View thesis information

Thesis title (Chinese):

 医院信息保护合规路径研究    

Name:

 张可    

Thesis language:

 chi    

Degree:

 Master's

Degree type:

 Professional degree

Institution:

 北京协和医学院    

Department:

 北京协和医学院医学信息研究所    

Major:

 Public Health - Public Health (professional degree)

Supervisor:

 曹艳林    

Thesis completion date:

 2023-03-15    

Thesis title (foreign language):

 Research on the Compliance Path of Hospital Information Protection    

Keywords (Chinese):

 Hospital information protection; compliance; current situation analysis; grounded theory; pathways

Keywords (foreign language):

 Hospital information protection Compliance Current situation analysis Grounded theory Pathways    

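Abstract (translated from the Chinese):

Research objectives:

Introducing compliance not only helps hospitals cope with the surge in information security risks and avoid the legal liability, economic losses and ethical controversies that arise from improper information processing, but also ensures that the norms governing hospital information protection are effectively implemented, thereby supporting the high-quality development of hospitals and the building of a Healthy China, Digital China and Rule-of-Law China. This study aims to identify hospital information protection compliance tasks through normative analysis, analyze the elements of information protection compliance using grounded theory, and understand the current state of hospital information protection through a questionnaire survey. On that basis, it determines the main content of hospital information protection compliance construction, explores the available paths for that construction, and offers recommendations to hospitals for advancing information protection compliance construction.

Research content:

(1) Define the concepts related to hospital information protection compliance based on literature research. Relevant literature was retrieved from Chinese and English databases such as CNKI, HeinOnline and PubMed to summarize the state of research on hospital information protection compliance and clarify the meaning of the related concepts. (2) Identify hospital information protection compliance tasks based on normative analysis. After clarifying the objects of hospital information protection compliance and systematically reviewing the relevant norms, the content of the norms was analyzed according to the behavior patterns of "shall do", "may do" and "must not do" to derive the hospital information protection compliance tasks. (3) Analyze the elements of information protection compliance based on grounded theory. Strictly following the four steps of grounded theory, the elements of information protection compliance were analyzed and their specific content clarified. (4) Understand the current state of hospital information protection compliance through a questionnaire survey covering three aspects: personal information protection compliance, data protection compliance and network security management compliance; and revise, supplement and finalize the elements of hospital information protection compliance according to the survey results. (5) Discuss recommendations for hospital information protection compliance construction. Combining the compliance tasks, the compliance elements and the current state of compliance, the specific content of hospital information protection compliance construction and its available paths were analyzed, and recommendations for that construction were proposed.

Research methods:

(1) Literature research: define the meaning of the concepts related to hospital information protection compliance through literature research. (2) Normative analysis: identify hospital information protection compliance tasks through normative analysis. (3) Grounded theory research: analyze the elements of information protection compliance using grounded theory. (4) Questionnaire survey: investigate the current state of hospital information protection compliance using a questionnaire survey.

Results:

(1) The increasingly complete legal system for information protection imposes heavy information protection compliance tasks on hospitals. (2) At present, the overall state of hospital information protection compliance is average. In terms of information security management compliance, network security management compliance is good, data security management compliance is average, and personal information protection management compliance is poor; in terms of information processing behavior compliance, both personal information processing and data processing compliance are poor. (3) Combining grounded theory with the survey of the current state, hospital information protection compliance comprises five basic elements (clarifying information protection compliance principles, improving the information protection compliance system, strengthening information protection compliance supervision, leveraging information protection compliance technology, and fostering an information protection compliance culture), two operational elements (building an information protection compliance mechanism and emphasizing information compliance risk management), and two objective elements (ensuring compliant information processing behavior and achieving compliant information security management). Hospital information protection compliance construction should be organized around these 9 elements. (4) In advancing hospital information protection compliance construction, hospitals may choose the "integrated" or "independent" path based on compliance cost, or the "comprehensive" or "scenario-based" path based on compliance tasks.

Conclusions:

(1) At present, hospitals bear heavy information protection compliance tasks and the overall state of hospital information protection compliance is average. Hospitals therefore urgently need to carry out or improve hospital information protection compliance construction. (2) At present, hospitals carrying out or improving information protection compliance construction have many advantages and also face many challenges. (3) Hospital information protection compliance construction must take account of the hospital's own needs, clarify its own compliance tasks, and make full use of the strength of hospital staff and the role of compliance technology. (4) Hospital information protection compliance construction should be organized around 9 aspects: clarifying information protection compliance principles, improving the information protection compliance system, strengthening information protection compliance supervision, leveraging information protection compliance technology, fostering an information protection compliance culture, building an information protection compliance mechanism, emphasizing information compliance risk management, ensuring compliant information processing behavior, and achieving compliant information security management. (5) The available paths for hospital information protection compliance construction are the "integrated" and "independent" information protection compliance paths based on compliance cost and the "comprehensive" and "scenario-based" information protection compliance paths based on compliance tasks.

Recommendations:

(1) Hospitals should carry out and improve hospital information protection compliance construction as soon as possible. (2) Hospital information protection compliance construction should implement the elements of hospital information protection compliance. (3) Hospitals should carry out information protection compliance construction in light of their own circumstances and choose a suitable construction path. (4) Hospital information protection compliance construction needs to resolve the existing information protection compliance problems.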

 

Abstract (foreign language):

Objectives

The introduction of compliance can not only help hospitals cope with surging information security risks and keep them from bearing legal responsibility, suffering economic losses and facing ethical controversies due to improper information handling, but also ensure the effective implementation of hospital information protection norms, thus supporting the high-quality development of hospitals and the construction of a Healthy China, Digital China and Rule-of-Law China. This study aims to sort out the tasks of hospital information protection compliance through normative analysis, analyze the elements of information protection compliance using grounded theory, and understand the current status of hospital information protection through a questionnaire survey. On the basis of these studies, it determines the main contents of hospital information protection compliance construction, explores the available paths for that construction, and provides countermeasures and suggestions for hospitals to promote information protection compliance construction.

Contents

(1) Define the concepts related to hospital information protection compliance based on literature research. We searched relevant literature in Chinese and English databases, including CNKI, HeinOnline and PubMed, to sort out the current status of research and clarify the connotation of concepts related to hospital information protection compliance. (2) Sort out the tasks of hospital information protection compliance based on normative analysis. After clarifying the object of hospital information protection compliance and systematically sorting out the relevant norms, we analyzed the content of the norms according to the behavior patterns of "should", "can" and "don't", and sorted out the tasks of hospital information protection compliance. (3) Analyze the elements of information protection compliance based on grounded theory. Strictly following the four steps of grounded theory, we analyzed the information protection compliance elements and clarified the specific contents of those elements. (4) Understand the current status of hospital information protection compliance based on the questionnaire survey, covering three aspects: the compliance status of hospital personal information protection, data protection and network security management; and revise and supplement the elements of hospital information protection compliance based on the survey results. (5) Discuss countermeasures and suggestions for the construction of hospital information protection compliance. Combining the tasks of hospital information protection compliance, the elements of hospital information protection compliance and the current situation of hospital information protection compliance, we analyzed the specific contents and the available paths of hospital information protection compliance construction, and proposed countermeasures and suggestions for that construction.

Methods

(1) Literature research method: Define the connotation of concepts related to hospital information protection compliance through literature research. (2) Normative analysis method: Sort out the tasks of hospital information protection compliance through normative analysis. (3) Grounded theory research: Analyze the elements of information protection compliance using grounded theory. (4) Questionnaire survey method: Investigate the status of hospital information protection compliance using a questionnaire survey.

Results

(1) The increasingly complete legal system of information protection brings heavy information protection compliance tasks to hospitals. (2) Currently, the overall compliance of hospital information protection is average. In terms of hospital information security management compliance, network security management compliance is good, data security management compliance is average, and personal information protection management compliance is poor. In terms of hospital information processing behavior compliance, both personal information processing and data processing behavior have poor compliance. (3) Based on grounded theory and the survey of the current situation, hospital information protection compliance includes five basic elements: clarifying the principles of information protection compliance, improving the information protection compliance system, strengthening the supervision of information protection compliance, leveraging information protection compliance technology and creating an information protection compliance culture. Building an information protection compliance mechanism and emphasizing information compliance risk management are two operational elements, and ensuring compliance in information processing behavior and achieving compliance in information security management are two objective elements. The compliance construction of hospital information protection should revolve around these 9 elements. (4) In promoting the construction of hospital information protection compliance, hospitals can choose the "integrated" or "independent" pathway based on compliance costs, or the "comprehensive" or "scenario-based" pathway based on compliance tasks.

Conclusion

(1) Currently, hospitals bear many information protection compliance tasks, and the overall compliance of hospital information protection is average. Therefore, hospitals urgently need to carry out or improve the compliance construction of hospital information protection. (2) Currently, hospitals have many advantages and face many challenges in carrying out or improving hospital information protection compliance construction. (3) The compliance construction of hospital information protection needs to be combined with the hospital's own needs, clarify the hospital's own compliance tasks, and fully leverage the power of hospital staff and the role of compliance technology. (4) The construction of hospital information protection compliance should revolve around nine aspects: clarifying information protection compliance principles, improving information protection compliance systems, strengthening information protection compliance supervision, leveraging information protection compliance technology, creating an information protection compliance culture, constructing information protection compliance mechanisms, emphasizing information compliance risk management, ensuring information processing behavior compliance, and achieving information security management compliance. (5) The available paths for hospital information protection compliance construction include the "comprehensive" and "scenario-based" information protection compliance pathways, which are based on compliance tasks, and the "integrated" and "independent" information protection compliance pathways, which are based on compliance costs.

Advice

(1) Hospitals should carry out and improve the construction of hospital information protection compliance as soon as possible. (2) Hospital information protection compliance construction should implement the hospital information protection compliance elements. (3) Hospitals should carry out information protection compliance construction in light of their own circumstances and choose the applicable information protection compliance construction pathway. (4) Hospital information protection compliance construction needs to solve the existing information protection compliance problems.

 

Open access date:

 2023-06-03    
