State and Federal Regulatory Issues

As a lawyer practicing in the telemedicine space, I am rarely surprised these days.  But every once in a while I will read or hear something that stops me in my tracks. That is exactly what happened when I read a blog post by an FTC Commissioner which, among other things, calls for government policies that help facilitate greater adoption of telemedicine.  The post was part of a broader piece about the FTC’s role in promoting competition and innovation in health care.

By way of quick background, the Federal Trade Commission is the federal agency charged with protecting consumers and promoting competition, which includes challenging anticompetitive business practices.  The agency has been active in the health care sector, challenging several hospital and physician practice mergers. In an effort to highlight some of the FTC’s non-enforcement efforts, one of the agency’s five commissioners, Maureen Ohlhausen, wrote a blog post touting the agency’s advocacy efforts in the health care arena, and specifically highlighted how the FTC’s competition policy could help facilitate greater proliferation of telemedicine.

Among the highlights in the post related to telemedicine:

  • Telemedicine can reduce costs and increase access to care, but such advantages often run afoul of state professional licensing schemes that were developed to regulate local medical practices.
  • The variation in state licensure and other requirements continues despite “the fact that the core entry requirements for physicians are essentially uniform across the U.S”.
  • Legacy statutes and regulations are barriers “to the efficient flow of health care information and expertise and, indeed, specialized labor — barriers that can be costly to public and private payers and, in the end, individual patients,” without necessarily offering better consumer protection benefits.
  • Lawyers and policymakers need to creatively address ways to lower barriers without sacrificing the good in state regulations.
  • It is critical that policymakers “approach new technologies with a dose of regulatory humility,” educate themselves about technological innovation, and:
    • Understand its effects on consumers and the marketplace;
    • Identify benefits and likely harms; and
    • If harms do exist, consider whether existing laws and regulations sufficiently address the issues before assuming that new laws would be required.

Ms. Ohlhausen goes on to call for the FTC to use its policy research and development tools to better understand innovative technology, new business models facilitated by the new technology, and the likely risks and benefits for consumers.  More significantly, Ms. Ohlhausen also challenges the agency to educate itself “about undue impediments to innovation and competition” while also using its authority to enforce against harm to consumers from the use of new health information technology vehicles.

I can only applaud Ms. Ohlhausen’s approach.  It is encouraging to see a policymaker acknowledge the role regulations may play in stifling innovation and call for government agencies to find creative ways to lower barriers while balancing consumer protection.  I only hope other regulators follow Ms. Ohlhausen’s lead.


On January 9, 2015, New Jersey Governor Chris Christie signed new legislation that will require health insurance carriers authorized to issue health benefits plans in the state—including insurance companies, health service corporations, hospital service corporations, medical service corporations, and health maintenance organizations—to encrypt personal information. Triggered by a series of data breaches involving the health information of almost a million residents, Senate Bill No. 562 (“SB 562”) was passed unanimously by both houses of the state legislature and will take effect on August 1, 2015.

Under SB 562, health insurance carriers will be prohibited from maintaining computerized records that contain personal information unless the information is “secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” The use of a password protection program that prevents general unauthorized access will not suffice to meet the encryption requirement. “Personal information” is defined as an individual’s first name or first initial and last name linked with at least one of the following: (1) Social Security number, (2) driver’s license number or state identification card number, (3) address, or (4) identifiable health information.

The law applies only to end user computer systems and computerized records transmitted across public networks. “End user computer systems” include desktop computers, laptop computers, tablets and other mobile devices, and removable media.

The requirement to encrypt makes the New Jersey law stricter in this regard than the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), under which encryption of electronic protected health information (“ePHI”) is an addressable, rather than required, implementation specification of the Security Rule. Nonetheless, because ePHI that has been encrypted consistent with HHS guidance is treated as “secured” and therefore falls outside HIPAA’s breach notification requirements, encrypting ePHI is widely considered a best practice. Note that this safe harbor depends on the encryption keys themselves not being compromised in the same incident.

Violation of New Jersey’s encryption mandate will constitute a violation of the New Jersey Consumer Fraud Act, which imposes penalties of up to $10,000 for the first offense and up to $20,000 for any subsequent offense. The state Attorney General may also issue cease-and-desist orders to violators, and the Act provides for treble damages and costs to affected individuals. Given these potential penalties, health insurance carriers in New Jersey should carefully review their policies and procedures and ensure compliance with the new law.

There can be no question that telehealth has gone mainstream.  The numbers speak volumes. Telehealth companies have been able to raise almost $500 million since 2007 according to a noted venture capital analyst.  A recent study indicated that U.S. employers could save up to $6 billion a year through telehealth.  Per the American Telemedicine Association, more than half of all U.S. hospitals now offer some form of telehealth service.  Some leading analysts estimate that global revenue for telehealth will reach $4.5 billion by 2018, and the number of patients using telehealth services will rise to 7 million by the same year.   I can cite countless examples showing the bullish trajectory of telehealth.  But problems remain.

One of the issues I constantly deal with is the patchwork of state statutes and regulations governing various aspects of telehealth. Some of these issues are being addressed by stakeholders such as the Federation of State Medical Boards, which has released a draft model physician licensure compact that could go a long way toward streamlining multistate licensure for physicians.  The Federation has also developed a model telemedicine policy it hopes states will adopt.  Other leading organizations such as the American Medical Association, the American Academy of Pediatrics, the American Academy of Dermatology, and the American Telemedicine Association are addressing various issues in their own way.

These initiatives, however, cannot hide the fact that many state regulators are troubled by a number of issues when evaluating whether various direct-to-consumer telehealth models comply with state law. This is especially true in situations in which the telehealth provider does not have a pre-existing relationship with the patient.  Even beyond the legal issues, the state regulators I have spoken to express unease with various aspects of direct-to-consumer telehealth.  Essentially, their concerns can be boiled down to the following five:

  • Overprescribing.  E-visits drive over-prescription.  That is a view voiced by many state regulators.  Often cited is a study examining, among other things, urinary tract infections, which showed significantly higher rates of antibiotic prescribing as a result of e-visits for UTIs when compared to in-person provider office visits.  Patients were also more likely to be prescribed an antibiotic for sinusitis if they were treated via an e-visit as opposed to an in-person visit, although that disparity was nowhere near as significant.  The CDC notes that the drivers of inappropriate antibiotic prescribing are more pronounced with telephone and e-visits.
  • Lack of Access to a Patient’s Medical Record.  State regulators also point out that providers in many direct-to-consumer telehealth models usually do not have access to a patient’s full medical record.  In the vast majority of cases, telehealth providers are making diagnoses and treatment recommendations relying on questionnaires the patients are required to complete immediately prior to obtaining services.  Critics believe providing health care without the full context of a patient’s complete medical record is simply not good medicine.
  • No Ability to Document the E-Visit in a Patient’s Medical Record.   Related to the last point, some state board representatives voice concern that providers in direct-to-consumer models are unable to document the e-visit in a patient’s medical record, meaning that subsequent health care providers are unable to see the diagnosis, treatment recommendations, or medications prescribed to the patient during the e-visit.
  • No Follow-Up Care.  The way direct-to-consumer telehealth is currently structured does not lend itself easily to follow-up care as a normal course of practice.  And many medical board representatives I have spoken to believe that follow-up care is critical to sound medicine.
  • Quality of Care.  Perhaps the most troubling issue for many of the regulators I talk to is the belief that many of the models they see cannot deliver the same quality of care as patients walking into their doctor’s offices.  They point out that quality is compromised by: 1) the absence of a direct in-person physical examination of the patient by the distant provider; 2) the lack of access to a patient’s full medical record; and 3) the general lack of follow-up care.  Moreover, many regulators simply refuse to believe that conditions such as strep throat or ear infections, for example, can be treated via an e-visit, especially when no pre-existing provider/patient relationship exists.  These concerns, they emphasize, are exacerbated by the lack of highly developed protocols and guidelines governing telehealth.  While many recognize that organizations have been developing such guidelines, they warn that a lot more work needs to be done.

No one can doubt that regulators raise very valid concerns.  In talking to various clinicians and providers, however, they indicate that many of the issues have been or are being addressed.  One of the problems is that the lines of communication between regulators and industry have not always been open.  In my next blog post, I will discuss what telehealth stakeholders have been doing to address the regulators’ concerns.

On September 5, 2014, the Federation of State Medical Boards, a nonprofit organization representing the 70 state medical and osteopathic boards nationwide, announced the completion of its drafting process for its Interstate Medical Licensure Compact (“Compact”). Finalizing the Compact is a critical step toward removing one of the major barriers preventing a greater proliferation of telehealth technologies and services. Under the Compact, a physician who is licensed in his or her principal state and who meets certain educational, certification, and disciplinary criteria would be eligible to apply for an expedited medical license in another state that has adopted the Compact. Adoption of the Compact by states not only will increase license portability for physicians by alleviating the traditional rigid state licensure requirements that impede the practice of telehealth, but also will help improve access to health care for patients across the nation who will benefit from greater adoption of telehealth.  You can read more here.

Earlier this week, a popular source of regulatory news published an article claiming FDA “finalized a new rule this week that prohibits manufacturers from using so-called ‘split-predicates.’” However, it appears that the article may instead be referencing the Final Guidance for Industry and Food and Drug Administration Staff entitled “The 510(k) Program: Evaluating Substantial Equivalence in Premarket Notifications [510(k)],” which FDA published earlier this week.  Unfortunately, as often occurs on the Internet, the post was then repeated by several other popular sources of regulatory news.

This confusion comes a little less than three months after four Senators sent a letter to FDA raising concerns about FDA draft guidance “becoming the default FDA policy and position.”

Guidances and final rules carry different legal weight.  Final regulations are legislative rules that have the force of law. Guidance documents, by contrast, do not set new legal standards, impose legal requirements, or have the force of law. Instead, guidances are issued to help interpret or clarify an existing regulation.

FDA certainly understands this difference.  As FDA notes, “FDA regulations are [] federal laws, [even though] they are not part of the [federal Food Drug & Cosmetic Act (FD&C Act)].”  Whereas, “FDA guidance describes the agency’s current thinking on a regulatory issue [but guidance] is not legally binding on the public or FDA.”

FDA also emphasizes this latter point in many of its guidance documents by including the following disclaimer:

This guidance represents the Food and Drug Administration’s (FDA’s) current thinking on this topic. It does not create or confer any rights for or on any person and does not operate to bind FDA or the public. You can use an alternative approach if the approach satisfies the requirements of the applicable statutes and regulations. If you want to discuss an alternative approach, contact the FDA staff responsible for implementing this guidance. If you cannot identify the appropriate FDA staff, call the appropriate number listed on the title page of this guidance.

Unfortunately, not everyone fully appreciates the difference between rules and guidance. The recent confusion suggests that there is a disconnect between FDA’s position on the difference between guidance and final rules and the understanding of at least some in industry.  Therefore, as FDA reviews its current guidance development practice, it is important that FDA look for ways to ensure (draft or final) guidance is just that, guidance.  For example,

  • FDA should make the guidance development process more efficient, so that there is a meaningful difference between the time it takes to publish a final guidance and the time it takes to promulgate a final rule;
  • If a manufacturer uses an alternative approach and provides reasonable support for taking such an approach, FDA should be required to provide a reasoned explanation as to why the alternative is insufficient;
  • FDA should include a process for quickly and efficiently incorporating alternative approaches into existing final guidance.

One of the largest hurdles to the growth of telehealth—the lack of a streamlined process for obtaining physician licensure in multiple states—is one step closer to being cleared. The Federation of State Medical Boards (“FSMB”) recently released a revised draft of its Interstate Medical Licensure Compact (“Compact”). This revised draft is a continuation of efforts by FSMB and its member boards to study the feasibility of interstate license portability. Additionally, the revised draft of the Compact reflects changes based upon comments received from FSMB member boards and other stakeholders since the draft was released by FSMB earlier this year. Adoption of the Compact is critical to the interstate practice of telehealth.  You can read the full alert here.

By Brandon Ge and Alaap Shah

The Department of Health and Human Services (“HHS”) is taking laudable steps to improve notices of privacy practices (“NPPs”) and make them more clear, understandable, and user-friendly. Under the HIPAA Privacy Rule, individuals are entitled to receive an NPP informing them of how their health information may be used and shared, as well as how to exercise their health privacy rights. Health plans and health care providers must develop and distribute NPPs that clearly explain these rights and practices. Unfortunately, to date many NPPs have been poorly designed, hard to navigate, and unclear with regard to patient rights or company obligations regarding use and disclosure of health information.

Privacy is just as much about protecting patients’ rights to their data as it is about protecting the data itself. The HIPAA Omnibus Rule, the CLIA Rule, and others are designed to improve patient access to their medical records, empowering them to actively manage their health. The digitization of medical records, in the form of electronic health records, personal health records, patient portals, and the like, facilitates patient engagement in health care if used properly.  However, ineffective NPPs create barriers to patients understanding their rights.

NPPs that clearly convey patients’ privacy rights are critical in enabling patients to take a more active role in health care. Conversely, if patients do not understand NPPs, then they won’t have a good sense of their privacy rights, including their right to access their health information. Common critiques of NPPs are that they are frequently lengthy and written in legalese that the general public has difficulty understanding.  To remedy these concerns, some suggest that simplifying the language and “layering” the notice—that is, presenting a short summary of the individual’s rights as a first layer and a longer, more detailed explanation as a second layer—would go a long way toward improving the readability of NPPs.

In an effort to address these criticisms, last month the Office of the National Coordinator for Health Information Technology (“ONC”) collaborated with the HHS Office for Civil Rights (“OCR”) to develop model NPPs that clearly convey the required information to patients in an accessible format. Covered entities can customize these model NPPs and then display them and distribute them to patients.

ONC and OCR have also thrown down the gauntlet and established the Digital Privacy Notice Challenge, which will award $15,000 to the creators of the best online NPP (second place wins $7,000 and third place gets $3,000). The challenge calls for designers, developers, and privacy experts to use the model notices as a baseline and create an online NPP that is clear, effectively informs patients of their privacy rights, and is easily integrated online. Once submissions are finalized, the public will have two weeks to vote on the best submission.

The submission period ends on April 7, 2014, and winners will be announced in May or June of 2014.

Does your organization think it has what it takes to win this challenge?


Follow Alaap Shah on Twitter: @HealthITLawyers

A significant barrier to the interstate practice of telehealth is closer to being broken down. The Federation of State Medical Boards (FSMB) has completed and distributed a draft Interstate Medical Licensure Compact, designed to facilitate physician licensure portability that should enhance the practice of interstate telehealth.  Essentially, the compact would create an additional licensing pathway, through which physicians would be able to obtain expedited licensure in participating states.  As the FSMB notes in its draft, the compact “complements the existing licensing and regulatory authority of state medical boards, ensures the safety of patients, and provides physicians with enhanced portability of their license to practice medicine outside their state of primary licensure.”  This is a potentially significant development because burdensome state licensure requirements have been a major impediment to the interstate practice of telehealth. A physician practicing telehealth is generally required to obtain a medical license in the state where the patient—not the physician—is located.  As a consequence, physicians wishing to treat patients in multiple states need to obtain a license in each of those states in order to practice medicine lawfully, a lengthy and expensive process.

While the draft compact shares some of the same features as the Nurse Licensure Compact (NLC) (launched in 2000 to facilitate nurse mobility and improve access to care), a key difference is in the process for obtaining multistate licensure.  Under the draft compact physicians have to submit an application, register, and pay certain fees to obtain licensure in other participating states.  Nurses under the NLC, on the other hand, only need to declare that their home state is an NLC state, and the privilege to practice in other NLC states is automatically activated—no separate applications or fees are required.  You can read a more comprehensive analysis of the FSMB draft compact here.

By:  Alaap Shah and Marshall Jackson


With the New Year come new protections for health care entities and individuals utilizing electronic health records (EHRs).  On December 27, the U.S. Department of Health and Human Services, Office of Inspector General (OIG) and the Centers for Medicare and Medicaid Services (CMS) issued final rules regarding the Stark Exception and the Anti-Kickback Safe Harbor permitting certain health care organizations to subsidize up to 85% of the cost of certain EHR items and services for recipients (the “Final Rules”). The Final Rules amend the 2006 original rule (the “Original Rule”).  The Final Rules:

  • Extend the expiration of the protections from December 31, 2013 to December 31, 2021;
  • Exclude laboratory companies from the list of eligible “Protected Donors” that may donate EHR items and services;
  • Update the provisions under which an EHR donor or recipient can ascertain, with certainty, that EHR is interoperable;
  • Remove requirements that donated EHR include e-prescribing capabilities; and
  • Clarify the requirement prohibiting any action that limits or restricts the use, compatibility, or interoperability of donated EHRs.

SUNSET PROVISION

Under the Original Rule, EHR donation regulations were set to expire on December 31, 2013.  The Final Rules extend the expiration of the protections until December 31, 2021.

LABORATORY EXCLUSION

As a change from the Original Rule, the protections under the Final Rules no longer extend to laboratory companies as a type of entity that may donate EHR items and services.  However, this exclusion does not apply to hospitals that furnish clinical laboratory services through a laboratory that is a department of the hospital.  It should be noted that a hospital-affiliated or hospital-owned company that furnishes laboratory services under a billing number assigned to the company, as opposed to the hospital, would be excluded from the protections under the Final Rules.

INTEROPERABILITY

The Original Rule required that donated or subsidized software be “interoperable.”  The rule stated that software is interoperable if a certifying body recognized by the Secretary of the Department of Health and Human Services certified the software within 12 months of the time it was provided to a physician.  Under the Final Rules, software is deemed to be interoperable if, on the date it is provided to the physician, it has been certified by a certifying body authorized by the National Coordinator for Health Information Technology to an edition of EHR certification criteria.  Significantly, the protections under the Final Rules are not limited to donations to individuals and entities eligible to participate in the EHR Incentive Programs (the “Meaningful Use Program”), but also extend to other entities and individuals if the donations meet the conditions of the safe harbor.

DATA LOCK-IN AND EXCHANGE

In order to foster the free exchange of data, the Final Rules have made limited clarifications to require that a donor not take any action to limit or restrict the use, compatibility or interoperability of the items or services with other electronic prescribing or EHR systems.  The Final Rules included examples, making it clearer that this prohibition applies to any donor action that limits the use of donated software with any other health information technology.

ELECTRONIC PRESCRIBING

The Original Rule required that donated software contain an electronic prescribing capability.  However, under the Final Rules, effective March 27, 2014, the requirement that the donated software contain an electronic prescribing capability has been eliminated.

THE WINNERS AND LOSERS

The Final Rules attempt to strike the right balance between competing interests.  On the one hand, they seek to foster continued adoption of EHRs and increased interoperability, which are ongoing goals within CMS, ONC, and much of the health care industry.  On the other hand, OIG has shifted its position to better control risks associated with misuse of EHR donations by certain entities that seek to secure kickbacks.  Recognizing these competing concerns, OIG has extended the safe harbor and improved alignment with ONC to ensure companies have better guidance to meet the interoperability requirements.  Therefore many organizations emerge as winners under the Final Rules, including EHR vendors, protected EHR donors, and EHR recipients.  Laboratory companies, however, lose out as a result of OIG’s tightening of the definition of “Protected Donor.”


Follow Alaap Shah on Twitter: @HealthITLawyers

By:  Alaap Shah and Ali Lakhani

Why is data breach such a rampant problem within the health care industry?

As health care rapidly digitizes through adoption of electronic health records, mobile applications, and the like, the risk of data breach is rising sharply.  To effectively manage this risk, health care companies and their business associates must be vigilant in implementing and evaluating security controls in the form of administrative, physical, and technical safeguards.  Health care companies also have resources to assist them with managing this risk.  Specifically, the federal agency with oversight of the Health Insurance Portability and Accountability Act (“HIPAA”), the Department of Health and Human Services, Office for Civil Rights (“OCR”), is tasked with providing technical assistance to guide companies to achieve compliance with the HIPAA Security Rule.  Further, when companies fail to comply, OCR has enforcement authority to “obtain” compliance.

The responsibility for the oversight and enforcement of the Security Rule was delegated to OCR by DHHS in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Nonetheless, anyone who reads the news is aware that data breaches within the health care sector are commonplace.  As such, it is becoming increasingly clear that many health care companies lack adequate security safeguards.  It also raises a concern regarding the effectiveness of OCR’s efforts to ensure compliance.

Lack of Insight into Industry Security Compliance

According to a recently released report by the Department of Health and Human Services (“DHHS”) Office of Inspector General (“OIG”), OCR’s oversight activities between 2009 and 2011 showed significant gaps.  Specifically, the report states that OCR “hasn’t performed required audits of how corporations handle patient information and failed to guarantee the security of its own records.”  OIG accordingly indicated that the periodic Security Rule compliance audits, which HITECH made mandatory, remain an outstanding objective for OCR.

OCR responded to the OIG report by explaining its performance, citing that “no funds [have] been appropriated . . . to maintain a permanent audit program.”  Going forward, however, OCR Director Leon Rodriguez said he expects that OCR “will leverage more civil penalties” and that OCR will be permitted to use collected penalties to fund enforcement actions and “to maximize funding [for] our auditing and breach analysis” activities.  OCR has already committed $4.5 million from monies it collected in prior enforcement actions.

This is not to suggest that OCR has been inactive in promoting security compliance.  For example, OIG noted that OCR has provided guidance to covered entities to promote compliance and has established an investigation process for responding to reported violations.  Yet OCR’s report card, although somewhat changed, is not materially improved since OIG’s 2011 report, which recommended a “need for greater OCR oversight and enforcement.”  In light of these findings, it is likely that OCR will turn its focus to increasing its oversight activities in an effort to gain further insight into Security Rule compliance.

OCR is Transforming into OIG

As early as May 2012, the Director of OCR, Leon Rodriguez, indicated that the agency is headed toward the Office of Inspector General enforcement model.  Rodriguez has warned that “the same level of vigilance that providers have used to steer clear of OIG’s fraud enforcement now needs to be applied in the HIPAA environment.”  Coupling these comments with the findings of the recent OIG report suggests that OCR will be taking its oversight and enforcement activities even more seriously moving forward.

Based on the reinvigoration of the HIPAA Audit Program and signals from OCR, it appears that 2014 will be the year of heightened OCR enforcement.  According to federal regulators, the permanent HIPAA Audit Program is planned to begin early in the new year, and covered entities should identify and mitigate outstanding non-compliance before then.  Although Rodriguez has conceded that “the audits under this permanent program will be narrower in scope in comparison [to those] conducted during the pilot program,” the number of organizations that will be audited is expected to increase.

In short, the health care industry should expect even more audits and enforcements in the future.

Follow Alaap Shah on Twitter: @HealthITLawyers