
Solving Issues in Teledermatology

June 2003

Until recently, no viable economic model existed for the ongoing, profitable deployment of teledermatology systems. Consequently, most teledermatology systems disbanded when the grants stopped. Without the incentives that adequate reimbursement brings, only those who are “true believers” in teledermatology have been willing to put in the hard work that facilitating a project requires. Previously, teledermatology projects were funded by government grants or operated in closed systems such as prisons or the military, where insurance reimbursement for medical services does not occur. This situation has been evolving in recent years.

The Balanced Budget Act of 1997 (TBBA) required payment for telemedicine services meeting set provision of care standards. Under TBBA, Medicare rules required the presence of a Medicare participating tele-presenter to qualify for Medicare reimbursement. This added much expense to the provision of teledermatology services without adding much value for the practice of store and forward teledermatology. Medicare rules also required that the tele-presenter participate in mandated fee sharing between the tele-presenter and the consulting physician. This requirement of “fee splitting” is contrary to other Medicare rules that prohibit payment of remuneration in exchange for referrals. These existing Medicare requirements basically limited reimbursement to two-way video telemedicine services, which are rarely used to practice teledermatology. Moreover, because some hospitals and doctors feared the criminal liability involved in such “fee splitting,” many didn’t want to be involved in telemedicine systems that sought Medicare reimbursement.

The Rules Relax

In December 2000, Congress passed an omnibus appropriations bill that liberalized the rules for reimbursement for telemedicine services. The omnibus appropriations bill (“OAB” [H.R. 5661]) wholly redid the Medicare rules for reimbursement for telemedicine services.
The OAB, which came into effect on October 1, 2001, permits the use of telemedicine services to deliver care under the prospective payment system applicable to home care (Section 504). Moreover, in Section 223, it:

• expanded the definition of originating sites to include physician and practitioner offices, critical access hospitals, rural health clinics, federally qualified health centers and hospitals (but not nursing homes)
• expanded the geographic regions in which originating sites are located to include rural health professional shortage areas, any county not located in an MSA, and any entity approved for a federal telemedicine demonstration project
• permitted use of store and forward applications in Alaska and Hawaii
• eliminated the provider “fee sharing” requirement
• eliminated the requirement for a Medicare participating “tele-presenter”
• allowed originating sites to be paid $20 per visit to recover facility costs, with increases in 2003
• expanded telemedicine services to include direct patient care, physician consultations and office psychiatry services
• included payment for the physician or practitioner at the distant site at the rate applicable to services generally.

How Has This Affected Reimbursement?

It’s still unclear how much these changes have affected the provision of teledermatology services. And it’s clear that the full effect of this bill has yet to be felt. As changes such as the new $20 facility cost fee are utilized, some believe that the use of services will increase.

Private insurers, generally, don’t pay for teledermatology consultations. This might change in the near future. In this regard, it’s notable that on October 30, 2002, Blue Cross of California (Blue Cross) announced the implementation of store and forward telemedicine at the Sablan Medical Corporation primary care clinic in Firebaugh, CA, a rural community in Fresno County.
Blue Cross purchased and installed the Second Opinion Professional Store and Forward software designed and produced by Second Opinion Software, LLP, for the Sablan Medical Clinic and more than 15 other telemedicine sites within its telemedicine network. Using this store and forward software, a primary care physician is able to create electronic patient folders to store patient data and images that are sent via encrypted e-mail to a receiving specialty location. The receiving specialist reviews the patient images and data offline, prepares a recommendation and sends it back to the primary care physician. When using the store and forward option, participating Blue Cross primary care physicians are reimbursed for a standard office visit, while participating specialty physicians are reimbursed for a second opinion.

This program originated in a grant-funded program. Blue Cross launched the first-of-its-kind rural telemedicine program in July 1999. The program was made possible through an initial $1.8 million Rural Health Demonstration Project award the Company received in October 1998. The initial award and subsequent grants totaling more than $2.7 million were issued from the Managed Risk Medical Insurance Board (MRMIB) as part of the Healthy Families Program, the state-sponsored insurance program offering low-cost health, dental and vision coverage to children of low-income working families.

Legal Considerations for Teledermatology

All information recorded in the course of a medical examination is part of the medical record. Thus the images and data included in a teledermatology encounter are also part of a medical record. Many states require that medical records be kept unaltered and intact for long periods. So whereas the statute of limitations for medical malpractice is 2 years in New York, medical records must be kept intact for 7 years.
If teledermatology is practiced via e-mail, then such e-mail must be kept unaltered for this full length of time. Such long-term backup of e-mails isn’t universal but apparently should be. The inability to access teledermatology records can have serious implications for physicians using the systems. If information from a medical record is lost and litigation ensues against a doctor, the presumption is often that the physician is liable. This could be compounded in teledermatology cases because the patient was examined in an untraditional fashion by video screen.

How HIPAA Will Affect Teledermatology

The Health Information Portability and Accountability Act (HIPAA) will affect all aspects of medical care, as you know. In short, HIPAA establishes national standards for electronic healthcare transactions and national identifiers for providers, health plans and employers. It also requires that digital health data be kept private and secure. Adopting these standards is meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in health care.

HIPAA applies to so-called “covered entities.” A covered entity is akin to a provider under Medicare and includes doctors, hospitals and health insurance clearing houses. Providers of teledermatology services are covered entities under HIPAA.

Violation of HIPAA strictures on the dissemination of private digital medical data results in penalties. Any person who believes that an entity falling under the ambit of HIPAA violated its privacy requirements may file a complaint with the Health and Human Services Secretary. The Secretary has authority to investigate claims based on these complaints. The Secretary may also engage in compliance reviews and take informal or formal steps to gain compliance. There are two tiers of penalties: one for non-commercial, non-willful violations of the law and another for commercialization of medical information.
Luckily, the Secretary may reduce the amount of a fine or waive it entirely if the violation was not due to willful neglect of the requirements, and if the entity corrects it within 30 days of becoming aware of it. Non-willful, non-commercial violations can command a $100 civil penalty, up to a maximum of $25,000 per year for each standard violation (Section 1176 of HIPAA).

Congress has established criminal penalties for knowingly violating the patients’ right to privacy. These include the following:

1. penalties of as much as $50,000 and 1 year in prison for obtaining or disclosing protected health information
2. fines of up to $100,000 and 5 years in prison for obtaining protected health information under “false pretenses”
3. up to $250,000 in fines, and up to 10 years in prison, for obtaining or disclosing protected health information with intent to sell, transfer, or use this information for commercial advantage, personal gain or malicious harm (Section 1177 of HIPAA).

The implications of these legal standards for the practice will be discussed at the end of the HIPAA section.

It would seem that HIPAA would result in the disappearance of teledermatology systems that are not secure. Specifically, because e-mail (efforts at encryption notwithstanding) is not secure, teledermatology systems that simply involve the attachment of images to e-mails won’t be legally viable under HIPAA in the future. Other teledermatology systems that utilize large-scale databases must have integrated data protection, as I’ll discuss further. Any teledermatology system, then, will have to provide assurance to patients, the government, presenters and interpreters that the digital information in the databases is kept private and secure.

HIPAA sets certain security standards to protect digital information. These standards apply to both data storage and data communication. The digital images that teledermatology utilizes are covered by these standards.
For large organizations, the data storage standards involve administrative procedures to ensure that only those who care for patients have access to digital medical information, and physical safeguards to ensure the protection of data.

How to Protect Yourself

To facilitate the security of data, you should take the following steps:

• appoint a privacy officer to oversee the privacy of medical data
• institute information controls (formal, documented policies)
• create physical access controls
• create a policy on personal computer and workstation usage
• secure the location of computers and workstations
• provide security awareness training
• institute data access control
• document procedures for emergency access
• implement audit controls
• ensure data authentication
• ensure entity authentication
• institute auto logoff of inactive workstations and computers
• create unique user identifiers for tracking
• provide biometric, password or other personal identifiers
• assign security responsibility.

The transmission of data over open networks also benefits from digital certificates that authenticate data and data sources. Maintaining and authenticating digital certificates is a desirable activity for teledermatology providers.

Specifically, biometric, password or other personal identifiers might use thumbprint or retinal print readers, smart cards or passwords that can be traced to the user. These means of recording who views digital medical data are necessary so that those who access digital medical information can be identified. It also appears that technical security services will be available to ensure that the standards can be implemented and maintained.

All teledermatology systems must integrate compliant security standards and procedures. Failure to do so would make a system fatally flawed under HIPAA. The communication security standards have important implications for teledermatology programs as well.
HIPAA security standards require that communications over “open” networks such as the Internet be encrypted. It appears that 128-bit encryption is sufficient to satisfy the requirements of HIPAA. These encryption standards don’t apply to communications that occur over closed networks such as local area networks or Intranets.

HIPAA requires that covered entities (e.g. teledermatology providers) make sure that those with whom they deal directly, so-called “business partners” (those who maintain computer systems), keep digital medical information private. Certain other entities with access to digital medical information are termed trading partners. Trading partners must enter into a “chain of trust partner agreement” with covered entities, promising to keep data secure. If a covered entity is aware that a business or trading partner is violating its agreement, it must demand that the partner correct its violations, and terminate the relationship if necessary.

Certification that a covered entity is complying with these standards is foreseen under HIPAA. Covered entities would be required to evaluate their information technology systems to certify that the appropriate security has been implemented. This evaluation could be performed internally or by an external accrediting agency. It’s most desirable to obtain certification for compliance “as part of, and in support of, the accreditation process” (e.g. JCAHO). The form of such accreditation has yet to be determined.

Non-willful violations of security standards, or failures to enforce business and trading partner agreements, would subject a teledermatology provider to fines but not jail time for violations of HIPAA. But if the operator of a teledermatology system resold or intentionally disseminated patient information, then substantial fines and jail time could be a reality.

Other Legal Considerations

There are a variety of other legal considerations involved with deployment of teledermatology systems. To provide care for a patient in a state, a physician must have a license in that state; telemedicine and teledermatology still can’t be practiced across state lines. The malpractice coverage for the practice of teledermatology still has to be defined, although a physician must review his or her policy to see if he or she is covered for providing teledermatology care.

Teledermatology can provide great benefit to patients. The potential and promise of this exciting new technology remain to be fully defined and realized.

U ntil recently, no viable economic model existed for the ongoing, profitable deployment of teledermatology systems. Consequently, most teledermatology systems had disbanded when the grants stopped. Without the incentives that adequate reimbursement brings, only those who are “true believers” in teledermatology have been willing to put in the hard work that facilitating a project requires. Previously, teledermatology projects were funded by government grants or operated in closed systems such as prisons or the military where insurance reimbursement for medical services does not occur. This situation has been evolving in recent years. The Balanced Budget Act of 1997 (TBBA) required payment for telemedicine services meeting set provision of care standards. Under TBBA, Medicare rules required the presence of a Medicare participating tele-presenter to qualify for Medicare reimbursement. This added much expense to the provision of teledermatology services without adding much value for the practice of store and forward teledermatology. Medicare rules also required that the tele-presenter participate in mandated fee sharing between the tele-presenter and the consulting physician. This requirement of “fee splitting is contrary to other Medicare rules that prohibit payment of remuneration in exchange for referrals. These existing Medicare requirements basically limited reimbursement to two-way video telemedicine services, which are rarely used to practice teledermatology. Moreover, because some hospitals and doctors feared criminal liability involved in such “fee splitting,” many didn’t want to be involved in telemedicine systems that sought Medicare reimbursement. The Rules Relax In December 2000, Congress passed an omnibus appropriations bill that liberalized the rules for reimbursement for telemedicine services. The omnibus appropriations bill (“OAB” [H.R. 5661]) wholly redid the Medicare rules for reimbursement for telemedicine services. 
The OAB, which came into effect on October 1, 2001, permits the use of telemedicine services to deliver care under the prospective payment system applicable to home care (Section 504). Moreover, (in section 223) it: • expanded the definition of originating sites to include physician and practitioner offices, critical access hospitals, rural health clinics, federally qualified health centers and hospitals (but not nursing homes) • expanded the geographic regions in which originating sites are located to include rural health professional shortage areas, any county not located in a MSA, and from any entity approved for a federal telemedicine demonstration project • permitted use of store and forward applications in Alaska and Hawaii • eliminated the provider “fee sharing” requirement • eliminated the requirement for a Medicare participating “tele-presenter” • allowed originating sites to be paid $20 per visit to recover facility costs, with increases in 2003 • expanded telemedicine services to include direct patient care, physician consultations and office psychiatry services • included payment for the physician or practitioner at the distant site at the rate applicable to services generally. How Has This Affected Reimbursement? It’s still unclear how much these changes have effected the provision of teledermatology services. And it’s clear that the full effect of this bill has yet to be felt. As changes such as the $20 facility cost fee, which is new, are utilized some believe that the use of services will increase. Private insurers, generally, don’t pay for teledermatology consultations. This might change in the near future. In this regard, it’s notable that on October 30, 2002, Blue Cross of California (Blue Cross) announced the implementation of store and forward telemedicine at the Sablan Medical Corporation primary care clinic in Firebaugh, CA, a rural community in Fresno County. 
Blue Cross purchased and installed the Second Opinion Professional Store and Forward software designed and produced by Second Opinion Software, LLP, for the Sablan Medical Clinic and more than 15 other telemedicine sites within its telemedicine network. Using this store and forward software, a primary care physician is able to create electronic patient folders to store patient data and images that are sent via encrypted e-mail to a receiving specialty location. The receiving specialist reviews the patient images and data offline, prepares a recommendation and sends it back to the primary care physician. When using the store and forward option, participating Blue Cross primary care physicians are reimbursed for a standard office visit while participating specialty physicians are reimbursed for a second opinion. This program originated in a granted funded program. Blue Cross launched the first-of-its-kind rural telemedicine program in July 1999. The program was made possible through an initial $1.8 million Rural Health Demonstration Project award the Company received in October 1998. The initial award and subsequent grants totaling more than $2.7 million were issued from the Managed Risk Medical Insurance Board (MRMIB) as part of the Healthy Families Program, the state-sponsored insurance program offering low-cost health, dental and vision coverage to children of low-income working families. Legal Considerations for Teledermatology All information recorded in the course of a medical examination is part of the medical record. Thus the images and data included in a teledermatology encounter are also part of a medical record. Many states have requirements that medical records be kept unaltered and intact for long time periods. So whereas the statute of limitations for medical malpractice is 2 years in New York, medical records must be kept intact for 7 years. 
If teledermatology is practiced via e-mail, then such e-mail must be kept unaltered for this full length of time. Such long-term backup of emails isn’t universal but apparently should be. The inability to access teledermatology records can have serious implications for physicians using the systems. If information from a medial record is lost and litigation ensues against a doctor, the presumption is often that the physician is liable. This could be compounded in teledermatology cases because the patient was examined in an untraditional fashion by video screen. How HIPAA Will Affect Teledermatology The Health Information Portability and Accountability Act (HIPAA) will affect all aspects of medical care, as you know. In short, HIPAA establishes national standards for electronic healthcare transactions and national identifiers for providers, health plans and employers. It also requires that digital health data be kept private and secure. Adopting these standards is meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in health care. HIPAA applies to so-called “covered entities.” A covered entity is akin to a provider under Medicare and includes doctors, hospital and health insurance clearing houses. Providers of teledermatology services are covered entities under HIPAA. Violation of HIPAA strictures on the dissemination of private digital medical data results in penalties. Any person who believes that an entity falling under the ambit of HIPAA violated its privacy requirements may file a complaint with the Health and Human Services Secretary. The Secretary has authority to investigate claims based on these complaints. The Secretary may also engage in compliance reviews and take informal or formal steps to gain compliance. There are two tiers of penalties — one for non-commercial non-willful violations of the law and another for commercialization of medical information. 
Luckily, the Secretary may reduce the amount of a fine or waive it entirely if the violation was not due to willful neglect of the requirements, and if the entity corrects it within 30 days of becoming aware of it. Non-willful non-commercial violations can command a $100 civil penalty, up to a maximum of $25,000 per year for each standard violation (Section 1176 of HIPAA). Congress has established criminal penalties for knowingly violating the patients’ right to privacy. These include the following: 1. penalties for as much as $50,000 and 1 year in prison for obtaining or disclosing protected health information 2. fines of up to $100,000 and 5 years in prison for obtaining protected health information under “false pretenses” 3. up to $250,000 in fines, and up to 10 years in prison for obtaining or disclosing protected health information with intent to sell, transfer, or use this information for commercial advantage, personal gain or malicious harm (Section 1177 of HIPAA). The implications of these legal standards for the practice will be discussed at the end of the HIPAA section. It would seem that HIPAA would result in the disappearance of teledermatology systems that are not secure. Specifically, because e-mail (efforts at encryption not withstanding) is not secure, teledermatology systems that simply involve the attachment of images to e-mails won’t be legally viable under HIPAA in the future. Other teledermatology systems that utilize large-scale databases must have integrated data protection, as I’ll discuss further. Any teledermatology system then will have to provide assurance to patients, the government, presenters and interpreters that the digital information in the databases is kept private and secure. HIPAA sets certain security standards to protect digital information. These standards apply to both data storage and to data communication. The digital images that teledermatology utilizes are covered by these standards. 
For large organizations, the data storage standards involve administrative procedures to ensure only those who care for patients have access to digital medical information and physical safeguards to ensure the protection of data. How to Protect Yourself To facilitate the security of data, you should should take the following steps: • appoint a privacy officer to oversee the privacy of medical data • institute information controls (formal, documented policies) • create physical access controls • create a policy on personal computer and workstation usage • secure the location of computers and workstation • provide security awareness training • institute data access control • document procedures for emergency access • implement audit controls • ensure data authentication • ensure entity authentication • institute auto logoff of inactive workstations and computers • create unique user identifiers for tracking • provide biometric, password or other personal identifiers • assign security responsibility. The transmission of data over open networks also benefits from the certification of digital certificates that authenticate data and data sources. Maintaining and authenticating digital certificates is a desirable activity for teledermatology providers. Specifically, biometric, password, or other personal identifier might utilize thumb-print, retinal printer readers, smart cards or passwords that can be traced to the user. These means of recording who views digital medical data are necessary so that those who access digital medical information can be identified. It also appears that technical security services will be available to ensure that the standards can be implemented and maintained. All teledermatology systems must integrate compliant security standards and procedures. Failure to do so would make a system fatally flawed under HIPAA. The communication security standards have important implications for teledermatology programs as well. 
HIPAA security standards require that communications over “open” network such as the Internet must be encrypted. It appears that 128-bit encryption is sufficient to satisfy the requirements of HIPAA. These encryption standards don’t apply to communications that occur over closed networks such as local area networks or Intranets. HIPAA requires that covered entities (e.g. teledermatology providers) make sure that those who they deal with directly, a so-called “business partner” — those who maintain computer systems — ensure that they keep digital medical information private. Certain other entities with access to digital medical information are termed trading partners. Trading partners must enter into “chain of trust partner agreement” with covered entities promising to keep data secure. If a covered entity is aware that a business or trading partner is violating its agreement, it must demand that it correct its violations and terminate its relationship if necessary. Certification that a covered entity is complying with these standards is foreseen under HIPAA. Covered entities would be required to evaluate their information technology system to certify that the appropriate security has been implemented. This evaluation could be performed internally or by an external accrediting agency. It’s most desirable to obtain certification for compliance “as part of, and in support of, the accreditation process” (e.g. JACHO). The form of such accreditation has yet to be determined. Non-willful violations of security standards or failures to enforce business and trading partner agreement would subject a teledermatology provider to penalties of fines but not jail time for violations of HIPAA. But, if the operator of a teledermatology system resold or intentionally disseminated patient information, then substantial fines and jail time could be a reality. 
Other Legal Considerations There are a variety of other legal considerations involved with deployment of teledermatology systems. To provide care for a patient in a state, a physician must have a license in that state — telemedicine and teledermatology still can’t be practiced across state lines. The malpractice coverage for the practice of teledermatology still has to be defined, although a physician must review his or her policy to see if he or she is covered for providing teledermatology care. Teledermatology can provide great benefit to patients. The potential and promise of this exciting new technology remain to be fully defined and realized.

U ntil recently, no viable economic model existed for the ongoing, profitable deployment of teledermatology systems. Consequently, most teledermatology systems had disbanded when the grants stopped. Without the incentives that adequate reimbursement brings, only those who are “true believers” in teledermatology have been willing to put in the hard work that facilitating a project requires. Previously, teledermatology projects were funded by government grants or operated in closed systems such as prisons or the military where insurance reimbursement for medical services does not occur. This situation has been evolving in recent years. The Balanced Budget Act of 1997 (TBBA) required payment for telemedicine services meeting set provision of care standards. Under TBBA, Medicare rules required the presence of a Medicare participating tele-presenter to qualify for Medicare reimbursement. This added much expense to the provision of teledermatology services without adding much value for the practice of store and forward teledermatology. Medicare rules also required that the tele-presenter participate in mandated fee sharing between the tele-presenter and the consulting physician. This requirement of “fee splitting is contrary to other Medicare rules that prohibit payment of remuneration in exchange for referrals. These existing Medicare requirements basically limited reimbursement to two-way video telemedicine services, which are rarely used to practice teledermatology. Moreover, because some hospitals and doctors feared criminal liability involved in such “fee splitting,” many didn’t want to be involved in telemedicine systems that sought Medicare reimbursement. The Rules Relax In December 2000, Congress passed an omnibus appropriations bill that liberalized the rules for reimbursement for telemedicine services. The omnibus appropriations bill (“OAB” [H.R. 5661]) wholly redid the Medicare rules for reimbursement for telemedicine services. 
The OAB, which came into effect on October 1, 2001, permits the use of telemedicine services to deliver care under the prospective payment system applicable to home care (Section 504). Moreover, (in section 223) it: • expanded the definition of originating sites to include physician and practitioner offices, critical access hospitals, rural health clinics, federally qualified health centers and hospitals (but not nursing homes) • expanded the geographic regions in which originating sites are located to include rural health professional shortage areas, any county not located in a MSA, and from any entity approved for a federal telemedicine demonstration project • permitted use of store and forward applications in Alaska and Hawaii • eliminated the provider “fee sharing” requirement • eliminated the requirement for a Medicare participating “tele-presenter” • allowed originating sites to be paid $20 per visit to recover facility costs, with increases in 2003 • expanded telemedicine services to include direct patient care, physician consultations and office psychiatry services • included payment for the physician or practitioner at the distant site at the rate applicable to services generally. How Has This Affected Reimbursement? It’s still unclear how much these changes have effected the provision of teledermatology services. And it’s clear that the full effect of this bill has yet to be felt. As changes such as the $20 facility cost fee, which is new, are utilized some believe that the use of services will increase. Private insurers, generally, don’t pay for teledermatology consultations. This might change in the near future. In this regard, it’s notable that on October 30, 2002, Blue Cross of California (Blue Cross) announced the implementation of store and forward telemedicine at the Sablan Medical Corporation primary care clinic in Firebaugh, CA, a rural community in Fresno County. 
Blue Cross purchased and installed the Second Opinion Professional Store and Forward software designed and produced by Second Opinion Software, LLP, for the Sablan Medical Clinic and more than 15 other telemedicine sites within its telemedicine network. Using this store and forward software, a primary care physician is able to create electronic patient folders to store patient data and images that are sent via encrypted e-mail to a receiving specialty location. The receiving specialist reviews the patient images and data offline, prepares a recommendation and sends it back to the primary care physician. When using the store and forward option, participating Blue Cross primary care physicians are reimbursed for a standard office visit while participating specialty physicians are reimbursed for a second opinion.

This program originated in a grant-funded program. Blue Cross launched the first-of-its-kind rural telemedicine program in July 1999. The program was made possible through an initial $1.8 million Rural Health Demonstration Project award the Company received in October 1998. The initial award and subsequent grants totaling more than $2.7 million were issued from the Managed Risk Medical Insurance Board (MRMIB) as part of the Healthy Families Program, the state-sponsored insurance program offering low-cost health, dental and vision coverage to children of low-income working families.

Legal Considerations for Teledermatology

All information recorded in the course of a medical examination is part of the medical record. Thus the images and data included in a teledermatology encounter are also part of a medical record. Many states have requirements that medical records be kept unaltered and intact for long time periods. So whereas the statute of limitations for medical malpractice is 2 years in New York, medical records must be kept intact for 7 years.
If teledermatology is practiced via e-mail, then such e-mail must be kept unaltered for this full length of time. Such long-term backup of e-mails isn’t universal but apparently should be. The inability to access teledermatology records can have serious implications for physicians using the systems. If information from a medical record is lost and litigation ensues against a doctor, the presumption is often that the physician is liable. This could be compounded in teledermatology cases because the patient was examined in an untraditional fashion by video screen.

How HIPAA Will Affect Teledermatology

The Health Information Portability and Accountability Act (HIPAA) will affect all aspects of medical care, as you know. In short, HIPAA establishes national standards for electronic healthcare transactions and national identifiers for providers, health plans and employers. It also requires that digital health data be kept private and secure. Adopting these standards is meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in health care.

HIPAA applies to so-called “covered entities.” A covered entity is akin to a provider under Medicare and includes doctors, hospitals and health insurance clearing houses. Providers of teledermatology services are covered entities under HIPAA.

Violation of HIPAA strictures on the dissemination of private digital medical data results in penalties. Any person who believes that an entity falling under the ambit of HIPAA violated its privacy requirements may file a complaint with the Health and Human Services Secretary. The Secretary has authority to investigate claims based on these complaints. The Secretary may also engage in compliance reviews and take informal or formal steps to gain compliance. There are two tiers of penalties: one for non-commercial non-willful violations of the law and another for commercialization of medical information.
Luckily, the Secretary may reduce the amount of a fine or waive it entirely if the violation was not due to willful neglect of the requirements, and if the entity corrects it within 30 days of becoming aware of it. Non-willful non-commercial violations can command a $100 civil penalty, up to a maximum of $25,000 per year for each standard violation (Section 1176 of HIPAA).

Congress has established criminal penalties for knowingly violating the patients’ right to privacy. These include the following:

1. penalties of as much as $50,000 and 1 year in prison for obtaining or disclosing protected health information
2. fines of up to $100,000 and 5 years in prison for obtaining protected health information under “false pretenses”
3. up to $250,000 in fines, and up to 10 years in prison for obtaining or disclosing protected health information with intent to sell, transfer, or use this information for commercial advantage, personal gain or malicious harm (Section 1177 of HIPAA).

The implications of these legal standards for the practice will be discussed at the end of the HIPAA section.

It would seem that HIPAA would result in the disappearance of teledermatology systems that are not secure. Specifically, because e-mail (efforts at encryption notwithstanding) is not secure, teledermatology systems that simply involve the attachment of images to e-mails won’t be legally viable under HIPAA in the future. Other teledermatology systems that utilize large-scale databases must have integrated data protection, as I’ll discuss further. Any teledermatology system then will have to provide assurance to patients, the government, presenters and interpreters that the digital information in the databases is kept private and secure.

HIPAA sets certain security standards to protect digital information. These standards apply to both data storage and to data communication. The digital images that teledermatology utilizes are covered by these standards.
For large organizations, the data storage standards involve administrative procedures to ensure only those who care for patients have access to digital medical information and physical safeguards to ensure the protection of data.

How to Protect Yourself

To facilitate the security of data, you should take the following steps:

• appoint a privacy officer to oversee the privacy of medical data
• institute information controls (formal, documented policies)
• create physical access controls
• create a policy on personal computer and workstation usage
• secure the location of computers and workstations
• provide security awareness training
• institute data access control
• document procedures for emergency access
• implement audit controls
• ensure data authentication
• ensure entity authentication
• institute auto logoff of inactive workstations and computers
• create unique user identifiers for tracking
• provide biometric, password or other personal identifiers
• assign security responsibility.

The transmission of data over open networks also benefits from the certification of digital certificates that authenticate data and data sources. Maintaining and authenticating digital certificates is a desirable activity for teledermatology providers.

Specifically, biometric, password or other personal identifiers might utilize thumbprint or retinal print readers, smart cards, or passwords that can be traced to the user. These means of recording who views digital medical data are necessary so that those who access digital medical information can be identified. It also appears that technical security services will be available to ensure that the standards can be implemented and maintained.

All teledermatology systems must integrate compliant security standards and procedures. Failure to do so would make a system fatally flawed under HIPAA. The communication security standards have important implications for teledermatology programs as well.
HIPAA security standards require that communications over “open” networks such as the Internet must be encrypted. It appears that 128-bit encryption is sufficient to satisfy the requirements of HIPAA. These encryption standards don’t apply to communications that occur over closed networks such as local area networks or Intranets.

HIPAA requires that covered entities (e.g. teledermatology providers) make sure that those with whom they deal directly, so-called “business partners” (those who maintain computer systems), keep digital medical information private. Certain other entities with access to digital medical information are termed trading partners. Trading partners must enter into a “chain of trust partner agreement” with covered entities promising to keep data secure. If a covered entity is aware that a business or trading partner is violating its agreement, it must demand that it correct its violations and terminate its relationship if necessary.

Certification that a covered entity is complying with these standards is foreseen under HIPAA. Covered entities would be required to evaluate their information technology system to certify that the appropriate security has been implemented. This evaluation could be performed internally or by an external accrediting agency. It’s most desirable to obtain certification for compliance “as part of, and in support of, the accreditation process” (e.g. JCAHO). The form of such accreditation has yet to be determined.

Non-willful violations of security standards or failures to enforce business and trading partner agreements would subject a teledermatology provider to fines but not jail time for violations of HIPAA. But, if the operator of a teledermatology system resold or intentionally disseminated patient information, then substantial fines and jail time could be a reality.
Other Legal Considerations

There are a variety of other legal considerations involved with deployment of teledermatology systems. To provide care for a patient in a state, a physician must have a license in that state; telemedicine and teledermatology still can’t be practiced across state lines. The malpractice coverage for the practice of teledermatology still has to be defined, although a physician must review his or her policy to see if he or she is covered for providing teledermatology care.

Teledermatology can provide great benefit to patients. The potential and promise of this exciting new technology remain to be fully defined and realized.