ABSTRACT
The rapid expansion of telemedicine in Nigeria, accelerated by technological advancement, healthcare accessibility demands, and medical brain drain, has introduced complex liability challenges that transcend traditional medical practice boundaries. This novel healthcare delivery system, operating primarily using technology, creates unique civil and criminal liability risks through its integration of internet service providers, practitioners, and patients across different jurisdictions. The operation of telemedicine in Nigeria is governed by an interplay of regulations covering business incorporation, licensing, data protection, and patient confidentiality. Unlike conventional medical practice where liability determination is typically straightforward, telemedicine presents intricate challenges in establishing practitioner-patient relationships and determining responsibility when adverse events occur. These complexities are further compounded by cross-border practice issues, digital documentation requirements, and the involvement of third-party technology providers. This paper examines the legal implications and regulatory challenges of telemedicine practice in Nigeria, analyzing existing frameworks and providing insights for regulatory compliance in this rapidly evolving healthcare landscape.
INTRODUCTION
Healthcare delivery has evolved significantly with technological advancement, leading to transformative innovations like telemedicine. This integration of information and communications technology in healthcare has revolutionized traditional medical practice, enabling remote diagnosis and treatment of patients. The COVID-19 pandemic particularly accelerated telemedicine adoption globally, with consumer usage increasing from 11% to 46% in 2020 alone, highlighting its crucial role during global health crises and the potential for future pandemic response.
In Nigeria, telemedicine emerged in the early 2000s as a solution to overcome persistent healthcare access barriers. The sector has experienced substantial growth driven by improved internet connectivity, technological advancement, and the critical need to address fundamental healthcare challenges. These challenges include limited access to medical services and facilities, uneven distribution of healthcare professionals, infrastructural inadequacies, and the rising healthcare demands of Nigeria's growing population. According to Statista, Nigeria's digital health market was projected to reach US$770.30m in 2024, highlighting telemedicine's significant impact and potential in bridging the healthcare accessibility gap between urban and rural areas.
The integration of artificial intelligence in healthcare delivery has further expanded telemedicine's capabilities. Modern telemedicine incorporates various technological innovations including machine learning, the internet of medical things, augmented reality, virtual reality, blockchain, data security, health-tracking apps, and therapeutic apps. These AI-driven technologies have transformed healthcare delivery mechanisms, progressing from traditional physical machinery to sophisticated digital solutions encompassing electronic health records, online patient monitoring, and remote diagnostic capabilities.
The recent surge in telemedicine platforms and start-ups in Nigeria, coupled with investments from both public and private sector stakeholders, demonstrates the growing recognition of telemedicine's potential to revolutionize healthcare delivery. However, despite these advancements and benefits, telemedicine practice in Nigeria remains in its early stages with limited regulatory frameworks. The absence of comprehensive legislation raises important concerns about consumer data protection, medical liability, and quality of care. As experts project artificial intelligence to dominate various aspects of human endeavour by 2030, including healthcare delivery, the need for proper regulation becomes increasingly critical.
MEANING OF TELEMEDICINE
Telemedicine is the delivery of healthcare services remotely using information and communication technologies which allow real-time audio or audio-visual patient-health provider communication, diagnosis and treatment through laboratory tests and drug prescriptions. With the expansion of internet penetration in Nigeria, telemedicine has become an emerging business and has begun to experience significant growth. Telemedicine also provides accessibility and thereby bridges the gap in healthcare access, especially in rural and underserved areas where medical facilities and professionals are scarce.
Telemedicine, as defined by the World Health Organization, involves the delivery of healthcare services remotely using information and communications technologies. This method supports the exchange of crucial information for diagnosis, treatment, prevention of diseases, research, and the education of healthcare professionals, aiming to improve the health of individuals and communities.
Under the Code of Medical Ethics, telemedicine was defined as the employment of telecommunication technology to give clinical attention to patients in locations remote from the doctor. It also enables clinicians from different parts of the globe to simultaneously exchange clinical views as if they were at the same location. It may involve audio, visual or audio-visual broadcast. This provision takes into cognizance the fact that telemedicine is the practice of medicine enabled by technology.
EVOLUTION OF TELEMEDICINE PRACTICE IN NIGERIA
Nigeria's journey with telemedicine began in 2007 with a pilot project launched by the National Space Research and Development Agency (NASRDA) and the Federal Ministry of Health. This initiative aimed to bridge the urban-rural healthcare gap by using technology to provide remote medical consultations and services. The project spanned two teaching hospitals, six federal medical centers across the country, and even incorporated mobile units with satellite receivers to enhance accessibility. Private organizations like Lagoon Hospital in Lagos and Igbinedion University Teaching Hospital in Benin also joined the movement, further expanding the reach of telemedicine.
The importance of this technology was further solidified in 2020 when NASRDA deployed mobile telemedicine units to combat the COVID-19 pandemic. These mobile clinics, equipped with modern facilities, connected patients directly to medical professionals and records, ensuring efficient healthcare delivery, especially in remote areas.
Telemedicine in Nigeria has grown to encompass various medical specialties, including telepsychiatry, teleradiology, tele-dermatology, and tele-neurology. These specialized areas fall under broader categories like teleconsultation, tele-education, telemonitoring, and telesurgery. Teleconsultation, the most common form of telemedicine, allows real-time interaction between healthcare providers and patients through video conferencing. This method aids in clinical decision-making by enabling remote consultations and second opinions, effectively overcoming geographical barriers.
REGULATORY FRAMEWORK FOR THE OPERATION OF TELEMEDICINE IN NIGERIA
Presently, there is no single substantive law regulating the operation of telemedicine in Nigeria. While there is no specific Nigerian legislation dedicated to regulating telemedicine practices, there are various existing legislation that incorporate provisions relevant to telemedicine, including aspects related to licensing, registration, data protection, insurance, quality standards, and ethics that telehealth providers must adhere to and to control the data security issues, that may arise in the course of the practice. A few of them are examined below:
Code of Medical Ethics, 2008
The Medical and Dental Council of Nigeria’s (MDCN) Code of Medical Ethics 2008, recognises the importance of telemedicine as a means of improving healthcare delivery in the country. The Code addresses telemedicine in Guideline 22 and provides guidelines for its use. The Code also acknowledges the risks attached to the use of technology and provides that practitioners should continuously assess and avoid medico-legal pitfalls in areas such as confidentiality, professional competence, legal and registration status of the specialist being consulted, equipment reliability, sustainable continuity of patient management and timely referral of patients. The Code further emphasises the need for practitioners to make appropriate arrangements for the security of personal information when it is stored, sent or received by fax, computer, e-mail or other electronic means.
Nigeria Data Protection Act 2023:
The Nigeria Data Protection Act, 2023, is the legislation which provides a legal framework for the protection of the personal data of Nigerian citizens. Being the main data protection legislation in Nigeria, it sets out guidelines and standards for the collection, processing, storage, and transfer of personal data in Nigeria. The Act applies to all data controllers and processors who collect, process or store personal data in Nigeria, including healthcare providers who engage in telemedicine. More particularly, the NDPR mandates all public and private organizations in Nigeria that control data of natural persons, to make available to the general public, their respective data protection policies, appoint a data protection officer and create a database management system. This is to ensure that the privacy rights as provided in the NDPR are guaranteed, and the data of the subjects, who in this case would constitute the users of the Telemedicine platforms.
The National Information Technology Development Agency (NITDA) Act 2007:
The NITDA Act 2007 plays a crucial role in the development and regulation of telemedicine services in Nigeria. The Act provides a legal framework for the development of ICT systems that support telemedicine, sets the standard for these systems and services, and also regulates their deployment and use. The Act further recognises the importance of ICT in the delivery of healthcare services and the need to develop and regulate ICT systems that support telemedicine services. Section 6 of the NITDA Act mandates NITDA to develop guidelines for the deployment of IT systems in all sectors of the economy, including healthcare.
Evidence Act, 2011:
The Evidence Act in Section 84(1) recognises the admissibility of all forms of electronic evidence, including evidence generated by telemedicine systems in legal proceedings. This means that medical records generated by telemedicine systems can be used as evidence in legal proceedings. Furthermore, it provides for the authentication of electronic evidence and also addresses the issue of confidentiality and privacy of electronic records.
The 1999 Constitution
In addressing privacy concerns, the Nigerian legal framework places a strong emphasis on the protection of patient confidentiality and data privacy in telemedicine. Section 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended) protects the privacy of citizens, homes, correspondence, telephone conversations, and telegraphic communications. This provision by implication places a duty on telemedicine providers to uphold the privacy and confidentiality of patient information.
Medical and Dental Practitioners Act
Rule 8 (b) of the Medical and Dental Council of Nigeria's (MDCN) Code of Medical Ethics 2008 mandates health practitioners to maintain utmost confidentiality of patient information. The MDCN's Code of Medical Ethics further requires practitioners to safeguard data security during electronic transmission, emphasizing the need to prevent unauthorised access or data interception.
Standard Organization of Nigeria (SON) Act 2015
In terms of service quality, telemedicine providers are expected to ensure that their medical devices and healthcare software meet ISO standards and comply with the provisions outlined in the Standard Organization of Nigeria (SON) Act 2015.
Additionally, healthcare organizations are expected to adhere to the standards set by the Health Insurance Portability and Accountability Act (HIPAA), a framework for protecting patient health information and ensuring data privacy and security.
The absence of comprehensive telemedicine-specific legislative framework introduces uncertainties for providers, with scattered requirements across various legal documents requiring navigation through multiple laws and regulations. The current health insurance system in Nigeria does not adequately cater to claims and reimbursements for telemedicine consultations, underlining the urgent need for regulatory reforms in the health sector to embrace and facilitate the growth of telemedicine.
CONFLICT OF LAWS IN TELEMEDICINE PRACTICE
The rules regarding jurisdiction are clear if both the patient and medical practitioner are residing in Nigeria, and the telemedicine service was performed in Nigeria. In such circumstances, Nigerian law would apply. The conundrum exists where the physician is in a different jurisdiction from the patient, which raises the question of what law would apply. Is jurisdiction based on where the patient resides or where the doctor is located? No special law exists yet that addresses these jurisdictional issues. This leaves the courts to apply the traditional principles and methods. Various solutions have been proposed to this dilemma, one of which is that the country of the physician has jurisdiction over the matter, while the patient is regarded as being electronically transported to the jurisdiction of the physician.
In the United States, the test in determining personal jurisdiction is the minimum contact test. The "minimum contacts test" in personal jurisdiction refers to a legal standard used by courts to determine whether they have the authority to hear a lawsuit against a defendant based on the defendant's connections to the state where the lawsuit is filed; essentially, it means the defendant must have had sufficient ties or interactions with the forum state to justify the court exercising jurisdiction over them. The Minimum Contact theory comes into the picture when either or both of the parties seem to be from outside the Court's territorial jurisdiction. The rule establishes that so long as a corporation has a degree of contact within the state bringing suit, they are subject to the laws of the state and can be sued by and within the forum state in court. The theory was laid down in a landmark case of International Shoe Co. v. Washington, 326 U.S. 310 (1945), where the Supreme Court of the United States held that a party, particularly a corporation, may be subject to the jurisdiction of a state court if it has "minimum contacts" with that state. The ruling has important consequences for corporations involved in interstate commerce.
The Nigerian courts have also adopted the minimum contact test in determining personal jurisdiction as seen in the celebrated case of Esso Exploration & Prod. Nig Ltd v Nigerian National Petroleum Corp 397 F. Supp. 3d 323 (S.D.N.Y. 2019). In this case, the court buttressed that the minimum contact test requires that the defendant must have purposefully connected himself to the forum state. It is noteworthy that the courts are enjoined to ensure that the jurisdiction in which the matter is brought is the most convenient (forum non conveniens) and for the end of justice. See also the case of Broad Bank of Nigeria Ltd v Alhaju Olayiwola & Sons Ltd 7 Ors (S.C. 288/2002) [2005].
In Bradley v Mayo Foundation, U.S. Dist. LEXIS 44771 (W.D. Ky. 2007), the plaintiff, a resident of Kentucky, sued Mayo Clinic, a clinic based in Minnesota. The plaintiff argued that Kentucky had jurisdiction because one Mayo subsidiary was in Kentucky, several telephone contacts between the plaintiff and Mayo Clinic, two Mayo websites were accessible to Kentucky residents and Mayo practiced telemedicine throughout the country. The case was dismissed as the court held that the calls and letters exchanged were inadequate to establish jurisdiction over the defendant. The court concluded that there was no specific evidence that telemedicine services were provided in Kentucky and that the telephone calls exchanged were part of the routine functions of medical practitioners. The courts later expanded this principle stating that the more the defendant interacts with the forum state, the more minimum contact is established. Hence, this means the plaintiff in such a scenario must go beyond establishing the virtual presence of the defendant in the forum state. The defendant must have voluntarily directed his activities to the forum state or be substantially connected with the forum state.
In foreign jurisdictions, the courts normally apply the principle of lex loci delicti in determining the choice of law. According to this principle, a court can decide an injured party's substantive rights based on the law of the state where the harm/damage occurred. The location of a wrong is the place in which the last occurrence required to hold an actor responsible for an alleged tort occurs. It is the best practice for healthcare providers to provide forum selection and choice of law clauses in international telemedicine contracts to escape liability in a foreign nation or under foreign law.
THE CURRENT STATE AND WHAT IT MEANS FOR NIGERIA
In Esso West Africa Inc v. T. Oyebola, (1969) NWLR 194 at 216-217 SC, the apex court emphatically stated that ‘the law cannot be and is not ignorant of the modern business method and must not shut its eyes to the mysteries of the computer.’ Thus, one may be forced to assume that the failure of the law to cater for e-health may be due to ignorance or a sheer underestimation of the technological risks that come with the advancements of telemedicine. The law is not static but dynamic, able to acclimatise itself with the changing scape of society. It should be proactive when dealing with societal factors and this is only when it can be a change agent. The absence of legislations, policies and regulatory bodies that cater for a unified telemedicine system is a central defect in the society that can further lead to a fundamental crisis in the healthcare system and other areas.
As earlier stated, there is currently no law in Nigeria that directly deals with telemedicine, rather what we have are laws that already exist that deal with various other matters that may relate to or arise in the course of telemedicine, they only address aspects of telemedicine practice and not the whole. These laws as their names imply only cater for different areas of human relations and if in the course of telemedicine, such situations arise, then the laws would extend to such scenarios. This is not enough, as telemedicine can stretch beyond the confines of these laws and matters that do not fall within the sphere of these laws would not be adequately catered for and may infringe the right of persons and where there is no law, there is no crime. An appropriate example would be in the case of AI and who would be held responsible when there is a breach, would it be the software developer or the organisation that uses that model? Also, when does a medical practitioner become liable or negligent for an action that was carried out over the phone or in the course of the use of an app or device for healthcare? When is consent established over a digital platform, especially when a contract is absent?
We can see that even though there are laws that cater for these aspects in the traditional healthcare setting, it cannot stretch enough to cover telemedicine as that is beyond its scope and limit. Another major setback will be that there are no decided cases in Nigeria that cater for telemedical issues directly. The absence of specific laws that deal with telemedicine can lead to issues such as licensing and registration challenges, data protection complexity, jurisprudential deficit on issues of cross-border footprint, insurance and reimbursement coverage, medical liability and malpractice, and a host of other issues.
STRATEGIES FOR IMPROVING REGULATORY COMPLIANCE AMONG TELEMEDICINE PROVIDERS
Development of Policies and Procedures: Providers should develop clear, comprehensive concise policies and procedures that reflect regulatory compliance requirements in telemedicine. These policies should cover all aspects of telehealth operations, ensuring that staff members are fully informed and adhere to these policies to maintain consistency and compliance across the organization.
Data Privacy and Security Solutions: Telemedicine providers must prioritize the implementation of technology solutions that meet or exceed regulatory standards concerning quality, privacy, and security. They should also invest in secure telehealth platforms with encryption features and user authentication features to protect patient information and ensure compliance with data protection laws.
Conduct Regular Compliance Audits and Assessments: To ensure ongoing compliance, telemedicine operators should conduct regular audits and assessments of telehealth practices, policies, and technology systems. This proactive approach helps to identify and address areas of non-compliance, including a review of security protocols, and adherence to evolving regulatory guidelines.
Education and Training Programs: Telehealth operators are advised to provide comprehensive training and continuing education programs to their practitioners and to enhance their understanding of telehealth regulations and best practices. This includes training on privacy rights, security protocols, patient engagement, consent procedures and nuances of delivering virtual healthcare services.
Additional Risk Mitigation Measures: Providers should also consider several other strategies to mitigate potential risks associated with telemedicine such as obtaining explicit patient consent prior to service delivery, delivering high-quality care in accordance with professional ethics and standards, securing comprehensive insurance coverage from third parties, and actively seeking feedback for continuous improvement.
DATA SECURITY IMPLICATIONS OF TELEMEDICINE
Telemedicine systems have become high-value targets for cyberattacks because they store a wealth of patients’ protected health information, and interface with a variety of networks and technologies, often with no centralized security policy or control. There are three major types of attacks against telemedicine systems:
Compromise of Confidentiality:
Confidentiality refers to the protection of sensitive information from unauthorized access and misuse. As a result, healthcare patients expect and demand that healthcare providers protect their privacy. Particularly, Rule 8 of the Rules of Professional Conduct for Medical and Dental Practitioners establishes the obligation of a health practitioner, to ensure the confidentiality of a patient’s personal health information, unless consent to release the information is provided by the patient, or on any other recognized legal basis. However, with Telemedicine, the concept of confidentiality is a little broader because it affects providers and claims processors as well as health practitioners. Telemedicine is typically carried out over an electronic network, such as a website or a smartphone app. With the addition of features such as electronic health records and filing systems, as well as physician-patient virtual conversations, the need to double-protect patients’ health information from unauthorized third parties becomes critical, as there is a significant risk that such information will be attacked by threat vectors.
Phishing:
This involves the use of emails, text messages and links to primarily trick a recipient into revealing sensitive information. Since many Telemedicine appointments begin with the patient clicking on a link or joining a call from an unverified source, it presents a new opportunity to take advantage of patients while they’re vulnerable. When healthcare providers use common, unsecured video conferencing platforms to conduct appointments, there is no way for patients to verify their identity. Attackers, may use phishing messages to send patients legitimate-looking links to a fake appointment or web page, and convince them to divulge sensitive information.
Misconfiguration:
Misconfiguration is an incorrect configuration of a system (Networks, and applications), that may lead to vulnerabilities. A misconfiguration will occur on a Telemedicine platform if the setup pages are enabled, or a user utilizes default usernames and passwords, leading to a breach as the hacker can determine hidden flaws, and thus, access sensitive information. Misconfigured devices and apps present an easy entry point for an attacker to exploit.
In 2018, Hova Health, a Telemedicine company based in Mexico, reported the online exposure of the personal data of about 2,373,764 of its patients, after the misconfiguration of its MongoDB database. The database was publicly available and could be accessed or changed by anyone, even without a password. The database allegedly contained patient names, personal ID codes for Mexican citizens and residents, insurance policy numbers and expiration dates, dates of birth, and addresses. There also were flags noting migrant status or disabilities.
The above goes to show that Misconfiguration issues are far too common for the healthcare sector, which already is being walloped by cyberattacks. One wrong click and tens of thousands to millions of patient records can be breached.
Other threat vectors include; Credential harvesting, data exfiltration, emailing sensitive information to the wrong recipient, publishing private data to public web servers, and leaving confidential information displayed on an unattended computer monitor etcetera.
Compromise of Availability
Availability guarantees that systems, applications and data are available to its owners when they need them. The most common attack that impacts availability is denial-of-service, in which the attacker interrupts access to information, system, devices or other network resources. A denial-of-service in an internal vehicular network could result in a server not being able to access the information needed to operate, and the server could become non-operational or even worse, bring the system to an unsafe state. An example is the ransomware attack. To avoid availability problems, it is necessary to include redundancy paths and failover strategies in the design stage, as well as to include intrusion prevention systems that can monitor network traffic pattern, to determine if there is an anomaly and to block network traffic when needed.
CHALLENGES OF TELEMEDICINE OPERATION IN NIGERIA
Lack of comprehensive regulations:
Nigeria lacks a focused set of legislation dedicated solely to telemedicine. This creates an air of uncertainty that continues to define the discourse of telemedicine in Nigeria. The resulting puzzle significantly inhibits the operators from framing a clear outlook for their legal and regulatory compliance, while users are presented with a hazy rights and reliefs matrix. To successfully navigate this terrain, players in this sector are tasked not only with searching through the litany of regulatory provisions scattered across various legislations but also with positioning themselves to take the best advantage of these provisions. The key to surmounting this arduous task is to seek prior guidance from qualified legal practitioners who can effectively balance the application of local laws with the emerging best international trends.
Data protection and privacy:
Telemedicine involves the collection, storage, and transmission of sensitive patient information and records. Ensuring the privacy and security of these data is crucial. Healthcare providers offering telemedicine services is expected to adhere to data protection regulations and take appropriate measures to safeguard patient information. A healthcare practitioner is a data processor within the context of the Nigeria Data Protection Regulation (NDPR), and its data protection obligations are clearly outlined in the extant regulation. However, following in the multi-territorial footprint of tele-medical activities, the data protection obligations and rights are likely to assume multi-jurisdictional dimensions, which require operators to seek ample guidance on the scope of their compliance and for users to understand the available rights and protection across the multiple locations of their operations.
Cross-border footprint:
The cross-border nature of telemedicine makes it difficult for operators to clearly define the specific ambit and scope of their relationships. Telemedicine facilitates seamless cross-border delivery of healthcare services, allowing patients located mainly in Nigeria to consult with healthcare providers located outside the country. This often gives rise to issues related to jurisdiction, professional accountability, and the standard of care, with varying implications and consequences in different jurisdictions. More advanced jurisdictions have made targeted regulatory attempts to address this challenge, but Nigeria still needs to cover this obvious jurisprudential deficit. In the meantime, every intending player within the tele-medical space should seek proper guidance on the prevalent uncertainties and the best ways to navigate them.
Reimbursement and insurance coverage:
Telemedical activities may occur across multiple zones and territories, introducing a wide range of insurance claim and reimbursement challenges. Despite the growth and improved adoption of health insurance in Nigeria, the Nigerian health insurance framework is yet to provide a suitable framework for the standardization of claims and reimbursement that caters to the complex diversities of telemedicine consultations. The complexities of typical telemedicine risks go beyond the current codes of Nigerian insurance laws and require creative solutions to adapt to emerging insurance and claims-related issues associated with the rapid acceptance of telemedicine in Nigeria.
Jurisdictional issues:
Telemedicine even in its simplest ramifications can pose complicated jurisdictional challenges along the diverse intersections of the chain of activities. Determining which jurisdiction’s laws apply, especially in cross-border scenarios, can be a complex task. Given the technical composition of the service delivery model and channels, this issue can often stretch the usual discourse on conventional conflict of law to its very limit. Therefore, in the absence of a clear-cut regulatory and licensing framework to harness the respective positions, both operators and users must rely on competent advisors to guide them through the murky waters of jurisdictional uncertainties. One way to best address this challenge is to develop agreements that address jurisdictional issues and harmonize legal requirements across regions in permissible circumstances.
Medical liability and malpractice:
Telemedicine like conventional medical practice, naturally raises questions about medical liability and malpractice in the event of adverse outcomes or negligence. Determining accountability and liability in this intricate overlap of roles, rights, and obligations can be challenging, particularly in cases where the healthcare provider and patient are physically separated. Telehealthcare delivery therefore suffers from the uncertainty of a legal framework and guidelines for related liability and malpractice issues. It is imperative for patients and service providers to seek help in navigating these complexities.
MEDICAL LIABILITY IN TELEMEDICINE PRACTICE
The tort of Negligence, in the generic sense, is the omission to do something which a reasonable man guided upon those considerations which ordinarily regulate the conduct of human affairs, would do or doing something which a prudent and reasonable man would not do (Blyth v. Birmingham Waterworks, 1856). It is not for every careless act that a man may be held liable in negligence as the tort relates to a breach of legal duty of care to the person to whom the defendant holds the duty and which results in legal injury.
Thus, for a claimant to make a case of negligence in law, the following elements must be established:
That the defendant owes the claimant a legal duty of care in the context in question.
That the defendant has been in breach of that duty.
That consequential to the defendant’s breach of the duty of care, the claimant has suffered harm or loss which flows from, or is caused by the breach of duty of care and not too remote from the causation/breach of duty of care.
It is trite that failure to appropriately establish any of these basic legal elements would be fatal in establishing liability for negligence against the defendant.
Telemedical liabilities refer to liabilities arising from the practice of telemedicine. Liabilities can either be civil or criminal or both. Criminal liability refers to responsibility for a crime and the penalty society imposes for the crime. Civil liability, on the other hand, is a legal obligation that requires a party to pay for damages or to follow other court-enforcements in a lawsuit. Different from criminal liability, which is often brought by the State to redress a public wrong, civil liability is usually brought by a private party to sue for damages, injunctions or other remedy.
Civil Liabilities in Telemedicine Practice
Oftentimes, the concept of liability with respect to doctor-patient relationships is usually considered in relation to the negligent actions or omissions of the medical practitioner. In telemedicine, an action for telemedical negligence requires the plaintiff to establish that:
the defendant (e.g., the teleconsultant) owes him or her a duty of care (established via the patient-doctor relationship);
and that the duty has been breached, i.e., the teleconsultant was negligent;
and that he or she suffered harm as a consequence of the negligence.
It is safe to say that the first question to be determined in any action for negligence is whether the defendant owed a duty of care to the plaintiff. In general, a duty of care will be owed wherever in the circumstances it is foreseeable that if the defendant does not exercise due care, the plaintiff will be harmed. This foreseeability test was laid down by Lord Atkin in the celebrated case of Donoghue v Stevenson [1932] AC 562 and it is known as “the neighbour principle.”
Specifically speaking, it remains the duty of the plaintiff who alleges that a defendant owes him a duty of care to establish facts upon which the duty is founded. The Supreme Court in ABC Transport Co Ltd. v Omotoye (2019) LPELR -47829 (SC) puts it this way “In an action for negligence, for a plaintiff to succeed he must, in addition to pleading and establishing the particulars of negligence relied on, also state and establish the duty of care owed to him by the defendant, the facts upon which that duty is founded and the breach of that duty by the defendant.” The fact upon which the duty of care is founded in medical negligence is ascertained from the doctor-patient relationship. In other words, for a medical malpractice case to be successful, a doctor-patient relationship must be established in order for the doctor to hold a duty of care toward the patient. This relationship is widely viewed as contractual in nature, either being established expressly by a written contract or implied through the conduct of the doctor and patient.
Without legislation determining the formation of the physician-patient relationship, the existence of the relationship is determined on a factual basis and will vary from case-to-case. In Hord v United States No. CA-96-3401-7-13, 1999 WL 249061, 4 (4th Cir. Apr. 28, 1999), it was held that the physician must offer some benefit to the patient in order for the relationship to be formed and that even an examination does not establish the relationship unless there was an agreement to benefit the patient. Physicians will not be able to escape malpractice liability by claiming that the lack of an in-person meeting or examination precludes the physician-patient relationship. The relationship is likely formed when the patient has sought medical care from a physician and both the physician and patient agree to that care, without the need for an in-person meeting. With current telemedicine technologies, the consulting physician may have the opportunity to be “virtually present” in the patient’s room, as opposed to simply speaking with the treating physician over the telephone. Despite this, it appears that doctors who provide anything more than a mere consultation may expose themselves to malpractice liability by establishing the relationship, even if they never spoke with the patient.
In McKinney v Schlatter No. CA96-05-100, 1997 WL 67702, 1 (Ohio App 12 Dist. Feb 18, 1997), appeal dismissed, a patient was admitted to the emergency room and examined by the emergency room physician who telephoned the cardiologist on call. After the cardiologist was briefed on the patient's condition, he told the emergency room physician that the patient's problem was not cardiac. Relying upon the cardiologist's diagnosis, the patient was released and died soon thereafter.
Once physician-patient relationship exists, a party would have established the duty of care against the medical practitioner. In addition, a party seeking to sue a physician for malpractice resulting from a telemedicine consultation must prove that the physician breached the duty of care by demonstrating that the actions of the medical practitioner fall below the requisite standard of care. What amounts to the requisite standard of care depends on the fact of the case, provided a physician or surgeon is held only to that degree of skill possessed by physicians and surgeons of his standing.
In telemedicine, liability may arise from patients’ self-monitoring gadgets, particularly where health professionals recommend that the patient use a certain mobile health product or where the health professional contributed to the development. Health professionals who use mobile health technologies directly in the context of patient care could be held liable for malpractice if a patient is harmed. Conversely, a health professional who declines to make use of data provided by a patient via mobile health technology (which is likely to be overwhelming in its volume) could be held liable if he or she misses important information, delaying diagnosis and harming the patient. But in either case, the physician will only be held liable. If a person suffers loss or damage as a result of defective hardware or software in the use of telemedicine, he or she is entitled to seek remedy either in contract, law of negligence, or product liability. However, the natural inclination of service providers (responsible for creating the telemedicine software and telemedicine platforms which connect patients with doctors) is to prevent, with the aid of contracts or click wraps, any liability that might be attributable to them. So, they tend to exempt themselves from liability over issues arising from consultations that take place on the platform or other issues arising from the use of their software.
Generally, as in other areas of law, it is a patient who is aggrieved by medical negligence that can initiate legal processes for redress or sanctioning of the offending doctor. However, where the patient is a minor, the proxy or surrogate of the child, such as a parent or legal guardian, can initiate complaint processes on the minor’s behalf as the next friend; same would operate where the patient lacks competence on the basis of any mental incapacitations. Where the negligent act results in death, any competent survivor or successor of the deceased can initiate action in respect of the “wrongful death” of the victim. See the Fatal Accidents Law of Lagos State, 1961). The processes initiated can be against the doctor individually, or by vicariously joining the master or employer of the doctor in appropriate situations.
CRIMINAL LIABILITIES IN TELEMEDICINE
Both the healthcare professional and the service provider could be held criminally liable. Under the Federal Competition and Consumer Protection Act, it is a crime for a service provider to contravene the rights of consumers. The law defines consumers inter alia as “any person to whom service is provided”, which invariably includes tele-patient. It is the duty of the service provider who is in possession of a patient’s health records to set up control measures to prevent unauthorized access to those records and to the storage facility in which, or, system by which, records are kept; and where it fails to do so, it commits an offence and is liable on conviction to imprisonment for a period not exceeding two years or to a fine of N250,000.00 or both. See Section 92 National Health Act, 2014.
All private health care providers shall establish and maintain a health information system as part of the National Health Information System, and any health care provider that neglects or fails to comply commits an offence and is liable on conviction to imprisonment for a term of six months or a fine of N 100.000 or both.
It is the duty of every person who, except in a case of necessity, undertakes to administer surgical or medical treatment to any person or to do any other lawful act which is or may be dangerous to human life or health, to have reasonable skill and to use reasonable care in doing such act. See Sevtion 38 of the National Health Act 2014. The Supreme Court in Medical and Dental Practitioners Disciplinary Tribunal v Dr John Emewulu Nicholas Okonkwo (2001) LPELR-1856(SC) stated that that section does not by itself create an offence but creates a duty where it would have been doubtful whether or not one existed in criminal law. It establishes liability for the consequences of the breach of that duty. In circumstances where it is applicable it makes negligence the basis of criminal liability for offences against the person (excluding murder) where the need to establish intention, knowledge and such mental elements as basis of liability would have been required.
On the other hand, any person who in a manner so rash or negligent as to endanger human life or to be likely to cause harm to any person either by giving medical or surgical treatment to any person who he undertakes to treat or by dispensing, supplying, selling, administering, or giving away any medicine or poisonous or dangerous matter, is guilty of a misdemeanor and is liable to imprisonment for one year. See Section 343 of the National Health Act 2014. In Akere v R [1942] 8 WACA 5 where the accused a qualified medical practitioner administered injections of a drug known as sobita to children as a cure for yaws; a number of children died, and he was charged with manslaughter of one of the children, he was found guilty of manslaughter and sentenced to imprisonment for 3 years. WACA upheld the conviction, but the accused further appealed to the Privy Council which held that the negligence of the accused did not amount to gross negligence and allowed the appeal.
CONCLUSION
The growth of telemedicine in Nigeria hinges on the establishment of a deliberate legal and regulatory framework, a sentiment echoed by all stakeholders involved. While awaiting government intervention, industry players must proactively position themselves to leverage the potential benefits and mitigate the risks posed by the current regulatory uncertainties. This necessitates the adoption of creative measures, including strategic contractual and legal structuring, that go beyond the capabilities of the average practitioner or user within the telemedical ecosystem. To optimize their positions within this evolving landscape, interested players should seek the guidance of qualified practitioners who can navigate them through the complexities and help them make informed decisions. By taking proactive steps and engaging expert assistance, stakeholders can position themselves for success in the burgeoning telemedicine sector in Nigeria. Telemedicine creates various liability risks. They include general negligence, criminal liability risks and product liability risks. Telemedicine software developers also face liability claims for design defect and breach of warranty. Even though users are forewarned and made to waive those rights once they accept and download the app, the law ensures that parties who have been injured are entitled to remedy. However, with respect to actions in medical negligence, even though similar principles that would ordinarily apply to conventional practice of medicine apply to telemedicine, there is a level of uncertainty as to when the doctor-patient relationship is established, for the purpose of determining duty of care, needed to establish telemedical negligence. There has to be clarity in the request for medical care via telemedicine and the treatment or advice that should follow. Such clarity could be achieved via consent forms approving the use of telemedicine to examine, consult, diagnose and treat the patient. It could be via email wherein the consent form is emailed to the patient who downloads it, reads it, fills it, signs, scans and sends back to the doctor. Where it is clear that a patient has sought medical care from a physician and both the physician and patient agree to that care, there will be no questions as to the duty of care, which is a prerequisite for establishing telemedical negligence.
RECOMMENDATION
Development of Policies and Procedures: Providers should develop clear, comprehensive concise policies and procedures that reflect regulatory compliance requirements in telemedicine. These policies should cover all aspects of telehealth operations, ensuring that staff members are fully informed and adhere to these policies to maintain consistency and compliance across the organization.
Data Privacy and Security Solutions: Telemedicine providers must prioritize the implementation of technology solutions that meet or exceed regulatory standards concerning quality, privacy, and security. They should also invest in secure telehealth platforms with encryption features and user authentication features to protect patient information and ensure compliance with data protection laws.
Conduct Regular Compliance Audits and Assessments: To ensure ongoing compliance, telemedicine operators should conduct regular audits and assessments of telehealth practices, policies, and technology systems. This proactive approach helps to identify and address areas of non-compliance, including a review of security protocols, and adherence to evolving regulatory guidelines.
Education and Training Programs: Telehealth operators are advised to provide comprehensive training and continuing education programs to their practitioners and to enhance understanding of telehealth regulations and best practices. This includes training on privacy rights, security protocols, patient engagement, consent procedures and nuances of delivering virtual healthcare services.
Additional Risk Mitigation Measures: Providers should also consider several other strategies to mitigate potential risks associated with telemedicine such as obtaining explicit patient consent prior to service delivery, delivering high-quality care in accordance with professional ethics and standards, securing comprehensive insurance coverage from third parties, and actively seeking feedback for continuous improvement.
REFERENCE
World Health Organization; Global strategy on Digital Health 2020-2025. Geneva, 2021. Available at https://www.who.int/docs/default-source/documents/gs4dhdaa2a9f352b0445bafbc79ca799dce4d.pdf.
Digital Health – Nigeria. https://www.statista.com/outlook/hmo/digital-health/nigeria
Medical and Dental Practitioners Act, Cap M8 Laws of the Federation of Nigeria 2004.
Pharmacists Council of Nigeria Act Cap P17 Laws of the Federation of Nigeria 2004.
National Health Act 2014
Jessica Davis, ‘Privacy & Security and Telehealth’ Health IT News (2018) < https://www.healthcareitnews.com/news/telemedicine-vendor-breaches-data-24-million-patients-mexico>
JE Dodoo et al., ‘The Development of Telemedicine Programs in Sub-Saharan Africa: Progress and Associated Challenges’ (2022) 12(1) Health and Technology 33-46.
AN Ikwu and others, ‘Advancement of telemedicine in Africa and the current laws: A case study of Nigeria’ (2021), 89(4), Medico-Legal Journal, 270–275.
World Health Organization. Telemedicine: opportunities and developments in Member States: report on the second global survey on eHealth. Global Observatory for eHealth Series, 2, World Health Organization. 2009.
Okoroafor J, Chukwuneke F, Ifebunandu N, et al. Telemedicine and biomedical care in Africa: prospects and challenges. Niger J Clin Pract 2016; 20: 1–5.
Adewale OS. Internet-based telemedicine system in Nigeria. Int J Inform Manag 2004; 24: 221–234.
