
Ask An Attorney: Digital Health Legal Considerations

  • Writer: Ericka B. Elliott
  • Sep 2

Q: What is digital health and what are some benefits for my practice?


A: Digital health includes the use of various electronic technologies to enhance patient care, streamline clinical workflows, improve patient engagement, and predict and improve health outcomes. It includes multiple means for furthering these objectives, including electronic health records (EHRs), telehealth/telemedicine, patient portals, digital diagnostic tools, clinical decision support systems (CDSS), mobile health (mHealth) apps, electronic wearables/monitors, and artificial intelligence and predictive analytics tools. 


Use of digital health technology can improve internal efficiency in a health care provider’s office by reducing paperwork and providing quick access to data, enhancing communication between the provider and patient, and enhancing care coordination where a patient treats with multiple providers. It can also result in greater patient engagement because patients can track their health and interact with their care team conveniently.


Q: What are some legal issues with digital health?


A: While digital health has many benefits, it presents a few legal issues for consideration. The list of issues outlined below is not exhaustive but serves as a starting point for providers. 


Privacy: HIPAA, New York SHIELD Act, and the NY HIPA

First, providers must still comply with HIPAA and the New York SHIELD Act. Under HIPAA, providers must safeguard protected health information (PHI). However, telehealth, EHRs, and mHealth apps create more endpoints for potential data breaches. Health care providers must be careful to ensure that these platforms are secure. If a provider does business with third parties, the provider must have a Business Associate Agreement (BAA) in place if there is reason to believe that PHI may be disclosed to the Business Associate (BA). Further, HIPAA still requires providers to obtain informed consent before disclosing PHI.


Similarly, the New York SHIELD Act applies to any business, including health care providers, that keeps personal information of any New York residents. The Act requires providers to maintain reasonable administrative, technical, and physical safeguards for data, and to notify patients in the event of a data breach.


In 2025, the New York Legislature passed NY HIPA (General Business Law Article 42), which awaits the Governor’s signature and is not yet law. The bill imposes restrictions on the use and storage of consumer health data and is intended to cover businesses that collect consumer information but are not covered under HIPAA.

 

Telehealth

Licensing and Scope of Practice. New York law generally requires telehealth providers to be licensed in the state if they are treating New York residents, and providers are required to adhere to a standard of care as if the visit were conducted in person. 


Reimbursement. Public Health Law § 2999-dd requires insurance companies and Medicaid to reimburse providers at the same rate as in-person services, even if the appointment or service is conducted remotely. Additional legislation to expand coverage is pending.


Prescription of Controlled Substances. In May 2025, new rules went into effect to preserve the in-person requirement for the prescription of controlled substances, with a few exceptions, including where a recent in-person examination was conducted in the 12 months prior, where another provider in the same practice is temporarily covering and the provider consults with the original prescriber, or where there is an emergency. The prescriber, however, must still comply with DEA and DOJ rules governing controlled substances.


Unauthorized Practice of Medicine

New York law expressly prohibits corporations from practicing medicine, except where providers form a professional corporation or professional service limited liability company. If a digital health company offers its services in New York, the care must be delivered by a licensed professional under the appropriate corporate structure; non-clinicians cannot control or make clinical decisions.


Billing and Fraud

Telehealth and remote services must adhere to strict documentation and billing rates. Overbilling and upcoding are heavily monitored. Providers must comply with Medicaid and telehealth rules, and any insurance panel policies.


Employment and Workplace Privacy Issues

If digital health tools are used, such as to monitor staff health through COVID questionnaires or biometric scanners, the practice must comply with the New York Civil Rights Law, Labor Law § 203-c (which protects employee privacy and prohibits employers from making video recordings of employees in private areas absent court order), and the Electronic Monitoring Disclosure Law (requiring employers to notify employees about any electronic monitoring of their internet, email, or telephone usage).


Reprinted with permission from the August/September 2025 issue of The Bulletin from the Monroe County Medical Society and available as a PDF file here.


Ericka B. Elliott is a Partner in Underberg & Kessler LLP’s Health Care and Litigation Practice Groups. She helps health care providers navigate the ever-changing world of health care compliance and can be reached at eelliott@underbergkessler.com or 585.258.2830.

 
