25 September 2017

two new articles

Posted by admin @ 11:35 am    categories: Psychology

I’m pleased to note that two new journal articles were published in the past few months. They’re based on research that I worked on over the past year (or, actually, 2-3 years).

One is entitled “Sustained attentional engagement is associated with increased negative self-referent decision-making in major depressive disorder” (Dainer-Best, Trujillo, Schnyer, & Beevers, in press). In this work, we helped solidify the relationship between depression and negative information processing, finding that people who were depressed responded differently to a task involving self-referential stimuli, both behaviorally and in EEG.

The second paper is called “Specificity and overlap of attention and memory biases in depression” (Marchetti, Everaert, Dainer-Best, Loeys, Beevers, & Koster, 2018). Dr. Igor Marchetti was the lead on this project. Here, we used a commonality analysis to begin to tease apart the relationship between measures of depression symptoms and two types of cognitive biases: attention bias and memory bias. In this study, we found that the memory bias in mood-relevant stimuli was reliably related to depressive symptoms but not anxiety symptoms—it was specific here.

24 January 2016

Podcasts II: Auditory Adventures; Recommendations

Posted by admin @ 0:19 am    categories: Uncategorized

(This is a continuation of a series of posts on podcasts and podcasting; the first can be found here.1)

Obviously, I also listen to podcasts myself. I wanted to take a brief interlude and delve into my own experiences with podcasts, before talking about recommendations—how respondents to my survey recommend, and what they think about when making recommendations. (There are a lot of links in this post. You’re welcome.)

Over the past years, I’ve gradually moved into listening to quite a few podcasts on a regular basis. Perhaps in 2008 I was sold on the idea. Not long after that, I got an iPod, a tiny iPod Nano that had a scroll wheel and 16GB of memory. (It lasted me a good four years.) I have an email from late 2007 expressing my interest in getting started with podcast-listening, and not too long thereafter a request to a friend. I don’t remember my first podcast, but I think it was probably WNYC’s On the Media, whose name pretty much says it all, and which I still listen to pretty much every week today. (It’s one of my favorites.) Also in the early running: BBC Radio 4’s Friday Night Comedy, of which I’ve only ever really listened to the News Quiz; NPR’s All Songs Considered; NPR’s Wait Wait… Don’t Tell Me; and The Moth. You’ll note that all of these are radio shows, although The Moth wasn’t back in 2008. A slightly less serious type of podcast followed not too long afterwards; I subscribed to The Savage Lovecast, Dan Savage’s profane and occasionally profound advice call-in program, and Answer Me This!, an advice and variety podcast. (Both are certainly not radio shows. Although I no longer listen to the latter, I really enjoy the podcast one of the presenters2 (Helen Zaltzman) now produces for Radiotopia, The Allusionist, an amusing podcast about words and language.)

Over the years, as tends to happen, I’ve increased my number of podcasts, and the amount of time I listen to them. Somehow, I’ve found, I never quite get through all of my podcasts—and some are considerably more important to listen to when current. The number of unplayed episodes only rises, of course, and getting the balance of time-spent-listening to podcast-hours-to-listen is nigh on impossible. At some point, I began listening to podcasts at 1.5x speed (the iPod used to describe this as 2x, but I believe it was always actually a 50% speed increase), except for podcasts on music or in Spanish. There are a few podcasts where the presenters speak very quickly, but there’s a tendency to speak slowly and carefully; a slight increase makes for a perfectly comprehensible, speedier listen. When I first started, I used to slow down the speed for certain podcasts I enjoyed more (99% Invisible and The Memory Palace in particular), but for a variety of reasons I rarely do that anymore, with the exception again of podcasts that play music (All Songs Considered, or Hrishikesh Hirway’s Song Exploder) or are in Spanish, my second language (notably Radio Ambulante, although there are a few other podcasts I listen to in Spanish).

I have trouble picking any one or two podcasts to recommend. As I mentioned at the top, On the Media is still one of my favorite podcasts; I think the presenters are very good interviewers, and do an excellent job at teasing the week’s news apart. But I think podcasts can do so much more than just being on-demand versions of radio shows. As such, I often recommend shows from Radiotopia or Gimlet, which often let themselves be more esoteric. I’ve mentioned a number of Radiotopia podcasts above already, as that collective brought together a number of already-established small podcasts; Gimlet’s most notable shows, in my mind, are Reply All, a wonderful show about the internet (and the successor to WNYC’s tl;dr; the presenters moved to Gimlet) and StartUp, a podcast that began as a very-introspective look at the development of Gimlet, and has turned into a show that profiles other businesses as they begin. I also really appreciate Lore, an independent (I believe) show about spooky folklore that’s not breaking much new ground in each episode, but is always a fun listen.

And yet I have some hesitations about these recommendations. I like the idea of recommending podcasts that are doing something novel, or presenting something you can’t get elsewhere. (I tend not to recommend shows like Serial because by and large, I think everyone already knows of it.) I think Reply All does this, but I also have been listening to them for a long time—as a friend (L.A.) and I discussed the other day, a key feature of their show is the way that they bring themselves into the episodes, but some people may find that frustrating. Lore is a real niche podcast, but it also stays a little too firmly in that niche. Benjamen Walker’s Theory of Everything, a podcast that defies genres (philosophy with a touch of fiction and a touch of reporting?) has gone in so many directions that while I can point to favorite shows (e.g., “Artifacts“), I can also point to episodes I’ve explicitly not enjoyed. StartUp made me squirm so much when I heard a preview episode that it took me months to listen to a second.

Which is all to say that finding proper podcast recommendations is hard. A lot depends on the person asking for recommendations, on their interests, and so forth. There are a lot of people trying to perfect ways of recommending podcasts. NPR created Earbud.fm, which is a nice-looking website that provides podcast recommendations. Gimlet has a new show that’s just getting started called Sampler that’s designed to be just that, providing glimpses into a variety of podcasts. The Timbre seems to be devoted to cataloging and linking to great podcasts; the editors of that site wrote a list of the best podcasts of 20153, which has links to a lot of shows I listen to and quite a few I do not. I’ve slowly added to the shows I listen to by keeping my ears peeled to new podcasts that sound interesting, and being willing to experiment. Every week, I hear of new podcasts—and who doesn’t? The difficult thing is finding the time to listen, I think.

As it stands, there’s no equivalent to Netflix ratings, no Pandora for podcasts. One of the things that I’d love to be able to create is a ranking algorithm, an “if you liked this, you’ll like that.” But the complexity of these questions are pretty stunning, when it comes down to it. From the data this survey collected, we have a sparse matrix of data—many respondents who checked off which podcasts they listened to. We can presume that if people are subscribed, they generally like those shows (as opposed to movies, where you may watch something you dislike), but even so the ideas behind this are not simple. (Feel free to contact me if anyone who reads this has specific thoughts on how they would approach the problem.)

Regardless, the survey respondents were quite varied in their tastes, and quite willing to suggest podcasts that they recommend to friends. As I discussed previously, this was qualitative data; people wrote in their recommendations and their reasons for recommending these shows. We discussed last time how people reported learning about new shows, and the fact that 61% of people reported learning about new shows from friends—this is a pretty important question, then. The top-recommended podcasts are maybe not super striking, but they’re worth noting:

Podcast                            Number who recommend it
This American Life                 21
Radiolab                           17
99% Invisible                      12
Reply All                          12
Dan Carlin’s Hardcore History       8
Comedy Bang Bang                    7
Call Your Girlfriend                6
Serial                              6
How Did This Get Made?              5
Mystery Show                        5
WTF with Marc Maron                 5
My Brother, My Brother and Me4      5

I want to point out two things here: one, that the top three most-listened podcasts (Serial, This American Life, and Radiolab) all also top this list, although Serial has fewer recommenders. (My guess is that people assume, as I do, that most everyone who has interest has already listened to Serial, at least in its first season.) The second thing to note is that these recommended podcasts run the gamut in terms of genres and in terms of sources; some are independently-produced (Call Your Girlfriend) while others are from public radio or the bigger podcast networks.

The full list of podcasts people recommended is on this website; there are 94 different recommendations. One of the other things I asked was why: why would you recommend this? The most common response had to do with humor—it’s funny, or it makes me laugh, or I think it would make others laugh. This show is entertaining. It’s accessible. It’s unique; it’s clever. Here are some example responses:

  • “I recommend Call Your Girlfriend because it is female fronted, funny, and culturally informative.”
  • “Lore scratches the itch for the mysterious and macabre.”
  • “I really enjoy richly produced podcasts that teach me something new or allow me a new perspective on a topic.”
  • “I really enjoy them [My Brother, My Brother and Me and Lore] and think that they would interest a broad group of people.”
  • These shows have “compelling story telling (sic) and excellent quality in content and sound.”
  • “They’re the best of the best, you know? Also, I think both these pods [You Must Remember This and Death, Sex & Money] represent novel experiences that are specific to podcasts…”
  • These shows (The Read & The Champs) have a “focus on black culture”
  • “Less people know of them – the first [Home of the Brave] is incredible personal journalism, the second [Twisting the Wind] is just a crazy dude”
  • “Doughboys is funny and unique (and I can’t imagine someone disliking it). Reply All is well researched and produced. It is also engaging. However I think it is more niche.”
  • “Tech journalism is often correct at the expense of being fun. The Theory of Everything is fun.”
  • “I didn’t answer … because what I recommend depends so much on the person I’m recommending to… I don’t necessarily think other people will like them as much as I do. For example, for a lot of people the New Yorker fiction podcast might be boring and Love+Radio might be weird. So I guess I usually recommend the more normal ones (e.g. This American Life or RadioLab) if they’re not used to listening to podcasts.”
  • “Limetown is a really well-produced fiction, serialized podcast, which has become my favorite genre. I think it’s a good intro to the series. Reply All is interesting and the hosts are charming and it’s short enough that I feel like most people will give it a shot.”

I’ve tried to give a taste of what these responses are like. One of the most difficult things, as I think is obvious when you look through these responses, the previous post, and even my own recommendations, is figuring out just what you really need to make a podcast that you’ll want to listen to regularly. It’s a surprisingly difficult thing to pin down, ain’t it?

  1. I’ve updated this post to be consistent, following a conversation with J.H., as of May 16, 2016. Previously, podcasts were named in quotation marks; I’ve now changed them to be italicized. I view podcasts as similar to magazines, and individual episodes their stories—you italicize the title of the publication, and put the story in quotation marks.
  2. I prefer to use the term “presenter” here because I don’t love the word “host,” but obviously that’s all I mean here.
  3. Standley, L.J., Taylor, D., & McQuade, E. (2015). “The 50 Best Podcast Episodes of 2015”. The Atlantic. Accessed January 21, 2016.
  4. What do they have against a serial comma, huh?

14 January 2016

Podcasts I: Everyone Loves a Good Podcast

Posted by admin @ 15:17 pm    categories: Uncategorized

A short while ago, I posted a survey I had created about podcasts. A number of friends filled it out (I have 78 responses who filled out some amount). I then opened it up (with some few additions) to a wider audience, and collected another hundred responses from this sample. To be clear, a podcast (which wiktionary defines as “an audio program … delivered over the internet in a compressed digital format and designed for playback on computers or portable digital audio players”) is a pretty new concept—the term comes from combining “broadcast” and “iPod”, and we can date it to a 2004 article in The Guardian1. That all said, many of the podcasts people listen to regularly are also radio programs, many broadcast in that way as well. Most of what I’m focused on here are shows that are listened to as podcasts, but certainly the lines between the two are blurry.

There is a lot of data2 from the surveys we’re discussing here. I have some thoughts of things I’d like to do with it beyond what you’ll see below. However, I’ve gone over everything in a preliminary way at this point, and I can start sharing some of the results.

A lot of these results aren’t going to be very surprising to people who are involved in podcasting, or have been following it as a medium for some time. Not surprising: over half of the respondents to both surveys reported being subscribed to Serial, the podcast that made waves last year and has just begun its second season; almost as many also subscribed to This American Life, the PRX show long-produced by WBEZ Chicago from which Serial sprung. (A close third in both samples was Radiolab, from PRX’s WNYC.)

Subjectively, what most struck me was just how many podcasts there are, and how many different ones people listen to. In the first survey, among friends, I provided 196 options for people to select; 133 of those (68%) were selected, and people wrote in another 150. That is to say: among 78 respondents, there were 283 podcasts listened to. In the second survey, I included most of that 150 on top of the original 196; people reported listening to 220 of the podcasts I listed, and wrote in an additional 329. So among that sample of 101 individuals, they subscribed to 549 podcasts. That’s pretty crazy. In total, there were approximately 468 unique write-ins across both surveys. (I say approximately because it’s totally possible I’ve missed some duplicate that was titled differently by two entrants.)

A few notes about methodology: The data described herein was collected during November and December of 2015. The respondents from both surveys came from facebook, reddit, or twitter; this is not going to be a sample representative of anything except people who are members of those communities. After consenting to participate, and being told that they were completing this for fun (i.e., there was no recompense beyond the results of these analyses and the relative interest of filling out the survey), all further questions were entirely optional. As such, many respondents left items blank (especially in the demographics section). At least one participant (the only participant entirely excluded) seems to have gone through every page without answering a single question. Because I figured more data was better than no data, I included data from individuals who consented but did not complete the survey. As such, we have 78 respondents from among the “friends” survey (62 of whom finished the survey), and 101 respondents from the “external” survey (81 of whom finished it). Almost every question that had multiple possible options used checkboxes; as such, responses should not add up to 100.

My experience is largely in working with quantitative data. A lot of the questions I asked were open-ended, which I think is appropriate for these topics. As such, I’m hard at work “coding” those responses as best as I can. I’ll try and make note of some interesting responses for those discussions.

On demographics, looking at only those who provided responses to these questions: Gender-wise, we have a reasonable spread: 28/35 male/female among friends, and 49/27 male/female among the latter group. (Obviously, not everyone gave me a gender; there were also a few who responded in a non-gender-binary.) Many respondents were white (75% in friend sample; 90% in external sample); most were from the United States (98% of friend sample; 73% of external sample). This is a clear case where if I were doing this more thoroughly I’d want to collect data from a more diverse sample.

In any case, let’s look at some graphs. When do people report listening to podcasts? I would have guessed that most people indicated they listened while doing housework or cooking, but even more people (the largest number in both samples) said they listened to podcasts while commuting. Many also indicate that they listen while working. (Very few people seem to sit and listen to a podcast while not doing anything else.)

When do people listen to podcasts?

I then wanted to take a look at what people reported that they looked for in a podcast. Put another way: why would anyone listen to podcasts? It’s probably no surprise that the reasons people gave to this question are echoed elsewhere in the survey, especially when asked what podcasts respondents recommend to others, and why that was. As above, by and large the two categories of respondents reacted similarly. Essentially: everyone wants to learn and to be amused. Getting into complicated topics, or exploring human interest (the “humanity” was described as “This American Life-style stories”) were also high up there.

what people look for

Early on, respondents were asked to rate genres in three ways:

  1. Which genres do they listen to? (Here, they only picked a few.)
  2. Which genres are their favorites? (Here, they could select as many as they wanted.)
  3. Of those favorite genres selected in step 2, they then ranked them.

Culture/arts and comedy were definitively highest among the most commonly listened to genres. Religious podcasts were the least listened-to in this sample, although by all markers they were listened to by some.

Most Commonly Listened Genres

Genres Most Selected as Favorites

Ranking of Favorite Genres

Looking at those rankings, they’re pretty consistent across groups. (Remember that the best possible ranking here [as usual] is a ranking of 1 – so the item with the smallest bar, culture & arts, is of course the one that most people endorsed as their favorite kind of podcast.) I asked respondents to select the genres they listened to, and then drag them into order from favorite to least-favorite. There are a few surprises here to me, including the fact that we ended up with exactly the same ranking for technology podcasts in two different samples (a square 4.57). The fact that religion is so low-ranked could mean, to someone who was excited about the topic, that there’s a lot of room for a well-produced and interesting religion podcast. It could also mean that no-one in these samples was interested in listening to podcasts about religion. The data don’t speak to which interpretation is correct.

For a last image, we can take a look at one of the additions for the second survey, a question that asked: “Think about the last time (or last few times) you skipped to the next podcast, or turned a podcast off. Why did you?”

Why External Respondents Skipped Podcasts

The responses for the most part fit what I wanted to hear: assuming you like a podcast well enough to stay subscribed, why would you skip it? Surprisingly few people seem to skip podcasts because of the ads, especially the ones in the middle of the episode. (That said, I think maybe the term “back matter”, which I used to refer to the credits & terminal ads / requests for donations that often terminate a podcast, may have confused people.) I forgot one option: reruns. A lot of people (me included) won’t listen to a re-broadcast of an episode, unless it’s really good. (Not saying I never have, though!) I understand, of course, why hosts do this: when I’ve never heard it before, I generally don’t care about whether it’s new. But for the most part, people skipped episodes – 62% of respondents do – when they’re boring. Shocking, I know. Sometimes it’s just a segment, and sometimes it’s the full episode. But bad editing wasn’t up there (maybe it’s a reason to just not subscribe).

I’ll close with a few more statistics, and the promise that more information is certainly forthcoming, including “best-of” lists, and an analysis of most-recommended podcasts. Here are some of the stats:

  1. Almost everyone says they learn about new podcasts from podcasts they already listen to (65%) or from friends (61%). That leaves a lot of room for better methods of getting people to learn about podcasts. I know there are lists on websites and articles and even probably an app or five for discovery, but only 42% of the sample had learned about podcasts from a website. That said, the old “web ring” concept works somewhat, with 28% indicating they’d heard about a podcast from a company or collective. (Many seem to wish there was a better way to discover new podcasts, although I’m sure I’m not the only one who wishes there was a better way to wean down the number we listen to.) And yes, okay, redditors learn about new episodes from reddit.

  2. Pretty much anyone subscribed to some sort of public radio podcast (NPR, PRX, PRI). After public radio, Gimlet and Radiotopia were close behind in terms of collectives/groups. (They were followed by Panoply, Nerdist, and Maximum Fun; a few others lagged behind including the BBC, Rooster Teeth, and Infinite Guest. A few people did indicate that they didn’t know what I was talking about, but I think it’s fairly clear that these are collectives formed that help produce and advertise shows.) I neglected to include an “other” option here, so I can’t speak to what other podcast collectives or national radio programs respondents might listen to. Judging again by that number I cite above (468 write-ins alone) there probably are others, no?

  1. Hammersley, Ben. (11 Feb 2004). “Audible revolution”. The Guardian. Accessed 03 January 2016.
  2. I’m going to be following my preferred convention and referring to a singular “data” rather than plural. Many readers may be unaware of this continued debate, but in essence people argue that “data” is a plural form—the singular would be “datum” or “datapoint”—and therefore that the word “data” should have plural verb forms attached, e.g., “there are a lot of data”. This makes some sense, except that it’s just a bad, old convention. I never much cared for the convention, and then I read this piece some years ago, and it convinced me to completely stop bothering with the false plural unless it’s required. The piece’s title is straightforward: “Data is a singular noun”. In any case, I’ll leave you to it, if you’re curious.

20 December 2015

Data Encryption for Psychologists

Posted by admin @ 23:55 pm    categories: Psychology, Uncategorized

During yesterday’s debate, there was a discussion of encryption—which seemed to be characterized by a moderator as some sort of terrorist tool. That’s not a reasonable way of looking at encryption, although encryption does, of course, enable privileged communications. In fact, encryption is important and quite common. Encryption is about encoding a message so that only the people who are authorized to read it can read it; the OED defines “encrypt” as “to convert (data, a message, etc.) into cipher or code, esp. in order to prevent unauthorized access”. The simplest kind of encryption is a code: think substituting numbers for letters, A=1, B=2. Think the coded letters in an Agatha Christie novel, or a spy novel.

But of course we’ve come a long way from a basic cypher. Certainly, computer algorithms have made encryption a lot easier. Rather than needing to follow a complex code on your own, you can plug a coded message into a simple program, and it can output the deciphered message. That’s what’s going on in PGP email encryption; that’s what’s happening every time you send an iMessage with your iPhone. Those are encrypted. (How secure they are is up for some debate.)

Before we go any further, let me include a brief disclaimer: I am not a lawyer. I’m writing this based on my understanding of the laws and technology. Because of how complex some of this was, and how rarely it seems to be discussed in the context of psychologists and counselors, I’m writing it out here. But recognize that this is at best educated advice, and that if you’re unsure about best legal practices, you should check with a lawyer before following anything specific. I’m also not an IT professional. While I’ve used many of the services discussed below, and am familiar with some practices, there are always risks inherent to digital information—so back everything up, and use strong, secure passwords that you can remember. You are responsible for any lost data.

HIPAA and Encryption

I’ve been thinking about encryption some recently, because I’ve been reading about HIPAA and its requirements for storing PHI1. HIPAA most often touches people when they go to a doctor’s office for the first time, and are handed—along with the demographic form, and the questions about their insurance—a several-page form that explains when the doctor’s office will share their information, and when they won’t. But it’s more far-reaching than that. As wikipedia puts it, “Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information as well as outlining numerous offenses relating to health care and sets civil and criminal penalties for violations”.

In essence, HIPAA says: “Hey healthcare providers, you need to keep identifiable information about your patients private, and only share it with other people if you need to or if you’re asked to by the patient. And if you do share it, you’ll need to let the patient know you’re going to do so.” As a clinician working in psychology, this is going to be boiled down essentially as: “There are a few ways in which I’m a mandated reporter, but otherwise everything we discuss is entirely confidential. I may tell someone [e.g., your insurance company] that you’re seeing me in order to receive payment, but otherwise I won’t release your records unless I’m subpoenaed or you ask me to do so in writing.”

There’s another side of this, though: what do you as a clinician do when you keep information about your patient? Traditionally, this was pretty damn easy: you kept paper notes. You kept their address and phone number in a file folder, and in that folder you took paper notes, kept everything together. If you saw someone for a long time, or if you ended up with documents, etc., you expanded your paper folder. It all went in a locked file cabinet, within your locked office or locked file room. There’s an ethical dimension to this, of course. Ethically, a psychologist is required to maintain accurate records and notes, and keep them private and confidential. The APA explains that “psychologists protect electronic records from unauthorized access through security procedures (e.g., passwords, firewalls, data encryption and authentication). Consistent with legal and regulatory requirements and ethical standards, . . . psychologists employ procedures to limit access of records to appropriately trained professionals and others with legitimate need to see the records.”2 As you may have noticed, they also mention legal standards, so let’s check in: what does HIPAA mandate in terms of storing this kind of data?

Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.

Digital Information Security

Having that locked file cabinet was considered to be “reasonable and appropriate”. But what about digital information? More and more records have become digital these days. There are a couple of reasons for this; for one, it’s more space-efficient, since records often need to be stored for years even after a patient is no longer receiving services (in Texas, it’s seven years3). For another, it’s often easier to just type out a few notes in a patient’s digital file than it is to hand write them, especially if you’re not taking notes during the session. Moreover, billing is often carried out on computers, rather than by hand. (Someone probably still bills by hand, but it’s rare if so.) Hospitals buy expensive software, and tie providers to login IDs that they use to update patient charts. But when it comes to smaller clinics, or clinicians in private practice, although there are many record-keeping and payment-processing programs available4, things are a lot more up in the air. There are some clear answers, but there’s also a fair amount that people seem very unsure about.

HIPAA is relatively clear about whether those digital records need to be encrypted: no, not necessarily5. Wikipedia puts it a slightly different way: “Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks6 are utilized, existing access controls are considered sufficient and encryption is optional.” Essentially, cloud networks, or data that’s being stored online in some way, needs to be encrypted. But if you’re saving patient data on your personal/work computer (and backing it up—it definitely needs to be backed up, and that backup needs to be password-protected or stored behind lock and key, but I’m not going further into that here), so long as you’re doing that offline, it technically seems to be following the law.
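To make “encrypted” concrete for the cases above where it is required (a backup or a record that leaves the locked office for a cloud service), here is an added example, not code from the post: a small Go program that seals a note under a passphrase, deriving the key with PBKDF2 and encrypting with AES-256-GCM, and that refuses to open the file if the passphrase is wrong or the file has been altered. The passphrase and the sample note are constructed for illustration, and the program uses only Go’s standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Envelope parameters: 16-byte random salt, 12-byte GCM nonce, AES-256 key,
// and a PBKDF2 work factor sized for a human-chosen passphrase.
const saltLen, nonceLen, keyLen, iterations = 16, 12, 32, 600_000

// pbkdf2 is RFC 8018 PBKDF2-HMAC-SHA256, written out with crypto/hmac so the
// example needs nothing outside the standard library.
func pbkdf2(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, numBlocks*hashLen)
	u := make([]byte, hashLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset() // U_1 = PRF(password, salt || INT_32_BE(block))
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		dk = prf.Sum(dk)
		t := dk[len(dk)-hashLen:] // T_block = U_1 xor U_2 xor ... xor U_iter
		copy(u, t)
		for n := 2; n <= iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for i := range u {
				t[i] ^= u[i]
			}
		}
	}
	return dk[:keyLen]
}

// newAEAD turns a passphrase plus salt into an AES-256-GCM cipher.
func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a passphrase. Envelope layout:
// salt (16) || nonce (12) || AES-256-GCM ciphertext || tag (16).
func Encrypt(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := io.ReadFull(rand.Reader, header); err != nil {
		return nil, err
	}
	aead, err := newAEAD(passphrase, header[:saltLen])
	if err != nil {
		return nil, err
	}
	out := append(make([]byte, 0, len(header)+len(plaintext)+aead.Overhead()), header...)
	// The header is authenticated as additional data, so a swapped salt or
	// nonce on a stored file is rejected just like a modified ciphertext.
	return aead.Seal(out, header[saltLen:], plaintext, header), nil
}

// Decrypt reverses Encrypt. A wrong passphrase and a tampered file both fail
// the GCM tag check, so the caller gets one generic error for either case.
func Decrypt(passphrase string, envelope []byte) ([]byte, error) {
	if len(envelope) < saltLen+nonceLen {
		return nil, errors.New("envelope too short")
	}
	header := envelope[:saltLen+nonceLen]
	aead, err := newAEAD(passphrase, header[:saltLen])
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, header[saltLen:], envelope[len(header):], header)
	if err != nil {
		return nil, errors.New("decryption failed: wrong passphrase or file modified")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample note; not real patient data.
	note := []byte("Client J.D. (constructed example): session 3, reviewed homework.")
	sealed, _ := Encrypt("correct horse battery staple", note)
	back, err := Decrypt("correct horse battery staple", sealed)
	fmt.Println("round trip ok:", err == nil && string(back) == string(note))
	_, err = Decrypt("wrong passphrase", sealed)
	fmt.Println("wrong passphrase:", err)
}
```

Note that the passphrase is the only secret: a short or guessable one undermines the scheme however strong the cipher, which is why the post’s advice on strong, memorable passwords applies here too.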

If you’re emailing patients, that’s a little less clear. Guidelines are hard to find. Email is considered non-secure in most cases (barring encrypted email), but the obvious fact that patients often want to email with their providers makes things somewhat more complicated. This is also beyond the scope of this post, but a simple guideline is that additional PHI (beyond name and email address, which are already contained in any message) should be omitted from email wherever possible. The HIPAA guideline on emailing PHI states that “The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

Let’s put it this way: if you have a password on your computer, that’s a key. If that password is required any time the screen locks or you close the lid, then it severely limits access to any stored data: it “prevent[s] intentional or unintentional use or disclosure of protected health information”.

Examples of Good and Bad Practices in Data Security

The good: sufficient, reasonable, and appropriate:

  1. You have a work computer on which you store patient information. Any time the computer is not used for more than 10 minutes, it requires a strong password7 to access your user account. You are the only user of this computer. ✓
    Unless someone steals your computer and guesses or brute-forces your password, your data is protected from anyone using the operating system. One caveat: an account password alone does not encrypt what is on the disk, so a thief who removes the drive or boots the machine from other media can read the files directly; pairing the account password with disk encryption (see the recommendations below) closes that gap. With that addition, this is a prudent method of data security.
  2. You have a laptop that you use for work, but also use it at home to stream videos and email. Your child or partner uses the laptop too. Therefore, you have two accounts on the computer. You sign into one with a strong password, as above, and use that for work. Your personal account either has a short password everyone in your family knows, or is completely unsecured, but no-one else knows your work account’s password. You always sign out of your work account when you’ve finished. ✓
    Using two accounts means that your data is not going to be unintentionally affected by another user. Your data is secured on a password-protected account that is only used for work.
  3. You use a shared computer (or several shared computers) at work at a small clinic. You sign into a password-protected account to write notes and store those notes locally, on the computer on which you write them. Others who use the computer have their own, separate, password-protected accounts. Files are backed up regularly, in a password-protected backup, on an external hard drive. For billing purposes, you and your colleagues update a shared, password-protected database with client names and the sessions they have attended. This database is stored locally on an external hard drive, and never sent via email. (Alternatively, it is stored on an encrypted cloud service.) All passwords are only known to those who need access to files. ✓
    Keeping files stored locally, on accounts with strong and separate passwords, means that clinicians don’t have access to files they don’t need. Keeping a database is of course often necessary when providing services, but keeping it password-protected means that it is as close to locked as possible. Emailing it would reduce the security of this file, since email is normally relayed and stored without end-to-end encryption, so an unencrypted copy may sit on every server and in every mailbox it passes through. Using an encrypted cloud service8, or keeping the file stored locally, seems sufficient.

The bad: insufficient protection:

  1. You have one laptop computer which you use for notes and billing. You only have one account which is password-protected. However, your child or spouse knows your password, and occasionally uses your computer. ✗
    This is a parallel to the second example above. Why is it not secure? Because the family member has access to the PHI. This situation is better than no password at all, but it is certainly not following best practices.
    How do we resolve this? This could be readily fixed in several ways: you could make a second account for your family members, and only use this account for work. You could also use a service that encrypts specific folders on your laptop so that only someone with an additional password is able to access those files.
  2. You have a desktop computer, or several computers, which is/are used by all staff at your work. There is one primary account on these computers. Clinicians sometimes enter PHI onto the shared account on these machines. Because the machines are shared, they are left logged in all day. ✗
    This is a more complex situation that’s harder to resolve. Why is it not secure? Because clinicians share credentials to access the machines. Moreover, although there may be a secure password, machines are left logged in at all times, and thus could be accessed by unauthorized users.
    How do we resolve it? With one computer only, creating individual accounts for every clinician might be best; a shared local drive could be used for storing information that needs to be shared between staff members (e.g., a database). With several computers, all used interchangeably by staff members, solutions may include individual accounts on every computer, web-based note / billing options, or individual accounts on an encrypted cloud service (see note 8) that users can sign into over the web.
  3. As in the third example above, you work in a small clinic and have shared computer(s). Users have their own accounts, with strong passwords. All users’ account passwords are kept in a spreadsheet by the clinic director. A database for billing and administrative purposes is kept online using an encrypted cloud storage service, and is password-protected. ✗
    This sort of situation is quite common. Why isn’t it secure? Because the passwords to all of the accounts are stored in plain text in a file somewhere, so anyone who opens that spreadsheet (or a backup of it) has every clinician’s account. (Many real life situations are worse, and involve sticky notes with passwords placed next to computers.)
    The resolution is simple: don’t store passwords in print or in files on a computer. There are excellent and free password managers that protect a number of passwords (i.e., here, the individual user accounts) behind a single, strong master password9 . Alternatively, give the director an administrator account on each computer; an administrator can reset a user’s password if it is forgotten, so nobody needs to keep a record of anyone else’s password.
  4. You keep hand-written notes for all clients in a locked filing cabinet in your office; the key is kept on your key ring. You use a database with client PHI including names, addresses, and phone numbers. The database is stored on a password-protected account on Google Drive, or stored using email. ✗
    Why isn’t this secure? Although your paper files are secure, the client database is not secure. It’s easy to resolve, though. A database containing PHI either needs to be kept locally (not on the internet), or kept on a secure, encrypted cloud storage service (again, see note 8).

Recommendations for Good Data Security

Obviously, I’ve made some sort of recommendations above in discussing good and bad examples of data security. Nonetheless, below are some guidelines for storing electronic patient data ethically and legally.

  1. Anyone accessing a computer that they will use to store PHI should have an account on that machine with a strong password, that is only used for work purposes.
  2. If you have a private practice, use a work account for billing and notes. If you work in a clinic, create individual accounts for every clinician.

  3. Encrypt PHI whenever it is being sent or stored online.
  4. Databases or files that need to be shared should be password-protected and placed on an encrypted cloud-based service, with a link sent by email, rather than attached to the email itself. (For example, a password-protected database containing client information is stored on encrypted cloud service X. It needs to be shared with person B, so a link to that web service is emailed to them, but they then use their own credentials to sign into that web service to access the database.)

  5. Back up everything in a password-protected backup.
  6. Digital information should be backed up regularly, since it’s very easy to lose files, or have a problem with your hard drive. You can do this securely in a few ways:

    1. Back up to an external hard drive, and keep that hard drive locked in a filing cabinet.
    2. Make an encrypted backup to an external hard drive. (Unfortunately, full backups like Time Machine on the Mac are not encrypted by default, or even protected by a password; you have to select the “Encrypt backups” option when choosing the backup disk.)
    3. Back up your important files to an encrypted cloud-based service.

  7. Make sure patients know that email is unsecure, and use email as little as possible.
  8. Emailing with patients is definitely okay by HIPAA, but patients who want to email personal information need to be made aware of the fact that email is not confidential. (And no, adding a disclaimer at the end of your email doesn’t do much. Some quick web-searching will turn up plenty of articles explaining why not. An actual conversation with patients may be warranted.)

  9. Where possible, use file-level or disk-level encryption to encrypt even data stored locally.
  10. Newer Macs have FileVault and newer Windows computers have BitLocker, which both encrypt the whole disk at the system level (while you are logged in, your files are readable; once the machine is shut down, they are not). You can use software like VeraCrypt, DiskCryptor, or AxCrypt to encrypt at a smaller scale (you can read more about these applications here, or elsewhere on the web). These tools bundle files into an encrypted container, much like putting them into a folder that needs a password to be opened, but a lot more secure. Either adds an additional layer of security, much like having a locked file cabinet inside of your locked office.
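As an added example (not code from the original post), here is one way to carry out recommendations 3, 6 and 10 with tools that ship on most Macs and Linux machines: bundle a notes folder with tar, encrypt it with OpenSSL using a key stretched from a passphrase, and restore it to prove the backup actually works before trusting it. The folder and file names and the passphrase are placeholders chosen for the example, the sample note is constructed and contains no real PHI, and the script assumes a POSIX shell, tar, and OpenSSL 1.1.1 or later (needed for the -pbkdf2 option).

```shell
#!/bin/sh
# Added example, not from the original post: an encrypted backup of a notes
# folder using tar + OpenSSL, plus a restore check.
# Assumptions: POSIX sh, tar, and OpenSSL 1.1.1+ (for -pbkdf2) are installed.
# The folder and file names and the passphrase below are placeholders.

# encrypt_backup SRC_DIR OUT_FILE
# The passphrase is read from the BACKUP_PASSPHRASE environment variable so it
# never appears on the command line, where other users could see it with ps.
# -pbkdf2 -iter 200000 stretches the passphrase into the AES key; -salt makes
# two backups with the same passphrase produce different ciphertext.
encrypt_backup() {
    tar -C "$1" -cf - . |
        openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
            -pass env:BACKUP_PASSPHRASE -out "$2"
}

# decrypt_backup IN_FILE DEST_DIR
# Exits non-zero if the passphrase is wrong or the file is damaged.
decrypt_backup() {
    mkdir -p "$2"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:BACKUP_PASSPHRASE -in "$1" |
        tar -C "$2" -xf -
}

# backup_roundtrip: builds a constructed sample notes folder, backs it up,
# checks that the ciphertext does not contain the plaintext, restores it with
# the right passphrase, and confirms that a wrong passphrase is rejected.
# Returns 0 on success, 1 on any failure.
backup_roundtrip() {
    work=$(mktemp -d)
    mkdir -p "$work/notes"
    # constructed sample note; not real PHI
    printf 'client-0001 session 3: reviewed homework (sample text)\n' \
        > "$work/notes/client-0001.txt"
    rc=0

    BACKUP_PASSPHRASE='correct horse battery staple'   # placeholder passphrase
    export BACKUP_PASSPHRASE
    encrypt_backup "$work/notes" "$work/notes-backup.tar.enc" || rc=1

    # the encrypted file must not reveal the note in the clear
    if grep -q 'session 3' "$work/notes-backup.tar.enc"; then rc=1; fi

    decrypt_backup "$work/notes-backup.tar.enc" "$work/restore" || rc=1
    if ! cmp -s "$work/notes/client-0001.txt" "$work/restore/client-0001.txt"; then
        rc=1
    fi

    # a wrong passphrase must fail rather than silently restore garbage
    BACKUP_PASSPHRASE='not the passphrase'
    if decrypt_backup "$work/notes-backup.tar.enc" "$work/bad" 2>/dev/null; then
        rc=1
    fi

    unset BACKUP_PASSPHRASE
    rm -rf "$work"
    return $rc
}
```

Copy the resulting .tar.enc to the external drive or to the cloud service, and keep the passphrase in your password manager, not on or next to the drive. Note that openssl enc provides confidentiality only: a corrupted or tampered archive is not detected until a restore fails, which is one more reason to test restores on a schedule rather than assuming the backup is good. gpg --symmetric does the same job with built-in integrity checking, if it is available.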

File encryption doesn’t appear to be strictly necessary for HIPAA compliance, at this point. That may change, however. As encryption becomes easier and more user-friendly, and as more of our lives is taken online, encrypting PHI and information relating to patient care may increase in importance. As a patient, I would want to know that my doctor or my psychologist was taking pains to keep my data not just relatively secure, but as well-protected as she or he knew how. As such, keeping such information encrypted, so that a lost laptop or a copied file can’t be read by whoever ends up with it and certainly can’t be accidentally accessed, seems more and more important.

  1. There are 18 identifiers included under PHI, or Protected Health Information. These are (thanks, wikipedia): Names; geographical identifiers smaller than a state; dates (other than year) directly related to an individual; phone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health insurance beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers; full face photographs; and any other unique identifiers. []
  2. American Psychological Association. (2007). “Record Keeping Guidelines.” American Psychologist, DOI: 10.1037/0003-066X.62.9.993 []
  3. Based on the DSHS website. []
  4. There are tons of online/software options for note-taking, billing, and client management. They’re often referred to as dealing with “mental health EHR” or “electronic health records”, and searching online for comparisons will provide lists. They provide such services as data/notes storage, encryption, and billing; some are definitely better than others. []
  5. The full text of that page from the HHS website is as follows: Is the use of encryption mandatory in the Security Rule?

    Answer: No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision. []

  6. A closed system here doesn’t seem to mean a system that never accesses the internet, although that would be the ideal, but rather at least one where the files are stored locally and not accessed by anyone who doesn’t have physical access to the machines. []
  7. It seems like a lot of people have trouble understanding what a strong password is. If you’re interested in reading about the topic; a quick internet search for “strong password security” will bring up a bunch of articles, e.g., this one. There’s also the xkcd “password strength” webcomic, which has a pretty strong method that essentially involves stringing together words for password strength. []
  8. These days, more cloud services are encrypting data when it is sent to their servers, and while it “rests” on those servers. The free, consumer Google Drive (as of this day in December in 2015) is not offered under a BAA and does not let you hold the encryption key, and is thus not considered at all secure for patient data. Other services (e.g., Box.net, Dropbox) appear to have encryption, and there are also secondary services like BoxCryptor which encrypt files before they are uploaded to those cloud services. These services are relatively inexpensive. Their use with PHI requires signing a business associate agreement (BAA), presumably because they are storing data and metadata with PHI. Box.net officially describes itself as HIPAA compliant, and Dropbox does as well. For someone in private practice, or a small clinic, the BAA requirement may be somewhat complex, but seems to be necessary for compliance.

    BoxCryptor, or other services that encrypt data locally, appear to side-step this problem, as they encrypt your data and never have access to it themselves. BoxCryptor’s website explains (minor modifications mine): “Boxcryptor encrypts the files locally on the user’s device. The encrypted files are only stored on the user’s device and then synchronized to the [cloud storage] provider of choice. Moreover, all sensitive user information (e.g. private keys etc.) is encrypted on the user’s device before [being] uploaded to our servers. So although BoxCryptor is optimized for cloud storage, it does not hold any PHI on its servers. Despite this, we sign Business Associate Agreements (BAA) at no additional cost.” As such, one could also use tools like VeraCrypt, DiskCryptor, or AxCrypt, which encrypt files or partitions locally, and then upload the encrypted containers to the cloud while complying with HIPAA. []

  9. PCMag has a summary of free password managers: Rubenking, N.J. (2015). “The Best Free Password Managers for 2015.” []

This is an online journal for Justin Dainer-Best.