Telehealth Rules and Best Practices

Healthcare and Telehealth Law
Written By Dan Pepitone

Home > Guides > Telehealth Rules and Best Practices

Disclaimer

This guide addresses some of the regulations governing telehealth, and best practices recommendations, for mental health professionals in New York. It does not include every consideration and there are many more resources on these topics. This guide was last updated on December 19, 2023 and some of the information may have since changed. The information in this guide is not legal advice and is not intended to be relied upon as legal advice. If you have a legal issue, you should not rely on this information and instead speak to an attorney.

This guide includes links to third party websites for access to information and resources. We do not control these websites. We have not reviewed all the content that appears on these websites, and are not responsible for the legality, accuracy, or appropriateness of their content. Content on these websites may change at any time, including after we decide to share their links on this site. For legal advice about your specific situation, you should consult with a qualified attorney.

Thank You to Person Centered Tech

This guide was created with substantial reliance on the excellent consults, resources, trainings, and materials provided by Person Centered Tech. Some of their materials are provided here by permission and courtesy of Person Centered Tech. They are part of the resources included in Person Centered Tech's comprehensive, standards-based Telemental Health Certificate Program. You can find these resources and access direct support and consultation from their exceptional team at personcenteredtech.com.

Defining Telehealth

For the purposes of this guide, “telehealth” (also referred to as “telepractice” in New York") is the use of electronic communication and information technologies - such as telephone, e-mail, and videoconferencing - to provide health services.

 In its guide to Telepractice, the New York State Education Department Office of Professions states that:

·      Telepractice includes the use of telecommunications and web-based applications to provide assessment, diagnosis, intervention, consultation, supervision, education and information across distance.

·      It may include providing non-face-to-face psychological, mental health, marriage and family, creative arts, psychoanalytic, psychotherapy and social work services via technology such as telephone, e-mail, chat and videoconferencing.

Regulations and Ethical Guidelines

A number of regulations and ethical guidelines directly or indirectly govern telehealth use, including:

·      HIPAA

·      Guidance from the New York State Education Department’s Office of Professions (see their Telepractice Guidance)

·      Ethics Codes and Standards like the National Association of Social Workers’ Code of Ethics (sections 1.03 on informed consent, 1.07 on privacy and confidentiality)  and Standards for Technology in Social Work Practice

·      Medicare, Medicaid, and many private insurance companies have expanded coverage for telehealth but it is important for providers to understand the rules related to insurance plans they accept, including how they define telehealth, what delivery methods are covered, geographic limits, varied coding requirements, and additional credentialling processes

·      For New York State Office of Mental Health providers, see the New York State Mental Hygiene Law and the Office of Mental Health’s guide, Telehealth Services Guidance for OMH Providers

·      For addiction service providers, the New York State Office of Addiction Services and Supports regulations apply

·      Additional regulations, like the Controlled Substances Act, apply when providers are prescribing medication

·      Additional regulations, like the Anti-Kickback Statute, the Stark Law, and the False Claims Act, apply to situations of fraud and abuse

·      Malpractice insurance carriers may also institute their own rules on providers’ use of telehealth

Generally speaking, by following HIPAA’s specific standards and rules, providers can meet their legal and ethical responsibilities to clients to properly handle and maintain their information.  

HIPAA

As the CDC states: “The Health Insurance Portability and Accountability Act (HIPAA) is a national standard that protects sensitive patient health information from being disclosed without the patient’s consent or knowledge.”

Privacy Rule

The main goal of the Privacy Rule “is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.” The CDC’s Publication on HIPAA.

Security Rule

While the HIPAA Privacy Rule covers all PHI, the Security Rule specifically protects e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing.

Compliance with HIPAA

As the Department of Health and Human Services states:

compliance is different for each organization and no single strategy will serve all covered entities. Covered entities should look to § 164.306 of the Security Rule for guidance to support decisions on how to comply with the standards and implementation specifications contained in §§ 164.308, 164.310, 164.312, 164.314, and 164.316. In general, this includes:

1.     performing a risk analysis

2.     implementing reasonable and appropriate security measures;

3.     and documenting and maintaining policies, procedures and other required documentation.

Person Centered Tech has numerous resources to help providers maintain HIPAA compliance, including their simple guide, Mental Health Pros’ 3 Steps to (Actually) Be HIPAA Security Compliant.

BEST PRACTICES

Provider Best Practices

  • Choose software that you are comfortable with and practice with it before using it with clients

  • Perform risk analyses

  • Implement reasonable and appropriate security measures

  • Document and maintain policies and procedures

  • Train staff on the practice’s security policies and procedures

  • Get BAAs

  • Evaluate whether the telehealth technology is appropriate for each client individually. Consider the client’s safety and environment, mental and physical health concerns, access to proper devices and stable internet, and ability handle tech access and problems

  • Ensure that the standard of care for in-person sessions is applied to telehealth

  • Be available to accommodate in-person sessions should the client have the clinical need

  • Talk to clients about their understanding of privacy and confidentiality

  • Obtain and document informed consent from clients

    • Clients have the right to make an informed decision about their care. To do so, they need to understand the purpose of each option and the risks and benefits of those options. They also need to know they can refuse or withdraw consent.

    • Discuss the advantages and disadvantages of any technology used with a client in the delivery of services

    • Obtain written informed consent for the use of videoconferencing

    • If clients will pay by credit or debit card, or receive email or text receipts for payments, advise them that this documentation can expose the client’s health information (i.e., that they receive treatment) to third-parties

    • Document informed consent conversations and the client’s decision

    • See the NASW’s Telemental Health Consent Form and Person Centered Tech’s Telemental Health Informed Consent Template

  • Talk to clients about how you will communicate if the technology fails or the session is interrupted

  • Talk to clients about who you should contact in case they have a medical emergency or mental health crisis

  • Ask the client where they are located and document other telehealth considerations for teletherapy sessions (See Person Centered Tech’s Sample Telehealth Documentation Form)

  • If you send electronic messages to clients, use encryption technology and obtain informed consent for use of those technologies (See Person Centered Tech’s Request For NonSecure Communications Form)

  • See the Office of Professions’ guide to Telepractice and follow the Client Best Practices below

  • Accommodations for Individuals with Disabilities. The Americans with Disabilities Act and other civil rights laws apply to telehealth. Among other measures, ensure that you:

    • accommodate individuals with disabilities by providing interpreters, captioning, and other assistive technologies

    • properly modifying your lighting, sound, the quality of your video, and more.

    • See the US Department of Justice’s Civil Rights Division’s guide, Telehealth.

  • Safety of Survivors. Among other measures, providers should:

  • Working with Children. Among other measures, providers should:

Client Best Practices

  • Create a confidential space

  • Install anti-malware software

  • Update your computer and apps frequently to “improve security by fixing vulnerabilities cyber-criminals are known to exploit”*

*as stated in DHHS’s guide, Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth)

Other Resources

·       The NASW’s guide, 8 Ethical Considerations for Starting a Telehealth Practice

·       The NASW’s guide to Telehealth

·       The NASW’s guide to Technology

·       Person Centered Tech’s guide, Understanding How HIPAA Applies to You

Consult an Attorney

An experienced attorney can help you determine your practice’s specific responsibilities and advise you about how to efficiently meet them. Contact Pepitone Law for a consultation.

Dan Pepitone
Previous

Professional Wills and Preparing for Personal Emergencies
Next

Corporate Transparency Act Reporting for Small businesses