Risk Management Considerations in Telehealth and Telemedicine

As the provision of healthcare services via technology—commonly called telehealth or telemedicine—expands during the current COVID-19 emergency period, questions arise regarding the permitted scope of practice, licensure requirements and compliance with the Health Insurance Portability and Accountability Act (HIPAA), among other regulatory-based inquiries.

It is important for healthcare practitioners to understand the risks unique to the practice of telehealth, as well as risk management best practices, including:

• Verify authorization to legally practice telehealth.
• Safeguard patient/client data and comply with privacy regulations and disclosure protocols.
• Monitor outcomes for clinical care and technical support.
• Create and retain formal patient/client care records for all encounters.
• Engage in continuing education to ensure key competencies.

 
The information and regulatory guidance regarding COVID-19 is rapidly evolving and changing. The questions and responses below provide basic information to practitioners and are intended to serve as a catalyst for a practitioner’s further inquiry into the federal and state regulatory framework for telemedicine/telehealth. It is the responsibility of the qualified practitioner to know and meet the requirements necessary to provide telehealth services to their patients/clients. 
 
What qualifies as telehealth?
Telehealth involves the use of electronic communications and information technology to deliver health-related services at a distance. The electronic communication must have audio and video capabilities that are used for two-way, real-time interactive communication. States have different laws concerning when and how telehealth may be practiced, so it’s important to check state statutes, regulations and policies, as well as state licensure boards regarding practice limitations before initiating services. In addition, the Centers for Medicare & Medicaid Services provide information on the scope of Medicare telehealth services.
 
Who can provide care via telehealth?
It is essential to verify with relevant state professional licensing boards the practitioners (known as a ‘qualified provider’) who can legally provide telehealth services. Some states limit the types of providers that can provide services via telehealth. Practitioners must also be appropriately licensed/certified/credentialed to practice in the state where their patient/client is located, and work under that state’s scope of practice. Refer to professional associations, state and/or federal governments’ standards and requirements for more information. Depending on the state, authorized practitioners may include physicians, clinical nurse specialists, nurse practitioners, physician assistants and licensed counselors and therapists, among others.
 
Is it necessary to secure a license in both states when delivering telehealth across state lines?
Some states require practitioners who practice telehealth to be licensed in the state where the patient/client is located and abide by the licensure and practice requirements of that state. Before embarking on interstate telehealth, practitioners must review the state practice act of the state where the patient/client resides. If a state practice act is silent regarding telehealth or published opinions or interpretations regarding the subject of licensure have not been issued by recognized sources, then potential telehealth practitioners should contact their state professional licensing board for clarification with respect to interstate practice and their licensure status. Certain states and professions also have entered into interstate compacts, creating a new pathway to expedite the licensing of a practitioner seeking to practice in multiple states. For additional information, check the respective state licensing board to determine if the state has joined a compact.
 
What are the risks inherent to telehealth that patient/clients should be made aware of?
Patient/client consent is always required prior to participation in telehealth services. Practitioners often use existing consent and documentation processes for store-and-forward consultations. For more invasive procedures, a separate consent form is preferable, encompassing the following information:

• Names, credentials, organizational affiliations and locations of the various health professionals involved.
• Name and description of the recommended procedure.
• Potential benefits and risks.
• Possible alternatives, including no treatment.
• Contingency plans in the event of a problem during the procedure.
• Circumstances under which the patient needs to see a healthcare professional for an in-person visit.
• Explanation of how care is to be documented and accessed.
• Security, privacy and confidentiality measures to be employed.
• Names of those responsible for ongoing care.
• Risks of declining the treatment/service.
• Reiteration of the right to revoke consent or refuse treatment at any time.

 
In addition, clearly convey to the patient/client the inherent technical and operational hazards that may impede communication. These include:

• Fiber-optic line damage, satellite system compromise or hardware failure, which could lead to incomplete or failed transmission.
• File corruption during the transmission process, resulting in less than complete, clear or accurate reception of information or images.
• Unauthorized third-party access, which may lead to data integrity problems.
• Natural disasters, such as hurricanes, tornadoes and floods, which can potentially interrupt operations and compromise computer networks.

 
Prepare an emergency or contingency plan in case of technology breakdown, and be sure to communicate that information to the patient in advance of a telehealth encounter.
 
Should a special “Consent to Treat” form be utilized when performing telehealth?
Obtaining a patient’s/client’s consent to telehealth services is an essential step in the care process and is a recommended best practice of the American Telemedicine Association. A general consent-to-treat form lacks specificity regarding the potential benefits, constraints and risks unique to telehealth, including equipment failures and privacy and security breaches. In addition, a general form is lacking in standard language regarding patient/client rights and responsibilities relating to telehealth. Sample telehealth informed consent forms are available from the American Telemedicine Association.
 
During the informed consent process, describe the nature of telemedicine compared with in-person care (scope of service) as well as providing written information. Provide information about the encounter, prescribing policies (if applicable), communication and follow-up, record-keeping, scheduling, privacy and security, potential risks, mandatory reporting, provider credentials, and billing arrangements. Prior to initiating telehealth services, know when to recommend that the patient needs to see a healthcare professional for an in-person visit.
 
Who needs to abide by HIPAA regulations?
The HIPAA Privacy Rule, HIPAA Security Rule, as well as all Administrative Simplification rules, apply to “covered entities”, which include health plans, healthcare clearinghouses, and any health care provider who submits transactions electronically, like claims. Healthcare providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care. If unsure of covered entity status, please refer to the Centers for Medicare & Medicaid Services (CMS) for guidance.
 
How are practitioners expected to ensure the privacy and confidentiality of patients’/clients’ data during the novel coronavirus (COVID-19) national public health emergency?
The HHS Office for Civil Rights (OCR) announced on March 17, 2020, that it will waive potential HIPAA penalties for good faith use of telehealth during the nationwide public health emergency due to COVID-19. This applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. The notification and accompanying fact sheet explain how covered health care providers can use everyday communications technologies to offer telehealth to patients responsibly. Providers are encouraged to review the notification, and to routinely monitor the HHS Emergency Response page for more information about COVID-19 and HIPAA.
 
This notice means that covered health care providers may now use popular applications that allow for video chats, including Apple FaceTime, Google Hangouts video, or Skype, to provide telehealth during the COVID-19 nationwide public health emergency without risk of incurring a penalty for noncompliance with HIPAA Rules. If health care providers chose to use these applications to provide telehealth, providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
 
Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. There are many HIPAA-compliant telehealth solutions. While we do not endorse any specific brand here are names of a few options in no particular order: Doxy.me , thera-LINK,  TheraNest, SimplePractice, Zoom for healthcare, and VSee. We also recommend you contact your professional association to see what they may recommend to fit your needs.
 
How can practitioners ensure the care and treatment delivered via telehealth is high-quality?
Increased use of telehealth means that health care organizations and practitioners need to develop guidelines for monitoring telehealth practitioners and sharing internal review information. Federal law requires that, at a minimum, this shared information must include adverse events that result from a practitioner’s telehealth services and complaints a health care organization receives about a practitioner.
 
Practitioners must adhere to traditional clinical standards of care, and practice within the scope of practice authorized by law. The American Telemedicine Association has promulgated a variety of practice guidelines. The Telehealth Resource Center also provides resources for building and developing a telehealth program.
 
Outcome measurement offers practitioners useful information about how well a telehealth program is functioning, including further refinements that may be needed. Indicators should capture clinical, efficiency and satisfaction outcomes, including:

• Patient/client complication and morbidity rates.
• Compliance with provider performance criteria.
• Diagnostic accuracy.
• Adherence to clinical protocols.
• Referral rates.
• Patient/client satisfaction levels.
• Cost per case.
• Delays in accessing consultations, referrals or specialty practitioners.
• Average waiting times.

 
Complete basic training in the telehealth system in use at your practice and participate in all training updates. Conduct routine audits of equipment and software functionality and know how to respond to equipment malfunctions. Regular equipment testing and maintenance helps prevent potential technical and user problems. Equipment should be suitable for diagnostic and treatment uses, readily available when needed and fully functional during clinical encounters. Facility safety guidelines should specify who is responsible for maintenance- know who to contact for technological assistance. Utilize checklists or logs to facilitate documentation of post-installation testing, pre-session calibration, and ongoing quality checking of audio, video and data transmission capabilities.
 
Satisfaction surveys capture vital data regarding patient/clients and provider perceptions of the telehealth program, as well as utilization patterns and the overall quality of care. Surveys also can reveal unexpected barriers to care, including accessibility issues and cost. A sample survey format for telehealth encounters is available here.
 
How should telehealth be documented?
Telehealth sessions should be as thoroughly documented as all other patient/client encounters, with both partners to the telehealth agreement contributing to the process. According to the American Health Information Management Association, telehealth records minimally should include:

• Patient/client name.
• Patient/client identification number at originating site.
• Date of service.
• Referring practitioner’s name.
• Consulting practitioner’s name.
• Provider organization’s name.
• Type of evaluation to be performed.
• Informed consent documentation.
• Evaluation results.
• Diagnosis/impression of practitioners.
• Recommendations for further treatment.

 
The use of standardized intake and consultation forms can help practitioners achieve compliance with documentation parameters. Templates, such as those available from the American Telemedicine Association, offer a clear and consistent documentation format for evaluations and consultations.
 
All communications with the patient (verbal, audiovisual, or written) should be documented in the patient’s unique medical record (electronic medical record or paper chart) in accordance with documentation standards of in-person visits. Be sure to document follow-up instructions and any referrals to specialists. Also, fully document the specific interactive telecommunication technology used to render the consultation and the reason the consultation was conducted using telecommunication technology, and not face-to-face, in the patient’s medical record, in accordance with state and federal regulations.
 
Final thoughts
The emergence of telehealth capabilities during the current COVID-19 emergency period presents exciting opportunities to address some of the biggest challenges facing healthcare. Demand for telehealth services is expected to grow as connected devices proliferate and interoperability between healthcare providers expands. The provider-patient/client relationship will likely evolve as providers use telehealth to develop and maintain patient/client relationships over greater distances and patients/clients grow accustomed to new flexible, personalized care models. As healthcare continues to transform with the use of technology, it is essential for practitioners to be aware of the legal, ethical, and regulatory implications to their practice.
 
References/Additional Resources
The following additional sources offer a more detailed framework of guidelines, standards and tools for the safe practice of telemedical diagnosis and care:
 

• Healthcare Perspective: Telemedicine
• HHS: HIPAA for Professionals
• HHS: COVID-19 and HIPAA
• HHS: Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency
• CMS: Medicare Telemedicine Health Care Provider Fact Sheet
• American Telemedicine Association
• American Health Information Management Association
• Telehealth Resource Center
• Center for Connected Health Policy (CCHP)
• The Joint Commission
• Foley & Lardner: 50-State Survey of Telehealth Commercial Payer Statutes (December 2019)
• Center for Connected Health Policy (CCHP): State Telehealth Laws & Reimbursement Policies

 
Profession-Specific Resources

• American Nurses Association (ANA): ANA Core Principles on Connected Health/Telehealth
• American Association of Nurse Practitioners (AANP): Telehealth
• The Journal for Nurse Practitioners: Telehealth and Legal Implications for Nurse Practitioners
• American Physical Therapy Association: Telehealth
• American Pharmacists Association (APhA): Telehealth
• American Counseling Association (ACA): ACA Code of Ethics, Section H, Distance Counseling, Technology, and Social Media
• Counselor Risk Control Spotlight: Telebehavioral Health