Digital transformation has changed the landscape of many businesses, and the healthcare industry is just one of many examples. Often referred to as “telehealth” or “telemedicine,” the ability to deliver health services remotely has increased in adoption, particularly during the coronavirus pandemic.

Amid this innovation, however, numerous questions have emerged about the appropriate scope of telemedicine services and regulatory compliance requirements with the Health Insurance Portability and Accountability Act (HIPAA).

Healthcare providers must be cognizant of the new risks involved with managing and delivering telehealth. In this guide we’ll review the federal and state risk management frameworks that practitioners can utilize to guide the development of their telehealth services.

What services fall under the scope of telehealth?

The Department of Health and Human Services (HHS) defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.”

The electronic communication that takes place between patient and practitioner must include audio and video-conferencing functionality that enables real-time, face-to-face communication.

The type of telehealth services that are permissible, and who is lawfully allowed to administer them, varies from state to state based on individual regulations and license and credentialing requirements. For Medicare and Medicaid services specifically, the Centers for Medicare & Medicaid Services are responsible for providing guidance on the scope of services.

What are the benefits of telemedicine?

Telemedicine services offer numerous benefits for patients and physicians alike. Some examples include: 

  • Patients in rural areas, who might not otherwise have convenient, local access to healthcare, can obtain quality care through telemedicine visits.
  • Practitioners can collaborate across specializations via authorized access to shared health records.
  • Specialists can collaborate with primary care physicians to evaluate test results, review diagnostic reports, and share other relevant information to provide a more holistic treatment for the patient. This results in improved patient outcomes, shorter treatment periods, and a reduction in healthcare costs.
  • In emergency situations, trauma specialists can confer with emergency personnel to provide potentially life-saving guidance and support.

How safe is telemedicine?

Telemedicine is a fairly new concept, so it’s still being evaluated for overall patient safety and appropriateness. Obviously there are many cases where a clinician and patient must meet in person. Typically telemedicine is used as a means for evaluation and follow-up, but it should never encompass the entirety of one’s medical services.

To safeguard professional liability, practitioners are required to obtain patient consent prior to participating in telehealth services. Additionally, the prescribing physician implementing e-health services is required to convey any potential risks, both technical and operational, that could disrupt telecommunications. These include:

  • Hardware failures, including computer systems outages, fiber-optic line damage, satellite failure, and the like.
  • Corruption of transmitted files due to issues during the sending process.
  • Security risks related to the unauthorized access of medical records accessed over unsecured networks.
  • Business interruption due to natural disasters, which can compromise or interrupt operations related to a telemedicine program.

What is telemedicine risk management?

Telemedicine risk management seeks to identify and mitigate the risks associated with the use of telemedicine, for both providers and their patients. Examples of potential risk include:

  • Claims of malpractice or poor standard of care
  • Unauthorized access of protected health information (PHI) 
  • Violation of federal or state laws regarding operating a telemedicine practice
  • Violation of standards put forth by HHS as well as HIPAA

What are the six main categories of telemedicine risk? 

All of the risk management considerations associated with providing virtual care services under a telehealth banner can be organized into the following six categories:

1. Vendor Risk

It is vital to scrutinize third-party vendors that provide telemedicine platforms, and assure that the proper protocols are in place to protect patient health information.

2. State Licensure and Credentialing Regulations

In addition to understanding licensure requirements, clinicians should be aware of requirements for practicing telemedicine across state lines. While healthcare providers can practice medicine at a distance, they must be licensed in the state where the patient resides — not where the clinician is. (The provider’s malpractice coverage can also be a concern, as we’ll see in risk No. 6, below.)

3. Reimbursements

Private insurers are required to reimburse for telehealthcare, but providers should be aware of payers’ rules surrounding reimbursement as they vary from one payer to another.

4. HIPAA Requirements

The HIPAA Privacy Rule, Security Rule, and all Administrative Simplification rules apply to “covered entities.” Covered entities include health plans, healthcare clearinghouses, and health care providers. Any of these entities that participate in a telemedicine practice must abide by HIPAA regulations.

5. Compliance Documentation for Providers

Telemedicine is regulated at the state level. While compliance requirements aren’t different for telemedicine, how your practice documents its compliance for telemedicine services might be. So, it’s recommended that you maintain a defined scope for telehealth and understand its impact on your compliance stance.

6. Malpractice Insurance 

In general, a malpractice insurance policy covers telemedicine care. Some insurance carriers, however, have policy language that dictates the amount of care that’s required before a patient can receive telemedicine care, and whether or not care can be given across state lines. 

How can you assure that your telemedicine practice is safe and secure?

To assure that telehealth medical care is safe and secure, practitioners must implement risk-management protocols to assess their risk and mitigate as much potential risk as possible. Furthermore, practitioners are required to uphold the same standards of care and scope of services that they’re authorized to administer in a traditional setting.

The American Telemedicine Association and Telehealth Resource Center have provided some guidance and resources for developing a telehealth program. Here are a few guidelines your practice can use to assure that quality healthcare competencies extend to your telemedicine program.

Measure Outcomes

By measuring outcomes of telehealth services, practitioners can gain helpful insight into how their program is working and where improvement is needed. Key Performance Indicators (KPIs) include clinical efficiency, health outcomes, diagnostic accuracy, patient satisfaction, program costs, wait times, and referral rates.

Standardize Appropriate Telehealth Protocols

As your practice develops its telehealth services, you will learn what works well and what needs improvement. By documenting your telehealth processes and protocols, you can have confidence that your program will continually improve and remain successful.

Report Incidents

Expect a learning curve as your telemedicine practice and regulations evolve. Providers are encouraged to document incidents and report them promptly to the appropriate supervisor. This will help to implement additional training where needed and improve the practice overall as it grows.

Perform Routine Equipment Testing and Maintenance

Just as you would do with any medical equipment in your brick-and-mortar practice, telehealth professionals should assure their “tele-equipment” is evaluated and maintained regularly. This can prevent technical problems that degrade the patient experience. Moreover, documentation should indicate who is responsible for maintaining equipment. Include monitoring to enforce these responsibilities. 

Send Patient Satisfaction Surveys

Occasionally asking patients to complete satisfaction surveys can help to capture crucial insight into how patients perceive your telemedicine program, reveal barriers to adoption, and improve the program.

How ZenGRC Can Help You Maintain HIPAA Requirements for Telemedicine

The surge of telehealth during the COVID-19 pandemic has created an exciting time for healthcare practitioners to expand their practice, improve their offerings, and enhance their ability to collaborate with other specialists across disciplines. At the same time, this shift has unearthed new challenges that must be addressed to assure that patients continue to receive the proper standard of care and that compliance with healthcare-related regulations like HIPAA is maintained. 

As healthcare continues to transform with the use of technology, practitioners must be aware of the legal, ethical, and regulatory implications to their practice.

Ultimately this can result in the need for new documentation, as well as new compliance requirements that healthcare organizations must manage — when they have many, many challenges and responsibilities already.

ZenGRC can help to assure that your telemedicine practice has done its due diligence to mitigate risk and meet all compliance requirements, whether those requirements are for HIPAA, NIST, HITECH, or any other healthcare-related compliance standard.

ZenGRC’s compliance templates help you to automate the process of procuring the necessary documentation, while our easy-to-use dashboard provides an integrated view of HIPAA-regulated data, compliance, and services, showing where the gaps are in your solution and how to fill them.

Worry-free HIPAA compliance is the Zen way! Learn how ZenGRC can help you achieve compliant software by booking a demo today.