TechHealth Perspectives

STRATEGY, ANALYSIS, AND COMMENTARY ON CURRENT AND NEW HEALTH TECHNOLOGIES

A Telehealth Tutorial: Legal & Regulatory Issues

LinkedIn Tweet Like Email Comment

2008_Fall_article_telemedicineHospitals and others are increasingly implementing telehealth programs as part of their service offerings. As health technology becomes more sophisticated and hospitals look to provide more services to more patients, telehealth technologies are being incorporated by hospitals by hospitals in diverse and innovative ways. As telehealth utilization continues to increase, however, hospitals should be aware that there are various significant legal and regulatory issues that must be closely analyzed to ensure that adoption of telehealth technologies is consistent and compliant with the various federal and state laws and regulations that may be implicated by telehealth. In conjunction with the American Hospital Association, my colleague Amy Lerman and I have co-written a white paper focusing on the some of the significant legal and regulatory issues implicated by telehealth including:

  • Provider licensure;
  • Online prescribing;
  • Medical malpractice;
  • Coverage and reimbursement;
  • Privacy and security; and
  • Fraud and abuse.

We also address the various federal and state legislative and other efforts underway. You can read the entire white paper by clicking here.

A Call to Comment for Telemedicine Stakeholders: The Cadillac Tax

LinkedIn Tweet Like Email Comment

DOTAs discussed previously on this blog, employers are increasingly turning to telemedicine as a way to cut employee health care costs and improve bottom lines. The trend will be accelerated by the impending Cadillac Tax, a 40 percent excise tax on the excess of the cost of an employee’s applicable coverage over the employee’s applicable dollar limit. In February, the Treasury and IRS released Notice 2015-16 (the “Notice”), kicking off the process of developing regulatory guidance regarding the Cadillac Tax. Specifically, the Notice addresses the following issues:

  • Defining “applicable coverage,”
  • Determining the cost of applicable coverage, and
  • Applying the annual statutory dollar limit to the cost of applicable coverage.

To limit liability, employers will favor rules that result in a lower cost of applicable coverage or a higher applicable dollar limit. The former can be accomplished through rules that exclude more types of coverage from the definition of applicable coverage. This is one area on which telemedicine providers may want to submit comments. Although the Cadillac Tax will encourage employers to lower health care costs and potentially turn to telemedicine to do so, there are nonetheless certain areas where telemedicine may be negatively impacted.

Notably, the definition of applicable coverage includes coverage for on-site medical clinics. To reduce costs and absenteeism, more companies are opening on-site medical clinics to offer a number of services to employees. Employers frequently partner with telemedicine providers to offer services at these clinics. However, providing a comprehensive set of services at on-site clinics can be expensive, and the Cadillac Tax may exacerbate those costs beginning in 2018.  I note that while the Notice does not specifically address direct-to-consumer telemedicine services, those services would be included in the definition of applicable coverage to the extent that they are covered under an employer’s group health plan.IRS

The Treasury and IRS anticipate that the definition of applicable coverage will exclude coverage provided by on-site medical clinics that provide “de minimis” care to current employees free of charge. Under the definition considered in the Notice, de minimis care is limited to first aid provided for treatment of a health condition, illness, or injury that occurs during working hours. Therefore, under this approach, the definition of applicable coverage would include coverage of telemedicine services at on-site medical clinics, making this a potential target for employers as they scale back their health offerings to minimize Cadillac Tax liability.

The IRS seeks comments on a couple related issues:

  • Whether on-site medical clinics that provide services besides first aid should also be exempt from the definition of applicable coverage; and
  • How the IRS should treat medical care provided by on-site medical clinics (for example, whether there should be a dollar limit on the cost of services provided). There are also unresolved issues that may be addressed in future notices.

Before issuing proposed regulations, the Treasury and IRS plan to issue another notice addressing potential approaches to other issues not described in Notice 2015-16, such as procedural issues relating to calculating and assessing the Cadillac Tax.

Telemedicine providers should consider submitting comments arguing for the exclusion of telemedicine services from the definition of applicable coverage, whether provided at on-site medical clinics or otherwise. Comments on the Notice, which are due on May 15, 2015, provide a valuable opportunity for stakeholders to participate in the rulemaking process.

Telemedicine, State Boards and the Supreme Court

LinkedIn Tweet Like Email Comment

Supreme CourtI have examined on this blog the various legal and regulatory issues implicated by telemedicine.  Many of those issues involve the practice of medicine and how state medical boards interpret state laws and regulations impacting telemedicine, and how those boards enforce those laws.  Believe it or not, a recent Supreme Court case may have an impact on how state boards do their business.

On February 25, 2015, the Supreme Court of the United States held that the North Carolina Dental Board (“Board”) was not insulated from federal antitrust liability under the so-called “state action” doctrine when it engaged in anticompetitive conduct to restrain non-dentists from performing teeth whitening services.  While the North Carolina case involved a dental board’s attempt to restrict activities of non-dentists, the Court’s opinion has broader implications for how states regulate and supervise professional boards—such as state medical boards.  Ultimately, the Supreme Court decision illustrates how an individual or entity, subject to perceived over-regulation by a professional board, might mount a defense by scrutinizing whether the board meets the “state action” requirements to be insulated from liability for anticompetitive regulatory actions.  Please click here to read the full EBG Client Alert.

FTC Focus on Privacy

LinkedIn Tweet Like Email Comment

At the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission (“FTC”) was clear in its message that privacy was a top priority for the agency.  The FTC had a strong presence at the conference.  Three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) all spoke at the conference and relayed a message of the importance of consumer privacy and security.  In that regard, the FTC speakers stressed the importance of:

  • informing consumers of the collection of consumer information;
  • informing consumers how such collected information will be used; and
  • providing strong safeguards for information collected.

The FTC speakers also announced that the FTC will be beginning a new security campaign to engage businesses of all sizes in understanding the importance of securing consumer information.  The FTC speakers also emphasized the FTC’s concern and focus on the collection of health information by organizations that are not covered under HIPAA (for example organizations developing wearable devices or other consumer driven apps).  Given the tenor of the discussions, there is no question that FTC will continue to make privacy enforcement a top priority.  As a result, device manufacturers, pharmaceutical manufacturers, and mobile health developers should remember to think beyond HIPAA when they think of U.S. privacy compliance.  For a listing of prior privacy enforcement actions by the FTC see, https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.

Telemedicine and Employers: The New Frontier

LinkedIn Tweet Like Email Comment

As we have explored a number of times on this blog, telemedicine has gone mainstream.  The more recent development is that employers seem to be paying more attention now. The numbers speak for themselves. A recent Towers Watson study focusing on employers with at least 1,000 employees concluded that U.S. employers could save up to $6 billion per year if their employees routinely engaged in remote consults for appropriate medical problems instead of visiting emergency rooms, urgent care centers, and physicians’ offices.

Attitudes towards telemedicine more generally in the United States also have undergone a significant shift:handshake

  • 74 percent of consumers would use telehealth services given the opportunity;
  • 76 percent of patients prioritize access to care over the need for human interactions with health care providers; and
  • 70 percent of patients are comfortable communicating with their health care providers via text, e-mail, or video, in lieu of seeing them in person.

Just as significantly, telemedicine is increasingly viewed as an efficient and cost-effective care delivery vehicle, due to several factors: i) a health care system transitioning from fee-for-service to one where reimbursement is closely tied to quality and patient outcomes; ii) an increase in the use of integrated delivery models such as accountable care organizations and medical homes; and iii) the relative ubiquity of sophisticated health care technologies.

Employers, in particular, are paying close attention to developments in telemedicine for another reason: the looming “Cadillac Tax.”  Starting in 2018, a 40 percent excise tax will be imposed annually on health plans with premiums exceeding $10,200 annually for individuals and $27,500 annually for families. Given this impending tax, employers are looking for efficient ways to cut their employee health care costs. Telemedicine has become an extremely viable option for several reasons:

  • Many employees hesitate to take time off work and to pay the copayments associated with physicians’ visits, particularly for ailments perceived as minor.
  • Many employees forego physician visits entirely, causing relatively minor health issues to sometimes escalate into costly conditions.
  • Although some employers have established onsite clinics where employees can receive sick care and preventive care services, there are high costs associated with creating these clinics.

iStock_000016401740SmallAccording to the Towers Watson study, only about 20 percent of U.S. employers offer telemedicine services to employees today, but nearly 40 percent of employers surveyed said that they plan to offer access to such services in 2015, while 33 percent are considering offering access to telemedicine services within the next three years. It is clear to see why. Effective use of telemedicine services could eliminate 15 percent of physician office visits, 15 percent of emergency room visits, and 37 percent of urgent care visits. This all results in significant savings to employers that cover any part of the costs of their employees’ health care.   Employers considering the inclusion of telemedicine services in their employee benefit offerings should pay attention to some significant, but not insurmountable, legal and regulatory issues implicated by the use of telemedicine. In brief, those issues include:

  • Licensure: State licensure laws are a major stumbling block to the interstate practice of telemedicine. With limited exceptions, providers must be licensed in every state in which they intend to practice medicine (location of patient and the provider), and each state has its own licensure requirements. This tension creates a patchwork of inconsistent laws. The Federation of State Medical Boards has developed an Interstate Medical Licensure Compact that would facilitate license portability and the practice of interstate telemedicine. Mid-level practitioner organizations are working on their own compact proposals.
  • Physician-Patient Relationships: Among the factors required by states to establish a physician-patient relationship is an evaluation or examination of the patient by the treating physician. This is especially important when the treating physician is prescribing medications for the patient. States have different requirements that must be met in order for a proper examination to have occurred.
  • Privacy & Security: Numerous privacy and security issues are implicated by the use of telemedicine technologies, including compliance with federal and state privacy and security standards, data management, data sharing (and management responsibility for such sharing) with other providers, and data storage.
  • Medical Liability: Adapting existing principles of medical malpractice liability to telemedicine is a challenging task, especially regarding what constitutes the applicable “standard of care.”
  • Fraud & Abuse: Telemedicine arrangements must comply with federal and state health care fraud and abuse laws, including anti-kickback statutes and/or physician self-referral prohibitions.

Employers seeking to access the telemedicine market must carefully assess the legal and regulatory requirements, and limitations, of any potential arrangements.

The Lenovo/Superfish Scandal: What You Need to Know

LinkedIn Tweet Like Email Comment

superfishReports in the last week stated that the computer manufacturer Lenovo had preloaded software onto various lines of computers which critically compromised cybersecurity. The software in question is a product called Superfish Visual Discovery, a program generally designed to replace advertisements seen while browsing the Internet with ads provided by Superfish. However, the method of implementation opens up a universe of potential problems.

What Does Superfish Do?

Superfish is designed to replace Internet advertisements with advertisements provided by their sponsors. In order to do this, Superfish installs its own signed root certificate to the operating system. Furthermore, the Superfish certificate key being used is the same across all the affected systems.

What Does This Mean?

Secure browsing is based on a system of certificates. When you look up any website starting with https://, you are loading a secure website whose identity is verified using a certificate, usually validated by a third party. Normally, sites claiming to be secure that are not will trigger warnings from your browser. Superfish installs its own certificate and functions as a Man in the Middle, injecting its own content into the ostensibly secure connection between your computer and the secure website.

Because the certificate key used by Superfish is the same across all affected systems, it is easy to exploit that certificate to attack systems with the software installed. Reports indicate that people have been able to decrypt all data sent by HTTPS, including passwords, using this exploit.

Which Computers Are Affected?

Lenovo has published information containing a list of affected computers. The affected computers are laptops not in the ThinkPad series manufactured between September 2014 and February 2015. ThinkPad laptops, desktops, and smartphones are unaffected. Enterprise systems (e.g., servers and storage) are also safe.

Even if your organization has computers on the list of affected products, your organization may be safe. Generally, your IT department should be installing a clean version of Windows or an organizational system image on any new computer before it is brought into your network ecosystem. If your IT department does not do this, or your organization allows personal computers to perform work functions, you may be at risk.

Another potential issue is remote access. If anyone with remote access was using an affected computer, the user’s logon information potentially could have been compromised.

How Do We Remove Superfish from Affected Systems? 

The easiest and most secure way to ensure the removal of any issues is to install a clean copy of Windows on the affected computer. This should not be the backup copy provided by Lenovo, as that copy will still have Superfish. However, reinstalling Windows will cause you to lose any data on the computer. If you need to keep the data on the computer or otherwise cannot back up the data, a good guide on how to uninstall Superfish without reinstalling Windows can be found at ExtremeTech.

What Else Should We Do?

If your organization does not install a clean version of Windows or an organizational system image on new computers, you should put into place a procedure ensuring that all new computers get a fresh install of Windows or a fresh system image prior to introducing them to the network.

Because your employees may potentially have used an affected computer for remote access, you should identify any employees who have used Lenovo computers for remote access in the past six months. Those users should have their credentials changed as a precautionary measure.

CMS Hosts MLN Connects National Provider Call to Review New CCM CPT Code

LinkedIn Tweet Like Email Comment

CMSProviders, take note: the Chronic Care Management (CCM) CPT Code 99490 is now payable by the Centers for Medicare & Medicaid Services (CMS). Effective January 1, 2015, the Medicare program began making payments under the Physician Fee Schedule (PFS) for certain non-face-to-face management and care coordination services provided to beneficiaries covered under the traditional Medicare fee-for-service program. CCM services include, but are not limited to, development and maintenance of a plan of care, communication with other treating health care professionals, and medication management. In order to be eligible for CCM services, beneficiaries must have two or more chronic conditions, expected to last at least 12 months or until the death of the beneficiary. Claims for CCM services are payable on a monthly basis, must include at least 20 minutes of qualifying services, and are subject to beneficiary coinsurance and deductibles. Information on the availability of CCM services must be conveyed to the beneficiary through a face-to-face visit and the beneficiary must consent to receiving such services. Only one Medicare provider can provide and be paid for CCM services provided to an individual beneficiary during each calendar month.

CMS hosted an MLN Connects National Provider Call on February 18, 2015 to review the requirements for physicians and other practitioners to properly bill the new CCM CPT code. During the call, titled “Chronic Care Management Services: CY 2015 Medicare Physician Fee Schedule,” CMS provided an overview of the requirements for physicians and other practitioners to bill using CPT code 99490. CMS discussed the eligible beneficiary population for CCM services, the scope of CCM services, the Medicare providers who are eligible to provide CCM services (including on an “incident to” basis), and how CCM services might overlap with current demonstration and other initiatives by CMS. CMS noted that portions of the CCM requirements were finalized in two different PFS final rules, some in the CY 2014 final rule and the remainder in the CY 2015 rule. This overview was followed by a robust question and answer session, which provided some of the most interesting takeaways:

  • CMS has not established a specific list of chronic conditions that would be covered by the new CCM CPT code. CMS suggested referencing the Chronic Conditions Data Warehouse[1] to identify possible chronic conditions, but cautioned that use of the CCM CPT code would not be limited to the conditions identified therein. According to CMS, until such a time when more prescriptive restrictions could be established, the only limitations with regard to eligible chronic conditions are those outlined in the CPT code description itself.
  • Beneficiary consent to receive CCM services remains effective until withdrawn, even if the provider is not able to or otherwise does not bill for the CCM services for a period of time.Cash 5
  • CMS is deferring to the Medicare Administrative Contractors (MACs) many of the specific billing questions about which participants inquired during the call, including how to capture place and date of service details, how to document time spent performing CCM services, and whether time spent by Certified Medical Assistants can count toward the 20 minutes required per calendar month to bill for CCM services.

CMS recently published a new Fact Sheet regarding CCM services (ICN 909188). The Fact Sheet will be a helpful resource for providers seeking to utilize the CCM CPT code and other interested stakeholders, as it covers much of the detail discussed during the CMS call and includes a helpful table that illustrates the alignment between the CCM scope of service elements and billing requirements with the certified Electronic Health Record (EHR) or other electronic technology requirements.

So have the MACs weighed in yet regarding the use of new CPT code 99490? Stay tuned for our next post, in which we will “consult the MAC” to see what helpful guidance, if any, they have provided to date.

[1] Chronic Conditions Data Warehouse, https://www.ccwdata.org/web/guest/home.

 

Prescribing and Telemedicine: The “Physical” Exam

LinkedIn Tweet Like Email Comment

As so many of you know, the barriers to the wider adoption of telemedicine are numerous.  In listening to various stakeholders in the telemedicine space over the years, I consistently hear the same barriers being discussed:

One issue, however, that gets short shrift in my view is the issue of online prescribing—an issue that presents as formidable a barrier to the wider adoption of telemedicine as any other.  Before I take a deeper dive, I should mention that by online prescribing I do not mean e-prescribing, which generally refers to the issuance of a prescription electronically instead of in written form.  What I mean by online prescribing is physicians prescribing medications to patients via a telemedicine visit when the physician has never had an in-person encounter with the patient. Instead, the physician relies solely on information obtained through the telemedicine encounter.

Generally, and unless one of a very limited number of exceptions applies, states require that a physician first establish a valid physician-patient relationship before he or she may prescribe for the patient. In most states, a physical examination or evaluation of the patient is one of the requirements to be met in order to establish that relationship. But just what constitutes a valid “physical examination” varies from state to state? As you might imagine, this is critical in telemedicine because in many cases, telemedicine providers will be unable to physically examine or evaluate new patients in-person or face-to-face.  States address the issue in a variety of ways which has predictably led to a patchwork of sometimes inconsistent state laws. 

In- Person Physical Exam

Some states explicitly require an in-person examination or evaluation before a physician may engage in online prescribing for a patient. Under Arkansas law, for example, in the absence of a prior and proper patient-practitioner relationship, a physician must perform an in-person physical examination of the patient adequate to establish a diagnosis and to identify underlying conditions or contraindications to the treatment recommended or provided.

Physical Exam

Other states, while requiring a physical examination or evaluation, do not explicitly use terms such as “in-person” or “face-to face” to describe the exam.  Many have taken that to mean that the physician must have an in-person encounter with the patient—a very reasonable conclusion in my view—and one shared by most medical boards with which I speak.  Some observers, however, have concluded that because the requirement in these states is not as explicit as it is in other states (i.e., Arkansas), a reasonable argument can be made that a physical examination may occur by electronic means—especially if the examination results in the same information being obtained had the exam occurred in-person.  This is a gray area that will likely become clearer as many states re-examine their telemedicine standards.    

Physical Exam by Other Means

Significantly, there are a number of states that explicitly allow physical examinations or evaluations to be performed by electronic means or via telemedicine technologies. For example, in Maryland, if no prior in-person, face-to-face interaction with a patient has been done, a physician may “incorporate real-time auditory communications or real-time visual and auditory communications to allow a free exchange of information between the patient and the physician performing the patient evaluation.”  In Virginia, a physician must perform an examination of the patient “either physically or by the use of instrumentation and diagnostic equipment through which images and medical records may be transmitted electronically.”  Hawaii, New Mexico, and a handful of other states take a similar approach. 

Model Policy

Given the various approaches, what is a telemedicine provider to do? Some help is on the way.  The Federation of State Medical Boards, a national organization that represents 70 medical and osteopathic state medical boards in the United States, has developed the “Model Guidelines for the Appropriate Use of the Internet in Medical Practice” which among other things addresses the issue of prescribing head on:

  • Prescribing. If using telemedicine technologies, where prescribing may be contemplated, providers must implement measures—left to the discretion of the physician—to uphold patient safety in the absence of traditional physical examination. Measures should guarantee that the identity of the patient and provider is clearly established. To assure patient safety in the absence of physical examination, telemedicine technologies should limit medication formularies to those considered safe by the state medical board.

Some states have adopted the FSMB’s Model Policy in whole or in part. It is my hope that many more states will adopt the Model Policy as it represents a very positive step in the right direction toward harmonizing the disparate, inconsistent, and often confusing patchwork of state laws governing online prescribing. 

Telemedicine Has an Unlikely Ally: The FTC

LinkedIn Tweet Like Email Comment

As a lawyer practicing in the telemedicine space, I am rarely surprised these days.  But every once in a while I will read or hear something that stops me in my tracks. That is exactly what happened when I read a blog post by an FTC Commissioner which, among other things, calls for government policies that help facilitate greater adoption of telemedicine.  The post was part of a broader piece about the FTC’s role in promoting competition and innovation in health care.

By way of quick background, the Federal Trade Commission is the federal agency charged with protecting consumers and promoting competition, which includes challenging anticompetitive business practices.  The agency has been active in the health care sector, challenging several hospital and physician practice mergers. In an effort to highlight some of the FTC’s non-enforcement efforts, one of the agency’s five commissioners, Maureen Ohlhausen, wrote a blog post touting the agency’s advocacy efforts in the health care arena, and specifically highlighted how the FTC’s competition policy could help facilitate greater proliferation of telemedicine.

Among the highlights in the post related to telemedicine:

  • Telemedicine can reduce costs and increase access to care, but such advantages often run afoul of state professional licensing schemes that were developed to regulate local medical practices.
  • The variation in state licensure and other requirements continues despite “the fact that the core entry requirements for physicians are essentially uniform across the U.S”.
  • Legacy statutes and regulations are barriers “to the efficient flow of health care information and expertise and, indeed, specialized labor — barriers that can be costly to public and private payers and, in the end, individual patients,” without necessarily offering better consumer protection benefits.
  • Lawyers and policymakers need to creatively address ways to lower barriers without sacrificing the good in state regulations.
  • It is critical that policymakers “approach new technologies with a dose of regulatory humility” and should educate themselves about technological innovation, and:
    • Understand its effects on consumers and the marketplace;
    • Identify benefits and likely harms, and;
    • If harms do exist, consider whether existing laws and regulations sufficiently address the issues before assuming that new laws would be required.

Ms. Ohlhausen goes on to call for the FTC to use its policy research and development tools to better understand innovative technology, new business models facilitated by the new technology, and the likely risks and benefits for consumers.  More significantly, Ms. Ohlhausen also challenges the agency to educate itself “about undue impediments to innovation and competition” while also using its authority to enforce against harm to consumers from the use of new health information technology vehicles.

I can only applaud Ms. Ohlhausen’s approach.  It is encouraging to see a policymaker acknowledge the role regulations may play in stifling innovation and call for government agencies to find creative ways to lower barriers while balancing consumer protection.  I only hope other regulators follow Ms. Ohlhausen’s lead.


New Jersey Law Requires Encryption of Personal Information

LinkedIn Tweet Like Email Comment

On January 9, 2015, New Jersey Governor Chris Christie signed new legislation that will require health insurance carriers authorized to issue health benefits plans in the state—including insurance companies, health service corporations, hospital service corporations, medical service corporations, and health maintenance organizations—to encrypt personal information. Triggered by a series of data breaches involving the health information of almost a million residents, Senate Bill No. 562 (“SB 562”) was passed unanimously by both houses of the state legislature and will take effect on August 1, 2015.

Under SB 562, health insurance carriers will be prohibited from maintaining computerized records that contain personal information unless the information is “secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” The use of a password protection program that prevents general unauthorized access will not suffice to meet the encryption requirement. “Personal information” is defined as an individual’s first name or first initial and last name linked with at least one of the following: (1) Social Security number, (2) driver’s license number or state identification card number, (3) address, or (4) identifiable health information.

The law applies only to end user computer systems and computerized records transmitted across public networks. “End user computer systems” include desktop computers, laptop computers, tablets and other mobile devices, and removable media.

The requirement to encrypt makes the New Jersey law stricter in this regard than the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), under which encryption of electronic protected health information (“ePHI”) is an addressable specification. Nonetheless, given that encrypted ePHI is exempt from HIPAA’s breach notification requirements, it is considered a best practice to encrypt ePHI.

Violation of New Jersey’s encryption mandate will constitute a violation of the New Jersey Consumer Fraud Act, which imposes penalties of up to $10,000 for the first offense and up to $20,000 for any subsequent offense. The state Attorney General may also issue cease-and-desist orders to violators and award treble damages and costs to affected individuals. Given these potential penalties, health insurance carriers in New Jersey should carefully review their policies and procedures and ensure compliance with the new law.