Use of Telemedicine and Smart Technology in Obstetrics: Barriers and Privacy Issues

While telemedicine had been utilized in varying ways over the last several years, it has dramatically accelerated in the era of the COVID-19 pandemic. In this article we describe the privacy issues, in relation to the barriers to care for health care providers and barriers to the obstetric patient, licensing and payments for telehealth services, technological issues and language barriers. While there may be barriers to the use of telehealth services this type of care is feasible and the barriers are surmountable.

How US law will evaluate artificial intelligence for covid-19

Daniel E Ho and colleagues explore the legal implications of using artificial intelligence in the response to covid-19 and call for more robust evaluation frameworks

Can caregivers trust information technology in the care of their patients? A systematic review

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that healthcare providers allow patients to engage in their healthcare by allowing access to their health records. Often patients need informal caregivers including family members or others to help them with their care. This paper explores whether trust is a key factor for informal caregivers' decision to use health information technologies (HIT) including electronic health records (EHR), patient portals, mobile apps, or other devices to care for their patient. Six reviewers conducted a comprehensive search of four literature databases using terms that pertained to a caregiver and trust to investigate the role trust plays when caregivers use HIT. While trust is a key factor for the use of HIT, it the researchers only identified ten articles that met the research question thresholds. Four main topics of trust surfaced including perceived confidentiality, perceived security, technological malfunction, and trustworthiness of the information. Trust is a critical factor for informal caregivers when using HIT to assist in the care of their patient (child, loved one, parent, or acquaintance). Based on the findings, it is clear that more research on the use of HIT by caregivers is needed.

Health Information Privacy Laws in the Digital Age: HIPAA Doesn't Apply

The notion of health information privacy has evolved over time as the healthcare industry has embraced technology. Where once individuals were concerned about the privacy of their conversations and financial information, the digitization of health data has created new challenges for those responsible for ensuring that patient information remains secure and private. Coupled with the lack of updated, overarching legislation, a critical gap exists between advancements in technology, consumer informatics tools and privacy regulations. Almost twenty years after the HIPAA (Health Insurance Portability and Accountability Act) compliance date, the healthcare industry continues to seek solutions to privacy challenges absent formal contemporary law. Since HIPAA, a few attempts have been made to control specific aspects of health information including genetic information and use of technology however none were visionary enough to address issues seen in today's digital data focused healthcare environment. The proliferation of digital health data, trends in data use, increased use of telehealth applications due to COVID-19 pandemic and the consumer's participatory role in healthcare all create new challenges not covered by the existing legal framework. Modern efforts to address this dilemma have emerged in state and international law though the United States healthcare industry continues to operate under a law written two decades ago. As technology continues to advance at a rapid pace along with consumers playing a greater role in the management of their healthcare through digital health the privacy guidance provided by federal law must also shift to reflect the new reality.

Ethical and Legal Implications of Remote Monitoring of Medical Devices

Policy Points Millions of life-sustaining implantable devices collect and relay massive amounts of digital health data, increasingly by using user-downloaded smartphone applications to facilitate data relay to clinicians via manufacturer servers. Our analysis of health privacy laws indicates that most US patients may have little access to their own digital health data in the United States under the Health Insurance Portability and Accountability Act Privacy Rule, whereas the EU General Data Protection Regulation and the California Consumer Privacy Act grant greater access to device-collected data. Our normative analysis argues for consistently granting patients access to the raw data collected by their implantable devices.

CONTEXT

Millions of life-sustaining implantable devices collect and relay massive amounts of digital health data, increasingly by using user-downloaded smartphone applications to facilitate data relay to clinicians via manufacturer servers. Whether patients have either legal or normative claims to data collected by these devices, particularly in the raw, granular format beyond that summarized in their medical records, remains incompletely explored.

METHODS

Using pacemakers and implantable cardioverter-defibrillators (ICDs) as a clinical model, we outline the clinical ecosystem of data collection, relay, retrieval, and documentation. We consider the legal implications of US and European privacy regulations for patient access to either summary or raw device data. Lastly, we evaluate ethical arguments for or against providing patients access to data beyond the summaries presented in medical records.

FINDINGS

Our analysis of applicable health privacy laws indicates that US patients may have little access to their raw data collected and held by device manufacturers in the United States under the Health Insurance Portability and Accountability Act Privacy Rule, whereas the EU General Data Protection Regulation (GDPR) grants greater access to device-collected data when the processing of personal data falls under the GDPR's territorial scope. The California Consumer Privacy Act, the "little sister" of the GDPR, also grants greater rights to California residents. By contrast, our normative analysis argues for consistently granting patients access to the raw data collected by their implantable devices. Smartphone applications are increasingly involved in the collection, relay, retrieval, and documentation of these data. Therefore, we argue that smartphone user agreements are an emerging but potentially underutilized opportunity for clarifying both legal and ethical claims for device-derived data.

CONCLUSIONS

Current health privacy legislation incompletely supports patients' normative claims for access to digital health data.

US Privacy Laws Go Against Public Preferences: Impeding Public Health and Research (Preprint)

Background

Reaping the benefits from massive volumes of data collected in all sectors to improve population health, inform personalized medicine, and transform biomedical research requires the delicate balance between the benefits and risks of using individual-level data. There is a patchwork of US data protection laws that vary depending on the type of data, who is using it, and their intended purpose. Differences in these laws challenge big data projects using data from different sources. The decisions to permit or restrict data uses are determined by elected officials; therefore, constituent input is critical to finding the right balance between individual privacy and public benefits.

Objective

This study explores the US public’s preferences for using identifiable data for different purposes without their consent.

Methods

We measured data use preferences of a nationally representative sample of 504 US adults by conducting a web-based survey in February 2020. The survey used a choice-based conjoint analysis. We selected choice-based conjoint attributes and levels based on 5 US data protection laws (Health Insurance Portability and Accountability Act, Family Educational Rights and Privacy Act, Privacy Act of 1974, Federal Trade Commission Act, and the Common Rule). There were 72 different combinations of attribute levels, representing different data use scenarios. Participants were given 12 pairs of data use scenarios and were asked to choose the scenario they were the most comfortable with. We then simulated the population preferences by using the hierarchical Bayes regression model using the ChoiceModelR package in R.

Results

Participants strongly preferred data reuse for public health and research than for profit-driven, marketing, or crime-detection activities. Participants also strongly preferred data use by universities or nonprofit organizations over data use by businesses and governments. Participants were fairly indifferent about the different types of data used (health, education, government, or economic data).

Conclusions

Our results show a notable incongruence between public preferences and current US data protection laws. Our findings appear to show that the US public favors data uses promoting social benefits over those promoting individual or organizational interests. This study provides strong support for continued efforts to provide safe access to useful data sets for research and public health. Policy makers should consider more robust public health and research data use exceptions to align laws with public preferences. In addition, policy makers who revise laws to enable data use for research and public health should consider more comprehensive protection mechanisms, including transparent use of data and accountability.

Medical Records: More Than the Health Insurance Portability and Accountability Act

It is the responsibility of each organization, including private practice businesses, to maintain a comprehensive medical records retention policy. While registered dietitian nutritionists (RDNs) are qualified and competent business owners, navigating through the challenges of proper medical record management can be difficult without a sound policy. A comprehensive medical record retention policy consists of 4 major components: creation, utilization, maintenance, and destruction as well as a retention schedule. Successful implementation of a comprehensive medical record retention policy promotes positive clinician-patient interaction and avoidance of potential legal ramifications.

Participation in patient support forums may put rare disease patient data at risk of re-identification

BACKGROUND

Rare disease patients often struggle to find both medical advice and emotional support for their diagnosis. Consequently, many rare disease patient support forums have appeared on hospital webpages, social media sites, and on rare disease foundation sites. However, we argue that engagement in these groups may pose a healthcare data privacy threat to many participants, since it makes a series of patient indirect identifiers 'readily available' in combination with rare disease conditions. This information produces a risk of re-identification because it may allow a motivated attacker to use the unique combination of a patient's identifiers and disease condition to re-identify them in anonymized data.

RESULTS

To assess this risk of re-identification, patient direct and indirect identifiers were mined from patient support forums for 80 patients across eight rare diseases. This data mining consisted of scanning patient testimonials, social media sites, and public records for the collection of identifiers linked to a rare disease patient. The number of people in the United States that may share each patient's combination of marital status, 3-digit ZIP code, age, and sex, as well as their rare disease condition, was then estimated, as such information is commonly found in health records which have undergone de-identification by HIPAA's 'Safe Harbor.' The study showed that by these estimations, nearly 75% of patients could be at high risk for re-identification in healthcare datasets in which they appear, due to their unique combination of identifiers.

CONCLUSIONS

The results of this study show that these rare disease patients, due to their choice to provide support for their community, are putting all their healthcare data at risk of re-identification. This paper demonstrates how simple adjustments to participation guidelines in such support forums, in combination with improved privacy measures at the organizational level, could mitigate this risk of re-identification. Additionally, this paper suggests the potential for future investigation into consideration of certain 'risky' International Classification of Diseases (ICD) codes as quasi-identifiers in de-identified datasets to further protect patients' privacy, while maintaining the utility of such rare disease support groups.

Developments in Privacy and Data Ownership in Mobile Health Technologies, 2016-2019

OBJECTIVES

To survey international regulatory frameworks that serve to protect privacy of personal data as a human right as well as to review the literature regarding privacy protections and data ownership in mobile health (mHealth) technologies between January 1, 2016 and June 1, 2019 in order to identify common themes.

METHODS

We performed a review of relevant literature available in English published between January 1, 2016 and June 1, 2019 from databases including PubMed, Google Scholar, and Web of Science, as well as relevant legislative background material. Articles out of scope (as detailed below) were eliminated. We categorized the remaining pool of articles and discrete themes were identified, specifically: concerns around data transmission and storage, including data ownership and the ability to re-identify previously de-identified data; issues with user consent (including the availability of appropriate privacy policies) and access control; and the changing culture and variable global attitudes toward privacy of health data.

RESULTS

Recent literature demonstrates that the security of mHealth data storage and transmission remains of wide concern, and aggregated data that were previously considered "de-identified" have now been demonstrated to be re-identifiable. Consumer-informed consent may be lacking with regard to mHealth applications due to the absence of a privacy policy and/or to text that is too complex and lengthy for most users to comprehend. The literature surveyed emphasizes improved access control strategies. This survey also illustrates a wide variety of global user perceptions regarding health data privacy.

CONCLUSION

The international regulatory framework that serves to protect privacy of personal data as a human right is diverse. Given the challenges legislators face to keep up with rapidly advancing technology, we introduce the concept of a "healthcare fiduciary" to serve the best interest of data subjects in the current environment.

Using word embeddings to improve the privacy of clinical notes

OBJECTIVE

In this work, we introduce a privacy technique for anonymizing clinical notes that guarantees all private health information is secured (including sensitive data, such as family history, that are not adequately covered by current techniques).

MATERIALS AND METHODS

We employ a new "random replacement" paradigm (replacing each token in clinical notes with neighboring word vectors from the embedding space) to achieve 100% recall on the removal of sensitive information, unachievable with current "search-and-secure" paradigms. We demonstrate the utility of this paradigm on multiple corpora in a diverse set of classification tasks.

RESULTS

We empirically evaluate the effect of our anonymization technique both on upstream and downstream natural language processing tasks to show that our perturbations, while increasing security (ie, achieving 100% recall on any dataset), do not greatly impact the results of end-to-end machine learning approaches.

DISCUSSION

As long as current approaches utilize precision and recall to evaluate deidentification algorithms, there will remain a risk of overlooking sensitive information. Inspired by differential privacy, we sought to make it statistically infeasible to recreate the original data, although at the cost of readability. We hope that the work will serve as a catalyst to further research into alternative deidentification methods that can address current weaknesses.

CONCLUSION

Our proposed technique can secure clinical texts at a low cost and extremely high recall with a readability trade-off while remaining useful for natural language processing classification tasks. We hope that our work can be used by risk-averse data holders to release clinical texts to researchers.

Confidentiality and Capacity

This article focuses on confidentiality and capacity issues affecting patients receiving care in the emergency department. The patient-physician relationship begins with presumed confidentiality. The article also clarifies instances where a physician may be required to break confidentiality for the safety of patients or others. This article then discusses risk management issues relevant to determining a patient's capacity to accept or decline medical care in the emergency department setting. Situations pertaining to refusal of care and discharges against medical advice are examined in detail, and best practices for mitigating risk in informed consent and barriers to consent are reviewed.

Mobile Point-of-Care Medical Photography: Legal Considerations for Health Care Providers

Medical photographs have been used for decades to document clinical findings. The ease with which medical photographs can be captured and integrated into the electronic health record (EHR) has increased as digital cameras obviated the need for the film development process. Today, cameras integrated into smartphones allow for high-resolution images to be instantly uploaded and integrated into the EHR. With major EHR vendors offering mobile smartphone applications for the conduct of point-of-care medical photography, health care providers and institutions need to be aware of legal questions that arise in the conduct of medical photography. Namely, (1) what are the requirements for consent when taking medical photographs, and how may photographs be used after consent is obtained, (2) are medical photographs admissible as evidence in court, and (3) how should a provider respond to a request by a patient or parent requesting that a photograph be deleted from the medical record? Herein, we review relevant laws and legal cases in the context of accepted standards of medical practice pertaining to point-of-care medical photography. This review is intended to aid health care providers and institutions seeking to develop or revise policies regarding using a mobile application at their clinical practice.

Integrating Rules for Genomic Research, Clinical Care, Public Health Screening and DTC Testing: Creating Translational Law for Translational Genomics

Human genomics is a translational field spanning research, clinical care, public health, and direct-to-consumer testing. However, law differs across these domains on issues including liability, consent, promoting quality of analysis and interpretation, and safeguarding privacy. Genomic activities crossing domains can thus encounter confusion and conflicts among these approaches. This paper suggests how to resolve these conflicts while protecting the rights and interests of individuals sequenced. Translational genomics requires this more translational approach to law.

The Perils of Parity: Should Citizen Science and Traditional Research Follow the Same Ethical and Privacy Principles?

The individual right of access to one's own data is a crucial privacy protection long recognized in U.S. federal privacy laws. Mobile health devices and research software used in citizen science often fall outside the HIPAA Privacy Rule, leaving participants without HIPAA's right of access to one's own data. Absent state laws requiring access, the law of contract, as reflected in end-user agreements and terms of service, governs individuals' ability to find out how much data is being stored and how it might be shared with third parties. Efforts to address this problem by establishing norms of individual access to data from mobile health research unfortunately can run afoul of the FDA's investigational device exemption requirements.

From Genetics to Genomics: Facing the Liability Implications in Clinical Care

Health care is transitioning from genetics to genomics, in which single-gene testing for diagnosis is being replaced by multi-gene panels, genome-wide sequencing, and other multi-genic tests for disease diagnosis, prediction, prognosis, and treatment. This health care transition is spurring a new set of increased or novel liability risks for health care providers and test laboratories. This article describes this transition in both medical care and liability, and addresses 11 areas of potential increased or novel liability risk, offering recommendations to both health care and legal actors to address and manage those liability risks.

The Streetlight Effect: Regulating Genomics Where the Light Is

Regulatory policy for genomic testing may be subject to biases that favor reliance on existing regulatory frameworks even when those frameworks carry unintended legal consequences or may be poorly tailored to the challenges genomic testing presents. This article explores three examples drawn from genetic privacy regulation, oversight of clinical uses of genomic information, and regulation of genomic software. Overreliance on expedient regulatory approaches has a potential to undercut complete and durable solutions.

Protecting Participants in Genomic Research: Understanding the "Web of Protections" Afforded by Federal and State Law

Researchers now commonly collect biospecimens for genomic analysis together with information from mobile devices and electronic health records. This rich combination of data creates new opportunities for understanding and addressing important health issues, but also intensifies challenges to privacy and confidentiality. Here, we elucidate the "web" of legal protections for precision medicine research by integrating findings from qualitative interviews with structured legal research and applying them to realistic research scenarios involving various privacy threats.

Hospitals should act now to notify patients about research use of their data and biospecimens

Private industry is increasingly soliciting hospitals to sell or share health data and biospecimens, but current laws offer more disclosure and consent protections for research participants than for patients receiving clinical care. Hospitals can offer more protections than required by law, however, and should move toward greater transparency with their patients about the research use of clinical health data and biospecimens to respect patients and avoid distrust.

Privacy and Security Issues with Mobile Health Research Applications

This article examines the privacy and security issues associated with mobile application-mediated health research, concentrating in particular on research conducted or participated in by independent scientists, citizen scientists, and patient researchers. Building on other articles in this issue that examine state research laws and state data protection laws as possible sources of privacy and security protections for mobile research participants, this article focuses on the lack of application of federal standards to mobile application-mediated health research. As discussed in more detail below, the voluminous and diverse data collected by some independent scientists who use mobile applications to conduct health research may be at risk for unregulated privacy and security breaches, leading to dignitary, psychological, and economic harms for which participants have few legally enforceable rights or remedies under current federal law. Federal lawmakers may wish to consider enacting new legislation that would require otherwise unregulated health data holders to implement reasonable data privacy, security, and breach notification measures.

Hacking HIPAA: "Best Practices" for Avoiding Oversight in the Sale of Your Identifiable Medical Information

In light of the confusion invited by applying the label "de-identified" to information that can be used to identify patients, it is paramount that regulators, compliance professionals, patient advocates and the general public understand the significant differences between the standards applied by HIPAA and those applied by permissive "de-identification guidelines." This Article discusses those differences in detail. The discussion proceeds in four Parts. Part II (HIPAA's Heartbeat: Why HIPAA Protects Identifiable Patient Information) examines Congress's motivations for defining individually identifiable health information broadly, which included to stop the harms patients endured prior to 1996 arising from the commercial sale of their medical records. Part III (Taking the "I" Out of Identifiable Information: HIPAA's Requirements for De-Identified Health Information) discusses HIPAA's requirements for de-identification that were never intended to create a loophole for identifiable patient information to escape HIPAA's protections. Part IV (Anatomy of a Hack: Methods for Labeling Identifiable information "De-Identified") examines the goals, methods, and results of permissive "de-identification guidelines" and compares them to HIPAA's requirements. Part V (Protecting Un-Protected Health Information) evaluates the suitability of permissive "de-identification guidelines," concluding that the vulnerabilities inherent in their current articulation render them ineffective as a data protection standard. It also discusses ways in which compliance professionals, regulators, and advocates can foster accountability and transparency in the utilization of health information that can be used to identify patients.