Emerging Internet Telemedicine Issues

New Jersey Law Journal   December 24, 2007

Internet telemedicine is plagued by concern for patients whose physicians prescribe medication without a face-to-face examination. Consequently, state boards of medical examiners and state legislatures throughout the country have initiated disciplinary hearings and legislation to limit a physician’s ability to practice medicine without prior hands-on contact with a patient.

Emerging Internet Telemedicine Issues

Privacy and consent are two the many problems plaguing physicians’ use of the Internet

By Jonathan Bick -- Bick is of counsel to WolfBlock Brach Eichler of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also the author of 101 Things You Need To Know About Internet Law [Random House 2000].

            Internet telemedicine is plagued by concern for patients whose physicians prescribe medication without a face-to-face examination. Consequently, state boards of medical examiners and state legislatures throughout the country have initiated disciplinary hearings and legislation to limit a physician’s ability to practice medicine without prior hands-on contact with a patient.

            Emerging technology and medical advancements may be stifled by problems unique to Internet telemedicine. For instance, the next generation of pacemakers enables a doctor to audit and adjust the parameters of a pacemaker via the Internet. These devices face technological hurdles, such as communication privacy and device security. In addition, most states require pacemaker prescriptions for changes in pacemakers. Limiting Internet prescriptions, as is currently proposed in most states, would hobble or minimize the deployment of Internet adjustable pacemakers.

            Attorney generals throughout the United States are requesting legislation that would require people to have "face-to-face" examinations by a licensed medical practitioner before ordering prescription drugs over the Internet. These requests are based on the perceived need to close loopholes in the state law dealing with Internet pharmacies.

            In most states, prescription drugs can be ordered over the phone or on the Internet simply by answering a few basic questions. Internet sales have soared since the first online pharmacies appeared in 1999. The convenience of buying drugs online 24-hours-a-day appeals to most people, especially the disabled and housebound. Due in part to lower cost of doing business, medicines are often cheaper online and the Internet provides an element of privacy for those who are too embarrassed to discuss their conditions face to face.

            A patient fills out an Internet questionnaire, which is evaluated by a medical doctor who then authorizes the pharmacy to send the medication to the patient. There is no face-to-face consultation and no medical examination involved. Medical records are not required, and there are no lab tests or follow-ups. Some Web sites offer an online consultation, though most physicians are independent contractors who charge a fee for their service, separate from the prescription.

            In some instances, the use of such telemedicine has resulted in medical difficulties. These difficulties in turn have encouraged the call for more limitations on Internet telemedicine.

            Telemedicine has experienced numerous phases since the phrase was coined in the 1970s to refer to health care delivery where physicians examine distant patients through the use of telecommunications technologies. The use of video-conferencing equipment is one of the earliest forms of technologies used in telemedicine. Subsequently, peripheral devices were attached to computers or used in conjunction with the video-conferencing equipment for an interactive examination. For instance, a tele-otoscope allows a remote physician to 'see' inside a patient's ear; a tele-stethoscope allows the consulting remote physician to hear the patient's heartbeat.

            The initial phases of telemedicine incorporated traditional telephone lines, which have enjoyed historical privacy rights. The current phase uses Internet communications, either directly or via Voice Over Internet Protocol, to facilitate patient-physician interaction, including diagnosis, consultation and education, as is currently used by radiologists (tele-radiology) or by cardiologists (tele-cardiology). The future of telemedicine, such as the Internet linked pacemakers, will allow the transfer of medical data and instruction, which will result in changes in treatment.

            Currently, the Internet's primary role in telemedicine is to handle the data transmission needed for real-time applications. State medical boards have widely accepted Internet patient-physician interactions unless they involve treatment, such as the prescription of medication. When health-care providers use the Internet for patient communications, they must comply with a number of federal and state statutes. The Privacy Act of 1974 (5 U.S.C. 552a (1998)) and the Freedom of Information Act (codified at 5 U.S.C. 552 (1998)) limit Internet telemedicine use by health-care providers.

            In particular, these statutes prescribe protections for electronic medical records at Medicare and Medicaid programs maintained by a federal agency, at insurance companies acting as intermediaries for the Medicare program and at hospitals maintaining medical records under a government agency contract. Practice guidelines prepared by health-care provider associations have traditionally been recognized by the courts as a standard by which health-care providers' actions have been judged. The conservancy, privacy and confidentiality of electronic medical records are no exception.

            Internet telemedicine is complicated by jurisdictional issues, since a physician and patient are often in different states. Federal tort law generally holds that the laws of the patient’s state will determine the nature and basis for a claim. Thus, if a physician in New York has an Internet telemedicine consultation with a patient in New Jersey, the New Jersey "rules of patient engagement" govern the interaction. Due to the variability of rural and urban "community standards of care" unexpected legal liabilities may arise.

            A related, similarly unresolved issue is the question of licensure. If a physician has only a New York license, is he allowed to consult with a patient in New Jersey? Currently, the answer depends upon state law; consequently as states enforce laws that require face-to-face consultations, the potential use of Internet telemedicine diminishes.

            Another interesting issue associated with Internet telemedicine is the potential sharing of liability in medical malpractice cases. Certainly telemedicine involves many layers of expertise, and who will be legally responsible for the outcomes must be clearly defined.

            Internet telemedicine also gives rise to legal requirements for documentation. It is not clear which facility in an Internet telemedicine interaction should be required to have control of the corresponding medical record and in what format the record should be kept. The Electronic Signatures in Global and National Commerce Act (E-SIGN) (Public Law 106-229) enacted on June 30, 2000, suggests an answer. In particular, E-SIGN forbids the discriminatory treatment of an electronic signature for nearly every purpose. As per the law -- "a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form." E-SIGN eliminates legal barriers to the use of electronic technology to form and sign contracts, collect and store documents, and send and receive notices and disclosures.

            E-SIGN applies broadly to federal and state statutes and regulations governing private-sector activities. The act generally covers legal requirements that information be disclosed in private transactions. It also requires that agencies generally permit private parties to retain records electronically. The government may establish appropriate performance standards for the accuracy, integrity and accessibility of records retained electronically, to ensure compliance with applicable laws and to guard against fraud.

            Any widespread use of telemedicine over the Internet or other networks will necessitate the use of multiple codes to allow for variable levels of access to information, as well as great efforts to secure the systems against hackers. Nightmare scenarios include accidentally transmitting medical information to the wrong address (or to someone masquerading as a physician) and allowing hackers to break into medical information that they then broadcast over the Internet. A more likely and equally troublesome possibility is that medical information could become more readily available to non-clinical staff.

            The potential for unlawfully mishandling patient data is a significant concern when a health-care provider considers using the Internet. In particular, this concern gyrates around the abuse of personal information in a deceptive and misleading fashion. Such mishandling of patient data can give rise to remedial proceedings under most state consumer protection laws. For example, New Jersey could take action against providers who shared personal medical data with third parties (private practice medical groups) without disclosure to, or the consent of, affected patients, thereby violating state consumer protection laws.

            Prior to HIPAA, a comprehensive personal right to privacy in one's medical affairs did not exist. The Health Insurance Portability and Accountability Act directed the Department of Health and Human Services to implement regulations providing for the protection of personal medical records and information from disclosure without the affirmative consent of the affected individual. HIPAA thus required health-care providers to secure an individual's consent before using the Internet to communicate medical information.

            HIPAA does not require complete compliance, merely substantial compliance. Substantial compliance may be shaped by health-care provider associations. Health-care provider associations should provide education initiatives for their members regarding medical record privacy and health information security that explicitly address Internet communications between providers and patients. They should also develop legally appropriate guidelines for Internet communication systems and the preservation of patient-physician relationships.

            In particular, health-care associations might suggest that all health-care provider e-mails be copied to a patient's electronic file to address conservancy issues. To address privacy issues, they might suggest that e-mail from providers to patients be sent as attachments that require a password to open rather than as a message in the body of an e-mail. In addition, they might suggest limiting access to e-mail files to address confidentiality issues.

            Additionally, health-care associations could develop an informed e-mail-consent process, apprising patients of the privacy implications and inherent risks of e-mail communication. Also, health-care provider managers should provide their employees notice and training with respect to electronic records. Employee handbooks and annual training sessions should be employed to insure that the action of a rogue employee does not result in adverse legal consequences for the provider.

            Health-care providers should contact their malpractice insurers and specifically ask them to define the acceptable parameters of e-mail consultation practice that will be covered under their insurance contracts. Finally, as state medical boards continue to insist upon physical contact as a requirement for treatment, due in part to their desire to curb Internet facilitation of drug fulfillment, they must limit their rulings so as not to hamper the Internet's role in telemedicine.