VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security and HIPAA Compliance: Part II
In a previous publication the authors developed a privacy and security checklist to evaluate Voice over the Internet Protocol (VoIP) videoconferencing software used between patients and therapists to provide telerehabilitation (TR) therapy. In this paper, the privacy and security checklist that was previously developed is used to perform a risk analysis of the top ten VoIP videoconferencing software to determine if their policies provide answers to the privacy and security checklist. Sixty percent of the companies claimed they do not listen into video-therapy calls unless maintenance is needed. Only 50% of the companies assessed use some form of encryption, and some did not specify what type of encryption was used. Seventy percent of the companies assessed did not specify any form of auditing on their servers. Statistically significant differences across company websites were found for sharing information outside of the country (p=0.010), encryption (p=0.006), and security evaluation (p=0.005). Healthcare providers considering use of VoIP software for TR services may consider using this privacy and security checklist before deciding to incorporate a VoIP software system for TR. Other videoconferencing software that is specific for TR with strong encryption, good access controls, and hardware that meets privacy and security standards should be considered for use with TR.
Keywords: Voice over the Internet Protocol (VOIP), telerehabilitation, HIPAA, privacy, security, evaluation
Callahan, J.D. (2010). Privacy: The Impact of ARRA, HITECH, and other Policy Initiatives. American Health Information Management Association (AHIMA).
Cason, J. (2009). A pilot telerehabilitation program: Delivering early intervention services to rural families. International Journal of Telerehabilitation, 1, 29-37.
Garfinkel, S. (2005). VoIP and Skype Security. Skype Security Overview-Rev., 1.6 Retrieved July 11, 2010 from http://www.tacticaltech.org/files/tacticaltech/Skype_Security.pdf
Herman, V., Herzog, H., Jordan, R., Hofherr, M., Leving, P., & Page, S. (2010). Telerehabilitation and electrical stimulation: An occupation based client-centered stroke intervention. The American Journal of Occupational Therapy, 64: 73-81. http://support.mitglobalnet.net/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=9
Ikelheimer, D. (2008). Letters to the Editor: Treatment of opioid dependence via home-based telepsychiatry. Psychiatric Services. 59: 1218-1220. Retrieved July 10, 2010 from http://psychservices.psychiatryonline.org/cgi/reprint/59/10/1219.pdf
Kuhn, D., Walsh T., & Fries S. (2005). Security considerations for voice over IP systems: Recommendations of the National Institute of Standards and Technology (NIST). Technology Administration, U.S. Department of Commerce Special Publication, 800-58.
Lazar, I. (Speaker). (2006). Debunking the Hype about Skype [Audio Recording]. Burton Group Inflection Point.
Lewis, N. (2010 June 30). Army using telemedicine for healthcare delivery. Information Week: Healthcare. Retrieved on July 12, 2010 from http://www.informationweek.com/news/healthcare/patient/showArticle.jhtml?articleID=225701968
Magic Island Technologies. Skype. (2008) Retrieved July 12, 2010 from http://support.mitglobalnet.net/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=9
Maheu, M. (2009a). Comments: Is Skype HIPAA compliant? Adventures in telepsychiatry: a psychiatrist in a solo private practice experiments with telepsychiatry. Retrieved July 20, 2010 from http://adventuresintelepsychiatryblog.patrickbarta.com/2009/10/is-skype-hipaa-compliant/
Maheu, M. (2009b). HIPAA and hijacked Skype passwords: Another security violation that brings viability of online counseling via Skype into yet more questioning. Telehealth.Net. Retrieved July 10, 2010 from http://telehealth.net/blog/hipaa-hijacked-skype-passwords-another-security-violation-that-bring-online-counseling-to-question/
Parmanto, B., Saptono, A., Pramana, G., Pulantara, W., Schein, R., Schmeler, M., McCue, M., & Brienza, D. (2010). VISYTER: Versatile and Integrated System for Telerehab. Telemedicine and E-Health. 16(9):1-6.
Skype Business Blog. (2009). Doctors using Skype to transform medical practice. Retrieved July 9, 2010, from http://blogs.skype.com/business/2009/05/doctors_using_skype_to_transform_medical_practice.html
Skype and HIPAA: Myth buster. (June 6, 2009). Voyager telepsychiatry: A forum on home-based telepsychiatry. Retrieved July 9, 2010 from http://voyagerllc.blogspot.com/2009/06/skype-and-hipaa-myth-buster.html
Vidyo Inc. 2010, Vidyo Telepresence- Secure VidyoConferencing: Protecting Your Communications. Retrieved April 19, 2011 from VidyoInfo@vidyo.com
Watzlaf, V., Moeini, S., & Firouzan, P. (2010). VoIP for telerehabilitation: A risk analysis for privacy, security, and HIPAA compliance. International Journal of Telerehabilitation, 2(2), 3-14. doi: 10.5195/ijt.2010.6056
Wolinsky H. & Titus F. (Producer/Director), (2009). LA therapist helps clients relieve pain via Skype. YouTube Retrieved on July 12, 2010 from http://www.youtube.com/watch?v=eB5tZfZfabo
Zur, O. (2010). HIPAA Updates from Zur Institute: Innovative resources and online continuing education. Retrieved July 10, 2010 from http://www.zurinstitute.com/hipaa_updates.html
Copyright (c) 2011 Valerie J.M. Watzlaf, Sohrab Moeini, Laura Matusow, Patti Firouzan
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- The Author retains copyright in the Work, where the term “Work” shall include all digital objects that may result in subsequent electronic publication or distribution.
- Upon acceptance of the Work, the author shall grant to the Publisher the right of first publication of the Work.
- The Author shall grant to the Publisher and its agents the nonexclusive perpetual right and license to publish, archive, and make accessible the Work in whole or in part in all forms of media now or hereafter known under a Creative Commons Attribution 4.0 International License or its equivalent, which, for the avoidance of doubt, allows others to copy, distribute, and transmit the Work under the following conditions:
- Attribution—other users must attribute the Work in the manner specified by the author as indicated on the journal Web site;
- The Author is able to enter into separate, additional contractual arrangements for the nonexclusive distribution of the journal's published version of the Work (e.g., post it to an institutional repository or publish it in a book), as long as there is provided in the document an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post online a prepublication manuscript (but not the Publisher’s final formatted PDF version of the Work) in institutional repositories or on their Websites prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work. Any such posting made before acceptance and publication of the Work shall be updated upon publication to include a reference to the Publisher-assigned DOI (Digital Object Identifier) and a link to the online abstract for the final published Work in the Journal.
- Upon Publisher’s request, the Author agrees to furnish promptly to Publisher, at the Author’s own expense, written evidence of the permissions, licenses, and consents for use of third-party material included within the Work, except as determined by Publisher to be covered by the principles of Fair Use.
- The Author represents and warrants that:
- the Work is the Author’s original work;
- the Author has not transferred, and will not transfer, exclusive rights in the Work to any third party;
- the Work is not pending review or under consideration by another publisher;
- the Work has not previously been published;
- the Work contains no misrepresentation or infringement of the Work or property of other authors or third parties; and
- the Work contains no libel, invasion of privacy, or other unlawful matter.
- The Author agrees to indemnify and hold Publisher harmless from Author’s breach of the representations and warranties contained in Paragraph 6 above, as well as any claim or proceeding relating to Publisher’s use and publication of any content contained in the Work, including third-party content.
Revised 7/16/2018. Revision Description: Removed outdated link.