Last Modified: 06/23/2023
V. Privacy and Security Considerations when using Tele-Intervention
The Health Insurance Portability and Accountability Act (HIPAA) impacts the exchange of health-related information and the provision of health/habilitative services, including tele-intervention services. There are two primary aspects of HIPAA with which TI providers must be familiar: 1) Privacy, and 2) Security. This section provides resources to ensure adherence to HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA)
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has developed an array of new tools to educate consumers and health care providers about the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Many consumers are unfamiliar with their rights under the HIPAA Privacy Rule. With that in mind, OCR has posted a series of factsheets, also available in eight languages, to inform consumers about their rights under the HIPAA Privacy Rule. These materials are available on OCR's website.
The fact sheets complement a set of seven consumer-facing videos released earlier this year on OCR’s YouTube channel. An additional video, The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule’s requirements. The videos are available on the HHS OCR YouTube Channel.
OCR has also launched three modules for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org. Creation of a free Medscape account is required to take the courses:
- Patient Privacy: A Guide for Providers
- HIPAA and You: Building a Culture of Compliance
- Examining Compliance with the HIPAA Privacy Rule
Additional Resources
- ASHA info: HIPAA Security Rule: Frequently Asked Questions
- Ensuring Security, Access to Protected Health Information (PHI)
  - Protected health information (PHI) is highly sought after by cyber criminals. How can healthcare organizations ensure that they have strong data security protocols in place? Read more at Health IT Security: Ensuring Security, Access to Protected Health Information (PHI)
- What Does Increased Patient Access Mean for HIPAA Compliance?
  - While patient/client access to their health data is increasing, organizations must continue to maintain HIPAA compliance. Read about things to consider at Health IT Security: What Does Increased Patient Access Mean for HIPAA Compliance?
Security Rule Guidance Materials
Security Risk Assessment (SRA) Tool: Need help with the required HIPAA Security Risk Assessment of your health care practice? Not sure where to start? Feeling intimidated? The Security Risk Assessment (SRA) Tool application lets you take a self-directed tour of HIPAA standards and helps you conduct a risk assessment at your own pace. The tool is available for both Windows operating systems and iOS iPads.
The Health and Human Services Administration has a wealth of information about security on their website. One particular resource is their "Security Rule Educational Paper Series", a group of educational papers which are designed to give insight into the Security Rule and assistance with implementation of the security standards. The Series covers:
- Security 101 for Covered Entities [PDF]
- Administrative Safeguards [PDF]
- Physical Safeguards [PDF]
- Technical Safeguards [PDF]
- Organizational, Policies and Procedures and Documentation Requirements [PDF]
- Basics of Risk Analysis and Risk Management [PDF]
- Security Standards: Implementation for the Small Provider [PDF]
The International Journal of Telerehabilitation provides useful guidance to ensure privacy, security, and HIPAA compliance:
- VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance [PDF]
- VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security and HIPAA Compliance, Part II [PDF]
IDEA and Part C Privacy Regulations
The Essential Elements of the HIPAA Security Law
Dr. Valerie Watzlaf from the Department of Health Information Management in the School of Health and Rehabilitation Sciences at University of Pittsburgh discusses the essential elements of the HIPAA Security Law. She describes practical considerations for those engaged in telepractice. This presentation was made to the NCHAM tele-intervention learning community in December, 2011.
Strategies for Strengthening Security
Daniel Ladner, Senior Technology Systems Analyst at the National Center for Hearing Assessment and Management delineates the strategies used to strengthen security for Sound Beginnings' tele-intervention project. This presentation was made to the NCHAM tele-intervention learning community in December, 2011.
Federal privacy regulations, specifically the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and Part C regulations of the Individuals with Disabilities Education Act (IDEA), which incorporate confidentiality provisions under FERPA, must be followed when such information is exchanged. Key points pertaining to these regulations are provided in a White Paper on Privacy Regulations: How EHDI, Part C, and Health Care Providers can Ensure that Children and Families get the Services they Need [PDF].
Additional Resources:
- NECTAC Confidentiality, Disclosure and Records for FERPA and HIPAA
- U.S. Dept. of Education, Letter to Alabama Department of Education
Applying Regulations to Tele-Intervention
Observing “live” TI sessions
Just as you would obtain consent from families for students or other providers under Part C regulations to observe a traditional therapy session, informed consent must be obtained from families prior to anyone observing a T-I session. Verbal consent may be sufficient if observers are students or other Part C providers who fall in the category of “participating agencies”. Informed signed consent would be required for anyone else to observe a T-I session.
Recording TI sessions
It is recommended that providers obtain signed informed consent from the family to record T-I sessions. This ensures that the family is aware that recordings exist and that they can obtain copies of recordings under FERPA. It is important to abide by privacy regulations when sharing recordings of T-I sessions with other providers. For example, video recordings may be shared with other “participating agencies” without signed consent, such as another Part C early intervention provider. However, under Part C regulations, video recordings may not be shared with others, such as a physician, without signed informed consent.
Sharing Recordings with Families
Families may have access to their own child’s T-I records, including video recordings, without signed informed consent. In fact, video recordings are one of the benefits of T-I, allowing families to share their child’s progress and coaching strategies with other family members. It is important, though, to secure access to these recordings just as you secure access to written records or verbal communications. A password-protected, encrypted site should be used.
Sample consent forms
Explaining and obtaining informed signed consent is an important way to ensure that families you serve through TI understand the potential risks involved with receiving their services through TI, even though you work hard to limit the privacy and security risks.
- Download a sample consent form that can be personalized to meet the needs of your program [PDF]
- View a consent form pertaining to recording sessions from Colorado [DOCX]
Additional ways to Create Optimal Security
Below is a list of components that are important to ensure security in your TI efforts:
- An ISP, or internet service provider, is a company that provides its customers access to the internet and other web services. In addition to maintaining a direct line to the internet, the company usually maintains web servers. By supplying necessary software, a password-protected user account, and a way to connect to the internet (e.g., modem), ISPs offer their customers the capability to browse the web and exchange email with other people.
- Encryption: Encryption is the process of converting information into a form that only the intended recipient can read, once they have converted it back. It's important to review the security procedures employed by the videoconferencing platform you're considering. For example, "free" versions of the platforms may not have the requisite security, but a higher-level version (such as a "business" version) will provide improved security for a nominal price. These advanced versions also typically have additional useful features, such as screen sharing.
- Firewalls: Most ISPs implement firewalls to block some portion of incoming traffic, although you should consider this a supplement to your own security precautions, not a replacement. Although firewalls are an important tool, they can also pose a barrier to T-I. Many early intervention programs, particularly those affiliated with academic or large health institutions, have large firewalls that may prevent internet communications with the general public, including the families you wish to serve. Early intervention programs may need to work with their technical support staff to make needed adjustments in firewalls. The United States Computer Emergency Readiness Team (US-CERT) has more information on firewalls.
- Anti-Virus Software: Anti-virus software can identify and block many viruses before they infect your computer. Once you install anti-virus software, it is important to keep it up to date. The United States Computer Emergency Readiness Team (US-CERT) has more information on Anti-Virus Software.
- A listing of “Good Security Habits” is provided by the United States Computer Emergency Readiness Team (US-CERT).