Skip to main content

Despite early high expectations for the role telehealth would play in the US health care delivery system, utilization of telehealth services has — until recently — been relatively modest. The COVID-19 crisis, however, is putting telehealth to the test, and patients and providers are endorsing its use in overwhelming numbers.1

Changes in federal and state regulations in response to the pandemic are expanding access to remote care, and there is a scramble to meet the demand. Health care suppliers and providers with existing telehealth networks are desperately trying to increase the volume of patients they can serve, and new entrants into this space are moving fast to establish remote patient care and diagnostic services.

Regulatory and Enforcement Considerations

All 50 states and the District of Columbia have laws, regulations and guidance applicable to telehealth. These policies concern requisite licensure, how to establish valid practitioner-patient relationships (e.g., via face-to-face examination), scope of practice for various clinician types, prescribing authority, and technology requirements.

Licensure and Scope of Practice

Most states require that practitioners engaging in telehealth must be licensed in the state in which the patient is located, but some have procedural mechanisms that enable interested practitioners to practice across state lines.

In response to COVID-19, state medical boards have begun implementing emergency waivers to practitioner licensure requirements. As of March 31, 49 states and the District of Columbia have issued state licensure requirement waivers. (Nevada is the only state that has made no changes to state licensing requirements.) Although the specifics vary by state, these waivers generally allow out-of-state practitioners to provide medical care in response to COVID-19. Practitioners intending to offer telehealth services across state lines should consult state waivers to assure compliance with state requirements.

Establishing Provider-Patient Relationships

Most states require that practitioners and patients have an established relationship as a precursor to treatment. While the American Medical Association's position is that a physician-patient relationship can be established via a face-to-face encounter that occurs either in-person or through real time audiovisual technology, state definitions of "physician-patient relationship" vary widely. Some states require an initial in-person physical examination to establish a physician-patient relationship.

Therefore, despite Medicare's announcement regarding the waiving of its existing relationship coverage criterion, state law may inhibit use of this flexibility in practice. Practitioners should consult state and federal law prior to providing the services, particularly if the practitioner has not conducted at least one in-person medical evaluation of the patient.

Hospital Credentialing

Conditions of participation in certain federal health care programs2 and some state laws3 and hospital based credentialing procedures require a distant-site practitioner's qualifications be evaluated via the originating-site's credentialing process before the health care provider may provide telehealth services at that hospital. To help streamline what can be a lengthy process, there have been changes in law and regulation effective during the COVID crisis.

  • Section 1135 waiver authority: Pursuant to subsection (b) of the Section 1135 waiver authority, the US Department of Health and Human Services has waived "certain conditions of participation, certification requirements, program participation or similar requirements" that apply to providers, including "a hospital or other provider of services" as well as "pre-approval requirements."4 This waiver appears broad enough to encompass credentialing requirements compelled by federal programs.
  • Exceptions for telehealth: Medicare regulations already permit an exception to normal credentialing for telehealth services from a distant-site hospital. Sometimes referred to as credentialing "by proxy," the regulations allow hospitals to rely on provider credentialing and privileging decisions made by distant-site hospitals as it relates to given physicians.5 Similarly, many states may provide for analogous exceptions permitting credentialing by proxy for telehealth services.6
  • State waivers: Additionally, some states permit the waiver of credentialing requirements in the face of health emergencies.7 So far, several states appear to have invoked such authorities.8

Diagnostic Testing

Many states have laws governing direct consumer access to laboratory testing, or DAT laws, which prohibit or restrict clinical laboratories from conducting diagnostic tests without an order from a licensed practitioner. For states with DAT laws, there may be regulatory requirements or guidance concerning whether a practitioner-patient relationship must be established, and whether the diagnostic test order must be generated based on a valid telehealth encounter, in order for the diagnostic test order to satisfy state DAT law requirements.

Practitioners intending to order clinical laboratory testing as part of a remote encounter should be mindful to comply with state telehealth requirements and any applicable DAT laws.

Informed Consent

There are a variety of contexts in which the sufficiency of informed consent in telehealth is an issue (e.g., Medicaid reimbursement9 and malpractice cases). Given the potential for telehealth to add an additional layer of complexity onto patients' understanding of their care, several states have implemented telehealth-specific informed consent laws.

These laws apply to physicians and other licensed professionals, and these laws run the gamut from generally directing that informed consent be obtained10 to mandating that patients be informed of specific concerns, such as that "[t]he quality of transmitted data may affect the quality of services provided by the provider" and that "[t]he knowledge, experiences, and qualifications of the consultant providing data and information to the provider of the telehealth services need not be completely known to and understood by the provider."11

Controlled Substance Prescribing

The federal Ryan Haight Act prohibits dispensing controlled substances via the internet without a "valid prescription." A valid prescription must be issued by either a practitioner who has conducted at least one in-person medical evaluation of the patient, or by a covered practitioner.12 Although there is an exception for prescriptions issued by a "practitioner engaged in the practice of telemedicine,"13 the definition of "practice of telemedicine" is difficult to satisfy, making the telemedicine exception very narrow.

In response to COVID-19, the US Drug Enforcement Administration issued guidance that, for the duration of the COVID-19 public health emergency, DEA-registered practitioners may issue prescriptions for controlled substances to patients without an in-patient medical evaluation, provided that certain conditions are met. The most notable of these conditions is that the telemedicine communication be conducted using an "audio-visual, real-time, two-way interactive communication system."

States have also implemented their own telemedicine controlled substance prescribing laws. Practitioners intending to prescribe controlled substances as part of a telehealth encounter should consult state and federal law prior to doing so, particularly if the practitioner has not conducted at least one in-person medical evaluation of the patient.

Cost-Sharing Obligations

The routine waiver of some or all of patient cost-sharing obligations can potentially implicate the federal Anti-Kickback Statute, the Beneficiary Inducement Statute, as well as state fraud and abuse laws.

Notably, on March 17, the HHS Office of Inspector General issued a policy statement notifying health care providers that, due to the unique circumstances resulting from the COVID-19 outbreak, the OIG will not subject providers to administrative sanctions under the AKS or BIS for reducing or waiving any cost-sharing obligations that federal health care program beneficiaries may owe for telehealth services, as long as (1) the services are furnished consistent with applicable coverage and payment rules, and (2) the services are furnished while the COVID-19 public health emergency declaration is in effect.

According to the policy statement, the OIG also "will not view the provision of free telehealth services alone to be an inducement or as likely to influence future referrals (i.e., OIG will not view the furnishing of subsequent services occurring as a result of the free telehealth services, without more, as evidence of an inducement)."

Software as a Medical Device: FDA Considerations

If entities are implementing software to support telehealth, and in particular software incorporating functionalities such as algorithms or artificial intelligence, to screen or triage patients or guide physician clinical decisions, it is important to bear in mind that certain types of software may constitute an US Food and Drug Administration-regulated medical device. Such device status can implicate FDA quality system, reporting and clearance or approval requirements.

Certain software functions are exempt from regulation as a medical device. These include, but are not limited to, a software function that is intended for (1) administrative support of a health care facility, including the processing and maintenance of records, including for population health management; (2) general wellness and that does not relate to a specific disease or condition, such as a device to manage stress; and (3) to serve as electronic patient records.

In addition, certain clinical decision support software functions are also excluded from the definition of device. For example, clinical decision support that is not intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device and clinical decision support that enables health care providers to independently review clinical decision support recommendations.

In practice, the latter requirement is particularly important. The FDA interprets the provision as requiring that the particular software functions be transparent to the clinician, i.e., described in plain language, including: (1) the purpose or intended use of the software function; (2) the intended user, (3) the inputs used to generate the recommendation; and (4) the basis for rendering a recommendation.

Relaxed HIPAA Regulatory Enforcement

In light of the critical need to provide health care without risking further infection during the COVID-19 public health emergency, on March 17, the HHS Office for Civil Rights announced that, effective immediately, it will waive penalties for violations of privacy and security regulations implementing the Health Insurance Portability and Accountability Act of 1996 for health care providers serving patients through "everyday communications technologies" during the emergency period. The waiver is not limited to telehealth services related to the diagnosis and treatment of health conditions related to COVID-19.

Under the HIPAA rules, health care providers may use a communications product (such as Skype) for telehealth only if the vendor of the product signs a business associate agreement with the health care provider that binds the vendor to strict data protection standards, such as for encryption, access limitations, backup and contingency measures. While some vendors of telehealth technology (e.g.,, Google G Suite Hangouts Meet, Skype for Business, Updox, VSee, and Zoom for Healthcare) offer to abide by the HIPAA standards, others do not purport to do so.

The new waiver permits health care providers to the latter group of vendors (including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype) to provide telehealth during the COVID-19 public health emergency. However, use of any public-facing communication product — e.g., Facebook Live, Twitch, TikTok — for the provision of telehealth is still expressly prohibited. And, regardless of the waiver, health care providers should warn patients of the privacy risks raised by the use of any non-BAA-bound vendors.

Transactional Considerations

The new regulatory flexibilities and coverage changes to address the current public health emergency are enabling health care providers to quickly use commonly available video platforms to deliver telehealth to their patients. Getting telehealth offerings launched quickly may be of paramount importance to protect patients and providers at this time, but consideration of the contractual terms with technology vendors may facilitate longer term success:

  • Make sure the nature of the application is suitable for your telehealth offerings — does it offer the features, functionality and privacy settings that you are seeking?
  • Confirm that everyone on the care team (e.g., physicians, nurses, educators) has access to the platform.
  • Make sure that privacy and encryption settings are configurable and easily enabled. Understand what types of information may be shared and/or retained by the technology provider and the uses of data being authorized.
  • Carefully consider the provider and patient implications of exclusive arrangements, and opt for nonexclusivity when possible.
  • Mitigate risks and misunderstandings regarding the functioning of the platform through clear disclaimers so that users are aware of privacy, technical or other limitations.
  • Understand how disaster recovery and platform issues will be managed during these challenging times.
  • Make sure that transitioning off the platform is available and easy, particularly given the potentially temporary nature of many of the current telehealth regulatory changes.

Nora Schneider is a senior associate, and Catherine Brinkley-Talley and Alana Reid are associates at Arnold & Porter.

Allison Shuren, Daniel Kracov, Susan Hendrickson, Murad Hussain and Vinita Kailasanath, partners at the firm, counsel Nancy Perkins, and associate Pari Mody contributed to this article.

  1. Erin Brodwin, Surge in patients overwhelms telehealth services amid coronavirus pandemic, StatNews (March 17, 2020),

  2. See, e.g., 42 C.F.R. §§ 482.12(a), 482.22(a).

  3. See, e.g., MD Code Regs.

  4. See

  5. 42 C.F.R. §§ 482.12(a)(8), (9), 482.22(a)(3), (4).'

  6. See, e.g., MD Code Regs.

  7. See, e.g., MD. Code. Ann., Health-Gen. § 18-903(c) (permitting alternative processes to credential practitioners in response to health emergencies).

  8. See, e.g., (permitting hospital-to-hospital credentialing of out-of-state physicians).

  9. For example, the California Medicaid program requires healthcare providers to obtain informed consent in order perform telehealth services. See Medi-Cal Telehealth Policy, available at

  10. See, e.g., Ky. Rev. Stat. Ann. § 311.5975.

  11. Md. Code Regs. (established by the Board of Examiners for Audiologists, Hearing Aid Dispensers, and Speech-Language Pathologists); see also La. Admin. Code tit.46 pt. XLV, § 7511 (requiring "informed of the relationship between the physician and patient and the respective role of any other health care provider with respect to management of the patient" and that the patient be "notified that he or she may decline to receive medical services by telemedicine and may withdraw from such care at any time.")

  12. 21 U.S.C. § 829(e)(2)(A).

  13. 21 U.S.C. § 829(e)(3)(A).