As local governments assess telehealth rules for 2022, it is essential to stay informed on what may be changing in your area.
Posted in Risk Management on Thursday, October 21, 2021
As 2022 draws near, it’s a good time to take note of any upcoming changes to telehealth rules. Changes vary by state - for example, effective December 31, 2021, Ohio will be going back to enforcing pre-COVID telehealth rules. Telehealth may not be as in-demand as it was at the peak of the pandemic, but it’s still important to remember some key points:
Staff and Environment
Telehealth and HIPAA
- Telehealth services are included in HIPAA Privacy policies and the Notice of Privacy Practices for your practice.
- Your telehealth technology is included in the HIPAA Security Risk assessment and policies.
- Telehealth providers and support staff members must receive HIPAA Privacy and Security Awareness training specific to the telehealthservices being provided. Their training should be documented in personnel files.
Comply with State Laws and Regulations
- The type of telehealth service(s) contemplated is (are) permissible/covered under state law. Contact the appropriate professional board for more information.
- The providers who will be used to deliver telehealth services must be permitted to do so under state law. Unsure? Contact the appropriate board for more information.
- The providers who will deliver telehealth services are licensed to practice in the state where the patient is located (directly or by interstate compact).
- Telehealth treatment, prescribing, and documentation comply with applicable state standards.
Assessments and Scopes
- A needs assessment must be conducted and should support the type(s) of telehealth services under consideration.
- A scope of service must be identified and documented for each type of telehealth under consideration/in use. The scope of service includes:
- The type of provider who will perform the services.
- What type(s) of patients will receive services.
- The clinical conditions, including severity, that will be covered by the service.
Privacy and Security
- The provider workspace must be private, soundproof, and have a door to prevent unauthorized people from entering during telehealth visits.
- Telehealth visits must be conducted over systems that provide “end to end” electronic security, such as encryption.
Telehealth Policies and Procedures
Telehealth policies and procedures include the following:
- Definition of when the provider/patient relationship begins
- Management of privacy and security of telehealth visits and protected health information
- Patient identification requirements
- Process for receiving and responding to patient messages
- Process for managing patient-provided health information
- Hours of operation, appointments, and scheduling
- Process for patient choice in provider assignment
Informed Consent and Refusal
Informed Consent must be obtained for telehealth services and includes:
- Any state-specific requirements.
- Patient identification
- The names and credentials of providers and staff members who will be involved in providing telehealth services
- Patient rights, including the right to stop or refuse treatment by telehealth
- The type(s) of telehealth service(s) being provided and the technology that will be used
- Potential privacy and security risks and measures taken to reduce the risks
- Technology-specific risks, such as interruption of the audio/video link, poor transmission quality, and/or electronic tampering
- Permission to bill insurance, as applicable
- Instructions for alternative care in case of an emergency or technology malfunction
- Billing and payment
- Complaint and grievance handling
- Telehealth clinical documentation expectations, including distant site, as applicable
- Archiving and retrieval of video, as applicable
- Quality measurement and monitoring
Informed Refusal is the term for when your patient refuses to sign an informed consent form. Make sure you and your staff are aware of the process to follow when a patient refuses to provide consent.