Communicating Protected Health Information: Current Methods and Future Innovation
Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, protected health information (PHI) constitutes all “individually identifiable health information,” regardless of how it is held or transmitted [1]. The HIPAA Privacy Rule does not prohibit electronic transmission of PHI, but it requires that providers follow “reasonable safeguards” when doing so [2]. Empirical research supports these regulations and the importance of privacy and security with PHI. A study from 2017 surveyed 116 users of virtual health communities (VHCs), which are websites for people with a common interest in a specific health-related topic. The researchers found that people are willing to share PHI within their VHC, as long as they expect said sharing to promote positive personal or community outcomes. However, they also found that privacy concerns would hamper people’s willingness to share [3]. From legal and empirical perspectives, any form of PHI communication must come with privacy considerations.
One recent example of PHI communication comes from DirectTrust, a nonprofit firm specializing in the secure exchange of PHI. In July 2020, they released a standard called Trusted Instant Messaging+ (TIM+), which facilitates secure text communication and file sharing across “known, trusted entities both within and across enterprises” [4]. TIM+ relies on numerous Internet Standards, proven technologies that facilitate secure transmission and user authentication. With these technologies, DirectTrust and other providers of secure file sharing are making strides toward a future of widespread telehealth access.
Telehealth and protected health information are intrinsically intertwined. For example, during a virtual appointment, a doctor might refer to their patient by name, inquire about recent symptoms or conditions, and inform their patient of treatments and next steps. Under the HIPAA Privacy Rule, these routine points of discussion qualify as PHI. Due to the COVID-19 pandemic, the US Department of Health and Human Services has relaxed the guidelines for virtual appointments, permitting providers to use certain apps—FaceTime, Skype, Zoom, etc.—even if the app does not fully comply with HIPAA [5]. Although one cannot predict whether these apps will remain permissible for telehealth, one can envision that a fully HIPAA-compliant app will gain traction in the future.
The benefits of sharing protected health information go beyond individual patients. Healthcare providers might share or pool PHI to facilitate medical research. Under HIPAA, PHI can only be used or disclosed without restriction if it is “de-identified,” or stripped of identifying information [1]. However, research has shown that de-identification is not sufficient for true anonymity. By cross-referencing a dataset of de-identified Netflix reviews with publicly available Amazon reviews, researchers were able to identify some people in the former dataset [6]. To protect individual patients while serving the public interest, providers have several options for technologies to implement in the future.
One such technology is differential privacy (DP), the notion that “one’s risk to privacy should not substantially increase as a result of participating in a statistical database” [7]. DP generates a mathematical guarantee that analyzing the original dataset and the anonymized dataset will give similar results [8]. Another example is federated learning, a family of machine learning algorithms that can work with data across multiple decentralized servers. Like DP, federated learning comes with mathematical guarantees of privacy [9]. In contrast to DP, providers using federated learning do not need to transmit any kind of data; it suffices to store anonymized data on a server and allow queries from the federated learning algorithm.
In conclusion, protected health information has been and remains a key consideration of healthcare technologies and patient interactions. With the creation of technological and policy solutions, future technologies can leverage PHI to inform and benefit medical outcomes across populations.
References
[1] Summary of the HIPAA Privacy Rule. July 2013. Retrieved September 19, 2020 from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[2] Does the HIPAA Privacy Rule Permit Health Care Providers to Use Email to Discuss Health Issues with Patients? July 2013. Retrieved September 19, 2020 from https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html.
[3] Kordzadeh N and Warren J. Communicating Personal Health Information in Virtual Health Communities: An Integration of Privacy Calculus Model and Affective Commitment. Journal of the Association for Information Systems 2017; 18: 1. DOI: 10.17705/1jais.00446.
[4] DirectTrust. Trusted Instant Messaging (TIM+) Applicability Statement. July 2020. Retrieved September 19, 2020 from https://directtrust.app.box.com/s/stlhyofi4rg8o1nap7h8phup88cvs9ui.
[5] Telehealth: Delivering Care Safely During COVID-19. July 2020. Retrieved September 20, 2020 from https://www.hhs.gov/coronavirus/telehealth/index.html.
[6] Archie M, et al. Who’s Watching? De-anonymization of Netflix Reviews using Amazon Reviews. [Unpublished Manuscript] 2018. Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology. https://courses.csail.mit.edu/6.857/2018/project/Archie-Gershon-Katchoff-Zeng-Netflix.pdf
[7] Dankar F and El Emam K. The Application of Differential Privacy to Health Data. Proceedings of the 2012 Joint EDBT/ICDT Workshops. 2012. DOI: 10.1145/2320765.2320816.
[8] Friedman A and Schuster A. Data Mining with Differential Privacy. Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2010. DOI: 10.1145/1835804.1835868.
[9] Yang Q, et al. Federated Machine Learning: Concept and Applications. ACM Transactions on Intelligent Systems and Technology. 2019. DOI: 10.1145/3298981.
