost nurses’ intention to protect the privacy of EMRs. Adding to the growing body of literature about privacy-protection among nurses, this study is particularly relevant to hospital managers facing the possibility of unauthorized invasions of patient privacy in EMRs.





behavioral intention




decomposed theory of planned behavior


electronic health record


electronic medical record


facilitating conditions


Health Insurance Portability and Accountability Act


Hospital Information System


Healthcare information technology


Information technology


Perceived behavioral control


Perceived ease of protection


Perceived ease of use


Personal health record


Peer influence


Perceived usefulness




Superior influence


Subjective norm


Theory of planned behavior


  1. 1.

    Goldschmidt PG. HIT and MIS: Implications of health information technology and medical information systems. Comm ACM. 2005;48(10):68–74.

    Article  Google Scholar 

  2. 2.

    Institute of Medicine: The computer-based patient record: An essential technology for health care, Revised Edition: Washington, D.C.: The National Academies Press; 1997.

    Google Scholar 

  3. 3.

    Leblanc G, Gagnon MP, Sanderson D. Determinants of primary care nurses’ intention to adopt an electronic health record in their clinical practice. Comput Informat Nurs. 2012;30(9):496–502.

    Article  Google Scholar 

  4. 4.

    Abbass I, Helton J, Mhatre S, Sansgiry SS. Impact of electronic health records on nurses’ productivity. Comput Informat Nurs. 2012;30(5):237–41.

    Article  Google Scholar 

  5. 5.

    van Bemmel JH, Musen MA. Handbook of medical informatics. Heidelberg: Springer Verlag; 1997.

    Google Scholar 

  6. 6.

    Top M, Gider Ö. Nurses’ views on electronic medical records (EMR) in Turkey: An analysis according to use, quality and user satisfaction. J Med Syst. 2012;36(3):1979–88.

    Article  PubMed  Google Scholar 

  7. 7.

    Kerr P. Protecting patient information in an electronic age: A sacred trust. Urol Nurs. 2009;29(5):315–8.

    PubMed  Google Scholar 

  8. 8.

    American Nurses Association (ANA): Code of ethics for nurses with interpretive statements: American Nurses Association (ANA); 2014. Retrieved September 2, 2014, from

  9. 9.

    McBurney BH, Filoromo T. The nightingale pledge: 100 years later. Nurs Manag. 1994;25(2):72–4.

    CAS  Google Scholar 

  10. 10.

    McGraw D. Building public trust in uses of Health Insurance Portability and Accountability Act de-identified data. J Am Med Informat Assoc. 2013;20(1):29–34.

    Article  Google Scholar 

  11. 11.

    Erickson JI, Millar S. Caring for patients while respecting their privacy: Renewing our commitment. Online J Issues Nur. 2005;10(2):2.

    Google Scholar 

  12. 12.

    Rindfleisch TC. Privacy, information technology, and health care. Comm ACM. 1997;40(8):92–100.

    Article  Google Scholar 

  13. 13.

    U.S. Department of Health and Human Services: Breaches Affecting 500 or more Individuals. 2014 Retrieved September 2, 2014, from

  14. 14.

    Taylor S, Todd PA. Understanding information technology usage - A test of competing models. Inform Syst Res. 1995;6(2):144–76.

    Article  Google Scholar 

  15. 15.

    Garets D, Davis M. Electronic medical records vs. electronic health records: Yes, there is a difference. In. Chicago: HIMSS Analytics, LLC; 2006.

    Google Scholar 

  16. 16.

    Garret P, Seidman J: EMR vs EHR – What is the difference? 2011 Retrieved February 2, 2015, from

  17. 17.

    Tang PC, Ash JS, Bates DW, Overhage JM, Sands DZ. Personal health records: Definitions, benefits, and strategies for overcoming barriers to adoption. J Am Med Informat Assoc. 2006;13(2):121–6.

    CAS  Article  Google Scholar 

  18. 18.

    AHIMA. The role of the personal health record in the EHR. J AHIMA. 2005;76(7):64A–D.

    Google Scholar 

  19. 19.

    Charles, D, King, J, Patel, V, & Furukawa, M F. Adoption of electronic health record systems among U.S. non-federal acute care hospitals: 2008-2012. ONC Data Brief 2013 Retrieved September 2, 2014, from

  20. 20.

    Ministry of Health and Welfare: Bulletin of EMRs adoption 2014 Retrieved 15th August, 2014, from

  21. 21.

    Yoshida Y, Imai T, Ohe K. The trends in EMR and CPOE adoption in Japan under the national strategy. Int J Med Informat. 2013;82(10):1004–11.

    Article  Google Scholar 

  22. 22.

    Shu T, Liu H, Goss FR, Yang W, Zhou L, Bates DW, et al. EHR adoption across China’s tertiary hospitals: A cross-sectional observational study. Int J Med Informat. 2014;83(2):113–21.

    Article  Google Scholar 

  23. 23.

    Accenture: Getting EMR back in the fast lane. Accenture; 2014 Retrieved September 2, 2014, from

  24. 24.

    Malhotra NK, Kim SS, Agarwal J. Internet users’ information privacy concerns (IUIPC): The construct, the scale, and a causal model. Inform Syst Res. 2004;15(4):336–55.

    Article  Google Scholar 

  25. 25.

    Rothstein MA. Health privacy in the electronic age. J Leg Med. 2007;28(4):487–501.

    Article  PubMed  PubMed Central  Google Scholar 

  26. 26.

    Agaku IT, Adisa AO, Ayo-Yusuf OA, Connolly GN. Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. J Am Med Informat Assoc. 2014;21(2):374–8.

    Article  Google Scholar 

  27. 27.

    Ajzen I. The theory of planned behavior. Organ Behav Hum Decis Process. 1991;50(2):179–211.

    Article  Google Scholar 

  28. 28.

    Hung SY, Ku YC, Chien JC. Understanding physicians’ acceptance of the Medline system for practicing evidence-based medicine: A decomposed TPB model. Int J Med Informat. 2012;81(2):130–42.

    Article  Google Scholar 

  29. 29.

    Glegg SM, Holsti L, Velikonja D, Ansley B, Brum C, Sartor D. Factors influencing therapists’ adoption of virtual reality for brain injury rehabilitation. Cyberpsych Beh Soc N. 2013;16(5):385–401.

    Article  Google Scholar 

  30. 30.

    Seyal AH, Turner R. A study of executives’ use of biometrics: An application of theory of planned behaviour. Behav Inform Tech. 2013;32(12):1242–56.

    Article  Google Scholar 

  31. 31.

    Chau PYK, Hu PJH. Information technology acceptance by individual professionals: A model comparison approach. Decis Sci. 2001;32(4):699–719.

    Article  Google Scholar 

  32. 32.

    Chau PYK, Hu PJH. Examining a model of information technology acceptance by individual professionals: An exploratory study. J Manag Inform Syst. 2002;18(4):191–229.

    Article  Google Scholar 

  33. 33.

    Chau PYK, Hu PJH. Investigating healthcare professionals’ decisions to accept telemedicine technology: An empirical test of competing theories. Inform Manag. 2002;39(4):297–311.

    Article  Google Scholar 

  34. 34.

    Davis FD. Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quart. 1989;13(3):319–40.

    Article  Google Scholar 

  35. 35.

    Chen JV, Yen DC, Chen K. The acceptance and diffusion of the innovative smart phone use: A case study of a delivery service company in logistics. Inform Manag. 2009;46(4):241–8.

    Article  Google Scholar 

  36. 36.

    Hu PJH, Chau PYK, Sheng ORL, Tam KY. Examining the technology acceptance model using physician acceptance of telemedicine technology. J Manag Inform Syst. 1999;16(2):91–112.

    Article  Google Scholar 

  37. 37.

    Lin HF. Predicting consumer intentions to shop online: An empirical test of competing theories. Electron Commerce Res Appl. 2007;6(4):433–42.

    Article  Google Scholar 

  38. 38.

    Venkatesh V, Morris MG, Davis GB, Davis FD. User acceptance of information technology: Toward a unified view. MIS Quart. 2003;27(3):425–78.

    Google Scholar 

  39. 39.

    Alwin DF. Feeling thermometers versus 7-point scales: Which are better? Socio Meth Res. 1997;25(3):318–40.

    Article  Google Scholar 

  40. 40.

    Nunnally JC, Bernstein IH. Psychometric theory. 3rd ed. New York: McGraw-Hill; 1994.

    Google Scholar 

  41. 41.

    Colman AM, Morris CE, Preston CC. Comparing rating scales of different lengths: Equivalence of scores from 5-point and 7-point scales. Psychol Rep. 1997;80(2):355–62.

    Article  Google Scholar 

  42. 42.

    Dawes JG. Do data characteristics change according to the number of scale points used? An experiment using 5-point, 7-point and 10-point scales. Int J Market Res. 2008;50(1):61–77.

    Google Scholar 

  43. 43.

    Podsakoff PM, MacKenzie SB, Lee JY, Podsakoff NP. Common method biases in behavioral research: A critical review of the literature and recommended remedies. J Appl Psychol. 2003;88(5):879–903.

    Article  PubMed  Google Scholar 

  44. 44.

    Ringle CM, Wende S, Will A: SmartPLS 2.0.M3. Hamburg: SmartPLS, 2005 Retrieved September 2, 2014, from

  45. 45.

    Henseler J, Dijkstra TK, Sarstedt M, Ringle CM, Diamantopoulos A, Straub DW, et al. Common beliefs and reality about PLS: Comments on Rönkkö and Evermann (2013). Organ Res Methods. 2014;17(2):182–209.

    Article  Google Scholar 

  46. 46.

    Gefen D, Straub D. A practical guide to factorial validity using PLS-Graph: Tutorial and annotated example. Comm Assoc Inform Syst. 2005;16(1):91–109.

    Google Scholar 

  47. 47.

    Hair JF, Hult GTM, Ringle CM, Sarstedt M. A primer on partial least squares structural equation modeling (pls-sem). Thousand Oaks: Sage; 2013.

    Google Scholar 

  48. 48.

    Fornell C, Larcker DF. Evaluating structural equation models with unobservable variables and measurement error. J Market Res. 1981;18(1):39–50.

    Article  Google Scholar 

  49. 49.

    Wetzels M, Odekerken-Schröder G, Van Oppen C. Using PLS path modeling for assessing hierarchical construct models: Guidelines and empirical illustration. MIS Quart. 2009;33(1):177–95.

    Google Scholar 

  50. 50.

    Martínez-Caro E, Cegarra-Navarro JG, Solano-Lorente M. Understanding patient e-loyalty toward online health care services. Health Care Manag Rev. 2013;38(1):61–70.

    Article  Google Scholar 

  51. 51.

    Kaba B, Osei-Bryson KM. Examining influence of national culture on individuals’ attitude and use of information and communication technology: Assessment of moderating effect of culture through cross countries study. Int J Inform Manag. 2013;33(3):441–52.

    Article  Google Scholar 

  52. 52.

    Lee Y, Kozar KA, Larsen KRT. The technology acceptance model: Past, present, and future. Comm Assoc Inform Syst. 2003;12(1):752–80.

    Google Scholar 

  53. 53.

    Kuo KM, Liu CF, Ma CC. An investigation of the effect of nurses’ technology readiness on the acceptance of mobile electronic medical record systems. BMC Med Informat Decis Making. 2013;13(1):88.

    Article  Google Scholar 

  54. 54.

    Cheung R, Vogel D. Predicting user acceptance of collaborative technologies: An extension of the technology acceptance model for e-learning. Comput Educ. 2013;63:160–75.

    Article  Google Scholar 

  55. 55.

    Wu JH, Wang SC. What drives mobile commerce? An empirical evaluation of the revised technology acceptance model. Inform Manag. 2005;42(5):719–29.

    Article  Google Scholar 

  56. 56.

    Tung FC, Chang SC, Chou CM. An extension of trust and TAM model with IDT in the adoption of the electronic logistics information system in HIS in the medical industry. Int J Med Informat. 2008;77(5):324–35.

    Article  Google Scholar 

  57. 57.

    Levett-Jones T, Lathlean J. ‘Don’t rock the boat’: Nursing students’ experiences of conformity and compliance. Nurse Educ Today. 2009;29(3):342–9.

    Article  PubMed  Google Scholar 

  58. 58.

    Milholland DK. Privacy and confidentiality of patient information: Challenges for nursing. J Nurs Admin. 1994;24(2):19–24.

    CAS  Article  Google Scholar 

  59. 59.

    Shih YY, Fang K. The use of a decomposed theory of planned behavior to study Internet banking in Taiwan. Internet Res. 2004;14(3):213–23.

    Article  Google Scholar 

  60. 60.

    Foltz CB, Schwager PH, Anderson JE. Why users (fail to) read computer usage policies. Ind Manag Data Syst. 2008;108(6):701–12.

    Article  Google Scholar 

  61. 61.

    Zhang J, Reithel BJ, Li H. Impact of perceived technical protection on security behaviors. Inform Manag Comput Secur. 2009;17(4):330–40.

    Article  Google Scholar 

  62. 62.

    Herath T, Rao HR. Protection motivation and deterrence: A framework for security policy compliance in organizations. Eur J Inform Syst. 2009;18(2):106–25.

    Article  Google Scholar 

Download references


Support for this paper came from the Ministry of Science and Technology (Grant No. MOST-103-2410-H-214-007) and I-Shou University (Grant No. ISU102-S-01), Taiwan, R.O.C.

Author information



Corresponding author

Correspondence to Kuang-Ming Kuo.

Additional information

Competing interests

The authors declare that they have no competing interests.

Authors’ contribution

CC and KM conceived of this study and participated in the its design and carried out the study. CC and KM also drafted the manuscript and performed the statistical analysis. JA reviewed the manuscript at several stages of in the process, providing feedback and suggestions. All authors read and approved the final manuscript.

Appendix 1

Appendix 1

Table 5 Removed items

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (, which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The Creative Commons Public Domain Dedication waiver ( applies to the data made available in this article, unless otherwise stated.

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Ma, CC., Kuo, KM. & Alexander, J.W. A survey-based study of factors that motivate nurses to protect the privacy of electronic medical records. BMC Med Inform Decis Mak 16, 13 (2015).

Download citation


  • Decomposed theory of planned behavior
  • Electronic medical records
  • Privacy protection
  • Nurses