telehealth - waivers, regulatory leniency and hipaa · opportunities and risks under the hipaa...
TRANSCRIPT
Telehealth - Waivers, Regulatory Leniency and HIPAA
May 12, 2020
PRESENTED BY:
Today’s Telehealth Webcast
2
Wayne LittleClinical Documentation and Coding Compliance Partner // DHG Healthcare
ModeratorWayne Little is a Partner in DHG Healthcare’s Regulatory Consulting practice with over 28 years of experience in healthcare. Wayne leads DHG Healthcare’s Clinical Documentation and Coding Compliance services. He also assists clients with their compliance programs, serves in the capacity of Independent Review Organization (IRO) and advises on financial quantifications and statistical sampling needs in support of investigations.
Agenda
1. Overview of HIPAA Waiver for Telehealth
2. Opportunities and Risks under the HIPAA Waiver
3. Strategies for Implementing the Waiver and Beyond
4. DHG Healthcare and Jones Day // Upcoming Webcasts
3
Collaboration with Jones Day
4
5
Introduction of Jones Day
6
Introduction of Jones Day
Speakers
7
Ryan Boggs is a Managing Director in DHG Advisory practice with extensive experience in the areas of compliance consulting, system and
controls (SOC), HITRUST and internal audit reporting. His experience encompasses working with federal regulations including Sarbanes-
Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), HIPAA, the Health Information Technology for Economic and Clinical Health Act
(HITECH), the Federal Financial Institution Examination Council (FFIEC) and the National Institute of Standards and Technology (NIST).
Ryan leads the development of the HITRUST practice for DHG.
Kristen McDonald is a Partner on the Health Care Life Sciences team in Jones Day’s Atlanta office. Kristen defends providers in False
Claims Act litigation brought by federal and state agencies and qui tam whistleblowers. Her civil fraud experience involves billing, coding,
medical necessity, kickbacks, eligibility, and documentation errors. Kristen also conducts internal investigations associated with
HIPAA/HITECH concerns and defends providers in OCR investigations of potential breaches. Additionally, Kristen routinely advises providers
and related investors on fraud and abuse analyses, telemedicine services and reimbursement, and compliance program development and
effectiveness reviews, among other legal issues.
David Kopans is an Of Counsel on the Health Care Life Sciences team in Jones Day’s Columbus office. In addition to advising health
insurance and health care clients on managed cared care and other regulatory and transactional matters, David advises clients in the health
care and life sciences industries on a variety of matters related to health information privacy and security compliance under state and federal
laws (including HIPAA). David's clients include health care providers, insurers and other payers, life sciences companies, and digital health
and telehealth companies offering mobile applications, online solutions, and data analytics.
Overview of HIPAA Waiver for Telehealth
8
Telehealth and common methods of communication
Regulatory considerations
Legal documents
Federal data privacy laws
State data privacy laws
Other privacy and security obligations
Primary risk? Varies from
jurisdiction to jurisdiction
Expect this to be an area of ongoing focus
Federal response to COVID-19
State response to COVID-19
Telehealth-related responses
OVERVIEW OF TELEHEALTH
US DATA PRIVACY LAWS
COMMON LAW CLAIMS
FEDERAL AND STATE RESPONSES TO COVID-
19
Overview of HIPAA Waiver for Telehealth
9
HIPAA Privacy Rule Security Rule Data Breach Rule
More Examples: GLB Act FCRA FTC Act COPPA Telephone Consumer
Protection Act CAN-SPAM Act Others
SAMHSA PART 2 RULE Applicability Consent requirements Limitations on uses and
disclosures More stringent than HIPAA
Overview of HIPAA Waiver for Telehealth
10
March 17, 2020
Effective immediately
No penalties in connection with “good faith” provision of health services during COVID-19 emergency
Even if unrelated to diagnosis and treatment of COVID-19
No BAA required
Technology need not be fully HIPAA compliant
“Good faith”?
Any non-public facing remote communication product
“More stringent” state law?
Opportunities and Risks under the HIPAA Waiver
11
Opportunity Use of non-compliant
technology Non-public facing remote
communications (audio, video, and/or texting applications)
No BAA required Expanded ability to reach
patients
Risk Express limitations of the
HIPAA waiver
States’ mixed approach
Other federal privacy laws
Common law claims and other privacy and security obligations
Opportunities and Risks under the HIPAA Waiver
12
Opportunity
OCR exercising enforcement discretion
Not pursuing penalties for violations of HIPAA privacy, security, and data breach rules
Risk Not “clean” waiver of all
activities during emergency
Using “facts and circumstances test” for “good faith” standard
Other laws
Opportunities and Risks under the HIPAA Waiver
13
Opportunity
Presents many of the opportunities discussed above
E.g., increases options, expands ability to reach patients, and speeds up implementation
Focus here is on the risks
Risk Express limitations of the
HIPAA waiver
Other laws and obligations
Vendor lack of HIPAA/privacy experience
Return or destruction of data
Unclear privacy risks for patients
Strategies for Implementing the Waiver and Beyond
14
Strategies for Federal Flexibilities
HIPAA-compliant technology or most secure option possible
Limit use of non-complaint tools
BAAs and HIPAA-experienced vendors
Disclosure
Consent
Compliance
Strategies for Government Enforcement
Document, document, document
Policies
Compliance
Education
Training
Consider other opportunities and risks discussed later
Telehealth Webcast Series: Upcoming Events
15
TOPIC DATE TIME
Are Patients, Employers and Payors Ready for Telehealth?Register Here
Thursday, May 14th, 2020 12:00 p.m. – 12:30 p.m. ET
Feasibility and Sustainability of a Telehealth Program & Technology in Post COVID-19 WorldRegister Here
Tuesday, May 19th, 2020 12:00 p.m. – 12:30 p.m. ET
Creating an Audit Plan for TelehealthRegister Here Thursday, May 21st, 2020 12:00 p.m. – 12:30 p.m. ET
16
Jones Day presentations should not be considered or construed as legal advice on any individual matter or circumstance. The contents of this document are intended for general information purposes only and may not be quoted or referred to in any other presentation, publication or proceeding without the prior written consent of Jones Day, which may be given or withheld at Jones Day's discretion. The distribution of this presentation or its content is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of Jones Day.
Disclaimer
Thank You