Privacy & Security Concerns in Telehealth: Ensuring Legal Compliance in Hospital-Based Practices

Below is a re-print of an article that we recently wrote for the Advisory Board Company’s 2013 third quarter General Counsel Agenda. To view the original publication in the General Counsel Agenda, click here.

For hospitals, the promise of telehealth has spurred innovation across multiple service lines and led to the emergence of a number of new delivery models such as telestroke, teleradiology, telepsychiatry, telepathology, teleICU and remote patient monitoring.  While many of these programs are leading to significant improvements in access to health care services, quality of care, and efficiencies, they often also raise their own distinct set of compliance challenges, particularly in the area of privacy and security.

Privacy and security law questions can become challenging in a telehealth setting because of the nature of the data and the ways in which it is being used.  Telehealth is increasingly becoming a vehicle for generating, transmitting and storing large volumes of electronic health information, and as telehealth platforms and delivery models continue to evolve, the ways in which providers are creating and using health information are constantly changing.  There are at least three categories of privacy and security law issues that can create heightened challenges in the telehealth setting.

I.    Data Management

Telehealth services often result in the creation of health information in formats that historically have not been part of the patient’s medical record (e.g. audio recordings, videos, remote monitoring data).  While hospitals and other providers have some flexibility in determining the information that comprises the medical record, there are circumstances where an organization may want or the law may require that such information be included in the record.  For example, it may be necessary to include such information in the medical record in order to comply with state medical record laws or for risk-management purposes.

Therefore, when reviewing information generated through telehealth operations, you may want to ask yourself the following:

• Should the data be maintained as part of the “medical record” (e.g. should video sessions be recorded? Should remote monitoring data be saved?).  Answering this question will require both an analysis of privacy law requirements as well as other considerations, such as whether maintaining the information is important for clinical reasons or risk management purposes.
• Does state law require the information to be maintained or included in the medical record or HIPAA designated record set? [1] If so, what obligations does the provider have with regard to providing patients with access to this information, maintaining accountings of disclosures, and record retention under both HIPAA and state privacy law?
• If the information is part of the medical record, or maintained for other reasons, how and where is it being maintained and secured?  This question goes to important operational issues such as whether the information can be tracked for purposes of complying with medical record access and other legal requirements relating to patient rights to their health information and whether it is properly secured.

II.   Sharing Data Management Responsibilities with Other Providers

When a telehealth program involves interactions with providers outside of the organization (e.g. a telestroke program bridging separately run hospitals or mental health services between a hospital and mental health professionals at a distant location), it is important to ensure that responsibilities for securing and managing the health information generated through these programs are clearly defined, and that each party is aware of its responsibilities and those of the other parties.  For example, the parties should have common understanding or an agreement as to who will be responsible for maintaining the information and the levels of access that will be given to each of the participating provider organizations.   It is also important to consider the extent to which the hospital could be found liable (under HIPAA or otherwise) for a security breach or unauthorized disclosure caused by another telehealth program participant.   In these types of arraignments your security may only be as strong as the weakest link in the chain.

III.   Privacy and Security Risks during the Telehealth Encounter

When communicating with patients through telehealth, there are also risks that the telehealth encounter itself could result in a privacy or security law violations.  Because these interactions, by definition, involve communications with patients who are not physically present, there is a heightened risk of disclosing information to the wrong person (i.e. somebody who is not the patient), which would likely be an unauthorized disclosure under the HIPAA Privacy Rule.  To minimize this risk (and also to meet authentication standards[2] under the HIPAA security regulations), telehealth providers should have in place reliable methods for verifying and authenticating the identities of the patient and practitioner(s) at the beginning of each telehealth encounter.

Telehealth encounters may also be vulnerable to third party interference, signal errors, or transmission outages.  These types of incidents can result in the loss of data, interrupted communications, or the alteration of important clinical information, which, in addition to other liability risks, could lead to HIPAA privacy and security violations.   For example, third party interference with an unsecure transmission may constitute a security breach under the HIPAA security regulations.  And transmission outages or the loss of important clinical data during transmission could be seen, in certain cases, as a failure to adequately maintain the integrity or availability of protected health information as required under the HIPAA security regulations.[3]

Recommendations

As has been true with the transition from paper to electronic medical records, hospitals will need to adapt their privacy and security practices in response to the specific privacy risks and compliance challenges associated with various forms of telehealth.  Depending on the nature of the telehealth services being provided, this may require updating policies and security risk analyses, and taking a more active compliance role in the coordination of telehealth services with outside organizations.  But perhaps most importantly, given how rapidly telehealth technologies and clinical models are evolving and the increasingly high volumes of health information generated through telehealth mediums, compliance teams should be actively monitoring and participating in the design and implementation of telehealth programs within the hospital.