Telemedicine Compliance Issues Other Than HIPAA: HIPAA & HITECH Act Blog by Jonathan P. Tomes

Jon Tomes

In what I suppose is a somewhat off-topic subject, I thought that I might remind readers that HIPAA compliance is not the only legal and regulatory issue that telemedicine  communications involve. Such issues include these:

  • Is telemedicine across state lines the unauthorized practice of medicine?
  • Does telemedicine require informed consent?
  • Does telemedicine comply with the Affordable Care Act (“ACA”)?
  • Does telemedicine comply with the Consolidation Omnibus Budget Reconciliation Act (“COBRA”)?
  • Does telemedicine comply with the Employee Retirement Income Security Act (“ERISA”)?
  • Does telemedicine involve fraud and abuse issues?

 Telemedicine is the diagnosis and treatment of a condition by a physician or other provider via technology, such as video conferencing, zooming, and so forth, rather than in a face-to-face encounter. Those involved in providing or regulating telemedicine have, however, had difficulty integrating telemedicine into our encounter-based health care delivery system.

Unauthorized Practice of Medicine

 Generally speaking, state laws govern the practice of medicine, except, of course, for HIPAA and the HITECH Act. Unfortunately, state laws are hardly uniform. Many states still enforce existing, and often old, laws governing the practice of medicine and related businesses, such as pharmacies.

 Some states have modernized their laws with regard to telemedicine. California, New Jersey, and Pennsylvania, for example, explicitly permit telemedicine, but each with different conditions.

A recent disciplinary action emphasizes the importance of not determining whether your state permits telemedicine. The Idaho Board of Medicine disciplined a doctor who provided services through a national telemedicine service. The patient had called into the telemedicine service complaining of flu-like symptoms, and the service referred the patient to the doctor. who was under contract with the company. After having interviewed the patient by phone, the physician prescribed medication if the patient’s symptoms were to worsen. The State Board ruled that because the physician had failed to establish a physician-patient relationship because she did not examine the patient in person, she was not authorized to prescribe a medication. The board fined the physician $10,000 and restricted her license. Her licenses to practice medicine in Idaho and other states are under review. With the current health emergency, one can only hope that she can continue to practice despite this delict, which hardly seems to rise to the level of Medicare fraud or representing oneself to be a doctor when one is not. The latter is the real unauthorized practice of medicine.

Informed Consent to Practice Telemedicine

 Although the law does not appear to require informed consent to practice telemedicine, good practice clearly does. An informed consent, as opposed to a consent generally, spells out the risks of the activity so that the patient can balance the risks against the benefits. The risks include those that HIPAA is intended to mitigate, such as hacking, unauthorized access, improper disclosure, and the like. See my sample informed consent for telemedicine at

Affordable Care Act

In the Affordable Care Act (“ACA”), the federal government moved toward encouraging telehealth services in health care coverage. The ACA, however, only implemented telehealth at the federal level through Medicare, in certain circumstances. The power to determine which, if any, telehealth services is covered by Medicaid still remains largely within the powers of individual states. Also, states can govern private payer telehealth reimbursement policies. This rule means that telehealth implementation varies from state to state in terms of what services providers will be reimbursed for delivering, as well as what sort of “parity,” defined as “equivalent treatment of analogous services,” is expected between in-person health services reimbursements and telehealth reimbursements. Thus, a practitioner must not only determine whether telemedicine is the unauthorized practice of medicine but also whether the particular encounter can be reimbursed.


The Consolidation Omnibus Budget Reconciliation Act (“COBRA”), clearly applies to telemedicine. COBRA generally requires that group health plans sponsored by employers with 20 or more employees in the prior year offer employees and their families the opportunity for a temporary extension of health coverage  in circumstances, such as job loss, where coverage under the plan would otherwise end.

Many employers add telemedicine as part of their existing group health plan. COBRA beneficiaries would be able to take advantage of telemedicine services on the same basis as active employees. The employer must ensure that adding telemedicine into the group health plan is clear in the plan documentation.

Offering telemedicine services on a stand-alone basis―that is, employees who are not enrolled in the group health plan are eligible to participate in the telemedicine program―is not so clear-cut. The telemedicine program would likely create a separate group health plan subject to COBRA and other federal laws. The employer would be required to offer COBRA to all individuals who were enrolled in the telehealth program on the day before a COBRA qualifying event.


The Employee Retirement Income Security Act (“ERISA”) is a federal law that sets minimum standards for most voluntarily established retirement and health plans in private industry to provide protection for individuals in these plans. Because ERISA’s definitions of “group health plan” and “medical care” are quite broad, most telemedicine programs would be considered as providing medical care and would therefore be subject to ERISA. Thus, unless another exception applies, a telemedicine program would be subject to ERISA’s requirements, including the written plan document, Summary Plan Description (“SPD”), and Form 5500 requirements.

Note that the Health Care at Home Act, H.R. 6644, is pending in Congress. Among other things, this legislation would do the following:

  • Ensure that all medically necessary benefits in ERISA plans are covered via telehealth for the duration of the COVID-19 public health emergency.
  • Establish parity between telehealth and face-to-face visits, including audio-only visits.
  • Bar restrictions on which conditions can be managed remotely.
  • Ensure that all cost-sharing for COVID-19 related treatment can be waived.

Fraud and Abuse Issues

In 2016, for example, the federal government prosecuted a mental health practice for a False Claims Act (“FCA”) violation for allegedly submitting false claims to Medicare for certain services provided to patients via telemedicine. In addition, providers may be subject to false claims liability in connection with telehealth services provided in contravention of state and/or federal law, such as not being licensed in the state in which the patient is located. The FCA also carries criminal penalties of incarceration for up to five years for each violation and a $250,000 fine. Further, the False Claims Act is not the only enforcement action that could result from misuse of telemedicine. It could also constitute Medicare Fraud or a violation of the Anti-Kickback Statute, both of which carry stiff criminal penalties under the federal sentencing guidelines.


Covered entities and their business associates who are involved in telemedicine must not only be compliant with HIPAA but also with the other issues specified above. This blog post is not intended to be a comprehensive guide to these areas, but rather to alert readers to consider which of them may apply to their practices and energize them to ensure compliance.

I am considering writing another book, “The Guide to Telemedicine Compliance.” If you have any comments, questions, or ideas or if you would like to contribute a chapter (for appropriate co-author credit), please contact me at Thank you.


seo by: k.c. seo