Voice over the Internet Protocol (VoIP) Technologies…
How to Select a Videoconferencing System for Your Agency
Based on the work of Watzlaf, V.M., Fahima, R., Moeini, S. & Firouzani, P. (2010). ‘VOIP for telerehabilitation: A risk analysis for privacy, security, and HIPAA compliance’. International Journal of Telerehabilitation: 3-14
Selecting a Platform
“Most VoIP technology systems provide a very reliable, high quality, and competent teleconferencing session with their patients… However, to determine if the VoIP videoconferencing technologies are private, secure, and compliant with HIPAA, a risk analysis should be performed.” (Watzlaf et al., 2010)
Skype, VSee or Other Vendors
• Questions regarding 3 HIPAA requirements:
– Audit trails
– Chat box information stored on the company’s computers
– VSee can track which accounts connect but does not know the time or the content
• For a review of vendors visit: http://www.telementalhealthcomparisons.com/ (you will have to provide your email address to review these comparisons)
Let’s Take Specific Vendors OUT of the Discussion
2 Choices
1st Choice: Use the HIPAA compliance checklist (prepared by Watzlaf & colleagues), compare it to the VoIP technology software privacy and security policies provided by the software vendor, and ask if the vendor is willing to enter into a BAA (Business Associate Agreement).
2nd Choice: Purchase HIPAA compliant software specific to VoIP from vendors that will walk you through each piece of the HIPAA legislation to make certain the software is private and secure, and that are willing to enter into a BAA (Business Associate Agreement).
HIPAA Compliance Checklist for VoIP
Checklist on NFAR website
Example of Items on Checklist
• Personal Information – Will employees and other users of the VoIP software be able to listen in to videotherapy calls between patient and therapist?
• Retention of Personal Information – Are videoconferencing sessions for therapy services recorded?
• Requests for Information from Legal Authorities, etc. – Will personal information, communications content, and/or traffic data be provided by the VoIP software company when requested by legal authorities?
Every potential user (therapist or healthcare facility) should review the privacy and security policies found on the VoIP software system’s website to determine if they answer the questions listed in this checklist. If a question is not addressed in the policy, the user may want to contact the software company and ask how the company will address that particular question.
Next Steps…
1. Form a team that will examine VoIP software systems to determine if they meet federal (HIPAA), state, local, and facility-wide privacy and security regulations. The team may consist of the provider attorney, risk management personnel, health information administrator/privacy officer, security officer (IT), clinical directors/supervisors and counselors.
2. Designate someone on the team to stay on top of all changes in videoconferencing software systems (federal, state and local).
3. Educate all staff (not just counselors) on how to use the software system for videoconferencing. Training should include:
• Privacy and Security related to HIPAA
• Issues Related to PHI (Private Health Information) Exchange
• Encryption
• Spyware
• Password Security
• Use of Equipment by Counselor/Client
• ATA Guidelines
4. Develop a Patient Informed Consent Form covering:
• What therapy will be provided using the VoIP technology
• How the technology will be used
• Benefits associated with videoconferencing
• Risks associated with videoconferencing (privacy and security)
• Informed Consent Form reviewed by the team attorney
5. Incident response is necessary and should include:
• documentation regarding the incident
• the response to the incident, any effects of the incident, and whether the policies and procedures were followed in response to the incident
• if policies and procedures for incident response are not in place, they should be developed with the security and privacy officers
Suggested General Rules for VoIP
Kuhn, Walsh, & Fries, 2005, National Institute of Standards and Technology
• Do not use the videoconferencing username and password for anything else, change it frequently, and do not make it easy to guess
• Avoid having computer viruses on the computer used for videoconferencing
• Never use it for emergency services
• Consistently authenticate who you are communicating with, especially when used for teletherapy video sessions
• Focus on the transmission of data through videoconferencing: how that data is made private and secure during the telecommunication, and how privately and securely it is stored and released to internal and outside entities
• Provide audit controls for the use of software applications so that they are secure and private
There are three types of information security risks: Confidentiality, Integrity, and Availability. Confidentiality refers to the need to keep information secure and private. Integrity refers to information remaining unaltered by unauthorized users. Availability includes making information and services available for use when necessary.
VoIP Risks and Recommendations related to Confidentiality, Integrity, and Availability
List on NFAR Website
Information Security Risk & Recommendation Example
Risk, Specific Area: Confidentiality & Privacy
Vulnerability or Threat: Retention of personal data & information as well as eavesdropping on conversations (increases in VoIP because of the many nodes in a packet network)
Risk Level: High
Recommendation: Change default passwords; disable remote access to the graphical user interface; use authentication mechanisms
See VoIP Risks and Recommendations Checklist
All credit for this presentation goes to Dr. Watzlaf and colleagues for allowing the use of their article as the basis for this presentation and allowing us to post the HIPAA Compliance Checklist and the Risk and Recommendations List on our website: www.nfarattc.org