Table 1. Descriptive statistics for the survey variables

Variable name | Description (dichotomous indicators unless noted) | Mean | SD | Min | Max
---|---|---|---|---|---
Safeguarding information | | | | |
IT sec | Technical IT security measures (eg, firewalls, encrypted e-mail, network monitoring, intrusion detection) | 0.98 | 0.14 | 0.00 | 1.00
Report breaches | Process in place for reporting breaches of patient information | 0.97 | 0.17 | 0.00 | 1.00
Data access | Data access minimization (ie, giving employees only the information they need) | 0.94 | 0.24 | 0.00 | 1.00
Who they say they are | Ensuring that the patient is who they say they are | 0.91 | 0.28 | 0.00 | 1.00
Access and sharing policies | Specific policy in place to monitor electronic patient health information access and sharing | 0.87 | 0.33 | 0.00 | 1.00
Auditing | | | | |
IT audit | IT applications have audit functions that monitor the access and use of patient information | 0.95 | 0.22 | 0.00 | 1.00
Audit systems | Regular audits are conducted of systems that generate, collect or transmit patient data | 0.87 | 0.33 | 0.00 | 1.00
Audit IT logs | IT audit logs are created and analyzed for inappropriate access to patient data | 0.83 | 0.37 | 0.00 | 1.00
Audit policies | Regularly scheduled meetings are held to review the status of data security policies | 0.77 | 0.42 | 0.00 | 1.00
Audit shared data | Regular audits are conducted of processes in which patient information is shared with external organizations | 0.74 | 0.44 | 0.00 | 1.00
HR management | | | | |
Hiring practices | Hiring practices (eg, background checks) | 0.97 | 0.17 | 0.00 | 1.00
HR monitor | HR monitors completion of courses on confidential patient data as part of hiring and continuing education | 0.88 | 0.32 | 0.00 | 1.00
Education | Formal education courses | 0.86 | 0.35 | 0.00 | 1.00
Third-party security management | | | | |
Third-party agreement | Business associate agreement signed by the third party | 0.98 | 0.14 | 0.00 | 1.00
Report third-party breaches | Ensure that the third party has a plan for notifying covered entities of a breach | 0.79 | 0.41 | 0.00 | 1.00
Detect third-party breaches | Ensure that the third party has a plan for identifying breaches | 0.76 | 0.43 | 0.00 | 1.00
Third-party training | Proof of employee training | 0.61 | 0.49 | 0.00 | 1.00
Compliance (7-point scale: 1, not at all compliant; 7, compliant with all applicable standards) | | | | |
Overall compliance | Overall compliance score from factor analysis (standardized factor score, not on the 1–7 scale) | 0.00 | 0.90 | −4.81 | 0.81
HITECH | HITECH | 5.75 | 1.39 | 1.00 | 7.00
Red | Red Flags rule | 6.14 | 1.21 | 1.00 | 7.00
HIPAA | HIPAA | 6.59 | 0.70 | 2.00 | 7.00
State | State security laws | 6.38 | 0.97 | 1.00 | 7.00
CMS | CMS regulations | 6.61 | 0.65 | 4.00 | 7.00
Organizational information | | | | |
Size | Size, coded by bed count (1, fewer than 100 beds; 2, 100 to 299 beds; 3, 300 or more beds) | 1.63 | 0.71 | 1.00 | 3.00
Critical access | Critical access hospital | 0.35 | 0.48 | 0.00 | 1.00
General medical | General medical/surgical hospital | 0.55 | 0.50 | 0.00 | 1.00
Academic | Academic hospital | 0.04 | 0.19 | 0.00 | 1.00

CMS, Centers for Medicare and Medicaid Services; HIPAA, Health Insurance Portability and Accountability Act; HITECH, Health Information Technology for Economic and Clinical Health; HR, human resources.