OpenLoop Health | 2/13/2025 | 6 min read

Must Know Telehealth Rules To Keep Your Business Compliant

Patient PHI, HIPAA, marketing, e-prescribing rules, and more.

Due to its flexibility and convenience, telehealth technology allows virtual care providers to serve more patients and boost their bottom line. However, there are certain compliance rules all virtual care organizations must follow.

For virtual providers to properly scale their business, it’s important that leaders stay aware of the many and changing regulations involved in providing remote services. From e-prescribing and informed consent to marketing restrictions and treatment protocols, these are details leaders are expected to know. 

Below, we’ll examine key regulations that all virtual care providers should be knowledgeable about so they can successfully expand into telehealth. 

HIPAA: Patient privacy and virtual care

When it comes to privacy, the healthcare industry usually looks toward the 1996 Health Insurance Portability and Accountability Act (HIPAA). This act establishes national standards for safeguarding protected health information (PHI). While there currently isn’t a specific section in the HIPAA guidelines about telehealth, all virtual care is expected to be held to the same privacy and security standards as an in-person appointment. 

HIPAA includes three primary rules:

  • Privacy Rule

  • Security Rule

  • Breach Notification Rule

These rules pertain to covered entities, such as health plans, healthcare providers and healthcare clearinghouses. They also apply to business associates, meaning entities or individuals who perform functions on behalf of a covered entity and may have access to PHI. 

The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is responsible for implementing and enforcing HIPAA rules. Noncompliance can have hefty repercussions. For example, one violation could cost between $127 and $63,973 and, in some cases, lead to imprisonment. 

The HIPAA privacy rule

The HIPAA Privacy Rule ensures that patient medical records and individually identifiable health information aren’t shared without a patient's consent or knowledge. It also minimizes unnecessary or inappropriate access to and disclosure of PHI. Yet, implementing this rule when delivering care virtually may be tricky, as it presents potential obstacles at different stages. 

Businesses should create processes to handle the following scenarios: 

  • Patient identity verification during initial consultation: Determine how to maintain privacy while verifying identity when a virtual appointment is held at a remote facility managed by a different healthcare provider.  

  • Patient location during the consultation: If a translator will be present during a teleconsultation, ensure practitioners obtain patient consent. Encourage patients to stay out of public areas during virtual visits so the Privacy Rule isn't violated. 

  • Provider location during the consultation: Protocols should be in place for providers working at home or in a busy office with distractions. 

  • Patient referrals: Establish company guidelines for accepting patient referrals from providers controlled by a different covered entity. Ensure strategies are in place to limit the PHI shared with other providers. It may make sense to enter a Business Associate Agreement with the other party. 

The HIPAA security rule

This rule protects electronic PHI (ePHI) and requires that covered entities use appropriate administrative, physical and technical safeguards. 

So, this might look like:

  • Preventing unauthorized access to certain devices

  • Conducting regular security audits to evaluate vulnerabilities

  • Maintaining data integrity

HIPAA also instructs that all ePHI must be encrypted when it’s transferred.

Covered entities have to work with technology and telehealth vendors that abide by HIPAA rules. Those vendors must also be willing to enter into a business associate agreement and, within that agreement, specify the methods they'll use to protect the data and audit data security. Look for digital tools that are HIPAA-compliant. 

Other patient privacy regulations

HIPAA isn’t the only privacy concern businesses should have. The Federal Trade Commission (FTC) Act forbids individuals and companies from engaging in deceptive or unfair practices that may affect commerce, such as invading consumer privacy. Virtual care providers must be careful not to deceive consumers about what’s happening with their health information. 

In addition, the FTC sees health information as more than just treatments and diagnoses. The Act views it as anything that discloses, or enables speculation about, a consumer's health. So, it's crucial that you carefully review what's considered health data and how to manage it properly. 

The FTC Act applies to: 

  • HIPAA-covered entities

  • Business associates

  • Organizations not required to comply with HIPAA that collect, use or share health information

Virtual care providers should also review their state's legislation on data protection. Some states have privacy protection laws that apply to third-party vendors not covered by HIPAA. 


Virtual care and informed consent 

When businesses serve patients remotely, it’s crucial to have processes in place for obtaining informed consent from patients. 

At this time, Medicare doesn’t require this, but some states have statutes that make it mandatory for health professionals to do so. Also, most states require informed consent for telehealth-delivered services within their Medicaid programs. 

The laws surrounding informed consent can be confusing to interpret. For instance, some might say informed consent must be obtained every time telehealth is used. In contrast, others might say that it’s only required for the first telehealth appointment in a series of visits for the same condition. 

Telehealth prescribing practices (e-prescribing)

Trying to determine the correct protocol for e-prescribing can be daunting, as there are ever-changing federal rules and individual state regulations. We’ll share some details you should be aware of. 

Federal e-prescribing regulations 

Pre-COVID

The Drug Enforcement Administration (DEA) regulates online pharmacies and telehealth prescribing under the Controlled Substances Act (CSA). The Ryan Haight Act amended the CSA in 2009, prohibiting the sale of controlled substances over the Internet without a valid prescription. At the time, for the prescription to be considered "valid," practitioners prescribing a controlled substance had to conduct an in-person medical evaluation first.

Post-COVID

After the COVID-19 pandemic, temporary telemedicine flexibilities were put in place, allowing controlled medications listed under Schedules II to V to be prescribed through telemedicine without an in-person evaluation. Three extensions have been implemented so far, and the DEA recognizes that lifting these flexibilities would disrupt patient care. They’ve also taken measures to make some flexibilities permanent. 

As of January 2025, the DEA has shared the following: 

  • Opioid treatment (final rule): This rule authorizes practitioners to prescribe Food and Drug Administration (FDA)-approved Schedule III-V controlled substances via telemedicine without requiring an in-person visit. The provider can prescribe up to a six-month supply of medication. If additional prescriptions are needed, an in-person visit is required unless otherwise permitted by the CSA. 

  • Veteran Affairs patients (final rule): This rule allows U.S. Department of Veterans Affairs (VA) practitioners to prescribe controlled substances using telemedicine without completing an in-person patient evaluation if another VA practitioner has already done one. 

  • Special registrations for telemedicine (proposed rule): This rule introduces three types of special registrations that will allow patients to obtain prescriptions via telemedicine visits without ever having an in-person medical evaluation from a practitioner. 

State e-prescribing regulations

There are several state-to-state nuances that virtual providers need to think about when prescribing online. Executives should consider whether the state: 

  • Requires that practitioners perform a physical examination before issuing a prescription 

  • Places limitations on prescriptive authority for certain types of providers 

  • Allows questionnaires to be used to establish a professional relationship between the provider and patient for the sole basis of online prescribing

  • Mandates that practitioners have a preexisting relationship with the patient

Proper diagnosis and treatment protocols


The process of diagnosing and treating patients follows many of the same protocols used for in-person care. Both care delivery methods allow practitioners to take a medical history, inquire about the patient's symptoms, order tests, review results and recommend therapies. 

Yet, companies should have guidelines in place for circumstances when a telehealth environment might not be an appropriate avenue for clinicians to make a proper diagnosis. 

Plus, there may be legal requirements businesses must follow. 

For instance, while telehealth allows patients to access providers nationwide, some states require that the patient be seen by a doctor in the same state. However, a few states have licenses permitting an out-of-state clinician to provide telemedicine services in a state they’re not in. Others may let providers render telehealth services in a different state if specific conditions are met. 

Another factor is the technological requirements. Currently, Medicare provides payment for non-behavioral/mental telehealth services completed using audio-only communication platforms through March 31, 2025. However, some states, like Iowa, don’t define audio-only telephone communication as telehealth unless it’s an emergency. It’s imperative to determine if and how store-and-forward technology works for your state, too. 

Marketing and advertising restrictions 

As a virtual care provider, you naturally want to get the word out about your telehealth services. However, before you do, ensure you know the rules. 

The FTC aims to ensure that marketing material is not misleading, so telehealth providers should exercise caution when making health claims, using influencers, sharing user health data with third parties for advertising and more. A non-compliant company could be fined up to $50,120 per violation. 

The FDA also has some authority over claims healthcare providers make about products for unapproved uses. 

Other legal and regulatory considerations  

In addition to the above telehealth compliance suggestions, consider the following: 

  • Corporate structure: Some states don’t permit the corporate practice of medicine (CPOM), which means corporations are not allowed to practice medicine or employ a physician to provide professional medical services. Telehealth blurs the traditional boundaries of medical practice, making CPOM compliance complex. 

  • Speculative compensation arrangements: A telehealth company taking a percentage of a practitioner's professional fee as compensation may violate state and federal fraud and abuse laws.

Get regulatory and legal support with OpenLoop

Being successful as a virtual care provider means understanding telehealth compliance rules regarding e-prescribing, privacy laws, state regulations and more. While keeping up with all of this can be overwhelming for corporations, it’s not something you have to do alone. 

OpenLoop doesn’t just ensure you have the telehealth infrastructure to deliver quality virtual care. We also provide regulatory and legal services so you can stay compliant and avoid penalties.

Interested in learning more? Contact us today!

Our full suite of white-labeled telehealth support services includes: