
2/10/2020


Telehealth in Hospitals: State and Federal Regulatory Frameworks Now and What’s Next

Jeremy Sherer, Hooper, Lundy & Bookman, PC

Andrea Frey, Hooper, Lundy & Bookman, PC

Frey/Sherer - 2

Presentation Overview

• Telehealth as a clinical tool

• Telehealth and reimbursement

• Telehealth contracting

• Telehealth compliance checklist

• Health care technology and privacy in California


Part 1: Telehealth as a Clinical Tool

As a general matter, the laws of the state in which the patient is located at the time of the encounter govern. Issues to consider include:

• What modalities does the state allow?

• Are there applicable licensure exceptions?

• What documentation is needed?

• Is e-prescribing allowed?

• What are the state’s corporate practice rules?

• Does the state have coverage or payment parity laws?


Part 1: Telehealth and Modalities

‘Telehealth’ means the mode of delivering health care services and public health via information and communication technologies to facilitate the diagnosis, consultation, treatment, education, care management, and self-management of a patient’s health care. Telehealth facilitates patient self-management and caregiver support for patients and includes synchronous interactions and asynchronous store and forward transfers. Cal. Business and Professions Code § 2290.5(a)(6).

Prescribing, dispensing, or furnishing dangerous drugs as defined in Section 4022 without an appropriate prior examination and a medical indication, constitutes unprofessional conduct. An appropriate prior examination does not require a synchronous interaction between the patient and the licensee and can be achieved through the use of telehealth, including, but not limited to, a self-screening tool or a questionnaire, provided that the licensee complies with the appropriate standard of care. Cal. Business and Professions Code § 2242(a) (emphasis added).


Part 1: Modalities in California

• “Synchronous Interaction” means a real-time interaction between a patient and a health care provider located at a distant site

• “Asynchronous store and forward” means the transmission of a patient’s medical information from an originating site to the health care provider at a distant site

• Self-screening tool or questionnaire

• Remote patient monitoring


Part 1: Licensure in California

• To treat patients in California, providers must hold a California-issued license

• The Interstate Medical Licensure Compact (IMLC) provides an expedited path to licensure for physicians who are licensed in any of the 29 compact member states, the District of Columbia or Guam

• California is not an IMLC state


Part 1: Documentation, Patient Identification, and Informed Consent

• Clinical services delivered utilizing health care technology are still clinical services, so documentation standards apply

• California requires verbal or written consent, which must be documented

• Patient identification is required by HIPAA


Part 1: E-Prescribing

• For non-controlled substances, look to state law (both medical and pharmacy laws)

• For controlled substances, the Controlled Substances Act generally prohibits prescribing via telehealth without a prior in-person examination of the patient

• However, there are exceptions


Part 1: Controlled Substances and Telehealth

Practitioners may prescribe CS while the patient is being treated by, and physically located in, a DEA-registered hospital or clinic, and by a practitioner who is:

• Acting in the usual course of professional practice

• Acting in accordance with state law

• Registered with the DEA in the state in which the patient is located


Part 1: Coverage and Payment Parity Laws

• Coverage parity means that services a payer covers when delivered in person must also be covered when provided via telehealth

• Payment parity means that payers must reimburse providers at the same level for services rendered, whether they are provided in-person or via telehealth


Part 1: Coverage and Payment Parity in California

• Payment Parity: Telehealth services must be reimbursed “on the same basis and to the same extent” as equivalent in-person services

Cal. Health and Safety Code § 1374.14

• Applies to agreements issued, amended, or renewed on or after January 1, 2021


Part 2: Medicare Telehealth Services

CMS has paid for “Medicare telehealth services” since 1997. To be eligible for reimbursement, telehealth services that hospitals provide must satisfy 5 requirements:

1. Geographic restrictions

2. Provider restrictions

3. Originating site restrictions

4. Technological restrictions

5. Services restrictions


Part 2: Communication Technology and Remote Evaluation Based Services

Virtual check-ins and e-consults

• Synchronous or store and forward communication

• Cannot be related to service provided within previous 7 days, next 24 hours, or soonest available appointment

• Patient consent is required

• For existing patients only


Part 2: Remote Patient Monitoring

99453: Pays for initial equipment set-up and patient education

99454: Pays for interpretation/monitoring of information from devices that communicate clinical information on a daily basis

99457: Remote physiological treatment management services. To bill using this code, the patient must receive at least 20 minutes of interactive treatment each month


Part 2: Medicare Advantage and “Additional Telehealth Services”

• What changed? Medicare Advantage plans have long had flexibility to cover telehealth services as supplemental benefits. Now, MA plans can cover telehealth services as basic benefits.

• What can MA plans cover? Any services that Medicare covers, so long as the plan determines that it is “clinically appropriate” to provide the service via telehealth.


Part 2: Medi-Cal

Medi-Cal’s revised telehealth policy allows any services to be covered via telehealth, as long as:

1) The treating provider at the distant site believes it is clinically appropriate to deliver the benefits or services by telehealth, based upon evidence-based medicine and applicable best practices;

2) The benefits or services meet the procedural definition and components of the applicable CPT/HCPCS code associated with the service or benefit, and any extended guidelines in the telehealth policy; and

3) The benefits or services satisfy California law regarding the confidentiality of medical information and the patient’s right to access such information


Part 2: Medi-Cal

Other issues:

• E-consults

• Provider groups

• Defining “store-and-forward” and “telehealth”

• Informed consent

Make sure to consider both the Medi-Cal Manual and California law.


Part 3: Telehealth Contracting

Scope of Practice Issues

Common Pitfalls


Part 3: Telehealth Contracting Issues: Scope of Practice

• Licensure

• Informed consent

• Modalities

• Patient/provider identification

• E-prescribing

• Documentation

• Parity laws

• Privacy


Part 3: Telehealth Contracting

• State fraud and abuse authorities

• Corporate Practice of Medicine

• Proxy credentialing

• Ongoing support related to equipment maintenance and upkeep

• Response times (for clinical services)

• Business Associate Agreements


Part 3: Telehealth Contracting: Direct-to-Consumer (“DTC”) vs. Hospitals

Unlike hospitals, many DTC platforms don’t have to worry about Medicare statutes, regulations, or sub-regulatory guidance


Part 4: Telehealth Compliance Checklist

• Patient informed consent

• Verification of patient identity

• Licensure in the state where the patient is located

• Sufficient establishment of physician-patient relationship

• If e-prescribing, consider federal and applicable state requirements

• Accurate coding, including place of service

• Documentation in medical record to support claim, including medical necessity of any referral/order

• Use of a secure platform

• Compliance of arrangements with federal (if applicable) and/or state fraud and abuse laws, including anti-kickback and self-referral laws

• Review of private payor contracts – is it clear if telehealth services are covered?

• Policies and procedures

• When appropriate, claims submitted for both originating and distant sites


Part 4: Telehealth Compliance Checklist

• Periodic review of internal practices – compliance efforts are ongoing

• Auditing – spot check of records, coding reviews

• Inventory of vendor agreements

• Corporate structure

• Fees

• Data privacy and security

• Business protection – insurance, indemnification, termination rights

• If it seems too good to be true…

• Monitor regulatory developments – telehealth landscape is rapidly changing

• Work with legal/compliance teams, or consult with outside resources

Part 5: Telehealth Privacy and Security


When providing care via telehealth, providers are still responsible for protecting the confidentiality, integrity and security of ePHI in accordance with federal and state privacy and security laws, including:

• HIPAA

• 42 CFR Part 2

• CMIA

• LPS


Telehealth provision or use does not alter a covered entity’s obligations under HIPAA, nor does HIPAA contain any special section devoted to telehealth. Therefore, if a covered entity utilizes telehealth that involves PHI, the entity must meet the same HIPAA requirements that it would for a service provided in person. The entity will need to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to PHI confidentiality, integrity and availability.

With most telehealth delivery models involving provider-to-provider communication, entities at both ends are required by HIPAA to implement reasonable and appropriate security safeguards

• Circumstances may arise in which an endpoint falls outside the controlled and supervised environment of a HIPAA-regulated clinical care setting


Part 5: HIPAA Tips


Authentication: Prior to any disclosure of PHI, a covered entity must “verify the identity of a person requesting PHI and the authority of any such person to have access to PHI”

Security: “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

• E.g. data encryption for data being sent over an open network


Part 5: HIPAA Tips


Business Associates: Further complications may arise in determining who would be considered a “business associate” for telehealth services, and therefore required to enter a business associate agreement in order to maintain the covered entity’s compliance

• Business Associate is defined as a person or entity that, “on behalf of a covered entity… creates, receives, maintains, or transmits protected health information”

• What about Zoom or Skype?

• “Skype is not a business associate subject to HIPAA, nor have we entered into any contractual arrangements with covered entities to create HIPAA-compliant privacy and security obligations. Instead, Skype is merely a conduit for transporting information, much like the electronic equivalent of the US Postal Service or a private courier.”

Part 5: HIPAA Tips


Whether a vendor of a patient-facing telehealth technology is a BA depends on whose interests are being served by the technology. Relevant questions include the following:

• Who provides technology to the patient (direct-to-patient transaction, or is technology provided by the doctor)?

• Who benefits from the technology being offered?

• Who is responsible for the day-to-day operation of the technology (an indication of who is ultimately responsible)?

• And who controls the information generated by the technology?

Mere connectivity between a device and a health care provider does not render the device manufacturer a business associate of that provider.


Part 5: HIPAA Tips


• Make sure you have a business agreement in place if the determination has been made that a vendor is a business associate, and ensure terms include:

• Negotiated liability for breaches

• Breach disclosure process by BA

• Cyber security insurance

Caution: be wary of “HIPAA-compliant” claims

• Use of specific telehealth equipment or technology cannot ensure that an entity is “HIPAA-compliant” since HIPAA addresses more than features or technical specifications

Part 5: Other Privacy Laws


• Be sure to keep state health information privacy and security laws in mind when developing a telehealth program.

• In general, more restrictive law applies, but in practice, providers should comply with both.

• Reminder also that HIPAA treats all health information the same, with the exception of psychotherapy notes

• But special protections under state and federal laws around certain types of sensitive health information (mental health, substance use)


Questions?

Raise your hand or submit a question at www.menti.com and enter code 61 32 32


Thank You

Jeremy Sherer, Hooper, Lundy & Bookman, PC

Andrea Frey, Hooper, Lundy & Bookman, PC
