Article ID: 456517
Journal: Computers & Security
Published Year: 2012
Pages: 15 Pages
File Type: PDF
Abstract

Using Reason’s GEMS typology to analyze publicly available reports of privacy breaches in the United States shows human error as the cause of a significant number of violations of the HIPAA Privacy Rule. An interpretive study based on interviews of 15 privacy officers of major U.S. healthcare organizations reinforces this finding. Applying the Rating Scale Model to analyze these officers’ ranking of the underlying causes of human error suggests that such organizational factors as high workload and low morale impede HIPAA Privacy Rule compliance more than either poor skills or availability of technology resources. Contrary to the common belief that human error may be attributed primarily to an individual, the results suggest that the work environment is critical and that systemic limitations underlie errors made by employees. By applying a cognitive taxonomy of human errors based on Norman’s action theory, this paper gives healthcare organizations a framework for managing compliance with the HIPAA Privacy Rule and operational strategies that help enforce this compliance, especially among the clinical staff.
