Telemedicine has been around longer than many realize. It first appeared on the April 1924 cover of Radio News magazine. Thirty years later, radiology images were shared over telephone, and in the 1970s and 1980s, teleradiology expanded to include neurological exam sharing and behavioral health treatment. In the 2000s, healthcare organizations and physician practices made a concerted effort to employ telemedicine as part of the standard practice of care and treatment. Still, reduced or no reimbursement from healthcare insurers have stifled a broad adoption of this treatment modality.

When the coronavirus pandemic hit in 2020, it significantly increased interest in and use of telemedicine. As news broke regarding the risks and preventative approaches to mitigating exposure to COVID-19, there was a dramatic reduction of in-person patient visits. Conversely, there was a marked increase in the use of telemedicine to care for and treat patients, by primary care physicians, specialists, clinics and hospitals.

While in-person visits have slowly rebounded to pre-pandemic levels, an increased use of telemedicine will remain. Most physician groups and hospitals adjusted technology and resources. Additionally, the Department of Health and Human Services (DHHS) expanded the public health emergency through April 2021, ensuring that telemedicine will continue to be leveraged as a tool to provide care and minimize risk of exposure to COVID-19.

Risks, such as crossing state lines, documentation and non-physician clinicians, have always existed. For the most part, they have been managed or eliminated. The increased use of telemedicine has created new and evolving risks, and has highlighted existing risks. Those risks, along with practical recommendations for addressing them, are presented here.

Emerging and Existing Risks of Using Telemedicine

Six main categories of risk exist for healthcare systems with the introduction and increased use of telemedicine.

1. Vendor Risk

It is important to carefully scrutinize vendors providing telemedicine platforms. As with all vendors, it is necessary to protect your patients’ health information. Vendors who are unfamiliar with HIPAA and Business Associate Agreements (BAA) should be regarded with concern.

Recommendation: Things to consider when looking for a telemedicine vendor partner include the following:

  • Secure solid BAA agreement
  • Ensure that vendors understand and are abiding by required and standard practices as relates to HIPAA privacy and security
  • Require good documentation protocols and processes
  • Ensure the ability to have direct interaction with a patient
  • Insist on a method to record patient interactions
  • Verify easy access to work and communicate with vendors as the need arises

Risks may be mitigated primarily through thorough research of any proposed telemedicine provider. Ensure the vendor can accommodate HIPAA requirements while providing a platform that maximizes interactions with patients. Vendors who are unfamiliar with HIPAA and BAAs should be regarded with concern. Contact multiple referrals to provide assurance that vendors are behaving in a professional, law-abiding manner. Ask questions such as: “What is your U.S. address?” “Are you publicly traded?” “Are you owned by a larger organization?” “How do you market your services?” and “Are you HIPAA-compliant (pre-COVID-19)?”

2. Advanced Practice Providers

State-based regulations govern oversight and required malpractice coverage of non-physician clinicians when using telemedicine. While compliance does not change with respect to telemedicine, the method used to show evidence of adherence could change.


  • Be aware of licensure requirements; have a defined scope of practice and know what is required with respect to oversight
  • Analyze how telemedicine may impact current compliance processes. For instance, if a state requires a specific percent of chart and/or care reviews of a physician’s assistant, document these practices as telemedicine care is being provided
  • Let compliance needs factor into vendor selection, choosing ones that can help facilitate documentation of oversight in accordance with states’ requirements
  • While some care restrictions may be temporarily lifted due to COVID-19, state-based requirements of what a medical assistant, nurse or advanced practitioner can and cannot perform when treating patients are not altered by telemedicine

3. State Licensure and Regulations

As is the case with the risks already covered, licensing requirements do not change with telemedicine. In general, clinicians must be licensed in the state where the patient, not the clinician, resides. Centers for Medicare & Medicaid Services (CMS) instituted a temporary waiver of in-state licensure requirements during the coronavirus pandemic, but practitioners should be aware that state requirements may still supersede CMS waivers.

Recommendation: The Federation of State Medical Boards regularly updates its document that outlines state requirements and includes links to relevant communications from each state.

4. Reimbursement

While commercial payors had been slow to accept and adopt telemedicine care, the dramatic increase of use brought on by the pandemic has forced them to adjust quickly. As a result, payors now reimburse for care. Providers must still be aware of payors’ rules surrounding reimbursement, and rules vary from one payor to another.

Recommendation: The Department of Health and Human Services (DHHS) created a one-stop resource that provides up-to-date guidance to aid compliance with both federal and payor-specific reimbursement requirements.


Privacy and security rules apply to telemedicine. Providers must safeguard protected health information (PHI) and supply required disclosures to patients. For example, notice of privacy practices should denote telehealth services. The DHHS Office of Civil Rights (OCR) has issued a Notification of Enforcement Discretion to empower covered health care providers to use widely available communications applications without the risk of penalties, which can be found here. Because of this ruling, non-public facing video chat applications such as FaceTime, Zoom and Skype may be used. Non-public facing applications like Facebook Live and Twitch are not approved for use with telemedicine care.

Recommendation: Use this time and relaxed enforcement discretion to perform a self-audit of telemedicine practices. The Federation of State Medical Board model policy can be helpful in this endeavor.

6. The Standard of Care and Malpractice Insurance Coverage

The same duty of care that applies to in-person care applies during telemedicine sessions. The potential exists for claims of delayed or missed diagnosis of conditions that would have been assessed during in-person visits. Potential situations illustrate the reality that telemedicine care is not always a substitute for in-person care.

Another area of potential concern is medical malpractice insurance coverage. In general, malpractice insurance carriers support telemedicine care. However, many carriers have policy language referencing the amount of care, whether an established patient relationship is required before providing telemedicine care, and whether or not care can be provided across state lines. Some carriers may even be silent with respect to telemedicine care.

Tort caps do not cross over state lines. It is essential to understand a state tort cap will not cover a provider who is based in a tort cap state, if they treat a patient via telemedicine in a state that does not have a tort cap. As a reminder, the provider must be licensed in the state where the patient resides

Recommendation: Ensure that thorough documentation of the telemedicine care is provided. The American Medical Association has a document that outlines each state’s definition and requirements of a physician-patient relationship via telemedicine. Institutions should review medical staff by-laws and credentialing processes with medical staff leadership and consider revising by-laws and processes to incorporate the use of telemedicine care.

Care should be taken to ensure that administration of medication and controlled substances maintains or improves upon in-person medication management. If evaluation of a patient through a telemedicine platform proves less effective than in-person care, mitigate the risk by arranging an in-person appointment.


The sudden and rapid adoption of telemedicine on a broad basis is a welcome event in the medical community, yet it is not without risks for medical providers and health systems. Vendor relationships, use of advanced practice providers, adherence to state licensure and regulations, reimbursement requirements, compliance with HIPAA regulation, and knowledge of standard of care and malpractice insurance coverage are essential steps providers should take to protect themselves and patients from risks inherent to the delivery of telemedicine care. With proper documentation, compliance and care practices in place, the move toward telemedicine care can be a positive development for all parties.

Our Leaders

Ellen Rensklev Headshot
Ellen Rensklev

Principal & Risk Consultant Edgewood Healthcare Advisors

Trent Sullivan Headshot
Trent Sullivan

Principal - Hartford, CT