In the United States, sensitive health information is protected under the Health Insurance Portability and Accountability Act (HIPAA). This act limits the disclosure of Protected Health Information (PHI) without the patient’s consent or knowledge. However, as medical care becomes web-integrated, many providers have chosen to use third-party web trackers for measurement and marketing purposes. This presents a security concern: third-party JavaScript requested by an online healthcare system can read the website’s contents, and ensuring PHI is not unintentionally or maliciously leaked becomes difficult. In this paper, we investigate health information breaches in online medical records, focusing on 459 online patient portals and 4 telehealth websites.
We find 14% of patient portals include Google Analytics, which reveals (at a minimum) the fact that the user visited the health provider website, while 5 portals and 4 telehealth websites con- tained JavaScript-based services disclosing PHI, including medications and lab results, to third parties. The most significant PHI breaches were on behalf of Google and Facebook trackers. In the latter case, an estimated 4.5 million site visitors per month were potentially exposed to leaks of personal information (names, phone numbers) and medical information (test results, medications). We notified healthcare providers of the PHI breaches and found only 15.7% took action to correct leaks. Healthcare operators lacked the technical expertise to identify PHI breaches caused by third-party trackers. After notifying Epic, a healthcare portal vendor, of the PHI leaks, we received a prompt response and observed extensive mitigation across providers, suggesting vendor notification is an effective intervention against PHI disclosures.
more »
« less
Patient-provider Engagement and its Impact on Health Outcomes: A longitudinal study of patient portal use
Hospitalization of patients with chronic diseases poses a significant burden on the healthcare system. Frequent hospitalization can be partially attributed to the failure of healthcare providers to engage effectively with their patients. Recently, patient portals have become popular as information technology (IT) platforms that provide
patients with online access to their medical records and help them engage effectively with healthcare providers. Despite the popularity of these portals, there is a paucity of research on the impact of patient–provider engagement on patients’ health outcomes. Drawing on the theory of effective use, we examine the association between portal use and the incidence of subsequent patient hospitalizations, based on a unique, longitudinal dataset of patients’ portal use, across a 12-year period at a large academic medical center in North Texas. Our results indicate that portal use is associated with improvements in patient health outcomes along multiple dimensions, including the frequency of hospital and emergency visits, readmission risk, and length of stay. This is one of the first studies to conduct a large-scale, longitudinal analysis of a health IT system and its effect on individual level health outcomes. Our results highlight the need for technologies that can improve patient–provider engagement and improve overall health outcomes for chronic disease management.
more »
« less
- Award ID(s):
- 1636933
- NSF-PAR ID:
- 10202429
- Date Published:
- Journal Name:
- MIS quarterly
- Volume:
- 44
- Issue:
- 2
- ISSN:
- 2162-9730
- Page Range / eLocation ID:
- 699-723
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Covid-19 outbreak represents an exceptional test of the flexibility and the efficiency of patient medical records transfer among healthcare providers which ended up in boundless interruption to the healthcare industry. This public crisis has pushed for an urgent innovation of the patient medical records transference (PMRT) system to meet the needs and provide appropriate patient care. Moreover, the drawback effects of Covid-19 changed the healthcare system forever, more patients are requesting more control, secure, and smoother experience when they want access to their health records. However, the problems stem from the lack of interoperability among the healthcare system and providers and the added burden of cyber-attacks on an already stressed system call for an immediate solution. In this work, we present a secured blockchain framework that ensures patients full ownership over their medical data which can be stored in their private IPFS and later can be shared with an authorized provider. The analysis of the proposed security and privacy aspects shows promising results in providing time savings and resulted in enhanced confidentiality and less disruption in patient-provider interactions.more » « less
-
The healthcare sector is constantly improving patient health record systems. However, these systems face a significant challenge when confronted with patient health record (PHR) data due to its sensitivity. In addition, patient’s data is stored and spread generally across various healthcare facilities and among providers. This arrangement of distributed data becomes problematic whenever patients want to access their health records and then share them with their care provider, which yields a lack of interoperability among various healthcare systems. Moreover, most patient health record systems adopt a centralized management structure and deploy PHRs to the cloud, which raises privacy concerns when sharing patient information over a network. Therefore, it is vital to design a framework that considers patient privacy and data security when sharing sensitive information with healthcare facilities and providers. This paper proposes a blockchain framework for secured patient health records sharing that allows patients to have full access and control over their health records. With this novel approach, our framework applies the Ethereum blockchain smart contracts, the Inter-Planetary File System (IPFS) as an off-chain storage system, and the NuCypher protocol, which functions as key management and blockchain-based proxy re-encryption to create a secured on-demand patient health records sharing system effectively. Results show that the proposed framework is more secure than other schemes, and the PHRs will not be accessible to unauthorized providers or users. In addition, all encrypted data will only be accessible to and readable by verified entities set by the patient.more » « less
-
more » « less
Abstract Objective Online patient portals become important during disruptions to in-person health care, like when cases of coronavirus disease 2019 (COVID-19) and other respiratory viruses rise, yet underlying structural inequalities associated with race, socio-economic status, and other socio-demographic characteristics may affect their use. We analyzed a population-based survey to identify disparities within the United States in access to online portals during the early period of COVID-19 in 2020.
Materials and Methods The National Cancer Institute fielded the 2020 Health and Information National Trends Survey from February to June 2020. We conducted multivariable analysis to identify socio-demographic characteristics of US patients who were offered and accessed online portals, and reasons for nonuse.
Results Less than half of insured adult patients reported accessing an online portal in the prior 12 months, and this was less common among patients who are male, are Hispanic, have less than a college degree, have Medicaid insurance, have no regular provider, or have no internet. Reasons for nonuse include: wanting to speak directly to a provider, not having an online record, concerns about privacy, and discomfort with technology.
Discussion Despite the rapid expansion of digital health technologies due to COVID-19, we found persistent socio-demographic disparities in access to patient portals. Ensuring that digital health tools are secure, private, and trustworthy would address some patient concerns that are barriers to portal access.
Conclusion Expanding the use of online portals requires explicitly addressing fundamental inequities to prevent exacerbating existing disparities, particularly during surges in cases of COVID-19 and other respiratory viruses that tax health care resources.
-
Patient-generated health data (PGHD), created and captured from patients via wearable devices and mobile apps, are proliferating outside of clinical settings. Examples include sleep tracking, fitness trackers, continuous glucose monitors, and RFID-enabled implants, with many additional biometric or health surveillance applications in development or envisioned. These data are included in growing stockpiles of personal health data being mined for insight via big data analytics and artificial intelligence/deep learning technologies. Governing these data resources to facilitate patient care and health research while preserving individual privacy and autonomy will be challenging, as PGHD are the least regulated domains of digitalized personal health data (U.S. Department of Health and Human Services, 2018). When patients themselves collect digitalized PGHD using “apps” provided by technology firms, these data fall outside of conventional health data regulation, such as HIPAA. Instead, PGHD are maintained primarily on the information technology infrastructure of vendors, and data are governed under the IT firm’s own privacy policies and within the firm’s intellectual property rights. Dominant narratives position these highly personal data as valuable resources to transform healthcare, stimulate innovation in medical research, and engage individuals in their health and healthcare. However, ensuring privacy, security, and equity of benefits from PGHD will be challenging. PGHD can be aggregated and, despite putative “deidentification,” be linked with other health, economic, and social data for predictive analytics. As large tech companies enter the healthcare sector (e.g., Google Health is partnering with Ascension Health to analyze the PHI of millions of people across 21 U.S. states), the lack of harmonization between regulatory regimes may render existing safeguards to preserve patient privacy and control over their PHI ineffective. While healthcare providers are bound to adhere to health privacy laws, Big Tech comes under more relaxed regulatory regimes that will facilitate monetizing PGHD. We explore three existing data protection regimes relevant to PGHD in the United States that are currently in tension with one another: federal and state health-sector laws, data use and reuse for research and innovation, and industry self-regulation by large tech companies We then identify three types of structures (organizational, regulatory, technological/algorithmic), which synergistically could help enact needed regulatory oversight while limiting the friction and economic costs of regulation. This analysis provides a starting point for further discussions and negotiations among stakeholders and regulators to do so.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Journal Article:
- https://doi.org/10.25300/MISQ/2020/14180
