Telehealth Rules and Best Practices

Disclaimer

This guide addresses some of the regulations governing telehealth, and best practices recommendations, for mental health professionals in New York. It does not include every consideration and there are many more resources on these topics. This guide was last updated on December 19, 2023 and some of the information may have since changed. The information in this guide is not legal advice and is not intended to be relied upon as legal advice. If you have a legal issue, you should not rely on this information and instead speak to an attorney.

This guide includes links to third party websites for access to information and resources. We do not control these websites. We have not reviewed all the content that appears on these websites, and are not responsible for the legality, accuracy, or appropriateness of their content. Content on these websites may change at any time, including after we decide to share their links on this site. For legal advice about your specific situation, you should consult with a qualified attorney.

Thank You to Person Centered Tech

This guide was created with substantial reliance on the excellent consults, resources, trainings, and materials provided by Person Centered Tech. Some of their materials are provided here by permission and courtesy of Person Centered Tech. They are part of the resources included in Person Centered Tech's comprehensive, standards-based Telemental Health Certificate Program. You can find these resources and access direct support and consultation from their exceptional team at personcenteredtech.com.

Defining Telehealth

For the purposes of this guide, “telehealth” (also referred to as “telepractice” in New York) is the use of electronic communication and information technologies - such as telephone, e-mail, and videoconferencing - to provide health services.

In its guide to Telepractice, the New York State Education Department Office of Professions states that:

·      Telepractice includes the use of telecommunications and web-based applications to provide assessment, diagnosis, intervention, consultation, supervision, education and information across distance.

·      It may include providing non-face-to-face psychological, mental health, marriage and family, creative arts, psychoanalytic, psychotherapy and social work services via technology such as telephone, e-mail, chat and videoconferencing.

Telehealth Technology

Telehealth technology includes:

·      Telephone

·      Voicemail

·      Videoconference

·      Electronic messages: email, text messages, and instant messages through a patient portal or other website or application

·      “Remote patient monitoring technologies, such as a device to collect vital signs or a video monitoring system to help you keep track of the patient’s health, vital signs, and safety from a remote location” (as defined by the U.S. Department of Health and Human Services, in their guide HIPAA and Telehealth)

·      Apps designed to support healthcare-related activities performed by individuals independently

·      Virtual environments and avatars

Telehealth Vocab

·      The “originating site” refers to the client’s location

·      The “distant site” refers to the provider’s location

·      “PII” is personally identifying information: contact information, name, phone number, home address, email address, etc.

·      “PHI” is protected health information: “all individually identifiable health information” held or transmitted by a HIPAA covered entity or its business associate, in any form or media, whether electronic, paper, or oral

·      “e-PHI” is electronic protected health information: “all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form” (From the CDC’s publication on HIPAA)

·      “Synchronous care” is a live interaction between a provider and a patient, and includes videoconferences and instant messaging*

·      “Asynchronous telehealth,” also called “store and forward,” is communication or information shared between providers, patients, and caregivers that occur at different points in time. Examples include messages with follow-up instructions or confirmations*

* As defined by the U.S. Department of Health and Human Services in its guide, Getting started with telehealth.

Advantages and Disadvantages of Telehealth

Some of the advantages of telehealth and, specifically, videoconferencing may include:

·      Enhanced access to care

·      Convenience and flexibility

·      Fewer barriers

·      Improved continuity of care

·      Reduced costs

·      Similar outcomes to traditional psychotherapies

Some of the disadvantages of telehealth may include:

·      Increased inequity (i.e., for those with limited access to quality devices or internet connections and experience with the technologies)

·      Limited choices or preferences

·      Comfort

·      Potential for breaches of confidential information

Read more in Virginia Commonwealth University School of Social Work’s article, The Benefits of Telehealth Social Work.  

Privacy Concerns

When engaging in telehealth, providers are responsible for the security of client communications and information as if the session were held in person and written communications and documentation were on paper.

Use of telehealth creates risks which include:

·      Unauthorized access by cyber-criminals to an individual’s device and health information

·      Exposure to viruses and other malware

·      Accidental disclosures if individuals are not in private locations while using telehealth

Read more in the Department of Health and Human Services guide, Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth.

Regulations and Ethical Guidelines

A number of regulations and ethical guidelines directly or indirectly govern telehealth use, including:

·      HIPAA

·      Guidance from the New York State Education Department’s Office of Professions (see their Telepractice Guidance)

·      Ethics Codes and Standards like the National Association of Social Workers’ Code of Ethics (sections 1.03 on informed consent, 1.07 on privacy and confidentiality) and Standards for Technology in Social Work Practice

·      Medicare, Medicaid, and many private insurance companies have expanded coverage for telehealth but it is important for providers to understand the rules related to insurance plans they accept, including how they define telehealth, what delivery methods are covered, geographic limits, varied coding requirements, and additional credentialling processes

·      For New York State Office of Mental Health providers, see the New York State Mental Hygiene Law and the Office of Mental Health’s guide, Telehealth Services Guidance for OMH Providers

·      For addiction service providers, the New York State Office of Addiction Services and Supports regulations apply

·      Additional regulations, like the Controlled Substances Act, apply when providers are prescribing medication

·      Additional regulations, like the Anti-Kickback Statute, the Stark Law, and the False Claims Act, apply to situations of fraud and abuse

·      Malpractice insurance carriers may also institute their own rules on providers’ use of telehealth

Generally speaking, by following HIPAA’s specific standards and rules, providers can meet their legal and ethical responsibilities to clients to properly handle and maintain their information.  

HIPAA

As the CDC states: “The Health Insurance Portability and Accountability Act (HIPAA) is a national standard that protects sensitive patient health information from being disclosed without the patient’s consent or knowledge.”

Privacy Rule

The main goal of the Privacy Rule “is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.” (From the CDC’s publication on HIPAA)

Security Rule

While the HIPAA Privacy Rule covers all PHI, the Security Rule specifically protects e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing.

Compliance with the HIPAA Security Rule

As the CDC states:

To comply with the HIPAA Security Rule, all covered entities must:

  • Ensure the confidentiality, integrity, and availability of all e-PHI

  • Detect and safeguard against anticipated threats to the security of the information

  • Protect against anticipated impermissible uses or disclosures that are not allowed by the rule

  • Certify compliance by their workforce

Covered Entities

·      Health care providers who “transmit any information in an electronic form in connection with a transaction which HHS has adopted standards” are “covered entities” who must comply with the law. See DHHS’s guide, Covered Entities and Business Associates, and CMS’s guide to determining who is a covered entity

·      In its article, Am I a HIPAA Covered Entity? (How Much Does it Matter if I am or Not), Person Centered Tech sums it up like this: “if your practice has never billed insurance, it is probably not a covered entity.” They go on to point out that although not all providers are covered entities, HIPAA provides a useful framework that helps all providers meet their ethical obligations.

Protected Health Information, the 18 Identifiers, and De-Identification

Common sources of health information:

·      Progress notes

·      Letters, referrals, and superbills

·      Emails and text messages

·      Call and messaging logs

·      Voicemail transcriptions

HIPAA lists 18 identifiers that create PHI when linked to health information, including:

·      Names

·      Addresses

·      Birthdates

·      Phone numbers

·      Email addresses

·      Social Security numbers

·      Medical record numbers

·      Account numbers

·      Web universal resource locators (URLs)

·      Internet protocol (IP) addresses

De-identification, the removal of identifiers from health information, can be used to mitigate the risks to individuals.

Enforcement

The US Department of Health and Human Services reports that, as of October 31, 2023:

Since the compliance date of the Privacy Rule in April 2003, OCR has received over 344,607 HIPAA complaints and has initiated over 1,179 compliance reviews.  We have resolved ninety-nine percent of these cases (341,304).

To date, OCR settled or imposed a civil money penalty in 138 cases resulting in a total dollar amount of $137,018,772.00.

Compliance with HIPAA

As the Department of Health and Human Services states:

compliance is different for each organization and no single strategy will serve all covered entities. Covered entities should look to § 164.306 of the Security Rule for guidance to support decisions on how to comply with the standards and implementation specifications contained in §§ 164.308, 164.310, 164.312, 164.314, and 164.316. In general, this includes:

1.     performing a risk analysis

2.     implementing reasonable and appropriate security measures;

3.     and documenting and maintaining policies, procedures and other required documentation.

Person Centered Tech has numerous resources to help providers maintain HIPAA compliance, including their simple guide, Mental Health Pros’ 3 Steps to (Actually) Be HIPAA Security Compliant

Business Associate Agreements

The HIPAA Privacy Rule allows providers to disclose protected health information to “business associates” - third-party service providers who handle a provider’s client information - if the providers get “satisfactory assurances that the business associate:

1.     will use the information only for the purpose for which it was engaged by the covered entity,

2.     will safeguard the information from misuse and

3.     will help the covered entity comply with some of the covered entities duties under the Privacy Law.” From DHHS’s guide, Business Associates.

Business associate agreements (BAAs) are necessary to document these assurances. DHHS has information about the required provisions of Business Associate Agreements.

Business Associates include:

·      Billing companies and contractors

·      Accountants, attorneys and consultants with access to PHI

·      Cloud service providers (CSPs): data storage providers (electronic medical record programs)

·      Email hosts

·      Cellular phone and voice over internet protocol (VoIP) providers (note that HIPAA does not apply to landlines)

·      Messaging services

·      Other electronic communication services that use internet, cellular, Wi-Fi

·      Services that electronically record or transcribe a session

Person Centered Tech has helpful guidance in their article, What is a HIPAA Business Associate?

HIPAA-Compliant Platforms

Person Centered Tech has a list of Free HIPAA-Secure Online Teletherapy Software Platforms and the guide, How to Decide if a Cloud (or Other) Service Meets Your HIPAA Needs.

DHHS has a list of “vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA.”

Practicing Across State Lines

·      Each state governs the practice of mental health professions in that state

·      Different states apply different rules for when providers must be licensed in the state – i.e., if the provider is located in the state and/or if the client is located in the state

·      Note that client location, and not client residence, is at issue

·      Some states offer limited permits, simple registration for telehealth practice, or exemptions from full licensure by the state

·      Holding licenses in both the state where the provider is located and the state where the client is located may resolve many issues, but providers must still consider whether any rules of their practice conflict between the two states

·      Person Centered Tech provides a cross-state permissibility to practice due diligence documentation worksheet

·      While most other nations do not govern mental health professions the way we do, it is important for providers to understand any rules that do apply in that nation and recognize that the absence of rules may still mean they have exposure to legal risk (for instance, if other laws or standards apply, like negligence)

Practicing Across State Lines – New York

Section 6501 of Article 130 of the Education Law, Title VIII governs the “practice of a profession in” New York State.  

The New York State Education Department, Office of the Professions’ “Telepractice” guide states that:

“To the extent it involves providing professional services in a jurisdiction other than the one in which the practitioner is physically located, telepractice raises the issue of the jurisdiction or jurisdictions in which the practitioner must be licensed. In New York State, a practitioner must hold a New York license, or be otherwise authorized to practice, when providing professional services to a patient located in New York or when the practitioner is located in New York.” 

One interpretation of the Office of the Professions’ guidance is:

·      If the provider or the patient/client are in New York, the provider must be licensed in New York.

·      If the provider or the patient/client are in another jurisdiction, the provider must also follow the guidelines of that jurisdiction.

·      If a provider with a New York State license travels to another state and will provide professional services to clients located in New York remotely while in that state, the provider must determine if the state requires the provider to be licensed by that state or at least registered there.

BEST PRACTICES

Provider Best Practices

  • Choose software that you are comfortable with and practice with it before using it with clients

  • Perform risk analyses

  • Implement reasonable and appropriate security measures

  • Document and maintain policies and procedures

  • Train staff on the practice’s security policies and procedures

  • Get BAAs

  • Evaluate whether the telehealth technology is appropriate for each client individually. Consider the client’s safety and environment, mental and physical health concerns, access to proper devices and stable internet, and ability to handle tech access and problems

  • Ensure that the standard of care for in-person sessions is applied to telehealth

  • Be available to accommodate in-person sessions should the client have the clinical need

  • Talk to clients about their understanding of privacy and confidentiality

  • Obtain and document informed consent from clients

    • Clients have the right to make an informed decision about their care. To do so, they need to understand the purpose of each option and the risks and benefits of those options. They also need to know they can refuse or withdraw consent.

    • Discuss the advantages and disadvantages of any technology used with a client in the delivery of services

    • Obtain written informed consent for the use of videoconferencing

    • If clients will pay by credit or debit card, or receive email or text receipts for payments, advise them that this documentation can expose the client’s health information (i.e., that they receive treatment) to third-parties

    • Document informed consent conversations and the client’s decision

    • See the NASW’s Telemental Health Consent Form and Person Centered Tech’s Telemental Health Informed Consent Template

  • Talk to clients about how you will communicate if the technology fails or the session is interrupted

  • Talk to clients about who you should contact in case they have a medical emergency or mental health crisis

  • Ask the client where they are located and document other telehealth considerations for teletherapy sessions (See Person Centered Tech’s Sample Telehealth Documentation Form)

  • If you send electronic messages to clients, use encryption technology and obtain informed consent for use of those technologies (See Person Centered Tech’s Request For NonSecure Communications Form)

  • See the Office of Professions’ guide to Telepractice and follow the Client Best Practices below

  • Accommodations for Individuals with Disabilities. The Americans with Disabilities Act and other civil rights laws apply to telehealth. Among other measures, ensure that you:

    • accommodate individuals with disabilities by providing interpreters, captioning, and other assistive technologies

    • properly modify your lighting, sound, the quality of your video, and more

    • See the US Department of Justice’s Civil Rights Division’s guide, Telehealth.

  • Safety of Survivors. Among other measures, providers should:

  • Working with Children. Among other measures, providers should:

Client Best Practices

  • Create a confidential space

  • Install anti-malware software

  • Update your computer and apps frequently to “improve security by fixing vulnerabilities cyber-criminals are known to exploit”*

* As stated in DHHS’s guide, Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth.

Other Resources

·       The NASW’s guide, 8 Ethical Considerations for Starting a Telehealth Practice

·       The NASW’s guide to Telehealth

·       The NASW’s guide to Technology

·       Person Centered Tech’s guide, Understanding How HIPAA Applies to You

Consult an Attorney

An experienced attorney can help you determine your practice’s specific responsibilities and advise you about how to efficiently meet them. Contact Pepitone Law for a consultation.
