Telehealth has taken the spotlight with the onset of the global COVID-19 pandemic, which rendered traditional, in-person health care visits potentially unsafe in the face of a highly communicable virus. Because many conditions can be adequately diagnosed and treated via telehealth, the use of this mechanism of health care delivery became palatable for telehealth providers, including those providing telerehabilitation, and patients alike. Concurrently, a myriad of laws and regulations governing health care practice were relaxed in an attempt to make use of telehealth easier for telehealth providers and patients. Nonetheless, there is a patchwork of varying standards governing the practice of telehealth, including telerehabilitation, across the globe and in the United States, which makes practicing telehealth potentially confusing for the newly initiated. This chapter will focus on discussing laws pertaining to the practice of telehealth in the United States; readers from other countries are reminded to ensure that they have followed the rulings of their particular country and region of practice, including for telerehabilitation.
Before a telehealth provider can treat a patient, they must be appropriately licensed. All telehealth providers, including telerehabilitation providers, must comply with the applicable licensure requirements in the jurisdiction in which they are licensed. In the United States, this means that a telehealth provider must comply with the licensure requirements of the state in which he or she is licensed. Telehealth adds a layer of complexity to licensure in the United States. Telehealth providers, including telerehabilitation providers, generally must be licensed in the state in which the patient is located. Licensure requirements vary from state to state and can be more or less onerous. In many cases, it can take upward of 1 year for a physician to obtain a license to practice in a given state. To the extent a telehealth statute does not address licensure requirements specifically, it is safe to assume that the telehealth provider needs to be licensed in the state in which the patient is located. Barring a telemedicine special purpose license or an exception, if a telehealth provider intends to provide services in multiple states, he or she must be licensed in those multiple states.
A number of states have implemented a telemedicine special purpose license, permit, or registration. For example, Florida recently enacted a telehealth law establishing a telehealth registration for out-of-state telehealth providers, including telerehabilitation providers; Florida-licensed health care providers are not required to register. The law prohibits an out-of-state telehealth provider from opening an office in Florida and providing in-person health care services to patients located in Florida. 1
1 See Fla. Stat. § 456.47(4).
The Florida Department of Health publishes on its website a list of all out-of-state telehealth registrants. 2
2 See Fla. Stat. § 456.47(4)(h) (as enacted by HB 23, eff. July 1, 2019).
As another example, Georgia’s Medical Practices Act requires a medical license of persons physically located in another state who, through the use of telecommunication, perform acts that are part of patient care services in Georgia, but the out-of-state physician may obtain a license if he or she has a full and unrestricted medical license in another state and no disciplinary actions have been taken against him or her by any other state jurisdiction. 3
3 See Ga. Code Ann § 43-34-31(a).
In addition to telemedicine special purpose license, permit, or registration, there are exceptions to the general rule that a telehealth provider must be licensed in the state in which a patient is located. For example, Virginia provides license reciprocity for physicians providing telemedicine services to patients in Virginia if the physician is licensed in a bordering state, which includes Maryland, Washington DC, North Carolina, Tennessee, Kentucky, and West Virginia. 4
4 Va. Code § 54.1–2901(A)(7).
This exception is familiarly known as the bordering state exception.
Another exception, the peer-to-peer consultation exemption, allows for an out-of-state physician to consult with a physician in a given state without needing to be licensed in that state. Here, the out-of-state physician typically must be licensed in the state where he or she is located, and the in-state physician must be licensed in the state where he or she and the patient are located. The in-state physician is held responsible for maintaining the physician-patient relationship, whereas the out-of-state physician’s services are only for secondary consultation purposes. Although the in-state physician has primary responsibility for patient care, some states with peer-to-peer consultation exceptions enable the out-of-state physician to have direct contact with the patient provided that the contact is not frequent and/or is at the direction of the in-state physician.
The contours of the peer-to-peer consultation exception vary among the states that recognize this exception. In Minnesota, for example, an out-of-state physician providing telemedicine services is exempt from licensure in Minnesota if she is licensed in another state and (1) provides services less than once a month or to less than 10 patients per year or (2) provides services in consultation with a Minnesota-licensed physician who “retains ultimate authority over the diagnosis and care of the patient.” 5
5 Minn. Stat. § 147.032.
Contrast this with Iowa, where the state law specifically requires that a physician “practices in Iowa for a period not greater than 10 consecutive days and not more than 20 total days in any calendar year” to be exempt from licensure requirements. 6
6 Iowa Admin. Code § 653-9.1.
Over 20 states across the United States have joined the Interstate Medical Licensure Compact (the “IMLC”), which offers a voluntary expedited pathway for licensure for physicians seeking to practice in multiple states. 7
7 See Interstate Medical Licensure Compact, available at www.imlcc.org/ .
In order to be eligible for the IMLC route, a physician must (1) hold a full, unrestricted medical license in a member state, and either live, work, or conduct at least 25% of their practice of medicine there; (2) have graduated from an accredited medical school or an eligible international medical school; (3) have successfully completed Accreditation Council for Graduate Medical Education- or American Osteopathic Association-accredited graduate medical education; (4) have passed each component of the United States Medical Licensing Examination, Comprehensive Osteopathic Medical Licensing Examination of the United States, or equivalent in no more than three attempts; (5) hold a current specialty certification or time-unlimited certification by an American Board of Medical Specialties or American Osteopathic Association/Bureau of Osteopathic Specialists board; (6) have no history of disciplinary action toward his medical license; (7) have no criminal history; (8) have no history of controlled substance actions toward his medical license; and (9) not currently be under investigation. Physicians who are not eligible for the expedited process can still seek additional licenses in member states using the traditional state-by-state process. In addition to the IMLC, a majority of states belong to the Nurse Licensure Compact (“NLC”), which allows registered nurses and licensed practical nurses to practice in other NLC states without having to obtain additional licenses. 8
8 See National Council of State Boards of Nursing (“NCSBN”), www.ncsbn.org/compacts.htm .
It is worth noting that many states have, in response to the COVID-19 public health emergency, waived licensure requirements for a portion of or for the duration of the public health emergency. Many states accomplished this by governors issuing executive orders. For example, Minnesota authorized out-of-state health care professionals who hold an active, relevant license, certificate, or other permit in good standing issued by a state of the United States or the District of Columbia to render aid in Minnesota during the peacetime emergency declared in Executive Order 20-01, but only to the extent those health care professionals are engaged with a health care system or provider, such as a hospital, clinic, or other health care entity located in Minnesota. 9
9 See Emergency Executive Order 20-46 (Apr. 25, 2020), www.leg.mn.gov/archive/execorders/20-46.pdf . The Minnesota Medical Board issued a press release on April 27, 2020 announcing Executive Order 20-46, which currently remains posted on Minnesota’s Board of Medical Practice website. Minnesota Board of Medical Practice, Governor Tim Walz’ Emergency Executive Order 20-46 (Apr. 27, 2020), mn.gov/boards/assets/EO%2020-46%20Out%20of%20State%20Heatlhcare%20Workers%20-%20FINAL%20-%2004272020_tcm21-429904.pdf .
The Minnesota state of emergency was extended through February 12, 2020, unless rescinded, terminated, or extended. 10
10 See Executive Order 20-100 (Dec. 14, 2020), www.leg.mn.gov/archive/execorders/20-100.pdf .
Similarly, on December 16, 2020, Hawaii’s governor issued the Seventeenth Proclamation related to the COVID-19 emergency:
Section 453-1.3, HRS, practice of telehealth, to the extent necessary to allow individuals currently and actively licensed pursuant to Chapter 453, HRS, to engage in telehealth without an in-person consultation or a prior existing physician-patient relationship; and to the extent necessary to enable out-of-state physicians, osteopathic physicians, and physician assistants with a current and active license, or those who were previously licensed pursuant to Chapter 453, HRS, but who are no longer current and active, to engage in telehealth in Hawaii without a license, in-person consultation, or prior existing physician-patient relationship, provided that they have never had their license revoked or suspended and are subject to the same conditions, limitations, or restrictions as in their home jurisdiction. 11
11 See Seventeenth Proclamation Related to the COVID-19 Emergency (Dec. 16, 2020), governor.hawaii.gov/wp-content/uploads/2020/12/2012088-ATG_Seventeenth-Proclamation-Related-to-the-COVID-19-Emergency-distribution-signed.pdf .
The Proclamation further declared “that the disaster emergency relief period shall continue through February 14, 2021, unless terminated or superseded by a separate proclamation, whichever shall occur first.” 12
12 Id .
Not all states have licensure waivers in effect, however. For example, in Michigan, the governor authorized all “health care professionals” who are “licensed in good standing” in any US state or territory to practice in Michigan. This applied to health care professionals licensed under Articles 7 and 15 of Michigan’s Public Health Code, which specifically includes the categories of medicine, nursing, social work, psychology, counseling, and physical therapy and does not require individuals to apply for or be granted an exception. The Executive Order provided:
The restrictions of MCL 500.3476 requiring telehealth services to be provided by a health care professional who is licensed, registered, or otherwise authorized to engage in his or her health care profession in the state where the patient is located is hereby suspended to the extent necessary to allow a medical professional licensed and in good standing to practice in a state other than Michigan to use telehealth when treating patients in Michigan without a license to practice medicine in Michigan. A license that has been suspended or revoked is not considered a license in good standing, and a licensee with pending disciplinary action is not considered to have a license in good standing. A license that is subject to a limitation or restriction in another state is subject to the same limitation or restriction in this state. 13
13 See Executive Order 2020-138 (June 29, 2020), www.michigan.gov/whitmer/0, 9309, 7-387-90499_90705-533221–, 00.html .
However, on October 2, 2020, the Michigan Supreme Court held the governor did not have the authority to extend the state of emergency. 14
14 See Statement from Governor Whitmer on Michigan Supreme Court Ruling on Emergency Powers (Oct. 2, 2020), www.michigan.gov/whitmer/0, 9309, 7-387-90499-541283–, 00.html .
The result is that the Michigan state of emergency is no longer in effect and Executive Order 2020-138 has been rescinded.
On a national level, before COVID-19, Medicare required that health care providers be licensed in the state in which the patient is located. In response to the COVID-19 pandemic, Centers for Medicare & Medicaid Services (CMS) waived Medicare’s requirement that physicians and nonphysician health care providers be licensed in the state where they are providing services when the following four conditions are met:
The health care provider is enrolled in the Medicare program.
The health care provider possesses a valid license to practice in the state that relates to his or her Medicare enrollment.
The provider furnishes services—whether in person or via telehealth—in a state in which the emergency is occurring in order to contribute to relief efforts in his or her professional capacity.
The health care provider is not affirmatively excluded from practice in the state or in any other state that is part of the 1135 emergency area. 15
15 See Department of Health and Human Services, Interim Final Rule, Medicare and Medicaid Programs; Policy and Regulatory Revisions in Response to the COVID-19 Public Health Emergency (Mar. 26, 2020), www.cms.gov/files/document/covid-final-ifc.pdf ; Waiver or Modification of Requirements Under Section 1135 of the Social Security Act (Mar. 13, 2020), www.phe.gov/emergency/news/healthactions/section1135/Pages/covid19-13March20.aspx .
It is important for telehealth providers, including telerehabilitation providers, to continue to comply with state-specific licensure requirements regardless of the exceptions provided by CMS applicable to Medicare.
Provider-Patient Relationship Formation
A threshold issue for any telehealth provider, including telerehabilitation providers, is how something as basic as forming a valid provider-patient relationship may be done compliantly, which is a requirement before a provider may prescribe any drugs or render any medical treatment. Establishing a valid physician-patient relationship, for example, requires the physician to take a history and perform a physical examination adequate to establish the diagnoses and identify underlying conditions and/or contraindications to the treatment recommended or provided. Treating patients via telemedicine necessarily includes use of various communication technologies to facilitate patient consultation, diagnosis, education, treatment, and general patient management. The modality through which a physician may establish a valid physician-patient relationship depends on the language of the applicable jurisdiction, which in the United States is state law, and the specific clinical situation. These treatment modalities include, but are not limited to, live video with audio capabilities, store and forward, and mobile health, such as apps.
The treatment modality that may be used to create the physician-patient relationship varies by state. For example, Arkansas regulations provide, “For purposes of this regulation, a proper physician/patient relationship, at a minimum requires that: (a) The physician performs a history and an ‘in person’ physical examination of the patient adequate to establish a diagnosis and identify underlying conditions and/or contraindications to the treatment recommended/provided; or (b) The physician performs a face to face examination using real time audio and visual telemedicine technology that provides information at least equal to such information as would have been obtained by an in-person examination; or (c) The physician personally knows the patient and the patient’s general health status through an ‘ongoing’ personal or professional relationship”. 16
16 See Ark. R. 060.00.1-2(8).
Importantly, “‘Professional relationship’ does not include a relationship between a health care professional and a patient established only by the following: (1) An internet questionnaire; (2) An email message; (3) Patient-generated medical history; (4) Audio-only communication, including without limitation interactive audio; (5) Text messaging; (6) A facsimile machine; or (7) Any combination thereof.” 17
17 Ark. Code Ann. § 17-80-403(c).
Moreover, “A pharmacist practicing within or outside Arkansas may not fill a prescription order to dispense a prescription-only drug to a patient if the pharmacist knows or reasonably should have known under the circumstances that the prescription order was issued on the basis of: (A) An Internet questionnaire; (B) An Internet consultation; or (C) A telephonic consultation.” 18
18 Ark. Code Ann. § 17-92-1004(c).
These restrictions are aimed at prohibiting what is commonly referred to as internet prescribing.
The modality required to form a physician-patient relationship may or may not be the standard applied to other health care professionals. For example, real-time audio and visual telemedicine technology that provides information at least equal to the information that would be obtained in person, and appropriate follow-up provided or arranged, when necessary, at medically necessary intervals is the standard applied to advanced practice registered nurses (APRNs). See Code Ark. R. 067.00.4-XIII(A), providing:
The APRN shall establish a proper APRN/patient relationship prior to providing any patient care.
A proper APRN/patient relationship, at a minimum requires that:
The APRN perform a history and an “in person” physical examination of the patient adequate to establish a diagnosis and identify underlying conditions and/or contraindications to the treatment recommended/provided; OR
The APRN perform a face-to-face examination using real-time audio and visual telemedicine technology that provides information at least equal to such information as would have been obtained by an in-person examination; AND
Appropriate follow-up be provided or arranged, when necessary, at medically necessary intervals.
The Board of Nursing’s Telemedicine regulations provide, “An APRN/patient relationship shall be established in accordance with Chapter 4 , Section XIII before the delivery of services via telemedicine. A patient completing a medical history online and forwarding it to an APRN is not sufficient to establish the relationship, nor does it qualify as store-and-forward technology.” 19
19 See Code Ark. R. 067.00.4-XIV(A).
Further, the Arkansas Telemedicine Act, which applies to “health care professionals,” including NPs, states that in order to provide care to a patient located in Arkansas via telemedicine, either (1) a “professional relationship” must exist between a health care professional and the patient or (2) the health care professional otherwise meets the requirements of a professional relationship. 20
20 See Ark. Code Ann. § 17-80-403(a).
For purposes of the Act, “health care professional” means a person who is licensed, certified, or otherwise authorized by the laws of this state to administer health care in the ordinary course of the practice of their profession, and would include NPs. 21
21 See Ark. Code Ann. § 17-80-402(2).
As noted earlier, the Board of Nursing regulations allow an NP-patient relationship to be formed via telemedicine. 22
22 See Code Ark. R. 067.00.4-XIII(A)(2), (3).
Telehealth providers, including telerehabilitation providers, must always bear in mind that not all clinical situations are appropriate for telemedicine, regardless of what a given state law says, and it is incumbent on the physician to use his or her informed medical judgment to not only comply with the language of the applicable law, but to also meet the expected standard of care in the community in which care is being rendered.
After creating a valid physician-patient relationship, the telemedicine physician must also conduct an appropriate examination and assessment prior to issuing a medically necessary prescription. Some states, for example, require the use of interactive audio-video technology to establish a valid physician-patient relationship, but after the relationship has been created, the state’s law allows the use of interactive audio (e.g., a telephone) or store and forward (e.g., email) telerehabilitation for subsequent prescribing. For example, in Arkansas, “Once a professional relationship is established, a healthcare professional may provide healthcare services through telemedicine, including interactive audio, if the healthcare services are within the scope of practice for which the healthcare professional is licensed or certified.” 23
23 Ark. Code Ann. § 17-80-404(a)(2).
Here, “telemedicine” means “the use of electronic information and communication technology to deliver health care services, including without limitation the assessment, diagnosis, consultation, treatment, education, care management, and self-management of a patient.” 24
24 Ark. Code Ann. § 17-80-402(7)(A).
Additionally, “telemedicine” includes store and forward technology and remote patient monitoring. 25
25 Ark. Code Ann. § 17-80-402(7)(B).
Finally, all medical practice via telemedicine (whether treatment, diagnosis, prescribing) must comply with the applicable standard of care similar to in-person services. The Arkansas Telemedicine Act provides, for example, “Healthcare services provided by telemedicine, including without limitation a prescription through telemedicine, shall be held to the same standard of care as healthcare services provided in person.” 26
26 Ark. Code Ann. § 17-80-404(c).
If a physician does not have sufficient information available to render a diagnosis, treatment recommendation, or prescription, the physician should not continue with the telemedicine examination. Instead, the physician should instruct the patient to provide more information, laboratory test results, images, or schedule an in-person examination as appropriate.
Many US states, via licensing and practice statutes, administrative codes, medical board guidance, and/or Medicaid laws and policies, require health care providers to obtain an informed consent that is specific to telehealth. These states typically require the telehealth provider, including the telerehabilitation provider, to inform the patient concerning the treatment methods and limitations of treatment using a telehealth platform and, after providing the patient with such information, obtain the patient’s consent to provide telehealth services. Most consent procedures must also provide the patient with alternatives to receiving care via telehealth. Some states have explicit requirements that the telehealth provider instruct the patient concerning appropriate follow-up care in the event of needed care related to the treatment. Often, informed consent must be documented in the medical record. The content and format of such required consent can vary and must meet the prevailing standard of care.
In Delaware, for example, physicians who utilize telemedicine are statutorily required to obtain appropriate consent from requesting patients after disclosures regarding the delivery models and treatment methods or limitations, including informed consent regarding the use of telemedicine technologies, which includes discussing with the patient the diagnosis and the evidence for it, and the risks and benefits of various treatment options. 27
27 See Del. Code Ann. tit. 24, § 1769D.
In contrast, Iowa’s regulations provide, “A licensee who uses telemedicine shall ensure that the patient provides appropriate informed consent for the medical services provided, including consent for the use of telemedicine to diagnose and treat the patient, and that such informed consent is timely documented in the patient’s medical record.” 28
28 Iowa Admin. Code r. 653-13.11(10).
In Kentucky, the applicable statute provides that a treating physician who provides or facilitates the use of telehealth shall ensure that the informed consent of the patient, or another appropriate person with authority to make the health care treatment decision for the patient, is obtained before services are provided through telehealth. 29
29 See Ky. Rev. Stat. Ann. § 311.5975.
The Kentucky Board of Medicine, however, has much more robust requirements. Here, an appropriate informed consent should, as a baseline, include the following terms:
Identification of the patient, the physician, and the physician’s credentials
Types of transmissions permitted using telemedicine technologies (e.g., prescription refills, appointment scheduling, patient education, etc.)
The patient agrees that the physician determines whether or not the condition being diagnosed and/or treated is appropriate for a telemedicine encounter
Details on security measures taken with the use of telemedicine technologies, such as encrypting data, password protected screen savers and data files, or utilizing other reliable authentication techniques, as well as potential risks to privacy notwithstanding such measures
Hold harmless clause for information lost due to technical failures
Requirement for express patient consent to forward patient-identifiable information to a third party 30
30 Kentucky Board of Medicine Opinion Regarding the Use of Telemedicine Technologies in the Practice of Medicine (June 19, 2014).
State informed-consent requirements evolve as telemedicine becomes integral to mainstream medical practice. It may happen that over time telehealth-specific informed consent will be done away with as telehealth becomes more mainstream. If this occurs, then the informed-consent requirements applicable to telehealth would be the same as those observed in in-person health care visits. In the meantime, it is important for telehealth providers to understand and comply with applicable state informed-consent requirements.
Telehealth providers, including telerehabilitation providers, must comply with state laws relating to medical record documentation and retention requirements. Generally, telemedicine documentation retained in a patient’s medical record must be as detailed as an in-person office visit. In Texas, for example:
Patient records must be maintained for all telehealth services. Both the distant site provider and the provider or physician at the established medical site must maintain the records created at each site unless the distant site provider maintains the records in an electronic health record format.
Distant site providers must obtain an adequate and complete medical history for the patient prior to providing treatment and must document this in the patient record.
Patient records must include copies of all relevant patient-related electronic communications, including relevant provider-patient email, prescriptions, laboratory and test results, evaluations and consultations, records of past care, and instructions. If possible, telehealth encounters that are recorded electronically should also be included in the patient record. 31
31 Tex. Admin. Code § 279.16(g)(3).
Compare Texas’ standard with Iowa’s, which provides, “A licensee who uses telemedicine shall ensure that complete, accurate and timely medical records are maintained for the patient when appropriate, including all patient-related electronic communications, records of past care, physician-patient communications, laboratory and test results, evaluations and consultations, prescriptions, and instructions obtained or produced in connection with the use of telemedicine technologies. The licensee shall note in the patient’s record when telemedicine is used to provide diagnosis and treatment. The licensee shall ensure that the patient or another licensee designated by the patient has timely access to all information obtained during the telemedicine encounter. The licensee shall ensure that the patient receives, upon request, a summary of each telemedicine encounter in a timely manner.” 32
32 Iowa Admin. Code r. 653-13.11(14).
Each state has its own way of managing record-keeping requirements with respect to telehealth. Knowing the nuances of these requirements in an applicable state is important for compliant telehealth practice.
Special Notice/Disclosures and Patient Identity Verification Requirements
There are a number of states that have requirements that go above and beyond the requirements typically observed in an informed consent and have patient identity verification requirements. For example, in Arkansas, “The following requirements apply to all services provided by physicians or physician assistants using telemedicine… Services must be delivered in a transparent manner, including providing access to information identifying the physician or physician assistant in advance of the encounter, with licensure and board certifications, as well as patient financial responsibilities.” 33
33 Ark. Admin. Code 060.00.1-38.
In Kansas, when a patient consents to receiving care via telehealth and has a primary care or other treating physician, the person providing telemedicine services is required to send within 3 business days a report to such primary care or other treating physician of the treatment and services rendered to the patient in the telemedicine encounter. 34
34 See Kan. Stat. Ann. § 40-2, 212(2).
In addition to several nuanced state consent requirements, many states require some form of patient identity verification in advance of providing telehealth services. Maryland, for example, requires telehealth practitioners to develop and follow a procedure to verify the identification of the patient receiving telehealth services; confirm whether the patient is in Maryland and identify the practice setting in which the patient is located; and identify all individuals present at each location and confirm they are allowed to hear personal health information. 35
35 See Md. Code Regs. 10.32.05.04.
The Oregon Medical Board states, “A licensee is expected to maintain an appropriate provider-patient relationship. At each telemedicine encounter, the licensee should: verify the location and identity of the patient, provide the identity and credentials of the provider to the patient, and obtain appropriate informed consents from the patient after disclosures regarding the limitations of telemedicine.” 36
36 Board’s Statement of Philosophy on Telemedicine (last rev. Oct. 2020), available at www.oregon.gov/omb/board/Philosophy/Pages/Telemedicine.aspx .
Health Insurance Portability and Accountability Act of 1996
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) 37
37 The Health Insurance Portability and Accountability Act of 1996 (HIPAA), P.L. No. 104-191, 110 Stat. 1938 (1996), Public Law 104-91.
and its implementing regulations (the “Privacy Rule,” the “Breach Notification Rule,” and the “Security Rule”) 38
38 45 C.F.R. 164, Subparts A and C, D, and E.
establish security and privacy standards to ensure the confidentiality and integrity of Protected Health Information (PHI). 39
39 The Privacy Rule protects all “individually identifiable health information” held or transmitted by a Covered Entity or its Business Associate in any form or media, whether electronic, paper, or oral, with exclusions for employment and educational records. The Privacy Rule calls this information “Protected Health Information.” 45 C.F.R. § 160.103.
The HIPAA standards apply to “Covered Entities,” such as health plans, health care clearinghouses, and health care providers that “engage in electronic standard transactions,” and their “Business Associates.” “Electronic standard transactions,” generally speaking, means that the health care provider communicates electronically with health plans, such as to seek reimbursement from the health plan. Health care providers that do not seek reimbursement from health plans are generally not HIPAA Covered Entities.
A subset of telehealth provider entities is not currently regulated by HIPAA as Covered Entities. Moreover, if no PHI is being exchanged, then HIPAA does not apply. Many patients and telehealth providers use mobile technologies, such as smartphones or tablets, to communicate and share data. Developers of these applications frequently are not Covered Entities subject to HIPAA rules, that is, they are not health insurers or health care clearinghouses, and they also do not qualify as Business Associates of Covered Entities such that HIPAA would apply. However, even if HIPAA does not apply, telemedicine providers must ensure that they comply with applicable state law, as an increasing number of states have their own privacy and security statutes that can be broader than HIPAA. Additionally, it is best practice for every telehealth provider to respect the privacy of patient health information and to voluntarily comply with HIPAA as completely as is feasible.
Telehealth providers that do engage in electronic standard transactions must fully comply with HIPAA. An important HIPAA requirement is compliance with the administrative, technical, and physical security standards established by the Security Rule, which typically requires a provider organization to conduct a security risk analysis of the risks and vulnerabilities to the Electronic Protected Health Information (ePHI) that the organization creates, receives, maintains, or transmits. Moreover, the general rule is that a Covered Entity cannot use or disclose PHI without written patient authorization. There are, however, numerous exceptions, including for treatment, payment, and health care operations purposes. HIPAA also requires a Covered Entity to comply with various “patient’s rights” provisions (e.g., the right of access to PHI). Additionally, a Covered Entity may not disclose PHI to a Business Associate unless it enters into a Business Associate Agreement (BAA) that includes each requirement of 45 C.F.R. § 164.504(e).
The granular details of HIPAA compliance are beyond the scope of this chapter. It is important to appreciate that compliance with HIPAA and its implementing regulations generally includes conducting a HIPAA security risk analysis, developing written HIPAA Security Policies and Procedures, implementing the HIPAA Privacy Policies and Procedures, appointing a HIPAA Privacy Officer and HIPAA Security Officer, training the workforce on HIPAA, and negotiating and executing BAAs with Business Associates.
Complying with the Telephone Consumer Protection Act Consent Requirements
The Federal Communications Commission (FCC) is responsible for overseeing both interstate and international communications and thus regulates communication devices transmitting medical data. The FCC also administers the Telephone Consumer Protection Act (TCPA), which was enacted to protect consumer privacy by restricting unsolicited contacts from automated telephone calls, fax machines, and automatic dialers. The TCPA generally restricts telephone calls to residential lines and cell phones under certain circumstances without first obtaining prior written consent. Telehealth providers, however, can place artificial/prerecorded voice and text messages to cell phones, without the patient’s prior express consent, written or otherwise, in order to convey important informational “health care messages” as defined and covered by HIPAA. These exemptions include the following health care–related messages:
appointments and examinations;
confirmations and reminders;
hospital preregistration instructions;
postdischarge follow-up intended to prevent readmission;
prescription notifications; and
home health care instructions.
These exceptions do have restrictions, however. For example, voice calls and text messages can only be sent to the telephone number provided by the patient and must not include any telemarketing, solicitation, advertising, accounting, billing, or financial content. Additionally, a telehealth provider, including a telerehabilitation provider, may only initiate one message per day (up to three per week) and each message must be concise in length. These messages must also include an easy way for patients to opt out of messages. Providers must honor these opt-out requests immediately.
Given the myriad of laws and regulations applicable to data privacy and security that affect the telemedicine industry, it is important that telehealth providers address privacy and security proactively by taking such steps as developing privacy policies to ensure that patient data are adequately protected. Telehealth providers, including telerehabilitation providers, are well advised to inform patients about what specific data are collected and the purposes for which the data are being used. Privacy policies also ideally inform patients about whether any patient-provided data are shared with third parties and the circumstances in which information may be disclosed. It is also wise to inform patients of the risks in using telemedicine services and provide patients with a mechanism for reporting suspected or actual breaches of security to the telemedicine provider.
Because of the number of state and federal laws and regulations applicable to data privacy and security in commerce, including in the health care context, it is important for those in the telehealth industry, including telerehabilitation, to stay up to date on the relevant laws affecting the areas in which they provide services.
Telehealth, including telerehabilitation, is expanding across the globe, especially in response to the worldwide COVID-19 pandemic. The US system is difficult for telehealth providers to navigate because the United States has a unique system of state and federal laws governing various aspects of practice. In other countries, barriers to entry can be as simple as lack of sufficient communication devices or broadband infrastructure to conduct telehealth on the one hand, or more onerous regulations, especially where privacy is concerned, on the other. Regardless of jurisdiction, it is critical that telehealth providers take time to understand the rules and regulations governing telehealth practice before practicing telehealth.