Standard of care & prescribing—The American Medical Association (AMA) recommends a patient-physician relationship be clearly established before the provision of any telemedicine services to a patient, including teleprescribing. However, each state has different requirements.
Knowing when a physician-patient relationship forms is not only important, it is vital to avoid adverse treatment consequences and, ultimately, malpractice actions. Some states require initial face-to-face encounters prior to the commencement of telemedicine services, while other states permit a consultation with another physician who has an ongoing relationship with the same patient.
Regarding teleprescribing, certain states require a physical exam in person prior to authorizing prescribing, while others allow a telehealth exam before prescribing can occur.
Reported cases in which physician-patient relationships were not clearly established have resulted in patient lawsuits against physicians alleging neglect or abandonment. For this reason, many states also require the physician to agree to supervise the patient’s care, rather than merely to engage in isolated transactions.
Informed consent—The ATA recommends obtaining informed patient consent as a best practice, but it is actually required by law in 39 states, and often before a patient can begin a telemedicine treatment program. Some states require a standard form to be signed, but others permit a patient’s oral statement at the beginning of a telemedicine session.
Not only is failure to obtain proper patient consent a potential issue for malpractice, it is a requirement for reimbursement through some states’ Medicaid plans. Georgia is one state with a robust policy on telemedicine informed consent and provides a good example form in its Medicaid Telehealth Manual.
Federal Laws
HIPAA—Under HIPAA, telemedicine providers should permit only authorized users to have access to protected health information (PHI). This means using business associate agreements (BAAs) with medical billing services, information technology (IT) consultants or other vendors of healthcare services, such as pharmacy benefit managers.
Telemedicine providers are expected to use “reasonable and appropriate safeguards” to prevent PHI breaches, including data and cyber security software programs. Telemedicine providers should consider monitoring access through the use of an external IT company, because providers will engage in live or recorded treatment sessions and communication with patients, which could include the transmission of medical records, visual images, live or recorded video of the patient—all potentially subject to hacking through weak internet networks.
Note: On March 17, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights announced it would waive potential penalties for HIPAA violations against any healthcare providers treating patients through remote technology communication during the COVID-19 health emergency. This OCR penalty discretion permits physicians to use widely available applications, such as Skype, Facebook Messenger or Google Hangouts, to assess and treat patients with suspected COVID-19 symptoms or non-COVID-19 medical conditions for convenience and to help limit the spread of possible infections.
