Publishing data from electronic health records while preserving privacy: A survey of algorithms

The dissemination of Electronic Health Records (EHRs) can be highly beneficial for a range of medical studies, spanning from clinical trials to epidemic control studies, but it must be performed in a way that preserves patients’ privacy. This is not straightforward, because the disseminated data need to be protected against several privacy threats, while remaining useful for subsequent analysis tasks. In this work, we present a survey of algorithms that have been proposed for publishing structured patient data, in a privacy-preserving way. We review more than 45 algorithms, derive insights on their operation, and highlight their advantages and disadvantages. We also provide a discussion of some promising directions for future research in this area.     

An innovative privacy preserving technique for incremental datasets on cloud computing

Cloud computing (CC) is a magnificent service-based delivery with gigantic computer processing power and data storage across connected communications channels. It imparted overwhelming technological impetus in the internet (web) mediated IT industry, where users can easily share private data for further analysis and mining. Furthermore, user affable CC services enable to deploy sundry applications economically. Meanwhile, simple data sharing impelled various phishing attacks and malware assisted security threats. Some privacy sensitive applications like health services on cloud that are built with several economic and operational benefits necessitate enhanced security. Thus, absolute cyberspace security and mitigation against phishing blitz became mandatory to protect overall data privacy. Typically, diverse applications datasets are anonymized with better privacy to owners without providing all secrecy requirements to the newly added records. Some proposed techniques emphasized this issue by re-anonymizing the datasets from the scratch. The utmost privacy protection over incremental datasets on CC is far from being achieved. Certainly, the distribution of huge datasets volume across multiple storage nodes limits the privacy preservation. In this view, we propose a new anonymization technique to attain better privacy protection with high data utility over distributed and incremental datasets on CC. The proficiency of data privacy preservation and improved confidentiality requirements is demonstrated through performance evaluation.     

Informed consent and patient videotaping.

PURPOSE: To determine whether videotaping consent forms used in family medicine residencies meet the criteria for informed consent, adhere to published guidelines for videotaping patients, and are written at a suitable reading level. METHOD: Three reviewers independently evaluated videotaping consent forms obtained from 20 family practice residencies to determine whether they included the elements of informed consent and conformed to published guidelines for ethical videotaping. The reading level of each consent form was also determined using a standardized assessment. RESULTS: Depending on the reviewer, only one to three of the 20 consent forms were judged adequate in providing a patient with enough information to make an informed choice. Specific aspects of voluntariness were absent from most of the forms. In addition, the reading level was, on average, well above recommended levels for patient comprehension. CONCLUSION: Most of the videotaping consent forms analyzed in this study did not provide adequate information to assist patients in making a voluntary, informed choice to be videotaped. The absence of this information raises the potential for violations of patient privacy and confidentiality.     

Dynamic consent: a patient interface for twenty-first century research networks

Biomedical research is being transformed through the application of information technologies that allow ever greater amounts of data to be shared on an unprecedented scale. However, the methods for involving participants have not kept pace with changes in research capability. In an era when information is shared digitally at the global level, mechanisms of informed consent remain static, paper-based and organised around national boundaries and legal frameworks. Dynamic consent (DC) is both a specific project and a wider concept that offers a new approach to consent; one designed to meet the needs of the twenty-first century research landscape. At the heart of DC is a personalised, digital communication interface that connects researchers and participants, placing participants at the heart of decision making. The interface facilitates two-way communication to stimulate a more engaged, informed and scientifically literate participant population where individuals can tailor and manage their own consent preferences. The technical architecture of DC includes components that can securely encrypt sensitive data and allow participant consent preferences to travel with their data and samples when they are shared with third parties. In addition to improving transparency and public trust, this system benefits researchers by streamlining recruitment and enabling more efficient participant recontact. DC has mainly been developed in biobanking contexts, but it also has potential application in other domains for a variety of purposes.     

Communications between volunteers and health researchers during recruitment and informed consent: qualitative content analysis of email interactions

Background

While use of the Internet is increasingly widespread in research, little is known about the role of routine electronic mail (email) correspondence during recruitment and early volunteer–researcher interactions. To gain insight into the standpoint of volunteers we analyzed email communications in an early rheumatoid arthritis qualitative interview study.

Objectives

The objectives of our study were (1) to understand the perspectives and motivations of individuals who volunteered for an interview study about the experiences of early rheumatoid arthritis, and (2) to investigate the role of emails in volunteer–researcher interactions during recruitment.

Methods

Between December 2007 and December 2008 we recruited 38 individuals with early rheumatoid arthritis through rheumatologist and family physician offices, arthritis Internet sites, and the Arthritis Research Centre of Canada for a (face-to-face) qualitative interview study. Interested individuals were invited to contact us via email or telephone. In this paper, we report on email communications from 12 of 29 volunteers who used email as their primary communication mode.

Results

Emails offered insights into the perspective of study volunteers. They provided evidence prospectively about recruitment and informed consent in the context of early rheumatoid arthritis. First, some individuals anticipated that participating would have mutual benefits, for themselves and the research, suggesting a reciprocal quality to volunteering. Second, volunteering for the study was strongly motivated by a need to access health services and was both a help-seeking and self-managing strategy. Third, volunteers expressed ambivalence around participation, such as how far participating would benefit them, versus more general benefits for research. Fourth, practical difficulties of negotiating symptom impact, medical appointments, and research tasks were revealed. We also reflect on how emails documented volunteer–researcher interactions, illustrating typically undocumented researcher work during recruitment.

Conclusions

Emails can be key forms of data. They provide richly contextual prospective records of an underresearched dimension of the research process: routine volunteer–researcher interactions during recruitment. Emails record the context of volunteering, and the motivations and priorities of volunteers. They also highlight the “invisible work” of research workers during what are typically considered to be standard administrative tasks. Further research is needed to fully understand the role of routine emails, what they may reveal about volunteers’ decisions to participate, and their implications for research relationships—for example, whether they have the potential to foster rapport, trust, and understanding between volunteer and researcher, and ultimately shift the power dynamic of the volunteer–researcher relationship.     

基于规则和机器学习的中文电子病历患者隐私保护算法

目的针对医疗数据发布和共享中患者隐私泄露风险以及人工去标识效率低的问题,本文提出了一种基于规则和机器学习结合的算法,以有效去除电子病历中的患者隐私信息。方法根据美国健康可携行与责任性法案和中文电子病历的表达习惯,将隐私数据分为数字、日期及命名实体三大类,利用正则表达式识别数字以及日期隐私数据,引入隐马尔科夫模型识别命名实体。最后使用上海市第六人民医院的出院小结作为测试数据,利用留出法测试了隐私数据识别的召回率和精确率。结果该模型总体得到了超过90%的召回率,其中数字和日期类型的隐私数据召回率都超过96%,中文人名的识别效果也超过了单人识别的效果。结论规则和机器学习结合的模型有效地识别了患者的隐私数据,有助于医疗数据的共享。     

Situation-Based Access Control: privacy management via modeling of patient data access scenarios

Access control is a central problem in privacy management. A common practice in controlling access to sensitive data, such as electronic health records (EHRs), is Role-Based Access Control (RBAC). RBAC is limited as it does not account for the circumstances under which access to sensitive data is requested. Following a qualitative study that elicited access scenarios, we used Object-Process Methodology to structure the scenarios and conceive a Situation-Based Access Control (SitBAC) model. SitBAC is a conceptual model, which defines scenarios where patient’s data access is permitted or denied. The main concept underlying this model is the Situation Schema, which is a pattern consisting of the entities Data-Requestor, Patient, EHR, Access Task, Legal-Authorization, and Response, along with their properties and relations. The various data access scenarios are expressed via Situation Instances. While we focus on the medical domain, the model is generic and can be adapted to other domains.     

Informed consent and knee arthroscopies: an evaluation of patient understanding and satisfaction

Fifty patients who had been admitted to a public hospital in Australia for an elective knee arthroscopy were asked to complete a detailed questionnaire prior to theatre, designed to evaluate patient understanding and satisfaction of the informed consent process. While patients generally felt that they received an appropriate amount of information on the nature of their injury and the actual operative procedure, little information was given on possible complications and post-operative care. This study clearly indicates that patients are dissatisfied when they perceive a lack of basic information being given. The findings are of some concern as they suggest that the majority of consents gained in this study were not truly 'informed'. However, recognition by medical staff of the areas that appear to be poorly explained to patients enables these issues to be addressed. This in turn is likely to improve patient understanding of and satisfaction with the consent process.     

Sperm and oocyte cryopreservation: comprehensive consent and the protection of patient autonomy

Sperm cryopreservation and increasingly oocyte cryopreservation are common forms of fertility preservation for oncology patients facing gonadotoxic therapy. Both procedures present challenging ethical issues with regard to informed consent, given that the context for these procedures is a disease that carries a significant risk of mortality. We argue that the current consent process does not allow for adequate collection of information about a patient's wishes for the custody of cryopreserved gametes in the case of premature death. After review of the European Society of Human Reproduction and Embryology and the American Society of Reproductive Medicine guidelines we propose that a new, comprehensive consent procedure for sperm and oocyte cryopreservation including a 'roll-down' option is imperative to protect the autonomy of these oncology patients. This 'roll-down' option should allow for the transfer of custody of gametes to a pre-selected alternative recipient(s) if the original recipient no longer intends to use the gametes to create a child. We also demonstrate that objections over non-spousal custody of gametes can be overcome with sound ethical arguments.     

Protecting patient privacy when sharing patient-level data from clinical trials

Background

Greater transparency and, in particular, sharing of patient-level data for further scientific research is an increasingly important topic for the pharmaceutical industry and other organisations who sponsor and conduct clinical trials as well as generally in the interests of patients participating in studies. A concern remains, however, over how to appropriately prepare and share clinical trial data with third party researchers, whilst maintaining patient confidentiality. Clinical trial datasets contain very detailed information on each participant. Risk to patient privacy can be mitigated by data reduction techniques. However, retention of data utility is important in order to allow meaningful scientific research. In addition, for clinical trial data, an excessive application of such techniques may pose a public health risk if misleading results are produced. After considering existing guidance, this article makes recommendations with the aim of promoting an approach that balances data utility and privacy risk and is applicable across clinical trial data holders.

Discussion

Our key recommendations are as follows:

1. 1.
   Data anonymisation/de-identification: Data holders are responsible for generating de-identified datasets which are intended to offer increased protection for patient privacy through masking or generalisation of direct and some indirect identifiers.
    
2. 2.
   Controlled access to data, including use of a data sharing agreement: A legally binding data sharing agreement should be in place, including agreements not to download or further share data and not to attempt to seek to identify patients. Appropriate levels of security should be used for transferring data or providing access; one solution is use of a secure ‘locked box’ system which provides additional safeguards.
    

Summary

This article provides recommendations on best practices to de-identify/anonymise clinical trial data for sharing with third-party researchers, as well as controlled access to data and data sharing agreements. The recommendations are applicable to all clinical trial data holders. Further work will be needed to identify and evaluate competing possibilities as regulations, attitudes to risk and technologies evolve.

     

Sources of patient uncertainty when reviewing medical disclosure and consent documentation

Objectives

Despite evidence that medical disclosure and consent forms are ineffective at communicating the risks and hazards of treatment and diagnostic procedures, little is known about exactly why they are difficult for patients to understand. The objective of this research was to examine what features of the forms increase people's uncertainty.

Methods

Interviews were conducted with 254 individuals. After reading a sample consent form, participants described what they found confusing in the document. With uncertainty management as a theoretical framework, interview responses were analyzed for prominent themes.

Results

Four distinct sources of uncertainty emerged from participants’ responses: (a) language, (b) risks and hazards, (c) the nature of the procedure, and (d) document composition and format.

Conclusions

Findings indicate the value of simplifying medico-legal jargon, signposting definitions of terms, removing language that addresses multiple readers simultaneously, reorganizing bulleted lists of risks, and adding section breaks or negative space.

Practice implications

These findings offer suggestions for providing more straightforward details about risks and hazards to patients, not necessarily through greater amounts of information but rather through more clear and sufficient material and better formatting.