Legal and Ethical Aspects of Telehealth

All legal and ethical requirements that apply for in-person treatment apply for the use of any technology.

Ethical Considerations

Several organizations have released practice guidelines for telemental health therapy, which are available here:

When utilizing Telehealth, providers should understand and comply with state/provincial/federal laws regarding informed consent, intake processes, progress notes, termination notes, mandated reporting (e.g., suicide risk, Tarasoff duty to warn, child abuse), telemental health training, supervision, and security and/or privacy laws.

To find licensing information regarding Telehealth:

  • Visit your local licensing board website.
  • Read licensure information with an eye to Telehealth, even if the word is not mentioned.
  • If not sure, contact in writing the licensing board to get information on the requirements.

HIPAA and Privacy Issues

As a Telehealth provider, you need to be intimately familiar with the Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996.

HIPAA does the following:

  • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
  • Reduces health care fraud and abuse
  • Mandated industry-wide standards for health care information on electronic billing and other processes
  • Requires the protection and confidential handling of protected health information.

While HIPAA has several different standards and rules that apply to different aspects of health care and insurance, the 2 relevant HIPAA rules include the privacy rule and security rule.

  • Client names
  • Geographical elements (such as a street address, city, county, or zip code)
  • Dates related to health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a client older than 89)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers
  • Device attributes or serial numbers
  • Digital identifiers, such as website URLs
  • IP addresses
  • Biometric elements, including finger, retinal, and voiceprints
  • Full face photographic images
  • Other identifying numbers or codes

  • With written consent of the client
  • To protect from imminent harm or danger
  • When the client brings any public charges against the licensee
  • To report abuse, neglect, or exploitation
  • To report or consult with colleagues or supervisors who share the responsibility

  • Physical security – required to protect electronic systems, equipment, and data
  • Administrative security – assignment of security responsibility to an individual
  • Technical security – authentication and encryption used to control access to data

Safeguards

There are several safeguards that must be put into place when conducting Telehealth as a provider or organization. Some examples of administrative, physical and technical safeguards to develop and implement include:

  • Establish Business Associate Agreements with third parties
  • Have written procedures (e.g., policies and procedures manual) in place on what to do it there is a breach
  • Conduct regular auditing and monitoring
  • Provide security awareness and training

  • Private space
  • Sound machine
  • Sign on the door when you are in session
  • Not using personal cell phones for communication with clients
  • Headphones
  • Appointments when family is not home
  • Shut the blinds

  • Use two-factor authentication and secure passwords, including your phone due to client communication/PHI
  • Ensuring that all passwords are secure
  • Make sure that all video is encrypted and erased during transmission and storage
  • Ensure that the network being used is secured (https means the website it secure; http means it is not secure
  • Use a VPN, virtual private network. Install a VPN on any device that is potentially used to communicate with clients or access confidential information
  • Install and update malware protection (antivirus, firewall)
  • Use an encrypted cloud to store information

A HIPAA breach can occur when there an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI. The HIPAA Breach Notification Rule stipulates that organizations have up to 60 days to notify clients/individuals, the Health and Human Services (HHS) and sometimes the media of PHI data breaches.

An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is low probability that the PHI has been compromised based on a risk assessment of at least the following factors.

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the protected health information or to whom the disclosure was made
  • Whether the protected health information was actually acquired or viewed
  • The extent to which the risk to the protected health information has been mitigated

There are several state Telehealth guidelines and regulations that must be followed when conducting Telehealth. The American Telemedicine Association has published many of these guidelines:

Practicing Out-of-State

The laws and regulations are not evolving fast enough to keep up with technological advances. Because of this, practicing across state lines is limited. The Department of Defense (DoD) and Veterans Affairs (VA) do allow practice across state lines. Traditionally, you can only provide services in the state where you are licensed or registered. More specifically, you need to be licensed or registered in the state of the client’s physical location at the time of contact – the originating site (not the client’s state of residence, which can be different from their physical location). Regardless of where the client resides, once they set foot in a particular state, that state’s licensing board takes on responsibility for their protection. That’s why it is important to require clients to attest to their location on every call.

Concerns often fade as clinicians gain experience doing Telehealth. In many cases, after a while, the content, process, and quality of the communication feels more comfortable for the provider as well as the client. Creative adaptations are sometimes required, for example, being flexible in the face of poor connectivity in rural areas. But the good news is that a wealth of research has shown that Telehealth is not inferior to face-to-face treatment. It is more accessible to clients but is not less powerful clinically.

  • Some states openly allow clinicians licensed outside of their borders to offer Telehealth to clients in their jurisdiction, other states restrict and regulate it, and some states prohibit it altogether.
  • You can get licensed in another state to solve this problem, especially if you live close to the border of another state and get many clients from out of state.
  • If you need to temporarily work with a client while the client is in a foreign state, it would be wise to first confirm the temporary practice rules (or lack thereof) of that state’s board which regulates your profession. Temporary practice rules will usually be in the administrative rules of the licensing board. They could also, potentially, be in some general Telehealth or telemedicine law. They usually are in the board’s administrative rules, though.
  • If the state discovers that a practitioner is offering services in their jurisdiction without the appropriate authorization, they might be able to bring penalties against the practitioner, which could include reprimand, fines, suspension or revocation of license, charges of criminal behavior, or, while unlikely, even incarceration.
  • What if you are out of state? If the state where you are licensed (and where the client currently is) allows practice while the licensee is out of state, then permitted. But, it may be easier to just reschedule.

Interstate Regulations

  • In 2019, psychology joined other healthcare professions utilizing interstate compacts to address the regulation of interstate practice. PSYPACT is an interstate compact specifically designed to facilitate the practice of telepsychology and the temporary face-to-face practice of psychology across state lines without necessitating licensure in every state.
  • An example of another interstate compact is a driver’s license that is recognized in all states even through you are only licensed in one state. Interstate Medical Licensure is another medical example.
  • PSYPACT requires that a psychologist be licensed in their home state but allows a psychologist to practice telepsychology in a receiving state or conduct temporary in-person, face-to-face practice in a distant state. In‐person, face‐to‐face practice is limited to 30 days within a calendar year.
  • Under PSYPACT, home state has jurisdiction and authority over psychologists licensed in their state (not the client’s originating/receiving state) when doing telepsychology (temporary in-person services are subject to the client’s state laws).
  • See this link to obtain more information about PSYPACT, including participating states:
    https://psypact.site-ym.com/page/psypactmap

Informed Consent

While the provider may already have informed consent documents used for in-person delivery, there are some important aspects of Telehealth delivery that are recommended to be included or added to these procedures.

Check Your Knowledge