Hearken to the article
Editor’s word: Paul Schmeltzer is a member of business regulation agency Clark Hill and counsels shoppers on healthcare points like telehealth and regulatory issues.
As affected person care by way of telehealth continues to develop, suppliers face essential choices on whether or not to align with insurance coverage, and due to this fact meet the stringent necessities underneath HIPAA, or to function on a cash-only foundation and navigate advanced state-by-state information privateness legal guidelines.
Every selection comes with distinct benefits and challenges that form the operations and sustainability of telehealth practices.
Telehealth suppliers who choose to align with insurance coverage can faucet right into a wider affected person base, thereby doubtlessly growing their affected person quantity. Accepting insurance coverage additionally ensures a gentle circulate of reimbursements which could be a essential lifeline for the monetary stability of a telehealth observe.
Nevertheless, accepting insurance coverage signifies that the supplier should adhere to the necessities underneath HIPAA’s Privateness and Safety Guidelines that mandate, amongst different issues, strong requirements for safeguarding affected person data, necessitating substantial investments in safe communication platforms, superior information encryption and compliance measures, together with threat analyses and complete employees coaching.
Though HIPAA’s obligations could be onerous, it’s a regulation that has been refined over practically 30 years, and its established necessities make it simpler for telehealth suppliers to attain compliance. Non-compliance with HIPAA can lead to the HHS’ Workplace for Civil Rights issuing extreme penalties, together with hefty fines and corrective motion plans.
Conversely, some telehealth suppliers want to keep away from the rigorous necessities underneath HIPAA and as a substitute select to undertake a cash-only mannequin. This feature affords higher operational flexibility as suppliers can set their very own charges, doubtlessly resulting in increased earnings per telehealth encounter. The cash-only mannequin additionally gives a simplified billing course of that may mitigate administrative prices by reducing the complexities related to insurance coverage claims.
However the cash-only mannequin additionally presents important challenges. It could restrict entry for some sufferers, significantly those that rely upon insurance coverage to afford healthcare providers.
And till federal privateness laws — such because the just lately proposed American Privateness Rights Act of 2024 — is handed to determine a federal normal for information privateness and safety regulation, telehealth suppliers adopting the cash-only mannequin might want to navigate a fancy labyrinth of state-by-state information privateness laws. That is along with the problem of understanding how every state enforces their distinctive guidelines concerning licensure, reimbursement charges and telehealth observe requirements.
Over the previous few years, there was a proliferation of state complete information privateness legal guidelines that have been created partly to fill gaps in federal privateness legal guidelines.
Nevertheless, most have full or partial exemptions for companies and information regulated by HIPAA or sure different federal legal guidelines that shield the confidentiality of non-public information, just like the Gramm–Leach–Bliley Act. That is clearly a bonus for telehealth suppliers who’ve already achieved compliance with HIPAA.
A number of states have enacted well being information privateness legal guidelines or amended their present privateness legal guidelines to guard client well being information that’s not lined by HIPAA. These state well being information privateness legal guidelines create new compliance obligations for telehealth suppliers and grant shoppers new rights concerning their well being information.
Whereas Washington and Nevada wouldn’t have complete client privateness legal guidelines, they’ve enacted new well being information privateness legal guidelines which embrace lots of the similar privacy-related rights and obligations created by the great client legal guidelines in different states.
Legal guidelines in Washington and Nevada went into impact in March. Final yr, Connecticut’s Information Privateness Act was amended to incorporate further well being privateness components simply earlier than it went into impact, and New York established restrictions on geofencing client well being information.
Telehealth suppliers even have to think about how a lot authorized publicity they’re prepared to tolerate. HIPAA doesn’t afford people a personal proper of motion. Below HIPAA, people are prohibited from submitting a lawsuit in opposition to suppliers for compensation for an alleged violation.
In distinction, underneath the cash-only mannequin, suppliers face threat from a sophisticated net of compliance obligations underneath state privateness legal guidelines. The California Shopper Privateness Act and its subsequent modification, the California Privateness Rights Act, gives people with the appropriate to hunt the higher of statutory damages of $100 to $750 per client, per incident or precise damages.
Below Washington’s My Well being My Information Act, people can recuperate their precise damages, the prices of their lawsuit, together with affordable legal professional’s charges, together with as much as $25,000 in treble damages. The Washington legal professional basic’s workplace also can search civil penalties of as much as $7,500 per violation in addition to injunctive aid. Though telehealth suppliers may face costly litigation, plaintiffs might want to allege and show precise damages to recuperate damages underneath the Washington regulation.
The Connecticut, Nevada and New York legal guidelines don’t grant a personal proper of motion for violations of these legal guidelines. Nevertheless, as extra states undertake their very own distinctive well being information privateness legal guidelines, the likelihood that they embrace a personal proper of motion for shoppers continues to exist.
For instance, the Maine Senate just lately didn’t cross the Information Privateness and Safety Act, which might have been the nation’s strongest information privateness regulation. Earlier than the regulation died, an modification was added that eliminated its personal proper of motion. Though the Vermont legislature just lately handed the Vermont Information Privateness Act, which contained a personal proper of motion that will solely final from 2027 via 2029, the regulation was in the end vetoed by Vermont’s governor.
That isn’t to say that telehealth suppliers who’re compliant with HIPAA wouldn’t have their very own litigation dangers. Class motion lawsuits over healthcare information breaches have been on the rise in recent times. This development is predicted to proceed, particularly with latest high-profile ransomware assaults.
Telehealth suppliers adopting the cash-only mannequin ought to fastidiously think about their resolution. Not solely does a cash-only observe restrict its base of potential sufferers, and due to this fact its enterprise alternatives, it additionally should cope with an more and more sophisticated net of state privateness legal guidelines.
And a cash-only telehealth observe can’t totally escape the enforcement attain of the Federal Commerce Fee and the HHS’ OCR relating to compliance priorities exterior the present purview of HIPAA, like the usage of on-line monitoring applied sciences.
On this evolving panorama, telehealth suppliers should strategically stability the complexities of insurance coverage alignment, HIPAA compliance and the potential advantages of cash-only fashions to efficiently navigate the intricate net of state information privateness laws and proceed delivering accessible, high quality care.
