Patient Privacy and the “Virtual Hospital”
As telemedicine becomes increasingly prevalent as a mode of administering healthcare, several issues regarding patients’ information privacy emerge.1 Telemedicine enables healthcare providers to interact with patients online, rather than by traditional in-person appointments.2 While this practice provides numerous benefits to patients, such as providing increased access to patients who might not otherwise be physically able to see a physician, there is also increased virtual exposure of patient’s private medical records, appointments, and other personal information.3
Consider, for example, the special significance of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) in such a virtual clinical environment.4The patient-privacy components of HIPAA are designed to ensure that medical records and other personal information are not subject to unnecessary exposure to those other than the individual patient or the patient’s healthcare providers.5 HIPAA allows healthcare entities to disclose health records about a patient to other healthcare entities and to individual patients themselves; otherwise, the healthcare entity must ensure no unnecessary exposure.6 However, telemedicine introduces numerous steps at which a patient’s private medical information might be unnecessarily exposed, whether this is during the actual online interaction with the physician, or during the intra- or inter-hospital transfer of their medical records.
Yet, telemedicine is moving beyond single doctor-patient check-ups and interactions. In fact, the virtual online-based hospital has recently become a practice.7 For example, Mercy Hospital in Chesterfield, Missouri is entirely virtual-based, with patients and physicians connecting completely online.8 Mercy Hospital is unique, in that patient information can be communicated with other physicians and staff at the hospital regarding a particular patient.9 Thus, it is imaginable that in such a clinical environment, vast amounts of personal health-related information is shared between physicians, nurses, and staff of the hospital in order to properly diagnose and treat patients, not unlike traditional hospitals. However, because information is being virtually shared, there is an even greater privacy concern with patient’s medical and otherwise personal information. Moreover, Mercy Hospital’s patient care model is enabled by an artificial intelligence program, which draws healthcare providers’ attention to certain patients based on their health data.10
The treatment model of a “virtual hospital”, like those of physical hospitals, does not inherently violate HIPAA requirements so long as it discloses patient records in a statutorily compliant manner. However, healthcare providers with large virtual networks, whether virtually based or physical, need to be wary that patient information is not handled in ways that could unnecessarily expose sensitive information. Doctors and patients alike, not just hospitals per se, might also be extra vigilant in such a virtual environment. In fact, Mercy Hospital has taken several steps to mitigate this concern such as by ensuring that web cameras are turned away from patients if they are not currently interacting with the hospital.11
Still, privacy concerns in a “virtual hospital” setting extend beyond HIPAA’s disclosure rules. Telemedicine introduces an increased concern for network data breaches. HIPAA provides that healthcare entities must establish secure data systems.12 Additionally, many states have data breach notification standards, requiring entities to disclose whether there has been a breach of sensitive information.13 In that case, a “virtual hospital” would need to establish a protocol for notifying patients should such an event occur. There is also the issue of whether a virtual hospital is bound by the laws of the state it is based in, or those where its patients are located. Depending on the answer, the virtual hospital would need to comply with a different state breach notification standard.
Telemedicine has shown great potential for delivering healthcare in innovative and accessible ways. However, as with any innovation, there are new concerns, particularly with ensuring the privacy of patients. The virtual hospital proposes a significant, although not necessarily insurmountable, challenge to protecting patient privacy.
Kimberly Lovett Rockwell, The Promise of Telemedicine, 96-FEB Mich. B. J. 38, 38 (2017).↩
David L. Katz, Is Telemedicine the Future of Care?, AARP (Feb./Mar. 2018), https://www.aarp.org/health/conditions-treatments/info-2018/telemedicine-teleheath-online-doctors-appointment.html [https://perma.cc/2QL7-VB5E].↩
Karl A. Menninger II, Confidentiality of Medical and Other Treatment Records, 87 Am. Jur. Proof of Facts 3d, 259 (2006).↩
Id. at § 7.↩
Katz, supra note 3.↩
See Menninger, supra note 4, at § 12.↩
David L. Silverman, Data Security Breaches: The State of Notification Laws, 19 No. 7 Intell. Prop. & Tech. L.J. 5 (2007).↩