Case study: Common data sharing practices among telehealth services

Telehealth service's commitment to responsible and ethical data practices builds trust with users and ensures that their personal and sensitive information remains confidential and protected from unauthorized access or misuse. Therefore, healthcare organizations that employ these services must understand the basic language within the privacy policy and terms of service. 

The four different forms of telehealth services

1. Synchronous Telehealth: This is like having a live video chat with your doctor using a computer or smartphone. You can see and talk to your doctor in real time. Services like Doxy.me primarily fall under this category.
2. Remote Patient Monitoring (RPM): With RPM, doctors can keep an eye on your health from a distance. They use special devices to check your heart rate and send the data to them. It's helpful for people with chronic illnesses.
3. Store-and-Forward Telemedicine: Your health information, like test results or images, is collected, stored securely, and then sent to another doctor for review. It's handy, especially in areas where specialists are not nearby.
4. Mobile Health (mHealth): Your smartphone or smartwatch becomes a health helper. They can track your vital signs, like your heart rate, and even remind you to stay healthy with apps.

See also: How does HIPAA apply to telehealth?

Common types of data collected 

Telehealth services typically collect several types of data to facilitate remote healthcare. These common types of data include:

1. Patient information: Basic information about the patient, such as their name, age, contact details, and medical history, is collected to create a patient profile.
2. Medical records: These include details about a patient's health conditions, medications, allergies, and past treatments. This data helps healthcare providers make informed decisions.
3. Vital signs: Telehealth often involves monitoring vital signs like blood pressure, heart rate, and temperature. Devices can transmit this data in real time for remote assessment.
4. Symptom description: Patients provide information about their current symptoms, how long they've experienced them, and any changes. This helps doctors diagnose and treat the issue.
5. Diagnostic images: X-rays, MRIs, and other diagnostic images may be shared electronically for review by healthcare professionals.
6. Video and audio: During telehealth consultations, video and audio data enable real-time communication between patients and healthcare providers.
7. Chat and messaging: Patients and doctors can exchange text-based messages for non-emergency inquiries, prescription refills, or follow-up questions.
8. Appointment records: Data about scheduled appointments, cancellations, and rescheduling help manage patient-provider interactions efficiently.
9. Billing and payment information: Patient billing and insurance details are collected for payment processing and claims.
10. Prescription records: If medications are prescribed, data on the medication name, dosage, and instructions are recorded.
11. Treatment plans: Information about recommended treatments, referrals to specialists, and follow-up care is documented for reference.
12. Feedback and surveys: Patients may be asked to provide feedback or complete surveys to assess the quality of care and improve services.

See also: HIPAA Compliant Email: The Definitive Guide

How is data used by telehealth services?

A general theme can be found across the various types of telehealth services in how their Privacy Policy outlines the use of data. Doxy.me, as a reference, explicitly mentions that users bear full responsibility for the data they share on the platform, and telehealth services like Doxy.me do not assert any rights or interests in this content. While Doxy.me typically doesn't regularly review user-generated content, it retains the right to monitor, edit, or remove submissions. Users are solely accountable for their content, and Doxy.me assumes no liability for third-party content. 

MeMD, on the other hand, claims ownership of various intellectual property rights associated with their digital assets. This shows the difference an "intellectual property rights" provision can make in how a patient's data can be altered and controlled once they sign onto a service. This includes rights related to content, design elements, trademarks, and more. This is in addition to the common disclosures and uses of user data, which include: 

1. Medical treatment: Healthcare providers, including telemedicine platforms like MEMD and Doxy.me, use patient data to provide medical treatment. This includes diagnosing medical conditions, prescribing medications, and offering medical advice based on the information provided by the patient.
2. Research and analysis: De-identified patient data may be used for medical research and analysis. Researchers can use this data to identify trends, develop treatments, or improve existing ones.
3. Quality improvement: Healthcare organizations use patient data to assess and improve the quality of care. They may analyze data to identify areas for improvement in patient outcomes and patient satisfaction.
4. Billing and insurance: Patient data is used for billing purposes, including submitting claims to insurance companies. This ensures that healthcare services are accurately billed and paid for.
5. Communication: Healthcare providers may use patient data to communicate with patients, schedule appointments, provide test results, and send reminders for follow-up care.

Common practices for data sharing

1. Third-Party service providers: Telehealth services may use third-party service providers (Service Providers) to facilitate and improve their services. These providers are expected to adhere to data protection standards.
2. Cookies and usage data: Telehealth websites may use cookies and collect usage data to enhance user experience and gather insights. Users are often informed about these practices.
3. Virtual waiting rooms: Some telehealth services offer virtual waiting rooms where patients can access information and wait for appointments. Providers and patients must ensure no protected health information (PHI) is shared in these public spaces.
4. Data retention policies: Telehealth services have data retention policies in compliance with relevant laws. Patient data is typically retained for a specific period and securely deleted when no longer needed.
5. Compliance with legal requirements: Telehealth services must comply with applicable laws and regulations. In some cases, they may be legally obliged to share user data with law enforcement agencies or government authorities, particularly in public safety or national security matters.
6. De-identified or aggregated data: Telehealth services may de-identify or aggregate user data for research, analytics, or reporting purposes. De-identified data is stripped of personally identifiable information (PII), making it challenging to trace back to individual users.

Standard provisions that telehealth services utilize to provide additional legal protection

Updates and changes

Telehealth services reserve the right to update their terms, conditions, and privacy policies, and users are expected to review and accept these changes periodically.

Indemnification:

This provision holds users of the digital assets must protect MEMD HEALTHTECH and its owners from any losses, expenses, damages, or costs if they misuse the content and services on the platform. This includes paying for reasonable attorney's fees. Users need to be responsible for their actions and the outcomes that result from them on the platform.

Independent professional judgment and indemnification

Users have an independent and sole responsibility for using the Site and Services, providing services to patients and releasing telehealth services from any potential claims. Doxy.me offers an example of this specifying that users agree to defend, indemnify, and hold Doxy.me harmless from any claims brought by patients or third parties, arising from the use of the Site and Services, regardless of the cause.

Accuracy and integrity of information

MEMD and Doxy.me disclaim responsibility for inaccuracies or errors in the information on their platforms. They encourage users to report any inaccuracies for correction. This protects them from liability for unintentional errors.

Electronic communications

Users consent to receive communications electronically. This provision allows the platforms to communicate with users electronically, a common and efficient way to deliver notices and updates.

Site access and security

Both platforms have rules regarding site access, security, and passwords. Users are prohibited from attempting to breach security measures or engage in unauthorized access. Violations of these rules may result in legal action.

Key terms to look out for

1. License and access: Granting users a limited license to access and use the services, subject to compliance with terms of use.
2. Termination of account: The process by which users can terminate their accounts.
3. Usage data: Data collected automatically, including page visit duration and IP addresses.
4. Provider link: A unique URL for patients to enter a Provider's Waiting Room for a telehealth session.
5. User security: Guidelines and responsibilities for users to maintain the security of their accounts and data when using digital assets.
6. Affiliate: An entity connected to a party through ownership or control.
7. Service provider: A third-party entity or individual assisting in data processing and service provision.
8. Intellectual Property Rights: Ownership and protection of rights related to copyrights, patents, trademarks, trade names, service marks, designs, trade secrets, and inventions.