Legal Considerations for Implementing a Telehealth Program
Rural communities may need to address several legal considerations while implementing, expanding, and sustaining telehealth programs.
Liability and Malpractice
Similar to in-person medical practices, telehealth services carry liability and malpractice risks. Some liability insurance policies include telehealth as a covered service, while others may require providers to pay for a supplemental telehealth insurance policy. Before expanding services, rural telehealth programs should contact their insurance carrier to ask questions about their coverage for telehealth. For example, programs should ask about coverage for services provided across state lines. States also have different minimum limits of insurance, which may affect a provider's ability to deliver care across state lines.
Consent
Several states require telehealth providers to obtain written or verbal consent from the patient prior to delivering the telehealth service. Informed consent for telehealth typically involves a discussion about the telehealth technology and an overview of privacy and security considerations, among other topics. Program planners can consult the Center for Connected Health Policy's interactive policy map to search for consent requirements by state. The California Telehealth Resource Center provides a sample written consent form.
Privacy and HIPAA
Patients and providers may have questions about safeguarding the privacy of their telehealth communications. All telehealth services need to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which mandates protection of personal health information, as well as any state laws that regulate the privacy and security of health information. In order to protect personal health information, rural telehealth programs need to assess how patient data will be collected, transmitted, and stored and identify potential privacy concerns. Examples include:
- Ensuring that data collected through a smartphone application will not be accessed by third-party advertisers
- Enabling multi-factor authentication on mobile devices
- Determining how to safely archive stored images and videos
- Encrypting communications and data transmission between patients and providers
- Designing telehealth workspaces to maximize privacy and minimize the potential of overhearing private conversations
- Creating protocols that ensure only authorized personnel and patients have access to sensitive information
- Providing information to patients about HIPAA and training to providers and other staff on safeguarding personal health information
Resources to Learn More
Considerations for Telehealth Providers When Negotiating for Malpractice
Insurance
Video/Multimedia
Discusses medical professional liability and liability issues faced by healthcare providers offering telehealth
services and negotiating malpractice insurance.
Author(s): Hansard, L.
Organization(s): National Consortium of Telehealth Resource Centers (TRC)
Date: 3/2017
HIPAA and Telehealth:
A Stepwise Guide to Compliance
Document
Discusses considerations for healthcare providers and their business associates on maintaining HIPAA compliance
when using telehealth and transmitting personal health information. Covers potential consequences related to
data breaches.
Organization(s): National Consortium of Telehealth Resource Centers (TRC)
Date: 2/2017
Obtaining
Informed Consent
Website
Provides information about how to obtain informed consent from patients for telehealth appointments. Includes a
link to state laws and reimbursement policies, and offers a sample telehealth consent form.
Organization(s): Health Resources and Services Administration (HRSA)
A Systematic Review of Research Studies Examining
Telehealth Privacy and Security Practices Used by Healthcare Providers
Document
Reviews the literature examining current standards for privacy and security practices for healthcare providers
using telehealth technologies.
Author(s): Watzlaf, V.J.M., Zhou, L., DeAlmeida, D.R., & Hartman, L.M.
Citation: International Journal of Telerehabilitation, 9(2), 39-59
Date: 2017
Telemedicine: Risk
Management Considerations
Document
Defines telemedicine and categories of risk associated with telemedicine: credentialing, standards of care, and
documentation. Outlines the telemedicine enterprise risk management (ERM) framework as a tool for organizations
when developing standards and strategies for mitigating risks of providing telemedicine services.
Organization(s): American Society for Health Care Risk Management (ASHRM)
Date: 2018