Managing the Risks of Practicing Telemedicine

Privacy, Security and Patient Confidentiality 

Privacy and security are the two biggest telemedicine-related concerns for professional liability insurers and patients, says Huben-Kearney. Patients need to be assured that whatever personal medical information they’re transmitting is going to the right person, she said. “I think people are concerned that their information is going to be hacked,” said Huben-Kearney. An important place to start is by ensuring that the patient and physician each have a unique, secure password to link up. “Otherwise, you don’t know who you’re actually talking to,” she said. “It could be anyone using a patient’s name going onto the site saying, ‘I have these questions and concerns.’ So we like to see passwords that aren’t shared with anyone.”

If your group practice implements an Internet-based telehealth platform, the vendor should set it up so that doctors have to be on a list of approved providers within the group to sign up, said Schoenberg.  He said there also needs to be a security infrastructure that ensures all live communication is completely encrypted. “The storage of any information generated must be accessible only to the actual patient and physician,” not even to the vendor or system operator, Schoenberg added.  “It must be encrypted at the database level.”

It’s also critical to remember that patient confidentiality regulations like HIPAA apply regardless of whether the communication takes place in person or via technology, said David Harlow, a health care lawyer and consultant in Newton, Mass. and author of HeathBlawg, a health law and policy blog. In fact, Harlow pointed out that amendments to HIPAA under the HITECH Act impose additional requirements on business associates of health care providers, including telemedicine vendors. “It’s no longer sufficient to get a vendor to say, ‘I understand the requirements and will keep information private,’” said Harlow. “There’s an affirmative obligation on the health care provider to be responsible for the privacy and security operations of the vendor.” In addition, any practice using telemedicine tools needs to update its HIPAA privacy notice to address how it protects privacy when engaging in telemedicine, Harlow advised.

Next: Informed Consent