Table 1.
Data extraction field description.
| No | Category | Description |
| 1 | Paper information | Name, authors, and publication year of the paper |
| 2 | Legal document name | The name of the legal documents found in the paper |
| 3 | Legal document type | This defines the category of law such as regulation, constitutional law, directive, statutory law, policy, and guidelines found in the paper |
| 4 | Legal document jurisdiction | The country in which the legal document applies |
| 5 | Security requirement | The requirement about information security found in the legal document |
| 6 | Privacy requirement | These are the measures or rules that seek to protect the dignity of patients. These include the right to consent and the right to be forgotten to preserve the privacy of an individual |
| 7 | Health care user category | The category of users with the primary responsibility to implement or comply with the related requirement. These include management, end users, and all users. The management category includes top management such as CEOsa, directors, managers, and officers with the responsibility of implementing and complying with the privacy and security requirement |
| 8 | Responsibility level | The user level is responsible for the requirement, and this defines the type of user category who is to take action to observe, enforce, implement, or comply with the security measure. Examples include management, end users, and all users. The management includes top-level staff such as the CEOs, directors, managers, and officers who are responsible for implementing and observing health care security practices. End users include all employees, consultants, suppliers, and others with access to the health system. All user-level categories include responsibilities that are concerned by management and end users |
| 9 | Security category | This refers to the security domain (eg, access control, security governance, access logs, and encryption) of the requirement |
| 10 | Privacy category | This refers to the privacy domain, such as consent and right to privacy, of the requirement and data protection |
aCEO: chief executive officer.