3.
J Healthc Risk Manag ; 43(2): 27-36, 2023 Oct.
Article in English | MEDLINE | ID: mdl-37616038

ABSTRACT

Creating adequate safeguards for physical and online locations (e.g., desktop computers, network servers) where protected health information (PHI) may be breached is critical for management within entities compliant with the Health Information Portability and Accountability Act (HIPAA). With the increasing complexity of cyber breaches and budgetary issues, prioritizing which locations require the most immediate attention by top management through a data-driven model is more important than ever. Using CORAS threat modeling and five methods for multi-criteria decision-making, these locations were ranked from greatest to least risk of data breaches. Statistical methods were subsequently used for consistency and robustness checks. The findings illustrate that each type of covered entity under HIPAA must prioritize a different set of locations to safeguard first: health care providers must focus on the security of network servers, other portable electronic devices, and category of others (i.e., miscellaneous locations); health plans must focus on the security of paper and films, network servers, and others; and business associates must focus on the security of category of others, network servers, and other portable electronic devices. Combined with data on the source of the breaches (external vs. internal) and type of threats (e.g., hacking, theft), these findings provide recommendations for risk identification for privacy officers across health care.


Subject(s)
Confidentiality , Health Insurance Portability and Accountability Act , United States , Humans , Social Responsibility , Health Facilities , Health Personnel , Computer Security
4.
J Am Med Inform Assoc ; 30(12): 2028-2035, 2023 11 17.
Article in English | MEDLINE | ID: mdl-37595575

ABSTRACT

OBJECTIVE: Patient portals are increasingly used to recruit patients in research studies, but communication response rates remain low without tactics such as financial incentives or manual outreach. We evaluated a new method of study enrollment by embedding a study information sheet and HIPAA authorization form (HAF) into the patient portal preCheck-in (where patients report basic information like allergies). MATERIALS AND METHODS: Eligible patients who enrolled received an after-visit patient-reported outcomes survey through the patient portal. No additional recruitment/messaging efforts were made. RESULTS: A total of 386 of 843 patients completed preCheck-in, 308 of whom signed the HAF and enrolled in the study (37% enrollment rate). Of 93 patients who were eligible to receive the after-visit survey, 45 completed it (48% completion rate). CONCLUSION: Enrollment and survey completion rates were higher than what is typically seen with recruitment by patient portal messaging, suggesting that preCheck-in recruitment can enhance research study recruitment and warrants further investigation.


Subject(s)
Patient Portals , United States , Humans , Surveys and Questionnaires , Health Insurance Portability and Accountability Act , Motivation , Patient Reported Outcome Measures
5.
Neurol Clin ; 41(3): 513-522, 2023 08.
Article in English | MEDLINE | ID: mdl-37407103

ABSTRACT

Advances in electronic health record technology, the ever-expanding use of social media, and cybersecurity sabotage threaten patient privacy and render physicians and health care organizations liable for violating federal and state laws. Violating a patient's privacy is both an ethical and legal breach with potentially serious legal and reputational consequences. Even an unintentional Health Insurance Portability and Accountability Act of 1996 (HIPAA) violation can result in financial penalties and reputational harm. Staying compliant with HIPAA requires vigilance on the part of both individuals with legitimate access to protected health information (PHI) and the organizations handling that PHI.


Subject(s)
Health Insurance Portability and Accountability Act , Social Media , United States , Humans , Privacy , Confidentiality
7.
JAMA ; 330(3): 217-218, 2023 07 18.
Article in English | MEDLINE | ID: mdl-37382929

ABSTRACT

This Viewpoint analyzes the scope and legal implications of tracking on hospital websites, including potential HIPAA and state privacy law violations, and suggests that hospitals limit such tracking.


Subject(s)
Legislation, Hospital , Technology , Confidentiality , Health Insurance Portability and Accountability Act , Hospitals , Privacy , United States , Internet/legislation & jurisprudence , Technology/legislation & jurisprudence
9.
Annu Rev Genomics Hum Genet ; 24: 393-414, 2023 08 25.
Article in English | MEDLINE | ID: mdl-36913714

ABSTRACT

Genome sequencing is increasingly used in research and integrated into clinical care. In the research domain, large-scale analyses, including whole genome sequencing with variant interpretation and curation, virtually guarantee identification of variants that are pathogenic or likely pathogenic and actionable. Multiple guidelines recommend that findings associated with actionable conditions be offered to research participants in order to demonstrate respect for autonomy, reciprocity, and participant interests in health and privacy. Some recommendations go further and support offering a wider range of findings, including those that are not immediately actionable. In addition, entities covered by the US Health Insurance Portability and Accountability Act (HIPAA) may be required to provide a participant's raw genomic data on request. Despite these widely endorsed guidelines and requirements, the implementation of return of genomic results and data by researchers remains uneven. This article analyzes the ethical and legal foundations for researcher duties to offer adult participants their interpreted results and raw data as the new normal in genomic research.


Subject(s)
Genomics , Whole Genome Sequencing , Genomics/methods , Whole Genome Sequencing/methods , Humans , United States Food and Drug Administration , United States , Information Storage and Retrieval , Health Insurance Portability and Accountability Act
10.
Surg Clin North Am ; 103(2): 347-356, 2023 Apr.
Article in English | MEDLINE | ID: mdl-36948723

ABSTRACT

Data privacy in the United States is protected by a patchwork of Federal and state laws. Federal laws protect data based on the type of entity collecting and retaining the information. Unlike the European Union, there is no comprehensive privacy statute. Some statutes, such as the Health Insurance Portability and Accountability Act, have specific requirements; others, like the Federal Trade Commission Act, only protect against deceptive and unfair business practices. Because of this framework, the use of personal data in the United States requires navigating through a series of complicated Federal and state statutes that are continuously being updated and amended.


Subject(s)
Confidentiality , Privacy , Humans , United States , Health Insurance Portability and Accountability Act , Information Dissemination
11.
Surg Endosc ; 37(3): 2182-2188, 2023 03.
Article in English | MEDLINE | ID: mdl-36705752

ABSTRACT

BACKGROUND: The ability to effectively communicate with patients continues to be a challenge for physician offices. Mobile healthcare applications have enhanced the accessibility of healthcare providers to their patients. However, the efficacy of unrestricted, personalized, bidirectional, freeform texting has not been previously evaluated. METHODS: We investigated patient preference and self-reported outcomes using a smartphone HIPAA compliant mobile healthcare texting app, compared to conventional telecommunication, in self-reported quality of care, and impact on preventing unnecessary emergency department visits. A retrospective cohort survey study of a single-surgeon hernia specialist's practice was utilized. Patients with access to a smartphone who received care between July 2017 and March 2020 were instructed to utilize the healthcare texting app as a replacement to calling/receiving calls from the physician's office. Messages to and from patients were delivered directly to their surgeon and the surgical team via non-automated, personalized, freeform text messages, and templates, available to patients at all hours of the day. A depersonalized online survey was then distributed to assess patient perceived quality of care using the app, compared to their past experiences calling physician offices, and whether they preferred using text or conventional telecommunication. Additional statistics were reported using the application's built-in software, including response times, adoption rates, and message volumes. RESULTS: 90 patients successfully completed the entirety of the survey, median age range 50-60 years old. 97% of respondents reported the texting app provided at least non-inferior quality of care compared to conventional telecommunication, with a majority (75%) experiencing a relatively improved quality of care. 9% reported an unnecessary ED visit being avoided after consulting their physician through the application. 
CONCLUSIONS: Unrestricted, freeform, non-automated communication via texting may be preferred by patients over conventional telecommunication. However, further research is warranted to assess the external validity and clinical impact of such results.


Subject(s)
Mobile Applications , Text Messaging , United States , Humans , Middle Aged , Patient Preference , Health Insurance Portability and Accountability Act , Retrospective Studies , Surveys and Questionnaires
13.
Nursing ; 53(1): 15-19, 2023 Jan 01.
Article in English | MEDLINE | ID: mdl-36573862

ABSTRACT

The advent of cellular network technology has increased the use of photography in the clinical setting. This article reviews several areas regarding protected health information (PHI) and the use of video: the 1996 Health Insurance Portability and Accountability Act (HIPAA); The Joint Commission requirements for the use of images; areas of concern for exchanging PHI with law enforcement at the bedside; and the need for the development of formal guidelines regarding the use of video in the clinical setting.


Subject(s)
Health Insurance Portability and Accountability Act , Photography , United States , Humans , Video Recording , Confidentiality
15.
Account Res ; 30(7): 530-541, 2023 12.
Article in English | MEDLINE | ID: mdl-35108149

ABSTRACT

The Health Insurance Portability and Accountability Act (HIPAA) has radically changed the way healthcare is conducted, and its relevance continues to expand as healthcare technology evolves. This article describes a method for training inexperienced undergraduate students to become HIPAA-compliant clinical research volunteers in a pediatric traumatic brain injury (TBI) study. Volunteers are trained to use the hospital's electronic health records (EHR) system to identify potential study candidates for approach, and they develop this skill set through Google Classroom modules/quizzes along with routine Zoom calls to solidify their consenting approach. Since the inception of this study in 2018, there have been over one hundred different undergraduate research volunteers involved, and there has not been a single HIPAA violation to date. This compliance success rate is indicative of the efficacy of this training protocol. This paper serves as a guide to implementing HIPAA compliance training and ensuring accountability in new and existing clinical research studies.


Subject(s)
Health Insurance Portability and Accountability Act , Students , United States , Humans , Child , Confidentiality
16.
Int J Popul Data Sci ; 8(1): 2153, 2023.
Article in English | MEDLINE | ID: mdl-38414537

ABSTRACT

Introduction: Using data in research often requires that the data first be de-identified, particularly in the case of health data, which often include Personal Identifiable Information (PII) and/or Personal Health Identifying Information (PHII). There are established procedures for de-identifying structured data, but de-identifying clinical notes, electronic health records, and other records that include free text data is more complex. Several different ways to achieve this are documented in the literature. This scoping review identifies categories of de-identification methods that can be used for free text data. Methods: We adopted an established scoping review methodology to examine review articles published up to May 9, 2022, in Ovid MEDLINE; Ovid Embase; Scopus; the ACM Digital Library; IEEE Explore; and Compendex. Our research question was: What methods are used to de-identify free text data? Two independent reviewers conducted title and abstract screening and full-text article screening using the online review management tool Covidence. Results: The initial literature search retrieved 3,312 articles, most of which focused primarily on structured data. Eighteen publications describing methods of de-identification of free text data met the inclusion criteria for our review. The majority of the included articles focused on removing categories of personal health information identified by the Health Insurance Portability and Accountability Act (HIPAA). The de-identification methods they described combined rule-based methods or machine learning with other strategies such as deep learning. Conclusion: Our review identifies and categorises de-identification methods for free text data as rule-based methods, machine learning, deep learning and a combination of these and other approaches. Most of the articles we found in our search refer to de-identification methods that target some or all categories of PHII. 
Our review also highlights how de-identification systems for free text data have evolved over time and points to hybrid approaches as the most promising approach for the future.


Subject(s)
Confidentiality , Health Records, Personal , Data Anonymization , Electronic Health Records , Health Insurance Portability and Accountability Act , Review Literature as Topic , United States
17.
J Law Med Ethics ; 51(4): 988-995, 2023.
Article in English | MEDLINE | ID: mdl-38477276

ABSTRACT

Developers and vendors of large language models ("LLMs") - such as ChatGPT, Google Bard, and Microsoft's Bing at the forefront - can be subject to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") when they process protected health information ("PHI") on behalf of HIPAA covered entities. In doing so, they become business associates or subcontractors of a business associate under HIPAA.


Subject(s)
Guideline Adherence , Health Insurance Portability and Accountability Act , Humans , United States , Commerce
18.
AMIA Annu Symp Proc ; 2023: 814-823, 2023.
Article in English | MEDLINE | ID: mdl-38222389

ABSTRACT

In the era of big data, there is an increasing need for healthcare providers, communities, and researchers to share data and collaborate to improve health outcomes, generate valuable insights, and advance research. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to protect sensitive health information by defining regulations for protected health information (PHI). However, it does not provide efficient tools for detecting or removing PHI before data sharing. One of the challenges in this area of research is the heterogeneous nature of PHI fields in data across different parties. This variability makes rule-based sensitive variable identification systems that work on one database fail on another. To address this issue, our paper explores the use of machine learning algorithms to identify sensitive variables in structured data, thus facilitating the de-identification process. We made a key observation that the distributions of metadata of PHI fields and non-PHI fields are very different. Based on this novel finding, we engineered over 30 features from the metadata of the original features and used machine learning to build classification models to automatically identify PHI fields in structured Electronic Health Record (EHR) data. We trained the model on a variety of large EHR databases from different data sources and found that our algorithm achieves 99% accuracy when detecting PHI-related fields for unseen datasets. The implications of our study are significant and can benefit industries that handle sensitive data.


Subject(s)
Confidentiality , Medical Records Systems, Computerized , United States , Humans , Health Insurance Portability and Accountability Act , Algorithms , Machine Learning , Electronic Health Records
19.
J Med Internet Res ; 24(11): e41750, 2022 11 04.
Article in English | MEDLINE | ID: mdl-36331535

ABSTRACT

The federal Trusted Exchange Framework and Common Agreement (TEFCA) aims to reduce fragmentation of patient records by expanding query-based health information exchange with nationwide connectivity for diverse purposes. TEFCA provides a common agreement and security framework allowing clinicians, and possibly insurance company staff, public health officials, and other authorized users, to query for health information about hundreds of millions of patients. TEFCA presents an opportunity to weave information exchange into the fabric of our national health information economy. We define 3 principles to promote patient autonomy and control within TEFCA: (1) patients can query for data about themselves, (2) patients can know when their data are queried and shared, and (3) patients can configure what is shared about them. We believe TEFCA should address these principles by the time it launches. While health information exchange already occurs on a large scale today, the launch of TEFCA introduces a major, new, and cohesive component of 21st-century US health care information infrastructure. We strongly advocate for a substantive role for the patient in TEFCA, one that will be a model for other systems and policies.


Subject(s)
Health Information Exchange , Health Insurance Portability and Accountability Act , United States , Humans , Privacy , Confidentiality , Computer Security
20.
J Am Med Inform Assoc ; 29(11): 1967-1971, 2022 10 07.
Article in English | MEDLINE | ID: mdl-36217861

ABSTRACT

To facilitate the secondary usage of electronic health record data for research, the University of California, San Francisco (UCSF) recently implemented a clinical data warehouse including, among other data, deidentified clinical notes and reports, which are available to UCSF researchers without Institutional Review Board approval. For deidentification of these notes, most of the Health Insurance Portability and Accountability Act identifiers are redacted, but dates are transformed by shifting all dates for a patient back by the same random number of days. We describe an issue in which nonspecific (ie, excess) transformation of nondate, date-like text by this deidentification process enables reidentification of all dates, including birthdates, for certain patients. This issue undercuts the common assumption that excess deidentification is a safe tradeoff to protect patient privacy. We present this issue as a caution to other institutions that may also be considering releasing deidentified notes for research.


Subject(s)
Data Anonymization , Text Messaging , Confidentiality , Electronic Health Records , Health Insurance Portability and Accountability Act , Humans , United States