Telemedicine Needs Privacy Protections
OPINION -- Chair Greenlick and members of the Health Care Committee,
I have previously testified before the Senate Health Care Committee on this telemedicine bill.
I hope you amend SB 144 A before the 5/11 work session. Don't get me wrong. Both public and private health plans should cover the cost of telemedicine. With this bill, as it is currently written, telemedicine will not meet the privacy and safety standards of face-to-face healthcare.
Certainly Dr. Buehler must be concerned about the following:
- Physicians licensed here in Oregon will compete with doctors out-of-state. Silicon Valley investors (including Google Ventures) have invested in Doctor on Demand. This will allow doctors like Dr. Christopher Pederson, whom the OBME just approved for a telemedicine license in Dec. 2014, to see patients in Oregon. No need to be connected to a facility here. No need for a face-to-face. No laws regulating this. Dr. Phil's video marketing this is startling!
- Dr. Buehler will be on the hook for meeting privacy standards with the HIPAA Privacy Rule, but there are no standards to meet for the HIPAA Security Rule. That means a teleconferencing company can say it is "HIPAA compliant" and have incredibly weak security. But if there is a breach... the provider will be liable. And since there is precedent for HIPAA lawsuits for negligence, a doctor should know that the telemedicine is on a secure platform.
The Telehealth Alliance of Oregon knows this. Zoomcare, which uses Skype, knows this. Click on this link: http://www.ortelehealth.org/content/privacy-and-security-0
How to fix the bill?
- Out-of-state physicians can perform telemedicine only with a formal contractual agreement with an in-state hospital or clinic to assure patients get urgent/emergent and follow-up care as indicated.
- For primary care providers delivering telemedicine, require a face-to-face appointment before any telemedicine services can be performed.
- Specify encryption standards for secure transmission to set a minimum bar for security standards in Oregon, even though the federal government does not require this.
- Establish how records will be maintained to assure patients can access them in accordance with HIPAA.
- Require that a business associate agreement be signed between the telemedicine videoconferencing company and the provider/clinic/hospital.
- Require a consent form be signed by a patient before any telemedicine is performed.