Documentation Requirements
Legal Requirements
Licensing required to provide care via telehealth varies by state. This is a brief description of the necessary requirements:
Licensure
Licensing refers to the process of securing the authority to practice medicine within a state. Health professionals must meet the licensing requirements of the state where they are located and be licensed or legally permitted to practice in the state where the patient is located. In response to the growing use of telehealth, many states are revisiting their licensure process to minimize barriers to access and ensure continuity of care, while also preserving state regulatory oversight.
Health care providers have offered telehealth in states where the provider was not licensed. This trend advanced with the COVID-19 public health emergency (PHE), when all 50 states and Washington, D.C. used emergency authority to waive some aspects of their state licensing requirements. As state PHE orders ended, some states discontinued cross-state licensing waivers, whereas other states enacted legislation to extend the waivers for a specified period of time or to make the waivers permanent. Several states passed legislation to permanently allow out-of-state physicians to practice telehealth in their state if they follow the state’s requirements. Other states require out-of-state telehealth license recipients to pass an exam. The Federation of State Medical Boards has information on each state’s protocol for patients who live out of the state in which the physician practices.
https://www.fsmb.org/siteassets/advocacy/pdf/states-waiving-licensure-requirements-for-telehealth-in-response-to-covid-19.pdf
Licensing compacts deliver a faster pathway to interstate telehealth practice. Compacts are created when a certain number of states agree upon a uniform standard of care and enact a state law to support that standard. Each state in the compact agrees that a telehealth appointment occurs in the state where the patient is located at the time of the appointment. This approach enables both the home and compact states to maintain their oversight over health care professionals practicing within their borders and ensure patient safety. The Interstate Medical Licensure Compact started onboarding states that have enacted the appropriate legislation in 2017 and currently involves 37 participating states. The pandemic underscored the need for non-participating states to reconsider application to the compact.
Credentialing and Privileging
Credentialing is used by health care organizations to obtain, verify, assess, and validate a provider’s qualifications. This includes reviewing the provider’s license, education, insurance, and other information to ensure they meet the standards of practice required by the healthcare facility and healthcare plans. Privileging defines the scope of practice a physician may provide. Granting privileges is based on competency as verified by credentialing and is a data-driven process. These privileges may be general or refer to very specific services. Small and/or rural clinics may need certain specialists but do not have the resources or demand to hire one as a full-time staff member. Telehealth would be an option for these organizations. While telemedicine (TM) does not require formal academic training, credentialing for TM should verify that the provider knows how to use the equipment, understands the process of interacting with patients using the technology, and is compliant with HIPAA. A provider could also use this credentialing to obtain TM privileges in institutions that require a separate TM privilege.
CMS changed the credentialing requirements for access hospitals to relieve them of the administrative liability involved when contracting for TM services. CMS approved regulations to allow hospitals and critical access hospitals (CAH) to credential by proxy. This allows a clinic (the originating site) to contract with another hospital, CAH or telemedicine entity (the distant site) to provide services via telehealth and credential those providers by relying on the credentialing work done by the distant site, if certain conditions are met. This creates a faster, more cost-effective method for clinics and hospitals to access needed specialty care. The Joint Commission created parallel guidelines to the federal regulations.
Malpractice
Like in-person medical practices, telehealth services carry liability and malpractice risks. Some liability insurance policies include telehealth as a covered service, while others may require providers to pay for a supplemental telehealth insurance policy. If a provider plans to offer telehealth in more than one state, the practitioner will need to confirm that the insurance policy covers him/her for all locations. Moreover, it is recommended to check into new and follow-up patient coverage. Clinicians should obtain written confirmation of the policy.
While inquiring into malpractice insurance, clinicians may want to investigate cyber liability insurance coverage. This is imperative for handling breaches of patient data. Such breaches include data being hijacked, inappropriately distributed, uncovered, or held for ransom. A lost tablet or laptop with unencrypted data visible can also result in a data breach.
Your institution/employer may also limit the provision of telehealth services to patients residing outside of the state you practice in. Please also review your organizational policies to ensure compliance prior to seeing patients across state lines.
Prescribing
There are several differences across the states related to the use of technology and prescribing controlled substances. Establishing a patient-provider relationship is considered imperative to writing prescriptions in most states, and using only an internet/online questionnaire is deemed to be unsatisfactory for this. Some states may also require that a physical exam be administered prior to a prescription being written, but not all states require an in-person examination, and some specifically allow the use of telehealth to conduct the exam. The Ryan Haight Act, passed in 2008 to regulate online internet prescriptions, is enforced by the DEA (Drug Enforcement Agency) and also imposes rules around the prescription of controlled substances. The general requirement was that the prescribing practitioner must have conducted at least one in-person medical evaluation of the patient prior to prescribing. When the Public Health Emergency (PHE) was declared due to COVID-19, these restrictions were removed, and physicians were allowed to prescribe schedule II-IV controlled medications via TM. The DEA has extended these flexibilities until December 31, 2024 to allow time to develop permanent policy that ensures patient safety and access.
Other medications, such as inhaled steroids, epinephrine auto-injectors, antihistamines, etc., can be prescribed as they would be at in-person visits, provided that the prescriber is authorized to do so under state and federal law. Some states have very specific rules for the use of telehealth in prescribing, while others are more vague or silent. Some of the rules center on whether telehealth is adequate to establish a patient-provider relationship, and these rules vary across the states.
Health Insurance Portability and Accountability Act (HIPAA) – Security
TM encounters should be held to the same privacy and security standards as applied in a standard in-person office visit.
HIPAA established standards to protect patients’ protected health information (PHI). All telehealth services provided by covered health care providers and health plans must comply with HIPAA. Moreover, health care providers and health plans must use technology vendors that comply with HIPAA and enter into a business associate agreement (BAA). Frequently, they will encounter vendors who say their equipment or software is HIPAA compliant. The technology alone cannot make one HIPAA compliant. Human action is required in order to meet the necessary level of compliance. Additionally, the technologies change frequently, so it is imperative to visit each vendor’s website for information on current products. It is also important to work with an IT security expert to ensure that the technologies are HIPAA compliant and offer secure data encryption. HIPAA does not have specific requirements related to telehealth. However, to meet HIPAA’s requirements, an entity may need to take different or additional steps that may not have been necessary if the service was delivered in person.
Additionally, states may have their own privacy and security laws with which providers must be familiar.
These links are for research only. They are not endorsed by the American Academy of Allergy, Asthma & Immunology (AAAAI).
12/7/2023