Sensitive Information on Display: Using flexible de-identification for protecting patient privacy in (semi-) public hospital environments
MetadataVis full innførsel
In later years, the health care work in hospitals has become increasingly fragmented, in a sense where different people and professions are required for the treatment of every single patient. As a consequence, personnel should be assisted to greater awareness of what is happening, so that they can better plan where to put in their efforts. Making information about ongoing activities more accessible to its users is hence important, but this will in turn require increased distribution of sensitive data inside the hospital. The concept of flexible de-identification has been proposed as a solution for the privacy issues raised by this, but then again new issues emerge when it comes to how useful the de-identified data are to its authorized end users, in practice.A series of six rapid field tests was executed along with a literature review on de-identification. The purpose was to explore some ideas to how de-identification could be implemented for information screens located in public and semi-public hospital environments, such as hallways, where personnel are likely to see them. The appropriateness of several techniques for de-identification was hence evaluated for being used in real-time visualizations, in contrast to previous known applications of the concept. This input was in turn used to design a high-fidelity prototype for use in a series of four experiments in a usability laboratory. The experiments involved role-play sessions, where nurses from a university hospital used the prototype in a simulation of realistic ward work. In a focused interview directly afterwards, they each assessed the usefulness of having a system available in such locations, considering that the information was de-identified. Moreover, the nurses evaluated six alternative approaches to de-identification of the sensitive information, and ranked them with respect to which, if any, would be best suited for use in their regular work environment.The experiments indicate that users appreciate being notified via large screens when new information is available, but disagree on what is the preferred level of de-identification. Some would emphasize the legislative requirements and privacy issues raised, while others would put their own utility needs first. As a response to this, an interactive prototype was designed to demonstrate how users can be given interactive control over how identifiable the displayed information is. This idea of giving users flexible control over what is seen on a screen, depending on how they assess the context for access, is grounded in a framework for evaluation that considers the quality requirements of identification utility, legislation and usability.Useful applications of non-interactive de-identification to screens in public environments, are effectively disqualified by the legislative requirements regulating how personal health information can be disclosed. The de-identification can however be useful for enabling an intermediate security level, which can be accessed as long as there is a authorized user present. Appropriate techniques for achieving such de-identification, are found to be suppression of variables, coding, masking and generalization. With this overall approach, users may gradually authorize themselves until the required utility is reached, and hence be able to access useful information in public places. The information depth available must also be accordingly limited, so that the increased risk of abuse is mitigated. The result is possibly a security mechanism that is both legal to implement, it serves the utility needs of personnel, and it is more usable in practice than existing time-demanding login routines. Finally, these ideas have been included in the design of an interactive prototype, which still remains to see tested in practice.