Digital Health 101: OCR Issues Resources to Educate Patients on Telehealth, PHI


On October 18, 2023, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) issued two resource documents to help explain the privacy and security risks to patients’ protected health information (PHI) when using telehealth services, along with ways to reduce these risks. In a press release announcing the guidance, OCR Director Melanie Fontes Rainer stated that “[t]elehealth is a wonderful tool that can increase patients’ access to [healthcare] and improve [healthcare] outcomes. [Healthcare] providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices, so patients are confident that their health information remains private.”

These new resources exemplify the trend of increased scrutiny in the digital health environment, aimed at ensuring that patient data is protected, secured and confidential (including with respect to pixel technology disclosures, artificial intelligence usage guidelines, state-level data privacy laws and medical board guidelines).


Resource #1: Outlining the Risks of Telehealth

With the release of this educational resource, developed on a recommendation from the Government Accountability Office (GAO) in a September 2022 report, OCR intends to help healthcare providers explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications for telehealth.

OCR notes that the Health Insurance Portability and Accountability Act Privacy, Security and Breach Notification Rules (HIPAA Rules) do not require covered healthcare providers to educate patients about privacy and security risks. However, the OCR’s educational resource is intended to assist providers who would like to 1) explain the privacy and security risks to patients’ PHI when using telehealth services and 2) share ways to reduce these risks. This information may also be helpful to a patient’s family or personal representative. HHS encourages and reminds providers to be mindful of inclusionary mechanisms when communicating with individuals with disabilities (e.g., providing auxiliary resources, using language assistance services or providing written translations of materials).

The educational resource provides suggestions for discussing the following:

  • What telehealth is, and which technologies will be used during the telehealth encounter
  • The importance of PHI privacy and security
  • Risks and mitigation strategies when PHI is shared, stored or transferred using remote communication technologies
  • Which communication technology vendors are used in delivering the services and how to view their privacy and security policies
  • The right to file a privacy complaint with OCR under HIPAA

Resource #2: PHI Security Tips for Patients

OCR’s patient tips resource provides recommendations that patients can implement to protect their privacy, security and confidentiality when interacting via telehealth technologies, including the following:

  • Conducting the telehealth appointment in a private location (e.g., a private room or a parked car), wearing headphones and avoiding using a speakerphone
  • Turning off nearby electronic devices that may overhear or record information
  • Avoiding using a [...]


Trending in Telehealth: October 11 – 16, 2023

Trending in Telehealth highlights state legislative and regulatory developments that impact the healthcare providers, telehealth and digital health companies, pharmacists and technology companies that deliver and facilitate the delivery of virtual care.

Trending in the past week:

  • Reproductive Health
  • Telehealth Practice Standards
  • Disciplinary Guidelines
  • Behavioral Health
  • Regulatory Licensing


Finalized Legislation and Rulemaking

  • In California, the governor signed the Nursing Facility Resident Informed Consent Protection Act of 2023. The new legislation amends the bill of rights for patients in skilled nursing facilities and establishes that healthcare professionals must disclose all material information regarding the administration of psychotherapeutic drugs to the patient to obtain the patient’s informed consent. Under the law, healthcare professionals may use remote technology, including telehealth, to obtain consent. The willful or repeated violation of these provisions will be punishable as a misdemeanor. However, the State Department of Public Health, in consultation with interested stakeholders, will not penalize facilities until December 31, 2025, when the Department plans to publish its standardized informed consent form.

Legislation and Rulemaking Activity in Proposal Phase


  • Connecticut’s Department of Consumer Protection proposed a rule to expand the prescribing authority of pharmacists. The rule would authorize licensed pharmacists who undergo the necessary training to prescribe emergency and hormonal contraceptives to patients. The rule would require pharmacists to assist patients with a Department-issued and interactive “screening document,” which includes questions to determine whether a hormonal or emergency contraceptive is clinically appropriate for a patient, age-appropriate health screening information, and a treatment algorithm for hormonal or emergency contraceptives. The screening document’s “treatment algorithm” is generated based on the clinical history entered by the patient, and it sets forth the steps of a treatment pathway and outlines when a referral to a practitioner is recommended. Licensed pharmacy technicians who undergo the necessary training can assist with the screening process, but ultimately the prescribing pharmacist must decide whether to issue the prescription or refer to a practitioner.
  • In Pennsylvania, HB 1300 passed the second chamber. If signed by the governor, the bill would allocate additional funds to the state’s Behavioral Health Commission for Adult Mental Health. It would also increase access to behavioral health via telemedicine services by providing funds for providers to purchase equipment such as computers, tablets, webcams, mobile devices, and telemedicine carts and kiosks; securing funds to assist with training and technical assistance for telemedicine services; providing grants to primary-care practitioners and organizations using telemedicine to deliver behavioral health integration services; and allocating additional funds for providers to purchase or maintain Health Insurance Portability and Accountability Act (HIPAA)-compliant software, platforms, secure Wi-Fi hotspots and increased broadband speed and training beyond what is offered by the Department of Human Services.

Why it matters:

  • Continued Demand for Mental Health Initiatives. Pennsylvania’s proposed rule highlights ongoing demand for behavioral and mental health services. Increasing resources and funding for telemedicine services will give more patients convenient access to behavioral health [...]


Trending in Telehealth: September 26, 2023 – October 10, 2023

Trending in Telehealth highlights state legislative and regulatory developments that impact the healthcare providers, telehealth and digital health companies, pharmacists and technology companies that deliver and facilitate the delivery of virtual care.

Trending in the past two weeks:

  • Reproductive Health
  • Telehealth Practice Standards
  • Interstate Compact
  • Disciplinary Guidelines
  • Regulatory Licensing

Finalized Legislation and Rulemaking

  • California signed into law SB 345, which goes into effect on January 1, 2024. The legislation states that California law applies to any civil, administrative or criminal proceeding involving individuals (that is, patients) located inside and outside of California engaged in providing, receiving, supporting, or attempting to provide or receive reproductive health and gender-affirming healthcare services via telehealth or other means. This “shield law” also provides legal protections for healthcare practitioners located in California who provide or dispense medication or other services for abortion, contraception or gender-affirming care to out-of-state patients. These protections apply regardless of the provider’s location during the activity. This law also prohibits California law enforcement, government officials or government contractors from cooperating with out-of-state prosecutions related to abortion, contraception or gender-affirming care. The law prohibits California-based corporations, including social media and tech companies, from disclosing to law enforcement any private patient communication regarding healthcare that is legally protected in the state.
  • New Hampshire enacted legislation effective October 7, 2023, that amends the prior law to permit out-of-state healthcare professionals to treat patients in the custody of the Department of Corrections via telemedicine, without a New Hampshire license, as long as the professionals are licensed in the state where they provide services. The prior law required all out-of-state healthcare professionals providing telehealth services to be licensed in New Hampshire, regardless of the patient’s location.

Legislation and Rulemaking Activity in Proposal Phase

How Not to Lose $1 Million: Preparing for OIG’s Information Blocking Enforcement

OIG’s long-awaited final rule on investigating and imposing penalties for information blocking dropped in July 2023 and is effective as of Sept. 1, 2023 – almost three years after OIG released its proposed rule (April 2020) and two years after the start of information blocking compliance on April 5, 2021. The final rule codifies OIG’s authority to investigate information blocking complaints, including against developers of certified health IT and health information networks/health information exchanges (HIN/HIEs), and assess civil monetary penalties (CMPs) of up to $1 million per violation.

OIG defined a “violation” as a practice that constitutes information blocking as set forth in ONC’s information blocking regulations, a broad definition that is important because each distinct act or omission could be subject to a separate $1 million CMP. OIG also provided examples of what it would consider to constitute a single violation versus multiple violations subject to multiple CMPs:

  • Single Violation: A certified health IT developer denies a single request by a healthcare provider to receive multiple patients’ EHI via an API and no legal requirement or information blocking exception applies. OIG would consider this a single violation even though it would result in preventing access to multiple patients’ EHI.
  • Multiple Violations: A certified health IT developer takes multiple separate actions to improperly deny multiple individual requests by a healthcare provider for EHI through an API. Each separate action would be considered a separate violation.

OIG has stated that while it does not intend to impose CMPs on conduct that occurred before Sept. 1, 2023, it may consider a regulated entity’s behavior from the April 2021 compliance date onwards in deciding if alleged information blocking conduct was part of a pattern of behavior. Other factors OIG anticipates considering when deciding penalty levels include the nature, circumstances, and extent of the information blocking and resulting harm, including the number of patients and/or providers affected and the number of days the information blocking persisted. OIG will also consider other factors, such as the degree of culpability, history of prior offenses, and other wrongful conduct.

When deciding whether to pursue a particular information blocking allegation, OIG indicated that it plans to prioritize enforcement for actions that:

  • Resulted in/had the potential to cause patient harm;
  • Significantly impacted providers’ ability to care for patients;
  • Are of long duration;
  • Caused financial loss to Medicare, Medicaid, or other federal healthcare programs or private entities; and
  • Were performed with actual knowledge.

Each allegation will require a facts and circumstances analysis, which OIG will conduct in coordination with ONC and other federal agencies as appropriate. Further, while OIG’s enforcement priorities may inform its decisions about which allegations to investigate, OIG states that the priorities are not dispositive, meaning it can investigate any allegations it chooses.


Weight-Loss Programs in Florida: State Law Considerations for GLP-1 Telehealth Providers

As more telehealth providers offer weight-loss programs, they should be aware of the potential impact of state laws and regulations. In this blog post, we take a closer look at Florida’s consumer protection laws regarding weight-loss programs.


While many providers are familiar with Florida’s Standards for the Prescription of Obesity Drugs (Fla. Admin. Code 64B8-9.012, see Final with ID: 26115424), providers may not be as familiar with the Florida Commercial Weight-Loss Practices Act. The Commercial Weight-Loss Practices Act, enacted in 2000 (Fla. Stat. 501.057 through Fla. Stat. 501.0581), broadly applies to weight-loss providers, which includes any person engaged in the business of offering services to consumers to assist them in losing weight and making oral or written statements, visual descriptions, advertisements or other representations that have the capacity, tendency or effect of leading consumers to believe that participation in a weight-loss program will result in weight loss. See Fla. Stat. 501.0571(5). Additionally, weight-loss providers are required to:

  1. Provide to a consumer a written, itemized statement of the fixed or estimated cost of the weight-loss program that is being recommended, including all additional products, services, supplements, examinations or laboratory tests the consumer may be required to purchase from the weight-loss provider as part of such program
  2. Disclose the actual or estimated duration of the recommended weight-loss program
  3. Provide, upon request, a copy of the educational and professional experience of the weight-loss provider’s staff
  4. Provide the name, address and qualifications of the person who has reviewed and approved the weight-loss program, according to section 468.505(1)(j)
  5. Produce and distribute to all consumers who inquire about their weight-loss program a palm-sized card with the Weight-Loss Consumer Bill of Rights printed on it
  6. Post conspicuously the Weight-Loss Consumer Bill of Rights at the front registration desk in each weight-loss program location and require every agent, representative, franchisee or independent contractor to post such a bill of rights in a prominent place in every room in which a presentation or sale of a weight-loss program is made or in which a product or treatment is offered for sale

See Fla. Stat. 501.0573.

Notably, the Weight-Loss Consumer Bill of Rights is a required, separate consumer-facing document that requires disclosure that “rapid weight loss may cause serious health problems,” among other safety disclosures and protections intended for disclosure before beginning a weight-loss program.


Florida’s Commercial Weight-Loss Practices Act is a reminder that telehealth providers should look beyond the telehealth and prescribing regulations in each state. For telehealth providers operating in a number of states, an in-depth review of all of the relevant state laws and regulations is critical to capture the framework of applicable laws and regulations across the spectrum of health and consumer protection. For providers without in-person practice locations, there are often other strategies that meet the relevant requirements and can ensure compliance with these laws.

Telehealth is an important development in care delivery, but the [...]
