Bloomberg Law

Covid-19 Makes Virtual Doctor Visits Tempting but Hazards Linger (1)

March 18, 2020, 10:32 AM; Updated: March 18, 2020, 11:56 AM

Hospitals using telehealth to combat the coronavirus still have legal pitfalls to avoid, even under relaxed guidelines just released by the Trump administration.

The Department of Health and Human Services Office for Civil Rights said Tuesday that it won’t enforce penalties under federal health privacy policies if covered entities use popular video chat apps, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth services.

Facebook Live, Twitch, TikTok, and other similar video communication apps, however, shouldn’t be used for telehealth by covered health-care providers, the OCR added.

Those systems could attract hackers if the connections aren’t secure under health security laws still in place. Doctors also have to make sure they have the correct credentials to provide these virtual services, including diagnoses, treatments, and filling prescriptions, health IT professionals warn.

“If providers don’t already have a telemedicine platform in place, they should think twice before rolling out a hasty or informal solution, such as video chatting with generally-available apps on their personal devices,” Madison M. Pool, a health care associate with Arnall Golden Gregory LLP in Atlanta, said.

As of Monday, there were nearly 3,536 total confirmed cases of coronavirus in the U.S., according to the World Health Organization. Staying away from others, also known as social distancing, is the top way health leaders have recommended to stop the virus from spreading.

If patients use their phones and computers to talk to providers, it could keep them from showing up to hospitals unannounced, potentially exposing themselves and others to the Covid-19 infection.

Security at Forefront

While the HHS order loosens requirements around federal health privacy rules, it didn’t have any effect on security standards.

Hospitals and telehealth companies still have to comply with the HIPAA Security Rule when sharing protected health information, according to Sean Sullivan, a health care attorney at Alston & Bird LLP in Atlanta.

“Providers and patients alike are going to be interested in providing telehealth as easily as possible because in many cases remote medicine is preferable to having the patient visit a clinic or hospital and spread infection, but they should be cautious when providing services over unsecure methods, such as by unsecure video chat such as Facetime or by text message,” Sullivan said.

The security provision requires covered entities that create, receive, use, or maintain a patient’s protected electronic health information to protect it by using secure safeguards.

There are ways to reduce security concerns such as getting patient consent or conducting risk tests that weigh the pressing demand for telehealth against the potential risks, but security needs to be at the top of everyone’s minds, Sullivan added.

Virtual chats between patients and doctors could also leave hospitals and their telehealth platforms open to cyber threats, according to Mike Kijewski, CEO of health care security firm MedCrypt.

“It might seem like hackers would see the millions of patients using telemedicine systems as an opportunity to launch an attack,” Kijewski said. “But it’s more likely that attackers would take this opportunity to learn how these systems work and attempt to steal data in the weeks and months ahead.”

Ultimately, the federal government, telehealth companies, and health-care providers should use Covid-19 as an opportunity to make sure that secure systems are still available for use, Kijewski added.

Check Your Credentials

Some states require physicians to hold a medical license in the state where their patient is located in order to provide virtual health care.

While emergency declarations relax some of these requirements, doctors still have to look to the declaration itself for specifics, according to Jason Johnson, a partner in Moses & Singer’s healthcare, privacy & cybersecurity, and intellectual property practices.

“The New York laws require an actual relationship to be formed between the doctor and patient and that’s, in general, why it’s been hard to expand telehealth practices in New York. Because of the way the law is drafted, it doesn’t really help or accommodate these types of situations,” Johnson said.

Doctors also have to think about licensing requirements when it comes to prescribing medication, according to Lidia Niecko-Najjum, a healthcare associate at Polsinelli PC.

“For example, there are state requirements for establishing a physician-patient relationship that allows for treatment through telemedicine, but there’s the federal Ryan Haight Online Pharmacy Consumer Protection Act that generally prohibits prescribing controlled substances through telemedicine,” Niecko-Najjum said.

“States also have their Controlled Substances Acts that may do the same and also require state CSA licensing for prescribers. So, all of these requirements have to be taken into consideration when evaluating what treatment through telemedicine is permitted. During a national state of emergency, and with states declaring individual states of emergency, certain of these requirements are waived, but certainly not all. Therefore, we have to remain vigilant in our analysis.”

Changes in health care as the coronavirus pandemic progresses may force regulators to adjust barriers such as medical licensing and security provisions around telehealth.

“I do predict that telehealth is going to become an even more essential part of healthcare in the future once we get through the coronavirus crisis,” Carey Officer, the operational vice president for the Center for Health Innovation at Nemours Children’s Health System, said.

(Updates with latest number of U.S. coronavirus cases.)

To contact the reporter on this story: Ayanna Alexander in Washington at

To contact the editors responsible for this story: Fawn Johnson at; Cheryl Saenz at