The implementation of Hospital Management Information Systems (SIMRS) in Indonesia, mandated by the Ministry of Health, reflects the country's digital transformation in healthcare, particularly in managing electronic medical records (EMRs), operational efficiency, and patient data security. This study aims to develop a privacy risk governance framework by integrating three key references: COSO Enterprise Risk Management (ERM) 2017, ISO/IEC 27701:2019, and Indonesia's Personal Data Protection (PDP) Law No. 27/2022. Employing a qualitative case study approach, data were collected through in-depth interviews with five key stakeholders and analyzed thematically. Five major themes emerged: (1) Governance and Leadership in Privacy Risk, (2) Privacy Risk Identification and Assessment, (3) Privacy Controls and Operational Safeguards, (4) Monitoring and Incident Management, and (5) Legal and Regulatory Compliance. The study identified fragmented privacy practices, weak governance structures, and limited awareness of privacy obligations. To address these gaps, a phased improvement plan is proposed, starting with the appointment of a Data Protection Officer (DPO), the development of privacy-related standard operating procedures (SOPs), and the implementation of privacy impact assessments. These steps are designed to improve digital maturity and regulatory alignment. The proposed governance model is adaptable and scalable for other hospitals in Indonesia facing similar challenges. Ultimately, this framework contributes to enhancing patient safety, ensuring data protection, and supporting a sustainable digital health transformation.