The use of technology to provide healthcare has existed for decades; however, recent advances in technology and changes in reimbursement have increased the prevalence of telehealth for diagnosing and treating patients. Telehealth is an emerging and promising method of providing healthcare in areas where healthcare may be limited or unavailable. Telehealth provides quality, cost-effective healthcare and can reach individuals in remote or underserved locations. It has also been shown to increase patient satisfaction.

The Health Resources and Services Administration of the U.S. Department of Health & Human Services defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration, and may include non-clinical services.” The Centers for Medicare & Medicaid Services and all 50 states have regulations governing the use of and reimbursement for telehealth services, and commercial payers are increasingly covering these services. Reimbursement policies for telehealth services vary and may limit or restrict the type of facilities and providers who may seek reimbursement, setting geographical limitations on reimbursement for certain medical conditions. Because of the surge in the use of telehealth, healthcare providers need to be aware of the risks associated with the use of this technology and implement mitigation strategies to reduce these risks.

Telemedicine, which is a subset of telehealth, is defined by the Federation of State Medical Boards as “the practice of medicine using electronic communications, information technology, or other means between a licensee in one location and a patient in another location with or without an intervening health care provider.” Telemedicine can be delivered via real-time videoconferencing for (1) provider-patient consultations; (2) provider-to-provider consultations; (3) store-and-forward technologies; (4) direct to consumer upon demand; and (5) remote patient monitoring in which electronic devices transmit patient health information to providers.

With nearly all healthcare providers currently using some form of telehealth to care for patients, or planning to implement a telemedicine program, the laws and regulations surrounding the practice of medicine are extended to using telehealth technologies to deliver patient care. Legal issues surrounding telemedicine include:

  • Privacy and security
  • Provider state licensure
  • State scope-of-practice laws
  • Corporate practice of medicine
  • Credentialing of providers at the facility where the patient is located
  • Reimbursement
  • Medicare Conditions of Participation requirements for telehealth
  • The Joint Commission standards for telehealth
  • Establishing the provider-patient relationship with the use of telehealth technologies
  • Patient consent
  • Liability and malpractice insurance across state lines
  • Fraud and abuse
  • Regulatory requirements with the use of mobile apps and mHealth apps

Healthcare providers should develop a detailed telemedicine program that identifies the need for specific services and the available or required technologies and resources to implement such a program. Telehealth services should be incorporated into a provider’s overall health information technology structure to support the access to and exchange of health information between healthcare providers. This strategy includes an analysis of the associated risks and implementation of risk mitigation strategies and oversight in order to comply with various laws and regulations. Healthcare providers will also want to evaluate and revise their telehealth programs as new technologies, processes and services are developed and implemented.

Privacy and Security Considerations

Patients expect healthcare providers to protect their health information, and adoption of telemedicine by patients will be dictated, in part, by assurances that their health information will be secure and their privacy maintained. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act and the regulations promulgated apply to covered entities that use and disclose protected health information (PHI) in any medium, including electronic PHI (ePHI). Additionally, state privacy and security laws that protect personal information will also apply to telemedicine. The originating site where the patient is located and the distant site where the healthcare provider is located must coordinate implementation of the telemedicine program to ensure that the confidentiality, integrity and security of PHI are maintained. Privacy and security considerations include:

  • Use of authorized telehealth equipment.
    • What is the vendor providing – equipment, software, connectivity, or a third-party software license with limited support and maintenance? Does the vendor agreement contain representations and warranties that the equipment will function as warranted, and are there guaranteed uptimes and limited downtimes? Does the equipment have sufficient security features to meet HIPAA and state security requirements?
    • Is the vendor a business associate? If so, what are its responsibilities in the event of a breach of PHI? Does the agreement contain indemnification or limitation of liability provisions in the event of a breach? Does the vendor have cyber liability insurance and other insurance coverage, and are the amounts adequate?
  • Conducting a security risk analysis of the telehealth equipment to identify any security vulnerabilities and implementing a risk management plan to mitigate vulnerabilities. Each of the originating-site and distant-site parties should conduct its own security risk analysis.
  • Integration and interoperability of electronic data generated from telehealth services into the electronic health record and health information exchanges. How will the originating site and distant site use and disclose ePHI?
  • Identifying authorized users of the telehealth system and electronic health record and ensuring access controls are in place to restrict access to only authorized users.
  • Patient privacy and security during live videoconference between the patient and the distant provider.
  • Secure transmission of the videoconference between the patient and the distant provider.
  • Monitoring and auditing of access, use and disclosure of PHI with telehealth services, and responsibilities between the parties.
  • Revising privacy and security policies and procedures to include the use of telehealth.
  • Revising the Notice of Privacy Practices to include the use of telehealth for treatment, payment and operations purposes.
  • Responsibility between the parties in the event of a breach of unsecure PHI, and notification requirements.
  • Assessment of additional federal and state privacy laws, and protection of sensitive information such as substance abuse, mental health, STD, HIV and AIDS status.
  • Assessment of the Federal Trade Commission’s and the Food and Drug Administration’s regulations governing the use of mobile medical apps if mobile apps are being used to communicate with the patient.
  • Record retention laws for electronic recordings, secure storage, maintenance and transmission of ePHI, and responsibilities of the parties.

Provider state licensing requirements, scope of practice, credentialing and liability of providers using telehealth services will be discussed in the next blog post.