Last Modified: 02/13/2017
V. Privacy and Security Considerations when using Tele-Intervention
The Health Insurance Portability and Accountability Act (HIPAA) impacts the exchange of health-related information and the provision of health/habilitative services, including tele-intervention services. There are two primary aspects of HIPAA with which TI providers must be familiar: 1) Privacy, and 2) Security. This section provides resources to ensure adherence to HIPAA.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has developed an array of new tools to educate consumers and health care providers about the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Many consumers are unfamiliar with their rights under the HIPAA Privacy Rule. With that in mind, OCR has posted a series of factsheets, also available in eight languages, to inform consumers about their rights under the HIPAA Privacy Rule. These materials are available on OCR’s website.
The fact sheets complement a set of seven consumer-facing videos released earlier this year on OCR’s YouTube channel. An additional video, The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule’s requirements. The videos are available on the HHS OCR YouTube Channel.
OCR has also launched three modules for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org:
- Patient Privacy: A Guide for Providers
- HIPAA and You: Building a Culture of Compliance
- Examining Compliance with the HIPAA Privacy Rule
- FaceTime calls on iPad are HIPAA compliant
- HIPAA Security Rule: Frequently Asked Questions
- The following article conveys the message that HIPAA compliance is not an all-or-nothing stamp of approval. Rather, it is a process that involves assessing the risks to your organization, developing and implementing a plan to manage those risks, then monitoring those risks on an ongoing basis.
Security Rule Guidance Materials
Security Risk Assessment (SRA) Tool Released: Need help with the required HIPAA Security Risk Assessment of your health care practice? Not sure where to start? Feeling intimidated? The Security Risk Assessment (SRA) Tool application lets you take a self-directed tour of HIPAA standards and helps you conduct a risk assessment at your own pace. The tool is available for both Windows operating systems and iOS iPads.
The Health and Human Services Administration has a wealth of information about security on their website. One particular resource is their "Security Rule Educational Paper Series", a group of educational papers which are designed to give insight into the Security Rule and assistance with implementation of the security standards. The Series covers:
- Security 101 for Covered Entities [PDF]
- Administrative Safeguards [PDF]
- Physical Safeguards [PDF]
- Technical Safeguards [PDF]
- Organizational, Policies and Procedures and Documentation Requirements [PDF]
- Basics of Risk Analysis and Risk Management [PDF]
- Security Standards: Implementation for the Small Provider [PDF]
The International Journal of Telerehabilitation provides useful guidance to ensure privacy, security, and HIPAA compliance:
- VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance [PDF]
- VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security and HIPAA Compliance, Part II [PDF]
Dr. Valerie Watzlaf from the Department of Health Information Management in the School of Health and Rehabilitation Sciences at University of Pittsburgh discusses the essential elements of the HIPAA Security Law. She describes practical considerations for those engaged in telepractice. This presentation was made to the NCHAM tele-intervention learning community in December, 2011.
Daniel Ladner, Senior Technology Systems Analyst at the National Center for Hearing Assessment and Management, delineates the strategies used to strengthen security for Sound Beginnings' tele-intervention project. This presentation was made to the NCHAM tele-intervention learning community in December, 2011.
Federal privacy regulations, specifically the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and Part C regulations of the Individuals with Disabilities Education Act (IDEA), which incorporate confidentiality provisions under FERPA, must be followed when such information is exchanged. Key points pertaining to these regulations are provided in a White Paper on Privacy Regulations: How EHDI, Part C, and Health Care Providers can Ensure that Children and Families get the Services they Need [PDF].
- NECTAC Confidentiality, Disclosure and Records for FERPA and HIPAA
- U.S. Dept. of Education, Letter to Alabama Department of Education
Just as you would obtain consent from families for students or other providers under Part C regulations to observe a traditional therapy session, informed consent must be obtained from families prior to anyone observing a T-I session. Verbal consent may be sufficient if observers are students or other Part C providers who fall in the category of “participating agencies”. Informed signed consent would be required for anyone else to observe a T-I session.
It is recommended that providers obtain signed informed consent from the family to record T-I sessions. This ensures that the family is aware that recordings exist and that they can obtain copies of recordings under FERPA. It is important to abide by privacy regulations when sharing recordings of T-I sessions with other providers. For example, video recordings may be shared with other “participating agencies” without signed consent, such as another Part C early intervention provider. However, under Part C regulations, video recordings may not be shared with others, such as a physician, without signed informed consent.
Families may have access to their own child’s T-I records, including video recordings, without signed informed consent. In fact, video recordings are one of the benefits of T-I, allowing families to share their child’s progress and coaching strategies with other family members. It is important, though, to secure access to these recordings just as you secure access to written records or verbal communications. A password-protected, encrypted site should be used.
Explaining and obtaining informed signed consent is an important way to ensure that families you serve through TI understand the potential risks involved with receiving their services through TI, even though you work hard to limit the privacy and security risks. Download a sample consent form that can be personalized to meet the needs of your program [PDF].
Below is a list of components that are important to ensure security in your TI efforts:
- An ISP, or internet service provider, is a company that provides its customers access to the internet and other web services. In addition to maintaining a direct line to the internet, the company usually maintains web servers. By supplying necessary software, a password-protected user account, and a way to connect to the internet (e.g., modem), ISPs offer their customers the capability to browse the web and exchange email with other people.
- Encryption: Encryption is the process of converting information in such a way that it is readable only by the intended recipient after they have converted the information back. Programs such as Skype report that they use standard internationally recognized and accepted encryption algorithms that have withstood the test of time over many years of analysis and attacks. This is designed to protect your communications from falling into the hands of others. Learn more about Skype’s encryption and general security.
- Firewalls: Most ISPs implement firewalls to block some portion of incoming traffic, although you should consider this a supplement to your own security precautions, not a replacement. Although firewalls are an important tool, they can also pose a barrier to T-I. Many early intervention programs—particularly those affiliated with academic or large health institutions—have large firewalls that may prevent internet communications with the general public, including the families you wish to serve. Early intervention programs may need to work with their technical support staff to make needed adjustments in firewalls. The United States Computer Emergency Readiness Team (US-CERT) has more information on firewalls.
- Anti-Virus Software: Anti-virus software can identify and block many viruses before they infect your computer. Once you install anti-virus software, it is important to keep it up to date. The United States Computer Emergency Readiness Team (US-CERT) has more information on Anti-Virus Software.
- A listing of “Good Security Habits” is provided by the United States Computer Emergency Readiness Team (US-CERT).