Here we’ve summarized a few of the legal considerations for providing telehealth and provided resources for additional information.
During the COVID-19 Public Health Emergency, the federal government and many state governments have taken steps to make it easier to implement and access telehealth during this national emergency. Read about the COVID-19 related policy changes.
Privacy and security
Electronic health records are often targeted by malware and hackers. These resources can help you ensure that you’re taking the necessary steps to protect patients’ health information:
- How to improve your cybersecurity practices
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
- HIPAA Security Rule Cybersecurity Guidance Material
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) ensures that health care professionals protect patients’ personal health information. When we’re not in a public health emergency, all of the telehealth services you provide need to be in compliance with HIPAA rules.
HIPAA flexibility during the COVID-19 Public Health Emergency
The HHS Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion to empower covered health care providers to use widely available communications applications without the risk of penalties imposed by OCR for violations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules for the good faith provision of telehealth services. For more information, read OCR’s FAQs on Telehealth and HIPAA or visit OCR’s webpage on HIPAA, Civil Rights, and COVID-19.
While OCR has issued a notice of enforcement discretion to waive HIPAA penalties, the State Attorney Generals have not issued the same notices. Under Sec. 13410(e) of the HITECH Act, State Attorney Generals are permitted to obtain civil money penalties on behalf of state residents for HIPAA violations. You should check with any applicable states to see if they have also waived these penalties.
While specific informed consent laws vary by state, these common sense actions are always a good idea:
- When you meet with a patient, explain what they can expect from the telehealth visit and what their rights are.
- Check in with the patient about their responsibilities during a telehealth visit — for example, they need to be aware of privacy on their end.
- If there’s anyone observing the visit, tell the patient and get their consent at the start.
For more about consent:
- Read this blog on consent from the Southwest Telehealth Resource Center.
Liability and malpractice
Before you offer virtual health care, check with your insurance company to make sure they cover telehealth. In some cases, liability insurance will already cover it, and in others, you may need to purchase supplemental coverage.
If you plan to offer telehealth in more than one state, you’ll also need to confirm that your insurance policy covers you for all locations.
You’ll also want to be aware of any state laws that regulate how you collect and store PHI. To find out more about the state laws where you practice, visit State Health Care Law.
For more information on legal considerations, read Legal Considerations for Implementing a Telehealth Program.
During the COVID-19 Public Health Emergency, there are additional liability protections in place for providers. See this update from the American Medical Association to learn about the changes in effect as well as ones in progress.
State laws, licensure, and actions
State laws and actions in response to COVID-19
States have been taking action to facilitate telehealth during COVID-19. These actions are different from state to state and may include:
- Waiving state licensure bans
- Providing onramps for recently retired physicians to practice telehealth
- Expanded scope of practice
- Expanding telehealth coverage for Medicaid recipients
Several states are modifying licensure requirements/renewals for physicians. See below resources from Federation of State Medical Boards (FSMB) on details:
- States waiving licensure requirements/renewals
- States waiving in-state licensure requirements for Telehealth
For emerging updates to information about state changes, see COVID-19 Related State Actions by the Center for Connected Health Policy or State Telehealth and Licensure Expansion COVID-19 Dashboard by the Alliance for Connected Care.
State laws prior to COVID-19 Public Health Emergency
Interactive map for state laws – the Center for Connected Health Policy, funded by HRSA, helps you stay informed about telehealth-related laws, regulations and Medicaid programs at the state level granularity using a map search option on this site. It covers laws and regulations for all fifty states and the District of Columbia.
Federation of State Medical Boards supports the Interstate Medical Licensure Compact, which is an agreement among 29 participating U.S. states to work together to significantly streamline the licensing process for physicians who want to practice in multiple states, particularly to help provide remote health care. It offers a voluntary, expedited pathway to licensure for physicians who qualify.
The Association of State and Provincial Psychology Boards supports PSYPACT (Psychology Interjurisdictional Compact), which is an interstate compact designed to allow licensed psychologists to practice of telepsychology and conduct temporary in-person face-to-face practice of psychology across state boundaries legally and ethically without necessitating that an individual become licensed in every state to practice.