Telehealth Ethics, Best Practice, and the Law: What You Need to Know
As physical therapist practice expands to include telehealth, securing patients' protected health information (PHI) is more critical than ever before. In a webinar recorded in October 2018 (free to members), Kara R. Gainer, JD, and Matt Elrod, PT, DPT, MEd, revisited the Health Insurance Portability and Accountability Act (HIPAA) requirements and professional ethical considerations (.pdf) as they apply to remote patient communications. Here is a quick summary, but check out the full webinar.
This is not formal legal advice, and you should always check all state and federal laws regarding telehealth requirements.
When evaluating potential telemedicine solutions for your organization, make sure to consider who can access PHI and how, as well as how data is secured during storage and transmission.
What does HIPAA require?
HIPAA covers protected health information (PHI) and requires covered entities to maintain reasonable and appropriate administrative, physical, and technical security standards.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all electronic PHI they create, receive, maintain, or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
Under HIPAA, providers should also make sure contracts with "business associates"—including telehealth software vendors—provide assurances that the information will be properly safeguarded and are HIPAA compliant. The contracts must state how the vendor is permitted and required to use PHI and that the vendor will not use or disclose PHI outside those parameters, as well as requirements for appropriate safeguards to prevent misuse of PHI. There are financial penalties for noncompliance of up to $50,000 per violation.
How do I know if a telehealth technology solution is HIPAA compliant?
Consider the need for encryption of data being transported as well as stored. Additionally, just because a vendor says it is HIPAA compliant doesn't mean that it is, and providers should do their due diligence. Choosing a solution that has undergone an independent audit by cybersecurity risk management advisors provides peace of mind that the solution truly is HIPAA compliant. This independent verification and asking the right questions during solution research are key, as many organizations have higher-level compliance that doesn’t necessarily trickle down to individual services, solutions, or products.
What are best practices for patient consent in telehealth?
Getting your patient’s consent could be a legal requirement in your state, or a condition of getting paid, depending on the payer you’re billing. Some states don’t have any requirements. Others require verbal consent. Still, others require providers to obtain written consent and store it in the patient's health record. (To learn the consent requirements in your state, check The National Telehealth Policy Resource Center's state map.)
Even if patient consent for telemedicine visits are not required in your state, it’s still best practice. According to the American Telemedicine Association, the consent form should:
- Inform patients of their rights when receiving telemedicine, including the right to stop or refuse treatment.
- Tell patients their own responsibilities when receiving telemedicine treatment.
- Have a formal complaint or grievance process to resolve any potential ethical concerns or issues that might come up as a result of telemedicine.
- Describe the potential benefits, constraints, and risks (like privacy and security) of telemedicine.
- Inform patients of what will happen in the case of technology or equipment failures during telemedicine sessions, and state a contingency plan.
In addition, you may want to outline some of your basic telemedicine program policies around billing, scheduling, cancellation, etc.
Can a provider use email or otherwise electronically exchange images, videos, and conversation?
Yes, but providers should use caution. Under the law, PHI should be "reasonably safeguarded." While encrypted email is not required, it is recommended and providers should take certain precautions, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message. However, under the HIPAA privacy rulean individual has the right to request that a provider communicate via alternative means, if reasonable.
Under HIPAA, a phone is no different than a computer. So even if you aren't taking photos or videos, even checking your email or texting patients could require you to ensure you phone is HIPAA compliant by using encryption tools, enabling firewalls, installing security software, and maintaining physical control of the device, among others.
Can I use FaceTime or Skype?
Any medium used to transmit PHI must be covered by a business associate agreement. Conduct a risk assessment and make sure the agreement covers all of the programs being used (eg, Skype, Skype for Business, any Microsoft application you use). Apple does not currently enter into business associate agreements. Providers should work with vendors that agree to sign business associate agreements.
Are the rules any different for consultation with a health care provider versus direct interaction with the patient?
A covered entity may use or disclose protected health information for its own treatment, payment, and health care operations activities.
What if there is a data breach or records are lost or destroyed?
A data breach is an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. There are a few exceptions, such as if the wrong employee accidentally received the data.
If a true breach has occurred, "covered entities" must notify all affected individuals within 60 days by first class mail or by email (if the person has consented to electronic notices). The communication must include a brief description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; as well as contact information for the covered entity or business associate, as applicable.
Kara Gainer is APTA's director of regulatory affairs. Matt Elrod is a board-certified neurologic clinical specialist and was lead specialist in APTA's Practice Department.