Nursing homework help
International Journal of Telerehabilitation • telerehab.pitt.edu
International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231) 39
A SYSTEMATIC REVIEW OF RESEARCH STUDIES
EXAMINING TELEHEALTH PRIVACY AND SECURITY
PRACTICES USED BY HEALTHCARE PROVIDERS
VALERIE J. M. WATZLAF, PHD, MPH, RHIA, FAHIMA, LEMING ZHOU, PHD, DSC,
DILHARI R. DEALMEIDA, PHD, RHIA, LINDA M. HARTMAN, MLS, AHIP
DEPARTMENT OF HEALTH INFORMATION MANAGEMENT, SCHOOL OF HEALTH AND REHABILITATION
SCIENCES, UNIVERSITY OF PITTSBURGH, PITTSBURGH, PA, USA
BACKGROUND AND
SIGNIFICANCE
When in-person meetings and paper-based health
records are used, healthcare providers have a clear idea
about how to protect the privacy and security of healthcare
information. Providers see each patient in a private room
and the patient records are locked in a secure office setting
which is only accessible to authorized personnel. When the
healthcare practice is moved to the Internet, as in the case
with telehealth, and all information is electronic, the situation
becomes more complex. Most healthcare providers are not
trained in protecting security and patient privacy in
cyberspace. In cyberspace, there are many methods that
can be used to break into the electronic system and gain
unauthorized access to a large amount of protected health
information (PHI). Therefore, the information security and
patient privacy in telehealth is at a higher risk for breaches
of PHI. For instance, from 2010 to 2015 it was found that
laptops (20.2%), network servers (12.1%), desktop
computers (13%), and other portable electronic devices
(5.6%) made up 51 percent of data sources of all healthcare
data breaches that affected more than 500 individuals
(Office of the National Coordinator for Health Information
Technology, 2016).
PHI is highly regulated in the United States. The most
familiar regulation impacting healthcare facilities and
providers is the Health Insurance Portability and
Accountability Act (HIPAA) of 1996 (US Department of
Health and Human Services, 2013). HIPAA is a federal law
that provides privacy and security rules and regulations to
protect PHI. The HIPAA Privacy Rule is an administrative
regulation created by the Department of Health and Human
Services (DHHS). It was developed after the US Congress
passed HIPAA, and went into effect in 2003.
The HIPAA Privacy Rule only applies to healthcare
providers that conduct electronic billing transactions but is
effective for both paper and electronic health information. It
is a set of national standards that addresses the use and
disclosure of PHI by a covered entity such as a healthcare
organization as well as establishing privacy rights for
individuals on how their PHI is used and shared. Its major
objective is to protect the flow of health information while at
the same time providing high quality healthcare.
ABSTRACT
The objective of this systematic review was to systematically review papers in the United States that examine current practices in privacy and security when telehealth technologies are used by healthcare providers. A literature search was conducted using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses Protocols (PRISMA-P). PubMed, CINAHL and INSPEC from 2003 – 2016 were searched and returned 25,404 papers (after duplications were removed). Inclusion and exclusion criteria were strictly followed to examine title, abstract, and full text for 21 published papers which reported on privacy and security practices used by healthcare providers using telehealth. Data on confidentiality, integrity, privacy, informed consent, access control, availability, retention, encryption, and authentication were all searched and retrieved from the papers examined. Papers were selected by two independent reviewers, first per inclusion/exclusion criteria and, where there was disagreement, a third reviewer was consulted. The percentage of agreement and Cohen’s kappa was 99.04% and 0.7331 respectively. The papers reviewed ranged from 2004 to 2016 and included several types of telehealth specialties. Sixty-seven percent were policy type studies, and 14 percent were survey/interview studies. There were no randomized controlled trials. Based upon the results, we conclude that it is necessary to have more studies with specific information about the use of privacy and security practices when using telehealth technologies as well as studies that examine patient and provider preferences on how data is kept private and secure during and after telehealth sessions.
Keywords: Computer security, Health personnel, Privacy, Systematic review, Telehealth
International Journal of Telerehabilitation • telerehab.pitt.edu
40 International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231)
The HIPAA Security Rule went into effect in 2005 and
regulates only electronic health information. It is a set of
national standards that protects an individual’s electronic
health information that is created, received, used or
maintained by a covered entity such as a healthcare
organization. It requires the administrative, physical, and
technical standards to be adopted so that confidentiality and
integrity of electronic PHI is protected.
In addition to HIPAA, there are many other federal and
state laws that govern the use and disclosure of health
information. Of these laws, HIPAA and the Health
Information Technology for Economic and Clinical Health
(HITECH) Act of 2009 have provided the most specific
regulations for the protection of privacy and security of
health information in the United States. However, some
state regulations may be even more stringent, such as
requiring a consent form for disclosure of a patient’s own
medical record when HIPAA does not require consent
(Rinehart-Thompson, 2013). The HITECH Act includes
changes to the HIPAA Privacy and Security rules that focus
mainly on health information technology and strengthens
standards for the privacy and security of health information.
It went into effect in 2010 but some parts of the act have
different compliance deadlines (Rinehart-Thompson, 2013).
For this article, we adopted the Health Resources and
Services Administration’s (HRSA) 2015 definition of
telehealth: “the use of electronic information and
telecommunications technologies to support long-distance
clinical health care, patient and professional health-related
education, public health and health administration.
Technologies include videoconferencing, the Internet, store-
and-forward imaging, streaming media, and terrestrial and
wireless communications” (Health Resources and Services
Administration, 2015). The HRSA definition was used
because it aligns with our purpose, which is to provide a
systematic review of published papers that pertain to privacy
and security provisions used by healthcare providers when
deploying telehealth technologies in the United States.
Our previous experiences in interacting with telehealth
providers suggest that the providers do not always know the
best practices to use to decrease the risk of privacy and
security issues in telehealth (Cohn & Watzlaf, 2012; Watzlaf,
2010; Watzlaf, Moeini, & Matusow, 2011). Many of the
features within the free, consumer-based video and voice
communication systems that were evaluated did not
demonstrate to the providers using them that the information
was private and secure (Watzlaf & Ondich, 2012). Also,
many of the telehealth providers did not know the best
practices to use to educate consumers on privacy and
security (Watzlaf, Moeini, & Firouzan, 2010; Watzlaf, Moeini,
Matusow, & Firouzan, 2011).
Through our past work, audit checklists were developed
to determine if a system supports HIPAA compliance
(Watzlaf et al., 2010; Peterson & Watzlaf, 2014). The 58-
question checklist is specific to Information and
Communication Technologies (ICTs) (Watzlaf et al., 2010).
There are already methods and tools available for
healthcare providers to evaluate the security and privacy
features of telehealth systems they are currently using. Now,
it is necessary to conduct a systematic review on the status
of privacy and security provisions that are used by
healthcare professionals when deploying telehealth services
to see if they are using the tools and guidelines available to
them or if they incorporate new systems to evaluate privacy
and security within telehealth systems.
OBJECTIVES:
1. Evaluate, from published papers, what privacy and
security measures were addressed when healthcare
providers used telehealth technologies.
2. Compile best practices and guidelines for healthcare
professionals using telehealth technologies.
MATERIAL AND METHODS
SEARCH STRATEGY
A systematic literature search was performed on papers
published between 2003 to 2016. The sources used in the
search included PubMed (Medline via PubMed; National
Library of Medicine, Bethesda, MD; started in 1966) CINAHL
databases (indexing from nursing and allied health
literature) and INSPEC (a scientific and technical database
developed by the Institution of Engineering and
Technology).
Briefly, our literature search strategy combined
synonyms for telehealth with privacy and security across
healthcare professionals. The list of synonymous terms was
voluminous. Some examples of synonymous terms for
telehealth included telemedicine, telepathology,
telerehabilitation; synonymous terms for privacy and security
included confidentiality, encryption, access control,
authentication; synonymous terms for healthcare
professionals included physicians, clinicians, nurses,
occupation therapists. Language restrictions included those
papers written in English only. In addition, reference lists
were reviewed manually from relevant original research and
review papers.
These searches returned 21,540 papers from PubMed
and 4,785 papers from CINAHL, and 591 papers from
INSPEC for a total of 26,916 papers, of which 1,512 were
duplicates. After a review of titles and abstracts, 21 papers
were reviewed in full text (Figure 1). After the first round of
article selections, one third of the papers were found to be
International Journal of Telerehabilitation • telerehab.pitt.edu
International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231) 41
international. Papers were then restricted to those in the
United States since HIPAA and HITECH are laws that are
enforced in the United States only and these laws are a
major influence in privacy and security in the US.
The protocol for this study was based on the Preferred
Reporting Items for Systematic Review and Meta-Analysis
Protocols (PRISMA-P). The PRISMA-P contains 17 items
that are considered essential as well as minimum
components to include in systematic reviews or meta-
analyses. PRISMA-P recommends that each systematic
review include detailed criteria using the PICOS
(participants, interventions, comparisons, outcome(s) and
study design) reporting system (Moher et al., 2015). Details
of the full protocol have been previously published in
Prospero and the International Journal of Telerehabilitation
(Watzlaf, DeAlmeida, Zhou, & Hartman, 2015; Watzlaf,
DeAlmeida, Molinero, Zhou, & Hartman, 2015).
STUDY ELIGIBILITY
To be eligible for this systematic review, published
papers had to meet all the following criteria:
1. Published papers that included research, best practices, or recommendations on the use of telehealth and privacy or security.
2. Published papers that included any type of health care professional using any available telehealth for their clients with a focus on privacy and/or security, HIPAA and/or HITECH.
3. Published papers with full text in English.
4. Published papers where research or recommendations focused on the US only published between 2003-2016.
5. Existing solutions/best practices to privacy and security challenges, HIPAA compliance (qualitative and quantitative) in telehealth use.
Figure 1. A flow diagram of the search and selection process.
International Journal of Telerehabilitation • telerehab.pitt.edu
42 International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231)
EXCLUSION OF PAPERS
Papers were reviewed and excluded in different
phases:
• Phase I: Duplicates Removed. A total of 26,916 papers were found in the three databases and 1,512 were removed as duplicates to yield 25,404 papers.
• Phase II: Articles Removed by Reviewing Title and Abstract. A title/abstract review was conducted, first by two independent reviewers. A third reviewer was used to resolve disagreement (24,998 excluded, to yield a total of 406 papers).
• Phase III: Articles Removed After Reviewing Full Text. A full text review of 406 papers was conducted by all three reviewers (356 excluded, 50 papers remained).
• Phase IV: American Telemedicine Association Guidelines Added. Since the American Telemedicine Association (ATA) guidelines were not returned from the original search because they were guidelines and not peer-reviewed articles, they were added into the original list (50) because of their focus on telehealth, privacy and security (11 added. Total of 61 papers).
• Phase V: Articles Removed by Evaluating Security and Privacy Content. A review of these papers to examine security and privacy contents yielded 40 exclusions. And eventually, a total of 21 papers were included in the final systematic review.
In the initial title/abstract review the major reasons for
exclusion were:
1. Papers were published before HIPAA was enforced in 2003
2. Studies were not conducted in the US and therefore did not abide by HIPAA/HITECH
In the full text review the major reasons for exclusion
were that the papers did not include both telehealth and a
major aspect of privacy and security related to telehealth
use.
DATA EXTRACTION PROCESS AND
QUALITY ASSESSMENT
All search results were exported into EndNote libraries.
EndNote is a bibliographic management system. De-
duplications were performed by using the method described
by Bramer et al (Bramer, Giustini, de Jonge, Holland, &
Bekhuis, 2016). Studies were removed if they were found to
be duplicated. The PDFs of the papers reviewed were
stored in a shared Box account (i.e., a secure cloud content
platform in which users can share large documents as well
as collaborate, Redwood City, CA).
Each article meeting the inclusion criteria was reviewed
and its characteristics documented using a standardized
pre-tested data extraction form. The data extraction form
captured the following data items: the three large goals of
privacy and security (confidentiality, integrity, and
availability); the specific techniques for achieving these
goals (authentication, encryption, access control, physical
security, policy, database backup, error detection, anti-virus,
software patches, secure system design, intrusion
detection); and the methods in each system (study designs,
settings, and outcomes).
The reference librarian performed the search and only
provided the title, abstract and year to the reviewers. The
two reviewers (DD, VW) independently read the title and
abstracts of the identified papers and determined eligibility
based on the specified inclusion/exclusion criteria. To better
know how to appropriately search the article titles and
abstract, two of the reviewers (DD and VW) conducted a
pilot study by using a small sample (n=100) of papers, made
the selection and then discussed the results against the
selection criteria. From this pilot study we could determine
that we applied the same selection criteria for our search
strategy.
Reviewers were blind to journals, study authors and
institutions. Any disagreements between the reviewers were
resolved by a third reviewer (LZ). Inter-rater reliability was
measured using the Cohen’s kappa statistical test (k). An
inter-rater Kappa score was assessed during the first round
of the paper selection, to ensure a Kappa score at or above
0.8 as measured by Cohen’s Kappa (k) statistical test. Full-
text of studies making this first cut were reviewed.
Three reviewers screened these for inclusion/exclusion
criteria. Selection disagreements were resolved through
discussion and reasons for excluding studies were recorded.
A form, developed in Excel, was used to extract data from
selected studies and included the author, year of
publication, reference; study design and sample size;
setting; privacy and security descriptions; primary outcomes;
study limitations, HIPAA compliance, and best practices.
Reviewers assessed the overall quality of evidence for every
important outcome using the GRADE four point ranked
scale: (4) High; (3) Moderate; (2) Low; (1) Very low
(Balshem et al., 2011). Full papers were used as evidence
for decisions about the quality of evidence and the strength
of recommendations. Any differences in the grading were
assessed and discussed in several meetings with
investigators until full consensus was reached.
DATA SYNTHESIS
Quantitative analysis of the data from the papers was
limited due to the lack of quantifiable data in the privacy and
security literature. However, subcategories with similar
International Journal of Telerehabilitation • telerehab.pitt.edu
International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231) 43
characteristics received more in-depth comparisons.
Investigators first broke the data into qualitative themes that
related to privacy, security and administrative content. Each
of those areas were broken down into subthemes such as
patient rights, use, and disclosure for privacy; technical and
physical for security; and organizational and
education/training/personnel for administrative. Then,
specific content within the 21 papers were reviewed closely
and categorized across each of those themes and
subthemes.
RESULTS
REVIEWER AGREEMENT
For the 25,404 entries reviewed by 2 reviewers the
percentage of agreement was very good with the observed
value of 99.04% and the 95% CI between 98.91 to 99.16
calculated per the Wilson efficient-score method. For the
Cohen’s kappa, the observed kappa is 0.7331 and the 95%
CI are 0.7009 to 0.7653. Although the kappa is lower than
0.8, this still suggests substantial agreement (Fleiss, Cohen,
& Everitt, 1969).
TIME PERIOD AND TYPE OF STUDIES
A total of 21 papers (Watzlaf & Ondich, 2012; Watzlaf et
al., 2010; Watzlaf, Moeini, Matusow, et al., 2011; Peterson &
Watzlaf, 2014; Paing et al., 2009; Cason, Behl, & Ringwalt,
2012; Daniel, Sulmasy, & for the Health and Public Policy
Committee of the American College of Physicians, 2015;
Naam & Sanbar, 2015; American Telemedicine Association,
2009, 2011, 2014a, 2014b, 2016; Hall & McGraw, 2014;
Garg & Brewer, 2011; Brous, 2016; Mullen-Fortino et al.,
2012; Nieves, Candelario, Short, & Briscoe, 2009; Putrino,
2014; Demiris, 2004; Demiris, Edison, & Schopp, 2004)
were selected for this systematic review. These selected
papers were published between 2004 to 2016, in which 29
percent of them were published between 2011-2012. The
papers included several telehealth specialties such as
telerehabilitation, telepsychiatry, teletrauma, telenursing and
tele-diabetes. Sixty-seven percent were
guideline/policy/strategy type studies, with three using a
survey or interview method (14%). Other studies included a
usability study, a systematic review, a pilot study and an
opinion piece. There were no randomized controlled trials
found that focused on privacy and security in telehealth
(Table 1).
Table 1. Overview of Reviewed Studies
Overview of Studies
Time Period # %
2004-2005
2009-2010
2011-2012
2013-2014
2015-2016
2 9.5
4 19.0
6 28.6
5 23.8
4 19.0
Total 21 100
Specialties # %
Telepsychiatry
Teletrauma
Telenursing
Telerehabilitation
Telepathology
Teleburn
Telediabetes
Telesurgery
General telehealth
2 9.5
2 9.5
2 9.5
5 23.8
1 4.8
1 4.8
2 9.5
1 4.8
5 23.8
Total 21 100
Type of Study # %
Guideline/policy/strategy
Survey/Interview
Usability
Pilot
Opinion
Systematic/literature review
14 66.7
3 14.3
1 4.8
1 4.8
1 4.8
1 4.8
Total 21 100
DESCRIPTIVE ANALYSIS OF ALL
STUDIES
A quantitative analysis of the privacy, security, and
administrative areas that were discussed in the papers is
summarized in Table 2. All studies discussed some aspect
of privacy and security. Sixty-seven percent addressed
patient rights to include informed consent, accessibility,
confidential communications, or the patient’s ability to
amend their information. Thirty-eight percent addressed use
and disclosure to include how video sessions are retained,
authorizations for release of information to other countries,
websites, and third parties, accounting of disclosures,
International Journal of Telerehabilitation • telerehab.pitt.edu
44 International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231)
purging and/or deletion schedule of files on mobile devices
and audio and video muting to maintain privacy. Sixty-seven
percent of the studies addressed the technical aspects of
security to include encryption, two-factor authentication,
data backup, storage and recovery to meet HIPAA
requirements, National Institute of Standards and
Technology (NIST) and Health Level-7 (HL7)
recommendations. However, only 38 percent addressed the
physical aspects of the telehealth session to include a
secure server location, back-up generator and maintaining a
secure physical environment for where the telehealth
session is held. One of the studies contained a systematic
review of telemedicine security and found poor reporting of
methodologies for telemedicine technologies and security
measures. Fifty-two percent of the papers did not discuss
the organization of privacy and security through policies,
procedures, Business Associate Agreements (BAAs) or
compliance audits, however, 67 percent addressed the need
for education and training of providers, patients and
technical support workforce.
Table 2: Privacy, Security, and Administrative Content
Privacy, Security,
Administrative Content
# %
Privacy
Patient Rights
Yes, addressed
No, not addressed
Use and Disclosure
Yes, addressed
No, not addressed
14 66.7
7 33.3
8 38.1
13 61.9
Security
Technical
Yes, addressed
No, not addressed
Physical
Yes, addressed
No, not addressed
14 66.7
7 33.3
8 38.1
13 61.9
Privacy, Security,
Administrative Content
# %
Administrative
Organization (policies)
Yes, addressed
No, not addressed
Education/Training/
Personnel
Yes, addressed
No, not addressed
10 47.6
11 52.4
14 66.7
7 33.3
Table 3 provides a detailed summary of all papers for
privacy, security and administrative content. Most of the
patient rights content dealt with providing verbal or written
informed consent in simple, easy to understand language
and to have providers discuss the risks of privacy and
security when using telehealth. Use of audio/video muting
and a secure physical environment was also discussed to
be included in the consent for treatment so that the patient
understands how their information during and after the
telehealth session is private. Use and disclosure was not as
clearly addressed, although several papers stated that
access to patient information should only be granted with
proper authorization, and there was a need to have this
discussed with the patient so that they understood
ownership of the data before the telehealth session begins.
Encryption and two-factor authentication were other major
areas addressed in the papers. Some papers did provide
details as to the types of encryption to use as well as
meeting HIPAA and NIST requirements and
recommendations. Data backups, storage of the video files,
and the ability to keep them secure was also discussed.
Other areas addressed included a review of consumer-
based free systems and the importance of healthcare
providers’ understanding of which telehealth technologies
meet federal, state, and local laws. Other areas mentioned
included performing an overall privacy and security
assessment of the telehealth system and to maintain
security solutions specific to the telehealth system, making
sure that confidentiality and security are a primary concern.
Many of the papers expressed the need for overall provider
and patient awareness, education and training and policies
on keeping telehealth information private and secure, and
policies that specify who can be included in the telehealth
session. Other papers expressed the need for maintaining a
BAA with the vendor providing the telehealth system. Some
papers addressed the need for more research on the
effectiveness of telemedicine to include telehealth security
training, legal liability, HIPAA compliance and the
importance of an independent assessment of overall privacy
and security. Some of the papers described the lack of
current scientific studies around privacy and security in
telehealth and the need for more studies that demonstrate
the effectiveness of best practices in privacy and security of
telehealth (Table 3).
International Journal of Telerehabilitation • telerehab.pitt.edu
International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231) 45
Table 3: Detailed Summary of All Papers for Privacy, Security and Administrative Content
Privacy Security Administrative
Article Title, Year
Journal
Type of Study
Patient Rights
(access, amend, right to
confidential
communications,
informed consent etc.)
Use & Disclosure
(authorizations,
accounting of
disclosures, de-
identification of
data etc.)
Technical
(encryption, access
control, authentication,
data backup, storage,
recovery)
Physical
(secure server
location, backup
generator etc.)
Organizational
(policies, BAAs,
auditing)
Education/
Training/
Personnel
(American
Telemedicine
Association,
2009)
Evidence Based
Practice for
Telemental Health
Policy
Keep physical
surroundings private
using audio/video
muting; Considered
essential to easily
change from public to
private audio mode.
(American
Telemedicine
Association,
2014a)
Clinical
Guidelines for
Telepathology
Policy
Unauthorized persons
should not have
access to sensitive
information.
Use audio/video
muting, and easily
change from public to
private audio mode.
Consideration
should be given to
periodic purging or
deletion of
telepathology files
from mobile
devices.
Data transmission must
be secure through
encryption that meets
recognized standards.
Mobile device use
requires a passphrase
or other equivalent
security feature, multi-
factor authentication,
inactivity timeout
function with
passphrase or re-
authentication to access
the device after timeout
is exceeded (15
minutes).
Give providers the
capability to use
remote wiping if
device lost or stolen.
Back up or store on
secure data storage
locations. Do not
use cloud services if
they cannot comply
in keeping PHI
confidential.
Mobile devices
should be kept in
the provider’s
possession when
traveling or in an
uncontrolled
environment.
Those in charge of
technology should know
technology security.
Mobile devices should be
kept in the provider’s
possession when traveling
or in an uncontrolled
environment.
(American
Telemedicine
Association,
2016)
Practice
Guidelines for
Teleburn
Informed consent:
discuss with patient
about the telehealth
session and use simple
language especially
when describing all
privacy and security
If transmission data are stored on hard drive,
use Federal Information
Processing Standard
(FIPS) 140-2 encryption
AES as acceptable
levels of security.
Those in charge of the technology should educate
users with respect to all
privacy and security options.
Educate patients on the
potential for inadvertently
storing data and PHI;
International Journal of Telerehabilitation • telerehab.pitt.edu
46 International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231)
Privacy Security Administrative
Article Title, Year
Journal
Type of Study
Patient Rights
(access, amend, right to
confidential
communications,
informed consent etc.)
Use & Disclosure
(authorizations,
accounting of
disclosures, de-
identification of
data etc.)
Technical
(encryption, access
control, authentication,
data backup, storage,
recovery)
Physical
(secure server
location, backup
generator etc.)
Organizational
(policies, BAAs,
auditing)
Education/
Training/
Personnel
Policy issues such as encryption, store-
forward transmissions
of data/images,
videoconferencing etc.
Key topics should
include confidentiality
and limits to
confidentiality in
electronic
communications; how
patient information will
be documented and
stored.
Pre-boot authentication
should also be used. intention to record services;
methods of storage; how
PHI will be shared with
authorized users and
encrypted for maximum
security; recordings will be
streamed to protect
accidental or unauthorized
file sharing or transfer.
(American
Telemedicine
Association,
2014b)
Core Operational
Guidelines for
Telehealth
Services Involving
Provider-Patient
Interactions
Policy
Healthcare providers
should provide to the
patient verbal/written
information related to
privacy and security;
potential risks and
confidentiality in easy
to understand
language, especially
when discussing
encryption or potential
for technical failures;
limits to confidential
communication,
documentation and
storage of patient
information.
Access to
recordings only
granted to
authorized users.
Stream to protect
from accidental or
unauthorized file
sharing/transfer.
Privacy Features
should include:
audio, video
muting, easily
change from
public to private
mode, privacy of
the mobile device.
Multi-factor
authentication; inactivity
timeout function; keep
mobile devices with
provider always; wipe or
disable mobile device if
lost or stolen.
Audio, video and all
other data transmission
should use encryption
(at least on the side of
the healthcare
professional) that meets
recognized standards.
Use software that has
appropriate verification,
All devices should
have up to date
security software,
device management
software to provide
consistent oversight
of applications,
device and data
configuration and
security, backup
plan for
communication
between sites and
discussed with the
patient. Only allow
one session to be
open at one time
and if there is an
Establish
guidelines for
periodic purging or
deletion.
Providers should give
guidance to patients about
inadvertently storing PHI
and how best to protect
privacy. Discuss recording of
services, how information
will be stored and how
privacy will be protected.
International Journal of Telerehabilitation • telerehab.pitt.edu
International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231) 47
Privacy Security Administrative
Article Title, Year
Journal
Type of Study
Patient Rights
(access, amend, right to
confidential
communications,
informed consent etc.)
Use & Disclosure
(authorizations,
accounting of
disclosures, de-
identification of
data etc.)
Technical
(encryption, access
control, authentication,
data backup, storage,
recovery)
Physical
(secure server
location, backup
generator etc.)
Organizational
(policies, BAAs,
auditing)
Education/
Training/
Personnel
Should also discuss a
policy for the patient
sharing portions of this
information with public
and written
agreements may be
needed to protect both
the patient and
provider.
confidentiality, and
security measures.
If services are recorded,
store in a secure
location and make
accessible to authorized
users only.
attempt to open an
additional session
the system will
automatically log off
the first session or
block the second
session from being
opened.
Session logs should
be secured in a
separate location
and only granted to
authorized users.
Back up to or store
on secure data
storage locations.
Do not use cloud
services if they
cannot comply in
keeping PHI
confidential. Brous, 2016)
American Journal
of Nursing
Policy
Nurses must meet
medical information
and patient privacy
requirements of
HIPAA, as well as
state privacy laws,
organizational policies,
and ethical standards.
Devices that contain PHI must meet security
requirements, and
wireless
communications must
have cybersecurity
protection; electronic
files must be stored in a
manner that ensures
privacy and
All providers should be educated on how to prevent
data breaches when
communicating information
via telehealth, transmitting
images or audio or video
files electronically and on
how to respond when they
do occur.
International Journal of Telerehabilitation • telerehab.pitt.edu
48 International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231)
.awasam-promo3 {
background-color: #F5F9FF;
color: #000000;
text-align: center;
padding: 20px;
border-radius: 10px;
}
.button {
background-color: #4CAF50;
border: none;
color: white;
padding: 10px 20px;
text-align: center;
text-decoration: none;
display: inline-block;
font-size: 16px;
margin: 4px 2px;
cursor: pointer;
border-radius: 5px;
}
.button-whatsapp {
background-color: #41D07D;
border: none;
color: white;
padding: 10px 20px;
text-align: center;
text-decoration: none;
display: inline-block;
font-size: 16px;
margin: 4px 2px;
cursor: pointer;
border-radius: 5px;
}
.awasam-alert {
color: red;
}
Needs help with similar assignment?
We are available 24×7 to deliver the best services and assignment ready within 6-8 hours? Order a custom-written, plagiarism-free paper
Get Answer Over WhatsApp
Order Paper Now