mobcon dh 2015 - ryan johnson - digital health key legal and regulatory considerations

Digital HealthKey Legal and Regulatory Issues

Ryan S. Johnson, Esq.

[email protected]

(612) 492-7160

© 2015 Fredrikson & Byron, P.A.

mailto:[email protected]

Today’s Presentation

Digital Health• Virtual Medicine

– Business Model

– Legal Issues

• mHealth (time permitting)

• Q&A

____________

Background

• Consumer-driven demand for accessible, affordable, quality health care

• Convenience Care– Retail Clinics

– Virtual Medicine• Telemedicine

• On-Line Consultations

• mHealth• Many Common Legal Issues

• Evolving Regulatory Landscape

____________

Virtual Medicine: Business Model

• Online Diagnosis, Treatment, and Prescriptions–Virtuwell

–Zipnosis

• Telemedicine/Telehealth

____________

What is Telehealth?

• “The use of telecommunications and information

technology to provide access to health diagnosis,

assessment, intervention, consultation, supervision

and information across a distance.” (CMS)

– Includes telephones, fax machines, e-mail systems,

and remote patient monitoring devices used to

collect and transmit patient data for monitoring and

interpretation.

• “Telemedicine” is included within this definition.


What is Telemedicine?

• “The provision of clinical services to patients by

practitioners from a distance via electronic

communications.” (CMS)

– Distant-site practitioner provides services to patient

simultaneously (e.g., teleICU) or non-simultaneously

(e.g., teleradiology).

• “The use of medical information exchanged from

one site to another via electronic communication

to improve patient health.” (Joint Commission)


What is Telemedicine?

• Informal consults between practitioners at

different locations are NOT telemedicine.

– Distant-site practitioner is providing an opinion to

attending practitioner, not providing services

directly to the patient.

– Consider:

• Patient present during consult?

• Distant-site practitioner interacting with patient?

• Which practitioner is ordering the treatment?


Virtual Medicine

Legal and Regulatory Issues

• Licensing and Scope of Practice

• Supervision/Collaboration Requirements

• Prescriptive Authority

• Federal and State Privacy Laws

• Reimbursement

• Corporate Practice of Medicine

• Malpractice Risk


Licensure

• Practitioners must meet licensing requirements in

the state where the patient is located.

• Key issue in any telemedicine arrangement.

• State laws regarding telemedicine vary:

– Some state licensing laws directly address telemedicine

and explicitly define the practice of telemedicine.

– Some states laws indirectly address telemedicine by

defining the practice of medicine to include diagnosing or

recommending treatment through electronic means.

– Some states are silent.


Licensure

• Some states require full licensure of practitioners

providing telehealth services to patients in state.

– “Active” or in-state practice requirements

• Some states have special telemedicine licenses

(e.g., MN, MT).

• State Licensure Exceptions:

– Physician-to-physician consults

– “Infrequent” or “occasional” consultations (e.g.,

fewer than 10 consults per year)


Scope of Practice

• Use of non-physician practitioners increasing

– In telemedicine context, this raises issues

regarding scope of practice, supervision, and

prescriptive authority.

• Other considerations:

– Written collaborative agreement requirements

– Protocols


Physician Supervision

• Levels of Supervision:

– General supervision: Procedure must be

furnished under physician’s direction and

control, but physician’s presence not required.

– Direct supervision: Physician must be present

in office suite and immediately available.

– Personal supervision: Physician must be in

attendance in room during procedure.


Physician Supervision

• Direct supervision/on-site requirements can

significantly impact telemedicine

arrangements.

• Is remote supervision acceptable?

– Non-physician practitioner and patient in same

location, but supervising physician off-site.

• Must review state requirements

– Physician/non-physician practitioner practice ratios


Prescriptive Authority

• Issues surrounding prescribing medication

electronically in connection with telehealth

encounters.

• Permissibility of remote prescribing varies

significantly across states

– State pharmacy statutes and regulations

– Licensing board policy

– Medicaid reimbursement policies


Privacy and Security

• HIPAA’s Applicability

– Covered Entities: plans, providers, clearinghouses

– Business Associates

• Business associate (“BA”) = any person or entity

that creates, receives, maintains, or transmits

PHI on behalf of a CE

– Examples: outside billing company, EHR vendor,

and medical director.


Business Associates

• Mere “conduits” are not BAs– transport data but do not access PHI “other than on a random or

infrequent basis as necessary to perform the transportation service or as

required by other law.”

– narrow exception

• USPS, ISPs, etc.

• Cloud Computing /Data Storage Companies are

BAAs if create, receive, maintain, or transmit PHI

on behalf of CE• can be BA even if the entity doesn’t view the information (!):

transient vs. persistent nature of the opportunity.

• document storage companies are BAs, even if they don’t view

the information they hold© 2015 Fredrikson & Byron, P.A.

Business Associates

• For example, a data storage company that has access to

protected health information (whether digital or hard

copy) qualifies as a business associate, even if the entity

does not view the information or only does so on a

random or infrequent basis. Thus, document storage

companies maintaining protected health information on

behalf of covered entities are considered business

associates, regardless of whether they actually view the

information they hold.


Business Associates

• Subcontractors

– Can’t let subcontractor do something the BA

can’t do

• If BA doesn’t have the right to deidentify, then the

subcontractor doesn’t, either

– Each agreement in the chain must be as

stringent or more stringent as the agreement

above with respect to permissible uses and

disclosures


Business Associates• Direct liability for BAs, and person is BA by definition, not

by contract

• “Any Privacy Rule limitation on how a covered entity may

use or disclose protected health information automatically

extends to business associates.”

– Impermissible uses and disclosures

– Failure to notify CE of breach

– Failure to provide access to ePHI (to CE or individual as specified

in BAA)

– Failure to disclose PHI when required for investigation

– Failure to provide accounting

– Failure to comply with Security Rule


Business Associates: Practical

tips• Make sure you have a BAA in place

– If you don’t have one, get one!

• Review what info may be accessed by BA

– minimum necessary!

• Indemnification provision—CEs should

insist on these



• Protected Health Information

– Individually identifiable information (written, electronic,

or oral) created or received by a provider;

– Relating to an individual’s health, provision of health

care to an individual, or payment for health care;

– That identifies the individual or provides a reasonable

basis to identify the individual.


Privacy Rule Basics

• HIPAA permits these Uses and

Disclosures:

– Disclosure to the client/personal representative

– Treatment, payment, and health care operations

– Required by law

– Business associates

– As authorized by the client

– Other


Other Permitted Disclosures – HIPAA**

• Disclosure to Family/Friends

• Public Health Activities – To public health authority

– To report child abuse/neglect

– To FDA

• Law Enforcement Purposes

• Abuse, Neglect, and Domestic Violence

• Workers’ Compensation

• Judicial and Administrative Proceedings

• The Notice of Privacy Practices (“NPP”) provided to clients describes how PHI may be used and disclosed.

Other Permitted Disclosures –

Disclosure to Family and Friends

• Disclosure to family/friend is permitted when the client is present

(and has capacity) and:

– Agrees or has previously agreed to the disclosure; or

– Has had the opportunity to object and does not; or

– It can be reasonably inferred from the circumstances that the person

does not object

• Disclosure to family/friend is permitted when the client is unable to

consent in an emergency:

– The disclosure is related to treating the client and the family/friend’s

involvement in the treatment;

– The client has not prohibited disclosure to such person; and

• Best practice: At the beginning of the service relationship and

periodically thereafter, obtain the client’s consent to release

information to certain family members/friends.

Incidental Disclosures

• Incidental Uses and Disclosures

– Allowed if a byproduct of another permissible

or required use or disclosure

– CE must have “reasonable safeguards” to

protect against impermissible uses and

disclosures

– Must also use “minimum necessary” policies

and procedures

Minimum Necessary

• Use and disclose only the minimum

amount of PHI necessary to accomplish

the purpose of the request, use, or

disclosure

– Internal uses: use/disclosure should be

consistent with job responsibilities.

– E.g., redact names and addresses when

sending charts to external consultant for a

coding review.

Minimum Necessary

• Minimum necessary standard does not

apply to the following:– Disclosures to or requests by a provider for treatment purpose

– Uses and disclosures by or to a client of his or her own PHI

– Disclosures made under a valid authorization

– Disclosures to public officials when disclosure is required by law

and the official represents that the information requested is the

minimum required for the purpose

Marketing, fundraising or sale of PHI

• Use of PHI to make a subsidized

marketing communication requires an

authorization.

• Sale of PHI requires an authorization.

• Use of limited PHI for fundraising purposes

is okay.

• Take away: Tread carefully!!


Definition of Marketing

• “Marketing” means to make a

communication about a product or service

that encourages recipients of the

communication to purchase or use the

product or service.


Exceptions to Marketing

Definition• Communications for the treatment of an

individual by a health care provider, including

case management or care coordination, or to

direct or recommend alternative treatments,

therapies, health care providers, or settings of

care to the individual,

– UNLESS the CE receives financial remuneration

in exchange for making the communication (more

later).


Subsidized communications

= marketing• If a CE or a BA receives “financial

remuneration” from a third party in

exchange for making a communication

about a product or service, the

communication = marketing.

– Need a valid authorization from the individual.

– “Financial remuneration” does not include in-

kind benefits, or payment for treatment of the

individual.


Exceptions to Marketing

Definition• Refill reminders or other communications

about a drug/biologic currently being

prescribed for the individual (e.g., info re

generic equivalents).

– Any financial remuneration received by the

covered entity for making the communication

must be reasonably related to the cost of

making the communication.


No authorization required

• The following communications are still

considered “marketing,” but HIPAA does

not require an authorization:

– Face-to-face communication by CE to an

individual;

– Promotional gifts of nominal value provided by

the CE.


Practical tips

• If the marketing communication is subsidized,

the authorization must state that remuneration

is involved.

• The authorization may apply to subsidized

communications generally (i.e., it does not

have to be specific to a single product or

service, or the products or services of one

third party) so long as it describes the scope

of the authorization.


De-identification

• Once information has been de-identified, it

is no longer considered PHI

• “De-identified Information” = NOT PHI

– Doesn’t identify an individual AND

– No reasonable basis to identify individual

• Two ways to accomplish de-identification

– Qualified statistical expert OR

– Safe harbor

De-identification – Safe Harbor

• Name

• Geographic subdivisions –including zip code

• Elements of dates (except year)

• Telephone number

• Fax number

• E-mail

• SSN

• Medical record number

• Any other unique identifying characteristic or code

• Health plan beneficiary number

• Account number

• Certificate or license number

• License plate number

• Device identifiers

• URLs

• IP address

• Biometric identifiers including fingerprints and voice prints

• Full face photographic images


• HIPAA Security Rule

– Requires implementation of administrative, physical,

and technical safeguards to protect electronic PHI.

– Covered entities and business associates must:

• Ensure the confidentiality, integrity and availability of

ePHI that it creates, receives, maintains or transmits;

• Protect against reasonably anticipated threats or

hazards to the security or integrity of ePHI;

• Protect against impermissible uses or disclosures; and

• Ensure compliance by all workforce members.



• Important to consider the following issues:

– Organization size, complexity, and capabilities;

– Organization’s technical infrastructure, hardware, and

software security capabilities;

– Costs of security measures; and

– Probability and criticality of potential risks to ePHI.

• Examples:

– Encryption

– User authentication

– Secure network



• Must also consider state laws that apply to

telemedicine arrangements.

• Applicable state laws may be more

stringent than HIPAA.

• Some states have recordkeeping and

privacy laws relating specifically to

telehealth encounters.


Penalties

Basic Penalties for Violations:– Did not know: $100-$50,000 violation

– -Reasonable cause: $1,000-$50,000/violation

– Willful neglect-corrected: $10,000-$50,000/violation

– Willful neglect-not corrected- $50,000/violation

– Maximum of $1,500,000 for violations of same

requirement in same calendar year

– No private right of action, but violations could lead to

actions under state law by State Attorneys General


Prescriptive Authority

• State prescribing requirements that create

biggest hurdles in telemedicine context:

– Face-to-face encounter

– Physical examination

– Existing physician-patient relationship

– Controlled substances

• Efforts to clarify requirements/change law and

accommodate online consultations.


Telemedicine Agreements

Key Considerations:

• Clearly identify all parties involved.

– Are any subcontractors involved?

– What types of practitioners will be involved?

– What types of facilities will be involved?

– In what states will parties and patients be located?

• Will the arrangement involve remote

prescribing?


Telemedicine Agreements

Key Considerations (cont’d):

• Are there any applicable state telemedicine

requirements (e.g., recordkeeping)?

• What written agreements are needed?

• What equipment is needed and who is

providing/maintaining the equipment?

– Consider fraud and abuse laws

• Identify payors and reimbursement issues.


Reimbursement

• Employers and Individuals

• Private/Commercial Payors

• Government Payors

– Medicare

– Medicaid

– Other


States and Private Payors

• Wide range of telemedicine reimbursement

policies among state Medicaid and private

payors.

– 46 states and D.C. offer some form of Medicaid

reimbursement for telemedicine services.

– 9 states pay for store-and-forward technology.

– 14 states pay for remote patient monitoring.

– 19 states and D.C. mandate that private payers

cover telemedicine services.


State Coverage of Telemedicine


Source: National Conference of State Legislatures

Medicare Reimbursement

• Medicare reimbursement for services

delivered via telemedicine or telehealth

covers:

– Remote patient face-to-face services seen via

live video conferencing.

– Non face-to-face services conducted through

live video conferencing or via asynchronous,

store and forward telecommunication services.


Medicare Reimbursement

• Asynchronous (Store and Forward): Transfer of

data from one site to another through use of a

camera or similar device that records (stores) an

image that is sent (forwarded) via

telecommunication to another site.


Remote Face-To-Face Services

• Medicare reimbursement is available only

if certain requirements are met regarding:

– Geographic location of originating site,

– Type of services provided,

– Type of institution delivering the services, and

– Type of health provider.



• Originating site must be:

– Rural Health Professional Shortage Area

(HPSA);

– County that is not a Metropolitan Statistical

Area (MSA); or

– Approved demonstration project.

• No limitation on location of distant-site health

professional delivering the service.



• New for 2015: “Rural HPSA” is a HPSA

located in a rural census tract as determined

by Office of Rural Health Policy.

• Based on status of HPSA as of December 31

of prior calendar year.

• CMS website tool:

– http://www.ers.usda.gov/data-products/rural-urban-

commuting-area-

codes/documentation.aspx#.UcsKfZwzZke


http://www.ers.usda.gov/data-products/rural-urban-commuting-area-codes/documentation.aspx


• Eligible Originating Sites:

– Office of a physician or practitioner

– Hospital

– Critical access hospital

– Rural health clinic

– Federally qualified health center

– Skilled nursing facility

– Hospital-based dialysis center

– Community mental health center



• Eligible Distant Site Practitioners

– Physician;

– Nurse practitioner;

– Physician assistant;

– Nurse midwife;

– Clinical nurse specialist;

– Clinical psychologist,

– Clinical social worker; and

– Registered dietitian or nutrition professional.



• Eligible Medical Services

– Consultations, office visits, individual psychotherapy

and pharmacologic management delivered via a

telecommunications system.

– Interactive audio and video telecommunications

system must be used that permits real-time

communication between distant site practitioner and

patient.

– Fee schedule includes list of Medicare telehealth

covered services by CPT or HCPCS code.



• Eligible Medical Services

– Reimbursement to professional delivering service

via telecommunication is same as current fee

schedule amount.

• Submit CPT code for professional services with GT

modifier (“via interactive audio and video

telecommunications system”).

– Originating site is eligible to receive a facility fee.

• Q3014 (“telehealth originating site facility fee”)



• CPT codes 99495 and 99496 (Transitional

Care Management Services) recently

added as telehealth-covered services.

• Limit of one telehealth visit every 3 days

for subsequent hospital care services.

• Limit of one telehealth subsequent nursing

facility care service every 30 days.


Remote Non-Face-to-Face Services

• Services delivered via telecommunications

may be covered as physician services.

– “A service may be considered to be a physician’s

service where the physician either examines the

patient in person or is able to visualize some aspect

of the patient’s condition without the interposition of

a third person’s judgment.” Medicare Benefit Policy

Manual, Ch. 15, § 30.

– Direct visualization is possible by means of x-rays,

electrocardiogram, tissue samples, etc.


Corporate Practice of Medicine

• Corporate practice of medicine (“CPM”)

doctrine prohibits corporations from

employing medical professionals or

owning/controlling medical practices.

• Intended to prevent lay persons from exerting

control or influence over physician medical

decision-making.

• CPM prohibition has been widely criticized.



• Based on state statute, case law, attorney

general opinions, board policies, etc.

• Enforcement of CPM prohibition varies

– Some states are more active (e.g., CA, NY)

• Exceptions vary by state

– Hospitals

– Entities owned solely by licensed

professionals



• Potential ramifications of CPM violations:– Refusal to pay claims

– Injunction against continued operation of clinic

– Criminal prosecution for engaging in unauthorized

practice of medicine

– Entire arrangement could be declared void

– Violation of fraud and abuse laws (e.g., False Claims Act)

– Loss of “private practice”, “physician office” and similar

exceptions from state licensing requirements (CON, lab

license, etc.)



• Potential solutions to CPM problem:– If state CPM prohibition applies to telemedicine

arrangement, management company model

may be an option.

– Professional corporation is responsible for

clinical functions.

– Management company is responsible for non-

clinical functions under management services

agreement.


Management

Company

“MC”

Professional

Corporation

“PC”

MD, NP or PA Owner(s)

Administrative Services

Management Fee



• Management Services Agreement:

– Long-term

– Restrictions on termination

– Restrictive covenant

– Management fee

– Management company handles all non-clinical

matters



• Risks with management company model:

– Owners may seek to void the management

services agreements

– May be viewed as a sham

– Licensing board issues


Fee-Splitting

• Many States Prohibit Fee-Splitting

– Perceived danger of allowing professionals

and non-professionals to share in income

from professional services:

• Temptation to maximize profit through

medically unnecessary services.

• Temptation to limit medically necessary

services to maximize income.


Federal Anti-Kickback Statute

• Prohibits offering, paying, soliciting or

receiving any remuneration in return for

– business for which payment may be made under

a federal health care program; or

– inducing purchases, leases, orders or arranging

for any good or service or item paid for by a

federal health care program.

• Remuneration includes kickbacks, bribes and

rebates, cash or in kind, direct or indirect.



• Potential penalties for violations of anti-

kickback statute:

– Criminal and civil penalties

– Imprisonment

– Civil Monetary Penalties

– False Claims Act exposure



• Telemedicine relationships requiring anti-

kickback analysis:

– Relationships with supervising/collaborating

physicians

– Relationships with other entities

(management company, telemedicine

entity, etc.)



• No issue if federal health care program

reimbursement is not involved.

– BUT remember to consider state anti-

kickback prohibitions.

• Safe harbor protection

• Advisory opinions


Establishing Patient/Physician

Relationship• Face-to-face requirements

• Use of disclaimers and consents


Malpractice Risks

• Telemedicine/Online Consultations

– What is the standard of care?

– One example: Hageseth v. The Superior Court

of San Mateo County, 59 Cal. Rptr.3d 385

(Cal. Ct. App. 2007).

• Must consider malpractice coverage


Risk Management

• Peer Review

– Robust physician supervision/chart review

• Monitor developments in clinical practice

guidelines

– Use evidence-based treatment guidelines

• Check with insurance carrier

• Limit scope of practice/services offered online

• Address continuity of care


Recent Telemedicine Guidelines

• Federation of State Medical Board (FSMB)

recently adopted new model policy on use of

telemedicine.

• AMA also released new guidelines regarding

telemedicine services in June, 2015.

– Unlike FSMB policy, AMA guidelines do not

address standards for prescribing, patient

informed consent, or financial conflicts of interest.


FSMB Model Policy

• Defines “telemedicine”

– “The practice of medicine using electronic

communications, information technology or

other means between a licensee in one

location, and patient in another location with or

without an intervening health care provider.”

• Outlines “direct-to-consumer” approach


FSMB Model Policy

• Identifies requirements for establishing a

physician-patient relationship.

• Emphasizes need for continuity of care

and referral for emergency services.


AMA Recommendations

• Divides telemedicine into three categories:

– Real-time interaction through an online portal;

– Remote monitoring through devices; and

– Store-and-forward practices.

• Recommends telemedicine services be covered and

paid for if certain conditions are met (physician-patient

relationship, state licensure, compliance with evidence-

based guidelines, patient history, care coordination,

emergency referral protocol, transparency, etc,.)


Questions?


mobcon dh 2015 - ryan johnson - digital health key legal and regulatory considerations

Healthcare

care acos

costneed technology

medical information

increased demand

increased emphasis

increased collaboration

consumers transparency

average oecd