Based on the work of

Date post: 04-Jan-2016
Upload: freya-gaines
Voice over the Internet Protocol (VoIP) Technologies: How to Select a Videoconferencing System for Your Agency Based on the work of Watzlaf, V.M., Fahima, R., Moeini, S. & Firouzani, P. (2010). VOIP for telerehabilitation: A risk analysis for privacy, security, and HIPAA compliance. International Journal of Telerehabilitation, 3-14.
Transcript
Page 1

Voice over the Internet Protocol (VoIP) Technologies: How to Select a Videoconferencing System for Your Agency

Based on the work of Watzlaf, V.M., Fahima, R., Moeini, S. & Firouzani, P. (2010). VOIP for telerehabilitation: A risk analysis for privacy, security, and HIPAA compliance. International Journal of Telerehabilitation, 3-14.

Page 2

Selecting a Platform

Page 3

Most VoIP technology systems provide a very reliable, high quality, and competent teleconferencing session with patients.

However, to determine if the VoIP videoconferencing technologies are private, secure, and compliant with HIPAA, a risk analysis should be performed.

Watzlaf et al., 2010

Page 4

Skype, VSee, or Other Vendors

• Questions regarding 3 HIPAA requirements
  – Audit trails
  – Chat box information stored on company’s computers
  – VSee can track which accounts connect but does not know the time or the content
• For a review of vendors visit:
  – http://www.telementalhealthcomparisons.com/ (You will have to provide your email address to review the comparisons)

Page 5

Let’s take specific vendors OUT of the discussion

Page 6

2 Choices

Page 7

1st CHOICE

• Use the HIPAA compliance checklist (Watzlaf et al., 2010)

• Compare it to the VoIP technology software privacy and security policies provided by the software vendor

• Ask if they are willing to enter into a BAA (Business Associate Agreement)

Page 8

2nd CHOICE

Purchase HIPAA compliant software specific to VoIP from vendors that will walk you through each piece of the HIPAA legislation to make certain the software is private and secure, and that are willing to enter into a BAA (Business Associate Agreement)

Page 9

HIPAA Compliance Checklist for VoIP (located on NFAR website)

Page 10

Example of Items on Checklist

• Personal Information
  – Will employees and other users of VoIP software be able to listen in to video-therapy calls between patient and therapist?
• Retention of Personal Information
  – Are video conferencing sessions for therapy services recorded?
• Requests for Information from Legal Authorities etc.
  – Will personal information, communications content, and/or traffic data when requested by legal authorities be provided by the VoIP software company?

Page 11

Every potential user (therapist or healthcare facility) should review the privacy and security policies that are found on the VoIP software system’s website to determine if they answer the questions listed in this checklist.

If the question is not addressed in the policy, then the user may want to contact the software company and ask them how the company will address a particular question(s).

Page 12

Next Steps…

Page 13

1. Form a team that will examine VoIP software systems to determine if they meet federal (HIPAA), state, local, and facility-wide privacy and security regulations.

Page 14

The team may consist of the:
• Provider attorney
• Risk management personnel
• Health information administrator or privacy officer
• Security office (IT)
• Clinical directors/supervisors
• Counselors

Page 15

2. Designate someone on the team to stay on top of all the changes to videoconferencing software systems (federal, state, and local)

Page 16

3. Educate all staff (not just counselors) on how to use the software system for videoconferencing

Page 17

Training should include:
• Privacy and Security related to HIPAA
• Issues Related to PHI (Private Health Information) Exchange
• Encryption
• Spyware
• Password Security
• Use of Equipment by Counselor/Client
• ATA Guidelines

Page 18

4. Develop Patient Informed Consent Form

• What therapy will be provided using the VoIP technology
• How the technology will be used
• Benefits associated with videoconferencing
• Risks associated with videoconferencing (privacy and security)
• Informed Consent Form reviewed by team attorney

Page 19

5. Incident response is necessary and should include…
• documentation regarding the incident
• response to the incident
  – any effects of the incident, as well as whether policies and procedures were followed
  – if policies and procedures are not in place for incident response, then these should be developed with the security and privacy officers

Page 20

Suggested General RULES for VoIP

(Kuhn, Walsh, & Fries, 2005, National Institute of Standards and Technology)

Page 21

RULES

Do not use the username and password for anything other than videoconferencing; change it frequently; and do not make it easy to identify

Page 22

RULES

Avoid getting computer viruses on the computer used for video conferencing

Page 23

RULES

Never use it for emergency services

Page 24

RULES

Consistently authenticate who you are communicating with, especially when used for tele-therapy video sessions

Page 25

RULES

Focus on:
• the transmission of data through videoconferencing
• how that data is made private and secure during the telecommunication
• how privately and securely it is stored and released to internal and outside entities

Page 26

RULES

Provide audit controls for using software applications so that they are secure and private

Page 27

There are three types of information security risks:

• Confidentiality
• Integrity
• Availability

Page 28

Confidentiality refers to the need to keep information secure and private.

Page 29

Integrity refers to information remaining unaltered by unauthorized users.

Page 30

Availability includes making information and services available for use when necessary.

Page 31

VoIP Risks and Recommendations related to Confidentiality, Integrity, and Availability

List on NFAR Website

Page 32

Information Security Risk & Recommendation Example

Risk, Vulnerability, or Threat: Confidentiality & Privacy

Specific Area: Retention of personal data & information as well as eavesdropping on conversations

Risk Level: High (increases in VoIP because of the many nodes in a packet network)

Recommendation:
• change default passwords
• disable remote access to graphical user interface
• use authentication mechanisms

(See VoIP Risks and Recommendations Checklist)

Page 33

Thank you to Dr. Watzlaf and colleagues for allowing us to use their article as the basis for this presentation and to post the HIPAA Compliance Checklist, and Risk and Recommendations List on our Website

Page 34

www.nfarattc.org

