Telemedicine Meets Privacy & Free Speech

Anonymous, Asynchronous Patients?

Local laws such as state physician licensing rules have limited the adoption of telemedicine.    But the practical effect of some limitations is eroding under new technology and patient civil rights (privacy and free speech).

New Telemedicine Technologies

An online patient can retain increasingly sophisticated services from a physician outside the patient’s state, even outside the country.

The modern patient has a growing array of channels for interacting with a remote physician (or a team of physicians knit together via social media).  Webcams, mobile apps and monitoring devices that work with smartphones are collecting diagnostic data that can be transmitted to a physician anywhere in the world.  The patient can easily provide laboratory results to an online physician.

healthcare delivery
Clinical Patient Image
Patient and physician can engage a rich, extended relationship with little or no direct physical contact.  For example, a mobile app reliably evaluates skin moles by forwarding photographs to board-certified dermatologists.

New technologies are coming.  3D printers, for example, will make the creation of custom medical appliances easier for the patient at home. Apple Inc. is rolling out a smartwatch with many health and fitness sensors.

Telemedicine will marry up with medical tourism, the growing practice of traveling to another country to access medicine or health service that is either forbidden or more expensive in the home country.

Patient Privacy

Does a physician in Japan need to be licensed in Oklahoma to treat an online patient located in Oklahoma?  The answer is very possibly yes.  However, if the physician – out of respect for privacy – never inquires as to the patient’s location, how can the physician know he needs a license in Oklahoma?

Depending on the services being rendered, the physician need not (for purposes of care) know the identity or location of the patient.  The patient can be anonymous, or identified without location.

Patient privacy does matter.  Privacy is more than just an excuse to skirt local physician licensing laws. Privacy is a legal and ethical imperative, which is accorded growing importance today.  In the case described here the patient and the physician use technology in a way that promotes the socially-desirable goal of patient privacy.  The patient is getting treatment in a way that prevents outsiders from knowing about it.

Patient Data Security

Reducing the amount of patient identifying information also promotes data security.  Like patient privacy, data security is more than just an excuse for the physician to avoid being licensed in the patient's home location.

Like patient privacy, data security is a legal and ethical imperative, which is rising in priority in this age of computers.   Data security is very difficult and expensive for health care providers.  Chilling stories about data breaches at health care providers are abundant.

Demanding new laws require healthcare providers to protect patient data. The goals of those laws are achieved when a physician knows the patient only by a pseudonym or user ID and the physician is ignorant of the patient's location.  A data breach would not expose information that could identify the patient to the outside world.

Small Target for Local Authorities

If the online physician, licensed and operating from Japan, truly treats patients from around the world, he is probably not much of a target for investigation and enforcement by authorities in Oklahoma.*   He is likely not to have many patients in Oklahoma.

That’s not to say Oklahoma law does not apply.  It probably does.  Also, a Japanese physician who commits malpractice can probably be sued in Oklahoma courts.

Mitigation of Risk

The physician may be able to mitigate his risk with explicit terms of service accepted by the patient:   The physician is providing only information, like a second opinion, and assumes the patient will get direct care from a local physician.

Asynchronous Interaction

The physician might further mitigate his risk by interacting with the patient only through recordings, not real-time.  By making the interaction non-real-time (asynchronous), the physician emphasizes that his input is merely information, merely a second opinion.  And the physician de-emphasizes his responsibility for any emergency (e.g. the patient faints) that could arise if the physician were treating the patient in real-time.

Anonymity and Asynchronicity Influence Regulation

Physician interaction with an anonymous, asynchronous patient is different from traditional medical care.

When physician interacts with anonymous patient only through recordings, the physician-patient relationship becomes less emotional and more abstract, more intellectual.  It places more control into the hands of the patient, allowing the patient to shop around for input and opinions.  It allows the patient to shop among multiple physicians, or even non-physicians and artificial intelligence systems like IBM's Watson.

The justification for regulation of such interaction is different compared to that for traditional face-to-face medical care.

First Amendment Right to Freedom of Speech

Over regulation of anonymous, recorded interaction will bump against free speech, First Amendment rights.  Recorded interaction seems like patient telling a story and listening for a reply.  Telling a story and listening for a reply is the essence of free speech.  Our society reveres free speech and is reluctant to let government restrain it by regulation.

In other words, when an anonymous patient in Oklahoma is interacting through asynchronous recordings with a physician in Japan, the State of Oklahoma must clear a high burden to prove that it needs to regulate and restrain that interaction.  If the State cannot clear that burden, then its physician licensing regulation will violate the First Amendment and be unconstitutional.

What do you think?


Mr. Wright teaches the law of data security and investigations at the SANS Institute.  (As with all of Mr. Wright's public statements, the purpose of this post is public discussion and not legal advice.  If you need legal advice, you should consult your lawyer.)

*The exception is a case like that of Christian Hageseth.  He was a physician in Colorado who in association with an online pharmacy prescribed psychiatric medication for a California patient.  The physician’s contact with the patient was only an online questionnaire, filled out by the patient.  The patient committed suicide.  The physician was not licensed to write the prescription even in Colorado.  California prosecuted him for practicing in California without a license.

1 comment:

  1. As remote medicine becomes more feasible, the telemedicine doctor will have incentive to arrange payment so she and her office never know the patient's location, name or other significant personally-identifiable information.

    But this payment arrangement will have to be more than simply working out a patient pseudonym with the patient's health insurer. Health insurers will not take steps to help the doctor avoid being licensed in the jurisdiction where the patient is located. If an insurer did take such steps, the local authorities would take legal action against the insurer.

    Something like paypal might serve the telemedicine doctor's needs.