Risk Management Considerations in Telehealth and Telemedicine

By Georgia Reiner, Senior Risk Specialist, Nurses Service Organization (NSO)
and Lynn Pierce, BSN, RN, CPHRM, Risk Control Consulting Director, CNA

Summary

As the provision of health care services via technology — commonly called telehealth or telemedicine — expands during the current COVID-19 emergency period, questions arise regarding the permitted scope of practice, licensure requirements and compliance with the Health Insurance Portability and Accountability Act (HIPAA), among other regulatory-based inquiries. It is important for nurse practitioners to understand the risks unique to the practice of telehealth, as well as risk management best practices, including:

• Verify authorization to legally practice telehealth. 
• Safeguard patient data and comply with privacy regulations and disclosure protocols.
• Monitor outcomes for clinical care and technical support.
• Create and retain formal patient care records for all encounters.
• Engage in continuing education to ensure key competencies. 

The information and regulatory guidance regarding COVID-19 is rapidly evolving and changing. The questions and responses below provide basic information to NPs and are intended to serve as a catalyst for an NP’s further inquiry into the federal and state regulatory framework for telemedicine/telehealth. It is the responsibility of the qualified practitioner to know and meet the requirements necessary to provide telehealth services to their patients.  

What qualifies as telehealth?

Telehealth involves the use of electronic communications and information technology to deliver health-related services at a distance. The electronic communication must have audio and video capabilities that are used for two-way, real-time interactive communication. States have different laws concerning when and how telehealth may be practiced, so it’s important to check state statutes, regulations and policies, as well as state licensure boards regarding practice limitations before initiating services. In addition, the Centers for Medicare & Medicaid Services provide information on the scope of Medicare telehealth services.

Is it necessary to secure a license in both states when delivering telehealth across state lines?

Some states require practitioners who practice telehealth to be licensed in the state where the patient is located and abide by the licensure and practice requirements of that state. Before embarking on interstate telehealth, NPs must review the state practice act of the state where the patient resides. Certain states and professions also have entered into interstate compacts, creating a new pathway to expedite the licensing of a practitioner seeking to practice in multiple states. For additional information, check the respective state licensing board to determine if the state has joined a compact. 

During the nationwide public health emergency due to COVID-19, some of these statutes and regulations may be waived. It is important for NPs to be aware of applicable state and/or federal government regulations both during and following the emergency period.

What are the risks inherent to telehealth that patients should be made aware of?

Patient consent is always required prior to participation in telehealth services. Practitioners often use existing consent and documentation processes for store-and-forward consultations. For more invasive procedures, a separate consent form is preferable, encompassing the following information:

• Names, credentials, organizational affiliations and locations of the various health professionals involved.
• Name and description of the recommended procedure.
• Potential benefits and risks.
• Possible alternatives, including no treatment.
• Contingency plans in the event of a problem during the procedure.
• Circumstances under which the patient needs to see a health care professional for an in-person visit.
• Explanation of how care is to be documented and accessed.
• Security, privacy and confidentiality measures to be employed.
• Names of those responsible for ongoing care.
• Risks of declining the treatment/service.
• Reiteration of the right to revoke consent or refuse treatment at any time.

In addition, clearly convey to the patient the inherent technical and operational hazards that may impede communication. These include:

• Fiber-optic line damage, satellite system compromise or hardware failure, which could lead to incomplete or failed transmission.
• File corruption during the transmission process, resulting in less than complete, clear or accurate reception of information or images.
• Unauthorized third-party access, which may lead to data integrity problems.
• Natural disasters, such as hurricanes, tornadoes and floods, which can potentially interrupt operations and compromise computer networks.

Prepare an emergency or contingency plan in case of technology breakdown, and be sure to communicate that information to the patient in advance of a telehealth encounter.

Should a special “Consent to Treat” form be utilized when performing telehealth?

Obtaining a patient’s consent to telehealth services is an essential step in the care process and is a recommended best practice of the American Telemedicine Association. A general consent-to-treat form lacks specificity regarding the potential benefits, constraints and risks unique to telehealth, including equipment failures and privacy and security breaches. In addition, a general form is lacking in standard language regarding patient rights and responsibilities relating to telehealth. Sample telehealth informed consent forms are available from the American Telemedicine Association. 

During the informed consent process, describe the nature of telemedicine compared with in-person care (scope of service) as well as providing written information. Provide information about the encounter, prescribing policies (if applicable), communication and follow-up, record-keeping, scheduling, privacy and security, potential risks, mandatory reporting, provider credentials, and billing arrangements. Prior to initiating telehealth services, know when to recommend that the patient needs to see a health care professional for an in-person visit.

How are practitioners expected to ensure the privacy and confidentiality of patients’ data during the novel coronavirus (COVID-19) national public health emergency? 

The HHS Office for Civil Rights (OCR) announced on March 17, 2020, that it will waive potential HIPAA penalties for good faith use of telehealth during the nationwide public health emergency due to COVID-19. This applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. The notification and accompanying fact sheet explain how covered health care providers can use everyday communications technologies to offer telehealth to patients responsibly. NPs are encouraged to review the notification, and to routinely monitor the HHS Special Topics page on HIPAA, Civil Rights, and COVID-19 for more information. 

This notice also means that covered health care providers may now use popular applications that allow for video chats, including Apple FaceTime, Google Hangouts video, or Skype, to provide telehealth during the COVID-19 nationwide public health emergency without risk of incurring a penalty for noncompliance with HIPAA Rules. If health care providers chose to use these applications to provide telehealth, providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. There are many HIPAA-compliant telehealth solutions. While we do not endorse any specific brand here are names of a few options in no particular order: Doxy.me , thera-LINK,  TheraNest, SimplePractice, Zoom for health care, and VSee. We also recommend you contact CANP colleagues to see what they may recommend to fit your needs. 

How can NPs ensure the care and treatment delivered via telehealth is high-quality?

Increased use of telehealth means that health care organizations and NPs need to develop guidelines for monitoring telehealth practitioners and sharing internal review information. Federal law requires that, at a minimum, this shared information must include adverse events that result from an NP’s telehealth services and complaints a health care organization receives about an NP.

NPs must adhere to traditional clinical standards of care, and practice within the scope of practice authorized by law. The American Telemedicine Association has promulgated a variety of practice guidelines. The Telehealth Resource Center also provides resources for building and developing a telehealth program. 

Complete basic training in the telehealth system in use at your practice and participate in all training updates. Conduct routine audits of equipment and software functionality and know how to respond to equipment malfunctions. Regular equipment testing, and maintenance helps prevent potential technical and user problems. Equipment should be suitable for diagnostic and treatment uses, readily available when needed and fully functional during clinical encounters. Facility safety guidelines should specify who is responsible for maintenance- know who to contact for technological assistance. Utilize checklists or logs to facilitate documentation of post-installation testing, pre-session calibration, and ongoing quality checking of audio, video and data transmission capabilities.

Satisfaction surveys capture vital data regarding patient and provider perceptions of the telehealth program, as well as utilization patterns and the overall quality of care. Surveys also can reveal unexpected barriers to care, including accessibility issues and cost. A sample survey format for telehealth encounters is available here.

How should telehealth be documented? 

Telehealth sessions should be as thoroughly documented as all other patient encounters, with both partners to the telehealth agreement contributing to the process. All communications with the patient (verbal, audiovisual, or written) should be documented in the patient’s unique medical record (electronic medical record or paper chart) in accordance with documentation standards of in-person visits. Be sure to document follow-up instructions and any referrals to specialists. Also, fully document the specific interactive telecommunication technology used to render the consultation and the reason the consultation was conducted using telecommunication technology, and not face-to-face, in the patient’s medical record, in accordance with state and federal regulations.

The use of standardized intake and consultation forms can help NPs achieve compliance with documentation parameters. Templates, such as those available from the American Telemedicine Association, offer a clear and consistent documentation format for evaluations and consultations.

Final thoughts

The emergence of telehealth capabilities during the current COVID-19 emergency period presents exciting opportunities to address some of the biggest challenges facing health care. Demand for telehealth services is expected to grow as connected devices proliferate and interoperability between health care providers expands. The provider-patient relationship will likely evolve as NPs use telehealth to develop and maintain patient relationships over greater distances and patients grow accustomed to new flexible, personalized care models. As health care continues to transform with the use of technology, it is essential for NPs to be aware of the legal, ethical, and regulatory implications to their practice. 

References and Additional Resources

• CNA and NSO: Health Care Perspective: Telemedicine.
• HHS: HIPAA for Professionals.
• HHS: HIPAA, Civil Rights, and COVID-19.
• HHS: Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency.
• CMS: Medicare Telemedicine Health Care Provider Fact Sheet.
• American Telemedicine Association.
• American Health Information Management Association.
• Telehealth Resource Center.
• Center for Connected Health Policy (CCHP).
• Foley & Lardner: 50-State Survey of Telehealth Commercial Payer Statutes.
• Center for Connected Health Policy (CCHP): State Telehealth Laws & Reimbursement Policies.
• American Association of Nurse Practitioners (AANP): Telehealth.
• Balestra, M. Telehealth and Legal Implications for Nurse Practitioners. The Journal for Nurse Practitioners.

This risk management information was provided by Nurses Service Organization (NSO), the nation's largest provider of nurses’ professional liability insurance coverage for over 550,000 nurses since 1976. CANP endorses the individual professional liability insurance policy administered through NSO and underwritten by American Casualty Company of Reading, Pennsylvania, a CNA company. Reproduction without permission of the publisher is prohibited. For questions, send an e-mail to service@nso.com or call 1-800-247-1500. www.nso.com.

The information, examples and suggestions presented in this material have been developed from sources believed to be reliable, but they should not be construed as legal or other professional advice or to establish appropriate or acceptable standards of professional conduct. Neither Affinity Insurance Services, Inc., NSO, nor CNA accepts responsibility for the accuracy or completeness of this material and recommends the consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations. Please note that Internet hyperlinks cited herein are active as of the date of publication but may be subject to change or discontinuation. This material is for illustrative purposes and is not intended to constitute a contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice