1
GOVERNANCE OF DATA PRIVACY AND
SECURITY: THE ELECTRONIC HEALTH
RECORD IN THE NETHERLANDS
Master thesis Crisis and Security Management
Joy de Vries (s1138383) Master Crisis and Security Management 8-6-2016
2 GOVERNANCE OF DATA PRIVACY AND SECURITY: THE ELECTRONIC HEALTH
RECORD IN THE NETHERLANDS
Master thesis for the Master program Crisis and Security Management at Leiden University, Faculty of Governance and Global Affairs, study year 2015-2016
Name: Joy de Vries Student number: S1138383 Supervisor: Prof. Dr. Monica den Boer
Second reader: Dr. Ruth Prins Date: 8-6-2016
3
Preface
At the start of (writing) my Master thesis, I had a clear idea in mind of what I wanted to study and how I wanted to conduct my research. However, plans quickly changed due to feasibility problems, and I needed to let go of my original idea. Multiple other subjects were discussed, and I even started to work on one subject. Yet, weeks later, it still did not feel right. Before the start of the Master thesis, the following was emphasized multiple times by a professor: Choose a subject you like. A subject that you do not only like for now, but will also like down road in a few months from now. The subject you choose is the subject you will work on day in day out for the upcoming months. If it stresses you out already, do not even think about proceeding. That’s when I decided that I was not going to proceed with the subject I had chosen. It just did not feel right. With the help of my Thesis supervisor, I decided that I was going to write about the governance of the electronic health record. In the meanwhile, almost three months had passed, but I felt great, and that was what I needed to write my Master thesis.
However, writing my Master thesis was not my process alone. Without the help of some I could have never conducted my research and finish my thesis. So first of all, I want to thank my supervisor Prof. Dr. Monica den Boer. Thank you for all of our brainstorm sessions, your patience with me, and all the help you have given me. Second of all, my parents. Thank you for your unconditional support, love, and help. You have made this whole process a lot easier for me. Third, my boyfriend. Thank you for supporting me and understanding my situation. You, together with my parents, completely accepted the fact that I was stressed out most of the time, and I cannot thank you enough for that. Last but not least, I want to thank my colleagues at work. Thank you for the support and the shifts you took from me when I needed to work on my thesis. I can tell you that this extra time was used wisely.
4
Abstract
Since the developments of the electronic health record were stopped by the government sector (public sector), the Dutch Minister of Health Mrs. Schippers developed the electronic health record with the help of private organisations, resulting in the electronic health record becoming solely governed by organisations the private sector. However, this switch from public sector to private sector, from government to governance, and especially the effect of this switch on regulating data privacy and security of electronic health records never has been thoroughly studied. This study consists of desktop research, analysing the shift from government to governance, in light of four key concepts in the realm of governance studies, namely agencification, responsibilization, privatization, and decentralization. Furthermore, an expert survey was conducted to analyse the effects of the shift from government to governance in practice. The main findings were that the shift from government to governance was not supported by the government. However, governing the electronic health record became a complete privatised matter by this shift. The VZVZ, the organisation that proceeded the electronic health record’s developments in the private sector, gained full responsibility of the electronic health record and the government had nothing to do with it anymore. Findings of the expert survey show that in practice, it is not clear which actor holds prime responsibility for regulating data privacy and security. The VZVZ is the overarching organisation, but was not mentioned once by the respondents. Knowledge of the governance of the electronic health record, and regulating data privacy and security was not adequate. However, research on a larger, national, scale is needed to analyse whether or not knowledge is indeed inadequate, or that this is only the case in the organisation analysed for this study. Furthermore, the recommendation is given to invest in the knowledge of employees, as they work with the electronic health record on a daily basis. When the system is being hacked, or data is leaked, employees need to know to whom or what organisation to turn to. Therefore, more knowledge about the governance of the electronic health record and regulating data privacy and security, is needed.
5
TABLE OF CONTENTS
CHAPTER I: INTRODUCTION 7
1.1. Context of the problem 7
1.2. Central research question 9
1.3. Scientific and social relevance 9
CHAPTER II: THEORETICAL FRAMEWORK 12
2.1. Literature review 12
2.1.1. Governance studies 12
2.1.2. Technological studies 15
2.1.3. Policy studies 16
2.2. Conceptual framework 17
2.2.1. General overview of key concepts 18
2.2.2. Agencification 22
2.2.3. Responsibilization 23
2.2.4. Privatization 24
2.2.5. Decentralization 25
2.3. Differences and commonalities 25
CHAPTER III: RESEARCH DESIGN 28
3.1. Methodology 28
3.1.1. Desktop research 28
3.1.2. Expert survey 29
3.2. Operationalisation 30
3.3. Questionnaire 30
3.3.1. Explaining the questions 31
3.4. Respondents 33
6
CHAPTER IV: GOVERNANCE OF THE ELECTRONIC HEALTH RECORD 35
4.1. Overview of relevant actors in the Dutch health care sector 35
4.2. Electronic health record: What is it? 36
4.3. History of the electronic health record 36
4.4. Mapping governance trends of the electronic health record 38
CHAPTER V: FINDINGS 41
5.1. Respondents and the use of the electronic health record 41 5.2. Advantages and disadvantages of the electronic health record 42 5.3. Responsibility and design of the electronic health record 45 5.4. Cooperation, level of governance, and decentralization 47 5.5. Data management: Who or what organisation is responsible? 49 5.6. Role of the police in governing the electronic health record 50
5.7. Respondents’ recommendations 52
5.8. Summary of the findings 54
CHAPTER VI: CONCLUSION AND DISCUSSION 56
6.1. Perceptions of the electronic health record 56
6.2. Implications 57
6.3. Advice 59
REFERENCES 61
APPENDIX I – EXPERT SURVEY 66
APPENDIX II – TRANSLATION OF THE EXPERT SURVEY 68
APPENDIX III - LIST OF ABBREVIATIONS 69
7
CHAPTER I: INTRODUCTION
Security, privacy and governance are no new concepts (Kleinwächter, 2014). Nowadays, these concepts play an important role in many national and international issues, such as terrorist threats and cybercrime (Thomas & Loader, 2000). In this master thesis, the focus will lie on how these concepts evolve when analysing the electronic health record. In the following paragraphs, an outline of the context of the problem will be given, where after the research question will be discussed. Furthermore, the scientific and social relevance of this topic will be highlighted as an explanation as to why this study is of such importance.
1.1. Context of the problem
In January of this year, alarming news was revealed in The Netherlands considering careless handlings of hospitals with personal medical files. Personal, sensitive medical data of approximately 150000 Dutch and Belgian citizens was leaked due to a mistake of a company that was hired by hospitals to digitalise old medical patient files (Omroep MAX, 2016). More alarming was that some medical files were processed by detainees. The latter was not known, according to some hospitals (Blik op nieuws, 2016). The reason why this mistake was made in the first place, was because of the fact that Dutch hospitals wanted to digitalise their archives to spare costs and space and to make personal data of patients more accessible for doctors. However, the digitalisation process was outsourced. A company was hired to digitalise all the medical files and in addition, the company offered to do so for the lowest price. Yet, in return for this low price, labour-intensive preparations were carried out in social workplaces and prisons, including the Central Prison of Leuven in Belgium. This caused a lot of commotion, not only because citizens became afraid that their personal data would be easily accessible, but also because the digitalisation process may only be carried out by certified companies whose personnel signed a confidentiality agreement in advance, which was not the case in this specific situation. (Omroep MAX, 2016).
Unfortunately, just recently another incident occurred. After an investigation by the Dutch ‘Autoriteit Persoonsgegevens’ (literally translated as: Authority Personal Data), a Dutch newspaper revealed on May 31st 2016 that the Dutch health authority (NZa) unlawfully shared medical data with third parties from the Diagnosis Information System (DIS) (Volkskrant, 2016). According to the article, strict rules apply when sharing information stored in the Diagnosis Information System. Even though pseudonyms are being used to make it more
8 difficult to convert the data to individual situations, the data is not being anonymised. Therefore, the law of protection of personal data (in Dutch: Wet bescherming persoonsgegevens (Wbp)) applies. Based on this law, the conclusion of the investigation was that the Dutch health authority unlawfully shared information with other organisations (Volkskrant, 2016). Van Daalen (2012) even states that data leaks, whereby unauthorized persons and/or organisations get a hold of citizens’ personal data, are happening every day (p. 100). He states that, while citizens think they have privacy and freedom on the internet, this is actually not the case, as some laws have profound negative consequences considering one’s privacy (p. 101).
The ‘Vereniging van Zorgaanbieders Voor Zorgcommunicatie’, also known as the VZVZ, is the association that connects all independent actors with one another when it comes to the electronic health record. According to their website, the exchange of medical data in electronic health records is closely monitored. It is stated that unauthorized or unusual use of medical data is being monitored continuously. However, how this is done, remains unclear (VZVZ, 2016b). Furthermore, when personal data from an electronic health record is being requested for inspection to go over the data in an unlawful matter, the Dutch ‘Autoriteit Persoonsgegevens’ and the Dutch Inspectie voor de Gezondheidszorg (literally translated as: Inspection for the Health Care Sector) have the opportunity to act against the request (VZVZ, 2016b). However, it is not clear if unlawful or unusual behaviour is indeed being monitored continuously, if certain behaviour is only being monitored when it is mentioned by one of the involved actors or if random eventual unlawful and/or unusual behaviour is being monitored. Thus, how the supervision of eventual unlawful and/or unusual behaviour takes place in practice, remains unclear.
But what exactly does this have to do with security, privacy and governance and in specific with the electronic health record? The example described above shows the ambiguity of the distribution of responsibilities and accountability. It is not clear who or what organisation is responsible for an eventual security breach, let alone who is responsible for a digital security breach now that the health records are digitalized. Therefore, in this master thesis the focus will lie on the change in responsibility, accountability and the effects of the changes on privacy of citizens when analysing the switch from government to governance. What is exactly meant by this will be more thoroughly described in the following paragraphs.
9 1.2. Central research question
To analyse the change from government to governance and all the effects this change has had considering the electronic health record, the following central research question will be answered:
How can the change from government to governance be characterised in relation to electronic health records and what are the effects on the regulation of data privacy and security?
The objective is to give an insight in how the regulation of data privacy and security of the electronic health records look like in practice. By answering this central research question, it is assumed that more clarity can be given as to how the shift from government to governance has evolved and how concepts such as responsibility and accountability has transformed in practice. Thus, who or what was responsible and accountable and who or what is now responsible and accountable since the introduction of the electronic health record? Furthermore, the effects of this transformation will be analysed, resulting in a few recommendations for the further development of the electronic health record. The first part of the question, the change from government to governance, will be analysed by conducting a literature review, whereas the last part of the question, the effects of the change on regulating data privacy and security, will be answered by conducting an expert survey.
1.3. Scientific and social relevance
A lot has been said and done about the introduction of the use of the electronic health records in The Netherlands (Eerste Kamer der Staten-Generaal, 2011). In 2008, the Dutch Minister of Health Mrs. Schippers introduced the use of electronic health records, but the developments were stopped unanimously by the Dutch Senate in 2011. Despite this standstill, minister Schippers succeeded in continuing the developments with the use of private actors (Pharmaceutisch Weekblad, 2011). This resulted in many questions about the protection of privacy and a lot of criticism on this move towards the private sector. When analysing the existing literature on electronic health records and on privacy in general, one can state that a lot has been written about technology issues as to how a system can be optimised to protect one’s data (Wong, Cheung, Hung & Liu, 2008; Al-Saggaf & Islam, 2015). Furthermore, the main focus in the existing literature seems to lie on how policies such as the implementation of the electronic health record work in practice, but also on what the benefits and disadvantages are of the use of the electronic health record. Tummers, Vermeeren, Steijn and Bekkers (2012) for
10 example focus on conflicting roles when implementing a policy not supported by professionals, whereas Angst and Agarwal (2009) describe the benefits and disadvantages of implementing the electronic health record in general.
Still, an important part of the discussion around the electronic health record is currently underexposed in existing literature. Since 2012, the Dutch state is no longer responsible for the (data) infrastructure within the health care sector (Masman, Brabers, Reitsma-Van Rooijen & De Jong, 2012, p. 14). This responsibility lies in the hands of a private association formed by multiple organisations providing health care, named ‘Vereniging van Zorgaanbieders voor Zorgcommunicatie’ (VZVZ) (Rijksoverheid, 2015). This means that the VZVZ coordinates if and how personal medical data is shared and that the government has no influence on this process. Thus, the digitalisation of medical data lies in the hands of a private association and is not being regulated by the government (Masman, Brabers, Reitsma-Van Rooijen & De Jong, 2012, p. 14). But how are privacy and responsibilities in general being regulated? The answer to this question is currently missing in existing literature and that is why this master thesis is scientifically relevant. To work around the criticism considering the lack of privacy, the infrastructure of the electronic health record is arranged on a more local level. The infrastructure is divided into approximately 40 regions. Each region has access to the records from their region, meaning: A doctor working in region X does not have access to electronic health records from citizens living in region Y. The issue that rises here is that it is not clear who or what organisation is responsible for the protection of data. Is it the VZVZ, or are local general practitioners or hospitals responsible? Maybe even the company that provides IT security? Furthermore, it remains unclear why the regions are divided as they are. There are no clear arguments why there are approximately 40 regions and why boundaries are drawn as they are now. In addition, the regions can still change in size. Thus, the division of regions as it is now, is not final. Last but not least, even though it is stated that regions are constructed to share medical data on a more local level which will create a more trustworthy basis, it is possible for a health care organisation to be a part of multiple regions (VZVZ, 2016c). Thus, how trustworthy is the division of regions?
The answers to all the questions described above are also missing in current existing literature and that is why this study is not only scientifically relevant, but socially relevant as well. This study focuses on the regulation of data privacy considering the electronic health record. By analysing the responsibility and accountability when it comes to data privacy in electronic health records, the relationship between the public sector and private sector will be brought to light. Even though the government does not take responsibility anymore for the
11 health care (data) infrastructure, a lot of questions rise, some discussed earlier, due to the privatization of regulating the electronic health record with regard to the personal privacy and data integrity (Masman, Brabers, Reitsma-Van Rooijen & De Jong, 2012, p. 14; Rijksoverheid, 2015). Large parts of the population can potentially be affected by mismanagement of electronic health data. Therefore, one can question if the government should indeed not take responsibility for the health care (data) infrastructure, or that the government should do so.
12
CHAPTER II: THEORETICAL FRAMEWORK
In this chapter, the theoretical framework of this master’s thesis will be thoroughly described. First of all, the research question and sub research question will be described and explained, where after the already existing literature will be discussed. After that, the conceptual framework will be described. Concepts will be clearly defined and both differences and commonalities between these concepts will be described.
2.1. Literature review
As mentioned before, a lot of scientific literature has been written about the electronic health record (Angst, 2007; De Veer & Francke, 2009; Eerste Kamer der Staten-Generaal, 2011). Current studies discuss the technological aspects of the electronic health record, as well as practical issues when implementing a policy (Angst, 2007; Burris, Kempa & Shearing, 2008). Thus, a lot of aspects of the electronic health record have already been analysed. In this paragraph, existing scientific literature will be discussed. Important findings about the electronic health record will be brought to light, but the focus will also lie on underexposed aspects of the electronic health record in current scientific literature. Because the focus of the studies differ, the literature review will be divided into three parts, namely a governance part, a technological part and a policy part. By this division, a clear overview will be given. The selection of academic literature will be shortly described in chapter III.
2.1.1. Governance studies.
Governance is one of the most important concepts in this study, due to the fact that the effects of the shift from government to governance considering the electronic health record will be analysed. But what exactly is governance? What does it hold? Burris, Kempa and Shearing (2008) define governance as “the management of the course of events in the social system” (p. 9). This however is a broad definition which is not really usable when studying something specific like the electronic health record. Burris et al. (2008) however specify this definition by focusing on three main elements, namely 1) institutions, 2) methods of power, and 3) constraints on governors. The focus on element one, institutions, simply holds analysing the shift from one institution to another exercising governance control (p. 5). This may be the shift from an organisation in the public sector to an organisation in the private sector. However, it may also hold a shift between organisation solely in the public or private sector. Considering the methods of power, governance is an ever changing concept. In the case of the electronic health record,
13 Minister Schippers turned to private actors to develop the electronic health record when the Dutch Senate (the public sector) unanimously ordered to stop the developments (Pharmaceutisch Weekblad, 2011). The method of power shifted from (the use of) the government to the use of private actors. Last but not least, the constraints on governors change as well. Governance systems change, together with social norms, technology, accountability, and transparency. All these concepts are connected with time. Due to changes in time, these concepts change as well (Burris et al., 2008, p. 5). For example, technological developments have grown rapidly over the last years. Thus, the type of governance, including its constraints and possibilities, depends on the time one lives in.
Whereas Burris et al. (2008) focus on the concept of governance in general, Kooper, Maes and Roos Lindgreen (2011) have a slightly different focus on the concept of governance, as they discuss the concept of information governance. According to them, due to the enormous growth of digitized data inside and outside organisations and due to the growth of possibilities to access this data, organisations have become aware of the need for governance of their data (p. 195). They furthermore highlight an interesting observation of current practice, namely that many organisations, if not all, lack an encompassing information governance policy (p. 196). This seems to mean that the governance data and thus data privacy is not regulated adequately. Beeuwkes, Buntin, Burke, Hoaglin and Blumenthal (2011) focus on governance of the electronic health record. In their study, Beeuwkes Buntin et al. (2011) draw on the example of the HITECH (Health Information Technology for Economic and Clinical Health) Act, a United States’ law passed by Congress and signed by President Barack Obama in 2009 to accelerate the use of health IT. The HITECH Act consists of multibillion dollar incentive payments, encouraging hospitals and health professions to adopt and use certified electronic health records. The law also established programmes for hospitals, doctors, physicians et cetera or guidance when it comes to technology. By doing so, the chance of a meaningful use of the electronic health record becomes bigger. This example shows that governing the electronic health record can be done on a national level.
Garde, Knaup, Hovenga and Heard (2007) state that governing the electronic health record can be done both in a formal as well as in an informal way. Simply put, it does not really matter who or what governs the electronic health record, as long as it is domain knowledge based governance. Domain knowledge governance is being defined as “[…] comprising all tasks related to establishing or influencing formal and informal organizational mechanisms and structures in order to systematically influence the building, dissemination, and maintaining of knowledge within and between domains”. To support the domain knowledge governance,
14 Garde et al. (2007) focus on the standardisation of archetypes. For each sector within the health care sector, a standard archetype of the electronic health record is build up by domain experts to create and change the knowledge in archetypes. This means that the way electronic health records are built up can be controlled by using designed structures to show the required clinical data and assuring that all constraints within a programme are being observed if not solved. But why are domain knowledge governance and the use of standard archetypes so important? According to Garde et al. (2007) there is an international desire to develop and implement interoperable health information systems and electronic health records. Thus, by the use of domain knowledge governance with the use of archetypes, systems will become alike, making it easier to work with the systems, but also making it easier to cooperate with colleagues from other organisations within or outside the country.
Besides the fact that Canada’s Health Informatics Association (2013), as well as Garde et al. (2007), is also of the opinion that only one system should be used for the use of electronic health records, they make an important statement about the concept of governance. According to their study, confusion prevails when it comes to the division of roles, accountability and authority (p. 9). Thus, it is not clear who or what fulfils what role, who or what is accountable in which situation, et cetera. The use of electronic health records however requires collaboration and decision making that crosses traditional borders in the health care sector (p. 14). To optimise cooperation and governance, Canada’s Health Informatics Association (2013) recommends that a shared definition of the electronic health records is being used. Furthermore, the use of an adequate model that supports the electronic health record system is needed and it is of importance that the focus will continuously lie on the future so that organisations can adapt in a responsive manner when changes are emerging (p. 14). These are interesting recommendations that do somewhat conflict with the conclusions drawn by Zalnieriute (2016). She states that it is not that simple for especially international organisations to adapt and cooperate over data privacy regulations (p. 31 & p. 32), and even when data privacy authorities do adapt, the question still remains if these adaptations have effective results (p. 53). Thus, it is not as easy as it sounds, according to Zalnieriute (2016). It is interesting however that these conclusions and recommendations conflict, thus both sides shall be analysed on the basis of the results of this study.
Based on the studies described above, governance is not only a matter of implementing policies, but it is also a matter of clear rules and agreements as to who or what is responsible, clear cooperation, and analysing the effects of the implementation as well (Garde et al., 2007; Burris et al., 2008; Canada’s Health Informatics Association, 2013).
15 2.1.2. Technological studies.
In the study done by Angst (2007), the likelihood of hospitals to adopt a technology like the electronic health record is being analysed. The assumption Angst (2007) holds, is that electronic health records may address many problems in the health care industry and thus are potentially valuable. Problems one can think of are patient safety, medical errors, and escalating costs. Nevertheless, the adoption of electronic health records by hospitals is a slow process (p. 11). This assumption is supported by previous studies (England, Stewart & Walker, 2000; Ash & Bates, 2005). Angst’s (2007) hypothesis is that the likelihood of adopting the electronic health record – and all technological aspects that come with it – is determined by two factors, namely 1) “the presence and concentration of complementary health information technologies”, and 2) “the level of experience that the hospital has with these technologies”(p. 10). Based on data drawn from a survey spanning 1970 to 2004 of approximately 4000 hospitals in the United States of America, Angst (2007) found that the likelihood of adopting (the technology of) electronic health records is positively related to the presence and concentration of complementary information technologies. Furthermore, the likelihood of adopting (the technology of) the electronic health record is higher when hospitals are spatially located close to other hospitals working with electronic health records (p. 13). Thus, based on this information, the implementation of the electronic health record not only seems to be an aspect of policy, but of technological possibilities and know-how as well.
This assumption is supported by Beeuwkes Buntin et al. (2011). As well as Angst (2007), they also state that health information technology may solve existing problems. According to them, “health information technology has the potential to improve the health of individuals and the performance of providers, yielding improved quality, cost savings, and greater engagement by patients in their own health care” (p. 464). However, they also note that organisations require an information technology infrastructure to coordinate care, but the human element is critical to health information technology implementation as well (p. 470). This means that it is not simply the implementation of technology that makes the electronic health record a success, but the success also holds the ability of employees to work with electronic health records in a correct way (Beeuwkes Buntin et al., 2011).
De Veer and Francke (2009) also emphasize this duality. Based on a panel survey distributed among approximately 1000 nurses, they conclude that a large part of the panel is unfamiliar with technology in general (p. 36). In addition, they state that not everyone who works in the health care sector is enthusiastic when it comes to implementing information technology, which is partly due to the fact that some have no knowledge of technology or
16 computers at all. Furthermore, it may occur that the technique does not work properly or that is does not match with daily work (p. 34). In this situation, the technology seems to be more of a burden instead of it functioning as a support system.
The three studies described above provide an indication of the findings concerning the technology behind the electronic health record. However, these studies represent the overall conclusion that the implementation of technology depends on multiple factors. Not only does a successful implementation of the electronic health record depends on technological possibilities and technological infrastructure within an organisation, but it also depends on the willingness and knowledge of employees (Angst, 2007; Beeuwkes Buntin et al., 2011; De Veer & Francke, 2009).
2.1.3. Policy studies.
Tummers, Steijn and Bekkers (2012) analyse the willingness of public professionals to implement public policies, because as they state, when public professionals are unwilling to implement a policy, the effectiveness of the policy is likely to be decreased, what eventually will influence the legitimacy of the government (p. 716-717). Tummers et al. (2007) draw on multiple factors to determine the willingness of implementing policies by public professionals. These factors are 1) the policy content and discretion, 2) the organizational context, and 3) personality characteristics of the implementers. Even though Tummers et al. (2007) do not specifically focus on the electronic health record, the three factors are important when analysing (the success of) the electronic health record.
When looking at the example of the HITECH Act described in paragraph 2.1.1., one can see that by the means of incentives, the health care sector was tried to encourage to implement the electronic health record system (Beeuwkes Buntin et al., 2011). Based on the factors described by Tummers et al. (2007) one can ask if this is discrete? Furthermore, analysing the personality characteristics, will an incentive have the desirable effect? When one is not at all sensitive for an incentive, the HITECH Act might not achieve its purpose.
In the article of Tummers et al. (2007) the following conclusions are drawn. Policy content is the most important factor in explaining the willingness to implement a policy. However, both organizational context as well as personality characteristics are influential and thus should be taken into account when wanting to implement a policy (p. 730). Furthermore, they concluded that when professionals do not see benefits for themselves, these professionals were less willing to implement the policy. Thus, in the case of the HITECH Act, when a professional does not see the benefits of an incentive, he or she might be less willing to
17 implement the policy. In addition, when professionals feel that a policy does not contribute to societal goals as transparency or increasing patient choice, they were far less willing to implement the policy (p. 731). Therefore, a policy in itself is not only influential, but how the policy is perceived by public professionals is important as well.
Whereas Tummers et al. (2007) focus more on policy implementations in general, Deutsch, Duftschmid and Dorda (2010) focus on policy implementations considering the electronic health record, whereby they compare multiple countries. They state that electronic health record programs are complex and need several years of time and high investments to implement in a successful way (p. 211). According to Deutsch et al. (2010), the implementation of electronic health records does not go without any problems. Countries that are further into the process of implementing electronic health record systems experience problems such as a slow progress of the projects, discussions about the implementation strategy, resistance health care sector and questions about large investments and priorities (p. 212). However, these problems did not occur in the health care sector as a whole, but instead occurred in small sub-areas of the sector. In these cases, it was not only a matter of coping with technology, but also coping with strategic, organizational and human challenges (p. 218). This finding is supported by the studies by Angst (2007), Beeuwkes Buntin et al. (2011), and De Veer and Francke (2009).
All studies described above somewhat overlap in their findings and conclusions. What all studies lack however, is an insight of experiences of employees when it comes to the electronic health record. When experiences of public professionals are being analysed, this is done by policy implementations in general, or it is done in a quantitative manner with a lack of in-depth insight (Tummers et al., 2007; Beeuwkes Buntin et al., 2011, Canada’s Health Informatics Association, 2013). Therefore, it is of importance that a qualitative, in-depth insight is being given as well and that is what will be tried to be done with this research.
2.2. Conceptual framework
In this paragraph, the most important concepts that will be analysed and applied in this master’s thesis will be thoroughly explained. By doing so, it will be clear what is meant by certain concepts and it will be clear which definition of a concept is used in this particular study. First of all, a general overview will be given of all key concepts, where after four key concepts will be highlighted to describe these concepts with more detail. At last, the differences and commonalities between these four concepts will be construed, to make sure it is clear how these concepts take form in view of concepts such as governance, security and privacy.
18 2.2.1. General overview of key concepts.
To answer the research question, some key concepts need to be clearly defined. Privacy is an ambiguous concept for example, taking different forms and having different definitions in different situations. The same goes for concepts such as agencification, responsibilization and privatization. To be as transparent as possible about the definitions of key concepts used in this master thesis, all key concepts will be clearly defined in Table 1.
19 Table 1
Definition and indicators of key concepts
Concept Definition Indicators Data source(s)
Privacy The right of being respected in one’s life, the life of one’s family, house and correspondence without the interference of authorities or companies
Not being disrupted for no reason considering one’s whereabouts in one’s life (including house and correspondence) by authorities or companies
Art. 8 EVRM
Data privacy The right of being respected in one’s online life and correspondence without the interference of authorities or companies
Not being disrupted for no reason considering one’s whereabouts in one’s online life (including correspondence) by authorities or companies
Art. 8 EVRM
Security Protection of a person, organisation, or country against whatever threat there may be
Feelings of safety and security (subjective)
CCTV cameras, police watch, neighbourhood watch, software on an electronic device (for example a virus scanner) (objective)
Muller, Van Der Leun, Moerings & Van Calster (2010)
20 Governance The management of the course of events in the
social system
A shift in forms of management through 1) institutions, 2) methods of power, and 3) constraints on governors
Burris, Kempa & Shearing (2008)
Agencification A shift in governance from policies and tasks from the public sector to autonomously governed, semi-public organisations
Structural disaggregation and/or the creation of ‘task specific’ organizations
Performance ‘contracting’ - some form of performance target setting, monitoring and reporting
Deregulation (or more properly reregulation) of controls over personnel, finance and other management matters
Majone (1997); Moynihan (2006)
Responsibilization A partial or complete shift from responsibilities from the public sector to the private sector and/or individual citizens to fulfil (a part of) their tasks, without the public sector intervening or playing any role in fulfilling these tasks Thus, there are no
Partial or complete integration of private actors (individual citizens and/or organisations) in the industry concentrated on their field of expertise
21 differences and there is no form of hierarchy
between the public sector and the private sector
No differences between the public and private sector when it comes to tasks, responsibilities, and accountability
No form of hierarchy between the public sector and private sector
Privatization The act of reducing the role of the government and increasing the role of the private institutions of society in satisfying people’s needs, meaning relying more on the private sector and less on government
A full shift from tasks, including responsibilities, from the public sector to the private sector
Savas (2005)
Decentralization Restructuring/reorganising authority, resulting in a system of co-responsibility between institutions of governance at the central, regional and local level, with the objective to improve the overall quality and effectiveness of the system of governance, while increasing the authority and capacities of sub-national levels
A formal partial or complete shift in authority from a national and/or regional level to a regional and/or local level
Co-responsibility between different levels of authority
UNDP (1999); Ribot, Agrawal & Larson (2006)
22 The analysis of the developments of the Dutch electronic health record, concentrating on both the positive and the negative effects, can be done from multiple theoretical perspectives. Below, four theoretical approaches that are shortly described in Table 1, will be further elaborated as these theories give an insight in multiple aspects of the electronic health record, such as governance and security. These theoretical approaches are 1) agencification, 2) responsibilization, 3) privatization, and 4) decentralization. It is not only important to understand what the possible negative and positive sides are, but it is of greater importance perhaps to analyse and understand the effects these positive and negative sides have on governance and security in The Netherlands. By analysing the four theoretical approaches, concepts as governance and security will be further explained in light of the electronic health record.
First, the reason as to why these four theoretical approaches are chosen will be given. As shown in Table 1, the definition of governance as defined by Burris, Kempa and Shearing (2008) is as follows: “The management of the course of events in the social system” (p. 9). Because this study focuses on the concept of governance, theoretical approaches were needed to eventually answer the central research question. In order to adequately do so, these theoretical approaches needed to cover the concept of governance completely. One theoretical approach would thus not be sufficient, as the concept of governance not only hold a shift from policies and tasks from the public sector to autonomously governed, semi-public organisations (agencification), but also focuses on the shift from policies and tasks to the private sector (privatization) (Burris, Kempa & Shearing, 2008; Majone, 1997; Savas, 2005; Moynihan, 2006). Therefore, the choice has been made to focus on the four theoretical approaches of agencification, responsibilization, privatization and decentralization as these theoretical approaches fully cover the concept of governance.
2.2.2. Agencification.
Agencification is not a new concept, as it has already been introduced in the 1970’s as a part of the new model of governance. This new model of governance also consisted of concepts such as privatization and deregulation and mainly focused on the (partial) shift of policies and tasks from the public sector to the private sector (Majone, 1997). He stated that it can be difficult for politicians to implement and develop a certain policy due to a lack of time because of regular elections every few years. Semi-public and/or private actors are not limited by such a timeframe, as they are not dependent on elections. In short, one can thus state that private actors are sometimes more free in their actions, whereas public actors are not.
23 Moynihan (2006) also states that the concept of agencification is strongly related to the managerial model of New Public Management (NPM). Based on criteria given by Talbot (2004), Moynihan (2006, p. 1029) gives three criteria that define the concept of agencification, namely:
Structural disaggregation and/or the creation of ‘task specific’ organizations;
Performance ‘contracting’ - some form of performance target setting, monitoring and reporting;
Deregulation (or more properly reregulation) of controls over personnel, finance and other management matters.
When analysing the developments of the electronic health record in The Netherlands, private agencies established the overarching organisation VZVZ, after failing to develop the electronic health record in the public sector due to a lack of trust (NRC, 2010). In light of the three criteria of Moynihan (2006), controls over personnel, finances et cetera deregulated. All of the sudden, an overarching organisation called the VZVZ that was created to develop the electronic health record, consisting of multiple organisations, had the task to construct the electronic health record in a successful way and the government had nothing to do with it anymore (Pharmaceutisch Weekblad, 2011; VZVZ, 2016). This shift in governance may have caused deregulation. The other two criteria defined by Moynihan (2006), creating ‘task specific’ organizations and performance ‘contracting’, were irrelevant in the case of the electronic health record in The Netherlands, as there were no ‘task specific’ organizations and there was also no performance ‘contracting’.
2.2.3. Responsibilization.
The theory of responsibilization holds that the private sector and/or individual citizens are given (full) responsibility by the public sector to fulfil a part of their tasks, without the public sector intervening or playing any role in fulfilling these tasks. One example holds that the state (public sector) cannot provide security on its own and therefore needs private actors to fulfil the task of providing security. By doing so, these private actors become responsible for a part of the provision of security. The concept of responsibilization holds that private actors or individual citizens are fully integrated in the industry concentrated on their field of expertise. Thus, there are no differences and there is no form of hierarchy between the public sector and the private sector (Spearin, 2010). However, the latter can cause some friction, as being responsible does
24 not mean one can be held (fully) accountable for one’s actions. This means that when something goes wrong, there is a possibility that the public sector can be held accountable.
When analysing the developments of the electronic health record through the lens of responsibilization, the findings are twofold. The private sector currently has full control over the electronic health record and its developments, but this full control has not willingly been given by the public sector. Instead, by establishing the VZVZ, private actors somewhat claimed “hijacked” the concept of the electronic health record and decided for themselves to proceed with its developments, even though the public sector stopped its developments due to financial risks and privacy issues (NRC, 2010; Pharmaceutisch Weekblad, 2011). Thus, even though the concept of responsibilization is recognisable in the process of developing the electronic health record, the role of the public sector is not as it should be according to the concept of responsibilization. The difference lies in the willingness of the public sector, as it is lacking in the case of the electronic health record, but is a criterion for the concept of responsibilization.
2.2.4. Privatization.
The concept of privatization somewhat coincides with concepts such as agencification and decentralization, however there are some core differences. These will be discussed at the end of this chapter. Savas (2005) thoroughly describes numerous definitions that have been given to the concept of privatization by different countries, corporations and government agencies. However, one clear-cut definition is missing. Savas (2005) starts off by stating that the concept of privatization is much more than a financial or managerial action. According to him, it is a position concerning the roles and relationships of the private sector and the public sector. Thus, Savas (2005) defines the concept of privatization as follows:
“Privatization is the act of reducing the role of government or increasing the role of the private institutions of society in satisfying people’s needs; it means relying more on the private sector and less on government” (p. 2).
Savas (2005) adds that it is more logical to talk about a public-private partnership instead of privatization, as both the public sector and the private sector play important roles in the success of privatization. The concept of privatization implies that the public sector does not have anything to do with the particular sector (anymore). However, this is not true according to Savas (2005).
25 When analysing the developments of the electronic health record in The Netherlands, one can state that the public-private partnership is not as optimal as Savas (2005) states it can be, because the electronic health record has been further developed by private companies when the Dutch Senate rejected the bill (Pharmaceutisch Weekblad, 2011).
2.2.5. Decentralization.
The concept of decentralization takes on different forms in different sectors. However, when analysing decentralization in a governance point of view, the following definitions suit best:
“[…] Decentralization, or decentralizing governance, refers to the restructuring or reorganization of authority so that there is a system of co-responsibility between institutions of governance at the central, regional and local levels according to the principle of subsidiarity, thus increasing the overall quality and effectiveness of the system of governance, while increasing the authority and capacities of sub-national levels” (UNDP, 1999, p. 2).
An academic definition is given by Ribot, Agrawal and Larson (2006). According to them, the definition of the concept of decentralization is as follows:
“[…] Any political act in which a central government formally cedes powers to actors and institutions at lower levels in a political-administrative and territorial hierarchy” (p. 1865).
In other words, the concept of decentralization holds a formal shift in authority from a central level to a regional and/or local level. Oftentimes, this holds a shift from only one or a few government organisations to numerous government organisations. An example is a shift from the state (national level) to multiple municipalities (local level).
The concept of decentralization mainly focuses on multiple levels of governance in the public sector, however, it does not focus on the private sector. However, what is interesting in sight of the electronic health record, is the possible role of local governance. One of the questions that will be addressed is if the electronic health record only plays a part in the private sector, or that it plays a part in the public sector as well, perhaps on a local or regional level.
2.3. Differences and commonalities
As mentioned earlier, the four concepts described above coincide with one another, but also have some core differences. In this paragraph, both these differences and commonalities in view
26 of concepts as governance, security and privacy will be described more thoroughly. One of the biggest commonalities for example is that all four concepts hold a shift from tasks from a central level of government towards a more fragmented level of governance.
However, whereas both concepts of responsibilization and privatization focus on the shift and/or cooperation between the public sector and the private sector, the concepts of agencification and decentralization do not (Majone, 1997; UNDP, 1999; Savas, 2005; Spearin, 2010). Within the concept of agencification and decentralization the focus does however lie on a shift of tasks from a central actor to multiple local and/or regional actors. Still, the difference between these actors does not specifically need to be a public versus private one. Agencification and decentralization can solely take place in the public sector or private sector as well.
But how does this difference takes form when analysing the electronic health record and the roles each actor fulfils? The difference when analysing the whole process of the electronic health record is that the electronic health record was never actually governed by the public sector, as its legislation was never ratified. This was the reason to shift to the private sector, to continue with developing the electronic health record. Even though the governance of the electronic health record was privatised, this was never a choice made by the public sector (NRC, 2010; Pharmaceutisch Weekblad, 2011). The private sector became responsible for the electronic health record, without the interference of the government. Once the electronic health record was privatised, concepts of agencification and decentralization started to play a role. The VZVZ, consisting of multiple agencies, governed the electronic health record and eventually the VZVZ started working on a more local, decentralized level to increase citizens’ trust in the use of the electronic health record (VZVZ, 2013; VZVZ 2016a). Figure 1 shows this process, including the role of the four concepts described above. The whole process of the electronic health record will further be thoroughly described in chapter IV.
27 Figure 1. Overview of electronic health record development process including key concepts.
28
CHAPTER III: RESEARCH DESIGN
In this chapter the research design of the master thesis will be discussed. This chapter consists of three paragraphs, namely operationalisation, methodology and participants. In the first paragraph, key concepts will be operationalised resulting in indicators to measure the key concepts used. In the second paragraph, the research methods will be thoroughly described as well as the reasons why the particular research methods are being used. In the last paragraph, the participants will be described and an explanation will be given as to why the particular group of participants is chosen for this type of research.
3.1. Methodology
During six months, from November 2015 up to May 2016, research was performed at the University of Leiden at the Faculty of Foreign Affairs in order to finish this Master thesis about the governance of the electronic health record. The first three months served as time so set up the case study design. The last three months served as the actual time available to conduct the research. The master thesis consists of a holistic single case study design (Swanborn, 2010). The unit of analysis is electronic health records used in the health care sector in The Netherlands. The focus will solely lie on this unit of analysis and the results will not be compared to other countries. The reason why the focus will solely lie on this particular unit of analysis is partly due to practical reasons, the researcher lives in this country. Furthermore, in the existing time frame it would not be feasible to focus on more countries. The unit of observation is the addiction care sector of The Netherlands. There are multiple reasons as to why this is the unit of observation, namely because this particular sector works with electronic health records. Furthermore, the reason for this particular unit of observation has two practical reasons. First of all, this sector seemed most accessible due to the network of the researcher and furthermore, due to the time frame it was more convenient to zoom in on one sub-domain within the health care sector instead of focusing on the health care sector as a whole.
3.1.1. Desktop research.
As a start, desktop research was conducted to analyse the change from government to governance and the effects this change has had when it comes to regulation privacy and security of electronic health records. What was the situation before and what does it look like now and why has it changed? Furthermore, what are the effects of these changes? In specific, who is
29 now responsible for protecting data privacy when something goes wrong? Who can be held accountable?
The University database was used to find most of the scientific literature. Sometimes articles were found by using the author’s name, however most of the time literature was found by the use of terms as electronic health record, governance of the electronic health record, privatization of the electronic health record, and technology of the electronic health record. Furthermore, these terms were also used online to retrieve important websites such as the website of the VZVZ, or to find online newspaper articles reporting about important changes in (the governance of) the electronic health record. Furthermore, the website of the government was consulted, to search for important (legal) documents about the electronic health record.
By conducting the desktop research, existing studies and reports could be analysed in order to find the answers to the questions mentioned above and to find information contributing to answering the central research question. These results can be found in chapter II. However, in order to shed new light on the current situation of the electronic health record, an expert survey was conducted to answer the questions described above and to answer the central research question. More information about the expert survey can be found in the paragraph below.
3.1.2. Expert survey.
The main focus of the expert survey lied on the governance of the electronic health record and in specific on how data privacy and security of the electronic health record are being regulated in practice. The survey was handed out to experts working in the field of social health care, so that they could share their experiences considering the electronic health record. Through an acquaintance in the network of the researcher, who works in the sector of addiction support service of the health care sector, the expert survey was distributed. Thus, the distribution of the expert survey was done using the snowball method, wherein the researcher uses the network of the respondent (Bijleveld, 2009). The expert survey was distributed digitally as well as on paper and the process of distributing and receiving the filled in survey took approximately a month of time. The distribution started in the second week of March 2016 and all the expert surveys were collected again in the third week of April 2016. The survey can be found in Appendix I and the translation of the survey in Appendix II.
The type of research conducted was qualitative, explorative research, because the survey consisted solely of open questions which focused on experiences and opinions of the experts that participated. Furthermore, the conducted research was of explorative nature, since the
30 current circumstances and experiences of regulating data privacy and security were being analysed.
3.2. Operationalisation
The operationalisation of the key concepts can be found in Table 1 in chapter II. Based on the analysed literature and based on existing, international law and legislation, the key concepts were defined and indicators were selected. The concepts in Table 1 were chosen as key concepts, as they all played a big role in this Master thesis. Without defining these concepts with clear indicators, it was impossible to answer the central research question.
Furthermore, the findings of the expert survey were entered in the statistics program SPSS. Because the expert survey solely consisted of questions with open answers, and thus not multiple choice questions, answers first needed to be categorised. After doing this, the findings could be entered and analysed.
3.3. Questionnaire
The expert survey consisted of a questionnaire with a total of 11 questions (see Appendix I and II). It was a conscious decision to pose 11 questions, as this was the number of questions needed to get a clear image of the respondent and his/her opinion about the electronic health record in practice. Furthermore, a limit of 12 questions was set in advance by the researcher to make sure that the questionnaire would not become too long, risking the discouragement of the respondents in answering the questions of the expert survey as answering these questions may have taken too much of their time. For some questions, the key concepts described in paragraph 2.2.2. up to 2.2.5. (agencification, responsibilization, privatization and decentralization) were taken into account and these questions were specifically asked to analyse how these key concepts took form in practice. The goal was to not let the questionnaire take up more than approximately 10 minutes of the experts’ time, as the acquaintance of the researcher in the network predicted that the respondents would be more willing to participate when the questionnaire would not take too much time. In the paragraph below, for each question a short explanation will be given as to why these questions were asked.
The expert survey offered complete anonymity. Names of the respondents and names of companies were left out to make sure that the answers given were as honest as possible. Furthermore, this was done to gain the trust of the respondents and the organisation. When discussing the results, not one company name or name of the respondents will be given. Because
31 this study consists of explorative research, it is not necessary to name the names of companies and respondents. Therefore, the choice for guaranteeing anonymity was a conscious decision.
3.3.1. Explaining the questions.
In this paragraph, each question of the expert survey will be shortly explained to clarify the reasons why these questions were asked.
Question 1 – What is your function within your organisation?
This question was asked to get an image of the respondent and to make sure that the respondent was in fact someone who works with the electronic health record.
Question 2 – For how long does your organisation work with electronic health records? Question 2 was asked to get an image of the company and to analyse their experience with the electronic health record.
Question 3 – What are, according to you, the advantages and disadvantages of the electronic health record?
This question was asked to analyse the main advantages and disadvantages of the electronic health record and to analyse whether or not there were differences between respondents considering the advantages and disadvantages. Perhaps perceptions of the advantages and disadvantages differ per division within the organisation.
Question 4 – Who or what organisation is responsible for securing the electronic health record? Question 4 served as a question to analyse whether or not respondents knew who or what organisation is responsible for the security of the electronic health record. Furthermore, this question was asked to analyse whether or not answers were the same. Did everybody think it is the same person or organisation, or are there differences in answers? When analysing the key concepts, this question focused on responsibilization of the governance of the electronic health record in practice.
Question 5 – What organisation designed the system of the electronic health record you are currently working with?
This question was asked for the same reason as question 4 was asked, thus to analyse whether or not respondents knew who designed the system and to analyse whether or not answers were
32 the same or if they differed. Furthermore, this question both focused on the responsibilization and the agencification of the electronic health record.
Question 6 – With what organisations do you work together when it comes to the electronic health record?
This question was asked to analyse the cooperation between different organisations considering the electronic health record. Do companies work together, do they share information, or does this not happen at all in practice? By asking this question, the concept of decentralization was tried analyse in practice.
Question 7 – Can you tell if the organisations mentioned at question 6 are local or national organisations and if these organisations are private or public organisations?
Question 7 was asked to analyse whether or not respondents knew what organisations functioned on what governmental level (local, regional or national) and to analyse whether or not respondents knew if the organisations were private or public organisations. Furthermore, this question was asked to analyse how the cooperation between different organisations takes form in practice. This question focused on the key concepts of privatization, agencification, and decentralization.
Question 8 – Can you tell if there has been a case of decentralization recently within the sector that works with the electronic health record? If so, can you shortly describe how the decentralization took place?
This question was asked to analyse if respondents knew if decentralization took place and if so, how this took place. This question tried to give an insight in if and how respondents recognized eventual changes in governing the electronic health record and focused on the key concept of decentralization.
Question 9 – Who or what organisation is responsible for the data management, for example when a data leak occurs?
Question 9 was asked in light of security and what happens if data is not been successfully secured and a data leak occurs. Not only was this question asked to let respondents think about the security of the data they work with, but also to let them think about who or what organisation is responsible for securing data. This question thus focused on the key concept of responsibilization.
33 Question 10 – Do you think it is a good idea to give police officers insight in electronic health records, for example to facilitate the investigation? If so, why? If not, why?
As well as question 9, question 10 focused on the security of data, but from another point of view. Would the insight of police officers in electronic health records contribute to their investigations and thus perhaps contribute to the security of society? Question 10 was asked to allow respondents to reflect about this situations and to share their opinion about this situation in order to analyse possible options of sharing electronic health records with the police.
Question 11 – Do you have specific recommendations regarding the electronic health record? If so, what are your recommendations?
The last question was asked to see if respondents had any specific recommendations regarding the electronic health record based on their experiences with the system thus far. By asking this question, possible cohesion between the answers could be analysed. Do all the respondents have the same recommendations, or do the recommendations differ per function and/or division within the organisation?
3.4. Respondents
The respondents who filled in the expert survey are all experts within the field of social health care, in specific the addiction support service. From all of the respondents who were approached, 13 respondents have participated in this study. As mentioned earlier, the reason why these group of participants was chosen was partly due to practical reasons as the researcher knew someone in the addiction health care sector. However, not only that. Even though the health care sector as a whole would benefit from a thorough regulation of data privacy and security, the addiction health care sector probably does even more because of the highly sensitive personal data. In all cases personal data should be protected with equal care, but the latter case does influence a person’s social life and work life more when the data is not handled with care. This was also the reason why the decision was made to focus on the addiction care sector, as data privacy and security in this sector is particularly important. Recommendations based on this study could perhaps benefit other sectors within the health care sector as well.
There was a limited number of respondents. However, 13 of the approached respondents did participate with the help of the researcher’s acquaintance in the addiction health care sector, due to the fact that the acquaintance already had her contacts and knew the respondents. However, the health care sector as a whole is not easy to approach when it comes to expert surveys. A lot of doctors and general practitioners, and thus also doctors working in the
34 addiction health care sector deal with limited time and a lot of tasks that need to be completed. A survey is not something they are particularly willing to spend their time on, as their time is already limited as it is. For this Master thesis, the researcher therefore needed to use her contacts with her acquaintance to distribute the expert survey in the addiction health care sector, however there was a risk of a low N. The researcher did however strive to approach at least 10 respondents and in the end the number of respondents became 13.
3.5. Validation
As mentioned in the paragraph above, by conducting this research the risk of a low N was high. People in the health care sector are not that easy to approach and are not all willing to participate, as they have a lot of tasks which all need to be due in a short amount of time. However, the researcher has noticed that having contacts with people in the health care sector helped her to approach the 13 respondents that participated in this study. Yet, because of the small N (13), the results of this Master thesis are not externally valid as the N is too small. The number of 13 respondents is not a representative number for the health care sector as a whole and thus, the outcome of the research generalized to the whole health care sector (Bijleveld, 2009, p. 45). The choice was made in advance to not conduct an externally valid research design, due to the limited time frame. The researcher had only three months to conduct the research, which was not enough to approach enough employees in the health care sector.
The construct validity of the research conducted is however high, as the most important key concepts are included in the survey to analyse the experiences of participants. The concepts described in Table 1 are defined based on legislation and scientific literature, where after these concepts were measured by the questions asked in the expert survey. Based on this approach, the internal validity is considered high, as concepts were clearly defined and thus, the concepts that needed to be measured, have been subject to a validation process (Bijleveld, 2009, p. 41-44).
