Here we’ve summarized a few of the legal considerations for providing telehealth and provided resources for additional information.
During the COVID-19 Public Health Emergency, the federal government and many state governments have taken steps to make it easier to implement and access telehealth. Read about the COVID-19 related policy changes.
Protecting patient health information
Electronic health records are often targeted by malware and hackers. These resources can help you ensure that you’re taking the necessary steps to protect patients’ health information:
- Cybersecurity 101: What You Need to Know (PDF) — from the American Medical Association
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (PDF) — from the Health Sector Coordinating Council
- Cyber Security Guidance Material — from the U.S. Department of Health and Human Services
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) ensures that health care providers protect patients’ personal health information. When we’re not in the COVID-19 Public Health Emergency, all of the telehealth services you provide need to be in compliance with HIPAA rules.
HIPAA flexibility during the COVID-19 Public Health Emergency
The U.S. Department of Health and Human Services Office for Civil Rights issued a Notification of Enforcement Discretion to empower covered health care providers to use widely available communications applications for the good faith provision of telehealth services without the risk of penalties from the Office for Civil Rights for violations of HIPAA rules. For more information, read FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency (PDF) or visit HIPAA and COVID-19.
While the U.S. Department of Health and Human Services Office for Civil Rights has issued a notice of enforcement discretion to waive HIPAA penalties, the State Attorneys General have not issued the same notices. Under Sec. 13410(e) of the HITECH Act, State Attorneys General are permitted to obtain civil money penalties on behalf of state residents for HIPAA violations. You should check with any applicable states to see if they have also waived these penalties.
Obtaining informed consent
While specific informed consent laws vary by state, these common-sense actions are always a good idea:
- When you meet with a patient, explain what they can expect from the telehealth visit and what their rights are.
- Check in with the patient about their responsibilities during a telehealth visit — for example, they need to be aware of privacy on their end.
- If there’s anyone observing the visit, tell the patient and get their consent at the start.
For more about consent:
- Easy-to-Understand Telehealth Consent Form — from the Agency for Healthcare Research and Quality
- Telemedicine & Informed Consent: How Informed Are You? — from the Southwest Telehealth Resource Center
Protecting yourself from liability and malpractice
Before you offer telehealth:
- Check with your insurance company to make sure they cover telehealth. In some cases, liability insurance will already cover it, and in others, you may need to purchase supplemental coverage.
- If you plan to offer telehealth in more than one state, you’ll need to confirm that your insurance policy covers you for all locations.
- You’ll also want to be aware of any state laws that regulate how you collect and store protected health information. To find out more about the state laws where you practice, visit State Health Care Law.
For more information on legal considerations:
- Legal Considerations for Implementing a Telehealth Program — from the Rural Health Information Hub
- Liability protections for health care professionals during COVID-19 — from the American Medical Association
For information about state laws and licensing, see Licensing requirements and interstate compacts.