Skip to main content
Rural Health Information Hub

Legal Considerations for Implementing a Telehealth Program

Rural communities may need to address several legal considerations while implementing, expanding, and sustaining telehealth programs.

Liability and Malpractice

Similar to in-person medical practices, telehealth services carry liability and malpractice risks. Some liability insurance policies include telehealth as a covered service, while others may require providers to pay for a supplemental telehealth insurance policy. Before expanding services, rural telehealth programs should contact their insurance carrier to ask questions about their coverage for telehealth. For example, programs should ask about coverage for services provided across state lines. States also have different minimum limits of insurance, which may affect a provider's ability to deliver care across state lines.


Several states require telehealth providers to obtain written or verbal consent from the patient prior to delivering the telehealth service. Informed consent for telehealth typically involves a discussion about the telehealth technology and an overview of privacy and security considerations, among other topics. Program planners can consult the Center for Connected Health Policy's interactive policy map to search for consent requirements by state. The California Telehealth Resource Center provides a sample written consent form.

Privacy and HIPAA

Patients and providers may have questions about safeguarding the privacy of their telehealth communications. All telehealth services need to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which mandates protection of personal health information, as well as any state laws that regulate the privacy and security of health information. In order to protect personal health information, rural telehealth programs need to assess how patient data will be collected, transmitted, and stored and identify potential privacy concerns. Examples include:

  • Ensuring that data collected through a smartphone application will not be accessed by third-party advertisers
  • Enabling multi-factor authentication on mobile devices
  • Determining how to safely archive stored images and videos
  • Encrypting communications and data transmission between patients and providers
  • Designing telehealth workspaces to maximize privacy and minimize the potential of overhearing private conversations
  • Creating protocols that ensure only authorized personnel and patients have access to sensitive information
  • Providing information to patients about HIPAA and training to providers and other staff on safeguarding personal health information

Resources to Learn More

Considerations for Telehealth Providers When Negotiating for Malpractice Insurance
Discusses medical professional liability and liability issues faced by healthcare providers offering telehealth services and negotiating malpractice insurance.
Author(s): Hansard, L.
Organization(s): National Consortium of Telehealth Resource Centers (TRC)
Date: 3/2017

HIPAA and Telehealth: A Stepwise Guide to Compliance
Discusses considerations for healthcare providers and their business associates on maintaining HIPAA compliance when using telehealth and transmitting personal health information. Covers potential consequences related to data breaches.
Organization(s): National Consortium of Telehealth Resource Centers (TRC)
Date: 2/2017

Obtaining Informed Consent
Provides information about how to obtain informed consent from patients for telehealth appointments. Includes a link to state laws and reimbursement policies, and offers a sample telehealth consent form.
Organization(s): Health Resources and Services Administration (HRSA)

A Systematic Review of Research Studies Examining Telehealth Privacy and Security Practices Used by Healthcare Providers
Reviews the literature examining current standards for privacy and security practices for healthcare providers using telehealth technologies.
Author(s): Watzlaf, V.J.M., Zhou, L., DeAlmeida, D.R., & Hartman, L.M.
Citation: International Journal of Telerehabilitation, 9(2), 39-59
Date: 2017

Telemedicine: Risk Management Considerations
Defines telemedicine and categories of risk associated with telemedicine: credentialing, standards of care, and documentation. Outlines the telemedicine enterprise risk management (ERM) framework as a tool for organizations when developing standards and strategies for mitigating risks of providing telemedicine services.
Organization(s): American Society for Health Care Risk Management (ASHRM)
Date: 2018