Telemedicine, the remote diagnosis and treatment of patients by means of telecommunications technology, has been around longer than many realize. In fact, it first appeared on the April 1924 cover of Radio News magazine, which depicted three children being evaluated by a physician over a video/radio communication tool. Thirty years later, radiology images were shared over telephone, and in the 1970s and 1980s, teleradiology expanded to include neurological exam sharing and behavioral health treatment. In the 2000s, healthcare organizations and physician practices made a concerted effort to employ telemedicine as part of the standard practice of care and treatment. Still, reduced reimbursements or no reimbursement at all from carriers have stifled a broad adoption of this treatment modality.
When the coronavirus pandemic hit in 2020, it significantly increased interest in and use of telemedicine. As news broke regarding the risks and preventative approaches to mitigating exposure to COVID-19, there was a dramatic reduction of in-person patient visits. Conversely, there was a marked increase in the use of telemedicine to care for and treat patients, by primary care physicians, specialists, clinics and hospitals.
While in-person visits eventually rebounded to pre-pandemic levels, an increased use of telemedicine will remain. Most physician groups and hospitals adjusted technology and resources. Additionally, the Department of Health and Human Services (DHHS) expanded the public health emergency through April 2021, ensuring that telemedicine will continue to be leveraged as a tool to provide care and minimize risk of exposure to COVID-19.
Risks, such as crossing state lines, documentation and non-physician clinicians, have always existed. For the most part, they have been managed or eliminated. The increased use of telemedicine has created new and evolving risks, and has highlighted existing risks. Those risks, along with practical recommendations for addressing them, are presented here.
Emerging and Existing Risks of Using Telemedicine
Six main categories of risk exist with the introduction and increased use of telemedicine.
1. Vendor Risk
It is important to carefully scrutinize vendors providing telemedicine platforms. Some individuals and vendors have leveraged telemedicine claims and platforms for their personal advantage. Vendors have been found to use providers’ information to submit fraudulent claims for treatment. Dishonest vendors will obtain lists of patients without their knowledge and then pay unsuspecting doctors to order unneeded equipment, testing or drugs with no patient interaction or only a brief call. Proceeds are then laundered through international shell corporations and banks.
Recommendation: Steps to minimize the risk of engaging with a fraudulent vendor include:
- Seek strong contract language
- Secure an appropriate Business Associate Agreement (BAA) agreement
- Assure that vendors understand and are abiding by required and standard practices as it relates to HIPAA privacy and security
- Require good documentation protocols and processes
- Ensure the ability to have direct interaction with a patient
- Insist on a method to record patient interactions
- Verify easy access to work and communication with vendor as the need arises
Risks may be mitigated primarily through thorough research of any proposed telemedicine provider. Ensure the vendor can accommodate HIPAA requirements while providing a platform that maximizes interactions with patients. Vendors who are unfamiliar with HIPAA and BAAs should be regarded with concern. Contact multiple referrals to provide assurance that vendors are behaving in a professional, law-abiding manner. Ask questions such as: “What is your U.S. address?” “Are you publicly traded?” “Are you owned by a larger organization?” “How do you market your services?” and “Are you HIPAA-compliant (pre-COVID-19)?”
2. Advanced Practice Providers
State-based regulations govern oversight and required malpractice coverage of advanced practice providers when using telemedicine. While compliance does not change with respect to telemedicine, the method used to show evidence of adherence could change.
Recommendation: Be aware of licensure requirements, have a defined scope of practice and know what is required with respect to oversight. Analyze how telemedicine may impact current compliance processes. For instance, if a state requires a specific percent of chart and/or care reviews of a physician’s assistant, document these practices as telemedicine care is being provided. Let compliance needs factor in to vendor selection as well, choosing ones that can help facilitate documentation of oversight in accordance with states’ requirements. While some care restrictions may be temporarily lifted due to COVID-19, state-based requirements of what a medical assistant, nurse or advanced practitioner can and cannot perform when treating patients are not altered by telemedicine.
3. State Licensure and Regulations
As is the case with the risks already covered, licensing requirements do not change with telemedicine. In general, clinicians must be licensed in the state where the patient, not the clinician, resides. Centers for Medicare & Medicaid Services (CMS) instituted a temporary waiver of in-state licensure requirements during the coronavirus pandemic, but practitioners should be aware that state requirements may still supersede CMS waivers.
Recommendation: The Federation of State Medical Boards regularly updates its document that outlines state requirements and includes links to relevant communications from each state. Reviewing the document on a regular basis will help ensure adherence to applicable state requirements and prepare a return to standard requirements once temporary modifications are lifted.
While commercial payors had been slow to accept and adopt telemedicine care, the dramatic increase of use brought on by the pandemic has forced them to adjust quickly. As a result, payors now reimburse for care. Providers must still be aware of payors’ rules surrounding reimbursement, and rules vary from one payor to another. Of note, CMS has waived the established patient/provider relationship mandate in light of the pandemic. Since rules can change at any time, it is critical for providers to remain informed of all developments and modifications.
Recommendation: The Department of Health and Human Services (DHHS) created a one-stop resource that provides up-to-date guidance to aid compliance with both federal and payor-specific reimbursement requirements.
Privacy and security rules apply to telemedicine. Providers must safeguard protected health information (PHI) and supply required disclosures to patients. For example, notice of privacy practices should denote telehealth services. The DHHS Office of Civil Rights (OCR) has issued a Notification of Enforcement Discretion to empower covered health care providers to use widely available communications applications without the risk of penalties, which can be found here. Because of this ruling, non-public facing video chat applications such as FaceTime, Zoom and Skype may be used. Non-public facing applications like Facebook Live and Twitch are not approved for use with telemedicine care.
Recommendation: Review and understand the DHHS/OCR enforcement discretion and check it regularly to ensure continued compliance both now and when a reversion to original practices occurs. Use this time and relaxed enforcement discretion to perform a self-audit of telemedicine practices. Start with a thorough review of individual policies and corporate procedures. The Federation of State Medical Board model policy can be helpful in this endeavor. Train staff on the risks and importance of adhering to HIPAA Privacy and Security Rules, including during their use of telemedicine care.
6. The Standard of Care and Malpractice Insurance Coverage
The same duty of care that applies to in-person care applies during telemedicine sessions. Telemedicine care can become potentially problematic in cases where the patient (plaintiff) alleges the provider should have evaluated the patient in-person and, as a result, there was a missed or delayed diagnosis. Potential situations such as this illustrate the reality that telemedicine care is not always a substitute for in-person care.
Another area of potential concern is medical malpractice insurance coverage. In general, malpractice insurance carriers support telemedicine care. However, many carriers have policy language referencing the amount of care, whether an established patient relationship is required before providing telemedicine care, and whether or not care can be provided across state lines. Some carriers may even be silent with respect to telemedicine care.
Recommendation: Review and understand malpractice carrier policies on telemedicine care. Know what is covered and what is not and ensure adherence with policy language. As it relates to duty of care, be vigilant when providing telemedicine care. For example, informed consent still applies. Patients should now understand (and providers should document) the purpose, risks and alternatives of telemedicine care.
When more effective evaluation of a patient can be performed in person, providers should find a way to do so safely. Ensure thorough documentation of telemedicine care is performed and that it supports reasoning, logic and differential diagnosis. Lastly, although dated, the American Medical Association has a document that outlines each state’s definition and requirements of a physician-patient relationship via telemedicine. Institutions should review medical staff by-laws and credentialing processes with medical staff leadership and consider revising by-laws and processes to incorporate the use of telemedicine care.
Care should be taken to ensure that administration of medication and controlled substances maintains or improves upon in-person medication management. If evaluation of a patient through a telemedicine platform proves less effective than in-person care, mitigate the risk of providing the incorrect medication or dosages by arranging an in-person appointment.
The sudden and rapid adoption of telemedicine on a broad basis is a welcome event in the medical community, yet it is not without risks for medical providers. Vendor relationships, use of advanced practice providers, adherence to state licensure and regulations, reimbursement requirements, compliance with HIPAA regulation, and knowledge of standard of care and malpractice insurance coverage are essential steps providers should take to protect themselves and patients from risks inherent to the delivery of telemedicine care. With proper documentation, compliance and care practices in place, the move toward telemedicine care can be a positive development for all parties.
Principal & Risk Consultant Edgewood Healthcare Advisors
Principal - Hartford, CT