State and Federal Regulatory Issues

Earlier this week, a popular source of regulatory news published an article claiming FDA “finalized a new rule this week that prohibits manufacturers from using so-called ‘split-predicates.’” However, it appears that the article may instead be referencing the Final Guidance for Industry and Food and Drug Administration Staff entitled “The 510(k) Program: Evaluating Substantial Equivalence in Premarket Notifications [510(k)]” that FDA published earlier this week. Unfortunately, as often occurs on the Internet, the post was disseminated by several other popular sources of regulatory news.

This confusion comes a little less than three months after four Senators sent a letter to FDA raising concerns about FDA draft guidance “becoming the default FDA policy and position.”

Guidances and final rules carry different legal weight. Final regulations are legislative rules that have the force of law, whereas guidances do not set new legal standards, impose legal requirements, or have the force of law. Instead, guidances are issued to help interpret or clarify an existing regulation.

FDA certainly understands this difference. As FDA notes, “FDA regulations are [] federal laws, [even though] they are not part of the [federal Food Drug & Cosmetic Act (FD&C Act)].” By contrast, “FDA guidance describes the agency’s current thinking on a regulatory issue [but guidance] is not legally binding on the public or FDA.”

FDA also emphasizes this latter point in many of its guidance documents by including the following disclaimer:

This guidance represents the Food and Drug Administration’s (FDA’s) current thinking on this topic. It does not create or confer any rights for or on any person and does not operate to bind FDA or the public. You can use an alternative approach if the approach satisfies the requirements of the applicable statutes and regulations. If you want to discuss an alternative approach, contact the FDA staff responsible for implementing this guidance. If you cannot identify the appropriate FDA staff, call the appropriate number listed on the title page of this guidance.

Unfortunately, not everyone fully appreciates the difference between rules and guidance. The recent confusion suggests that there is a disconnect between FDA’s position on the difference between guidance and final rules and the understanding of at least some in industry.  Therefore, as FDA reviews its current guidance development practice, it is important that FDA look for ways to ensure (draft or final) guidance is just that, guidance.  For example,

  • FDA should make the guidance development process more efficient, so that there is a significant difference between the time it takes to publish a final guidance and the time it takes to implement a final rule;
  • If a manufacturer uses an alternative approach and provides reasonable support for taking such an approach, FDA should be required to provide a reasonable explanation as to why the alternative is insufficient;
  • FDA should include a process for quickly and efficiently incorporating alternative approaches into existing final guidance.

One of the largest hurdles to the growth of telehealth—the lack of a streamlined process for obtaining physician licensure in multiple states—is one step closer to being scaled. The Federation of State Medical Boards (“FSMB”) recently released a revised draft of its Interstate Medical Licensure Compact (“Compact”). This revised draft is a continuation of efforts by FSMB and its member boards to study the feasibility of interstate license portability. Additionally, the revised draft of the Compact reflects changes based upon comments received from FSMB member boards and other stakeholders since the draft was released by FSMB earlier this year. Adoption of the Compact is critical to the interstate practice of telehealth. You can read the full alert here.

By Brandon Ge and Alaap Shah

The Department of Health and Human Services (“HHS”) is taking laudable steps to improve notices of privacy practices (“NPPs”) and make them more clear, understandable, and user-friendly. Under the HIPAA Privacy Rule, individuals are entitled to receive an NPP informing them of how their health information may be used and shared, as well as how to exercise their health privacy rights. Health plans and health care providers must develop and distribute NPPs that clearly explain these rights and practices. Unfortunately, to date NPPs have been poorly designed, hard to navigate, and unclear with regard to patient rights or company obligations regarding use and disclosure of health information.

Privacy is just as much about protecting patients’ rights to data as it is about protecting data. The HIPAA Omnibus Rule, CLIA Rule, and others are designed to improve patient access to their medical records, empowering them to actively manage their health. The digitization of medical records, in the form of electronic health records, personal health records, patient portals, and the like, facilitates patient engagement in healthcare if used properly. However, ineffective NPPs create barriers to patients understanding their rights.

NPPs that clearly convey patients’ privacy rights are critical in enabling patients to take a more active role in healthcare. Conversely, if patients do not understand NPPs, then they won’t have a good sense of their privacy rights, including their right to access their health information. Some critiques regarding NPPs include that they are frequently lengthy and include legalese that the general public has difficulty understanding. To remedy these concerns, some suggest that simplifying language and “layering” the notice—that is, including a short summary of the individual’s rights as a first layer and including a longer, more detailed explanation as a second layer—would go a long way toward improving the readability of NPPs.

In an effort to address criticisms of NPPs, last month, the Office of the National Coordinator for Health Information Technology (“ONC”) collaborated with the HHS Office for Civil Rights (“OCR”) to develop model NPPs that clearly convey the required information to patients in an accessible format. Covered entities can customize these model NPPs and then display them and distribute them to patients.

ONC and OCR have also thrown down the gauntlet and established the Digital Privacy Notice Challenge, which will award $15,000 to the creators of the best online NPP (second place wins $7,000 and third place gets $3,000). The challenge calls for designers, developers, and privacy experts to use the model notices as a baseline and create an online NPP that is clear, effectively informs patients of their privacy rights, and is easily integrated online. Once submissions are finalized, the public will have two weeks to vote on the best submission.

The submission period ends on April 7, 2014, and winners will be announced in May or June of 2014.

Does your organization think it has what it takes to win this challenge?

 

Follow Alaap Shah on Twitter: @HealthITLawyers

A significant barrier to the interstate practice of telehealth is closer to being broken down. The Federation of State Medical Boards (FSMB) has completed and distributed a draft Interstate Medical Licensure Compact, designed to facilitate physician licensure portability that should enhance the practice of interstate telehealth.  Essentially, the compact would create an additional licensing pathway, through which physicians would be able to obtain expedited licensure in participating states.  As the FSMB notes in its draft, the compact “complements the existing licensing and regulatory authority of state medical boards, ensures the safety of patients, and provides physicians with enhanced portability of their license to practice medicine outside their state of primary licensure.”  This is a potentially significant development because burdensome state licensure requirements have been a major impediment to the interstate practice of telehealth. A physician practicing telehealth is generally required to obtain a medical license in the state where the patient—not the physician—is located.  As a consequence, physicians wishing to treat patients in multiple states need to obtain a license in each of those states in order to practice medicine lawfully, a lengthy and expensive process.

While the draft compact shares some of the same features as the Nurse Licensure Compact (NLC) (launched in 2000 to facilitate nurse mobility and improve access to care), a key difference is in the process for obtaining multistate licensure.  Under the draft compact physicians have to submit an application, register, and pay certain fees to obtain licensure in other participating states.  Nurses under the NLC, on the other hand, only need to declare that their home state is an NLC state, and the privilege to practice in other NLC states is automatically activated—no separate applications or fees are required.  You can read a more comprehensive analysis of the FSMB draft compact here.

By:  Alaap Shah and Marshall Jackson

 

With the New Year come new protections for health care entities and individuals utilizing electronic health records (EHRs). On December 27, the U.S. Department of Health and Human Services, Office of Inspector General (OIG) and the Centers for Medicare and Medicaid Services (CMS) issued final rules regarding the Stark Exception and the Anti-Kickback Safe Harbor permitting certain health care organizations to subsidize up to 85% of the donor’s cost of certain EHR items and services (the “Final Rules”). The Final Rules amended the 2006 original rule (the “Original Rule”). The Final Rules:

  • Extend the expiration of the protections from December 31, 2013 to December 31, 2021;
  • Exclude laboratory companies from the list of eligible “Protected Donors” that may donate EHR items and services;
  • Update the provisions under which an EHR donor or recipient can ascertain, with certainty, that EHR is interoperable;
  • Remove requirements that donated EHR include e-prescribing capabilities; and
  • Clarify the requirement prohibiting any action that limits or restricts the use, compatibility, or interoperability of donated EHRs.

SUNSET PROVISION

Under the Original Rule, EHR donation regulations were set to expire on December 31, 2013. The Final Rules extend the expiration of the protections until December 31, 2021.

LABORATORY EXCLUSION

As a change from the Original Rule, the protections under the Final Rules no longer extend to laboratory companies as a type of entity that may donate EHR items and services. However, this exclusion under the Final Rules does not apply to hospitals that furnish clinical laboratory services through a laboratory that is a department of the hospital. It should be noted that a hospital-affiliated or hospital-owned company that furnishes laboratory services, which have a billing number assigned to the company as opposed to the hospital, would be excluded from the protections under the Final Rules.

INTEROPERABILITY

The Original Rule required that donated or subsidized software be “interoperable”.  The rule stated that software is interoperable if a certifying body recognized by the Secretary of the Department of Health and Human Services certified the software within 12 months of the time it was provided to a physician.  Under the Final Rules, software is deemed to be interoperable if, on the date it is provided to the physician, it has been certified by a certifying body authorized by the National Coordinator for Health Information Technology to an edition of EHR certification criteria.  Significantly, the protections under the Final Rules are not limited to donations to individuals and entities eligible to participate in the EHR Incentive Programs (the “Meaningful Use Program”), but also extend to other entities and individuals if the donations meet the conditions of the safe harbor.

DATA LOCK-IN AND EXCHANGE

In order to foster the free exchange of data, the Final Rules have made limited clarifications to require that a donor not take any action to limit or restrict the use, compatibility or interoperability of the items or services with other electronic prescribing or EHR systems.  The Final Rules included examples, making it clearer that this prohibition applies to any donor action that limits the use of donated software with any other health information technology.

ELECTRONIC PRESCRIBING

The Original Rule required that donated software contain an electronic prescribing capability.  However, under the Final Rules, effective March 27, 2014, the requirement that the donated software contain an electronic prescribing capability has been eliminated.

THE WINNERS AND LOSERS

The Final Rule attempts to strike the right balance between competing interests.  On the one hand, the Final Rule seeks to foster continued adoption of EHRs and increased interoperability, which are ongoing goals within CMS, ONC and much of the healthcare industry.  On the other hand, OIG has shifted its position to better control risks associated with misuse of EHR donation by certain entities that seek to secure kickbacks.  Recognizing these competing concerns, OIG has extended the safe harbor and improved alignment with ONC to ensure companies have better guidance to meet the interoperability requirements.  Therefore many organizations emerge as winners under the Final Rule, including EHR vendors, protected EHR donors and EHR recipients.  However, laboratory companies are at a significant loss as a result of OIG’s tightening of the definition of “Protected Donor”.

 


   By:  Alaap Shah and Ali Lakhani

Why is data breach such a rampant problem within the health care industry?

As health care rapidly digitizes through adoption of electronic health records, mobile applications and the like, the risk of data breach is rising exponentially.  To effectively manage this risk, health care companies and their business associates must be vigilant by implementing and evaluating security controls in the form of administrative, physical and technical safeguards.  Health care companies also have resources to assist them with managing this risk.  Specifically, the Federal agency for oversight of the Health Insurance Portability and Accountability Act (“HIPAA”), the Department of Health and Human Services, Office for Civil Rights (“OCR”) is tasked with providing technical assistance to guide companies to achieve compliance with the HIPAA security rules.  Further, when companies fail to comply, OCR has enforcement authority to “obtain” compliance.

The responsibility for the oversight and enforcement of the Security Rule was delegated to OCR by DHHS in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Nonetheless, anyone who reads the news is aware that data breaches within the health care sector are commonplace. As such, it is becoming increasingly clear that health care companies systemically lack adequate security safeguards. Additionally, it raises a concern regarding the effectiveness of OCR’s efforts to ensure compliance.

Lack of Insight into Industry Security Compliance

According to a recently released report by the Department of Health and Human Services (“DHHS”) Office of Inspector General (“OIG”), OCR’s compliance efforts reveal significant gaps in their oversight activities between 2009 and 2011.  Specifically, the report states that OCR “hasn’t performed required audits of how corporations handle patient information and failed to guarantee the security of its own records.”  As a result, OIG indicated that OCR’s periodic Security Rule compliance audits, which were made mandatory by HITECH, remain an outstanding objective.

OCR responded to OIG’s report by explaining that “no funds [have] been appropriated . . . to maintain a permanent audit program.” Going forward, however, Rodriguez said he expects that OCR “will leverage more civil penalties” and that OCR will be permitted to use collected penalties to fund enforcement actions and “to maximize funding [for] our auditing and breach analysis” activities. OCR has already committed $4.5 million from monies it collected from prior enforcement actions.

Interestingly, this is not to suggest OCR has not been active in promoting security compliance.  For example, OIG indicated that OCR has provided guidance to covered entities to promote compliance and has established an investigation process for responding to reported violations.    Yet, OCR’s report card, although somewhat changed, is not materially improved since OIG’s 2011 report wherein a “need for greater OCR oversight and enforcement” was recommended.  In light of these findings, it is likely that OCR will turn its focus to increasing its oversight activities in an effort to gain further insight into security rule compliance.

OCR is Transforming into OIG

As early as May 2012, the Director of OCR, Leon Rodriguez, indicated that the agency is headed toward the Office of Inspector General enforcement model. Rodriguez has warned that “the same level of vigilance that providers have used to steer clear of OIG’s fraud enforcement now needs to be applied in the HIPAA environment.” Coupling these comments with the findings of the recent OIG report suggests that OCR will be taking its oversight and enforcement activities even more seriously moving forward.

Based on reinvigoration of the HIPAA Audit Program and signals from OCR, it appears that 2014 will be the year of heightened OCR enforcement. According to federal regulators, the permanent HIPAA Audit program is planned to begin early in the new year, and covered entities should identify and mitigate outstanding non-compliance. Although Rodriguez has conceded that “the audits under this permanent program will be narrower in scope in comparison [to those] conducted during the pilot program,” the number of organizations that will be audited is expected to increase.

In short, the health care industry should expect even more audits and enforcements in the future.


By:  Alaap Shah and Ali Lakhani

 

The Good: 

“Hey Doc, just shoot me a text . . .”

The business case supporting text messaging in a health care environment is compelling: it is mobile, fast, and direct, it increases dialogue between physicians and patients, and it streamlines the often inefficient page/callback paradigm that stalls workflows and efficiency in the supply chain of healthcare delivery. As a growing percentage of the 171 billion monthly text messages in the U.S. are sent by healthcare providers, often containing electronic protected health information (ePHI), providers are potentially exposing themselves to regulatory liabilities arising under the Health Insurance Portability and Accountability Act (HIPAA).

 

Currently, there is a great deal of uncertainty around whether “HIPAA-compliant” texting of ePHI can be accomplished.  Even greater confusion exists around whether certain texting platforms themselves can be “HIPAA-compliant”.  Before you start to send ePHI via text message, there are a number of issues to consider.

The Bad:

Texting:  Done Two Ways . . .

“Texting”, in the colloquial sense, has become an umbrella term for the entire category of mobile, asynchronous, instant communication between two or more parties. The first category of texting is what most people use today. This category is the traditional, wireless carrier-based text messaging, known as Short Message Service (SMS) text messaging. Here, users exchange messages between mobile devices over a cellular network. Most cellphones and smartphones in the U.S. market have an SMS text message capability, and it is a relatively simple push technology that can be used by people who are not tech-savvy. These benefits of SMS illustrate the broad reach of this technology.

The second category of texting is application-based instant messaging whereby users exchange messages over the internet between web-enabled devices.  In essence, users download stand-alone applications to their mobile devices, create accounts with unique login credentials, and then send and receive text messages between accounts using the application interface.  In light of challenges posed by HIPAA, many companies have developed application-based texting platforms, which are now branded as “HIPAA-compliant”.  A number of these texting platforms allow for encryption of messages as well as secure login at the application level.  However, the reach of these texting applications is somewhat narrower than traditional SMS text messaging for a few reasons.  First, these texting applications typically run on smartphones, but are not universally available on ordinary cellphones.  Second, use of the applications may be limited if the user is not tech-savvy.  Nonetheless, these application-based texting platforms provide powerful tools to share ePHI.

Before you choose to use SMS text messaging or even a “HIPAA-compliant” application-based texting platform to send or receive ePHI, proceed with caution.  First, note that no particular “texting” platform can be, in and of itself, “HIPAA-compliant.”  Second, text messaging presents a litany of privacy and security challenges which must be addressed before texting ePHI.

The Ugly:

The Trouble with SMS Texting . . .

By virtue of how it is generated, transmitted, stored, and viewed, traditional SMS texting presents several obstacles to HIPAA compliance.  Some of the key obstacles include the following and are explained below:

  • SMS text messages are transmitted in clear text;
  • SMS text messages are not encrypted;
  • Senders cannot authenticate recipients;
  • Recipients cannot authenticate senders; and
  • ePHI can remain stored on wireless carrier servers.

Of particular note, SMS text messages are currently not secured through encryption. This potentially allows unauthorized third parties to get access to and view the content of SMS text messages associated with certain individually-identifiable information.

It is also difficult to know who generated a text message or even whether it is ending up in the right place.  Recognizing some of these authentication issues prompted the Joint Commission to explicitly restrict text messaging.  Indeed, the Joint Commission stated that it is unacceptable for “physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting[s].” This, however, does not amount to a complete ban on text messaging of ePHI, and leaves open the possibility of other appropriate ways to utilize texting to share ePHI.

Finally, ePHI sent via SMS text message can end up being stored in places outside the control of the sender or the recipient.  This can create an unmanageable risk in the context of data breach.  For example, SMS text messages reside on telecommunications servers for some time before and after being transmitted to a recipient’s phone.  As such, a breach of the telecom servers could allow unauthorized individuals to access or view the ePHI.

These risks render SMS text messaging a difficult avenue for the transmission of ePHI.

 

Despite these obstacles, is there a way to leverage text messaging while complying with HIPAA?

First and foremost, HIPAA does not explicitly prohibit the use of SMS text messaging to transmit ePHI. Rather, the HIPAA Security Rule requires Covered Entities and Business Associates acting on their behalf to implement administrative, physical and technical safeguards if engaged in the transmission or storage of ePHI. While HIPAA does not prescribe specific safeguards to use to protect ePHI sent via text message, it does provide a framework to assess and mitigate risks associated with such transmissions. For example, key technical safeguards included within the HIPAA Security Rule that should be considered before texting ePHI include the following controls:

  • Unique User Identification;
  • Automatic Logoff;
  • Encryption/Decryption;
  • Auditing;
  • Integrity Management;
  • Authentication; and
  • Transmission Security.

Further, to comply with HIPAA, those who want to send ePHI via text must conduct a risk analysis.  A risk analysis consists of “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”  Thus, prior to employing SMS or application-based texting, the risks associated with either should be addressed.

In short, HIPAA compliance is achieved by implementing reasonable and appropriate safeguards and conducting a risk analysis on a periodic basis.

Text messaging continues to offer a simple, attractive, and cost-effective way to communicate ePHI. As a result, text messaging solutions will continue to enter the marketplace. Yet, text messaging solutions carry a great deal of risk stemming from various threats and vulnerabilities. Before utilizing text messaging, these risks must be evaluated and effectively managed to ensure compliance with HIPAA and avoid the potential for unauthorized use or disclosure as well as data breach.

 


 

About two weeks ago, the Governor of Nevada signed into law new legislation that removes a number of barriers to the practice of telehealth within the state of Nevada. Among the most significant changes, the Nevada legislation allows physicians to establish a physician-patient relationship (which is a precondition for prescribing drugs, rendering diagnoses, and performing other medical services) through a telehealth encounter. In doing so, Nevada joins only a small number of states that have taken this step. However, the Nevada law is significant not only because it allows a physician to establish a physician-patient relationship through telehealth, but also because it broadly expands the state’s definition of telemedicine to include telephonic communications (in addition to electronic face-to-face).

This means that in Nevada, a physician will not need to see a patient, either in-person or through a video transmission, to prescribe medication or provide other treatment. A telephone call will be sufficient. For years, advocates of telehealth have been urging states to relax their practice of medicine restrictions and allow physicians to establish a doctor-patient relationship through telehealth. However, to date, most states have resisted, and continue to require that the physician physically examine the patient in-person in order to establish a doctor-patient relationship (for purposes of prescribing drugs, rendering diagnosis, etc.). It is against this backdrop that Nevada’s law seems so remarkable.

There are, of course, many good reasons for expanding the range of activities that can be performed through telehealth, which I stand behind. Telehealth increases access to physicians (who otherwise may not be local), offers individuals more choices on where to go for care, makes health care more convenient, and with regard to many telehealth applications, has been shown to improve health outcomes and lower costs of care. But, as we continue to push for broader adoption of telehealth, and a removal of barriers to prescribing, diagnosing, and performing other forms of treatment through telehealth means, we also need to carefully consider where (and how) the new boundaries should be drawn.

  • Should physicians or advanced practice nurses be allowed to treat patients they have never seen in a face-to-face encounter through the telephone? If so, under what circumstances?
  • Should governments be making decisions regarding the specific ways telehealth can and cannot be practiced, or should medical boards, medical societies or the providers themselves be making these decisions on their own?
  • How do we make sure as an industry that, in our efforts to remove state law barriers to telehealth, we continue to act in the best interest of the patient or the individual?

Right now Nevada is an outlier, and the problem in the vast majority of states is too many restrictions on telehealth practice.   But if we don’t get the balance right, and instead go too far in the other direction, then bigger problems may surface.   There could be more accidents and injuries, and the public may begin to question the safety of telehealth as an alternative to conventional medicine.

Before initiating treatment, health care providers must generally obtain their patients’ informed consent. The purpose of the informed consent process is two-fold. First, it allows patients to gain an understanding of the risks and benefits of the proposed treatment, and alternative courses of action. Second, it helps shield providers from legal exposure.

A formal informed consent process is particularly critical for procedures that carry a high risk of patient injury. When considering such “high-risk” procedures, neurosurgery or radiation therapy may come to mind. However, in the practice of telehealth, reliance on imperfect technological tools, as well as the “distance” factor, can propel otherwise routine treatments into a higher risk category.

The Risks of Telehealth Practice

One important telehealth-specific risk is the possibility of technological hiccups and failures. Computers, tablets, cell phones, web cameras, and electronic health records represent just a sampling of the technology-based tools used by telehealth providers. While these technologies can improve and advance patient care, they can also falter, impairing the medical evaluation and treatment process and threatening patient safety. For example, transmission errors can occur when telehealth providers receive patient data electronically (such data may include patient records, x-rays, and medical device print-outs). These errors can delay patient treatment and even give rise to dangerous misdiagnoses.

Beyond transmission errors, the remote nature of telehealth practice can create additional risks. For instance, a patient being evaluated by a distant, off-site provider may not be able to tell who is present in the room at the distant provider’s site (i.e., medical or non-medical personnel may be present and within listening distance, but not captured by the camera’s view). This is a clear privacy concern for patients, who may not want such “hidden” third parties to have access to their personal health information.

The remote nature of telehealth practice can also increase patient risk because distant providers cannot perform comprehensive physical examinations. Without completing a hands-on examination, the distant provider’s ability to offer a complete and accurate evaluation of the patient’s condition may be limited.

State legislatures are starting to take note of these telehealth-specific risks. In fact, a few states have already passed laws that require providers to obtain a patient’s informed consent before delivering telehealth services.

State Implementation of Telehealth-Specific Consent Laws

To date, state approaches to telehealth-specific consent laws have varied. For example, in Nebraska, telehealth providers must obtain patients’ written informed consent prior to an initial telehealth consultation. Conversely, under both California and Arizona law, a patient’s verbal consent to the use of telehealth care satisfies the statutory informed consent requirement. In Texas, telehealth providers are required to obtain patients’ informed consent prior to delivering telehealth services, but the relevant statute does not specify the required form of the consent. In at least one state, Oklahoma, legislators have gone above and beyond simply requiring informed consent for telehealth services. The Oklahoma telehealth statute establishes a detailed consent framework, laying out the specific types of information that telehealth providers must give to patients.

Although telehealth-specific consent laws are currently confined to only a small minority of states, all telehealth providers should take heed. No matter the jurisdiction, failure to properly obtain a patient’s informed consent before initiating telehealth services can increase a provider’s risk of facing consent-based negligence claims (an explanation of the elements of an informed consent claim can be found here).

Mitigating the Risk of Consent-Based Claims

To prepare for the possibility of facing a consent-based claim (which will often accompany a medical malpractice claim), telehealth providers may consider incorporating a more thorough informed consent process into their overall risk mitigation strategy. For example, providers can improve their documentation of the informed consent process by drafting a telehealth consent form, or a telehealth addendum to a more traditional consent form that they might already use. While some providers, such as those practicing in Oklahoma, may need to adhere to specific state requirements regarding the content of these telehealth-specific forms, there are several general categories of information that all providers may consider including, such as:

  • Language introducing and explaining the telehealth process in a way that patients can easily understand;
  • Description of the expected risks and benefits of telehealth services; and
  • Other information necessary for the patient to have a complete understanding of the telehealth process (e.g., available alternatives, referral information for a local provider, etc.).

Although telehealth providers cannot possibly avoid all practice risks, they can limit their exposure by taking a proactive approach to the informed consent process. Key aspects of such an approach are likely to include disclosure of all material facts necessary for patients to make an informed decision about moving forward with telehealth care and careful documentation of the consent process. From a risk standpoint, providers who take these steps will be well positioned to adapt to emerging new technologies and the continuously expanding scope of services being offered via telehealth.

We all know that telehealth is going mainstream.  The numbers speak for themselves.  A leading research firm predicts that 2.8 million patients worldwide used home-based remote monitoring devices in 2012—expected to increase to 9.4 million connections globally by 2017.  Another firm projects that the number of patients using telehealth services in the United States will grow to 1.3 million in 2017, up from 227,000 in 2012.  Even less rosy projections predict growth to 2 million patients worldwide by 2017.  The news is even better in subspecialties like telepsychiatry that are showing tremendous adoption rates all across the country.  And the federal government is voicing its support for telehealth adoption in a variety of ways including awarding millions of dollars in grant funding for telehealth projects under its Centers for Medicare and Medicaid Services Health Care Innovation Awards program.

All this good news notwithstanding, there are a number of issues and barriers that remain—many of which threaten to stifle the progress being made.  I have boiled these down to the few I think will keep the telehealth community awake at night because, in my view, they hold the greatest potential to stifle the greater adoption of telehealth.

Not Complying with State Licensure and Prescribing Laws.  I have seen a number of regional and national telehealth care models that don’t appear to be in compliance with the various state licensure and prescribing laws. This could have serious ramifications for telehealth as state regulators begin to focus more on telehealth enforcement.  Unfortunately, providing telehealth in more than one state will mean that providers need to comply with multiple state laws, which are often confusing and burdensome.  Nevertheless, telehealth providers should pay particular attention to state prescribing laws, the majority of which require a physical examination before a provider may prescribe drugs—a difficult requirement to meet for telehealth providers operating in multiple states.  Some providers seem unaware of these requirements or simply ignore them.  While I acknowledge that enforcement in this area has not historically been a priority for most state regulators, this is changing in many states as telehealth continues to blossom. As an example, I note the case of the Colorado doctor convicted in 2009 for prescribing an anti-depressant medication to a patient in California who later committed suicide.  The doctor had not performed a face-to-face evaluation nor established a physician-patient relationship as required under California law.  It will only take a few similar high-profile cases to bring the kind of unwanted scrutiny that dogs other parts of the health care sector.

Lack of Highly Developed Protocols and Guidelines.  In my discussions with various state regulators and payers, there seems to be a consensus that telehealth lacks the robust, highly developed protocols, guidelines, and best practices to foster greater acceptance.  I applaud organizations such as the American Telemedicine Association for its continued work in developing a suite of protocols and guidelines for telehealth.  But a lot more needs to be done.  Physician and other health care professional organizations and trade associations need to take the lead in developing serious, well-conceived protocols and guidelines to provide the kind of uniform standards that regulators and payers rightly believe are lacking in telehealth.  Without such protocols, many regulators and payers will continue to view telehealth with skepticism—not to mention the potentially greater liability exposure that exists for practitioners operating in disciplines with no well-established protocols.

Lack of Greater Coverage and Reimbursement.  I have discussed before why providers not getting directly reimbursed for telehealth may not be as much of an issue as many providers believe.  Nevertheless, the lack of widespread coverage and reimbursement is preventing many providers who would otherwise consider providing telehealth from dipping their toes in the water.  To be sure, through so-called telehealth parity statutes, many more private payers cover telehealth than ever before.  But that is not enough.  Payers cite many reasons for failing to provide more telehealth coverage:

  • Not persuaded by clinical efficacy of telehealth for many indications.
  • Bias towards keeping telehealth benefit only available for rural beneficiaries in areas with shortage of health care professionals.
  • Fear of increased costs with expansion of telehealth benefit.
  • HIPAA privacy and security concerns.
  • Many studies have been inconclusive regarding efficiency, cost savings, preventable hospitalizations from the use of telehealth services.

Telehealth stakeholders have more power than they think—and should engage with regulators and payers in a coordinated way to help fashion a more coherent reimbursement approach to telehealth.  There are many developments stakeholders could point to, including: 1) the number of newer studies showing the benefits of telehealth; and 2) the significant results achieved by the Veterans Health Administration (53% reduction in bed days of care; 30% reduction in hospital admissions), long a leader in telehealth adoption.  Absent a more coherent reimbursement approach, many providers will continue to sit on the sidelines—stalling the greater widespread adoption of telehealth.

HIPAA Privacy and Security.  Telehealth HIPAA privacy and security issues are not necessarily different than those facing more conventional providers.  However, within telehealth, privacy and security issues take on greater significance given that telehealth is usually delivered by electronic means and that health information is often stored electronically.  In other words, there are many more opportunities for unauthorized third parties to access patient health information.  Data breaches are becoming increasingly common, with one study showing that 94% of healthcare organizations surveyed have experienced at least one data breach during the past two years, and 45% experiencing more than 5 data breaches each during this same period.  In my mind, nothing threatens the future viability of telehealth more than lax privacy and security.  We have written many posts regarding the kinds of privacy and security issues telehealth providers need to have top of mind.