Zhong, X., Li, S., et al. (2025). Journal of Medical Internet Research, 27, e76571.
Abstract
Background:
The application of large language models (LLMs) in health care holds significant potential for enhancing patient care and advancing medical research. However, the protection of patient privacy remains a critical issue, especially when handling patient health information (PHI).
Objective:
This scoping review aims to evaluate the adequacy of current approaches and identify areas in need of improvement to ensure robust patient privacy protection in the existing studies about PHI-LLMs within the health care domain.
Results:
This study systematically identified 9823 studies on PHI-LLM and included 464 studies published between 2022 and 2025. Among the 464 studies, (1) a small number of studies neglected ethical review (n=45, 9.7%) and patient informed consent (n=148, 31.9%) during the research process, (2) more than a third of the studies (n=178, 38.4%) failed to report whether effective measures were implemented to protect PHI, and (3) there was a significant lack of transparency and comprehensive detail in anonymization and deidentification methods.
Conclusions:
We propose comprehensive recommendations across 3 phases—study design, implementation, and reporting—to strengthen patient privacy protection and transparency in PHI-LLM. This study emphasizes the urgent need for the development of stricter regulatory frameworks and the adoption of advanced privacy protection technologies to effectively safeguard PHI. It is anticipated that future applications of LLMs in the health care field will achieve a balance between innovation and robust patient privacy protection, thereby enhancing ethical standards and scientific credibility.
Here are some thoughts:
Of particular relevance to mental health care professionals, this scoping review on patient privacy and large language models (LLMs) in healthcare sounds a significant alarm. The analysis of 464 studies reveals that nearly 40% of research using sensitive patient health information (PHI) failed to report any measures taken to protect that data. For mental health professionals, whose clinical notes contain profoundly sensitive narratives about a patient's thoughts, emotions, and personal history, this lack of transparency is deeply concerning. The findings indicate that many LLM applications, which are increasingly used for tasks like clinical note-taking, diagnosis, and treatment recommendations, are being developed and deployed without clear safeguards for the uniquely identifiable and stigmatizing information found in mental health records.
Furthermore, the review highlights a critical gap in ethical reporting: nearly a third of the studies did not report whether patient informed consent was obtained. In mental health, where trust and confidentiality are the cornerstones of the therapeutic relationship, using a patient's personal story to train an AI without their knowledge or consent represents a fundamental breach of ethics. The report also notes a severe lack of detail in how data is de-identified. Vague statements about "removing PII" are insufficient for mental health text, where indirect identifiers and the context of a patient's unique life story can easily lead to re-identification.
