Not only can you purchase items or vote in a national election through a smartphone, but you can also consult a doctor and receive treatment. 

That tech-fueled health care convenience is telemedicine, an industry with no specific data privacy or cybersecurity regulations governing it. But that doesn't mean it's completely under the radar—perhaps the opposite. Indeed, the telemedicine space is potentially under the scope of multiple federal and state laws that force service providers into a complicated compliance juggling act. 

"There's not a body of telemedicine laws, but for the vast majority of instances we are interpreting laws for face-to-face encounters to how they apply to the telemedicine space," said Hall, Render, Killian, Heath & Lyman attorney Michael Batt, whose practice includes advising clients on telehealth and telemedicine issues.

Those privacy and cybersecurity laws include the Health Insurance Portability and Accountability Act (HIPAA), although a telemedicine company doesn't automatically fall under HIPPA's scope.

For instance, if the telemedicine company is billing third-party insurance companies or Medicaid or Medicare, they would be directly regulated by HIPAA as a covered entity, said Foley & Lardner cybersecurity senior counsel Jennifer Hennessy.

Secondly, a telemedicine organization could fall under HIPAA's scope if "the actual technology platforms that often supports these [services] in telemedicine could be regulated as a business associate," she noted. Under the HIPAA Privacy Rule, covered providers and health plans can disclose protected health information to "business associates" that safeguard the information and meet other requirements, according to the U.S. Department of Health & Human Services.

Still, if a telemedicine provider can avoid HIPAA, Section 5 of the Federal Trade Commission Act could easily apply if the FTC finds the company's terms of use or privacy notices weren't followed through, Hennessy added.

But the federal regulations that can possibly entangle a telemedicine organization's data collection and safeguarding procedures doesn't end there. Epstein Becker & Green health care and life sciences member Alaap Shah noted if a telemedicine product is a medical device, it would fall under the U.S. Food & Drug Administration's purview.

Likewise, telemedicine's data privacy and cybersecurity habits are also targeted by state regulators. If patients are spread across the country, 50 different data breach laws could apply.

"If there's a data breach, you have to look at the requirements of each state. You can't just rely on the location of the provider but the location of every patient and what rights the patient has under each structure," Hall Render's Batt explained.

Staying compliant with various regulations can be complicated, lawyers said, and maintaining cybersecurity is also difficult for a practice that relies on an internet connection filled with potential bad actors.

"It's a challenge to make information easily accessible to providers while at the same time managing a cybersecurity infrastructure that protects that information, but that's general health care, it's not unique to telemedicine," Blatt said.