
The Hidden Risks of Telemedicine

Posted On: July 15, 2019

The demand for reliable, accessible, and affordable health care services has never been greater, and the challenge of meeting it has forced the entire health care industry to reconsider its service model in recent years. Telemedicine, defined as the remote delivery of health care services over the Internet or other telecommunications infrastructure, has opened the door for providers to supply their patients with better, cheaper, and more personalized care no matter where they reside.

As the need for quality care continues to grow across the nation, telemedicine promises to empower consumers with more information and control over their health care decisions than ever before, while presenting providers with an ever-expanding menu of options for where and how they can treat their patients. These new options bring new opportunities, but they also carry new risks. If you’re thinking about expanding your business by adding a telehealth offering, then you’ll want to be proactive in identifying and mitigating your exposure.

Pay Attention to Regulation and Licensure

As an emerging practice, telemedicine is raising questions about the implications of allowing health care providers to offer medical advice or treatment across jurisdictions, especially across state lines. Most states are rushing to update their health care laws to address these issues, but there is little consistency in the way they’re going about it. Regulations are constantly changing as debates over the unique issues surrounding remote health care services continue.

It’s extremely important to understand the telehealth laws in your own state and in the state of every patient that you’re treating. You’ll want to rely on solid legal counsel as you make decisions regarding your telemedicine practice, while also consulting with your business insurance provider to protect yourself from liability.

While educating yourself about the regulations surrounding telemedicine, pay special attention to:

  • Professional Licensure Portability – Generally speaking, a provider’s scope of practice is determined by the location of their patient. You’ll want to be sure that you’re properly licensed to practice in all of the jurisdictions where your patients reside.

  • Informed Consent – What constitutes informed consent varies from state to state. Some require health care providers to get it from every patient in writing, while others allow patients to give it verbally. You need to know the requirements for every state whose residents you’re providing care for, and make sure that your procedure for obtaining a patient’s consent is consistent, clear, and comprehensive.

  • Pre-existing Relationship Requirements – Does the state where your patient resides require you to have a pre-existing relationship with them before providing treatment? How do they define that? Some states require a face-to-face physical examination before telehealth services are offered. Can this exam be performed over a video feed? It’s a good idea to contact the board of medicine in each state for clarification on these issues before you proceed.

  • Prescription Regulations – Some states ban the remote prescription of certain medications, even if you’re licensed to prescribe there. Others require an actual consultation with the patient before medication is prescribed, making it illegal to prescribe solely based on their answers to a medical questionnaire.

This list isn’t comprehensive, but it should provide you with a good place to start while visiting with your attorney.

Don’t Skimp on Infrastructure

Telemedicine isn’t something that you’re going to want to implement on a shoestring budget using legacy computer systems. If you’re going to meet the standard of care in most states, you’ll need to invest in business-grade videoconferencing equipment and an Internet connection that can support high-definition audio and imaging.

Telemedicine requires clear communication in real-time between you, your patients, and other medical professionals. Low-grade equipment can cause miscommunication or even misdiagnosis, resulting in poor patient outcomes and dangerous liability risks. It also tends to malfunction more frequently, which can be disruptive and expensive to deal with.

As you make your equipment and software selections, be sure to:

  • Consult a qualified IT professional. Ideally, this will be someone familiar with telemedical systems and available to provide regular service and maintenance. They should also be able to respond to emergency calls if something goes wrong.

  • Establish a maintenance schedule. Have your IT professional regularly examine and service your systems to keep them running smoothly and avoid disruptions to your daily operations.

  • Train your staff. Everyone in your office should understand how to properly use your equipment and be able to address any common problems.

  • Have redundant systems in place. Every minute that you can’t see your patients because your internet connection is down or your equipment isn’t working means lost revenue and lost trust. Make sure that you have redundant systems ready to go if something goes wrong.

  • Have plenty of storage available and store your data offsite. You’ll be storing a lot of photos, videos, and documents with your patient records. Make sure that you’ve got plenty of storage to hold them all and that you’re backing up your files at least 250 miles away from your office.

  • Comply with relevant laws. Patient privacy and data security are everything in the medical field. Make sure that security and compliance are part of the discussion while you’re building your infrastructure. You should be asking your hardware and software vendors if their products are HIPAA compliant. You should also find out if the states where you’re providing services have their own requirements.

Obsess Over Security and Compliance

With the medical industry setting records year after year for the size and severity of its data breaches, you need to become intimately familiar with your responsibilities under HIPAA regarding patient privacy and data security. Don’t ever make the mistake of assuming that your business is too small or too obscure to attract the attention of hackers, auditors, or government agencies. Protected Health Information (PHI) is the hottest commodity there is on the digital black market right now, and cybercriminals are using it to steal massive amounts of money from the health care system. As CMS and OCR scramble to stop the bleeding, they’re cracking down harder than ever on providers of all sizes.

It’s also becoming commonplace for providers, payers, and patient referral sources to conduct audits of their own, since HIPAA requires that they obtain reasonable assurances in writing that all of their business associates who handle PHI are compliant. You will want to be able to confidently fill out their lengthy questionnaires and supply them with any necessary supporting documentation upon request. We can’t emphasize enough how important this is. Even if you’re fortunate enough to avoid a cyberattack, you could easily find yourself cut off by your referral sources and vendor partners if you fail to take security and compliance seriously.

Take care to address these items as you think about your security and compliance measures:

  • Educate your employees. Hackers don’t just manipulate computers. They manipulate people. Just about every data breach that you’ve seen reported on the news started with a single mouse click by an individual who was tricked into helping a hacker get what they wanted. Your employees are your first and best line of defense against cyber threats. Make sure they’re equipped to do the job.

  • Know and address your HIPAA responsibilities. Most health care providers are familiar with HIPAA’s Privacy Rule, but they are far less familiar with its Security Rule. In a recent audit of 200 random health care providers of varying sizes across the country, OCR found that only 14% of them were even close to being compliant. The fines and penalties for security violations have become so steep that smaller providers typically end up closing their doors after a failed audit or a data breach.

  • Create effective policies and follow them. HIPAA requires, and auditors demand, that your company has effective administrative, physical, and technical safeguards in place to protect the PHI you store and transmit every day. These policies must exist in writing, and you’ll need to be able to provide evidence that your employees are familiar and compliant with every single one of them.

  • Consider your BYOD approach. BYOD stands for “Bring Your Own Device,” or the practice of allowing your employees to connect their personal phones or computers to your office network. This can be cost effective and convenient, but it also comes with a number of risks that you should understand. It’s wise to ban BYOD altogether if you can, but there are steps that you can take to mitigate the risks if it’s necessary to allow it for your particular business. Make sure that you consult with your IT professional before allowing any device to access your network.

  • Keep your hardware and software up to date. Making sure that your office is staying current with the latest tech ensures that you’re able to receive critical updates that will help to keep your systems secure.

  • Install a firewall and test it often. A firewall is a software program that prevents intrusion into your computer network by unauthorized individuals. Your IT professional should be able to recommend and install a HIPAA-compliant firewall for you. Once they do, make sure that you have them test it regularly and document their findings for your auditors.

  • Create frequent backups and store them off-site. Cloud-based backup solutions like Microsoft Azure are ideal, as they ensure that your data is safe, secure, and easy to access in the event of a data breach or natural disaster.

  • Beware of connecting your patients to the “Internet of Things.” It’s becoming more and more common for the devices we use every day to be connected to the Internet so that we can monitor and control them remotely with our phones and computers. If you’ve ever started your car or adjusted your thermostat with an app on your cell phone, then you’re already making use of the IoT.

Unfortunately, any device that’s connected to a wireless network can be hacked. That can be bad news for your patients if their surgically-implanted heart monitor or pacemaker gets compromised. You’ll want to be very careful when selecting the equipment you provide to your patients. Always ask your vendors if their products are HIPAA compliant, and consult with your IT professional if you’re ever unsure. The data that certain devices constantly transmit to your office is PHI, and your patients’ health can be compromised right along with it if a hacker gains access to the controls for their pacemaker or insulin pump.

Update Your Insurance Policy

Before you start treating remote patients, you’ll want to make sure your policy includes the following for every jurisdiction where you’ll be providing services:

  • Products Liability: Telemedicine typically requires the use of specialized equipment, and any piece of equipment can fail. You’ll want to be covered against issues of liability stemming from faulty or malfunctioning devices.

  • Professional Liability: Telemedicine introduces some unique liability risks. Be sure to discuss your telehealth offerings in detail with your insurance agent or company so that they can provide you with any applicable coverage that your standard policy might not cover.

  • Cyber Liability Insurance: A cyberattack against your business can cost hundreds of thousands or even millions of dollars. It costs around $400-600 per record just to notify your patients of a breach and provide them with identity theft protection. Then there are HIPAA fines, legal fees, and business interruption costs to consider.

You do not want to pay for any of these things out of pocket. In the event of a cybersecurity incident, this coverage could mean the difference between a quick recovery and going out of business.

While you’re visiting with your insurance provider, be sure to discuss coverage for all of your employees as well as any independent contractors that you’ll be working with. We typically recommend that you reserve coverage under your policy for those who will be receiving a W2 from you when tax season comes around. Anyone else should have their own insurance policy with appropriate coverage for the particular services that they’ll be providing to your patients.

Have Fun With It!

There’s a lot to think about and consider when it comes to telemedicine, but don’t let this discourage you from considering telemedicine as a profitable and enjoyable addition to your existing business. As long as you know and address the unique risks that come with taking your practice online, you’ll be in a great position to reap the rewards of this new frontier of the digital landscape.

 
