July 10, 2023

10 Things to Know About Telehealth Compliance

Holland & Knight Healthcare Blog
Shannon Britton Hartsfield | Jennifer Rangel
Healthcare Blog

Providing care via electronic communication when patients and providers are in separate locations, known as telemedicine or telehealth, has been possible for decades. The exigent circumstances sparked by the COVID-19 pandemic led to a telehealth boom. Pre-pandemic, telehealth was constrained by limited reimbursement, cross-border licensure requirements and access to technology. The coronavirus expedited the necessity to deliver care in new ways and, along with increased flexibility in reimbursement, led to explosive growth in these services. Eventually, telemedicine, telehealth, digital health, eHealth and similar terms are likely to become such a part of the fabric of the healthcare continuum that they will simply be referred to as "healthcare." For now, however, these methods of care delivery require special compliance considerations as they are subject to myriad state and federal health care regulations.

1. Make Sure Data Stays Private and Secure.

During the public health emergency (PHE), the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), temporarily waived certain data security requirements. For example, providers could use certain HIPAA-compliant communication platforms even without a HIPAA business associate agreement in place. OCR's decision to exercise enforcement discretion with respect to certain HIPAA requirements during the PHE expired on May 11, 2023, with a 90-day grace period. Therefore, after midnight on Aug. 9, 2023, telehealth providers will no longer be able to rely on that enforcement discretion in the event their telehealth platform fails to meet HIPAA standards.

2. Do You Know Where Your Patient Is? Adhere to State Licensure Laws.

Human physiology is the same across state lines, but licensure requirements are not. Telehealth practitioners servicing patients in other states or countries need to be aware of licensure laws in the jurisdictions where the patients are located. Under the law in most states, the practitioner must be licensed in the state in which the patient is located at the time the telehealth services are offered. A telehealth practitioner practicing in many states likely needs to be licensed in those states. Some states have a more limited license available but many require full licensure. Telehealth practitioners should be familiar and in compliance with state licensing laws. In response to the COVID-19 PHE, some state licensure restrictions fell by the wayside. With the end of the PHE on May 11, 2023, licensure restrictions have returned or are in the process of tightening once again.

3. Pay Attention to Corporate Structure.

A number of states prohibit the corporate practice of medicine, which impacts how a telehealth platform is structured as the platform itself is typically a lay entity and not permitted to directly employ or contract with practitioners to provide professional telehealth services in these states. Thus, consideration must be given to compliance with corporate practice of medicine laws including an affiliation with a physician practice or friendly physician entity to provide professional medical services in states that prohibit the corporate practice of medicine.

4. Beware of Risky Compensation Arrangements.

Certain compensation arrangements may create risks under state or federal law. If a telehealth app or online platform receives a percentage of the practitioner's professional fee as compensation, or a compensation arrangement is not fair market value, the arrangement could violate state and federal fraud and abuse laws, such as laws prohibiting kickbacks or fee splitting. A good place to learn more about potential fraud and abuse concerns in telehealth arrangements is the HHS Office of Inspector General (OIG) Special Fraud Alert dealing with "purported telemedicine companies" issued on July 20, 2022. This alert discusses how certain unscrupulous telemedicine companies pay kickbacks to practitioners to further fraudulent schemes. The OIG listed a number of suspect characteristics of these arrangements, such as:

  • recruiting patients by offering free or low out-of-pocket cost services or products
  • limited contact between the practitioner and the patient, including arrangements where the practitioner may only communicate with the patient using audio-only technology, regardless of the practitioner's or patient's preference
  • compensation to the prescriber based on the volume of items or services prescribed
  • focusing on only one product or class of products, which could restrict the prescribing practitioner's treatment options

Additional consideration should be given to state laws and regulations prohibiting fee splitting and kickbacks in the states in which the practitioner provides telehealth.

5. Consider Informed Consent.

Patients need to consent to the treatment they receive. For patients to provide informed consent, they must understand the potential risks of a potential course of treatment. To the extent that telehealth care could create risks, patients should understand the potential challenges and shortcomings if care is provided via telehealth technology. A number of states require consent to receive care by telehealth in addition to the general informed consent requirements.

6. Stay up to Date on Prescribing Laws.

The PHE also brought relaxed requirements for prescribing controlled substances. The Drug Enforcement Administration (DEA) and the Substance Abuse and Mental Health Services Administration have extended these flexibilities until Nov. 11, 2023, and may extend them further in certain circumstances. On March 1, 2023, the DEA issued proposed rules dealing with telehealth prescribing that may bring about more changes. Consideration should also be given to state law restrictions when prescribing controlled substances via telehealth, as well as state and federal laws regarding prescribing legend drugs via telehealth.

7. Examine Evolving Standards of Care.

In the not-too-distant past, doctors practicing exclusively through audio and video feeds, with no in-person examination, was something out of science fiction. Today, it is commonplace for many types of ailments and healthcare needs. Even so, standards of care for physicians can vary from community to community. Telehealth practitioners need to ensure that the telehealth environment provides sufficient information to make an appropriate diagnosis. In addition, each state has different laws and regulations governing telehealth, including the technological requirements such as whether two-way video is required or if store-and-forward technology is sufficient. It is important to understand and comply with the telehealth requirements in each state in which a patient is located.

8. Remember to Make a Record.

Providing care to patients via telehealth still requires physicians and other practitioners to maintain medical records in accordance with their particular licensure requirements. Detailed recordkeeping is important to justify the care provided, comply with applicable laws and support the reimbursement received.

9. The Payment Party May Be Ending.

Lack of reimbursement for telehealth impeded its growth for many years. During the PHE, payers were willing to pay for telemedicine care. If health plans and insurers see costs rise as a result of increased accessibility to care offered by telehealth, they may start to limit reimbursement under certain circumstances or restrict payment by increasing the requirements to bill and collect for telehealth.

10. Stay on Top of Legal Developments.

The only thing certain about the future of telehealth is that it will continue to evolve. Laws and regulations develop much more slowly than technology evolves. Telehealth practitioners must continue to keep abreast of regulatory requirements on a federal basis and in all states into which they provide telehealth services and make sure that they have robust policies and procedures to help them remain in compliance.

Related Insights