When you launch any virtual, electronic, online, mobile, or other non-physical telemedicine or telehealth venture, you have to navigate several interlocking, overlapping legal issues, from licensure to corporate practice of medicine and fee-splitting, to basic state law rules that govern any medical endeavor. If this seems daunting, have your robot call our robot.
Here are some broad descriptions of law to get you started.
Unlicensed Practice of Medicine
Unlicensed practice of “medicine” is a crime.
Non-medical doctors who are healthcare licensees have a defined scope of practice. However, if they practice beyond their scope of practice, then they are considered to be engaged in unlicensed medical practice. Companies that hire and direct such persons can be aiding and abetting unlicensed medical practice.
Corporate Practice of Medicine
The corporate practice of medicine (“CPM”) rule is a variation on the rule against unlicensed practice of medicine. For more information, see: Corporate Practice of Medicine & Anti-Kickback/Fee-Splitting Rules: Deep Down the Regulatory Rabbit Hole.
A management services organization (“MSO”) can provide administrative/management services such as: front desk/scheduling, advertising and marketing, sublease of space or equipment, book-keeping, and billing and collecting on behalf of the physician practice. These services must be provided at fair market value (“FMV”).
California aggressively enforces CPM prohibitions.
As indicated in Corporate Practice of Medicine & Anti-Kickback/Fee-Splitting Rules: Deep Down the Regulatory Rabbit Hole, the California Medical Board considers many activities by an MSO to intrude on clinical decision-making, and thereby violate CPM. Such activities include: selecting, hiring and firing the physician; approving the selection of medical equipment and supplies; owning or operating a business that offers patient evaluation, diagnosis, care and/or treatment; arranging for, advertising, or providing medical services rather than only providing administrative staff and services; and, a physician acting as “medical director.” See also: If Someone Asks You to Be Medical Director, Run.
Not all states are as tough on corporate practice of medicine. Check each state for its local laws – or, have your telemedicine lawyer check some representative states for your national telemedicine venture – for example, California, New York, Texas, New Jersey, Illinois, and Arizona.
Telemedicine; Internet Prescribing
We’ve posted a lot on telemedicine issues. See, for example: Daily Journal Publishes “Future of Medicine” is Just a Tap Away.
Kickbacks and Fee-Splitting
These are informative posts: Quick Summary of Federal “Stark” Self-Referral & Anti-Kickback Law and California Self-Referral and Fee-Splitting Prohibitions; What Anti-Kickback and Fee-Splitting Legal Issues Arise When Physicians or Other Healthcare Providers Lease Space; Fee-Splitting 101 for Medical Doctors, Chiropractors, Acupuncturists, and Others.
Informed Consent, Standard of Care, and Other Issues
Where telemedicine is allowed, additional rules may apply, such as:
- That the physician must obtain a specific, telemedicine consent from the patient.
- That the telemedicine encounter must be documented as part of the patient’s medical chart.
- That the physician must maintain the same standard of care as for an in-person encounter.
Regarding the third point, standard of care violations can lead to both malpractice liability and Board discipline for the practitioner. Some states require an in-person visit and physical exam prior to a telemedicine encounter, as part of the standard of care.
Direct & Vicarious Liability
Direct liability refers to liability for one’s own negligent conduct, while vicarious liability means liability for the conduct of others.
For example, in the case of an individual practitioner, direct liability often involves malpractice (negligence), which is defined as deviating from the standard of care, and thereby injuring the patient. For individual practitioners, malpractice lawsuits based on standard of care violations can trigger disciplinary action by the Board, and the converse is also true. Inadequate informed consent is a second possible theory of malpractice liability against a practitioner. It is unclear whether a company could be vicariously liable based on the practitioner’s failed informed consent. However, ensuring effective informed consent is part of good clinical practice.
Consents and disclaimers may or may not be effective. For example, what if, notwithstanding consents and disclaimers, a patient sues because the physician missed diagnosing a skin cancer that could have been detected had the exam been in person rather than online? Would the telemedicine company be vicariously liable? Because cases take years to wind through the courts, and many are settled (rather than resulting in a published opinion), there is little—if any—law directly on point (i.e., involving exactly these kinds of facts). The best answer may be to get insurance, although again, it may not be possible to insure against this exact risk and the telemedicine company may need to rely on an umbrella policy.
Other than malpractice, one of the less obvious sources of direct liability for the telemedicine company is an action based on a theory of negligent credentialing.
If the setting were a physical clinic where one has legal responsibility for other practitioners (for example, a physician supervising a nurse; or a company hiring massage therapists), then potentially we could explore direct liability for negligent supervision, and/or vicarious liability as a supervisor for the negligent acts of the supervisee; however, corporate practice of medicine rules would probably prevent a supervisory arrangement involving physicians.
Negligent credentialing is a theory of direct liability premised on a company putting forth to patients that the company has in fact vetted practitioners. The theory is that the company has been negligent in its quality assurance efforts, and that this lack of diligence has led to a patient injury.
To the extent an online company does more than provide a directory that merely links to practitioners, and holds itself out as having checked the qualifications and credentials of a provider, the company has likely created potential liability for negligent credentialing. For example, if a Contracting Physician has falsified credentials, the Company has not exercised reasonable due diligence to ferret out this fraud, and a patient is injured by the Contracting Physician’s negligent care, then the Company could conceivably face liability under a negligent credentialing theory.
As part of its risk management, the online entity should keep a file checking credentials, recheck the credentials on an annual basis, and have a term of use disclaimer that the entity is not making any representations or warranties about the providers who enroll and use the site.
Disclaimers regarding the entity’s limitations of liability will be important here as well, as depending on the business model, it may be possible to argue that the company has not held itself out as vetting practitioners on its site. However, any assertions the company makes with respect to credentials or quality of the practitioners on its site may be used in a negligent credentialing action.
Whereas negligent credentialing involves direct negligence (failure to adhere to reasonable standards of care), vicarious liability refers to liability transferred up the chain, for the direct negligence of another. One of the forms of vicarious liability is liability simply by virtue of the appearance of agency—i.e., the practitioner reasonably appears from the patient’s perspective to be an agent of the online company.
Liability—Standard of Care
Medical malpractice is typically defined in terms of conduct that falls below the standard of care, and thereby injures the patient. Non-MDs can also commit malpractice, with the standard of care typically being that of their profession.
Malpractice (negligence) can give rise to both civil liability in a lawsuit from the patient, and discipline of the physician by the state regulatory board (for example, the medical board).
On the civil side, entities can be vicariously liable if the physician appears to be their agent.
One standard of care issue is that prescriptions must be medically justified.
The Federal Trade Commission Act (“FTCA”) prohibits “unfair methods of competition” and “unfair or deceptive acts or practices.” 15 U.S.C. §45. In general, all advertising must be truthful and non-misleading.
State law also contains prohibitions against deceptive advertising, notably in unfair competition and consumer protection statutes, and also prohibits false and misleading physician advertising.
California law, for example, prohibits any licensee from communicating to the public any: “false, fraudulent, misleading, or deceptive statement, claim, or image for the purpose of or likely to induce, directly or indirectly, the rendering of professional services or furnishing of products in connection with the professional practice or business for which he or she is licensed.” In addition, if physicians are distributing dietary supplements and making impermissible disease claims, this could raise Food and Drug Administration (FDA) issues as well. And, to the extent standard of care issues are prevalent, off-label use could raise concerns too.
To the extent the telemedicine company is providing marketing services to a physician practice, it should be aware of requirements for physician advertising. For example, in California, a communication can violate California law if it:
- Contains a misrepresentation of fact.
- Fails to disclose material facts.
- Creates a false expectation of favorable results (including through use of a photo or image).
- Uses a model without disclosing the same.
- Uses a “before” and “after” view of a patient in a misleading way.
- Refers to fees without fully disclosing all variables.
- Makes a claim of professional superiority.
- Makes a scientific claim that cannot be substantiated.
- Includes a misleading testimonial or endorsement.
- Contains misleading price information.
- Fails to disclose that the communication is a paid ad.
Violation of these rules is a misdemeanor and can subject the licensee to professional discipline.
The statute also specifies the kind of information a licensee can include in advertising (such as, for example, languages spoken fluently in the practitioner’s office other than English); and there are additional limitations regarding statements (for example, with respect to use of the term, “board certified”). And as noted, California law requires advertising to include the physician’s name or the name for which the PMC has a fictitious name permit.
Privacy & Security Issues
Stated in most basic terms, HIPAA applies to use and disclosure of protected health information (“PHI”), if transactions are billed electronically for third-party reimbursement.
Even if HIPAA does not apply, however, state rules can require privacy and security safeguards for PHI. For example, California has the Confidentiality of Medical Information Act (CMIA). This statute imposes certain obligations with respect to disclosure of patient medical information, and governs patient access to medical records.
State laws, including California’s, typically require some kind of consent/authorization from the patient for basic functions, such as treatment, payment, and health care operations. State laws also often govern disclosure of genetic information, information regarding HIV treatment, and other specialized kinds of medical information.
Other sections of state law also govern such matters as retention of medical records, and responsibility regarding reporting communicable diseases.
HIPAA will supersede relevant state law standards, unless state law is found to be more stringent. HIPAA does not preempt state requirements related to reporting of disease, child abuse, birth and death, or that authorize public health surveillance or public health investigation or intervention.
State and federal law, as well as hospital policies, may establish stricter standards than HIPAA.
Increasingly, states also regulate privacy breaches. For example, the California Department of Health Care Services has a webpage describing procedures that should be followed in the case of a privacy breach, or an unauthorized disclosure of personal confidential information that violates state or federal privacy laws. The Department also has a Privacy Office which conducts incident investigation, privacy training, and compliance audits. The Office has a PowerPoint presentation entitled Privacy Breach 101, which describes examples of privacy breaches, including:
- Loss or theft of documents containing PHI.
- Mailings to incorrect providers or beneficiaries.
- Stolen, unencrypted laptops, hard drives, thumb drives, or PCs with PHI.
Ideally, a multi-state law analysis of privacy and security requirements would be part of vetting the business model, and an information technology consultant would be retained to work on online security issues to protect PHI.
Because of the plethora of potential legal issues and liabilities, it is important to attempt to create defensive bulwarks in contracts with site users.
Someday robots may run our practice. In the meanwhile, contact our telemedicine, mobile medical app, wearable health tech, and FDA legal team for compliance counsel and strategic advice if you have a telemedicine venture, particularly if it involves prescribing online, or if you are doing a multi-state telehealth venture.