Telehealth Policy 101

The majority of existing telehealth policy in the United States centers around reimbursement — that is, the specific services that are covered by Medicare on the federal level, and by Medicaid and private insurance companies on the state level. We know: it’s complicated.

Learn the basics

The majority of existing telehealth policy in the United States centers around reimbursement — that is, the specific services that are covered by Medicare on the federal level, and by Medicaid and private insurance companies on the state level. We know: it’s complicated. CCHP is dedicated to providing the clearest picture of telehealth policy across the nation.

An update on where we stand with temporary federal telehealth policies, issues to look out for this year on both the state and federal levels, and what could possibly happen with telehealth in the first full year after the COVID-19 pandemic.

Watch all our policy explainers>

How to
approach
telehealth policy

Because so much of policy is based on reimbursement, an easy way to understand how it’s structured is through four questions:

  1. What specific services are eligible for reimbursement?
  2. Who can be reimbursed — for example, physicians, therapists, nurses?
  3. Where can the patient be when receiving services?
  4. How is the service being delivered — as in, which modality?

Different federal and state agencies can answer those questions in different ways, and no two states define or regulate telehealth the same way.


For example, one Medicaid program may only reimburse for live video (How) that delivers telemental or telebehavioral health services (What), while another Medicaid program reimburses all medically necessary telemedicine services (What) to any licensed provider who is enrolled with Medicaid (Who).

We regularly update every state’s current laws and regulations in our Policy Finder.

Look up a state >


It can also be helpful to understand federal Medicare policy as a baseline, as it often has a trickle-down effect to other payers.

Look up current federal policies >

A deeper dive into
telehealth policy

Telehealth policy intersects with or is impacted by a multitude of government programs, regulations, laws, and policies related to health. Let’s take a closer look at the most common and influential.

Medicare

Medicare is the federal health insurance program for people 65 or older, people with certain disabilities under 65, and people with end stage renal disease. Medicare will reimburse for a limited set of telehealth delivered services if certain parameters are met. The program is administered by the Center for Medicare and Medicaid Services (CMS).

Medicare telehealth policies during COVID-19 Continuing Until December 31, 2024

Following is a description of Medicare telehealth permanent policy — but please note that currently telehealth reimbursement within Medicare is more expansive as a result of the COVID-19 pandemic and continuation of flexibilities under the Consolidated Appropriations Act, 2023 until December 31, 2024. CMS reimbursement policies reflecting these flexibilities is available in CCHP’s Billing for Telehealth Encounters: An introductory guide on fee-for-service.  Additional updates and modifications made for Calendar Year 2024 through the Physician Fee Schedule is also available through the following resources:

Reimbursement

Medicare reimburses only for specific services when they are delivered via live video. Store-and-forward delivered services are prohibited, except for CMS telehealth demonstration programs in Alaska and Hawaii. 

(Medicare does reimburse for certain other kinds of services that are furnished remotely using communications technology but are not considered Medicare “telehealth services.” To learn more about those, jump here.)

Telehealth Services

The specific telehealth-delivered services eligible for reimbursement under Medicare are identified by Current Procedural Terminology (CPT) or Healthcare Common Procedure Coding System (HCPCS) codes. Each year, the US Department of Health and Human Services considers submissions for new telehealth-delivered services to be approved. Submissions are allowed from providers, advocacy organizations, and other interested parties.

In their 2024 Final Physician Fee Schedule, CMS announced that in CY 2025 they will move from a Category 1, 2 and 3 classification system to a binary ‘permanent’ or ‘provisional’ classification in an attempt to simplify the process.  In order to make the steps for getting a code accepted for inclusion in either the permanent or provisional telehealth lists more transparent, CMS outlines a five-step process.  CMS’ website section on requesting additional codes, describes the main elements required in submission requests as the following:

  • Name(s), address(es) and contact information of the requestor.
  • The HCPCS code(s) that describes the service(s) proposed for addition or deletion to the list of Medicare telehealth services.
  • A description of the type(s) of medical professional(s) providing the telehealth service at the distant site.
  • A detailed discussion of the reasons the proposed service should be added to the definition of Medicare telehealth.
  • An explanation as to why the requested service cannot be billed under the current scope of telehealth services, for example, the reason why the HCPCS codes currently on the list of Medicare telehealth services would not be appropriate for billing the service requested.
  • Evidence that supports adding the service(s) to the list on either a category 1 or category 2 basis (see further description of these categories below).

The new system will already apply to code submissions received for consideration for CY 2025 (which are being accepted through February 10, 2024).

CMS maintains a list of current CPT codes eligible for Medicare reimbursement for calendar year (CY) 2024, including those that can be delivered via the audio-only modality. For more information on changes made for CY 2024, see CMS’ calendar year final physician fee schedule or CCHP’s factasheet on the CY 2024 final physician fee schedule. Newly approved services typically become eligible for reimbursement on January 1 of the following year.

Eligible providers

Medicare limits the types of health care professionals who can provide telehealth-delivered services. The small group of eligible professionals are:

  • Physicians
  • Nurse practitioners
  • Physician assistants
  • Nurse midwives;
  • Clinical nurse specialists
  • Certified registered nurse anesthetists
  • Clinical psychologists and clinical social workers (these professionals cannot bill for psychotherapy services that include medical evaluation and management services)
  • Registered dietitians or nutrition professionals.
  • Marriage and family therapists and mental health counselors (newly eligible in CY 2024)

Geographic location

The patient’s location at the time services are received via telehealth is known as the “originating site.” Medicare treats telehealth almost exclusively as a tool for rural areas, and has narrowly restricted the geographic areas that are eligible to use telehealth. The originating site must be in a Health Professional Shortage Area (HPSA) as defined by Health Resources and Services Administration (HRSA), or in a county that is outside of any Metropolitan Statistical Area (MSA) as defined by the US Census Bureau. Some argue against this restriction because many underserved areas are still barred from receiving telehealth-delivered services, and those that are eligible may not have an adequate population base to maintain a telehealth network.

In 2019, there were some exceptions made from both the geographic and originating site requirements for the end stage renal disease (ESRD) services, treatment of acute stroke and treatment of substance use disorder and co-occurring mental health conditions. Additionally, the Consolidated Appropriations of 2021, which passed in December 2020, also provided an exception for mental health patients. Those exceptions are outlined in a subsequent section. 

Effective as of January 2014, CMS redefined rural HPSAs as areas located in rural census tracts as determined by the office of Rural Health Policy (ORHP). This allows eligible facilities located in rural census tracts that are within an MSA to be eligible telehealth originating sites. HRSA also maintains a Medicare telehealth payment eligibility search tool, where eligibility of an originating site may be checked.

Eligible facilities

In addition to the rural restriction, Medicare limits the originating sites (where the patient is located) eligible for telehealth-delivered services to the following facilities:

  • Provider offices
  • Hospitals
  • Critical access hospitals
  • Rural health clinics
  • Federally qualified health centers
  • Skilled nursing facilities
  • Community mental health centers
  • Hospital-based or critical access hospital-based renal dialysis centers
  • Rural emergency hospitals (new designation for 2023)

Note that there are certain exceptions to the facility requirement in the case of end stage renal disease (ESRD) services, treatment of mental health disorder, acute stroke and treatment of substance use disorder and co-occurring mental health conditions. These exceptions are outlined in the section below.

Exceptions from geographic and facility restrictions

Effective as of January 2019, CMS finalized their regulations to reflect required changes in telehealth reimbursements made by the Bipartisan Budget Act of 2018. These changes specifically relate to end stage renal disease (ESRD) services and the treatment of acute stroke.  

  • End Stage Renal Disease: For ESRD services, renal dialysis facilities and the home now qualify as eligible originating sites. If the site is the home, an in-person visit is required once a month for the first three months and once every three months thereafter. Additionally, the geographic limitation would not apply to these new sites or hospital-based or CAH-based renal dialysis centers for the treatment of ESRD. There would be no facility fee if the home were the originating site.
  • Acute Stroke Treatment: For the treatment of acute stroke, a mobile stroke unit along with any currently eligible originating site is eligible for telehealth reimbursement. The Secretary has the ability to designate additional sites, but has not done so at this time. Additionally, the geographic limitation would not apply for the treatment of acute stroke in any of the eligible originating sites (including mobile stroke units). However, originating sites that would not otherwise qualify for telehealth reimbursement (under Medicare’s geographic and originating site requirements) would not be eligible for the facility fee.
  • Treating Individuals with Substance Use Disorders (SUDs) or co-occurring mental health disorders: The 2018 SUPPORT for Patient and Communities Act required CMS to adjust their reimbursement policy of telehealth for treating individuals with SUDs or a co-occurring mental health disorder. Specifically, it removed the originating site geographic requirements for telehealth services on or after July 1, 2019 for any existing Medicare telehealth originating site (except for a renal dialysis facility). Additionally, the home was made an eligible originating site for purposes of treating these individuals, however the home would not qualify for the facility fee.

    The normal telehealth service code limitations still apply for services rendered under this exception. Practitioners would also be responsible for assessing whether individuals have a SUD diagnosis and whether it would be clinically appropriate to furnish the telehealth services for the treatment.
  • Diagnosis, Evaluation or Treatment of Mental Health Disorder once COVID-19 flexibilities ends: Due to the passage of the Consolidated Appropriations Act of 2021, eligible individuals under Medicare will be able to utilize telehealth for purposes of diagnosis, treatment or evaluation of mental health disorders without the geographic restrictions. This new rule will become permanent after the COVID flexibilities end, currently expected to fall on Jan. 1, 2025. This new law also permits beneficiaries to receive telehealth services from their home for purposes of mental health diagnosis, treatment or evaluation (in addition to substance use disorder treatment, which was previously allowed).

There are important stipulations regarding the scope of eligible tele-mental health services. Specifically, eligible patients must have an existing in-person relationship with a provider, as defined by 1 in-person visit with the provider within a 6-month period prior to the telehealth encounter and subsequent periods as determined by the Secretary. CMS has since stated that the subsequent visit requirement can be met by an in-person visit once every twelve months, or can be waived if the patient and practitioner agree that the benefits of an in-person, non-telehealth service are outweighed by the risks and burdens associated with the in-person service and the basis for that decision is documented in the patient’s record.  However, as written, the bill’s language appears to require the in-person visit regardless of where the patient is located (e.g., home, clinic, doctor’s office) if that location is newly-eligible under the provision (e.g., a doctor’s office in an urban area). This in-person requirement would not apply to any location that is eligible under the previous rules (e.g., eligible originating sites in rural areas).

Payment for communication technology-based services (CTBS)

Beginning in January, 2019, CMS reimburses for certain kinds of services furnished remotely using communications technology that are not considered “Medicare telehealth services.” Medicare has labeled these services communication technology-based services, or CTBS. Because they are not defined specifically as telehealth, the limitations and restrictions outlined previously applicable to telehealth would not apply. These services include the following categories:

  • Brief communication technology-based service (or “virtual check-ins”): A brief, non-face-to-face check-in with an established patient via communication technology to assess whether or not an office visit or other service is necessary. This service is only available to practitioners who furnish E/M services, and could take place via live video or telephone call.
  • Remote evaluation of pre-recorded patient information: Remote professional evaluation of patient-transmitted information conducted via pre-recorded video or image technology to determine whether or not an office visit or other service is necessary. This would only be available for established patients.
  • Interprofessional internet consultation: Interprofessional internet consultations between professionals performed via communications technology. This service is limited to practitioners that can independently bill Medicare for E/M visits. This could take the form of either a telephone call or a live or asynchronous internet consultation. Both the consulting and treating provider could be reimbursed for this service.
  • Online Digital/Medical Evaluations (E-Visit): Allows a patient to communicate with a provider through an online patient portal. 

In the 2021 Physician Fee Schedule, CMS clarified that clinical social workers, clinical psychologists, physical therapists, occupational therapists, and speech language pathologists can furnish brief online assessment and management services, virtual check-ins and remote evaluation.

There are other restrictions for when and how these services can be provided. For instance, when the brief communication technology-based service or remote evaluation of pre-recorded patient information originates from a related E/M service provided within the previous 7 days by the same physician or other qualified health care professional, the service would be considered bundled into the previous E/M service and would not be separately billable. 

Likewise, if the service leads to an E/M in-person service with the same provider within 24 hours or the next available appointment it would also be bundled into the pre-visit time. CMS is requiring verbal consent be obtained from the patient for all three of these services, in order to ensure they are aware of any costs they may incur from these services.

How does the remote communication technology services apply to FQHCs and RHCs?

CMS will allow RHCs and FQHCs to receive payment for brief communication technology-based services or remote evaluation of pre-recorded patient information services when at least 5 minutes of communications-based technology or remote evaluation services are furnished by an RHC or FQHC practitioner to a patient that has been seen in the RHC or FQHC within the previous year. They also have waived the RHC and FQHC face-to-face requirements for these services. RHCs and FQHCs, however, are not eligible to receive reimbursement for interprofessional internet consultations. For further details, see CCHP’s factsheet on the impact of Medicare’s CY 2019 changes on FQHC/RHCs.

Audio-only services

Although certain codes are designated as allowing audio-only delivery under the COVID flexibilities until Dec. 31, 2024, afterward, reimbursement will be more limited.  CMS will continue to allow audio-only reimbursement, but only for mental health disorder and under specific conditions.  These stipulations mandate an in-person visit within six months prior to the initial telehealth appointment, followed by another in-person consultation within 12 months, although this requirement may be waived in certain situations (see previous discussion of this topic).

Additional FQHC/RHC Exceptions

In the 2022 Physician Fee Schedule, CMS redefined the definition of a mental health visit for FQHCs/RHCs. In the new definition, mental health services provided by an FQHC/RHC will also include those that use live video or audio-only. This redefinition, in CMS’ eyes, does not mean FQHCs/RHCs are providing services via telehealth. By definition they are only providing a mental health service but due to the definition, the means of providing that service may now be via live video or audio-only. This will also mean that the FQHC/RHC will receive their typical rate for these services. Certain requirements in the use of audio-only would need to be met to qualify. This policy was delayed until January 1, 2025 due to the extension of the COVID-19 flexibilities.

Chronic care management and remote monitoring

In January 2015, CMS created a new chronic care management (CCM) code, which provides for non-face-to-face consultation. Since then, CMS has released several instructional documents on billing the CCM codes, added reimbursement for complex CCM as well as two add-on codes. FQHCs and RHCs are allowed to bill for CCM. In subsequent years, reimbursement has also been added for primary care management (PCM) and transitional care management (TCM).

Additionally, in the final calendar year 2018 Physician Fee Schedule, CMS unbundled code 99091 allowing providers to get reimbursed separately for time spent on collection and interpretation of health data generated remotely. As is the case with CTBS, by not defining these codes as a “telehealth” service, these services are not subject to the restrictions other telehealth services currently face, such as geographic and location limitations and prohibitions on the use of asynchronous technology in most cases. In the finalized CY 2019 Physician Fee Schedule, CMS added three additional remote physiological codes in order to align with those created by the CPT Editorial Panel. For more information, see CMS’ CY 2019 Physician Fee Schedule, and other resources on the chronic care management codes.

Medicare advantage, APMS, and ACOS

Medicare does offer some exceptions to its geographic and originating site requirements through special programs, including the Next Generation ACO; Shared Savings Program; Episode Payment Models; and Comprehensive Care for Joint Replacement Models. Beginning in 2020, all Medicare two-sided ACOs (including those in the Shared Savings Program) are able to be reimbursed for telehealth delivered services to the home and be exempt from Medicare’s geographic requirement.

Under the Bipartisan Budget Act of 2018, Medicare Advantage (MA) plans are able to (although not required to) offer additional telehealth benefits, without the geographic, site and services restrictions currently imposed by Medicare applying. The list of eligible providers of telehealth services still apply to MA as do state requirements specific to telehealth (for example, if a state requires informed consent prior to a telehealth interaction).

Medicaid & State Policy

Established by legislation in 1965, Medicaid is a medical assistance entitlement program for low-income families. Medicaid is America’s largest medical and health-related funding source for the poor. 

Though the program is jointly funded by federal and state governments, the federal government allows each state to set many features for their programs, including how to structure and adminitier Medicaid telehealth policy. States may reimburse for telehealth under Medicaid so long as the service satisfies federal requirements of efficiency, economy, and quality of care. States are not required to submit a state plan amendment (SPA) when deciding to reimburse for services delivered via telehealth if they are reimbursed the same way/amount as services delivered via face-to-face.

Fifty states, fifty approaches

No two states approach telehealth the same way. Much of CCHP’s work is dedicated to identifying how different Medicaid programs define telehealth, and cataloging the ways those varying definitions influence policies and regulation. Look up states >

Fall 2023 highlights

CCHP’s most recent fifty-state survey of state telehealth laws and Medicaid program policies was completed in Fall 2023. Note that historically, CCHP has provided these bi-annual summary reports in the Spring and Fall each year to provide a snapshot of the progress made in the past six months.  Moving forward, the summary report will transition to being released once per year in the Fall only, with three separate rounds of updates being made to each jurisdiction in the Policy Finder per year.

Key findings include:

  • Fifty states and Washington DC provide reimbursement for some form of live video in Medicaid fee-for-service. Both the jurisdictions of Puerto Rico and Virgin Islands do not explicitly indicate they reimburse for live video in their permanent Medicaid policies.
  • Thirty-three state Medicaid programs reimburse for store-and-forward. Florida, Montana, North Dakota, South Carolina and Utah are the states which added reimbursement for store and forward, although each in a limited capacity, and some only through specific communication technology-based service (CTBS) codes since the Spring update.
  • Thirty-seven state Medicaid programs provide reimbursement for remote patient monitoring (RPM). Three states, (Florida, Idaho, and Iowa) added reimbursement for RPM since Spring 2023.
  • Forty-three states and DC Medicaid programs reimburse for audio-only telephone in some capacity; however, often with limitations. Seven states including Alabama, Idaho, Kansas, Montana, Nebraska, Oklahoma, and Vermont added reimbursement for audio-only telehealth in some capacity since Spring 2023.
  • Twenty-five state Medicaid programs including Alaska, Arizona, California, Hawaii, Illinois, Iowa, Kentucky, Maine, Massachusetts, Maryland, Michigan, Minnesota, Missouri, New York, North Carolina, North Dakota, Ohio, Oregon, South Carolina, Texas, Utah, Vermont, Virginia, Washington, and Wisconsin reimburse for all four modalities (live video, store-and-forward, remote patient monitoring and audio-only), although certain limitations may apply.
  • Forty-three states, the District of Columbia and Virgin Islands have a private payer law that addresses telehealth reimbursement. Not all of these laws require reimbursement or payment parity. Twenty-four states have explicit payment parity. No new states have added a private payer law since Spring 2023, though a few states have made modifications to private payer law requirements.

You can get the easy-to-read fact sheet summarizing additional recent findings here.

Telehealth and private payers

Many private payer insurance plans do reimburse for telehealth-delivered services; however, federal law does not require these payers to provide coverage for any type of telehealth-delivered service. Some states have passed their own private payer laws, affecting private payer plans that operate in those states. Currently, forty-three states and DC have some private payer-related reimbursement laws. Some states mandate some sort of reimbursement, while others mandate reimbursement at the same level as in-person care under certain conditions.

Regulations governing telehealth also vary across states, with limitations on cross-state licensing of health professionals being the most restrictive. Additionally, state health professional boards are releasing special telehealth standards for practitioners in their state. 

Pending telehealth legislation

Each year, new federal and state legislation is introduced to address some of the barriers to telehealth use. On the state level, 170 telehealth-related bills were enacted in the 2023 legislative session, the majority of which addressed reimbursement in Medicaid programs and/or among private payers, established telehealth professional board standards (including those related to prescribing and consent), and addressed cross state licensing. Some legislation also sought to establish telehealth pilot programs to test the efficacy and/or cost effectiveness of telehealth in public programs.  Look up pending legislation >

Connectivity & Net Neutrality

Connectivity has always been a significant issue for telehealth. Without robust connectivity, telehealth would not be able to operate effectively and to its fullest capacity. COVID-19 made more apparent the significant impacts lack of connectivity can have on access to health services. A part of this discussion is lack of net neutrality as it could disrupt consumer access to telehealth-delivered services.

Under net neutrality, internet service providers would not intentionally slow down, block or charge more for access to specific websites or content; essentially everyone and everything is treated equal. Net neutrality is an issue in telehealth discussions because without a robust connection, telehealth would not work. There is debate that should net neutrality cease to exist, it could disrupt the use and growth of telehealth as connectivity may prove to be too costly for clinics, providers and consumers to access. However, others have argued that telehealth could benefit greatly if it was given priority status.

The Federal Communications Commission (FCC) adopted net neutrality principles in 2005. These principles were challenged in a lawsuit by Verizon and were struck down in January 2014. However, the ruling left it open for the FCC to decide on the next steps on net neutrality.

In May 2014, the FCC introduced proposals for net neutrality rules. The rules were passed on February 26, 2015 as the Open Internet Order. The rules were challenged in court but the DC Circuit Court of Appeals, the same court that ruled the 2014 case, upheld the FCC’s rules in June 2016.

In 2017, under the Trump administration, the Open Internet Order was rolled back.  The latest development occurred on October 19, 2023 when the FCC voted to go forward with re-establishing the rules.  As a result, the FCC issued a Notice of Proposed Rulemaking (NPRM) proposing the reclassification of broadband internet access service (BIAS) as a telecommunications service under Title II of the Communications Act. This move aims to reinstate the FCC’s authority over BIAS, providing a national regulatory approach to safeguard the open internet, enhance national security, and protect public safety.  In the notice, the FCC highlights the increased importance of BIAS, especially during the COVID-19 pandemic, and emphasizes the necessity of reviewing its classification to fulfill policy objectives and protect consumers’ privacy, data security, and access to BIAS. The FCC seeks public input on the proposed framework, its implications, and its impact on small businesses and entities.  After reviewing comments, the FCC is expected to finalize the rule in 2024.

Artificial Intelligence

Federal regulators have recently taken an interest in regulating Artificial intelligence.  For example, in October 2023, President Biden issued an executive order establishing new standards for AI safety and security.  Then in November 2023, a groundbreaking hearing was conducted by the House Energy and Commerce (E&C) Health Subcommittee to examine the role of artificial intelligence (AI) in healthcare. This session marked the first of its kind within the House E&C, setting a precedent for future discussions on AI in the healthcare sector.  The need for a cautious and considered approach to implementing AI in healthcare is a focal point for lawmakers.  They point out the inadequacies of existing regulations like HIPAA in the context of AI, emphasizing the necessity of addressing the use and sale of health-related data by third parties.  Other recent actions by federal lawmakers related to AI include:

  • Office of the National Coordinator for Health IT Final Rule:  The rule will require more transparency about AI used in clinical settings by requiring software developers to provide more data to customers with the aim of allowing providers to determine whether AI is fair, appropriate, valid, effective and safe.
  • OMB Guidelines Following Executive Order on AI: The Office of Management and Budget (OMB) has issued preliminary guidelines to federal agencies. These are in line with President Biden’s Executive Order on AI and focus on increasing AI expertise and transparency across federal agencies.
  • CISA’s AI Roadmap: The Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) has developed a Roadmap for AI, providing strategic direction for AI initiatives.
  • CRS Report on AI: The Congressional Research Service (CRS) has produced a comprehensive report detailing the use, safety, security, and oversight of AI in biological sciences.
  • Senate HELP Subcommittee Hearing on AI: The Senate Health, Education, Labor, and Pensions (HELP) Subcommittee conducted a hearing to explore the potential benefits and risks associated with AI in healthcare.

This continues to be a developing area in health care policy and we anticipate that there will be more activity in this realm in the coming years.

Credentialing & Privileging

Telehealth providers, despite not being physically located at the hospital they are providing services to, must also go through the credentialing and privileging process for that distantly located institution. To credential and privilege a physician can be a lengthy and expensive process, utilizing a good amount of resources. 

Before a practitioner may provide services in a hospital, he or she must have their qualifications evaluated and verified. This process, known as credentialing, ensures an individual possesses the necessary qualifications to provide medical services to patients. Once a practitioner is credentialed, the hospital engages in the privileging process, which will assess the practitioner’s competence in a specific area of care.

Telehealth providers, despite not being physically located at the hospital they are providing services to, must also go through the credentialing and privileging process for that distantly located institution. To credential and privilege a physician can be a lengthy and expensive process, utilizing a good amount of resources. However, hospitals that have limited access to specialists need to contract with practitioners in other locations to provide virtual care to their patients. The alternative is that their patients have to travel to receive that care or go without. Telehealth has helped these institutions provide such services while allowing a patient to remain in his or her community. In the past, hospitals relied on “privileging by proxy” standards that The Joint Commission (TJC), a hospital accrediting organization, have utilized to make the credentialing and privileging process less burdensome on facilities utilizing telehealth. The process allowed the hospital receiving services to accept the distant site (where the telehealth provider is located) hospital’s credentialing and privileging decisions. It cut down on time, duplicative work and expense.

The Centers for Medicare & Medicaid Services (CMS) identified TJC’s privileging by proxy standards as being in conflict with their Medicare Conditions of Participation (CoPs). In order to participate in and receive reimbursement from the Medicare or Medicaid programs, a hospital must be certified as complying with the Medicare CoPs. Therefore, TJC’s process was rendered invalid. This created a difficult situation for many hospitals, particularly small and rural entities who could not afford to hire exclusively on-site specialists to service their communities’ needs.

To resolve this conflict while still maintaining safeguards on quality and safety, CMS approved regulations in July 2011 that would allow hospitals (and other health care organizations) to use a similar credentialing-by-proxy process that the TJC had once utilized. TJC followed suit with similar standards that were approved in December 2011.

The approved process is optional for hospitals to use. Should an institution chose, it may still go through the complete credentialing and privileging process of verifying a practitioner’s qualifications. However, if a hospital wished to utilize the credentialing by proxy process, certain requirements must be met:

  • There must be a written agreement between the two parties;
  • The distant-site hospital is a Medicare-participating hospital or telemedicine entity;
  • The telehealth provider is privileged at the distant-site hospital;
  • A current list of the telehealth provider’s privileges is given to the originating-site hospital;
  • The telehealth provider holds a license issued or is recognized by the state in which the originating-site hospital is located;
  • The originating-site hospital has an internal review of the telehealth provider’s performance and provides this information to the distant-site hospital;
  • The originating-site hospital must inform the distant-site hospital of all adverse events and complaints regarding the services provided by the telehealth provider.

Hospitals do need to ensure that their bylaws meet the requirements of this process. Some organizations may find meeting these necessary requirements prohibitive in time and resources and choose not to utilize this optional process.

The applicable CMS regulations are:

TJC applicable standards:

  • Standard LD 04.03.09 — Care, treatment, and services provided through contractual agreement are provided safely and effectively.
  • Standard MS. 13.01.01 — For originating sites only: Licensed independent practitioners who are responsible for the care, treatment, and services of the patient via telemedicine link are subject to the credentialing and privileging processes of the originating site.
Cross State Licensing & Compacts

The introduction of technology-enabled health care over secure, high-speed broadband connections has made it possible for consultations to occur over distances. While this can contribute significantly to improving access to care, professionally licensed providers in most cases are limited to practicing in the state(s) where they are licensed.

Typically, during a telehealth encounter the originating site (the location of the patient) is considered the “place of service”, and the distant site provider must adhere to the licensing rules and regulations of the state in which the patient is located, even if the distant site provider is not a resident of the patient’s state. The policies governing telehealth and physician licensure vary widely across the country. Some states provide exceptions to allow for cross-border delivery of health care in limited circumstances, while others ban it entirely.

Many telehealth proponents have cited licensing as one of the most significant barriers to the ubiquitous use of telehealth. Currently, medical licensing falls under the purview of each state, leading to the need to secure individual state licenses for multi-state practices. This endeavor can not only be time consuming, but expensive. Providers may find themselves limiting their potential practice areas to a few states, possibly furthering unequal distribution of expertise in the nation.

Current Activities Related to the Cross-State Licensure Barrier

Federal Legislation: State licensing requirements have been identified as a key policy barrier in telehealth. Over the years, several pieces of federal legislation have been introduced to address this. Some legislation attempted to re-define the “place of service” from the originating site (site of the patient) to the distant site (site of provider delivering care). This would resolve the licensing barrier because a provider would then only need to be licensed in the state in which they are physically located in, as opposed to the state of the patient. However, none of these bills have successfully made it through the legislative process and into law.  Additionally, current cross-state licensing structures are beginning to be challenged in court.  For example, in December 2023 a New Jersey lawsuit is claiming that mandating of out of state telehealth providers to maintain a New Jersey medical license is burdensome and limits patients’ access to care.

Veterans Administration: In 2018, the Department of Veterans Affairs published its final rule to expand the ability of telehealth to more evenly distribute VA providers across regions by preempting state licensing requirements. Under the final regulation, VA health care providers may provide telehealth services, within their scope of practice to VA beneficiaries, irrespective of the State or location within a State where the health care provider or the beneficiary is physically located. The rule does not apply to VA contractors.

State-by-State Licensing Barriers: Following the end of COVID-19 emergency related temporary allowances to practices across state lines, some states have slowly developed alternatives to full licensure for out-of-state telehealth providers.  The majority of licensing exceptions or telehealth registrations still often require certain criteria be met, and sometimes still requires submission of an application and a fee.

CCHP tracks cross state licensing exceptions related specifically to telehealth via our policy finder’s cross state licensing section.

Interstate Compacts: In order to ease the burden of cross-state licensing, some professions have created interstate licensing compacts to make it simpler for professionals to practice across state lines. For a state to participate in a compact, they would need to enact standard legislative language that sets out the ground rules for the Compact. Each compact has its own rules and regulations. There are currently eleven compacts that CCHP is tracking:

  • Nurse Licensure Compact (NLC): Allows nurses to have one license viable in other compact member states, allowing for a nurse to practice in both
  • Interstate Medical Licensure Compact: This particular Compact creates an expedited medical licensure process with the goal of allowing physicians to become licensed in multiple states more easily, while protecting patient safety.
  • The Physical Therapy Compact: Under the Compact, a physical therapist or physical therapist assistant needs to obtain a “Compact Privilege” (the authorization to work in a Compact member state other than the PT or PTA’s home state) in each member state.
  • The Psychology Interjurisdictional Compact (PSYPACT): Gives psychologists in PSYPACT member states the authority to practice interjurisdictional telepsychology in other PSYPACT states.
  • The Recognition of EMS Personnel Licensure Interstate CompAct (REPLICA): A multi-state compact that extends a privilege for EMS personnel to practice on a short-term, intermittent basis in another member state under certain circumstances.
  • Audiology and Speech-Language Pathology Interstate Compact (ASLP-IC): Authorizes both telehealth and in-person practice across state lines in ASLP-IC states for audiologists and speech-language pathologists.
  • Occupational Therapy Licensure Compact: Allows licensed occupational therapists and occupational therapy assistants to practice across state lines.
  • APRN Compact: Allows an advanced practice registered nurse to hold one multistate license with a privilege to practice in other compact states. (Not yet adopted by enough states to be active.)
  • Counseling Compact: Allows counselors to apply for a privilege to practice in other Compact states beginning in 2024.
  • Social Work Compact: Provides a licensure pathway for social workers to practice in other member states. (Not yet adopted by enough states to be active.)
  • Physician Assistant Compact: An interstate occupational licensure compact for physician assistants. States joining the compact agree to recognize a valid, unencumbered license issued by another compact member state via a compact privilege. (Not yet adopted by enough states to be active.)

There are additional Compacts also in development including for Licensed Marriage and Family Therapists.

Federal Trade Commission: The Federal Trade Commission has also shown interest in examining whether the restrictions on telehealth providers by state licensing boards are anti-competitive. See this section on the Federal Trade Commission website for more information.

Health Information Technology

HIT is used by health care providers to manage patient care and population health through using and sharing health information in a secure system. Electronic health records (EHRs) are included under the umbrella of HIT.

EHRs automate access to information and have the potential to streamline clinician workflow and support other care-related activities, such as evidence-based decision support, quality management and outcomes reporting. The Office of the National Coordinator for Health Information Technology (ONC) leads the Administration’s HIT efforts.

Some common elements of Health Information Technology (HIT) include:

Electronic Health Records (EHRs): The Health Information Technology for Economic and Clinical Health Act (HITECH) provided the U.S. Department of Health and Human Services (HHS) with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records (EHRs) and a private and secure electronic health information exchange.

Additionally, the act worked to update and strengthen existing laws and HIPAA privacy protections to facilitate the secure movement of appropriate information through the health care system.

Under HITECH, eligible health care professionals and hospitals could qualify for Medicare and Medicaid incentive payments when they adopt certified EHR technology and use it to achieve specific objectives. If providers could show they have met a set of criteria, i.e., achieved “meaningful use,” they will receive incentive payments. Providers receiving Medicaid payments had until 2016 to achieve meaningful use or face penalties. Standards for structured data that EHRs must use to qualify for the incentive program were established by CMS and ONC. Providers must use a certified EHR to receive the incentive payment.

An EHR is an electronic version of a patient’s medical history. The EHR may include demographics, progress notes, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates access to information and has the potential to streamline the clinician’s workflow. The EHR also has the ability to support other care-related activities directly or indirectly through various interfaces, including evidence-based decision support, quality management and outcomes reporting.

Meaningful Use: Meaningful use is a set of specific objectives which eligible professionals and hospitals must achieve to qualify for the Centers for Medicare & Medicaid Services (CMS) incentive payments for electronic health records (EHRs). CMS issued specific qualifications that if met will allow providers to show they have achieved “meaningful use.” Each defined stage of achievement has a different focus that typically builds upon what was achieved in the previous stage. Failure to show “meaningful use” results in a reduction in Medicare reimbursement. Penalties began in 2015.

The three stages involved span over five years with a specific focus for each stage:

  • Stage 1 (2011-2012) Data Capture and Sharing
  • Stage 2 (2016) Advance Clinical Processes
  • Stage 3 (2017) Improved Outcomes

In 2018 CMS renamed the program the Promoting Interoperability Program and required reporting on Quality Payment Program (QPP) requirements. The shift moved the program beyond meaningful use into a new phase with an increased focus on interoperability and improving patient access to health information. The program objectives include:

  • Immunization Registry Reporting
  • Syndromic Surveillance Reporting
  • Electronic Case Reporting
  • Public Health Registries Reporting
  • Clinical Data Registries Reporting
  • Electronic Reportable Laboratory Test Reporting (for Hospitals only)

Office of National Coordinator:  In April 2023, the ONC proposed additional rules to advance interoperability, enhance health IT certification and reduce burden and costs.  Keep up to date on ONC regulatory Activities on their webpage.

mHealth Laws & Regulations: Mobile health, or mHealth, is a rapidly evolving aspect of technology-enabled health care.

Smart phones and portable monitoring sensors that transmit information to providers, as well as dedicated application software (apps) which are downloaded onto devices, are used in mHealth. Given its recent emergence into the telehealth field, policies governing the use of this technology are continually being shaped.

The Food and Drug Administration (FDA), the Federal Trade Commission (FTC), and the Federal Communication Commission (FCC) all share jurisdiction over some part of the federal regulation of mHealth.

Food and Drug Administration: The FDA has the responsibility of regulating equipment or software intended for use in the diagnosis or treatment of a disease or other condition. With passage of the Food and Drug Administration Safety and Innovation Act in 2012, the FDA was given approval to go forward with its regulatory work on medical apps.

If a device is classified as a medical device, FDA requires registration and listing, premarket notification and/or approval, good manufacturing practices, and post-market surveillance. FDA also regulates the software used in telehealth systems. The FDA does make a distinction and provides guidance on distinguishing what is considered a medical device and what is not.

In February 2015, the FDA issued guidance to provide clarity for mobile medical app manufacturers and other interested parties, which stated the FDA’s intent to exercise enforcement discretion on mobile medical apps that pose a low risk to patients’ safety. Additionally, in February 2015, the FDA also issued guidance stating that it would practice enforcement discretion on medical device data systems (MDDS) devices. MDDS is a device that is intended to transfer, store, convert or display medical device data without controlling or altering the functions or parameters of any connected medical devices. An MDDS may include software, electronic or electrical hardware, modems, interfaces, and a communications portal.

Notably, this definition does not include devices intended to be used in connection with active patient monitoring. For more information, see CCHP’s factsheet on the MDDS and Mobile App guidance.

Federal Trade Commission:  The FTC protects consumers from unfair or deceptive acts or practices as well as false or misleading claims. Where mHealth is concerned, it has focused on the claims companies have made about the effectiveness of their devices or apps. The FTC also has jurisdiction over health data breaches when the entities involved are not HIPAA-covered entities. The FTC has already been active, taking enforcement action against several mobile health app marketers that have not met the requirements of the FTC. The FTC collaborates closely with both the FDA and FCC on areas where there is jurisdictional overlap. In the wake of the COVID-19 public health emergency, FTC staff have submitted a letter to the Centers for Medicare and Medicaid Services in support of its Interim Final Rule that reduces or eliminates restrictive Medicare payment requirements for telehealth during the pandemic.

Federal Communications Commission:  And finally, the FCC regulates devices that utilize electromagnetic spectrum, or broadcast devices. FCC regulates the device as a communications device, not as a medical device. With potential overlapping jurisdictions, the FCC and FDA entered into a Memorandum of Understanding, where they would collaborate with each other within the areas of their respective agencies.

In 2012, the FCC approved its mobile body area network (MBAN), which allocates an electromagnetic spectrum for personal medical devices. The allocated spectrum would be used to form a personal wireless network, within which data from numerous body sensors could be aggregated and transmitted in real time. This dedicated spectrum would allow for faster and more reliable transmission of information from patient monitoring devices to practitioner.

The rapid pace of development of this field and the wide range of applications available on the market today have also been the source of a number of legal and ethical questions regarding their use. Questions are being raised regarding privacy protection. With the vast amount of individual health data being generated by remote monitoring and mHealth devices, determining what are actionable health data, who monitors the data, and where it gets stored are challenges that we will need to address as the field evolves.

The FCC also administers the Healthcare Connect Fund, which directs up to $571 million annually from the Universal Service Fund toward supporting high-capacity broadband services, designed to bring the benefits of telehealth to areas of the country in acute need of those services. Additionally, in August 2018 the FCC advanced a proposal for a $100 million pilot fund supporting remote monitoring programs.  During the COVID-19 pandemic, Congress provided funding for what eventually would be called the Affordable Connectivity Program which provided assistance for internet to low—income households. However, permanent funding for the program has not been secured as of January 2024 and the program may be forced to wind down.

Online Prescribing

Online prescribing, or internet prescribing, refers to a provider prescribing a drug to a patient based upon an interaction that has taken place online. A concern with online prescribing is that the patient-provider relationship may be solely established by an online encounter and whether there should be a patient-provider relationship before a prescription can be written.

By having all interaction occur online, questions are raised regarding whether the provider has enough information to make an informed decision regarding treatment. Questions include whether adequate information of the patient’s health status and history has been obtained and confirmation that the patient is accurately representing himself or herself. In some states, a patient-provider relationship based solely on internet interactions or questionaires is prohibited.

Please note: E-Prescribing is the act of a provider sending a prescription electronically to a pharmacy, such as through an EHR, and should not be confused with online or internet prescribing.

The background on internet prescribing

In 2008, the Ryan Haight Online Pharmacy Consumer Protection Act was passed by Congress, which prohibits dispensing controlled substances via the Internet without a “valid prescription.”

For a prescription to be valid, it must be issued for a legitimate medical purpose in the usual course of professional practice, meaning that, with limited exceptions, a doctor must conduct at least one medical evaluation of the patient in person or via telemedicine.

The Act provides a definition for the “practice of telemedicine,” which would allow prescribing to take place even if there was no physical encounter if certain conditions are met. The practice of telemedicine is defined as the practice of medicine by a practitioner who is at a location remote from the patient and is communicating with the patient or health professional treating the patient via a telecommunication system so long as the patient “is being treated by, and physically located in, a hospital or clinic” or “while the patient is being treated by, and in the physical presence of, a practitioner.”

The Drug Enforcement Agency (DEA) is the federal agency responsible for enforcement of the Controlled Substance Act (CSA). Among its duties is overseeing the distribution of controlled substances over the Internet. The Ryan Haight Act of 2008 added to the CSA and placed under DEA jurisdiction controlled substances prescribed via telemedicine.

The onset of the opioid epidemic and potential for telehealth to be used to deliver aspects of Medication Assisted Therapy (MAT) (which combines behavioral therapy and medication to treat opioid use disorder) has sparked some recent interest and legislation aimed at relaxing rules on controlled substances, specifically for methadone and buprenorphine, both controlled substances that can be used in MAT to treat opioid use disorder. In the 2018 legislative session, HR 6, the Support for Patients and Communities Act was signed into law, which requires the Attorney General (AG) to promulgate final regulations to specify the limited circumstances in which a telemedicine special registration may be issued to prescribe controlled substances and the procedure for obtaining a special registration within a year of enactment. The AG was previously required to promulgate regulations related to the telemedicine special registration process under the Ryan Haight Act, but had no deadline as to when a final rule must be issued.

State law & prescribing

States maintain a large amount of control over internet prescribing. Whether a prescription can be issued based solely on an internet or online interaction can be impacted in several different ways. One of the primary considerations is whether an online consultation is adequate enough to establish a patient-provider relationship when one did not exist before. Until that relationship is established, a prescription sometimes cannot be made. Other requirements that states may place on online prescribing is the need for an in-person physical examination prior to writing a prescription. There are also certain restrictions that have been carved out for the use of telehealth to prescribe such as in cases of medical marijuana or prescriptions related to hearing and vision. CCHP provides overview information on this topic per state. 

Exceptions to in-person requirement due to COVID-19

The declaration of a public health emergency (PHE) triggered one of the exceptions in the Ryan Haight Act for telemedicine. The DEA stated that:

For as long as the Secretary’s designation of a public health emergency remains in effect, DEA- registered practitioners may issue prescriptions for controlled substances to patients for whom they have not conducted an in-person medical evaluation, provided all of the following conditions are met:

  • The prescription is issued for a legitimate medical purpose by a practitioner acting in the usual course of his/her professional practice
  • The telemedicine communication is conducted using an audio-visual, real-time, two-way interactive communication system.
  • The practitioner is acting in accordance with applicable Federal and State law.

Additionally, the DEA had issued a letter to its registrants stating that a practitioner may conduct an initial evaluation via the use of a telephone for purposes of prescribing buprenorphine (commonly used in medication assisted treatment to treat substance use disorder).

In anticipation of the end of the COVID-19 emergency (May 11, 2023), the DEA and HHS released proposed regulations on how they plan to regulate controlled substance in March 2023.  However, they received a massive amount of feedback on their proposal (which would significantly limit controlled substance prescribing absent an in-person visit).  Consequently, they didn’t have enough time to revise their rule before the PHE ended on May 11, so they initially issued a temporary rule extending COVID-19 PHE flexibilities until November 11, 2023, with a grace period until Nov. 11, 2024 for practitioner-patient relationships established via telemedicine during the COVID-19 PHE.  In October 2023, the DEA then further delayed implementation of their in-person requirements until after Dec. 31, 2024 for all practitioner-patient telemedicine relationships (not just established relationships) to allow further time to revise their rules and potentially release the ‘telemedicine registration’ regulations required under the Ryan Haight Act, and in the SUPPORT for Patients and Communities Act.

Links to the proposed and temporary rules are provided below:

 

 

 

Informed Consent

While Medicare does not require that an informed consent be obtained from a patient prior to a telehealth-delivered service taking place, a majority of states either require informed consent be obtained within their Medicaid program or in their statute or rules regulating healthcare professionals. 

This may be due to concerns over health information security or ensuring whether the patient fully understands what is to take place. In telehealth, informed consent is used to explain what telehealth is, lay out the expected benefits and possible risks associated with it to a patient, and explain security measures. It often requires a written form which needs to be signed by the patient and/or oral acknowledgement that is noted in the patient’s record.

In many cases, each state has varying informed consent requirements depending on a given profession. Sometimes laws are written in such a way that can be interpreted to mean a healthcare professional must obtain informed consent each and every time telehealth is used, while other laws only require informed consent for the first telehealth visit in a series of visits for the same condition. 

Typically, prior informed consent is reserved for invasive procedures and experimental studies, and not required when a patient is offered a choice in how they wish to receive services. Requiring a prior written or verbal informed consent for any telehealth consultation and treatment misrepresents telehealth as a different form of service, rather than as a useful tool that enhances diagnostic and treatment services.

Sample telehealth informed consent forms can often be accessed by contacting your regional Telehealth Resource Center.

FTC & Professional Licensure Boards

The Federal Trade Commission protects consumers from unfair or deceptive acts or practices as well as false or misleading claims. The FTC has taken several actions in recent years that indicates their increased interest in the manner in which telehealth is being regulated at the state level. 

In March 2016 the FTC sent comments in support of Alaska Senate Bill 74 (now enacted) which allows Alaska licensed physicians located out-of-state to provide telehealth services in the same manner as Alaska licensed in-state providers and allows certain Alaska licensed behavioral health professionals to provide services remotely. The FTC wrote that it believes the bill “would likely increase the supply of telehealth providers, enhance competition, and reduce health care costs, thereby benefiting Alaskans, especially underserved populations with limited access to health care.” 

The FTC also raised concerns in the letter over another aspect of the bill requiring that relevant professional boards adopt regulations establishing special standards of care for physicians and behavioral health practitioners who provide services remotely. The FTC writes, 

“A telehealth provider who has not made a physical examination is already subject to the state’s licensure requirements, including an obligation to meet the state’s existing standard of care. The development of additional ‘safeguards’ solely for telehealth providers might lead to the adoption of unnecessary restrictions that would only serve to restrict competition, and thereby undermine SB 74’s goal of enhancing access to telehealth services.” 

These comments in particular raise the question of whether the actions by many state professional boards to create standards associated with providing care via telehealth could be considered anti-competitive by the FTC.

Additionally, it was an FTC Supreme Court case that became the basis of the argument in a lawsuit in Texas involving the Texas Medical Board and the telehealth provider company, Teladoc (Teladoc, Inc. et al, v. Texas Medical Board). Teledoc alleged that the TX Medical board’s face-to-face consultation requirement illegally limited competition from telemedicine companies, citing the Supreme Court decision in North Carolina Board of Dental Examiners v. Federal Trade Commission (FTC) which ruled that medical boards comprised of private professionals (active market participants) are not exempt from federal anti-trust laws unless there is direct supervision by the state. In response to the case, the FTC released a report in October 2015 clarifying the meaning of an “active market participant” and “active supervision”. Then in Sept. 2016, the FTC, in conjunction with the US Department of Justice, filed an amicus brief urging the U.S. Court of Appeals for the 5th Circuit to reject a motion made by the Texas Medical Board (TMB) to dismiss the suit, which argued that in fact there is direct supervision. Consequently, the TMB withdrew their appeal. The case has since been resolved by compromise legislation (SB 1107) enacted into law in Texas in 2017.

The FTC also commented in 2016 on regulations proposed by the Delaware Occupational Therapy Board.

In February 2018, the FTC submitted a comment letter in response to Washington Substitute Senate Bill 5411/HB 1473. The bill would require licensed ophthalmologist and optometrists to conduct an in-person, comprehensive eye exam before prescribing eyeglasses and contact lenses. The FTC argued that this would restrict a distant site practitioner from using information received via telehealth as the basis for a prescription for a corrective lenses, and raised concerns about it reducing competition, access and consumer choice for eye care as well as potentially raising costs for consumers in the state of Washington. The FTC letter goes into detail on the types of tests needed to issue a prescription for corrective lenses noting that many of them do not typically require an in-person element.

More recently, in June 2020 the FTC submitted a comment letter in response to an Interim Final Rule the Centers for Medicare and Medicaid Services (CMS) released that expanded reimbursement in Medicare during the COVID-19 Public Health Emergency. The comment letter supports the interim rule’s provisions reducing or eliminating restrictive Medicare payment requirements for telehealth and other communication technology-based services. The letter indicates that CMS should use the experience to develop empirical evidence on the effects of these policies to consider whether the changes should be made permanent.

Malpractice

Medical malpractice is the professional negligence by act or omission by a health care provider. Claims of malpractice liability involving telehealth have been few and most existing cases have been settled out of court with the final settlements sealed. However, as telehealth becomes more pervasive, it is likely the number of malpractice suits will increase. 

Malpractice liability

The basic premise of medical malpractice exists whether the service is delivered in-person or via telehealth. Regardless of the modality in which the services are delivered, a provider must be aware that he or she may be subject to the potential of a malpractice suit.

Malpractice insurance

Providers should confirm with their carriers that their current malpractice insurance covers those services provided via telehealth and if the provider is practicing across state lines, that their coverage extends into that other state.

While some malpractice insurance will cover services provided via telehealth, not all carriers operate in the same fashion. Additional coverage may need to be purchased. Providers should ascertain they are adequately covered by their carrier or seek out another if necessary.

Additionally, carriers may not extend their coverage to other states. Due to various reasons such as lack of ceilings to malpractice awards, a provider’s current malpractice carrier may not be able or willing to provide coverage across state lines. Providers should check with their carriers before embarking on providing services outside of their home state.

Providers may also want to consider seeking out some type of cyber liability coverage to protect against data breaches and hacking.

Federal Tort Claims Act

Healthcare providers employed by FQHCs specifically, are covered by the Federal Tort Claims Act (FTCA) coverage, which provides medical malpractice liability coverage to employees and those with a contract with the federal government. FTCA guidance does not directly address the use of telemedicine, but specifies that to meet the FTCA’s requirements for providing services, a patient-provider relationship must be established. This can only be established by an individual accessing care at an approved site, or if health center triage services are provided by telephone or in person (for example, scheduling the patient an appointment). Because it does not address a telemedicine situation directly, it is unclear if coverage applies when the patient is not at the health center when they receive services. The Health Resources Services Administration (HRSA) has indicated they will update this guidance to incorporate telehealth, but as of the writing of this report has not.

HIPAA

Telehealth provision or use does not alter a covered entity’s obligations under HIPAA, nor does HIPAA contain any special section devoted to telehealth. Therefore, if a covered entity is utilizing telehealth that involves personal health information, the entity must meet the same HIPAA requirements that it would if the service was provided in-person. 

Enacted August 21, 1996, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), protects personal health information (PHI). 

In 2000, the US Department of Health and Human Services (HHS) finalized the “Privacy Rule,” (with modifications made in 2002) which addresses the use and disclosure of individuals’ health information, and provides standards for individuals’ privacy rights under HIPAA. The Health Information Technology for Economic Clinical Health (HITECH) Act of 2009 created or clarified provisions that impacted HIPAA. 

Only certain parties, called “covered entities,” are subject to HIPAA. These entities include:

  • Health plans
  • Health care providers
  • Health care clearinghouses
  • Business associates 

Telehealth does often require consultation with technical personnel, independent of the medical team, who may be exposed to patient data. Therefore, providers may need to enter into business associate agreements with these technical personnel organizations, which obligate them to maintain the same confidentiality required of the provider under HIPAA. 

The entity will also need to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability, of PHI. While there are some specifications, each entity must assess what are reasonable and appropriate security measures for their situation.

Use of specific telehealth equipment or technology cannot ensure that an entity is “HIPAA compliant” because HIPAA addresses more than features or technical specifications. Nevertheless, certain features may help a covered entity meet its compliance obligations. For example, a telehealth software program may contain an encryption feature, or the technology might provide security through the use of passwords. However, these examples only provide elements or tools to help a covered entity meet its obligations under HIPAA; they do not ensure compliance and cannot substitute for an organized, documented set of security practices.

Check out our HIPAA fact sheet for more information.

During the COVID-19 public health emergency, the Office for Civil Rights (OCR) released guidance stating that they will exercise enforcement discretion and waive penalties for HIPAA violations that serve patients in good faith through everyday communication technologies, such as FaceTime or Skype, during the COVID-19 public health emergency (PHE).  However, this allowance expired 90 days following the official end of the PHE (May, 11, 2023).  A series of materials and guidance around the privacy issue for both patients and providers were created by OCR including the following:

  1. Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth
  2. Telehealth Privacy and Security Tips for Patients
  3. Guidance on How the HIPAA Rules Permit Remote Communication Technologies for Audio-Only Telehealth

Additionally, the question of privacy and technology has gotten more complicated as concerns about data sharing and tracking information particularly in the light of certain court cases related to reproductive rights have spurred both federal and state agencies to move towards adopting policies to protect this information. This continues to be a developing area, but one that the telehealth field should still keep abreast of any new policies.