Legal Considerations for Implementing a Telehealth Program

Rural communities may need to address several legal considerations in the course of implementing, expanding, and sustaining telehealth programs.

Liability and Malpractice

Similar to in-person medical practices, telehealth services carry liability and malpractice risks. Some liability insurance policies include telehealth as a covered service, while others may require providers to pay for a supplemental telehealth insurance policy. Before expanding services, rural telehealth programs should contact their insurance carrier to ask questions about their coverage for telehealth. For example, programs should ask about coverage for services provided across state lines. States also have different minimum limits of insurance, which may affect a provider's ability to deliver care across state lines.

Consent

Several states require telehealth providers to obtain written or verbal consent from the patient prior to delivering the telehealth service. Informed consent for telehealth typically involves a discussion about the telehealth technology and an overview of privacy and security considerations, among other topics. Program planners can consult the Center for Connected Health Policy's interactive policy map to search for consent requirements by state. The American Telemedicine Association provides a sample written consent form from rural Marquette General Hospital Health System in Michigan.

Privacy and HIPAA

Patients and providers may have questions about safeguarding the privacy of their telehealth communications. All telehealth services need to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which mandates protection of personal health information, as well as any state laws that regulate the privacy and security of health information. In order to protect personal health information, rural telehealth programs need to assess how patient data will be collected, transmitted, and stored and identify potential privacy concerns. Examples include:

  • Ensuring that data collected through a smartphone application will not be accessed by third-party advertisers
  • Enabling multi-factor authentication on mobile devices
  • Determining how to safely archive stored images and videos
  • Encrypting communications and data transmission between patients and providers
  • Designing telehealth workspaces to maximize privacy and minimize the potential of overhearing private conversations
  • Creating protocols that ensure only authorized personnel and patients have access to sensitive information
  • Providing information to patients about HIPAA and training to providers and other staff on safeguarding personal health information

Resources to Learn More

A Systematic Review of Research Studies Examining Telehealth Privacy and Security Practices Used by Healthcare Providers
Document
Describes a literature review examining current standards for privacy and security practices for telehealth technologies used by healthcare providers in the U.S.
Author(s): Watzlaf, V.J.M., Zhou, L., DeAlmeida, D.R., & Hartman, L.M.
Citation: International Journal of Telerehabilitation, 9(2), 39-59
Date: 2017

Considerations for Telehealth Providers When Negotiating for Malpractice Insurance
Video/Multimedia
Discusses risk, such as cyber liability exposures and medical professional liability issues, as well as insurance issues that affect telehealth programs.
Organization(s): National Consortium of Telehealth Resource Centers
Date: 3/2017

HIPAA and Telehealth: A Stepwise Guide to Compliance
Document
Describes considerations for complying with HIPAA, including questions for potential business associates. Covers information and potential consequences related to data breaches.
Organization(s): National Consortium of Telehealth Resource Centers
Date: 2/2017

Telemedicine Risk Management Considerations
Document
Describes the various forms of telemedicine, risk management concerns, and risk mitigation strategies. Outlines the enterprise risk management (ERM) framework for telemedicine and covers the future applications of telemedicine.
Organization(s): American Society for Health Care Risk Management
Date: 2018