|Home | About | Journals | Submit | Contact Us | Français|
The objective of this systematic review was to systematically review papers in the United States that examine current practices in privacy and security when telehealth technologies are used by healthcare providers. A literature search was conducted using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses Protocols (PRISMA-P). PubMed, CINAHL and INSPEC from 2003 – 2016 were searched and returned 25,404 papers (after duplications were removed). Inclusion and exclusion criteria were strictly followed to examine title, abstract, and full text for 21 published papers which reported on privacy and security practices used by healthcare providers using telehealth. Data on confidentiality, integrity, privacy, informed consent, access control, availability, retention, encryption, and authentication were all searched and retrieved from the papers examined. Papers were selected by two independent reviewers, first per inclusion/exclusion criteria and, where there was disagreement, a third reviewer was consulted. The percentage of agreement and Cohen’s kappa was 99.04% and 0.7331 respectively. The papers reviewed ranged from 2004 to 2016 and included several types of telehealth specialties. Sixty-seven percent were policy type studies, and 14 percent were survey/interview studies. There were no randomized controlled trials. Based upon the results, we conclude that it is necessary to have more studies with specific information about the use of privacy and security practices when using telehealth technologies as well as studies that examine patient and provider preferences on how data is kept private and secure during and after telehealth sessions.
When in-person meetings and paper-based health records are used, healthcare providers have a clear idea about how to protect the privacy and security of healthcare information. Providers see each patient in a private room and the patient records are locked in a secure office setting which is only accessible to authorized personnel. When the healthcare practice is moved to the Internet, as in the case with telehealth, and all information is electronic, the situation becomes more complex. Most healthcare providers are not trained in protecting security and patient privacy in cyberspace. In cyberspace, there are many methods that can be used to break into the electronic system and gain unauthorized access to a large amount of protected health information (PHI). Therefore, the information security and patient privacy in telehealth is at a higher risk for breaches of
PHI. For instance, from 2010 to 2015 it was found that laptops (20.2%), network servers (12.1%), desktop computers (13%), and other portable electronic devices (5.6%) made up 51 percent of data sources of all healthcare data breaches that affected more than 500 individuals (Office of the National Coordinator for Health Information Technology, 2016). PHI is highly regulated in the United States. The most familiar regulation impacting healthcare facilities and providers is the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (US Department of Health and Human Services, 2013). HIPAA is a federal law that provides privacy and security rules and regulations to protect PHI. The HIPAA Privacy Rule is an administrative regulation created by the Department of Health and Human Services (DHHS). It was developed after the US Congress passed HIPAA, and went into effect in 2003.
The HIPAA Privacy Rule only applies to healthcare providers that conduct electronic billing transactions but is effective for both paper and electronic health information. It is a set of national standards that addresses the use and disclosure of PHI by a covered entity such as a healthcare organization as well as establishing privacy rights for individuals on how their PHI is used and shared. Its major objective is to protect the flow of health information while at the same time providing high quality healthcare.
The HIPAA Security Rule went into effect in 2005 and regulates only electronic health information. It is a set of national standards that protects an individual’s electronic health information that is created, received, used or maintained by a covered entity such as a healthcare organization. It requires the administrative, physical, and technical standards to be adopted so that confidentiality and integrity of electronic PHI is protected.
In addition to HIPAA, there are many other federal and state laws that govern the use and disclosure of health information. Of these laws, HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 have provided the most specific regulations for the protection of privacy and security of health information in the United States. However, some state regulations may be even more stringent, such as requiring a consent form for disclosure of a patient’s own medical record when HIPAA does not require consent (Rinehart-Thompson, 2013). The HITECH Act includes changes to the HIPAA Privacy and Security rules that focus mainly on health information technology and strengthens standards for the privacy and security of health information. It went into effect in 2010 but some parts of the act have different compliance deadlines (Rinehart-Thompson, 2013).
For this article, we adopted the Health Resources and Services Administration’s (HRSA) 2015 definition of telehealth: “the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the Internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications” (Health Resources and Services Administration, 2015). The HRSA definition was used because it aligns with our purpose, which is to provide a systematic review of published papers that pertain to privacy and security provisions used by healthcare providers when deploying telehealth technologies in the United States.
Our previous experiences in interacting with telehealth providers suggest that the providers do not always know the best practices to use to decrease the risk of privacy and security issues in telehealth (Cohn & Watzlaf, 2012; Watzlaf, 2010; Watzlaf, Moeini, & Matusow, 2011). Many of the features within the free, consumer-based video and voice communication systems that were evaluated did not demonstrate to the providers using them that the information was private and secure (Watzlaf & Ondich, 2012). Also, many of the telehealth providers did not know the best practices to use to educate consumers on privacy and security (Watzlaf, Moeini, & Firouzan, 2010; Watzlaf, Moeini, Matusow, & Firouzan, 2011).
Through our past work, audit checklists were developed to determine if a system supports HIPAA compliance (Watzlaf et al., 2010; Peterson & Watzlaf, 2014). The 58-question checklist is specific to Information and Communication Technologies (ICTs) (Watzlaf et al., 2010). There are already methods and tools available for healthcare providers to evaluate the security and privacy features of telehealth systems they are currently using. Now, it is necessary to conduct a systematic review on the status of privacy and security provisions that are used by healthcare professionals when deploying telehealth services to see if they are using the tools and guidelines available to them or if they incorporate new systems to evaluate privacy and security within telehealth systems.
A systematic literature search was performed on papers published between 2003 to 2016. The sources used in the search included PubMed (Medline via PubMed; National Library of Medicine, Bethesda, MD; started in 1966) CINAHL databases (indexing from nursing and allied health literature) and INSPEC (a scientific and technical database developed by the Institution of Engineering and Technology).
Briefly, our literature search strategy combined synonyms for telehealth with privacy and security across healthcare professionals. The list of synonymous terms was voluminous. Some examples of synonymous terms for telehealth included telemedicine, telepathology, telerehabilitation; synonymous terms for privacy and security included confidentiality, encryption, access control, authentication; synonymous terms for healthcare professionals included physicians, clinicians, nurses, occupation therapists. Language restrictions included those papers written in English only. In addition, reference lists were reviewed manually from relevant original research and review papers.
These searches returned 21,540 papers from PubMed and 4,785 papers from CINAHL, and 591 papers from INSPEC for a total of 26,916 papers, of which 1,512 were duplicates. After a review of titles and abstracts, 21 papers were reviewed in full text (Figure 1). After the first round of article selections, one third of the papers were found to be international. Papers were then restricted to those in the United States since HIPAA and HITECH are laws that are enforced in the United States only and these laws are a major influence in privacy and security in the US.
The protocol for this study was based on the Preferred Reporting Items for Systematic Review and Meta-Analysis Protocols (PRISMA-P). The PRISMA-P contains 17 items that are considered essential as well as minimum components to include in systematic reviews or meta-analyses. PRISMA-P recommends that each systematic review include detailed criteria using the PICOS (participants, interventions, comparisons, outcome(s) and study design) reporting system (Moher et al., 2015). Details of the full protocol have been previously published in Prospero and the International Journal of Telerehabilitation (Watzlaf, DeAlmeida, Zhou, & Hartman, 2015; Watzlaf, DeAlmeida, Molinero, Zhou, & Hartman, 2015).
To be eligible for this systematic review, published papers had to meet all the following criteria:
Papers were reviewed and excluded in different phases:
In the initial title/abstract review the major reasons for exclusion were:
In the full text review the major reasons for exclusion were that the papers did not include both telehealth and a major aspect of privacy and security related to telehealth use.
All search results were exported into EndNote libraries. EndNote is a bibliographic management system. De-duplications were performed by using the method described by Bramer et al (Bramer, Giustini, de Jonge, Holland, & Bekhuis, 2016). Studies were removed if they were found to be duplicated. The PDFs of the papers reviewed were stored in a shared Box account (i.e., a secure cloud content platform in which users can share large documents as well as collaborate, Redwood City, CA).
Each article meeting the inclusion criteria was reviewed and its characteristics documented using a standardized pre-tested data extraction form. The data extraction form captured the following data items: the three large goals of privacy and security (confidentiality, integrity, and availability); the specific techniques for achieving these goals (authentication, encryption, access control, physical security, policy, database backup, error detection, anti-virus, software patches, secure system design, intrusion detection); and the methods in each system (study designs, settings, and outcomes).
The reference librarian performed the search and only provided the title, abstract and year to the reviewers. The two reviewers (DD, VW) independently read the title and abstracts of the identified papers and determined eligibility based on the specified inclusion/exclusion criteria. To better know how to appropriately search the article titles and abstract, two of the reviewers (DD and VW) conducted a pilot study by using a small sample (n=100) of papers, made the selection and then discussed the results against the selection criteria. From this pilot study we could determine that we applied the same selection criteria for our search strategy.
Reviewers were blind to journals, study authors and institutions. Any disagreements between the reviewers were resolved by a third reviewer (LZ). Inter-rater reliability was measured using the Cohen’s kappa statistical test (k). An inter-rater Kappa score was assessed during the first round of the paper selection, to ensure a Kappa score at or above 0.8 as measured by Cohen’s Kappa (k) statistical test. Full-text of studies making this first cut were reviewed.
Three reviewers screened these for inclusion/exclusion criteria. Selection disagreements were resolved through discussion and reasons for excluding studies were recorded. A form, developed in Excel, was used to extract data from selected studies and included the author, year of publication, reference; study design and sample size; setting; privacy and security descriptions; primary outcomes; study limitations, HIPAA compliance, and best practices. Reviewers assessed the overall quality of evidence for every important outcome using the GRADE four point ranked scale: (4) High; (3) Moderate; (2) Low; (1) Very low (Balshem et al., 2011). Full papers were used as evidence for decisions about the quality of evidence and the strength of recommendations. Any differences in the grading were assessed and discussed in several meetings with investigators until full consensus was reached.
Quantitative analysis of the data from the papers was limited due to the lack of quantifiable data in the privacy and security literature. However, subcategories with similar characteristics received more in-depth comparisons. Investigators first broke the data into qualitative themes that related to privacy, security and administrative content. Each of those areas were broken down into subthemes such as patient rights, use, and disclosure for privacy; technical and physical for security; and organizational and education/training/personnel for administrative. Then, specific content within the 21 papers were reviewed closely and categorized across each of those themes and subthemes.
For the 25,404 entries reviewed by 2 reviewers the percentage of agreement was very good with the observed value of 99.04% and the 95% CI between 98.91 to 99.16 calculated per the Wilson efficient-score method. For the Cohen’s kappa, the observed kappa is 0.7331 and the 95% CI are 0.7009 to 0.7653. Although the kappa is lower than 0.8, this still suggests substantial agreement (Fleiss, Cohen, & Everitt, 1969).
A total of 21 papers (Watzlaf & Ondich, 2012; Watzlaf et al., 2010; Watzlaf, Moeini, Matusow, et al., 2011; Peterson & Watzlaf, 2014; Paing et al., 2009; Cason, Behl, & Ringwalt, 2012; Daniel, Sulmasy, & for the Health and Public Policy Committee of the American College of Physicians, 2015; Naam & Sanbar, 2015; American Telemedicine Association, 2009, 2011, 2014a, 2014b, 2016; Hall & McGraw, 2014; Garg & Brewer, 2011; Brous, 2016; Mullen-Fortino et al., 2012; Nieves, Candelario, Short, & Briscoe, 2009; Putrino, 2014; Demiris, 2004; Demiris, Edison, & Schopp, 2004) were selected for this systematic review. These selected papers were published between 2004 to 2016, in which 29 percent of them were published between 2011–2012. The papers included several telehealth specialties such as telerehabilitation, telepsychiatry, teletrauma, telenursing and tele-diabetes. Sixty-seven percent were guideline/policy/strategy type studies, with three using a survey or interview method (14%). Other studies included a usability study, a systematic review, a pilot study and an opinion piece. There were no randomized controlled trials found that focused on privacy and security in telehealth (Table 1).
A quantitative analysis of the privacy, security, and administrative areas that were discussed in the papers is summarized in Table 2. All studies discussed some aspect of privacy and security. Sixty-seven percent addressed patient rights to include informed consent, accessibility, confidential communications, or the patient’s ability to amend their information. Thirty-eight percent addressed use and disclosure to include how video sessions are retained, authorizations for release of information to other countries, websites, and third parties, accounting of disclosures, purging and/or deletion schedule of files on mobile devices and audio and video muting to maintain privacy. Sixty-seven percent of the studies addressed the technical aspects of security to include encryption, two-factor authentication, data backup, storage and recovery to meet HIPAA requirements, National Institute of Standards and Technology (NIST) and Health Level-7 (HL7) recommendations. However, only 38 percent addressed the physical aspects of the telehealth session to include a secure server location, back-up generator and maintaining a secure physical environment for where the telehealth session is held. One of the studies contained a systematic review of telemedicine security and found poor reporting of methodologies for telemedicine technologies and security measures. Fifty-two percent of the papers did not discuss the organization of privacy and security through policies, procedures, Business Associate Agreements (BAAs) or compliance audits, however, 67 percent addressed the need for education and training of providers, patients and technical support workforce.
Table 3 provides a detailed summary of all papers for privacy, security and administrative content. Most of the patient rights content dealt with providing verbal or written informed consent in simple, easy to understand language and to have providers discuss the risks of privacy and security when using telehealth. Use of audio/video muting and a secure physical environment was also discussed to be included in the consent for treatment so that the patient understands how their information during and after the telehealth session is private. Use and disclosure was not as clearly addressed, although several papers stated that access to patient information should only be granted with proper authorization, and there was a need to have this discussed with the patient so that they understood ownership of the data before the telehealth session begins. Encryption and two-factor authentication were other major areas addressed in the papers. Some papers did provide details as to the types of encryption to use as well as meeting HIPAA and NIST requirements and recommendations. Data backups, storage of the video files, and the ability to keep them secure was also discussed. Other areas addressed included a review of consumer-based free systems and the importance of healthcare providers’ understanding of which telehealth technologies meet federal, state, and local laws. Other areas mentioned included performing an overall privacy and security assessment of the telehealth system and to maintain security solutions specific to the telehealth system, making sure that confidentiality and security are a primary concern. Many of the papers expressed the need for overall provider and patient awareness, education and training and policies on keeping telehealth information private and secure, and policies that specify who can be included in the telehealth session. Other papers expressed the need for maintaining a BAA with the vendor providing the telehealth system. Some papers addressed the need for more research on the effectiveness of telemedicine to include telehealth security training, legal liability, HIPAA compliance and the importance of an independent assessment of overall privacy and security. Some of the papers described the lack of current scientific studies around privacy and security in telehealth and the need for more studies that demonstrate the effectiveness of best practices in privacy and security of telehealth (Table 3).
This systematic review of privacy and security practices that healthcare providers may use with telehealth technologies has shown that privacy and security is a concern across all types of specialties such as telerehabilitation, telenursing, teletrauma, and telepsychiatry. All providers need to make privacy and security of utmost concern when conducting a telehealth session.
The papers suggest that most of the work has been policy and strategy pieces with no experimental or quasi-experimental studies represented. In both survey research studies conducted, healthcare providers had concerns over privacy and security in telehealth and that it can be intrusive for the patient. In an interview study, it was found that providers did not believe that telehealth increased the risk of privacy or security concerns although some did not know enough to answer the question fully and thought there could be increased risk. These studies alone show that there is uncertainty on this topic.
Many healthcare providers may not know all the many aspects of privacy and security within telehealth and need more education and training as well as technical support personnel to help them in these areas. Many of the policy studies stated that policy and procedure (P&P) as well as education and training are needed for all healthcare providers and technical support personnel to prevent breaches of PHI.
These papers also stated that healthcare professionals need to know state, regional, and national laws and regulations, legal liability, HIPAA/HITECH and HL7 compliance, as well as measures used to ensure availability of PHI to the proper users. Methods were also discussed regarding how audio or video recordings are to be stored, maintained and accessed to protect patient privacy, and how mobile devices used in telehealth sessions are to be reinforced to protect the privacy and security of patient information.
The most detailed information surrounding informed consent for a telehealth session was found in the ATA guidelines and recommendations and discussed how maintaining privacy and security within the telehealth session must be included in the informed consent in easy to understand language especially when discussing encryption, authentication and other methods to maintain confidential communications between provider and patient. The use of audio and video muting as well as the ability to quickly change from public to private audio mode so that unauthorized users may not see or hear what is being communicated was also discussed throughout the ATA guideline papers.
If the telehealth sessions are recorded and kept with the electronic health record (EHR) then proper authorizations are necessary when PHI is requested. However, there is no standard method for how this is done. Some systems may convene a telehealth session and not store any of the information that was transmitted. Some may record the session but then destroy the recording after the session is over. Some may record and store the session or even transmit the session to a third party for additional treatment and consultation. Some type of standard process in this area is needed.
Security measures such as encryption and authentication were addressed, but not all papers provided a standardized description of the encryption methods used or the best methods for authentication. Very few papers addressed the importance of an independent audit on the telehealth system for privacy and security features by an outside entity.
There were some limitations to our systematic review. Due to time constraints the grey literature, such as dissertations and other unpublished reports, other databases listed in the protocol, vendors or authors (also mentioned in the protocol) were not searched. Also, as mentioned previously, only English language articles were reviewed.
In summary, more scientific research studies are needed to determine the best practices in privacy and security surrounding telehealth. Experimental studies that address the effectiveness of privacy and security evaluations of the telehealth system, proper informed consent that discusses the privacy and security aspects of the telehealth session with the patient as well as testing of access control, disaster recovery and risk analysis of the telehealth system are essential to improve the practices of the entire telehealth team.
Best practices that are consistent across all types of telehealth services for all healthcare providers are needed to address all privacy and security issues. Privacy and security aspects are just as important as providing a clear and trouble-free telehealth session and a privacy and security evaluation should be performed before the telehealth system is used with a patient. Tools used to assist healthcare providers on what they should look for when deciding on a telehealth system are needed. This systematic review results informed the need for and subsequently led to the development of a best practice tool that will enable healthcare providers to assess privacy and security features of the telehealth technologies they are planning to use. Hopefully, this tool will move healthcare providers one step closer to enabling best practices in privacy and security in telehealth.
This research was supported in part by the National Institute on Disability, Independent Living, and Rehabilitation Research (NIDILRR) grant #90RE5018 (RERC from Cloud to Smartphone: Empowering and Accessible ICT). Systematic Review Registration: PROSPERO: CRD42015020552