Evaluating the Balance Between Privacy and Access in Digital Information Sharing.

OBJECTIVES: Access to personal health records in an ICU by persons involved in the patient's care (referred to broadly as "family members" below) has the potential to increase engagement and reduce the negative psychologic sequelae of such hospitalizations. Currently, little is known about patient preferences for information sharing with a designated family member in the ICU. We sought to understand the information-sharing preferences of former ICU patients and their family members and to identify predictors of information-sharing preferences. DESIGN: We performed an internet survey that was developed by a broad, multidisciplinary team of stakeholders. Formal pilot testing of the survey was conducted prior to internet survey administration to study subjects. SETTING: Internet survey. SUBJECTS: Subjects included English-speaking adults who had an ICU experience or a family member with ICU experience between 2013 and 2016. We used panel sampling to ensure an ethnically representative sample of the U.S. population. INTERVENTIONS: None. MEASUREMENTS AND MAIN RESULTS: One thousand five hundred twenty surveys were submitted, and 1,470 were included in analysis. The majority of respondents (93.6%) stated that they would want to share present and past medical history, either all or that related to their ICU stay, with a designated family member of their choosing. The majority (79%) would also want their designated family member to be able to access that information from a home computer. Although most respondents preferred to share all types of information, they indicated varying levels of willingness to share specific types of more sensitive information. Information-sharing preferences did not differ by age, sex, ethnicity, or type of prior experience in the ICU (i.e., patient or family member). CONCLUSIONS: In the context of an ICU admission, sharing personal health information with a person of the patient's choosing appears desirable for most patients and family members. Policies and implementation of regulations should take this into consideration.

Pindex: Private multi-linked index for encrypted document retrieval.

Cryptographic cloud storage is used to make optimal use of the cloud storage infrastructure to outsource sensitive and mission-critical data. The continuous growth of encrypted data outsourced to cloud storage requires continuous updating. Attacks like file-injection are reported to compromise confidentiality of the user as a consequence of information leakage during update. It is required that dynamic schemes provide forward privacy guarantees. Updates should not leak information to the untrusted server regarding the previously issued queries. Therefore, the challenge is to design an efficient searchable encryption scheme with dynamic updates and forward privacy guarantees. In this paper, a novel private multi-linked dynamic index for encrypted document retrieval namely Pindex is proposed. The multi-linked dynamic index is constructed using probabilistic homomorphic encryption mechanism and secret orthogonal vectors. Full security proofs for correctness and forward privacy in the random oracle model is provided. Experiments on real world Enron dataset demonstrates that our construction is practical and efficient. The security and performance analysis of Pindex shows that the dynamic multi-linked index guarantees forward privacy without significant loss of efficiency.

Sharing ICU Patient Data Responsibly Under the Society of Critical Care Medicine/European Society of Intensive Care Medicine Joint Data Science Collaboration: The Amsterdam University Medical Centers Database (AmsterdamUMCdb) Example.

OBJECTIVES: Critical care medicine is a natural environment for machine learning approaches to improve outcomes for critically ill patients as admissions to ICUs generate vast amounts of data. However, technical, legal, ethical, and privacy concerns have so far limited the critical care medicine community from making these data readily available. The Society of Critical Care Medicine and the European Society of Intensive Care Medicine have identified ICU patient data sharing as one of the priorities under their Joint Data Science Collaboration. To encourage ICUs worldwide to share their patient data responsibly, we now describe the development and release of Amsterdam University Medical Centers Database (AmsterdamUMCdb), the first freely available critical care database in full compliance with privacy laws from both the United States and Europe, as an example of the feasibility of sharing complex critical care data. SETTING: University hospital ICU. SUBJECTS: Data from ICU patients admitted between 2003 and 2016. INTERVENTIONS: We used a risk-based deidentification strategy to maintain data utility while preserving privacy. In addition, we implemented contractual and governance processes, and a communication strategy. Patient organizations, supporting hospitals, and experts on ethics and privacy audited these processes and the database. MEASUREMENTS AND MAIN RESULTS: AmsterdamUMCdb contains approximately 1 billion clinical data points from 23,106 admissions of 20,109 patients. The privacy audit concluded that reidentification is not reasonably likely, and AmsterdamUMCdb can therefore be considered as anonymous information, both in the context of the U.S. Health Insurance Portability and Accountability Act and the European General Data Protection Regulation. The ethics audit concluded that responsible data sharing imposes minimal burden, whereas the potential benefit is tremendous. CONCLUSIONS: Technical, legal, ethical, and privacy challenges related to responsible data sharing can be addressed using a multidisciplinary approach. A risk-based deidentification strategy, that complies with both U.S. and European privacy regulations, should be the preferred approach to releasing ICU patient data. This supports the shared Society of Critical Care Medicine and European Society of Intensive Care Medicine vision to improve critical care outcomes through scientific inquiry of vast and combined ICU datasets.

Can caregivers trust information technology in the care of their patients? A systematic review.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that healthcare providers allow patients to engage in their healthcare by allowing access to their health records. Often patients need informal caregivers including family members or others to help them with their care. This paper explores whether trust is a key factor for informal caregivers' decision to use health information technologies (HIT) including electronic health records (EHR), patient portals, mobile apps, or other devices to care for their patient. Six reviewers conducted a comprehensive search of four literature databases using terms that pertained to a caregiver and trust to investigate the role trust plays when caregivers use HIT. While trust is a key factor for the use of HIT, it the researchers only identified ten articles that met the research question thresholds. Four main topics of trust surfaced including perceived confidentiality, perceived security, technological malfunction, and trustworthiness of the information. Trust is a critical factor for informal caregivers when using HIT to assist in the care of their patient (child, loved one, parent, or acquaintance). Based on the findings, it is clear that more research on the use of HIT by caregivers is needed.

Proposal and Assessment of a De-Identification Strategy to Enhance Anonymity of the Observational Medical Outcomes Partnership Common Data Model (OMOP-CDM) in a Public Cloud-Computing Environment: Anonymization of Medical Data Using Privacy Models.

BACKGROUND: De-identifying personal information is critical when using personal health data for secondary research. The Observational Medical Outcomes Partnership Common Data Model (CDM), defined by the nonprofit organization Observational Health Data Sciences and Informatics, has been gaining attention for its use in the analysis of patient-level clinical data obtained from various medical institutions. When analyzing such data in a public environment such as a cloud-computing system, an appropriate de-identification strategy is required to protect patient privacy. OBJECTIVE: This study proposes and evaluates a de-identification strategy that is comprised of several rules along with privacy models such as k-anonymity, l-diversity, and t-closeness. The proposed strategy was evaluated using the actual CDM database. METHODS: The CDM database used in this study was constructed by the Anam Hospital of Korea University. Analysis and evaluation were performed using the ARX anonymizing framework in combination with the k-anonymity, l-diversity, and t-closeness privacy models. RESULTS: The CDM database, which was constructed according to the rules established by Observational Health Data Sciences and Informatics, exhibited a low risk of re-identification: The highest re-identifiable record rate (11.3%) in the dataset was exhibited by the DRUG_EXPOSURE table, with a re-identification success rate of 0.03%. However, because all tables include at least one "highest risk" value of 100%, suitable anonymizing techniques are required; moreover, the CDM database preserves the "source values" (raw data), a combination of which could increase the risk of re-identification. Therefore, this study proposes an enhanced strategy to de-identify the source values to significantly reduce not only the highest risk in the k-anonymity, l-diversity, and t-closeness privacy models but also the overall possibility of re-identification. CONCLUSIONS: Our proposed de-identification strategy effectively enhanced the privacy of the CDM database, thereby encouraging clinical research involving multiple centers.

Assessment of the Electronic Health Record Skills Needed for the Health Information Management Student.

Electronic health records (EHR) have continued to advance and improve patient care, treatment, and safety, but the education required for EHR use can vary. In preparing future health care professionals for the use of EHR, allied health programs such as health information management (HIM) should understand the current use of EHR skills of HIM professionals. This quantitative descriptive study identified the current use of EHR skills of HIM professionals within a region. An email containing a link to the electronic survey was sent to 350 HIM association members. The response rate was 34.6% (n=121). The results indicated higher use of federal and state regulations regarding privacy/security, problem solving and critical thinking skills for health information technology (HIT) systems, and data mining skills. But, there were some skillsets that had a lower use such as financial decision making, database design, and HIT software development. The findings suggest some specific EHR skills that are essential for HIM graduates. It is imperative that HIM programs have an understanding of what EHR skills are needed for their profession.

Virtual Visits in Ophthalmology: Timely Advice for Implementation During the COVID-19 Public Health Crisis.

Virtual visits (VVs) are necessitated due to the public health crisis and social distancing mandates due to COVID-19. However, these have been rare in ophthalmology. Over 3.5 years of conducting >350 ophthalmological VVs, our group has gained numerous insights into best practices. This communication shares these experiences with the medical community to support patient care during this difficult time and beyond. We highlight that mastering the technological platform of choice, optimizing lighting, camera positioning, and "eye contact," being thoughtful and creative with the virtual eye examination, and ensuring good documenting and billing will make a successful and efficient VV. Moreover, we think these ideas will stimulate further VV creativity and expertise to be developed in ophthalmology and across medicine. This approach, holds promise for increasing its adoption after the crisis has passed.

Future-proofing biobanks' governance.

Good biobank governance implies-at a minimum-transparency and accountability and the implementation of oversight mechanisms. While the biobanking community is in general committed to such principles, little is known about precisely which governance strategies biobanks adopt to meet those objectives. We conducted an exploratory analysis of governance mechanisms adopted by research biobanks, including genetic biobanks, located in Europe and Canada. We reviewed information available on the websites of 69 biobanks, and directly contacted them for additional information. Our study identified six types of commonly adopted governance strategies: communication, compliance, expert advice, external review, internal procedures, and partnerships. Each strategy is implemented through different mechanisms including, independent ethics assessment, informed consent processes, quality management, data access control, legal compliance, standard operating procedures and external certification. Such mechanisms rely on a wide range of bodies, committees and actors from both within and outside the biobanks themselves. We found that most biobanks aim to be transparent about their governance mechanisms, but could do more to provide more complete and detailed information about them. In particular, the retrievable information, while showing efforts to ensure biobanks operate in a legitimate way, does not specify in sufficient detail how governance mechanisms support accountability, nor how they ensure oversight of research operations. This state of affairs can potentially undermine biobanks' trustworthiness to stakeholders and the public in a long-term perspective. Given the ever-increasing reliance of biomedical research on large biological repositories and their associated databases, we recommend that biobanks increase their efforts to future-proof their governance.

Privacy and Security Issues with Mobile Health Research Applications.

This article examines the privacy and security issues associated with mobile application-mediated health research, concentrating in particular on research conducted or participated in by independent scientists, citizen scientists, and patient researchers. Building on other articles in this issue that examine state research laws and state data protection laws as possible sources of privacy and security protections for mobile research participants, this article focuses on the lack of application of federal standards to mobile application-mediated health research. As discussed in more detail below, the voluminous and diverse data collected by some independent scientists who use mobile applications to conduct health research may be at risk for unregulated privacy and security breaches, leading to dignitary, psychological, and economic harms for which participants have few legally enforceable rights or remedies under current federal law. Federal lawmakers may wish to consider enacting new legislation that would require otherwise unregulated health data holders to implement reasonable data privacy, security, and breach notification measures.

Prevalence of zolpidem use in France halved after secure prescription pads implementation in 2017: A SNDS database nested cohort study.

Our objective was to quantify the impact on the use of zolpidem of the obligation implemented in France in 2017 to use secure prescription pads to prescribe it. We conducted a cohort study within the French SNDS healthcare database. Patients aged over 18 years of age were considered for inclusion. The number of prevalent users and incident episodes of zolpidem use were compared before the change in law (July 1, 2016 to January 1, 2017) and after (July 1, 2017 to January 1, 2018). A prevalent user was a patient who has been reimbursed for zolpidem at least once. An incident episode of zolpidem use was defined by a first administration of zolpidem without any prior administration within the previous six months. Regarding prevalence of zolpidem users, we observed a decrease from 2.79% (CI95%:2.75-2.83) to 1.48% (1.44-1.51), with a number of patients who stopped taking it after the change in law being approximately 4.3 times higher than the number of patients who started. We observed a negative association between the post-law change period (OR = 0.52 (0.51-0.53)) and the probability of receiving zolpidem, adjusting for sex, aging, low income and chronic disease. We observed a decrease from 183 treatment episodes per 100,000 insured months on average to 79 episodes per 100,000 insured months, with an incidence rate ratio (IRR) equal to 0.43 (0.38-0.49). The use of secure prescription pads seems to have reduced the exposure of the French population to zolpidem.

Privacy, Confidentiality, and Safety Considerations for Conducting Geographic Momentary Assessment Studies Among Persons Who Use Drugs and Men Who Have Sex with Men.

Geographic momentary assessments (GMA) collect real-time behavioral data in one's natural environment using a smartphone and could potentially increase the ecological validity of behavioral data. Several studies have evaluated the feasibility and acceptability of GMA among persons who use drugs (PWUD) and men who have sex with men (MSM), but fewer have discussed privacy, confidentiality, and safety concerns, particularly when illegal or stigmatized behavioral data were collected. This study explores perceptions regarding privacy, confidentiality, and safety of GMA research among PWUD and MSM recruited in three different settings (rural Appalachia, a mid-sized city in the South, and a mid-Atlantic city). Between November 2014 and April 2017, we recruited 35 PWUD from rural Appalachian Kentucky (N = 20) and Baltimore, Maryland (N = 15) and 20 MSM from Lexington, Kentucky to complete semi-structured qualitative interviews. Through thematic analyses, we identified and compared privacy, confidentiality, and safety concerns by demographic characteristics, risk behaviors, and setting. Privacy, confidentiality, and safety concerns varied by setting, age, smartphone ownership, use of illegal drugs, and history of drug-related arrests. Among those who used drugs, participants reported concerns with being tracked and burden associated with carrying and safeguarding study phones and responding to survey prompts. Privacy and confidentiality concerns were noted in each setting, but tracking concerns were greatest among Baltimore participants and led many to feel that they (or others) would be unwilling to participate or comply with study procedures. While locations considered to be sensitive varied by setting, participants in all settings said they would take measures to prevent sensitive information from being collected (i.e., intentionally disable devices, leave phones at home, alter response times). Privacy, confidentiality, and safety concerns may limit the accuracy of risk location information, study compliance, and participation. As concerns were often greatest among those engaging in illegal behaviors and with the highest risk behaviors, selection bias and non-response bias could negatively influence the representativeness and validity of study findings.

Emergency hormonal contraceptive service provision via community pharmacies in the UK: a systematic review of pharmacists' and young women's views, perspectives and experiences.

AIMS: Unintended pregnancy among young people remains a major public health problem in the UK, despite recent evidence suggesting that the number of teenage pregnancies in England is falling. Community pharmacies have the potential to reduce health inequalities among young women through improved and appropriate access to sexual health services. This study seeks to examine the views, perceptions and experiences of young women and community pharmacists concerning emergency hormonal contraceptive (EHC) provision from community pharmacies in the UK. METHODS: Six electronic databases were searched for articles published in English between 2000 and 2017. Titles and abstracts were screened by two researchers according to the inclusion criteria. RESULTS: A total of eight papers reporting studies carried out within the UK were included. Five key themes were identified from the perspectives of young women: convenience and ease of access, embarrassment and non-judgemental services, free services, confidentiality and pharmacist being helpful. Six key themes were identified from the perspectives of the pharmacists: concerns about supply of EHC, improved access, no need for appointment, confidentiality, free EHC and training. CONCLUSIONS: The review suggests that services should be designed based on the views, perceptions and experiences of the service users and providers in order to reduce inequities to access of EHC. Pharmacists who provide EHC should continuously upgrade their knowledge base through training if the sexual health needs of the young women who access pharmacies are to be adequately met.

Precarious patients: health professionals' perspectives on providing care to Mexican and Jamaican migrants in Canada's Seasonal Agricultural Worker Program.

INTRODUCTION: The intersecting vulnerabilities of migrant agricultural workers (MAWs) impact both their health and their access to health care in rural areas, yet rural clinicians' voices are rarely documented. The purpose of this study was to explore health professionals' perspectives on health care for MAWs in sending countries and rural Ontario, Canada. METHODS: Qualitative research design occurred over three distinct projects, using a multi-methodological approach including semi-structured interviews in Mexico, Jamaica and rural Ontario (n=43), and session field notes and questionnaires administered to healthcare providers (n=65) during knowledge exchange sessions in rural Ontario. A systematic analysis of these data was done to identify common themes, using NVivo software initially and then Microsoft Excel for application of a framework approach. RESULTS: Structural challenges posed by migrant workers' context included difficulties preventing and managing work-related conditions, employers or supervisors compromising confidentiality, and MAWs' fears of loss of employment and return to countries of origin prior to completing treatments. Structural challenges related to health services included lack of adequate translation/interpretation services and information about insurance coverage and MAWs' work and living situations; scheduling conflicts between clinic hours and MAWs' availability; and difficulties in arranging follow-up tests, treatments and examinations. Intercultural challenges included language/communication barriers; cultural barriers /perceptions; and limited professional knowledge of MAWs' migration and work contexts and MAWs' knowledge of the healthcare system. Transnational challenges arose around continuity of care, MAWs leaving Canada during/prior to receiving care, and dealing with health problems acquired in Canada. A range of responses were suggested, some in place and others requiring additional organization, testing and funding. CONCLUSION: Funding to strengthen responses to structural and intercultural challenges, including research assessing improved supports to rural health professionals serving MAWs, are needed in rural Canada and rural Mexico and Jamaica, in order to better address the structural and intersecting vulnerabilities and the care needs of this specific population.

Data breach remediation efforts and their implications for hospital quality.

OBJECTIVE: To estimate the relationship between breach remediation efforts and hospital care quality. DATA SOURCES: Department of Health and Human Services' (HHS) public database on hospital data breaches and Medicare Compare's public data on hospital quality measures for 2012-2016. MATERIALS AND METHODS: Data breach data were merged with the Medicare Compare data for years 2012-2016, yielding a panel of 3025 hospitals with 14 297 unique hospital-year observations. STUDY DESIGN: The relationship between breach remediation and hospital quality was estimated using a difference-in-differences regression. Hospital quality was measured by 30-day acute myocardial infarction mortality rate and time from door to electrocardiogram. PRINCIPAL FINDINGS: Hospital time-to-electrocardiogram increased as much as 2.7 minutes and 30-day acute myocardial infarction mortality increased as much as 0.36 percentage points during the 3-year window following a breach. CONCLUSION: Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes. Thus, breached hospitals and HHS oversight should carefully evaluate remedial security initiatives to achieve better data security without negatively affecting patient outcomes.

Considerations for Modernized Criminal HIV Laws and Assessment of Legal Protections Against Release of Identified HIV Surveillance Data for Law Enforcement.

In November 2018, the Centers for Disease Control and Prevention distributed guidance to funded agencies under its Integrated HIV Surveillance and Prevention Programs Initiative to support the implementation of the program's third strategy: HIV transmission cluster investigation and outbreak response efforts. Cluster detection seeks to identify persons infected with HIV (diagnosed and undiagnosed) who are linked to infections in single or related sexual and injection drug networks. Identifying expanding clusters allows public health personnel to intervene directly where active HIV transmissions occur.However, in the context of HIV infection where most US states have enacted criminal exposure laws, these efforts have sparked concerns about the protection of HIV surveillance data from court order or subpoena for law enforcement purposes. The Centers for Disease Control and Prevention calls for funded agencies to evaluate relevant confidentiality laws to ensure that these are sufficient to protect the confidentiality of HIV surveillance data from use by law enforcement.We present four often overlooked factors about the criminalization of HIV exposure and HIV surveillance data protections that should be considered in statutory assessments.

A systematic review of reasons for and against asking patients about their socioeconomic contexts.

BACKGROUND: People's social and economic circumstances are important determinants of their health, health experiences, healthcare access, and healthcare outcomes. However, patients' socioeconomic circumstances are rarely asked about or documented in healthcare settings. We conducted a systematic review of published reasons for why patients' socioeconomic contexts (including education, employment, occupation, housing, income, or wealth) should, or should not, be enquired about. METHODS: Systematic review of literature published up to and including 2016. A structured literature search using databases of medicine and nursing (pubmed, embase, global health), ethics (Ethicsweb), social sciences (Web of Science), and psychology (PsychINFO) was followed by a 'snowball' search. Eligible publications contained one or more reasons for: asking patients about socioeconomic circumstances; collecting patients' socioeconomic information; 'screening' patients for adverse socioeconomic circumstances; or linking other sources of individual socioeconomic data to patients' healthcare records. Two authors conducted the screening: the first screened all references, the second author screened a 20% sample with inter-rater reliability statistically confirmed. 'Reason data' was extracted from eligible publications by two authors, then analysed and organised. RESULTS: We identified 138 eligible publications. Most offered reasons for why patients' should be asked about their socioeconomic circumstances. Reasons included potential improvements in: individual healthcare outcomes; healthcare service monitoring and provision; population health research and policies. Many authors also expressed concerns for improving equity in health. Eight publications suggested patients should not be asked about their socioeconomic circumstances, due to: potential harms; professional boundaries; and the information obtained being inaccurate or unnecessary. CONCLUSIONS: This first summary of literature on the subject found many published reasons for why patients' social and economic circumstances should be enquired about in healthcare settings. These reasons include potential benefits at the levels of individuals, health service provision, and population, as well as the potential to improve healthcare equity. Cautions and caveats include concerns about the clinician's role in responding to patients' social problems; the perceived importance of social health determinants compared with biomedical factors; the use of average population data from geographic areas to infer the socioeconomic experience of individuals. Actual evidence of outcomes is lacking: our review suggests hypotheses that can be tested in future research.

Electronic Communication of the Health Record and Information With Pediatric Patients and Their Guardians.

Communication of health data has evolved rapidly with the widespread adoption of electronic health records (EHRs) and communication technology. What used to be sent to patients via paper mail, fax, or e-mail may now be accessed by patients via their EHRs, and patients may also communicate securely with their medical team via certified technology. Although EHR technologies have great potential, their most effective applications and uses for communication between pediatric and adolescent patients, guardians, and medical teams has not been realized. There are wide variations in available technologies, guiding policies, and practices; some physicians and patients are successful in using certified tools but others are forced to limit their patients' access to e-health data and associated communication altogether. In general, pediatric and adolescent patients are less likely than adult patients to have electronic access and the ability to exchange health data. There are several reasons for these limitations, including inconsistent standards and recommendations regarding the recommended age for independent access, lack of routine EHR support for the ability to filter or proxy such access, and conflicting laws about patients' and physicians' rights to access EHRs and ability to communicate electronically. Effective, safe electronic exchange of health data requires active collaboration between physicians, patients, policy makers, and health information technology vendors. This policy statement addresses current best practices for these stakeholders and delineates the continued gaps and how to address them.

Assessment of the Data Sharing and Privacy Practices of Smartphone Apps for Depression and Smoking Cessation.

Importance: Inadequate privacy disclosures have repeatedly been identified by cross-sectional surveys of health applications (apps), including apps for mental health and behavior change. However, few studies have assessed directly the correspondence between privacy disclosures and how apps handle personal data. Understanding the scope of this discrepancy is particularly important in mental health, given enhanced privacy concerns relating to stigma and negative impacts of inadvertent disclosure. Because most health apps fall outside government regulation, up-to-date technical scrutiny is essential for informed decision making by consumers and health care professionals wishing to prescribe health apps. Objective: To provide a contemporary assessment of the privacy practices of popular apps for depression and smoking cessation by critically evaluating privacy policy content and, specifically, comparing disclosures regarding third-party data transmission to actual behavior. Design and Setting: Cross-sectional assessment of 36 top-ranked (by app store search result ordering in January 2018) apps for depression and smoking cessation for Android and iOS in the United States and Australia. Privacy policy content was evaluated with prespecified criteria. Technical assessment of encrypted and unencrypted data transmission was performed. Analysis took place between April and June 2018. Main Outcomes and Measures: Correspondence between policies and transmission behavior observed by intercepting sent data. Results: Twenty-five of 36 apps (69%) incorporated a privacy policy. Twenty-two of 25 apps with a policy (88%) provided information about primary uses of collected data, while only 16 (64%) described secondary uses. While 23 of 25 apps with a privacy policy (92%) stated in a policy that data would be transmitted to a third party, transmission was detected in 33 of all 36 apps (92%). Twenty-nine of 36 apps (81%) transmitted data for advertising and marketing purposes or analytics to just 2 commercial entities, Google and Facebook, but only 12 of 28 (43%) transmitting data to Google and 6 of 12 (50%) transmitting data to Facebook disclosed this. Conclusions and Relevance: Data sharing with third parties that includes linkable identifiers is prevalent and focused on services provided by Google and Facebook. Despite this, most apps offer users no way to anticipate that data will be shared in this way. As a result, users are denied an informed choice about whether such sharing is acceptable to them. Privacy assessments that rely solely on disclosures made in policies, or are not regularly updated, are unlikely to uncover these evolving issues. This may limit their ability to offer effective guidance to consumers and health care professionals.

Exploring the nonlinear impact of critical incidents on users' satisfaction with healthcare services.

PURPOSE: The purpose of this paper is to evaluate the nonlinear impact of users' memories on their general evaluation of outpatient healthcare services by the integration of two methodologies: critical incidents technique (CIT) and penalty-reward contrast analysis (PRCA). DESIGN/METHODOLOGY/APPROACH: The authors carried out a survey with 356 respondents, users of seven outpatient clinics located in the city of Blumenau/SC, Brazil, during 2016. The participants were asked about their perceptions of positive and negative aspects of the service; and, using CIT, the answers were categorized according to the following dimensions: empathy, communication, facilities, access, promptness, medicines availability, complementary services, safety/confidentiality and service performance. Then, the authors evaluated the nonlinear impact of critical incidents on users' general evaluation of the service using the identified incidents as input variables in a PRCA. FINDINGS: The findings show that users of healthcare services tend to remember emotion and health aspects positively, while technical and formal aspects tend to be more negatively than positively remembered. On the other hand, PRCA identifies that incidents of three dimensions positively influence the overall perception of the service (empathy, complementary services and privacy) and five negatively (empathy, facilities, speed, drugs/pharmacy and health performance), explaining 26.3 percent of the variation in clients' general satisfaction. ORIGINALITY/VALUE: The present paper explores the integration of two methodologies, showing how we can use open listening to healthcare service users to identify the nonlinear impact of different incidents on their general evaluation of the service. The results show that what customers remember does not necessarily influence overall customer satisfaction. The present approach allows companies to improve the process of listening to customers. There are no other papers exploring this approach, particularly in relation to healthcare services.