Nasscom Community

What Should Healthcare Solution-Providers Know About Telemedicine Regulations?


Although telemedicine has existed for many years, hospitals only began using it at scale in 2020, and adoption was rapid. Telemedicine accounted for less than 1% of primary care visits until February 2020; by April 2020 the figure had risen to 43.5%. Doctors were able to continue treating their regular patients during the pandemic with reduced risk of exposure for both patient and caregiver.

Even as vaccination drives begin, hospitals plan to keep telemedicine as part of their future treatment strategy, because the benefits are hard to ignore. Some research projects that the telemedicine market could grow at a CAGR of 25.8% through 2027.

Telemedicine has opened the door to inclusive, ongoing treatment for patients who live in remote locations or cannot travel to the hospital. It lets chronic patients receive continuous care and avoid unnecessary hospitalisation, and it reduces the load on hospital systems, which can then focus on cases that need critical attention.

While there is optimism about the future of telemedicine, hospitals are concerned about healthcare regulations. In many cases these rules were the reason hospitals delayed their digital transformation plans.

Let’s look at these rules and understand what hospitals can do to strike a balance between complying with the regulations and widely using telemedicine to treat patients.

Why Must Hospitals Adopt A Telemedicine Platform Strategy Compliant With Regulations?

A telemedicine platform handles a large volume of patient data. Patients and the medical team exchange text, pictures, vital signs and so on over the platform, and information is also exchanged (and often stored) through video conferencing. Because this data is protected health information, hospitals have to comply with HIPAA in the US and with the European legal framework where patients or providers are in the EU.

In 1996, then US president Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law, making it mandatory for healthcare organisations. The act was developed to protect patients' sensitive medical data. Today, non-compliance can attract civil penalties of up to $1.5 million per year for each violated provision. Telemedicine platforms have to adhere to the following HIPAA rules:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • Omnibus Rule
  • Breach Notification Rule
  • Enforcement Rule

The European Commission defines telehealth as the provision of healthcare services through ICT. The European legal framework therefore treats it as both a healthcare service and an information society service, so both kinds of regulation apply. Telemedicine also has to comply with the e-Commerce Directive (2000/31/EC), which removes obstacles to cross-border online services and protects the legal rights of businesses and citizens. In addition, telemedicine platforms must comply with the GDPR, under which health data is a special category of personal data (Article 9) that may only be processed on specific legal grounds.

So, what can hospitals do to ensure that their telemedicine platform strategy is compliant? To begin with, they can follow some basic best practices while developing it. For healthcare technology companies building or enhancing modern telehealth platforms, this means building in the capabilities that let hospitals and caregivers apply these practices with ease and transparency.

Best Practices To Follow While Developing Telemedicine Platform
  1. Data encryption – Encryption must be the cornerstone of a compliant telemedicine platform. The platform carries video, images, audio and messages between patients and doctors, and all of it must be encrypted in transit (TLS 1.2 or later) so that traffic intercepted on public Wi-Fi or any other untrusted network is unreadable. Where the platform is designed so that only the patient's and clinician's devices hold the keys (end-to-end encryption), even the platform operator cannot read the content. Data must also be encrypted at rest, with the keys kept separately from the data (for example in a KMS or HSM), so that stolen storage or a leaked database dump on its own yields nothing. Encryption does not replace access control: a compromised authorised account can still read whatever it is allowed to read, so encryption must be paired with strong authentication, least-privilege roles and access logging. Hospitals worry that encryption will hurt performance, but with hardware-accelerated AES on modern CPUs and properly configured TLS the overhead is negligible.
  2. Proper data storage – The first thing every hospital must do is adopt a coherent and robust data protection strategy. This includes data minimisation: store only the data that is actually needed. For example, hospitals should periodically review the relevance of their data and, subject to the retention periods required by HIPAA and applicable medical-record laws, delete records of patients who have died or are no longer treated there. Less stored data means fewer errors and duplicates, a smaller attack surface and less to lose in a breach. If the hospital partners with a third party to store data, it must sign a comprehensive, well-crafted Business Associate Agreement (BAA). The BAA must specify the safeguards the business associate will apply to the data and how it will report security incidents and breaches to the hospital. Access to stored data must be restricted to authorised personnel on a need-to-know basis, and every access must be logged, as the HIPAA Security Rule's audit-control requirement expects.
  3. Regular audits – Regular audits must be part of the BAA with any third party storing data, and hospitals should audit their own platform as well. Audits (risk analyses, access-log reviews and penetration tests) let hospitals find the weak links and vulnerabilities in the system and fix them before they turn into a security incident, which keeps the quality of data security on the telehealth platform high. Failure to perform a security risk analysis could also affect the payments hospitals receive under the Meaningful Use incentive program (now Promoting Interoperability), which rewards the adoption of Electronic Health Records (EHR) and requires such an analysis.
  4. Secure in-app connection – Although encryption makes intercepted data unreadable, hospitals must make sure that patient-hospital communication happens over a secure, authenticated channel inside the app. In practice this means plain email, SMS and consumer messaging or calling apps that offer no BAA are not acceptable channels for patient data. Hospitals must use a HIPAA-compliant platform whose in-app connection authenticates both the user and the server and encrypts the session. They can build and operate the messaging component themselves or use a vendor's solution under a BAA.
  5. Data backup – According to HIPAA, all covered entities must maintain retrievable exact copies of electronic health records as part of a data backup plan. This is not optional; it is a required safeguard under the Security Rule. Backups allow the data to be recovered after a disaster, and frequent backups let hospitals ensure continuity of care. Backup and disaster recovery strategies must be comprehensive and actually deployable: backups must be encrypted like the primary data, stored separately from it, and restore procedures must be tested regularly. Hospitals must also prepare a security policy that ensures data is backed up correctly and audited regularly.
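To make the encryption-at-rest point in item 1 concrete, here is an added example (not code from the original post or from GS Lab) of sealing a stored record with AES-256-GCM in Go, using only the standard library. The record identifier is passed as associated data, so a ciphertext that is copied from one patient's row into another's, or modified in storage, is rejected on decryption rather than silently decrypted. Everything in it is assumed for illustration: the key is generated in application memory (a real platform would fetch or unwrap it from a KMS or HSM), and the record ID and vitals note are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedRecord is what the platform stores for one artefact: the record ID
// and nonce are kept in the clear, the content is AES-256-GCM ciphertext
// with the authentication tag appended.
type SealedRecord struct {
	RecordID   string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a random 32-byte data-encryption key. Illustrative only:
// a production platform would obtain this key from a KMS/HSM rather than
// generate it in application memory.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD wraps the key in AES-GCM; a 32-byte key selects AES-256.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for storage. The record ID is passed as associated
// data: it is authenticated but not encrypted, which binds the ciphertext to
// that one record. A fresh random 96-bit nonce is used per record; at very
// high record volumes under one key, rotate the key rather than rely on
// random nonces alone.
func Seal(key []byte, recordID string, plaintext []byte) (SealedRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return SealedRecord{RecordID: recordID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a stored record under the ID the caller expects to be
// reading. If the ciphertext was modified, or was moved from a different
// record, the GCM tag check fails and no plaintext is returned.
func Open(key []byte, expectedID string, r SealedRecord) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, r.Nonce, r.Ciphertext, []byte(expectedID))
	if err != nil {
		return nil, errors.New("record rejected: tampered or bound to a different record ID")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample of a vitals note as the platform might store it.
	note := []byte("2021-03-04 BP 128/82 SpO2 97% (constructed sample)")
	rec, err := Seal(key, "patient-1042/visit-7", note)
	if err != nil {
		panic(err)
	}
	if pt, err := Open(key, "patient-1042/visit-7", rec); err == nil {
		fmt.Printf("correct record ID: %s\n", pt)
	}
	// The same ciphertext copied into another patient's row is useless:
	// the associated data no longer matches, so decryption is refused.
	if _, err := Open(key, "patient-2001/visit-1", rec); err != nil {
		fmt.Println("swapped record:", err)
	}
	// One flipped bit in storage is detected for the same reason.
	rec.Ciphertext[0] ^= 0x01
	if _, err := Open(key, "patient-1042/visit-7", rec); err != nil {
		fmt.Println("modified record:", err)
	}
}
```

The associated-data binding is the part worth copying: plain encryption without it would still decrypt a ciphertext that an attacker or a buggy migration had moved under another patient's ID. Key handling is deliberately left out of the example; in a real platform the data-encryption key should never sit in the database next to the records it protects.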

The pandemic has hastened the digital transformation of the healthcare industry. Governments have recognised the importance of emerging technologies such as telemedicine and have relaxed some rules to accelerate their use. Telemedicine platforms are patient-centric and provide cost-effective, convenient care while promoting safety at this crucial time. Since telemedicine is here to stay, it is time for hospitals to embrace it as a way to treat patients.

However, much depends on their ability to find and deploy a compliant and robust telemedicine platform. 


The blog was originally posted on GS Lab’s Website. 

Author: Mandar Gadre, Director of Engineering – Healthcare & Manufacturing at GS Lab