HIV Client Perspectives on Digital Health in Malawi

eHealth has strong potential to advance HIV care in low- and middle-income countries. Given the sensitivity of HIV-related information and the risks associated with unintended HIV status disclosure, clients' privacy perceptions towards eHealth applications should be examined to develop client-centered technologies. Through focus group discussions with antiretroviral therapy (ART) clients from Lighthouse Trust, Malawi's public HIV care program, we explored perceptions of data security and privacy, including their understanding of data flow and their concerns about data confidentiality across several layers of data use. Our findings highlight the broad privacy concerns that affect ART clients' day-to-day choices, clients' trust in Malawi's health system, and their acceptance of, and familiarity with, point-of-care technologies used in HIV care. Based on our findings, we provide recommendations for building robust digital health systems in low- and middle-income countries with limited resources, nascent privacy regulations, and political will to take action to protect client data.


INTRODUCTION
eHealth 1 initiatives, including computer-and tablet-based interventions, offer great promise for health systems to enhance human immunodeficiency virus (HIV) care, especially in low-and middleincome countries (LMICs) where HIV prevalance is high [43].eHealth is considered a key tool for addressing challenges across the HIV care cascade, including testing, diagnosis, adherence to antiretroviral therapy (ART), and viral suppression [6,13,88,97].Especially in HIV care, security and privacy 2 issues are of utmost importance, as eHealth applications, such as electronic medical record (EMR) systems, contain sensitive information and data exposure could leave people living with HIV (PLHIV) to the face of stigma and discrimination.While the urgency to address digital security concerns has garnered attention from researchers within HCI [15,40,49,60,66,68,77] and beyond [31,32,70,71], the privacy considerations of PLHIV are broad -extending beyond threats in the digital space to include concerns around disclosing positive HIV status and the health system's efforts to protect client confidentiality.As adoption of eHealth systems gains momentum, consideration of client preferences, perspectives, and experiences, including privacy concerns, should be prioritized [82] for making operational decisions in deploying client-centered technology and easing the adoption of eHealth interventions [44,50].However, consideration of, and amplification for, client perspectives is still lacking, including in LMICs where eHealth implementation is expanding rapidly [30].
To give voice to clients' perspectives in an LMIC context, we investigated how HIV positive clients on ART at one of Malawi's largest public service delivery partners for HIV care, Lighthouse Trust (hereafter referred to as Lighthouse), perceive data security and privacy in the context of electronic and mobile data collection.By exploring clients' views, we expand the understanding of how PLHIV navigate privacy, create opportunities for enhancing clientcentered eHealth care, and provide a forum for clients to express their recommendations for data privacy improvements in the health system.The motivation for this study is an effort by Lighthouse to test expanded use of its EMRs for client management with optimized tablet-based data collection in rural and low connectivity settings and to strengthen security processes for HIV care.Lighthouse is a public ART clinic that operates under the Malawi Ministry of Health (MoH) and serves as a testing ground for client care innovations.As such, Lighthouse is an ideal setting to inform privacy improvements within the broader MoH eHealth system.
We address the following research questions in this work: • RQ1: How do ART clients receiving HIV care in Malawi consider privacy?• RQ2: How do ART clients perceive the efforts of Malawi's health system to protect client privacy?• RQ3: How do ART clients understand the processes involved in eHealth initiatives at Malawi's HIV care program, including digital data collection tools and data management?
We conducted focus group discussions with ART clients who receive routine care from Lighthouse.Our findings highlight clients' broad concerns with privacy in the health system, their trust in Lighthouse and Malawi's MoH to protect privacy, and their understanding of the data pipeline and digital health system.With respect to RQ1, PLHIV have a broad privacy framework that centers around concerns and fears associated with unintended disclosure of positive HIV status, although these concerns carried less weight when disclosing within the HIV community.With respect to RQ2, clients' trust in Lighthouse's devices for data collection and their interests in contributing their data are an outgrowth of their trust in the broader healthcare that they receive.With respect to RQ3, clients' mental models of Lighthouse's point-of-care technologies indicate their familiarity with data flow and recognition of the value of devices for data collection and management, though there was uncertainty about the technologies' security mechanisms and exact usage practices.
More broadly, we illuminate ART clients' perceptions of Lighthouse's eHealth system and protection of client privacy, contributing recommendations and considerations that could inform both Malawi's MoH and other LMIC policies and practices as digital health systems are strengthened and scaled.

BACKGROUND
Sub-Saharan Africa has approximately 25.5 million PLHIV [2].Given Sub-Saharan Africa's high burden of HIV and increasing technology use, eHealth strategies have been employed to support HIV service delivery [67], including monitoring adherence to ART, managing patient data, and managing the ART supply chain [6,13,28,29,88,97].
This study was conducted in Lilongwe, the capital city of Malawi, a country in Southern Africa with over 50% of the population living in poverty [12].Malawi has over 900,000 PLHIV (approximately 8% of the adult population) [3].Lighthouse is a registered public trust and a WHO recognized center of excellence whose role is to support the Malawi MoH's HIV response.Lighthouse provides services spanning integrated HIV prevention, testing, treatment, and care across two large urban facilities in Lilongwe district in partnership with Malawi's MoH.All Lighthouse facilities employ Malawi's real-time point-of-care EMR system, launched in 2010, to ensure that ART services comply with HIV guidelines and to ease client-and clinic-level monitoring and evaluation [23,94].The computers at the facilities are stationed at the reception desk, vital signs station, laboratory, examination rooms, and pharmacy, to enter and access EMRs (Figure 1

left).
In 2016, Lighthouse introduced community-based care (CBC), a nurse-led community-based ART program where stable clients registered at facilities can access ART services at one of 120 communitybased distribution points within Lilongwe, including churches, schools, outdoor areas, and client homes.At CBC settings, community health nurses collect client data using an offline tablet-based application that operates in rural and low connectivity environments (Figure 1 middle).Due to restrictions in connectivity and automatic data synchronization, the current version of the tablet-based application locally stores client data until the tablets are returned to the facilities and the data is entered into the EMR system in the computers.With the increasing demand for CBC, Lighthouse is testing a new offline-first tablet-based application to expand the reach of EMRs to CBC settings for facilitating efficient data collection and making client history available to the providers.CBC clients are familiar with both computer-based data collection at the facilities and tablet-based data collection at the CBC settings.The services that are offered through CBC are the same as those at the facilities, which include, but are not limited to adherence monitoring (pill count), screenings, client side-effects and co-morbidity review, refill of prescriptions, documentation of current health status on clients' health passport booklets and on the tablet-based application, and issuing of next appointment date.
At both facilities and CBC settings, clients use portable, paperbased health passport booklets which are usually kept by clients (Figure 1 right).Each ART client is issued an ART barcode that is attached to the health passport.The barcode is scanned at facilities' computers and entered manually in CBC settings' tablets to confirm client identity and to facilitate longitudinal data capture.The health passport is used to check in the client for the appointment and for the provider to manually record information relevant to the client's health.

RELATED WORK 3.1 Fear of Inadvertent Disclosure of Positive HIV Status
Disclosure of positive HIV status is recognized as an important first step for preventing transmission, ensuring effective treatment, and receiving social support [20,21,41,85].However, disclosure risks leaving PLHIV vulnerable to financial and social ruin [54], posing a challenge for PLHIV to disclose to access clinical and social support [62].PLHIV consider various factors in the disclosure process, including disclosing to whom, for what purpose, and how.Often, PLHIV practice selective disclosure of positive HIV status, in which individuals disclose to some people, such as trusted partners, family members, and healthcare providers, but not to others [39,41,90].Some PLHIV view disclosure as a path to destigmatizing and normalizing HIV [93] and share stories of perseverance and hope to motivate other PLHIV to seek support and disclose to their sexual partners [62].For others, disclosure helps with securing a support system for when one falls ill [51].LMIC-based studies find that HIV stigma acutely influences PLHIV's decisions in their care, including accessing ART services far from their homes to avoid unwanted disclosure [18,51,72,79,101] and having difficulty with treatment adherence out of fear of being seen consuming pills [25,61].
In the HCI community, PLHIV's concerns of disclosure in datarelated activities have been examined through the usage of social media [9,10,54,[91][92][93] and technologies for supporting disclosure processes and coping with HIV-related stigma [48,53].The literature highlights PLHIV's values and needs for privacy and confidentiality in their concealment of HIV status [53,92,93] and fears of unintended disclosure of positive HIV status in privacyeffective environments [48].From a study in Ethiopia, Bezabih et al. [7] highlight disclosure as a process as opposed to a one-time event, in which positive HIV status is discreetly disclosed through a step-by-step approach of using indirect signals and cues or selective disclosure.However, much of the HCI literature focuses on disclosure and privacy considerations outside of the healthcare context.Accessing ART services carries a risk of inadvertent disclosure of HIV status due to the abundance of sensitive data that is collected and moved through the health system [86].Thus, fear of unintended disclosure is highly relevant to ART clients' privacy framework and the decisions they make within and beyond data-related activities in their care.

Clients' Trust in the Health System
Clients' perceptions towards the health system have been largely studied in the context of clients' willingness to share data with the health system.Clients want transparency in the data sharing process by knowing who accesses their data and by controlling the sharing of their data [11,44,59,80], including determining which data to share with whom [11,80].Clients are often willing to share their data to inform public health decision-making [46,96], but concerns around data privacy can contribute to their hesitancy to share data [24,100].Such concerns arise from clients' lack of awareness of the data sharing mechanism, which is induced by the distance between clients and healthcare organizations and clients' unfamiliarity with the technical mechanisms for electronic data sharing [26].To address such issues, researchers emphasize the importance of building trust between clients and the health system through clear, transparent, and comprehensible policies around data sharing and privacy [24,26].Client trust is critical for protecting client privacy and for creating buy-in from clients to participate in data sharing [38,96].
Given that healthcare providers are clients' closest contact in the health system, building client trust at the provider level could positively influence client trust in the larger health system [73].Providers in reputable healthcare organizations that develop robust privacy policies play a significant role in building client trust in projects for electronic data sharing [26].Trust in providers and security in the client-provider relationship also alleviate clients' concerns with technology security [83].Clients' trust in their providers simultaneously influence decisions about their own health.Nganga et al. [63] found that clients in Kenya followed their providers' recommendations regardless of whether or not they understood the advice and avoided openly asking questions.

Client Perspectives on Devices at the Point-of-Care
Clients' perceptions towards devices used at the point-of-care have been extensively studied in high-income countries to understand their impact on client-provider interactions [14,19,81,95,102].
Clients perceive computers at the point-of-care as physical barriers to client-provider engagement [14,19,81] that elevate providers' authority and medical expertise in front of clients [14].However, a gradual installation of computer-based EMR systems in examrooms can allow clients and providers to adapt to the interventions, help maintain healthy client-provider relationships, and encourage health information sharing [83].
The literature in HCI [47,58,66,98,99] and beyond [34,55,76,78] have noted the potential for successfully adopting mobile devices for health in LMICs.However, few focus on client perspectives towards devices used at the point-of-care.Most similar to this topic is the study of client perceptions towards devices used for conducting health surveys in LMICs [16,17,56,84].Device familiarity impacts survey respondents' device acceptability and hence their willingness to answer survey questions [16,45,57,89].Most notably, a study in Angola in 2011 found that the lack of introduction to handheld computers used for surveys contributed to respondents' apprehension to answer HIV-related questions and to disclose sexual behaviors to interviewers [16].However, in another study in Sri Lanka in 2014, in which respondents were familiar with handheld devices because of the wide availability of mobile phones, the devices were conducive to attracting interest to the survey [45].Even with the lack of familiarity with devices, concerns can be overcome with careful explanations of device purpose [45].Maintaining data confidentiality is also important to survey respondents.Computers were perceived to be more secure than paper for recording and storing personal data because limited technology literacy restricted access to data and because paper was more prone to misplacement or damage [16,57].More broadly, security and privacy views can derive from individuals' experiences with technologies, their health, and varying sensitivities around their health conditions [11,52].Especially in the context of sensitive or stigmatized topics such as HIV, respondents' acceptability of technology for health data collection is critical for obtaining accurate information [16].Although perspectives on technologies used for health surveys in LMICs have been thoroughly studied, the gap in literature on client perspectives on point-of-care devices in LMICs warrants further research.

METHODS
Our primary objective was to explore and understand the perceptions of Lighthouse's HIV positive clients on ART with regard to data security and privacy, electronic and mobile data collection, devices for data collection, and data management and sharing processes.The focus group discussions (FGDs) with ART clients were conducted in Lilongwe, Malawi during September and October 2022.This research received approval from the IRB at the University of Washington and the Malawi MoH IRB, the National Health Science Research Committee.

Setting
The study was conducted in urban and peri-urban areas of Lilongwe district.FGDs were conducted in participants' routine Lighthouse care settings, in either the facilities or CBC settings.

Participant Recruitment
Eligible PLHIV on ART from the Lighthouse facilities and the CBC settings were identified at clients' routine care settings by the Lighthouse or CBC study team using purposive sampling [87].Eligible participants were aged 18 and above, had at least a primary education, and consented to audio recording.In a private location, each eligible participant individually underwent an informed consent process.Appropriate information and explanation of the study goals and objectives were also provided in a consent form written in an accessible language level for improved comprehension.The process of obtaining informed consent was prepared by the local staff in Malawi, taking into account the average literacy level of their clients.The consent form highlighted two key points: 1) the voluntary nature of participation in the study, emphasizing that it is entirely up to the individuals to decide whether or not to take part, and 2) ensuring that their decision to participate or not will not have any negative impact on the ART care.The local study staff provided detailed information about the study procedure, including the use of audio recording.The risks and potential benefits of study participation were discussed and questioned answered.After signing the consent form, clients were still able to refuse to answer questions or withdraw from the study.
Lighthouse is the largest public provider of ART services, covering urban, peri-urban, and rural populations throughout the Lilongwe district.As such, participants were from a diverse client population.In general, 60% of ART clients in Malawi and at Lighthouse are female.We recruited 63 participants (51 females, 12 males) through Lighthouse's two urban facilities and four CBC settings.Participants ranged in age from 21 to 73 (mean=47, SD=11.61).Participants were compensated with 10310.00Malawian Kwacha (approximately $10 USD) for their participation.We refer to participants from the facilities as P#-Facility# and participants from the CBC settings as P#-CBC#.

Study Procedure
A total of eight FGDs were conducted: four in facilities and four in CBC settings.Each FGD was composed of 7-9 participants and was facilitated by a Malawian qualitative researcher with support from a notetaker.All FGDs were conducted in Chichewa, the main language used in Malawi.Each FGD began with a short introduction by the facilitator, including the background, purpose, and objectives of the study, and a review of confidentiality and consent guidelines.
Participants were first asked an ice-breaker question about their preferences for care settings to allow them to gain comfort in speaking.Next, participants were asked about the flow of their appointment visits, what information they shared with providers, and how providers used the devices for data collection at their routine care setting (computers at facilities, tablets at CBC settings) during appointments.Participants were also asked to compare the devices used in their routine care setting to other tools they see being used at Lighthouse, such as paper records (e.g., "In thinking about how your providers record your information in a computer or on paper, which do you prefer and why?").Participants were asked about their comfort with their health information being collected with devices, how they make sense of how the devices are used (e.g., "How do you know that the provider is entering your data into the tablets if you cannot see what they are doing?"),and how they think devices affect care (e.g., "How do you think the tablets affect the way your providers guide your care?").
The next set of questions aimed to understand participants' mental models of data flow and management.Participants were asked about data storage and transfer (e.g., "How do you think your health information moves from the computer that the provider uses to other people at Lighthouse?", "What do you think happens to the data in the tablet at the end of the day?").To understand participants' perceptions towards access to personal health information, participants were further asked to identify entities with whom they would and would not want their data shared with, explain views on data sharing with the MoH and authorized entities (e.g., "What do you think the MoH does with the data?"), and share concerns about sensitive information being seen by individuals outside of the health system (e.g., "How would you feel if your health information is accessed by your family or your neighbors?").After we informed participants of a Malawian policy that requires local data hosting for local partner digital health implementations, participants were asked about their views on the country's efforts to protect their data.
Lastly, participants were given time to share feedback for Lighthouse and to ask questions about data security and privacy and data management which were not addressed during the session.Each FGD lasted approximately one hour.

Data Analysis
Audio recordings of FGDs were transcribed in Chichewa and translated into English for analysis.We used a mixture of deductive and inductive thematic analysis [8] to code the transcripts.The first author developed a codebook while conducting a detailed reading of all transcripts and returned to the transcripts to apply the codes.The second author reviewed the code application and resolved disagreements through discussion with the first author.The second author did not add codes but helped refine the language and meaning in the initial codes.As a researcher with more than a decade working at and with Lighthouse, the second author also provided a larger view of the environment and history of the responses, helping add nuance and trustworthiness to the codes and their refinements.Similar codes were grouped into higher level themes, reflecting those suggested a priori from the FGD guide (deductive) and from reviewing participants' contributions (inductive).The themes and their alignment with quotes was discussed at three separate meetings with the Lighthouse study team -fine tuning the themes and illustrative quotes until all believed that the findings and discussion points reflected the diverse perspectives of clients.We tried to tread very carefully away from broad generalities as these opinions and perspectives are limited to these participantswho may not reflect larger norms from this larger ART setting.

Ethical Considerations
The first author worked closely with the in-country team on all aspects of the study design, refining of the study procedure, implementation, and interpretation of the findings.The first author worked closely and on-site with the lead, local qualitative interviewer to refine the FGD guide.The local interviewer is a seasoned qualitative researcher who is part of the Lighthouse team.She previously conducted similar sensitive research among this population.She does not routinely interact with clients but is well acquainted with the community, the clients, the sensitivities, and the clinic setting.

FINDINGS
We organize our findings into three sections.We begin with Disclosure and Privacy because unintended disclosure of positive HIV status is a major privacy concern for PLHIV.This section describes participants' views towards disclosing positive HIV status and the intrinsic relation between privacy and disclosure.Confidence in the Health System to Protect Client Privacy describes participants' trust in the health system, including healthcare providers and national efforts, to protect client privacy.Lastly, Perceptions towards Data Collection Tools and Data Management describes participants' understanding of computers, tablets, and health passports used during data collection and data management processes.

Disclosure and Privacy
HIV disclosure is a complex challenge and experience that PLHIV face.As such, we first elaborate on participants' perspectives towards disclosure to give context to their concerns around data privacy.
5.1.1Selective Disclosure.When explaining their discomfort with their data being accessed by individuals outside of the health system, participants referred to their fears of unintended disclosure of positive HIV status.Participants were concerned about having their positive HIV status known publicly, as there are "[people] who diminish our respect, they say bad things" (P4-CBC2).Participants agreed that publicly sharing or exposing personally identifiable information -name, phone number, address -would not only be "violating one's human rights" (P1-CBC1) but also severely impact PLHIV's well-being, in which "some may even lose their mind and die as they will be surprised" (P9-CBC4).The consequences of failing to keep data confidential will extend to the clients' family: "There is a lot that is being said about us who are HIV positive.Once a person knows that you are positive, they think everyone within your family, children inclusive, are positive.The children are not free, they are called names because the parent is positive" (P4-CBC2).
To avoid having their status wrongfully exposed, some participants engaged in selective disclosure, in which they "share the information with the person whom you trust" (P1-CBC1) and "consider which people to disclose to as well as the atmosphere if the people will be able to maintain confidentiality"(P6-Facility2).Disclosing to trusted individuals empowered clients to establish a support system that encouraged them to adhere to treatment.Participants said their friends or family help them take their medication, get medication refills from Lighthouse, or provide transportation money for appointments.Some participants emphasized the importance of disclosing their status to family, especially their children, because "children need to know how to protect you" (P4-CBC2) and they can become "my own doctor" (P1-CBC4).However, not all PLHIV were comfortable disclosing to their families: "I have young sisters and brothers, but I have never disclosed to them because of how they talk, discriminatory" (P8-CBC4).
5.1.2Disclose to PLHIV for Encouragement and Survival.Participants were not concerned about the consequences of data being shared within the HIV community.In CBC, clients rely on group leader clients for support with assisting when one is sick or retrieving medication.P4-CBC2 explained that they voluntarily "tell [group leaders] everything, including how you are feeling so that you are on the same page, " indicating that they share sensitive information with other CBC clients for medical support.
The HIV community was described as "one family" that PLHIV can rely on for unwavering support (P9-CBC4).Disclosure was viewed as a critical experience that can "lead [other PLHIV] to salvation" (P1-CBC2).As a result, participants wanted to "counsel those that are keeping [their status] to themselves" (P8-Facility1).Disclosure of positive HIV status was viewed as a path for creating hope for a healthy future for other PLHIV, as expressed by P2-CBC2: "I told [my acquaintance], 'have you seen how I am?I do take medication.I do not mean that you also take the medication but let's just go so that you can meet the providers.' We went together to [a clinic] where she tested HIV positive.She was counseled and I also encouraged her.I told her I am healthy, and I started taking medication in 2009.You cannot recognize her today.She is doing fine.She appreciates me whenever we meet." Participants also recognized that disclosure can help one improve health management: "I was comfortable disclosing to everyone because if I am to keep it to myself, I would have died by now.Because when you disclose to someone about your status, they tend to share with you some other ideas.You also motivate others who come and ask how you managed to open-up, in that case you are helping other people . . .But when I open-up and shared about my status, I noted some of them became comfortable and asked me how I take care of myself so that they can do the same." -P3-Facility4 5.1.3Obligation to Protect Fellow PLHIV.Participants expressed an obligation to protect fellow PLHIV from discrimination and stigma.One participant explained that a specific sticker on a client's health passport may indicate HIV treatment for an insider who is also on ART: "if we see that, we do not tell anyone as we were taught [by providers] that we need to maintain confidentiality" (P4-CBC2).
In another anecdote, one participant shared how they encouraged another PLHIV to join Lighthouse's CBC without revealing that they had accidentally come to know of this person's status: "I escorted my neighbor to maternity.She gave me the health passport and I happened to be playing with it in my hands.She didn't tell me that she is positive and on ART, but she saw me with her health passport.I just gave it back . . .She later opened-up [about her HIV status] when we got home . . .I told her that I am going to the clinic to get my medication since I am on treatment.That is when she asked me that you are on medication, she said that she is on treatment.She is also one of the CBC members.I had maintained confidentiality at the time and didn't tell anyone." -P5-CBC2

Confidence in the Health System to Protect Client Privacy
Here, we expand on participants' perspectives of the health system's efforts to protect client privacy in light of the recognition that client privacy protection is of utmost importance.

Trust in National Efforts.
Privacy Protection.After informing participants about the MoH policy to require local data hosting for local partner digital health implementations, participants responded optimistically saying that the policy protects clients, as summarized by P6-Facility2: "It is good, it is giving us a picture that [the MoH protects] the Malawians and that everyone has the right regarding their health.In addition to that, we are protected."P4-CBC2 also believed that the policy helps protect the image of Malawi as a country that is actively protecting client privacy.P7-Facility3 emphasized that Malawians' information should remain within the country and "other countries just provide the support" as opposed to being the main manager of Malawi's client data, implying how data ownership should be navigated.
At the same time, some participants were uncertain about or misunderstood the intention of the policy.P4-Facility3 worried that the policy would hinder data sharing to donors who help fund Malawi's HIV care.Another participant asked, "We hear that the drugs that are helping us are from the outside countries, so how do they keep the information confidential so that those outside Malawi wouldn't know?" (P2-CBC1), suggesting that they did not understand that aggregate data for sharing is deidentified and client-level data is confidential.
Request Assistance for HIV Care Programs.Participants stressed the importance of sharing data with other countries that assist Malawi's HIV care program to ensure that the support is "not one time but throughout" (P7-Facility3).ART clients rely on the MoH to acquire funding that sustains Malawi's HIV response (P8-Facility3).Participants expressed concern that the failure to share data and request funds "may affect the project" to support HIV care (P7-Facility3) and consequently "[the clients] may end up being affected" (P3-CBC4).At the same time, participants were firm in their belief that data gathered through research or shared through the media should only be general or aggregate data that "[makes] known the issue that the people are facing and not the person" (P6-CBC4).

Trust in Lighthouse.
Participants trusted that Lighthouse staff, especially healthcare providers execute their day-to-day work in a manner that respects and protects clients' privacy.Lighthouse was described as a caring organization that brought comfort to clients: "Lighthouse is the parent to those of us who have issues.As a parent is expected to provide care to the child at the right time, when we get here, we get what we want easily and properly.We appreciate the support that we get" (P7-Facility3).Participants trusted that Lighthouse took precautions to protect client records, as summarized by P7-Facility4: "This is the headquarters and I noticed that our records are kept safe.They have never given me a wrong file.They always give one their right file.This means our files are well protected and no one can know about another person." Trust that Healthcare Providers Maintain Confidentiality.Providers were believed to have good intentions to guard clients' health and privacy (P7-Facility4).Participants' confidence in their providers stemmed from their trust that providers have never broken confidentiality: "We have come a long way and have never heard anyone talking about our status, or that the providers disclose that they are coming to give us medication, I have never heard of anything like that.So, I plead that they should continue with that behavior, being respectful" (P7-CBC1).Participants trusted that providers will "just share with [my family] information but not necessarily regarding my status, " implying the expectation that private, identifiable data will not be shared (P6-Facility2).
Participants' trust in providers impacted client-provider interactions.Some participants avoided asking many questions during appointments to not appear as if they were questioning their providers' authority: "If we are to ask them questions and show that we are being suspicious then the provider is also a human being and might tell us to go to someone [else] since we don't trust them" (P6-Facility2).Providers were seen to have high status because of their exclusive knowledge of how to use at the point-of-care (P6-CBC4).

Perceptions towards Data Collection Tools and Data Management
Participants explained the purposes and benefits of the computers used at the facilities, tablets used at the CBC settings, and health passports, and shared their understanding of data flow and management in the continuum of care.

Purposes of Devices for Data Collection.
Carries Health Information.Participants recognized that the computers and tablets carry clients' health information such as when the client tested for HIV, the type of medication administered, when medication is collected, appointment dates, when the client is sick, and lab results that indicate viral load.One CBC participant described how providers enter information into the tablet during the appointment: "when they see us, they document in the tablet, words like "it's alright" (P1-CBC3).
Informs Providers' Decisions for Care.Participants agreed that client data in the computers and tablets aid providers with accomplishing important tasks for care, including calculating adherence to medication, monitoring appointment compliance, and reminding providers to take blood samples.Participants assumed that providers accessed client history in the computers and tablets, like a "bank where one can get the bank statement [to] show you your account activities" (P5-CBC2), which helps providers "follow the right procedure" (P2-CBC1) and "provide the right care" (P7-CBC4), such as prescribing new medication.Outside of appointments, participants believed that the devices were helpful for planning the number of drugs to bring to the CBC settings (P1-CBC1) and transferring data to another provider in case the primary provider is unavailable (P7-Facility4).
Uncertainty about Devices' Purposes.Participants made educated guesses about the usage of devices based on their observations: "the providers poke the tablet whenever we respond to their questions . . .about our health" (P7-CBC4).However, participants noted that there is little direct communication from the providers on how devices are used.P8-CBC3 said that "what we know is that the provider documents for us, whether they write what we told them or not, we don't know, " suggesting that there is no way for clients to confirm whether providers are correctly recording appointment-related content.P5-CBC3 responded immediately after saying, "some of us even wonder what they are doing on the tablet." How the data is used after the appointment remains a mystery: "after we leave, we do not know what they do" (P8-Facility1).

Comparing the Benefits of Data Collection Tools.
Device Benefits: Efficiency.Participants thought paper records placed a heavier work burden on providers than tablets do: "It will take [the providers] a lot of time to enter the information on paper unlike a tablet which has a lot of space" (P3-CBC4).Searching client information with devices was thought to take minimal effort because participants assumed that all of the important information was stored in them: "We registered during the first visit.When I reported for the second time, they just asked about my phone number and searched it on their tablet and they were able to find all the information, which shows that it is easy.If it was paper-based, then [my information] could have been lost" (P7-CBC1).
Device Benefits: Data Safety.Participants agreed that devices protected data better than paper records.Health passports, which are brought home, are easier to access whereas computer-based documentation is not accessible to most because "not everyone who comes [to the facility] knows [how to use] computers." (P7-Facility1).Four participants mentioned password protection as a security advantage that computers and tablets have over paper.For example, P1-Facility2 attributed the exclusivity of passwords as a strength of devices: "for someone like me who does not know computers, [they] cannot know the password."The most serious concern with paper was its susceptibility to damage, while "information that is kept in a computer stays for a long time.It can't be deleted" (P4-Facility3).Data loss was a minor concern with computers and tablets because participants assumed that there were multiple access points to client data and there were protection mechanisms in place.
Health Passport Benefits: Retention of Own Health Records.The most notable benefit of health passports was that clients maintained access to and control over their health information: "It is our right to access the information.There are others who do not have time to ask the providers about their viral load and that information is kept in the health passport.We can also see the information that has been documented in the health passport . . .One can lose the health passport, but when you report to the facility, they check and find your [client] ID.This shows that these two approaches are good.Health passports keep the information for themselves, and the other information is kept at the facility in the computers." -P8-Facility3 However, some clinical notes in health passports are difficult to interpret: "I would have liked it if [our providers] would tell us the diagnosis . . .Many are the times that we just receive the drugs, but they don't tell us what the diagnosis is.They even document in italicized format [in the health passports] and not everyone can be able to read" (P8-CBC3).Participants wanted a layperson's explanation of their health so that they "know the steps that we need to take" for health management (P7-CBC1).

Data Management and Data Flow.
Access to Client Data.Participants had a clear notion of who data should and should not be shared with, as PLHIV, providers, and LT program teams are all well aware that inadvertent disclosure has severe consequences for PLHIV's lives.Participants expressed that they want their data shared with providers, trusted family members, the MoH, program supervisor and coordinator, district health officers, NGOs, and other countries or donors.Participants agreed that client data should not be shared with non-medically trained personnel at Lighthouse, such as cleaners, guards, accountants, and other clients.Although these groups cannot access client data, participants were concerned about being seen walking in and out of Lighthouse, which is a widely-known provider of ART services: "[The cleaners and guards] are talkative . . .When you are passing by, they will say 'don't admire her hips, she was at Lighthouse'" (P7-Facility1).P3-Facility1 explained that "not everyone is supposed to know your status through the facility" and that client data should only be shared with staff that is relevant to data collection.In addition to stressing the importance of assigning data access levels to job responsibility, participants noted that access should not be based solely on position, but also "[having] a specific purpose [to] access the information whilst maintaining confidentiality" (P6-Facility2).
Data Consolidation and Transfer.Through personal experiences, participants made sense of the data flow in the continuum of care.During facility appointments, clients visit multiple stations to meet different staff and discuss various information.Participants observed that their information "gets to everyone who has a computer at Lighthouse" and can be accessed by entering client ID (P3-Facility4).Consequently, information was assumed to be shared between providers so that providers can ensure that important information is not missing or neglected during appointments (P5-Facility2).
In terms of storing data collected at CBC settings, although most participants thought the tablets stored data, participants also recognized that their data was transferred to the facilities' files or computers: "One time when I reported to the facility, I would just go and mention my name and the computer would be able to show all the information" (P8-CBC3).Transferring data to the facilities was considered important for continuing care because "whenever [we] get sick on a day that is not a CBC day, we can report to the facility and find the information in the file" (P3-CBC2).While only two participants discussed the transfer process, both participants alluded to the similarity between the tablets and personal mobile phones.P6-CBC4 described the way data is transferred from the tablet to the computer as "the way we do with our phones, by forwarding the information . . .like a message."

DISCUSSION
Our main findings are as follows: (1) When considering the consequences of data being shared to groups outside of the health system, participants referred to fears associated with unintended disclosure of positive HIV status.PLHIV are deliberate about to whom they disclose their status.Disclosing to other PLHIV, by choice, carried less worry as they trusted one another not to reveal anyone's status.
(2) Participants trusted Malawi's health system to responsibly manage and share sensitive client data.Participants also recognized the vital role Lighthouse plays in protecting their data, noting their expectation that healthcare providers must maintain confidentiality and minimize risks for unwanted disclosure.
(3) Participants understood how computers and tablets were used in their care, based on observations they made during appointments and personal experiences using technologies.
They expected computers and tablets to be more efficient and secure than paper records, although paper-based health passport booklets are important in that they provide clients with a record of their own health.
In this section, we discuss ART clients' broad privacy views and provide a framework for understanding Lighthouse's successful mobile device adoption.Lastly, based on our discussion points, we provide recommendations for building a strong digital health system that may be applicable to other LMICs.

Broad Privacy Concerns with Living with HIV
The health privacy discourse in HCI has highlighted digital security concerns around data management [5,15,60,65] and the security and privacy trade-offs made in online spaces [9,10,54,[91][92][93].Our work contributes a broader view of privacy held by PLHIV in the healthcare context and beyond that centers around the influences and impacts of disclosure-related decisions and concerns.
6.1.1Disclosure.By having a clear notion of who should and should not access their data, participants implied that they want to control how their data is shared [11,44,59,80] and more largely, control their disclosure processes.Participants were concerned about social rejection or discrimination that follows inadvertent disclosure of positive HIV status, echoing findings from prior work [53].
With respect to RQ1, PLHIV took control of their disclosure processes by practicing selective disclosure to minimize the chances of unintended disclosure.At the same time, they expected the health system to uphold confidentiality and manage the sensitive data that clients trust it with.However, participants were aware that there were unavoidable risks of unintended disclosure, including being seen visiting Lighthouse facilities.The ever-present risk of inadvertent and unwelcomed disclosure permeates ART decision-making among clients, from choosing where to start care to adhering to treatment.
Participants were not heavily concerned with the privacy risks of disclosing within the HIV community.Also, with respect to RQ1, PLHIV disclosed comfortably within the HIV community to gain and encourage communal and medical support, and respected other PLHIV's approaches to disclosure.Through the decision to disclose to other PLHIV, participants gained communal support and improved self-management.The inherent trust that bonds the HIV community centers around shared values around confidentiality -to respect each other's privacy and the expectation that their disclosure and hence status would be contained within the community -and was built into the HIV community, as observed in other contexts [9,42].By upholding the obligation to protect other PLHIV's status, PLHIV empower their peers to take control of their disclosure processes.understood that their data is used by donors in other countries to assess the overall HIV program and to inform global support levels for Malawi's ART activities.Although the concerns around data privacy have been seen as a contributor to data sharing hesitancy [24,100], participants in our study believed that data privacy and data sharing are compatible with one another, given that there are security assurances.With respect to RQ2, PLHIV's interests in contributing their data for HIV program assessment and global ART funding stem from PLHIV's trust in Malawi's health system to protect client confidentiality.We deduce that clients' trust in data sharing derives from their trust in national privacy protection efforts and their providers, who are the main users of digital and paper tools [26].As clients' closest point of contact in the health system, providers are responsible for ensuring that their work practices align with client privacy expectations and for enhancing client-provider relations.

Successful Mobile Device Adoption in an LMIC Health System
Our work adds to research that recognizes the viability of mobile devices for healthcare in LMICs and their potential for improving the quality of care despite weaknesses in infrastructure or management [34,55,66,76,78,99].With respect to RQ3, PLHIV not only accepted the integration of devices into care, but also recognized the value of digital health for enhancing care delivery, though some participants were uncertain about technical security mechanisms and exact usage practices.Participants understood that digital systems could enable quick access to laboratory results and client outcomes and enhance provider decision-making, which are features of realtime point-of-care technologies that are shown to contribute to promising results in HIV care [4,22,67,88].These findings stand in contrast to technology acceptability in LMICs from over a decade ago in which handheld devices used for health documentation and surveying were viewed with suspicion and confusion by respondents [16].Participants' understanding of and acceptance of tablets used in care illustrates an increased familiarity with digital systems in healthcare contexts and mobile devices at large [35].At the same time, some participants were uncertain about how devices were used especially outside of appointments, calling for continued efforts to inform clients of device purpose and security.As participants acknowledged, technologies do not function alone: providers and Lighthouse as a whole must continue to prioritize clients' needs in terms of privacy and quality of care.In CBC settings, the expansion of tablet-based care likely stemmed from prior, positive exposure to digital data collection at Lighthouse's facilities, allowing tablet adoption to be accomplished without creating friction or opposition from clients.With nearly seven years of tablet-based data collection and recent efforts to optimize the process, Lighthouse offers an example of successful integration of mobile devices in healthcare, contrary to many mobile device-based health projects in LMICs that do not venture beyond pilot studies due to the lack of follow-ups and rigorous evaluations [34,43].

Recommendations for Strong Digital Health Systems in LMICs
Lighthouse makes data privacy a priority.However, gaps remain and may be greater in contexts or settings where client concerns are not as widely recognized or prioritized.In First, clients should be communicated about their data and how it is used in accessible, non-technical language.Similar to previous research that notes that providing access to data is insufficient if clients are not able to understand their data [33,64,74,103], Lighthouse clients want help to translate health information from their health passports into accessible language.Health information should be presented to clients in layperson's terms [69] that enable clients to interpret their data for influencing everyday practices for health management.During clinical encounters, providers should leverage devices at the point-of-care as "common information spaces" for interactive conversation between clients and providers, not for one-way documentation of client responses [14,37,75].In terms of data sharing, while some participants understood the difference between aggregate data and client-level data, this distinction was not obvious to all.First and foremost, clients should be educated about aggregate vs. client-level data.To assuage privacy concerns, the health system should provide clients with a transparent disclosure of the way different data is used and educate clients about data protection strategies [38].Specifically, that aggregate data is beneficial for strengthening the health system and informing decision-making, while client-level data benefits client's individual care when shared across individuals involved with care.At the same time, clients should be ensured that client-level data is never publicly released.We also note that during the FGDs, we informed participants about Malawi's in-country policy on data hosting which opened up discussion.Echoing recommendations from prior work [24,26], we encourage such explanation of privacy protection policies and efforts in comprehensible language to build client trust in the health system.
Second, the health system should leverage clients' familiarity with technology to enhance the acceptability of devices used in care.As clients are one of the main beneficiaries of technologies at the point-of-care, their experiences and perspectives should be at the center of technology development and adoption efforts.Clients had a partial understanding of the role of digital data, the purposes of devices at the point-of-care, and the strengths of devices over paper records.Overall, because of their familiarity with computers at the point-of-care in facilities, CBC clients were comfortable with and accepted tablets in their care.Based on our findings, we recommend that in addition to considering the digital maturity of an environment -identifying the level of technology that an environment is prepared for, considering the sustainability of technology usage, and setting realistic expectations for technology use [27] the health system should build on clients' familiarity with technology to ensure that new technologies are accepted by clients.There should be continuous efforts to enhance client familiarity even after technology adoption, by providing clear explanations of the technologies' purpose and clarifying the technologies' value [45].
Third, technologies should be secure beyond client expectations by meeting global security standards.While some participants had an understanding of various security protocols, such as passwords and access controls, digital security was not a major concern.Rather, clients were more interested in the health system's efforts to protect client privacy, namely policies, execution of data sharing, and provider practices [83].This in turn may reflect an expectation that the health system and its governance will ensure robust, highlysecure technologies.Clients' trust in the health system urges a call to action to ensure that technical security is competently built, assessed, strengthened, and sustained by professionals.Those responsible for eHealth initiatives should ensure that global standards for security are met.These global standards include the Principles for Digital Development [1] which identify core tenets of addressing security and privacy, and the Health Data Governance Principles [36], which outline standards for the usage of data within and across health systems, promote learning from well-established policies and regulations, and outline limitations on data access.

Limitations and Future Work
While this study has a sufficient sample size of participants to reach data saturation, the findings of this study are not generalizable to all clients at Lighthouse.We also acknowledge that the recommendations we make for building strong digital health systems in LMICs may not necessarily be applicable to all health systems in LMICs, given different levels of maturity with digital health integration.Lastly, we aim to use these findings to support additional data security training for Lighthouse and similar LMICs, providing guidance for improved practices stemming directly from these lessons learned.

CONCLUSION
In LMICs, eHealth initiatives are increasing rapidly because of their potential to support comprehensive care, including across the HIV care continuum.Focusing on clients' data privacy perspectives and priorities is critical for enhancing security and confidence in eHealth systems.In an effort to elevate clients' voices, we explored ART client perspectives on data security and privacy in Malawi's HIV health system.Our findings suggest that PLHIV have a broad privacy framework that centers around concerns of how poorly managed or protected data could lead to unwanted disclosure of positive HIV status.Although disclosure considerations impact various decisions ART clients make, these clients trusted that Lighthouse and Malawi's health system will protect their data and themselves from unintended disclosure.This trust led PLHIV in this context to support digital data collection for client care management, with likely personal benefits, and for data sharing to secure more global health funding -a benefit for the ART program, overall.
Overall, this work highlights the importance of building strong digital health systems that can respond to clients' expectations and trust.PLHIV in our study understood the value of devices in their care, although some uncertainties remained.At the same time, technology-related threats to data privacy were not a major concern for PLHIV in this context, demonstrating their expectation of the health system to build and maintain secure technologies.Health systems should continue to make all efforts to ensure that digital health systems are reliably built, assessed, strengthened, and sustained.Especially in LMICs which are understudied and face resource challenges, ensuring a robust eHealth system with secure data protections from data collection through sharing of aggregate data is critical for client confidence and participation.We encourage HCI researchers to explore client perspectives in other LMICs to inform decisions for client data protections, develop secure and client-centered technologies, and smoothly integrate eHealth initiatives across data users, from clients to the MoH.

Figure 1 :
Figure 1: A computer at the facility used as an EMR access point at the reception desk by Lighthouse receptionists (left), a tablet used during a client's CBC appointment (middle), and health passport booklets that ART clients bring to appointments (right).

6. 1
.2 Client Trust in the Health System.Participants wanted their data to demonstrate Malawi's effective HIV response.Participants Malawi and other LMIC contexts, health systems face challenges with privacy regulation and mechanisms for redress.The existing state of health systems and the large population of PLHIV in LMICs call for continued interventions that can improve protocols, policies, training, and supervision.This agenda is further motivated by the nascent digital infrastructure of many LMICs that provides an early opportunity for data security interventions that can be built into health systems, as opposed to being retrofitted.With these considerations in mind and building on participants' inputs, we provide the following recommendations for building strong digital health systems in LMICs while advocating for continued consideration of clients' voices.