Electronic Medical Records – WMA – The World Medical Association

Adopted by the 58^th WMA General Assembly, Copenhagen, Denmark, October 2007
amended by the 69^th WMA General Assembly, Reykjavik, Iceland, October 2018
and rescinded and archived by the 73^rd WMA General Assembly, Berlin, Germany, October 2022

DEFINITION

Telemedicine is the practice of medicine over a distance, in which interventions, diagnoses, therapeutic decisions, and subsequent treatment recommendations are based on patient data, documents and other information transmitted through telecommunication systems.

Telemedicine can take place between a physician and a patient or between two or more physicians including other healthcare professionals.

PREAMBLE

The development and implementation of information and communication technology are creating new and different ways for of practicing medicine. Telemedicine is used for patients who cannot see an appropriate physician timeously because of inaccessibility due to distance, physical disability, employment, family commitments (including caring for others), patients’ cost and physician schedules. It has capacity to reach patients with limited access to medical assistance and have potential to improve health care.
Face-to-face consultation between physician and patient remains the gold standard of clinical care.
The delivery of telemedicine services must be consistent with in-person services and supported by evidence.
The principles of medical ethics that are mandatory for the profession must also be respected in the practice of telemedicine.

PRINCIPLES

Physicians must respect the following ethical guidelines when practicing telemedicine:

1. The patient-physician relationship should be based on a personal examination and sufficient knowledge of the patient’s medical history. Telemedicine should be employed primarily in situations in which a physician cannot be physically present within a safe and acceptable time period. It could also be used in management of chronic conditions or follow-up after initial treatment where it has been proven to be safe and effective.

2. The patient-physician relationship must be based on mutual trust and respect. It is therefore essential that the physician and patient be able to identify each other reliably when telemedicine is employed. In case of consultation between two or more professionals within or between different jurisdictions, the primary physician remains responsible for the care and coordination of the patient with the distant medical team.

3. The physician must aim to ensure that patient confidentiality, privacy and data integrity are not compromised. Data obtained during a telemedicine consultation must be secured to prevent unauthorized access and breaches of identifiable patient information through appropriate and up to date security measures in accordance with local legislation. Electronic transmission of information must also be safeguarded against unauthorized access.

4. Proper informed consent requires that all necessary information regarding the distinctive features of telemedicine visit be explained fully to patients including, but not limited to:

explaining how telemedicine works,
how to schedule appointments,
privacy concerns,
the possibility of technological failure including confidentiality breaches,
protocols for contact during virtual visits,
prescribing policies and coordinating care with other health professionals in a clear and understandable manner, without influencing the patient’s choices.

5. Physicians must be aware that certain telemedicine technologies could be unaffordable to patients and hence impede access. Inequitable access to telemedicine can further widen the health outcomes gap between the poor and the rich.

Autonomy and privacy of the Physician

6. A physician should not to participate in telemedicine if it violates the legal or ethical framework of the country.

7. Telemedicine can potentially infringe on the physician privacy due to 24/7 virtual availability. The physician needs to inform patients about availability and recommend services such as emergency when inaccessible.

8. The physician should exercise their professional autonomy in deciding whether a telemedicine versus face-to-face consultation is appropriate.

9. A physician should exercise autonomy and discretion in selecting the telemedicine platform to be used.

Responsibilities of the Physician

10. A physician whose advice is sought through the use of telemedicine should keep a detailed record of the advice he/she delivers as well as the information he/she received and on which the advice was based in order to ensure traceability.

11. If a decision is made to use telemedicine it is necessary to ensure that the users (patients and healthcare professionals) are able to use the necessary telecommunication system.

12. The physician must seek to ensure that the patient has understood the advice and treatment suggestions given and take steps in so far as possible to promote continuity of care.

13. The physician asking for another physician’s advice or second opinion remains responsible for treatment and other decisions and recommendations given to the patient.

14. The physician should be aware of and respect the special difficulties and uncertainties that may arise when he/she is in contact with the patient through means of tele-communication. A physician must be prepared to recommend direct patient-doctor contact when he/she believes it is in the patient’s best interests.

15. Physicians should only practise telemedicine in countries/jurisdictions where they are licenced to practise. Cross-jurisdiction consultations should only be allowed between two physicians.

16. Physicians should ensure that their medical indemnity cover include cover for telemedicine.

Quality of Care

17. Healthcare quality assessment measures must be used regularly to ensure patient security and the best possible diagnostic and treatment practices during telemedicine procedures. The delivery of telemedicine services must follow evidence-based practice guidelines to the degree they are available, to ensure patient safety, quality of care and positive health outcomes. Like all health care interventions, telemedicine must be tested for its effectiveness, efficiency, safety, feasibility and cost-effectiveness.

18. The possibilities and weaknesses of telemedicine in emergencies must be duly identified. If it is necessary to use telemedicine in an emergency situation, the advice and treatment suggestions are influenced by the severity of the patient´s medical condition and the competency of the persons who are with the patient. Entities that deliver telemedicine services must establish protocols for referrals for emergency services.

RECOMMENDATIONS

Telemedicine should be appropriately adapted to local regulatory frameworks, which may include licencing of telemedicine platforms in the best interest of patients.
Where appropriate the WMA and National Medical Associations should encourage the development of ethical norms, practice guidelines, national legislation and international agreements on subjects related to the practice of telemedicine, while protecting the patient-physician relationship, confidentiality, and quality of medical care.
Telemedicine should not be viewed as equal to face-to-face healthcare and should not be introduced solely to cut costs or as a perverse incentive to over-service and increase earnings for physicians.
Use of telemedicine requires the profession to explicitly identify and manage adverse consequences on collegial relationships and referral patterns.
New technologies and styles of practice integration may require new guidelines and standards.
Physicians should lobby for ethical telemedicine practices that are in the best interests of patients.

Adopted by the 67^th World Medical Assembly, Taipei, Taiwan, October 2016

PREAMBLE

Advancements in modern information technology (IT) pave the way for improvements in healthcare delivery and help streamline physician workflow, from medical record keeping to patient care. At the same time, implementing new and more sophisticated IT infrastructure is not without its challenges and risks, including cyber-attacks and data breaches.

Cyber security threats are an unfortunate reality in an age of digital information and communication. Attacks on critical infrastructure and vital assets of public interest, including those used in the fields of energy, food and water supply, telecommunications, transportation and healthcare, are on the rise and pose a serious threat to the health and well-being of the general public.

With the proliferation of electronic medical records and billing systems, the healthcare sector is especially susceptible to cyber intrusions and has become a prime soft target for cyber criminals. Healthcare institutions and business partners, from the smallest of private practices to the largest of hospitals, are vulnerable not only to the theft, alteration and manipulation of patients’ electronic medical and financial records, but also to increasingly sophisticated system breaches that could jeopardise their ability to provide care for patients and respond to health emergencies. Especially disconcerting is the threat posed to a patient’s fundamental right to data privacy and safety. In addition, repairing the damage caused by successful cyber-attacks can entail significant costs.

Patient data also demands protection because it often contains sensitive personal information that can be used by criminals to access bank accounts, steal identities, or obtain prescriptions illegally. For this reason, it is worth far more on the black market than credit card information alone. Alterations to or abuse of patient data in the case of a breach can be detrimental to the health, safety and material situation of patients. In some cases, breaches can even have life-threatening consequences.

Current security procedures and strategies in the healthcare sector have generally not kept pace with the volume and magnitude of cyber-attacks. If not adequately protected, hospital information systems, practice management systems or control systems for medical devices can become gateways for cybercriminals. Radiology imaging software, video conferencing systems, surveillance cameras, mobile devices, printers, routers and digital video systems used for online health monitoring and remote procedures are just some of the many IT structures at risk of being compromised.

Despite this danger, many healthcare organisations and institutions lack the financial resources (or the will to provide them) and the administrative or technical skills and personnel required to detect and prevent cyber-attacks. They may also fail to adequately communicate the seriousness of cyber threats both internally and to patients and external business partners.

RECOMMENDATIONS

The WMA recognises that cyber-attacks on healthcare systems and other critical infrastructure represent a cross-border issue and a threat to public health. It therefore calls upon governments, policy makers and operators of health and other vital infrastructure throughout the world to work with the competent authorities for cyber security in their respective countries and to collaborate internationally in order to anticipate and defend against such attacks.
The WMA urges national medical associations to raise awareness among their members, health care institutions and other industry stakeholders about the threat of cyber-attacks and to support an effective, consistent healthcare IT strategy to protect sensitive medical data and to assure patient privacy and safety.
The WMA underscores the heightened risk of cyber intrusions and other data breaches faced by the healthcare sector and urges medical institutions to implement and maintain comprehensive systems for preventing security breaches, including but not limited to providing training to ensure employee compliance with optimal data handling practices and to maintain security of computing devices.
In the event of a data security breach, healthcare institutions should have proven response systems in place, including but not limited to notifying and offering protection services to victims and implementing processes to correct errors in medical records that result from malicious use of stolen data. Data breach insurance policies could be considered as a precautionary measure for defraying the costs associated with a potential cyber intrusion.
The WMA calls upon physicians, as guardians of patient safety and data confidentiality, to remain aware of the unique challenge cyber-attacks could pose to their ability to practice their profession and to take all necessary measures that have been shown to safeguard patient data, patient safety and other vital information.
The WMA recommends that undergraduate and postgraduate medical education curricula include comprehensive information on how physicians can use modern IT and electronic communications systems to full advantage, while still ensuring data protection and maintaining the highest standards of professional conduct.
The WMA acknowledges that physicians and healthcare providers may not always have access to the resources (including financial), infrastructure and expertise required to establish fail-safe defence systems and stresses the need for the appropriate public as well as private bodies to support them in overcoming these limitations.