In the first 2 articles of this series, “” and “ ,” which appeared in the May and June issues of OBG Management, we discussed caring for patients without face-to-face visits and that virtual visits are an opportunity to provide good care in a world such as that created by COVID-19. We also discussed which patients are the most appropriate candidates for telemedicine, as well as how to properly code virtual visits so that you are paid for your time and service. This third article addresses the legal concerns and caveats of using telemedicine and makes a prediction for the future of virtual health care.
Legal issues surrounding telemedicine
There are numerous legal, regulatory, and compliance issues that existed before the pandemic that likely will continue to be of concern postpandemic. Although the recent 1135 waiver (allowing Medicare to pay for office, hospital, and other visits furnished via telehealth)1 and other regulations are now in place for almost every aspect of telemedicine, virtual medicine is not a free-for-all (even though it may seem like it). Practicing ethical telemedicine entails abiding by numerous federal and state-specific laws and requirements. It is important to be aware of the laws in each state in which your patients are located and to practice according to the requirements of these laws. This often requires consultation with an experienced health care attorney who is knowledgeable about the use of telemedicine and who can help you with issues surrounding:
- Malpractice insurance. It is an important first step to contact your practice’s malpractice insurance carrier and confirm coverage for telemedicine visits. Telemedicine visits are considered the same as in-person visits when determining scope of practice and malpractice liability. Nevertheless, a best practice is to have written verification from your malpractice carrier about the types of telemedicine services and claims for which your ObGyn practice is covered. Additionally, if you care for patients virtually who live in a state in which you are not licensed, check with your carrier to determine if potential claims will be covered.
- Corporate practice laws. These laws require that your practice be governed by a health care professional and not someone with a nonmedical background. This becomes important if you are looking to create a virtual practice in another state. States that prohibit the corporate practice of medicine have state-specific mandates that require strict adherence. Consult with a health care attorney before entering into a business arrangement with a nonphysician or corporate entity.
- Delegation agreement requirements. These laws require physician collaboration and/or supervision of allied health care workers such as nurse practitioners (NPs) and physician assistants (PAs) and may limit the number of allied health care providers that a physician may supervise. Many states are allowing allied health care workers to practice at the top of their license, but this is still state specific. Thus, it is an important issue to consider, especially for practices that rely heavily on the services of advanced practice registered nurses (APRNs), for example, who have a broad scope of practice and who may be qualified to care for many common ObGyn problems.
- Informed consent requirements. Some states have no requirements regarding consent for a virtual visit. Others require either written or verbal consent. In states that do not require informed consent, it is best practice to nevertheless obtain either written or oral consent and to document in the patient’s record that consent was obtained before initiating a virtual visit. The consent should follow state-mandated disclosures, as well as the practice’s policies regarding billing, scheduling, and cancellations of telemedicine visits.
- Interstate licensing laws. Because of the COVID-19 pandemic, federal and state licensure waivers are in place to allow physicians to care for patients outside the physician’s home state, but these waivers likely will be lifted postpandemic. Once waivers are lifted, physicians will need to be licensed not only in the state in which they practice but also in the state where the patient is located at the time of treatment. Even physicians who practice in states that belong to the Interstate Medical Licensure Compact2 must apply for and obtain a license to practice within Compact member states. Membership in the Interstate Medical Licensure Compact expedites the licensure process, but does not alleviate the need to obtain a license to practice in each member state. To ensure compliance with interstate licensure laws, seek advice from a health care attorney specializing in telemedicine.
- Drug monitoring laws. The Ryan Haight Online Pharmacy Consumer Protection Act of 20083 implemented a requirement that physicians have at least one in-person, face-to-face visit with patients before prescribing a controlled substance for the first time. Because state laws may vary, we suggest consulting with a health care attorney to understand your state’s requirements for prescribing controlled substances to new patients and when using telemedicine (see “Prescription drugs” at https://www.cdc.gov/phlp/publications/topic/prescription.html for more information).
- Data privacy and security. From a content perspective, health care data and personally identifiable information are extremely rich, which makes electronic health records (EHRs), or the digital form of patients’ medical histories and other data, particularly tempting targets for hackers and cyber criminals. We caution that services such as Facetime and Skype are not encrypted; they have been granted waivers for telemedicine use, but these waivers are probably not going to be permanent once the COVID-19 crisis passes.
- HIPAA compliance. Generally—and certainly under normal circumstances—telemedicine is subject to the same rules governing protected health information (PHI) as any other technology and process used in physician practices. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule includes guidelines on telemedicine and stipulates that only authorized users should have access to ePHI, that a system of secure communication must be established to protect the security of ePHI, and that a system to monitor communications must be maintained, among other requirements.4 Third parties that provide telemedicine, data storage, and other services, with a few exceptions, must have a business associate agreement (BAA) with a covered entity. Covered entities include health care providers, health plans, and health and health care clearinghouses. Such an agreement should include specific language that ensures that HIPAA requirements will be met and that governs permitted and required uses of PHI, strictly limits other uses of PHI, and establishes appropriate safeguards and steps that must be taken in the event of a breach or disallowed disclosure of PHI. Best practice requires that providers establish robust protocols, policies, and processes for handling sensitive information.
During the COVID-19 pandemic, however, certain HIPAA restrictions relating to telemedicine have been temporarily waived by the US Department of Health and Human Services (HHS). More specifically, HHS Secretary Alex Azar has exercised his authority to waive sanctions against covered hospitals for noncompliance with requirements: to obtain a patient’s consent to speak with family members or friends involved in the patient’s care, to distribute a notice of privacy practices, to request privacy restrictions, to request confidential communications, and the use of nonpublic facing audio and video communications products, among others.5 These are temporary measures only; once the national public health emergency has passed or at the HHS Secretary’s discretion based on new developments, this position on discretionary nonenforcement may end.
Continue to: Crisis creates opportunity: The future of telemedicine...