The Doctor’s Advocate | Fourth Quarter 2014
An Ounce of Prevention
Telemedicine: Emerging Risks
by Richard Cahill, JD, Vice President and Associate General Counsel, The Doctors Company
In Hamilton County Hospital in rural Kansas, a human-size robot wanders the hall with cameras and a tablet mounted at eye level. By using this device, doctors from across the county can view and treat patients remotely.1 In another venue, the medical group has asked to use Skype to communicate and evaluate patients remotely. While these remarkable technologies hold great promise, they can also create significant liability risks. Do you understand the limits and possible risks of using these technologies?
The concept of telemedicine has evolved rapidly over the last 20 years and has now become part of everyday vocabulary. With the advent of the Internet, new platforms have expanded the use and effectiveness of telemedicine and enhanced the delivery of healthcare across the country. However, numerous federal and state statutes have been enacted that pose significant risks to medical practitioners who engage in any form of telemedicine.
Telemedicine involves the delivery of healthcare to patients in remote locations and to underserved patient populations through a variety of electronic modalities, including audio-visual, online, and wireless applications. Depending on the need, telemedicine can provide remote monitoring as well as real-time interactions with physicians and mid-level practitioners. The advantages of telemedicine include improved access to medical care and consultation in rural areas, more efficient treatment plan implementation, cost savings for patients, and increased patient satisfaction. Many medical specialties—including cardiology, pathology, psychiatry, and radiology, among others—have embraced the concept on a national basis.
Security and Privacy Issues
Despite the obvious advantages of using various forms of telemedicine, the medical community must become knowledgeable about federal and state regulatory policies and requirements that can affect its practices. For example, the Health Insurance Portability and Accountability Act (HIPAA) is particularly relevant. Enacted by Congress and subsequently signed into law by President Clinton in 1996, HIPAA has two principal components: Title I protects healthcare coverage for individuals when they change employment or lose their jobs. Title II established, for the first time, national standards for the electronic transmission of patient health information and the prevention of healthcare fraud and abuse.
The Privacy Rule, which became effective in 2003, regulates the use and disclosure of personal health information (PHI). PHI concerns health status, care, or payment and is very broadly interpreted to include such common identifiers as name, date of birth, Social Security number, and residence address. The Privacy Rule identifies certain types of authorized disclosures that are either mandatory (including patient requests and legally imposed duties to report) or permissive (including uses to facilitate treatment, healthcare operations, or payment). Under the United States Department of Justice, the Office of Civil Rights (OCR) is authorized to conduct investigations and impose monetary sanctions for violations.
Congress significantly expanded the scope of HIPAA in the American Recovery and Reinvestment Act of 2009. Title XIII, commonly referred to as HITECH (the Health Information Technology for Economic and Clinical Health Act), introduced government-mandated requirements for breach notification, authorized random audits by the OCR, imposed substantially enhanced penalties for statutory violations, and specified that all transmissions of PHI must be “secure.” Secure has been interpreted to mean that such communications will be encrypted. In the first year of enforcement, the OCR reported the recovery of more than $7 billion in penalties and fines.
With the advent of electronic health records (EHRs), the transmission of PHI between patients and providers, providers and payers, and among providers has significantly increased. Practices that engage in any form of electronic data transfers, including telemedicine, must strictly comply with the various statutory requirements of HIPAA and HITECH or risk an OCR investigation and potential fines.
Historically, physicians and other healthcare professionals have been licensed exclusively by state boards of practice. Physicians who engage in telemedicine across state lines, therefore, face a number of serious considerations. The scope of practice is generally determined by the location of the patient. Laws governing the practice of medicine vary significantly among the states.
Providing care, including the prescription of medication and other controlled substances, to a patient located in a different jurisdiction requires the practitioner to satisfy the licensing requirements of the state in which the patient is located. Without proper licensure, adverse consequences might include criminal prosecution for the unlicensed practice of medicine, disciplinary action by a medical board, and mandatory reporting to the National Practitioner Data Bank, as well as to CMS, professional medical societies, and private payers. Additionally, adverse findings or actions by any of these entities may require self-reporting to state boards or other entities on subsequent credentialing applications for staff privileges.
A physician who provides medical care across state lines through any form of telemedicine may also be subject to a potential malpractice suit in the event a claim is filed in the jurisdiction where the patient resides, rather than in the jurisdiction where the provider maintains his or her offices. Undoubtedly, the standard of care will be determined by experts familiar with the community practices in the jurisdiction where the patient is located. Arguably, any tort reform statutes that exist in the jurisdiction where the suit is filed may not be available to a provider who is not licensed in that state.
And finally, professional liability policies generally specify that indemnity coverage is only available for a claim that occurs in a specific territory or jurisdiction. A physician sued in a state other than the covered territory may find that no coverage is available to either defend the claim or pay indemnity if there is an adverse judgment.
Patient Safety Tips
- Comply with HIPAA, HITECH, and state-specific laws when transmitting all PHI.
- Ask your system vendor to provide training to you and your staff on how to protect and secure your data.
- Ensure robust and reliable high-speed broadband connectivity to support clinical functions.
- Check practice requirements and legal limitations in states where you anticipate providing care to patients. Understand reimbursement practices for telemedicine services.
- Use telemedicine carefully— and understand any limitations on the reliability and accuracy of the information.
- Communicate directly with your professional liability insurer to make certain that your policy extends coverage to all jurisdictions where you provide services.