Table 3.

Statements of the Telehealth Security Self-Assessment Questionnaire

D1. Policies
Q1. Does the telehealth system (vendor) have privacy policies in place?
Q2. Does the telehealth system (vendor) have security policies in place?
Q3. Are the privacy and security policies easy to understand?
Q4. Do the telehealth privacy and security policies include guidance on the best method to use to protect the security of patient information?
Q5. Are business associate agreements (BAAs) in place between the telehealth system (vendor) and other entities that do business with the telehealth system (vendor)?
Q6. If the vendor shares Protected Health Information (PHI) from the telehealth system (vendor) to other entities, are the privacy and security policies of those other entities checked before sharing?
Q7. Are the privacy and security policies and procedures kept current to meet federal and multi-state regulations?
Q8. Do the privacy and security features that are part of the telehealth system (vendor) meet federal and multi-state regulations?
D2. Storage
Q9. Will PHI generated between the provider and patient be stored in any capacity by the telehealth system (vendor)?
Q10. Does the telehealth system (vendor) include guidance and information to clients on how best to store PHI which may include recordings of telehealth sessions?
Q11. When a cloud service is used for data storage, does the telehealth system (vendor) remain compliant in keeping the stored PHI highly secure?
Q12. Are clients discouraged from storing patient related information generated during the telehealth session offline on other storage devices?
Q13. Do you monitor whether any of the data transmitted during a telehealth session is stored on the hard drive of the patient’s computer or other device?
Q14. Is the telehealth system able to trigger remote erase of a mobile device used for telehealth sessions, if the mobile device is lost or stolen?
D3. Consent
Q15. Is the patient’s or representative’s informed consent obtained before the telehealth session begins?
Q16. Does the patient informed consent include the privacy and security features of the telehealth system?
Q17. Does the patient informed consent state that telehealth sessions may be recorded and pictures taken and stored?
Q18. Does the patient informed consent include recommendations that the environment and surroundings be secure?
Q19. Are patients provided the right to authorize a transfer of PHI outside of the existing system (e.g., to a biller, 3rd party payer, other entity)?
Q20. Are patients informed of the potential security risks when PHI is transferred between the health care provider and the telehealth system (vendor)?
D4. Transmission/Accessibility
Q21. Is PHI generated during the telehealth session accessible to others outside of the organization (such as law enforcement, government officials, etc.) as long as they have proper authorization?
D5. Encryption
Q22. Does the telehealth system (vendor) include details about its encryption (such as the algorithm and key length, for example AES-256, the key-management approach, and which specific data are encrypted)?
Q23. Do the encryption methods meet recognized standards from HIPAA, HITECH, the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST), as well as multi-state regulations?
Q24. Are encryption keys periodically updated to meet the privacy and security policy?
D6. Data backup plan
Q25. If there were a technology breakdown, is there a data backup plan in place (e.g., the ability to create and maintain exact copies of ePHI, and a defined list of which ePHI, such as telehealth sessions/data, must be backed up)?
Q26. Is the data backup plan reviewed and updated on a regular basis (at least yearly)?
Q27. Are there appropriate redundant systems in place that ensure the availability of telehealth services even when one or a few components of the system are not working?
D7. Training
Q28. Is employee training provided on computer network privacy and security AND mobile device privacy and security?
Q29. Is HIPAA training, which includes instructional material tailored for telehealth privacy and security, provided at least on an annual basis, for all staff that use the telehealth system?
Q30. Are the risks of social media connections (e.g. risks of inadvertent linking of patients via social media as a result of using mobile devices with downloaded social media accounts on the device) discussed with all users of the telehealth system?
D8. Authentication/Access Control
Q31. Is proper user authentication (username, password, fingerprint, PIN, and security questions) established before logging into the telehealth session?
Q32. Do you use strong passwords (uppercase, lowercase, minimum length, special symbols, digits, etc.) to access the telehealth system?
Q33. Is there an inactivity time out function available on the telehealth system that requires re-authentication to access the system after the timeout period has ended?
Q34. Is unauthorized viewing of patient information prevented by applying access controls (e.g., role-based, user-based, context-based access controls)?
Q35. Are all of the smart devices (smartphones, tablets, smartwatch etc.) that are used in telehealth sessions, password protected and encrypted?
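Q33 asks for an inactivity timeout that forces re-authentication. The following is an added example, not code from the questionnaire or from any telehealth vendor, of how such a control behaves when it is implemented correctly: activity extends the idle window, but an absolute lifetime is enforced regardless of activity, and an expired token is discarded rather than merely flagged, so it cannot be replayed later. The timeout values, the in-memory store, and the injectable clock are assumptions made for the example.

```python
"""Inactivity timeout with forced re-authentication (illustrating Q33).

Added example; not part of the questionnaire or any vendor product.
Assumes an in-memory session store and an injectable clock so the
behaviour can be exercised without waiting. Timeout values are
illustrative choices, not regulatory figures.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without activity before re-authentication (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity (assumed)


@dataclass
class Session:
    user: str
    created_at: float
    last_activity: float
    # 256-bit random token; never derived from user data
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Issue a fresh token after (re-)authentication succeeds."""
        now = self._clock()
        s = Session(user=user, created_at=now, last_activity=now)
        self._sessions[s.token] = s
        return s.token

    def check(self, token: str) -> Optional[str]:
        """Return the user if the session is still live, else None.

        An expired session is deleted so the token cannot be replayed, and the
        caller must send the user back through login() to continue.
        """
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        idle_expired = now - s.last_activity > IDLE_TIMEOUT
        lifetime_expired = now - s.created_at > ABSOLUTE_TIMEOUT
        if idle_expired or lifetime_expired:
            del self._sessions[token]
            return None
        s.last_activity = now  # activity extends the idle window, never the absolute cap
        return s.user
```

In a real deployment the store would be server-side (not a cookie the client can edit) and the check would run on every request that touches PHI, not only at page load.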
D9. Authorization
Q36. Is prior written patient authorization required before any PHI content, developed as part of the telehealth session, is shared with other requestors?
Q37. Do qualified individuals with proper certification and backgrounds in privacy, security, and HIPAA regulations evaluate all requests for PHI?
Q38. Do patients receive an accounting of disclosures upon written request?
Q39. Will a patient’s request for a restriction of uses and disclosures of PHI that is generated from the telehealth system be honored?
D10. Secure Networks
Q40. Do you connect only over secure, encrypted connections (e.g., HTTPS, TLS, VPN; the older SSL protocol versions are deprecated and should be disabled) when using telehealth systems, and avoid unsecured networks (e.g., public Wi-Fi)?
Q41. Do you use a Virtual Private Network (VPN) to access important websites?
Q42. Do you use Wi-Fi Protected Access 2 (WPA2) or WPA3 with AES-CCMP encryption for Wi-Fi, rather than WEP or WPA/TKIP? (WPA2-CCMP uses 128-bit AES keys; there is no "AES-256" WPA2 mode.)
Q43. Are privacy and security features of mobile apps used in telehealth practice carefully researched before being downloaded?
Q44. Is a disaster recovery plan in place for the data collected during telehealth practice sessions (e.g., procedures to restore lost data, a defined list of the types of data to be restored, and a copy of the plan that is readily available when needed)?
Q45. Is an incident response plan in place for your telehealth practice?
Q46. Is there a security evaluation conducted by an independent party on the telehealth system to verify features such as Authentication, Encryption, Authorization, Wi-Fi settings, Data Management Plan, and all other proper privacy and security features?
Q47. Do you verify the source and integrity of the data when sending or receiving data during the telehealth session?
Q48. Are audit trails (a feature that records user activity in the telehealth system/vendor) used to track who has accessed PHI collected during the telehealth session?
Q49. Are there up-to-date anti-virus, anti-malware programs installed on all devices used for telehealth sessions?
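Q47 (verifying the source and integrity of data) and Q48 (audit trails of PHI access) are served by the same mechanism: an audit log in which every record carries a keyed MAC that also covers the previous record's MAC. The following is an added example, not part of the questionnaire or of any vendor's product, of such a tamper-evident log. It assumes a per-system HMAC key held outside the log (for example in a KMS or HSM), a constructed set of sample records, and illustrative field names.

```python
"""Tamper-evident audit trail for PHI access (illustrating Q47 and Q48).

Added example; not part of the questionnaire or any vendor product.
Assumes an HMAC key kept outside the log and an append-only list of
JSON records. Field names and sample entries are constructed.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first record


def _canonical(record: dict) -> bytes:
    # Stable serialization so identical content always yields identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, record: dict) -> str:
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def append_entry(log: List[dict], key: bytes, ts: int, actor: str,
                 action: str, patient: str) -> dict:
    """Append a record whose HMAC also covers the previous record's HMAC.

    Linking each tag to its predecessor makes deletion and reordering
    detectable, not just in-place edits of a single record.
    """
    prev = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor, "action": action,
            "patient": patient, "prev": prev}
    entry = dict(body)
    entry["tag"] = _tag(key, body)
    log.append(entry)
    return entry


def verify_log(log: List[dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        # constant-time comparison so a forged tag cannot be guessed byte by byte
        if not hmac.compare_digest(_tag(key, body), str(entry.get("tag", ""))):
            return False, i
        prev = entry["tag"]
    return True, None


def build_sample_log(key: bytes) -> List[dict]:
    """Constructed sample records; not real access data."""
    log: List[dict] = []
    append_entry(log, key, 1700000000, "dr_smith", "view_session_recording", "pt-001")
    append_entry(log, key, 1700000060, "nurse_lee", "export_note", "pt-001")
    append_entry(log, key, 1700000120, "dr_smith", "view_session_recording", "pt-002")
    return log
```

One limitation worth knowing when answering Q48: the chain detects edits, deletions and reordering inside the log, but silently dropping the newest records is not detectable from the log alone. Periodically recording the latest tag somewhere the log writer cannot modify (a separate system, a signed timestamp) closes that gap.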