A Systematic Review of Research Studies Examining Telehealth Privacy and Security Practices used by Healthcare Providers

The objective of this systematic review was to examine papers from the United States that address current practices in privacy and security when telehealth technologies are used by healthcare providers. A literature search was conducted using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses Protocols (PRISMA-P). PubMed, CINAHL and INSPEC from 2003 to 2016 were searched and returned 25,404 papers (after duplications were removed). Inclusion and exclusion criteria were strictly followed to examine title, abstract, and full text for 21 published papers which reported on privacy and security practices used by healthcare providers using telehealth. Data on confidentiality, integrity, privacy, informed consent, access control, availability, retention, encryption, and authentication were all searched and retrieved from the papers examined. Papers were selected by two independent reviewers, first per inclusion/exclusion criteria and, where there was disagreement, a third reviewer was consulted. The percentage of agreement and Cohen’s kappa were 99.04% and 0.7331 respectively. The papers reviewed ranged from 2004 to 2016 and included several types of telehealth specialties. Sixty-seven percent were policy type studies, and 14 percent were survey/interview studies. There were no randomized controlled trials. Based upon the results, we conclude that it is necessary to have more studies with specific information about the use of privacy and security practices when using telehealth technologies as well as studies that examine patient and provider preferences on how data is kept private and secure during and after telehealth sessions.

and shared. Its major objective is to protect the flow of health information while at the same time providing high quality healthcare.
The HIPAA Security Rule went into effect in 2005 and regulates only electronic health information. It is a set of national standards that protects an individual's electronic health information that is created, received, used or maintained by a covered entity such as a healthcare organization. It requires the administrative, physical, and technical standards to be adopted so that confidentiality and integrity of electronic PHI is protected.
In addition to HIPAA, there are many other federal and state laws that govern the use and disclosure of health information. Of these laws, HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 have provided the most specific regulations for the protection of privacy and security of health information in the United States. However, some state regulations may be even more stringent, such as requiring a consent form for disclosure of a patient's own medical record when HIPAA does not require consent (Rinehart-Thompson, 2013). The HITECH Act includes changes to the HIPAA Privacy and Security rules that focus mainly on health information technology and strengthens standards for the privacy and security of health information. It went into effect in 2010 but some parts of the act have different compliance deadlines (Rinehart-Thompson, 2013).
For this article, we adopted the Health Resources and Services Administration's (HRSA) 2015 definition of telehealth: "the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the Internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications" (Health Resources and Services Administration, 2015). The HRSA definition was used because it aligns with our purpose, which is to provide a systematic review of published papers that pertain to privacy and security provisions used by healthcare providers when deploying telehealth technologies in the United States.
Our previous experiences in interacting with telehealth providers suggest that the providers do not always know the best practices to use to decrease the risk of privacy and security issues in telehealth (Cohn & Watzlaf, 2012; Watzlaf, 2010). Many of the features within the free, consumer-based video and voice communication systems that were evaluated did not demonstrate to the providers using them that the information was private and secure (Watzlaf & Ondich, 2012). Also, many of the telehealth providers did not know the best practices to use to educate consumers on privacy and security (Watzlaf, Moeini, & Firouzan, 2010; Watzlaf, Moeini, Matusow, & Firouzan, 2011).
Through our past work, audit checklists were developed to determine if a system supports HIPAA compliance (Watzlaf et al., 2010; Peterson & Watzlaf, 2014). The 58-question checklist is specific to Information and Communication Technologies (ICTs). There are already methods and tools available for healthcare providers to evaluate the security and privacy features of telehealth systems they are currently using. Now, it is necessary to conduct a systematic review on the status of privacy and security provisions that are used by healthcare professionals when deploying telehealth services to see if they are using the tools and guidelines available to them or if they incorporate new systems to evaluate privacy and security within telehealth systems.

OBJECTIVES:
1. Evaluate, from published papers, what privacy and security measures were addressed when healthcare providers used telehealth technologies.
2. Compile best practices and guidelines for healthcare professionals using telehealth technologies.

SEARCH STRATEGY
A systematic literature search was performed on papers published between 2003 and 2016. The sources used in the search included PubMed (Medline via PubMed; National Library of Medicine, Bethesda, MD; started in 1966), CINAHL databases (indexing from nursing and allied health literature) and INSPEC (a scientific and technical database developed by the Institution of Engineering and Technology).
Briefly, our literature search strategy combined synonyms for telehealth with privacy and security across healthcare professionals. The list of synonymous terms was voluminous. Some examples of synonymous terms for telehealth included telemedicine, telepathology, telerehabilitation; synonymous terms for privacy and security included confidentiality, encryption, access control, authentication; synonymous terms for healthcare professionals included physicians, clinicians, nurses, occupational therapists. The search was restricted to papers written in English. In addition, reference lists were reviewed manually from relevant original research and review papers.
These searches returned 21,540 papers from PubMed and 4,785 papers from CINAHL, and 591 papers from INSPEC for a total of 26,916 papers, of which 1,512 were duplicates. After a review of titles and abstracts, 21 papers were reviewed in full text (Figure 1). After the first round of article selections, one third of the papers were found to be international. Papers were then restricted to those in the United States since HIPAA and HITECH are laws that are enforced in the United States only and these laws are a major influence in privacy and security in the US.
The protocol for this study was based on the Preferred Reporting Items for Systematic Review and Meta-Analysis Protocols (PRISMA-P). The PRISMA-P contains 17 items that are considered essential as well as minimum components to include in systematic reviews or meta-analyses. PRISMA-P recommends that each systematic review include detailed criteria using the PICOS (participants, interventions, comparisons, outcome(s) and study design) reporting system (Moher et al., 2015). Details of the full protocol have been previously published in Prospero and the International Journal of Telerehabilitation (Watzlaf, DeAlmeida, Molinero, Zhou, & Hartman, 2015).

STUDY ELIGIBILITY
To be eligible for this systematic review, published papers had to meet all the following criteria:
1. Published papers that included research, best practices, or recommendations on the use of telehealth and privacy or security.
2. Published papers that included any type of health care professional using any available telehealth for their clients with a focus on privacy and/or security, HIPAA and/or HITECH.
3. Published papers with full text in English.
4. Published papers where research or recommendations focused on the US only published between 2003-2016.
5. Existing solutions/best practices to privacy and security challenges, HIPAA compliance (qualitative and quantitative) in telehealth use.

Figure 1 (flow diagram of paper selection): Articles after removing duplications (n=25,404), with duplicate records (n=1,512) set aside. Articles after first round filtering (n=406), with articles removed by reviewing titles and abstracts (n=24,998). Articles after second round filtering (n=50), with articles removed by reviewing full texts (n=356). Articles included after ATA guidelines are added (n=61), with articles removed by evaluating the security and privacy contents (n=40). Articles included in systematic review (n=21).

EXCLUSION OF PAPERS
Papers were reviewed and excluded in different phases:
• In the initial title/abstract review the major reasons for exclusion were:
1. Papers were published before HIPAA was enforced in 2003
2. Studies were not conducted in the US and therefore did not abide by HIPAA/HITECH
• In the full text review the major reasons for exclusion were that the papers did not include both telehealth and a major aspect of privacy and security related to telehealth use.

DATA EXTRACTION PROCESS AND QUALITY ASSESSMENT
All search results were exported into EndNote libraries. EndNote is a bibliographic management system. De-duplications were performed by using the method described by Bramer et al (Bramer, Giustini, de Jonge, Holland, & Bekhuis, 2016). Studies were removed if they were found to be duplicated. The PDFs of the papers reviewed were stored in a shared Box account (i.e., a secure cloud content platform in which users can share large documents as well as collaborate, Redwood City, CA).
Each article meeting the inclusion criteria was reviewed and its characteristics documented using a standardized pretested data extraction form. The data extraction form captured the following data items: the three large goals of privacy and security (confidentiality, integrity, and availability); the specific techniques for achieving these goals (authentication, encryption, access control, physical security, policy, database backup, error detection, anti-virus, software patches, secure system design, intrusion detection); and the methods in each system (study designs, settings, and outcomes).
The reference librarian performed the search and only provided the title, abstract and year to the reviewers. The two reviewers (DD, VW) independently read the titles and abstracts of the identified papers and determined eligibility based on the specified inclusion/exclusion criteria. To learn how to screen the article titles and abstracts appropriately, two of the reviewers (DD and VW) conducted a pilot study using a small sample (n=100) of papers, made their selections and then discussed the results against the selection criteria. From this pilot study we could determine that we applied the same selection criteria for our search strategy.
Reviewers were blind to journals, study authors and institutions. Any disagreements between the reviewers were resolved by a third reviewer (LZ). Inter-rater reliability was measured using the Cohen's kappa statistical test (k). An inter-rater Kappa score was assessed during the first round of the paper selection, to ensure a Kappa score at or above 0.8 as measured by Cohen's Kappa (k) statistical test. Full-text of studies making this first cut were reviewed.
Three reviewers screened these for inclusion/exclusion criteria. Selection disagreements were resolved through discussion and reasons for excluding studies were recorded. A form, developed in Excel, was used to extract data from selected studies and included the author, year of publication, reference; study design and sample size; setting; privacy and security descriptions; primary outcomes; study limitations, HIPAA compliance, and best practices. Reviewers assessed the overall quality of evidence for every important outcome using the GRADE four point ranked scale: (4) High; (3) Moderate; (2) Low; (1) Very low (Balshem et al., 2011). Full papers were used as evidence for decisions about the quality of evidence and the strength of recommendations. Any differences in the grading were assessed and discussed in several meetings with investigators until full consensus was reached.

DATA SYNTHESIS
Quantitative analysis of the data from the papers was limited due to the lack of quantifiable data in the privacy and security literature. However, subcategories with similar characteristics received more in-depth comparisons. Investigators first broke the data into qualitative themes that related to privacy, security and administrative content. Each of those areas was broken down into subthemes such as patient rights, use, and disclosure for privacy; technical and physical for security; and organizational and education/training/personnel for administrative. Then, specific content within the 21 papers was reviewed closely and categorized across each of those themes and subthemes.

REVIEWER AGREEMENT
For the 25,404 entries reviewed by 2 reviewers, the percentage of agreement was very good, with an observed value of 99.04% and a 95% CI of 98.91 to 99.16 calculated per the Wilson efficient-score method. For the Cohen's kappa, the observed kappa is 0.7331 and the 95% CI is 0.7009 to 0.7653. Although the kappa is lower than 0.8, this still suggests substantial agreement (Fleiss, Cohen, & Everitt, 1969).

DESCRIPTIVE ANALYSIS OF ALL STUDIES
A quantitative analysis of the privacy, security, and administrative areas that were discussed in the papers is summarized in Table 2. All studies discussed some aspect of privacy and security. Sixty-seven percent addressed patient rights to include informed consent, accessibility, confidential communications, or the patient's ability to amend their information. Thirty-eight percent addressed use and disclosure to include how video sessions are retained, authorizations for release of information to other countries, websites, and third parties, accounting of disclosures, purging and/or deletion schedule of files on mobile devices and audio and video muting to maintain privacy. Sixty-seven percent of the studies addressed the technical aspects of security to include encryption, two-factor authentication, data backup, storage and recovery to meet HIPAA requirements, National Institute of Standards and Technology (NIST) and Health Level-7 (HL7) recommendations. However, only 38 percent addressed the physical aspects of the telehealth session to include a secure server location, back-up generator and maintaining a secure physical environment for where the telehealth session is held. One of the studies contained a systematic review of telemedicine security and found poor reporting of methodologies for telemedicine technologies and security measures. Fifty-two percent of the papers did not discuss the organization of privacy and security through policies, procedures, Business Associate Agreements (BAAs) or compliance audits; however, 67 percent addressed the need for education and training of providers, patients and technical support workforce.

Table 3 provides a detailed summary of all papers for privacy, security and administrative content. Most of the patient rights content dealt with providing verbal or written informed consent in simple, easy to understand language and to have providers discuss the risks of privacy and security when using telehealth.
Including the use of audio/video muting and a secure physical environment in the consent for treatment was also discussed, so that the patient understands how their information is kept private during and after the telehealth session. Use and disclosure was not as clearly addressed, although several papers stated that access to patient information should only be granted with proper authorization, and there was a need to have this discussed with the patient so that they understood ownership of the data before the telehealth session begins. Encryption and two-factor authentication were other major areas addressed in the papers. Some papers did provide details as to the types of encryption to use as well as meeting HIPAA and NIST requirements and recommendations. Data backups, storage of the video files, and the ability to keep them secure were also discussed. Other areas addressed included a review of consumer-based free systems and the importance of healthcare providers' understanding of which telehealth technologies meet federal, state, and local laws. Other areas mentioned included performing an overall privacy and security assessment of the telehealth system and maintaining security solutions specific to the telehealth system, making sure that confidentiality and security are a primary concern. Many of the papers expressed the need for overall provider and patient awareness, education and training and policies on keeping telehealth information private and secure, and policies that specify who can be included in the telehealth session. Other papers expressed the need for maintaining a BAA with the vendor providing the telehealth system. Some papers addressed the need for more research on the effectiveness of telemedicine to include telehealth security training, legal liability, HIPAA compliance and the importance of an independent assessment of overall privacy and security.
Some of the papers described the lack of current scientific studies around privacy and security in telehealth and the need for more studies that demonstrate the effectiveness of best practices in privacy and security of telehealth (Table 3).

56.2% did not believe that security and privacy risks would be increased when using telemedicine; 31.2% said they did not know enough to respond to the question; and 12.5% believed there could be increased risk.
9.3% said technical support not readily available; All providers were not influenced in their ability to ask questions due to concerns over security or privacy.
Further education is needed on this topic.

(Demiris, 2004
providers to log in and access their patient's data.

(Garg & Brewer, 2011)
Journal of Diabetes Science and Technology
Systematic Review
Many telemedicine researchers are unfamiliar with the field of security in general. The authors found instances of poor encryption standards, designs of communication protocols with no proof of security, HIPAA or HL7 compliance. Reliability and availability of the systems are key since many provide critical life supporting systems for people with diabetes and other chronic illnesses. Data integrity, the quality of security research, network security and cryptography all need to be improved as well, per this systematic review of security of telemedicine systems.
Most of the papers in the systematic review of security in telehealth did not address training, legal liability, or HIPAA and HL7 compliance. Another area that was neglected was research on availability or the measures used to ensure availability of telehealth systems.

(Hall & McGraw, 2014)
No federal agency has authority to

Form a team and use the HIPAA checklist to ensure compliance before using a telehealth system. Review the P&S policies of each system before use.
Ask questions of the telehealth company not addressed in the policy.

DISCUSSION
This systematic review of privacy and security practices that healthcare providers may use with telehealth technologies has shown that privacy and security is a concern across all types of specialties such as telerehabilitation, telenursing, teletrauma, and telepsychiatry. All providers need to make privacy and security of utmost concern when conducting a telehealth session.
The papers suggest that most of the work has been policy and strategy pieces with no experimental or quasi-experimental studies represented. In both survey research studies conducted, healthcare providers had concerns over privacy and security in telehealth and felt that it can be intrusive for the patient. In an interview study, it was found that providers did not believe that telehealth increased the risk of privacy or security concerns, although some did not know enough to answer the question fully and thought there could be increased risk. These studies alone show that there is uncertainty on this topic.
Many healthcare providers may not know all the many aspects of privacy and security within telehealth and need more education and training as well as technical support personnel to help them in these areas. Many of the policy studies stated that policy and procedure (P&P) as well as education and training are needed for all healthcare providers and technical support personnel to prevent breaches of PHI.
These papers also stated that healthcare professionals need to know state, regional, and national laws and regulations, legal liability, HIPAA/HITECH and HL7 compliance, as well as measures used to ensure availability of PHI to the proper users. Methods were also discussed regarding how audio or video recordings are to be stored, maintained and accessed to protect patient privacy, and how mobile devices used in telehealth sessions are to be reinforced to protect the privacy and security of patient information.
The most detailed information surrounding informed consent for a telehealth session was found in the ATA guidelines and recommendations, which discussed how maintaining privacy and security within the telehealth session must be included in the informed consent in easy-to-understand language, especially when discussing encryption, authentication and other methods to maintain confidential communications between provider and patient. The use of audio and video muting, as well as the ability to quickly change from public to private audio mode so that unauthorized users may not see or hear what is being communicated, was also discussed throughout the ATA guideline papers.
There does not seem to be consensus about the use and disclosure of PHI in telehealth since some systems will allow sharing with certain groups as part of their privacy policy. HIPAA, however, states that proper authorizations are warranted when there are requests for information and an accounting of disclosures is necessary when PHI is shared. However, there still seems to be some uncertainty as to what parts of the telehealth session will be kept, for how long, how they will be maintained and where they will be stored.
If the telehealth sessions are recorded and kept with the electronic health record (EHR) then proper authorizations are necessary when PHI is requested. However, there is no standard method for how this is done. Some systems may convene a telehealth session and not store any of the information that was transmitted. Some may record the session but then destroy the recording after the session is over. Some may record and store the session or even transmit the session to a third party for additional treatment and consultation. Some type of standard process in this area is needed.
Security measures such as encryption and authentication were addressed, but not all papers provided a standardized description of the encryption methods used or the best methods for authentication. Very few papers addressed the importance of an independent audit on the telehealth system for privacy and security features by an outside entity.

LIMITATIONS
There were some limitations to our systematic review. Due to time constraints, the grey literature (such as dissertations and other unpublished reports), other databases listed in the protocol, and vendors or authors (also mentioned in the protocol) were not searched. Also, as mentioned previously, only English language articles were reviewed.