VoIP for Telerehabilitation: A Pilot Usability Study for HIPAA Compliance

Consumer-based, free Voice and video over the Internet Protocol (VoIP) software systems such as Skype and others are used by health care providers to deliver telerehabilitation and other health-related services to clients. Privacy and security applications as well as HIPAA compliance within these protocols have been questioned by practitioners, health information managers, and other healthcare entities. This pilot usability study examined whether four respondents who used the top three, free consumer-based, VoIP software systems perceived these VoIP technologies to be private, secure, and HIPAA compliant; most did not. While the pilot study limitations include the number of respondents and systems assessed, the protocol can be applied to future research and replicated for instructional purposes. Recommendations are provided for VoIP companies, providers, and clients/consumers.


Introduction and Background Studies
Consumer-based, free VoIP systems such as Skype and others are used by some providers using a telerehabilitation service delivery model since these systems provide the use of voice and video teleconferencing between patients and therapists. Privacy, security and HIPAA compliance across these systems were evaluated in previous studies ( Watzlaf, Moeini, & Firouzan (2010) developed a privacy and security checklist that was used to assess consumerbased, free VoIP systems. A summary of that checklist is shown in Table 1. Table 1: Checklist for privacy and security information provided by consumer-based, free VoIP systems.
The full 58-question checklist developed by Watzlaf, Moeini, and Firouzan, (2010) was used in a second study to assess the top ten consumer-based, VoIP systems in relation to privacy and security by examining their privacy and security policies, terms of use, and emailing the company for further information on these issues. This study demonstrated that many of these VoIP companies stated in their policies that personal information will be shared across countries, other websites, and to protect the companies' legal interests. Some privacy and security policies seemed to protect the company more than the user. For example, 90% of the companies' policies stated that personal information, communications content, and/ or traffic data will be provided to legal authorities when requested. Also, 70% of the companies allow a transfer of information outside of the country to a third party, and 90% of the companies contain links to other websites.
However, 60% of the companies claimed that they do not listen into videoconference calls unless maintenance is needed and 70% of the companies do not record the sessions, although 30% did not discuss this information in their policies. Only 50% indicated in their policies the use of encryption to protect personal information/data. Of those companies reporting the use of encryption, some did not specify what type of encryption was used. Only 30% of encryption levels used by the companies protect against eavesdropping by third parties.
Only 30% of the companies claimed they use some form of auditing (i.e., logs); 20% use an audit trail. Many companies did not discuss, in their policies, any form of auditing or audit trails on their servers. Seventy percent of the companies made no mention of a security evaluation. Because this assessment focused on the privacy and security policies and not on the actual use of the system, it was necessary to examine the privacy and security of the system in a usability study of providers simulating use of the top three, free, consumer-based VoIP systems for the delivery of therapeutic services.

Usability Study Methodology
Four respondents with graduate level education and professional certification in speech-language pathology, social work, physical therapy, and healthcare IT, were asked to use the top three, free, consumer-based VoIP systems, and answer questions similar to what was included in the privacy and security checklist. The checklist was adapted to include tasks and accompanying questions. Technical assistance was provided by the research team to the respondents as they performed the tasks and answered the questions. This study was submitted to the University of Pittsburgh Institutional Review Board and received approval at the exempt level.

Results
The tasks analyzed, accompanying questions, and results are summarized in Table 2. Taken together, the results suggest that while privacy and security for VoIP software systems are highly valued, the respondents expressed lower levels of confidence in the security and privacy of the three systems they examined.

Control of Personal Information
Determine your default settings for communicating.
Determine your online status.
Determine how much personal information may be transmitted to others.
How would you rank the privacy and security of your default settings when conducting a video therapy session? Likert scale, 1-5 (1= not at all private and secure; 5= very private and secure) Do you think a user from your contact list can see that you are online and choose to send you a message?
1.9 average across all systems; respondents had low confidence in the privacy and security of the default settings.
83% of respondents across all systems said a user from their contact list could see that they were online and choose to send them a message; but, they believed that users could change the settings to prevent this (e.g., "invisible" status option).

Retention of Personal Information
Determine how long your history will be kept and what it includes.
Take a picture of the person you are corresponding with (via screen shot) and save it.

Qualitative Comments:
Qualitative comments by the respondents are summarized below. In general, the following themes emerged: 1. More than a password should be used to enter the VoIP system. The providers did not believe that just a username and password is enough to keep the system secure.
Additional methods, such as asking for other information, biologic data, finger print, eye scan, or other verification methods should be used to maintain the confidentiality of information as it flows over the Internet. Also, a Virtual Private Network should be used to maintain privacy and security. 2. The respondents did not feel very confident that their video therapy session would be private. One respondent observed this may be no different than an in-person session with the patient where, sometimes, employees or other patients may be able to listen to a treatment session. 3. The respondents did not agree with VoIP companies' policies of sharing user information with other websites and foreign countries. The respondents believed information sharing could potentially lead to breakdowns in privacy and security of user information since many other countries do not have strict privacy and security policies such as HIPAA. Also, they did not understand why so much information sharing occurred with other websites and why the VoIP site did not take responsibility for the privacy and security policies on those websites. 4. All respondents felt that the privacy and security policies were very difficult to read and understand and were not certain that the policies were followed. 5. The respondents were critical of the encryption policies.
Not all of the consumer-based, free VoIP systems investigated in this usability study indicated the use of encryption within their systems. Respondents had to search for the information in the systems' policies; once it was found it was difficult to tell if the video stream was encrypted. Personal information, email, and other data seemed to be encrypted, but some of the policies did not specify methods of encryption for video streams.

Limitations:
There are several limitations to the pilot study design; they include the following: 1. Only four respondents completed all tasks across systems. If more respondents were used to assess the VoIP systems many different opinions and answers to the questions may have emerged and may have changed the conclusions. 2. Only three consumer-based, free VoIP systems were included in the study. Even though only three systems were included, they are the most popular, free VoIP systems available currently. However, expanding the types and numbers of systems would allow for results that may better represent the population under study. 3. The study was not deployed in simulated or authentic client and provider telerehabilitation environments. A future study may include use of the VoIP systems in a client/provider environment and obtain comments from both clients and providers on the perceived security and privacy of the treatment session.

Recommendations
There are several recommendations that if implemented, could lead to improved privacy and security for consumer-based VoIP systems.

Recommendations for VoIP Companies
The first set of recommendations is for the VoIP companies. They should provide a more secure entrance into the system. A username and password is not enough when health related information is being transferred across the Internet and across different countries and websites. As mentioned by the respondents, further security upon entering the system may include finger prints, eye scans, or biological data. Additionally, the system should be maintained across a Virtual Private Network (VPN). Impersonation of the system should be prevented. Some of the sites may be impersonated so that it looks like a user is logged into the real system but is actually in an impersonation system/website. When this occurs, impersonators can use some of the personal information collected for the wrong purpose. This happened to one of the systems researched. Each of the systems should have clear policies that describe the privacy and security of the video conferencing session and address in clear terms how they will: • Restrict employees from listening for purposes other than to address technical problems • Restrict information to other users • Restrict retention of the session • Provide a consent for disclosure to all users • Prevent sharing of information with other websites, countries, and other third parties. • Insure HIPAA compliance and enter into a business associate agreement with the provider or covered entity.

Recommendations for Providers
It is recommended that providers: • Form a team (e.g., provider, risk manager, IT specialist) and use the checklist developed by Watzlaf, Moeini, & Firouzan, (2010) to review HIPAA compliance before using any videoconferencing system. • Review the privacy and security policies of each system before use. • Ask questions of the company that are not addressed in the policies. • Develop clear, understandable privacy and security policies and incorporate the policies into a client consent form. Address questions as they pertain to HIPAA and the US Office of Civil Rights (OCR) requirements.

Recommendations for Clients/ Consumers
Clients/consumers can play an important role in advocating for security and privacy. It is recommended that they: • Advocate for a readable, clear privacy and security policy either within the system consent/agreement of use or as part of the system policies. • Ask questions about privacy and security when using any videoconferencing system. • Know their privacy rights as they pertain to HIPAA and other US Office of Civil Rights requirements.

Conclusions
It is important to examine the privacy and security of any software system that is used to transmit or store health related information. With the new rules from the American Recovery and Reinvestment Act of 2009 (ARRA) and Title XIII of ARRA: Health Information Technology for Economic and Clinical Health Act (HITECH) in relation to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, breaches of protected health information must be disclosed to the covered entity upon 60 days after discovery from the Business Associate.
Are VoIP consumer-based, free software systems considered Business Associates? Some believe they are if they handle protected health information, and some believe they are no more than a conduit transmitting health information similar to the US postal service transporting the mail. However, if the VoIP companies are storing the video conferencing session between a client and provider, even for a short period of time, and if those sessions are linked to personal information about the client, the company should be considered a business Associate and should comply with HIPAA requirements. This relationship should be stated in their policies in clear, understandable terms. Also, it is important for the provider who is considering using these systems to realize that they were not developed to provide video therapy sessions for healthcare purposes.
In a recent presentation, Dr. David Blumenthal, 1 expressed the need for developing an "Internet for Healthcare" to achieve a higher level of privacy and security across the Internet. The same could be said for the VoIP systems used over the Internet. There should be "VoIP for Healthcare," with a higher level of privacy and security for any type of health information being exchanged across the Internet, but especially for services delivered via telerehabilitation.
Systems designed specifically for telehealth purposes (e.g., VISYTER 2 ; VidyoHealth 3 ) assure providers that the services provided through these systems meet HIPAA requirements.