Technology and Privacy
Updated January 28, 2021, 12:35 PM
States determine whether they will:
- require a common video conferencing application statewide;
- allow providers to choose from a list of state-approved applications; or
- allow local providers to select the video conferencing application they will use.
Some factors to consider when selecting a video conferencing platform for tele-intervention and distance learning are:
- Affordability (no cost to families)
- Security to prevent hacking
- Accessibility through a variety of devices such as smart phones, tablets, laptops and desktop computers
- Ability to accommodate an adequate number of users per session
- Low video and audio delay
- Low rate of dropped audio and video sessions
- Ease of use and installation
Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency
A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.
This updated video platform toolkit is designed to help readers learn more about how video can be used to support the delivery of healthcare and improve the customer care experience. We have included sections for consumers and for those holding clinical, operational, or administrative positions. In addition to using online video for clinical services, some attention will be given to other customer support processes common to a clinical office.
As telehealth programs expand, health care organizations have begun to use off-the-shelf webcams/laptops, tablets, and even smart phones. While established vendors compete to create the most efficient end-to-end solution, many new entrepreneurs attempt to navigate the regulatory process. Innovators are developing new software (such as cloud-based video conferencing, enhanced workflow products, and a wide variety of mobile apps) and hardware (including smaller carts, high-definition cameras, all-in-one peripheral devices, and more). Throughout the industry, a major emphasis to connect the consumer at home or work continues to develop.
States determine whether to publish guidelines or policy regarding privacy issues and the use of remote service delivery or whether to just inform providers of the recent guidance from the federal government regarding privacy.
See also: Procedural Safeguards
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records. The law addresses when recorded video is considered part of a child’s educational record; however, it does not address the use of "live" video.
SPPO is tasked with enforcing FERPA regulations.
- Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices (2014)
- Protecting Student Privacy While Using Online Educational Services: Model Terms of Service (2016)
- Letter to Mamas on Classroom Observation (2003)
- FAQs on Photos and Videos under FERPA
- Data Security: K-12 and Higher Education
Email and Student Privacy
Email is an easy way to communicate with students and parents. Prior to sending an email, it’s important to evaluate the risk associated with sending student information and to recognize whether it is personally identifiable information (PII).
Understanding the Confidentiality Requirements Applicable to IDEA Early Childhood Programs FAQs (2016)
This document assists early childhood programs under the Individuals with Disabilities Education Act (IDEA) with addressing privacy and confidentiality questions about the Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA).
This letter from OSEP responds to questions that ITCA asked on behalf of its state members regarding:
- parental consent requirements;
- parental consent for the use of private insurance to pay for Part C services; and
- the SOP and fees provisions under the 2011 Part C regulations.
Health Insurance Portability and Accountability Act (HIPAA)
The Department of Health and Human Services – Office of Civil Rights issued the following notification:
"OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately."
"A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients."
"Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs)..."
"Under this Notice… OCR will not impose penalties against covered health care providers for the lack of a BAA [Business Associates Agreement] with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency."
Privacy and Security Considerations when using Tele-Intervention: Applying Regulations to Tele-Intervention (NCHAM)
HIPAA impacts the exchange of health-related information and the provision of health/habilitative services, including tele-intervention services. There are two primary aspects of HIPAA with which tele-intervention providers must be familiar: privacy and security.
Just as you would obtain consent from families for students or other providers under Part C regulations to observe a traditional therapy session, informed consent must be obtained from families prior to anyone observing a tele-intervention session. Verbal consent may be sufficient if observers are students or other Part C providers who fall in the category of "participating agencies". Informed signed consent would be required for anyone else to observe a tele-intervention session.
Consumer-based, free Voice and video over the Internet Protocol (VoIP) software systems such as Skype and others are used by health care providers to deliver telerehabilitation and other health-related services to clients. Privacy and security applications as well as HIPAA compliance within these protocols have been questioned by practitioners, health information managers, and other healthcare entities. This pilot usability study examined whether four respondents who used the top three, free consumer-based, VoIP software systems perceived these VoIP technologies to be private, secure, and HIPAA compliant; most did not. While the pilot study limitations include the number of respondents and systems assessed, the protocol can be applied to future research and replicated for instructional purposes. Recommendations are provided for VoIP companies, providers, and clients/consumers.
Watzlaf, V. R., & Ondich, B. (2012). VoIP for Telerehabilitation: A Pilot Usability Study for HIPAA Compliance. International Journal of Telerehabilitation, 4(1), 33–36. doi: 10.5195/ijt.2012.6096
HIPAA and Telehealth (CCHP)
Compliance with HIPAA is more complex than simply using products that claim to be "HIPAA-compliant". HIPAA compliance entails an organized set of secure, monitored, and documented practices within and between covered entities. Though products cannot ensure compliance, some products may contain elements or features that allow them to be operated in a HIPAA-compliant way.