Abstract
Aim
Data-protection regulations in German hospitals, based on data-protection laws and internal regulations, must be complied with and taken into account in daily work. However, these regulations are not always respected, as evidenced by the data-protection scandals in Germany of recent years.
Subjects and methods
In a 2010 survey, data was collected from 557 individuals including administrative staff, nursing staff, physicians, physicians with scientific/research-based work and other health professionals of 26 hospitals in Germany to analyze the factors of relevance with regard to data-protection compliance.
Results
Hospital staff's acceptance of data-protection regulations is significantly influenced by subjective values and personal attitudes. Significant differences related to the acceptance of data-protection rules and regulations can be found in gender or type of hospital. The results show that employees consider rules and regulations to be necessary and important. However, damage caused by data security breaches, and the likelihood that they will occur, are considered to be less significant. A large impact on individual data-protection compliance can be reported in the subjective norm, which is influenced by the effect of close colleagues and superiors.
Conclusion
The results of this study have practical implications that can lead to a high degree of data-protection compliance in the future. Aspects deserving future investigation are discussed, in particular possible explanations for the differences in data-protection behavior among the various occupational groups in hospitals. Men and women exhibit very different levels of data-protection acceptance, so future efforts to increase sensitivity and awareness of data-protection issues in employees require gender-specific approaches. Another issue that merits investigation is the source of the influence of hospital type on data-protection compliance.
Notes
Sensitive data according to the Federal Data Protection Act (BDSG) Part 3, Chapter 9, Section 42a
Current publications of data-protection scandals found at www.datenschutzskandale.de and www.projekt-datenschutz.de (in German)
Together with the new building complex at the University Clinic Eppendorf, a modernized system was introduced for patient administration. Complete details regarding the medical history of prominent patients were made available to a large number of the 5,800 members of staff. Hamburger Morgenpost (2009a).
Sensitive patient data from numerous German hospitals surfaced in a warehouse in Leipzig, which was easily accessible by unauthorized persons. Some data was made public via the Internet and remained available for many hours. This involved hospitals in Minden and Karlsruhe, and clinics in Offenbach and Hofgeismar. Hamburger Morgenpost (2009b).
Two hard drives containing sensitive patient data went missing from Märkischen clinics (Lüdenscheid). A data storage device was found by a passerby in the Iserlohn inner city. Der Westen (2009).
The insurance provider DAK transmitted 200,000 data sets with sensitive health information to the private company Healthways, which contacted chronically ill patients on behalf of the health insurance fund. Conversations with 40,000 patients from Bayern and Baden-Württemberg were conducted from a call center in Berlin. Focus online (2008).
In at least two cases, health insurance companies were supposed to have sold data to a privately held insurance company so that the buying company could offer additional insurance. Augsburger Allgemeine (2009).
BDSG Amendment I: BT-Drs. versions 16/10529 and 16/10581 with changes made to BT-Drs. 16/13219; effective on 1 April 2010; BDSG-Amendment II: BT-Drs., version 16/12011 with the changes from BT-Drs. 16/13657; effective on 1 September 2009 with transitional regulations in Section 47, BDSG-Amendment III: BR-Drs. version 639/09; Parliament approval on 2 July 2009; effective on 11 June 2010
Cf. StGB (German Penal Code) Section 203, Ch. 3
Art. 1: (1) Human dignity shall be inviolable. To respect and protect it shall be the duty of all state authorities.
GG Art. 2 Paragraph 1: Every person shall have the right to free development of his personality insofar as he does not violate the rights of others or offend against the constitutional order or the moral law.
BDSG Section 1: Purpose and Scope, paragraph 3: Where other federal laws apply to personal data and their publication, they shall take precedence over the provisions of this Act. The obligation to abide by legal obligations of secrecy or professional or special official secrecy not based on law shall remain unaffected.
BDSG Section 4 g “In particular, the data protection official shall… 2. Take appropriate measures to familiarize persons employed in the processing of personal data with the provisions of the Act and other data-protection provisions, and with the various special requirements of data protection.”
Oath of Hippocrates. In: Harvard Classics, Volume 38. Boston: P.F. Collier and Son, 1910. http://www.cirp.org/library/ethics/hippocrates/. Cited 17 March 2011
MBO, Art. 9 Confidentiality
(1) Physicians are obliged to maintain confidentiality regarding everything confided in them, or becoming known to them, in their capacity as a physician, including after the death of the patient. This also includes written communications from the patient, records concerning patients, X-ray images and other examination findings.
(2) Physicians are authorised to disclose information insofar as they have been released from their obligation to maintain confidentiality or insofar as disclosure is necessary in order to safeguard a higher-ranking legally protected interest. Statutory duties to give evidence and obligations of notification remain unaffected. Insofar as statutory provisions restrict the physician’s obligation to maintain confidentiality, the physician is to inform the patient of this situation.
(3) Physicians must instruct their staff, and persons taking part in physicians’ activities in preparation for the profession, regarding the statutory duty to maintain confidentiality, and must document this instruction in writing.
(4) If several physicians examine or treat the same patient, simultaneously or consecutively, they are mutually released from the obligation to maintain confidentiality insofar as the patient’s informed consent has been given or can be assumed.
Checklist “Datenschutz im Krankenhaus” Independent Federal State Center for Data Protection Schleswig-Holstein (ULD), https://www.datenschutzzentrum.de/medizin/krankenh/checkliste-patientendatenschutz.pdf (in German)
References
Ajzen I (1988) Attitudes, personality, and behaviour. Dorsey, Chicago, IL, pp 151–166
Ajzen I (1991) Theory of planned behaviour. Organ Behav Hum Dec 50(2):179–211. doi:10.1016/0749-5978(91)90020-T
Ajzen I (2002) Perceived behavioral control, self-efficacy, locus of control, and the theory of planned behavior. J Appl Soc Psychol 32:665–683. doi:10.1111/j.1559-1816.2002.tb00236.x
Ajzen I, Fishbein M (1980) Understanding attitudes and predicting social behavior. Prentice Hall Englewood Cliffs, NJ
Ajzen I, Madden TJ (1986) Prediction of goal directed behaviour: attitude, intentions and perceived behavioural control. J Exp Soc Psychol 22:453–474. doi:10.1016/0022-1031(86)90045-4
Allen NJ, Meyer JP (1990) The measurement and antecedents of affective, continuance and normative commitment to the organization. J Occup Psychol 1(1):1–18
Anderson C (2005) Creating the conscientious cybercitizen: an examination of home computer user attitudes and intentions towards security. In: Tenth INFORMS Conference on Information Systems and Technology (CIST), San Francisco, 2005
Anderson C, Agarwal R (2005/2009) Practicing safe computing: a multi-method empirical examination of home computer user security behavioural intentions. MIS Quart 34(3):613–643
Arthur D, Quester P (2004) Who’s afraid of that ad? Applying segmentation to the protection motivation model. Psychol Market 21:671–696. doi:10.1002/mar.20024
Augsburger Allgemeine (2009) Health insurance companies sold obviously patient data, http://www.augsburger-allgemeine.de/politik/Krankenkassen-verkauften-offensichtlich-Patienten-Daten-id5803031.html. Cited 19 February 2011
Bandura A (1977) Social learning theory. Prentice Hall, Englewood Cliffs, NJ
Bulgurcu B (2008) The antecedents of information security policy compliance. MSc Thesis, The University of British Columbia, Canada
Bulgurcu B, Cavusoglu H, Benbasat I (2010) Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quart 34(3):523–548
Chan M, Woon I, Kankanhalli A (2005) Perceptions of information security at the workplace: linking information security climate to compliant behaviour. J Inf Priv Security 1(3):18–41
Culnan M (2004) Bentley survey on consumers and internet security: summary of findings. www.bentley.edu/events/iscw2004/survey_findings.pdf. Cited 6 June 2011
Davis FD (1989) Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quart 13(3):319–339. http://www.jstor.org/stable/249008. Cited 6 June 2011
Davis FD, Bagozzi RP, Warshaw PR (1989) User acceptance of computer technology: a comparison of two theoretical models. Manage Sci 35:982–1003. doi:10.1287/mnsc.35.8.982
Der Westen (2009) Patient data missing. http://www.derwesten.de/nachrichten/wr/2009/6/3/news-121712344/detail.html. Cited 19 February 2011
Dinev T, Hu Q (2007) The centrality of awareness in the formation of user behavioral intention toward protective information technologies. J Assoc Inform Syst 8(4):386–408. http://aisel.aisnet.org/jais/vol8/iss7/23. Cited 6 June 2011
Dinev T, Goo J, Hu Q, Nam K (2009) User behaviour towards protective information technologies: the role of national cultural differences. Inform Syst J 19(4):391–412. doi:10.1111/j.1365-2575.2007.00289.x
Ellen PS, Wiener JL, Cobb-Walgren C (1991) The role of perceived consumer effectiveness in motivating environmentally conscious behaviors. J Public Policy Mark 10(2):102–117. http://www.jstor.org/stable/30000238. Cited 6 June 2011
Featherman MS, Pavlou PA (2003) Predicting e-services adoption: a perceived risk facets perspective. Int J Hum-Comput St 59(4):451–474. doi:10.1016/S1071-5819(03)00111-3
Fishbein M, Ajzen I (1975) Belief, attitude, intention and behaviour: an introduction to theory and research. Series in Social Psychology, Addison-Wesley, Boston, MA
Focus online (2008) Illegal passing on of sensitive patient data. http://www.focus.de/finanzen/versicherungen/krankenversicherung/krankenkasse-dak-gibt-patientendaten-weiter_aid_325837.html. Cited 19 February 2011
Gefen D, Straub DW (2000) The relative importance of perceived ease of use in IS adoption: a study of e-commerce adoption. J Assoc Inform Syst 1(1):1–28. http://aisel.aisnet.org/jais/vol1/iss1/8. Cited 6 June 2011
Hamburger Morgenpost (2009a) UKE scandal around patient documents. http://archiv.mopo.de/archiv/2009/20090228/hamburg/uke_skandal_um_kranken_daten.html. Cited 19 February 2011
Hamburger Morgenpost (2009b) Patient documents in the Internet. http://www.dradio.de/dlf/sendungen/wib/1310932/. Cited 19 February 2011
Hayn B (2005) Datenschutz: Anwendungsorientierte Aspekte—Anspruch und Wirklichkeit, am Beispiel des LKH-Univ. Klinikum Graz, Hall in Tyrol. MSc Thesis, LKH-Univ. Klinikum Graz, Austria
Herath T, Rao HR (2009) Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur J Inform Syst 18(2):106–125. doi:10.1057/ejis.2009.6
Kacen JJ, Lee JA (2002) The influence of culture on consumer impulsive buying behaviour. J Consum Psychol 12(2):163–176. doi:10.1207/S15327663JCP1202_08
Karahanna E, Straub DW, Chervany NL (1999) Information technology adoption across time: a cross-sectional comparison of pre-adoption and post-adoption beliefs. MIS Quart 23(2):183–213. http://www.jstor.org/stable/249751. Cited 6 June 2011
Knapp KJ, Marshall TE, Rainer RK, Ford FN (2005) Managerial dimensions in information security: a theoretical model of organizational effectiveness. ISC2, Framingham, MA and Auburn University, Auburn, AL
Legris P, Ingham J, Collerette P (2003) Why do people use information technology? A critical review of technology acceptance model. Inform Manage 40:191–204. doi:10.1016/S0378-7206(01)00143-4
Maddux JE, Rogers RW (1983) Protection motivation theory and self-efficacy: a revised theory of fear appeals and attitude change. J Exp Soc Psychol 19:469–479. doi:10.1016/0022-1031(83)90023-9
Malhotra Y, Galletta DF (1999) Extending the technology acceptance model to account for social influence: theoretical bases and empirical validation. 32nd Hawaii International Conference on System Science. IEEE, Maui, Hawaii, January 1999
Mathieson K (1991) Predicting user intentions: comparing the technology-acceptance-model with the theory of planned behaviour. Inform Syst Res 2:173–191. doi:10.1287/isre.2.3.173
Pavlou PA, Chai L (2002) What drives electronic commerce across cultures? A cross-cultural empirical investigation of the theory of planned behavior. J Elect Com Res 3(4):240–253
Peace AG, Galetta D, Thong J (2003) Software piracy in the workplace: a model and empirical test. J Manage Inform Syst 20(1):153–177. http://www.jstor.org/stable/40398620. Cited 6 June 2011
Peissl W (2003) Prinzipien des Datenschutzes und ihre Verwirklichung im medizinischen Bereich. Vortrag im Rahmen des Seminars „Datenschutz und Biomedizin“, 23.–24.6., University of Vienna, Austria. www.oeaw.ac.at/ita/ebene5/WPgendatenWien.pdf. Cited 6 June 2011
Pommerening K (1995) Datenschutz in Krankenhausinformationssystemen. Johannes-Gutenberg-Universität, Institut für Medizinische Statistik und Dokumentation, Mainz, Germany. http://www.staff.uni-mainz.de/pommeren/Artikel/vis95.pdf. Cited 6 June 2011
Riemenschneider CK, Harrisson D, Mykytyn PP (2003) Understanding IT adoption decision in small business: integrating current theories. Inform Manage 40:269–285. doi:10.1016/S0378-7206(02)00010-1
Robey D (1979) User attitudes and management information system use. Acad Manage J 22:527–538. doi:10.2307/255742
Rogers RW (1975) A protection motivation theory of fear appeals and attitude change. J Psychol 91(1):93–114. doi:10.1080/00223980.1975.9915803
Schmidt KH, Hollmann S, Sodenkamp D (1998) Psychometrische Eigenschaften und Validität einer deutschen Fassung des “Commitment-Fragebogens” von Allen und Meyer (1990). Z Differ Diag Psychol 2:93–106
Spitzmüller C, Stanton JM (2006) Examining employee compliance with organizational surveillance and monitoring. J Occup Organ Psych 79(2):245–272. doi:10.1348/096317905X52607
Statistisches Bundesamt Deutschland (2008): Gesundheit: Grunddaten der Krankenhäuser 2008. Fachserie 12 Reihe 6.1.1. Statistisches Bundesamt Deutschland, Berlin
Straub D, Keil M, Brenner W (1997) Testing the technology acceptance model across culture: a three country study. Inform Manage 33(1):1–11. doi:10.1016/S0378-7206(97)00026-8
Tan FB, Urquhart C, Yan S (2004) A conceptual model for online shopping behaviour: trust and national culture. Proceedings of the 5th International Business Research Forum, Temple University, Philadelphia, PA. http://www.fox.temple.edu/conferences/ibrf/2004/Session%203-C,%20Tan,%20Felix.ppt. Cited 6 June 2011
Taylor S, Todd PA (1995) Understanding information technology usage: a test of competing models. Inform Syst Res 6(3):144–176. doi:10.1287/isre.6.2.144
Trevino LK, Youngblood SA (1990) Bad apples in bad barrels: a causal analysis of ethical decision-making behaviour. J Appl Psychol 75(4):378–385. doi:10.1037/0021-9010.75.4.378
Venkatesh V (2000) Determinants of perceived ease of use: integrating control, intrinsic motivation, and emotion into the technology acceptance model. Inform Syst Res 11(4):342–365. doi:10.1287/isre.11.4.342.11872
Venkatesh V, Davis FD (1996a) A model of the perceived ease of use development and test. Decision Sci 27(3):451–481. doi:10.1111/j.1540-5915.1996.tb00860.x
Venkatesh V, Davis FD (1996b) A model of the perceived ease of use development and test. Decision Sci 27(3):451–481. doi:10.1111/j.1540-5915.1996.tb00860.x
Venkatesh V, Davis F (2000) A theoretical extension of the technology acceptance model: four longitudinal field studies. Manage Sci 46(2):186–204. doi:10.1287/mnsc.46.2.186.11926
Venkatesh V, Morris MG, Davis GB, Davis FD (2003) User acceptance of information technology: toward a unified view. MIS Quart 27(3):425–478. http://www.jstor.org/stable/30036540. Cited 6 June 2011
Vijanyan J (2009) Privacy rules may slow e-health use, study says. Computerworld 43(15):6
Vijayasarathy LR (2003) Predicting consumer intentions to use on-line shopping: the case for an augmented technology acceptance model. Inform Manage 41(6):747–762. doi:10.1016/j.im.2003.08.011
Würtenberger T (1999) Akzeptanz von Gesetzen. Kölner Z Soziol Soz 51(39):380–397
Yang H, Yoo Y (2003) It’s all about attitude: revisiting the technology acceptance model. Decis Support Syst 38(1):19–31. doi:10.1016/S0167-9236(03)00062-9
Zakour AB (2004) Cultural differences and information technology acceptance. Seventh Annual Conference of the Southern Association for Information Systems (SAIS), http://sais.aisnet.org/sais2004/Zakour.pdf. Cited 6 June 2011
Zinnbauer M, Eberl M (2004) Die Überprüfung von Spezifikation und Güte von Strukturgleichungsmodellen: Verfahren und Anwendung. In: Schriftenreihe zur Empirischen Forschung und Quantitativen Unternehmensplanung, vol 21. Ludwig-Maximilians University, Munich, Germany
Conflict of interests
The authors declare that they have no conflict of interest.
Appendix: Scales and items
Cite this article
Foth, M., Schusterschitz, C. & Flatscher‐Thöni, M. Technology acceptance as an influencing factor of hospital employees’ compliance with data‐protection standards in Germany. J Public Health 20, 253–268 (2012). https://doi.org/10.1007/s10389-011-0456-9
DOI: https://doi.org/10.1007/s10389-011-0456-9