Until the COVID-19 public health emergency, the incremental emergence of telemedicine and telehealth in the modern era of healthcare delivery has been primarily fueled by efforts to lower healthcare costs, coupled with the opportunity to better serve certain vulnerable populations, such as elderly patients, behavioral health patients and patients living in rural areas. However, the slow-moving gears of the health system have left much potential for telehealth still untapped.
“Telemedicine,” or the practice of medicine to provide care to a distant site using technology – as well as the broader category of using technology to provide a range of services and care at a distance, known as “telehealth”1 – have faced a number of obstacles to widespread adoption. Beyond some operational and clinical hurdles, widespread implementation of telehealth has been hindered by various legal and regulatory barriers.
Enter COVID-19. The response to the pandemic has brought about a flurry of state and federal emergency healthcare regulations and guidance across various areas, most of which will clearly be in place only for a limited duration (e.g., the issuance of state executive orders prohibiting elective surgeries or procedures). Telehealth, of course, has been one of the areas addressed, as the pandemic has imposed unprecedented limitations on in-person healthcare delivery. The temporary changes specific to telehealth, however, may actually accelerate long-lasting regulatory developments that encourage telehealth. As the telehealth landscape was already ripe with potential for more widespread implementation, the pandemic may create a springboard for telehealth delivery to “leave the station” with the engine roaring even after the pandemic – creating opportunities to improve patient care as well as create additional revenue streams for providers.
This Holland & Knight alert highlights 10 key regulatory considerations for telehealth providers to consider, describing the “normal” landscape (prior to the pandemic), as well as 1) the temporary landscape during the pandemic and 2) insights as to what the post-pandemic landscape might look like.
1. Data Privacy
Although Health Insurance Portability and Accountability Act (HIPAA) requirements are not specific to telehealth, telehealth can bring about unique issues for HIPAA privacy compliance, including the possibility of an increased number of personnel being exposed to protected health information (e.g., IT personnel being involved in a telehealth evaluation).
2. Data Security and Electronic Exchange
In addition to concerns about HIPAA privacy, OCR’s enforcement discretion extends, for now, to certain security issues relating to telehealth. Systems set up to facilitate telehealth during the pandemic will need to comply with the HIPAA Security Rule once the crisis abates. These regulatory and enforcement changes are occurring against the backdrop of a major push toward greater online activity as a response to the pandemic. The ability of many businesses to shift significant workload online has been important during this time of social distancing. On the other hand, the speed and scale of these changes have increased the “attack surface” where bad actors can try to obtain unauthorized access or otherwise harm systems. In addition to the greater volume of activity, many people are working remotely in ways they have not before, often over home networks or with personal devices that have not been subjected to the same level of security scrutiny as their office systems. While there are ways to mitigate the risks associated with these changes, they can still contribute to a heightened vulnerability. Cybercriminals are demonstrably ramping up their activity to try to take advantage of this dynamic, with the FBI and cybersecurity companies reporting dramatic spikes in cybersecurity complaints and hacking attempts as compared with pre-pandemic levels.3
On May 1, 2020, the Office of the National Coordinator for Health Information Technology (ONC) published final rules (ONC Rules)4 addressing interoperability, information blocking and patient access to data. The ONC Rules require certified health IT developers to ensure that their application program interfaces (APIs) meet certain standards to help ensure that patients have seamless access to their electronic health record data. The ONC Rules define the kinds of “actors” to which information blocking provisions apply. These include healthcare providers, health IT developers of certified health IT, health information networks and health information exchanges. The ONC Rules implement the 21st Century Cures Act’s prohibition against information blocking, or engaging in practices that are likely to prevent, interfere with or materially discourage access to, the use of or the exchange of electronic health information. Although the ONC Rules do not address telehealth directly, it seems likely that certain telehealth platforms may have to conform to the ONC Rules, and these regulations may make it easier for telehealth platform developers to interface with a provider’s electronic health records. Patients will also be able to direct their providers to send medical records to third party apps, including telehealth apps.
3. Practitioner Licensure
Many types of practitioners may be permitted to deliver services through telehealth – not just physicians, but also physician extenders, nurses, psychologists, social workers and other types of healthcare professionals. This is increasingly true due to the general healthcare cost-cutting trend for midlevel practitioners to provide an increasing range of services with a higher degree of autonomy. Telehealth providers must ensure that their telehealth practices comply with the rules of the appropriate licensing board(s) for their practitioners delivering telehealth services (including, but not limited to, any rules specific to telehealth), including scope of practice rules.
Moreover, telehealth providers may need to comply with the laws of multiple states if the patient and provider are located in different states. To that end, practitioners delivering services to patients in multiple states may need to obtain and maintain licensure in each of those states, which can be a costly and time-consuming task. Some state licensing boards, however, have carve-outs to encourage telehealth delivery (e.g., allowing limited practice across contiguous state lines without additional licensure) or licensure compacts with certain other states that allow for a streamlined licensure process for practitioners already licensed in other states subject to the compact.5
4. Medicare Reimbursement: Rates and Conditions
Prior to the pandemic, Medicare telehealth reimbursement had several significant limitations, such as the types of services that may be reimbursed, the delivery methods or technology platforms used for providing such services, and the types of practitioners that may deliver such services. Moreover, Medicare generally provided reimbursement for telehealth services only if the patient was located in an “eligible originating site” – meaning, either a 1) designated rural area, or 2) clinic, hospital or other type of specified medical facility.7
These changes are not limited to patients being treated for COVID-19.
5. Medicaid Reimbursement: Rates and Conditions
States have significant flexibility with respect to providing Medicaid coverage of telehealth services, including whether telehealth is covered at all, the delivery methods and technology platforms that may be used, the types of telehealth services covered and the types of practitioners that may deliver telehealth services.17
6. Private Insurer Reimbursement: Rates and Conditions
Many states mandate private insurers to reimburse for telehealth services, but some do not.20 Moreover, some state laws that mandate coverage for telehealth services may limit mandated coverage to certain specialties and/or may not necessarily mandate parity in reimbursement amounts with the equivalent in-person services.21
7. Informed Patient Consents
Some states have statutory patient consent laws that are specific to telehealth services, such as Connecticut.22 Many states though, such as Florida, have statutory patient consent laws that apply to all healthcare services and are not specific to telehealth.23 The Federation of State Medical Boards’ model policy regarding telemedicine calls for obtaining and maintaining “[e]vidence documenting appropriate patient informed consent for the use of telemedicine technologies.”24 It is important to understand state requirements with respect to obtaining consents, including documentation of the consent, delivery of the consent and information included in the disclosures provided related to the consent.
There is limited precedent for telehealth malpractice cases. To that end, not all malpractice coverage covers telehealth services. Hawaii is an example of a state that requires malpractice carriers to cover telehealth services, but most states have no such requirement.25 Moreover, not all malpractice coverage will cover services provided in a different state.
In addition to practitioner licensure regulations providing general prescribing rules for practitioners, federal and state law often impose further limitations on prescribing in a telehealth setting. Factors include whether the prescribed drug is a controlled substance, the patient’s location, whether a physician-patient relationship has been sufficiently established, whether an emergency situation exists and whether the prescribed drug is used for medication-assisted treatment of an opiate use disorder.
Telehealth can be an effective option for providers with limited resources to utilize specialists on a less than full-time basis. As the credentialing process can be resource-consuming, especially for rural or otherwise small providers with limited resources, federal regulations allow certain types of providers to credential by proxy under certain conditions.27
Other Related Considerations
Healthcare regulatory agencies have issued, and continue to issue, other regulations that are not directed at telehealth specifically but may impact the telehealth landscape for the duration of the pandemic. For example, on March 30, 2020, CMS issued 18 waivers that exempt providers from sanctions for good faith noncompliance with specified provisions of the Physician Self-Referral Law (commonly referred to as the “Stark Law”). These broad waivers create flexibilities for the healthcare system generally that have applications to telehealth. For example, the guidance states the waivers may allow an entity to provide free telehealth equipment to a physician practice to facilitate telehealth visits.28 To the extent that hospitals and providers have relied on the March 30 CMS blanket waivers of certain provisions of the Stark regulations in setting up telehealth arrangements, telehealth entities should document carefully the regulatory guidance upon which they are relying, then unwind those arrangements promptly when necessary.
Undoubtedly, the current COVID-19 crisis has served as a catalyst for vast expansion of the use of telehealth, which will continue to change the landscape of healthcare delivery going forward.