Telehealth - Waivers, Regulatory Leniency and HIPAA

May 12, 2020

PRESENTED BY:

Today’s Telehealth Webcast

2

Wayne LittleClinical Documentation and Coding Compliance Partner // DHG Healthcare

ModeratorWayne Little is a Partner in DHG Healthcare’s Regulatory Consulting practice with over 28 years of experience in healthcare. Wayne leads DHG Healthcare’s Clinical Documentation and Coding Compliance services. He also assists clients with their compliance programs, serves in the capacity of Independent Review Organization (IRO) and advises on financial quantifications and statistical sampling needs in support of investigations.

Agenda

1. Overview of HIPAA Waiver for Telehealth

2. Opportunities and Risks under the HIPAA Waiver

3. Strategies for Implementing the Waiver and Beyond

4. DHG Healthcare and Jones Day // Upcoming Webcasts

3

Collaboration with Jones Day

4

5

Introduction of Jones Day

6

Introduction of Jones Day

Speakers

7

Ryan Boggs is a Managing Director in DHG Advisory practice with extensive experience in the areas of compliance consulting, system and

controls (SOC), HITRUST and internal audit reporting. His experience encompasses working with federal regulations including Sarbanes-

Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), HIPAA, the Health Information Technology for Economic and Clinical Health Act

(HITECH), the Federal Financial Institution Examination Council (FFIEC) and the National Institute of Standards and Technology (NIST).

Ryan leads the development of the HITRUST practice for DHG.

Kristen McDonald is a Partner on the Health Care Life Sciences team in Jones Day’s Atlanta office. Kristen defends providers in False

Claims Act litigation brought by federal and state agencies and qui tam whistleblowers. Her civil fraud experience involves billing, coding,

medical necessity, kickbacks, eligibility, and documentation errors. Kristen also conducts internal investigations associated with

HIPAA/HITECH concerns and defends providers in OCR investigations of potential breaches. Additionally, Kristen routinely advises providers

and related investors on fraud and abuse analyses, telemedicine services and reimbursement, and compliance program development and

effectiveness reviews, among other legal issues.

David Kopans is an Of Counsel on the Health Care Life Sciences team in Jones Day’s Columbus office. In addition to advising health

insurance and health care clients on managed cared care and other regulatory and transactional matters, David advises clients in the health

care and life sciences industries on a variety of matters related to health information privacy and security compliance under state and federal

laws (including HIPAA). David's clients include health care providers, insurers and other payers, life sciences companies, and digital health

and telehealth companies offering mobile applications, online solutions, and data analytics.

Overview of HIPAA Waiver for Telehealth

8

Telehealth and common methods of communication

Regulatory considerations

Legal documents

Federal data privacy laws

State data privacy laws

Other privacy and security obligations

Primary risk? Varies from

jurisdiction to jurisdiction

Expect this to be an area of ongoing focus

Federal response to COVID-19

State response to COVID-19

Telehealth-related responses

OVERVIEW OF TELEHEALTH

US DATA PRIVACY LAWS

COMMON LAW CLAIMS

FEDERAL AND STATE RESPONSES TO COVID-

19

Overview of HIPAA Waiver for Telehealth

9

HIPAA Privacy Rule Security Rule Data Breach Rule

More Examples: GLB Act FCRA FTC Act COPPA Telephone Consumer

Protection Act CAN-SPAM Act Others

SAMHSA PART 2 RULE Applicability Consent requirements Limitations on uses and

disclosures More stringent than HIPAA

Overview of HIPAA Waiver for Telehealth

10

March 17, 2020

Effective immediately

No penalties in connection with “good faith” provision of health services during COVID-19 emergency

Even if unrelated to diagnosis and treatment of COVID-19

No BAA required

Technology need not be fully HIPAA compliant

“Good faith”?

Any non-public facing remote communication product

“More stringent” state law?

Opportunities and Risks under the HIPAA Waiver

11

Opportunity Use of non-compliant

technology Non-public facing remote

communications (audio, video, and/or texting applications)

No BAA required Expanded ability to reach

patients

Risk Express limitations of the

HIPAA waiver

States’ mixed approach

Other federal privacy laws

Common law claims and other privacy and security obligations

Opportunities and Risks under the HIPAA Waiver

12

Opportunity

OCR exercising enforcement discretion

Not pursuing penalties for violations of HIPAA privacy, security, and data breach rules

Risk Not “clean” waiver of all

activities during emergency

Using “facts and circumstances test” for “good faith” standard

Other laws

Opportunities and Risks under the HIPAA Waiver

13

Opportunity

Presents many of the opportunities discussed above

E.g., increases options, expands ability to reach patients, and speeds up implementation

Focus here is on the risks

Risk Express limitations of the

HIPAA waiver

Other laws and obligations

Vendor lack of HIPAA/privacy experience

Return or destruction of data

Unclear privacy risks for patients

Strategies for Implementing the Waiver and Beyond

14

Strategies for Federal Flexibilities

HIPAA-compliant technology or most secure option possible

Limit use of non-complaint tools

BAAs and HIPAA-experienced vendors

Disclosure

Consent

Compliance

Strategies for Government Enforcement

Document, document, document

Policies

Compliance

Education

Training

Consider other opportunities and risks discussed later

Telehealth Webcast Series: Upcoming Events

15

TOPIC DATE TIME

Are Patients, Employers and Payors Ready for Telehealth?Register Here

Thursday, May 14th, 2020 12:00 p.m. – 12:30 p.m. ET

Feasibility and Sustainability of a Telehealth Program & Technology in Post COVID-19 WorldRegister Here

Tuesday, May 19th, 2020 12:00 p.m. – 12:30 p.m. ET

Creating an Audit Plan for TelehealthRegister Here Thursday, May 21st, 2020 12:00 p.m. – 12:30 p.m. ET

16

Jones Day presentations should not be considered or construed as legal advice on any individual matter or circumstance. The contents of this document are intended for general information purposes only and may not be quoted or referred to in any other presentation, publication or proceeding without the prior written consent of Jones Day, which may be given or withheld at Jones Day's discretion. The distribution of this presentation or its content is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of Jones Day.

Disclaimer

Thank You