All legal and ethical requirements that apply for in-person treatment apply for the use of any technology.
Several organizations have released practice guidelines for telemental health therapy, which are available here:
- The American Psychological Association (APA) - Guidelines for the Practice of Telepsychology (2013)
- American Telemedicine Association (ATA) - Evidence-based Practice for Telemental Health Practice Guidelines for Videoconferencing Based Telemental Health (2018)
When utilizing Telehealth, providers should understand and comply with state/provincial/federal laws regarding informed consent, intake processes, progress notes, termination notes, mandated reporting (e.g., suicide risk, Tarasoff duty to warn, child abuse), telemental health training, supervision, and security and/or privacy laws.
To find licensing information regarding Telehealth:
- Visit your local licensing board website.
- Read licensure information with an eye to Telehealth, even if the word is not mentioned.
- If not sure, contact the licensing board in writing to get information on the requirements.
HIPAA and Privacy Issues
As a Telehealth provider, you need to be intimately familiar with the Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996.
HIPAA does the following:
- Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
- Reduces health care fraud and abuse
- Mandates industry-wide standards for health care information on electronic billing and other processes
- Requires the protection and confidential handling of protected health information.
While HIPAA has several different standards and rules that apply to different aspects of health care and insurance, the two relevant HIPAA rules are the Privacy Rule and the Security Rule.
- Client names
- Geographical elements (such as a street address, city, county, or zip code)
- Dates related to health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a client older than 89)
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device attributes or serial numbers
- Digital identifiers, such as website URLs
- IP addresses
- Biometric elements, including finger, retinal, and voiceprints
- Full face photographic images
- Other identifying numbers or codes
- With written consent of the client
- To protect from imminent harm or danger
- When the client brings any public charges against the licensee
- To report abuse, neglect, or exploitation
- To report or consult with colleagues or supervisors who share the responsibility
- Physical security – required to protect electronic systems, equipment, and data
- Administrative security – assignment of security responsibility to an individual
- Technical security – authentication and encryption used to control access to data
There are several safeguards that must be put into place when conducting Telehealth as a provider or organization. Some examples of administrative, physical and technical safeguards to develop and implement include:
- Establish Business Associate Agreements with third parties
- Have written procedures (e.g., policies and procedures manual) in place on what to do if there is a breach
- Conduct regular auditing and monitoring
- Provide security awareness and training
- Private space
- Sound machine
- Sign on the door when you are in session
- Not using personal cell phones for communication with clients
- Appointments when family is not home
- Shut the blinds
- Use two-factor authentication and secure passwords, including on your phone, because it is used for client communication/PHI
- Ensuring that all passwords are secure
- Make sure that all video is encrypted and erased during transmission and storage
- Ensure that the network being used is secured (https means the website is secure; http means it is not secure)
- Use a VPN (virtual private network). Install a VPN on any device that is potentially used to communicate with clients or access confidential information
- Install and update malware protection (antivirus, firewall)
- Use an encrypted cloud to store information
A HIPAA breach can occur when there is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI. The HIPAA Breach Notification Rule stipulates that organizations have up to 60 days to notify clients/individuals, the Department of Health and Human Services (HHS), and sometimes the media of PHI data breaches.
An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the protected health information or to whom the disclosure was made
- Whether the protected health information was actually acquired or viewed
- The extent to which the risk to the protected health information has been mitigated
There are several state Telehealth guidelines and regulations that must be followed when conducting Telehealth. The American Telemedicine Association has published many of these guidelines:
The laws and regulations are not evolving fast enough to keep up with technological advances. Because of this, practicing across state lines is limited. The Department of Defense (DoD) and Veterans Affairs (VA) do allow practice across state lines. Traditionally, you can only provide services in the state where you are licensed or registered. More specifically, you need to be licensed or registered in the state of the client’s physical location at the time of contact – the originating site (not the client’s state of residence, which can be different from their physical location). Regardless of where the client resides, once they set foot in a particular state, that state’s licensing board takes on responsibility for their protection. That’s why it is important to require clients to attest to their location on every call.
Concerns often fade as clinicians gain experience doing Telehealth. In many cases, after a while, the content, process, and quality of the communication feels more comfortable for the provider as well as the client. Creative adaptations are sometimes required, for example, being flexible in the face of poor connectivity in rural areas. But the good news is that a wealth of research has shown that Telehealth is not inferior to face-to-face treatment. It is more accessible to clients but is not less powerful clinically.
- Some states openly allow clinicians licensed outside of their borders to offer Telehealth to clients in their jurisdiction, other states restrict and regulate it, and some states prohibit it altogether.
- You can get licensed in another state to solve this problem, especially if you live close to the border of another state and get many clients from out of state.
- If you need to temporarily work with a client while the client is in a foreign state, it would be wise to first confirm the temporary practice rules (or lack thereof) of that state’s board which regulates your profession. Temporary practice rules will usually be in the administrative rules of the licensing board. They could also, potentially, be in some general Telehealth or telemedicine law. They usually are in the board’s administrative rules, though.
- If the state discovers that a practitioner is offering services in their jurisdiction without the appropriate authorization, they might be able to bring penalties against the practitioner, which could include reprimand, fines, suspension or revocation of license, charges of criminal behavior, or, while unlikely, even incarceration.
- What if you are out of state? If the state where you are licensed (and where the client currently is) allows practice while the licensee is out of state, then it is permitted. But it may be easier to just reschedule.
- In 2019, psychology joined other healthcare professions utilizing interstate compacts to address the regulation of interstate practice. PSYPACT is an interstate compact specifically designed to facilitate the practice of telepsychology and the temporary face-to-face practice of psychology across state lines without necessitating licensure in every state.
- An example of another interstate compact is a driver’s license, which is recognized in all states even though you are only licensed in one state. Interstate Medical Licensure is another medical example.
- PSYPACT requires that a psychologist be licensed in their home state but allows a psychologist to practice telepsychology in a receiving state or conduct temporary in-person, face-to-face practice in a distant state. In‐person, face‐to‐face practice is limited to 30 days within a calendar year.
- Under PSYPACT, the home state has jurisdiction and authority over psychologists licensed in that state (not the client’s originating/receiving state) when doing telepsychology (temporary in-person services are subject to the client’s state laws).
See this link to obtain more information about PSYPACT, including participating states:
While the provider may already have informed consent documents used for in-person delivery, there are some important aspects of Telehealth delivery that are recommended to be included or added to these procedures.
- Utilize teleservice platforms that provide encryption and data security, as well as follow state and federal privacy regulations
- Describe the encryption or privacy aspects of the teleservice platform during the informed consent process
- Recommend that clients use a private internet source, especially if there isn’t end-to-end encryption as part of the software
- If there are technical difficulties with video access, it may be difficult to confirm the client’s identity
- If the device is lost or stolen, it is important to know what personal information may be stored on the device (if any) and what risk that may be to the client’s privacy
- Since sessions often take place at home or at work, providers may have more access to the client than they would in office-based sessions. Because of this, it is important to remind clients of their right to privacy during sessions.
- Establish a contact plan, including how contact will be made (phone, text, email, etc), who will initiate contact, and whether a message can be left.
Check Your Knowledge
Question 1 of 3
HIPAA requires the protection and confidential handling of protected health information. It requires that the client provide written consent to allow clinicians to consult with experts in their agency about the client and the client’s treatment needs.
Correct answer: False
One of the 5 exceptions to the HIPAA privacy rule is that clinicians are permitted to consult colleagues or supervisors who share the responsibility for the client’s needs. The other exceptions include (1) protecting the client from imminent harm or danger; (2) reporting abuse, neglect, or exploitation; (3) situations in which the client brings public charges against the clinician; and (4) when written consent is obtained from the client.
Question 2 of 3
Telehealth is similar to in-person services when considering confidentiality, privacy, and data security risks.
Correct answer: False
Whereas there are many similarities, there are also many unique vulnerabilities that must be addressed in telehealth treatment, such as: (1) using teleservice platforms that meet appropriate security standards, (2) recommending that clients use a non-public internet source, (3) maintaining awareness of personal information stored on clients’ devices that may be a risk to their privacy, and (4) maintaining clear communication with the client about risks to privacy and best ways to make contact and leave messages.
Question 3 of 3
Which of the following is true?
Correct answer: (a) It is generally okay for you to have a telehealth session with an established telehealth client while you are traveling out of state.
Different states have different rules and policies, so it is best to consult your state’s LLR board whenever you have uncertainty around your state’s policies. Generally, if you are licensed in a particular state, the client needs to be physically present in that state for any treatment sessions you have with them. Where you are physically located at the time is less important. But, again, these policies differ from state to state, so check your state’s policies!