As requested by Congress in an appropriations bill signed into law late last year, the Department of Health and Human Services (HHS) this month released a report highlighting its e-health and telemedicine efforts.  The report makes for interesting reading, and while there are no significant surprises in it, it offers a clear snapshot of some of the agency’s thinking regarding virtual care.

The first thing I noted in the report is the agency’s view that “telehealth holds promise as a means of increasing access to care and improving health outcomes.”  This is important because it has not always been clear whether the agency views telehealth quite in the same favorable way as other stakeholders increasingly do.  The other thing I noted was the agency’s view that the various alternative payment methods currently being tested may facilitate expansion of telehealth.

Among other things, the report details some of the policy challenges faced by telehealth stakeholders:

  • Significant variability in telehealth coverage from one payer to another.
  • State licensure requirements for clinicians and the administrative burden such requirements impose on clinicians.
  • Credentialing and privileging.
  • Gaps in access to affordable broadband.

HHS indicates that many reforms are currently being tested or implemented to address these challenges. For example, in the area of reimbursement, the agency notes that it is currently testing more expansive telehealth coverage through its Next Generation ACO Demonstration, and highlights MACRA’s incentives for physicians to use telehealth.  The report references the agency’s new rule that permits the use of telehealth modalities to provide Medicaid home health services.

The report also provides an overview of telehealth-related federal activity including:

  • The number of telehealth grants administered by HRSA and SAMHSA.
  • The establishment of the Federal Telemedicine Working Group (composed of 26 agencies and departments, such as USDA and the FCC) to facilitate telehealth education and information sharing.
  • ONC developing an inventory of federal telehealth activities.
  • AHRQ providing an evidence map of the available research regarding telehealth.
  • The continued great telehealth work being done within the VA and reasons why that model may not be scalable.

Overall, the report is an illuminating but relatively unsurprising take on agency thinking.  In particular, two nuggets stood out. First, the agency appears to view chronic disease management as a particularly good fit for telehealth.  In recounting that almost half of all adults have at least one chronic illness and that chronic disease accounts for 75 percent of all health expenditures, the report concludes that telehealth “appears to hold particular promise for chronic disease management.” It stands to reason that any expansion of telehealth under Medicare will probably first focus on chronic disease management. Second, HHS signaled the importance of Medicare Advantage in any telehealth expansion effort by including a proposal in the President’s budget request for FY 2017 to expand the ability of MA organizations to provide telehealth by eliminating otherwise applicable Part B requirements that certain services be provided only in person.

Telemental health seems to be emerging, even booming.  Also referred to as telebehavioral health, e-counseling, e-therapy, online therapy, cybercounseling, or online counseling, for purposes of this post I will define telemental health as the provision of remote mental health care services (usually via a secure audio/video platform) by psychiatrists, psychologists, social workers, counselors, and marriage and family therapists.  Most services involve assessment, therapy, and/or diagnosis.   Over the last few years, I have seen a wider variety of care models—from hospitals establishing telepsychiatric assessment programs in their emergency departments, to virtual networks of mental health professionals providing telemental health services to underserved areas, to remote substance abuse counseling being provided to inmates in state prisons.

Even the federal government is in on the act.  For example, in 2010, the Veterans Health Administration established a National Telemental Health Center. In 2013, the center provided almost 3,000 video encounters to 1,000 patients at 53 sites in 24 states.  The scope of the services the center provides includes all mental health conditions with a focus on post-traumatic stress disorder, depression, compensation and pension exams, bipolar disorder, behavioral pain and evidence-based psychotherapy.

There are many reasons for the recent boom.  First, telehealth is a good fit for providing mental health services because providers rarely have to lay hands on the patient in conventional face-to-face encounters.  Second, telemental health is accepted by a large number of payers as a legitimate use for telehealth—more so than other telehealth disciplines. As an example, most Medicaid programs and many private insurers cover and reimburse for telemental health services.  Finally, patients surveyed have consistently stated that they believe telemental health to be a credible and effective practice of medicine, and studies have found little or no difference in patient satisfaction as compared with face-to-face mental health consultations.

The Need for Telemental Health

In essence, we are stuck in a vortex of sorts with millions of Americans suffering from mental illness or substance abuse disorders combined with a shortage of qualified mental health providers to address these issues.  The numbers speak for themselves.

In addition to the high numbers described above, there is a critical mental health provider shortage creating significant access to care issues.  Here is a snapshot:

You get the idea.  And even with mental health parity laws, cost of care remains an issue—not to mention the social stigma and mistrust of mental health providers that exists in many communities.

Telemental health is bridging the gap.  Numerous studies have shown the effectiveness of telemental health services.  For example, a recent study showed that providing telemental health services to patients living in rural and underserved areas significantly reduced psychiatric hospitalization rates.  Another study concluded that the effects of telemental health on low-income homebound older adults were sustained significantly longer than those of in-person mental health services. Many other studies arrive at the same conclusion.  Note, however, that obstacles remain, including how to properly assess non-verbal cues by video, technical difficulties, and the lack of proper telehealth training among many providers.

Practice Guidance

There is also good news in that, unlike other telehealth subspecialties, there is a well-developed library of practice guidelines available regarding telemental health.  The American Psychiatric Association, American Psychological Association, National Association of Social Workers, Association of Social Work Boards, TeleMental Health Institute, for example, all have guidelines or statements related to telemental health.  The American Telemedicine Association has developed a series of practice guidelines over the years related to telemental health, including its latest regarding using real-time videoconferencing to provide online mental health services. There are also other resources such as the telehealth resource centers that provide guidance on telemental health.

Legal & Regulatory Issues

As with all things telehealth, however, there are a number of significant legal and regulatory issues implicated by the use of telemental health, including privacy and security, follow-up care, emergency care, treatment of minors, and reimbursement. While telemental health touches on some federal laws and regulations (e.g., HIPAA), most of the significant issues involve state law.  And as you might imagine, the result is an inconsistent patchwork of laws and regulations that vary widely by state.

We recently completed a 50-state survey of laws and regulations that may be implicated by the use of telemental health services to assess a variety of issues such as privacy, follow-up care, treatment of minors, and provider scope of practice.  Here are a few nuggets:

  • Psychiatrists, as practicing physicians, must comply with all the obligations that apply to physicians practicing telehealth generally. Very few states exempt mental health from physician requirements despite the fact that many psychiatrists never lay hands on patients. Ironically, Texas is one of the few states that explicitly carves out mental health services from other telehealth requirements.
  • In Delaware, an individual practicing “telepsychology” must conduct a risk benefit analysis and document findings specific to issues such as whether a patient’s presenting problems and apparent condition are consistent with the use of telepsychology to the patient’s benefit; and whether the patient has sufficient knowledge and skills in the use of technology involved in rendering the service or can use a personal aid or assistive device to benefit from the service.
  • Kansas requires psychologists and social workers providing telemental health services to obtain the informed consent of the patient before services are provided.
  • In Maryland, physicians (psychiatrists) are required to develop a procedure to prevent access to data by unauthorized persons through password protection, encryption, or other means; and develop a policy on how soon an individual can expect a response from the physician to questions or other requests included in transmission.
  • Montana psychologists can initially establish a “defined professional relationship” electronically so long as the means of communication involves a two-way, real-time, interactive platform providing for both audio and visual interaction.
  • To regulate marriage and family therapists, South Dakota relies on the American Association for Marriage and Family Therapy’s Code of Ethics, which provides that therapists evaluate whether electronic therapy is appropriate for individuals and inform them of the potential risks and benefits associated with electronic therapy.

As I look over the telehealth landscape, I predict that telemental health will continue its significant growth.  Demand for mental health services will not recede, and coupled with the mental health provider shortage, telemental health will be viewed as a viable solution by more and more clinicians, payers, and policymakers.  There are, however, significant legal and regulatory considerations—especially at the state level— with which stakeholders must wrestle.

As many of you know, reimbursement for telehealth services is a mixed bag.  On the one hand, private payers generally seem ahead of the curve.  Many leading private insurers reimburse for telehealth.  Generally these coverage policies provide reimbursement for telehealth services when they involve the use of real-time interactive audio, video, or other electronic media for diagnosis and consultation.  Just as significantly, more than half the states and the District of Columbia have passed telehealth parity statutes which require health insurers to provide coverage for services provided via telehealth if those services would be covered if provided in-person.  The picture for private insurer telehealth coverage is generally good and getting better.

On the other end of the scale is Medicare.  I think it is fair to say that no payer lags further behind in reimbursing for telehealth than Medicare.  The numbers tell the story.  The Center for Telehealth and eHealth Law reports that in calendar year 2014, Medicare reimbursed approximately $14 million under its Part B telehealth benefit—or about .0023 percent of total Medicare spending in 2014—a mere pittance.  The real reason for this is that the Medicare telehealth benefit was primarily intended for rural patients.  In addition:

  • The definition of “telehealth” is limited to real-time audio-visual communication between provider and patient (in other words, there is no coverage for so-called asynchronous or “store and forward” technology).
  • Fewer than 100 codes are reimbursable under the telehealth benefit.
  • Other restrictions exist related to type of facility where a patient may present, and what kind of provider may deliver services (e.g., physicians, nurse practitioners).

Medicare Advantage offers more opportunities for telehealth coverage, but overall the current Medicare telehealth reimbursement picture is relatively bleak.

Medicaid Reimbursement for Telehealth

Medicaid telehealth reimbursement exists somewhere in the space between private payers and Medicare.  As you know, Medicaid provides health coverage to about 70 million low-income adults, children, pregnant women, and others.  The program is administered by the states, which are required to cover certain mandatory services (such as hospital and physician services and home health), but is funded jointly by the states and the federal government.  States do have flexibility to decide what optional services (such as telehealth) to cover beyond the mandatory services.  This has resulted in a patchwork of different coverage policies that vary by state.

Fortunately, there are a number of stakeholders that closely track Medicaid telehealth coverage policies by state.  One of these is the Center for Connected Health Policy, which issues a quarterly report reviewing various telehealth legal and regulatory issues for all states.  In its last report (July 2015), the Center found the following regarding Medicaid telehealth coverage:

  • 47 states and the District of Columbia provide some coverage for telehealth (Iowa, Massachusetts, Rhode Island do not according to the report).
  • In many Medicaid programs, the definition of “telemedicine” or “telehealth” for purposes of reimbursement is limited to services that take place in real time—thereby excluding asynchronous (store-and-forward) services and remote patient monitoring from coverage.
  • Live video is the most predominantly reimbursed form of telehealth with almost all of the states that cover telehealth offering some type of live video reimbursement in their Medicaid programs.
  • Services provided via telephone, e-mail, or fax are seldom covered unless they are used along with other forms of care delivery.
  • Only 9 states (including Illinois, New Mexico, and Virginia) currently reimburse for store-and-forward services. Even in states that do cover store-and-forward, covered services may be limited—such as in California, where only store-and-forward services related to teledermatology, teleophthalmology and teledentistry are reimbursable under Medicaid.
  • 16 states (including Colorado, Maine, and South Carolina) provide Medicaid coverage for remote patient monitoring although many restrictions exist. For example, in some states, coverage for remote patient monitoring is limited to home health agencies. There are also restrictions regarding the conditions which may be monitored and the type of monitoring devices that may be used.
  • 29 states reimburse a transmission and/or facility fee.
  • 29 states (including Connecticut, Kansas, and Maryland) require some form of informed consent prior to the use of telehealth.

All in all, the picture for Medicaid reimbursement for telehealth is far better than it has been in the past. Each state Medicaid program is different, so stakeholders need to carefully analyze each state’s telehealth coverage policies. My sense is that given the serious fiscal and clinical (e.g., provider shortages, network inadequacy) issues faced by many Medicaid programs, telehealth will increasingly be viewed as a means to seriously address these challenges. We are starting to see this play out in the Medicaid managed care space.

Medicaid Managed Care Coverage

By way of quick background, a majority of states contract with managed care organizations to provide services to certain Medicaid beneficiaries. Generally, these managed care plans receive a monthly premium from the state for each enrollee and have greater flexibility to cover more services, which allows the states to better target and customize services. As the American Telemedicine Association noted in its report on telehealth and Medicaid managed care published last year, “states have increasingly used [Medicaid managed care] to create payment and delivery models involving capitated payments to provide better access to care and follow-up for patients, and also to control costs.” Because of this flexibility, a number of leading Medicaid managed care plans are either already covering telehealth or are developing telehealth initiatives and pilots—especially related to telemental health and teledermatology. In my view, the future looks bright when it comes to Medicaid managed care and telehealth.

As stakeholders, legislators and policymakers wrestle with the myriad of issues related to the provision of remote health care, clinical and technological advancements continue apace. What was once an industry focused primarily on the provision of primary care through existing remote platforms is morphing into a highly sophisticated brew of clinical and technological innovation.  In that regard, several trends have caught my attention. While these trends may not squarely fall within the accepted definitions of “telehealth”, they are worth noting because they raise many of the same legal and clinical issues with which we currently wrestle in the telehealth space.  I am limiting my discussion to three of these trends and will address others in a separate post.

Wearable Devices

The wearables industry is projected to significantly increase in the next few years. Generally speaking, wearables are devices (which usually include microchips or sensors) that, among other functions, collect data, and track fitness and wellness.  A leading research firm projects that the global wearable devices market will reach $37 billion in 2020—a significant jump from $1 billion just a year ago. Moreover, wearable device shipments are projected to grow from about 20 million shipments last year to 135 million by 2018.  Wearables are part of a greater trend in which everything is connected to a network—the so-called Internet of Things.  There are about 12 billion Internet-connected devices currently in existence worldwide—the equivalent of 1.7 devices for every person.  That number will increase to a ratio of 4.3 by 2020 when 33 billion devices will be in use.

Many believe wearables are part of a continuum which will lead to wider use of nanotechnology and implantable medicine. As these devices become more sophisticated, they will be better able to integrate collected data into an individual’s EHR and perform more than basic diagnostic testing.

While wearables are essentially in early development, many legal and regulatory issues may be implicated.  Here are a few:

  • Data privacy and security (who has access to the data, who owns the data, how long the data will be used, etc.).
  • Potential changes to malpractice liability (clinicians having access to more information regarding a particular patient, providers ability to review the voluminous data, etc.).
  • Employer issues (wellness programs, ADA concerns, etc.).

These and other legal issues will become more relevant as the wearables sector grows and more sophisticated technological products are developed and deployed.  The real lesson here is that the healthcare ecosystem needs to be prepared to balance clinical and legal concerns with clinical and technological innovation.  That is a tall order especially given how legislators and regulators have approached the regulation of telehealth over the past few years.  Based on that experience, I find it unlikely that policymakers will adjust quickly to the wider use of wearables and the attendant clinical and legal implications that will be brought to bear.

Artificial Intelligence

AI, which uses complex computer algorithms to organize unstructured data, is increasingly being used in the healthcare space. Advocates of AI note that it will enable clinicians and researchers to make full use of the voluminous amounts of data that exists in databases (e.g., cancer registries), EHRs, journal articles, diagnostic images, and wearable devices. Through the use of AI, providers may be able to obtain real-time clinically useful information. For example, included among the more popular uses of AI are:

My sense is that the use of AI in healthcare will increase exponentially in the next few years.   Many of the same legal and regulatory issues implicated by wearables are relevant here. What may be different, however, is that AI presents a myriad of complex and novel issues that are deserving of more discussion and fall outside the scope of this post.

Text Therapy

The Department of Health & Human Services has concluded that only about 40 percent of all adults in need of mental health care actually receive the services. While many are referred for treatment, many barriers exist including costs. It has been estimated, for example, that the median cost of a psychologist’s session is $75.

Text therapy is a recent trend that attempts to address the shortfall. Text therapy, through smartphone apps or websites, allows users to connect to a variety of mental health professionals (such as psychologists, social workers, counselors) via text-based or messaging sessions. While models vary, there are some similarities among the offerings:

  • A $25-45 per week subscription fee for unlimited chat.
  • Users must complete and submit a questionnaire.
  • A mental health professional is assigned to the user (some companies use a mental health professional to essentially triage and match the user with a fellow professional).
  • Users can request a different mental health professional than the one who has been assigned.
  • Phone sessions are available for additional fees.

Among the legal and regulatory issues raised by the use of text therapy are licensure, scope of practice (minors, emergencies, follow-up care, etc.), data privacy and security, and reimbursement (many plans do not reimburse for the use of this type of therapy). As these types of services evolve, so too will the laws and regulations, albeit slowly.

At the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission (“FTC”) was clear in its message that privacy was a top priority for the agency.  The FTC had a strong presence at the conference.  Three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) all spoke at the conference and relayed a message of the importance of consumer privacy and security.  In that regard, the FTC speakers stressed the importance of:

  • informing consumers of the collection of consumer information;
  • informing consumers how such collected information will be used; and
  • providing strong safeguards for information collected.

The FTC speakers also announced that the FTC will begin a new security campaign to engage businesses of all sizes in understanding the importance of securing consumer information.  The FTC speakers also emphasized the FTC’s concern and focus on the collection of health information by organizations that are not covered under HIPAA (for example, organizations developing wearable devices or other consumer-driven apps).  Given the tenor of the discussions, there is no question that the FTC will continue to make privacy enforcement a top priority.  As a result, device manufacturers, pharmaceutical manufacturers, and mobile health developers should remember to think beyond HIPAA when they think of U.S. privacy compliance.  For a listing of prior privacy enforcement actions by the FTC see,

The State of the Union Address, scheduled for January 20, 2015, will contain new initiatives related to privacy, White House officials say. The known initiatives are the introduction of a data breach reporting bill, a bill restricting the sale of student information, and a Consumer Privacy Bill of Rights.


President Obama is planning on introducing a data breach bill that would standardize the reporting period nationwide at 30 days. The proposed Personal Data Notification and Protection Act would require direct customer notification. The law would also criminalize selling consumer identities overseas.

Presently, most states have their own consumer data protection laws requiring customer notification in the event of a breach. The new bill may preempt stricter state laws such as California’s 5-day window for reporting.


The White House will also propose the Student Digital Privacy Act, based on a California law passed last September. The main purpose of the bill is to restrict the sale of student data for use unrelated to education as well as restricting targeted advertising based on school-collected data. The bill seeks to restrict commercial uses while at the same time ensuring that outcome-based studies are allowed to continue.


In 2012, the White House revealed plans for a Consumer Privacy Bill of Rights. This white paper laid out a set of seven guiding principles for consumer privacy (see Appendix A of the linked PDF). After receiving and incorporating suggestions during the last three years, the President will reportedly ask Congress to enact a revised Consumer Privacy Bill of Rights into law. The bill would ensure more control over personal data for individuals, more closely in line with the rules in place in the European Union.


As more information is released regarding the President’s privacy and security plans, we will cover it here, so check back in the coming days.

By Marshall Jackson and Alaap Shah

If you have tuned into the news over the last few months, you are likely aware that several major corporations—including one of the nation’s largest retail chains—have suffered data breaches. These breaches have affected hundreds of millions of consumers, and in some cases exposed sensitive financial data such as credit card information, as well as personal information including names, mailing addresses, phone numbers, email addresses, usernames and passwords.

There is no doubt that a primary concern raised by these data breaches is risk to consumers’ financial wellbeing. Chiefly, hackers that seek out personal information tend to sell or use the data to commit identity theft and credit card fraud. Yet, an often overlooked concern involves risk to the medical wellbeing of individuals. It is commonplace for retail chains to operate pharmacies within their facilities where electronic protected health information (“e-PHI”) is received, used, stored and transmitted. Although current information regarding known breaches does not indicate that pharmacy files were accessed, the vulnerability of e-PHI stored by these entities is a serious concern in the field of health care privacy. To manage these risks, entities should take heed of the privacy and security concerns raised in the most recent data breaches, and proactively craft comprehensive and sophisticated approaches to data security.

Historically, data security is reactive in nature: corporations store data on their systems; hackers break into the systems (or the systems of their business partners); companies, if aware of the breach, modify their security to prevent a similar data breach; hackers find a different weakness and again breach the system. This cycle continues ad infinitum.

While there is definitely value in defensive security, as cybersecurity risks grow and lead to an increasing volume of data breaches, healthcare entities may want to consider strategies to stay ahead of attackers when it comes to the security of e-PHI. The laws applicable to the security of e-PHI provide a flexible framework to address these risks, but most entities have not designed effective risk management programs to address risk proactively. Nevertheless, the HIPAA Security Rule requires entities to implement a number of technical safeguards which can be used proactively. For example, HIPAA requires audit controls so that entities have sufficient awareness of system activity (and specifically of malicious activity). If reasonable and appropriate controls are put in place relative to these safeguards, companies can detect intrusion attempts early and limit what an attacker can reach, rather than learning of a breach from a third party months later.

“Offensive” security in the sense used here does not mean attacking anyone; it means a proactive mindset and approach to protecting computer systems, networks, and protected information from attack before an incident occurs. While proactive security can take several forms, some liken the proactive approach to purchasing insurance. Assets are invested and measures are taken to protect against the risk that something will occur resulting in liability or loss. In the modern digital world it is often not a question of “if” but rather “when” a company will experience a data breach. According to a 2012 independent study by the Ponemon Institute, a staggering 94 percent of health care organizations had at least one data breach in the preceding two years alone. The same study estimated that the overall economic impact of a breach has risen six-fold over the last few years and now costs millions. With this in mind, here are just a few reasons why proactive data security should be a priority for health care entities:

1) Rapid & Continuous Evolution of Cyber Security Threats. Hackers are not only more sophisticated, they are more prevalent; threats to cyber security do not remain static in nature or volume. This unrelenting growth may be a result of the success rate of the illicit activity. Merely reacting to hackers’ successful attempts puts the industry at a major disadvantage because hackers are incentivized to evolve.

2) Ignorance. It is a common misconception that data security breaches are rare—more often data breaches go undetected or unreported. The simple truth is that no organization is immune, and any organization may be an unwitting victim of a breach at any moment.

3) Monetary & Reputational Damage. Data breaches have a reverberating effect on a company. Damages are not limited to fines or sanctions, and they exceed the cost of mitigating the breach for consumers. Frequently, the greatest damage done is that to the company’s reputation. Consumers may second-guess their choice of providers based on an organization’s perceived failures, and the company’s reputation across the industry may diminish their competitive advantage for years to follow.

What Your Company Can Do

The prevalence of data breaches has led many to ask the question “Is proactive data security the solution?” There are many proactive measures that healthcare entities can implement to combat data breaches; the following summarizes just a few.

Risk Assessment

A risk assessment is the first critical step a health care entity should take when implementing a proactive data security plan. The HIPAA Security Rule requires it: the risk analysis implementation specification at 45 CFR 164.308(a)(1)(ii)(A) calls for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI. Further, the National Institute of Standards and Technology (NIST) has placed great emphasis on risk assessment as the foundation for data security (see NIST Special Publication 800-30, Guide for Conducting Risk Assessments). Risk assessments systematically identify vulnerabilities that even the most sophisticated organizations may not have anticipated. Identifying vulnerabilities can help a company stay ahead of hackers by knowing where to direct security resources.

Invest in Data Security

Depending on the size of the company, data security may be a secondary function of the company’s IT department. Given the severity of the potential risk, security should not be just one of many tasks for the IT department. According to a 2013 Ponemon study, the average cost of a data breach exceeds $5 million without even considering reputational harm. Studies estimate that U.S. hospitals alone incur costs of $1.6 billion each year for security incidents. Although certain actions might initially seem redundant, measures such as establishing a dedicated data security team or department, appointing specific data-security personnel within an IT department, or investing in robust data security software and hardware are all worthwhile investments which will likely prove less costly than a data breach.

Improve Audit Controls

HIPAA requires organizations to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI. Audit controls must be sufficient to examine system activity comprehensively. NIST audit control standards provide substantial guidance on conducting proactive system monitoring and activity logging. Audit controls give a company visibility into its own systems, allowing it to recognize suspicious activity early in order to limit exposure and ultimately prevent a full-blown data breach.
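To make the "record and examine" requirement concrete, the following is an added example (not code from the original post or from HHS/NIST) that reviews constructed e-PHI access audit records with three simple rules: access outside business hours, record exports, and one user touching many distinct patients in a short window. The log format, the roles, the thresholds and the business-hours window are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real data):
# timestamp user role patient action
AUDIT_LOG = """\
2016-03-01T09:02:11 nurse01 nursing P1001 VIEW
2016-03-01T09:05:40 nurse01 nursing P1002 VIEW
2016-03-01T09:40:12 nurse01 nursing P1001 UPDATE
2016-03-01T13:10:03 clerk03 registration P3001 VIEW
2016-03-01T13:10:21 clerk03 registration P3002 VIEW
2016-03-01T13:10:44 clerk03 registration P3003 VIEW
2016-03-01T13:11:02 clerk03 registration P3004 VIEW
2016-03-01T13:11:30 clerk03 registration P3005 VIEW
2016-03-01T13:11:58 clerk03 registration P3006 VIEW
2016-03-02T02:47:15 billing07 billing P2001 EXPORT
"""

BUSINESS_HOURS = range(7, 19)      # assumed: 07:00-18:59 local time
BULK_THRESHOLD = 5                 # assumed: more than 5 distinct patients ...
BULK_WINDOW = timedelta(minutes=10)  # ... within 10 minutes is "bulk browsing"


def parse_log(text):
    """Parse the whitespace-separated audit format assumed above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def find_suspicious(records):
    """Return (user, rule, detail) tuples that merit an early look by security staff."""
    findings = []
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append((r["user"], "off-hours", r["ts"].isoformat()))
        if r["action"] == "EXPORT":
            findings.append((r["user"], "export", r["patient"]))
    # Bulk browsing: many distinct patients touched by one user in a short window.
    for user, recs in by_user.items():
        for i, start in enumerate(recs):
            window = [x for x in recs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            distinct = {x["patient"] for x in window}
            if len(distinct) > BULK_THRESHOLD:
                findings.append((user, "bulk-access", f"{len(distinct)} patients"))
                break  # one finding per user is enough to trigger review
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_log(AUDIT_LOG)):
        print(finding)
```

The rules are deliberately coarse; in practice thresholds are tuned per role, and the findings feed a review queue rather than an automatic block.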

Conduct Breach Drills

Preparation is the key to mitigating damage that cannot be prevented. Similar to a fire drill, companies should maintain a plan for implementation in case of a data breach, and that plan should be put into practice regularly. HHS has teamed with HITRUST to launch CyberRx, an industry-wide effort to simulate cyber-attacks. Twelve organizations will participate in these simulated cyber-attacks. The goal of CyberRx is to help industry participants identify ways to better prepare for, and respond to, cyber-attacks. This is an exercise of great value and can be done independently of HHS. By preparing to respond to a breach, companies can ensure that damage will be contained as efficiently and effectively as possible when one occurs.
For updates on Health Privacy and Security follow Marshall Jackson on Twitter: @MJacksonJr_ESQ

Follow Alaap Shah on Twitter: @HealthITLawyers

By:  Alaap Shah

Most health care companies are aware of their central repositories of electronic protected health information (“e-PHI”).  Unfortunately, e-PHI often leaks out of central repositories and exists in a variety of “hidden” places.  This data leakage can create real headaches for health care companies, and can lead to violations of privacy and security laws.

Recently, the Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) enforced against a health plan that failed to erase e-PHI from its photocopiers, which were sold to a third party.  The third party discovered the PHI and notified the health plan, which in turn reported the breach to HHS.  The settlement included paying a resolution amount of $1,215,780 as well as a 120-day corrective action period requiring retrieval of photocopier hard drives, conducting a risk analysis of all health plan devices containing e-PHI, and developing a plan to mitigate the identified risks.  Failure of the health plan to comply with the corrective action plan could result in further civil monetary penalties.

This enforcement effort by OCR raises a number of issues with regard to data leakage, and now OCR encourages all HIPAA covered entities and their business associates to safeguard sensitive data stored on digital devices.  To assist health care organizations, OCR also posted two guides on its website:

(1)   a National Institute of Standards and Technology guide on cleaning up digital storage media; and

(2)   an FTC guide on safeguarding sensitive data stored on copying machines.

Where Does e-PHI Reside?

For health care providers, e-PHI typically resides in electronic health records and billing systems. For health care insurers, e-PHI typically resides in claims processing databases.  Companies are usually aware of these central repositories of e-PHI and are vigilant in implementing security safeguards to protect the privacy of patient information in those central repositories.  By contrast, few health care companies are fully aware of all the places e-PHI may flow through digital systems.

The type of information that can leak out of central repositories can include sensitive individually identifiable information such as social security numbers, birth certificates, bank records, income tax forms, among others.  As such, these “hidden” e-PHI repositories can be a treasure trove of information for identity thieves.
To fully appreciate the data leakage problem, health care companies must first take stock of all the digital devices used within their organizations.  Here are some common, but disconcerting, places e-PHI may end up:

  • Smartphones
  • Tablets
  • Photocopiers
  • Laptops
  • USB devices
  • CDs and DVDs
  • Digital cameras
  • Email archives
  • Local computer hard drives
  • External hard drives
  • Digital video surveillance recordings
  • Cloud storage solutions
  • Mobile application databases
  • Digital dictation recordings

The list goes on, and will likely increase as technology transforms health care.  Fortunately, technical solutions exist that can help ferret out where this sensitive data resides.  Such solutions should be used to shed light on where e-PHI may be hiding.

Once an organization recognizes the possible places e-PHI may reside, a risk analysis should be performed to determine the risk associated with those “hidden” repositories.

  • Does your organization have a sufficient “bring your own device” policy in place to ensure e-PHI does not commingle with an employee’s personal applications or accounts?
  • Does your organization monitor data accessed or copied by third party vendors servicing photocopiers?
  • Does your organization adequately sanitize digital devices before reuse or resale?
  • Does your organization prohibit users from syncing digital device contents with personal cloud backup solutions?

These are only a few questions to ask among many others when assessing risks.  Then comes the difficult part: determining “reasonable and appropriate” mitigating controls.

  • Can I employ encryption on the digital devices?
  • Do I need to revise policies and procedures?
  • Do I need to retrain employees on appropriate usage?
  • What other technical, administrative or physical safeguards can I use to manage these risks?

If your organization has not adequately addressed these issues, it is likely that e-PHI resides somewhere other than central repositories, and it is also likely that adequate safeguards are not implemented.  This suggests your organization may not be complying with HIPAA privacy and security rules.  Further, it is only a matter of time until your organization suffers a breach and all the financial and reputational damage associated with follow-on breach notification, government enforcement and private litigation.

To avoid these pitfalls, organizations should conduct a full and thorough risk analysis around all systems that could potentially contain e-PHI.

Follow me on Twitter: @HealthITLawyers

When evaluating the various legal and regulatory hurdles associated with telehealth—such as licensure, reimbursement, and privacy—one hurdle that often goes overlooked is the corporate practice of medicine.  Many states have enacted laws which directly or indirectly are viewed as prohibiting the “corporate practice” of medicine.  While variations exist among states, the doctrine generally forbids a person or entity, such as a general business corporation, other than a licensed physician, professional corporation (“PC”) or a professional limited liability company (“PLLC”), from owning an interest in a medical practice or employing physicians for the purpose of practicing medicine.  These laws against the corporate practice of medicine are generally designed to prevent non-clinicians from interfering with or influencing the physician’s professional judgment, and will affect the ability of business entities to enter into agreements with physicians and other health professionals.

Some states, like Florida, do not have a law specifically prohibiting physicians from engaging in the practice of medicine through a corporate structure.  The Florida Board of Medicine has stated that the statutory prohibition against the unlicensed practice of medicine does not prohibit the practice of medicine by physicians as employees of a Florida corporation or partnership.  California, on the other hand, prohibits the corporate practice of medicine, which, among other things, requires that business or management decisions and activities resulting in control over a physician’s practice of medicine be made by a licensed California physician and not by an unlicensed person or entity. In order to avoid the direct violation of state prohibitions on the corporate practice of medicine, many companies use the so-called “friendly PC” model.  Under the “friendly PC” model, a PC, PLLC, or other legal entity permitted in the state, whose shareholders are all physicians, employs the licensed health care professionals and contracts with a Management Services Organization (“MSO”) that provides management services to the PC.  The PC is kept “friendly,” or aligned, through the use of a stock transfer restriction agreement and/or by the MSO employing the physician owner.

Generally, the restrictive stock transfer agreements prevent the member from transferring his or her shares without the consent of the MSO.  Additionally, these agreements usually require the member to transfer the shares in the PC, upon demand by the MSO, to an individual selected by the MSO. The combination of business management control and the threat of exercising its rights under the transfer agreement allows the MSO to maintain control over the administrative and management side of the entity without infringing on the professional judgment of the physicians.

We should note that enforcement by relevant authorities (e.g., state boards of medicine) of the prohibition against the corporate practice of medicine with respect to the “friendly PC” model generally is inconsistent.  As a practical matter, the most frequent forum in which the issue is asserted is in the context of commercial disputes between the MSO and the physician owners of the PC or PLLC it manages. Specifically, in these disputes the physician owners seek to invalidate all or part of the agreements between themselves and the MSO by arguing that the agreements are unenforceable as a matter of law because they create a relationship that constitutes the corporate practice of medicine.

Although there is no hard and fast rule as to when a given arrangement may be deemed to constitute corporate practice, the focus in any enforcement action likely will be on the level of control the MSO exercises over the operation of the medical practice, specifically the professional judgment of licensed health care professionals. Where a high level of control exists, the arrangement may be found to be a sham intended to disguise the de facto practice of medicine by an unlicensed entity.  Factors that will be considered in evaluating whether a structure violates the prohibition on the corporate practice of medicine include the extent to which the MSO controls decisions or extracts revenue.

Telehealth companies also need to take the corporate practice of medicine into consideration when developing their business models, along with licensure and all the other regulatory issues we have written about in this blog.  We advise that companies look into whether the states in which they are considering operating have a prohibition against the corporate practice of medicine, and if so, analyze how their model will need to be modified to fit within the law.  The good news is that many states (e.g., Hawaii, Mississippi, Ohio) have no such prohibition.

The rapid development and utilization of remote patient monitoring tools in health care exposes the limitations of state licensure laws, which generally require physicians to be licensed in the states where their patients are located.  These laws are predicated on the physician and patient being in the same jurisdiction.  However, when using mobile devices to actively monitor patients (such as a device sensor with a 4G chipset that can directly connect to cellular networks), there is no single geographic anchor or fixed moment in time from which to define the encounter, episode or point of service.

Rather, the encounter can be viewed as more continuous and spread out over time.  Even if one can break down the services into discrete units (e.g. each instance where a physician is reading and interpreting remote monitoring data, advising the patient, or adjusting prescriptions based on such data) it will be difficult if not impossible for the physician to ensure that during each such instance the patient is physically located in a state where the physician is licensed.  While the program of care may begin on site at a medical center or physician’s office, it may continue offsite for weeks or months during which the patient may be outside the state where the physician is licensed.

Imagine a situation where a patient travels to a medical center outside of his home state to enroll in a chronic disease management program that uses remote monitoring tools.  While at the medical center, the physician establishes a remote monitoring link with the patient that will last for six months. Then the patient leaves the medical center and travels back to his home state.  Under state licensure laws, can the physician(s) at the medical center continue to provide services to this patient during the six-month period?

There are many ways in which a state might respond to this scenario and others like it.

  1. Some states may enforce the law to the letter, requiring physicians to keep track of the location of their patients, and penalizing all remote monitoring and associated activities provided to patients physically located out-of-state.  To lawfully provide remote monitoring services to out-of-state patients under these circumstances, providers would need to continuously track patients by location and provide access to practitioners who are licensed in each of the states where the remote monitoring patients may be located during the monitoring period.  Although a literal interpretation of the existing laws in many states may support such an approach, due to the increased costs and administrative complications associated with tracking patients and establishing licensed practitioners in multiple states, many providers would find this to be unworkable.  Therefore, if states take this approach to enforcement, then many providers and technology developers are likely to abandon their efforts to develop innovative remote monitoring solutions.  Perhaps, for this reason, some medical boards will be reluctant to endorse this approach.
  2. Alternatively, states may view an initial (and/or follow-up) in-person encounter(s) between the physician and the patient as the only relevant “encounters” for purposes of complying with the licensure requirements.  For example, states may see such activities as an extension of the custom that has traditionally been used to justify non-routine encounters between physicians and established patients while they are traveling or temporarily residing out-of-state. What is significant here is that such an approach would be an implicit acceptance of the practice of telehealth across state lines, and if this lid is opened, it would be very hard for regulators to maintain the distinction between in-state and out-of-state telehealth.
  3. Lastly, some states may recognize that licensure restrictions need to be changed and begin the process of removing certain interstate practice restrictions.  A number of ideas on state licensure reform have been proposed over the years that states can draw from: e.g., entering compact agreements with other states (similar to the Nursing Licensure Compact); creating certain exceptions for remote monitoring and other telehealth practices; or seeking a national telehealth licensure framework under federal law.  For example, just last week, Representative Thomson from California introduced a bill in Congress that, if enacted into law, would create a federal telehealth licensure standard for treating individuals enrolled in federal health plans.

One thing we can be sure of is that as telehealth continues to advance and the physical location of the patient becomes increasingly irrelevant, pressure on states to reform licensure requirements will only intensify.