WebRTC in telehealth: More than just HIPAA compliance

When it comes to WebRTC in telehealth, there are quite a few use cases and a lot of things to consider besides HIPAA compliance.

A thing that comes up in each and every discussion related to telehealth & WebRTC is the value of the call in telehealth. We’ve seen video meetings and calls go down to zero in their cost/value for the user. Especially during the pandemic. So whenever we find a nice market where there is high value for a call, it is heartening. Healthcare is such a place where we can easily explain why calls are important.

But what exactly does WebRTC in telehealth mean? It isn’t just a patient calling a doctor. There is a lot more to it than that. Let’s dive in together to see what we can find.

My own experience with Telehealth

As a user

Like many others, my first real bump with telehealth took place during the COVID quarantines.

My son was sick with high fever for over a week, and the doctors didn’t help any.

My wife was worried, needing more comfort by knowing someone was looking at him. Really looking at him.

So we used a kind of a private service that a hospital near our vicinity was giving:

• You subscribe and pay a hefty price
• They send over a kit
• You install an app and take measurements multiple times a day (useless ones, but stay with me)
• They send over a radiologist to do an X-ray scan (need something to show they can)
• Then you get to talk to a doctor once a day. Over a video call. From the same app

What can I say? It worked as advertised.

As a consultant and a product manager

We have quite a few healthcare clients using our various WebRTC services at testRTC.

Other than that:

• Took part of an RFP of the ministry of health in Israel by assisting the vendor who approached me win the contract
• I assisted vendors during the pandemic to troubleshoot their architecture and scale their service rapidly

That and just from conversations with vendors, along with a review of this article by a few who work on telehealth products and integrating their comments as well.

Does that make me an expert in telehealth? No.

But I can fill in the WebRTC angle of telehealth, which is a rather big one.

Finding WebRTC in Telehealth

Telehealth for me is about the digital transformation of healthcare services.

It can start small, with things such as scheduling and viewing lab test results. And then it can grow towards virtualizing the actual patient-doctor interaction. Or any other interaction within the healthcare space between one or more people (emphasis on one here – not two).

I’ve listed here the main use cases that came to mind thinking of it in recent days.

Patients and doctors

The most obvious use case is the patient and doctor scenario.

In this, the doctor visitation itself is remote and virtual.

This can be useful in many situations:

• When the patient can’t get to the doctor’s office
• During the pandemic:
  • When healthcare providers didn’t want patients physically in the office
  • If doctors are sick, but their numbers are dwindling due to them being quarantined, while they can still be useful as doctors remotely
• If you don’t want to waste a patient’s time in coming over and waiting
• When it is truly urgent (an emergency)

For many of these situations, this is the setup that takes place:

1. Doctor – sitting in front of a PC or laptop. In a designated office or hospital (=managed network), or at home (=unmanaged network)
2. Patient – connecting from a smartphone or tablet, via a direct link or an installed application

More on that – later.

In general – here’s where you’ll see such solution types deployed:

🔶 Hospitals and large healthcare organizations

🔶 Clinics hosting multiple doctors

🔶 Private clinic of a single doctor

🔶 Insurance companies

Also remember that the word doctor is a broad definition of the caretakers involved. These can be nurses, doctors, dietitians and other practitioners offering the treatment/session to the patient remotely.

The other thing to remember is that this is also asymmetric in scarcity: there are a lot more patients than they are caregivers.

Group therapy and counseling

Then there’s group therapy.

One where one or more psychologists lead a larger group of patients. The same also applies to dietitians, speech therapists, smokers, cancer patients and other groups of practitioners.

Here again, the idea and intent is that the patients and the therapists can join remotely to a virtual meeting and conduct that meeting.

The main benefit? Not needing to drive and travel for the meeting and being able to conduct it from anywhere.

Notable here is the fact that this can be enhanced or taken to a slightly different perspective – this can encompass the allied health domain, where AA (Alcoholic Anonymous) groups for example fit in.

Nurse stations

The nurse station is slightly different from the doctor-patient in my mind.

Here, the patient is situated physically next to the nurse, so the call/meeting isn’t virtual or remote but rather in person. The “twist” is that there is another caregiver or external authority that can be joined remotely to the session if and when needed. Say a doctor with a specialization that might not be available where the patient is located – this can be viewed in a way to democratize the access to specialty care.

Envision a nurse moving inside a hospital ward. She has a mobile station moving around with her that can be used to conduct video meetings with doctors. It can also be used for other purposes such as adding a live translator into that interaction with the patient or the patient’s custodian.

The lack of specialized provider access in remote areas can be extremely critical, and here again, virtual meetings can assist. Taking this further, a nurse station of sorts can be placed inside an ambulance providing immediate care – even for cases of strokes or cardiac arrests.

Outpatients

Outpatients are clinics that belong to hospitals. These are designed for people who do not require a hospital bed or an overnight stay. Sometimes, this can be for minor surgeries. Mostly for diagnostics, treatments or as follow ups to hospital admissions.

These clinics are part of the overall treatment that patients get from the hospital or for things that are hard to obtain elsewhere due to scarcity of machinery and/or experience.

Some of the diagnostics done in an outpatient clinic can be done remotely. This reduces wait times and travel times for patients and also allows using doctors joining remotely and not physically inside the clinic.

While similar to the patients and doctors use case, there are differences. The main one being the organization behind it, the logistics and the network. Hospital networks are usually a lot more complex and limited to connectivity of WebRTC traffic, bringing with it a different set of headaches.

Taking care of the elderly

As the human population is aging in general and people live longer, we’re also getting to a point where elderly care is different from other areas of healthcare. Another aspect of it is the breakdown of the family unit into smaller pieces where elderly people move to assisted living, nursing homes and hospices.

Here, the telehealth solutions seen include also things like:

• The ability to easily communicate with family members and friends remotely to keep connected
• Remotely monitor and take care of the old via solutions that remind us of a surveillance use case
• Providing access to doctors remotely, especially for the less common health issues

Remote patient monitoring is another new field. Due to the scarcity of nurses, many hospitals are moving towards virtual patient monitoring for patients who are in hospitals or medical facilities that require 24×7 monitoring for critical patients.

Operating rooms

The operating room is at the heart of hospital care. It is where surgeons, anesthetics, nurses and other practitioners work together on a patient in an aseptic environment.

An obvious requirement here might be to have an expert join remotely to observe, instruct or consult during surgery. That expert can be someone who isn’t at the vicinity of the hospital, enabling to bridge the gap of knowledge and expertise existing between central hospitals in large cities to rural ones.

It can also be used to have an expert who is situated in the hospital join in – entering an operating room requires the caregiver to scrub before entering. This process takes several minutes. By having the expert join remotely from another room at the hospital, we can have him jump from one surgery to another faster. Think of the supervisor of multiple surgery rooms at a hospital or a specialist. Saving scrubbing times can increase efficiency.

Then there is the option of getting external observers into the surgery rooms without having them in the surgery room itself. They can be silent or vocal participants. Joining in as trainees for example, as part of their learning process to become surgeons.

As we advance in this area, we see AR and VR technologies enter the space, either to assist the doctor locally in the surgery or have the external experts join remotely.

Training

Learning in operating rooms is just part of training in the healthcare domain.

Training can take different shapes and sizes here, and in a way, it is also part of the education market.

Here are some of the examples I’ve seen:

• Remote training/education for various healthcare roles
• First aid training for civilians
• Medical equipment training

Machinery remoting

Healthcare is a domain that has lots and lots and lots of devices and machinery. From simple thermometers to CT scanners and surgical robots.

What we are seeing in many areas is the remoting of these devices and machines. Having the patient being diagnosed or treated use a device (or have a device used on him), while having the technician, specialist, nurse or doctor operate or access the data of the device remotely.

This has many different reasons – from letting patients stay at home, to getting specialists from remote areas, to increasing the efficiency of the caregivers (reducing their travel time between visitations).

Here are a few examples:

🔶 Stethoscopes, Thermometers, Ophthalmoscopes, Otoscopes, etc. These devices can be made smart – having the patient use them on his own and have their measurements sent to remote nurses or doctors

🔶 X-ray, CT, MRI – different type of scans that can be done in one place and have the operator or the person deciphering the results located elsewhere

🔶 Surgical robots, that can be observed or operated remotely

🔶 Robots roaming hospitals, taking care of menial tasks such as sanitizing equipment and rooms

There is an ongoing increase in adding smarts into devices and the healthcare space is part of that trend. When caregivers need to interact with these devices or access their measurements in real time, this can be done using WebRTC technology.

Simultaneous translation and/or scribes

Doctors are a scarce resource. As such, a critical part is having their time better utilized.

There are two telehealth solutions that are aiming to get that done in a similar fashion but totally different focus:

Translation – patients speaking a different language than that of a caregiver need a better way to communicate. Hospitals and clinics cannot always have a translator in hand available. In such cases, having a translator join remotely can be a good solution.

The purpose? Increase accessibility of doctors to patients who don’t speak the doctor’s language.

Scribes – doctors need to keep everything documented. The patient digital record (PDR) is an important part of treatment over time. The writing part takes time and is done in parallel to diagnosing the patient. It is quite common today to have a doctor sit in front of you, typing away on his PC without even looking at the patient (being on the receiving end of that treatment more than once, it does sometimes feel somewhat surreal). Remote scribes can alleviate that by taking part in the doctor visitation, taking care of filling in the PDR. A different approach making headway here is AI-based transcription and the automatic creation of the medical record entries – this alleviates the need for a human scribe.

The purpose? Increase efficiencies and enable doctors to treat more patients.

At the boundary between education and healthcare

Then there is the education part adjacent to healthcare. Think of children who are treated for long periods of time where they either need to stay in the hospital or at home for treatment and rest. How do you make sure they don’t lose too much of the curriculum during that time? That they stay connected with their friends in class?

There are solutions for that, in the form of providing a PC at school and a tablet or laptop to the kid to remotely join such sessions.

This is probably more suitable for the education market, but I just wanted to add it here for completeness.

A game of numbers

Telehealth is a relatively small WebRTC market.

If you take all physicians in the world, and try to figure out how many there are per the size of the population, you will get averages of 1:500 at most (see Wikipedia as a source for example).

Not all physicians practice telehealth. Of those who do, many do it seldomly. The size of the number here isn’t big when it comes to minutes or visitations conducted.

Compared to the number of minutes conducted every day on Facebook Messenger, the total telehealth minutes worldwide will be miniscule.

The difference here though, is the importance and willingness to pay for each such minute.

When trying to do market sizing or value – be sure to remember this –

👉 Total number of doctors, minutes and visits isn’t that large worldwide

👉 Telehealth minutes are more valuable than social media minutes

WebRTC telehealth and HIPAA compliance

Whenever telehealth is discussed, HIPAA compliance is thrown out in the air. At its heart, HIPAA compliance is about security and privacy of patients and their information, all wrapped up in a nice certification package:

• Vendors wanting to sell telehealth services to hospitals need to be HIPAA compliant – at least in the US
• In the EU, there’s GDPR, with different interpretation per EU country
• Then there are other countries outside of the US and the EU with their own regulations
• All in all, the requirements here are quite similar

Most countries have separate regulations for patient privacy which are generally more stricter than personal privacy. While there’s more to it than what I’ll share here, it usually boils down to encryption and all the management that goes around it.

WebRTC is encrypted, so all that is left is for the application to not ruin it… which isn’t always simple.

Sometimes, you will find vendors touting E2EE (End-to-End encryption), which in most WebRTC jargon means the use of media servers who can’t access the media. Oftentimes, these vendors actually mean the use of P2P (Peer-to-Peer), where no media server is used at all.

Oh, and if you are using a third party video conferencing solution (say… a CPaaS vendor), then you will need to obtain a BAA (Business Associate Agreement) from that vendor, indicating that he complies with HIPAA. You will then need to certify your own application on top of it.

Network and firewall restrictions

Hospitals and clinics usually end up with very restrictive internet networks. This stems from the need to maintain patient confidentiality and privacy. The increase in ransomware attacks on businesses and healthcare organizations is a source of worry as well.

To such a climate, adding WebRTC telehealth solutions requires opening more IP addresses and ports on the organizations’ firewalls.

A big challenge for vendors is to get their WebRTC applications to work in certain healthcare organizations. Usually because their services get blocked or throttled by deep packet inspection.

👉 Vendors who can make this process smoother and simpler for customers will win the day.

Quality of media

Not being able to see video well in a social interaction is acceptable.

Having a doctor not being able to see the mole on your skin is a totally different thing.

Quality of media can be critical in certain use cases of telehealth. Here, it might be a matter of resolution and sharpness of the image, but it can also be related to the latency of the session. Remote procedures conducted via WebRTC for telehealth might be a bit more sensitive to latency than your common meeting scenario.

Depending upon the use case, you have to prioritize resolution vs frame rate. A still patient needs higher resolution and surgery or any motion specific activity requires a higher framerate. The ability to switch between these two priorities is also a consideration.

At times, 4K requirements or specific color spaces and audio restrictions may be needed. Especially when dealing with analysis of sensor data from medical devices. These may require a bit more work to integrate properly with WebRTC.

Asymmetric nature of users and devices

One tidbit about telehealth is that sessions are almost always asymmetric in nature and for the majority, they are going to end up as a 2-way conversation.

By asymmetric I mean that the users have different devices:

• Doctors and caregivers will almost always be on devices that are known in advance – their location, their makeup, etc.
  • More likely, they will be accessing them from a laptop or a PC
  • They use the same application again and again. This means that they will learn to workaround issues they bump into
  • Often on a restricted device with older browser versions and/or low CPU power. Though not always and not everywhere
  • Sometimes, though less and less these days, old equipment used by doctors in their office means the introduction of interop requirements
• Patients will almost always join from a mobile device – a tablet or a smartphone
  • Many will do so via a URL they receive over SMS, joining from a mobile browsers
  • Browser use on mobile isn’t as stable, especially on iOS Safari. Device handling is trickier with the need to handle phone calls and assistants (Siri) interacting with the same microphone
  • Others will end up on a native application built for this specific purpose
  • Being unassuming consumers, they try to join from everywhere. Including elevators or moving cars
  • They are also not going to use the application much and won’t want to waste time mucking around figuring out things or troubleshooting them. This means telehealth apps need to relentlessly focus on UX and usability for the patient side

👉 This asymmetric nature affects how telehealth applications need to be designed and built, taking special care around permissions, privacy and the unique user experience of the various users.

Medical devices, sensors and telemetry

Modern healthcare has the most variety of devices and sensors out there from all industries (leaving out the defense industry). These devices are now being digitized and modernized. Part of this modernization is adding communication channels for them, and even more recently – being able to virtualize and remote their use – either partially or fully.

Medical devices sometimes generate images. Other times an audio stream. Or a video feed. Or other sensory data and information. WebRTC enables sending such data in real time, or the telehealth application can send this data out of band, via Websockets or HTTP messages.

It can be as simple as taking a measurement of a patient remotely, while he is holding the medical device and the nurse or doctor observes him and the results sent over inside the application.

That can progress passively overseeing a procedure and commenting on it in a video session. Think of a doctor or a nurse consulting remotely with a specialist while giving a treatment or operating a surgical procedure.

And it can go to the extreme of remotely giving the procedure. A radiologist operating the CT machine remotely for example.

How these get connected and where WebRTC fits exactly is a tricky challenge. There’s latency to deal with, connectivity to physical devices, oftentimes without the ability to replace them, regulatory issues – this space has quite a few obstacles, which are also great barriers of entry and motes against competitors if one invests the effort here.

SaaS, CPaaS & open source: Build vs Buy

Telehealth comes in different shapes and sizes.

Many of the CPaaS vendors have gone ahead and made themselves easy to use for telehealth, mainly by supporting HIPAA compliance requirements.

I’ve seen various telehealth solutions built on CPaaS while others build their own service from scratch using open source components. There is no single approach here that I can suggest, as each has its own advantages and challenges.

One of the biggest challenges in adopting CPaaS for telehealth is upholding the patient’s privacy. Functions of the CPaaS platform require it to know certain elements of PHI (Personal Health Information), especially if call recordings are implemented. At times, a telehealth platform may expose a patient name or other information to the CPaaS implementation. These invite additional security risks and may violate patient privacy laws. A BAA here helps, but may not be enough, since most patient privacy laws require to expose only the bare minimum that is needed to an external entity (in this case, the CPaaS vendor) when it comes to PHI.

Here. vendors should look at their core competencies and the actual requirements they have from their WebRTC infrastructure. And as always, my suggestion is to go with CPaaS unless there is a real reason not to.

🔸🔹🔸🔹🔸

Where can I help, if at all?

🎯 Online WebRTC courses, to skill up engineers on this technology

🎯 Consulting, mostly around architecture decisions and technology stack selection

🎯 Testing and monitoring WebRTC systems, via my role as Senior Director at Cyara (and the co-founder of testRTC)