2. HIPAA
• The Health Insurance Portability and Accountability Act
(HIPAA) was enacted by the U.S. Congress in 1996
• From this legislation a set of security standards was
developed to keep electronic protected health information
(ePHI) safe
• These standards were outlined and described in the HIPAA
Security Final Rule published on February 20, 2003
4. Administrative Recommendations
1. Perform a risk assessment
2. Consider purchasing and distributing asset management
software to keep track of equipment licenses
3. Register for security release notices from the hardware
and software manufacturers used for televideo
4. Disable unnecessary ports on televideo hardware and
follow any device “hardening” procedures recommended
by the hardware and software manufacturers to prevent
hacking
5. Administrative Recommendations cont.
5. Ensure unique user identification by enacting a strong
password policy for televideo devices, including PC-based
video systems
6. Assign a security person and train remote site IT staff to
take on security responsibilities
7. Establish a schedule for re-evaluations: Elapsed time and
changes to the televideo environment will dictate this
schedule
8. Create a televideo acceptable use policy (AUP) and make
it available to remote sites for use
6. Physical Recommendations
1. Place televideo equipment in a private location that can
be secured for a clinical visit. Doors to the room should
be closed during a consultation.
2. Video monitors should not be visible through any
windows. Audio should be set so that it is not heard
outside of the exam room.
3. Telemedicine providers should use the camera functions
to scan the patient room prior to a consultation to ensure
that only authorized persons are present during the visit.
7. Technical Recommendations
1. Video equipment used for telemedicine should be
networked behind the data firewall when placed on a
facility network
2. An H.323-protocol firewall can be used as a “video”
firewall for televideo that manages and protects the
consultation separate from the organization’s data
firewall
3. The IP connection between facilities in a televideo
network should ideally be a dedicated local area network
(LAN) connection, wide area network (WAN)
connection, or a virtual private network (VPN) connection
8. Technical Recommendations cont.
4. When available, utilize private, statewide networks that
have been developed for health care purposes and that
offer robust, secure network connections
5. Video equipment should offer encryption capability and
the encryption should be turned to the “on” position.
Encryption should always be used, especially in the
absence of a LAN, WAN, VPN or statewide network connection
6. The auto-answer function of the televideo equipment
should be set to the “off” position so that video calls
cannot unintentionally be received during a telemedicine
consultation