Telehealth Ethics, Best Practice, and the Law: What You Need to Know
As physical therapist practice expands to include telehealth, securing patients' protected health information (PHI) is more critical than ever before. In a webinar recorded in October 2018 (free to members), Kara R. Gainer, JD, and Matt Elrod, PT, DPT, MEd, revisited the Health Insurance Portability and Accountability Act (HIPAA) requirements and professional ethical considerations (.pdf) as they apply to remote patient communications. Here is a quick summary, but check out the full webinar.
This is not formal legal advice, and you should always check all state and federal laws regarding telehealth requirements.
When evaluating potential telemedicine solutions for your organization, make sure to consider who can access PHI and how, as well as how data is secured during storage and transmission.
What does HIPAA require?
HIPAA covers protected health information (PHI) and requires covered entities to maintain reasonable and appropriate administrative, physical, and technical security standards.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all electronic PHI they create, receive, maintain, or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
Under HIPAA, providers should also make sure contracts with "business associates"—including telehealth software vendors—provide assurances that the information will be properly safeguarded and are HIPAA compliant. The contracts must state how the vendor is permitted and required to use PHI and that the vendor will not use or disclose PHI outside those parameters, as well as requirements for appropriate safeguards to prevent misuse of PHI. There are financial penalties for noncompliance of up to $50,000 per violation.
How do I know if a telehealth technology solution is HIPAA compliant?
Consider the need for encryption of data being transported as well as stored. Additionally, just because a vendor says it is HIPAA compliant doesn't mean that it is, and providers should do their due diligence. Choosing a solution that has undergone an independent audit by cybersecurity risk management advisors provides peace of mind that the solution truly is HIPAA compliant. This independent verification and asking the right questions during solution research are key, as many organizations have higher-level compliance that doesn’t necessarily trickle down to individual services, solutions, or products.
What are best practices for patient consent in telehealth?
Getting your patient’s consent could be a legal requirement in your state, or a condition of getting paid, depending on the payer you’re billing. Some states don’t have any requirements. Others require verbal consent. Still others require providers to obtain written consent and store it in the patient's health record. (To learn the consent requirements in your state, check The National Telehealth Policy Resource Center's state map.)
Even if patient consent for telemedicine visits is not required in your state, it’s still best practice. According to the American Telemedicine Association, the consent form should:
- Inform patients of their rights when receiving telemedicine, including the right to stop or refuse treatment.
- Tell patients their own responsibilities when receiving telemedicine treatment.
- Have a formal complaint or grievance process to resolve any potential ethical concerns or issues that might come up as a result of telemedicine.
- Describe the potential benefits, constraints, and risks (like privacy and security) of telemedicine.
- Inform patients of what will happen in the case of technology or equipment failures during telemedicine sessions, and state a contingency plan.
In addition, you may want to outline some of your basic telemedicine program policies around billing, scheduling, cancellation, etc.
Can a provider use email or otherwise electronically exchange images, videos, and conversation?
Yes, but providers should use caution. Under the law, PHI should be "reasonably safeguarded." While encrypted email is not required, it is recommended, and providers should take certain precautions, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message. However, under the HIPAA Privacy Rule, an individual has the right to request that a provider communicate via alternative means, if reasonable.
Under HIPAA, a phone is no different than a computer. So even if you aren't taking photos or videos, checking your email or texting patients could require you to ensure your phone is HIPAA compliant by using encryption tools, enabling firewalls, installing security software, and maintaining physical control of the device, among others.
Can I use FaceTime or Skype?
Any medium used to transmit PHI must be covered by a business associate agreement. Conduct a risk assessment and make sure the agreement covers all of the programs being used (eg, Skype, Skype for Business, any Microsoft application you use). Apple does not currently enter into business associate agreements. Providers should work with vendors that agree to sign business associate agreements.
Are the rules any different for consultation with a health care provider versus direct interaction with the patient?
A covered entity may use or disclose protected health information for its own treatment, payment, and health care operations activities.
What if there is a data breach or records are lost or destroyed?
A data breach is an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. There are a few exceptions, such as if the wrong employee accidentally received the data.
If a true breach has occurred, "covered entities" must notify all affected individuals within 60 days by first class mail or by email (if the person has consented to electronic notices). The communication must include a brief description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; as well as contact information for the covered entity or business associate, as applicable.
Kara Gainer is APTA's director of regulatory affairs. Matt Elrod is a board-certified neurologic clinical specialist and was lead specialist in APTA's Practice Department.
Hiding in Plain Sight: How You Can Fight Bacterial Contamination in Your Clinic
By David Levine, PT, DPT, PhD, FAPTA, June Hanks, PT, DPT, PhD, and Henry Spratt, PhD
As health care providers, we see multiple patients each day up close and personal. It's not uncommon to catch a cold from a patient's cough. But did you know your clinical surfaces could be spreading germs as well? Our research team, the Clinical Infectious Disease Control (CIDC) research unit at The University of Tennessee at Chattanooga, has been investigating bacterial contamination in physical therapy equipment.
Here are the results of 3 studies, some takeaways, and some common-sense tips to limit potential infections for you and your patients.
Topical lotions can be a source of bacterial contamination. In one study, we sampled 81 containers of common lotions used for soft tissue mobilization, such as Deep Prep®, Palmer’s Cocoa Butter®, and Free Up®, from 22 outpatient rehabilitation centers. Sixteen of the containers sampled—20%—contained bacteria including Staphylococcus aureus, methicillin-resistant Staphylococcus aureus (MRSA), and enteric bacteria such as E. coli. The majority of the bacteria found were present on the threads on the tips of the containers.
Ultrasound equipment can harbor germs—a lot of them. In another study, we cultured 31 ultrasound heads and 55 ultrasound gel bottles in 9 rehabilitation centers. Tips of gel bottles had the highest contamination, with 52.7% positive for nonspecific bacterial contamination and 3.6% positive for MRSA. While no MRSA was detected on ultrasound heads, 35.5% had nonspecific bacterial contamination. Disinfecting the ultrasound heads removed over 90% of the bacteria.
In a third study, we found that Staphylococcus aureus placed on ultrasound heads can survive, if not cleaned, for extended periods of time. Nearly 80% of Staphylococcus aureus placed on ultrasound heads in gel survived for 1 hour, with survival of 3 days possible in other types of organic matter, such as skin cells, or even the gel itself.
The takeaway: We need better and standardized cleaning and storage protocols for lotions, gels, and ultrasound heads, as well as general infection prevention protocols.
What Practice Managers Can Do to Prevent the Spread of Infection
Surveillance data collection is more challenging in outpatient settings than in inpatient settings due to short and sporadic patient encounters and the potential use of multiple medical facilities by infectious patients, but practice managers can promote best practices for infection prevention through official policies and protocols. Practitioners working in outpatient settings should follow recommended Centers for Disease Control and Prevention (CDC) health care-associated infection prevention practices, which include:
- Adherence to standard precautions such as cleaning equipment between uses
- Use of appropriate personal protective equipment including masks, gloves, and gowns
- Routine cleaning and disinfection of environmental surfaces most likely to become contaminated
- Strict adherence to hand hygiene practices (more on that later)
To reduce microbe contamination, environmental surfaces should be routinely cleaned and disinfected with appropriate solutions and following manufacturer recommendations. The CDC recommendations for cleaning and disinfecting environmental surfaces are based on the potential of the surface to transmit microbes if contaminated before use. Environmental surfaces are considered to be those that do not routinely come in direct contact with the patient during patient care, such as walls, floors, and knobs or handles on medical devices.
Even if you are a staff PT or PTA who isn't in a position to make decisions about a facility-wide protocol, there are some easy actions you can take right away:
- Routinely clean ultrasound heads with appropriate disinfectants.
- Use a tongue depressor to remove lotions from the container.
- Don't leave gel or lotion jars open.
- Don't reuse disposable bottles of ultrasound gels.
- Practice appropriate hand hygiene.
For patients who have open wounds or are immunosuppressed or immunocompromised, providers should take extra precautions, such as using sterile packets of lotions or gels for soft tissue mobilization or ultrasound, ensuring that any equipment that comes into contact with the patient (such as a goniometer) has been disinfected, and wearing personal protective equipment as needed.
Some Notes on Hand Hygiene
Hand hygiene should occur before and after each patient encounter.
Proper hand hygiene using alcohol-based hand sanitizers (ABHS) or soap and water significantly impacts microbe transmission and should be incorporated into routine patient care.
ABHS are the most efficacious method to reduce bacteria on hands. ABHS should be used according to manufacturer recommendations, which generally include putting the product on the hands and rubbing all surfaces of the hands together for at least 20 seconds until dry.
Handwashing with soap and water is recommended after treating patients with known or suspected norovirus or Clostridium difficile, since ABHS are not effective against these pathogens. To wash hands with soap and water, place the hands under running water, apply the soap, and vigorously rub all surfaces of the hand together for 15-20 seconds, rinse the hands, use a disposable towel to dry, and use the towel to turn off the water faucet.
Fingernails should be kept less than ¼ inch long, and excessive jewelry should be avoided. Frequent use of hand lotions that do not interfere with hand sanitizing products may help reduce hand dryness from frequent cleansing.
Everyone Has a Role to Play
All personnel play a role in the prevention of health care-associated infections. Administrators should ensure that policies and procedures regarding infection control are developed and implemented by health care personnel. Supplies necessary for adhering to standard precautions (eg, gloves, masks) should be readily available for use, and providers must be trained in infection-control measures.
David Levine is professor in the department of physical therapy at The University of Tennessee at Chattanooga (UTC) and a board-certified clinical specialist in orthopaedic physical therapy. June Hanks is associate professor in the department of physical therapy at UTC. Henry Spratt is professor in the UTC department of biology, geology, and environmental science.
Looking Back, and Forward: PTJ Publishes Its 1,000th Issue
As APTA heads toward its centennial year, PTJ has reached its own milestone: August marks its 1,000th issue.
Like the association, previously known as the American Women's Physical Therapeutic Association (AWPTA), the journal—originally The P.T. Review—has evolved over time to elevate the importance of research-based evidence in practice.
In contrast to the current issue—which covers diverse research topics such as diagnostic imaging, Twitter discussions of physical therapy, and perspectives on population health—the inaugural issue's 16 pages included a greeting from Marguerite Sanderson, who created the US Army reconstruction aide program during World War I; a letter from Army orthopedic surgeon Joel E. Goldthwait on the value of physical therapy; articles on the formation of the association and its first election; and the first AWPTA constitution.
(Spoiler alert: The preliminary meeting to discuss the formation of the association was held at Keen's Chophouse on 36th Street in New York City—which still exists today as Keen's Steakhouse.)
Here's a look back at the 1921 issue, edited by Isabel H. Noble, who hoped "to make each copy an improvement over its predecessor."