Managing compliance with privacy regulations through translation guardrails: A health information exchange case study

Abstract

Information privacy is increasingly important in our digitally connected world, particularly in healthcare, and privacy regulations are ramping up to promote appropriate privacy practices. As a digital platform that enables healthcare providers to exchange protected health information (PHI), a health information exchange (HIE) is governed by health information privacy regulations. The challenge for HIEs is to operate in a way that will maximize information exchange while maintaining compliance with regulations that may constrain the sharing of PHI. Regulations impose a measure of universality through compliance requirements, while being flexible to allow adaptation to the local context. However, our longitudinal case study into the privacy policies of an HIE, demonstrates that the journey of privacy ideas from their original formulation in regulations, to their ultimate enactment in an organizational setting, is accompanied by translations, such that the final implementation may vary extensively from its original form. Such variability often results in interpretations that differ from what the regulators intended. Consequently, translation guardrails are necessary to protect against problematic translations of regulatory ideas which could lead to compliance issues and loss of platform participation. Our findings offer two contributions. First, we contribute to the compliance literature by explaining how guardrails can balance the use of permission and obligation schemas which are necessary to translate regulations into effective organizational policies for the success of HIEs and other information exchange platforms. Second, we contribute to extending translation theory by explaining how pragmatic reasoning schemas function as the mechanism through which translation of regulations occurs.