Recent events will significantly spur the use
of telemedicine. The last two decades have already seen a surge in the use of
telemedicine prompted by the advent of economical person-to-person video
transmissions. Telemedicine has been a revolution in medical examinations,
consultations, and treatment. For example, the Veteran’s Administration
recently expanded the use of telemedicine for veterans located in rural and
remote areas. See report here.
Telemedicine has two components. The first
involves video that allows a two-way, interactive transmission between doctor
and patient. An interaction that does not involve an interactive video does not
qualify under various state and federal legal definitions as
“telemedicine.” Non-conforming examples include telephone only,
email, or facsimile interactions. The second component involves use of
diagnostic and monitoring devices that transmit patient data and information
such as blood pressure, pulse rate, and the like.
So far, the main justifications for
telemedicine have been limited access to medical facilities and specialists.
That is, video conferencing has become an alternative for those too far from
facilities that are able to provide the needed care and for patients needing
access to a limited number of physicians who provide specialized care. Now,
with COVID-19 spreading across the nation, a new reason for using telehealth is
the protection of health care professionals and patients. As one headline
proclaimed, in the coming months, remote healthcare
might be as important as remote working.
As telemedicine services surge, it is crucial
that health care providers ensure that they are duly aware of and compliant
with cybersecurity and patient confidentiality protocols. Cybercriminals are
not taking a vacation, even in a pandemic. As with all forms of internet use,
there are known and foreseeable security risks. Unlike a face-to-face patient
examination, a teleconference video can be hacked in real time and can be
easily recorded and stored. Further, medical monitoring devices are designed to
store information and then transmit the information at set times. These too can
be hacked. Likewise, once transmitted, the diagnostic data is again stored for
later retrieval by the health care professionals. There are known cybersecurity
risks to stored data. Under many new laws, healthcare businesses must provide
robust security for those computer and transmission systems.
Compliance protocols fall into four broad
categories:
- Software and encryption — the device monitoring and person-to-person video
conferencing software must be state-of-the-art and be encrypted to ensure that
there is no real-time surveillance or theft of data; for example,
basic FaceTime is nonconforming; Skype has several layers of available software
products, some of which are compliant with security protocols and some of which are not.
- Patient notices and
consents — patients must be given notice of what information is being
collected by remote monitoring devices, that the information will be stored and
what business use will be made of the stored information; likewise, if a
healthcare teleconference is recorded, patients must be alerted and told the
purposes for which the video will be used; verbal consent to those business uses
should be obtained.
- Storage protocols — protocols must be
put in place for the systems that are used to store remote device data and any
recorded telehealth videos to prevent accidental or malicious breaches and data
loss and prevent ransom-attacks; mobile devices should also be considered as
part of these protocols.
- Access protocols — procedures and
rules must be established allowing only authorized medical providers access to
the videos and other patient information.
Obviously, in medical emergencies, these
protocols can be relaxed. But, being aware of the security requirements can
ameliorate potential security risks and minimize what information is at risk.
For example, if there is an emergency and if the only telemedicine software
that is available to the patient is FaceTime, then give the patient notice that
the teleconference is potentially not secure and try to avoid asking for
personally sensitive information like the patient’s social security number.
If you have legal questions about telemedicine,
data security or other legal issues related to internet law, contact the
trusted internet lawyers at Revision Legal at
231-714-0100.