We institute strict procedures to maintain confidentiality and will adhere to the 2021 HIPAA Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule). No personally identifiable information will be collected from the user when using Ditti. Each user will be assigned a unique user ID. The user ID contains no personal identifiers. A database will be created in AWS DynamoDB and managed by AWS AppSync, both affiliates of Amazon Web Services, and maintained by UPenn staff. All data will be anonymous. No pseudonyms or other identifiers will be used except for a randomly assigned user identification number maintained in the aforementioned Amazon Web Services and exported to a CSV (comma-separated values) file for further analysis. There will be no paper forms. Release of patient information to other parties not affiliated with the UPenn team will be governed by the HIPAA Privacy Rule guidelines.
Database Security/Protection against Risk: Only UPenn staff will have access to the data in this database. Once a participant is in this system, they will be given a user ID. The user ID will be used on all analytical files. No results will be reported in a personally identifiable manner. Each staff member has participated in required HIPAA privacy compliance training. The use of password protection programs for all computerized records will be in effect. In no instances will identifying information be publicly disclosed. Results from the Ditti app will be reported in aggregate. All data will be stored in a single relational database. Datasets are stripped of all personally identifiable information when exported for analysis. The user will log into the mobile application using their User ID assigned by the UPenn team to ensure that the user does not create a User ID that includes protected health information (PHI) by accident (i.e. passwords reflecting a date of birth or address). AWS AppSync is used to add, edit and delete users from the Ditti application and synchronize this data with the mobile application. AWS DynamoDB stores this information and allows staff to export data generated by Ditti when users use the app. The only data sent to this database for analysis are the assigned User IDs and timestamps associated with opening the app and engagement with the app.
The University of Pennsylvania Health System (UPHS) also has guidelines in place for mobile devices and software. These include documentation of information security controls, incident response program, compliance certifications (OWASP, etc.), privacy practices, physical data security, and subcontractors. This plan has been reviewed and approved by the University of Pennsylvania IRB. Additionally, these approaches have been used previously by our group for mobile device projects to successfully maintain user confidentiality.