Department of Health and Human Services

The SUPPORT for Patients and Communities Act (“the Act” or “the SUPPORT Act”), signed into law by President Trump on October 24, 2018, is intended to combat the growing opioid crisis in the United States. The Act aims at preventing opioid addiction and misuse and enhancing access to care for those who have substance use disorders.

A key aspect of the Act is the expanded Medicare coverage of telehealth services to beneficiaries in their home (see Section 2001 of the Act). Currently, and historically, Medicare has restricted coverage of telehealth services to beneficiaries who reside within certain geographic rural areas and who seek such services at specific “originating sites” (patient beneficiary’s home is not included in the current Medicare definition for “originating site”). The Act amends 42 U.S.C. § 1395m(m) to eliminate these coverage restrictions for “an eligible telehealth individual with a substance use disorder diagnosis for purposes of treatment of such disorder or co-occurring mental health disorder, as determined by the Secretary [of Health and Human Services].” With this amendment in place, health care providers may now be reimbursed for providing eligible substance use disorder services to Medicare beneficiaries in their homes via telehealth. Although the Act does not provide for any “facility fee” reimbursement for telehealth services provided to beneficiaries in their homes, the Act requires reimbursement be provided to physicians and other health care practitioners furnishing these services at the same rate as they would otherwise receive if providing the same services in-person.

It is important to note that while Section 2001 of the Act takes effect on July 1, 2019, it authorizes the Secretary of the U.S. Department of Health & Human Services (“Secretary”) to implement these amendments immediately by creating a final interim rule.  The Act also mandates that the Secretary report on the impact of this legislation on: (1) the health care utilization (and in particular, emergency department visits) related to substance use, and (2) “health outcomes related to substance use disorders,” including opioid overdose deaths. The Act provides $3 million to the Centers for Medicare & Medicaid Program Management Account in order to carry out these reporting requirements, which must be completed within five years.

Another key aspect of the Act mandates that the U.S. Attorney General (“Attorney General”) promulgate final regulations that specify (1) “the limited circumstances in which a special registration under this subsection may be issued” and (2) “the procedure for obtaining a special registration.” Under 21 U.S.C. 831(h), as amended by The Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (“Ryan Haight Act”), this special registration would allow health care providers to prescribe controlled substances via telemedicine when legitimately necessary, including when an in-person evaluation is not possible. As discussed in one of our recent TechHealth Perspectives blog posts, despite the statutory mandate in the Ryan Haight Act passed more than eight years ago, the Attorney General has not yet issued any regulations or guidance on how to obtain this special registration. The Drug Enforcement Administration (“DEA”), the federal agency delegated authority to promulgate these regulations by the Attorney General, has also not promulgated any regulation or other guidance addressing special registration. The SUPPORT Act gives the Attorney General until October 24, 2019, to promulgate its final regulations on this matter.

Epstein Becker & Green plans to discuss the Act’s numerous provisions in greater detail in future Client Alerts.

Throughout the campaign season and the first months of Donald Trump’s presidency, the current Administration has voiced a commitment to furthering telehealth advancement. For example, during the campaign, then-candidate Trump emphasized the importance of telehealth tools in reforming the U.S. Department of Veterans Affairs (“VA”). More recently, both U.S. Department of Health and Human Services Secretary Tom Price and Centers for Medicare and Medicaid Services Administrator Seema Verma stated in their confirmation hearings that they were interested in promoting the use of telehealth technology. On Thursday, August 3, 2017, VA Secretary Dr. David Shulkin, joined by President Trump, took steps towards fulfilling this commitment, announcing three telehealth initiatives aimed at improving access to and quality of care for veterans.

First is a forthcoming regulation that Secretary Shulkin referred to as “Anywhere to Anywhere VA Healthcare.” Under current law, VA practitioners may provide in-person health care services in any state, as long as they are licensed in one state, without needing additional professional licensure. This proposed regulation would expand the ability to engage in multistate practice to VA practitioners who are providing telehealth services. Anywhere to Anywhere VA Healthcare, if enacted, would authorize VA practitioners to serve veterans using telehealth technologies, regardless of the locations of the provider or the patient, as long as the VA practitioner maintains a valid professional license in good standing in at least one state.

The second telehealth initiative discussed during last week’s announcement is an app titled “VA Video Connect” that allows veterans to connect with health care providers via secure and web-enabled video on their smartphones or computers. Currently, VA Video Connect is being used by 300 VA providers in 67 hospitals, and the VA intends to roll-out the app nationwide over the course of the next year. The third telehealth initiative discussed is another app, titled “Veteran Appointment Request App” or “VAR App.” The VAR App enables veterans to use their smartphones, tablets, or computers to schedule or modify appointments at VA facilities. The VAR App is currently available at some VA locations, but now the VA has planned a nationwide roll-out.

Last week’s announcement of these telehealth-focused initiatives was met with praise from many, including leading telehealth advocacy organizations such as the American Telemedicine Association and Health IT Now. The VA has long been at the forefront of telehealth progress, including being an early adopter of telehealth technology, piloting telehealth programs as early as the 1990s, and pioneering much of the progress being made in telehealth care coordination. As the largest telehealth program in the country, the VA continues to be a leader in the telehealth space. Last year alone, 700,000 veterans received telehealth services through the VA. For more information about the VA Telehealth Program, visit VA Telehealth Services.

Updates to OIG FY 2017 Work Plan

The United States Department of Health and Human Services (“HHS”) Office of the Inspector General (“OIG”) recently updated its FY 2017 Work Plan. Traditionally, OIG’s annual Work Plan has given health care providers a preview of OIG’s enforcement priorities. With the OIG now making updates to its Work Plan on a monthly basis, providers stand to gain even more insight into how the focus of OIG is constantly shifting in order to assist in the identification of significant compliance risk areas.

In this most recent set of updates to the FY 2017 Work Plan, OIG announced that it will conduct a review of Medicare claims paid for telehealth services in FY 2017. Specifically, OIG is interested in reviewing claims for telehealth services provided at “distant sites” (i.e., the location of the provider of the telehealth service) that do not correspond with claims from an “originating site” (i.e., the location of the patient). By undertaking this review, presumably OIG seeks to verify that providers of telehealth services are: (1) appropriately rendering these services to Medicare beneficiaries based on current reimbursement rules under Medicare for provision of telehealth services (i.e., the beneficiary is at a valid originating site when receiving the telehealth service, which under current Medicare rules does not include a beneficiary’s home), and (2) not submitting fraudulent claims for telehealth services (i.e., services delivered outside of Medicare’s coverage and reimbursement scope). OIG’s review of these claims may demonstrate the need to update Medicare’s outdated coverage and reimbursement provisions for telehealth services.

Medicare’s Current Coverage of and Reimbursement for Telehealth Services

Compared to ever-expanding coverage of and reimbursement for telehealth services in individual states, as well as the private insurance market, Medicare Part B beneficiaries currently have limited access to telehealth services due to the following restrictions:

  1. Medicare beneficiaries only have access to telehealth services transmitted using an “interactive 2-way telecommunications system (with real-time audio and video).” This definition excludes three frequently used modalities used by providers to deliver telehealth services: (a) store-and-forward technology (with the limited exceptions of CMS demonstration projects ongoing in Alaska and Hawaii), (b) remote patient monitoring (“RPM”) services, and (c) mobile health / wearable technology.
  2. Medicare confines telehealth coverage to “rural health professional shortage area[s].” This geographic restriction is federally defined.
  3. Medicare beneficiaries only may receive telehealth services while physically situated at one of eight “originating site[s],” none of which include the patient’s home—those living in geographically-restricted areas are still obligated to access a medical originating site in order to activate Medicare coverage.
  4. Only eight types of practitioners may deliver the telehealth services to Medicare beneficiaries, and must do so from a qualified “distant site.”
  5. The Centers for Medicare & Medicaid Services (“CMS”) publishes a limited number of HCPCS and CPT codes for telehealth services, and while this universe of codes has gradually increased over time, most of these codes are geared towards reimbursement for behavioral health services delivered through telehealth.

Current Legislative Efforts in Congress

In recent years, federal lawmakers have been working to lessen the constraints on Medicare Part B coverage of and reimbursement for telehealth services.

In August 2016, HHS published a Report to Congress on “E-Health and Telemedicine.” In this report, HHS expressed its support for telehealth expansion and its importance in the health care industry: “[T]elehealth holds promise as a means of increasing access to care and improving health outcomes.” Congress has seemed to take note. In the 2017–2018 legislative session, four key bills have been introduced that, if passed, would improve coverage of and reimbursement for telehealth services under Medicare:

  • The CHRONIC Care Act of 2017 (S. 870) would make four key changes to Medicare: (1) provide coverage and reimbursement for RPM delivery of home kidney dialysis assessments; (2) provide nationwide coverage and reimbursement for “telestroke” consultations (not just those that occur in rural hospitals or other originating sites); (3) eliminate the geographic restriction of an originating site for Accountable Care Organization (“ACO”) beneficiaries, thus allowing patients to receive home telehealth services; and (4) allow Medicare Advantage plans to offer telehealth benefits in annual bid amounts, instead of using rebate dollars to pay for telehealth as a “supplemental service.” The CHRONIC Care Act recently received a favorable, budget neutral Congressional Budget Office (“CBO”) score—alleviating a traditionally difficult roadblock for telehealth legislation.
  • The Medicare Telehealth Parity Act of 2017 (H.R. 2550) would provide an incremental expansion of coverage for telehealth services under Medicare by expanding the number of acceptable geographic locations for telehealth coverage under three “phases.”
  • The CONNECT for Health Act of 2017 (H.R. 2556) includes provisions that would expand coverage and reimbursement of telehealth services for (1) ACO enrollees, (2) individuals receiving kidney dialysis therapy, (3) stroke patients, and (4) RPM services for beneficiaries needing chronic care and would lift restrictions on telehealth for mental health services.
  • The HEART Act (H.R. 2291) aims to increase Medicare coverage of telehealth services, including coverage and payment for store-and-forward services delivered to “any telehealth services that are furnished from a distant site, or to an originating site, that is a critical access hospital . . ., a rural health clinic . . ., or a sole community hospital” and for home-based monitoring of congestive heart failure and chronic obstructive pulmonary disease. These three bills have not yet been scored by the CBO.

While it remains to be seen whether any of these bills (or any others) will become law, the level of legislative activity still is promising—and particularly so in conjunction with HHS’s support for telehealth—that expansion of telehealth coverage and reimbursement under Medicare can make greater strides toward improving access to these services for Medicare beneficiaries.

Added to this, OIG’s recent updates to the FY 2017 Work Plan to include a review of telehealth reimbursement claims under Medicare may further accelerate this process if OIG identifies any pertinent potential risk areas related to provision of telehealth services.

This post was written with assistance from Matthew Sprankle, a 2017 Summer Associate at Epstein Becker Green.

On September 23 and 24, 2014, the National Institute of Standards and Technology (“NIST”) and the Department of Health and Human Services Office of Civil Rights (“HHS OCR”) hosted their annual HIPAA conference “Safeguarding Health Information: Building Assurance through HIPAA security.”

OCR officials and key industry leaders engaged in dialogue regarding developments and trends in data breach incidents with respect to health information as well as stakeholder responses and best practices to mitigate risk and respond to potential incidents.

VULNERABILITY AWARENESS: ASSESSING RISK

In her opening remarks, OCR Director Jocelyn Samuels highlighted the observation that information privacy compliance is poorly prioritized within organizations.  Specifically, Samuels identified the lack of widespread risk analysis and vulnerability assessment activities at the enterprise level as a key area meriting internal and agency prioritization.  Samuels reiterated that organizations dealing in protected health information (“PHI”) should, and in fact must, undertake to routinely assess and investigate vulnerability as part of an effective compliance program.

ENTERPRISE APPROACH

The aspiration of enterprise-wide security protocol for PHI, and adoption thereof, continues to be an ongoing work-in-progress.  This is especially true given the often divergent priorities within large provider systems and the endemic evolution of “local” IT systems that integrate with the sanctioned IT environment but often create network porosity and points of vulnerability.  Embracing comprehensive, end-to-end, privacy and security policies and procedures that serve the IT needs of the organization while operating within the security protocol established by the system is imperative to establish and maintain network integrity and compliance with the HIPAA Security Rule (“Security Rule”).

IF YOU LOOK FOR IT, YOU WILL FIND IT

OCR representative Linda Sanches proposed the thesis that “the question is not if you will have a breach, but more so when.”  To this end, the initial step to preparedness is the undertaking of a risk analysis as required by the Security Rule.  Stakeholders expressed frustration with the broadly stated requirements of the Security Rule that are non-specific as to what precise set of activities constitute compliance and how much is in fact enough.   This uncertainty adds to existing organizational tensions between resource allocations to business objectives versus compliance obligations with respect to the establishment and implementation of a reasonable compliance program.  Sanches indicated that a defensible and reasonable approach is what is required to establish compliance.

LESSONS FROM THE FIELD: REPORT FROM OCR

Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement at HHS OCR, reported on recent enforcement activities as well as OCR’s regulatory agenda.  With respect to reported incident activity, through August 31, 2014, theft and loss accounted for 51% and 9% of breach incidents, respectively followed by unauthorized access/disclosure at 18% among a total of 1176 reported breaches involving more than 500 people and in excess of 122,000 smaller breaches.

With respect to OCR’s regulatory agenda, Peters indicated that OCR is working on providing additional guidance and clarification to the Omnibus Final Rule including a breach safe harbor update, breach risk assessment tool, and clarification of the standards for minimum necessary. Peters also explained how the audit pilot program which is anticipated to go live in the near future will create a new enforcement channel for OCR outside of the breach response protocol.  She commented that although the audits will be mostly desk audits with shorter timelines than investigations, they will require covered entities and business associates to have their documents in order and respond quickly to requests.  Peters continued to state that “audits will be an enforcement tool which will result in compliance reviews and could result in enforcement actions up to and including civil monetary penalties. Peters stated “we may come to you because of an audit or a breach, but if we find gaps in the compliance program while there, we can’t walk away; it is our job to see it through”

RISK ELIMINATION: THE HOLY GRAIL

The global advice from OCR over the course of the conference was preparedness.  To that end, however, the best that healthcare stakeholders can aspire to is effective mitigation of risk.  OCR repeatedly stressed that “it is really important that covered entities and business associates prepare as much as possible” and take affirmative steps to protect their data.  A comprehensive and documented risk analysis is the key to identifying system vulnerabilities and stakeholders should undertake to conduct or update their risk analyses and work in concert with organizational management to prioritize security compliance.