Credentialing, peer review pose problems
There are many potential liability risks that come with the growing use of telemedicine. Mark Kadzielski, JD, an attorney with the law firm of Pepper Hamilton in Los Angeles, offers this summary:
• Physician credentialing and privileging: In July 2011, the Centers for Medicare and Medicaid Services (CMS) enacted its final rule on telemedicine credentialing and privileging and gave healthcare facilities and practitioners more flexibility to accomplish credentialing and privileging of practitioners by doing away with the need for an independent review. CMS' final rule provided processes by which hospitals may rely on the credentialing and privileging decisions of distant-site hospitals or the information provided by other telemedicine entities when making decisions on privileges for practitioners who provide telemedicine services, as long as certain conditions, such as a written agreement between the hospital and distant site, are met.
Soon after, The Joint Commission revised its standards and telemedicine requirements to align with CMS' requirements. Although many states have followed suit, hospitals, healthcare organizations, and healthcare systems must ensure that their credentialing and privileging processes are compliant with federal and state laws as well as the requirements of accreditation bodies to mitigate possible negligent credentialing claims and other risks.
When entering into written agreements with telemedicine entities that claim to credential and privilege their practitioners, hospitals, healthcare organizations, and healthcare systems must determine that any written agreement they receive from a telemedicine entity has been appropriately updated to reflect current legal requirements, clearly establish specific responsibilities of distant-site hospitals and other telemedicine entities, and ensure that written agreements include adequate representations and warranties with regard to the quality of services provided by the distant site and any entity with which the distant site subcontracts. Even then, there still will be risks.
"The risk management concern is that lots of people are pushing telemedicine contracts at you, offering to have doctors you don't know, whose credentials you don't know, practice telemedicine on your patients in your facility," Kadzielski says. "There is great risk when you have telemedicine providers rendering services to your patients and you have not verified that the doctor is up to par. You're relying on someone else's assessment."
• Medical staff bylaws: Under CMS' final rule, when a hospital intends to credential and privilege distant-site practitioners for telemedicine services, the hospital's medical staff bylaws must include criteria for determining the privileges to be granted to such practitioners and a procedure for applying the criteria to those practitioners. Hospitals that credential and privilege distant-site practitioners based on information received from a distant site must review and revise their medical staff bylaws and credentialing and privileging policies to include specific criteria that outline how privileges to distant-site practitioners will be granted in accordance with a written agreement with a distant site.
"Revisions should also be made to address what category of the medical staff certain distant-site practitioners will join, the level of involvement distant-site practitioners may have in medical staff committees, and what procedural rights distant-site practitioners may have," Kadzielski says.
• Physician peer review: As more hospitals, healthcare organizations, and healthcare systems rely on the decisions made by distant-site hospitals or the information provided by other telemedicine entities when making credentialing and privileging decisions, written agreements with the distant site detailing how peer review and internal review information will be shared between the hospital and distant site are required. Hospitals, healthcare organizations, healthcare systems, and telemedicine entities must develop procedures and policies for sharing such information to ensure that the privacy of physician peer review and patient information is appropriately protected while information needed to make accurate credentialing and privileging decisions is regularly shared.
Because information is being shared between two distinct entities, it is essential that any procedure or policy complies with federal privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and is disclosed in a manner that preserves all peer review privileges under state law.
• Patient privacy: Although "HIPAA" and "HIPAA compliant" have become buzzwords among telemedicine entities and vendors, prior to relying on any telemedicine technology to collect and transfer patients' protected health information (PHI), hospitals, healthcare organizations, and healthcare systems should ensure that they have the appropriate secure communication channels in place; have implemented entity- and technology-specific business associate and other confidentiality and privacy agreements, as applicable; have created policies and educated all administrators, employees, and medical staff members regarding the appropriate use of telemedicine technologies; and clearly understand how and what patient information is being collected, communicated, and stored.
Where practitioners provide healthcare services through telemedicine entities, such as tele-radiology, tele-neurology, tele-psychiatry, and tele-dermatology services, written agreements should identify what patient health information may be shared and how telemedicine practitioners will use or maintain patient health records for patient care and healthcare liability purposes.
