Alan Lee, Mount St. Mary’s University, moderated the workshop’s final session, which explored licensure, privacy, and security issues. Speakers included Lisa Robin, Federation of State Medical Boards (FSMB); Marisa McGinley, Cleveland Clinic; and Ron Pulivarti and Nakia Grayson, National Institute of Standards and Technology (NIST).
FACILITATING THE PRACTICE OF MEDICINE ACROSS STATE LINES
Lisa Robin, Federation of State Medical Boards
Lisa Robin, chief advocacy officer for the Federation of State Medical Boards (FSMB), discussed the role of FSMB and the Interstate Medical Licensure Compact (IMLC) in facilitating medical practice across state lines.
Robin explained that FSMB is a nonprofit organization of 70 U.S. state and territorial medical boards that license multiple health care professionals. FSMB develops policies and frameworks, conducts research, maintains a comprehensive practitioner database, and works to harmonize federal regulation and support license portability. She said one goal of these efforts is to enable telehealth across state lines to enhance patient and physician convenience without compromising safety. FSMB recently updated its telemedicine policy in response to the pandemic to address exceptions for interstate practice while maintaining the same standard of care and enabling continued clinician–patient relationships.
Robin said FSMB also advocates for the adoption of the IMLC, an agreement that streamlines medical licensing processes. The initiative, supported in part by a federal grant, became active in 2015, and as of 2022, 36 states and territories have adopted the compact and several more are considering adoption (see Figure 7-1). She noted that more than 80 percent of physicians are eligible to apply for IMLC licenses. IMLC license applicants are judged on nine rigorous quality and safety criteria. Robin said approximately 30,000 IMLC licenses have been issued since 2017, with a marked increase during the pandemic. She noted that similar compacts exist for other health professions, and states have also explored other approaches to license portability, such as license reciprocity, special licenses, and telemedicine licensing.
HIPAA COMPLIANCE AND PRIVACY CONCERNS
Marisa McGinley, Cleveland Clinic
Marisa McGinley is an assistant professor of neurology in the Cleveland Clinic Lerner College of Medicine and telehealth lead for the Neurological Institute at Cleveland Clinic. She discussed privacy issues related to HIPAA and the protection of personal health information (PHI).
McGinley explained that HIPAA was passed in 1996, before the era of widespread telehealth use; therefore, its rules can be difficult to apply to today’s technological environment. While it addresses many aspects of care, HIPAA’s main focus was health insurance portability and patient privacy. Subsequent amendments have addressed emerging privacy concerns, workability, effectiveness, and flexibility (Berwick et al., 2018).
McGinley said that one particularly important amendment directed that health care plans and clinicians must use HIPAA-compliant technology to protect PHI, which is very valuable to hackers (Williams et al., 2020). PHI-targeted attacks, often via third parties, have risen steadily in recent years. She noted that to be HIPAA compliant, technology platform companies must sign an agreement stipulating how PHI will be protected. However, the onus is on the health care organization, not the platform creators, to ensure the platform is appropriately secure and compliant. McGinley noted that an additional challenge is that clinicians, who have little training in cybersecurity or digital privacy, often find HIPAA’s audit trail requirements incomprehensible. She noted that both clinicians and patients have reported concerns about security and data protections (Kruse et al., 2017).
The pandemic brought new challenges to protecting PHI. The Office for Civil Rights exercised enforcement discretion in response to the public health emergency, enabling clinicians to see patients via popular platforms such as FaceTime or Zoom. These platforms are easier to use than inefficient or expensive electronic health record (EHR)-integrated platforms but may have fewer data protections, McGinley said. In addition, the lack of physical office space could lead patients to inadvertently share PHI when engaging in telehealth interactions in a public setting.
McGinley emphasized that telehealth adds tremendous value to health care but requires stronger PHI protections. She noted that maintaining the valuable gains made during the pandemic in terms of improving access to care via telehealth while also ensuring appropriate security and privacy safeguards will require finding a middle ground between care quality, care access, and PHI protection (Shachar et al., 2020). She pointed to a need to address administrative, physical, and technical issues through policies and procedures for PHI access and use, as well as the need for relevant training, secure and closed systems, and internal audits. She emphasized that overly onerous privacy restrictions do have a downside, as the fear of committing a HIPAA violation could compromise a clinician’s ability to provide timely patient care, suggesting the need for a balanced and practical approach.
SECURING TELEHEALTH REMOTE PATIENT MONITORING ECOSYSTEMS
Ronald Pulivarti and Nakia Grayson, National Institute of Standards and Technology
Ronald Pulivarti and Nakia Grayson from NIST’s National Cybersecurity Center of Excellence (NCCoE) discussed security guidelines for telehealth.
Pulivarti explained that NCCoE, part of the Applied Cybersecurity Division in NIST’s Information Technology Laboratory, is a place for government, industry, and academia to collaborate on solutions to securing complex information systems and protecting the nation’s critical infrastructure by improving prevention, detection, and responses to cyber vulnerabilities and threats. Collaborators create guidelines for standards-based, modular, repeatable, usable, and transparent commercially available solutions to improve the cyber protection landscape.
Grayson explained that the NIST report Securing Telehealth Remote Patient Monitoring Ecosystem (SP 1800-30) outlines frameworks for risk management, cybersecurity, and privacy controls for remote patient monitoring systems on the part of the patient, the clinician, and the health care delivery organization (Cawthra et al., 2022). The goal of SP 1800-30 is to provide practical, repeatable implementations and security capabilities that ensure patient safety and privacy during remote monitoring. She said the report and its associated resources can help health care delivery organizations learn how to identify and understand security risks, create appropriately secure partnerships with telehealth platforms, and consider future technology to augment data protections.
Participants discussed a range of issues related to licensing, security, and privacy concerns in telehealth.
Practicing Across State Lines
Marquita Sullivan, Social Security Administration, asked why some states had not yet adopted the IMLC and other interstate compacts. Robin replied that some may misunderstand the aim of the compacts or fear that such agreements violate their state sovereignty. She emphasized that they do not interfere with state sovereignty, as clinicians must still abide by the rules of the patient’s state and state medical boards are still responsible for investigating complaints related to telehealth. She suggested that cost may also be a perceived barrier, although there are no fees for states to join and these compacts can increase a state’s workforce.
In response to a question about clinician fees, Robin clarified that clinicians with multiple licenses must pay fees in every state in which they wish to practice, noting that some states have lowered their license fees as a result. She added that the multiple business models involved in telehealth delivery, as well as states’ differing licensing rules, could also affect fees for clinicians.
In response to a question about malpractice insurance for practicing across state lines, McGinley said that malpractice insurance would likely cover telehealth interactions with patients who have an established relationship with the clinical practice from previous in-person visits. She added that the answer is less clear if the physician is in one state, the patient is in another, and the patient has not already established the clinician–patient relationship in person in the physician’s state. She said this is likely an issue that is of particular importance to companies that focus exclusively on telehealth and do not provide any in-person services.
HIPAA Compliance Issues
McGinley stated that from a clinical perspective, verbal consent is sufficient for HIPAA compliance during a telehealth visit, but noted that clinicians often request written consent out of concern about HIPAA violations and privacy breaches. Robin added that FSMB encourages as much documentation as possible, whether for telehealth or in-person visits.
McGinley noted that one problem raised by the expansion of telehealth into platforms such as FaceTime and Zoom is that these third-party platforms cannot be audited the way integrated medical systems can. She explained that platforms with established Business Associate Agreements (BAAs) can be audited and are therefore more likely to be fully compliant with all the relevant regulations, one reason why Cleveland Clinic moved away from the more open platforms that were allowed during the pandemic. McGinley suggested that health care organizations’ legal and information technology departments should scrutinize the agreements they have with all of the telehealth platforms they use—including both legacy and newer systems—to ensure that the appropriate PHI security measures, encryption practices, liability-sharing frameworks, and HIPAA compliance are in place. She said that while there is no one set of rules to address every issue, it is important for institutions to balance telehealth access with PHI security.
Grayson noted that BAAs are not mentioned in SP 1800-30, but the NCCoE does have resources to address issues such as cyber hygiene, HIPAA compliance, and encryption in order to keep telehealth both secure and barrier free. Pulivarti added that when creating SP 1800-30, the NCCoE collaborated with Internet of Things (IoT) companies to identify and address security weaknesses at the health care delivery organization level so vulnerabilities could be mitigated at the source, before patients or clinicians use an IoT device. He added that the public has a growing awareness of the need for online privacy, and clinicians should take these security measures seriously.
Simon Robarts, VA Canada, asked if there were any examples of lawsuits stemming from breaches of confidentiality or failure to provide adequate care via telehealth. McGinley, Robin, and Lee said they were not aware of any directed at health care organizations, though there have been some involving third-party organizations.
The bottom line, McGinley stated, was that important elements such as portable licensure, HIPAA compliance, privacy, and cybersecurity must be addressed and balanced with the ultimate goal of caring for patients. She suggested that relevant rules and regulations in these areas need to be redefined to overcome barriers to patient access while addressing new and future technologies and the security challenges they will inevitably bring.