Safe & Sound

 

Insights on the security and privacy of healthcare information.

Telemedicine Bill Prompts Privacy Questions

How Would Laws Handle Cross-State Data Breaches?

A bill just introduced in Congress proposes that Dept. of Veterans Affairs physicians be allowed to practice across state lines when treating patients through telemedicine. While I believe telemedicine can facilitate many great services to patients seeking care from hard-to-find specialists, the bill does shine a spotlight on many unanswered data privacy and security questions.

For instance, what happens if there's a data breach and doctors and patients are in different states? If one of those states has privacy laws (such as breach notification) that are stricter than federal HIPAA rules, which laws trump?


I've spoken to several experts about this issue, and the potential legal and security issues are fascinating.

In the case of the House proposal for VA patients and docs, it's likely that federal HIPAA rules would prevail, since the VA is a federal agency, says Timothy Rider, a legislative assistant to Rep. Charles Rangel (D-NY) who introduced the Veterans E-Health & Telemedicine Support Act of 2012 (H.R. 6107) with Glen Thompson (R-PA) and 11 other bipartisan co-sponsors.

However, this bill aside, there's also been a push underway for some time among organizations promoting the use of telehealth, including the American Telemedicine Association, to loosen up state laws that currently prevent healthcare providers in the private sector from treating patients across state lines via telemedicine.

For instance, there have been industry and legal discussions about changing state laws governing the practice of medicine so that doctors can provide care via telemedicine technologies to patients in other states, especially where some specialists, like dermatologists or radiologists, are in short supply, says Jonathan Linkous, CEO of the American Telemedicine Association.

In fact, one of the key drivers for the proposed telemedicine bill is to make it easier for veterans suffering post-war mental trauma and stress disorders to connect from their homes with VA mental health professionals, says Rider.

Currently, doctors who provide telecare for patients across state lines need to have medical licenses in the states where the patients are located. Linkous says that approximately 20-25 percent of U.S. doctors have licenses in more than one state, costing U.S. healthcare providers about $300 million annually for those credentials. National medical licensing of physicians is among the ideas floated to address those issues, he says.

Still, whether state medical licensing issues get resolved anytime soon, legal experts eventually will be forced to tackle questions about applicable data privacy and security laws. Whether it's a data breach involving telemedicine, or even a breach related to the sharing of patient data across state lines via a multi-state health information exchange organization, privacy and security legal debates are unavoidable.

"Physicians who begin serving patients in other states will need to be sensitive to privacy and security restrictions that other states may impose," says Adam Greene, formerly of the Department of Health and Human Services' Office for Civil Rights, and now a partner at law firm Davis Wright Tremaine.

For instance, in Massachusetts, laws require that any person who owns or licenses personal information on a resident of the state - regardless of where the owner/licensor is based - must comply with a laundry list of data security requirements, including encryption of transmitted data. While that's not a federal HIPAA requirement, out-of-state healthcare providers involved with patients in Massachusetts had better be aware of the state's stipulation.

As for telemedicine, those technologies - including remote patient monitoring, web-conferencing, and digital medical imaging - aren't any more susceptible to hacking and intrusions than other forms of health IT, Linkous says.

Perhaps so. But even a telemedicine doc could potentially lose an unencrypted mobile device containing protected health information of telemedicine patients.

"In general, before providing telemedicine services in a state, it may be worth reviewing whether that state's privacy and security laws, for example release of medical information laws, are limited to healthcare professionals licensed in that state, or are broader in scope," suggests Greene.

If medical licensing laws get expanded to allow doctors to treat patients across state lines via telemedicine, state privacy laws and HIPAA regulations will eventually get tested. Regulators, privacy advocates and lawyers should be prepared, and telemedicine doctors and patients must also be aware of the potential privacy risks.

It's too soon, of course, to tell if the VA telemedicine bill will ever get signed into law, but I suspect the topic of cross-state telemedicine will remain a hot issue - especially as e-health services such as remote monitoring of the chronically ill and e-consultations with medical specialists grow in popularity and technologies improve. Questions about patient privacy and data security requirements need to be thought through before - not after - states contemplate making changes to their medical licensing laws.



About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




