Bill Heller works on our operations team keeping all Cliniko accounts safe, so he knows a thing or two about telehealth security. Here's his take on the controversy surrounding Zoom and what you need to know to protect your patients and your business.
COVID-19 has transformed the way we live and work, perhaps changing the way we work in the healthcare industry most of all. Patients have had to seriously consider the risks of entering a clinic or medical facility at a time when they were being heavily encouraged to just stay home. It’s not hard to imagine that these patients may have felt like receiving treatment was almost impossible at times.
Enter – telehealth.
Telehealth quickly rose to popularity and prominence – practitioners, patients, practice managers and their team members all had to get their heads around what this meant for the present and future of how healthcare is practiced in Australia.
Many healthcare providers now offer a telehealth consultation when a physical examination isn’t essential. It’s not intended to replace essential visits to the doctor, but rather to be a convenient solution when you can’t see a practitioner face-to-face.
Of course, when commencing telehealth services, it’s important to consider and understand the legal risks and implications that telehealth exposes a practice to. Let’s have a look at a few steps you can take to alleviate risk to your practice.
1. Assess appropriateness of a telehealth consultation.
This is on the top of our list for a reason. This is the first step, and it is a crucial one for risk avoidance. Not all healthcare services are appropriate for telehealth.
- Health providers should ask themselves whether telehealth is safe and clinically appropriate for the patient. Can a true diagnosis or treatment be completed without physical examination?
- Be aware of the limits of technology, and the impact it may have on providing a service to the same standard as an in-person consultation. Notify the patient or client if this is the case.
- Continue to evaluate whether direct physical examination is necessary to provide good care for the patient and their particular situation.
- Be prepared for the unexpected and ensure you can provide a quick response in case of any unforeseen occurrences, like system failures or a rapid change in patient condition.
A simple identity confirmation will alleviate a surprising amount of risk for a medical practice. This will help you to:
- prevent disclosing information to someone other than the patient.
- ensure that the medical practice or medical provider correctly identifies the patients and accurately matches them to their medical records in order to provide the correct service/treatment.
- prevent fraud.
- prevent medical identity theft.
- prevent medicines from falling into the wrong hands.
- prevent breaches of privacy laws.
- protect the reputation of the medical practice by fostering high levels of trust and patient confidence in the practice and services provided.
There have been examples where well-meaning Australian citizens have offered their Medicare cards to people in their communities who do not have Medicare cards due to their visa status. It is much easier for this to occur, and hence for all of the problems listed above to arise, if the health professional is meeting via telehealth and perhaps has never met the patient in person.
During a telehealth consultation, a telehealth provider must identify himself or herself and confirm the identity of their patient or client.
The telehealth provider should also provide an explanation to the patient or client of what to expect from a telehealth consultation. This can be done in advance with something as simple as a flysheet.
Multiple pieces of legislation and cases work together to make up Australian law surrounding informed consent. One of the clearest legislative statements comes from Victoria, whose Charter of Human Rights and Responsibilities states:
‘...a person must not be subjected to medical treatment without his or her full, free and informed consent.’
There is also a common law tort called ‘The Tort of Medical Trespass’. It states that if you inappropriately deal with a person, even if that person is your patient, you may be liable for damages. This is where informed consent comes into play—the defence to any form of trespass is full, free, and informed consent. Obtaining informed consent is therefore critical to reduce risk in your practice.
In a telehealth arrangement, a telehealth provider must ensure that:
- the patient is provided with appropriate and adequate information.
- the given information is provided in a way that is understood.
- the patient or client is aware of the consequences of a decision made in relation to this information.
- informed consent is obtained (particularly related to fees, proposed treatment, the sharing of information, and recording the consultation).
4. Confidentiality, privacy, and cyber security—for practices & patients.
The Privacy Act 1988 (Cth) protects a patient’s right to privacy and requires that all health service providers observe the patient’s privacy and confidentiality.
In a telehealth setting, providers should:
- be mindful that the patient’s right to privacy is being observed, especially if the telehealth provider is working from home.
- comply with the principles regulating the collection, use, disclosure, and storage of health information, whether providing services via face-to-face consultation or via telehealth.
- ensure that both the patient and the health service provider are somewhere private, so that medical or sensitive information is not inadvertently disclosed to anyone the patient or the health provider doesn’t want to share it with. Avoid discussing private information in crowded areas, like a bus or train. A room on your own with the door closed is ideal.
5. Keep personal information safe.
Whether you’re an organisation or individual, it is essential to ensure that you keep your personal information and the personal information of others safe from potential threats or cyber-attacks which could compromise the safety of your sensitive information and damage the reputation of your organisation.
You can take the following steps to minimise risks to personal information being compromised:
- become cyber-security aware. Always double-check that the emails you receive genuinely come from the sender they claim to be from, whether that is a healthcare provider or otherwise. Do not click on or download any attachments in emails that you are unsure of, as they can often contain viruses or phishing attacks.
- consider the pros and cons of cyber-security insurance. Inform patients that if an email looks suspicious, they should ring their health care provider to confirm whether the provider did in fact send it.
- block and report any suspicious email senders, and don’t respond to unsolicited emails, calls or texts.
- healthcare organisations should invest in IT security to ensure that the safety of their patients’ information is not compromised. As this area is constantly evolving, check with an IT expert regularly to ensure that your practice is adequately protected.
6. Continuity of care and health record maintenance.
Ensuring continuity of care and maintaining clear and accurate health records of the consultation improves patient satisfaction. It can also increase your data and billing accuracy. You can cut back on duplicate patient records and reduce the risk of a medical inaccuracy, a misdiagnosis, or an ineffective treatment.
- ensure that regular notes and records are completed as usual, while also recording extra observations including appearance, body language, demeanour, patient understanding, and unexpected issues.
- record information relating to consent, explanations, risks, treatment, diagnosis, advice, and instructions given to the patient and plans for a follow-up.
This list is by no means exhaustive, but it can be a good start for protecting your clinic from the legal risks associated with telehealth. For further questions about governance, or if you’re interested in some advice about the vulnerabilities in your practice, feel free to get in touch with You Legal.