Identification of How Health Information Security
Awareness (HISA) Influence in Patient’ Health
Information Protection Awareness (PHIPA)
Rodiatul Adawiyah Achmad Nizar Hidayanto
Faculty of Computer Science Faculty of Computer Science
Universitas Indonesia Universitas Indonesia
Jakarta, Indonesia Jakarta, Indonesia
rodiatul.adawiyah@ui.ac.id nizar@cs.ui.ac.id
Abstract— Securing the confidency of health information in
health care industry has been a notable matter. Nursing
students are still inexperienced and are in progress to thriving
their individual worths and trusts on the significance of Health
Information Security Awareness (HISA) and Patient’ Health
Information Protection Awareness (PHIPA). The objectives of
this study is to identify the influence of HISA in PHIPA, to
measure the quality of HISA and PHIPA of nursing students in
Baturaja and to provide recommendations on HISA and
PHIPA improvement on nursing education. Thirty-two
questions have been designed in the questionnaire and 94
respondents valid data were continued to analysed using
Partial Least Squares (PLS). Based on the analysis results,
HISA influences nursing students’ communication,
management and referral factors in PHIPA in positive ways.
And the measurement results shown that nursing students in
Baturaja has a well quality of HISA and PHIPA. Our
discovery in this study also supply implications for practice the
nursing schools and the health care industry about planning
extended curriculum and clinical practice guiding principle to
simplify students’ health information security awareness and
patient’ health information protection awareness.
Keywords— Health Information Security Awareness (HISA),
Patient’ Health Information Protection Awareness (PHIPA),
Partial Least Squares (PLS)
I. INTRODUCTION
Securing the confidency of health information in health
care industry has been a notable matter. According to the
Health Insurance Portability and Accountability Act
(HIPAA), one of the most suspectible health care
stakeholders that can contravene the health information
confidency are nursing students [1]. Nursing students are
still inexperienced [2] and are in progress to thriving their
individual worths and trusts on the significance of Health
Information Security Awareness (HISA) and Patient’ Health
Information Protection Awareness (PHIPA).
There are many opportunities that nursing students will
probably done throughout their clinical trials at hospitals or
any other health care industry that will cause the disclosed
of protected health information to the related stakeholders
(patient’ relatives, marketing people from health industry,
etc.). It is due to their unawareness, or a fragmentary
awareness of the adjustments and sanctions related to health
information security (IS), or any others mistakes. Nursing
students’ education related to health information security
Ika Chandra Hapsari
Faculty of Computer Science
Universitas Indonesia
Jakarta, Indonesia
ika.c@cs.ui.ac.id
awareness can have a notable influence to the patients’
health information protection awareness [3].
In Indonesia itself, problems that related to health
information privacy that occur in hospital are include:
informations leak by unauthorized employees, computer
units that left on when they go home or having a break, id
data and password’s privacy unguarded that can be a risk of
access rights being misused by unauthorized employees,
failure in information processing, and information theft [4].
From Park et al.’s [5] study previously indicated that the
HISA composed by three awareness learning components,
which are: General Information Security Awareness (GSA),
Health Information Security Regulation Awareness (HRA),
and Punishment Severity Awareness (PSA). Thereupon,
study by Song et al. [3], resulting a measurement tool for
scaling the Patient’ Health Information Protection
Awareness (PHIPA) with 23-items that classified into three
factors: Communication, Management, and Referral. It was
a revision from previous study by Lee and Park [6] that
using four sub-domains, which are: communication, primary
nursing, patients’ information and referral activities with a
39-item scale.
The similarity of those two studies are concerning
around the lack of awareness by nursing students, however
the correlation of HISA and PHIPA still hasn’t tested in
previous studies. Therefore, to fulfill this research gap, our
study conduct an investigation of how HISA influence in
PHIPA using the HISA model [5] and PHIPA measurement
tool [3] by collecting data from nursing students in Baturaja,
South Sumatera as our case study. In addition, our study
will also identify how well the quality of health IS and
protection awareness of nursing students in Baturaja.
The expecting contributions of our study are (1) to
identify the influence of HISA in PHIPA, (2) to measure the
quality of nursing students in Baturaja for their health IS and
protection awareness (3) to provide recommendations on
HISA and PHIPA improvement on nursing education.
The structure of this paper is as follows. First, we present
the background of the problem. Second, we discuss the
results of our literature review. Third, we outline our
research model. Fourth, we discuss the research
methodology. Fifth, we present and analyze our research
findings and make the recommendations. And last, we
present the conclusions of this research.
 II. LITERATURE REVIEW
A. Health Information Security Awareness (HISA)
Definition of Health Information Security Awareness
(HISA) is a general knowledgement about laws, security,
regulations, and relevant sanctions related to health
information that nursing student possess. In HISA
conceptual, there are three types of awareness: General
Information Security Awareness (GSA), Health Information
Security Regulation Awareness (HRA), and Punishment
Severity Awareness (PSA). Acquiring the awareness to the
certain level is one of expected notable output for nursing
students during their education in university or nursing
school [7].
The awareness level has its own variety of forms. It can
indicated as ‘noticing’, or ‘awareness’, or ‘attention’ depend
on its level. Awareness itself is a distinction between
noticing which is a lower level of awareness and attention,
the higher level of awareness [8]. Attention is a synonymous
of understanding which involve an explicit learning (on the
strength of insights, conscious knowledge, and hypotheses)
and implicit learning (learning build upon subconscious
processes of abstraction and generalization)” [5].
The importance of three awareness’ types in nursing
education is to rectify as well as evolve the awareness of
nursing students’ health IS. The first one is the General
Information Security Awareness (GSA) which is nursing
students’ overall knowledgement, comprehesion of potential
IS related issues as well as their ramifications, and how to
deal with that security-related issues. Nursing students that
have a high awareness are the ones that familiar with the
security practices, rules, their responsibilities regarding to
information origins and the consequences of misusing it [9].
Nursing students must comprehend the common concept of
IS and matters to protect patients’ health information
precisely.
The second awareness in HISA is the Health Information
Security Regulation Awareness (HRA) that resembles with
the concept of information security policy awareness. HRA
itself more trend to the nursing students’ knowledgement
and comprehesion of security regulations, laws and
requirements related to health information. Laws are
established by government and deliver its competency,
while policies act as guiding principle of an unacceptable
behaviors in an organization [10]. Therefore, neglecting a
policy is still an acceptable excuse but neglecting law is a
different story.
Finally, the last one is Punishment Severity Awareness
(PSA) that difined as knowledgement and comprehesion of
pinalties and affiliated with atrocity level of violating the
health IS that nursing students possess [5]. There may be
different effect related to the context of health IS. Violating
the protected health IS might be more severe than violating
the policy in other organizations that related to security in
that organizations. Therefore, it is necessary to impose a
more severe sentence on the violation [10]. In addition, a
regulatory government body institutes health IS laws which
include more advance pinalties than other general
organizations done with their security policies.
B. Patient’ Health Information Protection Awareness
(PHIPA)
The Patients’ Health Information Protection Awareness
(PHIPA) in health care industry is a vital ethic and legal
cognizances [3]. Protected Health Information (PHI) or
individual identity health information is information that
was created, lapsed, or uncovered that can be used to
identify the patient in the course of providing a health care
service such as diagnosis or treatment [11].
Health organizations actually already have provided the
guide principles and policies as well as proffered an
education related to the PHIPA. Unfortunately, the health
care stakeholders including nurses are still have minimum
information on how and what regarding the protected
patient’ health information. The reason that concerning this
case is possibly because the health care stakeholders are not
instructed during their education time on how to administer
their patients’ health information [3].
In the case of nursing students meet variety models of
patient’ health information, they might not savvy enough to
administer it precisely due to their concise education on it.
In most case, behavioral changed is linked to an awareness
changed. A higher level of PHIPA is correlated with a
bigger surveillance of individual information related to the
patient among both health care stakeholders and nursing
students. In spite of the importance of health IS and
confidency protection, there still minimum information
regarding the nursing students’ awareness of these concepts
[3].
C. Previous HISA and PHIPA Research
Park et al.’s [5] study assists to the research of security
related to the health care. The first attempt is to build the
concept model of HISA with its three components which are
GSA, HRA, and PSA. After identified and conduct an
experiental test about the relationship between HISA and
individual worths which are the personal norms and self-
control, they elevate the comprehension which is between
the individual worths and the intention to disclose health
information. From the study, they have found practical
implications supplied for nursing schools and the hospitals
where clinical practice occurs. They also got results such as
an outlining curriculum, organization policy related to the
security, and clinical practice guide principles to simplify
the HISA of nursing students.
The development of measuring tool for PHIPA is started
by the study from Lee and Park [6] that inquired personal
health information of health care industry using four sub-
domains which are the communication, primary nursing,
patients’ information, and referral activities with a 39-item
measurement. Since then, this four sub-domain 39-item
measumenet was used with nursing students for assessing
aknowledgement and attitude regarding of health
information protection as well.
Lee et al. [12] also built a 15-item tool for scaling
confidence notice regarded of personal health information
for citizens based on guide principles in Korea. This study
had similarity in terms of perspective by the three factors
which are: communication, management, referral with the
one Song et al. [3] conducted. The 23-item PHIPA
measurement that classified into the mentioned factors are
fewer than previous studies, for example the one that Lee
and Park [13] built which is a five sub-domain measurement
used to scale the insights and implementation of protecting
patient personal information that nurses possess. In addition,
Kim et al. [14] applied a revised of four sub-domain version
of Lee and Park’s measurement tools with nursing students.
The used of the measurement tools in Lee and Park’s study
[13] was for nurses in clinical settings, it also included a
wide range of health information protection behaviors.
III. THEORITICAL FRAMEWORK
The HISA and PHIPA in our research model (Fig. 1) is a
recent revised model related to the previous studies in both
matter. We build the HISA model with its three components
(GSA, HRA, and PSA) and PHIPA model with its three
factors (communication, management, referral). The
objective of the current research is to examine the influence
of HISA in general which is combination of the three
components in each of PHIPA factors.
Each hypothesis (H1, H2, H3) will be tested in this study
to determine the correlation between HISA and PHIPA. In
addition, we will also test each hypothesis to find the
answers of whether HISA influence PHIPA’ each factors in
positive way, negative way or not influencing at all.
Fig. 1. Research model.
IV. RESEARCH METHODOLODY
A. Research Instrument
A total 32-items have been designed in the questionnaire
as this study research instrument. It is used to test the
respondents' regarding of their HISA and PHIPA. In detail,
its consists of 9 questions, each 3 questions for GSA, HRA
and PSA related to HISA from Park et al [5] previous study.
As well as 23-items as the result of Song et al’s. [3] study
that categorized into three factors, which are: 9-items in
communication category, 3-items in management category,
and 11-items in referral category. The respondents were
asked their agreement to the items described in the
questionnaire by using Likert scale, from 5 as strongly agree
to 1 as strongly disagree.
B. Data Collection Procedures
Data in this research were collected from three different
groups. First, nurses who had worked in health care industry
for at least 15 years. Second, nurses who had worked in
health care industry but have not reached 15 years of
experience yet. The last one are nursing students that have
experienced in internship at healthcare industry in Baturaja
were recruited to fill out the questionnaire.
The research was conducted by online which was
implemented from January, 21st 2019 until January, 28th
2019. Of these, 100 respondents agreed to contributed, and
answered the questionnaire as it is. The results were only 94
questionnaires that are valid to continue to the next steps of
this research, meanwhile the 6 of it invalid because of the
respondents’ incomplete the questionnaire.
C. Method / Techniques for Analyzing Data
PLS (Partial Least Squares) is counted by many
researches as an emerging multivariate data analysis
method. PLS is quite famous for its capable for dealing
samples that have small size. Previous researches
recommend that a sample size of 100 to 200 which meet our
research data collected, is actually a good start line in
carrying out path modeling. PLS is worthwhile for structural
equation modeling in applied research projects especially
when there are limited respondents[15].
SmartPLS is used in this research analysis. SmartPLS is
one of the protruding software application for PLS. The
software has gained popularity since its launch in 2005 not
only because it is available free to academics and researches
but because of its user-friendly interface and advanced
reporting features as well[15].
V. RESULTS AND DISCUSSION
A. The Results of Constructs Reliability and Validity
TABLE I. CONSTRUCTS RELIABILITY
Constructs Cronbach’s Alpha Composite Realibility
HISA .838 .870
 GSA
 HRA
 PSA
Communication .776 .811
Management .634 .779
Referral .795 .835
To assess the reliability of the current research
instruments, we used Cronbach’s Alpha and Composite
Reliability (see in Table I). According to Hair, et al. [16]
Cronbach’s alpha is a good measurement of internal
consistency of the latent variables, and values are acceptable
normally above .70. However, it is still acceptable if the
values near of .60 and the factor have only few items.
In this study, all of the constructs in the scale model got
acceptable internal consistency as their Cronbach’s alpha
pass the recommendation which is .70 and .60 for construct
“management” since this factor only has 3 items in it. For
composite reliability, the values should be below .90 to be
indicate as desirable [17] which in this research we got
around .77-.87 for every contructs. In conclusion, this
research intruments can be concluded as a reliable scale
model.
After that, we also assessed the discriminant validity of
the scale as shown at Table II. The goal of the discriminant
validity assessment is to confirm a reflective construct has
the most connected relationships with its own indicators
compared to the others in the PLS path model [17].
Henseler, et al. [18] propose an approach, the multitrait-
multimethod matrix that used to assess discriminant
validity. Heterotrait-monotrait ratio of correlations (HTMT)
is the one that used to accomplish the objective. If the
HTMT value is below 0.90, that means between the two
reflective constructs, the discriminant validity has been
established which in this research has been accomplised.
We have verified our hypothesis by examine the path
coefficients, and the R2 values from the research model.
Path coefficients is used to indicate the correlation potency
among two constructs. Whilst, the R2 values points the
number of variety that influenced by the independent
constructs [5]. The R2 value for Communication was 0.173.
This means that the research model accounts for 17.3% of
the variance in the dependent variable. It goes as well for
Management that its R2 value was 0.186 which has 18,6% of
the variance in the dependant variable and Referral that got
0.196 for the R2 value, which mean its variance in the
dependent variable was 19,6%.
TABLE III. RESULTS OF HYPOTHESIS TEST

Description Result
TABLE II. DISCRIMINANT VALIDITY USING HTMT H1 HISA influences communication in positive ways. Supported
(β = 3.071, p = 0.002).
Ca. HISA Mb. Rc.
A greater level of HISA are possibly lead to a
Ca. -
better communication in PHIPA.
HISA 0.417 -
H2 HISA influences management in positive ways. Supported
Mb. 0.692 0.455 -
(β = 4.439, p = 0.000).
Rc. 0.815 0.423 0.782 - A greater level of HISA are possibly lead to a
a. Communication factor in PHIPA better management in PHIPA.
b. Management factor in PHIPA H3 HISA influences communication in positive ways. Supported
c. Referral factor in PHIPA (β = 2.614, p = 0.009).
A greater level of HISA are possibly lead to a
B. The Results of PLS Analysis and Hypothesis Test better referral in PHIPA.

Then, we calculated the path coefficients in the structural

model using all the sample data. We used the bootstrapping
method in SmartPLS with 500 re-samples to achieve the t-
values correspond to every path (see in Fig. 2). T-values for
two-tailed tests is needed to be greater than 1.96 at the
significance levels below 0.05 to be acceptable. In our
research, the t-value for each hypotesis are beyond the
acceptable value, whice are 3.071 for H1, 4.439 for H2, and
2.614 for H3. So the results showing that all of the three
hypothesis were supported (see in Table III).

Fig. 2. Results of PLS Analysis.

C. The Results of HISA and PHIPA Measurements

TABLE IV. DESCRIPTIVE STATISTICS OF HISA AND PHIPA

 In Table IV, we present the means and standard
deviations for each of the items of this research instrument
to measure quality of HISA and PHIPA of nursing students
in Baturaja. Respondents’ scores were lowest for the PHIPA
in Communication factor, item “When I explain hospital
admission procedures, I do it so that I am not heard by other
patients, guardians, or unrelated staffs members.” (M =
3.191, SD = 1.075) and item “When I explain discharge
procedures, I do it so I am not heard by other patients,
guardians, or unrelated staffs members.” (M = 3.202, SD =
1.006). Apart from the two specifics items, the other 30-
items got a stable high value. This can be considered as the
well quality of HISA and PHIPA of nursing students in
Baturaja.
D. Discussion
HISA and PHIPA in health care industry is a vital ethic
and legal cognizances as well as achieving it is one of
notable outcomes for nursing students. In the current study,
we combine the scales from previous study to assess HISA
and PHIPA among nursing students, and then used it as a
tool to measure the quality of health IS and protection
awareness of nursing students in Baturaja.
Our findings showed that the 32-items HISA and PHIPA
scale was reliable based on it Cronbach’s Alpha and
Composite Reliability value that pass the recommendation,
as well as had good the discriminant validity using HTMT.
Through the hypothesis test using bootstrapping method
in PLS analysis, we have found out that HISA that
generated from its three awareness learning components,
which are: GSA, HRA, and PSA are influences nursing
students’ PHIPA Communication, Management and
Referral factors in positive ways. Which means that a higher
level of HISA are possibly lead to a better PHIPA.
From 100 respondents that data has been collected, 94 of
it are valid to determine the quality of HISA and PHIPA of
nursing students in Baturaja. The results shown from the
stable high values of the means and the low values of
standard deviation which conclude as the small variety of
the answers, that for the health information security, nursing
students in Baturaja already aware of its concerns.
It is, fortunately also goes for the patient’ health
information protection. However, in two of communication
factor items, several respondents seem to think that
explaining admission procedures and explaining discharge
procedures must not has to discuss secretly with related
patient only therefore, the information regardless to that two
cases need not to be protected. Considering this found, it can
be used for the future research since it is not covered in the
present study.
E. Recommendations
Based on our discovery, we can provide implications for
practice the nursing schools and the health care industry.
First, awareness of health IS and patients’ information
protection could be sufficiently evaluated using the HISA
and PHIPA measurement tools for nursing students that
used in this research. Using the HISA and PHIPA
measurement tools, we found out the level of awareness of
nursing students and compare it between students from any
institutes that related to health education.
Second, the lack of awareness that found in this research
are from the communication factor of PHIPA. Nursing
students’ might thought that explaining admission
procedures and explaining discharge procedures publically
will not harm the patient’ health information. Therefore,
from this found we can extend the curriculum that related to
ethic attitudes regarding protection of patient’ health
information especially in communication factor.
Last, from the guide to privacy and security for health
information by the Office of the National Coordinator
(ONC), it is said that health care stakeholders are not only
educated about guide principles for IS in their organization
at least once a year routinely, but also when the procedures
in the organization changed [19]. Through routine education
and practices, nursing students and health care stakeholders
can adjust updated policies and procedures on the protection
of information regarding to the patients through patients in
clinical settings.
VI. CONCLUSION
The Health Information Security Awareness (HISA)
learning components has influencing the nursing students’
communication, management and referral factors in Patient’
Health Information Protection Awareness (PHIPA). The
results of examined data that we have collected from 94
respondents, we discovered that the HISA with its three
awareness learning components (General Information
Security Awareness (GSA), Health Information Security
Regulation Awareness (HRA), and Punishment Severity
Awareness (PSA)) is influencing nursing students’
communication, management and referral factors in PHIPA
in positive ways.
The measurement tool that made based on previous
studies, used to measure the quality of nursing students in
Baturaja based on their awareness toward health information
security and patient’ health information protection.
Although there are still lack awareness in 2 items which are
“When I explain hospital admission procedures, I do it so
that I am not heard by other patients, guardians, or unrelated
staffs members.” and “When I explain discharge procedures,
I do it so I am not heard by other patients, guardians, or
unrelated staffs members.”, the rest of the items shown that
nursing students in Baturaja has a well quality of HISA and
PHIPA.
Our discovery in this study also supply implications for
practice the nursing schools and the health care industry
about planning extended curriculum and clinical practice
guiding principle to simplify students’ health information
security awareness and patient’ health information
protection awareness.
REFERENCES
[1] Cannon, A.A, Caldwell, H. “HIPAA violations among nursing
students: teachable moment or terminal mistake-a case study”. J Nurs
Educ Pract 2016;6(12):41–8, 2016.
[2] Cowen, K.J, Hubbard, L.J, Hancock, D.C. “Concerns of nursing
students beginning clinical courses: a descriptive study”. Nurse Educ
Today 2016;43:64–8, 2016.
[3] Song, Y, Lee, M, Jun, Y, Lee, Y, Cho, J, Kwon, M, et al. “Revision
of the measurement tool for patients’ health information protection
awareness”. Healthc Inf Res 2016;22(3):206–16, 2016.
[4] Rahman, A.N, Tanuwijaya, H, Sutomo, E. “Audit Keamanan Sistem
Informasi Manajemen Rumah Sakit Berdasarkan ISO 27002:2005
pada Rumah Sakit Islam Jemursari”. JSIKA Vol. 5, No. 9, 2016.
[5] Park, E.H, Kim, J, Park, Y.S,. “The role of information security
learning and individual factors in disclosing patients’ health
information”. Computers & Security 65 (2017) 64–76, 2017.
[6] Lee MY, Park YI. “A study on the nurse’s perception and
performance of protecting patient privacy”. Clin Nurs Res
2005;11(1):7-20, 2005.
[7] Ög˘ütçü G, Testik ÖM, Chouseinoglou O. Analysis of personal
information security behavior and awareness. Comput Secur
2016;56:83–93, 2016.
[8] Meier, A.J., “The role of noticing in developing intercultural
communicative competence”. Eurasian Journal of Applied Linguistics
1 (2015) 25–38, 2015.
[9] Lang, M, Gathegi, J et al. “ Organisational Culture, Procedural
Countermeasures, and Employee Security Behaviour: A Qualitative
Study”. Information and Computer Security, 25 (2). pp. 118-136.
ISSN 2056-4961, 2017.
[10] Whitman M, Mattord H. “Principles of information security 6th
Edition”. Boston, MA: Cengage Learning, 2018.
[11] Parkland Center for Clinical Innovation. “Patient Protected
Information De-Identification System and Method”. United States
Patent Application Publication LePendu, 2017.
[12] Lee, K.H, Chung, Y.C, Han, K.S, Song, T.M,. “Development and
validation of privacy concern measurement tool in personal medical
information”. KIPS Trans Comput Commun Syst 2014;3(6):197-208,
2014.
[13] Lee, M.Y, Park, Y.I,. “A study on the nurse’s perception and
performance of protecting patient privacy”. Clin Nurs Res
2005;11(1):7-20, 2005.
[14] Kim, C.H, Jeong, S.Y, Song, Y.S,. “Recognition and performance of
patient private information protection (PPIP) in nursing students”. J
Digit Policy Manag 2013;11(11):479-90, 2013.
[15] Kwong, K., Wong, K., “Partial Least Squares Structural Equation
Modeling (PLS-SEM) Techniques Using SmartPLS”. Marketing
Bulletin 2013, 24, Technical Note 1, 2018.
[16] Hair, J., Black, W., Babin, B., & Anderson, R. “Multivariate Data
Analysis (8th ed.)”. New Jersey: Pearson Educational, Inc, 2018.
[17] Hair, J. F., Hult, G. M., Ringle, C. M., & Sarstedt, M. “A primer on
partial least squares structural equation modeling (PLS-SEM) (2nd
ed.)”. Thousand Oaks, CA: Sage Publications, 2017.
[18] Henseler, J., Ringle, C. M., and Sarstedt, M. “A New Criterion for
Assessing Discriminant Validity in Variance-based Structural
Equation Modeling”. Journal of the Academy of Marketing Science,
43(1): 115-135, 2015.
[19] The Office of the National Coordinator for Health Information
Technology. “Guide to privacy and security of health information”.
Washington (DC): US Department of Health and Human Services,
2017.