Article  |   September 2011
Privacy and Internet-Based Telepractice
Author Affiliations & Notes
  • Ellen R. Cohn
    Department of Communication Science and Disorders, School of Health and Rehabilitation Sciences, University of Pittsburgh, Pittsburgh, PA
  • Valerie J. M. Watzlaf
    Department of Health Information Management, School of Health and Rehabilitation Sciences, University of Pittsburgh, Pittsburgh, PA
  • © 2011 American Speech-Language-Hearing Association
Practice Management / Telepractice & Computer-Based Approaches
SIG 18 Perspectives on Telepractice, September 2011, Vol. 1, 26-37. doi:10.1044/tele1.1.26

Speech-language pathologists and audiologists have historically been attuned to protecting the privacy of their clients. The recent proliferation of Internet-based communication for telepractice has resulted in new and constantly evolving threats to client privacy. This article provides an overview of key legal protections to privacy. With a focus on Voice over Internet Protocol (VoIP; e.g., Skype), the authors present an approach to risk assessment that includes a HIPAA Compliance Checklist (Watzlaf, Moeini, & Firouzan, 2010) and a team approach to oversight. Upholding Internet-based privacy within the current environment is an ongoing and challenging responsibility.

Introduction and Purpose
The speech-language pathology and audiology professions are highly sensitized to their responsibility to protect client privacy. It has long been part of our professional acculturation that information our clients reveal to us must not be knowingly divulged to others without explicit consent.
Prior to the advent of Internet-based e-mail, electronic health records, and videoconferencing, academic training programs and clinical facilities focused on the prevention of improper disclosures of a non-electronic nature. Graduate student clinicians were (and are still) cautioned to not talk about clients in elevators or other public places; to not share information about clients with family and friends; to not convey client information to unauthorized clinical personnel or others with no clear “need to know”; to not transport clinical records outside of secure environments; and to be certain clinical records are not unduly accessible (i.e., on office desks, fax machines, printers, copiers, or in unlocked file drawers). Telepractice transactions are not immune to any of these privacy breaches.
Additionally, during the conduct of telepractice, client privacy can be physically violated on either side of a “live” (e.g., videoconference, teleconference, speaker phone) session. On the practitioner’s side, privacy would be breached if non-clinical personnel can hear part of a telepractice session due to a door ajar or the transmission of sound between rooms. A staff member or a delivery person unexpectedly entering the room would also compromise privacy, as would an unauthorized person entering an observation room. On the client’s side, privacy would be violated if a non-authorized person (e.g., family, staff, aide, etc.) hears and/or sees part of the teletherapy session.
Beyond these physical violations, current Internet-based communication fosters new and constantly evolving threats to privacy. The protection of client privacy has become increasingly difficult and complex.
Telepractice Privacy Violations
Consider the following hypothetical scenario for a telepractice session. (While based on a client with a fluency disorder, the scenario could apply to many speech, language and hearing disorders.)

Mr. Jones is a 37-year-old corporate executive with a lifelong fluency disorder. Because Mr. Jones travels often, requires evening treatment appointments, and is comfortable with electronic communication, he decides to seek a clinician who engages in telepractice. He locates a speech-language pathologist (Ms. Smith) through an Internet search. After reviewing Ms. Smith’s training and qualifications via her website, “TelefluencyServicebySmith.com,” Mr. Jones registers for services and selects a date and time of therapy.

As per the pre-meeting instructions, Mr. Jones calls a telephone number and relates his history of fluency problems and a brief medical history. Ms. Smith is out for the evening when Mr. Jones calls, so her home-based telephone answering machine records the message. (As the message is recorded, it is audible to her two children and a childcare provider.) The recorded narrative conveniently attaches to Ms. Smith’s personal e-mail account, so she can listen to the message on an iPhone’s “speaker” while she is waiting for her friends at a restaurant. Mr. Jones also faxes a signed consent for treatment and financial agreement to Ms. Smith’s fax machine, which is shared by her family.

Several days later, Mr. Jones and Ms. Smith “meet” for their first evening telepractice session. The therapy is conducted using a popular, free, Internet-based technology: Voice over the Internet Protocol (VoIP, much like Skype). Ms. Smith does not work at home due to the presence of her family and a frequently barking dog. Instead, she selects an isolated table at a local coffee shop and makes use of that venue’s free Internet connection, believing that the change in venue is both cost-saving to her practice and protective of the client’s privacy.

After the session, Ms. Smith types brief notes of the clinical contact and transmits them to herself via e-mail. She packs up her laptop computer, and upon return to her home, sets up the computer on her dining room table, for use by her family between telepractice sessions.

Billing and payment are managed electronically.

Beyond the family and childcare provider hearing the recorded message and reading faxed documents on the family machine, as well as the possibility of persons in the public venues (restaurant and coffee shop) hearing and/or seeing the client, perhaps the client privacy was adequately protected. However, the clinician could not know that unless she had:
  1. Established safeguards for the Internet technologies she might control (e.g., e-mail, website, and phone message encryption; strong password protections; dedicated use of the computer for telepractice; etc.), and,

  2. Conducted and acted upon a “risk analysis” to determine if privacy would be upheld by the Internet-based technologies she could not as easily control (e.g., third party Internet carriers).

This article briefly presents some of the most compelling protections of client privacy, and then presents a risk analysis protocol that examines the expressed privacy policies of Voice over the Internet Protocol (VoIP) carriers.
VoIP Videoconferencing Technologies and Security Concerns
Telepractice services are increasingly being conducted over the Internet via VoIP systems, such as Adobe ConnectNow, Skype, ooVoo, and others, that can provide voice and video teleconferencing between clinicians and clients. Though it is possible to select VoIP systems that are less expensive to operate than office telephone or teleconferencing systems, the use of VoIP videoconferencing technologies that are private, secure, and compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) may not be without significant upfront and ongoing costs. Before speech-language pathologists and audiologists use a VoIP system, they should first consider whether the video and/or voice transmissions and any other health information that may be released via the VoIP system will be kept private and secure and will meet HIPAA requirements.
A recent study published by Watzlaf, Moeini, Matusow, & Firouzan (2011) examined the privacy policies of the ten most popular free VoIP videoconferencing software systems. Each privacy and/or security policy and/or terms of use, whichever was available on the site, was reviewed and analyzed for the 58 questions addressed on the HIPAA Compliance Checklist (see below). Some key findings are as follows:
  • Twenty percent of the VoIP companies stated that yes, it is a possibility that video content is accessible to employees and 30% did not specify this in their privacy policy or terms of use.

  • Seventy percent of the VoIP companies reported that they do not record video sessions, while 30% did not specify this information in their policies. Other personal information is retained by 60% of the companies, and deletion of past information by the user was expressed as available for only 30% of the companies.

  • Ninety percent of the VoIP company policies stated that personal information, communications content, and/or traffic data will be provided to legal authorities when requested. Eighty percent of the companies do not provide backgrounds on the employees who would be deciphering these requests, and do not indicate that they have a qualified individual with privacy and security experience analyze these requests.

  • Some of the VoIP companies reviewed are based outside of the United States. Seventy percent of the companies will allow a transfer of information outside of the country to a third party. This is problematic on several accounts. The use of VoIP products automatically provides consent to this transfer of personal information. There is the possibility of data storage outside of the United States, where U.S. federal privacy laws do not apply. None of the companies stated how different countries will maintain the confidentiality of personal health data and only 10% stated that companies in other countries do not release information more easily than in the United States, even though they do not need to abide by U.S. federal law.

  • Fifty percent of the VoIP companies will share personal information acquired during video conferencing to a third party that the company may buy or sell as part of its business agreements.

  • Fifty percent of the VoIP companies reported using some form of encryption, and only 30% said that their encryption could protect against eavesdropping by third parties. Some companies that use encryption did not specify what type of encryption is used.

  • Ninety percent of the VoIP companies do contain links to other websites that may have a different privacy and security policy than their own and none of the companies stated that they accept responsibility or liability for these other websites.

Of course, the information above may not present a totally accurate virtual snapshot of the actual safeguards in place, because a privacy policy may or may not be inclusive and/or truthful:
  • A VoIP company’s expressed protection(s) of privacy may not translate to their actual practice.

  • A VoIP company’s failure to express that a privacy safeguard exists does not mean the safeguard is absent.

We caution our readers that expressed privacy policies may not translate to actual practice, and thus, while reasonable precautions can be taken, there are no assurances that current technologies are 100% protective of client privacy. Clients and clinicians together need to be aware of any uncertainties and determine that the benefits of using telepractice outweigh any potential risks to their privacy.
Protection of Client Privacy: An Ancient and Basic Tenet
The ancient Oath of Hippocrates famously declared that physicians must protect their clients’ private information:

“Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private.” (North [trans.], 2002)

The obligation to maintain patient privacy is no less important in 2011 and continues to stand as a basic operating principle for numerous health and rehabilitation professions. The American Speech-Language-Hearing Association (ASHA) declares and interprets this obligation in numerous documents, most importantly in the ASHA Code of Ethics (2010).
  • Principle of Ethics I; Rule of Ethics M states: “Individuals shall adequately maintain and appropriately secure records of professional services rendered, research and scholarly activities conducted, and products dispensed, and they shall allow access to these records only when authorized or when required by law.”

  • Principle of Ethics I; Rule of Ethics N is also relevant: “Individuals shall not reveal, without authorization, any professional or personal information about identified persons served professionally or identified participants involved in research and scholarly activities unless doing so is necessary to protect the welfare of the person or of the community or is otherwise required by law.”

To “heighten sensitivity and increase awareness” of issues related to privacy, the ASHA Board of Ethics issued an Issues in Ethics Statement, “Confidentiality,” in 2001 and then revised in 2003 (ASHA, 2004). The Board specified:

Data and the personal identities of individual participants in clinical activities and research must be kept confidential. Some reasonable precautions to protect and respect the confidentiality of participants include:

  • dissemination of clinical service and research findings without disclosure of personal identifying information, if possible;

  • secure storage and limited access to clinical and research records by authorized personnel only;

  • removal, disguise, or coding of personal identifying information; and

  • written, informed consent from participants, parent, or guardian to disseminate findings observable from photographic/video images or audio voice recordings in which personal identifying information may be disclosed to others.

ASHA’s 2002 Technical Report, “Appropriate School Facilities for Students with Speech Language-Hearing Disorders,” addressed the need for privacy within the school environment.
Telepractice and Privacy
Following the emergence of advances in telecommunication technologies and associated new methods of practice, ASHA’s Principle of Ethics I, Rule L (J in the previous Code, version 2003), was added, stating that “[i]ndividuals may practice by telecommunication where not prohibited by law,” a mode of practice now labeled as “telepractice.”
Despite the obvious benefits of telepractice, new telecommunication technologies foster novel ways for users and providers of telecommunication technologies to knowingly or unknowingly violate client privacy. As early as 2005, ASHA addressed the nexus between telecommunications and privacy, publishing two parallel technical reports (one for audiologists [2005a] and one for speech-language pathologists [2005b]). Each report declared that telepractitioners are expected to:
  • “Obey laws and regulations of relevant jurisdictions governing professional licensing.

  • Be educated and trained in the models of telepractice delivery.

  • Inform clients how services via telepractice differ from services delivered face-to-face and disclose potential risks and limitations as well as benefits.

  • Evaluate the effectiveness of services rendered via telepractice to ensure that methods, procedures, and techniques are consistent with best available evidence and adhere to standards of best practices.

  • Create a safe environment within which to provide services.

  • Use transmission and recordkeeping methodologies that protect privacy and ensure confidentiality and security. Transmission and storage of electronic health information must also be consistent with federal and state regulations.”

The final bulleted requirement most directly declares the need to “protect privacy and ensure confidentiality and security.” The preceding five expectations arguably underlie and/or operate in synchrony with the protection of patient privacy. For example, “a safe environment within which to provide services” is by definition one that is protective of patient confidentiality (ASHA, 2005a, b).
Legal Protections to Privacy
Transmission and storage of electronic health information must be consistent with federal and state regulations.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA, Public Law 104-191, specifically addresses the aforementioned expectation (articulated in the ASHA technical papers) that clinicians will “use transmission and recordkeeping methodologies that protect privacy and ensure confidentiality and security” (ASHA 2005a, b).
The Act’s Administrative Simplification provisions required that the U.S. Department of Health & Human Services (HHS) articulate national standards for the electronic transmission of health-care transactions. As part of the Administrative Simplification provisions, HHS created both a Privacy Rule and a Security Rule; covered entities must comply with these and other HIPAA-related requirements. Examples of covered entities include a health-care provider that conducts specified transactions in electronic form; a health-care clearinghouse; or a health plan. The following are not covered entities: “life insurers; employers; workers compensation carriers; many schools and school districts; many state agencies like child protective service agencies, many law enforcement agencies, and many municipal offices.” The Centers for Medicare and Medicaid Services (n.d.) provides guidance on whether an individual or an organization is a covered entity in chart form, at www.cms.gov/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf.
How must covered entities perform? According to the HHS:
  • “Covered entities must put in place safeguards to protect your health information.

  • Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.

  • Covered entities must have contracts in place with their contractors and others ensuring that they use and disclose your health information properly and safeguard it appropriately.

  • Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.” (U.S. Department of Health and Human Services, n.d.a)

HIPAA’s Security Rule sets forth the security safeguards that covered entities must employ to protect protected health information (PHI).
HIPAA’s Privacy Rule details both patient rights and the obligation of covered entities to protect PHI. As part of this rule, health-care providers and health plans must provide written notice to a patient that details how the provider will make use of and share the patient’s health information, and how patients can choose to uphold the privacy of their information. The Privacy Rule also recognizes circumstances wherein PHI must be accessible to health-care providers for patient care.
Both the Security Rule and Privacy Rule govern the responsibilities of a business associate, defined as follows:

In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. (U.S. Department of Health and Human Services, n.d.b)

HITECH Act
The American Recovery and Reinvestment Act of 2009 enacted revisions of HIPAA, addressing the privacy and security concerns associated with the electronic transmission of health information under the HITECH Act (Health Information Technology for Economic and Clinical Health Act; Lazzarotti, 2009).
An uncertainty faced by current telepractitioners is as follows: Is the Voice over Internet Protocol (VoIP; e.g., Skype) used by the clinician and/or clinical practice considered a business associate of a covered entity (e.g., a health-care system or private practitioner)? If so, the covered entity must enter into a business associate agreement with the VoIP company and will need to have systems in place to meet HIPAA privacy and security regulations.
As per Watzlaf et al. (2011), while it is unclear if VoIP systems used for telepractice are business associates, it would seem that most would fall under the definition. If VoIP systems are considered to be business associates, they will need to prevent privacy breaches (e.g., unauthorized acquisition and use, access, disclosure and sale of health-care information).
Federal Enforcement of Privacy Breaches
Enforcement of the Security and Privacy Rules is the responsibility of the Office for Civil Rights (OCR), U.S. Department of Health & Human Services (HHS). Civil penalties may be assigned for violations. The HITECH Act revisions require increases in civil penalties for different categories of violations and legislated that penalties will apply even where the covered entity did not know (and, with the exercise of reasonable diligence, would not have known) of the violation. Therefore, the clinician, employing facility, and/or the VoIP could be considered culpable for such breaches.
If a privacy breach occurs, the managers of the VoIP system will need to notify those whose information has been compromised and complete a written incident response. This should document the incident and any of its effects, the response to the incident, and whether policies and procedures were followed in response to the incident (Watzlaf et al., 2011).
Risk Assessment in an Uncertain Environment
HIPAA Compliance Checklist
How can telepractice providers determine if a VoIP is private, secure, and HIPAA compliant? Experts in health information management (Watzlaf, Moeini, & Firouzan, 2010) developed a HIPAA Compliance Checklist to assist both independent clinicians and health-care facilities in assessing a VoIP software system (reprinted with permission from the author). These authors recommend that independent clinicians or health-care facilities visit the VoIP software system’s website and determine to what degree the following questions are addressed. They suggest that when information concerning a question is not present, the user might consider making a query to the software company. The user can thus decide if the benefits of using a VoIP videoconferencing system for telepractice outweigh the potential risks.
The HIPAA Compliance Checklist is as follows:
  1. Privacy: Personal Information.

    • Will employees and other users of VoIP software be able to listen in to video-therapy calls between patient and therapist?

    • Will video-therapy content of sessions between the therapist and patient be accessible to individuals within (employees) and outside of the software organization (other users/consumers)?

    • Will video-therapy content be shared further to protect the company’s legal requirements, interests, enforce policies or to protect anyone’s rights, property or safety?

    • Will video-therapy content be shared with distributors of the software or with analytical services or banking organizations etc.?

    • Will the VoIP software company provide the user 30-60 days to comply with a new privacy policy, if it has changed?

    • Will the user be able to amend personal information within a reasonable period of time and upon verification of their identity?

    • Can a user’s contact see that they are online and choose to send them an email during a video conferencing session?

  2. Privacy: Retention of Personal Information.

    • Are video conferencing sessions for Telerehabilitation (TR) therapy services recorded?

    • Will video conferencing TR therapy sessions be retained and for how long?

    • How long will other personal information be retained and what will this include?

    • If a patient requests that past information be deleted, does the privacy policy state how this will occur?

    • Is the level of access (management) of the TR videoconferencing recording up to the user?

    • Does the user get the option of archiving their records offline on storage network devices?

  3. Privacy: Voicemail.

    • Will voicemail for another VoIP user be transferred to a third party service provider?

    • If a third party service provider is used to convert and analyze the voicemail, is the background and training of the third party provided?

    • Does the background include training related to privacy and confidentiality issues related to HIPAA and other privacy statutes?

  4. Privacy: Requests for Information from Legal Authorities etc.

    • Will personal information, communications content, and/or traffic data when requested by legal authorities be provided by the VoIP software company?

    • Is information on the educational backgrounds and experience of employees working at the VoIP software company who will decipher these requests provided?

    • Will a qualified individual who is a Registered Health Information Administrator (RHIA) with privacy, confidentiality, and HIPAA compliance experience analyze these requests?

    • Will a complete and accurate consent to patient disclosure be made?

    • Will appropriate processing of the personal data that is necessary to meet a valid request be made?

    • Will a subpoena or court order be requested from law enforcement and government officials requesting personal information?

    • Will an accounting of disclosures be made and provided to the user?

    • Are patients able to request a restriction of uses and disclosures?

  5. Privacy: Sharing of Personal Information in Other Countries.

    • Will a transfer of personal information outside of your country to a third party be made by the VoIP software company?

    • Will the use of any VoIP products automatically consent to the transfer of personal information outside of your country?

    • Since privacy and confidentiality regulations change across different countries, how will different countries maintain personal health related data and video?

    • Will other countries who may not abide by the HIPAA requirements, have the opportunity to release personal information more easily and without regard for legal requirements?

    • Should personal information that is acquired during video conferencing be transferred to a third party that the software company may buy or sell as part of its business agreements?

    • Should the patient have the right to consent to this transfer of personal information?

    • If the patient consents, with how many different countries will their personal information be shared, when participating in TR video conferencing therapy?

  6. Privacy: Linkage to Other Websites.

    • Will the VoIP software contain links to other websites that may have a different privacy policy than their policy?

    • Does the VoIP software company accept responsibility or liability for these other websites?

    • Is the VoIP considered a business associate with the tele-therapy site being the covered entity?

    • Will the covered entity need to have business associate agreements with each of the other websites in which personal information may travel?

    • Will the other websites need to comply with privacy and security (HIPAA) requirements on their own?

    • How will the VoIP software company handle privacy and security protections under the HITECH amendment of HIPAA rules?

  7. Security: Encryption.

    • Are voice, video, and instant message conversations encrypted with strong encryption algorithms that are secure and private during transmission?

    • Does the encryption protect video TR therapy sessions from potential eavesdropping by third parties during transmission?

    • Does the encryption implementation contain specific information to explain what it entails?

    • Are third parties able to decode a recorded VoIP video and voice conversation by accessing encryption keys?

  8. Security: Anti-Spyware and Anti-Virus Protection.

    • Is it the user’s responsibility to make sure that appropriate anti-virus and anti-spyware protection is on their computer in order to prevent eavesdropping during videoconferencing TR sessions?

    • How secure are videoconferencing TR sessions and how much personal health information may be transmitted to other authorities?

    • Are patients informed of the security issues and is this included in their informed consent?

  9. Security: User’s Public Profile.

    • Is it optional for the user to enter information into their public profile?

    • Is the user required to enter any information into the public profile?

    • If the public profile information can be seen by other users, can the user determine which information can be seen by whom?

    • Is the public profile separated into the following three categories? 1. Information that everyone can see? 2. Information for only the user’s contacts to see? 3. Information for no one to see?

    • Is the user’s email address encrypted so no one can see it when looking at the profile?

    • Are there instructions on how users can update and change the profile information?

  10. Security: Allowing, Removing, and Blocking Callers.

    • Does the VoIP software system allow the user to determine if they want to contact a person in their contact list?

    • Are contacts easily removed by the user?

    • Can the user remove or revoke authorization by blocking the user on each computer that is used?

    • Does the VoIP software system provide instructions on how to block a user?

  11. Security: Audit System Activity

    • Are server logs generated to provide a record of the compliance settings that the user developed?

    • Do the logs also provide an audit trail to track who had access to TR videoconferencing sessions and which functions were enabled or disabled for the session?

  12. Security: Evaluation

    • Has a security evaluation of the VoIP software system been performed by an independent group?

    • Does the security evaluation include authentication, password management, data management, etc., and verify that the software system implements proper security measures?

An alternative approach is to purchase HIPAA compliance software specific to VoIP.
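The following Python is an added worked example, not part of the article or of the checklist authors’ work. It encodes a handful of the checklist items above together with the answer that reduces risk, classifies one vendor’s published answers as acceptable, risky, or unspecified, lists the unspecified items as the questions to put to the software company (as the checklist authors suggest), and tallies answers across vendors in the yes/no/not-specified form used for the study findings summarised earlier. The vendor names and their answers are constructed sample data, and which answer counts as “reducing risk” is this example’s reading of each item.

```python
"""Score VoIP vendors' published policies against selected checklist items.

Question wording follows the HIPAA Compliance Checklist; vendors and their
answers below are constructed sample data, not findings from the article.
"""
from collections import Counter

# (item id, question, answer that reduces risk).  The id scheme and the
# choice of "safe" answer are assumptions made for this example.
QUESTIONS = [
    ("1a", "Can employees or other users listen in to video-therapy calls?", "no"),
    ("2a", "Are video conferencing sessions recorded?", "no"),
    ("2b", "Does the policy state how past information is deleted on request?", "yes"),
    ("4a", "Is content or traffic data provided to legal authorities on request?", "no"),
    ("5a", "Is personal information transferred to a third party outside the country?", "no"),
    ("7a", "Are voice, video and IM conversations encrypted during transmission?", "yes"),
    ("7b", "Does the encryption protect sessions from eavesdropping by third parties?", "yes"),
    ("12a", "Has an independent security evaluation been performed?", "yes"),
]

# Constructed sample answers: "yes", "no", or None where the policy is silent.
VENDOR_ANSWERS = {
    "VendorA": {"1a": "yes", "2a": "no", "2b": None, "4a": "yes",
                "5a": "yes", "7a": "yes", "7b": None, "12a": None},
    "VendorB": {"1a": None, "2a": "no", "2b": "yes", "4a": "yes",
                "5a": "yes", "7a": "yes", "7b": "yes", "12a": "yes"},
    "VendorC": {"1a": "no", "2a": None, "2b": None, "4a": "yes",
                "5a": None, "7a": None, "7b": None, "12a": None},
}


def assess_vendor(answers, questions=QUESTIONS):
    """Classify each item as ok / risk / unspecified for one vendor.

    Silence in a policy is recorded separately rather than treated as a
    "no": the article cautions that an unstated safeguard may still exist,
    so these items become follow-up questions for the company.
    """
    result = {"ok": [], "risk": [], "unspecified": []}
    for qid, _text, safe in questions:
        answer = answers.get(qid)
        if answer is None:
            result["unspecified"].append(qid)
        elif answer == safe:
            result["ok"].append(qid)
        else:
            result["risk"].append(qid)
    result["follow_up"] = [text for qid, text, _ in questions
                           if qid in result["unspecified"]]
    return result


def unverified_fraction(assessment):
    """Share of items not shown to be handled safely (risky or unspecified)."""
    total = sum(len(assessment[k]) for k in ("ok", "risk", "unspecified"))
    return (len(assessment["risk"]) + len(assessment["unspecified"])) / total


def tally(vendors, questions=QUESTIONS):
    """Percent of vendors answering yes / no / unspecified for each item,
    mirroring the way the study findings above are reported."""
    n = len(vendors)
    summary = {}
    for qid, _text, _safe in questions:
        counts = Counter((v.get(qid) or "unspecified") for v in vendors.values())
        summary[qid] = {k: round(100 * counts[k] / n)
                        for k in ("yes", "no", "unspecified")}
    return summary


if __name__ == "__main__":
    for name, answers in VENDOR_ANSWERS.items():
        a = assess_vendor(answers)
        print(f"{name}: risk={a['risk']} unspecified={a['unspecified']} "
              f"unverified={unverified_fraction(a):.2f}")
        for q in a["follow_up"]:
            print("   ask vendor:", q)
    for qid, pct in tally(VENDOR_ANSWERS).items():
        print(qid, pct)
```

Running the script prints, per vendor, the risky and unspecified items with the follow-up questions to send to the company, then the cross-vendor percentages; the “unverified” figure deliberately counts silence together with unfavourable answers, because a clinician cannot rely on a safeguard the policy never mentions.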
Recommendation: Employ a Team Approach to Oversight
Watzlaf, Moeini, & Firouzan (2010) recommend forming a team that will examine a VoIP software system to determine if it meets federal (HIPAA), state, local, and facility-wide privacy and security regulations, and to ensure that robust privacy policies and procedures are developed and followed. The team may consist of an attorney, risk management personnel, ethics or compliance officer, health information administrator/privacy officer, information security officer, and/or representative therapist stakeholders (e.g., speech-language pathologist, audiologist, occupational therapist, physical therapist). Since VoIP software systems and federal and state laws can change frequently, the team must regard their oversight as an ongoing process. Clinicians and other associated personnel who engage in Internet-based telepractice should be cognizant of all aspects of privacy and security issues related to videoconferencing, including HIPAA security rules in relation to telepractice and software use, spyware, password security, and encryption.
Informed Consent
Clients should sign an informed consent form that explains the planned telepractice, how and why the VoIP technology software will be used, and any privacy and security risks. Since electronic health information is such a key part of any telepractice, the clinician’s methods or processes for storing and managing the patients’ electronic health information should be specifically delineated in the informed consent. Doing so will proactively address many issues relating to patients’ requests for electronic records at discharge or several years later, while also potentially minimizing the repercussions of a reported privacy breach or ASHA ethics complaint. (For more information on the filing of an ASHA complaint, see www.asha.org/uploadedFiles/Ethics-Violation-Complaint-Filing-Form.pdf). Watzlaf, Moeini, & Firouzan (2010) advise that an attorney review the informed consent form to ensure that it meets all federal (e.g., HIPAA), state, and local regulations.
Enact Safeguards
When using VoIP, policies and procedures that employ security safeguards should be in place, such as those recommended by the National Institute of Standards and Technology (NIST; Kuhn, Walsh, & Fries, 2005) and Garfinkel (2005). Examples include:
  • Strong password protection: Microsoft’s Safety and Security Center (2011) offers guidance on the construction of strong passwords (i.e., “an ideal password is long and has letters, punctuation, symbols, and numbers”) and a password checker. The Center advises using characters from the entire keyboard, not just the letters or characters that can be seen. The password should be at least 14 characters, with maximum variety. The password should never include recognizable words, the user’s personal information, sequences, or repeated characters. The chosen password should only be used for the videoconferencing system, and should be changed frequently (e.g., every 90-180 days).

  • Appropriate access: Users should not be provided with a higher level of access than is required for their need. (For example, do not allow users to gain access to PHI if it is not necessary for their level of work.) Authentication protection should be applied.

  • Dedicated use: Do not use the computer or VoIP system for any other use than telepractice.

  • Virus protection: Ensure that the computers used for videoconferencing are virus-free.

  • Prevent intrusions: Use of a wired network is better than WiFi alternatives. To discourage wiretapping, establish a good physical security policy, and develop an alarm system to notify an administrator when an IP phone is disconnected.

  • Audit controls: Audit controls can provide a record of how often the data is accessed by or released to internal and outside entities.

  • Encryption protocols: Employ encryption protocols that protect the transmission of video and audio data.

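As an added illustration that is not part of the original article, the following Python function applies the password rules from the "Strong password protection" bullet above (at least 14 characters; letters, numbers and punctuation/symbols; no recognizable words, personal information, sequences, or repeated characters) to a candidate password and reports every rule it fails. The small word list and the `personal_info` parameter are assumptions standing in for a real dictionary and the user's own data.

```python
import re
import string

# Constructed stand-in for a real dictionary (assumption: a deployment would
# load a full word list); the page's rule is "no recognizable words".
COMMON_WORDS = {"password", "therapy", "clinic", "speech", "hearing", "welcome"}


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive ascending or descending
    characters such as 'abcd' or '4321', which the guidance forbids."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeat(pw, run=3):
    """True if any character appears `run` or more times in a row ('aaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw, personal_info=()):
    """Return a list of rule violations; an empty list means the password
    satisfies every rule in the safeguards bullet. `personal_info` holds
    the user's own data (name, birth year, ...) that must not appear."""
    low = pw.lower()
    problems = []
    if len(pw) < 14:
        problems.append("shorter than 14 characters")
    classes = {
        "letters": any(c.isalpha() for c in pw),
        "numbers": any(c.isdigit() for c in pw),
        "punctuation/symbols": any(c in string.punctuation for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append("no " + name)
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a recognizable word")
    if any(len(p) >= 3 and p.lower() in low for p in personal_info):
        problems.append("contains personal information")
    if has_sequence(pw):
        problems.append("contains a character sequence")
    if has_repeat(pw):
        problems.append("contains repeated characters")
    return problems
```

The rotation interval (every 90-180 days) and the "one password per system" rule are policy matters that the checker cannot observe, so they remain with the administrator.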
Conclusions
Clinicians should exercise due diligence before engaging in the use of VoIP systems for telepractice and recognize that claims made by a carrier that a system is private and secure may not always be valid. If the benefits offered by the VoIP system outweigh the risks for all and the system does not overtly violate HIPAA, the VoIP system may be a viable option. If not, then alternate methods of voice and video communication are needed. Clinicians might consider commercial or other proprietary VoIP systems that are built specifically to support telepractice, as some may be more secure and private than some freely available systems.
It is important to recognize that upholding Internet-based privacy within the current environment is an ongoing and challenging responsibility.
Acknowledgment
This effort was supported in part by the Rehabilitation Engineering and Research Center on Telerehabilitation; H133E090002, National Institute on Disability and Rehabilitation Research, U.S. Department of Education.
1 HIPAA Compliance Checklist reprinted from Watzlaf, V., Moeini, S., & Firouzan, P. (2010). VoIP for telerehabilitation: A risk analysis for privacy, security, and HIPAA compliance. International Journal of Telerehabilitation, 2(2), 3-14. doi:10.5195/ijt.2010.6056
References
American Speech-Language-Hearing Association. (2002). Appropriate school facilities for students with speech-language-hearing disorders [Technical Report]. Available from www.asha.org/policy
American Speech-Language-Hearing Association. (2004). Confidentiality [Issues in Ethics]. Available from www.asha.org/policy. doi:10.1044/policy.ET2004-00168
American Speech-Language-Hearing Association. (2005a). Audiologists providing clinical services via telepractice: Technical report [Technical Report]. Available from www.asha.org/policy. doi:10.1044/policy.TR2005-00149
American Speech-Language-Hearing Association. (2005b). Speech-language pathologists providing clinical services via telepractice: Technical report [Technical Report]. Available from www.asha.org/policy. doi:10.1044/policy.TR2005-00152
American Speech-Language-Hearing Association. (2010). Code of ethics [Ethics]. Available from www.asha.org/policy. doi:10.1044/policy.ET2010-00309
Callahan, J. D. (2010). Privacy: The impact of ARRA, HITECH, and other policy initiatives. Chicago, IL: American Health Information Management Association (AHIMA).
Centers for Medicare and Medicaid Services. (n.d.). Covered entity charts. Retrieved August 2, 2011, from www.cms.gov/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf
Garfinkel, S. (2005). VoIP and Skype security: Skype Security Overview, Rev 1.6. Retrieved July 20, 2011, from www.tacticaltech.org/files/tacticaltech/Skype_Security.pdf
Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, 104th Congress. (1996). Retrieved July 20, 2011, from Centers for Medicare and Medicaid Services, HIPAA General Information, www.cms.gov/HIPAAGenInfo/
Kuhn, D., Walsh, T., & Fries, S. (2005). Security considerations for voice over IP systems: Recommendations of the National Institute of Standards and Technology (NIST) (Special Publication 800-58). Gaithersburg, MD: Technology Administration, U.S. Department of Commerce.
Lazzarotti, J. (2009). HIPAA enforcement regulations updated for penalty increases and enhancements under the HITECH Act. Retrieved July 20, 2011, from www.workplaceprivacyreport.com/2009/11/articles/hipaa-1/hipaa-enforcement-regulations-updated-for-penalty-increases-and-enhancements-under-the-hitech-act/
Microsoft Security and Safety Center. (2011). Retrieved July 20, 2011, from www.microsoft.com/security/online-privacy/passwords-create.aspx
North, M. (translated 2002). The Hippocratic Oath. National Library of Medicine, National Institutes of Health. Retrieved July 20, 2011, from www.nlm.nih.gov/hmd/greek/greek_oath.html
U.S. Department of Health and Human Services. (n.d.a). Health information privacy: HIPAA Administrative Simplification statute and rules. Retrieved August 26, 2011, from www.hhs.gov/ocr/privacy/hipaa/administrative/index.html
U.S. Department of Health and Human Services. (n.d.b). Health information privacy: Summary of the HIPAA Privacy Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
Watzlaf, V., Moeini, S., & Firouzan, P. (2010). VoIP for telerehabilitation: A risk analysis for privacy, security, and HIPAA compliance. International Journal of Telerehabilitation, 2(2), 3-14. doi:10.5195/ijt.2010.6056
Watzlaf, V., Moeini, S., Matusow, L., & Firouzan, P. (2011). VoIP for telerehabilitation: A risk analysis for privacy, security, and HIPAA compliance, Part II. International Journal of Telerehabilitation, 3(1), 3-10. doi:10.5195/ijt.2011.6070