Telemedicine: Risk management issues, strategies and resources

Article origi­nally printed in Health Perspec­tives. Reprinted with permission.

Telemed­i­cine is the practice of electron­i­cally connecting geograph­i­cally discrete health care facil­i­ties and providers. It encom­passes numerous methods and technolo­gies, ranging from tradi­tional store-and-forward data appli­ca­tions, commonly utilized in diagnostic review and inter­ac­tive exams, to innov­a­tive telep­re­sent” methods, including robotic surgery and emergency services consul­ta­tions. Among other uses, telemed­i­cine appli­ca­tions permit:

  • Patients/​clients in under­served rural areas to enjoy improved access to quality care, and state-of-the-art settings. 
  • Practi­tioner networks to collab­o­rate via shared electronic medical records, digital imagery and data files. 
  • Specialty providers to commu­ni­cate with (or tele-assist”) primary care practi­tioners in diagnostic tasks, leading to enhanced outcomes, shorter treat­ment periods, decreased use of unnec­es­sary drugs and reduced costs. 
  • Emergency depart­ment personnel to video-link with trauma special­ists for instant access to life-saving infor­ma­tion and support. 

While telemedicine/​telehealth (TMH) can foster efficiency and conve­nience, its reliance on contin­uous, real-time trans­mis­sion of data over computer networks also creates risk. At every step of the process, adverse events may occur, including diagnostic errors, technical glitches, and patient/​client privacy and security violations. 

This edition of Health­care Perspec­tive outlines strate­gies designed to enhance clinical, opera­tional and technical processes associ­ated with the provi­sion of TMH. National standards are cited throughout this resource, serving as policy templates in the following key areas: network security, confi­den­tiality, quality improve­ment, informed consent, record mainte­nance and technical support. 


Safeguard patient/​client data on computer networks and during transmission 

Secure trans­mis­sion of clinical infor­ma­tion requires effec­tive safeguards at every point in the process, i. e., within the trans­mit­ting facility’s network, over the trans­mis­sion medium and at the distant site. Whether data are sent by satel­lite, through the Internet or over a virtual private network (VPN), the following security measures, among others, should be estab­lished and implemented: 

Authen­ti­ca­tion enables autho­rized users to enter the system and access data via such means as log-in passwords, biometric scans, voice pattern samples and smart cards. Authen­ti­ca­tion proce­dures also permit system admin­is­tra­tors to verify specific users and their means of inter­face. Outside access should be limited to those networks that fulfill organi­za­tional security requirements. 

Patient/​client identi­fi­ca­tion uses patient/​client integra­tion profiles to promote accurate verifi­ca­tion at multiple sites. These profiles enable the cross-refer­encing of patient/​client identi­fiers either from multiple domains or from a central patient/​client infor­ma­tion server. 

Data control ensures that patient/​client infor­ma­tion is stored and trans­mitted in a confi­den­tial manner through the creation of a VPN, use of encryp­tion technology and/​or file anonymiza­tion software. An increasing number of medical systems also require digital signa­tures to verify that data have not been modified by an unautho­rized user. Encryp­tion measures also should extend to stored data on portable devices or remov­able media, as theft and loss of laptops, tablets, smart­phones, discs and USB flash drives are a leading source of data breaches. 

Data tracking offers an audit trail of all exchanges involving medical infor­ma­tion, permit­ting the system admin­is­trator to verify who has used the system and/​or accessed patient/​client data. Related monitoring technolo­gies help identify and protect against technical glitches and hacking. 

Protected access systems safeguard telemed­i­cine appli­ca­tions on wireless networks. A variety of security mecha­nisms may be used to provide both logical and physical restric­tions, including firewalls and antivirus software that detects malicious programs and activity. 

Patient/​client confidentiality #

Draft a disclosure protocol to ensure compliance with privacy regulations 

Privacy is a paramount concern when trans­mit­ting electronic data. 

Unautho­rized network access, hardware tampering and inter­cep­tion of data may violate privacy require­ments imposed under HIPAA, as well as other governing federal and state laws and regulations. 

Both TMH partners should imple­ment a disclo­sure protocol incor­po­rating the following practices: 

  • Obtain written permis­sion from the patient/​client before trans­mit­ting any protected health information. 
  • Require all staff involved in TMH to execute confi­den­tiality agree­ments, including contract and vendor personnel. 
  • Allow only desig­nated profes­sionals to disclose health related infor­ma­tion, such as the telep­re­senter and consulting and refer­ring practitioners. 
  • Mandate HIPAA training for staff and providers, covering such topics as infor­ma­tion security, common sources of breaches and conse­quences of protocol noncompliance. 
  • Transmit patient/​client data on an as-needed basis and monitor staff for inappro­priate access to protected health information.

The privacy oblig­a­tions of health care practi­tioners extend to the environ­ment where inter­ac­tive consul­ta­tions occur. The following provi­sions can help safeguard patient confidentiality: 

  • Ensure that the patient/​client is aware of and grants approval for all personnel partic­i­pating in consul­ta­tions, including the telepresenter. 
  • Place a conspic­uous sign on the exam door, notifying others that a consul­ta­tion is in progress. 
  • Prohibit the use of unautho­rized cameras and cellular telephones in the exami­na­tion room, using a signed consent agree­ment if necessary. 
  • Schedule TMH sessions in a desig­nated area that is suitably enclosed and private, rather than in an admin­is­tra­tive suite or other public space. 

Quality improvement

Measure outcomes for clinical care and technical support 

Delivery of high-quality TMH services depends upon system­atic monitoring and ongoing improve­ment of key processes. The following basic measures can help business owners more effec­tively compile, evaluate and report on meaningful care-related data. 

Outcome measure­ment offers practi­tioners useful infor­ma­tion about how well a TMH program is functioning, including further refine­ments that may be needed. Indica­tors should capture clinical, efficiency and satis­fac­tion outcomes, including: 

  • Patient/​client compli­ca­tion and morbidity rates. 
  • Compli­ance with provider perfor­mance criteria. 
  • Diagnostic accuracy.
  • Adher­ence to clinical protocols. 
  • Referral rates.
  • Patient/​client satis­fac­tion levels. 
  • Cost per case. 
  • Delays in accessing consul­ta­tions, refer­rals or specialty providers. 
  • Average waiting times. 

Standard­ized clinical proto­cols, properly imple­mented, can enhance quality and efficiency. By outlining a step-by-step process, proto­cols help improve consis­tency of care and perfor­mance of staff, and also ensure that test results are deliv­ered in a timely, accurate and confi­den­tial manner. For inter­ac­tive consul­ta­tions, proto­cols minimally should advise providers on how and when to: 

  • Schedule a consultation. 
  • Arrange for a consulting room. 
  • Set up neces­sary equipment. 
  • Estab­lish network connections. 
  • Prepare and advise the consulting provider, patient/​client and telemed­ical presenter. 
  • Document consul­ta­tion findings. 
  • Secure and back up required data. 
  • Prepare reports.
  • Inform patients/​clients and other providers of test results. 

The American Telemed­i­cine Associ­a­tion has promul­gated a variety of practice guide­lines (http://hub.americantelemed.org In addition, the Telehealth Resource Center provides infor­ma­tion on protocol devel­op­ment (www​.telehealthre​source​center​.org/​t​o​o​l​b​o​x​-​m​o​d​u​l​e​/​c​r​e​a​t​i​n​g​-protocols).

Incident reporting helps providers identify and respond to patient/​client compli­ca­tions or other adverse events that may arise during telemed­i­cine care. Providers should be instructed to document occur­rences and forward reports promptly to the appro­priate individual per written policy. A thorough, timely review of events helps foster a culture of account­ability and contin­uous improvement. 

Regular equip­ment testing and mainte­nance helps prevent poten­tial technical and user problems. Equip­ment should be suitable for diagnostic and treat­ment uses, readily avail­able when needed and fully functional during clinical encoun­ters. Safety guide­lines should specify who is respon­sible for mainte­nance. Utilize check­lists or logs to facil­i­tate documen­ta­tion of post-instal­la­tion testing, pre-session calibra­tion, and ongoing quality checking of audio, video and data trans­mis­sion capabilities. 

Satis­fac­tion surveys capture vital data regarding patient/​clients and provider percep­tions of the TMH program, as well as utiliza­tion patterns and the overall quality of TMH care. Surveys also can reveal unexpected barriers to care, including acces­si­bility issues and cost. Sample survey formats for telehealth encoun­ters are avail­able at https://​healthit​.ahrq​.gov/​s​i​t​e​s​/​d​e​f​a​u​l​t​/​f​i​l​e​s​/​d​o​c​s​/​s​u​r​v​e​y​/​t​e​l​e​h​e​a​l​t​h​p​a​t​i​e​n​t​s​a​t​i​s​f​a​c​t​i​o​n​s​u​r​v​e​y_comp.pdf and www​.techandaging​.org/​T​e​l​e​h​e​a​l​t​h​_​P​a​t​i​e​n​t​_​S​a​t​i​s​f​a​c​t​i​o​n​_​Survey.pdf.


Employ interactive teaching modules to ensure key competencies 

Staff training should focus primarily on learning the skills neces­sary to conduct consul­ta­tions and other TMH services smoothly and efficiently. At a minimum, training sessions should aim to enhance the following competencies: 

  • Commu­ni­ca­tion skills, including video presen­ta­tion content, organi­za­tion and etiquette. 
  • Under­standing the scope of services that can be provided using TMH methods. 
  • Profi­ciency with the technology system in use, as well as the physical environment. 
  • Knowl­edge of opera­tional proto­cols and proce­dures, updated as necessary. 
  • Ability to respond to equip­ment malfunc­tions and manage unexpected occurrences. 

Optimally, staff should begin with separate training sessions at the origi­nating and distant sites, then progress to mock joint proce­dures before advancing to real-time provi­sion of care. A wide variety of training modules is avail­able, serving a range of proce­dures and existing profi­ciency levels. The Telehealth Resource Center offers guidance on devel­oping a training strategy (www​.telehealthre​source​center​.org/​t​o​o​l​b​o​x​-​m​o​d​u​l​e​/​d​e​v​e​l​o​p​i​n​g​-​t​r​a​i​n​i​n​g-strategy), as well as answers to commonly asked questions concerning training of TMH providers (www​.telehealthre​source​center​.org/​t​o​o​l​b​o​x​-​m​o​d​u​l​e/training).

Informed consent

Disclose risks unique to the practice of telemedicine 

Patient/​client consent is always required prior to partic­i­pa­tion in TMH services. Providers often use existing consent and documen­ta­tion processes for store-and-forward consul­ta­tions. For more invasive proce­dures, a separate consent form is prefer­able, encom­passing the following information: 

  • Names, creden­tials, organi­za­tional affil­i­a­tions and locations of the various health profes­sionals involved. 
  • Name and descrip­tion of the recom­mended procedure. 
  • Poten­tial benefits and risks. 
  • Possible alter­na­tives, including no treatment. 
  • Contin­gency plans in the event of a problem during the procedure. 
  • Expla­na­tion of how care is to be documented and accessed. 
  • Security, privacy and confi­den­tiality measures to be employed. 
  • Names of those respon­sible for ongoing care. 
  • Risks of declining the treatment/​service.
  • Reiter­a­tion of the right to revoke consent or refuse treat­ment at any time. 

In addition, clearly convey to the patient/​client the inherent technical and opera­tional hazards that may impede commu­ni­ca­tion with the distant site or other­wise prevent prompt, accurate diagnosis of patient/​client condi­tions. These include: 

  • Fiber-optic line damage, satel­lite system compro­mise or hardware failure, which could lead to incom­plete or failed transmission. 
  • File corrup­tion during the trans­mis­sion process, resulting in less than complete, clear or accurate recep­tion of infor­ma­tion or images. 
  • Unautho­rized third-party access, which may lead to data integrity problems. 
  • Natural disas­ters, such as hurri­canes, torna­does and floods, which can poten­tially inter­rupt opera­tions and compro­mise computer networks 

Consent form documen­ta­tion becomes part of the patient/​client health care infor­ma­tion record and is custom­arily maintained at the origi­nating site, where the patient/​client receives routine care. Sample telemed­i­cine informed consent forms are avail­able from the American Telemed­i­cine Associ­a­tion at https://​thesource​.ameri​can​telemed​.org/​r​e​s​o​u​r​c​e​s​/​t​e​l​e​m​e​d​i​cine-forms.

Record maintenance

Create and retain formal patient/​client care records for all TMH encounters 

Telemed­i­cine sessions should be as thoroughly documented as all other patient/​client encoun­ters, with both partners to the TMH agree­ment contributing to the process. According to the American Health Infor­ma­tion Manage­ment Associ­a­tion, TMH records minimally should include: 

  • Patient/​client name. 
  • Patient/​client identi­fi­ca­tion number at origi­nating site. 
  • Date of service. 
  • Refer­ring practitioner’s name. 
  • Consulting practitioner’s name. 
  • Provider organization’s name. 
  • Type of evalu­a­tion to be performed. 
  • Informed consent documentation. 
  • Evalu­a­tion results. 
  • Diagnosis/​impression of providers. 
  • Recom­men­da­tions for further treatment. 

The use of standard­ized intake and consul­ta­tion forms can help providers achieve compli­ance with documen­ta­tion parameters. 

Templates, such as those avail­able from the American Telemed­i­cine Associ­a­tion, offer staff a clear and consis­tent documen­ta­tion format for evalu­a­tions and consul­ta­tions (https://​thesource​.ameri​can​telemed​.org/​r​e​s​o​u​r​c​e​s​/​t​e​l​e​m​e​d​i​cine-forms).

Facil­i­ties also must select accept­able media for record keeping, such as electronic files, hard copy and/​or video or audio­tape. Protocol routinely dictates that the origi­nating site retains files and images, providing the distant site with access to data when needed. Record reten­tion policies should comply with profes­sional standards, federal and state laws and regula­tions and the reimburse­ment require­ments of public and private payers. 

Health care business owners can help stream­line the archiving process by assigning lifes­pans” to patient/​client data and medical documents stored in computer memories, based on such factors as last date of patient/​client treat­ment, provider access require­ments and record reten­tion policies. For many organi­za­tions, data are maintained on a locally desig­nated and protected server, with repli­ca­tion servers backing up files in the event of a disaster, computer problem or other type of business interruption. 

Technical support

Implement a robust, high quality telecommunication system 

Inter­ac­tive TMH encoun­ters depend upon a reliable and secure telecom­mu­ni­ca­tion system. Connec­tions are of the utmost impor­tance and should support business-grade video­con­fer­encing with clear sound. Avail­able options range from portable video confer­encing units to large screen, high-defin­i­tion consoles. Relying on the basic Internet for connec­tion, rather than a private network dedicated to health care appli­ca­tions, may compro­mise quality and inter­fere with effec­tive diagnosis or treatment. 

Health care business owners can stream­line the equip­ment selec­tion process by compiling a list of general require­ments and technical speci­fi­ca­tions for video­con­fer­encing systems, ancil­lary devices and post-purchase support needs. Choices are gener­ally guided by imaging needs, existing infra­struc­ture and budgetary realities. 

Regard­less of the specific equip­ment selected, TMH systems should: 

  • Comply with all relevant laws, regula­tions and codes regarding patient/​client safety and technical requirements. 
  • Provide redun­dant systems to help ensure uninter­rupted network connectivity. 
  • Utilize connec­tions exclu­sively desig­nated for telemed­i­cine, rather than local networks, which may be incom­pat­ible with TMH image trans­mis­sion and archiving appli­ca­tions and/​or lack suffi­cient bandwidth. 
  • Permit networks to connect through existing firewalls. 

It also is neces­sary to accom­mo­date the physical and environ­mental demands of TMH opera­tions. Patient/​client rooms must be suffi­ciently spacious to allow at least six feet between the patient/​client and the camera operator. In addition, adequate HVAC capabil­i­ties and acces­sible infec­tion control supplies – such as antibac­te­rial wipes, sterile plastic sleeves for probes and camera lens disin­fec­tant are essen­tial to patient/​client safety. 

As with any new venture, successful imple­men­ta­tion of a telemed­i­cine program requires careful planning and collab­o­ra­tion by multiple stake­holders, both inside and outside the business. The strate­gies presented in this resource can help health care business owners initiate and maintain a high quality TMH program, which maximizes efficiency and conve­nience while minimizing associ­ated risks.