chevron-down Created with Sketch Beta.
February 05, 2020

Physician Law Evolving Trends and Hot Topics: Telehealth

By Jeremy Sherer, J.D., LL.M. and Amy Joseph, J.D., Hooper, Lundy & Bookman, P.C., Boston, MA

I.  Introduction – What is Telehealth? Is it Different from Telemedicine?

This article introduces the range of legal issues that providing clinical services via telehealth may implicate. The purpose of this article is to set forth a framework for analysis of the practice of medicine through telehealth modalities in the United States.

This article is organized into five sections, including this introduction. Section II explores the state-specific regulatory and scope of practice issues that clinicians need to consider when providing services in various jurisdictions. Section III addresses coverage and reimbursement of clinical services delivered via telehealth, and the differences involved depending on who is paying for such services. Section IV discusses how federal and state fraud and abuse laws apply in the telehealth context. Finally, Section V includes a number of important, miscellaneous issues that arise in this context.

Please note that this article is meant to function as a guide to key issues, and does not attempt to comprehensively address all applicable telehealth laws for each state across the United States. 

A.  Telehealth vs. Telemedicine

As the utilization of “telemedicine” or “telehealth” has increased in recent years, what exactly these terms reference remains somewhat elusive, and more often than not they are used somewhat interchangeably. “Telemedicine” is traditionally used to reference the clinical services that are delivered via telehealth technology, while “telehealth” is a more expansive term which describes the range of healthcare services that can be delivered through this technology, including diagnosis and management, education, monitoring and other services. Because it is more expansive, this article uses  “telehealth”  instead of “telemedicine.”

B.  Telehealth Terminology

Certain terms are used throughout this article. . An “originating site” references the site where the patient is located during a telehealth encounter, while a “distant site” references the location of the clinician while he/she treats the patient. Under the “hub” and “spoke” model, an arrangement which describes a healthcare facility’s clinicians rendering services to patients at other facilities, the physician is located at the “hub” facility, while the patient is located at the “spoke” facility.

C.  Telehealth Modalities

Telehealth generally encompasses three different clinical modalities, or ways of delivering healthcare services to patients. “Synchronous audio-video” references a live, two-way, audio-video communication between a practitioner and a patient. In everyday terms, this looks like a “video chat” one might have through services like Skype, or the FaceTime feature on an iPhone. This most closely replicates the face-to-face interaction that is normally involved in establishing a practitioner-patient relationship.

In addition to synchronous, or live, communication, telehealth may also include “store and forward” communication, a type of “asynchronous” communication where a patient captures — and “stores” — clinical data, and then transmits — or “forwards” — such data to a practitioner to evaluate it remotely. Clinical services that commonly utilize “store and forward” technology include x-ray or CT image analysis, and pre-recorded photographs or videos highlighting a patient’s symptoms. From a clinical perspective, this type of communication is most widely utilized in disciplines like dermatology and ophthalmology, where an image may be sufficient to competently treat a patient.

A third type of telehealth technology is remote patient monitoring, or “RPM.” RPM involves using digital technology to collect medical and other forms of data from individuals in one location and electronically transmit that information securely to healthcare providers in a different location for assessment and recommendations. Typically, this involves monitoring data like a patient’s vital signs, blood pressure, weight, blood sugar, oxygen levels, or heart rate, and enables a clinician (or team of clinicians) to monitor a patient’s progress over an extended period of time.

D.  Online Questionnaires, Faxes, Artificial Intelligence, etc.

What about smart questionnaires, live “instant messaging,” faxing, email, texting, and the like? What constitutes “telehealth” varies. However, the Centers for Medicare & Medicaid Services (CMS) defines telehealth to include two-way, real-time, interactive communication between a patient at an originating site and a physician at a distant site, and specifically excludes communication through telephones, fax machines, and email.1 Many states’ definitions follow CMS’s lead in this definition of telehealth by explicitly including synchronous audio-video communication and excluding other, less interactive forms of communication.2 In particular, a number of states exclude online questionnaires from their definition of telehealth. As states continue to update their telehealth regulations, however, many are expanding the definition of “telehealth” to include store-and-forward and RPM.

II.  State-Specific Regulatory Issues

As a profession, medicine is regulated on a state-by-state basis, by a combination of state medical board standards and state law. As such, while the practices of a particular clinician likely will not vary from state to state, the rules surrounding such practices almost certainly will change, and in some situations quite materially. This is perhaps the most ubiquitous challenge facing providers delivering services to patients across state lines via telehealth and their counsel. This section outlines the primary issues that must be considered when crossing state lines to provide professional services.

A.  Licensure

When providing services via telehealth, a clinician generally needs to be licensed in the state in which the patient is located. There are exceptions to this statement, which is discussed below. However, as a general matter, for reasons related to states’ consumer protection interests, a state has an interest in maintaining oversight when a practitioner is providing services to residents of that state, via telehealth or otherwise.

Licensure requirements and the issues they address vary between states. Some states explicitly address telehealth in their state medical licensing laws and define the practice of medicine to include telehealth that reaches into their state. Some states indirectly address telehealth by deeming the act of diagnosing or recommending treatment through any “electronic” means to constitute practicing medicine in their state.3 Other states use broader language, such as “by any means or instrumentality,” to implicitly subject out-of-state physicians to their medical licensing laws.4 Still other states do not address telehealth, directly or indirectly, in their state physician licensing statutes or regulations. Most importantly, as a general rule, all state medical boards require a license granted by the board to practice medicine in their state. Therefore, in the absence of licensure exceptions for telehealth or special telehealth licensure requirements, all states’ medical boards require a physician to obtain a license to practice medicine in their state before allowing the physician to provide services via telehealth to a patient physically located in their state. Some of the exceptions to this general rule are addressed below.

B.  Licensure Exceptions

There are at least nine state medical or osteopathic boards that issue special licenses or certificates permitting clinicians to provide services via telehealth: Alabama, Louisiana, Maine, Minnesota, New Mexico, Ohio, Oregon, Tennessee (osteopathic board only), and Texas.5 There is also legislation pending in a 10th state, Georgia, to do the same.6 Some states waive licensure requirements for practitioners in neighboring states, such as New York and Maryland.7 Other states create exceptions for specific circumstances. Ohio, for instance, allows clinicians who have treated patients outside of Ohio to provide follow-up treatment when the patient returns to Ohio, as long as such treatment is for the same condition for which the physician last treated the patient outside of Ohio.8 There are also states that have exceptions for professional consults between clinicians, colloquially known as “curbside consults.” Such states generally require each physician to be licensed in the state in which the physician is physically located, and that the services provided be along the lines of a second opinion.9 Still other states exempt physicians from licensure requirements only when the services they provide are infrequent,10 and prohibit out-of-state physicians providing services to residents of the state from performing certain actions within the state.11

C.  Interstate Medical Licensure Compacts

Interstate Medical Licensure Compacts (IMLCs) provide an expedited pathway to licensure for qualified physicians who wish to practice in multiple states. If they satisfy certain requirements for eligibility for IMLC licensure, physicians who are licensed in one of the 29 states to have joined the IMLC as well as Washington, DC and Guam may be able to obtain a license to practice in another IMLC state faster than a physician from a non-IMLC state. Importantly, physicians in IMLC states do not automatically have licensure in other IMLC states. To be eligible for expedited licensure through the IMLC, physicians must:

  • Possess a full and unrestricted license to practice medicine in an IMLC state;
  • Either hold primary residence in one’s State of Principal Licensure (SPL), conduct at least 25 percent of one’s practice of medicine in the SPL, be employed by an entity in the SPL, or use the SPL as one’s state of residence for U.S. federal income tax purposes;
  • Have graduated from an accredited medical school, or a school listed in the International Medical Education Directory;
  • Have successfully passed each component of the United States Medical Licensing Examination (USMLE), Comprehensive Osteopathic Medical Licensing Examination of the United States (COMLEX-USA), or equivalent in no more than three attempts;
  • Hold a current specialty certification or time-unlimited certification by an American Board of Medical Specialties (ABMS)  or American Osteopathic Association/Bureau of Osteopathic Specialists (AOABOS) board;
  • Have no history of disciplinary actions toward one’s medical license;
  • Have no criminal history;
  • Have no history of controlled substance actions toward one’s license; and
  • Not currently be under investigation.12

D.  Establishing a Physician-Patient Relationship

After licensure, the next question that a physician should ask before providing clinical services in another state is what that state requires to establish a physician-patient relationship. Treating a patient without successfully establishing a physician-patient relationship as required by state law leaves physicians at risk of engaging in the unauthorized practice of medicine.

Historically, the question for physicians utilizing telehealth was whether a physician-patient relationship could be established via telehealth, or if such a relationship could only be established through an in-person consultation. This issue was litigated to great effect by the Texas Medical Board and telehealth services provider Teladoc, which ultimately resulted in the Texas Medical Board updating its telehealth regulations to enable providers to establish a physician-patient relationship via telehealth in late 2017.13 Today, a physician-patient relationship can be established via telehealth in all 50 states. However, it is often less clear whether a physician-patient relationship can be established, for instance, via store-and-forward communication, text message, or email. Many states specifically delineate the types of communication that are not sufficient to establish a physician-patient relationship. Arkansas, for instance, states that a professional relationship cannot be established through an internet questionnaire, email message, patient-generated medical history, audio-only communication (including interactive audio), text messaging, facsimile alone, or any combination thereof.14 Maryland, meanwhile, allows a physician-patient relationship to be established via interactive audio or audio-video communication.15 Other states, such as Missouri, defer to the applicable standard of clinical care, providing that a physician-patient relationship can be established via telehealth if the standard of care does not require an in-person encounter (while also stating that an online questionnaire is not sufficient to establish such a relationship).16 Maine allows a physician-patient relationship to be established via telehealth, but specifically states that such a relationship cannot be established through use of an online questionnaire.17

Finally, providers and counsel should note that establishing a physician-patient relationship involves more than the telecommunication modality utilized, and may implicate other regulatory requirements discussed herein. For instance, under New Jersey law, a physician-patient relationship can be established only if the provider verifies the patient’s identity, the provider informs the patient about the provider’s clinical qualifications, and the provider reviews the patient’s medical records before the interaction begins (with exceptions).18 These rules can also be discipline-specific. In Delaware, for example, while a physician-patient relationship typically requires interactive communication, the regulations specifically state that such standards do not apply to radiology or pathology.19

E.  Informed Consent

State laws involving informed consent require clinicians to educate their patients about the benefits, risks, costs, and limitations of a particular course of treatment. At least 38 states currently have telehealth informed-consent requirements,20 and both the Federation of State Medical Boards (FSMB) and the American Medical Association (AMA) have outlined guidelines for providers obtaining informed consent from patients before providing treatment via telehealth, focusing on a patient’s right to refuse services via telehealth without impacting the patient’s ability to receive other healthcare services and to validate and identify the provider’s credentials. The guidelines also address provider obligations, including identifying the patient’s location, disclosing financial interests they might have, informing the patient about how to obtain follow-up care, describing how the patient can obtain his or her medical records, disclosing privacy risks that may exist, highlighting the limitations that exist when providing treatment via telehealth, explaining fees and other payment matters, and obtaining the patient’s express informed consent.21

The rights of patients and obligations of providers are ultimately informed by applicable state law, which varies state by state, but often incorporates many of the concepts outlined in the FSMB and AMA guidelines. Many states specify whether informed consent must be in writing or can be obtained verbally, but the act of obtaining informed consent should always be documented, regardless of state.22 Other states, such as Mississippi, have specific requirements for informed consent when treatment is provided via telehealth, including that patients must be informed about the risks and benefits of telehealth and how they can obtain follow-up care, and must receive information about the treatment they will receive.23 Providers should note, however, that there is considerable variance among the states in how they approach this issue. Indiana, for instance, explicitly prohibits requiring healthcare providers to obtain a separate, written consent before providing services via telehealth.24

F.  Patient and Provider Verification/Validation

Telehealth technology advances seemingly by the day, yet there are still limitations involved with this technology when compared with in-person treatment. During in-person consultations, patients can fairly easily verify their provider’s qualifications, providers can verify the patient’s identity, and there are no questions about where the patient and the provider are located. In this sense, telehealth complicates matters; where the provider and the patient are located matters for purposes of state law, and there is increased risk of unlicensed or under-credentialed individuals misrepresenting their qualifications. For these reasons, states such as South Carolina require providers to disclose their name, location, and credentials to patients when providing services via telehealth.25 Some states, including Louisiana, Mississippi,  and South Carolina, also require clinicians to verify the patient’s identity and/or location before providing services via telehealth.26

G.  Medical Records and Patient Privacy

Numerous states expressly provide that any electronic records or other documents created during or as a result of a telehealth encounter become part of the patient’s permanent medical record and are subject to all other general requirements of patient medical records.27 Similarly, numerous states have taken care to ensure that any electronic records or other documents created during or as a result of a telehealth encounter are subject to all other medical record privacy and confidentiality requirements.28 As a general matter, healthcare providers and their counsel should assume that all federal and state privacy and security obligations, as well as medical record retention obligations, that apply to in-person encounters in the state in which the patient is located also apply to services provided via telehealth.

For example, when contracting with a telehealth vendor to provide the technology with which to connect with patients, physicians that are “covered entities” as defined under the Health Insurance Portability and Accountability Act (HIPAA) should require that the vendor sign a business associate agreement, and should perform due diligence as needed to confirm that the vendor employs reasonable and appropriate technical, administrative, and physical safeguards to protect the information.

H.  Remote Prescribing

Federal Law. In addition to state statutes and regulations governing telehealth, providers and their counsel must consult state pharmacy and prescribing laws to ensure that their remote- prescribing practices are legal. Historically, the regulation of controlled-substance prescribing practices is within the jurisdiction of the federal Drug Enforcement Administration (DEA), leaving states to primarily focus on regulating the prescribing of non-controlled substances. In recent years, however, states have begun to enact their own restrictions regarding practices in prescribing controlled substances, adding requirements beyond those imposed by the DEA. This intersection between state and federal law is one of the most complicated features of the telehealth regulatory landscape and requires significant attention from providers and their counsel.

In 2008, Congress enacted the Ryan Haight Online Pharmacy Consumer Protection Act (the Ryan Haight Act) following the death of Ryan Haight, an 18-year-old who overdosed on Vicodin that he obtained through an online pharmacy from a clinician he never met.29 In response to a growing number of rogue online pharmacies engaging in dangerous practices, Congress passed this law to prohibit any person from dispensing a controlled substance through the internet without a “valid prescription.”30 A “valid prescription” requires the prescribing practitioner to conduct at least one in-person evaluation of the patient, unless the prescribing provider is a “covering practitioner” who conducts a medical evaluation remotely at the request of a provider who is temporarily unavailable and has previously examined the patient in person.31

The Ryan Haight Act does not apply to the “practice of telemedicine.”32 However, the scope of the telemedicine exception is significantly limited, such that in most cases it will not allow a provider to prescribe controlled substances without performing a prior in-person examination. The practice of telemedicine exceptions allow a provider to prescribe controlled substances to a patient without personally performing an in-person physical exam of the patient if the following three conditions are met:

  • The patient is being treated by, and physically located in, a DEA-registered hospital or clinic during the telemedicine encounter;
  • The remote telemedicine provider is registered with the DEA in the state in which the patient is physically located during the telemedicine encounter; and
  • The telemedicine physician interacts with the patient using a two-way, real-time interactive audio and video communications system during the telemedicine encounter.33

Further complicating matters, one of the main elements of the Ryan Haight Act telemedicine exception — a special registration process through which clinicians could obtain training and permission from the DEA to prescribe controlled substances via telehealth without performing an in-person evaluation — was never promulgated by the DEA, despite receiving explicit instruction from Congress more than 10 years ago.34

In recent years, as the opioid epidemic has swept across the United States, lawmakers have become increasingly aware that many of the regions most impacted by this epidemic are rural, and that patients struggling with substance use disorder (SUD) have not been able to obtain necessary medication because of the Ryan Haight Act prohibition on prescribing controlled substances via telehealth without a prior in-person evaluation amidst nationwide physician shortages, particularly in behavioral health. In 2018, the SUPPORT for Patients and Communities Act was signed into law, introducing several reforms in this area.35 First, it added the home as an approved “originating site” for Medicare beneficiaries receiving treatment for SUD, thereby enabling physicians to provide SUD treatment to Medicare beneficiaries, including by prescribing controlled substances, when such patients are located in the home, as of July 1, 2019.36 Second, it instructed state Medicaid programs to develop guidance setting forth how they would allow for controlled substances to be prescribed to patients for purposes of SUD treatment via telehealth.37 Third, it reinforced the DEA’s obligation to develop the telemedicine registration process discussed above by October 2019.38

State Law. Many states have enacted their own restrictions on prescribing controlled substances, in addition to the limitations set forth under applicable federal law. For instance, in 2018 Connecticut passed a law allowing clinicians to engage in medication-assisted treatment via telehealth, but prohibiting them from prescribing opioids in the process.39 Thus, it is critical to consider both federal and state law when determining what practices are acceptable in a particular state concerning controlled substances and remote prescribing.

More broadly, state regulation of remote prescribing generally includes professional licensing rules for clinicians, as well as requirements imposed upon pharmacies and pharmacists regarding dispensing medication. In response to the “pill mills” that gave rise to the Ryan Haight Act at the federal level, many states enacted laws to curb the practices of rogue online pharmacies. As a result, many states, including without limitation Arkansas, Colorado, Delaware, Hawaii, Idaho, Iowa, Kansas, Kentucky, Mississippi, and Wisconsin, continue to explicitly prohibit prescribing medication pursuant to an online questionnaire.40 Some states go further, prohibiting prescribing if a provider has not treated the patient in person. Arkansas law governing the practices of pharmacies and pharmacists states that a “proper physician-patient relationship” must exist before a prescription is issued, and requires an in-person evaluation to establish a “proper physician-patient relationship.”41 Importantly, however, the fact that a state does not explicitly prohibit such conduct does not necessarily mean that it is permitted. For instance, while California law in this area does not explicitly state as much, the California Medical Board has disciplined medical professionals for prescribing medication pursuant to an online questionnaire.

With such laws in place, there is risk in prescribing medication pursuant to these types of communication, even when a clinician feels that he/she has gathered enough information to satisfy the applicable standard of care. As direct-to-consumer platforms grow, prescribing medication pursuant to online questionnaires, interacting with artificial intelligence tools, and text-message communication raise potential legal issues that an increasing number of clinicians and attorneys must navigate. The intersection between state telehealth and pharmacy law is a source of considerable confusion, particularly when such authorities conflict or impose additional requirements for telehealth.

III.  Reimbursement

Coverage and reimbursement for telehealth services (or the lack thereof) is one of the most complex and frustrating areas of telehealth law to navigate for providers and their counsel. Controlling legal authority and coverage policies vary significantly depending on how the services at issue are being financed, i.e., whether a third-party payor is paying for the services and, if so, what that payor requires in order for claims to be paid. This section contains a high-level overview of the issues that providers should understand when submitting claims for telehealth services to Medicare, state Medicaid programs, and commercial insurers.

A.  Medicare Reimbursement

Medicare coverage of telehealth services is historically restrictive, in part because CMS initially perceived telehealth as a way to help rural beneficiaries access care, but not necessarily as a clinical tool to be used more broadly. Congress amended the Social Security Act to cover telehealth services in 1997, and established the definition of “Medicare telehealth services” at that time.42 At a baseline level, in order for Medicare fee-for-service to cover services delivered via telehealth, those services must satisfy the following requirements (with certain exceptions): the originating site (i.e., where the patient is located) must be in a qualifying rural area, the beneficiary must be located at a qualifying originating site, the provider must be an eligible “distant site practitioner,” the interaction must be an interactive, real-time, audio-video communication, and the service must be included on the current year’s list of covered telehealth services.

What is a Qualifying Rural Area?
Qualifying areas must be health professional shortage areas, or HPSAs, with certain exceptions, including being outside of a “Metropolitan Statistical Area” in a rural census tract, or in a county outside of a Metropolitan Statistical Area.43 Conceptually, designation as a HPSA indicates that that there are healthcare provider shortages in primary care, mental health, or dental health.44 Geographic areas that qualify as HPSAs typically experience a shortage of a particular type of provider in the entire service area. In practice, this means that a patient located in an area sufficiently populated with behavioral health clinicians is unlikely to be eligible to receive behavioral health services via telehealth. It also makes it virtually impossible for facilities in urban areas to obtain reimbursement for telehealth services. Providers can determine whether or not they practice in a qualifying area by using the Medicare Telehealth Payment Eligibility Analyzer on the Health Resources and Services Administration (HRSA) website.45

What is a Qualifying Originating Site? For the most part, qualifying originating sites are limited to the following:

  • physician or practitioner’s office;
  • critical access hospital;
  • rural health clinic;
  • federally qualified health center (FQHC);
  • inpatient or outpatient hospital;
  • a hospital-based or critical-access hospital-based renal dialysis center (including satellites);
  • skilled nursing facility;
  • renal dialysis facility (for the purposes of certain monthly clinical assessments related to treatment for end-stage renal disease);
  • the patient’s home (for the purposes of certain monthly clinical assessments related to treatment for end-stage renal disease or treatment of substance use disorder or a co-occurring mental health disorder);
  • mobile stroke unit (for purposes of diagnosis, evaluation, or treatment of symptoms of an acute stroke); or a
  • community mental health center.46

Notably, Congress recently added several approved originating sites to this list through the Balanced Budget Act of 2018, including mobile stroke units, renal dialysis facilities, and the patient’s home for purposes of monthly assessments in the context of home dialysis. There have also been a series of waivers under which Medicare’s traditional telehealth reimbursement requirements have been waived for patients participating in certain value-based demonstrations, such as the Next Generation accountable care organization (ACO) telehealth waiver, and Medicare Advantage plans have had flexibility to offer additional telehealth services as “supplemental” benefits, which is discussed in part B of this section.47 Except under these very narrow circumstances, Medicare does not cover telehealth services rendered to patients in their homes as fee-for-service benefits. In addition to the reimbursement of the physician at the distant site, qualifying originating sites may also bill Medicare for a facility fee related to the provision of the telemedicine service.

Who is a Qualifying Distant-Site Practitioner?
In addition to requiring practitioners to be licensed to provide the services at issue, CMS only covers telehealth services delivered by the following types of practitioners: physicians; physician assistants; nurse practitioners; clinical nurse specialists; nurse-midwives; clinical psychologists; clinical social workers; registered dietitians or nutrition professionals; and certified nurse anesthetists.48

What Constitutes Qualifying Technology? Generally speaking, “Medicare telehealth services” must be provided using an “interactive telecommunications system.”49 “Interactive telecommunications system” means “multimedia communications equipment that includes, at a minimum, audio and video equipment permitting two-way, real-time, interactive communication between the patient and distant-site physician or practitioner. Telephones, facsimile machines, and electronic mail systems do not meet the definition of an interactive telecommunications system.”50 In other words, CMS requires these services to be provided via synchronous, audio-video communication between the practitioner and the patient, and explicitly excludes certain devices and methods of communication: telephones, facsimile machines, and e-mail communications.

What is a Qualifying Service?
To be covered by CMS, a clinical service must be included on that year’s “telehealth list,” which is available on the CMS website and includes the codes required to submit claims for such services.51 CMS typically adds a few new services each year. For instance, there were 97 for calendar year 2019, including newly added coverage for prolonged preventive services through HCPCS codes G0513 and G0514.52

B.  Telehealth Beyond “Medicare Telehealth Services

Most services provided utilizing digital health technology must satisfy the reimbursement standards outlined above to be covered by CMS. However, there are certain services that, despite being colloquially known as telehealth, are not considered “Medicare telehealth services” by CMS. As a result, these services do not need to satisfy the statutory reimbursement requirements for “Medicare telehealth services.” This means that, among other things, Medicare covers these services when they are provided to patients in the home, and regardless of whether or not the patient is located in a rural area.

Remote Patient Monitoring.
CMS has covered RPM since 2018.53 Officially called “Chronic Care Remote Physiological Monitoring,” CMS expanded RPM coverage in 2018 by implementing coverage of CPT Codes 99453, 99454, and 99457.54 CMS now provides broader coverage for the “remote monitoring of physiologic parameters (e.g., weight, blood pressure, pulse oximetry, respiratory flow rate) including initial patient set up and education on using the equipment (CPT 99453), data transmissions reviewed on a monthly basis (CPT 99454), and 20 minutes or more of a clinician’s professional time requiring interactive communication with the patient or caregiver each month (CPT 99547).55

Communication Technology Based and Remote Evaluation Services. Effective in 2019, CMS distinguished a number of services, which it calls “communication technology based and remote evaluation services,” from Medicare telehealth services.56 CMS explained that it has come to view Medicare telehealth services as specifically referencing the physician services listed on the “telehealth list” on the CMS website.57 Thus, CMS now covers “virtual check-ins,” “store-and-forward” communication, and interprofessional consults, regardless of where the patient is located geographically or whether the patient is at an approved originating site.

“Virtual check-ins” are "brief check-in services furnished using communication technology that are used to evaluate whether or not an office visit or other service is warranted.”58 Clinicians only receive separate payment for “virtual check-ins” if the patient does not have an office visit shortly after the virtual check-in, and the patient has not had an in-person visit for the same issue in the preceding week. If the patient does have an office visit shortly after (or before) the virtual check-in, the clinician’s payment is wrapped into payment for the in-office visit. Patient consent is required, and coverage is available only for existing patients.59

CMS describes store-and-forward services as "the remote professional evaluation of patient-transmitted information conducted via pre-recorded ‘store and forward’ video or image technology.”60 The same requirements regarding consent, pre-existing relationships, and reimbursement also apply. “Interprofessional consults” provide a method of paying clinicians who consult with originating-site clinicians from a distant site, but do not assume responsibility for the patient’s care, instead providing technical expertise to the originating-site physician.61

Additional Telehealth Services and Medicare Advantage. Beginning in 2020, Medicare Advantage plans will be authorized to cover “additional telehealth services” for their beneficiaries.62 “Additional telehealth services” are services that (1) do not meet the requirements for “Medicare telehealth services,” and (2) the Medicare Advantage plan has determined can be provided in a clinically competent manner via telehealth.63 Importantly, “additional telehealth benefits” will be covered as basic, not supplemental, benefits. While a detailed discussion is beyond the scope of this article, the importance of this distinction is that basic benefits are factored into the capitated payments that CMS makes to Medicare Advantage plans, while supplemental benefits are not. As a result, looking to 2020 and beyond, providers should note that certain Medicare beneficiaries will be eligible to receive additional treatment via telehealth, though the exact details of what those services are will vary from one Medicare Advantage plan to another. Additionally, providers should note that all Medicare Advantage requirements, such as provider credentialing and the coverage appeals process, will apply. As a result, even providers with deep experience in obtaining reimbursement from Medicare for telehealth services may face new requirements in obtaining coverage for “additional telehealth services” provided to Medicare Advantage beneficiaries.

C.  Medicaid Reimbursement

As of 2019, all 50 state Medicaid programs cover live, synchronous, audio-video interactions of some type; at least 11 states cover services provided via store-and-forward communication, and at least 20 state Medicaid programs cover RPM.64 MassHealth, the Massachusetts Medicaid program, was the last state to adopt reimbursement of telehealth encounters utilizing live audio-video technology when it expanded coverage of certain behavioral health services to include those delivered via telehealth in January 2019.65 As a federal-state partnership, there are certain requirements that the federal government imposes upon all state Medicaid programs regarding telehealth, including that states satisfy federal requirements of “efficiency, economy and quality of care.”66 States are free to select from a variety of HCPCS codes, CPT codes, and modifiers to identify, track and reimburse providers for services delivered via telehealth. Coverage policies and the coding required to obtain reimbursement vary considerably by state. Some state Medicaid programs limit the providers eligible to receive payment for services delivered via telehealth, and whether a state Medicaid program will pay a “facility fee” to the originating site varies state-by-state. The differences can be quite drastic, so it is critical to examine a state Medicaid program’s telehealth landscape before making any major decisions involving Medicaid patients. As a reminder, this means reviewing the law in every state where a patient will be located, not just where providers will be located.

D.  Private Payors

Private-payor reimbursement for telehealth must be determined on a patient-by-patient, plan-by-plan basis. There are, however, state-level legal requirements concerning reimbursement for telehealth services that apply to private payors in a majority of states. Generally known as “parity” laws, these laws address two questions: whether payors need to cover services when they are delivered via telehealth if the service is covered when provided in-person (known as “coverage parity” laws), and whether payors need to pay the same amount for a service when it is delivered via telehealth and when it is delivered in person (known as “payment parity” laws). More than 35 states currently have coverage parity laws in place, while just 10 have payment parity laws.

Importantly, determining that a state has parity laws in place does not necessarily mean one is “out of the woods.” Indeed, some states have parity laws which defer to the terms of contracts between payors and providers. For example, California has a coverage parity law which states that no payor “shall require that in-person contact occur between a health care provider and a patient before payment is made for the covered services provided through telehealth, subject to the terms and conditions of the contract entered into between the enrollee or subscriber and the health care service plan, and between the health care service plan and its participating providers or provider groups.67 Thus, in California, agreements between payors and providers carry the day, even if they provide that the payor will not cover any services rendered via telehealth. This underscores the importance of reviewing coverage documents with particular attention to provisions addressing telehealth.

When structuring a telehealth program, counsel should review the laws of every state in which program patients will be located, determine whether those states have payment and/or coverage parity laws in place, and consider whether there are any limitations on such laws (to the extent that they exist) in addition to reviewing the specific provisions of the payor contracts.

E.  Cash Pay

The newest trend in telehealth’s constantly evolving landscape is providing direct-to-consumer (or DTC) services, which seek to bypass payors, reimbursement restrictions, and the administrative complexity of the American healthcare system. The concept is simple — provide care directly to patients, and they pay for the services out-of-pocket. This allows telehealth platforms, and the providers rendering services through them, to avoid the headaches associated with  fraud and abuse issues. However, there is a common misconception that DTC operations are not subject to any regulatory oversight. As  discussed below, DTC operations, and the providers treating patients through them, remain subject to applicable state law, even if certain federal authorities that only apply to claims submitted for services billed to Medicare, Medicaid, and other public payors (with exceptions) — e.g., HIPAA, the physician self-referral prohibition (the Stark law) and the federal anti-kickback statute (the AKS) — do not.

IV.  Fraud and Abuse Issues Unique to Telehealth

As with any delivery method for the practice of medicine in the United States, a physician undertaking a telehealth endeavor is subject to a multitude of complex federal and state health-care fraud and abuse statutes, regulations, and case law. In general, the fraud and abuse laws applicable to other forms of healthcare delivery equally apply in the case of telehealth. In addition, fraud and abuse issues that arise specific to telehealth relate to the infrastructure, equipment, and support necessary to implement any effective telehealth endeavor. This section provides an overview of the key issues and arrangements that could arise in the telehealth context that pose particular healthcare fraud and abuse risks, but a discussion of the full range of possible fraud and abuse risks presented by telehealth arrangements is beyond the scope of this article.

A.  Federal Kickback and Beneficiary Inducement Restrictions

The AKS prohibits the knowing or willful offer, payment, solicitation, or receipt of remuneration (including any kickback, bribe, or rebate), directly or indirectly, overtly or covertly, in cash or in kind, as inducement for the referral of patients or arranging for the referral of patients to receive services for which payment may be made in whole or in part under a “Federal health care program” (defined to include Medicare, Medicaid and TRICARE, and state healthcare programs).68 However, the statute’s prohibition is not limited to payments for referrals; the statute also prohibits payments to induce the purchasing, leasing, or ordering of any good, facility, service, or item for which payment may be made under a federal healthcare program, or recommending or arranging for the purchasing, leasing, or ordering of any such item or service.69 Voluntary safe harbors apply, so if an arrangement meets the requirements of an applicable safe harbor, then the arrangement will not be prosecuted under the statute.70 Notably, meeting all components of a safe harbor is not required, as ultimately whether or not the AKS is implicated turns on intent.

There are two safe harbors to the AKS that specifically relate to healthcare technology, including technology used in the telehealth context. These safe harbors apply to situations in which a physician receives items and services necessary to engage in electronic prescribing (including hardware, software, information technology and training), as well as situations in which a physician receives items and services necessary to create, transmit, and receive electronic health records (including software, information technology and training), all subject to a number of conditions.71 Such arrangements between clinicians on the one hand, and hospitals or other healthcare facilities or technology providers on the other hand, where the clinician receives such items or services for free or a discounted cost, could potentially implicate the AKS, depending on the intent of the parties in entering into the arrangements. Structuring such arrangements to comply with the applicable safe harbors provides some certainty regarding avoidance of a finding of a violation. In addition, other safe harbors frequently looked to in the context of relationships with physicians or other referral sources, including the personal services and management contracts safe harbor and employee safe harbor, could equally apply in the telehealth context depending on the arrangement in question (e.g., where a health system contracts with a physician to provide services via telehealth).72

It is important to note that whether or not the services in question are reimbursed by a federal healthcare program do not necessarily impact risk of violation of the AKS. A telehealth arrangement could implicate the AKS by inducing other referrals for which governmental payor reimbursement is available. For example, the AKS could be implicated if a cardiologist provided free telehealth equipment to a general practitioner and offered free telehealth consultations to the general practitioner’s patients in return for the general practitioner’s referral of patients to the cardiologist for Medicare-covered cardiology services. In addition, various state anti-kickback laws may be implicated when private-payor reimbursement is available, or regardless of source of payment.

A provision under the Civil Monetary Penalties (CMP) statute  addressing beneficiary inducement often goes hand-in-hand with analysis under the AKS when items or services of value are provided to Medicare and Medicaid beneficiaries.73 In particular, the applicable provision prohibits the offer or transfer of remuneration that a person knows or should know is likely to influence a beneficiary’s selection of a particular provider for the provision of items or services payable under the Medicare or Medicaid program. The beneficiary inducement CMP could be implicated in the telehealth context when, for example, a Medicare patient is provided with a tablet or other device to facilitate consultations with a practitioner or to gather and transmit data for the purpose of RPM. A number of exceptions to the CMP apply, including an exception for items or services that improve a beneficiary’s ability to obtain items or services payable by Medicare or Medicaid (i.e., promoting access to care), and that pose a low risk of harm to both Medicare and Medicaid beneficiaries and the Medicare and Medicaid programs.74 In particular, the items or services offered pose a low risk of harm if: (1) they are unlikely to interfere with, or skew, clinical decision making; (2) they are unlikely to increase costs to federal healthcare programs or beneficiaries through overutilization or inappropriate utilization; and (3) they do not raise patient safety or quality-of-care concerns.75 Although broad in concept, commentary and guidance from the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services should be reviewed and analyzed closely to determine the scope of this exception and applicability to any particular scenario. The OIG has also stated that there is no violation of the CMP statute where the items or services provided to beneficiaries have a retail value of no more than $15 per item or $75 in the aggregate, per person on an annual basis, if such items are not cash or cash equivalents.76

The OIG is responsible for publishing advisory opinions interpreting the AKS and the beneficiary inducement CMPs. The OIG has published multiple advisory opinions addressing telehealth-related issues.

Advisory Opinion 98-18 addressed a proposed arrangement between an ophthalmologist and an optometrist for the sublease of certain telehealth imaging equipment, whereby the ophthalmologist leased the equipment pursuant to a written lease with a fair market value rental amount to the optometrist, and provided free telehealth consultations for the optometrist’s patients as to whether the patient required ophthalmology services. The optometrist also could use the equipment to provide other services to the patients independent of the telehealth consultations. The OIG determined that the arrangement did not implicate the AKS for the following reasons: (1) the lease agreement for the equipment complied with the equipment lease safe harbor requirements; (2) patients referred for ophthalmology services after the free telehealth consultation were allowed to choose any ophthalmologist to provide the recommended services; and (3) the ophthalmologist’s free telehealth consultations only resulted in minimal and incidental business benefits for the optometrist.

Advisory Opinion 99-14 involved a health system that operated a rural telehealth network under a federal grant, and wanted to fund and continue to administer the network after the grant expired, including compensation for practitioners and certain costs of equipment. The OIG found that although the health system’s ongoing financial support could implicate the AKS since it would confer benefits on both the practitioners and the “spoke” facilities, the OIG would not impose sanctions based on a number of factors, including the clear congressional intent favoring the study and development of rural telehealth networks and community benefit to rural citizens through increased access to care.

Advisory Opinion 04-07 analyzed an arrangement between a health system and school-based clinics in rural areas, where physicians at one of the health system’s “hub” facilities would consult with nurses at school-based clinics on appropriate follow-up care resulting from screening tests, including potential consultation via telehealth. Students who required a referral to another physician would be referred to their primary care provider. Those who did not have a primary care provider would be provided a list of primary care providers in their town. The health system paid for the telehealth equipment and the services of the physicians. The OIG concluded that although the health system conferred benefits on potential referral sources, and the AKS could be implicated, the OIG would not impose sanctions because the screening services were non-reimbursable services for purposes of federal healthcare programs, there were otherwise sufficient safeguards in place, and the OIG acknowledged the “obvious public benefit in facilitating better access to screening services for low-income children in rural areas."

Advisory Opinion 11-12 addressed a nonprofit health system’s proposal to provide neuroemergency clinical protocols, technological devices, and services to community hospitals to facilitate immediate consultations with stroke neurologists, and where the parties could use one another’s trademarks and service marks for some marketing activities, and each community hospital agreed not to participate in other neuroemergency telehealth services without the health system’s approval for the duration of the agreement. Under the arrangement, participation was based on access to care considerations, not volume or value of any actual or anticipated referrals. On its face, the arrangement implicated the AKS and did not satisfy any safe harbor because it involved the free provision of valuable items and services among hospitals, all of which had previously referred Medicare business to and from each other. However, the OIG concluded that the facts and circumstances adequately reduced the risk under the AKS. This opinion highlighted a common impediment to increased use of telehealth. Telehealth projects inherently require a large upfront investment to develop the technology infrastructure necessary to realize the much larger cost-reduction, efficiency, and quality of care benefits of telehealth for Medicare patients and private-pay patients alike. The OIG took a progressive step in this opinion by recognizing the AKS as a potential barrier to telehealth projects across the country. As such, the OIG permitted the proposed arrangement for the following reasons:

  • The objective of the telehealth project was to reduce the number of transfers of stroke patients to the funding hospital in circumstances where those patients can be managed at the local hospital if telehealth resources are available.
  • Neither the volume nor value of a hospital’s previous or anticipated referrals, nor the volume nor value of any other business generated between the parties, would be a condition of participation in the telehealth project.
  • The primary beneficiaries of the telehealth project would be the stroke patients who, with the funding hospital’s support, could be treated at the local hospital emergency departments, when treatment is most effective. It would also benefit the patients who need the more advanced level of care that the funding hospital can provide, but who might not otherwise have been able to receive it due to capacity issues.
  • The timely treatment of stroke patients would likely decrease the incidence of stroke-related disabilities, which, in turn, would likely decrease the costs associated with treating and supporting such patients.

Advisory Opinion 18-03 addressed a proposal by a FQHC look-alike to provide telehealth equipment at no cost to a rural health clinic to help provide HIV treatment services to patients. The FQHC look-alike proposed to use funds from a state grant dedicated to HIV treatment to fund the purchases involved in the proposed arrangement. The OIG concluded that the arrangement posed a low risk under the AKS for a few reasons. First, the OIG noted that there were anti-steering safeguards in place, since the rural health clinic advised its patients that they could use any provider for HIV treatment or consultation, and the FQHC look-alike permitted the rural health clinic to use the telehealth equipment to connect patients with other providers. Second, the risk of over-utilization was mitigated, since the rural health clinic would have performed preliminary tests and referred patients for consultations otherwise. Third, the OIG emphasized the benefit of increased access to preventive HIV treatment, which could “reduce the prevalence of HIV and promote public health.” Fourth, the OIG emphasized that although the FQHC look-alike could benefit from the arrangement, the primary beneficiaries would be the clinic patients who could receive HIV prevention services more conveniently and efficiently.

Most recently, OIG Advisory Opinion 19-02 addressed a proposed arrangement whereby a pharmaceutical company sought to loan a smartphone to low-income patients which would be stripped of all functionality except for an app which tracks data regarding use of a drug and other related data, as well as the ability to make domestic calls for purposes of reaching customer support with questions. The offer of the phone would not be advertised, would not have independent value since essentially all other functionality was removed, and would be loaned for 8-12 weeks for the duration of the drug therapy to patients who met financial need criteria and did not otherwise own a smartphone. The OIG found that this arrangement could potentially implicate the AKS as well as the beneficiary inducement CMPs, because by taking the device the patients would believe they needed to continue to work with the pharmacy in question. However, the OIG found that the arrangement met the access-to-care exception under the beneficiary inducement CMPs, and the OIG would not impose sanctions under the AKS under the circumstances. The device promoted access to care because it was necessary in order to receive the full scope of benefits of the drug therapy, which is payable by Medicare. The provision of the device for free posed a low risk of harm because it did not affect prescribing decisions, only certain eligible patients would receive the device, the offer would not be advertised, the use of the device was time-limited, and the device did not have real independent value (the OIG stated that if the phone had access to an internet browser or other functionality, the conclusion likely would be different). This opinion is noteworthy in that it addresses the RPM modality, as opposed to real-time audiovisual consultations between a patient and practitioner. As RPM grows in popularity, it is helpful to have an advisory opinion supportive of providing free or discounted technology to foster increased adoption of the modality, where certain safeguards are in place.

In summary, telehealth arrangements in which free telehealth equipment or services are provided should be analyzed for possible anti-kickback and beneficiary inducement risks. However, there has been steadily increased recognition of the value of telehealth in increasing access to medically necessary care, including in the RPM context, and if structured thoughtfully with appropriate safeguards in place, such arrangements may be permissible.

Another common anti-kickback potential issue that can arise relates to the scenario where a telehealth services vendor enters into arrangements with medical groups or individual physicians. Depending on certain factors, such as how the services are marketed, how the physicians are featured, and how the funds flow generally works, the AKS could potentially be implicated if federal healthcare program reimbursement is involved (for further discussion regarding such arrangements, see Section IV.E).

B.  Federal Self-Referral Prohibition

The federal physician self-referral law (the Stark law) prohibits physicians from referring Medicare beneficiaries for certain “designated health services” (DHS) reimbursable by Medicare to an entity with which the physician (or an immediate family member) has a financial relationship.77 The Stark law definition of a financial relationship includes almost any arrangement in which a physician receives something of value from an entity to which he or she makes referrals, including direct and indirect compensation and ownership interests.78

The Stark law is narrower in its scope than the AKS in certain respects, since it is limited to DHS (which includes, without limitation, lab, radiology and certain other imaging, and inpatient and outpatient hospital services), and since a physician (or his or her immediate family member) must have a financial relationship with the entity performing DHS. However, in other ways it is potentially broader, or is at least easier to run afoul of, because it is a strict liability offense (i.e., it does not require a threshold level of intent). It is also notoriously difficult to navigate and maintain all agreements in compliance with the requirements at all times. Similar to the safe harbors under the AKS, compliance with one of the exceptions to the Stark law protects a physician from liability under the self-referral prohibition.79 However, a critical difference is that while the AKS safe harbors are voluntary, meeting all requirements to a Stark law exception is mandatory to avoid violation, if the Stark law otherwise applies.

Applicability of the Stark law to various arrangements is nuanced and complex, and an in-depth summary is outside the scope of this article. However, as with the AKS, telehealth arrangements that involve free telehealth equipment or services, volume discounts, “per-click” payments, or advertisements on physician websites should be analyzed for possible self-referral risks and self-referral exceptions (in addition to analysis under the Stark law as applicable for all physician relationships, whether involving telehealth or not).

Similar to the AKS safe harbors discussed above, two exceptions under the Stark self-referral prohibition are relevant in the context of healthcare technology, including telehealth services. These exceptions apply specifically to financial arrangements in which a physician receives free electronic prescribing technology or training or free electronic health records software, information technology, or training.80 In addition, other exceptions frequently looked to, including the personal services and fair market value exceptions, could equally apply in the telehealth context, depending on the circumstances.81

C.  False Claims Act and Civil Monetary Penalties

Specific healthcare fraud and abuse violations, such as violations of the AKS and the Stark law, are often coupled with more general federal sanctions under the Federal False Claims Act (FCA) and the CMP authority of the OIG. The FCA prohibits, among other things, knowingly submitting or causing to be submitted false or fraudulent claims for payment or false statements or certifications to the federal government.82 CMPs are applicable if a person knowingly presents, or causes to be presented, to a state or federal government employee or agent any false or improper claims.83 Consequences under the FCA and CMP can be steep. For example, violations of the FCA are subject to treble damages and penalties.84

As adoption of telehealth continues to grow, there has been a corresponding uptick in attention by regulators. Some of this activity has focused on regulatory compliance and sound billing practices. In April 2018, the OIG published a report on a post-payment audit of telehealth claims that CMS processed in 2014 and 2015.85 Using a 100-claim sample, the OIG determined that 31 of the claims that CMS paid did not satisfy the “Medicare telehealth services” requirements.86 Most frequently, the claims failed to satisfy the “originating site” requirement. In the report, the OIG recommended that CMS continue to engage in post-payment audits of telehealth claims, a recommendation that the OIG had already made in its 2017 Work Plan, which called for further review of payments for telehealth services. This underscores the importance of ensuring that a telehealth program is in compliance with applicable regulatory and fraud and abuse authorities.

There has also been a corresponding increase in enforcement activity. Beginning in late 2018 and continuing into 2019, the Department of Justice (DOJ) issued several indictments targeting allegedly fraudulent telehealth endeavors. In October 2018, for instance, the DOJ took action in United States v. Roix, where the alleged scheme involved improperly solicited prescriptions for pain creams resulting in almost $1 billion in false claims.87 Then, in April 2019, the DOJ cracked down on an allegedly fraudulent arrangement involving dozens of durable medical equipment (DME) companies and practitioners delivering services via telehealth resulting in more than $1.2 billion in false claims, which the DOJ called “one of the largest health care fraud schemes investigated by the FBI and HHS-OIG and prosecuted by the DOJ.”88

Scrutiny is also increasing in the direct-to-consumer space, with several major newspapers publishing articles in 2019 questioning the prescribing and clinical practices of a number of  internet-based telehealth platforms.89 As telehealth utilization continues to grow across all markets, increased scrutiny is to be expected.90

D.  State Fraud and Abuse Laws

The federal Stark law and AKS are only the starting point for a telehealth program fraud and abuse analysis. Indeed, given the limited reimbursement available under Medicare, Medicaid, or other federal healthcare programs (although, as referenced earlier in this chapter, the reimbursement landscape is changing), many providers that provide services via telehealth do so on a cash-pay basis only, or by possibly contracting with private third-party payors as well. Such services may be subject to any self-referral and anti-kickback laws of the states into which the telehealth program may reach, depending on the specific state law.

State statutes and regulations can vary significantly in how they address fraud and abuse concerns. Certain states have chosen to integrate the federal fraud and abuse statutes into their state Medicaid statutes.91 Some apply where reimbursement for the item or service is payable by a healthcare insurer,92 and others apply regardless of reimbursement source.93 In addition, a state may create telehealth-specific fraud and abuse laws. For example, Texas specifically requires physicians practicing telehealth to establish certain protocols to reduce the additional fraud and abuse risks presented by telehealth activities.94

Thus, physicians should be aware that a federally compliant telehealth arrangement may still be subject to state fraud and abuse sanctions if the applicable state telehealth laws and fraud and abuse laws are not independently identified and addressed.

E.  Corporate Practice of Medicine and Fee-Splitting

Successful telehealth ventures are often composed of the three following players — technology experts, venture capitalists, and physicians or other practitioners. Whenever business ventures include the close alignment of licensed healthcare professionals and non-licensed individuals or entities, the arrangement should be reviewed carefully to identify any potential violation of a state’s fee-splitting rules or corporate practice restrictions, in addition to potential kickback and self-referral issues. A common scenario where this arises is where a technology vendor, backed by venture capital, develops a telehealth platform and otherwise provides related administrative services so that providers can utilize the technology platform to provide services.

Many states expressly prohibit the “corporate practice of medicine,” meaning an unlicensed individual or entity is prohibited from engaging in the practice of medicine.95 This means that, in some states, only licensed physicians or other healthcare providers may contract with other licensed physicians to provide healthcare services, unless an exception applies. Similarly, in many states, only licensed healthcare providers are allowed to own or control a company that is “practicing medicine.”96 The criminal act of aiding and abetting the unlicensed practice of medicine is potentially a concern that should be considered for all involved in a telehealth venture, depending on the state(s) of operation.97 Whether there is a violation may be a nuanced analysis, as the distinction between what is and is not the practice of medicine by a person (or corporation) varies from state to state, and often is not clearly defined. Prior to engaging in a telehealth venture, to the extent unlicensed individuals or entities are involved, a close review of the applicable state laws where patients will receive the services should be undertaken to determine if there is a corporate practice of medicine prohibition, and if so the scope of such prohibition, including any medical board guidance or prior enforcement actions.98

In addition to the corporate practice of medicine, many states prohibit physicians from “splitting” their fees with non-physicians.99 Therefore, although a “lay entity” technology company or venture capitalist may wish to receive a portion of the profits of the venture, either as an owner in the venture or by receiving a percentage of profits from the professional entity, in many states such arrangements could raise potential issues under applicable fee-splitting statutes (as well as potentially under corporate practice of medicine and/or anti-kickback statutes).

The variety in state laws and enforcement on these issues requires legal counsel to thoughtfully consider how best to structure the arrangement on a state-by-state basis. For example, if a patient pays for an online consultation by a physician, who is permitted to share in a portion of that payment and under what terms? Are there payments between the various parties to an arrangement that could be viewed as illegal kickbacks for generating healthcare business? Analyzing the applicable legal landscape and compliant structures by which the relevant parties can affiliate and receive compensation for their involvement should occur early in the planning process for any new telehealth venture.

V.  Miscellaneous

A.  Proxy Credentialing

CMS requires Medicare-participating hospitals to have an organized medical staff which operates under bylaws that are approved by the hospital’s governing body, and which is responsible for the quality of clinical care provided to hospital patients.100 The medical staff needs to examine the credentials of candidates for medical staff membership, and make recommendations regarding their candidacy in compliance with applicable state law.101 This presents operational challenges for originating site, or “spoke,” hospitals, whose patients are receiving treatment from clinicians located at other facilities. The credentialing process can be very labor-intensive, particularly if a clinician is simply providing coverage and not intending to be a long-term contributor to the originating site facility. Recognizing these difficulties, CMS and the Joint Commission have developed options for facilities to credential their providers. Specifically, the Joint Commission provides three options for credentialing providers treating patients via telehealth:

  • Originating site fully privileges and credentials the practitioner;
  • Originating site uses credentialing information from the distant site (if the distant site is Joint Commission-accredited); and
  • Originating site uses the credentialing and privileging decision from the distant site to make a final privileging decision pursuant to specific conditions being satisfied (i.e., “credentialing by proxy”).102

Credentialing by proxy is permitted only if the originating site hospital’s governing body establishes an agreement with the distant site hospital, or distant site telemedicine entity,103 ensuring that the distant site hospital is a Medicare-participating hospital; that the clinician providing services is privileged at the distant site hospital, and included on a list of the distant site clinician’s privileges to the originating site hospital; the distant site clinician is licensed to practice in the state in which the originating site hospital is located; and the originating site documents its internal review of the distant site clinician’s performance of clinical privileges and sends such information to the originating site to use in reviewing the performance of the distant site clinician, which must at least include reviewing all adverse events that result from the telehealth services provided by the distant site clinician to the originating site hospital’s patients, and complaints the originating site has received about the distant site clinician.104 Importantly, hospitals utilizing proxy credentialing must ensure that their hospital bylaws allow for this practice to avoid a scenario where non-credentialed clinicians are providing services via telehealth.

B.  Malpractice Insurance

When providing services via telehealth, providers must ensure that their medical malpractice coverage is effective. In particular, it is important to verify that the malpractice policy at issue applies to services provided via telehealth, and that it applies to services rendered in every state where a patient of the practitioner may be located.

VI.  Conclusion

Telehealth regulation is among the fastest-evolving areas of healthcare law.  This article is a helpful framework and starting point for legal analysis, but all stakeholders engaging in this exciting but unpredictable space should utilize experienced legal counsel.

This article is adapted from the ABA Health Law Section’s new book, 2019 Physician Law Evolving Trends and Hot Topics. The book represents the cutting edge of physician law, and is an excellent reference for clinicians and their counsel who want to stay abreast of current legal and regulatory issues impacting physician practice. For more information, go to:

  1. 42 U.S.C. § 1395m(m)(1); 42 C.F.R. § 410.78(a)(3).
  2. See, e.g., Cal. Bus. & Prof. Code § 2290.5(a).
  3. See, e.g., Ga. Comp. R. & Regs. § 360-3-.07.
  4. See, e.g., Wis. Stat. § 448.01(9)(a).
  5. Ala. Code § 34-24-502-507; La. Rev. Stat. 37:1276.1; Me. Reg. §. 02-373 Ch. 1; Minn. Stat. § 147.38; N.M. Stat. Ann. § 61-6-11.1; Ohio Rev. Code § 4731.296; Or. Admin. Rules § 847-025-0000 et seq.; 22 TAC § 172.12.
  6. See Ga. S.B. 115 (2019).
  7. See, e.g., Md. Code Health Occ. § 14-302.
  8. Ohio Rev. Code § 4731.41.
  9. See, e.g., Mass. Gen. Laws ch. 112, § 7 (providing that state licensure and registration requirements “shall not apply … to a physician or surgeon resident in another state who is a legal practitioner therein, when in actual consultation with a legal practitioner of the commonwealth”).
  10. See, e.g., Conn. Gen. Stat. § 20-9(d).
  11. See, e.g., Cal. Bus. & Prof. Code § 2060 (stating that practitioners eligible for limited licensure exceptions “shall not open an office, appoint a place to meet patients, receive calls from patients within the limits of this state, give orders, or have ultimate authority over the care or primary diagnosis of a patient who is located within this state.”).
  12. Interstate Medical Licensure Compact Eligibility Requirements,
  13. 22 TAC § 174.2; see Teladoc, Inc. v. Texas Medical Board, 112 F. Supp. 3d 529, 533 (W.D. Tex., 2015).
  14. Ark. Code § 17-80-403.
  15. Code of Md. Admin. Regs. §
  16. Mo. Rev. Stat. Ch. 191 § 191.1146.
  17. 02-373-006 Me. Code R. § 3 (2016).
  18. N.J. Stat. C.45:1-63(a).
  19. Del Code tit. 24, § 1769D.
  20. Center for Connected Health Policy, State Telehealth Laws and Reimbursement Policies: 2018; see, e.g., La Admin. Code 46:XLV.7511 (2012).
  21. Am. Med. Ass’n, 2016 Telemedicine Guidelines, § 1.1.3, Fed. St. Med. Boards, Model Policy for the Appropriate Use of Telemedicine Technologies (2014).
  22. See, e.g., Cal. Bus. & Prof. Code § 2290.5(b).
  23. Miss. Admin. Code tit. 30, § 2635, Rule 5.3.
  24. Ind. Code § 16-36-1-15.
  25. S.C. Code Ann. § 40-47-37.
  26. See S.C. Code 40-47-37(C); La. Admin. Code 46:XLV.7503; Miss. Admin. Code tit. 30, § 2635, Rule 5.4 & 5.5.
  27. See, e.g., Ariz. Rev. Stat. § 36-3602(C); Cal. Health & Safety Code § 123149.5(a); Colo. Rev. Stat. §§ 25-1-801, 25-1-802; 22 Tex. Admin. Code § 174.1 et seq.
  28. See, e.g., Ariz. Rev. Stat. § 36-3602(B), (D); Ky. Rev. Stat. § 311.5975(1)(B); (5); Tex. Occ. Code § 111.003.
  29. Pub. L. No. 110-425, 122 Stat. 4820 (Oct. 15, 2008); 21 U.S.C. §§ 802(54)(A), 829(e)(3); 42 U.S.C. § 1395m(m)(1); 42 C.F.R. § 410.78(a)(3).
  30. 21 U.S.C. § 841(h).
  31. 21 U.S.C. § 829(e).
  32. 21 U.S.C. § 829(e)(3).
  33. Id.
  34. See 21 U.S.C. § 831(h)(2).
  35. H.R. 6 (2018).
  36. SUPPORT for Patients and Communities Act (H.R. 6), § 2001; 42 U.S.C. § 1395m(7). The concept of an “originating site” is discussed in the Medicare reimbursement portion of this chapter.
  37. SUPPORT for Patients and Communities Act (H.R. 6), § 1009; 42 U.S.C. § 1396a.
  38. SUPPORT for Patients and Communities Act (H.R. 6), § 3232; 21 U.S.C. § 831(h)(2).  The DEA did not meet this deadline.
  39. Conn. Gen. Stat. § 19a-906(c).
  40. Ark. Code Ann. § 17-92-1003, 3 Colo. Code Reg. 719-1, Del. Code, tit. 16 § 4744, Haw. Rev. Stat. § 453-1.3, Idaho Code § 54-1733, Kan. Admin. Regs., § 68-2-20, Ky. Rev. Stat. § 311.597, Miss. Code § 41-29-137, Wis. Adm. Code Med 24.02.
  41. Ark. Code 17-92-1003(14)-(15).
  42. See 42 U.S.C. § 1395m(m); 42 C.F.R. § 410.78.
  43. 42 C.F.R. § 410.78(b)(4).
  44. See, e.g., Health Resources and Services Admin., “Health Professional Shortage Areas,” available at
  45. Available at HRSA, part of the Department of Health and Human Services, is the primary federal agency for improving healthcare to people who are geographically isolated or economically or medically vulnerable.
  46. 42 C.F.R. § 410.78(b)(3).
  47. See, e.g., 42 C.F.R. § 510.605 (waiving certain telehealth requirements for patients participating in the Combined Joint Replacement (CJR) model).
  48. 42 C.F.R. § 410.78(b)(2).
  49. 42 C.F.R. § 410.78(b).
  50. Id.
  51. 42 C.F.R. § 410.78(b);
  52. CMS’ MLN Matters MM11063, available at
  53. See 82 Fed. Reg. 52,976, 53,014 (Nov. 15, 2017).
  54. 83 Fed. Reg. 59,452, 59,492 (Nov. 23, 2018).
  55. Id.
  56. 83 Fed. Reg. 59,452, 59,482 (Nov. 23, 2018).
  57. “We have come to believe that section 1834(m) of the Act does not apply to all kinds of physicians' services whereby a medical professional interacts with a patient via remote communication technology. Instead, we believe that section 1834(m) of the Act applies to a discrete set of physicians' services . . . . For CY 2019, we are aiming to increase access for Medicare beneficiaries to physicians' services that are routinely furnished via communication technology by clearly recognizing a discrete set of services that are defined by and inherently involve the use of communication technology.” 83 Fed. Reg. 59483 (Nov. 23, 2018).
  58. Id.
  59. Id.
  60. 83 Fed. Reg. 59,482, 59,487.
  61. 83 Fed. Reg., 59,489.
  62. 42 C.F.R. § 422.135.
  63. Id.
  64. Center for Connected Health Policy, State Telehealth Laws and Reimbursement Policies, Fall 2018, available at
  65. See MassHealth All Provider Bull. 281, January 2019, available at
  66. See, Telemedicine,
  67. Cal. Health & Safety Code § 1374.13(c) (emphasis added).
  68. 42 U.S.C. § 1320a-7b(b).
  69. 42 U.S.C. § 1320a-7b(b).
  70. 42 C.F.R. § 1001.952.
  71. 42 C.F.R. § 1001.952(x), (y).
  72. 42 C.F.R. § 1001.952(d),(i).
  73. 42 U.S.C. § 1320a-7a(a)(5).
  74. 42 U.S.C. § 1320a-7a(i)(6)(F).
  75. 42 C.F.R. § 1003.110.
  76. See Office of Inspector General, Policy Statement Regarding Gifts of Nominal Value to Medicare and Medicaid Beneficiaries (Dec. 7, 2016), available at
  77. 42 U.S.C. § 1395nn.
  78. 42 C.F.R. § 411.354.
  79. Id.; 42 C.F.R. §§ 411.351 et seq. (setting forth relevant definitions, exceptions, and other applicable regulations).
  80. Id. at § 411.357(v), (w).
  81. 42 C.F.R. § 411.357.
  82. 31 U.S.C. § 3729.
  83. 42 U.S.C. § 1320a-7a(a).
  84. 31 U.S.C. § 3729(a); 28 C.F.R. § 85.5.
  85. Dep’t of Health and Human Services Office of Inspector General, CMS Paid Practitioners for Telehealth Services That Did Not Meet Medicare Requirements, A-05-16-00058 (April 2018), available at
  86. Id.
  87. No. 2:18-cr-00133 (E.D. Tenn. filed Sept. 14, 2018); U.S. Dep’t of Justice, Press Release, Four Men and Seven Companies Indicted for Billion-Dollar Telemedicine Fraud Conspiracy, Telemedicine Company and CEO Plead Guilty in Two Fraud Schemes (Oct. 15, 2018),
  88. U.S. Dep’t of Justice Press Release 19-341 (Apr. 9, 2019),
  89. See, e.g., Drug Sites Upend Doctor-Patient Relations: ‘It’s Restaurant-Menu Medicine’, The N.Y. Times, (Apr. 2, 2019).
  90. On October 9, 2019, CMS and OIG respectively issued highly anticipated proposed rules which would revise the current AKS safe harbors, Stark law regulations, and one of the beneficiary inducement civil monetary penalties exceptions, and include the addition of some new safe harbors and exceptions.  While this article reflects the current regulations only, it is worth noting that these proposed rules signal a recognition of the importance of telehealth, and technology innovation more generally, as a critical part of the promotion of coordinated care.  If finalized as written, the rules will provide additional flexibility related to utilization of telehealth by both patients and providers.  For example, participants in value-based enterprises would have a safe harbor which would expressly permit the provision of patient engagement tools and supports, which could include items to assist with access to services via telehealth.
  91. See, e.g., Ala. Code. § 22-1-11(c); Ala. Admin. Code r. § 560-x-4.04.
  92. See, e.g., Mass. Gen. Laws Ch. 175H § 3.
  93. See, e.g., Cal. Bus. & Prof. Code § 650.
  94. 22 Tex. Admin. Code § 174.3.
  95. See, e.g., Cal. Bus. & Prof. Code §§ 2052, 2400.
  96. See, e.g., Cal. Corp. Code § 13400 et seq.
  97. By analogy, in the context of dentistry, a large dental management company entered into a significant settlement upon a finding by the New York Attorney General that it was engaged in the unauthorized practice of dentistry and illegal fee-splitting. See
  98. See, e.g., California Medical Board guidance,
  99. See, e.g., N.Y. Educ. Law § 6509-a; 8 NYCRR § 29.1(b)(4).
  100.   42 C.F.R. § 482.22.
  101. 42 C.F.R. § 482.22(a)(2).
  102.  Joint Commission, MS 13.01.01.
  103.  An originating site can rely upon the credentialing of another Medicare-accredited hospital or a “distant site telemedicine entity,” per 42 C.F.R. § 482.12(a)(9).
  104.  42 C.F.R. § 482.22(a)(3). 
The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

About the Authors

Jeremy Sherer is a healthcare attorney in the Boston office of Hooper, Lundy & Bookman, P.C., and co-chair of the firm’s Digital Health Task Force. Mr. Sherer counsels healthcare providers and technology vendors on matters involving regulatory compliance, transactions, and business arrangements, with particular emphasis on telehealth, healthcare technology, and fraud and abuse compliance. His clients include hospital systems, provider organizations, telehealth platforms, and digital health startups across the United States. Mr. Sherer received the American Bar Association Health Law Section’s “Emerging Young Lawyer in Healthcare” award in 2019, and was named one of “12 Health IT Attorneys You Should Know” by Health Data Management in 2017.  He may be reached at [email protected].

Amy Joseph
is a healthcare attorney in the Boston office of Hooper, Lundy & Bookman, P.C. Ms. Joseph advises health systems, academic medical centers, teaching hospitals, and a wide variety of other healthcare providers on business and regulatory matters. A significant portion of her practice is focused on fraud and abuse compliance, including counseling on compliance with federal and state anti-kickback and self-referral laws, and serving as lead deal counsel or regulatory counsel on mergers, acquisitions, and other strategic affiliations. In addition, Ms. Joseph frequently counsels both providers and health information technology companies in the digital health space. Ms. Joseph regularly presents and writes on these topics.  She may be reached at [email protected]