Voice over the Internet Protocol (VoIP) Technologies

1
Voice over the Internet Protocol (VoIP)
Technologies How to Select a Videoconferencing
System for Your Agency

• Based on the Work of
• Watzlaf, V.M., Fahima, R., Moeini, S.
  Firouzani, P. (2010).VOIP for telerehabilitation
  A risk analysis for privacy, security, and HIPAA
  compliance . International Journal of
  Telerehabilitation 3-14

2

Selecting a Platform
3
Most VoIP technology systems provide a very
reliable, high quality, and competent
teleconferencing session with their patients
However, to determine if the VoIP
videoconferencing technologies are private,
secure, and compliant with HIPAA, a risk analysis
should be performed.
Watzlaf, et al., 2010
4
Skype, VSee or Other Vendors

• Questions regarding 3 HIPAA requirements
• Audit trails
• Chat box information stored on companys
  computers
• VSee can track which accounts connect but does
  not know the time or the content
• For a review of vendors visit
• http//www.telementalhealthcomparisons.com/
• You will have to provide your email address to
  review these comparisons

5
Lets Take Specific Vendors OUT of the Discussion
6
2 Choices
7
1st CHOICEUse the HIPAA compliance checklist
(prepared by Watzlaf colleagues) and compare it
to the VoIP technology software privacy and
security policies provided by the software vendor
and ask if they are willing to enter into a BAA
(Business Associate Agreement)
8
2nd CHOICEPurchase HIPAA compliant software
specific to VoIP with vendors that will walk you
through each piece of the HIPAA legislation to
make certain the software is private and secure
and be willing to enter into a BAA (Business
Associate Agreement)
9
HIPAA Compliance Checklist for VoIP Checklist on
NFAR website
10
Example of Items on Checklist

• Personal Information- Will employees and other
  users of VoIP software be able to listen in to
  video-therapy calls between patient and
  therapist?
• Retention of Personal Information- Are video
  conferencing sessions for therapy services
  recorded?
• Requests for Information from Legal Authorities
  etc.- Will personal information, communications
  content, and/or traffic data when requested by
  legal authorities be provided by the VoIP
  software company?

11
Every potential user (therapist or healthcare
facility) should review the privacy and security
policies that are found on the VoIP software
systems website to determine if they answer the
questions listed in this checklist.If the
question is not addressed in the policy, then the
user may want to contact the software company and
ask them how the company will address a
particular question(s).
12
Next Steps
13
1. Form a team that will examine VoIP software
systems to determine if it meets federal (HIPAA),
state, local, and facility-wide privacy and
security regulations
14
The team may consist of the provider attorney,
risk management personnel, health information
administrator/ privacy officer, security officer
(IT), clinical directors/supervisors and
counselors
15
2. Designate someone on the team to stay on top
of all the changes videoconferencing software
systems(federal state and local)
16
3. Educate all staff (not just counselors) on how
to use software system for videoconferencing
17
Training should include

• Privacy and Security related to HIPAA
• Issues Related to PHI (Private Health
  Information) Exchange
• Encryption
• Spyware
• Password Security
• Use of Equipment by Counselor/Client
• ATA Guidelines

18
4. Develop Patient Informed Consent Form

• What therapy will be provided using the VoIP
  technology
• How the technology will be used
• Benefits associated with videoconferencing
• Risks associated with videoconferencing (privacy
  and security)
• Informed Consent Form reviewed by team attorney

19
5. Incident response is necessary and should
include.

• documentation regarding the incident
• the response to the incident, any effects of the
  incident as well as whether policies and
  procedures that were followed in response to the
  incident
• if policies and procedures are not in place for
  incident response, then these should be developed
  with the security and privacy officers

20
Suggested General Rules for VoIP
Kuhn, Walsh, Fries, 2005 National Institute of
Standards and Technology
21
Do not use the username and password for
anything else but videoconferencing, change it
frequently and do not make it easy to identify
22
Avoid having computer viruses on the computer
used for video conferencing
23
Never use it for emergency services
24
Consistently authenticate who you are
communicating with especially when used for
tele-therapy video sessions
25
Focus on the transmission of data through video
conferencing.. How that data is made private
and secure during the telecommunication.How
private and secure it is stored and released to
internal and outside entities.
26
Provide audit controls for using software
applications so that they are secure and private
27
There are three types of information security
risks Confidentiality, Integrity, and
Availability
28
Confidentiality refers to the need to keep
information secure and private.
29
Integrity refers to information remaining
unaltered by unauthorized users.
30
Availability includes making information and
services available for use when necessary.
31
VoIP Risks and Recommendationsrelated to
Confidentiality, Integrity, and
AvailabilityList on NFAR Website
32
Information Security Risk Recommendation Example
Risk, Vulnerability or Threat Specific Area Risk Level Recommendation
Confidentiality Privacy Retention of personal data information as well as eavesdropping on conversations High (increases in VoIP because of the many nodes in a packet network) Change default passwords disable remote access to graphical user interface use authentication mechanisms
See VoIP Risks and Recommendations Checklist
33
All credit for this presentation goes toDr.
Watzlaf and colleagues for allowing the use of
their article as the basis for this presentation
and allowing us to post the HIPAA Compliance
Checklist and the Risk and Recommendations List
on our Website
34
www.nfarattc.org