Editor’s note: Paul Schmeltzer is a member of commercial law firm Clark Hill and counsels clients on healthcare issues like telehealth and regulatory matters.
As patient care via telehealth continues to grow, providers face critical decisions on whether to align with insurance plans, and therefore meet the stringent requirements under HIPAA, or to operate on a cash-only basis and navigate complex state-by-state data privacy laws.
Each choice comes with distinct advantages and challenges that shape the operations and sustainability of telehealth practices.
Telehealth providers who opt to align with insurance plans can tap into a wider patient base, thereby potentially increasing their patient volume. Accepting insurance also ensures a steady flow of reimbursements which can be a crucial lifeline for the financial stability of a telehealth practice.
However, accepting insurance means that the provider must adhere to the requirements under HIPAA’s Privacy and Security Rules that mandate, among other things, robust standards for safeguarding patient information, necessitating substantial investments in secure communication platforms, advanced data encryption and compliance measures, including risk analyses and comprehensive staff training.
Although HIPAA’s obligations can be onerous, it’s a law that has been refined over nearly 30 years, and its established requirements make it easier for telehealth providers to achieve compliance. Non-compliance with HIPAA can result in the HHS’ Office for Civil Rights issuing severe penalties, including hefty fines and corrective action plans.
Conversely, some telehealth providers prefer to avoid the rigorous requirements under HIPAA and instead choose to adopt a cash-only model. This option offers greater operational flexibility as providers can set their own rates, potentially leading to higher earnings per telehealth encounter. The cash-only model also provides a simplified billing process that can mitigate administrative costs by cutting the complexities associated with insurance claims.
But the cash-only model also presents significant challenges. It may limit access for some patients, particularly those who depend on insurance to afford healthcare services.
And until federal privacy legislation — such as the recently proposed American Privacy Rights Act of 2024 — is passed to establish a federal standard for data privacy and security regulation, telehealth providers adopting the cash-only model will need to navigate a complex labyrinth of state-by-state data privacy regulations. This is in addition to the challenge of understanding how each state enforces their unique rules regarding licensure, reimbursement rates and telehealth practice standards.
Over the past few years, there has been a proliferation of state comprehensive data privacy laws that were created in part to fill gaps in federal privacy laws.
However, most have full or partial exemptions for businesses and data regulated by HIPAA or certain other federal laws that protect the confidentiality of personal data, like the Gramm–Leach–Bliley Act. This is clearly an advantage for telehealth providers who have already achieved compliance with HIPAA.
Several states have enacted health data privacy laws or amended their existing privacy laws to protect consumer health data that is not covered by HIPAA. These state health data privacy laws create new compliance obligations for telehealth providers and grant consumers new rights regarding their health data.
While Washington and Nevada do not have comprehensive consumer privacy laws, they have enacted new health data privacy laws which include many of the same privacy-related rights and obligations created by the comprehensive consumer laws in other states.
Laws in Washington and Nevada went into effect in March. Last year, Connecticut’s Data Privacy Act was amended to include additional health privacy elements just before it went into effect, and New York established restrictions on geofencing consumer health data.
Telehealth providers also have to consider how much legal exposure they are willing to tolerate. HIPAA does not afford individuals a private right of action. Under HIPAA, individuals are prohibited from filing a lawsuit against providers for compensation for an alleged violation.
In contrast, under the cash-only model, providers face risk from a complicated web of compliance obligations under state privacy laws. The California Consumer Privacy Act and its subsequent amendment, the California Privacy Rights Act, provides individuals with the right to seek the greater of statutory damages of $100 to $750 per consumer, per incident or actual damages.
Under Washington’s My Health My Data Act, individuals can recover their actual damages, the costs of their lawsuit, including reasonable attorney’s fees, along with up to $25,000 in treble damages. The Washington attorney general’s office can also seek civil penalties of up to $7,500 per violation as well as injunctive relief. Although telehealth providers could face expensive litigation, plaintiffs will need to allege and prove actual damages to recover damages under the Washington law.
The Connecticut, Nevada and New York laws do not grant a private right of action for violations of those laws. However, as more states adopt their own unique health data privacy laws, the possibility that they include a private right of action for consumers continues to exist.
For example, the Maine Senate recently failed to pass the Data Privacy and Protection Act, which would have been the nation’s strongest data privacy law. Before the law died, an amendment was added that removed its private right of action. Although the Vermont legislature recently passed the Vermont Data Privacy Act, which contained a private right of action that would only last from 2027 through 2029, the law was ultimately vetoed by Vermont’s governor.
That is not to say that telehealth providers who are compliant with HIPAA do not have their own litigation risks. Class action lawsuits over healthcare data breaches have been on the rise in recent years. This trend is expected to continue, especially with recent high-profile ransomware attacks.
Telehealth providers adopting the cash-only model should carefully consider their decision. Not only does a cash-only practice limit its base of prospective patients, and therefore its business opportunities, it also must deal with an increasingly complicated web of state privacy laws.
And a cash-only telehealth practice cannot fully escape the enforcement reach of the Federal Trade Commission and the HHS’ OCR when it comes to compliance priorities outside the current purview of HIPAA, like the use of online tracking technologies.
In this evolving landscape, telehealth providers must strategically balance the complexities of insurance alignment, HIPAA compliance and the potential benefits of cash-only models to successfully navigate the intricate web of state data privacy regulations and continue delivering accessible, quality care.
