A unified framework for evaluating the risk of re-identification of text de-identification tools.

OBJECTIVES: It has become regular practice to de-identify unstructured medical text for use in research using automatic methods, the goal of which is to remove patient identifying information to minimize re-identification risk. The metrics commonly used to determine if these systems are performing well do not accurately reflect the risk of a patient being re-identified. We therefore developed a framework for measuring the risk of re-identification associated with textual data releases. METHODS: We apply the proposed evaluation framework to a data set from the University of Michigan Medical School. Our risk assessment results are then compared with those that would be obtained using a typical contemporary micro-average evaluation of recall in order to illustrate the difference between the proposed evaluation framework and the current baseline method. RESULTS: We demonstrate how this framework compares against common measures of the re-identification risk associated with an automated text de-identification process. For the probability of re-identification using our evaluation framework we obtained a mean value for direct identifiers of 0.0074 and a mean value for quasi-identifiers of 0.0022. The 95% confidence interval for these estimates were below the relevant thresholds. The threshold for direct identifier risk was based on previously used approaches in the literature. The threshold for quasi-identifiers was determined based on the context of the data release following commonly used de-identification criteria for structured data. DISCUSSION: Our framework attempts to correct for poorly distributed evaluation corpora, accounts for the data release context, and avoids the often optimistic assumptions that are made using the more traditional evaluation approach. It therefore provides a more realistic estimate of the true probability of re-identification. CONCLUSIONS: This framework should be used as a basis for computing re-identification risk in order to more realistically evaluate future text de-identification tools.

MyPath to Home Web-Based Application for the Geriatric Rehabilitation Program at Bruyère Continuing Care: User-Centered Design and Feasibility Testing Study.

BACKGROUND: When older adults return home from geriatric rehabilitation in a hospital, remembering the plethora of medical advice and medical instructions provided can be overwhelming for them and for their caregivers. OBJECTIVE: The overall objective was to develop and test the feasibility of a novel web-based application called MyPath to Home that can be used to manage the personalized needs of geriatric rehabilitation patients during their transition from the hospital to home. METHODS: This study involved (1) co-designing a patient- and clinician-tailored web-based application and (2) testing the feasibility of the application to manage the needs of geriatric rehabilitation patients when leaving the hospital. In phase 1, we followed a user-centered design process integrated with the modern agile software development methodology to iteratively co-design the application. The approach consisted of three cycles in which we engaged patients, caregivers, and clinicians to design a series of prototypes (cycles 1-3). In phase 2, we conducted a single-arm feasibility pilot test of MyPath to Home. Baseline and follow-up surveys, as well as select semistructured interviews were conducted. RESULTS: In phase 1, semistructured interviews and talk-aloud sessions were conducted with patients/caregivers (n=5) and clinicians (n=17) to design the application. In phase 2, patients (n=30), caregivers (n=18), and clinicians (n=20) received access to use the application. Patients and their caregivers were asked to complete baseline and follow-up surveys. A total of 91% (21/23) of patients would recommend this application to other patients. In addition, clinicians (n=6) and patients/caregivers (n=6) were interviewed to obtain further details on the value of the web-based application with respect to engaging patients and facilitating communication and sharing of information with the health care team. CONCLUSIONS: We were successful at designing the MyPath to Home prototype for patients and their caregivers to engage with their clinicians during the transition from geriatric rehabilitation to home. Further work is needed to increase the uptake and usage by clinicians, and determine if this translates to meaningful changes in clinical and functional outcomes. INTERNATIONAL REGISTERED REPORT IDENTIFIER (IRRID): RR2-10.2196/11031.

Development of a Path to Home Mobile App for the Geriatric Rehabilitation Program at Bruyère Continuing Care: Protocol for User-Centered Design and Feasibility Testing Studies.

BACKGROUND: As the population ages, the need for appropriate geriatric rehabilitation services will also increase. Pressures faced by hospitals to reduce length of stay and reduce costs have driven the need for more complex care being delivered in the home or community setting. As a result, a multifaceted approach that can provide geriatric rehabilitation patients with safe and effective person- and family-centered care during transitions from hospital to home is required. We hypothesize that a technology-supported person- and family-centered care transition could empower geriatric rehabilitation patients, engage them in shared decision making, and ultimately help them to safely manage their personalized needs during care transitions from hospital to home. OBJECTIVE: The purpose of this study is to design and test the feasibility of a novel Path to Home mobile app to manage the personalized needs of geriatric rehabilitation patients during their transitions from hospital to home. METHODS: This study will consist of (1) codesigning a patient- and provider-tailored mobile app, and (2) feasibility pilot testing of the mobile app to manage the needs of geriatric rehabilitation patients when leaving the hospital. In phase 1, we will follow a user-centered design process integrated with a modern agile software development methodology to iteratively codesign the personalized care transition Path to Home mobile app. In phase 2, we will conduct a single-arm feasibility pilot test with geriatric rehabilitation patients using the personalized care transition Path to Home mobile app to manage their needs during the transition from hospital to home. RESULTS: The project was funded in May 2018, and enrollment and data analysis are underway. First results are expected to be submitted for publication in 2019. CONCLUSIONS: Our findings will help validate the use of this technology for geriatric rehabilitation patients discharged from the hospital to home. Future research will more rigorously evaluate the health and economic benefits to inform wide-scale adoption of the technology. REGISTERED REPORT IDENTIFIER: RR1-10.2196/11031.

A Protocol for the secure linking of registries for HPV surveillance.

INTRODUCTION: In order to monitor the effectiveness of HPV vaccination in Canada the linkage of multiple data registries may be required. These registries may not always be managed by the same organization and, furthermore, privacy legislation or practices may restrict any data linkages of records that can actually be done among registries. The objective of this study was to develop a secure protocol for linking data from different registries and to allow on-going monitoring of HPV vaccine effectiveness. METHODS: A secure linking protocol, using commutative hash functions and secure multi-party computation techniques was developed. This protocol allows for the exact matching of records among registries and the computation of statistics on the linked data while meeting five practical requirements to ensure patient confidentiality and privacy. The statistics considered were: odds ratio and its confidence interval, chi-square test, and relative risk and its confidence interval. Additional statistics on contingency tables, such as other measures of association, can be added using the same principles presented. The computation time performance of this protocol was evaluated. RESULTS: The protocol has acceptable computation time and scales linearly with the size of the data set and the size of the contingency table. The worse case computation time for up to 100,000 patients returned by each query and a 16 cell contingency table is less than 4 hours for basic statistics, and the best case is under 3 hours. DISCUSSION: A computationally practical protocol for the secure linking of data from multiple registries has been demonstrated in the context of HPV vaccine initiative impact assessment. The basic protocol can be generalized to the surveillance of other conditions, diseases, or vaccination programs.

A secure protocol for protecting the identity of providers when disclosing data for disease surveillance.

BACKGROUND: Providers have been reluctant to disclose patient data for public-health purposes. Even if patient privacy is ensured, the desire to protect provider confidentiality has been an important driver of this reluctance. METHODS: Six requirements for a surveillance protocol were defined that satisfy the confidentiality needs of providers and ensure utility to public health. The authors developed a secure multi-party computation protocol using the Paillier cryptosystem to allow the disclosure of stratified case counts and denominators to meet these requirements. The authors evaluated the protocol in a simulated environment on its computation performance and ability to detect disease outbreak clusters. RESULTS: Theoretical and empirical assessments demonstrate that all requirements are met by the protocol. A system implementing the protocol scales linearly in terms of computation time as the number of providers is increased. The absolute time to perform the computations was 12.5 s for data from 3000 practices. This is acceptable performance, given that the reporting would normally be done at 24 h intervals. The accuracy of detection disease outbreak cluster was unchanged compared with a non-secure distributed surveillance protocol, with an F-score higher than 0.92 for outbreaks involving 500 or more cases. CONCLUSION: The protocol and associated software provide a practical method for providers to disclose patient data for sentinel, syndromic or other indicator-based surveillance while protecting patient privacy and the identity of individual providers.

The inadvertent disclosure of personal health information through peer-to-peer file sharing programs.

OBJECTIVE: There has been a consistent concern about the inadvertent disclosure of personal information through peer-to-peer file sharing applications, such as Limewire and Morpheus. Examples of personal health and financial information being exposed have been published. We wanted to estimate the extent to which personal health information (PHI) is being disclosed in this way, and compare that to the extent of disclosure of personal financial information (PFI). DESIGN: After careful review and approval of our protocol by our institutional research ethics board, files were downloaded from peer-to-peer file sharing networks and manually analyzed for the presence of PHI and PFI. The geographic region of the IP addresses was determined, and classified as either USA or Canada. MEASUREMENT: We estimated the proportion of files that contain personal health and financial information for each region. We also estimated the proportion of search terms that return files with personal health and financial information. We ascertained and discuss the ethical issues related to this study. RESULTS: Approximately 0.4% of Canadian IP addresses had PHI, as did 0.5% of US IP addresses. There was more disclosure of financial information, at 1.7% of Canadian IP addresses and 4.7% of US IP addresses. An analysis of search terms used in these file sharing networks showed that a small percentage of the terms would return PHI and PFI files (ie, there are people successfully searching for PFI and PHI on the peer-to-peer file sharing networks). CONCLUSION: There is a real risk of inadvertent disclosure of PHI through peer-to-peer file sharing networks, although the risk is not as large as for PFI. Anyone keeping PHI on their computers should avoid installing file sharing applications on their computers, or if they have to use such tools, actively manage the risks of inadvertent disclosure of their, their family's, their clients', or patients' PHI.