TechHealth Perspectives

STRATEGY, ANALYSIS, AND COMMENTARY ON CURRENT AND NEW HEALTH TECHNOLOGIES

Telemedicine, State Boards and the Supreme Court

I have examined on this blog the various legal and regulatory issues implicated by telemedicine. Many of those issues involve the practice of medicine and how state medical boards interpret state laws and regulations impacting telemedicine, and how those boards enforce those laws. Believe it or not, a recent Supreme Court case may have an impact on how state boards do their business.

On February 25, 2015, the Supreme Court of the United States held that the North Carolina Dental Board (“Board”) was not insulated from federal antitrust liability under the so-called “state action” doctrine when it engaged in anticompetitive conduct to restrain non-dentists from performing teeth whitening services.  While the North Carolina case involved a dental board’s attempt to restrict activities of non-dentists, the Court’s opinion has broader implications for how states regulate and supervise professional boards—such as state medical boards.  Ultimately, the Supreme Court decision illustrates how an individual or entity, subject to perceived over-regulation by a professional board, might mount a defense by scrutinizing whether the board meets the “state action” requirements to be insulated from liability for anticompetitive regulatory actions.  Please click here to read the full EBG Client Alert.

FTC Focus on Privacy

At the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission (“FTC”) was clear in its message that privacy was a top priority for the agency.  The FTC had a strong presence at the conference.  Three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) all spoke at the conference and relayed a message of the importance of consumer privacy and security.  In that regard, the FTC speakers stressed the importance of:

  • informing consumers of the collection of consumer information;
  • informing consumers how such collected information will be used; and
  • providing strong safeguards for information collected.

The FTC speakers also announced that the FTC will begin a new security campaign to engage businesses of all sizes in understanding the importance of securing consumer information. The FTC speakers also emphasized the FTC’s concern and focus on the collection of health information by organizations that are not covered under HIPAA (for example, organizations developing wearable devices or other consumer-driven apps). Given the tenor of the discussions, there is no question that the FTC will continue to make privacy enforcement a top priority. As a result, device manufacturers, pharmaceutical manufacturers, and mobile health developers should remember to think beyond HIPAA when they think of U.S. privacy compliance. For a listing of prior privacy enforcement actions by the FTC, see https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.

Telemedicine and Employers: The New Frontier

As we have explored a number of times on this blog, telemedicine has gone mainstream.  The more recent development is that employers seem to be paying more attention now. The numbers speak for themselves. A recent Towers Watson study focusing on employers with at least 1,000 employees concluded that U.S. employers could save up to $6 billion per year if their employees routinely engaged in remote consults for appropriate medical problems instead of visiting emergency rooms, urgent care centers, and physicians’ offices.

Attitudes towards telemedicine more generally in the United States also have undergone a significant shift:

  • 74 percent of consumers would use telehealth services given the opportunity;
  • 76 percent of patients prioritize access to care over the need for human interactions with health care providers; and
  • 70 percent of patients are comfortable communicating with their health care providers via text, e-mail, or video, in lieu of seeing them in person.

Just as significantly, telemedicine is increasingly viewed as an efficient and cost-effective care delivery vehicle, due to several factors: i) a health care system transitioning from fee-for-service to one where reimbursement is closely tied to quality and patient outcomes; ii) an increase in the use of integrated delivery models such as accountable care organizations and medical homes; and iii) the relative ubiquity of sophisticated health care technologies.

Employers, in particular, are paying close attention to developments in telemedicine for another reason: the looming “Cadillac Tax.”  Starting in 2018, a 40 percent excise tax will be imposed annually on health plans with premiums exceeding $10,200 annually for individuals and $27,500 annually for families. Given this impending tax, employers are looking for efficient ways to cut their employee health care costs. Telemedicine has become an extremely viable option for several reasons:

  • Many employees hesitate to take time off work and to pay the copayments associated with physicians’ visits, particularly for ailments perceived as minor.
  • Many employees forgo physician visits entirely, causing relatively minor health issues to sometimes escalate into costly conditions.
  • Although some employers have established onsite clinics where employees can receive sick care and preventive care services, there are high costs associated with creating these clinics.

According to the Towers Watson study, only about 20 percent of U.S. employers offer telemedicine services to employees today, but nearly 40 percent of employers surveyed said that they plan to offer access to such services in 2015, while 33 percent are considering offering access to telemedicine services within the next three years. It is clear to see why. Effective use of telemedicine services could eliminate 15 percent of physician office visits, 15 percent of emergency room visits, and 37 percent of urgent care visits. This all results in significant savings to employers that cover any part of the costs of their employees’ health care.

Employers considering the inclusion of telemedicine services in their employee benefit offerings should pay attention to some significant, but not insurmountable, legal and regulatory issues implicated by the use of telemedicine. In brief, those issues include:

  • Licensure: State licensure laws are a major stumbling block to the interstate practice of telemedicine. With limited exceptions, providers must be licensed in every state in which they intend to practice medicine (location of patient and the provider), and each state has its own licensure requirements. This tension creates a patchwork of inconsistent laws. The Federation of State Medical Boards has developed an Interstate Medical Licensure Compact that would facilitate license portability and the practice of interstate telemedicine. Mid-level practitioner organizations are working on their own compact proposals.
  • Physician-Patient Relationships: Among the factors required by states to establish a physician-patient relationship is an evaluation or examination of the patient by the treating physician. This is especially important when the treating physician is prescribing medications for the patient. States have different requirements that must be met in order for a proper examination to have occurred.
  • Privacy & Security: Numerous privacy and security issues are implicated by the use of telemedicine technologies, including compliance with federal and state privacy and security standards, data management, data sharing (and management responsibility for such sharing) with other providers, and data storage.
  • Medical Liability: Adapting existing principles of medical malpractice liability to telemedicine is a challenging task, especially regarding what constitutes the applicable “standard of care.”
  • Fraud & Abuse: Telemedicine arrangements must comply with federal and state health care fraud and abuse laws, including anti-kickback statutes and/or physician self-referral prohibitions.

Employers seeking to access the telemedicine market must carefully assess the legal and regulatory requirements, and limitations, of any potential arrangements.

The Lenovo/Superfish Scandal: What You Need to Know

Reports in the last week stated that the computer manufacturer Lenovo had preloaded software onto various lines of computers which critically compromised cybersecurity. The software in question is a product called Superfish Visual Discovery, a program generally designed to replace advertisements seen while browsing the Internet with ads provided by Superfish. However, the method of implementation opens up a universe of potential problems.

What Does Superfish Do?

Superfish is designed to replace Internet advertisements with advertisements provided by its sponsors. In order to do this, Superfish installs its own signed root certificate to the operating system. Furthermore, the Superfish certificate key being used is the same across all the affected systems.

What Does This Mean?

Secure browsing is based on a system of certificates. When you look up any website starting with https://, you are loading a secure website whose identity is verified using a certificate, usually validated by a third party. Normally, sites claiming to be secure that are not will trigger warnings from your browser. Superfish installs its own certificate and functions as a Man in the Middle, injecting its own content into the ostensibly secure connection between your computer and the secure website.

Because the certificate key used by Superfish is the same across all affected systems, it is easy to exploit that certificate to attack systems with the software installed. Reports indicate that people have been able to decrypt all data sent by HTTPS, including passwords, using this exploit.
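
Because the software works by adding its own root certificate to the operating system, an administrator can look for that root directly in the Windows trusted-root stores. The PowerShell below is an added example, not code from the original post or from Lenovo; it assumes the certificate's subject or issuer name contains the string "Superfish", and the function name `Find-RootCertByName` is hypothetical.

```powershell
# Added example: list trusted-root certificates whose subject or issuer
# matches a name. Assumption: the root installed by the software carries
# "Superfish" in its subject or issuer name.
function Find-RootCertByName {
    [CmdletBinding()]
    param(
        # Literal text to look for in the certificate names.
        [string]$Name = 'Superfish',
        # Root stores to inspect: machine-wide and the current user's.
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )

    # Escape the name so it is matched literally, not as a regex.
    $pattern = [regex]::Escape($Name)

    foreach ($store in $StorePath) {
        if (-not (Test-Path -Path $store)) {
            Write-Warning "Store not found: $store"
            continue
        }
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    # A root certificate normally names itself as issuer.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

# Run the check and summarize the result for the operator.
$hits = @(Find-RootCertByName)
if ($hits.Count -eq 0) {
    Write-Output 'No matching root certificate found in the inspected stores.'
} else {
    $hits | Format-List
    Write-Output "$($hits.Count) matching root certificate(s) found; treat this machine as affected."
}
```

This inspects only the Windows certificate stores; applications that maintain their own trust store are not covered by it.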

Which Computers Are Affected?

Lenovo has published information containing a list of affected computers. The affected computers are non-ThinkPad laptops manufactured between September 2014 and February 2015. ThinkPad laptops, desktops, and smartphones are unaffected. Enterprise systems (e.g., servers and storage) are also safe.

Even if your organization has computers on the list of affected products, your organization may be safe. Generally, your IT department should be installing a clean version of Windows or an organizational system image on any new computer before it is brought into your network ecosystem. If your IT department does not do this, or your organization allows personal computers to perform work functions, you may be at risk.

Another potential issue is remote access. If anyone with remote access was using an affected computer, the user’s logon information potentially could have been compromised.

How Do We Remove Superfish from Affected Systems? 

The easiest and most secure way to ensure the removal of any issues is to install a clean copy of Windows on the affected computer. This should not be the backup copy provided by Lenovo, as that copy will still have Superfish. However, reinstalling Windows will cause you to lose any data on the computer. If you need to keep the data on the computer or otherwise cannot back up the data, a good guide on how to uninstall Superfish without reinstalling Windows can be found at ExtremeTech.

What Else Should We Do?

If your organization does not install a clean version of Windows or an organizational system image on new computers, you should put into place a procedure ensuring that all new computers get a fresh install of Windows or a fresh system image prior to introducing them to the network.

Because your employees may potentially have used an affected computer for remote access, you should identify any employees who have used Lenovo computers for remote access in the past six months. Those users should have their credentials changed as a precautionary measure.

CMS Hosts MLN Connects National Provider Call to Review New CCM CPT Code

Providers, take note: the Chronic Care Management (CCM) CPT Code 99490 is now payable by the Centers for Medicare & Medicaid Services (CMS). Effective January 1, 2015, the Medicare program began making payments under the Physician Fee Schedule (PFS) for certain non-face-to-face management and care coordination services provided to beneficiaries covered under the traditional Medicare fee-for-service program. CCM services include, but are not limited to, development and maintenance of a plan of care, communication with other treating health care professionals, and medication management. In order to be eligible for CCM services, beneficiaries must have two or more chronic conditions, expected to last at least 12 months or until the death of the beneficiary. Claims for CCM services are payable on a monthly basis, must include at least 20 minutes of qualifying services, and are subject to beneficiary coinsurance and deductibles. Information on the availability of CCM services must be conveyed to the beneficiary through a face-to-face visit and the beneficiary must consent to receiving such services. Only one Medicare provider can provide and be paid for CCM services provided to an individual beneficiary during each calendar month.

CMS hosted an MLN Connects National Provider Call on February 18, 2015 to review the requirements for physicians and other practitioners to properly bill the new CCM CPT code. During the call, titled “Chronic Care Management Services: CY 2015 Medicare Physician Fee Schedule,” CMS provided an overview of the requirements for physicians and other practitioners to bill using CPT code 99490. CMS discussed the eligible beneficiary population for CCM services, the scope of CCM services, the Medicare providers who are eligible to provide CCM services (including on an “incident to” basis), and how CCM services might overlap with current demonstration and other initiatives by CMS. CMS noted that portions of the CCM requirements were finalized in two different PFS final rules, some in the CY 2014 final rule and the remainder in the CY 2015 rule. This overview was followed by a robust question and answer session, which provided some of the most interesting takeaways:

  • CMS has not established a specific list of chronic conditions that would be covered by the new CCM CPT code. CMS suggested referencing the Chronic Conditions Data Warehouse[1] to identify possible chronic conditions, but cautioned that use of the CCM CPT code would not be limited to the conditions identified therein. According to CMS, until such a time when more prescriptive restrictions could be established, the only limitations with regard to eligible chronic conditions are those outlined in the CPT code description itself.
  • Beneficiary consent to receive CCM services remains effective until withdrawn, even if the provider is not able to or otherwise does not bill for the CCM services for a period of time.
  • CMS is deferring to the Medicare Administrative Contractors (MACs) many of the specific billing questions about which participants inquired during the call, including how to capture place and date of service details, how to document time spent performing CCM services, and whether time spent by Certified Medical Assistants can count toward the 20 minutes required per calendar month to bill for CCM services.

CMS recently published a new Fact Sheet regarding CCM services (ICN 909188). The Fact Sheet will be a helpful resource for providers seeking to utilize the CCM CPT code and other interested stakeholders, as it covers much of the detail discussed during the CMS call and includes a helpful table that illustrates the alignment between the CCM scope of service elements and billing requirements with the certified Electronic Health Record (EHR) or other electronic technology requirements.

So have the MACs weighed in yet regarding the use of new CPT code 99490? Stay tuned for our next post, in which we will “consult the MAC” to see what helpful guidance, if any, they have provided to date.

[1] Chronic Conditions Data Warehouse, https://www.ccwdata.org/web/guest/home.

 

Prescribing and Telemedicine: The “Physical” Exam

As so many of you know, the barriers to the wider adoption of telemedicine are numerous.  In listening to various stakeholders in the telemedicine space over the years, I consistently hear the same barriers being discussed:

One issue, however, that gets short shrift in my view is the issue of online prescribing—an issue that presents as formidable a barrier to the wider adoption of telemedicine as any other.  Before I take a deeper dive, I should mention that by online prescribing I do not mean e-prescribing, which generally refers to the issuance of a prescription electronically instead of in written form.  What I mean by online prescribing is physicians prescribing medications to patients via a telemedicine visit when the physician has never had an in-person encounter with the patient. Instead, the physician relies solely on information obtained through the telemedicine encounter.

Generally, and unless one of a very limited number of exceptions applies, states require that a physician first establish a valid physician-patient relationship before he or she may prescribe for the patient. In most states, a physical examination or evaluation of the patient is one of the requirements to be met in order to establish that relationship. But just what constitutes a valid “physical examination” varies from state to state. As you might imagine, this is critical in telemedicine because in many cases, telemedicine providers will be unable to physically examine or evaluate new patients in-person or face-to-face. States address the issue in a variety of ways, which has predictably led to a patchwork of sometimes inconsistent state laws.

In-Person Physical Exam

Some states explicitly require an in-person examination or evaluation before a physician may engage in online prescribing for a patient. Under Arkansas law, for example, in the absence of a prior and proper patient-practitioner relationship, a physician must perform an in-person physical examination of the patient adequate to establish a diagnosis and to identify underlying conditions or contraindications to the treatment recommended or provided.

Physical Exam

Other states, while requiring a physical examination or evaluation, do not explicitly use terms such as “in-person” or “face-to-face” to describe the exam. Many have taken that to mean that the physician must have an in-person encounter with the patient—a very reasonable conclusion in my view—and one shared by most medical boards with which I speak. Some observers, however, have concluded that because the requirement in these states is not as explicit as it is in other states (e.g., Arkansas), a reasonable argument can be made that a physical examination may occur by electronic means—especially if the examination results in the same information being obtained had the exam occurred in-person. This is a gray area that will likely become clearer as many states re-examine their telemedicine standards.

Physical Exam by Other Means

Significantly, there are a number of states that explicitly allow physical examinations or evaluations to be performed by electronic means or via telemedicine technologies. For example, in Maryland, if no prior in-person, face-to-face interaction with a patient has been done, a physician may “incorporate real-time auditory communications or real-time visual and auditory communications to allow a free exchange of information between the patient and the physician performing the patient evaluation.”  In Virginia, a physician must perform an examination of the patient “either physically or by the use of instrumentation and diagnostic equipment through which images and medical records may be transmitted electronically.”  Hawaii, New Mexico, and a handful of other states take a similar approach. 

Model Policy

Given the various approaches, what is a telemedicine provider to do? Some help is on the way.  The Federation of State Medical Boards, a national organization that represents 70 medical and osteopathic state medical boards in the United States, has developed the “Model Guidelines for the Appropriate Use of the Internet in Medical Practice” which among other things addresses the issue of prescribing head on:

  • Prescribing. If using telemedicine technologies, where prescribing may be contemplated, providers must implement measures—left to the discretion of the physician—to uphold patient safety in the absence of traditional physical examination. Measures should guarantee that the identity of the patient and provider is clearly established. To assure patient safety in the absence of physical examination, telemedicine technologies should limit medication formularies to those considered safe by the state medical board.

Some states have adopted the FSMB’s Model Policy in whole or in part. It is my hope that many more states will adopt the Model Policy as it represents a very positive step in the right direction toward harmonizing the disparate, inconsistent, and often confusing patchwork of state laws governing online prescribing. 

Telemedicine Has an Unlikely Ally: The FTC

As a lawyer practicing in the telemedicine space, I am rarely surprised these days.  But every once in a while I will read or hear something that stops me in my tracks. That is exactly what happened when I read a blog post by an FTC Commissioner which, among other things, calls for government policies that help facilitate greater adoption of telemedicine.  The post was part of a broader piece about the FTC’s role in promoting competition and innovation in health care.

By way of quick background, the Federal Trade Commission is the federal agency charged with protecting consumers and promoting competition, which includes challenging anticompetitive business practices.  The agency has been active in the health care sector, challenging several hospital and physician practice mergers. In an effort to highlight some of the FTC’s non-enforcement efforts, one of the agency’s five commissioners, Maureen Ohlhausen, wrote a blog post touting the agency’s advocacy efforts in the health care arena, and specifically highlighted how the FTC’s competition policy could help facilitate greater proliferation of telemedicine.

Among the highlights in the post related to telemedicine:

  • Telemedicine can reduce costs and increase access to care, but such advantages often run afoul of state professional licensing schemes that were developed to regulate local medical practices.
  • The variation in state licensure and other requirements continues despite “the fact that the core entry requirements for physicians are essentially uniform across the U.S”.
  • Legacy statutes and regulations are barriers “to the efficient flow of health care information and expertise and, indeed, specialized labor — barriers that can be costly to public and private payers and, in the end, individual patients,” without necessarily offering better consumer protection benefits.
  • Lawyers and policymakers need to creatively address ways to lower barriers without sacrificing the good in state regulations.
  • It is critical that policymakers “approach new technologies with a dose of regulatory humility” and should educate themselves about technological innovation, and:
    • Understand its effects on consumers and the marketplace;
    • Identify benefits and likely harms, and;
    • If harms do exist, consider whether existing laws and regulations sufficiently address the issues before assuming that new laws would be required.

Ms. Ohlhausen goes on to call for the FTC to use its policy research and development tools to better understand innovative technology, new business models facilitated by the new technology, and the likely risks and benefits for consumers.  More significantly, Ms. Ohlhausen also challenges the agency to educate itself “about undue impediments to innovation and competition” while also using its authority to enforce against harm to consumers from the use of new health information technology vehicles.

I can only applaud Ms. Ohlhausen’s approach.  It is encouraging to see a policymaker acknowledge the role regulations may play in stifling innovation and call for government agencies to find creative ways to lower barriers while balancing consumer protection.  I only hope other regulators follow Ms. Ohlhausen’s lead.


New Jersey Law Requires Encryption of Personal Information

On January 9, 2015, New Jersey Governor Chris Christie signed new legislation that will require health insurance carriers authorized to issue health benefits plans in the state—including insurance companies, health service corporations, hospital service corporations, medical service corporations, and health maintenance organizations—to encrypt personal information. Triggered by a series of data breaches involving the health information of almost a million residents, Senate Bill No. 562 (“SB 562”) was passed unanimously by both houses of the state legislature and will take effect on August 1, 2015.

Under SB 562, health insurance carriers will be prohibited from maintaining computerized records that contain personal information unless the information is “secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” The use of a password protection program that prevents general unauthorized access will not suffice to meet the encryption requirement. “Personal information” is defined as an individual’s first name or first initial and last name linked with at least one of the following: (1) Social Security number, (2) driver’s license number or state identification card number, (3) address, or (4) identifiable health information.

The law applies only to end user computer systems and computerized records transmitted across public networks. “End user computer systems” include desktop computers, laptop computers, tablets and other mobile devices, and removable media.

The requirement to encrypt makes the New Jersey law stricter in this regard than the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), under which encryption of electronic protected health information (“ePHI”) is an addressable specification. Nonetheless, given that encrypted ePHI is exempt from HIPAA’s breach notification requirements, it is considered a best practice to encrypt ePHI.

Violation of New Jersey’s encryption mandate will constitute a violation of the New Jersey Consumer Fraud Act, which imposes penalties of up to $10,000 for the first offense and up to $20,000 for any subsequent offense. The state Attorney General may also issue cease-and-desist orders to violators and award treble damages and costs to affected individuals. Given these potential penalties, health insurance carriers in New Jersey should carefully review their policies and procedures and ensure compliance with the new law.

A Telehealth Tutorial: The Promise of Telehealth

As telehealth grows and becomes more mainstream, all kinds of questions often arise.  They range from administrative to operational to legal issues. In conjunction with the American Hospital Association, my colleague Amy Lerman and I have co-written two white papers for the American Hospital Association Trendwatch series focusing on telehealth issues. Among other things, the white papers discuss telehealth, operational, legal, regulatory, and policy issues.  The first white paper entitled “The Promise of Telehealth for Hospitals, Health Systems and Their Communities,” focuses on the following:

  • How the terms “telehealth” and “telemedicine” are defined by various stakeholders;
  • Telehealth market trends and drivers of future growth;
  • Various applications of telehealth by hospitals;
  • The benefits of telehealth for hospitals;
  • Payment for telehealth services provided by hospitals; and
  • Various hospital case studies involving telehealth.

The second part of the white paper series focuses on the legal and regulatory issues implicated by telehealth.  You can read the entire first white paper by clicking here. 

President Obama to Announce New Privacy Initiatives in SOTU

The State of the Union Address, scheduled for January 20, 2015, will contain new initiatives related to privacy, White House officials say. The known initiatives are the introduction of a data breach reporting bill, a bill restricting the sale of student information, and a Consumer Privacy Bill of Rights.

SETTING A NATIONAL DATA BREACH REPORTING STANDARD

President Obama is planning on introducing a data breach bill that would standardize the reporting period nationwide at 30 days. The proposed Personal Data Notification and Protection Act would require direct customer notification. The law would also criminalize selling consumer identities overseas.

Presently, most states have their own consumer data protection laws requiring customer notification in the event of a breach. The new bill may preempt stricter state laws such as California’s 5-day window for reporting.

RESTRICTING THE USE OF STUDENT DATA

The White House will also propose the Student Digital Privacy Act, based on a California law passed last September. The main purpose of the bill is to restrict the sale of student data for use unrelated to education as well as restricting targeted advertising based on school-collected data. The bill seeks to restrict commercial uses while at the same time ensuring that outcome-based studies are allowed to continue.

ENACTING THE CONSUMER PRIVACY BILL OF RIGHTS

In 2012, the White House revealed plans for a Consumer Privacy Bill of Rights. This white paper laid out a set of seven guiding principles for consumer privacy (see Appendix A of the linked PDF). After receiving and incorporating suggestions during the last three years, the President will reportedly ask Congress to enact a revised Consumer Privacy Bill of Rights into law. The bill would ensure more control over personal data for individuals, more closely in line with the rules in place in the European Union.

STAY TUNED FOR UPDATES

As more information is released regarding the President’s privacy and security plans, we will cover it here, so check back in the coming days.