Hold the Phone —
HIPAA and Other Potential Pitfalls in Providing Telemedicine Services
By Michael M. Maddigan, JD
Telemedicine’s popularity continues to grow. Healthcare Finance recently reported that telemedicine patient “visits” grew by 261% between 2015 and 2017. Similarly, the number of physicians identifying telemedicine as a skill doubled between 2015 and 2018. Then there’s what’s happening during the pandemic—an unprecedented boom in telemedicine services.
As a result of this increasing popularity, a Global Insights market report estimated the value of the telemedicine sector at approximately $38.3 billion in 2018 and predicted that the industry’s worth would skyrocket to $130.5 billion by 2025.
Multiple factors are fueling this growth. Improved technology has made rendering telemedicine services easier. Physician shortages, particularly a dearth of primary care physicians, continue to drive demand for additional services. And private insurers, including Medicare Advantage plans, increasingly compensate for telemedicine services.
In addition, the coronavirus pandemic has underscored other potential advantages to telemedicine. Because there still are unknowns about the nature and ease of coronavirus transmission, the ability to treat a patient with nonserious symptoms in his or her own home provides a tool for potentially minimizing further infections of both other patients and health care workers.
Similarly, in an environment where patients suffering from nonserious symptoms may be concerned about additional risks posed by visiting a hospital or medical office, telemedicine offers an alternative method of providing care. For these reasons, among others, the legislation Congress passed on March 4 to fund the fight against coronavirus included provisions lifting restrictions on telemedicine for fee-for-service Medicare programs in order to assist with screening. (Restrictions previously had been relaxed for Medicare Advantage plans.)
Even though telemedicine appears to be having its proverbial “moment,” serious legal issues remain for those considering providing these services. Two of the biggest issues center around how telemedicine services may be provided and who may provide them.
The HIPAA Security Rule
HIPAA governs the treatment of confidential or protected health information (PHI). The Privacy Rule establishes national standards for the protection of individual medical records and other personal health information. It applies to health plans, health care clearinghouses, and certain providers who conduct electronic transactions.
The HIPAA Security Rule, in turn, requires administrative, physical, and technical safeguards to ensure the confidentiality, security, and integrity of electronic health information. Under the Security Rule, only authorized individuals should have access to electronic PHI, the systems to communicate electronic PHI must be secure, and a covered entity must have a system in place for monitoring communications of electronic PHI to prevent accidental or malicious breaches.
The Security Rule squarely impacts telemedicine. While many patients and some providers assume that electronic communication of PHI between patient and provider is acceptable, that is not necessarily the case. In particular, many common forms of electronic consultation or communication, such as Skype, do not satisfy the Security Rule.
This may be true for a number of reasons, including their retention of patient PHI on their servers, their inadequate security, their inability or unwillingness to restrict access to that retained PHI, and their refusal or unwillingness to enter into business associate agreements. As a result, many physicians who seek to practice HIPAA-compliant telemedicine have chosen to use secure messaging applications or other solutions that provide encrypted communications and data, including data at rest.
Besides meeting the requirement of a secure communications system, these tools have built-in features that also help satisfy the requirement of having a monitoring system designed to prevent accidental or malicious breaches.
In addition to HIPAA, many states have separate state laws that protect the privacy of health information. For example, California’s Confidentiality of Medical Information Act (CMIA) provides for arguably even more robust protection of patient medical information than HIPAA. One illustration of the CMIA’s breadth is its application to “providers of medical care,” which the act defines expressly to include companies that offer “any mobile application or related device” that is designed to maintain medical information.
The CMIA also provides a private right of action for violations, creating potentially greater exposure for anyone who suffers a breach or otherwise fails to preserve the confidentiality of medical information.
In sum, the telemedicine sector has expanded rapidly over the past several years and, especially with the coronavirus onslaught, appears poised for even more substantial growth. Nevertheless, both individual physicians and technology-focused companies seeking to develop or expand telemedicine offerings should proceed with caution. HIPAA and related state statutes limit the manner in which telemedicine services can be provided, impose serious financial penalties and legal risk for noncompliance, and promise even more severe reputational penalties for any failure.
Licensing and Corporate Practice Restrictions
In addition to HIPAA’s restrictions on how telemedicine services can be delivered, a variety of federal and state regulations also affect who can provide telemedicine services. Many individuals and entities seeking to capitalize on the emerging opportunities in the telemedicine sector fail to understand or appreciate these regulations; they do so at their own peril.
For example, state licensing requirements limit who can provide telemedicine services. Specifically, most states require that physicians rendering services to patients in that state be licensed to practice medicine in that state. The Interstate Medical Licensure Compact—an agreement between 29 states, the District of Columbia, and Guam—permits physicians licensed in one state to render telemedicine services to patients in another state. However, several of the largest states, including California, Texas, Florida, and New York, do not currently participate in the agreement.
Apart from the licensure compact, several states permit and require physicians providing telemedicine services to patients in that state to obtain a limited license in order to provide such services and to follow up with a patient’s primary care provider. Therefore, for compliance purposes, it is essential that a physician seeking to provide telemedicine services has the appropriate license to render services in the state where the patient lives.
A second substantial limitation on who can provide telemedicine services is the corporate practice of medicine doctrine. This doctrine, a well-established principle that prohibits corporate entities from employing physicians or practicing medicine, continues to exist in more than 30 states, including large states such as New York and California. The corporate practice of medicine doctrine can raise serious issues for technology companies seeking to enter the telemedicine space. For example, a Silicon Valley start-up cannot simply hire physicians to provide telemedicine services to patients in California.
Therefore, breaking into the telemedicine space, or expanding a medical practice to include increased telemedicine services, requires creating a business model that is medically effective, legally compliant, and economically successful.
— A partner at Hogan Lovells US LLP, Michael M. Maddigan, JD, is a thought leader in the health care and privacy areas. He is the coauthor of Health Care Reform: Law and Practice, a publication that provides guidance on the Affordable Care Act’s impact on health plans, employers, and individuals. He is also coauthor and editor of Medical Records Privacy Under HIPAA.