Stated in the most basic terms, HIPAA applies to use and disclosure of protected health information (“PHI”), if transactions are billed electronically for third-party reimbursement.
Given that there are more and more laws requiring reimbursement of telemedicine encounters, clinicians involved in telehealth need to understand HIPAA, as HIPAA may, in fact, apply. However, to the extent clinicians are in a cash practice and not billing insurance electronically, HIPAA does not apply.
Even if HIPAA does not apply, state rules can require privacy and security safeguards for PHI.
For example, California has the Confidentiality of Medical Information Act (CMIA). This statute imposes certain obligations with respect to disclosure of patient medical information, and governs patient access to medical records.
State laws, including those of California, typically require that healthcare providers make reasonable efforts to maintain the privacy and security of medical information. In addition, these state laws usually require consent or authorization from the patient for disclosure of information regarding genetics, HIV treatment, and other specialized medical documentation.
Other sections of state law govern such matters as retention of medical records, as well as responsibility regarding reporting communicable diseases.
Where HIPAA applies, it supersedes relevant state law standards, unless state law is found to be more stringent. HIPAA does not preempt state requirements related to reporting of disease, child abuse, birth and death, nor does it preempt state requirements that authorize public health surveillance, public health investigation, or intervention. In addition, state and federal law, as well as hospital policies, may establish stricter standards than HIPAA.
Increasingly, states also regulate privacy breaches. For example, the California Department of Health Care Services has a webpage describing procedures that should be followed in the case of a privacy breach or unauthorized disclosure of personal confidential information that violates state or federal privacy laws. The Department also has a Privacy Office which conducts incident investigation, privacy training, and compliance audits. The Office describes examples of privacy breaches, including:
The bottom line is that practices need to demonstrate efforts regarding privacy and security compliance, regardless of whether HIPAA applies.
There is a danger in asserting that one is ‘HIPAA compliant’, in that this can constitute false advertising if the practice is, in fact, not making reasonable efforts to comply with all the requirements of HIPAA.
Reasonable legal compliance efforts—whether under HIPAA or state laws that often mirror HIPAA—should include:
The privacy and security practices manual should contain written policies and procedures for the documentation, maintenance, and transmission of the records of encounters using telemedicine services. This should include addressing:
Policies and procedures should be periodically evaluated to ensure all are current. They should be accessible and readily available for review.
Importantly, HIPAA requires that business associates of a covered entity also comply with HIPAA. The healthcare provider is the covered entity; the business associate is anyone who creates, maintains, receives, or transmits PHI. This could be, for example, the billing company which the practice employs. These business associates must also put compliance measures into place, and the covered entity should ensure that the business associates are doing so.
Failure to have written arrangements in place for business associate compliance can result in liability to the covered entity.
Even if not technically under HIPAA, the organization should cover its liability exposure by having an agreement in place that obligates the business associate to reasonable compliance.
Increasingly, telemedicine is seen as an integral part of medicine with a seamless physician-patient relationship more virtual than physical. To ensure patients receive high quality treatment, state laws and medical board regulations require the standard of care in telemedicine reflect that of an in-person physician-patient encounter.
Reading this article does not create an attorney-client relationship with its author or with the Michael H. Cohen Law Group. This is an informational and educational piece; it does not constitute legal advice. If you’d like legal advice, consult an attorney for advice specific to your situation.
The Michael H. Cohen Law Group counsels health technology companies and providers on healthcare legal issues and FDA legal and regulatory matters. Legal counsel includes corporate and transactional healthcare matters, healthcare regulatory compliance, and healthcare litigation and dispute resolution. Attorney Michael H. Cohen is an internationally recognized author, speaker on healthcare law and FDA law, and expert in developing legal strategies for healthcare ventures, including integrative medicine, anti-aging and functional medicine, telemedicine and concierge medicine.