Telemedicine: the high cost of breaching patient privacy regulations

In recent years, we've seen a rapid uptake of telemedicine services across a range of medical conditions, offering convenience for patients and efficiency for practices.

Karen Castle, Risk Adviser, Risk Advisory Services, Avant.

Tuesday, 30 July 2024

telemedicine-the-high-cost-of-breaching-patient-privacy-regulations

In recent years, we've seen a rapid uptake of telemedicine services across a range of medical conditions, offering convenience for patients and efficiency for practices. However, providing this type of service requires careful consideration of the regulations to safeguard patient privacy and avoid breaching privacy laws, which can carry hefty penalties.

The following case demonstrates the extent to which taking advantage of newer technologies can potentially expose a practice and its employees to situations where strict compliance with privacy and data protection laws is necessary.

Patient enquiry exposes data integrity risk

A seemingly simple enquiry from a patient triggered a series of revelations that a practice was not meeting many privacy requirements. The patient, who had read media reports on patient information being sold to third parties and was concerned about the potential for misuse of their data, had called the practice and requested a copy of their privacy policy.

On realising they didn’t have one, the practice, which had been newly established to provide dedicated telemedicine services, contacted Avant for assistance.

After talking to the practice about their policies and procedures, the medico-legal adviser realised that, in addition to needing advice on the wording of a privacy policy, there were potentially several other areas of the business where the integrity of data they handled was at risk of being compromised. The case was promptly referred to Avant’s Risk Advisory Service (RAS) to work with the practice to identify and rectify any deficiencies.

Identifying key risks and challenges

An assessment conducted by RAS revealed several vulnerabilities within the practice's operations:

  • Insecure communication platforms: Practitioners were using channels such as Skype and FaceTime for their patient consultations, without realising these video conferencing services did not provide a secure platform for discussion about sensitive medical matters.
  • Outsourced administration: For cost efficiency, the practice was using an external company to handle administration tasks. They had not checked what privacy training or protocols around handling data the staff from this virtual company had received. This posed a significant risk of sensitive medical information being mishandled.
  • Cross-border data transfer: The virtual administration service employed staff in other countries, which meant sensitive health data was being sent overseas. This raised concerns about compliance with Australian Privacy Principles (APP), particularly APP 8, which regulates disclosure of personal information outside of Australia, and stipulates that a practice must “ensure that any overseas provider takes relevant steps to protect the information from misuse, interference, loss and unauthorised access, modification or disclosure”.
  • Lack of centralised medical records: Individual practitioners were keeping records for their own patients, without making this information available through a secure centralised system. This limited the opportunity to provide continuity of care if one of the specialists were absent. Also, if a patient wanted to talk to someone else, they would have needed to provide their information all over again.

Assessing the issue and implementing change

Prioritising patient privacy and compliance isn't just good practice – it's essential for maintaining integrity and trust in an increasingly digital healthcare environment.

With the guidance of our advisers, the practice was able to navigate the privacy and data protection challenges they were facing in providing telemedicine consultations. Subsequently, with our support, they implemented a range of system enhancements necessary to ensure compliance, including:

  • Developing a robust privacy policy.
  • Establishing secure communication platforms compliant with privacy regulations.
  • Implementing privacy training for all staff members, particularly including anyone who handled patient information.
  • Exploring options for centralised medical records management to facilitate continuity of care.

To help them stay on top of the regulatory landscape around safeguarding patient privacy, they were also made aware of the ongoing support available to members through Avant Assist.

Penalties for breaching the Privacy Act can be severe. In addition to the substantial fines that can be imposed, a practice under investigation will have to deal with:

  • Cost and stress of defending the practice in a court case.
  • Compromised reputation for the business from bad PR.
  • Loss of trust for individual doctors from their patients.

Ask yourself these questions

Practices who have expanded their services to offer telemedicine consultations, or have set up to offer dedicated telemedicine facilities, need to make sure they are well-equipped to address privacy and compliance challenges.


Ask yourself these four questions to help identify whether your policies and procedures designed to safeguard patient privacy are robust:


  • Do you provide staff with training and ongoing supervision and controls to ensure that privacy regulations are understood and maintained?
  • Have you implemented policies, procedures and systems that reflect the relevant APPs?
  • Have you invested in secure encryption technology or other secure processes for transferring and storing sensitive health information?
  • Do you have a data breach response plan?

If you’ve answered 'no' to any of these questions, we suggest you take a proactive approach and seek expert support from our advisory services. They can identify and help resolve any areas of concern, which will allow you to operate with confidence and continue to deliver high-quality care to your patients.


You will also need to consider the Medical Board’s Code of Conduct and Guidelines: Telehealth consultations with patients, which emphasises that telehealth consultations should meet the same standards as care provided in a face-to-face consultation.

This article was originally published in Connect magazine issue 22.

References and further reading

Avant Assist: Resources and services to support you in delivering safe, best-practice care

Medical Board of Australia: Telehealth consultations with patients

More information

For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.

Disclaimers

The case discussed in this article is based on a real case. Certain information has been de-identified to preserve privacy and confidentiality.

IMPORTANT: This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.

To Top