by Barry B. Cepelewicz MD, JD
Risk management guidelines in teleradiology have evolved to accommodate new privacy concerns.
The medico-legal issues and strategies for teleradiology networks have rapidly evolved to ensure that such networks provide optimal medical care, while striving to minimize
potential exposure to liability.1
Some legal issues clearly appear to be more critical than
others, including those relating to malpractice, insurance,
licensure, privacy, and confidentiality, as well as storage,
retention, and maintenance. This article will summarize the most
salient risk management pointers with respect to these issues in
order for the teleradiology network to operate successfully. It is
by no means an exhaustive list and the reader is encouraged to
obtain competent, individualized legal advice from a trusted
professional before taking any action to develop or operate a
teleradiology practice.
The Telemedical Record and Informed Consent.
As telemedicine becomes more widely used, the requirements of
what constitutes an appropriate telemedical record will come into
clearer focus. Until then, providers should comply with those
federal and state laws that apply to traditional medical
records.
State courts have consistently held that medical records are
the property of the health care provider or the facility that
created the records, not the patient. In general, the records of a
professional service corporation are the property of the
corporation and not the individual practitioner who provided the
service to the patient.
Some states require that all medical information transmitted
during the delivery of health care via telemedicine or medical
reports resulting from a telemedicine consultation become part of
the patient's medical record. Other states simply require that
physicians maintain complete, legible patient records in a written
or readily retrievable electronic form, or that the patient record
include a written opinion from the consulting physician providing
the telemedicine consultation.
Most of the states that have addressed this issue require
that the medical record include a written informed consent. The
informed consent typically will consist of: (i) a description of
the risks, consequences, and benefits of the telemedicine
consultation; (ii) an explanation that confidentiality may be
compromised by the electronic transmission of medical information;
(iii) an assurance that existing confidentiality protections apply;
and (iv) a statement that patient consent is required before
dissemination of patient information to other entities.
Furthermore, the patient should be informed that his or her consent
can be withheld or withdrawn at any time without affecting the
right to future care or treatment.
The physician or health care provider should be involved
directly in the process of obtaining informed consent.
Generally, a physician's or other health care provider's duty
to disclose does not extend to those risks that are generally
obvious and known. On the other hand, those risks that are not well
known or otherwise readily apparent should be the subject of
disclosure.
It may be necessary to disclose information about the
telemedicine system: the potential risks, including those risks
inherent in the equipment and telecommunications technology; the
benefits; and alternatives to telemedicine.
If the telemedicine procedure is experimental in nature, the
provider may be under an obligation to disclose this fact and any
other uncertainties inherent in its utilization.
The referring provider may wish to engage in full disclosure
to the patient as a matter of good medical practice.
MALPRACTICE LIABILITY RISK MANAGEMENT.
To reduce exposure to malpractice liability, the participants
in the teleradiology network should consider creating written
policies and procedures that address the following:
Have adequate and appropriate documentation. The local and
consulting providers should document and record the patients'
histories, examinations, diagnoses, treatments, and
recommendations.
Providers should clarify and document the equipment to be
used; the parties responsible for equipment maintenance; the format
for transmitting medical information; the studies to be
interpreted; the hours of coverage; the frequency and format of
reports; quality assurance mechanisms; and important staffing
issues. The duties and responsibilities of each party involved in a
teleradiology arrangement should be clearly defined in a written
contract. Indemnification provisions should also be included.
Practitioners providing medical services via teleradiology
must meet the standard of care (arguably the national standard)
associated with the type of services provided and the standard of
care for providing those services via telecommunications.
Transmission verification procedures should be established at
both the local and remote sites.
Create contingency plans. Every provider should have a
written policy or guideline establishing a course of action for
emergencies, including when there is a power outage, equipment
malfunction, or other unforeseen incident that interferes with the
teleradiology network.
The network should promulgate clinical guidelines and
protocols. These guidelines and protocols should be realistic, for
if the practitioner or entity fails to meet them, such failure may
support a finding by the court that there was a deviation from the
proper standard of care.
With respect to record storage, retention, and maintenance,
the teleradiology business must comply with the federal and all
state law requirements.
Each party should be required to carry insurance in the event
of an error or malfunction. Teleradiology consultants should
confirm whether their professional liability insurance policies
cover liability in the patients' states for services provided from
outside these states via teleradiology.
Teleradiology entities should ensure that their employees and
independent contractors are properly credentialed, privileged, and
accredited with respect to their abilities to provide medical care
and to use telemedical equipment.
The providers should thoroughly investigate the vendors
providing the hardware and software products and services to
determine if they are sound and experienced and whether they honor
their support and maintenance contracts and provide appropriate
training. Since the practitioners will most likely be held liable
for patient harm resulting from failing to use the teleradiology
equipment reasonably, the practitioner should routinely inspect the
equipment to make sure it functions properly; confirm that the
vendor will service and maintain the equipment on an ongoing basis;
and ensure that the system will permit the patients' records to be
reasonably protected and allow the practitioner to obtain patient
information during a system failure.
The vendor's responsibilities should be identified in
writing and include what services are to be provided, upgrades,
costs, training, maintenance, support, and indemnification.
Insurance-Related Risk Management.
Providers are obligated to fully disclose all relevant
information in their insurance policy applications, including the
use of teleradiology to provide services to patients.
Providers must determine whether their carrier is authorized
to write insurance within the state or states where teleradiology services are to be provided.
Providers seeking coverage for telemedical activities (both
intrastate and interstate) should carefully evaluate whether the
terms, conditions, and limitations of their policies impact their
activities.
Providers should, if appropriate, purchase additional
policies to cover any gaps and confirm in writing their
understanding that their current policies cover telemedical
activities.
LICENSURE.
Providers engaging in teleradiology activity should consult
the individual state licensing laws of each relevant state where
they will provide services. Although there are exceptions to many
states' licensure laws, a practitioner providing medical services
via teleradiology will typically be required to obtain a license to
practice medicine in the patient's state.
Careful attention should be paid to the particular nuances of
each state's exceptions, exclusions, exemptions, and limitations,
as well as each state's definition of the practice of medicine. For
example:
(a) whether the site of practice is where the patient is located
or where the practitioner is located;
(b) whether the remote physician or the local physician retains
primary responsibility for the care of the patient;
(c) whether the consultation is intended primarily as a second
opinion or an informal consultation, or is used for actual
diagnoses and/or treatments; and
(d) how frequent the contacts with the patient are.
Providers should keep a close watch over federal and state
legislative activity for subsequent changes in licensing
requirements.
Privacy, Security, and Confidentiality.
The Health Insurance Portability and Accountability Act (HIPAA)
requires covered entities, which include health care practitioners,
health plans, and health information clearinghouses, to maintain
the integrity and confidentiality of protected health information
and keep the use and disclosure of such information to the minimum
necessary. The effective date of HIPAA's privacy standards for most
covered entities is April 14, 2003.
Health care providers, however, are given discretion in
assessing what information must be provided to other providers for
purposes of medical treatment since treating physicians may require
access to the full record in order to provide the best quality
care.
HIPAA's final security standards rule for protected health
information applies to information in electronic form (both when
stored and transmitted) and does not provide specific guidance for
implementing the necessary administrative, physical, and technical
safeguards to protect such information. The rule, which shall be
effective for most covered entities on April 21, 2005, allows
health care providers to determine their own level of compliance
based on various factors including risk analysis, existing security
measures, and cost.
The security system should be based on generally accepted
existing security standards and should balance the desire to create
a system that would offer reasonable protection with the need to
create a system that will not result in significant inconvenience
to the users. Inconvenience tends to promote circumvention of the
system and ultimately render the security mechanism less
effective.
For reasonable protection, the teleradiology providers should
consider using:
(a) Encryption: the use of algorithms to scramble data so that
the information cannot be viewed by an unauthorized user.
(b) Authentication: a mechanism for verifying that a person is
who he represents himself to be. Mechanisms for
authentication can include retinal or fingerprint scans, passwords
and electronic signatures, and cards and badges.
(c) Access control: where the access to information is dependent
on the user. Some users should be permitted restricted access,
while others would have open access. Access control should include,
but not be limited to, restricting the ability of users to read
certain information, download and print data, and delete or add
material. The system should utilize firewalls to limit outsider
access to the medical information, and audit all users who accessed
information to determine whether there was inappropriate usage.
(d) Physical security: physically restrict access to the
equipment and information. For example, utilizing physical and
electronic locks; prohibiting laptops from connecting to the
network unless specifically authorized; and disposing of discarded
computers appropriately so that individuals cannot use them to gain
access to patient data.
(e) Administrative controls: these include creating policies and
standards regarding access to and disclosure of protected
information; preparing orientation and ongoing security awareness
and training programs for new and existing employees, respectively;
utilizing confidentiality agreements; and ensuring that all
security measures are being implemented, are effective, and are
complied with. The final security standards specifically require
covered entities to audit their own security plans and create
measures to ensure the security of their protected health
information; to develop policies for reporting and sanctioning
security violations; to promulgate contingency and disaster backup
and emergency recovery plans; to create implementation, testing,
and revision procedures; and to enact guidelines addressing the
storage and disposal of protected health information. Employees,
independent contractors, and other third parties should be informed
and trained (through a written contract) that if they breach
security or misuse the information (both during the term of
their business relationship as well as after the relationship is terminated for whatever reason), they will
be disciplined and prosecuted.
STORAGE, RETENTION, AND MAINTENANCE.
Radiology networks must adhere to policies for the retention of
medical records as defined by federal and state law.
Though many states do not have specific laws that govern the
maintenance of electronic medical records, there are certain
general maintenance and retention requirements applicable to all
medical records that should be complied with.
Policies must be devised to direct: (1) where the medical
information will be stored and who has the responsibility for its
retention; (2) mechanisms of data protection; (3) responsibilities
and procedures for system administration, maintenance, and disaster
recovery; and (4) a requirement for maintaining a transaction log
where all events relating to information retrieval are stored.
The increased use of imaging systems and computerized medical
information creates new opportunities for errors in identification,
authentication, and integrity. For example, the availability of
highly sophisticated digital image editing systems may permit new
means of image tampering. As a result, systems for the
authentication of medical information and the determination of
whether any unauthorized manipulation has taken place may be
necessary.
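As an illustration of the transaction log and the tamper detection described above (an added example, not part of the original article), the following Python sketch records a digest of each image when it is stored and chains every log entry to the previous one with a keyed hash, so that an edited image or an altered log entry can be detected. The function names, the key, and the sample bytes are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real system would hold this in a protected key store.
LOG_KEY = b"constructed-demo-key"
# Constructed sample bytes standing in for an image; not a real study.
ORIGINAL = b"\x00\x10\x20\x30" * 64

def image_digest(pixel_bytes: bytes) -> str:
    """SHA-256 fingerprint recorded when the study is first stored."""
    return hashlib.sha256(pixel_bytes).hexdigest()

def _mac(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()

def append_event(log: list, user: str, action: str, study: str, digest: str) -> dict:
    """Append an event whose MAC also covers the previous entry's MAC."""
    prev = log[-1]["mac"] if log else "0" * 64
    body = {"seq": len(log), "user": user, "action": action,
            "study": study, "digest": digest, "prev": prev}
    entry = dict(body, mac=_mac(body))
    log.append(entry)
    return entry

def verify_log(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        ok = (body.get("prev") == prev and body.get("seq") == i
              and hmac.compare_digest(_mac(body), entry.get("mac", "")))
        if not ok:
            return i
        prev = entry["mac"]
    return -1

def image_unaltered(pixel_bytes: bytes, log: list, study: str) -> bool:
    """Compare the current image bytes with the digest logged at storage time."""
    stored = next((e["digest"] for e in log
                   if e["study"] == study and e["action"] == "store"), None)
    return stored is not None and hmac.compare_digest(stored, image_digest(pixel_bytes))
```

A chain of this kind does not by itself reveal removal of the most recent entries; the latest MAC has to be kept somewhere the log's custodian cannot rewrite.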
The fact that the provider has the opportunity to deliver more
services via expanded telecommunications channels increases the
threat of possible malpractice exposure. As telemedicine becomes
part of the standard of care, the failure to provide additional
services when such services are available (the underutilization of
available technologies mentioned earlier in this section) may be
considered a deviation from the accepted standard of care. As
access to many new communications technologies expands further,
certain telecare services will become routine and expected, on the
parts of both clinicians and their patients.
Barry B. Cepelewicz, MD, JD, is a physician-attorney and partner
in the Health Law Business Group of Meiselman, Denlea, Packman
& Eberz PC in White Plains and New York, NY; bcepelewicz@mdpelaw.com;
(914) 517-5000. Cepelewicz is Past-Chair of the American Bar
Association's Medicine and Law Committee, and was on the American
Health Lawyers Association's Health and Information Technology
Substantive Law Committee.
References:
- Cepelewicz BB, Berger SB. Medical-legal issues in teleradiology. AJR Am J Roentgenol. 1996;166:505-510.