Tip: Private payers may have different rules, too. Whether you realize it or not, many of the state privacy laws dealing with telehealth services are much more stringent than HIPAA. And that’s why it’s a good idea to review your state’s regulations before you write up your compliance plans during this COVID-19 expansion. Providers must also look to another authority which may have stricter requirements, remind attorneys Rebecca Schaeffer and Cheryl Choice with law firm K&L Gates in online analysis. “Telehealth is heavily regulated by state law, and providers should ensure that they are meeting all state requirements prior to initiating telehealth services.” “Many states impose licensure, technology, consent, or other procedural requirements. Unless waived by state agencies, these state laws must also be considered before launching telehealth services,” warns attorney Kim Stanger with Holland & Hart LLP in the firm’s Health Law blog. Also, don’t take the HHS Office for Civil Rights (OCR) statements on privacy and security as carte blanche to ignore HIPAA requirements. “While these OCR pronouncements give covered entities some additional flexibility, it is limited, and overall HIPAA requirements continue to apply,” Schaeffer and Choice caution. Heads up: Not only should you be checking in with your Medicare Administrative Contractor (MAC) and state boards, but you may want to revisit private payer telehealth policies, too, urges Stanger. “Absent state laws to the contrary, whether private payers will pay for the telehealth services generally depends on the payer contracts. Accordingly, just because a provider may render services via telehealth does not necessarily mean that the provider will be paid for such services,” he says.