First thing that comes to mind is to check out the indemnity clause in any contract. The clause manages and apportions risk between contracting parties. It should specify under what conditions each party must compensate the other party for unintentional harms, claims, or other liability. It’s often a boring and arcane provision but it’s very important! The clause can manage and minimize your risk by limiting your overall or total liability to a manageable amount through a specific dollar cap or the amount of your investment. Also, limiting liability to actions conducted within the confines of the contract and for actions that are within your own control.

Another way to minimize risk is to make sure your outside vendors are legitimate. Knowing who you are doing business with, identifying what risks they pose, and successfully managing those risks are important. Things to check for are financial viability, what internal controls they have in place to protect sensitive health data, and relationships with past clients.

To help avoid pitfalls and minimize risk, I always recommend conferring with an attorney to determine what is needed for your specific situation.

Agree with Paul entirely that you're going to want to a take a hard look at the contract itself. Another arcane clause to look at it going to be the choice of laws piece. It's easy to skim over, but if something goes wrong and suddenly you find out the contract is operating under the laws of, say, Ireland (that really happened to a client of mine), you're going to find yourself off-balance in how to resolve resulting issues. Related, different states have different warranty statutes, statutes of limitations, and even non-competes that are going to underpin the contract. Local counsel can make a big difference in making sure you know what is going in that contract that you don't "see."

I would also point out that many of the same questions of risk allocation and mitigation that you may be looking at when you're working with a technology vendor are also going to apply if you're the clinician being contracted by a digital health service. The terms vary widely between organization these days so simply because you've worked your way through one agreement, don't assume that those lessons are going to apply to the next.

While everyone wants a plan to go off well and a relationship to start positively and not adversarial, putting in some effort and resources on the front end will save a lot of grief on the back.

You've nailed a few up front. Data privacy, inside of HIPAA or outside, is going to be important. See some discussion below about cybersecurity hardening. Thankfully, HIPAA-secure technologies are readily available and affordable for most telemedicine and telehealth services a practice would be looking to provide, so don't let those concerns be a deterrent.

Also as discussed below, you'll want to be sure you're delivering services, mostly medicine, to the standard of care. A classic example is not trying to diagnose a rash based off of a patient's verbal description alone.

Following your state's licensing laws and telemedicine statutes is going to be important, with a lookout for particular prohibitions that may exist for some types of services such as prescribing controlled substances. Generally speaking, advice from one state is going to have limited applicability to another. That said, there is remarkable work being done in pilots around the country that are absolutely worth looking into to see how they can be adapted for your practice or program.

Definitely agree with Andrew. Outside of HIPAA is state privacy laws which may have more stricter standards than HIPAA (e.g., HIV status) and also the Genetic Information Nondiscrimination Act.

Another potential area is product liability. Digital health products and services may, by reason of defective hardware or software, or incorrect input data, result in harm being caused to their users and recipients. Being aware of potential defects and having a plan of action to contact patients can help decrease liability with defective products.

All of the above! Just wanted to highlight cybersecurity. Network-connected devices and data are vulnerable to attack, exploitation, and unintended loss. Digintal health tools should be assessed as much on their cybersecurity as on performance in randomised trials.

There are no courses or training required before using digital health solutions, per se. That said, there is certainly value in courses and training as both a practitioner and a practice manager to achieve a level of comfort, to see how it may fit into your practice workflow, and how to appropriately bill for services.

There are wonderful resources with the AMA, your local medical society, your specialty society, as well as resource centers like the American Telehealth Association, the Center for Telehealth and e-Health Law, and regional centers like the Mid Atlantic Telehealth Resource Center, if you're over my way. I wouldn't be shy of reaching out to any regulators you work with as well like your local insurance department to learn about payment tools. Many states also have coalitions like Delaware's Telehealth Coalition where you can find local partners and resources.

Generally speaking, there's a strong community of telehealth ambassadors who try hard to dispel rumors and assuage fears.

Clinical evidence and validation play a positive role in limiting risk and liability. From a malpractice perspective, demonstrating that a digital health solution is backed by clinical evidence or has been validated to demonstrate reliability, sensitivity, and specificity can help establish that a provider’s actions were reasonable in using a digital health solution and fit within the standard of care.

Shameless Plug: AMA has several initiatives looking into validating digital health innovations and attempting to answer the question “Does it work?” For more, visit: ama-assn.org/delivering-care/v...

Physicians in particular are also encouraged in the burgeoning market to direct their natural entrepreneurship skills to bringing products, technology platforms, and strategies such as patient adherence to the conversation. The clinical background of the physician theirself can be invaluable in making sure that the tools that are proliferating are actually useful in a practice setting and are impactful to a patient's health outcome. In other words: don't be afraid to be first!

Using digital health tools inconsistent with clinical evidence would probably increase liability exposure.

Great question! I can't find any court decisions referencing HIEs and can't come up with any empirical evidence. The risks and liability of joining an HIE is an evolving legal field and you definitely highlighted some concerns. Physicians may face complex questions and uncertainties related to liability.

Primary liability concerns related to HIEs include:
• Liability for data storage and management
• Liability for data accuracy and completeness
• Liability for decisions made with inaccurate data
• Duty to review
• Reproducibility of data available in the HIE at a particular moment in time
• Availability of audit and access logs

Before joining an HIE, it's important to research any potential HIE partner and clarify special liability protection issues related to
participation prior to signing a contract. Of course, make sure to consult with legal counsel before signing an HIE contract. Physicians should also discuss the malpractice coverage in relationship to HIE participation with their insurance agent.

HIEs obviously involve the sharing of data, so making sure you comply with a variety of federal and state laws relating to both what types of information may be shared and who may share with whom. It can get tricky!

Thank you for the question, Dr. Sneider. My first reaction was to discuss the liability concerns about HIE's and the liability stemming from the security of the data, raised during the implementation of Meaningful Use. However, it sounds like this is more a medmal question.

The extent of any medmal liability is going to be rooted in any harm the patient suffered. An HIE being available or not is probably not going to be a factor in the damage as to raise or lower the harm, per se. Having access to relevant information and choosing not to examine it could be a factor in an overall assessment by the courts, however. Certainly case-by-case will vary dramatically, but it would be the rare instance that failure to check an HIE would lead to a negligence suit directly. Practically speaking, a physician should be able gather relevant information pre-treatment with the patient.

That said, I would advocate for your latter framework. Patients are notoriously forgetful when they're sitting in your exam room and their real history is spread out between urgent cares, hospital systems, walk-ins, and now your office. Access to an HIE, especially during intake, can ensure the best decreased liability tool which is a healthy patient by getting the best look possible.

The persistence of misguided concerns about HIPAA requirements is striking in light of the dearth of private litigation and federal enforcement actions that would signal that a real liability threat exists.

MedMal is exactly my concern, or rather the concern of other physicians I have spoken with about HIE. I agree that access to patient information BEFORE a visit would be helpful, but the current laws concerning consent only allow the doctor access to information with the patient's consent which is usually obtained at the time of a visit. there are workarounds, like having a referring doctor get the consent, or having the patient sign a consent before the visit.

As noted in the first response, there is no case law to refer to, yet, as to whether using an HIE increases or decreases medmal risk. I think the net change will be to improve patient care and reduce risk for the doctor.

Malpractice Insurance: Checking to see if your malpractice carrier covers (or not) digital health practices under your current policy. Some carriers may require disclosure of these practices in order to receive coverage.

Communication: Determining whether you need to update any informed consent forms. Any conversation with patients regarding digital health should be a two-way discussion about the benefits, risks, alternatives, and the consequences of using and potentially declining the use of digital health solutions. In addition, providing help in setting up any digital health solution in the home can help overcome any patient fears or lack of understanding on how the technology works.

Documentation: Using digital health tools may involve transmission across multiple time zones, the receipt of a report that is time and date stamped a day before or after the interpretation of the data or a patient e-visit could raise flags from payers and governmental oversight agencies. Thus, having a standardized documentation protocol can be beneficial to set up when implementing any digital health solutions.

Back-up plan? As I stated below in a related question, digital health solutions can be impacted adversely by interrupted transmission, software incapability, loss of internet or power, and more. Delays in care without proper back-up plans can result in serious consequences for patients. To reduce potential liability, it’s beneficial to have a plan in place in case the digital health solution fails and to discuss the plan and alternatives with patients.

Cybersecurity: Technology has increased connectivity and collaboration in all facets of the healthcare delivery system. Unfortunately, adversaries now have more potential entry points to exploit than ever before and more data to access when they do. These adversaries will target the weakest link in the chain, which may be a new digital health tool.

To piggyback on cybersecurity - many think of cybersecurity has hardening against outside threats, and that's important, but it's internal weaknesses as well that often lead to breaches. For instance, staff using public wifi networks on equipment that has PHI. Staff not being trained in recognition of phishing attempts is also all-too-common and can lead to the perpetuation of the ransomware threat.

Professional Guidelines - Many of the specialty societies now have telehealth and digital health related guidance. The guidance is not law, but for purposes of professional liability and best practices, it's good to be aware of the guidance as it may relate to your patient population. Plus, you may get good ideas on how to implement digital health in your practice's workflow.

Less from a legal liability standpoint and more from a billing liability standpoint, payment for much digital health and telehealth is still a patchwork. Medicare alone, for instance, still links a substantial portion of billing eligibility to rural geography (although this is loosening up somewhat with the advent of new "remote patient monitoring" pathway and codes). It will take a little extra time with the patient's insurer to know what will be reimbursed, but as medicine moves towards fee-for-value, telemedicine is here to stay as it will be an indispensable link between care providers and their panels.

One of them is the use of unauthorized patient data which could give rise to increased privacy-based litigation; also there could be a failure to adequately capture and report adverse events in timely manner.

Along with the issues Prof. Yang has highlighted, I would also add local licensing, local regulatory schemes, and standards of care.

As to local licensing, local laws are important to follow and are disparate. Different states have different requirements and restrictions. A universal is that the medicine follows the patient and the licensing has to be where that patient is located when the services are delivered. It's an easy trap to fall into to say "I'm licensed in State X and I'm in State X, so I can deliver telemedicine services to Patient Y." But Patient Y may not be in State X, they could be in State Y. Additionally, a physician may have different rules than, say, an audiologist, even in the same state.

Similarly, different states have different statutory and regulatory schemes on the use and delivery of telemedicine services (and potentially other digital health like mHealth). For instance, several states require that a physician-patient relationship be formed before diagnosis. That formation may have limitations such as prohibitions on phone-only contact.

Lastly, the standard of care does not change with the technology. To appropriately deliver services via telemedicine, the service must be delivered to the same standard as though the patient were present in the office.

In addition to the above great answers, I'll add:

Consent: Related to state and local laws being different, some states set forth requirements for informed consent in telemedicine and telehealth. There's additional exposure when a care provider fails to engage a patient in a two-way discussion about the benefits, risks, alternatives, and the consequences of refusing to utilize telemedicine.

Delays in Care: Technology-dependent resources can be impacted adversely by slowed transmission, DNS, software incapability, loss of power, and more. Delays in care without proper back-up plans can result in serious consequences for patients.

Privacy and Security: To add on to Prof. Yang's thoughts, digital medicine inherently involves the transmission of protected health information. The potential for unauthorized use, data breaches, and lack of proper security practices in handling this data are definite liability risk exposures.

To avoid a Medicare payment adjustment or receive a Medicaid incentive payment, eligible professionals and hospitals must use an electronic health record (EHR) that is certified for the Promoting Interoperability programs (formerly known as the meaningful use program). That said, these individuals and entities can use a separate, non-certified (or uncertified) systems to calculate numerators and denominators in generating reports on the measured objectives. More importantly, many other types of health care providers in the care continuum are not subject to the Promoting Interoperability programs (e.g., behavioral health professionals).

I’m unaware of any consensus or best practices of non-certified EHR; however, the 2014 and 2015 Edition EHR certification criteria can be generally applicable to EHR technology developed in any setting. Specifically, focusing on the requirements surrounding interoperability, privacy, and security.

Interoperability can open critical communication lines between eligible and “ineligible” health care providers to support broad health care goals, such as care coordination and reduced hospital readmissions. Demonstrating that non-certified products can integrate and are interoperable with certified EHRs could potentially lower risk and liability concerns surrounding information blocking.

The privacy and security criteria can help assure that electronic health information is protected when it is stored and transmitted and that only authorized personnel can access the information. Generally speaking having good privacy and security controls built into any EHR system may help prevent cyberattacks and other breaches of protection health information.

As far as to ONC’s oversight, ONC is focused on certified EHRs. Any consideration of uncertified capabilities or products would be secondary to its review of certified capabilities or products.