Skip to main content

Continuance compliance of privacy policy of electronic medical records: the roles of both motivation and habit



Hospitals have increasingly realized that wholesale adoption of electronic medical records (EMR) may introduce differential tangible/intangible benefits to them, including improved quality-of-care, reduced medical errors, reduced costs, and allowable instant access to relevant patient information by healthcare professionals without the limitations of time/space. However, an increased reliance on EMR has also led to a corresponding increase in the negative impact exerted via EMR breaches possibly leading to unexpected damage for both hospitals and patients. This study investigated the possible antecedents that will influence hospital employees’ continuance compliance with privacy policy of Electronic Medical Records (EMR). This is done from both motivational and habitual perspectives; specifically, we investigated the mediating role of habit between motivation and continuance compliance intention with EMR privacy policy.


Data was collected from a large Taiwanese medical center by means of survey methodology. A total of 312 responses comprised of various groups of healthcare professionals was collected and analyzed via structural equation modeling.


The results demonstrated that self-efficacy, perceived usefulness, and facilitating conditions may significantly predict hospital employees’ compliance habit formation, whereas habit may significantly predict hospital employees’ intention to continuance adherence to EMR privacy policy. Further, habit partially mediates the relationships between self-efficacy, perceived usefulness, facilitating conditions and continuance adherence intention.


Based on our findings, the study suggests that healthcare facilities should take measures to promote their employees’ habitualization with continuous efforts to protect EMR privacy parameters. Plausible strategies include improving employees’ levels of self-efficacy, publicizing the effectiveness of on-going privacy policy, and creating a positive habit-conducive environment leading to continued compliance behaviors.

Peer Review reports


It has been duly acknowledged that the adoption of electronic medical records (EMR), a collection of software functions commonly utilized in the delivery of directives for patient care, in the maintenance of patients’ medical records, and the distribution of laboratory testing or radiologic examinations results [1], can improve healthcare quality and decrease overall cost [2]. Via EMR, healthcare professionals can serve to inquire after patient information immediately without the limitations of time and space [3]. However, with the advent of a more accessible and comprehensive EMR system, a massive amount of medical records may become easily obtainable to both unauthorized and authorized users who are both inside and outside the healthcare facilities [4]. EMR are therefore potentially susceptible to security breaches which may lead to real patients’ privacy concerns [1]. Most reported privacy violations in healthcare facilities stem in fact from staff misuse or abuse of their privileged access status to patient records [5, 6].

There is a widely accepted knowledge as to the importance of employees’ compliance with organizational rules, procedures, and policies, all of which can be used to regulate employees’ accurate attitudes or behaviors regarding how organizational resources should be utilized [5, 7, 8]. Despite such evidence, employees often demonstrate not to abide by such prescriptive rules or policies. In reality, non-compliance to such stated policies may cause organizations significant reputational damage, remediation costs, or even subsequent penalties [9]. For many healthcare facilities, regulations have been purposefully mandated in order to secure patient information due to the increased digitization of patient records [10]. Healthcare facilities must therefore invest in how to effectively motivate employees to comply with stated policy and to secure EMR.

Although existing literature has significantly enhanced our understanding of the drivers for privacy policy compliance [4, 5, 8, 11], little is known about what happens afterwards. Persuading hospital employees to adhere to EMR privacy policy is of limited value if they subsequently eschew it and then return to risky non-compliance behaviors. One of the distinct aspects relating to the healthcare context is that the leaking of patients’ confidential medical information may cause greater risks than they may in other contexts [2]. Hence, to better understand what drives repeated compliance behavior, the incidence of previous adherence behavior may be inadequate, leaving a need to develop a more relevant model to find out those driven salient factors.

Research on repeated behavior indicates that both motivation and habit can play a role in continued compliance behavior [12,13,14,15]. Motivation has been identified as a key driver of general behavior [16], health behavior [17], and compliance behavior [13, 14]. Further, promoting habits requires a prior knowledge of the habit-formation process, but a paucity of privacy policy-compliance related habit formation literature exists since few studies have adequately investigated the relationship between motivation and habit [17].

Our aims in this study are therefore, based on both the motivational and habitual perspectives, to investigate the following research questions: (1) Does habit predict continuous EMR privacy policy compliance intention? And, (2) What are the motivational antecedents of habitual compliance? Knowledge about the impact and antecedents of habit is not only helpful in knowing how and why privacy compliance habits are formed, but it may also provide valuable guidelines on how to better develop hospital staff’s habit of continuance adherence to privacy policy in most cases.

Theoretical foundation and hypotheses

The theoretical foundation of our study is adapted from self-determination theory [18] and habit-related perspective [19]. Self-determination theory, one of the often-adopted theoretical frameworks within motivation research [20], differentiates between various types of motivation according to the different reasons or goals leading to a given action [18]. Among those motivations, self-determinant theory differentiates between two main types of motivation: (1) intrinsic motivation, and (2) extrinsic motivation [18]. Intrinsic motivation refers to undertaking a behavior because it is inherently enjoyable or interesting to do, while extrinsic motivation refers to doing something because it can result in a separable outcome [16]. Such intrinsic and extrinsic motivation when taken together affect an individual to undertake a particular behavior [21].

Habits are commonly considered to be “learned sequences of acts that become automatic responses to specific situations, which may be functional in obtaining certain goals or end states [19] (p.14).” Many behaviors that are of interest to individuals, especially when they are repeatedly and satisfactorily executed, may eventually become personal habits without extra cognitive processes having to take place [19]. Although some researchers hold that habits can be formed quickly, most studies argue that habit continuation requires a certain amount of repetition or practice to take place [22, 23]. As for the formation of habits, literature [24] suggests that a stable context which requires an individual’s minimal attention in responding to certain situations, is essential. Once a habit is shaped, an individual can then perform a behavior automatically [25].

By integration of the motivation perspective from the standpoint of self-determination theory and the habit perspective, we argued that full protection of EMR privacy can be achieved via hospital staff’s habitual compliance behavior. This is due in large part because significant amounts of patient information is accessible through even a single breach if hospital staff are habitually in non-compliance with stated privacy policy. Further, enhancement of the hospital staff’s motivation to act responsibly and accordingly is also required [26] so that both intrinsic and extrinsic motivation, based on self-determination theory, can thus be assumed as helpful in forming the hospital staff’s policy compliance intention.

Figure 1 depicts our proposed research model. The model proposes that both intrinsic motivation and extrinsic motivation can serve to motivate the hospital staff’s habit formation for adherence to EMR privacy policy. Intrinsic motivation includes satisfaction (referring to hospital staff’s feelings related to prior compliance experiences with stated privacy policy) and self-efficacy (referring to the extent to which hospital staff’s assurance of adherence to stated privacy policy is measured). Extrinsic motivation includes perceived and measurable usefulness (referring to the hospital staff’s perceptions of the benefits of adherence to stated privacy policy) and facilitating conditions (referring to the extent to which the hospital staff believes that resources such as EMR, related software, hardware, and procedures exist to support their compliance to stated privacy policy). If the hospital staff’s habits (measuring the degree to which hospital staff tends to regularly abide with stated privacy policy because of learning attended from prior policy compliance experience) regarding adherence to EMR privacy policy are formed, they are then expected to have continuous compliance intention of EMR privacy policy. Each construct investigated in our research model and hypotheses is discussed below.

Fig. 1
figure 1

Research model and hypotheses

The relationship between satisfaction and habit

Prior satisfaction experiences are an important condition for habit development as they will guide an individual’s dispositions to repeat the same action in order to attain his/her goal [22]. Therefore, if one has achieved his/her intended goals by undertaking a particular behavior and the experience turns out to be satisfactory, a repetition of the same action is more than likely [22, 27]. The higher the frequency, the stronger the habit [25]. Hospital staff members are requested to comply with a stated privacy policy when they become employed in hospitals, meaning they have the prior experience of adherence to privacy policy. If such an experience is pleasant, they are more likely to adhere to stated privacy policy repeatedly, which is necessary for developing a compliance habit. Evidence [23, 28, 29] supports this notion stating that satisfaction is positively linked with habit formation. It therefore follows that:

  • H1: A hospital staff’s level of satisfaction with prior compliance to privacy policy is positively associated with his/her personal habit formation.

The relationship between self-efficacy and habit

Literature has regarded habit as an automatic behavioral tendency [30] and many actions occur without cognitive efforts [31]. Generally speaking, since an individual’s effort and time are limited resources, he/she may thus allocate such finite resources to differing activities. It may imply that one activity may be perceived as being easier to perform than another and is therefore more likely to be conducted by the individual. In the context of our study, if hospital staff possess a higher level of self-efficacy, it will be easier for him/her to comply with stated privacy policy. And, we expect such a high self-efficacy will finally result in the formation of his/her habit of repetitive adherence to privacy policy. A number of studies [32,33,34,35] have found a relationship between self-efficacy and policy compliance intention or continuance intention to protect security. Further, research on the role of self-efficacy [29] has suggested the importance of self-efficacy on forming habits. We therefore propose the following:

  • H2: Self-efficacy will have a positive relationship with the formation of a hospital staff’s habit to continue compliance with stated privacy policy.

The relationship between perceived usefulness and habit

Davis [36] found that perceived usefulness significantly associated with individuals’ usage of information technology since users perceive that such utility will help them to attain the desired performance or goals they seek. The higher the perceived usefulness of compliance with stated privacy policy by hospital staff, the more likely the staff will take the same actions more often [22]. Associated feelings of achieving effective protection on patient privacy may then contribute to an increased level of perceived usefulness as the compliance behavior is performed frequently. Eventually, and as a result of simple repetitive behaviors, hospital staff may develop the habit of automatic adherence to stated privacy policy. Based on this argument, perceived usefulness could be an important antecedent in developing a hospital staff’s habit for adherence to stated privacy policy. Recent evidence suggests that the perceived security protection mechanism or perceived effectiveness, concepts that are akin to perceived usefulness of privacy policy in our study, are associated with policy compliance intention [37, 38]. Further, it is known that prior studies have suggested the relationship between perceived usefulness and habit [39, 40]. We therefore hypothesize the following:

  • H3: Perceived usefulness is positively associated with hospital staff’s habit of adherence to stated privacy policy.

The relationship between facilitating conditions and habit

Triandis [41] argued that behavior cannot happen if objective conditions in the environment are to discourage it. The purpose of these supporting resources is to remove any of the potential barriers hospital staff may face when they act according to privacy policy and to assist hospital staff in achieving the intended goal of protecting patients’ privacy. If facilitating conditions do not permit hospital staff to comply with privacy policy, they are unable to do so even if they perform the behavior habitually. With sufficient facilitating conditions present, adherence to stated privacy policy may thus likely become a matter of automatic responses from hospital staff since facilitating conditions provide for a stable context which can promote their habit formation [23]. Prior studies usually investigated the association between facilitating conditions and behavioral intention [15]. However, to the best of our knowledge, little attention has been paid to the examination of the relationship between facilitating conditions and the formation of habit. We expect the following hypothesis:

  • H4: Facilitating conditions will have a positive relationship with the formation of a hospital staff’s habit to continuously compliance with stated privacy policy.

The relationship between habit and continuous privacy policy compliance intention

Habit-related research [15, 23, 29, 42] suggests that many actions performed by individuals occur without a conscious decision to act, and they are engaged in because individuals are simply used to performing them on a repetitive or continuous basis. In other words, these repeated behaviors are habitual [41]. Previous studies [28, 43, 44] have reported the link between habit and behavioral intention. Transferring the rationale from prior habitual studies to our given context, if prior experience of compliance with stated privacy policy becomes habitual in nature, hospital staff members will be more likely to adhere to some or all of the stated privacy policy in an unthinking, lock-step or rote manner. In light of the above expectations, we hypothesize as follows:

  • H5: Hospital staff’s continuous intention to gain adherence with stated privacy policy is positively associated with their habits regarding compliance with privacy policy.



In Taiwan, hospitals are usually divided into three major categories based on given characteristics of size: medical centers, regional hospitals, and district hospitals. Totally, the number of medical centers, regional hospitals, and district hospitals in Taiwan are about 19, 80, and 308, respectively [45]. Most of the three types of hospitals have utilized some form of EMR due to efforts to improve EMR adoption promoted by the Ministry of Health and Welfare in Taiwan. Medical centers, however, implement more comprehensive EMR systematization and have wider application of EMR than regional and district hospitals due to appreciable organizational resources. We therefore surveyed hospital staff from a medical center of 1300-beds serving nearly 5000 outpatients daily located in southern Taiwan. The subject hospital has about 3511 employees including 3020 healthcare professionals and 491 administrative staff. The subject hospital was chosen because of two major considerations: (1) The subject hospital is equipped with well-established EMRs systems aimed at providing patients with high quality healthcare services; and, (2) The subject hospital was regarded as being rather proactive in their use of EMR in terms of overall internal EMR utilization and the amount of EMR exchanged with external healthcare facilities [46]. Both reasons made the chosen hospital suitable for use in the study of EMR privacy protecting issues.


Our study used a cross-sectional design, and survey methodology was adopted to collect data. Since most violations of patient privacy in healthcare facilities stem from staff misuse or abuse of the privileged right to access patient records [5, 6], hospital employees (i.e., healthcare professionals and administrative staff) who are granted access EMR must still be regarded as potential threats capable of jeopardizing EMR privacy. Among 3511 employees involved as part of this study, about 2800 healthcare professionals and 100 administrative staff were actually authorized to access EMR. Considering the heavy workload of hospital staff, a census of all eligible employees is unfeasible, we therefore adopted convenience sampling to collect relevant data. We appointed a coordinator for the departments whose staff members maintain access to EMR systems in order to assist questionnaire administration. Recruitment of hospital employees was voluntarily and guaranteed anonymity to participate in the survey. Ethical approval from the subject hospital was sought and then acquired prior to the eventual administration of the survey.


Our study used paper-and-pencil questionnaires for purposes of data collection. Following Churchill’s [47] suggestions for scale development, we adapted questionnaire items from existing validated scales in the extant literature in order to establish an initial item pool for each construct. Since adapted items were not originally designed for use in a healthcare context, we modified subsequent items to fit within an EMR setting. For example, an item for measuring perceived usefulness was, ‘Overall, I find the electronic mail system useful in my job.’ We changed this item to read, ‘Overall, compliance with EMR privacy policy is advantageous.’ An expert panel, consisting of one professor specializing in healthcare information management and two experienced EMR experts, reviewed postulated items to appraise their content validity. A few equivocal words were modified per the recommendations proposed by the panel in order to remove any possible misunderstandings during survey administration. In this questionnaire, all the items, with the exception of items pertaining to demographic information, were measured using a seven-point Likert scale, ranging from 1, representing “strongly disagree,” to 7, representing “strongly agree.” Composite reliability and Cronbach’s α were used to assess the reliability while discriminant validity and convergent validity were adopted to evaluate validity [48, 49].

The instrument for satisfaction was measured using four items adapted from [50]; whereas, the measurement scale for self-efficacy was measured using four items adapted from Taylor and Todd [51]. Perceived usefulness and facilitating conditions were measured using three items and four items adapted from Davis [36] and Taylor and Todd [51], respectively. Habit was measured by three items adapted from Limayem and Cheung [52]. Continuance intention to comply with privacy policy was measured with three items adapted from Bhattacherjee [50]. A pilot test was then conducted on 20 hospital staff members. Further modification to words and phrasing was made to the suggested items, leading to a final questionnaire justified for further testing. Appendix shows the final survey items as it was used in our study.

Statistical analysis

Partial least squares (PLS), a distribution-free analytic method [49], was used for purposes of data analysis because the collected data did not follow a normal distribution (p < .001) to some extent subsequent to a Kolmogorov-Smirnov test. We utilized R software version 3.5.1 [53], with both plspm version 0.4.9 and semPLS version 1.0–10 package [54, 55], to assess the measurement model (i.e., dealing with the relationships between the observed variables and the latent variables) and the structural model (i.e., dealing with the relationships between the exogenous and endogenous variables) of PLS, respectively. In order to obtain the scores of the latent variables for subsequent use of measurement and in the structural model, their associated observed variables are weighted and summed by PLS [55]. Further, the RMediation version 1.1.4 [56] package was used to assess the mediation effect of habit.


Respondent characteristics

Among the 2900 eligible hospital employees from differing participative units, we dispensed 350 questionnaires to those units that were willing to take part in our survey. From January 1st to January 31st, 2016, totally, 320 responses were collected, showing a response rate of 93.33%. Excluding eight unusable responses due to the presence of incomplete answers, 312 useful responses remained for subsequent analysis. Of the 312 valid responses, 56.78% of the given responses were from female respondents and 43.27% were from males. Nearly 75% of the respondents were aged 30–49 years old. Further, most of the respondents were university- or graduate school-educated (94.87%). Physicians and administrative staff together comprised the largest group of participants (51.92%), and over 58.33% of respondents claimed of having more than 10 years of healthcare-related work experience. Further, all respondents reported to understand the connation of EMR privacy policy, with 36.54% of respondents being not very sure about the particular contents of such stated policy in their facility. Respondents’ demographic information is provided in Table 1.

Table 1 Respondent characteristics

Measurement model assessment

In PLS, the measurement model assesses the reliability and the validity of measures taken [48, 49]. Literature suggests reliability can be evaluated via composite reliability or Cronbach’s α [49]. In our study, both the values of composite reliability and Cronbach’s α of all constructs (see Table 2) were larger than the suggested value of 0.7 [49], thus demonstrating sufficient reliability being present.

Table 2 Descriptive statistics, reliability, and validity of constructs

As for validity, convergent validity and discriminant validity are commonly assessed in terms of PLS [49]. Table 3 shows that all items in our study loaded highly on the postulated factors and had factor loadings greater than 0.7 [49]. Regarding the validity of construct level, the constructs used in this study had a value of average variance extracted higher than 0.5 [48], indicating sufficient convergent validity (see Table 2). Further, the squared root of average variance extracted for each construct was larger than the correlation coefficients of the specific construct with any other constructs in the proposed model, also demonstrating adequate discriminant validity [48].

Table 3 Factor loadings of constructs

Several correlations between constructs are higher than 0.7 (see Table 2), but they are still lower than 0.85, which may indicate the presence of a collinearity issue [57]. To avoid the possible influence of collinearity, we further checked for the issue and the results demonstrated that the tolerance value of each construct investigated ranges from 0.15–0.64, showing that collinearity should not become an issue in this study [49].

Structural model assessment

After assessing the measurement model, we then validated the hypotheses by inspecting the structural model. A bootstrapping procedure was adopted to assess the statistical significance of each path coefficient. Figure 2 demonstrated the structural model results. The five postulated hypotheses were all supported with correct signs, with the exception being Hypothesis 1. Contrary to our expectation that satisfaction did not predict habit, Hypothesis 1 was not supported (p = 0.193). Hypothesis 2 suggests a positive association of self-efficacy with habit, and we find support for this association (β = 0.23, p < .001). Hypothesis 3 posits that perceived usefulness significantly associates with habit. This was confirmed with a significant and a positive path coefficient (β = 0.23, p < .001). Regarding the role of facilitating conditions, Hypothesis 4 posits a positive relation between facilitating conditions and habit. The path coefficient (β = 0.41, p < .001) from facilitating conditions to habit was significant and positive, supporting Hypothesis 4. Finally, Hypothesis 5 posits that habit predicts continuance intention to comply with privacy policy. The path coefficient from habit to continuous intention was significant and positive (β = 0.84, p < .001), thus Hypothesis 5 was supported. Overall, about 75.48 and 70.95% of the variance of the habit and behavioral intention to continuous compliance with privacy policy can be accounted by the research model. Table 4 presents the structural model results with path coefficient, t value, and p value.

Fig. 2
figure 2

Structural model results

Table 4 Structural model results

In addition to testing the proposed hypotheses, we further examined the PLS structural model with three widely adopted criteria, namely the predictive relevance Q2, the q2 and the f2 effect size [49]. The Q2 value of habit was 0.64, showing the structural model had predictive relevance for this construct [49]. Further, the relative impact of predictive relevance (q2) of satisfaction, self-efficacy, perceived usefulness, and facilitating conditions was − 0.015, 0.042, 0.038, and 0.128, respectively. These q2 sizes were deemed small according the criteria suggested by the literature [49]. Finally, the exogenous constructs of satisfaction, self-efficacy, perceived usefulness, and facilitating conditions for explaining the endogenous construct habit have f2 effect sizes of 0.005, 0.070, 0.238, and 0.066, respectively. According to their effect sizes, these facilitating conditions had a medium effect size (f2 = 0.238), as well as possessing small predictive relevance (q2 = 0.128) [49]. Both self-efficacy and perceived usefulness were seen to have a small effect size and a small amount of predictive relevance. Satisfaction had the smallest effect size and also the smallest amount of predictive relevance in our study.

Assessment of the mediation effect of habit

We followed suggested methodology steps [56] for establishing the mediation effect of habit. As shown in Table 5, habit was seen to significantly mediate among all the relationships besides the suggested relationship between satisfaction and continuance intention. The type of mediation found is a form of partial mediation for the relationships between self-efficacy, facilitating conditions, perceived usefulness and continuous intention to comply with privacy policy (see Table 5).

Table 5 Results of mediation analysis


Prior research has argued the importance of protecting patient privacy as an important step in implementing successful EMR in healthcare facilities [1], and a privacy policy should be designed to fulfill this goal. Through compliance with a stated privacy policy, employees of these healthcare facilities can effectively protect the privacy of the patients. Despite several studies which have investigated the determinants of adherence to a privacy policy [4, 5, 8, 11, 58], patient privacy and the ultimate success of EMR remain dependent on continuance protection rather than on one time protection. Surprisingly, prior to this particular study, little, if any, effort has been made to fill this gap in the literature.

The primary purposes of our study were to understand the drivers of continuance intention of privacy policy compliance from both motivational and habitual perspectives. We proposed that continuous intention is driven by a hospital staff’s habit formation, which in turn is motivated by satisfaction, self-efficacy, perceived usefulness, and facilitating conditions. Overall, we found that habit is a key element to positively predicting the continuous intention of hospital staff’s adherence to privacy policy, and habit can be formed through both extrinsic and intrinsic motivations. We identified three significant motivational antecedents of habit to be self-efficacy, perceived usefulness, and facilitating conditions. By comparing the importance of the three antecedents to habit development, facilitating conditions are seen to play a primary role, followed by self-efficacy, and then by perceived usefulness. Satisfaction, contrary to our expectation, was not considered as a significant antecedent of habit. Several academic and practical implications can be derived from our findings.

Academic implications

Based on the reported findings, we would propose several points that might be worthy of consideration for further theory development. First, the literature [59] has considered continuance behavior (or, repeat behavior) to be guided by an individual’s cognitive process. Hence, much effort is devoted to explaining continuance intention directly from these perspectives, such as perceived usefulness, satisfaction, etc. However, as EMR becomes more prevalent among healthcare facilities, and thus healthcare professionals can access EMR anywhere and at any time without much involved cognitive process, habit may play a significantly larger role in protecting patient privacy. We therefore hope that our study will contribute towards future development of habit formation to ensure patient privacy protection in EMR usage.

Second, the significant antecedents of habit formation are found to include perceived usefulness, facilitating conditions, and self-efficacy; and, they are ranked in importance as follows: facilitating conditions, self-efficacy, and perceived usefulness. It implies that facilitating conditions are the most important determinant of habit formation. Prior literature [15, 22, 25, 60] asserts that intrinsic motivation overpowers extrinsic motivation. Interestingly, our study determined that extrinsic motivation (facilitating conditions) outweighs intrinsic motivation (self-efficacy). A possible explanation for such a finding may be due to the purposes of such behavioral intention being either egoistical or altruistic in nature. In our study, the ultimate purpose of adherence to privacy policy is to directly protect patients’ information, while prior studies [15, 22, 25] are primarily related to providing protection for themselves.

Third, habit cannot be determined by means of satisfaction, a finding that is not in line with prior evidence [23, 28, 29]. One plausible explanation for this occurrence might be that any existence of a privacy policy may impose significant burdens on hospital staff to maintain a compliant position, which is therefore less likely to positively form their habits. Further, compliance to stated privacy policy may not bring about expected rewards that would lead to the satisfaction of hospital staff as product or service consumption might evince [61].

Fourth, the inclusion of facilitating conditions and self-efficacy in our model has provided additional perspectives. Facilitating conditions and self-efficacy are usually considered before a behavior is conducted in terms of other behavioral theory [51]. The inclusion of these two variables in our model has allowed a broader picture of hospital staff’s perceptions in the post-behavioral phase, and it has created a richer understanding of their continuance intentions.

Practical implications

The introduction of EMR may put hospital managers in situations where they must directly confront the important issue of patient privacy-protection. We hold that hospital managers may profit from knowing the influence of habit and the motivations of habit formation when encountering situations that call for continuance protection of EMR privacy. Knowing the influence of habit and the motivations of habit formation will not only force hospital managers to inspect whether or not to encourage the habitualization of EMR privacy-protection, but it will also help them to take proper actions for creating a more habit-conducive environment. First of all, we found that self-efficacy predicts the formation of a privacy-protection habit among hospital staffers. This finding may suggest that managers can launch EMR privacy-protection training programs to equip hospital staff with required knowledge, skills, or tools deemed necessary for their adherence to a stated privacy policy. Second, the significant result of perceived usefulness may also imply that the above privacy-protection training programs may focus on cultivating a perception that privacy policy is an effective means of protecting EMR privacy. Third, facilitating conditions is also a key to privacy-protection habit development. This finding may imply that hospital management should ensure all the required resources (i.e., hardware, software, and codified procedures) are in place for hospital staff to protect the privacy of patient and EMR facility. Further, any changes in EMR-related hardware, software, or codified procedures should not make hospital staff feel a huge difference has transpired. Otherwise, the formation of privacy-protection habit may not be immediately possible.

Several limitations should be noted in our study. First, the data was collected from only one Taiwanese medical center without comprising samples from other hospitals. Hence, the generalizability of our finding may in fact be limited. Further, in order to avoid any interruption of patient-care activities, the survey used a self-reporting method to investigate behavioral intention among staff rather than through direct observation or through the recording of participants’ actual compliance behavioral patterns. Future research can therefore examine the issue in order to better realize the associations among these investigated constructs examined as part of this study.


By integrating both motivation and habitual perspectives, our study presented and then empirically verified a model used to examine continuous compliance with EMR privacy policies by hospital employees. Motivations including self-efficacy, perceived usefulness, and facilitating conditions are significant predictors of compliance habits; and, habits, in their turn, may significantly predict hospital staff’s continuance compliance intention. We also found that habit is a partial mediator between motivations and continuance compliance intention.

Our study findings may contribute to the body of knowledge in several ways. Firstly, our study adds to the existing literature of EMR privacy policy by harmonizing motivational and habitual perspectives, which may lay a theoretical foundation useful in investigating continuous compliance intentions to stated privacy policy. Second, our study proved that habit may also be regarded as a mediator of intrinsic and extrinsic motivations. Such a mediating effect of habit may yield a differing, nevertheless, useful perspective towards our understanding of continuous behaviors pertinent to overall privacy-policy adherence issues. Third, the findings of our study also proposed suggestions for health authorities and hospitals useful to foster effective strategies necessary to improve hospital staff’s continuous adherence to privacy policy in order to secure the overall safety of and responsible access to EMR.



Electronic medical records




Probability value


Partial least squares


Standard deviation


Standard error


t statistics


Path coefficient


  1. Kuo KM, Ma CC, Alexander JW. How do patients respond to violation of their information privacy? Health Inf Manag J. 2014;43(2):23–33.

    Article  Google Scholar 

  2. Anderson CL, Agarwal R. The digitization of healthcare: boundary risks, emotion, and consumer willingness to disclose personal health information. Inform Syst Res. 2011;22(3):469–90.

    Article  Google Scholar 

  3. Zhou L, Soran CS, Jenter CA, Volk LA, Orav EJ, Bates DW, et al. The relationship between electronic health record use and quality of care over time. J Am Med Inform Assn. 2009;16(4):457–64.

    Article  Google Scholar 

  4. Sher ML, Talley PC, Yang CW, Kuo KM. Compliance with electronic medical records privacy policy: an empirical investigation of hospital information technology staff. Inquiry-J Health Car. 2017;54:1–12.

    Article  Google Scholar 

  5. Foth M. Factors influencing the intention to comply with data protection regulations in hospitals: based on gender differences in behaviour and deterrence. Eur J Inf Syst. 2016;25(2):91–109.

    Article  Google Scholar 

  6. U.S. Department of Health & Human Services. Standards for privacy of individually identifiable health information. In: Department of Health & Human Services, editor. Washington, DC: U.S. Department of Health & Human Services; 2017.

    Google Scholar 

  7. D’Arcy J, Devaraj S. Employee misuse of information technology resources: testing a contemporary deterrence model. Decision Sci. 2012;43(6):1091–124.

    Article  Google Scholar 

  8. Ma CC, Kuo KM, Alexander JW. A survey-based study of factors that motivate nurses to protect the privacy of electronic medical records. BMC Med Inform Decis Mak. 2016;16:13.

    Article  PubMed  PubMed Central  Google Scholar 

  9. Kwon J, Johnson ME. Health-care security strategies for data protection and regulatory compliance. J Manage Inform Syst. 2013a;30(2):41–66.

    Article  Google Scholar 

  10. Congress of United States of America, editor. Health insurance portability and accountability act. In: Congress of United States of America, editor. Washington, DC: Congress of United States of America. p. 1996.

  11. Sher ML, Talley PC, Cheng TJ, Kuo KM. How can hospitals better protect the privacy of electronic medical records? Perspectives from staff members of health information management departments. Health Inf Manag J. 2017;46(2):87–95.

    Article  Google Scholar 

  12. Chang CC, Liang C, Yan CF, Tseng JS. The impact of college students’ intrinsic and extrinsic motivation on continuance intention to use english mobile learning systems. Asian-Pac Educ Research. 2013;22(2):181–92.

    Article  Google Scholar 

  13. Dwenger N, Kleven H, Rasul I, Rincke J. Extrinsic and intrinsic motivations for tax compliance: evidence from a field experiment in Germany. Am Econ J Econ Polic. 2016;8(3):203–32.

    Article  Google Scholar 

  14. Henshaw H, McCormack A, Ferguson MA. Intrinsic and extrinsic motivation is associated with computer-based auditory training uptake, engagement, and adherence for people with hearing loss. Front Psychol. 2015;6:1067.

    Article  PubMed  PubMed Central  Google Scholar 

  15. Limayem M, Hirt SG. Force of habit and information systems usage: theory and initial validation. J Assoc Inf Syst. 2003;4(1):65–97.

    Google Scholar 

  16. Ryan RM, Deci EL. Intrinsic and extrinsic motivations: classic definitions and new directions. Contemp Educ Psychol. 2000;25(1):54–67.

    Article  CAS  PubMed  Google Scholar 

  17. Gardner B, Lally P. Does intrinsic motivation strengthen physical activity habit? Modeling relationships between self-determination, past behaviour, and habit strength. J Behav Med. 2013;36(5):488–97.

    Article  PubMed  Google Scholar 

  18. Deci EE, Ryan RM. Intrinsic motivation and self-determination in human behavior. Perspectives in social psychology. New York: Plenum Press; 1985.

    Book  Google Scholar 

  19. Verplanken B, Aarts H. Habit, attitude, and planned behaviour: is habit an empty construct or an interesting case of goal-directed automaticity? Eur Rev Soc Psychol. 1999;10(1):101–34.

    Article  Google Scholar 

  20. Wu J, Lu X. Effects of extrinsic and intrinsic motivators on using utilitarian, hedonic, and dual-purposed information systems: a meta-analysis. J Assoc Inf Syst. 2013;14(3):Article 1.

    Google Scholar 

  21. Venkatesh V, Speier C. Computer technology training in the workplace: a longitudinal investigation of the effect of mood. Organ Behav Hum Dec. 1999;79(1):1–28.

    Article  CAS  Google Scholar 

  22. Aarts H, Paulussen T, Schaalma H. Physical exercise habit: on the conceptualization and formation of habitual health behaviours. Health Educ Res. 1997;12(3):363–74.

    Article  CAS  PubMed  Google Scholar 

  23. Limayem M, Hirt SG, Cheung CMK. How habit limits the predictive power of intention the case of information systems continuance. Mis Quart. 2007;31(4):705–37.

    Article  Google Scholar 

  24. Ouellette JA, Wood W. Habit and intention in everyday life: the multiple processes by which past behavior predicts future behavior. Psychol Bull. 1998;124(1):54–74.

    Article  Google Scholar 

  25. Aarts H, Dijksterhuis A. Habits as knowledge structures: automaticity in goal-directed behavior. J Pers Soc Psychol. 2000;78(1):53–63.

    Article  CAS  PubMed  Google Scholar 

  26. Puhakainen P, Siponen M. Improving employees’ compliance through information systems security training: an action research study. Mis Quart. 2010;34(4):767–78.

    Article  Google Scholar 

  27. Charng HW, Piliavin JA, Callero PL. Role identity and reasoned action in the prediction of repeated behavior. Soc Psychol Quart. 1988;51(4):303–17.

    Article  Google Scholar 

  28. Turel O. Quitting the use of a habituated hedonic information system: a theoretical model and empirical examination of facebook users. Eur J Inform Syst. 2015;24(4):431–46.

    Article  Google Scholar 

  29. Wang C, Harris J, Patterson P. The roles of habit, self-efficacy, and satisfaction in driving continued use of self-service technologies. J Serv Res-US. 2013;16(3):400–14.

    Article  Google Scholar 

  30. Verplanken B, Aarts H, Van Knippenberg A. Habit, information acquisition, and the process of making travel mode choices. Eur J Soc Psychol. 1997;27(5):539–60.

    Article  Google Scholar 

  31. Verplanken B. Beyond frequency: habit as mental construct. Brit J Soc Psychiat. 2006;45(3):639–56.

    Article  Google Scholar 

  32. Boss SR, Galletta DF, Benjamin Lowry P, Moody GD, Polak P. What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. Mis Quart. 2015;39(4):837–64.

    Article  Google Scholar 

  33. Siponen M, Adam Mahmood M, Pahnila S. Employees’ adherence to information security policies: an exploratory field study. Inform Manage. 2014;51(2):217–24.

    Article  Google Scholar 

  34. Vance A, Siponen M, Pahnila S. Motivating is security compliance: insights from habit and protection motivation theory. Inform Manage. 2012;49(3–4):190–8.

    Article  Google Scholar 

  35. Warkentin M, Johnston AC, Shropshire J, Barnett WD. Continuance of protective security behavior: a longitudinal study. Decis Supp Syst. 2016;92:25–35.

    Article  Google Scholar 

  36. Davis FD. Perceived usefulness, perceived ease of use, and user acceptance of information technology. Mis Quart. 1989;13(3):319–40.

    Article  Google Scholar 

  37. Herath T, Rao HR. Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decis Supp Syst. 2009;47(2):154–65.

    Article  Google Scholar 

  38. Zhang J, Reithel BJ, Li H. Impact of perceived technical protection on security behaviors. Inform Manage Comput Secur. 2009;17(4):330–40.

    Article  Google Scholar 

  39. Barnes SJ. Understanding use continuance in virtual worlds: empirical test of a research model. Inform Manage. 2011;48(8):313–9.

    Article  Google Scholar 

  40. Hsiao CH, Chang JJ, Tang KY. Exploring the influential factors in continuance usage of mobile social apps: satisfaction, habit, and customer value perspectives. Telemat Inform. 2016;33(2):342–55.

    Article  Google Scholar 

  41. Triandis HC, editor. Values, attitudes, and interpersonal behavior Nebraska Symposium on Motivation; 1980; Lincoln, NE: University Nebraska Press.

  42. Bhattacherjee A, Lin CP. A unified model of it continuance: three complementary perspectives and crossover effects. Eur J Inf Syst. 2015;24(4):364–73.

    Article  Google Scholar 

  43. Chiu CM, Hsu MH, Lai H, Chang CM. Re-examining the influence of trust on online repeat purchase intention: the moderating role of habit and its antecedents. Decis Supp Syst. 2012;53(4):835–45.

    Article  Google Scholar 

  44. Lee MKO, Cheung CMK, Chen ZH. Acceptance of internet-based learning medium: the role of extrinsic and intrinsic motivation. Inform Manage. 2005;42(8):1095–104.

    Article  Google Scholar 

  45. Joint Commission of Taiwan. List of qualified accreditation hospitals and teaching hospitals by the ministry of health and welfare from 2011 to 2015. 2016. Accessed 7 May 2016.

  46. Ministry of Health and Welfare. Bulletin of emrs adoption. 2017. Accessed 7 May 2017.

  47. Churchill GA Jr. A paradigm for developing better measures of marketing constructs. J Marketing Res. 1979;16(1):64–73.

    Article  Google Scholar 

  48. Fornell C, Larcker DF. Evaluating structural equation models with unobservable variables and measurement error. J Marketing Res. 1981;18(1):39–50.

    Article  Google Scholar 

  49. Hair JF, Hult GTM, Ringle CM, Sarstedt M. A primer on partial least squares structural equation modeling (pls-sem). Thousand Oaks: Sage; 2014.

    Google Scholar 

  50. Bhattacherjee A. Understanding information systems continuance: an expectation-confirmation model. Mis Quart. 2001;25(3):351–70.

    Article  Google Scholar 

  51. Taylor S, Todd PA. Understanding information technology usage - a test of competing models. Inform Syst Res. 1995;6(2):144–76.

    Article  Google Scholar 

  52. Limayem M, Cheung CMK. Understanding information systems continuance: the case of internet-based learning technologies. Inform Manage. 2008;45(4):227–32.

    Article  Google Scholar 

  53. R Core Team. R: a language and environment for statistical computing. Vienna: R Foundation for Statistical Computing; 2018.

    Google Scholar 

  54. Monecke A, Leisch F. Sempls: structural equation modeling using partial least squares. J Stat Softw. 2012;48(3).

  55. Sanchez G. Pls path modeling with r. Berkeley: Trowchez ed; 2013.

    Google Scholar 

  56. Tofighi D, Rmediation MKDP. An r package for mediation analysis confidence intervals. Behav Res Methods. 2011;43(3):692–700.

    Article  PubMed  PubMed Central  Google Scholar 

  57. Kline RB. Principles and practice of structural equation modeling. In: Methodology in the social sciences. 2nd ed. New York: The Guilford Press; 2005.

    Google Scholar 

  58. Kuo KM, Talley PC, Hung MC, Chen YL. A deterrence approach to regulate nurses’ compliance with electronic medical records privacy policy. J Med Syst. 2017;41(12):198.

    Article  PubMed  Google Scholar 

  59. Ayanso A, Herath TC, O'Brien N. Understanding continuance intentions of physicians with electronic medical records (emr): an expectancy-confirmation perspective. Decis Supp Syst. 2015;77:112–22.

    Article  Google Scholar 

  60. Judson TJ, Volpp KG, Detsky AS. Harnessing the right combination of extrinsic and intrinsic motivation to change physician behavior. JAMA. 2015;314(21):2233–4.

    Article  CAS  PubMed  Google Scholar 

  61. Oliver RL. A cognitive model of the antecedents and consequences of satisfaction decisions. J Marketing Res. 1980;17(4):460–9.

    Article  Google Scholar 

Download references


Not applicable


This work has been supported by the Ministry of Science and Technology (Grant no. MOST-104-2410-H-214-007), Taiwan, R.O.C.

Availability of data and materials

The anonymous datasets from the present study are available from the corresponding author on reasonable request. No identifying/confidential patient data were collected.

Author information

Authors and Affiliations



KMK conceived of this study and participated in the design and administration of the study. KMK, YCC, and CHH drafted the manuscript and performed the statistical analysis. PCT reviewed the manuscript at several stages of in the process, providing feedback and relevant suggestions. KMK and YCC contributed equally to this work. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Chi Hsien Huang.

Ethics declarations

Ethics approval and consent to participate

The study was conducted with an approval by the Institutional Review Board (IRB) of Chi-Mei Medical Center, Taiwan. The IRB waived the mandate for obtaining a written informed consent from subjects. Participants were provided with an information sheet which detailed relevant information about the study, potential benefits and risks of participation in this study, the opportunity and means to ask questions, and also the options regarding voluntary agreement to participate in this study. Verbal consent was then requested prior to commencement of the survey. This study was provided as an anonymous survey of adults over the age of 20 for which no personal, identifiable information was collected.

Consent for publication

The manuscript does not contain any individual’s data in any form.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.



Table 6. Questionnaire. The questionnaire used in this study

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (, which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The Creative Commons Public Domain Dedication waiver ( applies to the data made available in this article, unless otherwise stated.

Reprints and Permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Kuo, K.M., Chen, Y.C., Talley, P.C. et al. Continuance compliance of privacy policy of electronic medical records: the roles of both motivation and habit. BMC Med Inform Decis Mak 18, 135 (2018).

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: