Which Hospitals Are Complying with HIPAA: An Empirical Investigation of US Hospitals1,2

Since the passage of HIPAA regulation, US hospitals have gone on a high gear by investing organizational resources on HIPAA policy and procedures, information technologies, and information privacy & security safeguards to achieve compliance status by the enforcement dates. Yet, recent industry report, conducted post HIPAA enforcement deadlines, presents a bleak picture of HIPAA compliance, raising concerns for the privacy and security of patient data, as well transactional efficiency of hospitals. Drawing from organizational sociology and organizational behavior literature we examine propensity of hospitals being fully compliant with privacy, security and transaction rules of HIPAA. In particular, we focus on several hospital characteristics including academic status, profit status, hospital size and industry leadership in IT use to identify which type of hospitals are more likely to be HIPAA compliant. Overall, our findings offer insights on the current state of performance outcome of information security investments in the healthcare sector as measured by hospitals‟ HIPAA compliance, an area under researched in information security literature. Moreover, we expect our findings may inform policy decisions in particular reference to HIPAA compliance.