TechHealth Perspectives

STRATEGY, ANALYSIS, AND COMMENTARY ON CURRENT AND NEW HEALTH TECHNOLOGIES

Mobile Privacy & the FTC Act: Advice for Health Technology Companies


In the healthcare industry we often associate information privacy and security enforcement with HIPAA and state privacy laws.  However, a lesser known but in some cases just as significant regulator of information privacy is the Federal Trade Commission (“FTC”). This is especially true with regard to mobile health applications, which, depending on how they function and collect personal information, may not be regulated by HIPAA.  Regardless of whether or not you have to comply with HIPAA, if you run applications or software that can access personal information, then the FTC’s privacy requirements should also be on your radar.

The means by which the FTC regulates privacy is the FTC Act, a consumer protection law that gives the FTC authority to go after “unfair or deceptive acts or practices” in or affecting commerce.  An unfair practice is a practice that is likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The FTC is becoming more aggressive in its application of the FTC Act against mobile and information technology companies, wringing settlements from companies such as Google and Facebook, but also filing enforcement actions against smaller entities for data breaches and inappropriate privacy practices. In February 2013, for example, the FTC announced a settlement with Path, Inc. (“Path”), a social networking application available as an app. Path gave its users three options to search for additional friends to invite to join Path.  One of these options was to allow Path to browse through the user’s mobile device contacts; the others were to search Facebook, or to allow the user to send SMS messages to friends. No matter which option the user selected, Path searched through the user’s mobile contacts and stored the information, which included names, addresses, birthdays, etc., on Path’s servers.  By contrast, Path’s privacy policy stated that Path only collected its users’ IP addresses and assured users that Path protected their privacy. The FTC alleged that this discrepancy constituted an unfair and deceptive trade practice because Path’s users were not presented with any meaningful choice regarding how much information was collected and were deceived by the company’s practices, which contradicted its privacy statement.

Also in February 2013, the FTC reached a settlement with HTC America, Inc. (“HTC”), a manufacturer of mobile phones.  The FTC alleged that HTC engaged in unfair security practices when the modifications it made to the operating systems of its devices created security vulnerabilities. Specifically, HTC’s modifications allowed certain applications already on a user’s device to download other applications without the user’s consent. HTC also failed to deactivate the “debug” code on its devices, which meant that HTC devices could record and make logs of each user’s internet activity and make those logs available to HTC, or to any application on the user’s device with permission to read the logs.  Again, the FTC charged HTC with misleading representations because HTC’s user manuals and mobile device interfaces suggested that consumer data would not be disclosed to third parties without consumer permission.

Some insights on the FTC’s approach to privacy can be distilled from these two enforcement actions.  First, the FTC expects companies to provide users with meaningful choices in the amount of sensitive information that is shared with the company. Default settings should maximize privacy protections.  Second, the FTC appears to be taking the position that the FTC Act allows it to determine appropriate security standards for mobile devices, and that it expects companies to provide users with technically secure products.  Applications or devices that are unreasonably susceptible to unauthorized third-party manipulation could be considered unfair trade practices. Finally, and perhaps most importantly, the FTC may consider a company’s failure to comply with its stated privacy policies as misrepresentation and a deceptive trade practice.

If you are an mHealth company with access to personal information, at a minimum you should have privacy and security policies in place and be taking steps to ensure that you are not engaging in activities that violate your own policies.

Telehealth and Standards of Care


While telehealth technology advances, unresolved legal issues continue to deter wider adoption of telehealth as a means of delivering health care services. One issue that telehealth providers must consider is the standard of care that applies in telehealth encounters. Generally, a plaintiff in a medical malpractice suit must prove, among other things, that the provider breached the standard of care. Therefore, knowing what standard of care applies is critical for any telehealth provider that wishes to insulate itself from potential malpractice liability.

In traditional medical malpractice cases, the standard of care may be either a local or a national standard. Under the locality rule, which some states follow, provider liability is measured against local custom; the locality used as the reference point may be the provider’s community or the entire state. Other states compare the provider’s conduct to prevailing national practice instead. In telehealth encounters, where the provider and patient are in separate locations, an issue arises as to which community – that of the patient or the provider – should be used as the point of comparison. Moreover, under the locality rule, telehealth providers that provide health care to patients in multiple communities across the country (or even the world) would be burdened with having to adhere to multiple standards of care.

There is also a web of state law and guidance addressing telehealth standards of care. Many states, such as California and New York, see telehealth as a tool in medical practice, not a separate form of medicine, and clarify that the standard of care is the same whether the patient is seen in person or through telehealth technologies. Specific standards may also exist that affect the prevailing standard of care. For example, many states require verbal consent from the patient prior to a telehealth consultation.

Another development to keep in mind is that the use of available telehealth services could eventually become part of the standard of care. In recent years, patients have filed lawsuits against providers for not providing telehealth services. These patients claimed that they were harmed because the providers failed to use widely available telehealth technologies. As telehealth gains more widespread acceptance, we may see more and more providers held liable for not providing telehealth services.

Telehealth providers should become familiar with these issues to help limit liability. There is currently very little case law involving malpractice in the telehealth context, creating some uncertainty as to exactly what providers must do to limit their liability exposure. As the use of telehealth becomes more widespread, we will undoubtedly gain more guidance on what standards of care telehealth providers need to adhere to.

Fallout from Failing to Conduct a HIPAA Risk Analysis


There are many reasons a healthcare entity dealing with protected health information (“PHI”) should conduct a risk analysis.  First and foremost, if conducted properly, a risk analysis should identify PHI-containing systems, assess vulnerabilities of those systems, evaluate and prioritize risks to those systems, and assist in developing mitigation strategies to safeguard the systems.  These ongoing efforts can help ensure adequate protection of patients’ health information.

Second, conducting a risk analysis has been required by HIPAA since the issuance of the Security Rule.  While many healthcare entities did not take this requirement seriously, the passage of the HITECH Act in 2009 increased penalties and enforcement under HIPAA.  Based on enforcement data over the past few years, it is clear that the Office for Civil Rights (“OCR”), the arm of the U.S. Department of Health and Human Services (“HHS”) with enforcement authority under HIPAA, is taking this issue seriously by imposing severe civil monetary penalties on healthcare entities of all shapes and sizes.  In short, OCR’s position is that failing to conduct a HIPAA risk analysis is unreasonable.  The Office has issued guidance on conducting a risk analysis here.

Third, conducting a HIPAA risk analysis is an important process to help healthcare entities understand their security posture in order to prevent data breaches.  Data breaches are a common occurrence largely because healthcare entities are rushing to digitize PHI and adopt a cornucopia of health information technologies to improve efficiencies, reduce costs, and improve outcomes in the healthcare system.  Conducting a risk analysis can prevent the financial and reputational fallout that occurs from losing patient data.

Fourth, HITECH also created another incentive to conduct a risk analysis:  the Electronic Health Record (“EHR”) Incentive Payment program.  To qualify for payments under this program, healthcare providers need to attest to being meaningful users of EHRs.  Part of that attestation under Stage 1 was that an entity conducts a risk analysis.  Over $12.7 billion has been paid to approximately 240,000 providers thus far.  Due to the amount spent to date, the Federal government is now questioning program integrity and seeking to recoup payments from entities if they have falsely attested.  The Centers for Medicare and Medicaid Services (“CMS”) has authority to conduct audits, which it began in 2012.  Thus, any entity that has not conducted a risk analysis, but has received payments under the EHR Incentive Payment program, is at risk of losing those payments.

Fifth, receiving EHR incentive payments without conducting a risk assessment may result in liability under the False Claims Act.  The HHS Office of Inspector General (“OIG”) has become equally wary of fraud and abuse relative to false attestations.  Accordingly, OIG has made this a top priority for 2013, and will likely start to open investigations against alleged false attesters.  This may become a real pain point for healthcare entities because liability can be up to three times the amount of the EHR incentive payment and can lead to exclusions from Medicare or Medicaid.

In short, failing to conduct a risk analysis can result in:

  • OCR enforcement including civil monetary penalties and resolution agreements;
  • Increased risk of suffering data breaches;
  • CMS enforcement to recoup EHR incentive payments; and
  • OIG enforcement under the False Claims Act including liability of up to 3 times the EHR incentive payment and exclusion from federally funded healthcare programs.

Follow me on Twitter: @HealthITLawyers

Telehealth: The Final Frontier (Q&A)


Telehealth is going mainstream. Once limited to rural or remote communities, telehealth is increasingly being used to address critical shortages within many medical specialties (such as dermatology, neurology, radiology, critical care and mental health), and as a more efficient means to provide health care services. Many leading nationally-recognized health care providers, health plans and others have significant telehealth initiatives underway, often in partnership with telecommunications vendors and government entities.  And developments in this space tend to occur at a breakneck pace.  In fact, since our discussion with the Advisory Board, two more states have passed telehealth statutes.

However, significant barriers exist to the use of telehealth, including a fragmented and often outdated regulatory regime (both at the federal and state levels) that prevents many providers, practitioners and health plans from using telehealth as a primary treatment vehicle.  We discussed all of these issues and more in the Q&A with the Advisory Board.

Please click here to read the entire Advisory Board Q&A.

Physically Securing Electronic PHI in a Telehealth Environment


As the technologies used to deliver telehealth services become more complex, telehealth providers as well as other HIPAA “covered entities” have an increasingly demanding role to play in ensuring the security of protected health information (PHI).  To fulfill this role, both telehealth providers and their business associates (such as the information technology companies and data storage providers that support telehealth platforms) must implement not only technical safeguards, but also physical security measures.  From locks, to security guards, to alarm systems, physical security measures are a critical piece of the overall data protection equation.  While physical security may be an obvious concern for organizations that store sensitive data on-site, this topic deserves renewed attention in light of the growing popularity of off-site, cloud-based storage; new regulations; and more aggressive enforcement of Health Insurance Portability and Accountability Act (HIPAA) and state health privacy laws.

Physical security is often overlooked when covered entities are assessing their own privacy and security practices and those of potential business associates. One factor that contributes to this oversight is the increasing number of providers that are choosing to store their PHI off-site (either with a vendor or a vendor’s subcontractor). However, regardless of where PHI is ultimately stored, telehealth providers should always factor physical security into their privacy and security assessments.  Further, providers should consider conducting a physical security inspection of any facility where significant volumes of electronic PHI are stored (including, in some instances, the data centers where information hosted in the cloud is physically stored).  Physical security inspections not only reveal the physical security controls that a facility has in place to protect PHI, they can also be a good indicator of an organization’s overall information security practices. Poor physical security management is often a signal of greater systemic problems, and should lead a provider to think twice about its choice of data storage vendor.

A physical security inspection generally consists of the following five elements:

1) Perimeter Security.  Perimeter security serves as the outermost layer of physical site protection.  Perimeter controls can be natural barriers, such as shrubs, rough terrain, or bodies of water, or artificial barriers, such as gates and fences.  However, perimeter controls are not limited to physical barriers.  For example, facilities may also utilize continuous lighting systems and surveillance cameras to help maintain perimeter security.

2) Facility Access Management.  Important considerations in the area of facility access management include: (1) whether a facility uses a security guard or receptionist to control the flow of entrants into the building; (2) whether an additional guard or receptionist monitors entry into work areas; and (3) whether specific authentication methods (e.g., smart cards, passcodes, etc.) are required to access different areas of the building (e.g., elevators, the server room, work areas, etc.) during and outside normal business hours.

3) Server Room Security.  A physical security assessment also requires an evaluation of the facility’s server room.  As part of this evaluation, attention to the server room’s location is critical.  Specifically, covered entities should note the floor where the server room is located and whether the room is adjacent to windows, water sources, or areas with high public traffic.  Additional factors to consider include whether the server room has its own temperature and humidity controls, whether the servers themselves are kept inside locked racks or cages, and whether the room is equipped with a fire suppression system and/or emergency power shutdown controls.  Along with server room controls, covered entities should also note whether any loose media containing PHI (in paper or electronic form) are kept elsewhere in the facility.  If so, the measures used to protect such media should be recorded.

4) Door and Window Security.  Door and window controls can range from simple locks to sophisticated alarm systems.  In assessing building doors, covered entities should identify which doors open to the outside (and whether such doors automatically lock) and determine whether door frames are permanently mounted to adjoining wall studs.  Door and window materials also warrant consideration (e.g., a window made of standard plate glass versus a glass-clad polycarbonate or laminated glass window).  Additionally, if the facility has an alarm system, the covered entity should determine which doors and windows are alarmed and whether interior surveillance cameras are also used in these areas.

5) Facility Heating, Ventilation, and Air Conditioning (HVAC) and Electrical Systems.  The physical security assessment should include an evaluation of the storage site’s HVAC and electrical systems. Particular HVAC considerations include whether the server room uses an HVAC system that is separate from the rest of the building (this is preferable), whether the server room has a positive pressure air system, and whether building ducts and vents were designed to prevent possible use by intruders.  In terms of electrical systems, the physical security assessment should include an evaluation of whether the facility’s electrical closets are secured and whether the facility has back-up generators or battery systems that would allow it to continue operating during a loss of utility power.

Increasingly sophisticated threats to information security, new regulatory requirements, and ramped-up enforcement of HIPAA are prompting many health care providers and other covered entities (and their business associates) to revisit their security policies. As these policies are revisited, physical security should undoubtedly be part of the conversation. Whether a telehealth company stores its data in its own facilities or relies on a vendor or a downstream subcontractor for its storage needs, physical security controls provide a vital line of defense. While technical security measures do offer telehealth providers significant data protection, the value of a carefully designed and managed physical security plan should not be underestimated.

Why Not Getting Paid Directly for Telehealth May Not Matter


During and after a recent presentation regarding telehealth before a health care executive group, we were inundated with the following question:  Why should a hospital provide telehealth services when oftentimes it will not get paid for those services?  It is, on its face, a great question.  After all, few of us would want to provide services we know will not be reimbursed.  But, in many ways, the question misses the boat.  While a hospital may not be paid directly for providing telehealth services, it nevertheless could significantly benefit in a number of ways that prove just as valuable to the hospital.  This is especially the case as we transition from a fee-for-service system to one rewarding quality of care, patient outcomes, and clinical integration.  In other words, measuring the value of telehealth services solely based on direct reimbursement is misguided.

The Indirect Benefits of Hospitals Providing Telehealth

The questions raised during our presentation, however, gave us an opportunity to organize our thoughts about telehealth’s “indirect” benefits.  Here are four reasons why it may be worth providing telehealth even in circumstances in which a hospital or provider is not directly reimbursed for providing the service.

  • Penalty/Cost Avoidance: Providing telehealth is a great way to avoid certain future costs, especially those related to inpatient readmissions, ED admissions, and post-acute care management.  Take readmissions—almost 20 percent of Medicare beneficiaries are readmitted to the hospital within a month of discharge.  Many of the discharges are avoidable and the result of poor transitional care.  And Medicare now reduces payments to hospitals with excess readmissions.  Telehealth interactions are one effective way to better engage patients, more closely monitor disease states, and help reduce complications—all great tools in the fight against excess readmissions.  So, in this context, using telehealth as a means to reduce readmissions (and not incur penalties) may outweigh the lack of direct reimbursement for those services.  This is a scenario likely to play out repeatedly as we transition out of fee-for-service into a system in which hospitals and providers are rewarded for the value of care they provide—not the volume.
  • Branding/Geographic Reach:  Telehealth may provide a great vehicle for a hospital to extend its brand further outside its market in ways previously inconceivable.  In many of the programs I see being implemented around the country, the institution is often providing telehealth services to other hospitals (such as rural hospitals) and facilities (clinics, physician offices) it would otherwise have little opportunity to interface with.  There are countless examples, many involving telestroke, teleICU, and telepsychiatry programs.  What is increasingly becoming clear is that telehealth is a highly effective way to increase a hospital’s market footprint just in the course of normal business.
  • Short-supply specialists. Many hospitals and other health care facilities often lack specialty care.  Some of the specialties suffering the most acute shortages include cardiology, critical care, oncology, psychiatry and neurology.  Hospitals are now turning to telehealth as a means to provide specialty care to their patients who would otherwise not have access to such care.  By leveraging the power of telehealth, many institutions are actually treating patients who would likely otherwise be unable to receive the care they need—thereby reducing further complications and potentially significant downstream costs.
  • Patient Satisfaction. Patient satisfaction with telehealth has historically been high.  Patients report that they appreciate: i) the ability to connect with health care professionals with the expertise to treat their conditions—regardless of the distance; and ii) the individualized personal care they receive from telehealth interactions.  A number of studies further confirm these conclusions.  One such study showed that patient satisfaction from the use of telehealth increased by 85 percent. Patient satisfaction, in addition to being measured in many payers’ quality metrics, plays a significant role in how a hospital is viewed in the community.

More Payers Are Reimbursing Than You Think

As we have discussed, there are many “indirect” benefits for hospitals providing telehealth—but we cannot lose sight of the fact that many payers do indeed reimburse providers for telehealth.   Many leading private insurers provide coverage and reimbursement for telehealth.  Generally these coverage policies provide reimbursement for telehealth services involving the use of real-time interactive audio, video, or other electronic media for diagnosis and consultation.  Note that an increasing number of the largest health plans have various telehealth initiatives underway that directly reimburse providers for services such as teleconsults.

There are also a growing number of states that have passed telehealth parity statutes which require health insurers to pay for services provided via telehealth the same way they would for services provided in-person.  Almost a third of all states have enacted these statutes, and another dozen or so states are considering similar legislation.  Additionally, about 44 Medicaid programs currently reimburse in some way for telehealth.  Medicare, however, lags behind other payers in reimbursing given its many restrictions—but even Medicare provides some coverage for telehealth.

Lessons from France: Successful French Telehealth Company Showcases Business Opportunities for Hospitals and Network Operators


Too often, companies try to re-invent the wheel.  This is especially true in the telehealth sector where new models of care are constantly being tried and tested.  Fortunately for U.S. hospitals, health systems, and companies, however, we have great examples of telehealth models from around the world that have built successful business models in telehealth.

Take the example of Calydial, a company based in Lyon, France, that specializes in remote dialysis. Launched in 2006, Calydial started with 25 patients with renal impairment who needed remote treatment and monitoring. Today, Calydial has 230 patients, and performs 30,000 dialysis acts per year.  “When we started in 2006, there was no regulatory framework in France for telemedicine,” said Mr. Gérald Huguet, Chief Information Officer, “so we just had to learn on the job”.

What has driven the success of Calydial?

First, there is the benefit to patients who are monitored in their homes, resulting in a better continuum of care, better treatment adherence, and fewer unnecessary readmissions.

Second, there is the return on investment. Although France has a publicly-funded healthcare system, hospitals and doctors are under pressure to better manage resources leading to more return on investment. In France, a significant portion of the dialysis treatments are completed at patients’ homes, especially for elderly patients. Calydial understood that payments made to doctors were bloated because many doctors travel to patient homes to provide consultation and dialysis treatment and are paid for the time they are commuting. Try driving in Lyon or Paris at rush hour! By eliminating this time, Calydial reduced the amount of monthly doctor hours by one week on average!

What lessons can U.S. companies learn from Calydial’s example?

  1. You cannot always find an off-the-shelf product that will exactly match your needs. When it started its remote dialysis project, Calydial could not find network and software solutions that fit its needs. So the company had to work with manufacturers and suppliers to develop a product specifically tailored to its needs—while also staying within budget. In other words, if you can’t find the perfect match, work with your existing partners to create one. Manufacturers are likely to work with you because this is also an opportunity for them to expand the functionalities of their products.
  2. Telemedicine solutions might work when defined in the lab, but your success will be measured where the rubber meets the road. You have to be prepared to re-think your project and your strategies.  It is tempting for new companies launching telehealth projects to cut corners. After all, most people think that if you have a computer and an internet connection you’re in business. Calydial learned this lesson early on. They had to find solutions that guaranteed the service (videoconferencing, network reliability) and ensured patient data privacy and security.
  3. Put patients first. What if you have a blackout or a failure in the system? How do you ensure continuum of care? You need a back-up plan. And you have to prioritize the speed of intervention teams and the alternatives for care depending on the type of health care services you provide. For telesurgery you need a 24/7 back-up plan and immediate response.  For intermediate risk consultations or telemonitoring, a reasonable intervention delay is acceptable, and for low risk consultations, you need to be able to contact the patients by phone, for example, to assess the level of emergency.
  4. Look for ways to improve your product. In 2013, Calydial is launching a project with a new app that will be compatible with several platforms including smart phones, tablets, laptops, and home computers. Very often, patients suffer from several chronic diseases, and if telemonitoring came with a different device for each disease, patients’ homes would be a hub of devices, wires and connections. With this new app, patients will be able to use their phone or computer for all their needs.
  5. Talk to experienced companies. This seems like an obvious approach, but it is particularly important here. Calydial sought the expertise of several major players in the telemedicine space including network operators and health information systems.
  6. Find partners to split the work.  For the 2013 project, Calydial will work with Cluster I-care, a public-private partnership developed to promote health technologies. Another partner will be in charge of privacy and security issues, and handle electronic health records (EHR), the hosting of personal health information, confidentiality, and many other related issues. From a business perspective, bringing in partners will allow you to focus on business development. From a compliance perspective, specialized partners are usually certified by the appropriate authorities. For example, in France, companies that host personal information must be certified by the French Agency for Interoperable EHR (Agence des Systèmes d’Information Partagés de Santé) and must comply with the privacy regulations of the French National Commission for Privacy (Commission Nationale de l’Informatique et des Libertés). Choose your data hosting vendor carefully. Not all vendors have a blanket certification; some of them have limited capacity to manage personal health information. 
  7. Get proposals from several vendors. This will help give you access to several options, and you may negotiate prices among competitors.
  8. Get good counsel. If you are considering entering into an agreement or a joint venture with a network operator or a software developer, establish clear rules for liability and intellectual property. Each partner might develop one component of the final product. In the event one partner leaves the venture, it is important for the remaining parties to be able to continue the operations and market the products and services. In defining the products you buy, don’t lock in your products for only one pathology, but keep your options open for future add-ons and new functionalities.
  9. Check your local rules for physician practice. In France, physicians may not need a special authorization to offer consultations remotely if they practice within the scope of their license and certification.
  10. Check your reimbursement. In France, since October 2011, telemedicine services are reimbursed at the same levels as those for in-person visits, as long as the service appears as one of the services regularly reimbursed by French public health insurance under Article L162-1-7 of the Social Security Code. This includes teleconsultation (physicians conduct consultation remotely), teleexpertise (physicians solicit advice from peers), telemonitoring (physicians monitor remotely patient data), and teleassistance (physicians assist nurses or other medical personnel in the completion of medical acts).

The example of Calydial shows that telehealth can thrive in many environments, even when you start with a small investment.

E.U. Way Ahead of the Game on Telehealth


Telehealth is expanding rapidly outside of the U.S. in both developed and developing countries.  Not surprisingly, the expanded use of telehealth presents many of the same regulatory and reimbursement challenges abroad that it does here in the U.S.  One region in particular that has taken steps to expand telehealth across borders is Europe, where, in an effort to confront the legal issues raised by telehealth, the E.U. has removed and revisited existing regulations.  The E.U. has also issued guidance through the European Commission (an institution that is responsible for ensuring that E.U. law is applied and adhered to by all Member States and therefore a key player in regulating the use of telehealth) regarding how best to comply with the regulations in place.  In order to provide timely and effective guidance on rapidly evolving technologies, the Commission publishes staff working documents which interpret the law and provide compliance guidance, but are not legally binding themselves.  One such document is the “Commission Staff Working Document on the applicability of the existing E.U. legal framework to telehealth services”, dated June 12, 2012.  The document provides guidance on how to comply with E.U. law, but for those in the U.S., reading this guidance also brings to light where the E.U. and the U.S. diverge with respect to key legal issues such as licensure and reimbursement.

Licensure

Under the existing framework, the Europeans have done a good job providing expanded access to care and have accomplished this at least partially through their licensure rules.  The licensing structure in the E.U. is similar to the one in the U.S., wherein each individual state is tasked with licensing requirements and enforcement.  However, the E.U. system differs where cross-border healthcare, such as telehealth, comes into play because of what is called the “country-of-origin principle”.  This principle, a component of the eCommerce Directive (enacted by the E.U. in 2000 to set up an Internal Market framework for electronic commerce and to provide legal certainty for business and consumers), is the key difference between the U.S. and the E.U. regarding licensure issues.  Under the “country-of-origin principle” a service provider in the E.U. is practicing medicine legally if he or she complies with the licensure requirements in his or her own Member State and treats the patient from within his or her Member State.  This is true regardless of whether the patient is located in another Member State and irrespective of the requirements in that other Member State.

The “country-of-origin principle” is the exact inverse of how licensure works in the U.S.  Within the U.S., the doctor must be licensed in the same state as the patient he or she is treating, regardless of whether the treatment is delivered via telehealth.  This restricts patients’ access to doctors who are not licensed in their states and impedes access to cutting-edge technology such as remote monitoring.  To change the licensure requirements in the U.S. and make telehealth more accessible, there would need to be changes at the state level across the country, or a federal licensure law would need to be adopted.

Reimbursement

A clear formula for how a provider would get paid for telehealth services, how much he or she would be paid, and what procedures he or she would get paid for, is crucial to the development of new health technology and the future practice of telehealth in the U.S. and in the E.U.  In the U.S., Medicare reimbursement has not kept up with the times. However, about a third of the states have adopted legislation known as telehealth parity statutes which require private insurers to cover telehealth services if they would otherwise cover in-person provided services.  In these states, as well as states without telehealth parity statutes, many health plans are beginning to cover telehealth services.

In the E.U., there is a Directive (Article 3(d) of Directive 2011/24/EU) on the application of patients’ rights in cross-border healthcare stating that cross-border health care services utilizing telehealth or other types of eHealth services must be reimbursed if the individual or patient resides in a country that reimburses the eHealth service.  This is extremely positive for individuals residing in countries that reimburse telehealth services, as they will be reimbursed if they decide to utilize telehealth services.  However, those individuals whose home countries do not reimburse for telehealth are barred from access to these technologies or doctors in other countries unless they are willing to pay out of pocket.  One example of this is Germany, where the costs of telehealth are only reimbursed by health insurers in exceptional cases.  As a rule, patients have to pay for such health services out of their own pockets.  Other countries like France reimburse several categories of telehealth services at the same levels as traditional in-person services.  French Social Security will pay for some telehealth services including teleconsultation (physicians conduct consultation remotely), teleexpertise (physicians solicit advice from peers), telemonitoring (physicians monitor remotely patient data), and teleassistance (physicians can assist nurses or other medical personnel in the completion of medical acts).  In the Netherlands, phone and e-mail consultations are reimbursed via fixed prices by health insurance companies.  Although the E.U. has yet to present a harmonized reimbursement picture, in countries like Sweden and the U.K. small telehealth projects are publicly funded.  It seems the authorities are still testing the waters before fully committing.

The different approaches taken by the E.U. and the U.S. partially reflect the different health care systems in place as well as the differences in legal structures between the two.  On the one hand, the U.S. has struggled with its fragmented approach.  On the other hand, Europe, known for its heavy regulation, has embraced a less regulated path in terms of licensure to make way for the expansion and adoption of telehealth into mainstream medical practice.  Yet in terms of reimbursement, both the U.S. and the E.U. are struggling with limited reimbursement capability.  Regulators, whether in the U.S. or in the E.U., are often criticized for not keeping up with rapid innovation.  That is also true for payors.

Oftentimes when public authorities are slow to take action, the industry and the patients themselves will adopt innovative products and technologies.  It will not be long before both the U.S. and the E.U. will be forced to see the value of telehealth and to understand that earlier development of health technology and improved incorporation of telehealth into accepted medical best practices is crucial to broader access and better health care.

What the HIPAA Omnibus Rule Means for Health Technology Companies


On January 25, 2013, the Department of Health and Human Services (“HHS”) published in the Federal Register the highly anticipated Omnibus Rule, which strengthens and amends existing regulations in the HIPAA Privacy and Security Rules. The rule will significantly affect health technology companies, including telehealth companies, data centers, and personal health record vendors, with an estimated total cost of compliance of 114 million to 225.4 million dollars. The rule will be effective on March 26, 2013, but affected parties have until September 26, 2013 to comply with most provisions.

As we have discussed on this blog, technology companies looking to provide health solutions must figure out early on whether they are regulated under HIPAA. While some provider-driven technology companies may qualify as HIPAA covered entities, most health technology companies that become subject to HIPAA do so because they engage in activities that make them business associates. Notably, the Omnibus Rule expands the definition of business associates to include the following:

  • Entities, such as data centers, that maintain protected health information (“PHI”) on behalf of covered entities;
  • Health information organizations, e-prescribing gateways, and other entities that provide data transmission services for PHI to a covered entity and that require access to PHI on a routine basis;
  • Entities that offer personal health records to individuals on behalf of a covered entity; and
  • Subcontractors that create, receive, maintain, or transmit PHI on behalf of another business associate.

Additionally, the Omnibus Rule increases liability for business associates. Guidance from HHS in the preamble to the rule clarifies that business associates are now directly liable for:

  • Impermissible uses and disclosures;
  • Failure to provide breach notification to the covered entity;
  • Failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement);
  • Failure to disclose PHI when required in an investigation of the business associate’s compliance with HIPAA;
  • Failure to describe when an individual’s information is disclosed to others; and
  • Failure to comply with the HIPAA Security Rule’s requirements, such as performing a risk analysis, establishing a risk management program, and designating a security official, among other administrative, physical, and technical safeguards.

Noncompliant business associates will be subject to civil monetary penalties ranging from $100 to $50,000 per violation, with the penalty for multiple violations of the same provision capped at $1.5 million per year. However, guidance in the preamble notes that, given the way the HHS Office for Civil Rights counts violations, a single event can violate multiple HIPAA requirements, resulting in aggregate penalties exceeding $1.5 million. Noncompliant companies face other risks as well. Breach notification requirements (to upstream business associates, covered entities, the government, affected individuals, and the media) can cause significant reputational harm to an organization and result in the termination of contracts or business relationships.

The Omnibus Rule also amends requirements for business associate agreements, which must now include certain additional provisions. These changes will require many covered entities and business associates to update existing business associate agreements. Due to the administrative burden of implementing these new business associate agreement provisions, the Omnibus Rule provides for a one-year transition period, during which covered entities and business associates, as well as business associates and subcontractors, may continue to operate under contracts that were in effect as of January 25, 2013. HHS has provided a model business associate agreement online.

For more information on the Omnibus Rule and what entities must do to comply with the new provisions, consult the following Epstein Becker Green client alerts:

Corporate Practice of Medicine: The Unseen Hurdle in Telehealth


When evaluating the various legal and regulatory hurdles associated with telehealth, such as licensure, reimbursement, and privacy, one hurdle that often goes overlooked is the corporate practice of medicine.  Many states have enacted laws which directly or indirectly are viewed as prohibiting the “corporate practice” of medicine.  While variations exist among states, the doctrine generally forbids a person or entity other than a licensed physician, professional corporation (“PC”) or professional limited liability company (“PLLC”), such as a general business corporation, from owning an interest in a medical practice or employing physicians for the purpose of practicing medicine.  These laws against the corporate practice of medicine are generally designed to prevent non-clinicians from interfering with or influencing the physician’s professional judgment, and they will affect the ability of business entities to enter into agreements with physicians and other health professionals.

Some states, like Florida, do not have a law specifically prohibiting physicians from engaging in the practice of medicine through a corporate structure.  The Florida Board of Medicine has stated that the statutory prohibition against the unlicensed practice of medicine does not prohibit the practice of medicine by physicians as employees of a Florida corporation or partnership.  California, on the other hand, prohibits the corporate practice of medicine, which among other things requires that business or management decisions and activities resulting in control over a physician’s practice of medicine be made by a licensed California physician and not by an unlicensed person or entity. In order to avoid a direct violation of state prohibitions on the corporate practice of medicine, many companies use the so-called “friendly PC” model.  Under the “friendly PC” model, a PC, PLLC, or other legal entity permitted in the state, whose shareholders are all physicians, employs the licensed health care professionals and contracts with a management services organization (“MSO”) that provides management services to the PC.  The PC is kept “friendly,” or aligned, through the use of a stock transfer restriction agreement and/or by the MSO employing the physician owner.

Generally, these restrictive stock transfer agreements prevent the physician owner from transferring his or her shares without the consent of the MSO.  Additionally, these agreements usually require the physician owner to transfer the shares in the PC, upon demand by the MSO, to an individual selected by the MSO. The combination of business management control and the threat of exercising its rights under the transfer agreement allows the MSO to maintain control over the administrative and management side of the entity without infringing on the professional judgment of the physicians.

We should note that enforcement by the relevant authorities (e.g., state boards of medicine) of the prohibition against the corporate practice of medicine with respect to the “friendly PC” model is generally inconsistent.  As a practical matter, the most frequent forum in which the issue is asserted is in commercial disputes between the MSO and the physician owners of the PC or PLLC it manages. Specifically, in these disputes the physician owners seek to invalidate all or part of the agreements between themselves and the MSO by arguing that the agreements are unenforceable as a matter of law because they create a relationship that constitutes the corporate practice of medicine.

Although there is no hard and fast rule as to when a given arrangement may be deemed to constitute corporate practice, the focus in any enforcement action likely will be on the level of control the MSO exercises over the operation of the medical practice, specifically the professional judgment of licensed health care professionals. Where a high level of control exists, the arrangement may be found to be a sham intended to disguise the de facto practice of medicine by an unlicensed entity.  Factors that will be considered in evaluating whether a structure violates the prohibition on the corporate practice of medicine include the extent to which the MSO controls decisions or extracts revenue.

Telehealth companies, in addition to licensure and all the other regulatory issues we have written about in this blog, also need to take the corporate practice of medicine into consideration when developing their business models.  We advise that companies look into whether the states in which they are considering operating have a prohibition against the corporate practice of medicine, and if so, analyze how their model will need to be modified to fit within the law.  The good news is that many states (e.g., Hawaii, Mississippi, Ohio) have no such prohibition.