JAMIA: PHI disclosure through file sharing will rise with increased digitization
There is a real risk of inadvertent disclosure of personal health information (PHI) through peer-to-peer file sharing networks, although the risk is not as large as for personal financial information (PFI), according to an article published online in the March issue of the Journal of American Medical Informatics Association.

"Anyone keeping PHI on their computers should avoid installing file sharing applications on their computers, or if they have to use such tools, actively manage the risks of inadvertent disclosure of their, their family's, their clients', or patients' PHI," wrote lead author Khaled El Emam, of the Children’s Hospital of Eastern Ontario Research Institute in Ottawa, and colleagues.

“Between 15 and 17 percent of U.S. adults have changed their behavior to protect the privacy of their PHI, such as: going to another doctor, paying out-of-pocket when insured to avoid disclosure, not seeking care to avoid disclosure to an employer, giving accurate or incomplete information on medical history, self-treating or self-medication rather than seeing a provider or asking a doctor not to write down the health problem or record a less serious or embarrassing condition,” the authors wrote.

There has been a consistent concern about the inadvertent disclosure of personal information through peer-to-peer file sharing applications, such as Limewire and Morpheus, the report noted. The study examined the extent to which PHI is being disclosed through peer-to-peer file sharing networks in Canada and the U.S. It focused on files that are likely to contain correspondence in various formats (word processing files, email files, PDF files and spreadsheet files), and compared the extent of PHI disclosure with that of PFI.

“However, if documents containing PHI are being made available, that does not necessarily mean that anyone is actually finding these documents. Therefore, the second issue we address is the proportion of searches on the file sharing networks that return documents containing PHI,” the authors wrote.

After review and approval of the protocol by the authors’ institutional research ethics board, files were downloaded from peer-to-peer file sharing networks and manually analyzed for the presence of PHI and PFI, the report noted. The geographic region of each IP address was determined and classified as either USA or Canada.

According to the report, data files were downloaded from 807 Canadian IP addresses and 844 U.S. IP addresses. Approximately 1 percent of all files downloaded in Canada were viruses, as were 2.1 percent in the U.S. All of the viruses were Trojan horses that open back doors to the computer, allowing an external entity to drop potentially malicious files or control the machine, the authors wrote.

Approximately 0.4 percent of Canadian IP addresses had PHI, as did 0.5 percent of U.S. IP addresses. According to the report, there was more disclosure of financial information, at 1.7 percent of Canadian IP addresses and 4.7 percent of U.S. IP addresses. An analysis of search terms used in these file sharing networks showed that a small percentage of the terms would return PHI and PFI files (meaning there are people successfully searching for PFI and PHI on the peer-to-peer file sharing networks).

“During our data capture period, approximately 3.5 million search terms were logged,” wrote the authors. “Out of all the search terms, the proportion that returns PHI and PFI is relatively small. Most search terms were for music files and pornography,” the authors reported.

“As more health information gets digitized, it is expected that the amount of health information available to individuals on their personal computers will increase. Therefore, it is most likely that the rates of PHI disclosure through peer-to-peer file sharing networks that we obtained will rise over time,” the authors concluded.