Implementation of Patient Data Protection Policy through the SMARTA-Based Electronic Medical Record System at Yogyakarta City Hospital

The protection of patient personal data is a crucial aspect of digital healthcare services. Yogyakarta City Hospital has implemented an SMARTA-based Electronic Medical Record (EMR) system as part of its policy to protect patient data in accordance with national regulations and internal hospital regulations. However, the success of policy implementation is not only determined by the existence of the system, but also by how the policy is implemented by those in the field. This study aims to analyze the implementation of patient personal data protection policies through the perspective of Edward III's Policy Implementation Theory, which covers four main variables, namely communication, resources, implementer disposition, and bureaucratic structure. This study used a qualitative descriptive approach with 20 informants selected through purposive sampling, involving medical record officers, information technology staff, health workers, legal staff, and management officials at the Yogyakarta City Hospital. Data were collected from August to October 2025 through in-depth interviews, observations, and documentation studies, then analyzed using the Miles and Huberman interactive model and validated through triangulation and member checking. The results of the study indicate that policy communication has been effective, but understanding of data access restrictions is not yet uniform, human resource competence in digital security is still limited, and coordination between units, especially between the information technology department and the polyclinic, is not yet optimal in handling patient data incidents. The results of the study show that based on interviews and observations, most informants stated that policy communication and the commitment of implementers to maintain the confidentiality of personal data had been carried out in accordance with procedures, although several technical obstacles were still found in the distribution of information and access monitoring, particularly in terms of clarity of communication and the commitment of implementers to maintain data confidentiality. However, there are still obstacles in the form of uneven distribution of information, limited human resource competencies related to digital security, the practice of using shared accounts, and monitoring mechanisms that tend to be reactive. This study is expected to provide practical recommendations for public hospitals in their efforts to improve patient data protection management in a sustainable and secure manner.