Technology and Privacy
On This Page
Technology
States determine whether they will:
- require a common video conferencing application statewide;
- allow providers to choose from a list of state-approved applications; or
- allow local providers to select the videoconferencing application they will use.
Some factors to consider when selecting a video conferencing platform for tele-intervention and distance learning are:
- Affordability (no cost to families)
- Security to prevent hacking
- Accessibility through a variety of devices such as smart phones, tablets, laptops and desktop computers
- Ability to accommodate adequate number of users per session
- Low video and audio delay
- Low rate of dropped audio and video sessions
- Ease in use and installation
Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency
A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.
Clinician's Guide to Video Platforms
This Telehealth Technology Assessment Resource Center (TTAC) toolkit is designed to help readers learn more about how video can be used to support the delivery of healthcare and improve the customer care experience, we have included sections for consumers and those holding clinical, operational, or administrative positions. In addition to using online video for clinical services, some attention will be given to other customer support processes common to a clinical office.
Telehealth Technologies and Preparing to Select a Vendor (2016)
This brief from the National Organization of State Offices of Rural Health (NOSORH) Common types of telehealth technology, tips to help make an informed choice, and a list of some available vendors based on the common types of telehealth technology.
Privacy
States determine whether to publish guidelines or policy regarding privacy issues and the use of remote service delivery or whether to just inform providers of the recent guidance from the federal government regarding privacy.
See also: Procedural Safeguards
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records. The law addresses when recorded video is considered part of a child’s educational record however it does not address the use of "live" video.
The Student Privacy Policy Office (SPPO)
SPPO is tasked with enforcing FERPA regulations under 34 CFR Part 99.
- Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices (2014)
- Protecting Student Privacy While Using Online Educational Services: Model Terms of Service (2016)
- Letter to Mamas on Classroom Observation (2003)
- FAQs on Photos and Videos under FERPA
- Data Security: K-12 and Higher Education
Email and Student Privacy
Email is an easy way to communicate with students and parents. Prior to sending an email, it’s important to evaluate the risk associated with sending student information and recognizing if it is personally identifiable information (PII).
Understanding the Confidentiality Requirements Applicable to IDEA Early Childhood Programs FAQs (2016)
This document assists early childhood programs under the Individuals with Disabilities Education Act (IDEA) with addressing privacy and confidentiality questions about the Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA).
Electronic Signature Guidance (2013)
This letter from the OSEP is a response to ITCA asking questions on behalf of its state members regarding:
- parental consent requirements;
- parental consent for the use of private insurance to pay for Part C services; and
- the SOP and fees provisions under the 2011 Part C regulations.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA impacts the exchange of health-related information and the provision of health/habilitative services, including tele-intervention services. There are two primary aspects of HIPAA for which tele-intervention providers must be familiar: privacy and security.
Just as you would obtain consent from families for students or other providers under Part C regulations to observe a traditional therapy session, informed consent must be obtained from families prior to anyone observing a tele-intervention session. Verbal consent may be sufficient if observers are students or other Part C providers who fall in the category of "participating agencies". Informed signed consent would be required for anyone else to observe a tele-intervention session.
The Department of Health and Human Services — Office of Civil Rights issued the following notification:
"OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately."
"A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients."
"Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs)..."
"Under this Notice… OCR will not impose penalties against covered health care providers for the lack of a BAA [Business Associates Agreement] with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency."
Combined Regulation Text of All Rules
The complete suite of HIPAA Administrative Simplification Regulations can be found at:
- 45 CFR §160 — General Administrative Requirements
- 45 CFR §162 — Administrative Requirements
- 45 CFR §164 — Security and Privacy
National Center for Hearing Assessment and Management (NCHAM)
- Tele-intrvention Guide: Privacy and Security Considerations when using Tele-Intervention: Applying Regulations to Tele-Intervention
- The Essential Elements of the HIPAA Security Law (35 minutes)
- Training and Implementation of Tele-Intervention Sessions
Additional Resources
- HIPAA and Telehealth (Center for Connected Health Policy)
- Watzlaf, V. R., & Ondich, B. (2012). VoIP for Telerehabilitation: A Pilot Usability Study for HIPAA Compliance. International Journal of Telerehabilitation, 4(1), 33–36. https://doi.org/10.5195/ijt.2012.6096