Browse/Search Our Article Library
Risk Management Considerations in
Telehealth and Telemedicine
provision of healthcare services via technology—commonly called telehealth or
telemedicine—expands during the current COVID-19 emergency period, questions
arise regarding the permitted scope of practice, licensure requirements and compliance
with the Health Insurance Portability and Accountability Act (HIPAA), among
other regulatory-based inquiries. It is important for healthcare practitioners
to understand the risks unique to the practice of telehealth, as well as risk
management best practices, including:
authorization to legally practice telehealth.
patient/client data and comply with privacy regulations and disclosure protocols.
outcomes for clinical care and technical support.
- Create and
retain formal patient/client care records for all encounters.
- Engage in
continuing education to ensure key competencies.
information and regulatory guidance regarding COVID-19 is rapidly evolving and
changing. The questions and responses below provide basic information to
practitioners and are intended to serve as a catalyst for a practitioner’s further
inquiry into the federal and state regulatory framework for telemedicine/telehealth.
It is the responsibility of the qualified practitioner to know and meet the
requirements necessary to provide telehealth services to their
What qualifies as telehealth?
involves the use of electronic communications and information technology to
deliver health-related services at a distance. The electronic communication
must have audio and video capabilities that are used for two-way, real-time
interactive communication. States have different laws concerning when and how telehealth
may be practiced, so it’s important to check state statutes, regulations and
policies, as well as state licensure boards regarding practice limitations
before initiating services. In addition, the Centers for Medicare &
Medicaid Services provide
information on the scope of Medicare telehealth services.
Who can provide care via telehealth?
essential to verify with relevant state professional licensing boards the
practitioners (known as a ‘qualified provider’) who can legally provide telehealth
services. Some states limit the types of providers
that can provide services via telehealth. Practitioners must also be
appropriately licensed/certified/credentialed to practice in the state where
their patient/client is located, and work under that state’s scope of practice.
Refer to professional associations, state and/or federal governments’ standards
and requirements for more information. Depending on the state, authorized
practitioners may include physicians, clinical nurse specialists, nurse
practitioners, physician assistants and licensed counselors and therapists,
Is it necessary to secure a
license in both states when delivering telehealth across state lines?
require practitioners who practice telehealth to be licensed in the state where
the patient/client is located and abide by the licensure and practice
requirements of that state. Before embarking on interstate telehealth,
practitioners must review the state practice act of the state where the
patient/client resides. If a state practice act is silent regarding telehealth
or published opinions or interpretations regarding the subject of licensure
have not been issued by recognized sources, then potential telehealth
practitioners should contact their state professional licensing board for
clarification with respect to interstate practice and their licensure status.
Certain states and professions also have entered into interstate compacts,
creating a new pathway to expedite the licensing of a practitioner seeking to
practice in multiple states. For additional information, check the respective
state licensing board to determine if the state has joined a compact.
What are the risks inherent to telehealth
that patient/clients should be made aware of?
consent is always required prior to participation in telehealth services. Practitioners
often use existing consent and documentation processes for store-and-forward
consultations. For more invasive procedures, a separate consent form is preferable,
encompassing the following information:
credentials, organizational affiliations and locations of the various health
- Name and
description of the recommended procedure.
benefits and risks.
- Possible alternatives,
including no treatment.
plans in the event of a problem during the procedure.
under which the patient needs to see a healthcare professional for an in-person
of how care is to be documented and accessed.
privacy and confidentiality measures to be employed.
- Names of
those responsible for ongoing care.
- Risks of
declining the treatment/service.
of the right to revoke consent or refuse treatment at any time.
clearly convey to the patient/client the inherent technical and operational
hazards that may impede communication. These include:
line damage, satellite system compromise or hardware failure, which could lead
to incomplete or failed transmission.
- File corruption
during the transmission process, resulting in less than complete, clear or
accurate reception of information or images.
third-party access, which may lead to data integrity problems.
disasters, such as hurricanes, tornadoes and floods, which can potentially
interrupt operations and compromise computer networks.
emergency or contingency plan in case of technology breakdown, and be sure to
communicate that information to the patient in advance of a telehealth encounter.
Should a special “Consent to
Treat” form be utilized when performing telehealth?
patient’s/client’s consent to telehealth services is an essential step in the
care process and is a recommended best practice of the American Telemedicine
Association. A general consent-to-treat form lacks specificity regarding the
potential benefits, constraints and risks unique to telehealth, including
equipment failures and privacy and security breaches. In addition, a general
form is lacking in standard language regarding patient/client rights and
responsibilities relating to telehealth. Sample telehealth informed consent forms are available from the
American Telemedicine Association.
informed consent process, describe the nature of telemedicine compared with
in-person care (scope of service) as well as providing written information.
Provide information about the encounter, prescribing policies (if applicable),
communication and follow-up, record-keeping, scheduling, privacy and security,
potential risks, mandatory reporting, provider credentials, and billing
arrangements. Prior to initiating telehealth services, know when to recommend
that the patient needs to see a healthcare professional for an in-person visit.
Who needs to abide by HIPAA
The HIPAA Privacy Rule, HIPAA Security Rule, as well as all Administrative
Simplification rules, apply to “covered entities”, which include health plans,
healthcare clearinghouses, and any health care provider who submits
transactions electronically, like claims. Healthcare providers include all
“providers of services” (e.g., institutional providers such as hospitals) and
“providers of medical or health services” (e.g., non-institutional providers
such as physicians, dentists and other practitioners) as defined by Medicare,
and any other person or organization that furnishes, bills, or is paid for
health care. If unsure of covered entity status, please refer to the Centers for Medicare &
Medicaid Services (CMS) for guidance.
How are practitioners expected to
ensure the privacy and confidentiality of patients’/clients’ data during the
novel coronavirus (COVID-19) national public health emergency?
Office for Civil Rights (OCR) announced on March 17, 2020, that it will waive
potential HIPAA penalties for good faith use of telehealth during the
nationwide public health emergency due to COVID-19. This applies to telehealth
provided for any reason, regardless of whether the telehealth service is
related to the diagnosis and treatment of health conditions related to
COVID-19. The notification and accompanying fact sheet explain how covered health care
providers can use everyday communications technologies to offer telehealth to
patients responsibly. Providers are encouraged to review the notification, and
to routinely monitor the HHS Emergency Response page for more information about
COVID-19 and HIPAA.
means that covered health care providers may now use popular applications that
allow for video chats, including Apple FaceTime, Google Hangouts video, or
Skype, to provide telehealth during the COVID-19 nationwide public health
emergency without risk of incurring a penalty for noncompliance with HIPAA Rules.
If health care providers chose to use these applications to provide telehealth,
providers are encouraged to notify
patients that these third-party applications potentially introduce privacy
risks, and providers should enable all available encryption and privacy modes
when using such applications.
health care providers that seek additional privacy protections for telehealth
while using video communication products should provide such services through
technology vendors that are HIPAA compliant and will enter into HIPAA business
associate agreements (BAAs) in connection with the provision of their video
communication products. There are
many HIPAA-compliant telehealth solutions. While we do not endorse any specific
brand here are names of a few options in no particular order: Doxy.me ,
thera-LINK, TheraNest, SimplePractice,
Zoom for healthcare, and VSee. We
also recommend you contact your professional association to see what they may
recommend to fit your needs.
How can practitioners ensure the
care and treatment delivered via telehealth is high-quality?
use of telehealth means that health care organizations and practitioners need
to develop guidelines for monitoring telehealth practitioners and sharing internal
review information. Federal law requires that, at a minimum, this shared
information must include adverse events that result from a practitioner’s telehealth
services and complaints a health care organization receives about a
must adhere to traditional clinical standards of care, and practice within the
scope of practice authorized by law. The American Telemedicine Association has
promulgated a variety of practice guidelines. The Telehealth Resource Center
also provides resources for building and developing a
measurement offers practitioners useful information about how well a telehealth
program is functioning, including further refinements that may be needed.
Indicators should capture clinical, efficiency and satisfaction outcomes,
complication and morbidity rates.
with provider performance criteria.
- Adherence to
- Cost per
- Delays in
accessing consultations, referrals or specialty practitioners.
- Average waiting
basic training in the telehealth system in use at your practice and participate
in all training updates. Conduct routine audits of equipment and software
functionality and know how to respond to equipment malfunctions. Regular equipment
testing and maintenance helps prevent potential technical and user problems.
Equipment should be suitable for diagnostic and treatment uses, readily
available when needed and fully functional during clinical encounters. Facility
safety guidelines should specify who is responsible for maintenance- know who
to contact for technological assistance. Utilize checklists or logs to
facilitate documentation of post-installation testing, pre-session calibration,
and ongoing quality checking of audio, video and data transmission
surveys capture vital data regarding patient/clients and provider perceptions
of the telehealth program, as well as utilization patterns and the overall
quality of care. Surveys also can reveal unexpected barriers to care, including
accessibility issues and cost. A sample survey format for telehealth encounters
is available here.
How should telehealth be
sessions should be as thoroughly documented as all other patient/client
encounters, with both partners to the telehealth agreement contributing to the
process. According to the American Health Information
Management Association, telehealth records minimally should include:
identification number at originating site.
- Date of
- Type of
evaluation to be performed.
for further treatment.
The use of
standardized intake and consultation forms can help practitioners achieve
compliance with documentation parameters. Templates, such as those available
from the American Telemedicine Association, offer a clear and consistent
documentation format for evaluations and consultations.
communications with the patient (verbal, audiovisual, or written) should be
documented in the patient’s unique medical record (electronic medical record or
paper chart) in accordance with documentation standards of in-person visits. Be
sure to document follow-up instructions and any referrals to specialists. Also,
fully document the specific interactive telecommunication technology used to
render the consultation and the reason the consultation was conducted using
telecommunication technology, and not face-to-face, in the patient’s medical
record, in accordance with state and federal regulations.
emergence of telehealth capabilities during the current COVID-19 emergency
period presents exciting opportunities to address some of the biggest
challenges facing healthcare. Demand for telehealth services is expected to
grow as connected devices proliferate and interoperability between healthcare
providers expands. The provider-patient/client relationship will likely evolve
as providers use telehealth to develop and maintain patient/client
relationships over greater distances and patients/clients grow accustomed to
new flexible, personalized care models. As healthcare continues to transform
with the use of technology, it is essential for practitioners to be aware of
the legal, ethical, and regulatory implications to their practice.
following additional sources offer a more detailed framework of guidelines,
standards and tools for the safe practice of telemedical diagnosis and care:
This publication is intended to inform Affinity Insurance Services, Inc., customers of potential liability in their practice. This information is provided for general informational purposes only and is not intended to provide individualized guidance. All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy. This information is not intended to offer legal advice or to establish appropriate or acceptable standards of professional conduct. Readers should consult with a lawyer if they have specific concerns. Neither Affinity Insurance Services, Inc., HPSO, nor CNA assumes any liability for how this information is applied in practice or for the accuracy of this information.
Healthcare Providers Service Organization is a registered trade name of Affinity Insurance Services, Inc., a licensed producer in all states (TX 13695); (AR 100106022); in CA, MN, AIS Affinity Insurance Agency, Inc. (CA 0795465); in OK, AIS Affinity Insurance Services, Inc.; in CA, Aon Affinity Insurance Services, Inc., (CA 0G94493), Aon Direct Insurance Administrators and Berkely Insurance Agency and in NY, AIS Affinity Insurance Agency.