Healthcare Security on Clinicians-Exchange


Internet security and healthcare security topics.

NO CASE CONSULTATIONS! PUBLIC FORUM! NO CONFIDENTIAL DETAILS ON CLIENTS ALLOWED!

This is NOT the place to ask for therapeutic help for yourself or a loved one. Nothing written in this community shall be construed to constitute the formation of a professional relationship between therapist and client.


1
3
Doxy.me Privacy Considerations (lem.clinicians-exchange.org)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
 
 

Here is a posting or two from April 2022 when I took a look at Doxy.me privacy policies in force at that time. I am of course not a lawyer and could misunderstand something. Maybe.

As you read this, please keep in mind: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html

This HHS and OCR guidance includes several sorts of 3rd party tracking technologies possibly in use by Doxy.

........................

To be crystal clear -- I am NOT accusing Doxy of breaking HIPAA or other laws, sharing PHI, or sharing video content. I am "accusing" them of doing exactly what they allow themselves to do in their "privacy" policy -- communicate "de-identified and anonymized" data to 3rd parties having little to nothing to do with the operation of the service. The huge problem is that "de-identified and anonymized" data can be easily reattached to client names by any data broker worth their salt with a big enough database.

-- Michael

On Thu, Apr 14, 2022 at 12:54 AM Michael wrote:

https://doxy.me/en/privacy-policy/

Picture me having an angry laugh (at Doxy, not you) as I read this "privacy" policy. It's ridiculous.

In summary: They give themselves permission to do quite a lot, and by using their product, you are consenting to it. They say they are "anonymizing" everything -- but what good is that if the data can be used to easily reconstruct client identity? They don't say they are sending along tracking cookie data to 3rd parties, but they give themselves permission to do it.

A few choice pointers:

"This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information—when You use the Doxy.me Service or visit this web site"

Your permission is granted...

............................

"Usage Data is collected automatically... Usage Data may include information such as Your Device’s Internet Protocol address, browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers, and other diagnostic data. However, this Usage Data is de-identified and anonymized and not linked to a particular data. As such, it is not considered personal information; it is incidental to providing the Service."

Several Internet security sources point out (sorry -- I don't have a reference immediately available) that when data brokers accumulate several data points on you (such as browser type, IP address, "other diagnostic data"), it can act as a unique fingerprint to figure out who you are. Keep in mind that data brokers track across several websites across time. This is exactly the sort of information that cookies are commonly used to store and pass along.

Internet Protocol address -- If a user happens to have a static IP address, this is a unique identifier of the user. If it's not static, it still serves to pinpoint the general geographic area the person is in (unless a VPN is used) and can be combined with other data to identify the person.

Unique device identifiers -- Each device (laptop, smart phone, etc.) has a unique serial code that identifies it. If this information is being passed along to 3rd parties, it's a unique fingerprint of the person.

Let's take an easy fictional example -- let's say a client creates a Google account. In the process of creating the Google account, the client enters their name. Let's say Google also captures their unique device identifier at that time. Now then, if the unique device identifier is passed along to Google whenever that person visits a website (say doxy.me for example), Google knows the name of the person visiting the website because it's already in Google's database.

"de-identified and anonymized" data -- Sure. Internet Protocol address, browser type, browser version, unique device identifiers, and other diagnostic data do not have the client's name attached -- or any other PHI data. But so what -- the data broker already has a database to readily reattach the client's name when/if this information is provided.

.............................

"We may also collect information that Your browser sends whenever You visit this Website "

Well, I don't know -- does this mean they can capture anything else your web browser is sending out at the time you are connected to their website?

.........................

Cookies: "Any use of Cookies – or of other tracking tools – by Us or by the owners of third-party services used by Us serves the purpose of providing the Service as requested by You."

Hmmm... Slippery. We are requesting/consenting to anything they do as defined earlier in the document.

From: https://doxy.me/en/cookie-policy/ "Please be aware that some Cookies are required to use the Doxy.me Service; some are useful but not mandatory to measure and improve performance; and some are used for advertising or marketing activities that customize information based on your interests."

So -- yes -- they ARE using cookies to advertise and market to our clients.

.............................

They do at least promise not to pass along PHI or name information.

They may or may not be passing along the above information to 3rd parties, but my September 2021 investigation showed that their servers WERE contacting 3rd parties (some known to be data brokers / ad networks). SOMETHING was passed along.

-- Michael

On 4/13/2022 5:24 PM, NAME REDACTED__ wrote:

Based on Michael's recent post, I contacted the legal office at doxy.me to ask whether doxy.me does the following:

"Doxy.me reports out cross-site tracking cookies to at least 10+ different services including Google, YouTube, Facebook, LinkedIn, and Hotbot."

The legal department directed me to their policies here:

https://doxy.me/en/privacy-policy/

Please look at this page, especially the sections labeled "If You are a Provider" and "If You are a Patient."

I could not find anything to indicate that doxy.me shares cookies or any other information with anyone.

If anyone can find specific information to the contrary in doxy.me's policies, please share.

Thank you-- NAME REDACTED

#psychology #neurology #socialwork #psychiatry @[email protected] @[email protected] @[email protected] #mentalhealth #psychotherapists @[email protected] #cookies #tracking #hacking #3rdpartytrackers #HIPAA #privacy #dataprivacy #webbeacons #telehealth #video #doxy #healthcare
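
The fingerprinting concern raised in the post above can be measured. As an added example (not part of the original post, and not Doxy.me's data or code), this Python code counts how many rows of constructed "usage data" share the same combination of the fields the quoted policy lists, then applies generalization and suppression until every remaining row shares its combination with at least one other row. All records, field names and function names are assumptions made for the illustration.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed sample rows using the field types the quoted policy lists.
# Every value is invented; the IP addresses come from documentation ranges.
USAGE = [
    {"ip": "203.0.113.10",   "browser": "Firefox", "version": "112.0.1",    "device_id": "dev-01"},
    {"ip": "203.0.113.10",   "browser": "Firefox", "version": "112.0.1",    "device_id": "dev-02"},
    {"ip": "203.0.113.77",   "browser": "Firefox", "version": "112.0.2",    "device_id": "dev-03"},
    {"ip": "203.0.113.140",  "browser": "Chrome",  "version": "113.0.5672", "device_id": "dev-04"},
    {"ip": "198.51.100.5",   "browser": "Chrome",  "version": "113.0.5672", "device_id": "dev-05"},
    {"ip": "198.51.100.6",   "browser": "Chrome",  "version": "113.0.5735", "device_id": "dev-06"},
    {"ip": "198.51.100.200", "browser": "Safari",  "version": "16.4",       "device_id": "dev-07"},
    {"ip": "198.51.100.201", "browser": "Safari",  "version": "16.4",       "device_id": "dev-08"},
]

# Fields that carry no name but can still single a person out in combination.
QUASI = ["ip", "browser", "version"]


def anonymity_sets(rows, fields):
    """Group rows by the chosen fields; a group's size is the k of its rows."""
    return Counter(tuple(r[f] for f in fields) for r in rows)


def report(rows, fields):
    """Summarise how well the chosen fields hide individual rows."""
    sets = anonymity_sets(rows, fields)
    return {
        "groups": len(sets),
        "k_min": min(sets.values()),
        "unique_rows": sum(1 for n in sets.values() if n == 1),
    }


def generalize(row):
    """Coarsen a row: /24 network instead of the full IP, major browser
    version only, and the device identifier dropped entirely."""
    network = ip_network(row["ip"] + "/24", strict=False)
    return {
        "ip": str(network),
        "browser": row["browser"],
        "version": row["version"].split(".")[0],
    }


def suppress(rows, fields, k):
    """Drop rows whose field combination is shared by fewer than k rows."""
    sets = anonymity_sets(rows, fields)
    return [r for r in rows if sets[tuple(r[f] for f in fields)] >= k]


if __name__ == "__main__":
    print("browser only      ", report(USAGE, ["browser"]))
    print("browser + version ", report(USAGE, ["browser", "version"]))
    print("ip+browser+version", report(USAGE, QUASI))
    print("with device id    ", report(USAGE, QUASI + ["device_id"]))

    coarse = [generalize(r) for r in USAGE]
    print("generalized       ", report(coarse, QUASI))
    print("after suppression ", report(suppress(coarse, QUASI, 2), QUASI))
```

A row with k = 1 is unique on those fields alone, so anyone holding the same fields next to a name can match it; removing the name column does nothing about that.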

2
 
 

Yeah... If it's going to be worth using it would have to listen to the whole visit given my own testing with typed prompts after a fake visit... But this needs more thought.

--Michael

+++++++++++++++++++++++++++

"Amazon Web Services announced Wednesday a new AI-powered service for healthcare software providers that will help clinicians with paperwork."

"AWS HealthScribe uses generative AI and speech recognition to help doctors transcribe and analyze their conversations with patients and drafts clinical notes, the company announced Wednesday at its AWS Summit New York."

https://www.fiercehealthcare.com/ai-and-machine-learning/aws-rolls-out-generative-ai-service-healthcare-documentation-software

3
 
 

A therapist on another list asked if anyone had experience with hipaalink.net televideo service.

This looks like a promising small company with some neat features at only $9.95 per month. See below first however. I really don't like that Facebook Connect is being contacted from the client's browser when they login!

I spent a lot of time fighting to sign-up (had to change my settings to see their Captcha challenges). More of a problem -- there was a very basic malfunction in the password selection process. Some "special characters" (you have to have one in the password) would not work (+ and #). I eventually got "-" to work. I got an almost immediate call-back when I sent a message about trouble picking a password (bug in our system, thank you for finding it, our programmers are fixing "special characters" this evening).

Did eventually set up a 30-day free trial. So I can run further tests later if I want to.

I noticed that https://hipaalink.net/ works, but https://www.hipaalink.net/ does not -- another simple thing for their programming team to fix. (Older people are very used to "www" in front of everything, so this redirect should function.)

I kinda feel like I ought to be charging for debugging services.

I have not actually tried out video sessions yet. I've just run Privacy Badger and Ghostery browser plug-ins in both Opera and Firefox. Results:

CLIENT LOGIN PAGE:

Privacy Badger:
www.googletagmanager.com -- cookies blocked
fonts.gstatic.com -- cookies blocked

Ghostery:
Facebook Connect -- BLOCKED!
Google Tag Manager -- allowed

CLIENT IN-SESSION:

Privacy Badger:
www.googletagmanager.com -- cookies blocked
fonts.gstatic.com -- cookies blocked

Ghostery:
Facebook Connect -- BLOCKED!
Google Tag Manager -- allowed

++++++++++++++++++++++++++++++++++++++++++++++++++

THERAPIST LOGIN PAGE:

Privacy Badger:
www.googletagmanager.com -- cookies blocked
fonts.gstatic.co -- cookies blocked

Ghostery:
Google Analytics -- "tracking not detected" it says
Google Tag Manager -- allowed
Google APIs -- allowed
Google Static -- allowed

THERAPIST IN-SESSION: (The same)

Privacy Badger:
www.googletagmanager.com -- cookies blocked
fonts.gstatic.co -- cookies blocked

Ghostery:
Google Analytics -- "tracking not detected" it says
Google Tag Manager -- allowed
Google APIs -- allowed
Google Static -- allowed

++++++++++++++++++++++++++++++++++++++++++++++++

Some cookies and tracking are necessary to the functioning of a website. Privacy Badger and Ghostery are both detecting some of this from Google libraries which they choose to allow. I don't have enough security engineering knowledge to know if these are harmless or not. I do know they are very common on most websites. Yet -- Privacy Badger says they are blocking some cookies...

Facebook should not be contacted on the client side! I don't know what Ghostery is blocking from being sent to Facebook, but this should not be on a HIPAA site. The connection between therapist and client seemed at first glance to work fine with Facebook blocked. I will discuss this with Hipaalink.net before I test it with actual clients. For now I give them the benefit of the doubt. I am told by a computer engineer that Facebook supplies some code libraries (like Google) which websites can use -- maybe this is not intentional tracking, just their developers needing to fix this?

There is more tracking taking place on the home page and more public sections of the website than inside the login and televideo areas. So some effort to decrease tracking has been made. I see different trackers on the public areas of the website today than I did when I first checked on 7/24/23.

It's a maybe... But at $9.95 per month hipaalink.net could be a nice option if they clean up minor tracking concerns. Again, I have not tested the video yet.

#psychology #neurology #socialwork #psychiatry @[email protected] @[email protected] @[email protected] #mentalhealth #psychotherapists @[email protected] #cookies #tracking #hacking #3rdpartytrackers #HIPAA #privacy #dataprivacy #webbeacons #telehealth #video #doxy #healthcare #dataprotection #hipaalink #hipaalinknet

4
 
 

The Federal Trade Commission (FTC) and Department of Health and Human Services (HHS) sent a joint letter to about 130 hospital systems and telehealth providers Thursday, warning of security risks posed by tracking technologies such as the Meta/Facebook Pixel and Google Analytics...

https://therecord.media/apps-website-tracking-healthcare-ftc-hhs-warning

5
 
 

https://healthitsecurity.com/news/security-flaws-found-in-software-development-kit-used-for-telemedicine-services

July 12, 2023 by Jill McKeon Claroty’s Team82 and Check Point Research (CPR) discovered critical vulnerabilities in the QuickBlox software development kit (SDK) and application programming interface (API), a framework that...

6
 
 

https://healthitsecurity.com/news/medcrypt-kansas-state-university-launch-medical-device-security-research-project

July 12, 2023 by Jill McKeon MedCrypt, a cybersecurity solution provider for medical device manufacturers, announced a partnership with Kansas State University (KSU) to drive medical device security research. MedCrypt provided a...

7
 
 

https://healthitsecurity.com/news/examining-the-health-data-privacy-hipaa-compliance-risks-of-ai-chatbots

July 13, 2023 by Jill McKeon AI chatbots, such as Google’s Bard and OpenAI’s ChatGPT, have sparked continuous conversation and controversy since they became available to the public. In the healthcare arena, patients...

8
 
 

https://healthitsecurity.com/news/veterans-affairs-oig-finds-cybersecurity-deficiencies-at-az-health-system

July 14, 2023 by Jill McKeon The US Department of Veterans Affairs (VA) Office of Inspector General (OIG) inspected the information security program at the Northern Arizona VA Healthcare System and discovered significant security...

9
 
 

https://healthitsecurity.com/news/imagine360-suffers-third-party-data-breach-112k-impacted

July 18, 2023 by Sarai Rodriguez Imagine360, a Pennsylvania-based provider of self-funded health plan solutions, alerted over 112,000 individuals about a third-party data breach from January 2023, which occurred on its Citrix...

10
 
 

https://healthitsecurity.com/news/lawmakers-ask-hhs-to-expand-proposed-hipaa-rule-require-warrant-for-phi

July 19, 2023 by Jill McKeon Spearheaded by United States Senators Ron Wyden (D-OR) and Patty Murray (D-WA), and US Representative Sara Jacobs (D-CA), lawmakers sent a letter to HHS Secretary Xavier Becerra urging the...

11
 
 

https://healthitsecurity.com/news/airansomware-remain-prevalent-in-evolving-cybersecurity-landscape

July 20, 2023 by Sarai Rodriguez Healthcare organizations face an uptick in cyber threats, as malicious actors turn to tools like ransomware, artificial intelligence (AI), and Internet of Things (IoT) attacks. These threats are...

12
 
 

https://healthitsecurity.com/news/hhs-ftc-warn-hospitals-and-telehealth-providers-about-third-party-tracking-tech

July 20, 2023 by Jill McKeon The HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a joint letter to 130 hospitals and telehealth providers to emphasize the security and privacy risks of third-party...

13
 
 

(Very slightly sensitive content below mentioned by name but not described in any detail.)

As some may be aware, I’ve been playing with AI lately to see if there is a useful and ethical way to use it in the creation of psychotherapy progress notes. (See series of toots at https://mastodon.clinicians-exchange.org/@admin/110171203899758952 )

I have once again been caught in an insidious YouTube algorithm. The kind where a YouTube channel has one or two videos that you want to see, then a bunch of videos you have NO interest in seeing. This gets especially fun when you share your wife’s YouTube Premium account, and so she gets to see your suggested playlist.

[ Previous Example: "YouTube Pseudo-Psychology, Algorithm Traps, and How I Got Set-Up to Look Like I Cheat" -- https://mastodon.clinicians-exchange.org/@admin/109705551829241507 ]

Here’s how it goes this time:

STEP #1: Watch a video on how to download the #Vicuna AI to your desktop instead of running it in the cloud. (Why? Privacy of medical data if I choose to ever use this for real. )

STEP #2: Watch a video from the same channel on how to download an AI with all guards and filters unlocked. (Why? Because psychotherapy notes occasionally deal in tough topics like suicide and cutting/self-mutilation behaviors that might be deemed too sensitive in censored AI versions. Maybe. Have not tried it yet.)

STEP #3: Have the bad luck to have stumbled upon a channel where the video creator has an obsession with dirty sexy text chat with AI personas. Video after video on how to create sexy AI personas who will fulfill your wildest keyboard-typed fantasies. I don’t think I’m oversharing when I state that any fetishes or fantasies I might have do not include this. To each his own and it's all cool – but now I have explaining to do…

STEP #4: Explain all the above to my (happily amused) wife as she sees the fetish AI suggestion videos appearing in our YouTube feed for days.

14
1
AutoNotes.ai Progress Notes Tool Review (lem.clinicians-exchange.org)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
 
 

(This was written in early May 2023 – may have improved since then?)

This is for a new product called AutoNotes.ai that will create progress notes for you for about $14+ per month.

I am tentatively interested in this and signed up for a free trial.

I have concerns (below) but am hopeful this continues to improve.

The system has no BAA agreement for HIPAA because they claim not to collect any PHI.  This may be true. 

Their terms of service and privacy policy may be amended at any time and the only notification provided will be on their website.  I am wary of this now that I have been burned by such stealth changes by one of my own BAA subcontractors.

Information for each client will have to be entered from scratch each time as they do not store data about clients.  For the free demo, it takes about 60 seconds to generate each note.  You then cut and paste it into your EHR.

While they claim to collect no PHI, they do send SOME data of SOME sort to several tracking systems and data aggregators.  At best, they are tracking YOU -- the clinician.  At worst -- they may be sending some of the data you enter to data aggregators which -- hopefully -- do not have data from other sources to be able to pin down the individual clients you are describing.

DATA IS SENT TO THE FOLLOWING OUTSIDE TRACKING COMPANIES ON BOTH THEIR DATA INPUT PAGE & THE GENERATED NOTE PAGE:

**PRIVACY BADGER BLOCKED:**
connect.facebook.net
www.googletagmanager.com
s.gravatar.com
snap.licdn.com
i0.wp.com

**GHOSTERY BLOCKED:**
Google Tag Manager
LinkedIn Analytics
Facebook Connect
Gravatar

The following is an example of the note generated for a fake client with Acute Stress Disorder:

%GREEN = IN WHAT I REPORTED%
&RED = INVENTED BY AI, NOT REPORTED BY CLINICIAN&
BLACK = I HAVE NO STRONG OPINION

Subjective:
Client &reported increased levels of stress, particularly in the& %workplace. Described experiencing anxious mood and labile mood, but was able to demonstrate appropriate behavior and normal speech throughout the session. Client was self-reflective% and &engaged& %during the 45-minute video session%, %which allowed for a comprehensive exploration of the current challenges they face&. The client recognized the need to address these issues in order to improve their overall well-being.

Objective:
During the session, several areas were discussed. &Client was open and honest& about %feeling overwhelmed and stressed at work, further precipitating their anxiety. They were able to identify specific work situations that were particularly difficult for them to navigate. It was noted that the client was able to maintain self-reflective behavior during discussions,% which will be beneficial for making progress in therapy.

Assessment:
%The client is showing signs of progress in therapy, taking active steps to address and work through their challenges with stress and anxiety.% Their willingness to participate and self-reflect in session indicates a strong commitment to achieving their therapeutic goals. %Current therapeutic interventions, which are directed at helping the client build skills and coping strategies, are having a positive impact on the client's progress.%

Plan:
%In order to lower workplace stress and continue advancing in therapy, the client agreed to set specific objectives for themselves. They plan on talking to their manager about ways to manage their workload or address any outstanding concerns. Additionally, they will begin practicing meditation four times a week during their lunch breaks, as a means of managing stress and promoting relaxation.% &Continued exploration of these& and other stress reduction &strategies will be a focus in future sessions.&

Hmmm...  My take-away is that this needs more work (that's fine); I want to know why they have to report to LinkedIn, Facebook, Gravatar, and WordPress while I'm logged in and what they report; and the system IS inventing minor elements that I did not tell it to add.  For example, while I reported the client was overwhelmed and stressed, I did not say the client was open and honest about it.  I told the system the client was "progressing", but never said that increased levels of stress were reported in this session.

It occurred to me this morning that by the time I fill out the form and write two or three sentences, I've already done all the work that is needed for an official note (after adding start and end times, diagnosis, name, client age, and a few other elements to the form).  There is no need to convert it all to narrative -- it can stay in form factor mostly.

So -- while I want an AI I can trust to help with notes (and this one may grow into such) -- right now the effort of getting it to create a note is about exactly equal to the effort of just writing it myself anyway.

-- Michael
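
Privacy Badger and Ghostery, as used in this review and in the hipaalink.net test earlier, show which third parties a page contacts but not what each request carried. As an added example (not part of the original posts and not either vendor's code), this Python code reads a browser HAR export and reports, per third-party host, whether cookies, a Referer containing the page path, or a request body were sent. The site name notes.example, the request paths and all header values are constructed, and comparing the last two labels of a hostname is a simplification of a real public-suffix lookup.

```python
import json
from urllib.parse import urlsplit

FIRST_PARTY = "notes.example"  # placeholder for the site being reviewed


def _entry(method, url, referer=None, cookie=None, body=None):
    """Build one HAR 'entries' item holding only the fields audit() reads."""
    headers = []
    if referer:
        headers.append({"name": "Referer", "value": referer})
    if cookie:
        headers.append({"name": "Cookie", "value": cookie})
    request = {"method": method, "url": url, "headers": headers, "cookies": []}
    if body is not None:
        request["postData"] = {"mimeType": "application/x-www-form-urlencoded",
                               "text": body}
    return {"request": request}


# Constructed capture. The hostnames are the ones listed in the reviews above;
# every path, cookie and body value is invented for the illustration.
PAGE = "https://app.notes.example/note/new"
SAMPLE_HAR = {"log": {"entries": [
    _entry("GET", PAGE),
    _entry("GET", "https://www.googletagmanager.com/constructed.js", referer=PAGE),
    _entry("GET", "https://connect.facebook.net/constructed.js",
           referer=PAGE, cookie="id=constructed"),
    _entry("POST", "https://snap.licdn.com/constructed",
           referer="https://app.notes.example/", body="page=constructed"),
    _entry("GET", "https://s.gravatar.com/constructed.js"),
    _entry("GET", "https://i0.wp.com/constructed.png",
           referer="https://app.notes.example/"),
]}}


def load_har(path):
    """Read a HAR file saved from the browser's network panel."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


def site(host):
    """Simplified registrable domain: the last two labels of the hostname."""
    return ".".join(host.lower().split(".")[-2:])


def audit(har, first_party):
    """Return {third_party_host: what was observed being sent to it}."""
    findings = {}
    for entry in har["log"]["entries"]:
        request = entry["request"]
        host = urlsplit(request["url"]).hostname or ""
        if site(host) == site(first_party):
            continue  # same site, not a third party
        headers = {h["name"].lower(): h["value"]
                   for h in request.get("headers", [])}
        found = findings.setdefault(host, {
            "requests": 0, "cookies_sent": False,
            "referer_leaks_path": False, "has_body": False})
        found["requests"] += 1
        if request.get("cookies") or "cookie" in headers:
            found["cookies_sent"] = True
        referer = urlsplit(headers.get("referer", ""))
        # A Referer with a path tells the third party which page was open.
        if (site(referer.hostname or "") == site(first_party)
                and referer.path not in ("", "/")):
            found["referer_leaks_path"] = True
        if request.get("postData", {}).get("text"):
            found["has_body"] = True
    return findings


def flagged(findings):
    """Hosts that received more than a bare request."""
    return sorted(host for host, f in findings.items()
                  if f["cookies_sent"] or f["referer_leaks_path"] or f["has_body"])


if __name__ == "__main__":
    results = audit(SAMPLE_HAR, FIRST_PARTY)
    for host in sorted(results):
        print(host, results[host])
    print("needs a vendor answer:", flagged(results))
```

To run it on a real capture, save the network log as a HAR file with tracker blockers disabled in a test profile using fake data, then pass `load_har(path)` to `audit`.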
15
 
 

A few days ago I sent out an email on possible criteria for using AI to help write progress notes. To my way of thinking it boils down to three criteria:

  1. Security: Sending client data to an AI in the cloud is obviously not okay. Questionable even with a BAA agreement (or too expensive like Mentalyc – the first service I have seen for this purpose). It could work if the AI is downloaded to your computer and does not communicate with the Internet on its own.
  2. Creativity: AIs tend to add their own information beyond what you specify to whatever they write. This does not work in a progress note.
  3. Worth It: The effort of providing the AI with the information to write a progress note needs to be less than the effort of just writing it yourself.

So… I’ve been experimenting…

Obviously – I’m using fake client data. Vicuna is an AI that can be downloaded to your own laptop to run. I’m testing it online to see if that is worth doing.

Also – I’m not trying to write great progress notes right now – I’m just testing to see if a) the AI (Vicuna) is capable of not adding creative elements to what I want it to write, and b) can write a note without me spending more effort on it than just writing it myself.

ROUND #1: Trying to get Vicuna to understand not to create fake items in the progress note.

PROMPT 1: Please write a paragraph with the following facts. Do not add additional facts or get creative. Marie is 32 years old. Has depression. Has anxiety. We practiced breathing exercises, CBT, and guided visualization.

VICUNA 1: Marie is a 32-year-old woman who has been struggling with depression and anxiety. As part of her treatment, we have been practicing various techniques, including breathing exercises, cognitive-behavioral therapy (CBT), and guided visualization. These techniques have helped Marie to better manage her symptoms and improve her overall well-being. By learning how to breathe more effectively and calm herself down when she feels anxious, Marie has been able to reduce her reliance on medication and feel more in control of her emotions. Through CBT, Marie has been able to identify negative thought patterns and challenge them, leading to a more balanced outlook on life. And through guided visualization, Marie has been able to visualize positive outcomes and increase her motivation and hope for the future. These techniques have played an important role in Marie's recovery and will continue to be useful tools for her as she continues her journey towards wellness.

PROMPT 2: Stick to only information provided in the prompt and try again please.

VICUNA 2: Marie is a 32-year-old woman who has depression and anxiety. We have been practicing breathing exercises, CBT, and guided visualization with her. These techniques have helped her manage her symptoms and improve her well-being. By practicing breathing exercises, Marie has been able to reduce her reliance on medication and feel more in control of her emotions. Through CBT, Marie has been able to identify negative thought patterns and challenge them, leading to a more balanced outlook on life. And through guided visualization, Marie has been able to visualize positive outcomes and increase her motivation and hope for the future. These techniques have played an important role in Marie's recovery.

PROMPT 3: Marie is not on medication and her symptoms remain stable. Please try again thanks.

VICUNA 3: Marie is a 32-year-old woman who has depression and anxiety. We have been practicing breathing exercises, CBT, and guided visualization with her to help manage her symptoms and improve her well-being. These techniques have helped Marie to better control her anxiety and depression symptoms without the need for medication. By practicing breathing exercises, Marie has been able to calm herself down when she feels anxious and reduce her stress levels. Through CBT, Marie has been able to identify negative thought patterns and challenge them, leading to a more balanced outlook on life. And through guided visualization, Marie has been able to visualize positive outcomes and increase her motivation and hope for the future. These techniques have played a significant role in Marie's recovery and will continue to be useful tools for her as she maintains her well-being.

PROMPT 4: Marie has not yet experienced improvement. Please try again thanks.

VICUNA 4: Marie is a 32-year-old woman who has been struggling with depression and anxiety. We have been practicing breathing exercises, CBT, and guided visualization with her in an effort to help manage her symptoms and improve her well-being. While these techniques have potential benefits for many people, unfortunately, Marie has not yet experienced any improvement. Despite our best efforts, we have not been able to help her reduce her symptoms or improve her overall well-being. We will continue to work with Marie and explore other treatment options to help her manage her symptoms and move towards recovery.

So, yeah, not working so far at all... [I do get it to work further down in the note.]

ROUND #2: Getting Vicuna to just rearrange what I write.

While the main point of psychotherapy is for the client to get BETTER, sometimes they don't for awhile. Some clients with severe conditions need ongoing supportive therapy to simply maintain their highest level of functioning without backsliding.

When this happens, the clinician has to find new ways to write the same thing again, and again, and again...

Why? Because insurance auditors frown on cutting and pasting the same exact old text into multiple notes.

In this unfortunate situation, Vicuna actually does fairly well in this sample:

PROMPT: Please reword the following paragraph changing some words and sentence order, but using the exact same information facts and adding nothing: Pete is a 45 year old electrician reporting continuing depression. Symptoms remain unchanged from last session. Today we discussed his workplace frustrations at length. He continues to blame workplace stressors for his mood and problems with his family.

VICUNA: Pete, who is 45 years old and a electrician, reported continued symptoms of depression during his previous session. The symptoms have remained unchanged since the last time he visited. During this session, Pete and his therapist discussed in detail his workplace frustrations. Despite this, Pete continues to attribute his mood and problems with his family to workplace stressors.

Success!

ROUND #3: Retrying Round #1 (Trying to get Vicuna to understand not to create fake items in the progress note.)

Okay -- so now I may have the right wording to keep Vicuna from adding elements to the note! To make this worth it, I would need to be able to shorten/bullet-point my prompt. Maybe have the AI take data from a point and click tablet form I fill out.

Why not just use the point and click form? Some auditors require written text -- not just checkbox forms. Also -- this may just be best practice for notes to capture more of value.

Note how random the right "magic formula" is for getting an AI to understand. In Round #1 I clearly told Vicuna not to invent information not given to it (no luck). Below, I have stumbled upon the right word combination:

PROMPT 1: Please reword the following changing some words and order, but using the exact same information facts and adding nothing: Tom is 34 years old, a plumber, reports continuing depression, symptoms remain unchanged, we discussed his workplace frustrations, he blames workplace stressors for his mood and problems with his family.

VICUNA 1: Tom, a 34-year-old plumber, reported ongoing symptoms of depression during his latest session. The symptoms have remained unchanged since his last session. During the session, Tom and his therapist discussed his workplace frustrations in detail. Tom continues to attribute his mood and family problems to workplace stressors.

STARTING OVER TO SEE IF I CAN JUST LIST ELEMENTS WITHOUT WRITING MUCH:

PROMPT 2: Please reword the following changing some words and order, but using the exact same information facts and adding nothing: Tom, 34 years old, plumber, continuing depression, symptoms unchanged, discussed his workplace frustrations, he blames workplace stressors for mood and family problems.

[Note how I just listed data with commas between after the initial sentence.]

VICUNA 2: Tom, who is 34 years old and works as a plumber, has been experiencing ongoing depression with unchanged symptoms. He discussed his workplace frustrations, citing workplace stressors as the cause of his mood and family problems.

MOSTLY SUCCESSFUL!!

So now I have the AI not inventing garbage to add to the progress note. Would need to run this AI from a laptop computer making sure it sends nothing back out to Internet for medical data security HIPAA reasons. This might be useful for notes that are 100% written, and for point and click forms with a bit of text added.

It would be better if the AI could take information from a point and click form. It does seem to take 90% of the effort of just writing the note myself!

This was a quick demo, so I was not trying to write a beautiful note -- just test if the darn thing could write sentences from lists and NOT invent information not provided.

16
 
 

Signing away most all of your medical privacy rights in order to become a customer is way uncool and unacceptable:

https://wapo.st/3p1uTJG

To become an Amazon Clinic patient, first you sign away some privacy
You agreed to what? The ‘HIPAA authorization’ for Amazon’s new low-cost clinic offers the tech giant more control over your health data.

-- 
Michael Reeder, LCPC
Hygeia Counseling Services : Baltimore / Mt. Washington Village location

 #psychology #neurology #socialwork #psychiatry @[email protected] @[email protected] @[email protected] #mentalhealth #psychotherapists @[email protected] #pharmacy #medicationchecker #drugs #druginteractions #cookies #tracking #hacking #3rdpartytrackers #HIPAA #privacy #dataprivacy #webbeacons 
17
 
 

A therapist colleague of mine contacted Ring Central (a video and telephone platform that provides HIPAA BAA subcontractor paperwork upon request) with questions about their messaging capabilities and encryption. They were looking for a compliant way to text message with clients. The support staff directed them to this article:

https://support.ringcentral.com/article-v2/Intro-to-end-to-end-encryption-in-RingCentral-messaging.html?brand=RingCentral&product=MVP&language=en_US

At first glance, the article would seem to make messaging with clients golden as a good level of encryption is described and the therapist has a HIPAA BAA with Ring Central. Right?

Wrong.

A few different topics are getting confused here -- smart phone SMS text messaging, messaging within Ring Central apps and websites, and HIPAA BAA subcontractor agreements.

With SMS text messaging by phone it will never be HIPAA compliant (even if the therapist sends it from within Ring Central) because the client will get the SMS text message unencrypted on their smartphone.

Messaging within the Ring Central apps and website IS at an excellent level of encryption -- but won't be covered by the therapist's HIPAA BAA agreement unless the people messaged are also part of the therapist's company account or are other therapists with their own Ring Central accounts with HIPAA BAA subcontractor agreements. This will rarely if ever cover therapy clients.

This gets confusing. So -- for example -- when I go into my Ring Central account online and click on "Message" I'm invited to email a messaging link to anyone I choose. So far so good. But when that person (like a client for example) goes to that messaging link, Ring Central REQUIRES them to sign up for their own FREE Ring Central account. That FREE account WILL NOT be covered by a HIPAA BAA agreement. So the messages sent to them (inside a Ring Central app or website) will be encrypted but not HIPAA compliant.

Similar problem with Ring Central video conferencing. As long as the client DOES NOT sign in with their own free account -- and instead goes to my anonymous video link -- it will be covered under my BAA agreement with Ring Central. However, Ring Central invites clients to sign up for their own FREE account in order to video conference with me. If the client makes that mistake, then it's no longer a HIPAA compliant video conference session because only one of our two Ring Central accounts is covered by BAA.

I sometimes wonder why this all is left in such a confusing state?

Of course, I'm not a lawyer, so do your own research too.

 #psychology #neurology #socialwork #psychiatry @[email protected] @[email protected] @[email protected] #mentalhealth #psychotherapists @[email protected] #pharmacy #medicationchecker #drugs #druginteractions #cookies #tracking #hacking #3rdpartytrackers #HIPAA #privacy #dataprivacy #webbeacons #RingCentral #VoIP #telephony
18
 
 

3rd party data aggregators can follow people across multiple websites. When they track browser cookies, pixels, beacons, mobile application identifiers, and Adobe Flash technology it is very possible for them to figure out specific people.

This sort of computing device data often qualifies as PHI according to HHS:

Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html

Thank you, Dr. Pope, for the summary below.

Michael Reeder, LCPC

-------- Forwarded Message --------

Medpage includes an article: “Nearly All Hospital Websites Send Tracking Data to Third Parties — Most common recipients of data were Alphabet, Meta, Adobe, and AT&T.”

Here are some excerpts:

Third-party tracking is used on almost all U.S. hospital websites, endangering patient privacy, a cross-sectional observational study found.

Of 3,747 hospitals included in the 2019 American Hospital Association (AHA) annual survey, 98.6% of their website home pages had at least one third-party data transfer, and 94.3% had at least one third-party cookie.

"In the U.S., third-party tracking is ubiquitous and extensive," researchers led by Ari B. Friedman, MD, PhD of the University of Pennsylvania in Philadelphia, wrote in Health Affairs.

"The high number of entities engaged in tracking on hospital websites heightens potential privacy risks to patients."

The tracking data most commonly went to Google's parent company Alphabet (98.5% of homepages), followed by Meta (formerly Facebook), which was used in 55.6% of hospital homepages. Adobe Systems and AT&T collected data from 31.4% and 24.6% of hospital pages, respectively.

"What we found is that it's virtually impossible to look at any hospital website in the country without exposing yourself to some tracking," study coauthor Matthew McCoy, PhD, of the University of Pennsylvania, told MedPage Today.

"That's really significant, because even if you were a patient with privacy concerns and you wanted to avoid this kind of thing, what that means is you really don't have an option to do that."

Hospital website home pages had a median of 16 third-party transfers, with more third-party transfers from medium-sized hospitals as opposed to small and large ones (24, 17, and 13 transfers, respectively).

Of hospital characteristic factors, membership in a health system, having a primarily urban patient population, and having a medical school affiliation were all significantly associated with a greater number of third-party transfers on hospital website home pages.

On 100 randomly sampled hospital websites, searches for six "potentially sensitive" conditions turned up 30 patient-facing pages for those conditions -- and all had at least one third-party data transfer.

McCoy said the number of companies tracking data on any given website was alarming.

"Imagine you were browsing a hospital website for something related to your health, and you had one person looking over your shoulder and gleaning information about your health from a browsing session -- that would probably make you pretty uncomfortable," he said.

"Multiply that by 16, by 20, and you've got that many more people looking over your shoulder."

According to the study, "Many of the third parties to which data are transferred have business models built on identifying and tracking people for the purposes of targeting online advertisements."

Some tracking companies, like Acxiom, sell the data to other companies or allow health-related profiling, like Adobe and Oracle.

Because of this tracking, patients might see more targeted advertising for drugs, supplements, or insurance based on their personal medical conditions.

Health-related information, the authors wrote, could even be used in risk scores that affect credit or insurance eligibility.

"Setting aside those kinds of questions about legal liability..., I think most healthcare providers would recognize themselves as having a responsibility to protect the interests of their patients, and that means also protecting their patients' interest in privacy," McCoy said.

Researchers used a tool called webXray to record third-party tracking from hospital home pages, count the data transfers that occurred when a page loaded, and link individual tracking domains to their parent companies.

Ken Pope

~~ Merely forwarded by: Michael Reeder LCPC Baltimore, MD

#Ethics #EthicalAI #AI #CollaborativeHumanAISystems #HumanAwareAI #chatbotgpt #bard #security #dataanalytics #artificialintelligence #CopyAI #HIPAA #privacy #psychology #counseling #socialwork #psychotherapy #research

@[email protected] @[email protected] @[email protected] @[email protected] @[email protected] @[email protected] #EHR #mentalhealth #technology #psychiatry #healthcare #medical #doctor #healthcare #hospital
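The count the excerpt describes, as an added example that is not part of the forwarded article or the post above and is not webXray's own code: given a browser HAR export of one page load from a site you operate, it tallies third-party transfers and cookies per parent company. The owner map, the `hospital.example` site and the HAR entries are constructed for illustration, and the two-label domain rule is a simplification.

```python
from collections import Counter
from urllib.parse import urlsplit

# Small hand-made owner map for illustration (an assumption, not webXray's data).
OWNERS = {"google-analytics.com": "Alphabet", "doubleclick.net": "Alphabet",
          "facebook.net": "Meta", "demdex.net": "Adobe"}

def site(host):
    """Naive registrable domain: the last two labels (wrong for e.g. .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(har, page_url):
    """Count third-party transfers and cookies, per owner, for one page load."""
    first_party = site(urlsplit(page_url).hostname)
    transfers, cookies = Counter(), Counter()
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if not host or site(host) == first_party:
            continue  # data: URLs and the site's own hosts are not third parties
        owner = OWNERS.get(site(host), "unknown: " + site(host))
        transfers[owner] += 1
        # Cookies sent with the request plus cookies set by the response
        cookies[owner] += len(entry["request"].get("cookies", []))
        cookies[owner] += len(entry.get("response", {}).get("cookies", []))
    return {"total_transfers": sum(transfers.values()),
            "transfers": dict(transfers),
            "cookies": {o: n for o, n in cookies.items() if n}}

def _entry(url, sent=0, set_by_response=0):
    """Build one constructed HAR entry with the given cookie counts."""
    cookie = {"name": "id", "value": "constructed"}
    return {"request": {"url": url, "cookies": [cookie] * sent},
            "response": {"cookies": [cookie] * set_by_response}}

# Constructed sample: a condition page on a fictional hospital site.
PAGE = "https://www.hospital.example/conditions/depression"
SAMPLE_HAR = {"log": {"entries": [
    _entry(PAGE),
    _entry("https://cdn.hospital.example/app.js"),
    _entry("https://www.google-analytics.com/collect"),
    _entry("https://stats.g.doubleclick.net/r/collect", set_by_response=1),
    _entry("https://connect.facebook.net/en_US/fbevents.js"),
    _entry("https://dpm.demdex.net/id", sent=1, set_by_response=1),
    _entry("https://px.tracker.example/p.gif"),
]}}

if __name__ == "__main__":
    print(audit(SAMPLE_HAR, PAGE))
```

A real HAR file exported from the browser's developer tools can be loaded with `json.load` and passed to `audit` in place of the constructed sample.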

19
 
 

I am informed that a new product called #Mentalyc has entered the market. Its mission is to write psychotherapy notes for clinicians AND to gather a non-identifiable dataset for research into clinical best practices.

I have no firm opinion yet on Mentalyc, but it's expensive ($39-$69 per month per clinician) and I'd personally need to know a lot more about what's in that dataset and who is benefiting from it.

So I'm asking the community for thoughts on what acceptable ethical and practical criteria would be for an AI to write psychotherapy notes or medical notes.

Here are MY thoughts so far:

  1. REQUIRED: The AI either: 1a) Invents NOTHING and takes 100% of the information in the note from the clinician, or 1b) Prompts the clinician for additional symptoms often present in the condition before writing the note, or 1c) Presents a very clear information page before writing that lets the clinician approve, delete, or modify anything the AI got creative with and was not told explicitly to include. (So, for example, in an experiment with Bard a clinician found that Bard added sleep problems as an invented symptom to a SOAP note for a person with depression and anxiety. This is a non-bizarre symptom addition that makes lots of sense, is very likely, but would have to be approved as valid for the person in question.)

  2. OPTIONAL: The AI is on MY computer and NOT reporting anything back to the Internet. This will not be on everyone's list, but I've seen too many BAA subcontractors playing loose with the definition of HIPAA (medical privacy) and there is more money to be made in data sales than clinician subscriptions to an AI.

  3. OPTIONAL: Inexpensive (There are several free AI tools emerging.)

  4. OPTIONAL: Open Source

  5. Inputting data to the AI to write the note is less work than just writing the note personally. (Maybe a complex tablet-based clickable form? But then, a pretty high percentage of a note can be in a clickable form format anyway.)

  6. The AI does NOT record the entire session and then write a note based upon what was said. (It might accept dictation of note directions sort of like doctors dictate notes to transcribers today.)

I think I may be envisioning a checkbox and drop-down menu form along with a space for a clinician to write a few keywords and phrases, then the AI (on my laptop) takes this and writes a note -- possibly just a paragraph to go along with the already existing form in the official note. I think. It's early days in my thinking.

I have this same discussion set-up here: https://mastodon.clinicians-exchange.org/@admin/110153358784312024

You do not have to have a Mastodon account to read it -- only to post. This should also get the attention of computer science, AI researchers, and other technical folks as well as counseling professionals.

20
1
Threads (lem.clinicians-exchange.org)
submitted 1 year ago by [email protected] to c/[email protected]
 
 

TITLE: Threads, Meta’s Twitter competitor, is now live

"Information provided about the app’s privacy via mandatory disclosures required on iOS shows the app may collect highly sensitive information about users in order to profile their digital activity — including health and financial data, precise location, browsing history, contacts, search history and other sensitive information."

https://techcrunch.com/2023/07/05/threads-no-eu-launch/

TITLE: Meta will nuke your Instagram account if you delete Threads profile

"In a ‘Supplemental Privacy Policy,’ Meta says: “You may deactivate your Threads profile at any time, but your Threads profile can only be deleted by deleting your Instagram account.”"

https://techcrunch.com/2023/07/06/threads-delete-profile-instagram-meta/