WEIS 2009

HIPAA Compliance: An Examination of Institutional and Market Forces

One would think that the enactment of the HIPAA, with its mandates on data security and privacy, would have brought a major shift in the security management practices within the US healthcare. Unfortunately, recent industry reports indicate low levels of regulatory compliance, thus raising security concerns for the US health IT infrastructure. This research develops a regulatory compliance model by drawing insights from the institutional theory literature to identify the key drivers influencing HIPAA compliance, both institutional and market forces (e.g., variability in state-level privacy laws comprehensiveness, interdependency between privacy and security rules, pressure from compliance leaders in the region, compliance officer’s functional background, and the consumer concern for privacy). We validate the model using a national sample of acute-care hospitals and find partial support. The primary contribution of this research lies in the novel application of institutional theory to explain the variability in regulatory compliance prevalent in the US healthcare sector.