It has been duly acknowledged that the adoption of electronic medical records (EMR), a collection of software functions commonly utilized in the delivery of directives for patient care, in the maintenance of patients’ medical records, and the distribution of laboratory testing or radiologic examinations results [1], can improve healthcare quality and decrease overall cost [2]. Via EMR, healthcare professionals can serve to inquire after patient information immediately without the limitations of time and space [3]. However, with the advent of a more accessible and comprehensive EMR system, a massive amount of medical records may become easily obtainable to both unauthorized and authorized users who are both inside and outside the healthcare facilities [4]. EMR are therefore potentially susceptible to security breaches which may lead to real patients’ privacy concerns [1]. Most reported privacy violations in healthcare facilities stem in fact from staff misuse or abuse of their privileged access status to patient records [5, 6].
There is a widely accepted knowledge as to the importance of employees’ compliance with organizational rules, procedures, and policies, all of which can be used to regulate employees’ accurate attitudes or behaviors regarding how organizational resources should be utilized [5, 7, 8]. Despite such evidence, employees often demonstrate not to abide by such prescriptive rules or policies. In reality, non-compliance to such stated policies may cause organizations significant reputational damage, remediation costs, or even subsequent penalties [9]. For many healthcare facilities, regulations have been purposefully mandated in order to secure patient information due to the increased digitization of patient records [10]. Healthcare facilities must therefore invest in how to effectively motivate employees to comply with stated policy and to secure EMR.
Although existing literature has significantly enhanced our understanding of the drivers for privacy policy compliance [4, 5, 8, 11], little is known about what happens afterwards. Persuading hospital employees to adhere to EMR privacy policy is of limited value if they subsequently eschew it and then return to risky non-compliance behaviors. One of the distinct aspects relating to the healthcare context is that the leaking of patients’ confidential medical information may cause greater risks than they may in other contexts [2]. Hence, to better understand what drives repeated compliance behavior, the incidence of previous adherence behavior may be inadequate, leaving a need to develop a more relevant model to find out those driven salient factors.
Research on repeated behavior indicates that both motivation and habit can play a role in continued compliance behavior [12,13,14,15]. Motivation has been identified as a key driver of general behavior [16], health behavior [17], and compliance behavior [13, 14]. Further, promoting habits requires a prior knowledge of the habit-formation process, but a paucity of privacy policy-compliance related habit formation literature exists since few studies have adequately investigated the relationship between motivation and habit [17].
Our aims in this study are therefore, based on both the motivational and habitual perspectives, to investigate the following research questions: (1) Does habit predict continuous EMR privacy policy compliance intention? And, (2) What are the motivational antecedents of habitual compliance? Knowledge about the impact and antecedents of habit is not only helpful in knowing how and why privacy compliance habits are formed, but it may also provide valuable guidelines on how to better develop hospital staff’s habit of continuance adherence to privacy policy in most cases.
Theoretical foundation and hypotheses
The theoretical foundation of our study is adapted from self-determination theory [18] and habit-related perspective [19]. Self-determination theory, one of the often-adopted theoretical frameworks within motivation research [20], differentiates between various types of motivation according to the different reasons or goals leading to a given action [18]. Among those motivations, self-determinant theory differentiates between two main types of motivation: (1) intrinsic motivation, and (2) extrinsic motivation [18]. Intrinsic motivation refers to undertaking a behavior because it is inherently enjoyable or interesting to do, while extrinsic motivation refers to doing something because it can result in a separable outcome [16]. Such intrinsic and extrinsic motivation when taken together affect an individual to undertake a particular behavior [21].
Habits are commonly considered to be “learned sequences of acts that become automatic responses to specific situations, which may be functional in obtaining certain goals or end states [19] (p.14).” Many behaviors that are of interest to individuals, especially when they are repeatedly and satisfactorily executed, may eventually become personal habits without extra cognitive processes having to take place [19]. Although some researchers hold that habits can be formed quickly, most studies argue that habit continuation requires a certain amount of repetition or practice to take place [22, 23]. As for the formation of habits, literature [24] suggests that a stable context which requires an individual’s minimal attention in responding to certain situations, is essential. Once a habit is shaped, an individual can then perform a behavior automatically [25].
By integration of the motivation perspective from the standpoint of self-determination theory and the habit perspective, we argued that full protection of EMR privacy can be achieved via hospital staff’s habitual compliance behavior. This is due in large part because significant amounts of patient information is accessible through even a single breach if hospital staff are habitually in non-compliance with stated privacy policy. Further, enhancement of the hospital staff’s motivation to act responsibly and accordingly is also required [26] so that both intrinsic and extrinsic motivation, based on self-determination theory, can thus be assumed as helpful in forming the hospital staff’s policy compliance intention.
Figure 1 depicts our proposed research model. The model proposes that both intrinsic motivation and extrinsic motivation can serve to motivate the hospital staff’s habit formation for adherence to EMR privacy policy. Intrinsic motivation includes satisfaction (referring to hospital staff’s feelings related to prior compliance experiences with stated privacy policy) and self-efficacy (referring to the extent to which hospital staff’s assurance of adherence to stated privacy policy is measured). Extrinsic motivation includes perceived and measurable usefulness (referring to the hospital staff’s perceptions of the benefits of adherence to stated privacy policy) and facilitating conditions (referring to the extent to which the hospital staff believes that resources such as EMR, related software, hardware, and procedures exist to support their compliance to stated privacy policy). If the hospital staff’s habits (measuring the degree to which hospital staff tends to regularly abide with stated privacy policy because of learning attended from prior policy compliance experience) regarding adherence to EMR privacy policy are formed, they are then expected to have continuous compliance intention of EMR privacy policy. Each construct investigated in our research model and hypotheses is discussed below.
The relationship between satisfaction and habit
Prior satisfaction experiences are an important condition for habit development as they will guide an individual’s dispositions to repeat the same action in order to attain his/her goal [22]. Therefore, if one has achieved his/her intended goals by undertaking a particular behavior and the experience turns out to be satisfactory, a repetition of the same action is more than likely [22, 27]. The higher the frequency, the stronger the habit [25]. Hospital staff members are requested to comply with a stated privacy policy when they become employed in hospitals, meaning they have the prior experience of adherence to privacy policy. If such an experience is pleasant, they are more likely to adhere to stated privacy policy repeatedly, which is necessary for developing a compliance habit. Evidence [23, 28, 29] supports this notion stating that satisfaction is positively linked with habit formation. It therefore follows that:
The relationship between self-efficacy and habit
Literature has regarded habit as an automatic behavioral tendency [30] and many actions occur without cognitive efforts [31]. Generally speaking, since an individual’s effort and time are limited resources, he/she may thus allocate such finite resources to differing activities. It may imply that one activity may be perceived as being easier to perform than another and is therefore more likely to be conducted by the individual. In the context of our study, if hospital staff possess a higher level of self-efficacy, it will be easier for him/her to comply with stated privacy policy. And, we expect such a high self-efficacy will finally result in the formation of his/her habit of repetitive adherence to privacy policy. A number of studies [32,33,34,35] have found a relationship between self-efficacy and policy compliance intention or continuance intention to protect security. Further, research on the role of self-efficacy [29] has suggested the importance of self-efficacy on forming habits. We therefore propose the following:
The relationship between perceived usefulness and habit
Davis [36] found that perceived usefulness significantly associated with individuals’ usage of information technology since users perceive that such utility will help them to attain the desired performance or goals they seek. The higher the perceived usefulness of compliance with stated privacy policy by hospital staff, the more likely the staff will take the same actions more often [22]. Associated feelings of achieving effective protection on patient privacy may then contribute to an increased level of perceived usefulness as the compliance behavior is performed frequently. Eventually, and as a result of simple repetitive behaviors, hospital staff may develop the habit of automatic adherence to stated privacy policy. Based on this argument, perceived usefulness could be an important antecedent in developing a hospital staff’s habit for adherence to stated privacy policy. Recent evidence suggests that the perceived security protection mechanism or perceived effectiveness, concepts that are akin to perceived usefulness of privacy policy in our study, are associated with policy compliance intention [37, 38]. Further, it is known that prior studies have suggested the relationship between perceived usefulness and habit [39, 40]. We therefore hypothesize the following:
The relationship between facilitating conditions and habit
Triandis [41] argued that behavior cannot happen if objective conditions in the environment are to discourage it. The purpose of these supporting resources is to remove any of the potential barriers hospital staff may face when they act according to privacy policy and to assist hospital staff in achieving the intended goal of protecting patients’ privacy. If facilitating conditions do not permit hospital staff to comply with privacy policy, they are unable to do so even if they perform the behavior habitually. With sufficient facilitating conditions present, adherence to stated privacy policy may thus likely become a matter of automatic responses from hospital staff since facilitating conditions provide for a stable context which can promote their habit formation [23]. Prior studies usually investigated the association between facilitating conditions and behavioral intention [15]. However, to the best of our knowledge, little attention has been paid to the examination of the relationship between facilitating conditions and the formation of habit. We expect the following hypothesis:
The relationship between habit and continuous privacy policy compliance intention
Habit-related research [15, 23, 29, 42] suggests that many actions performed by individuals occur without a conscious decision to act, and they are engaged in because individuals are simply used to performing them on a repetitive or continuous basis. In other words, these repeated behaviors are habitual [41]. Previous studies [28, 43, 44] have reported the link between habit and behavioral intention. Transferring the rationale from prior habitual studies to our given context, if prior experience of compliance with stated privacy policy becomes habitual in nature, hospital staff members will be more likely to adhere to some or all of the stated privacy policy in an unthinking, lock-step or rote manner. In light of the above expectations, we hypothesize as follows: