Skip to main content
U.S. flag

An official website of the United States government

For providers

Legal considerations

Here we’ve summarized a few of the legal considerations when providing telehealth visits and resources for additional information.

During the COVID-19 public health emergency, the federal government and many state governments took steps to make it easier to implement and access telehealth. Many telehealth flexibilities have been extended through December 31, 2024. Read more about the COVID-19 related policy changes and the Guidance on Nondiscrimination in Telehealth: Federal Protections to Ensure Accessibility to People with Disabilities and Limited English Proficient Persons.

Protecting patient health information


Electronic health records are often targeted by malware and hackers. These resources can help you ensure that you are taking the necessary steps to protect patients’ health information:

HIPAA compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) ensures that health care providers protect patients’ personal health information. When we are not in the COVID-19 public health emergency, all of the telehealth services you provide need to be in compliance with HIPAA rules.

HIPAA flexibility during the COVID-19 public health emergency

The U.S. Department of Health and Human Services Office for Civil Rights issued a Notification of Enforcement Discretion to empower covered health care providers to use widely available communications applications without the risk of penalties imposed by the U.S. Department of Health and Human Services Office for Civil Rights for violations of HIPAA rules for the good faith provision of telehealth services. For more information, read FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency or visit HIPAA and COVID-19.

While the U.S. Department of Health and Human Services Office for Civil Rights has issued a notice of enforcement discretion to waive HIPAA penalties, the State Attorney Generals have not issued the same notices. Under Sec. 13410(e) of the HITECH Act, State Attorney Generals are permitted to obtain civil money penalties on behalf of state residents for HIPAA violations. You should check with any applicable states to see if they have also waived these penalties.

HIPAA flexibility after the COVID-19 public health emergency

The U.S. Department of Health and Human Services Office for Civil Rights released guidance to help health care providers and health plans bound by HIPAA and HIPAA rules understand how they can use remote communication technologies for audio-only telehealth post-COVID-19 public health emergency. Information in the guidance includes the ability to comply with HIPAA when using remote communications to provide audio-only telehealth services, the need to meet HIPAA rules for electronic protected health information transmitted over electronic media, and when a business associate agreement with a telecommunication service provider is not necessary.

Read more about HIPAA compliance and telehealth exit disclaimer icon  (PDF).

Protecting yourself from liability and malpractice

Before you offer telehealth:

  • Check with your insurance company to make sure they cover telehealth. In some cases, liability insurance will already cover it, and in others, you may need to purchase supplemental coverage.
  • If you plan to offer telehealth in more than one state, you will need to confirm that your insurance policy covers you for all locations.
  • You will also want to be aware of any state laws that regulate how you collect and store protected health information. To find out more about the state laws where you practice, visit State Health Care Law exit disclaimer icon .

For more information on legal considerations:

Last updated: January 23, 2023

Sign up for email updates

Get updates on telehealth
delivered to your inbox.