Privacy in the Information Age Unique Issues for AAC Users Features
Features  |   November 01, 2002
Privacy in the Information Age
Author Notes
  • Sarah W. Blackstone, is the president of Augmentative Communication, Inc. and a project director of the AAC-RERC: Engineering Advances for Communication Enhancement in the New Millennium. Contact her by e-mail at
    Sarah W. Blackstone, is the president of Augmentative Communication, Inc. and a project director of the AAC-RERC: Engineering Advances for Communication Enhancement in the New Millennium. Contact her by e-mail at×
  • D. Jeffery Higginbotham, is an associate professor in the department of communicative disorders and sciences at the State University of New York at Buffalo and is the director of the Communicative and Assistive Device Laboratory. Contact him by e-mail at
    D. Jeffery Higginbotham, is an associate professor in the department of communicative disorders and sciences at the State University of New York at Buffalo and is the director of the Communicative and Assistive Device Laboratory. Contact him by e-mail at×
  • Arthur W. Williams, III, is president of AWW Associates, LLC, a health care management and information technology consulting firm. He assisted ASHA in the development of its member compliance strategies related to the HIPAA electronic data interchange and privacy rules. Contact him by e-mail
    Arthur W. Williams, III, is president of AWW Associates, LLC, a health care management and information technology consulting firm. He assisted ASHA in the development of its member compliance strategies related to the HIPAA electronic data interchange and privacy rules. Contact him by e-mail×
Article Information
Augmentative & Alternative Communication / Features
Features   |   November 01, 2002
Privacy in the Information Age
The ASHA Leader, November 2002, Vol. 7, 1-13. doi:10.1044/leader.FTR1.07202002.1
The ASHA Leader, November 2002, Vol. 7, 1-13. doi:10.1044/leader.FTR1.07202002.1
People everywhere are concerned about privacy issues and technology, and rightly so. Computer technology is an increasingly powerful tool, which can be used—or misused—for a myriad of purposes. Today, computer technologies manage our medical records, collect our credit reports, analyze our spending patterns, and sell these data to others (just look at the junk mail you receive every day). These technologies also can be used for more sinister purposes such as committing fraud and identity theft.
Unique privacy concerns, both ethical and regulatory, confront individuals who rely on augmentative and alternative communication (AAC) technologies and the speech-language pathologists and other practitioners who provide them with services. These clients and professionals need increased awareness of and information about the final Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule, which governs information that is stored and transmitted electronically.
Let’s consider some real-life scenarios. Each illustrates the privacy problems associated with AAC. SLPs need to be mindful of the ethical and regulatory issues at stake when working with people who rely on AAC devices to communicate.
  • “My personal aide scares me!” Spoken by an individual using her AAC device who was worried that her personal assistant might look at her log file or message buffer to learn what she had said about him or become privy to other private information. This may be a violation of HIPAA.

  • “When I looked into his buffer, I found out he was gay. I never knew that!” Stated by a professional who inadvertently read the message buffer on a device without permission and then reported that information. This is a violation of HIPAA.

  • “Please help me go to the bathroom.” Spoken by an individual using a device to his aide, and overheard by those around him. This represents unintended, device-mediated eavesdropping, but it is not a violation of HIPAA. It is an artifact of the design of speech-generating devices (SGDs).

  • “Now I can see if they are delivering therapy services.” Spoken by an administrator to express the notion that communication logs on an AAC device could be used by employers or supervisors to check on employee performance. This would be a violation of HIPAA.

Privacy, Confidentiality, and Informed Consent
The examples above illustrate violations of an individual’s privacy and breaches in confidentiality between the consumer and the practitioner. Privacy can be defined as the state of being free from unsanctioned intrusion (The American Heritage Dictionary of the English Language, 4th ed.). When information is taken from individuals without permission, their privacy has been violated. Confidentiality represents agreement between a practitioner and the consumer guaranteeing the privacy of the consumer’s personal information (Online Medical Dictionary). Informed consent is the confidentiality contract between the practitioner and the consumer. It establishes the ethical right of the patient to direct what happens to her body and the ethical duty of the practitioner to involve the patient in her health care. Based on the Nuremberg Code, voluntary consent means that the consumer should:
  • have legal capacity to give consent

  • be able to exercise free power of choice, without being forced, deceived, pressured, or intimidated

  • possess sufficient knowledge and comprehension of the subject matter to make an informed decision

Privacy, confidentiality, and informed consent are ethical and legal constructs that underlie the relationship between professionals and the individuals whom they serve.
The final HIPAA privacy rule covers all individually identifiable health care information in any form, electronic or nonelectronic, that is held or transmitted by a “covered entity” such as a health care provider, a third-party payer, or any of their “business associates” who come into contact with these data. A covered entity that collects, stores, or transmits data electronically, orally, in writing, or through any form of communication, including some forms of fax transmission, is subject to the HIPAA privacy regulation and must comply with all measures prescribed in the rule protecting patient/client privacy. Although HIPAA does not provide individuals who rely on AAC with privacy protection in all cases, it does regulate covered entities and provide protection in cases where a covered entity overhears a patient talking to someone else or happens to see something on the screen of an AAC device.
HIPAA excuses teachers and others in most school-age educational settings from compliance with its provisions because the Family Educational Rights and Privacy Act protects the privacy of educational information. Also, when state laws or regulations enforce an even higher privacy standard than HIPAA, these will supercede HIPAA.
Under HIPAA, there are legal penalties for covered entities that use unauthorized information received intentionally or unintentionally. All unintentional disclosures of protected data should be reported to the client through mechanisms stated in the rule. If it is not and the covered entity chooses to use the information (even though received unintentionally), that covered entity is subject to monetary fines or possible imprisonment if the use is for truly nefarious purposes.
Most SLPs collect and transmit some type of information about individuals in electronic form. Thus, they are a “covered entity” and, therefore, regulated by HIPAA. A covered entity is a health care provider who electronically collects, stores, or transmits protected personal health information (PHI). Under the “minimum necessary” rule of HIPAA, an SLP would not use a client’s buffer or log except as a component of the diagnosis or treatment of the individual under their care. The rule states that the information made available to a covered entity should be only that which is necessary for treatment purposes, payment, or to conduct normal operations within the covered entity’s practice.
HIPAA does not cover communications between noncovered entities. In most instances, the patient, the guardian, or that individual’s friends are not covered entities and are not covered by HIPAA. However, an independent person functioning in the capacity of a personal assistant would be considered a covered entity if, and only if, that person electronically stores or transmits protected health care information to another covered entity.
To the extent possible, when recommending equipment and developing AAC materials, the SLP will consider AAC devices that more readily facilitate the security of PHI. The SLP also will strive to protect PHI by providing essential design features, vocabulary, and training that emphasize the rights to privacy and informed consent of individuals who rely on AAC devices, strategies, and techniques. The SLP is responsible for protecting the confidentiality of the PHI and, therefore, the SLP is also responsible for making sure the PHI is not easily accessible to anyone who has no right to access it, covered entity or noncovered entity.
AAC Technologies
Although SGDs are used for conversational purposes, their construction puts users at risk for privacy violations. For example, voice-mediated communication is transitory, and natural speakers can easily modulate their speech to protect their privacy by whispering, directing, and timing their utterances. However, AAC users do not have adequate control over the acoustic characteristics of their talk, making it difficult to direct their communications to specific individuals. Augmented speakers also have limited control over the visual display and the message buffer of their devices. As illustrated in the privacy violation examples, an unprotected message buffer can be a major source of privacy problems.
New SGDs offer both text- and audio-data logging. Although this technology holds promise for better assessment and intervention practices, the logs of a person’s discourse history can be obtained, inspected, stored, and transmitted by one person to another, potentially putting the user at some risk.
Changes in Privacy Rule
The most notable change in the new final privacy rule involves the issue of a signed consent. Although the rule still permits providers to voluntarily require signed consent statements from patients prior to treatment, covered entities will no longer be required to obtain the consent in writing. Remaining in place, however, is the requirement that all patients receive a copy of the provider’s “Notice of Privacy Practices” and that the provider make a “good faith effort” to obtain written acknowledgment of its receipt. The Notice of Privacy Practices explains how the provider will use the patient’s PHI and outlines what steps are taken by the provider to protect confidentiality.
Other changes include clarification of the minimum necessary standard that now explicitly states that a covered entity can freely disclose PHI to another covered entity as long as it is for the purpose of treatment, payment, or in the conduct of performing routine health care operations (TPO). The major caveat is that disclosure of any PHI that is irrelevant to the purpose of the disclosure—such as information about an individual’s recent foot surgery that may be in the buffer of the AAC device—is prohibited. Thus, the SLP would not include information that the foot surgery took place, but would instead focus on the characteristics of the message and context in which these facts were communicated.
Considerations for Practitioners
To ensure the privacy of their consumers, those in private practice will have to conduct HIPAA compliance programs. To do this, they need to educate themselves on HIPAA regulations, conduct a gap analysis of their practice policies and procedures, and undertake a compliance implementation program. Easy-to-use compliance solutions specific to speech-language pathology practices are currently being developed and will be available soon. These products will help SLPs move from a state of noncompliance to full compliance with HIPAA’s privacy rule.
When placing information on communication boards and AAC devices, SLPs should give careful thought to the privacy and safety implications of including personal information (address, phone number, religion, political affiliation, etc.). This is particularly important when the individual does not understand basic privacy issues because that person is at higher risk for being taken advantage of.
It is also important to realize that it is easy to inadvertently violate the privacy of individuals who use AAC technologies. Eavesdropping is common because of the design and use of low-tech displays (e.g., communication partners typically speak aloud as the individual points to message components) and AAC devices (e.g., people will read what’s on the screen). SLPs can provide vocabulary and conduct training to help individuals protect their privacy (e.g., “Please don’t read my display.”).
SLPs also can provide training to assist augmented speakers in dealing with other characteristics of AAC technologies, such as precisely timing speech output to conform to public expectations of conversations. It is necessary to train practitioners, augmented speakers, and family members to be aware of and to operate the data-logging system. In addition, AAC manufacturers can consider future equipment design features that help people lower the volume of a device, protect private information, and prevent unsolicited viewing of previously spoken materials (e.g., password protection and encryption of the message buffer and data-logging system).
Even though the user and family are not covered by HIPAA, it is incumbent on the clinician to assure individuals’ privacy, even from family, when patients do not wish to share their PHI. HIPAA requires that any breaches of this confidentiality be reported to the owner of the PHI and that individuals have full access to records of who has received their PHI, either as a breach of protocol or for normal TPO. It is also important to be aware that, without familiarity with the technology and trust in the confidentiality agreement, family members and other communication partners may be reluctant to converse with someone using the data-logging features, for fear of being identified through the log files.
Device features that permit unsolicited viewing of previously spoken materials are in potential violation of HIPAA. This could include text buffers and log files if they are not built with provisions for password protection and data encryption. Ease of use for clinicians is important but not paramount to privacy concerns. Providing informed consent for data logging helps to ensure that individuals are informed, understand, and give their permission to take part in the collection of log files and that the resulting data will be used in the manner indicated by the professional.
Clinicians can incorporate effective informed consent procedures in their practices with regard to log filing. This may include disclosing information about:
  • the type of information being sought (speed and accuracy data, vocabulary)

  • the setting where data would be collected (clinic setting, class, home for the next three days)

  • expectations of the individual during the time data logging occurs (“Please communicate normally.”)

  • how confidentiality will be maintained (“Conversations will not be shown to any other individual.” “A summary of the data will be put into your clinical record; we will never see the content of the log file, only summary measures will be made.”)

  • security, intended use, and disposal of the data (“Logs will be stored on my computer system.” “We plan to share the results with the professional community.” “Transcripts will be stored in your folder for two years.”)

  • any other risks associated with the collection of the log file data

  • how the individual can terminate participation in the study/clinical trial.

Finally, log-filing features that provide password protection, encryption, and file deletion can help ensure the use of data logs only by authorized individuals.
Intentional violations of privacy occur infrequently. More prevalent today are the unintentional and less obvious privacy violations (e.g., looking at a device output display, speech broadcast to unintended listeners) that occur when individuals who rely on AAC technologies interact with others.
To protect the privacy of augmented speakers, steps can be taken that include modifying features of AAC devices, as well as modifying the way we conduct our practices. For example, to deal with issues related to the device buffer, short key codes can restrict access to the buffer while allowing display to authorized people. In addition, SLPs can use clinical procedures that limit unintended, unauthorized viewing of buffers and log files and ensure the informed and conscious use of this technology for authorized clinical and research purposes.
For more information about HIPAA, visit ASHA’s Web site or contact Ingrida Lusis through the Action Center at 800-498-2071, ext. 4482, or by e-mail at
The authors wish to acknowledge and thank Carole Krezman and Michael B. Williams. Their ability to advocate for and articulate the perspectives of individuals who rely on AAC devices and family members’ concerns about privacy issues underlie the true meaning of this article.
Submit a Comment
Submit A Comment
Comment Title

This feature is available to Subscribers Only
Sign In or Create an Account ×
November 2002
Volume 7, Issue 20