Can Doctor’s Use Skype for Telemedicine? Not in Oklahoma

Can Doctor’s Use Skype for Telemedicine? Not in Oklahoma Can Doctor’s Use Skype for Telemedicine? Not in Oklahoma Can Doctor’s Use Skype for Telemedicine? Not in Oklahoma Can Doctor’s Use Skype for Telemedicine? Not in Oklahoma Can Doctor’s Use Skype for Telemedicine? Not in Oklahoma Can Doctor’s Use Skype for Telemedicine? Not in Oklahoma
Oklahoma Board of Medicine Suspends Doctor for Using Skype - During a hearing on September 12, 2013, the Oklahoma Board of Medical Licensure and Supervision suspended Dr. Thomas Edward Trow for, among other things, using Skype in his telepsychiatry practice. The information came to light based on a complaint filed by the Oklahoma Health Care Authority ("OHCA") in March 2012 alleging that Dr. Trow was "practicing Telemedicine via Skype on SoonerCare members and prescribing [controlled dangerous substances] without ever seeing the patients in person for initial evaluation." [1] Dr. Trow was suspended from practice for nine months, after which he is subject to a two year probationary period. Additionally, he must complete a drug prescribing course, must furnish a copy of the Board's Order to every state where he is licensed, may not supervise allied health professionals, and he must comply with a number of other restrictions.


[Jump to Take-a-Ways]

Similar to a number of other states, Oklahoma permits the practice of telemedicine so long as practitioners comply with the Oklahoma Telemedicine Act [2] and the rules and regulations set forth by the Oklahoma State Department of Health. Additionally, practitioners serving Oklahoma's Medicaid holders under the SoonerCare program must comply with the requirements set forth by the OHCA, the agency in charge of SoonerCare and responsible for providing the health insurance benefits for the Medicaid program.

Among other requirements, OHCA limits SoonerCare coverage for services provided via telemedicine to "consultations, office visits, individual psychotherapy, psychiatric diagnostic interview examinations and testing, behavioral health assessments, behavioral health service plan development, pharmacologic management, and services for medically high risk pregnancies." [3] Further, OHCA explicitly states that the following are non-covered services:
(1) Telephone conversation;
(2) Electronic mail message;

(3) Facsimile;

(4) Unencrypted, non-HIPAA complaint Internet-based communications;

(5) Video cell phone interactions;

(6) Outpatient surgical services;

(7) Home Health services;

(8) Well child checkups, and preventive visits;

(9) Laboratory services;

(10) Audiologist services;

(11) Care coordination services; and

(12) Physical, speech, or occupational therapy services.

Dr. Trow's Case

Dr. Trow was practicing telepsychiatry and pain management through his employer, the Hartsell Psychiatric Clinic. According to the Board's Order, Dr. Trow's "pharmacy record indicate[d] that a significant portion of his practice [was] pain management" and a review of twelve patients' pharmacy records showed that he prescribed a number of controlled dangerous substances ("CDS"), including morphine, fentanyl, oxycodone, hydrocodone, oxycontin and methadone. [4]

Dr. Trow was reported to the Board by three different parties. In October 2011, "SM, D.O. called to report his concerns that three (3) patients of Defendant's were receiving a large amount of Xanax." [5] In November 2011, "Complainant TL, daughter of a deceased patient, filed a complaint with the Board of Examiners of Psychologists against [Dr.Trow] stating he prescribed CDS to her father, a known addict, 62-year-old Patient RC, who eventually died." [6] Then, in March 2012, "Complainant AM with the . . . OHCA . . . reported that [Dr. Trow was] practicing Telemedicine via Skype on SoonerCare members and prescribing CDS without ever seeing the patients in person for initial evaluation."

The OHCA  notified Dr. Trow that his practices were questionable in an August 2012 letter, noting the following problems:
a) no approved contract with OHCA, using unapproved equipment and no patient consent forms authorizing telemedicine;

b) being able to only produce 8 out of 1 0 patient records they requested;

c) their physician reviewer had concerns about the quantity of CDS and lack of documentation such as pain contracts, random drug screens, pharmacy record monitoring;

d) limited physician documentation with no physical findings; and

e) no countersign by the doctor on verbal orders noted by tile LPN. [7]
OHCA sent another letter in November 2011 "describing their concerns in more detail such as
no initial contact with patients, no complete medical records at both ends of the telecommunication network, HIPAA violations by using unapproved network, nurses acting with little supervision, drug screens showing use of illicit drugs but no change in practice for prescribing, and admission by [Dr. Trow] that sometimes he didn't even see the patient on Skype but treated over the phone giving verbal orders to the LPN on the other end." [8]

In his defense, Dr. Trow argued, in part, that he believed that it was his employer's responsibility to obtain the contract with OHCA and to comply with equipment requirements and that he thought his employer took care of those tasks.

In addition to the use of Skype, an unapproved telemedicine enabling technology, a number of Dr. Trow's other practices violated the Oklahoma Telemedicine Act and OHCA rules and regulations governing telemedicine. The Board concluded that Dr. Trow was guilty of unprofessional conduct, primarily due to his prescribing practices-of the nine findings demonstrating unprofessional conduct, six involved the explicit mention of "prescribing" and/or "dispensing." [9]

Using Skype to Communicate with Patients

While the primary focus of the Oklahoma case was on Dr. Trow's prescribing practices, the Board did state unequivocally that "Skype is not an approved method of providing Telemedicine." [10]

The OHCA Telemedicine Rule ("Rule") requires that a "telemedicine encounter must comply with the Health Information Portability and Accountability Act ('HIPAA')." [11] Additionally, the Rule requires that the "medical or behavioral health related service must be provided by a distant site provider that is located at an approved HIPAA compliant site, or site in compliance with HIPAA Security Standards. A telemedicine approved site is one that has the proper security measures in place, the appropriate administrative, physical and technical safeguards should be in place that ensure the confidentiality, integrity, and security of electronic protected health information." [12] OHCA further specifies that "[a]ll communications must be on a secured Virtual Private Network (VPN) that complies with HIPAA Encryption and Redundancy requirements." [13]

But, according to Skype's Privacy Policy:
Skype may sometimes, if necessary, share your personal and traffic data with Skype's group companies, carriers, partner service providers and/or agents. . . .

In addition to Skype's cookies, Skype's analytics, ad-serving and affiliate partners may set cookies and access cookies on your computer, when you are using the Skype software client or visiting a Skype website and may collect information about your online activities across websites or online services. [14]
Moreover, while Skype does offer some level of encryption, [15] it does not purport to comply with the HIPAA Privacy, Security, and Breach Notification Rules. Skype does not sign business associate agreements, does not provide an audit trail, and does not offer notification in the event of a breach or a security incident.

Accordingly, based on the information provided in Skype's Privacy Policy, Skype does not meet the requirements set out in HIPAA and the HIPAA Privacy, Security and Breach Notification Rules.

  • Importantly, Dr. Trow's case was decided under Oklahoma law. Each state regulates telemedicine differently (if at all). Parties interested in opening a telemedicine based practice should work with counsel licensed in their state to be sure that their endeavor complies with all aspects of state law.
  • Physicians are responsible for their own license. Dr. Trow attempted to shift responsibility of his non-compliance to his employer. But, the Board disregarded this attempt. As such, physicians must keep abreast of legal and regulatory developments so as not to jeopardize their license.
  • As noted above, the primary issue in this case was Dr. Trow's prescribing practices. Prescribing physicians must be keenly aware and very carefully follow all federal and state laws and rules governing prescribing practices.
  • There are many HIPAA compliant video conferencing solutions available. Skype is not a HIPAA compliant option at this time (although it may be at some point in the future). Healthcare practitioners should carefully evaluate whether using Skype is the best means to communicate with their patients and discuss questions and concerns with counsel. Providers should also continue to monitor technical developments because telemedicine enabling technology is changing rapidly.

NOTE: Dr. Trow's case was an administrative matter decided by Oklahoma's Board of Medicine under Oklahoma law. Tatiana Melnik is not licensed to practice law in Oklahoma. Please contact counsel licensed in Oklahoma with questions related to Oklahoma law. For referrals, please check with the Oklahoma Bar Association at https://www.okbar.org.

------------------
[1] State of Oklahoma ex rel. The Oklahoma Board of Medical Licensure and Supervisions v. Thomas Edward Trow, M.D., State Board of Medical Licensure & Supervision, No. 11-11-4439 (Sept. 12, 2013). (PDF)

[2] 36 Okl. St. § 6801 (2013).

[3] OAC 317:30-3-27(a), Telemedicine (2013), available at https://www.okdhs.org/library/policy/oac317/030/03/0027000.htm.

[4] Id. at Agreements & Stipulations  8-9.

[5] Id. at Agreements & Stipulations  4.

[6] Id.

[7] Id. at Agreements & Stipulations  11.

[8] Id. at Agreements & Stipulations  13.

[9] Id. at Conclusion of Law  18.

[10] Id. at Agreements & Stipulations  8.

[11] OAC 317:30-3-27(a), Telemedicine (2013), available at https://www.okdhs.org/library/policy/oac317/030/03/0027000.htm.

[12] Id. at 317:30-3-27(f)(5).

[13] Oklahoma Health Care Authority, Telemedicine: PowerPoint Training 31 (2013), available at http://www.okhca.org/WorkArea/linkit.aspx?LinkIdentifier=id&ItemID=14974&libID=13957.

[14] Microsoft, Inc., Skype Privacy Policy, https://www.skype.com/en/legal/privacy/#disclosureOfInformation (last visited Jan. 19, 2014).

[15] Microsoft, Inc., Does Skype Use Encryption?, https://support.skype.com/en/faq/FA31/does-skype-use-encryption (last visited Jan. 19, 2014).

------------------

Posted on: January 24, 2014

By: Tatiana Melnik

September 2021
SuMoTuWeThFrSa
1234
567891011
12131415161718
19202122232425
2627282930

Blog Home  

Newest Blog Entries
7/23/15 Hospital Settles with OCR for $ 218,400 Over Cloud-Based File Sharing

6/8/15 Two California Privacy Bills to Watch in 2015

3/28/15 When Looking at Security, Consider Every Device

3/9/15 Alabama Board of Optometry Makes Final a Rule on Telemedicine

1/25/15 Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing

12/9/14 Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider

11/30/14 Can a Board of Medicine Use the State’s Prescription Drug Database in Investigating Physician Actions?

11/29/14 Under the Florida Telemedicine Rule, Can a Physical be Conducted by Telemedicine?

11/19/14 Wearables and the Challenge for Consumer Device Makers

10/28/14 A Few Telemedicine Resources

10/27/14 FCC: The Newest Regulator to Throw its Hat into the Data Privacy and Security Ring

Blog Archives
April 2014 (6)
February 2014 (4)
May 2014 (6)
November 2014 (3)
July 2014 (1)
June 2015 (1)
November 2013 (3)
September 2014 (1)
December 2014 (1)
January 2015 (1)
June 2014 (3)
December 2013 (5)
March 2015 (2)
October 2013 (9)
July 2015 (1)
October 2014 (2)
March 2014 (3)
August 2014 (4)
January 2014 (4)

Blog Labels
Dental (1)
FCC (1)
Financial Services (1)
Mobile Apps (2)
Medical Marijuana (1)
Employment (1)
FAQ (6)
Meaningful Use (4)
EHR (2)
Privacy Litigation (3)
Identity Theft (1)
Security (1)
HIPAA (3)
Healthcare Fraud (1)
Marketing (1)
BYOD (2)
Social Media (2)
Mobile Apps FDA (2)
Data Breach (10)
Big Data (3)
Healthcare Competition (1)
Privacy (4)
Telemedicine (7)