In addition to differences in payment and licensure, providers delivering health care services through telehealth may encounter different state laws regarding practice standards. Policymakers across the country continuously balance the rapid acceleration of the benefits of technology and telehealth with the responsibility to ensure safe and high-quality care for their constituents. States ensure patient safety by creating guidelines establishing a patient-provider relationship and mandating certain informed consent requirements. For example, there is some concern about fragmented care from different providers and ensuring that patients’ primary providers are aware of any services provided via telehealth. Ideally, telehealth is integrated into the health care delivery system and is coordinated with other providers. Other concerns about telehealth include ensuring that services provided remotely are as safe and as comprehensive as in-person care. Policies related to practice standards include applying the standard of care, establishing a patient-provider relationship and ensuring informed consent.
Standard of Care
The standard of care—what another similarly trained and equipped provider would do in a similar situation—applies to health care providers regardless of the method of service delivery and should similarly govern safety in telehealth. Some states, including Idaho, Louisiana, Missouri, New Jersey and Texas, have codified that the applicable standard of care that applies to in-person care also applies in telehealth. As it is further employed, the standard of care of telehealth is likely to evolve.
Privacy, Confidentiality and HIPAA
Policymakers may discuss other considerations such as privacy, confidentiality, data security and the federal Health Insurance Portability and Accountability Act (HIPAA) when developing telehealth strategies. Since HIPAA does not have specific requirements related to telehealth, providers must meet the same HIPAA requirements for telehealth as for in-person services. Additional steps may need to be taken that would otherwise be unnecessary for in-person visits. For example, a technology support person working on telehealth equipment could be more easily exposed to a patient’s personal health information.
Policymakers need to ensure that laws permitting and/or promoting telehealth still maintain patient privacy protections, as required by HIPAA. Some argue that privacy and security must be addressed to advance telehealth and ensure providers’ and patients’ trust in it.
States may also consider informed consent policies—a process by which a patient is made aware of any benefits and risks associated with a particular service or treatment, as well as any alternative courses of action. In the case of telehealth, it may be particularly beneficial for patients to know the potential risks and understand that a condition or treatment may require a provider to defer to in-person services.
Currently, 39 states and the District of Columbia have some type of informed consent policy for telehealth, which represents a growing trend. This requirement may apply to different arenas—e.g., all providers or just the Medicaid program, or even specific services, depending on the origination (statute, administrative code, Medicaid policy) and intent of the policy. States that require informed consent primarily require verbal consent, but six states and the District of Columbia require written consent. Requiring written consent may create additional barriers to accessing telehealth because it can require an in-person encounter to sign a waiver prior to receiving telehealth treatment. Depending on the policy, this may lead to a paradox, where the potential benefits of telehealth are stifled by the requirements to receive it.
The relationship between a patient and health care practitioner, or the patient-provider relationship, is an important determinant of the quality of care a patient will receive. Establishing a high-quality patient-provider relationship will usually lead to better outcomes and more trust between the patient and the physician. As with other modes of care, patients receiving care through telehealth should expect to receive competent care, the assurance of privacy and confidentiality, and continuity of care. Differences in possible patient-provider interactions in telehealth have brought accountability and the patient-provider relationship to the forefront in discussions about telehealth safety.
As telehealth grew in popularity, many states initially required telehealth patient-provider relationships to be established in person. Requiring an initial in-person visit to a telehealth provider prior to treatment can create a barrier to access and perpetuate the problem that telehealth intends to solve. Patients who seek telehealth treatment because they are unable to access a health care facility may be disadvantaged by laws requiring patient-provider relationships to be established in person. However, as of 2017, all 50 states allow a patient-provider relationship to be established remotely, representing the desire of states to facilitate telehealth. In 2017, Texas became the last state to allow physicians to treat telehealth patients without prior face-to-face interaction under SB 1107, a bipartisan bill.
Despite loosening regulations on establishing telehealth relationships, some states, such as Georgia and Alabama, maintain requirements for patients to receive follow-up care from telehealth providers in person. Proponents of telehealth are wary of requiring follow-up in-person visits because of the additional burden placed on the patient to seek in-person care, which could potentially recreate some of the barriers telehealth seeks to remove.
The federal Ryan Haight Act, passed in 2008, prohibited practitioners from prescribing controlled substances without an in-person exam or meeting one of the seven “practice of telemedicine exceptions.” This act created barriers to treatment, particularly for individuals suffering from substance use disorders (SUDs), and restricted the use of telehealth to deliver medication-assisted treatment (MAT) to these patients.
As the opioid epidemic intensified, Congress responded by passing the SUPPORT for Patients and Communities Act in 2018. This act amended the Ryan Haight Act to require the Drug Enforcement Administration (DEA) to activate a special registration allowing physicians and nurse practitioners to prescribe controlled substances through telehealth and without a prior in-person exam, opening the door to MAT. While there are still barriers to providing MAT through telehealth, the passage of the SUPPORT Act is likely to bring changes at the state level.
State laws also govern a provider’s authority to prescribe medications, including provider board rules and regulations that set the standard of care for prescribing. Most states do not allow an online questionnaire to establish a patient-provider relationship, instead requiring real-time telehealth interactions before a provider can write prescriptions. Further, some states require an in-person exam before any prescription is written, eliminating the ability to use telehealth to prescribe medications. However, there are many exceptions to these policies, including MAT exceptions designed to address the opioid epidemic.
All states will need to adjust their prescriber policies related to telehealth to be in accordance with the SUPPORT Act. Most stakeholders agree that if providers can prescribe and dispense medications via traditional means, they should be able to do so via telehealth as well, provided they can gather the necessary information and maintain patient privacy rights.