Balancing information privacy and operational utility in healthcare: proposing a privacy impact assessment (PIA) framework

One needs to look only at recent data breaches to be reminded of the severe and far-reaching damage caused by privacy threats. In light of these threats, global healthcare leaders are striving to understand how to protect patient information without the loss of benefits (utility) that results from privacy-preserving mechanisms. Consequently, our study examines the relatively unexplored issue of simultaneously responding to information privacy threats and maintaining utility in a healthcare privacy compliance context. Counterintuitively, we also identify a symbiotic relationship between these two focal and interdependent efforts. We adopt an interpretive qualitative research method leveraging the value-focused thinking (VFT) approach which results in two major contributions: (1) the development of a value-driven framework presented as a means-end objective network providing a list of 16 means objectives and seven key fundamental objectives enabling higher-quality privacy decision making vis-a-vis privacy and utility. Our second and central contribution (2) is a theoretical framework of privacy impact assessment (PIA) emphasising the interplay and balance between making appropriate decisions in responding to information privacy while not hindering healthcare operations. This work provides the foundation for proposing four compelling propositions for future healthcare privacy research.