Voice over the Internet Protocol (VoIP) Technologies: How to Select a Videoconferencing System for Your Agency

Based on the work of Watzlaf, V.M., Fahima, R., Moeini, S. & Firouzani, P. (2010). VOIP for telerehabilitation: A risk analysis for privacy, security, and HIPAA compliance. International Journal of Telerehabilitation, 3-14.
Selecting a Platform

Most VoIP technology systems provide a very reliable, high quality, and competent teleconferencing session with patients. However, to determine if the VoIP videoconferencing technologies are private, secure, and compliant with HIPAA, a risk analysis should be performed. (Watzlaf et al., 2010)
Skype, VSee, or Other Vendors

• Questions regarding 3 HIPAA requirements
  – Audit trails
  – Chat box information stored on company’s computers
  – VSee can track which accounts connect but does not know the time or the content
• For a review of vendors visit:
  – http://www.telementalhealthcomparisons.com/ (You will have to provide your email address to review the comparisons)
Let’s take specific vendors OUT of the discussion: 2 Choices

1st CHOICE
• Use the HIPAA compliance checklist (Watzlaf et al., 2010)
• Compare it to the VoIP technology software privacy and security policies provided by the software vendor
• Ask if they are willing to enter into a BAA (Business Associate Agreement)

2nd CHOICE
• Purchase HIPAA compliant software specific to VoIP from vendors that will walk you through each piece of the HIPAA legislation to make certain the software is private and secure, and that are willing to enter into a BAA (Business Associate Agreement)
HIPAA Compliance Checklist for VoIP (located on NFAR website)

Example of Items on Checklist
• Personal Information
• Retention of Personal Information
  – Will employees and other users of VoIP software be able to listen in to video-therapy calls between patient and therapist?
  – Are video conferencing sessions for therapy services recorded?
• Requests for Information from Legal Authorities etc.
  – Will personal information, communications content, and/or traffic data when requested by legal authorities be provided by the VoIP software company?

Every potential user (therapist or healthcare facility) should review the privacy and security policies that are found on the VoIP software system’s website to determine if they answer the questions listed in this checklist. If a question is not addressed in the policy, then the user may want to contact the software company and ask how the company will address that particular question(s).
Next Steps…

1. Form a team that will examine VoIP software systems to determine if they meet federal (HIPAA), state, local, and facility-wide privacy and security regulations.

The team may consist of the:
• Provider attorney
• Risk management personnel
• Health information administrator or privacy officer
• Security office (IT)
• Clinical directors/supervisors
• Counselors
2. Designate someone on the team to stay on top of all the changes in videoconferencing software systems and in the applicable regulations (federal, state, and local).
3. Educate all staff (not just counselors) on how to use the software system for videoconferencing.

Training should include:
• Privacy and Security related to HIPAA
• Issues Related to PHI (Protected Health Information) Exchange
• Encryption
• Spyware
• Password Security
• Use of Equipment by Counselor/Client
• ATA Guidelines
4. Develop Patient Informed Consent Form
• What therapy will be provided using the VoIP technology
• How the technology will be used
• Benefits associated with videoconferencing
• Risks associated with videoconferencing (privacy and security)
• Informed Consent Form reviewed by team attorney
5. Incident response is necessary and should include…
• documentation regarding the incident
• response to the incident
  – any effects of the incident, as well as whether policies and procedures were followed
  – if policies and procedures are not in place for incident response, then these should be developed with the security and privacy officers
Suggested General RULES for VoIP
(Kuhn, Walsh, & Fries, 2005, National Institute of Standards and Technology)

• Do not use the username and password for anything other than videoconferencing; change it frequently; and do not make it easy to identify.
• Avoid getting computer viruses on the computer used for videoconferencing.
• Never use it for emergency services.
• Consistently authenticate who you are communicating with, especially when used for tele-therapy video sessions.
• Focus on:
  – the transmission of data through videoconferencing
  – how that data is made private and secure during the telecommunication
  – how privately and securely it is stored and released to internal and outside entities
• Provide audit controls for using software applications so that they are secure and private.
There are three types of information security risks:
• Confidentiality
• Integrity
• Availability

Confidentiality refers to the need to keep information secure and private. Integrity refers to information remaining unaltered by unauthorized users. Availability includes making information and services available for use when necessary.
VoIP Risks and Recommendations related to Confidentiality, Integrity, and Availability
List on NFAR Website
Information Security Risk & Recommendation Example

Risk, Vulnerability, or Threat: Confidentiality & Privacy
Specific Area: Retention of personal data & information as well as eavesdropping on conversations
Risk Level: High (increases in VoIP because of the many nodes in a packet network)
Recommendation:
• change default passwords
• disable remote access to graphical user interface
• use authentication mechanisms

(See VoIP Risks and Recommendations Checklist)
Thank you to Dr. Watzlaf and colleagues for allowing us to use their article as the basis for this presentation and to post the HIPAA Compliance Checklist, and Risk and Recommendations List on our Website: www.nfarattc.org