Abstract

In this arena, several different legal frameworks apply, depending on the type of information involved with the telehealth services being provided, and by whom, including: * the Health Insurance Portability and Accountability Act of 1996 (HIPAA); * the Family Educational Rights and Privacy Act (FERPA); * the Telephone Consumer Protection Act (TCPA); * federal laws and regulations governing the confidentiality of alcohol and drug abuse treatment records (42 C.F.R. Part 2); * state laws and regulations related to the confidentiality of health information (including mental health, HIV/AIDS, and genetic information); and * international laws and regulations, including those regarding data transfers. In other words, just by nature of being held by a HIPAA covered entity or business associate, an email address, IP address, Social Security number, account number, phone, address, etc., is protected health information.1 Covered entities and business associates must facilitate individual rights to their protected health information and must implement privacy and security controls to ensure the confidentiality, integrity, and availability of such information. According to the FCC: 1. [...]communications to individuals without express written consent under the TCPA should be limited to those specifically related to their treatment by health care providers, and those related specifically to COVID-19 issues identified by health care providers and for public health purposes. 42 C.F.R. Part 2_ The 42 C.F.R. Part 2 regulations ("Part 2") protect patient information created by federally assisted programs for the treatment of substance use disorders ("Substance Use Disorder Programs").