The Problem with Skype and the Telemedicine Solution

March 15th, 2015

Privacy and confidentiality issues are of equal importance when using a telemedicine platform as in that of conventional, face to face medical consultations. A telemedicine clinician has the same duty to safeguard a patient’s medical records, keep treatments confidential and to store electronic files, images, audio/video etc., with the same precaution and care as those mandated to paper documents.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of personal health data. The HIPAA Security Rule set national standards for the security of protected health information (PHI) that is created, stored, transmitted, or received electronically (ePHI). To ensure confidentiality, integrity, and availability of ePHI data, the HIPAA Security Rule requires organizations and individuals to implement a large series of administrative, physical and technical safeguards when working with ePHI data.

The Cost of Failure Depends on the Type of Failure

Failure to comply with HIPAA requirements can result in civil as well as criminal penalties, and these penalties can apply to both covered entities and individuals. Section 13410(D) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act by establishing (1) four categories of violations that reflect increasing levels of culpability, (2) four corresponding tiers of penalties that significantly increase the minimum penalty amount for each violation, and (3) a maximum penalty amount of $1.5 million for all violations of an identical provision.

Civil Monetary Penalties (per tier; every tier is capped at $1.5 million for identical provisions during a calendar year)

  Tier 1: Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation. Penalty: $100 – $50,000 for each violation.
  Tier 2: HIPAA violation had a reasonable cause and was not due to willful neglect. Penalty: $1,000 – $50,000 for each violation.
  Tier 3: HIPAA violation was due to willful neglect but the violation was corrected within the required time period. Penalty: $10,000 – $50,000 for each violation.
  Tier 4: HIPAA violation was due to willful neglect and was not corrected. Penalty: $50,000 or more for each violation.

Criminal Penalties (per tier, with the potential jail sentence)

  Unknowingly or with reasonable cause: up to one year.
  Under false pretenses: up to five years.
  For personal gain or malicious reasons: up to ten years.

Complex Rules, Simple Goal

Individual states have created a motley patchwork of telemedicine regulation that is now starting to gain greater uniformity through regional compacts. While there is some room for interpretation of these state laws, the Federal laws are clear about a number of issues. For instance, Skype is not HIPAA-compliant, and the perils of using it for telemedicine purposes are high.

As you read through all of the Federal government rules and regulations, you’ll learn that HIPAA really just requires businesses that use doctors’ files to do four things:

  1. Put safeguards in place to protect patient health information.
  2. Reasonably limit access to ePHI and sharing to the minimum necessary to accomplish your intended purpose.
  3. With all service providers (business associates) performing covered functions or activities for you, make agreements (Business Associate Agreements, or BAAs). These agreements are to ensure that these business associates only use and disclose patient health information properly and safeguard it appropriately.
  4. Have procedures to limit access to patient health information and implement a continuing education program for you and your employees covering how to properly protect patient health information.

Examples of Violations

Despite these rules being debated and discussed in the medical community prior to their mandate in 2009, a number of medical professionals have found themselves faced with large civil fines. A small fraction of the many violations include some of the following headlines:

While some of these violations occurred at hospitals, private practices are also at risk, especially as a number of newcomers to the telemedicine market have been pitching others on non-HIPAA-compliant messaging and videoconference solutions.

HIPAA Compliant Telemedicine Options

ClickAClinic is a HIPAA-compliant, cloud-based telemedicine platform that individual patients can use to book online doctor consultations, and that individual doctors and practices – medical or psychological – can use to expand their range of services. Our EMR, like our videoconferencing and messaging solutions, is also customizable and is able to suit the needs of someone in the medical or mental health fields. We continue to abide by and exceed the HIPAA standards to ensure that our patients’ information is safe. If you have recently used a telemedicine platform that is not HIPAA compliant, know that your patients’ private health files are at risk and that if you are discovered you will face hefty fines.


Researched and composed by Ariel Sheen