Telemedicine: Risk management issues, strategies and resources

While telemedicine/telehealth (TMH) can foster efficiency and convenience, its reliance on continuous, real-time transmission of data over computer networks also creates risk.

Article originally printed in Health Perspectives. Reprinted with permission.

Telemedicine is the practice of electronically connecting geographically discrete health care facilities and providers. It encompasses numerous methods and technologies, ranging from traditional store-and-forward data applications, commonly utilized in diagnostic review and interactive exams, to innovative “telepresent” methods, including robotic surgery and emergency services consultations. Among other uses, telemedicine applications permit:

  • Patients/clients in underserved rural areas to enjoy improved access to quality care, and state-of-the-art settings.
  • Practitioner networks to collaborate via shared electronic medical records, digital imagery and data files.
  • Specialty providers to communicate with (or “tele-assist”) primary care practitioners in diagnostic tasks, leading to enhanced outcomes, shorter treatment periods, decreased use of unnecessary drugs and reduced costs.
  • Emergency department personnel to video-link with trauma specialists for instant access to life-saving information and support.

While telemedicine/telehealth (TMH) can foster efficiency and convenience, its reliance on continuous, real-time transmission of data over computer networks also creates risk. At every step of the process, adverse events may occur, including diagnostic errors, technical glitches, and patient/client privacy and security violations.

This edition of Healthcare Perspective outlines strategies designed to enhance clinical, operational and technical processes associated with the provision of TMH. National standards are cited throughout this resource, serving as policy templates in the following key areas: network security, confidentiality, quality improvement, informed consent, record maintenance and technical support.


Safeguard patient/client data on computer networks and during transmission

Secure transmission of clinical information requires effective safeguards at every point in the process, i. e., within the transmitting facility’s network, over the transmission medium and at the distant site. Whether data are sent by satellite, through the Internet or over a virtual private network (VPN), the following security measures, among others, should be established and implemented:

Authentication enables authorized users to enter the system and access data via such means as log-in passwords, biometric scans, voice pattern samples and smart cards. Authentication procedures also permit system administrators to verify specific users and their means of interface. Outside access should be limited to those networks that fulfill organizational security requirements.

Patient/client identification uses patient/client integration profiles to promote accurate verification at multiple sites. These profiles enable the cross-referencing of patient/client identifiers either from multiple domains or from a central patient/client information server.

Data control ensures that patient/client information is stored and transmitted in a confidential manner through the creation of a VPN, use of encryption technology and/or file anonymization software. An increasing number of medical systems also require digital signatures to verify that data have not been modified by an unauthorized user. Encryption measures also should extend to stored data on portable devices or removable media, as theft and loss of laptops, tablets, smartphones, discs and USB flash drives are a leading source of data breaches.

Data tracking offers an audit trail of all exchanges involving medical information, permitting the system administrator to verify who has used the system and/or accessed patient/client data. Related monitoring technologies help identify and protect against technical glitches and hacking.

Protected access systems safeguard telemedicine applications on wireless networks. A variety of security mechanisms may be used to provide both logical and physical restrictions, including firewalls and antivirus software that detects malicious programs and activity.

Patient/client confidentiality

Draft a disclosure protocol to ensure compliance with privacy regulations

Privacy is a paramount concern when transmitting electronic data.

Unauthorized network access, hardware tampering and interception of data may violate privacy requirements imposed under HIPAA, as well as other governing federal and state laws and regulations.

Both TMH partners should implement a disclosure protocol incorporating the following practices:

  • Obtain written permission from the patient/client before transmitting any protected health information.
  • Require all staff involved in TMH to execute confidentiality agreements, including contract and vendor personnel.
  • Allow only designated professionals to disclose health related information, such as the telepresenter and consulting and referring practitioners.
  • Mandate HIPAA training for staff and providers, covering such topics as information security, common sources of breaches and consequences of protocol noncompliance.
  • Transmit patient/client data on an as-needed basis and monitor staff for inappropriate access to protected health information.

The privacy obligations of health care practitioners extend to the environment where interactive consultations occur. The following provisions can help safeguard patient confidentiality:

  • Ensure that the patient/client is aware of and grants approval for all personnel participating in consultations, including the telepresenter.
  • Place a conspicuous sign on the exam door, notifying others that a consultation is in progress.
  • Prohibit the use of unauthorized cameras and cellular telephones in the examination room, using a signed consent agreement if necessary.
  • Schedule TMH sessions in a designated area that is suitably enclosed and private, rather than in an administrative suite or other public space.

Quality improvement

Measure outcomes for clinical care and technical support

Delivery of high-quality TMH services depends upon systematic monitoring and ongoing improvement of key processes. The following basic measures can help business owners more effectively compile, evaluate and report on meaningful care-related data.

Outcome measurement offers practitioners useful information about how well a TMH program is functioning, including further refinements that may be needed. Indicators should capture clinical, efficiency and satisfaction outcomes, including:

  • Patient/client complication and morbidity rates.
  • Compliance with provider performance criteria.
  • Diagnostic accuracy.
  • Adherence to clinical protocols.
  • Referral rates.
  • Patient/client satisfaction levels.
  • Cost per case.
  • Delays in accessing consultations, referrals or specialty providers.
  • Average waiting times.

Standardized clinical protocols, properly implemented, can enhance quality and efficiency. By outlining a step-by-step process, protocols help improve consistency of care and performance of staff, and also ensure that test results are delivered in a timely, accurate and confidential manner. For interactive consultations, protocols minimally should advise providers on how and when to:

  • Schedule a consultation.
  • Arrange for a consulting room.
  • Set up necessary equipment.
  • Establish network connections.
  • Prepare and advise the consulting provider, patient/client and telemedical presenter.
  • Document consultation findings.
  • Secure and back up required data.
  • Prepare reports.
  • Inform patients/clients and other providers of test results.

The American Telemedicine Association has promulgated a variety of practice guidelines (http://hub.americantelemed.orghttp://hub.americantelemed.org/resources/telemedicine-practice-guidelines). In addition, the Telehealth Resource Center provides information on protocol development (www.telehealthresourcecenter.org/toolbox-module/creating-protocols).

Incident reporting helps providers identify and respond to patient/client complications or other adverse events that may arise during telemedicine care. Providers should be instructed to document occurrences and forward reports promptly to the appropriate individual per written policy. A thorough, timely review of events helps foster a culture of accountability and continuous improvement.

Regular equipment testing and maintenance helps prevent potential technical and user problems. Equipment should be suitable for diagnostic and treatment uses, readily available when needed and fully functional during clinical encounters. Safety guidelines should specify who is responsible for maintenance. Utilize checklists or logs to facilitate documentation of post-installation testing, pre-session calibration, and ongoing quality checking of audio, video and data transmission capabilities.

Satisfaction surveys capture vital data regarding patient/clients and provider perceptions of the TMH program, as well as utilization patterns and the overall quality of TMH care. Surveys also can reveal unexpected barriers to care, including accessibility issues and cost. Sample survey formats for telehealth encounters are available at https://healthit.ahrq.gov/sites/default/files/docs/survey/telehealthpatientsatisfactionsurvey_comp.pdf and www.techandaging.org/Telehealth_Patient_Satisfaction_Survey.pdf.


Employ interactive teaching modules to ensure key competencies

Staff training should focus primarily on learning the skills necessary to conduct consultations and other TMH services smoothly and efficiently. At a minimum, training sessions should aim to enhance the following competencies:

  • Communication skills, including video presentation content, organization and etiquette.
  • Understanding the scope of services that can be provided using TMH methods.
  • Proficiency with the technology system in use, as well as the physical environment.
  • Knowledge of operational protocols and procedures, updated as necessary.
  • Ability to respond to equipment malfunctions and manage unexpected occurrences.

Optimally, staff should begin with separate training sessions at the originating and distant sites, then progress to mock joint procedures before advancing to real-time provision of care. A wide variety of training modules is available, serving a range of procedures and existing proficiency levels. The Telehealth Resource Center offers guidance on developing a training strategy (www.telehealthresourcecenter.org/toolbox-module/developing-training-strategy), as well as answers to commonly asked questions concerning training of TMH providers (www.telehealthresourcecenter.org/toolbox-module/training).

Informed consent

Disclose risks unique to the practice of telemedicine

Patient/client consent is always required prior to participation in TMH services. Providers often use existing consent and documentation processes for store-and-forward consultations. For more invasive procedures, a separate consent form is preferable, encompassing the following information:

  • Names, credentials, organizational affiliations and locations of the various health professionals involved.
  • Name and description of the recommended procedure.
  • Potential benefits and risks.
  • Possible alternatives, including no treatment.
  • Contingency plans in the event of a problem during the procedure.
  • Explanation of how care is to be documented and accessed.
  • Security, privacy and confidentiality measures to be employed.
  • Names of those responsible for ongoing care.
  • Risks of declining the treatment/service.
  • Reiteration of the right to revoke consent or refuse treatment at any time.

In addition, clearly convey to the patient/client the inherent technical and operational hazards that may impede communication with the distant site or otherwise prevent prompt, accurate diagnosis of patient/client conditions. These include:

  • Fiber-optic line damage, satellite system compromise or hardware failure, which could lead to incomplete or failed transmission.
  • File corruption during the transmission process, resulting in less than complete, clear or accurate reception of information or images.
  • Unauthorized third-party access, which may lead to data integrity problems.
  • Natural disasters, such as hurricanes, tornadoes and floods, which can potentially interrupt operations and compromise computer networks

Consent form documentation becomes part of the patient/client health care information record and is customarily maintained at the originating site, where the patient/client receives routine care. Sample telemedicine informed consent forms are available from the American Telemedicine Association at https://thesource.americantelemed.org/resources/telemedicine-forms.

Record maintenance

Create and retain formal patient/client care records for all TMH encounters

Telemedicine sessions should be as thoroughly documented as all other patient/client encounters, with both partners to the TMH agreement contributing to the process. According to the American Health Information Management Association, TMH records minimally should include:

  • Patient/client name.
  • Patient/client identification number at originating site.
  • Date of service.
  • Referring practitioner’s name.
  • Consulting practitioner’s name.
  • Provider organization’s name.
  • Type of evaluation to be performed.
  • Informed consent documentation.
  • Evaluation results.
  • Diagnosis/impression of providers.
  • Recommendations for further treatment.

The use of standardized intake and consultation forms can help providers achieve compliance with documentation parameters.

Templates, such as those available from the American Telemedicine Association, offer staff a clear and consistent documentation format for evaluations and consultations (https://thesource.americantelemed.org/resources/telemedicine-forms).

Facilities also must select acceptable media for record keeping, such as electronic files, hard copy and/or video or audiotape. Protocol routinely dictates that the originating site retains files and images, providing the distant site with access to data when needed. Record retention policies should comply with professional standards, federal and state laws and regulations and the reimbursement requirements of public and private payers.

Health care business owners can help streamline the archiving process by assigning “lifespans” to patient/client data and medical documents stored in computer memories, based on such factors as last date of patient/client treatment, provider access requirements and record retention policies. For many organizations, data are maintained on a locally designated and protected server, with replication servers backing up files in the event of a disaster, computer problem or other type of business interruption.

Technical support

Implement a robust, high quality telecommunication system

Interactive TMH encounters depend upon a reliable and secure telecommunication system. Connections are of the utmost importance and should support business-grade videoconferencing with clear sound. Available options range from portable video conferencing units to large screen, high-definition consoles. Relying on the basic Internet for connection, rather than a private network dedicated to health care applications, may compromise quality and interfere with effective diagnosis or treatment.

Health care business owners can streamline the equipment selection process by compiling a list of general requirements and technical specifications for videoconferencing systems, ancillary devices and post-purchase support needs. Choices are generally guided by imaging needs, existing infrastructure and budgetary realities.

Regardless of the specific equipment selected, TMH systems should:

  • Comply with all relevant laws, regulations and codes regarding patient/client safety and technical requirements.
  • Provide redundant systems to help ensure uninterrupted network connectivity.
  • Utilize connections exclusively designated for telemedicine, rather than local networks, which may be incompatible with TMH image transmission and archiving applications and/or lack sufficient bandwidth.
  • Permit networks to connect through existing firewalls.

It also is necessary to accommodate the physical and environmental demands of TMH operations. Patient/client rooms must be sufficiently spacious to allow at least six feet between the patient/client and the camera operator. In addition, adequate HVAC capabilities and accessible infection control supplies – such as antibacterial wipes, sterile plastic sleeves for probes and camera lens disinfectant are essential to patient/client safety.

As with any new venture, successful implementation of a telemedicine program requires careful planning and collaboration by multiple stakeholders, both inside and outside the business. The strategies presented in this resource can help health care business owners initiate and maintain a high quality TMH program, which maximizes efficiency and convenience while minimizing associated risks.