Article

What are the regulatory risks of providing online healthcare services?

25 July 2023

Online Healthcare with a video chat

Given the increased cost of living, many healthcare providers may be considering moving their service online to reduce overheads. Whilst this is an option for some healthcare providers, such as pharmacies and doctors providing online consultations, it will not be feasible for others.

Moving a service online has distinct advantages, but a provider’s regulatory responsibilities remain firm, as some providers and healthcare professionals have learnt to their detriment. In fact the regulatory regime becomes more burdensome as greater safeguards are required to mitigate risks of providing online services.

CQC

The CQC has stated that “as with conventional GP surgeries, online companies and pharmacies are required to provide safe, high-quality and compassionate care and must adhere to exactly the same standards (as non-online providers). They must not cut corners.” The CQC defines online providers as those “transmitting information by text, sound, images or other digital forms to deliver care and treatment to patients and to follow this up”.

The CQC therefore treats online providers in exactly the same manner as those providing in-person or face-to-face services. This means that online providers carrying out regulated activity will still need to be registered with the CQC. From our experience these regulated activities tend to be:

  • Treatment of disease, disorder or injury
  • Transport services, triage and medical advice provided remotely
  • Diagnostic and screening procedures.

Alongside this, online providers will still be required to make the relevant notifications to the CQC and cooperate with inspections and monitoring visits.

In turn, the CQC will inspect the provider in the same manner they inspect in-person services and providers will still be able to challenge a draft inspection report via the factual accuracy comment (“FAC”) process. The only real difference, per se, being the ‘Additional prompts for online healthcare providers of primary care services’ which are to be read in conjunction with the assessment framework for healthcare services.

These additional prompts provide inspectors with further assessment criteria, specifically relating to online services, and include prompts such as:

  • Safe: what protocols are there to identify and verify the patient at the start of the first and subsequent consultations? How does the provider monitor and limit prescribing of medicines that have the potential to be misused?
  • Effective: How detailed is the patient’s medical history before the initial consultation? How does the provider ensure that clinicians work within their scope of practice?
  • Caring: What information is given to patients about the clinician they consult with? How does the provider ensure that consultations take place in appropriate environments to ensure confidentiality?
  • Responsive: How is a ‘not treated’ condition managed if it emerges during a consultation? How accessible is the service to people who are less able to use IT services and are alternatives available?
  • Well-led: How is the health and safety of remote employees maintained? Is all data encrypted, in transit and at rest?

From our own experience, we have seen online providers rated as ‘Requires Improvement’ or ‘Inadequate’ within the domains of ‘Safe’ and ‘Well-led’. In these cases, inspectors cited insufficient safeguards to ensure safe online prescribing, lack of management oversight of the service, and insufficient auditing of healthcare professionals’ credentials e.g., professional registration and adequate insurance.

Therefore, it is crucial that providers not only ensure they have sufficient safeguards in place to mitigate the additional risks but challenge any factual inaccuracies using the FAC process to ensure the production of an accurate inspection report. As providers will already be aware, obtaining legal advice and assistance with the FAC process, whether an online provider or not, can provide a level of objectivity which responding yourself does not always permit.

As a result of the themes seen by the CQC during inspections, the CQC has produced guidance entitled ‘Common themes from inspections of online providers of primary care’ ( “guidance”) which highlights the CQC’s concerns regarding from the provision of online healthcare services. These being, in very brief terms:

  • Identity: ensuring the patient is who they say they are
  • Capacity: being able to identify a patient’s lack of capacity
  • Consent: ensuring the consent process is thorough and involves tailored patient information
  • Communication with a patient’s NHS GP: prompting patients to provide consent to share information with their GP
  • Safeguarding: ensuring policies are in place relevant to the legislative and guidance expectations of the countries where patients are located.

From working with online providers, the CQC appears, like other professional regulators, to hold specific concern regarding the use of online questionnaires and healthcare professionals having limited access to patient records.

Thus, enabling patients to easily revise an online questionnaire, providing the ‘correct’ information and receive the required medication whether there is clinical need or not which raises patient safety concerns.

Professional regulators

Individual healthcare regulators share the CQC’s concerns and have produced guidance to their registered members regarding the provision of online services. In connection with doctors, the GMC has included guidance on their website entitled ‘Remote prescribing high-level principles’ and ‘Remote consultations flowchart and frequency asked questions’ which supplements ‘Good Medical Practice’. Meanwhile, the General Pharmaceutical Council (“GPhC”) has produced updated guidance entitled ‘Guidance for registered pharmacies providing pharmacy services at a distance, including on the internet’ and have confirmed their concerns to be as follows:

  • Poor guidance and oversight of prescribing high-risk medications e.g., controlled and ‘Z’ drugs
  • Prescribing transactionally using a questionnaire-based model with limited access to patient records
  • Prescribing medication repeatedly with no monitoring overview
  • Prescribing outside of scope of practice
  • Prescribing medication off-license
  • Prescribing with a financial incentive.

Online pitfalls

Whilst regulators have produced guidance and reaffirmed their expected standards of practice, some providers and registered healthcare professionals have fallen foul of the requirements. For example:

  • An online doctor’s service was fined £3,500 and ordered to pay £10,000 costs and a victim surcharge of £170 for dispensing medication to patients in the UK without being CQC registered
  • The GPhC having instigated 65 out of a total of 115 enforcement actions against online pharmacies since 2019
  • At least one GMC registered doctor’s Fitness to Practise was found to be impaired for transcribing and signing specialist prescriptions for patients not residing in the United Kingdom, without access to the patient’s medical records, and outside their scope of practice
  • Since August 2019, the GPhC has suspended two Superintendent pharmacists for failing to safely prescribe and quality assure the governance and audit mechanisms within their online pharmacies.

How can providers and professionals protect themselves?

If providers and registrants are to take one point away from reading this article, it would be that you cannot renege your responsibilities, whether imposed by the CQC or another healthcare regulator, just because you are providing a remote service.

If anything, regulatory obligations increase as a result of the increased potential risk of patient harm, owing to the remoteness of a consultation or prescription. However, balanced against this increased level of regulation are the benefits which providing an online service brings. These include decreased overheads, flexibility and increased convenience for patients.

Bearing in mind the detailed guidance above, the regulators’ concerns and the practical case examples provided, providers should review their service and satisfy themselves of the following at the very minimum:

  • Does the service have a sufficiently encrypted IT system to guard against the risk of a cyber-attack and preserve online patient confidentiality?
  • Does the service have sufficient procedures in place to confirm the patient’s identity – whether using a specific software application or asking the patient to show ID during a consultation by way of verification?
  • Does the service have access to the patient’s medical records to understand the patient’s medical history, capacity to consent, and can the service verify the information provided?
  • What safeguards, including risk assessments, audits and governance mechanisms are in place to ensure that medications are being safely prescribed?
  • Is the service meeting the additional prompts and does the service have solutions for the common themes identified by the CQC?

Additionally, registered healthcare professionals also need to protect their position and should:

  • Decline prescribing medication if they would not prescribe the same medication during an in-person consultation
  • Remember their professional standards at all times and review available guidance or contact their indemnity provider if they require professional advice
  • Not compromise their practice if asked to do something they are uncomfortable with.