Telemedicine Licensure and Data Security
Technology perennially introduces problems for compliance with law and regulation. But often technology can help alleviate those problems by fostering transparency and accountability.
Take for instance telemedicine, a promising family of technologies for making healthcare more affordable and accessible. Telemedicine allows, for example, a geographically remote physician to examine and treat a patient. It can do wonders for a patient in a rural clinic who needs attention from a specialist in a distant city. But telemedicine raises medical license issues for a physician in, say, Illinois who is treating a patient in Wyoming. If the Illinois specialist must become licensed in each state where her patients happen to be at the time she delivers care, then red tape will impede her practice of telemedicine.
Telemedicine also raises data security issues. On the Internet, data security law is bewilderingly confusing because authorities have recently issued a cacophony of new and very demanding laws, regulations and standards. Often these rules are poorly written and reflect expectations that are unrealistic in our networked society. Assorted guidance like HIPAA, state privacy regulations, breach notification laws, "20 Critical Security Controls", PCI-DSS and others purport to tell us how to protect data that might be involved in a telemedicine transaction. But full, strict compliance with all these requirements is sparse if not impossible in the real world, as demonstrated by the daily parade of stories about how private data has leaked out of hospitals, corporations, universities, government agencies (federal, state, local and foreign) and every other organization under the sun.
So do these legal problems mean telemedicine is doomed? No. Just as Internet technology looks like a dark cloud to anyone seeking literal compliance with all applicable laws, information technology itself provides a silver lining. Technology engenders the transparency and accountability that are favored in law.
The Internet allows a practitioner of telemedicine to explain to regulators – and to prospective patients – what she is doing, the value of it and the risks associated with it. It enables the specialist doctor in Illinois to publicize, via web postings, how she is helping patients in numerous other states, how she is taking rational steps (such as involving local doctors) to avoid or limit any medical injury in target states, and how she is endeavoring (albeit imperfectly) to protect private data. Through the Internet, she can invite any regulators or members of the public who have reservations or constructive suggestions about her activities to contact her and discuss.
IT further allows the specialist's telemedicine system to store copious, detailed records of what care was provided, when and how, including the good faith methods used to minimize any unlicensed practice of medicine and to safeguard the patient’s private data. Good records could even include full recordings of interactive videoconferences between patient and doctor. Good records are the basis for third-party review and accountability to the public.
Together, electronic transparency and accountability avoid a core evil that regulations abhor: a cover-up. So often, it is deception or cover-up that transforms a legally ambiguous situation into a violation of law. Here are four examples:
1. When computer crime experts differentiate good “white hat” computer security research from bad “black hat” hacking, a decisive factor is whether the suspect engaged in any trickery or concealment.
2. Martha Stewart did not go to jail for insider trading, though she did have inside information at the time of making a stock trade. She went to jail for attempting a cover-up of that trade, that is, obstructing an investigation into whether she had traded on insider information.
3. Arthur Andersen was not criminally convicted for the audit work it performed for Enron. Rather, a jury convicted Andersen for a cover-up, that is, destroying records that might be needed to review the audit work.
4. Law normally does not require a mere witness to crime to report it. But if the witness takes any step to prevent others from uncovering the crime, then the witness is herself guilty of the crime known as “misprision of a felony.”
Let me say all this another way: When literal compliance with complex law is difficult, parties are wise to talk candidly about the problem in public and about their good faith effort to comply. Candid communication can diminish expectations for strict compliance and can soften the law’s interpretation and enforcement.
I’m not saying that public relations and record keeping are all that's necessary to comply with law on the Internet. But when a person makes a sincere attempt to comply with otherwise conflicting, unrealistic or outdated regulations, transparency and accountability can weigh heavily in favor of a conclusion that the person effectively did comply.
Update 1: The technologies to support telemedicine are advancing to include more than just microphones and video cameras. Biomedical, Inc. has created a digestible computer chip, which can transmit medical information from inside a patient. Don Clark, "Take Two Digital Pills and Call Me in the Morning," Wall Street Journal, Aug. 4, 2009. Imagine a patient who ingests such a pill at home; the pill relays information to a device connected to the patient's home computer, which forwards it via the Internet to a remote physician.
Update 2: As cheap new technologies enable consumers at home to collect floods of data about their vital signs, issues will arise concerning the unauthorized practice of medicine. A person (possibly a remote physician who is not licensed in the consumer's state) or a software program may help the consumer interpret the data. Would this help constitute unauthorized practice of medicine, if the person or software explicitly disclaims giving medical advice or diagnosing disease and recommends that the consumer consult a licensed physician?
A few years ago, Texas lawyers questioned whether self-help software was engaged in the unauthorized practice of law. The legislature then enacted special legislation to declare that software is not engaged in unauthorized practice -- so long as the software conspicuously states it is not a substitute for the advice of an attorney.
Some worry that healthcare reform in the US will lead to a shortage of doctors. Kirch, "How to Fix the Doctor Shortage," Wall St. J., Jan. 5, 2010. If a shortage does materialize, state regulators may be less inclined to conclude that help from software or remote physicians constitutes the unauthorized practice of medicine. Regulators may feel that software and remote physicians can help to reduce the wait times for people who really need an in-person visit with a doctor.
--Benjamin Wright
Mr. Wright teaches the law of data security and investigations at the SANS Institute.
Update: Interview of Mr. Wright regarding telemedicine regulation.