A Telehealth Privacy and Security Self-Assessment Questionnaire for Telehealth Providers: Development and Validation
Background: Telehealth is a great approach for providing high quality health care services to people who cannot easily access these services in person. However, because of frequently reported health data breaches, many people may hesitate to use telehealth-based health care services. It is necessary for telehealth care providers to demonstrate that they have taken sufficient actions to protect their patients’ data security and privacy. The government provided a HIPAA audit protocol that is highly useful for internal security and privacy auditing on health care systems, however, this protocol includes extensive details that are not always specific to telehealth and therefore is difficult to be used by telehealth practitioners.
Objective: The goal of this study was to develop and validate a telehealth privacy and security self-assessment questionnaire for telehealth providers.
Methods: In our previous work, we performed a systematic review on the security and privacy protection offered in various telehealth systems. The results from this systematic review and the HIPAA audit protocol were used to guide the development of the self-assessment questionnaire. The draft of the questionnaire was created by the research team and distributed to a group of telehealth providers for evaluating the relevance and clarity of each statement in the draft. The questionnaire was adjusted and finalized according to the collected feedback and face-to-face discussions by the research team. A website was created to distribute the questionnaire and manage the answers from study participants. A psychometric analysis was performed to evaluate the reliability of the questionnaire.
Results: There were 84 statements in the draft questionnaire. Five telehealth providers provided their feedback to the statements in this draft. They indicated that a number of these statements were either redundant or beyond the capacity of telehealth care practitioners, who typically do not have formal training in information security. They also pointed out that the wording of some statements needed to be adjusted. The final released version of the questionnaire had 49 statements. In total, 31 telehealth providers across the nation participated in the study by answering all the statements in this questionnaire. The psychometric analysis indicated that the reliability of this questionnaire was high.
Conclusion: With the availability of this self-assessment questionnaire, telehealth providers can perform a quick self-assessment on their telehealth systems. The assessment results may be used to identify possible vulnerabilities in telehealth systems and practice or demonstrate to patients the sufficient security and privacy protection to patients’ data.
Cherry, C. O., Chumbler, N. R., Richards, K., Huff, A., Wu, D., Tilghman, L. M., & Butler, A. (2017). Expanding stroke telerehabilitation services to rural veterans: A qualitative study on patient experiences using the robotic stroke therapy delivery and monitoring system program. Disability and Rehabilitation: Assistive Technology, 12(1), 21-27. doi:10.3109/17483107.2015.1061613
Davidsson, N., & Sodergard, B. (2016). Access to healthcare among people with physical disabilities in rural Louisiana. Social Work Public Health, 31, 188-195. doi:10.1080/19371918.2015.1099496
European Union. (2018). GDPR key changes. Retrieved from https://eugdpr.org/the-regulation/
Georgeadis, A., Brennan, D., Barker, L., & Baron, C. (2004). Telerehabilitation and its effects on story telling by adults with neurogenic communication disorders. Aphasiology, 18, 639-652.
Hale, T. M., & Kvedar, J. C. (2014). Privacy and security concerns in telehealth. Virtual Mentor, 16, 981-985. doi:10.1001/virtualmentor.2014.16.12.jdsc1-1412
Hall, J. L., & McGraw, D. (2014). For telehealth to succeed, privacy and security risks must be identified and addressed. Health Affairs (Millwood), 33, 216-221. doi:10.1377/hlthaff.2013.0997
Hall, N., Boisvert, M., & Steele, R. (2013). Telepractice in the assessment and treatment of individuals with aphasia: A systematic review. International Journal of Telerehabilitation, 5(1), 27-38. doi:10.5195/ijt.2013.6119
Harper, D. (2003). Telehealth. In M. Roberts (Ed.), Handbook of Pediatric Psychology (3rd ed.). New York: Guilford Press.
He, D., Naveed, M., Gunter, C. A., & Nahrstedt, K. (2014). Security concerns in Android mHealth apps. AMIA Annual Symposium Proceedings, 2014, 645-654.
Health Resources and Services Administration. (2014). Distribution of U.S. health care providers residing in rural and urban areas. National Center for Health Workforce Analysis. Retrieved from https://www.ruralhealthinfo.org/assets/1275-5131/rural-urban-workforce-distribution-nchwa-2014.pdf
Iezzoni, L. I., Killeen, M. B., & O'Day, B. L. (2006). Rural residents with disabilities confront substantial barriers to obtaining primary care. Health Services Research, 41(4, Part 1), 1258-1275. doi:10.1111/j.1475-6773.2006.00534.x
Jones, C. A., Parker, T. S., Ahearn, M., Mishra, A. K., & Variyam, J. N. (2009). Health status and health care access of farm and rural populations. Retrieved from https://www.ers.usda.gov/webdocs/publications/44424/9371_eib57_1_.pdf?v=0
Kairy, D., Lehoux, P., Vincent, C., & Visintin, M. (2009). A systematic review of clinical outcomes, clinical process, healthcare utilization and costs associated with telerehabilitation. Disability and Rehabilitation, 31, 427-447. doi:10.1080/09638280802062553
Kruse, C. S., Frederick, B., Jacobson, T., & Monticone, D. K. (2017). Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 25(1), 1-10. doi:10.3233/THC-161263
Kruse, C. S., Krowski, N., Rodriguez, B., Tran, L., Vela, J., & Brooks, M. (2017). Telehealth and patient satisfaction: A systematic review and narrative analysis. British Medical Journal Open, 7(8), e016242. doi:10.1136/bmjopen-2017-016242
Meinert, E., Alturkistani, A., Brindley, D., Knight, P., Wells, G., & de Pennington, N. (2018). Weighing benefits and risks in aspects of security, privacy and adoption of technology in a value-based healthcare system. BMC Medical Informatics and Decision Making, 18(1), 100. doi:10.1186/s12911-018-0700-0
Pew Research Center. (2018a). Demographics of mobile device ownership and adoption in the United States. Retrieved from http://www.pewinternet.org/fact-sheet/mobile/ [Website: http://www.webcitation.org/6xDIpUN2z]
Pew Research Center. (2018b). Internet/Broadband fact sheet. Retrieved from http://www.pewinternet.org/fact-sheet/internet-broadband/
Ponemon Institute, & IBM Security. (2018). 2018 Cost of data breach study. Retrieved from https://www.ibm.com/security/data-breach
U.S. Census Bureau. (2016). New census data show differences between urban and rural populations. Retrieved from https://www.census.gov/newsroom/press-releases/2016/cb16-210.html
Wade, S. L., Wolfe, C., Brown, T. M., & Pestian, J. P. (2005). Putting the pieces together: Preliminary efficacy of a web-based family intervention for children with traumatic brain injury. Journal of Pediatric Psychology, 30, 437-442. doi:10.1093/jpepsy/jsi067
Watzlaf, V. J. M., Zhou, L., DeAlmeida, D. R., & Hartman, L. M. (2017). A systematic review of research studies examining telehealth privacy and security practices used by healthcare providers. International Journal of Telerehabilitation, 9(2), 39-59. doi:10.5195/ijt.2017.6231
Copyright (c) 2019 Leming Zhou, Robert Edward Thieret, Valerie Watzlaf, Dilhari DeAlmeida, Bambang Parmanto
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- The Author retains copyright in the Work, where the term “Work” shall include all digital objects that may result in subsequent electronic publication or distribution.
- Upon acceptance of the Work, the author shall grant to the Publisher the right of first publication of the Work.
- The Author shall grant to the Publisher and its agents the nonexclusive perpetual right and license to publish, archive, and make accessible the Work in whole or in part in all forms of media now or hereafter known under a Creative Commons Attribution 4.0 International License or its equivalent, which, for the avoidance of doubt, allows others to copy, distribute, and transmit the Work under the following conditions:
- Attribution—other users must attribute the Work in the manner specified by the author as indicated on the journal Web site;
- The Author is able to enter into separate, additional contractual arrangements for the nonexclusive distribution of the journal's published version of the Work (e.g., post it to an institutional repository or publish it in a book), as long as there is provided in the document an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post online a prepublication manuscript (but not the Publisher’s final formatted PDF version of the Work) in institutional repositories or on their Websites prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work. Any such posting made before acceptance and publication of the Work shall be updated upon publication to include a reference to the Publisher-assigned DOI (Digital Object Identifier) and a link to the online abstract for the final published Work in the Journal.
- Upon Publisher’s request, the Author agrees to furnish promptly to Publisher, at the Author’s own expense, written evidence of the permissions, licenses, and consents for use of third-party material included within the Work, except as determined by Publisher to be covered by the principles of Fair Use.
- The Author represents and warrants that:
- the Work is the Author’s original work;
- the Author has not transferred, and will not transfer, exclusive rights in the Work to any third party;
- the Work is not pending review or under consideration by another publisher;
- the Work has not previously been published;
- the Work contains no misrepresentation or infringement of the Work or property of other authors or third parties; and
- the Work contains no libel, invasion of privacy, or other unlawful matter.
- The Author agrees to indemnify and hold Publisher harmless from Author’s breach of the representations and warranties contained in Paragraph 6 above, as well as any claim or proceeding relating to Publisher’s use and publication of any content contained in the Work, including third-party content.
Revised 7/16/2018. Revision Description: Removed outdated link.