After a physician in Oklahoma was disciplined for, among other things, using non-HIPAA compliant technology to treat patients, the Oklahoma Medical Board has adopted a new rule (the “Oklahoma Telemedicine Rule”) regarding the practice of telemedicine in the state. The Oklahoma Telemedicine Rule (Okla. Admin. Code. § 435:10-7-13) sets forth multiple requirements regarding the practice of telemedicine, including that “telemedicine encounters must comply with HIPAA (Health Insurance Portability and Accountability Act of 1996) security measures to ensure that all patient communications and records are secure and remain confidential.” Specifically, audio and video equipment must permit “interactive, real-time communications” and “technology must be HIPAA compliant.” If approved by the Oklahoma Legislature and the Governor, the Oklahoma Telemedicine Rule is expected to go into effect later this year.
The Oklahoma Telemedicine Rule defines ‘telemedicine’ as “the practice of healthcare delivery, diagnosis, consultation, treatment, including but not limited to, the treatment and prevention of conditions appropriate to treatment by telemedicine management, transfer of medical data, or exchange of medical education information by means of audio, video, or data communications. Telemedicine is not a consultation provided by telephone or facsimile machine.”
The Oklahoma Telemedicine Rule is notable because it clarifies requiements regarding the practice of telehealth, and it would also make health care providers responsible for HIPAA compliance to both the state Medical Board and the U.S. Department of Health and Human Services. Each entity would be able to discipline providers separately for non-compliance. Given the recent uptick in both the practice of telemedicine and scrutiny of physicians’ privacy and security practices, other states may consider passing similar rules. To prepare for potential changes and ensure compliance with current law, health care providers who practice telemedicine should confirm that their practices are appropriately secure, and providers of programs that facilitate telehealth should ensure the security of their technology.