Privacy and security law questions can become challenging in a telemedicine setting because of the nature of the data and the ways in which it is being used. Telemedicine is increasingly becoming a medium for generating, transmitting and storing large volumes of electronic health information, and as telemedicine platforms and delivery models continue to evolve, the ways in which providers are creating and using health information are constantly changing. Perhaps the first question that risk managers must consider is professional liability. The growth of telemedicine technology may increase malpractice claims by raising patient expectations and creating new medical procedures that physicians must use to stay current. One unique challenge for telemedicine is to balance the necessary expansion of manpower to manage an electronic system with the increased number of people who have potential access to a patient’s records.
Currently, telemedicine requires a technical staff to run the system that is completely independent from the medical team (Nohr, 2000). Additionally, because of technological constraints, the transmission of information over internet or web-based systems lends itself to hackers and other potential exposure. Protocols must be meticulously followed to ensure that patients are informed about all participants in a telemedicine consultation and that the privacy and confidentiality of the patient are maintained, as well as ensuring the integrity of any data/images transmitted (Erbetta, 1999). According to McCrossin (2003), verifying the entity on the other end of the data exchange or telemedicine appointment is of great concern. Is the provider truly a provider, and is the patient—especially when receiving or accessing information—the correct patient? Either could lead to unintentional breaches.
While standard healthcare practice is to confirm a patient’s name, date of birth, and other information multiple times, a person who has inappropriately accessed the patient’s information would be able to answer these questions. While this should not be a problem for patients and regular providers, it may be for doctors seeing new patients, since they would be unable to recognize the incorrect patient in a video-based session, as can be said for patients seeing a new provider. Telemedicine services often result in the creation of health information in formats that historically have not been part of the patient’s medical record such as audio recordings, videos and other forms of remote monitoring data (Erbetta, 1999).
While hospitals and other providers have some flexibility in determining the information that comprises the medical record, there are circumstances where an organization may want or the law may require that such information to be included in the record. For example, it may be necessary to include such information in the medical record in order to comply with state medical record laws or for risk-management purposes (McCrossin, 2003). As has been true with the transition from paper to electronic medical records, health care providers will need to adapt their privacy and security practices in response to the specific privacy risks and compliance challenges associated with various forms of telemedicine. Depending on the nature of the telemedicine services being provided, this may require updating policies and security risk analyses, and taking a more active compliance role in the coordination of telemedicine services with outside organizations (Nohr, 2000).
Erbetta, J. (1999, March). Security issues in telemedicine. Journal of telemedicine and telecare, 5(1), 123. McCrossin, R. (2003). Managing risk in telemedicine. Journal of telemedicine and telecare, 9(2), s36-9. Nohr, L.E. (2000). Telemedicine and patients’ rights. Journal of telemedicine and telecare, 6(1), S173-4.