#CollaborativeHumanAISystems


A quick follow-up to this. I eventually got a polite blow-off letter from them about how they strive to value customer privacy or some such. Very little I can do. Have to decide if a complaint to US government about possible HIPAA violations is worth it.

@psychotherapist @psychotherapists @psychology @socialpsych @psychiatry @infosec
#AI  #CollaborativeHumanAISystems #HumanAwareAI #artificialintelligence #psychology #counseling #socialwork #psychotherapy #EHR #medicalnotes #progressnotes @psychotherapist @psychotherapists @psychology @socialpsych @socialwork @psychiatry #mentalhealth #technology #psychiatry #healthcare #patientportal #HIPAA #dataprotection #infosec @infosec #doctors #hospitals #BAA #businessassociateagreement #coveredentities #privacy #HHS #OCR #fullscript

TITLE: Polite Example Letter to a Health-Related Website Endangering Your Privacy

*THIS* is the letter I wish more people would send to health-related websites and merchants when they observe a privacy problem!

fullscript.com is a service that dispenses non-pharma products to patients (like medical grade supplements) based upon doctors' orders. You have to be referred by a physician to get a patient account. They even have a way of integrating with EHR systems.

They need to get security right.

~~~~~~~~~~~~~
To: Fullscript Support <support@fullscript.com>

Dear Fullscript Team:

I have always appreciated being able to order from your excellent website.

Your service strives to supply patients with supplements and medicines ordered by doctors. As such, what is ordered can give insight into medical conditions that patients may have.

You may or may not be covered by HIPAA regulations, but I'm sure you will agree that ethically and as a matter of good business practice, Fullscript would want to maintain medical privacy of patients given that medical practices trust you.

This is why I'm concerned with the HIGH level of 3rd party tracking going on throughout your product catalogue. On your login page, the Firefox web browser displays a "gate" icon to let me know that information (I believe my email address) is being shared with Facebook. This is also the case with your order checkout page (see attached screenshot showing Facebook "gate" icon, as well as Privacy Badger and Ghostery plug-in icons in upper right-hand corner blocking multiple outbound data connections).

Privacy Badger is a web browser plugin that detects and warns of or stops (depending upon severity) outbound information from my web browser to 3rd party URLs. Directly below is Privacy Badger's report from your checkout page:

~~~~
Privacy Badger (privacybadger.org) is a browser extension that automatically learns to block invisible trackers. Privacy Badger is made by the Electronic Frontier Foundation, a nonprofit that fights for your rights online.

Privacy Badger blocked 23 potential trackers on us.fullscript.com:

insight.adsrvr.org
js.adsrvr.org
bat.bing.com
static.cloudflareinsights.com
script.crazyegg.com
12179857.fls.doubleclick.net
12322157.fls.doubleclick.net
googleads.g.doubleclick.net
connect.facebook.net
www.google-analytics.com
analytics.google.com
www.google.com
www.googletagmanager.com
fonts.gstatic.com
ad.ipredictive.com
trc.lhmos.com
snap.licdn.com
o927579.ingest.sentry.io
js.stripe.com
m.stripe.network
m.stripe.com
q.stripe.com
r.stripe.com
~~~~

Please note that I was able to successfully check out WITH Privacy Badger blocking protections on, so most of this outbound information was NOT necessary to the operation of your website.

There are several advertising networks and 3rd party data brokers receiving some kind of information.

I am aware that a limited amount of data sharing can be necessary to the operation of a website (sometimes). I am also aware that this all is not malicious -- web development and marketing do not usually talk to the legal department before deploying tools useful for gathering site usage statistics (Crazy Egg and Google Analytics). However, these conversations need to happen.

As for "de-identified" or "anonymized" data -- data brokers collect information across several websites, and so are able to reconstruct patient identities even if you don't transmit what would obviously be PHI (protected health information). As an example, if Google sees the same cookie or pixel tracking across multiple websites and just one of them sends a name, then Google knows my name. If Facebook is sent my email address (as looks to be the case), and I happen to have a Facebook account under that same email address, then Facebook knows who I am -- and can potentially link my purchases with my profile.

The sorts of computing device data that you are collecting and forwarding here may well qualify as PHI. Please see:

Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates
hhs.gov/hipaa/for-professional

This HHS and OCR guidance includes many 3rd party tracking technologies.

What I would really like to see happen is:

a) A thorough look at what information your website is sending out to what 3rd parties, along with an understanding of how data brokers can combine information tidbits from multiple websites to build profiles.

b) Use of alternative marketing analysis tools that help your business. For example, there are alternatives to Google Analytics that do not share all that data with Google and still give your marketing team the data they need.

c) An examination of whether you are sharing information about what products patients are clicking on and/or purchasing with 3rd parties. This would be especially problematic. (Crazy Egg tracks client progress through a website, but I'm unclear if they keep the information or just leave it with you.)

d) Use of alternative code libraries that are in-house. For example, web developers frequently utilize fonts.gstatic.com, but you could likely get fonts and other code sets elsewhere or store them in-house.

I appreciate you taking time to read this and working on the privacy concerns of your patients and affiliated medical practices.

Thanks.

~~~~~~

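As an added example (not part of the post above and not Fullscript's own tooling), a small Python audit that a site owner could run over request URLs captured from their own checkout page to work through item (a): group every third-party destination by registrable domain, separate the ones declared necessary (here, assumed to be only the payment processor) from the ones needing review, and flag query-string values that look like an email address or a hashed identifier. The hostnames come from the Privacy Badger report above; the URLs and query strings are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: request URLs a browser might issue from a checkout page.
# Hosts are taken from the Privacy Badger report above; the query strings are
# invented to show what the identifier check catches, not what any site sends.
CHECKOUT_REQUESTS = [
    "https://us.fullscript.com/checkout",
    "https://js.stripe.com/v3/",
    "https://connect.facebook.net/en_US/fbevents.js?id=patient%40example.com",
    "https://www.google-analytics.com/collect?cid=0123456789abcdef0123456789abcdef",
    "https://fonts.gstatic.com/s/roboto/v30/font.woff2",
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HEX_ID_RE = re.compile(r"^[0-9a-f]{32,64}$")  # md5/sha1/sha256-looking tokens


def registrable_domain(host: str) -> str:
    """Last two labels of a host (assumption: no multi-label suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host: str, first_party: str, allowlist: set) -> str:
    """'first-party', 'allowed' (declared necessary) or 'review' (unexplained)."""
    domain = registrable_domain(host)
    if domain == first_party:
        return "first-party"
    return "allowed" if domain in allowlist else "review"


def identifiers_in(url: str) -> list:
    """Query-string values that look like an email address or a hashed id."""
    hits = []
    for values in parse_qs(urlsplit(url).query).values():
        hits += [v for v in values if EMAIL_RE.search(v) or HEX_ID_RE.match(v)]
    return hits


def audit(urls: list, first_party: str, allowlist: set) -> dict:
    """Group third-party requests by registrable domain with verdict and ids seen."""
    report = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        verdict = classify(host, first_party, allowlist)
        if verdict == "first-party":
            continue  # only outbound third-party traffic is of interest here
        entry = report.setdefault(registrable_domain(host),
                                  {"verdict": verdict, "hosts": set(), "ids": []})
        entry["hosts"].add(host)
        entry["ids"] += identifiers_in(url)
    return report
```

The allowlist is matched on the registrable domain, so `m.stripe.network` still lands in "review" even when `stripe.com` is allowed; a real audit would feed in a HAR export and swap the two-label heuristic for a public suffix list.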

@Niloufar Right!

Experimentation in is limited. The field doesn't even know how to evaluate intelligent systems with people. Worse, the development approach starts with data and not from understanding what humans do & what it means to support them.

At , drawing inspiration from , we are exploring a design process and human participant evaluation is a significant part of it.

But, socializing this research has been a challenge in our hype-y world.


Most , research assumes the first configuration in the figure below. We take it for granted that a human will fully delegate a task to the

That couldn't be further from reality. For a long time, humans and /#ML systems will have to work together in various configurations.

looks at what is typically overlooked in , - how do we bring humans in the loop.


3: , , - how can complex learn from humans? is a large part of that puzzle.

Focus on , - what does it mean to 'understand' language for communication, collaboration, & teaching.

Not which research studies.

2021: arxiv.org/abs/2102.06755
2020: arxiv.org/abs/2006.01962
2014: arxiv.org/abs/1604.02509


studies 3 questions:

1. How do we model a human so that an can reason with it? How to find a _prescriptive_ model? Human-centered sciences have a starting point.

2. How do we design an ?

3. How do we measure progress? THE most critical question. As people, we are enamored by accuracy, scale etc. But, in research, we have to study what humans care about.

The potential is interdisciplinary.

I was recently recognized by , as an .

I put forth an agenda of - that are designed to model, reason, and learn about their human partners -supporting them in their goals and pursuits.

It is , research but extremely . We start with studying what is the human trying to do and what intelligent support do they need.

A thread below -