SCM NEWS & OPINIONS

Telehealth and COVID-19

The adoption of Telehealth has exploded due to the lowering of regulatory barriers brought about by the COVID-19 pandemic and is likely to become permanent. The combination of the risk of severe illness from COVID-19, stay-at-home orders, restrictions on in-person healthcare visits and temporary relaxation of regulations has resulted in a dramatic uptick in the usage of telehealth services.  Whereas only 11% of patients used telehealth prior to the pandemic, 46% of patients are now using telehealth services. [1]  Just as importantly, healthcare providers have become more comfortable with telehealth.  Fifty-seven percent of providers view telehealth more favorably now than they did prior to the pandemic, and 64% of providers report being more comfortable using telehealth.[2]  Congress is now exploring more permanent regulatory changes to encourage long-term utilization of telehealth.  Two recent, short-term changes that may become permanent include (1) allowing Medicare and Medicaid reimbursement for telehealth appointments wherever the patient is physically located, including his or her home; and (2) expansion of the types of telehealth visits that are covered by Medicare and Medicaid.[3]

While utilization of telehealth appears to have made significant strides that will persist beyond the pandemic, certain legal requirements and restrictions must be considered by healthcare providers looking to provide telehealth services.  A few of those requirements are summarized below, including licensing, cybersecurity, establishing a provider-patient relationship and providing information and records to a patient’s designated healthcare provider.

Healthcare providers must be licensed in Utah to provide telehealth services to patients residing in Utah.[4]  The Utah Division of Occupational and Professional Licensing (“DOPL”) has eased the normal licensing requirement under statutory authority granted to DOPL during a declared public health emergency.  For example, physicians licensed without restriction in another state

may work exclusively as a volunteer at a qualified location in Utah under a delegation of services agreement with an actively licensed supervising physician through a time-limited emergency license.  Although other states have similarly eased or waived licensing requirements during the pandemic, the general rule is that a provider must be licensed in the state in which the patient is located to provide telehealth services.  Utah providers with patients who live in surrounding states will need to comply with those states’ licensing requirements as well as other statutes and regulations governing telehealth services before proceeding with telehealth encounters with those patients.

Utah’s Telehealth Act, Utah Code §§ 26-60-102 to -105, requires use of a method of communication that meets HIPAA security and privacy standards.[5]  By executive order, Utah Governor Gary Herbert suspended the enforcement of this requirement during the declared state of emergency and substituted in its place a requirement that a provider who offers telehealth services through a non-public facing platform that does not meet HIPAA standards must inform the patient of that fact, provide the patient with an opportunity to decline use of the telehealth service and take reasonable precautions to ensure security and privacy.  Regardless of this temporary executive order, it is highly recommended that healthcare providers use a HIPAA compliant platform for telehealth services.  HIPAA compliant options provided by vendors such as AZOVA and Doxy.me offer relatively low monthly subscription fees with no per patient encounter fees.[6]  Unfortunately, the increase in telehealth utilization during the pandemic has brought with it a corresponding increase in cybersecurity attacks.[7]  Providers should ensure that a business associate agreement is place with their telehealth platform vendor and be aware of disclosure and reporting requirements that apply in the event of a data breach.[8]  Providers should seek legal counsel if a data breach is suspected to ensure compliance with those legal requirements.

As a matter of convenience or necessity, patients may look to telehealth as a good option for resolving acute medical needs with no intention of establishing an ongoing relationship with the telehealth provider.  Providers, however, may not approach the relationship with a similar mindset.  They should treat a telehealth encounter just like an in-person encounter with a new or existing patient.  If a provider does not already have a provider-patient relationship with the patient, that must be established during an initial telehealth encounter.[9]  Before providing treatment or prescribing medication, the provider must obtain the patient’s relevant clinical history and symptoms and make a diagnosis.[10]  Additionally, the provider must be available for subsequent care related to the initial telehealth encounter and make referrals to other providers as appropriate.[11]  Also, the same medical record-keeping, storage and production requirements apply to telehealth encounters as to in-person visits.[12]  If a patient has a designated healthcare provider, a telemedicine provider is required consult with the patient about whether to provide the patient’s designated healthcare provider with records generated as part of the telehealth encounter or to otherwise provide a report of the encounter detailing the telehealth provider’s evaluation, diagnosis and treatment of the patient.[13]  Unless the patient expressly declines, the telehealth provider is required to provide the medical record or report of the telehealth encounter to the patient’s designated healthcare provider within two weeks of the telehealth encounter.[14]

The COVID-19 pandemic has accelerated the adoption of telehealth by both providers and patients.  As insurance coverage for telehealth services has expanded and likely to become permanent, patient demand for telehealth is unlikely to return to pre-pandemic levels after a vaccine for the COVID-19 coronavirus is widely available.  Providers have an opportunity to grow their practices by embracing telehealth but should be thoughtful in implementing this service delivery platform to maintain quality of care.

Contact Bradley R. Blackham if you have any questions about implementing or expanding your telehealth services or need any assistance with other health law issues.


[1] Bestsennyy, Oleg et al., Telehealth:  A quarter-trillion dollar post-COVID-19 reality? (May 29, 2020), https://www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/telehealth-a-quarter-trillion-dollar-post-covid-19-reality#.

[2] Id.

[3] Robeznieks, Andis, How to maintain momentum on telehealth after COVID-19 crisis ends (June 30, 2020), https://www.ama-assn.org/practice-management/digital/how-maintain-momentum-telehealth-after-covid-19-crisis-ends?gclid=CjwKCAjwkoz7BRBPEiwAeKw3q5NSVNeKIpxKJETTrGnKECe0kWvnYe5BWXv6lmWHPymC2DblfyWLzhoCemEQAvD_BwE.

[4] Utah Code § 26-60-101(6) and § 26-60-103(1)(i).

[5] Utah Code § 26-60-102(9)(b).

[6] See Utah Medical Association COVID-19 Telehealth and Other Info webpage for more information on telehealth platform options and costs.  https://utahmed.org/WCM/COVID-19/Telehealth_and_Other_Info/wcm/ContentAreas/Landing_Pages/COVID/Telehealth_and_Other_COVID-19_Info.aspx?hkey=41b85f80-a9d6-4123-853a-252c6317ae71.

[7] Jerich, Kat, Telehealth is biggest threat to healthcare cybersecurity, says report, https://www.healthcareitnews.com/news/telehealth-biggest-threat-healthcare-cybersecurity-says-report.

[8] See United States Department of Health and Human Services, HIPAA for Professionals, Breach Notification Rule, https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

[9] Utah Code § 26-60-103(1)(b).

[10] Utah Code § 26-20-103(1)(c).

[11] Id.

[12] Utah Code § 26-20-103(f).

[13] Utah Code § 26-60-103(g).

[14] Id.

Bradley R. Blackham