Last Modified: 04/09/2012
V. Privacy and Security Considerations
The privacy rights of individuals served by the early intervention program are equally important when providing services via tele-intervention. As with the provision of any early intervention service, privacy procedures must be in accordance with federal regulations. Federal privacy regulations, specifically the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and Part C regulations of the Individuals with Disabilities Education Act (IDEA), which incorporate confidentiality provisions under FERPA, must be followed when such information is exchanged. Key points pertaining to these regulations are provided in Tables 1-3. In addition, NCHAM has a comprehensive report titled: The Impact of Privacy Regulations: How EHDI, Part C, & Health Providers Can Ensure That Children & Families Get Needed Services [PDF].
Table 1: The Health Insurance Portability and Accountability Act (HIPAA)
Title I of HIPAA establishes conditions for protected health information use and disclosure, impacting how the various stakeholders involved in providing health care services - including therapists - are able to exchange information. In 2002, modifications to the privacy rule of HIPAA were made to ensure privacy without hindering access to health care. For current information, go to the U.S. Department of Health & Human Services website.
- HIPAA allows covered entities, such as hospitals and audiologists, to share personal information with public health authorities such as EHDI without written prior authorization of the patient for the sake of surveillance, investigations, and interventions.
- "Signed consent" must be obtained to use personal information for (a) marketing purposes, such as selling lists of patients to third parties, and (b) research.
- Signed consent is NOT required for health providers to exchange information with other health care providers for routine health care delivery purposes, which is defined as treatment, payment, and health care operations. (One exception is the required signed consent to disclose psychotherapy notes, which may be part of a family’s treatment record.) HIPAA requires that patients be informed of their rights and the intention of the health care provider to share personal information with other health care providers, though this can be via verbal exchange.
- Signed consent is NOT required for covered entities to share personal information if it is for public health purposes (such as surveillance of newborn hearing screening and follow up).
- Providers must keep a record of any personal information that is shared with others.
- Signed consent is NOT required if there are state laws that mandate the exchange of information, such as required reporting of newborn hearing screening to the child’s primary care provider.
Table 2: The Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) of 1974, also known as the Buckley Amendment, is a federal law that protects the privacy of student education records. An education agency, institution, or program that receives funds under a program from the U.S. Department of Education (which includes Part C Early Intervention Programs) must abide by the provisions of this law. FERPA specifies that students and guardians have a right to know about the information kept as a part of their educational records; in other words, the content of records cannot be kept secret. In general, "education records" cannot be shared with others unless parents give permission for such information to be shared. School nurse or other health information records on children served under IDEA are also considered "educational records" and require signed consent before they can be shared. Therefore, under FERPA, schools must obtain signed consent to provide any screening, diagnostic, or treatment information they possess to EHDI or other health providers.
In general, FERPA says that:
- Signed consent is needed for school officials to share with EHDI or other providers personal information from a child’s educational records (e.g., transcripts, grades, services provided, etc.) as well as personally identifying information such as the child’s social security number or student identification number; race, ethnicity, and/or nationality; or gender.
- Signed consent is NOT needed to share a child’s general contact information (name, address), enrollment status, dates of attendance at school, honors and awards. This information can be shared with (a) other education programs, (b) media, (c) financial aid parties, (d) appropriate officials in cases of health and safety emergencies, and (e) juvenile justice systems to comply with judicial orders.
- Schools or early intervention programs must inform parents at least annually of their intent to share such information and give parents the opportunity to object to such information being shared.
- Signed consent is NOT required when personal information is shared directly with the student or other school officials within the same institution where there is a legitimate educational interest. A legitimate educational interest may include enrollment or transfer matters, financial aid issues, or information requested by regional accrediting organizations.
- Signed consent is NOT needed when it is necessary to protect the health or safety of the student or other person, such as circumstances of abuse or neglect.
Table 3: IDEA Part C Privacy Regulations
Under Part C of the IDEA, the U.S. Department of Education provides funds to the lead agency in each State to establish a state-wide system of early intervention services for children ages birth to three years with disabilities (including developmental delays as defined by the individual state) and, at the State’s option, children under three who are at risk of developmental delays. The Part C privacy regulations incorporate the privacy protections of the IDEA Part B regulations and the protections and exceptions under FERPA.
Part C’s confidentiality provisions do not apply until a child is referred to Part C and thus, signed consent provisions do NOT apply to EHDI or any other entity that refers a child to the Part C program. Under Part C regulations, these individuals or entities are "primary referral sources" and generally not subject to Part C’s confidentiality requirements.
In general, under Part C, once a child is referred to the Part C early intervention service program, a "participating agency" (which includes the lead agency, early intervention service (EIS) providers, and any other individual agency or institution that "collects, maintains, or uses personally identifiable information" as part of the Part C service system) must obtain signed consent before disclosing personal information about the child or his or her family. Part C privacy regulations have the following stipulations related to sharing of personal information:
- Signed consent is needed for Part C participating agencies to share personal information with any individuals or entities that are not a part of the Part C system.
- When obtaining signed consent, the lead agency or early intervention service provider is required to ensure that the consent is "informed." In other words, the consent must: (1) describe the activity for which consent is sought (e.g. initial evaluation or disclosure of specific records from the child’s early intervention record); (2) specifically identify the information that will be released (e.g. evaluation to determine eligibility); and (3) identify to whom the record(s) shall be disclosed (e.g. the EHDI program).
- If the consent is being obtained to share the results of an evaluation before such an evaluation has been conducted, the consent must confirm that the parent has not yet received or reviewed the evaluation report.
- Signed consent is NOT needed for Part C to share individual child information with an individual or entity that is considered a "participating agency".
- Signed consent is NOT needed when disclosure of personally identifiable information is necessary to protect the health or safety of a child or other individual, such as circumstances of child abuse.
Applying Privacy Regulations to Tele-Intervention
Currently, there is no federal agency for the Internet that regulates privacy. "Net Neutrality" means Internet use is unrestricted, and privacy is controlled via secure websites. However, TI providers must abide by HIPAA, FERPA, and Part C regulations in the provision of TI services, be it the exchange of written reports, observations of TI sessions by others, or actual video recordings of TI sessions.
Observing "live" TI sessions
Just as you would obtain consent from families for students or other providers under Part C regulations to observe a traditional therapy session, informed consent must be obtained from families prior to anyone observing a TI session. Verbal consent may be sufficient if observers are students or other Part C providers who fall in the category of "participating agencies". Informed signed consent would be required for anyone else to observe a TI session.
Recording TI sessions
It is recommended that providers obtain signed informed consent from the family to record TI sessions. This ensures that the family is aware that recordings exist and that they can obtain copies of recordings under FERPA. It is important to abide by privacy regulations when sharing recordings of TI sessions with other providers. For example, video recordings may be shared with other "participating agencies" without signed consent, such as another Part C early intervention provider. However, under Part C regulations, video recordings may not be shared with others, such as a physician, without signed informed consent.
Sharing Recordings With Families
Families may have access to their own child’s TI records, including video recordings, without signed informed consent. In fact, video recordings are one of the benefits of TI, allowing families to share their child’s progress and coaching strategies with other family members. It is important, though, to secure access to these recordings just as you secure access to written records or verbal communications. A password-protected, encrypted site should be used.
Security
Security is often raised as a concern in regard to someone else being able to “hack” or access the two-way teleconferencing exchange. Security issues include someone else being able to view a TI session either live or via a recorded link on a website or computer. Hacking, viruses and worms are all threats to security. While some technologies may be less susceptible to security issues, none are immune. Home locations are likely to be more susceptible to security issues than locations that invest heavily in Information Technology (IT) support. Firewalls (software and/or hardware) limit unauthorized access to computers or networks and are designed to prevent such security threats. Firewalls are included in some computer operating systems (e.g., Windows), can be added as additional software (e.g., internet security programs), or can involve extra hardware/software placed between a computer and an internet connection. Cyber security involves protecting information by preventing, detecting, and responding to attacks.
How to Create Optimal Security
The Essential Elements of the HIPAA Security Law
Dr. Valerie Watzlaf from the Department of Health Information Management in the School of Health and Rehabilitation Sciences at University of Pittsburgh discusses the essential elements of the HIPAA Security Law. She describes practical considerations for those engaged in telepractice. This presentation was made to the NCHAM tele-intervention learning community in December, 2011.
Strategies for Strengthening Security
Daniel Ladner, Senior Technology Systems Analyst at the National Center for Hearing Assessment and Management delineates the strategies used to strengthen security for Sound Beginnings' tele-intervention project. This presentation was made to the NCHAM tele-intervention learning community in December, 2011.
Below is a list of components that are important to ensure security in your TI efforts:
- An ISP, or internet service provider, is a company that provides its customers access to the internet and other web services. In addition to maintaining a direct line to the internet, the company usually maintains web servers. By supplying necessary software, a password-protected user account, and a way to connect to the internet (e.g., modem), ISPs offer their customers the capability to browse the web and exchange email with other people.
- Encryption: Encryption is the process of converting information in such a way that it is readable only by the intended recipient after they have converted the information back. Programs such as Skype report that they use standard internationally recognized and accepted encryption algorithms that have withstood the test of time over many years of analysis and attacks. This is designed to protect your communications from falling into the hands of others.
- Firewalls: Most ISPs implement firewalls to block some portion of incoming traffic, although you should consider this a supplement to your own security precautions, not a replacement. Although firewalls are an important tool, they can also pose a barrier to TI. Many early intervention programs - particularly those affiliated with academic or large health institutions - have large firewalls that may prevent internet communications with the general public, including the families you wish to serve. Early intervention programs may need to work with their technical support staff to make needed adjustments in firewalls.
- See this link from the United States Computer Emergency Readiness Team (US-CERT) for more information on firewalls.
- Anti-Virus Software: Anti-virus software can identify and block many viruses before they infect your computer. Once you install anti-virus software, it is important to keep it up to date.
- For more information on anti-virus software, see the United States Computer Emergency Readiness Team (US-CERT) website.
- A listing of “Good Security Habits” is provided by the United States Computer Emergency Readiness Team (US-CERT).
Additional Security Resources
- NECTAC Confidentiality, Disclosure and Records for FERPA and HIPAA
- U.S. Dept. of Education, Letter to Alabama Department of Education
- FaceTime calls on iPad are HIPAA compliant
- HIPAA Security Rule: Frequently Asked Questions
Security Rule Guidance Materials: the Health and Human Services Administration has a wealth of information about security on their website.
One particular resource is their "Security Rule Educational Paper Series", a group of educational papers which are designed to give insight into the Security Rule and assistance with implementation of the security standards. The Series covers:
- Security 101 for Covered Entities [PDF]
- Administrative Safeguards [PDF]
- Physical Safeguards [PDF]
- Technical Safeguards [PDF]
- Organizational, Policies and Procedures and Documentation Requirements [PDF]
- Basics of Risk Analysis and Risk Management [PDF]
- Security Standards: Implementation for the Small Provider [PDF]
The International Journal of Telerehabilitation provides useful guidance to ensure privacy, security, and HIPAA compliance:


