How Can Healthcare Professionals Manage the Risks of Virtual Care?
November 26, 2020
What is virtual care?
What are the challenges of virtual care?
Best Practices for Healthcare Professionals
The COVID-19 pandemic has led to a surge in the demand, availability, and usage of telemedicine. Since March, Healthcare Professionals have been advised to avoid non-essential in-person care wherever possible. As a result, many have turned to online services as a channel of care to mitigate the spread of the virus.
Virtual care is an acceptable and necessary substitute for in-person services and when used appropriately, can be a powerful tool to connect with clients. But in a digital world, there are several professional, ethical, and legal factors that Healthcare Professionals must consider when providing online services. In fact, the very nature of telemedicine itself—the lack of non-verbal cues, reliance on third-party software, barriers to privacy, and more—exacerbates the existing challenges of medical practice and poses new risks to the security of confidential data.
To help you navigate this new frontier, we’ve put together a risk management guide to address the key risks of virtual care and best practices to mitigate them.
Disclaimer: The information presented herein offers guidelines only to present an understanding of the complexities of virtual care. It is not intended to be exhaustive or take the place of medical advice, nor will it apply to all individuals, situations or circumstances. Please consult a licensed insurance representative for information or advice on all insurance-related matters, or a lawyer for any legal matters.
What is virtual care?
Online services (also called virtual care, telemedicine, telepractice, telehealth, telecare, e-health, or e-services) refer to medical services that can be provided through any:
- Electronic device (computer, tablet, smartphone, landline); or
- Electronic format (Internet, text, video, online chat, email, social media, or other communication technologies).
Virtual care can be used as a standalone remote service delivery model or in combination with in-person treatment for a wide array of healthcare services including: assessment, evaluation, intervention, monitoring, supervision, education, therapy, and consultation.
What are the Challenges of Virtual Care?
1. Continuity of Care
Healthcare Professionals must ensure that the welfare, safety, and best interest of the client remains a top priority throughout the provision of online services. Regardless of the channel or platform used, virtual care must meet the same professional, ethical, and legal obligations required for services delivered in-person, including any jurisdictional, institutional, and regulatory requirements governing the nature of practice.
Consider the following:
- Communication: Do you know how to approach any cultural, environmental, economic, mental or physical ability, linguistic, or other issues that may affect the delivery or use of these services by clients?
- Digital Literacy: How will you handle clients who have difficulty using technology? Do you need to develop orientation materials and instructions? What will you do if clients decline virtual services?
- Quality Control: How will you determine if telehealth is effective and efficient in meeting the set outcomes and goals for each client? How will you address and resolve any potential issues that arise during online sessions?
If a client feels your services have fallen below the standard of care—even if you’ve done nothing wrong—you could face a claim for failure to render services or breach of professional duty.
PRO Tips:
- Exercise your clinical judgement. Each situation is unique and must be carefully addressed on a case-by-case basis. Determine if virtual care is right for you and your client(s) and tailor your approach based on the context (e.g. location, access, equipment, condition). Remember, in-person services should only proceed if the anticipated benefits outweigh the risks to client, practitioner, staff, and general public safety.
- Make sure you’re up-to-date on your College’s Standards of Practice for virtual care, including procedures for follow-up, transfer, or termination of care. If you must deviate from a Standard of Practice—even if it’s to act in the client’s best interest—confirm with your College first.
- Be cognizant of cultural and social differences among clients and in their use of communication technologies. Assess cultural, environmental, and linguistic issues and provide relevant materials as needed.
  - For example, if clients require interpretation services, make arrangements to include a qualified interpreter in telehealth sessions. Family members and friends are only suitable in the event of an emergency.
- Monitor your services. Consistently and critically re-evaluate your professional and technical competencies and services to ensure clients are receiving the best care possible.
- Stay informed. Public health guidance is likely to change as the pandemic evolves. Keep current with any updates to legislation, regulations, standards, policies, and procedures related to virtual care.
2. Competence
With the swift transition to remote work and rapid influx of virtual clients, many Healthcare Professionals have jumped online without first considering whether or not they are truly qualified or knowledgeable to uphold the standard of care.
When assessing your ability to provide telemedicine services, ask yourself:
- Skill: Are you professionally and technically competent enough to provide virtual care without compromising your Standards of Practice? Do you have the existing knowledge, training, or skills on telemedicine or the time to develop them? Can you instruct clients on how to operate and troubleshoot online platforms, if necessary?
- Approach: Are you able to engage meaningfully and effectively with clients without direct physical contact?
PRO Tips:
Telemedicine requires both a theoretical and practical understanding of communication technologies for maximum efficacy. To reduce competence-related risks:
- Be proactive. Keep up with emerging trends related to the delivery of online services. Review relevant literature related to specific telehealth modalities, their outcomes, and their suitability for different clients. Remember, not all clients or conditions will lend themselves to the same service or platform.
- Seek additional telemedicine education, training, and certifications to improve your services, such as text-only counselling techniques, coaching on ethical issues, best practices for different platforms, and the use of encryption technologies.
- Be aware of the communication challenges associated with virtual care (e.g. the lack of non-verbal cues or body language, difficulty building rapport, the limitations of written communication, appearing disinterested or distracted). Establish reasonable strategies to address these cues.
3. Consent and Transparency
Although your clients may have consented to your services in the past, virtual care opens new gaps in communication and understanding that haven’t previously been addressed or encountered in in-person sessions. Are clients aware of:
- The extent and nature, potential benefits and risks, and technology-related vulnerabilities of the virtual services available to them?
- What electronic mediums are being used, why, and how often?
- Whether or not their online correspondence may become part of their client record?
If members do not provide a clear understanding of telemedicine practices, clients cannot truly consent to virtual care or the use of their personal data, leaving members exposed to claims of negligence, misrepresentation, and miscommunication.
PRO Tips:
Telemedicine and virtual service policies, obtaining consent, and proper documentation are key to providing competent, ethical care.
Telemedicine Policies:
Develop and implement a written telemedicine policy that outlines:
- Your professional obligations as a regulated professional, including which services you can virtually provide, benefits and limitations of care, and reasonable alternatives;
- Crisis management procedures for all foreseeable emergency scenarios;
- The specific tools and technology to be used and any materials or equipment required by the client to access telehealth services;
- Confidentiality issues, any potential threats to the security of client data on each specific platform used, and the safeguards in place to combat these threats;
- Data stewardship and how you will securely document, store, and dispose of client records (including all digital correspondence);
- The process for notifying clients of a breach of confidential data;
- Procedures for the coordination of virtual care with other professionals, if needed;
- A clear and complete description of end-user costs and billing processes; and
- How often, when, and under what circumstances you will correspond with clients.
Remember: a strong, thorough policy doesn’t just protect you and your clients; it’ll also boost your credibility as a professional, reputable Healthcare Professional.
Informed Consent:
Regardless of whether the service is an assessment, treatment, or consultation, be sure to:
- Obtain verbal consent over the phone first and confirm with written consent via email through a secure, encrypted connection.
- A paper form is not a substitute for a full discussion. Review your telemedicine policy at the outset of your work with clients and ensure they have a full understanding of all matters covered in the consent form, especially on:
  - The nature and duration of care provided, and any benefits, risks, limitations, potential outcomes, and alternatives to telehealth;
  - The collection, use, storage, transmission, and disclosure of their personal information and any limits to data security.
- Inform clients they have the right to: information about the content of their records; revoke consent and refuse or discontinue telemedicine services at any time; and seek out alternative options.
- Ensure all consenting procedures are compliant with your regulatory body, professional standards of practice and all organizational policies (especially for out-of-province clients).
- Some clients may be unable to consent due to age, cognitive capacity, illness, or language barriers. In these cases, seek out a substitute decision maker (e.g. the appropriate relative or caregiver) in accordance with the appropriate legislation and organizational policies.
- Ensure that clients have sufficient opportunity to ask questions and access to appropriate channels to report any concerns.
- Provide information in a manner that is understandable and culturally appropriate for the client.
- Document any consent-related discussions (and the client’s decision) within your records.
- Consent is an ongoing process. Routinely revisit the policy with clients and continue to have clear conversations regarding confidentiality, documentation, and data storage throughout the duration of professional care.
Documentation:
- Maintain a comprehensive clinical record of the client’s care in accordance with all applicable professional and legal regulations for the recordkeeping, confidentiality, and disclosure of health information, including your College’s guidelines.
- Be aware of any additional recordkeeping standards or requirements in the jurisdiction(s) where services are provided.
- Document all interactions with and services provided to clients, including your rationale for providing virtual care, how services are provided, and what technology platforms are used.
- Describe any identity verification processes required for clients, other healthcare providers, support personnel, and any of the client’s family and/or caregivers involved in the session.
- Inform clients that digital and electronic communications will be included in their records.
- Record both you and your client’s location (province only) in your notes at the beginning of each session—this may be important in the event of a claim or emergency management protocol to determine which local regulations will apply.
4. Jurisdiction
Due to travel restrictions and quarantines, you and/or clients may be temporarily located outside of the province or country. While virtual care enables Healthcare Professionals to connect with clients across these distances, be sure to consider the risks of interjurisdictional practice before offering any services out-of-province.
Risks include:
- Liability: When a Healthcare Professional and their client reside in the same province, location isn’t typically a factor in determining liability. But if they’re in different jurisdictions, generally speaking, the laws of the region in which care is provided or in which the client resides (even if temporarily) will prevail in the event of a claim.
- License Portability: Depending on the province (or country), additional licensing, consent, or billing regulations may apply. For example, while some jurisdictions may allow Healthcare Professionals to provide e-services immediately, others may require clients to be examined face-to-face before telehealth is offered under any circumstances. In some cases, you may even need a license for both the jurisdiction where you are located AND where your client is located.
- Insurance: Based on your Professional Liability Insurance policy, you may not automatically be covered for services provided out-of-province or outside of Canada. It’s also worth noting that Professional Liability Insurance doesn’t cover any intentionally wrongful, fraudulent, or illegal acts. So if you knowingly provide medical services without a license in a region that requires it, you could come under fire for unlawful or illegal practice, in which case your policy won’t apply.
PRO Tips:
Ethical practice includes staying on top of and adhering to relevant legal and licensing regulations. Remember to:
- Confirm the identity and the physical location of the client receiving virtual care. Make sure your client is aware they need to inform you if they move to another province.
- Contact the relevant College in your client’s jurisdiction to obtain relevant information and documents regarding regulatory and registration/licensing requirements.
- Be aware of and institute practices that align with the legislation, standards, and guidelines for professional practice, virtual care, and privacy within the client’s jurisdiction. This includes matters such as: age of consent, definition of capacity to consent, documentation procedures, privacy restrictions, and mandatory reporting requirements.
- Request an additional license from the appropriate regulatory or legal body if needed, or if possible.
- Obtain legal advice and contact your broker to inquire about your insurance coverage, especially if you’re looking to offer services to clients who are residents of other countries. You may need separate coverage for lawsuits brought against you in a jurisdiction outside of Canada.
- Ensure you have adequate information about the client’s jurisdiction to provide effective care and offer appropriate recommendations or referrals (e.g. availability of local resources, products, equipment). Make any limitations in knowledge clear to the client.
5. Use of Technology
The efficacy of virtual care may be hampered by clients’ access to, ability to use, and the availability of certain technology, equipment, connectivity/bandwidth speeds, and other requirements.
- Access: Does your client have access to the technology supports necessary for virtual care (e.g. computer, webcam or built-in camera, functional speakers)?
- Availability: How will you manage technology malfunctions or disruptions in internet service?
- Ability: Will your client’s physical, cognitive, or mental health status impact their ability to use online platforms? Will they be able to manage independently or will they require assistance at home?
Remember, all technology used for online services must:
- Be accessible to clients, the client’s family and/or caregivers, and any others involved in their care and be of sufficient quality;
- Be aligned with the client’s diagnosis and/or impairment, cognitive capacity, therapeutic needs, cultural considerations, and any other specific factors or circumstances; and
- Offer reliable, efficient, and high-quality audio and/or video to allow users to communicate effectively and providers to form accurate and appropriate healthcare decisions.
PRO Tips:
- Ensure your client has access to technical support services during business hours.
- Establish a process to quickly contact the client in case of technical difficulties. Book time buffers between appointments to allow for any unanticipated delays.
- Develop and/or distribute virtual care education resources if necessary (PDF documents or links to guides on an external website).
- Obtain feedback to enhance future virtual experiences.
- If needed, consult with IT experts to identify the appropriate media for professional use, which must be suitable for your technical skill, practice, and clients.
6. Crisis Response
As a Healthcare Professional, you’re trained to expect the unexpected. But are you prepared for any complications or crisis scenarios that might arise throughout the delivery of online services? How will you respond if your client suffers a behavioural or emotional outburst, poses a risk of harm to themselves or another person, or experiences a medical emergency?
PRO Tips:
- Establish a contingency plan for all possible clinical, medical, technical, or environmental risks or scenarios, such as: disruptions in electronic communications (e.g. equipment breakdown, power outages, loss of Internet signal); medical emergencies; a client posing a risk of self-harm; environmental hazards; etc.
- Collaborate with clients to identify appropriate community supports, qualified healthcare providers, and emergency personnel who can provide local back-up assistance for urgent needs.
- Be aware of jurisdictional involuntary hospitalization laws for out-of-province clients.
- Secure an emergency contact in case of the client’s unexplained absence.
- Communicate all crisis procedures with clients prior to treatment and obtain consent.
- Routinely review your contingency plans and update them as needed.
7. Client Relationships
While online communications like smartphone apps, online chat, and text messaging are client-centered, efficient, and quick, they are inherently more casual and increase the potential for more informal interaction. Be cautious about blurred boundaries in these situations. Although there may be a professional purpose, the nature and content of online communications on a particular platform can give the appearance of a personal relationship to the outside eye. Even minor boundary transgressions can send a mixed message, especially if youth are involved.
Consider the boundary implications of:
- Accepting a “friend” request from a client on a social networking site;
- Communicating at hours that may not be ordinarily authorized by your agency;
- Consulting on non-treatment related matters via text or video (e.g. a client needs help with a home repair or needs some “friendly” advice).
PRO Tips:
- Establish clear, appropriate, and professional boundaries with all clients just as you would for any in-person interactions.
- Be transparent about the purposes of each communication technology used. Can clients share clinical reflections via text or email, or should they instead be reserved for administrative purposes, like scheduling appointments or billing?
- Avoid communication with clients through online chat, text messages, or video for personal or non-work-related purposes.
- Be mindful of the timing of your responses, the locations from which you reply, and the tone of the language used in texts and emails.
- Have appropriately displayed backgrounds on video and be aware of warning signs for boundary crossings (e.g. excessive personal disclosure, development of personal relationships, etc.)
- Manage client expectations regarding the immediacy of responses to all forms of communication. How will your services be organized in terms of appointment times and duration? Under what circumstances and how often will you respond? Will you be available at all times or within regular hours? What are the implications of a delay in response?
- Document all communications according to the appropriate regulations.
- Ensure you are adhering to school board policy rules if communicating with youth.
8. Privacy and Confidentiality
The expectations for protecting the privacy and confidentiality of client personal health information (PHI) during telehealth services are the same as when providing in-person care. However, working from home, particularly in a shared space, makes it difficult to guarantee a secure, private environment.
Consider the following:
- Environment: Does your environment support delivery of virtual care in a confidential, private manner? Will others be in the room? How can you reduce or eliminate the risk of information being overheard by others?
- Client End: How secure is the client’s end? Are there other people around the client who may hear personal information without the client’s consent? Are you and your client both using a password-protected, secure internet connection, not public unsecured WiFi?
- Identity: How will you minimize the risk of someone impersonating a client, gaining access to health information, or influencing a member’s assessment or opinion of them?
PRO Tips:
All Healthcare Professionals using telepractice services are responsible for implementing procedures in their physical environment to reduce the risk of theft, loss, tampering, interference, and unauthorized access to information.
- Be transparent about the limits to privacy and confidentiality, the risks of inadvertent disclosure when using communication technologies, and the steps you have taken to safeguard their privacy.
- Ensure that all virtual care sessions take place in a private location where you cannot be overheard. Advise clients to do the same or consider an alternate platform if physical privacy cannot be guaranteed (e.g. online chat).
- Obtain consent from the client to allow any additional participants and observers to be present during telepractice sessions.
- Verify the identity of the client, other healthcare providers, and any support personnel involved to address imposter concerns. Use identity code words or numbers rather than personal information and document the verification process.
- Ensure that virtual care technology and equipment are safely stored and secure when not in use to prevent unauthorized access.
- If possible, use a headset to reduce the risk of being overheard.
- If a camera is used, try to ensure your screen is concealed from others’ view (e.g. privacy screen protectors).
- Refrain from disclosing information to anyone else without consent, including messages, photographs, videos, or any other materials—unless disclosure is necessary to prevent serious and imminent harm or comply with regulations and court orders.
9. Data Security
Telemedicine must meet all requirements for data stewardship under applicable provincial privacy legislation, such as: HIA in Alberta, PIPA BC in BC, PHIPA in Ontario, APPIPS in Quebec, and more. If a healthcare organization fails to safeguard, retain, or dispose of client PHI under their custody—if they’re found negligent in the event of a privacy breach—they could be liable for up to $1,000,000 in compliance violations ($200,000 for individuals).
Healthcare Professionals must ensure that all programs, platforms, and equipment used for telepractice are safe and secure in order to protect the privacy of PHI, while still being easily accessible and navigable for clients.
When selecting a platform, ask yourself:
- Platforms: What applications and services will be used and are they compliant with applicable healthcare and privacy legislation? Are you able to use a telepractice system that ensures client confidentiality and privacy?
- Devices: Are you using a personal computer, mobile, or other device? Do others have access to it? What kind of security measures do you have in place?
PRO Tips:
No matter what system or channel you use to provide virtual care, you need to take steps to minimize the chance of a privacy breach.
Security Safeguards:
- Ensure that all security mechanisms, policies, and practices are compliant with the relevant institutional and professional regulations in the jurisdiction where services are provided, including the privacy, confidentiality, and security of client PHI.
- Review your provincial privacy legislation and consult with your College or Privacy Commissioner early on to ensure your processes are aligned with legal requirements.
- Educate yourself on the privacy and security settings of your selected technological tools. All Healthcare Professionals should have a basic understanding of how PHI is transmitted, collected, processed, and stored.
- Create policies for data stewardship (how you store and transmit information to preserve privacy).
- Implement processes that allow for privacy protection, such as: multi-factor authentication, encryption, security safeguards, and more. For practical, immediate steps on how to secure your personal devices, avoid phishing campaigns, and generally stay cyber-safe, click here.
Virtual Platforms:
PROLINK cannot recommend or endorse any appropriate telehealth platforms or comment on their varying degrees of privacy, security, or encryption. It is up to the individual Healthcare Professional to determine what technology is most appropriate to use for their services, verify it meets legal requirements, and obtain informed consent from clients.
Here are some tips to keep in mind when navigating online platforms:
- Not all platforms are uniformly accepted across jurisdictions. Research all platforms before use. Carefully review user agreements to ensure all programs and applications are compliant with applicable regulatory and provincial privacy legislation (e.g. PHIPA for Ontario), especially for out-of-province services. Additionally, inquire with the third-party software provider about who has potential access to the information.
- Engage your IT department or consult with technology specialists to test all devices and systems and ensure they are sufficiently secure to protect client PHI. Set up a schedule for software updates as needed.
- Email communication should only be used if you can guarantee a secure and encrypted connection. If you do not have an encrypted connection, you should first communicate with clients through the phone and obtain consent to send the unencrypted email.
  - If you are using an unencrypted connection, never include personally-identifiable information in the email. This includes name, age, date of birth, address, and more—even if you have consent.
- Stay informed on any updates to provincial legislation and virtual care guidelines.
- Look for virtual platforms that offer end-to-end encryption and do not permit external access to private conversations (this is usually noted in privacy agreements).
  - In particular, Advanced Encryption Standard 128 (abbreviated as “AES 128”) encryption is recommended for healthcare providers.
- Avoid using technology or platforms which record and/or capture data on the cloud or “offsite” without your College’s approval and client’s consent.
10. The Rising Threat of Privacy Breach
Even if you do everything in your power to safeguard client data, a third party could still gain access to information through illegal means.
Before the outbreak of coronavirus, privacy breach was rising in frequency, intensity, and severity across the globe. According to the CIRA Cybersecurity Survey, 71% of Canadian businesses reported experiencing at least one cyber attack in 2018. And small businesses are just as vulnerable. Recent reports from the Ponemon Institute and Verizon show that despite their size, SMEs comprise roughly two-thirds of all data breaches.
With the majority of the world now working from home, opportunist hackers are capitalizing on global fears to prey on worried populations, disrupted workers, and struggling businesses. In fact, according to IBM’s 2020 Cost of a Data Breach Study, having a remote workforce has increased the average global cost of a data breach by nearly $137,000 for a total cost of $4 million USD.
As a Healthcare Professional, it’s not just the loss of data you have to worry about in the event of a breach; there’s also regulatory fines, legal fees, and business interruption costs. Even worse? Diminished goodwill, the loss of client trust and lasting damage to your reputation. Click here to learn more about the costs of a privacy breach in 2020—and how healthcare organizations are affected.
PRO Tips:
If you don’t have existing cyber coverage, consider Data Security & Privacy Breach Insurance. A comprehensive policy can help offset some of the potential financial loss from legal fees, damages, and associated expenses. To learn more, click here.
The Best Practice: Customized Coverage for Healthcare Professionals
As the effects of the coronavirus continue to be felt worldwide, we are witnessing an unprecedented shift towards digital health. And despite not necessarily choosing to do so, clients and providers alike are seeing the merits of telemedicine as an alternative service model that minimizes traditional barriers to healthcare like distance, disability, and financial constraints. While we don’t know what a post-pandemic world will look like just yet, one thing is clear: virtual care is here to stay for the foreseeable future and may even become a permanent part of our lives.
But as our reliance on mobile devices, digital platforms, and online solutions grows, so will our exposure to risk. For many businesses, this may be the first venture into working completely virtually. Infrastructure holes are bound to happen. And even if you do everything in your power to safeguard client information, a third party could still gain access to information through illegal means.
That’s why the best practice of all, no matter what you do or who you work with, is insurance. With over 40 years of experience insuring hundreds of Healthcare Professionals nationwide, PROLINK understands the unique threats you face like no one else. Our Professional Insurance solutions are custom-tailored for the healthcare industry and will help you protect your practice from risk, even if the claims made against you are groundless.
Our comprehensive offerings include:
- Professional Liability Insurance: Protects you (and your business) from allegations of errors, omissions, or negligence committed within the scope of your professional activities, including coverage for online and e-services. Click here to learn more!
- Commercial General Liability (CGL) Insurance: Protects you from third-party claims of injury (including sickness or disease) and property damage caused by your professional activities or employee operations. Click here to learn more!
- Data Security & Privacy Breach Insurance: Protects your digital assets and helps you get your business back online in the event of a privacy breach. Click here to learn more!
To learn more, connect with PROLINK or check here to see if you qualify as a member of a professional association or affinity group!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.