Legal and Ethical Issues Related to
Technology in Physical Therapy Practice
Louis D. Kelly, JD, Attorney
Adams, Stepner, Woltermann & Dusing
Robert Latz, PT, DPT, CHCIO
Chief Information Officer
Trinity Rehabilitation Services
Disclaimer:
This presentation, and any ensuing discussion, does not constitute legal advice and does not establish an
attorney-client relationship.
Note: Many of the included references and information are from a 2018 CSM presentation with Aliya N. Chaudry, PT, MBA, DPT, JD, APTA/ELI Fellow, Professor; Kara Gainer, JD; and Robert Latz, PT, DPT, CHCIO.
Permission was received to include these items in our handouts.
Objectives
Upon completion of this presentation, participants will be able to:
1. Describe potential causes for conflicts resulting from fast
advancement of clinical technologies.
2. Discuss legal & ethical implications for several pertinent technology
applications in clinical practice.
3. Identify legal/ethical ways to utilize the technology in question in
each clinical situation.
4. Recognize need to address legal/ethical violations in technology
use in clinical practice.
Definitions
1. Technology
2. Mobile Phone Technology
3. Apps (Applications)
4. Mobile Medical App
5. Electronic Health Record (EHR)
6. The ‘Cloud’
7. TeleHealth
Examples of Current Legal-Ethical Guidance
• Laws
• Regulations
• Practice Guidelines
• Other Resources?
My Use of Technology In The Clinic:
Is it ethical?
Is it Legal?
Scenario 1: Cell Phone Pictures
Personal cell phone for
business use?
Smartphone Use & Legal/Ethical Concerns [1]
• Taking clinically related photographs of patients with personal smartphones raises concerns like:
– how to protect patient identity and privacy
• violation of Privacy Regulations of HIPAA
• violation of COE Principle 2E [2] / SOEC of PTA Standard 2D [3]
– how to keep patient information secure
• violation of Security Regulations of HIPAA
– how to ensure image is of a sufficient quality to assist in accurate physical therapy decision-making
• Places institution and the employee using the personal phone for business (patient) use at risk of:
– legal action/reprimand
– professional/institutional reprimand
Suggestions to Resolve Ethical Concerns [4,5]
• Eliminate use of personal mobile phone for gathering patient information
• Create institutional policy/procedures that educate employees about:
– risks of using personal cell phone for business (patient) use
– potential risk of third party access to patient information collected via a personal cell phone
– reiterate concern regarding inability to de-identify information gathered on a personal cell phone
– institutional guidelines for information gathering & storage
• Educate employees about institutional intolerance to violations of mobile cell phone policy
– employee ethical duty to report peer violations
– institutional duty to discipline employees for violations
Scenario 2: Mobile Apps / Mobile Medical Apps
Can I use the App I just learned about?
Anything to be aware of with just recommending a fitness
tracker to increase their activity level?
Mobile App Use Ethical/Legal Concerns
• Uploading & using healthcare related apps for patient monitoring and/or clinical decision making
– how to ensure accuracy of app
– how to assure patient privacy; and
– how to assure security of patient information collected
– how to assure employee competency in use of app
• potential violation of APTA COE Principles 6A & 6B [2]
Mobile Medical App Use Ethical Concerns [4]
• Individual privacy concerns:
– GPS & WLAN can disclose personal information such as individual’s address, & other non-deidentifiable personal information
– De-identifiable information may be at risk of being used by third parties who gain access through:
• ‘hacking’ of data sent through the internet or Bluetooth
• ‘subpoena’ by the government
• ‘accidental’ access through another’s phone
• ‘intentional’ access by telecommunication companies claiming ownership of information transmitted through their network, such as:
– Google
– Amazon
– Internet Service Providers (ISPs)
– HIPAA unable to address all concerns
– Other laws inadequate as well
Limits of HIPAA [5]
• Health Information Portability & Accountability Act of 1996:
– Privacy rule controls use of information in electronic health records but only by covered entities & those obligated by a business associate agreement
• does not cover information collected by health apps used solely by individuals
– Security rule created national standards for covered entities to protect patient’s electronic personal health information
• does not adequately address significant risks of information being stolen due to portability of information on mobile phones and tablets
Limits of Other Applicable Laws [5]
• Computer Fraud & Abuse Act of 1986:
– prohibits using a computer to gain “unauthorized access” to stored information
– not applicable where a user voluntarily downloads software that in turn collects extensive information about the user without the user knowing
• Electronic Communications Privacy Act of 1986
– also prohibits “unauthorized access” to stored information & intercepting communications illegally
• requires a third party needing information to get consent from user
• But does not require app developer needing information to get consent of user
Suggestions to Resolve Ethical/Legal Concerns [4,5]
• Inquire about patient’s extent of familiarity with mobile medical app:
– e.g. assess patient’s health literacy status
– e.g. assess patient’s skill level in manipulating medical mobile app for prescribed use
• Become informed so you can inform patient about, for example:
– how a particular App stores & uses mobile data
– what a mobile vault is
• advantages & disadvantages of using Apps with a ‘vault’
• costs vs. flexibility/time constraints for access
• other available alternatives, like a self-uploading option via Wi-Fi: insecure network vs. flexibility of access
• Decrease exclusivity and promote inclusivity by:
– promoting inclusion of patients across all socioeconomic levels in studies using mobile medical apps
• if patient does not have smartphone or app, make arrangements to get one
Suggestions to Resolve Ethical/Legal Concerns [4]
• Obtain Informed Consent prior to use of mobile phone app:
– inform patient about the risks along with the benefits of using cell phone apps in managing individual health care
– reiterate concern regarding inability to de-identify information gathered on a cell phone App
– educate patient about potential third party access to patient information collected via a cell phone App
– inform patient about varied types of information that may be collected by cell phone app at issue & whether patient will have opportunity to provide consent (e.g. via a pop-up of some sort) prior to allowing access
Suggestions to Resolve Ethical/Legal Concerns [5]
• Minimize privacy & security violations of collected patient data by:
– encouraging use of apps that have ‘secure vaults’ on the mobile phone
• decreases potential for accidental discovery of data by transferring data to clinician/researcher at preset times
– suggesting employer create policies & procedures and training for employee use of medical mobile apps to assist in:
• monitoring employee use of medical mobile apps
• ensuring employee inclusion of patients of all socioeconomic levels
• issuing & using passwords with medical mobile app use & safeguarding passwords
• reporting violations
• disciplining employees for violations
• informing patients of intended uses of information
Suggestions to Resolve Ethical/Legal Concerns [5]
• Advocate for:
– registration of healthcare professionals as interstate providers
– creation of a database of interstate providers
– issuance of a limited licensure status like special purpose, single patient, collaborative practice, time controlled, etc. to permit work across state lines
– development of standards of care by HCPs for use by HCP
– providing technology to patients unable to afford it to facilitate inclusion of all patients across all socioeconomic levels
Scenario 3: YouTube and PT
• YouTube is the 2nd largest search engine behind only Google.
– Processes more than 3 billion searches a month.
– Bigger than Bing, Yahoo, Ask, and AOL combined.
– 100 hours of video are uploaded every minute.
– Reaches more US adults ages 18-34 than any cable network.
Can I post videos to YouTube to market our PT Services?
• Dr. Sandra Lee
– Certified Dermatologist
– Skin cancer surgeon
– cosmetic surgeon
In 2010, Lee began uploading videos of skin extractions under the moniker “Dr. Pimple Popper.”
She has over 4 million subscribers and averages 2.4 million views per day.
It is estimated that Lee makes $3,600.00 per day ($1.4 million per year) on YouTube revenue alone.
Dr. Lee has also used her YouTube channel as a platform to advertise her own line of skincare products.
In 2018, she signed with TLC to her own reality television series, which has already been renewed for a second season.
The Famous Physical Therapists
781,000 subscribers
Videos regularly exceed 2 million views
APTA Code of Ethics (COE)
• COE 1A
– Shall act in a respectful manner toward each person
• Take care with how person is dressed or how they might appear to someone watching the video
• COE 4A
– Shall provide truthful, accurate, and relevant information and shall not make misleading representations
• COE 7B and 7C
– Shall seek remuneration…and shall not accept gifts or other considerations that influence or give appearance of influencing professional judgment
Potential Risks
• Discount for services as a ‘trade-off’ for recording a patient?
– Transparency
• HIPAA Concerns
– Get a signed release from each person who could be in the video
• Exaggeration of claims?
– Be honest
– Clarify that not everyone will benefit in the same way
Strategies to Overcome Potential Risks
• Agreement forms for patients to sign
• Be honest with any claims
• Policies/Procedures in place
Scenario 4: Telehealth Startup Tomorrow?
We were at a conference earlier today related to Telehealth in Physical Therapy. We learned a lot and we would like to start providing Telehealth in our clinic starting Monday morning…
Potential Risks—Patient related [13]
• Patient may make errors in:
– noting readings correctly from the medical device; or
– obtaining correct values required from the medical device
• Patient may accidentally:
– change settings on medical device yielding incorrect readings; or
– damage medical device causing malfunction; or
– cause undue interference in transmission of data; or
– interfere with collection of automated measurements
• Patient may have an accident/injury during telehealth session if:
– no family member is available to assist patient with injury; or
– no availability of EMS in patient area; or
– HCP lacks information on EMS in patient area
Potential Risks—HCP related [13]
• Outsourcing of services from local organizations to global agencies unfamiliar with local needs/regulations/language, e.g.:
– radiographs taken in Delaware sent to Bangalore to be read
– bills generated in Dallas sent to Mexico City to be processed
– physician notes dictated in California sent to Chennai to be transcribed
• Outsourcing may raise privacy & safety concerns due to:
– possibility of errors
– privacy/informed consent violations
– standard of care deviations
– inconsistency in laws/regulations across country/state lines
• Insufficient:
– patient education on use of medical devices by HCP
– controls on limiting access to patient data
• Lack of HCP input into selection of technology for use in Telehealth
Potential Risks—Technology related [16,17]
• privacy & security at risk because of lack of interoperability of technology due to: [17]
– no compatibility between new & old technology
– no availability of protocols or standardized processes
– no guarantees to ensure data integrity
– no safeguards against malfunction or interruption of service
• patient privacy violations [16]
– sensors on patient’s body for safety/emergency reasons like fall alarms may also transmit other private information like patient’s current location or activities
– medical device or app in use for routine monitoring like Insulin pump may provide information to 3rd party device manufacturers/advertisers financing device
• e.g. in 2011 Fitbit accidentally exposed its users’ self-reported sexual activity when it failed to realize that sexual activity, though a form of physical exertion, was sensitive user information
Potential Risks—Laws/Regulations related [13,16]
• HIPAA regulations do not adequately cover Telehealth privacy & security concerns
– e.g. when data is compromised by a non ‘covered entity’ like a patient: HIPAA protections will not cover data collected by tools given to patients
– e.g. HIPAA security regulations may control two-way HCP-to-HCP telehealth communications when HCPs are at both ends, but will only control one-way communication between HCP and patient, posing:
• confidentiality breaches when data is being collected or transmitted
• trust concerns related to provision of hardware/software to patient
• possibility of unauthorized access to patient data on medical device
– e.g. patient may not be able to request a copy of, nor control use of, data collected by an app or home monitoring medical device; it is up to the manufacturer to provide it or not
Potential Risks—Laws/Regulations related [16]
• HITECH Act does not cover some tools used in Telehealth, like the medical devices that are enabled through the network
– why? This Act [sec. 13407(1)(2)] only addresses notification requirements for breaches to personal health records; and
– data collected from a network-enabled medical device does not meet the definition of creating a ‘personal health record’ [sec. 13400(11)] because the data is not controlled by the patient nor is it gathered from multiple sources.
Potential Risks—Federal Agencies related [16]
Currently there is no single federal agency charged with power to guide use of Telehealth and control violations, e.g.:
• Department of Health & Human Services (DHHS)
– only partially addresses privacy & safety through HIPAA regulations impacting covered entities; but
– does not address consumer-facing commercial technologies
• Food & Drug Administration (FDA)
– does not regulate telehealth technology unless it qualifies as a ‘medical device’
– if yes, will regulate security only, and that too just to ensure ‘safety’ of use
• Federal Trade Commission (FTC)
– has not issued any privacy/security regulations for Telehealth technologies not covered by HIPAA; and
– FTC only has limited powers to address:
• unfair medical device design causing resultant harm
• unfair security practices for sensitive data
• unfair default device settings
– ONLY when the harm > benefit
Strategies to Overcome Potential Risks [13,16]
1. Acknowledge patient’s right to have access to their EHR
– revise existing informed consent policies to address this issue
– ensure outsourced Telehealth/EHR software and communication tools are configured to permit such access
2. Educate patient & caregivers on:
– proper use of medical device in a face-to-face meeting with HCP [19]
– proper process to record and report data from medical device
– potential causes of error
– need to report errors immediately, with contact information
– need to carefully read & understand medical device/app’s privacy policy prior to signing.
Strategies to Overcome Potential Risks [16]
3. Instill security controls for the Telehealth System through:
– data encryption at ‘rest, in transit, & end-to-end’
• data are electronically ‘locked’ using complex mathematics and encryption ‘keys’ & can only be unlocked by a user with the correct ‘key’
• may ensure that if an attacker gains access to raw data, either by bypassing access controls for data at ‘rest’ or by intercepting data in ‘transit’, the data will be meaningless
• ‘rest & in-transit’ encryption done through operating systems or browsers that are external to the software being used for Telehealth
• ‘end-to-end’ encryption done by directly incorporating it into the Telehealth app; and
– user authentication measures prior to granting access
4. Institute organizational guidelines that restrict installation of software on organizational property without approval
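As an added illustration of item 3 (not code from the presentation or any product it mentions), the following Go program shows what ‘encryption at rest’ incorporated directly into an application looks like: a constructed sample patient record is sealed with AES-256-GCM under a random key, and the program demonstrates the two properties the slide relies on, namely that the sealed bytes are meaningless without the correct key, and that any tampering with the stored bytes is detected rather than silently yielding a corrupted record. The record contents, key handling and function names are assumptions made for the example; transport encryption (TLS provided by the OS or browser, as the slide notes) is outside what this block shows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 32-byte AES-256 key from the OS CSPRNG.
// In a real deployment the key lives in a key management service or
// hardware module, never beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts plaintext with AES-GCM. The stored layout is
// nonce (12 bytes) || ciphertext || 16-byte authentication tag.
// A fresh random nonce per record is required; reusing a nonce under
// the same key destroys GCM's guarantees.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so one blob is stored.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord reverses SealRecord. It fails closed: a wrong key or any
// modified byte (nonce, ciphertext or tag) is reported as an error and
// no plaintext is returned.
func OpenRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or record tampered with")
	}
	return pt, nil
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"EXAMPLE-0001","visit":"2018-02-07","note":"gait training, 30 min"}`)

	key, _ := NewKey()
	sealed, _ := SealRecord(key, record)
	fmt.Printf("stored blob is %d bytes of opaque data\n", len(sealed))

	// Correct key: the record comes back intact.
	pt, err := OpenRecord(key, sealed)
	fmt.Printf("correct key -> err=%v, record=%s\n", err, pt)

	// Wrong key: attacker who copied the file but not the key gets nothing.
	otherKey, _ := NewKey()
	_, err = OpenRecord(otherKey, sealed)
	fmt.Printf("wrong key   -> err=%v\n", err)

	// Tampered storage: flipping one bit of the blob is detected.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenRecord(key, tampered)
	fmt.Printf("tampered    -> err=%v\n", err)
}
```

The design point for a clinic is the separation of key and data: a backup tape or a stolen laptop holding only the sealed blobs is the ‘meaningless data’ case the slide describes, while the key, kept in a separate key store with access logging, is what access controls and authentication (the next bullet) actually guard.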
Strategies to Overcome Potential Risks [16]
5. Advocate for a single federal agency like the FTC to assume responsibility for, e.g.:
– enacting privacy and security regulations controlling use of Telehealth technology specifically for ‘patient & consumer-facing technologies’
– encouraging stakeholders like manufacturers to assist in developing telehealth codes of conduct for privacy of the consumer; and
– providing a safe harbor from enforcement actions for manufacturers assisting to develop the code
– monitoring use of Telehealth technology
– taking action against violations of privacy & security e.g.
• app companies relying on advertising within the app
• inability of patient to access own information
• lack of presence of sufficient security safeguards
• Follow your ETHICAL DUTY = APTA COE Principle 8B [2]
– “Physical therapists shall advocate to … improve access to health care services …”
Strategies to Overcome Potential Risks [13]
6. Ensure older technology being integrated with new Telehealth technology meets certification/integration requirements;
7. Generate licensing agreements that account for:
– updating ‘old’ technology with ‘new’ closer in time to technological advances
– ensuring integration of older technology (databases & operating systems) into the existing healthcare delivery system with the new technology; and
– providing trained personnel to address service integration issues with older technology; or
8. Create back-ups to protect against power loss, malfunctions, and unforeseen interruptions in service
Strategies to Overcome Potential Risks [13]
9. Abide by Fair Information Practice Principles (FIPPs) that include:
– practices that are commonly recognized
– guidelines to access own information & request correction of errors
– outline user limits on extent of collecting, using, & disclosing data
– insight on making informed decisions re: one’s health information
– ways to ensure sharing one’s information safely
Telehealth Resources
Center For Connected Health Policy (CCHP):
“a nonprofit, nonpartisan organization working to maximize telehealth ability to improve health outcomes, care delivery, and cost effectiveness.”
State TeleHealth Laws & Reimbursement Policies—A Comprehensive Scan of 50 States & D.C.—Fall 2017
http://www.cchpca.org/sites/default/files/resources/Telehealth%20Laws%20and%20Policies%20Report%20FINAL%20Fall%202017%20PASSWORD.pdf
Thank You!
Your Scenarios?
Our hope was to have started the discussion with these scenarios.
What else comes to YOUR mind?
Robert Latz, PT, DPT, CHCIO
859.802.7274
Louis D. Kelly, JD
859.394.6200
References
1. Sharp M, O’Sullivan D. Mobile Medical Apps and mHealth Devices: A Framework to Build Medical Apps and mHealth Devices in an Ethical Manner to Promote Safer Use—A Literature Review. Informatics for Health. 2017:363-367. doi: 10.3233/978-1-61499-753-5-363
2. APTA Code of Ethics. Available at APTA website: http://www.apta.org/uploadedFiles/APTAorg/About_Us/Policies/Ethics/CodeofEthics.pdf, accessed 02-07-18.
3. APTA Standards of Ethical Conduct of PTA. Available at APTA website: http://www.apta.org/uploadedFiles/APTAorg/About_Us/Policies/Ethics/StandardsEthicalConductPTA.pdf, accessed 02-07-18.
4. Carter A, Liddle J, Hall W, Chenery H. Mobile Phones in Research and Treatment: Ethical Guidelines and Future Directions. JMIR mHealth uHealth. 2015;3(4):e95. doi: 10.2196/mhealth.4538
5. Yang YT, Silverman RD. Mobile Health Applications: The Patchwork of Legal and Liability Issues Suggests Strategies To Improve Oversight. Health Affairs. 2014;33(2):222-227. doi: 10.1377/hlthaff.2013.0958
6. Anderson JG. Social, ethical, and legal barriers to E-health. Int J Med Inform. 2007;76:480-483. doi: 10.1016/j.ijmedinf.2006.09.016
7. Nguyen L, Bellucci E, Nguyen LT. Electronic health records implementation. Int J Med Inform. 2014;83:779-796.
8. Kumar S, Aldrich K. Overcoming Barriers to EMR implementation in the US healthcare system. Sage Journals. 2011;16(4):306-318.
9. Blumenthal D, Tavenner M. The “Meaningful Use” Regulation for Electronic Health Records. N Engl J Med. 2010;363:501-504. Available at http://www.nejm.org/doi/full/10.1056/nejmp1006114. doi: 10.1056/NEJMp1006114
10. Li J. Privacy Policies for health social networking sites. J Am Med Inform Assoc. 2013;20:704-707. doi: 10.1136/amiajnl-2012-001500
11. Five Advantages of a Cloud-Based EHR For Small Practices. Available at CareCloud website: http://www.carecloud.com/continuum/5-advantages-of-a-cloud-based-ehr-for-small-practices/, accessed 02-03-18.
12. Rodrigues JJPC, de la Torre I, Fernández G, López-Coronado M. Analysis of the Security and Privacy Requirements of Cloud-Based Electronic Health Record Systems. J Med Internet Res. 2013;15(8):e186. doi: 10.2196/jmir.2494
13. Kluge E-HW. Ethical and Legal challenges for health telematics in a global world: Telehealth and the technological imperative. Int J Med Inform. 2011;80(2):e1-e5. https://doi.org/10.1016/j.ijmedinf.2010.10.002
14. Shaver D. HL7 101: A Beginner’s Guide. For The Record. 2007;19(1):22. Available at For The Record website: http://www.fortherecordmag.com/archives/ftr_01082007p22.shtml, accessed 02-07-18.
15. Risk Management: FISMA Background. Available at NIST Computer Security Resource Center website: https://csrc.nist.gov/projects/risk-management/detailed-overview, accessed 02-07-18.
16. Hall JL, McGraw D. For Telehealth To Succeed, Privacy and Security Risks Must Be Identified and Addressed. Health Affairs. 2014;33(2):216-221. doi: 10.1377/hlthaff.2013.0997
17. Hale TM, Kvedar JC. Privacy and Security Concerns in Telehealth. AMA J Ethics. 2014;16(12):981-985.