International Journal of Telerehabilitation

International Journal of Telerehabilitation • telerehab.pitt.edu

International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231)

A SYSTEMATIC REVIEW OF RESEARCH STUDIES EXAMINING TELEHEALTH PRIVACY AND SECURITY PRACTICES USED BY HEALTHCARE PROVIDERS VALERIE J. M. WATZLAF, PHD, MPH, RHIA, FAHIMA, LEMING ZHOU, PHD, DSC, DILHARI R. DEALMEIDA, PHD, RHIA, LINDA M. HARTMAN, MLS, AHIP DEPARTMENT OF HEALTH INFORMATION MANAGEMENT, SCHOOL OF HEALTH AND REHABILITATION SCIENCES, UNIVERSITY OF PITTSBURGH, PITTSBURGH, PA, USA

ABSTRACT The objective of this systematic review was to systematically review papers in the United States that examine current practices in privacy and security when telehealth technologies are used by healthcare providers. A literature search was conducted using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses Protocols (PRISMA-P). PubMed, CINAHL and INSPEC from 2003 – 2016 were searched and returned 25,404 papers (after duplications were removed). Inclusion and exclusion criteria were strictly followed to examine title, abstract, and full text for 21 published papers which reported on privacy and security practices used by healthcare providers using telehealth. Data on confidentiality, integrity, privacy, informed consent, access control, availability, retention, encryption, and authentication were all searched and retrieved from the papers examined. Papers were selected by two independent reviewers, first per inclusion/exclusion criteria and, where there was disagreement, a third reviewer was consulted. The percentage of agreement and Cohen’s kappa was 99.04% and 0.7331 respectively. The papers reviewed ranged from 2004 to 2016 and included several types of telehealth specialties. Sixty-seven percent were policy type studies, and 14 percent were survey/interview studies. There were no randomized controlled trials. Based upon the results, we conclude that it is necessary to have more studies with specific information about the use of privacy and security practices when using telehealth technologies as well as studies that examine patient and provider preferences on how data is kept private and secure during and after telehealth sessions. Keywords: Computer security, Health personnel, Privacy, Systematic review, Telehealth

BACKGROUND AND SIGNIFICANCE When in-person meetings and paper-based health records are used, healthcare providers have a clear idea about how to

protect the privacy and security of healthcare information. Providers see each patient in a private room and the patient records are locked in a secure office setting which is only accessible to authorized personnel. When the healthcare practice is moved to the Internet, as in the case with telehealth, and all information is electronic, the situation becomes more complex. Most healthcare providers are not trained in protecting security and patient privacy in cyberspace. In cyberspace, there are many methods that can be used to break into the electronic system and gain unauthorized access to a large amount of protected health information (PHI). Therefore, the information security and patient privacy in telehealth is at a higher risk for breaches of PHI. For instance, from 2010 to 2015 it was found that laptops (20.2%), network servers (12.1%), desktop computers (13%), and other portable electronic devices (5.6%) made up 51 percent of data sources of all healthcare data breaches that affected more than 500 individuals (Office of the National Coordinator for Health Information Technology, 2016).

PHI is highly regulated in the United States. The most familiar regulation impacting healthcare facilities and providers is the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (US Department of Health and Human Services, 2013). HIPAA is a federal law that provides privacy and security rules and regulations to protect PHI. The HIPAA Privacy Rule is an administrative regulation created by the Department of Health and Human Services (DHHS). It was developed after the US Congress passed HIPAA, and went into effect in 2003.

The HIPAA Privacy Rule only applies to healthcare providers that conduct electronic billing transactions but is effective for both paper and electronic health information. It is a set of national standards that addresses the use and disclosure of PHI by a covered entity such as a healthcare organization as well as establishing privacy rights for individuals on how their PHI is used

International Journal of Telerehabilitation • telerehab.pitt.edu

International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231)

and shared. Its major objective is to protect the flow of health information while at the same time providing high quality healthcare.

The HIPAA Security Rule went into effect in 2005 and regulates only electronic health information. It is a set of national standards that protects an individual’s electronic health information that is created, received, used or maintained by a covered entity such as a healthcare organization. It requires the administrative, physical, and technical standards to be adopted so that confidentiality and integrity of electronic PHI is protected.

In addition to HIPAA, there are many other federal and state laws that govern the use and disclosure of health information. Of these laws, HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 have provided the most specific regulations for the protection of privacy and security of health information in the United States. However, some state regulations may be even more stringent, such as requiring a consent form for disclosure of a patient’s own medical record when HIPAA does not require consent (Rinehart-Thompson, 2013). The HITECH Act includes changes to the HIPAA Privacy and Security rules that focus mainly on health information technology and strengthens standards for the privacy and security of health information. It went into effect in 2010 but some parts of the act have different compliance deadlines (Rinehart-Thompson, 2013).

For this article, we adopted the Health Resources and Services Administration’s (HRSA) 2015 definition of telehealth: “the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the Internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications” (Health Resources and Services Administration, 2015). The HRSA definition was used because it aligns with our purpose, which is to provide a systematic review of published papers that pertain to privacy and security provisions used by healthcare providers when deploying telehealth technologies in the United States.

Our previous experiences in interacting with telehealth providers suggest that the providers do not always know the best practices to use to decrease the risk of privacy and security issues in telehealth (Cohn & Watzlaf, 2012; Watzlaf, 2010; Watzlaf, Moeini, & Matusow, 2011). Many of the features within the free, consumer-based video and voice communication systems that were evaluated did not demonstrate to the providers using them that the information was private and secure (Watzlaf & Ondich, 2012). Also, many of the telehealth providers did not know the best practices to use to educate consumers on privacy and security (Watzlaf, Moeini, & Firouzan, 2010; Watzlaf, Moeini, Matusow, & Firouzan, 2011).

Through our past work, audit checklists were developed to determine if a system supports HIPAA compliance (Watzlaf et al., 2010; Peterson & Watzlaf, 2014). The 58-question checklist is specific to Information and Communication Technologies (ICTs) (Watzlaf et al., 2010). There are already methods and tools available for healthcare providers to evaluate the security and privacy features of telehealth systems they are currently using. Now, it is necessary to conduct a systematic review on the status of privacy and security provisions that are used by healthcare professionals when deploying telehealth services to see if they are using the tools and guidelines available to them or if they incorporate new systems to evaluate privacy and security within telehealth systems.

OBJECTIVES:

1. Evaluate, from published papers, what privacy and security measures were addressed when healthcare providers used telehealth technologies.

2. Compile best practices and guidelines for healthcare professionals using telehealth technologies.

MATERIAL AND METHODS

SEARCH STRATEGY A systematic literature search was performed on papers published between 2003 to 2016. The sources used in the search

included PubMed (Medline via PubMed; National Library of Medicine, Bethesda, MD; started in 1966) CINAHL databases (indexing from nursing and allied health literature) and INSPEC (a scientific and technical database developed by the Institution of Engineering and Technology).

International Journal of Telerehabilitation • telerehab.pitt.edu

International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231)

Briefly, our literature search strategy combined synonyms for telehealth with privacy and security across healthcare professionals. The list of synonymous terms was voluminous. Some examples of synonymous terms for telehealth included telemedicine, telepathology, telerehabilitation; synonymous terms for privacy and security included confidentiality, encryption, access control, authentication; synonymous terms for healthcare professionals included physicians, clinicians, nurses, occupation therapists. Language restrictions included those papers written in English only. In addition, reference lists were reviewed manually from relevant original research and review papers.

These searches returned 21,540 papers from PubMed and 4,785 papers from CINAHL, and 591 papers from INSPEC for a total of 26,916 papers, of which 1,512 were duplicates. After a review of titles and abstracts, 21 papers were reviewed in full text (Figure 1). After the first round of article selections, one third of the papers were found to be international. Papers were then restricted to those in the United States since HIPAA and HITECH are laws that are enforced in the United States only and these laws are a major influence in privacy and security in the US.

The protocol for this study was based on the Preferred Reporting Items for Systematic Review and Meta-Analysis Protocols (PRISMA-P). The PRISMA-P contains 17 items that are considered essential as well as minimum components to include in systematic reviews or meta-analyses. PRISMA-P recommends that each systematic review include detailed criteria using the PICOS (participants, interventions, comparisons, outcome(s) and study design) reporting system (Moher et al., 2015). Details of the full protocol have been previously published in Prospero and the International Journal of Telerehabilitation (Watzlaf, DeAlmeida, Zhou, & Hartman, 2015; Watzlaf, DeAlmeida, Molinero, Zhou, & Hartman, 2015).

STUDY ELIGIBILITY To be eligible for this systematic review, published papers had to meet all the following criteria:

1. Published papers that included research, best practices, or recommendations on the use of telehealth and privacy or security.

2. Published papers that included any type of health care professional using any available eleheatlth for their clients with a focus on privacy and/or security, HIPAA and/or HITECH.

3. Published papers with full text in English. 4. Published papers where research or recommendations focused on the US only published between 2003-2016. 5. Existing solutions/best practices to privacy and security challenges, HIPAA compliance (qualitative and quantitative)

in telehealth use.

Figure 1. A flow diagram of the search and selection process.

International Journal of Telerehabilitation • telerehab.pitt.edu

International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231)

Figure 1 description: Figure 1 depicts a flow diagram of the search and selection process. First box a top: Articles identified through database search (N=26,916), PubMed (n=21,540), CINAHL (n=4,785), INSPEC (n-591). Arrow to box below: Articles after removing duplications (n=25,404); arrow to the box to the right: Duplicate records (n=1,512). Next arrow to box below: Articles after first round filtering (n=406); arrow to the box to the right: Articles removed by reviewing titles and abstracts (n=24,998). Next arrow to box below: Articles after second round filtering (n=50); arrow to the box to the right: Articles removed by reviewing full texts (n=356). Next arrow to box below: Articles included after ATA guidelines are added (n=61); arrow to the box to the right: Articles removed by evaluating the security and privacy contents (n=40). Last arrow to the box below: Articles included in systematic review (n=21).

EXCLUSION OF PAPERS

Papers were reviewed and excluded in different phases:

• Phase I: Duplicates Removed. A total of 26,916 papers were found in the three databases and 1,512 were removed as duplicates to yield 25,404 papers.

• Phase II: Articles Removed by Reviewing Title and Abstract. A title/abstract review was conducted, first by two independent reviewers. A third reviewer was used to resolve disagreement (24,998 excluded, to yield a total of 406 papers).

• Phase III: Articles Removed After Reviewing Full Text. A full text review of 406 papers was conducted by all three reviewers (356 excluded, 50 papers remained).

• Phase IV: American Telemedicine Association Guidelines Added. Since the American Telemedicine Association (ATA) guidelines were not returned from the original search because they were guidelines and not peer-reviewed articles, they were added into the original list (50) because of their focus on telehealth, privacy and security (11 added. Total of 61 papers).

• Phase V: Articles Removed by Evaluating Security and Privacy Content. A review of these papers to examine security and privacy contents yielded 40 exclusions. And eventually, a total of 21 papers were included in the final systematic review.

In the initial title/abstract review the major reasons for exclusion were:

1. Papers were published before HIPAA was enforced in 2003 2. Studies were not conducted in the US and therefore did not abide by HIPAA/HITECH In the full text review the major reasons for exclusion were that the papers did not include both telehealth and a major

aspect of privacy and security related to telehealth use.

DATA EXTRACTION PROCESS AND QUALITY ASSESSMENT All search results were exported into EndNote libraries. EndNote is a bibliographic management system. De-duplications

were performed by using the method described by Bramer et al (Bramer, Giustini, de Jonge, Holland, & Bekhuis, 2016). Studies were removed if they were found to be duplicated. The PDFs of the papers reviewed were stored in a shared Box account (i.e., a secure cloud content platform in which users can share large documents as well as collaborate, Redwood City, CA).

Each article meeting the inclusion criteria was reviewed and its characteristics documented using a standardized pre- tested data extraction form. The data extraction form captured the following data items: the three large goals of privacy and security (confidentiality, integrity, and availability); the specific techniques for achieving these goals (authentication, encryption, access control, physical security, policy, database backup, error detection, anti-virus, software patches, secure system design, intrusion detection); and the methods in each system (study designs, settings, and outcomes).

The reference librarian performed the search and only provided the title, abstract and year to the reviewers. The two reviewers (DD, VW) independently read the title and abstracts of the identified papers and determined eligibility based on the specified inclusion/exclusion criteria. To better know how to appropriately search the article titles and abstract, two of the reviewers (DD and VW) conducted a pilot study by using a small sample (n=100) of papers, made the selection and then discussed the results against the selection criteria. From this pilot study we could determine that we applied the same selection criteria for our search strategy.

International Journal of Telerehabilitation • telerehab.pitt.edu

International Journal of Telerehabilitation • Vol. 9, No. 2 Fall 2017 • (10.5195/ijt.2017.6231)

Reviewers were blind to journals, study authors and institutions. Any disagreements between the reviewers were resolved by a third reviewer (LZ). Inter-rater reliability was measured using the Cohen’s kappa statistical test (k). An inter-rater Kappa score was assessed during the first round of the paper selection, to ensure a Kappa score at or above 0.8 as measured by Cohen’s Kappa (k) statistical test. Full-text of studies making this first cut were reviewed.

Three reviewers screened these for inclusion/exclusion criteria. Selection disagreements were resolved through discussion and reasons for excluding studies were recorded. A form, developed in Excel, was used to extract data from selected studies and included the author, year of publication, reference; study design and sample size; setting; privacy and security descriptions; primary outcomes; study limitations, HIPAA compliance, and best practices. Reviewers assessed the overall quality of evidence for every important outcome using the GRADE four point ranked scale: (4) High; (3) Moderate; (2) Low; (1) Very low (Balshem et al., 2011). Full papers were used as evidence for decisions about the quality of evidence and the strength of recommendations. Any differences in the grading were assessed and discussed in several meetings with investigators until full consensus was reached.

DATA SYNTHESIS Quantitative analysis of the data from the papers was limited due to the lack of quantifiable data in the privacy and

security literature. However, subcategories with similar characteristics received more in-depth comparisons. Investigators first broke the data into qualitative themes that related to privacy, security and administrative content. Each of those areas were broken down into subthemes such as patient rights, use, and disclosure for privacy; technical and physical for security; and organizational and education/training/personnel for administrative. Then, specific content within the 21 papers were reviewed closely and categorized across each of those themes and subthemes.

RESULTS

REVIEWER AGREEMENT For the 25,404 entries reviewed by 2 reviewers the percentage of agreement was very good with the observed value of

99.04% and the 95% CI between 98.91 to 99.16 calculated per the Wilson efficient-score method. For the Cohen’s kappa, the observed kappa is 0.7331 and the 95% CI are 0.7009 to 0.7653. Although the kappa is lower than 0.8, this still suggests substantial agreement (Fleiss, Cohen, & Everitt, 1969).

TIME PERIOD AND TYPE OF STUDIES A total of 21 papers (Watzlaf & Ondich, 2012; Watzlaf et al., 2010; Watzlaf, Moeini, Matusow, et al., 2011; Peterson &

Watzlaf, 2014; Paing et al., 2009; Cason, Behl, & Ringwalt, 2012; Daniel, Sulmasy, & for the Health and Public Policy Committee of the American College of Physicians, 2015; Naam & Sanbar, 2015; American Telemedicine Association, 2009, 2011, 2014a, 2014b, 2016; Hall & McGraw, 2014; Garg & Brewer, 2011; Brous, 2016; Mullen-Fortino et al., 2012; Nieves, Candelario, Short, & Briscoe, 2009; Putrino, 2014; Demiris, 2004; Demiris, Edison, & Schopp, 2004) were selected for this systematic review. These selected papers were published between 2004 to 2016, in which 29 percent of them were published between 2011-2012. The papers included several telehealth specialties such as telerehabilitation, telepsychiatry, teletrauma, telenursing and tele-diabetes. Sixty-seven percent were guideline/policy/strategy type studies, with three using a survey or interview method (14%). Other studies included a usability study, a systematic review, a pilot study and an opinion piece. There were no randomized controlled trials found that focused on privacy and security in telehealth (Table 1).