10 Post-Pandemic Regulatory Considerations for Telehealth Providers
Highlights
- Telehealth has long faced a number of obstacles to widespread adoption. Beyond a number of operational and clinical hurdles, widespread implementation of telehealth has been hindered by various legal and regulatory barriers.
- The COVID-19 pandemic and the unprecedented limitations on in-person healthcare delivery, however, have led to a flurry of state and federal emergency healthcare regulations and guidance specific to telehealth. Although temporary, many of these changes may actually accelerate long-lasting regulatory developments that encourage telehealth.
- This Holland & Knight alert highlights 10 key regulatory considerations for telehealth providers to consider and provides insights as to what the post-pandemic landscape might look like.
Until the COVID-19 public health emergency, the incremental emergence of telemedicine and telehealth in the modern era of healthcare delivery has been primarily fueled by efforts to lower healthcare costs, coupled with the opportunity to better serve certain vulnerable populations, such as elderly patients, behavioral health patients and patients living in rural areas. However, the slow-moving gears of the health system have left much potential for telehealth still untapped.
“Telemedicine,” or the practice of medicine to provide care to a distant site using technology – as well as the broader category of using technology to provide a range of services and care at a distance, known as “telehealth”1 – have faced a number of obstacles to widespread adoption. Beyond some operational and clinical hurdles, widespread implementation of telehealth has been hindered by various legal and regulatory barriers.
Enter COVID-19. The response to the pandemic has brought about a flurry of state and federal emergency healthcare regulations and guidance across various areas, most of which will clearly be in place only for a limited duration (e.g., the issuance of state executive orders prohibiting elective surgeries or procedures). Telehealth, of course, has been one of the areas addressed, as the pandemic has imposed unprecedented limitations on in-person healthcare delivery. The temporary changes specific to telehealth, however, may actually accelerate long-lasting regulatory developments that encourage telehealth. As the telehealth landscape was already ripe with potential for more widespread implementation, the pandemic may create a springboard for telehealth delivery to “leave the station” with the engine roaring even after the pandemic – creating opportunities to improve patient care as well as create additional revenue streams for providers.
This Holland & Knight alert highlights 10 key regulatory considerations for telehealth providers to consider, describing the “normal” landscape (prior to the pandemic), as well as 1) the temporary landscape during the pandemic and 2) insights as to what the post-pandemic landscape might look like.
1. Data Privacy
Although Health Insurance Portability and Accountability Act (HIPAA) requirements are not specific to telehealth, telehealth can bring about unique issues for HIPAA privacy compliance, including the possibility of an increased number of personnel being exposed to protected health information (e.g., IT personnel being involved in a telehealth evaluation).
- Temporary COVID-19 Developments: The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has indicated that it will use enforcement discretion during the crisis to the extent that providers deliver services through telehealth without complying with all of HIPAA’s requirements. OCR has indicated that it will not penalize providers for good faith use of telehealth during the pandemic. Healthcare professionals may use a variety of non-public-facing remote communication methods, even without complying with all of HIPAA’s requirements. Notably, this guidance refers only to the use of telehealth by providers, rather than by health plans.2
- Post-Pandemic Predictions: Expect things to go back to “normal” after the pandemic with respect to HIPAA enforcement. Thus, data privacy and security will continue to be important as the telehealth landscape continues to develop, including with respect to the security of service locations and emerging new technology platforms. Once the crisis has passed, covered entities and business associates involved in telehealth encounters will need to make sure they have complied with all of HIPAA’s requirements, including making sure that business associate agreements are in place with third parties that are creating, receiving, maintaining or transmitting protected health information on behalf of a covered entity or another business associate.
2. Data Security and Electronic Exchange
In addition to concerns about HIPAA privacy, OCR’s enforcement discretion extends, for now, to certain security issues relating to telehealth. Systems set up to facilitate telehealth during the pandemic will need to comply with the HIPAA Security Rule once the crisis abates. These regulatory and enforcement changes are occurring against the backdrop of a major push toward greater online activity as a response to the pandemic. The ability of many businesses to shift significant workload online has been important during this time of social distancing. On the other hand, the speed and scale of these changes have increased the “attack surface” where bad actors can try to obtain unauthorized access or otherwise harm systems. In addition to the greater volume of activity, many people are working remotely in ways they have not before, often over home networks or with personal devices that have not been subjected to the same level of security scrutiny as their office systems. While there are ways to mitigate the risks associated with these changes, they can still contribute to a heightened vulnerability. Cybercriminals are demonstrably ramping up their activity to try to take advantage of this dynamic, with the FBI and cybersecurity companies reporting dramatic spikes in cybersecurity complaints and hacking attempts as compared with pre-pandemic levels.3
On May 1, 2020, the Office of the National Coordinator for Health Information Technology (ONC) published final rules (ONC Rules)4 addressing interoperability, information blocking and patient access to data. The ONC Rules require certified health IT developers to ensure that their application program interfaces (APIs) meet certain standards to help ensure that patients have seamless access to their electronic health record data. The ONC Rules define the kinds of “actors” to which information blocking provisions apply. These include healthcare providers, health IT developers of certified health IT, health information networks and health information exchanges. The ONC Rules implement the 21st Century Cures Act’s prohibition against information blocking, or engaging in practices that are likely to prevent, interfere with or materially discourage access to, the use of or the exchange of electronic health information. Although the ONC Rules do not address telehealth directly, it seems likely that certain telehealth platforms may have to conform to the ONC Rules, and these regulations may make it easier for telehealth platform developers to interface with a provider’s electronic health records. Patients will also be able to direct their providers to send medical records to third party apps, including telehealth apps.
- Post-Pandemic Predictions: HIPAA compliance for telehealth platforms requires, among other things, updated risk analyses and risk mitigation plans. The ONC Rules are likely to encourage new telehealth vendors to enter the market, and HIPAA-covered entities and business associates will likely be required to transmit data to platforms requested by patients. Telehealth providers should be prepared to exchange data in a secure manner that complies with the prohibitions on information blocking. As providers and patients get used to the convenience and other advantages of certain kinds of remote activity, it is likely that demand for telehealth platforms will persist even as the crisis abates. In this way, there is a high probability that expanded telehealth activity will be “sticky,” like many other remote working innovations that have recently come to greater prominence. That stickiness will probably be accompanied by an even greater regulatory interest in cybersecurity matters, especially if the trend of sharply increasing cybercriminal activity does not reverse.
3. Practitioner Licensure
Many types of practitioners may be permitted to deliver services through telehealth – not just physicians, but also physician extenders, nurses, psychologists, social workers and other types of healthcare professionals. This is increasingly true due to the general healthcare cost-cutting trend for midlevel practitioners to provide an increasing range of services with a higher degree of autonomy. Telehealth providers must ensure that their telehealth practices comply with the rules of the appropriate licensing board(s) for their practitioners delivering telehealth services (including, but not limited to, any rules specific to telehealth), including scope of practice rules.
Moreover, telehealth providers may need to comply with the laws of multiple states if the patient and provider are located in different states. To that end, practitioners delivering services to patients in multiple states may need to obtain and maintain licensure in each of those states, which can be a costly and time-consuming task. Some state licensing boards, however, have carve-outs to encourage telehealth delivery (e.g., allowing limited practice across contiguous state lines without additional licensure) or licensure compacts with certain other states that allow for a streamlined licensure process for practitioners already licensed in other states subject to the compact.5
- Temporary COVID-19 Developments: A number of states have modified their rules to make it easier for providers to practice across state lines during the pandemic, including allowing out-of-state licensed practitioners to practice without in-state licensure or providing a streamlined process for out-of-state licensed practitioners to attain in-state licensure.6
- Post-Pandemic Predictions: The trend of increased portability of practitioner licenses may take place in some states on a temporary basis for the duration of the pandemic, but is also likely to take place incrementally on a permanent basis, particularly with respect to more states joining various licensure compacts. Providers and entities involved in telehealth should take steps to ensure that they remain in compliance with potentially changing state licensure requirements going forward.
4. Medicare Reimbursement: Rates and Conditions
Prior to the pandemic, Medicare telehealth reimbursement had several significant limitations, such as the types of services that may be reimbursed, the delivery methods or technology platforms used for providing such services, and the types of practitioners that may deliver such services. Moreover, Medicare generally provided reimbursement for telehealth services only if the patient was located in an “eligible originating site” – meaning, either a 1) designated rural area, or 2) clinic, hospital or other type of specified medical facility.7
- Temporary COVID-19 Developments: The Centers for Medicare & Medicaid Services (CMS) has implemented several waves of regulatory changes to improve flexibility with respect to Medicare coverage for telehealth during the pandemic. In summary of the collective guidance, some of the significant changes include:
- elimination of limitations on where patients may be located when receiving telehealth services, allowing telehealth services to be provided in all settings, such as a patient’s home8
- forgoing enforcement of requirements for in-person establishment of a physician-patient relationship for some types of telehealth services, allowing providers to serve new patients through telehealth9
- expansion of the list of services that can be provided via telehealth, including that CMS will now add new telehealth services on a “sub-regulatory” basis during the pandemic to expedite changes, in comparison to the rulemaking process normally used10
- expansion of the types of practitioners that may deliver telehealth services11
- allowing providers to waive Medicare copayments12
- removal of certain frequency limitations for telehealth services13
- elimination of the requirement that a practitioner must be licensed in the state where the service is provided14
- elimination of the video requirement for certain telephone evaluation and management services15
- increased reimbursement rates for certain telehealth services16
These changes are not limited to patients being treated for COVID-19.
- Post-Pandemic Predictions: Generally, these changes are expressly intended to be implemented only on a temporary basis for the duration of the pandemic. However, these sweeping temporary changes may serve an unintended experimental purpose for various measures that encourage telehealth. Look for some of these measures to prove to be successful throughout the duration of the pandemic and to perhaps be adopted on a permanent basis in some form. Although it is anyone’s guess which changes, if any, may become permanent in some form – look particularly at the loosening of patient location limitations, expansion of the list of telehealth services eligible for reimbursement and expansion of the types of practitioners that may provide reimbursable telehealth services. Providers should ensure, however, that they follow their compliance programs and carefully document the services provided.
5. Medicaid Reimbursement: Rates and Conditions
States have significant flexibility with respect to providing Medicaid coverage of telehealth services, including whether telehealth is covered at all, the delivery methods and technology platforms that may be used, the types of telehealth services covered and the types of practitioners that may deliver telehealth services.17
- Temporary COVID-19 Developments: States have adopted various measures. For example, Washington Medicaid is allowing providers to serve new patients (rather than only established patients) through telemedicine during the pandemic.18 Colorado Medicaid has expanded the types of practitioners that may provider telehealth services to include physical therapists, occupational therapists, hospice, home health providers and pediatric behavioral health providers.19
- Post-Pandemic Predictions: Similarly to Medicare, temporary Medicaid changes may serve an unintended experimental purpose, and lead to changes taking shape on a permanent basis in some form following the pandemic’s end. Any such developments will vary by state, and telehealth providers should monitor future changes in Medicaid requirements to ensure ongoing compliance.
6. Private Insurer Reimbursement: Rates and Conditions
Many states mandate private insurers to reimburse for telehealth services, but some do not.20 Moreover, some state laws that mandate coverage for telehealth services may limit mandated coverage to certain specialties and/or may not necessarily mandate parity in reimbursement amounts with the equivalent in-person services.21
- Post-Pandemic Predictions: Collectively, look for state-mandated coverage requirements imposed on private insurers to slowly increase in the coming years.
7. Informed Patient Consents
Some states have statutory patient consent laws that are specific to telehealth services, such as Connecticut.22 Many states though, such as Florida, have statutory patient consent laws that apply to all healthcare services and are not specific to telehealth.23 The Federation of State Medical Boards’ model policy regarding telemedicine calls for obtaining and maintaining “[e]vidence documenting appropriate patient informed consent for the use of telemedicine technologies.”24 It is important to understand state requirements with respect to obtaining consents, including documentation of the consent, delivery of the consent and information included in the disclosures provided related to the consent.
- Temporary COVID-19 Developments: Many providers that were not providing telehealth services prior to the pandemic are now looking to rapidly begin telehealth services, including obtaining telehealth consents from new or existing patients. Due to the pressures of commencing such services rapidly, some providers have temporarily adopted less stringent consent processes.
- Post-Pandemic Predictions: There are unique considerations for obtaining patient consents for telehealth services versus in-person services. Following the pandemic, providers should reevaluate their forms and processes adopted on a temporary basis during the pandemic.
8. Malpractice
There is limited precedent for telehealth malpractice cases. To that end, not all malpractice coverage covers telehealth services. Hawaii is an example of a state that requires malpractice carriers to cover telehealth services, but most states have no such requirement.25 Moreover, not all malpractice coverage will cover services provided in a different state.
- Temporary COVID-19 Developments: Several states, such as New York, Michigan, and New Jersey, have issued executive orders or enacted legislation that largely shield providers from liability for treating COVID-19 patients.26 Moreover, the federal Coronavirus Aid, Recovery, and Economic Security Act (CARES Act) provides limited liability protections.
- Post-Pandemic Predictions: The temporary COVID-19 developments with respect to shielding providers from liability are probably not here to stay – they almost certainly will ultimately be lifted after the pandemic. Malpractice exposure for telehealth, like in-person services, will vary based on the types of services provided and risk management measures taken by providers. Although there is limited precedent for telehealth malpractice cases currently, this is likely to gradually change as telehealth implementation expands – not only in terms of overall use but also with respect to the breadth of service types provided. Types of current telehealth services that could potentially create malpractice exposure include teleradiology, behavioral health services and controlled substance prescribing issues. As telehealth expands to new types of services, there could be new areas with heightened malpractice exposure.
9. Prescribing
In addition to practitioner licensure regulations providing general prescribing rules for practitioners, federal and state law often impose further limitations on prescribing in a telehealth setting. Factors include whether the prescribed drug is a controlled substance, the patient’s location, whether a physician-patient relationship has been sufficiently established, whether an emergency situation exists and whether the prescribed drug is used for medication-assisted treatment of an opiate use disorder.
- Post-Pandemic Predictions: Reasonable restrictions on prescribing of controlled substances in a telehealth setting are likely to remain largely intact. However, restrictions that inhibit the use of telehealth in medication for an opiate use disorder are likely to be incrementally addressed in the coming years to further encourage telehealth as a tool to combat the opiate epidemic holistically.
10. Credentialing
Telehealth can be an effective option for providers with limited resources to utilize specialists on a less than full-time basis. As the credentialing process can be resource-consuming, especially for rural or otherwise small providers with limited resources, federal regulations allow certain types of providers to credential by proxy under certain conditions.27
- Post-Pandemic Predictions: Look for eligible providers to continue to utilize credentialing by proxy as a means to provide specialized care with limited resources.
Other Related Considerations
Healthcare regulatory agencies have issued, and continue to issue, other regulations that are not directed at telehealth specifically but may impact the telehealth landscape for the duration of the pandemic. For example, on March 30, 2020, CMS issued 18 waivers that exempt providers from sanctions for good faith noncompliance with specified provisions of the Physician Self-Referral Law (commonly referred to as the “Stark Law”). These broad waivers create flexibilities for the healthcare system generally that have applications to telehealth. For example, the guidance states the waivers may allow an entity to provide free telehealth equipment to a physician practice to facilitate telehealth visits.28 To the extent that hospitals and providers have relied on the March 30 CMS blanket waivers of certain provisions of the Stark regulations in setting up telehealth arrangements, telehealth entities should document carefully the regulatory guidance upon which they are relying, then unwind those arrangements promptly when necessary.
- Post-Pandemic Predictions: Most of these measures will be in place temporarily only for the duration of the COVID-19 pandemic. Providers are encouraged to utilize these measures during the pandemic, but they should understand that continuing such arrangements after such measures are lifted is likely to create serious compliance problems. Thus, providers should reevaluate related practices after the pandemic for compliance, then unwind arrangements made in reliance upon such measures promptly when necessary.
Undoubtedly, the current COVID-19 crisis has served as a catalyst for vast expansion of the use of telehealth, which will continue to change the landscape of healthcare delivery going forward.