Data Privacy Risk Governance in Hospital Management Information System: A Proposed Framework for Hospital in Padang

Muhammad Galing Ganesworo, Raden Aswin Rahadi

Abstract


The implementation of Hospital Management Information Systems (SIMRS) in Indonesia has been mandated by the Ministry of Health as part of the digitization of hospital operations and infrastructure, covering service quality, operational efficiency, and the security of patient care, especially for electronic medical records (EMRs). This digital transformation of the healthcare sector requires the integration of information security and data privacy governance, and this study develops a framework for managing privacy risk in that context. The study is grounded in three guiding frameworks that form its foundation: COSO Enterprise Risk Management (ERM) 2017, ISO/IEC 27701:2019, and Indonesia's Personal Data Protection (PDP) Law No. 27/2022. Using a qualitative case study approach, data were collected through in-depth interviews with five stakeholders and examined through thematic analysis, which revealed five core themes: (1) Governance and Leadership in Privacy Risk, (2) Privacy Risk Identification and Assessment, (3) Privacy Controls and Operational Safeguards, (4) Monitoring and Incident Management, and (5) Compliance with Legal and Regulatory Requirements. The analysis found fragmented privacy practices, a lack of proactive governance, and low awareness of regulatory obligations. In response, the study proposes a phased improvement plan to raise the hospital's digital maturity, including appointing a Data Protection Officer (DPO), developing privacy SOPs, and conducting the required privacy assessments, so that the hospital can make progressive, trackable and measurable progress toward regulatory expectations. The resulting governance model is scalable and replicable for other hospitals in Indonesia facing similar difficulties, and it underscores the need for a data governance model. Ultimately, this framework supports patient safety, data protection, and sustainable digital health transformation.


DOI: https://doi.org/10.31294/widyacipta.v9i2.26065

Copyright (c) 2025 Muhammad Galing Ganesworo, Raden Aswin Rahadi

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Published by LPPM Universitas Bina Sarana Informatika with support from Relawan Jurnal Indonesia

Jl. Kramat Raya No.98, Kwitang, Kec. Senen, Jakarta Pusat, DKI Jakarta 10450, Indonesia