The SUPPORT for Patients and Communities Act (“the Act” or “the SUPPORT Act”), signed into law by President Trump on October 24, 2018, is intended to combat the growing opioid crisis in the United States. The Act aims at preventing opioid addiction and misuse and enhancing access to care for those who have substance use disorders.

A key aspect of the Act is the expanded Medicare coverage of telehealth services to beneficiaries in their home (see Section 2001 of the Act). Currently, and historically, Medicare has restricted coverage of telehealth services to beneficiaries who reside within certain geographic rural areas and who seek such services at specific “originating sites” (patient beneficiary’s home is not included in the current Medicare definition for “originating site”). The Act amends 42 U.S.C. § 1395m(m) to eliminate these coverage restrictions for “an eligible telehealth individual with a substance use disorder diagnosis for purposes of treatment of such disorder or co-occurring mental health disorder, as determined by the Secretary [of Health and Human Services].” With this amendment in place, health care providers may now be reimbursed for providing eligible substance use disorder services to Medicare beneficiaries in their homes via telehealth. Although the Act does not provide for any “facility fee” reimbursement for telehealth services provided to beneficiaries in their homes, the Act requires reimbursement be provided to physicians and other health care practitioners furnishing these services at the same rate as they would otherwise receive if providing the same services in-person.

It is important to note that while Section 2001 of the Act takes effect on July 1, 2019, it authorizes the Secretary of the U.S. Department of Health & Human Services (“Secretary”) to implement these amendments immediately by creating a final interim rule.  The Act also mandates that the Secretary report on the impact of this legislation on: (1) the health care utilization (and in particular, emergency department visits) related to substance use, and (2) “health outcomes related to substance use disorders,” including opioid overdose deaths. The Act provides $3 million to the Centers for Medicare & Medicaid Program Management Account in order to carry out these reporting requirements, which must be completed within five years.

Another key aspect of the Act mandates that the U.S. Attorney General (“Attorney General”) promulgate final regulations that specify (1) “the limited circumstances in which a special registration under this subsection may be issued” and (2) “the procedure for obtaining a special registration.” Under 21 U.S.C. 831(h), as amended by The Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (“Ryan Haight Act”), this special registration would allow health care providers to prescribe controlled substances via telemedicine when legitimately necessary, including when an in-person evaluation is not possible. As discussed in one of our recent TechHealth Perspectives blog posts, despite the statutory mandate in the Ryan Haight Act passed more than eight years ago, the Attorney General has not yet issued any regulations or guidance on how to obtain this special registration. The Drug Enforcement Administration (“DEA”), the federal agency delegated authority to promulgate these regulations by the Attorney General, has also not promulgated any regulation or other guidance addressing special registration. The SUPPORT Act gives the Attorney General until October 24, 2019, to promulgate its final regulations on this matter.

Epstein Becker & Green plans to discuss the Act’s numerous provisions in greater detail in future Client Alerts.

What will the telehealth landscape look like under the Donald J. Trump Administration?

The Trump Administration is likely to drive telehealth advancement in a positive direction. For example, President Trump’s plan to reform the Veteran’s Affairs Department includes improved patient care through the use of telehealth technology. There are also some indications that the newly confirmed Secretary of the Department of Health and Human Services (“HHS”), Tom Price, is “telehealth friendly.” Recently, during the congressional confirmation hearings, Price mentioned a tele-stroke program in Georgia as a model of success, and he said he thought there were many things that can be done to mirror that kind of technological expansion. Price also said he is interested in promoting telehealth because it “holds great promise, particularly for rural areas experiencing physician shortages and for patients with limited mobility.” Moreover, Trump’s pick to be the next Administrator of the Centers for Medicare and Medicaid Services (“CMS”), Seema Verma, said in her recent congressional confirmation hearings that she wants to work with Congress to promote the use of telehealth technology. Specifically, she said, “telehealth can provide innovative means of making healthcare more flexible and patient-centric. Innovation within the telehealth space could help to expand access within rural and underserved areas.” Finally, Maureen Ohlhausen, the recently appointed acting chair of the Federal Trade Commission (“FTC”), has in the past spoken favorably regarding the potential of telehealth and has said that the current professional licensure system needs to be rethought given telehealth technology’s potential.

Despite the current focus in Congress on repealing and replacing the Affordable Care Act, telehealth legislation continues to gain traction and bipartisan support on the Hill. In February, a bipartisan group of 37 Senators sent a letter to Tom Price encouraging HHS to support telehealth and remote patient monitoring. Congress also has embraced telehealth advancement with a consistent stream of proposed legislation seeking to enhance the provision of telehealth services. Most recently, Rep. Joyce Beatty (OH-03) and Rep. Morgan Griffith (VA-09) reintroduced the Furthering Access to Stroke Telemedicine (“FAST”) Act that would expand access to stroke telemedicine (also called “telestroke”) treatment in Medicare. Congress also recently introduced HR 766 which would establish a pilot program to expand telehealth options under the Medicare program for individuals living in public housing. Additionally, Congress is poised to consider at least two bipartisan pieces of legislation focused on telehealth. The first is known as the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (“CHRONIC”) Care Act of 2016, which seeks to modernize Medicare payment policies focused on improving the management and treatment of chronic diseases using telehealth technologies. The second is known as the Creating Opportunities Now for Necessary and Effective Care Technologies (“CONNECT”) for Health Act, which seeks to mandate Medicare reimbursement for telehealth services (beyond the current, limited reimbursement framework). Finally, Senator Orrin Hatch (R-UT), the Chairperson of the Senate Finance Committee, recently released his “innovation agenda for the 115th Congress” which encourages the promotion of the “internet of things,” greater broadband investment, and increased device-to-device communication and cross-border data flows.

Continue Reading Telehealth Outlook Under the Trump Administration

By:  Alaap Shah and Marshall Jackson


With the New Year, come new protections for health care entities and individuals utilizing electronic health records (EHRs).  On December 27, the U.S. Department of Health and Human Services, Office of Inspector General (OIG) and the Centers for Medicare and Medicaid Services (CMS), issued final rules regarding the Stark Exception and the Anti-Kickback Safe Harbor permitting certain health care organizations to subsidize up to 85% of the donor’s cost of certain EHR items and services (the “Final Rules”). The Final Rules amended the 2006 original rule (the “Original Rule”).  The Final Rules:

  • Extend the expiration of the protections from December 31, 2013 to December 31, 2021;
  • Exclude laboratory companies from the list of eligible “Protected Donors” that may donate EHR items and services;
  • Update the provisions under which an EHR donor or recipient can ascertain, with certainty, that EHR is interoperable;
  • Remove requirements that donated EHR include e-prescribing capabilities; and
  • Clarify the requirement prohibiting any action that limits or restricts the use, compatibility, or interoperability of donated EHRs.


            Under the Original Rule, EHR donation regulations were set to expire on December 31, 2013.  The Final Rules extend the expiration of the protections until December 31, 2021.


            As a change from the Original Rule, the protections under the Final Rules no longer extend to laboratory companies as a type of entity that may donate EHR items and services.  However, this exclusion under the Final Rules does not apply to hospitals who furnish clinical laboratory services through a laboratory that is a department of the hospital.  It should be noted that a hospital-affiliated or hospital-owned company that furnishes laboratory services, which have a billing number assigned to the company as opposed to the hospital, would be excluded from the protections under the Final Rules.


The Original Rule required that donated or subsidized software be “interoperable”.  The rule stated that software is interoperable if a certifying body recognized by the Secretary of the Department of Health and Human Services certified the software within 12 months of the time it was provided to a physician.  Under the Final Rules, software is deemed to be interoperable if, on the date it is provided to the physician, it has been certified by a certifying body authorized by the National Coordinator for Health Information Technology to an edition of EHR certification criteria.  Significantly, the protections under the Final Rules are not limited to donations to individuals and entities eligible to participate in the EHR Incentive Programs (the “Meaningful Use Program”), but also extend to other entities and individuals if the donations meet the conditions of the safe harbor.


In order to foster the free exchange of data, the Final Rules have made limited clarifications to require that a donor not take any action to limit or restrict the use, compatibility or interoperability of the items or services with other electronic prescribing or EHR systems.  The Final Rules included examples, making it clearer that this prohibition applies to any donor action that limits the use of donated software with any other health information technology.


The Original Rule required that donated software contain an electronic prescribing capability.  However, under the Final Rules, effective March 27, 2014, the requirement that the donated software contain an electronic prescribing capability has been eliminated.


The Final Rule attempts to strike the right balance between competing interests.  On the one hand, the Final Rule seeks to foster continued adoption of EHRs and increased interoperability, which are ongoing goals within CMS, ONC and much of the healthcare industry.  On the other hand, OIG has shifted its position to better control risks associated with misuse of EHR donation by certain entities that seek to secure kickbacks.  Recognizing these competing concerns, OIG has extended the safe harbor and improved alignment with ONC to ensure companies have better guidance to meet the interoperability requirements.  Therefore many organizations emerge as winners under the Final Rule, including EHR vendors, protected EHR donors and EHR recipients.  However, laboratory companies are at a significant loss as a result of OIG’s tightening of the definition of “Protected Donor”.


Follow Alaap Shah on Twitter: @HealthITLawyers

There are many reasons a healthcare entity dealing with protected health information (“PHI”) should conduct a risk analysis.  First and foremost, if conducted properly, a risk analysis should identify PHI-containing systems, assess vulnerabilities of those systems, evaluate and prioritize risks to those systems, and assist in developing mitigation strategies to safeguard the systems.  These on-going efforts can help ensure adequate protection of patients’ health information.

Second, conducting a risk analysis has been required by HIPAA since issuance of the Security Rule.  While many healthcare entities did not take this requirement seriously, the passage of the HITECH Act in 2009 increased penalties and enforcement under HIPAA.  Based on enforcement data over the past few years, it is clear that the Office for Civil Rights (“OCR”), the arm of the U.S. Department of Health and Human Services (“HHS”) with enforcement authority under HIPAA, is taking this issue seriously by imposing severe civil monetary penalties on healthcare entities of all shapes and sizes.  In short, OCR’s position is that failing to conduct a HIPAA risk analysis is unreasonable.  The Office has issued guidance on conduct a risk analysis here.

Third, conducting a HIPAA risk analysis is an important process to help healthcare entities understand their security posture in order to prevent data breaches.  Data breaches are a common occurrence largely because healthcare entities are rushing to digitize PHI and adopt a cornucopia of health information technologies to improve efficiencies, reduce costs, and improve outcomes in the healthcare system.  Conducting a risk analysis can prevent the financial and reputational fallout that occurs from losing patient data.

Fourth, HITECH also created another incentive to conduct a risk analysis:  the Electronic Health Record (“EHR”) Incentive Payment program.  To qualify for payments under this program, healthcare providers need to attest to being meaningful users of EHRs.  Part of that attestation under Stage 1 was that an entity conducts a risk analysis.  Over $12.7 billion dollars have been paid to approximately 240,000 providers thus far.  Due to amount spent to date, the Federal government is now questioning program integrity and seeking to recoup payments from entities if they have falsely attested.  The Centers for Medicare and Medicare (“CMS”) has authority to conduct audits, which it began in 2012.  Thus, any entity that has not conducted a risk analysis, but has received payments under the EHR Incentive Payment program, is at risk of losing those payments.

Fifth, receiving EHR incentive payments without conducting a risk assessment may result in liability under the False Claims Act.  The HHS Office of Inspector General (“OIG”) has become equally wary of fraud and abuse relative to false attestations.  Accordingly, OIG has made this a top priority for 2013, and will likely start to open investigations against alleged false attesters.  This may become a real pain point for healthcare entities because liability can be up to three times the amount of the EHR incentive payment and can lead to exclusions from Medicare or Medicaid.

In short, failing to conduct a risk analysis can result in:

  • OCR enforcement including civil monetary penalties and resolution agreements;
  • Increased risk of suffering data breaches;
  • CMS enforcement to recoup EHR incentive payments; and
  • OIG enforcement under the False Claims Act including liability of up to 3 times the EHR incentive payment and exclusion from federally funded healthcare programs.

Follow me on Twitter: @HealthITLawyers



On January 25, 2013, the Department of Health and Human Services (“HHS”) published in the Federal Register the highly anticipated Omnibus Rule, which strengthens and amends existing regulations in the HIPAA Privacy and Security Rules. The rule will significantly affect health technology companies, including telehealth companies, data centers, and personal health record vendors, with an estimated total cost of compliance of 114 million to 225.4 million dollars. The rule will be effective on March 26, 2013, but affected parties have until September 26, 2013 to comply with most provisions.

As we have discussed on this blog, technology companies looking to provide health solutions must figure out early on whether they are regulated under HIPAA. While some provider-driven technology companies may qualify as HIPAA covered entities, most health technology companies that become subject to HIPAA do so because they engage in activities that make them business associates. Notably, the Omnibus Rule expands the definition of business associates to include the following:

  • Entities, such as data centers, that maintain protected health information (“PHI”) on behalf of covered entities;
  • Health information organizations, e-prescribing gateways, and other entities that provide data transmission services for PHI to a covered entity and that require access to PHI on a routine basis;
  • Entities that offer personal health records to individuals on behalf of a covered entity; and
  • Subcontractors that create, receive, maintain, or transmit PHI on behalf of another business associate.

Additionally, the Omnibus Rule increases liability for business associates. Guidance from HHS in the preamble to the rule clarifies that business associates are now directly liable for:

  • Impermissible uses and disclosures;
  • Failure to provide breach notification to the covered entity;
  • Failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement);
  • Failure to disclose PHI when required in an investigation of the business associate’s compliance with HIPAA;
  • Failure to describe when an individual’s information is disclosed to others; and
  • Failure to comply with the HIPAA Security Rule’s requirements, such as performing a risk analysis, establishing a risk management program, and designating a security official, among other administrative, physical, and technical safeguards.

Noncompliant business associates will be subject to civil monetary penalties ranging from $100 to $50,000 per violation, with the penalty for multiple violations of the same provision capped at $1.5 million. However, guidance from the preamble notes that with the way the Office of Civil Rights counts violations, one event could violate multiple HIPAA requirements, resulting in penalties exceeding $1.5 million. Noncompliant companies face other risks as well. Breach notification requirements (to upstream business associates, covered entities, the government, affected individuals, and the media) can cause significant reputational harm to an organization and result in the termination of contracts or business relationships.

The Omnibus Rule also amends requirements for business associate agreements, which must now include certain additional provisions. These changes will require many covered entities and business associates to update existing business associate agreements. Due to the administrative burden of implementing these new business associate agreement provisions, the Omnibus Rule provides for a one-year transition period, during which covered entities and business associates, as well as business associates and subcontractors, may continue to operate under contracts that were in effect as of January 25, 2013. HHS has provided a model business associate agreement online.

For more information on the Omnibus Rule and what entities must do to comply with the new provisions, consult the following Epstein Becker Green client alerts:

The Patient Protection and Affordable Care Act has an awful lot in it.  But at its core, the legislation is an attempt to achieve a few key goals:

  1. Improve access to healthcare,
  2. Increase healthcare quality, and
  3. Bend the cost curve to make healthcare more affordable.

There is little debate that each of these goals is worthy of achievement – but beyond that there is little agreement.  Debate around the “individual mandate”, accountable care organizations, health insurance exchanges and the myriad other care delivery and payment reforms adopted in the ACA have grabbed the headlines of mainstream media and trade publications.  There is some good (and some bad) debate going on about these provisions, many of which come from the experiences of payers and providers, private and public, that have been trying to improve healthcare for years.

But when it comes to the triple aim, not enough has been said about the possibilities of telemedicine in achieving those laudable goals.

Telemedicine is beginning to receive media attention, and increasingly serious thought is being given to telemedicine as something more than a way to address only one of the triple aims.

Certainly, telemedicine has proven itself to be effective in spreading access; but increasingly telehealth, telemedicine, mhealth, and connected health (a rose by any other name . . . . ) are being seen as providing solutions to achieve the other two of the triple aim – reducing cost and improving quality.  In addition, telemedicine (generally) has the additional advantage of engaging the patient directly, unlike many ACA reforms which focus on the healthcare infrastructure.

Will technology save healthcare?  Unlikely, I believe; but it certainly can be a part of the solution.  It is easy to get ahead of ourselves; and there is a need to proceed carefully in order to avoid the pitfalls that invariable appear whenever innovation is near.

But proceed we will.  I am no historian, but I cannot think of a time in the history of humans when we turned our back on technological advancements.  Instead, we put it to use wherever we can, and in so doing, constantly evolve and advance our relationship with technology.

There is simply no reason to think technology (including social media) will not increasingly be used by hospitals, physicians and patients – regardless of the efforts of the luddites among us.

Which brings me back to the main point of this post.

With little change in regulatory, reimbursement or delivery structures from on high, telemedicine efforts are proving, in some cases, that they can help achieve the triple aim.  A case in point is the effort of Saint Vincent Health System in Erie, PA.  According to a report by HealthCare Finance News, Saint Vincent has:

  •  reduced readmissions,
  •  expanded access multi-specialty teams,
  •  expanded medical education opportunities,
  •  realized a nearly 100% ROI over a two month period with respect to one telehealth initiative, and
  •  reduced patient and payer costs.

Not every telemedicine project has such a striking impact; and proceeding cautiously is warranted.  Nonetheless, the experiences of Saint Vincent are not unique.

While the adoption of the ACA may be a watershed moment – signifying a shift in the goals of our regulated healthcare infrastructure – in years to come, we may point to telemedicine as the most significant factor in improving access, increasing quality and reducing the costs of healthcare.