mobcon dh 2015 - ryan johnson - digital health key legal and regulatory considerations
Digital Health
Key Legal and Regulatory Issues
Ryan S. Johnson, Esq.
(612) 492-7160
© 2015 Fredrikson & Byron, P.A.
Today’s Presentation
Digital Health
• Virtual Medicine
– Business Model
– Legal Issues
• mHealth (time permitting)
• Q&A
____________
Background
• Consumer-driven demand for accessible, affordable, quality health care
• Convenience Care
– Retail Clinics
– Virtual Medicine
• Telemedicine
• On-Line Consultations
• mHealth
• Many Common Legal Issues
• Evolving Regulatory Landscape
____________
Virtual Medicine: Business Model
• Online Diagnosis, Treatment, and Prescriptions
– Virtuwell
–Zipnosis
• Telemedicine/Telehealth
____________
What is Telehealth?
• “The use of telecommunications and information
technology to provide access to health diagnosis,
assessment, intervention, consultation, supervision
and information across a distance.” (CMS)
– Includes telephones, fax machines, e-mail systems,
and remote patient monitoring devices used to
collect and transmit patient data for monitoring and
interpretation.
• “Telemedicine” is included within this definition.
What is Telemedicine?
• “The provision of clinical services to patients by
practitioners from a distance via electronic
communications.” (CMS)
– Distant-site practitioner provides services to patient
simultaneously (e.g., teleICU) or non-simultaneously
(e.g., teleradiology).
• “The use of medical information exchanged from
one site to another via electronic communication
to improve patient health.” (Joint Commission)
What is Telemedicine?
• Informal consults between practitioners at
different locations are NOT telemedicine.
– Distant-site practitioner is providing an opinion to
attending practitioner, not providing services
directly to the patient.
– Consider:
• Patient present during consult?
• Distant-site practitioner interacting with patient?
• Which practitioner is ordering the treatment?
Virtual Medicine
Legal and Regulatory Issues
• Licensing and Scope of Practice
• Supervision/Collaboration Requirements
• Prescriptive Authority
• Federal and State Privacy Laws
• Reimbursement
• Corporate Practice of Medicine
• Malpractice Risk
Licensure
• Practitioners must meet licensing requirements in
the state where the patient is located.
• Key issue in any telemedicine arrangement.
• State laws regarding telemedicine vary:
– Some state licensing laws directly address telemedicine
and explicitly define the practice of telemedicine.
– Some state laws indirectly address telemedicine by
defining the practice of medicine to include diagnosing or
recommending treatment through electronic means.
– Some states are silent.
Licensure
• Some states require full licensure of practitioners
providing telehealth services to patients in state.
– “Active” or in-state practice requirements
• Some states have special telemedicine licenses
(e.g., MN, MT).
• State Licensure Exceptions:
– Physician-to-physician consults
– “Infrequent” or “occasional” consultations (e.g.,
fewer than 10 consults per year)
Scope of Practice
• Use of non-physician practitioners increasing
– In telemedicine context, this raises issues
regarding scope of practice, supervision, and
prescriptive authority.
• Other considerations:
– Written collaborative agreement requirements
– Protocols
Physician Supervision
• Levels of Supervision:
– General supervision: Procedure must be
furnished under physician’s direction and
control, but physician’s presence not required.
– Direct supervision: Physician must be present
in office suite and immediately available.
– Personal supervision: Physician must be in
attendance in room during procedure.
Physician Supervision
• Direct supervision/on-site requirements can
significantly impact telemedicine
arrangements.
• Is remote supervision acceptable?
– Non-physician practitioner and patient in same
location, but supervising physician off-site.
• Must review state requirements
– Physician/non-physician practitioner practice ratios
Prescriptive Authority
• Issues surrounding prescribing medication
electronically in connection with telehealth
encounters.
• Permissibility of remote prescribing varies
significantly across states
– State pharmacy statutes and regulations
– Licensing board policy
– Medicaid reimbursement policies
Privacy and Security
• HIPAA’s Applicability
– Covered Entities: plans, providers, clearinghouses
– Business Associates
• Business associate (“BA”) = any person or entity
that creates, receives, maintains, or transmits
PHI on behalf of a CE
– Examples: outside billing company, EHR vendor,
and medical director.
Business Associates
• Mere “conduits” are not BAs
– transport data but do not access PHI “other than on a random or
infrequent basis as necessary to perform the transportation service or as
required by other law.”
– narrow exception
• USPS, ISPs, etc.
• Cloud Computing/Data Storage Companies are
BAs if they create, receive, maintain, or transmit PHI
on behalf of CE
• can be BA even if the entity doesn’t view the information (!):
transient vs. persistent nature of the opportunity.
• document storage companies are BAs, even if they don’t view
the information they hold
Business Associates
• For example, a data storage company that has access to
protected health information (whether digital or hard
copy) qualifies as a business associate, even if the entity
does not view the information or only does so on a
random or infrequent basis. Thus, document storage
companies maintaining protected health information on
behalf of covered entities are considered business
associates, regardless of whether they actually view the
information they hold.
Business Associates
• Subcontractors
– Can’t let subcontractor do something the BA
can’t do
• If BA doesn’t have the right to deidentify, then the
subcontractor doesn’t, either
– Each agreement in the chain must be as
stringent as or more stringent than the agreement
above with respect to permissible uses and
disclosures
© 2013 Fredrikson & Byron, P.A.
Business Associates
• Direct liability for BAs, and person is BA by definition, not
by contract
• “Any Privacy Rule limitation on how a covered entity may
use or disclose protected health information automatically
extends to business associates.”
– Impermissible uses and disclosures
– Failure to notify CE of breach
– Failure to provide access to ePHI (to CE or individual as specified
in BAA)
– Failure to disclose PHI when required for investigation
– Failure to provide accounting
– Failure to comply with Security Rule
Business Associates: Practical tips
• Make sure you have a BAA in place
– If you don’t have one, get one!
• Review what info may be accessed by BA
– minimum necessary!
• Indemnification provision—CEs should
insist on these
Privacy and Security
• Protected Health Information
– Individually identifiable information (written, electronic,
or oral) created or received by a provider;
– Relating to an individual’s health, provision of health
care to an individual, or payment for health care;
– That identifies the individual or provides a reasonable
basis to identify the individual.
Privacy Rule Basics
• HIPAA permits these Uses and
Disclosures:
– Disclosure to the client/personal representative
– Treatment, payment, and health care operations
– Required by law
– Business associates
– As authorized by the client
– Other
Other Permitted Disclosures – HIPAA**
• Disclosure to Family/Friends
• Public Health Activities
– To public health authority
– To report child abuse/neglect
– To FDA
• Law Enforcement Purposes
• Abuse, Neglect, and Domestic Violence
• Workers’ Compensation
• Judicial and Administrative Proceedings
• The Notice of Privacy Practices (“NPP”) provided to clients describes how PHI may be used and disclosed.
Other Permitted Disclosures –
Disclosure to Family and Friends
• Disclosure to family/friend is permitted when the client is present
(and has capacity) and:
– Agrees or has previously agreed to the disclosure; or
– Has had the opportunity to object and does not; or
– It can be reasonably inferred from the circumstances that the person
does not object
• Disclosure to family/friend is permitted when the client is unable to
consent in an emergency:
– The disclosure is related to treating the client and the family/friend’s
involvement in the treatment;
– The client has not prohibited disclosure to such person; and
• Best practice: At the beginning of the service relationship and
periodically thereafter, obtain the client’s consent to release
information to certain family members/friends.
Incidental Disclosures
• Incidental Uses and Disclosures
– Allowed if a byproduct of another permissible
or required use or disclosure
– CE must have “reasonable safeguards” to
protect against impermissible uses and
disclosures
– Must also use “minimum necessary” policies
and procedures
Minimum Necessary
• Use and disclose only the minimum
amount of PHI necessary to accomplish
the purpose of the request, use, or
disclosure
– Internal uses: use/disclosure should be
consistent with job responsibilities.
– E.g., redact names and addresses when
sending charts to external consultant for a
coding review.
Minimum Necessary
• Minimum necessary standard does not
apply to the following:
– Disclosures to or requests by a provider for treatment purpose
– Uses and disclosures by or to a client of his or her own PHI
– Disclosures made under a valid authorization
– Disclosures to public officials when disclosure is required by law
and the official represents that the information requested is the
minimum required for the purpose
Marketing, fundraising or sale of PHI
• Use of PHI to make a subsidized
marketing communication requires an
authorization.
• Sale of PHI requires an authorization.
• Use of limited PHI for fundraising purposes
is okay.
• Take away: Tread carefully!!
Definition of Marketing
• “Marketing” means to make a
communication about a product or service
that encourages recipients of the
communication to purchase or use the
product or service.
Exceptions to Marketing Definition
• Communications for the treatment of an
individual by a health care provider, including
case management or care coordination, or to
direct or recommend alternative treatments,
therapies, health care providers, or settings of
care to the individual,
– UNLESS the CE receives financial remuneration
in exchange for making the communication (more
later).
Subsidized communications = marketing
• If a CE or a BA receives “financial
remuneration” from a third party in
exchange for making a communication
about a product or service, the
communication = marketing.
– Need a valid authorization from the individual.
– “Financial remuneration” does not include in-
kind benefits, or payment for treatment of the
individual.
Exceptions to Marketing Definition
• Refill reminders or other communications
about a drug/biologic currently being
prescribed for the individual (e.g., info re
generic equivalents).
– Any financial remuneration received by the
covered entity for making the communication
must be reasonably related to the cost of
making the communication.
No authorization required
• The following communications are still
considered “marketing,” but HIPAA does
not require an authorization:
– Face-to-face communication by CE to an
individual;
– Promotional gifts of nominal value provided by
the CE.
Practical tips
• If the marketing communication is subsidized,
the authorization must state that remuneration
is involved.
• The authorization may apply to subsidized
communications generally (i.e., it does not
have to be specific to a single product or
service, or the products or services of one
third party) so long as it describes the scope
of the authorization.
De-identification
• Once information has been de-identified, it
is no longer considered PHI
• “De-identified Information” = NOT PHI
– Doesn’t identify an individual AND
– No reasonable basis to identify individual
• Two ways to accomplish de-identification
– Qualified statistical expert OR
– Safe harbor
De-identification – Safe Harbor
• Name
• Geographic subdivisions – including zip code
• Elements of dates (except year)
• Telephone number
• Fax number
• SSN
• Medical record number
• Any other unique identifying characteristic or code
• Health plan beneficiary number
• Account number
• Certificate or license number
• License plate number
• Device identifiers
• URLs
• IP address
• Biometric identifiers including fingerprints and voice prints
• Full face photographic images
Privacy and Security
• HIPAA Security Rule
– Requires implementation of administrative, physical,
and technical safeguards to protect electronic PHI.
– Covered entities and business associates must:
• Ensure the confidentiality, integrity and availability of
ePHI that it creates, receives, maintains or transmits;
• Protect against reasonably anticipated threats or
hazards to the security or integrity of ePHI;
• Protect against impermissible uses or disclosures; and
• Ensure compliance by all workforce members.
Privacy and Security
• Important to consider the following issues:
– Organization size, complexity, and capabilities;
– Organization’s technical infrastructure, hardware, and
software security capabilities;
– Costs of security measures; and
– Probability and criticality of potential risks to ePHI.
• Examples:
– Encryption
– User authentication
– Secure network
Privacy and Security
• Must also consider state laws that apply to
telemedicine arrangements.
• Applicable state laws may be more
stringent than HIPAA.
• Some states have recordkeeping and
privacy laws relating specifically to
telehealth encounters.
Penalties
Basic Penalties for Violations:
– Did not know: $100-$50,000/violation
– Reasonable cause: $1,000-$50,000/violation
– Willful neglect-corrected: $10,000-$50,000/violation
– Willful neglect-not corrected: $50,000/violation
– Maximum of $1,500,000 for violations of same
requirement in same calendar year
– No private right of action, but violations could lead to
actions under state law by State Attorneys General
Prescriptive Authority
• State prescribing requirements that create
biggest hurdles in telemedicine context:
– Face-to-face encounter
– Physical examination
– Existing physician-patient relationship
– Controlled substances
• Efforts to clarify requirements/change law and
accommodate online consultations.
Telemedicine Agreements
Key Considerations:
• Clearly identify all parties involved.
– Are any subcontractors involved?
– What types of practitioners will be involved?
– What types of facilities will be involved?
– In what states will parties and patients be located?
• Will the arrangement involve remote
prescribing?
Telemedicine Agreements
Key Considerations (cont’d):
• Are there any applicable state telemedicine
requirements (e.g., recordkeeping)?
• What written agreements are needed?
• What equipment is needed and who is
providing/maintaining the equipment?
– Consider fraud and abuse laws
• Identify payors and reimbursement issues.
Reimbursement
• Employers and Individuals
• Private/Commercial Payors
• Government Payors
– Medicare
– Medicaid
– Other
States and Private Payors
• Wide range of telemedicine reimbursement
policies among state Medicaid and private
payors.
– 46 states and D.C. offer some form of Medicaid
reimbursement for telemedicine services.
– 9 states pay for store-and-forward technology.
– 14 states pay for remote patient monitoring.
– 19 states and D.C. mandate that private payers
cover telemedicine services.
State Coverage of Telemedicine
Source: National Conference of State Legislatures
Medicare Reimbursement
• Medicare reimbursement for services
delivered via telemedicine or telehealth
covers:
– Remote patient face-to-face services seen via
live video conferencing.
– Non face-to-face services conducted through
live video conferencing or via asynchronous,
store and forward telecommunication services.
Medicare Reimbursement
• Asynchronous (Store and Forward): Transfer of
data from one site to another through use of a
camera or similar device that records (stores) an
image that is sent (forwarded) via
telecommunication to another site.
Remote Face-To-Face Services
• Medicare reimbursement is available only
if certain requirements are met regarding:
– Geographic location of originating site,
– Type of services provided,
– Type of institution delivering the services, and
– Type of health provider.
Remote Face-To-Face Services
• Originating site must be:
– Rural Health Professional Shortage Area
(HPSA);
– County that is not a Metropolitan Statistical
Area (MSA); or
– Approved demonstration project.
• No limitation on location of distant-site health
professional delivering the service.
Remote Face-To-Face Services
• New for 2015: “Rural HPSA” is a HPSA
located in a rural census tract as determined
by Office of Rural Health Policy.
• Based on status of HPSA as of December 31
of prior calendar year.
• CMS website tool:
– http://www.ers.usda.gov/data-products/rural-urban-commuting-area-codes/documentation.aspx#.UcsKfZwzZke
Remote Face-To-Face Services
• Eligible Originating Sites:
– Office of a physician or practitioner
– Hospital
– Critical access hospital
– Rural health clinic
– Federally qualified health center
– Skilled nursing facility
– Hospital-based dialysis center
– Community mental health center
Remote Face-To-Face Services
• Eligible Distant Site Practitioners
– Physician;
– Nurse practitioner;
– Physician assistant;
– Nurse midwife;
– Clinical nurse specialist;
– Clinical psychologist;
– Clinical social worker; and
– Registered dietitian or nutrition professional.
Remote Face-To-Face Services
• Eligible Medical Services
– Consultations, office visits, individual psychotherapy
and pharmacologic management delivered via a
telecommunications system.
– Interactive audio and video telecommunications
system must be used that permits real-time
communication between distant site practitioner and
patient.
– Fee schedule includes list of Medicare telehealth
covered services by CPT or HCPCS code.
Remote Face-To-Face Services
• Eligible Medical Services
– Reimbursement to professional delivering service
via telecommunication is same as current fee
schedule amount.
• Submit CPT code for professional services with GT
modifier (“via interactive audio and video
telecommunications system”).
– Originating site is eligible to receive a facility fee.
• Q3014 (“telehealth originating site facility fee”)
Remote Face-To-Face Services
• CPT codes 99495 and 99496 (Transitional
Care Management Services) recently
added as telehealth-covered services.
• Limit of one telehealth visit every 3 days
for subsequent hospital care services.
• Limit of one telehealth subsequent nursing
facility care service every 30 days.
Remote Non-Face-to-Face Services
• Services delivered via telecommunications
may be covered as physician services.
– “A service may be considered to be a physician’s
service where the physician either examines the
patient in person or is able to visualize some aspect
of the patient’s condition without the interposition of
a third person’s judgment.” Medicare Benefit Policy
Manual, Ch. 15, § 30.
– Direct visualization is possible by means of x-rays,
electrocardiogram, tissue samples, etc.
Corporate Practice of Medicine
• Corporate practice of medicine (“CPM”)
doctrine prohibits corporations from
employing medical professionals or
owning/controlling medical practices.
• Intended to prevent lay persons from exerting
control or influence over physician medical
decision-making.
• CPM prohibition has been widely criticized.
Corporate Practice of Medicine
• Based on state statute, case law, attorney
general opinions, board policies, etc.
• Enforcement of CPM prohibition varies
– Some states are more active (e.g., CA, NY)
• Exceptions vary by state
– Hospitals
– Entities owned solely by licensed
professionals
Corporate Practice of Medicine
• Potential ramifications of CPM violations:
– Refusal to pay claims
– Injunction against continued operation of clinic
– Criminal prosecution for engaging in unauthorized
practice of medicine
– Entire arrangement could be declared void
– Violation of fraud and abuse laws (e.g., False Claims Act)
– Loss of “private practice”, “physician office” and similar
exceptions from state licensing requirements (CON, lab
license, etc.)
Corporate Practice of Medicine
• Potential solutions to CPM problem:
– If state CPM prohibition applies to telemedicine
arrangement, management company model
may be an option.
– Professional corporation is responsible for
clinical functions.
– Management company is responsible for non-
clinical functions under management services
agreement.
[Diagram labels: Management Company (“MC”); Professional Corporation (“PC”); MD, NP or PA Owner(s); Administrative Services; Management Fee]
Corporate Practice of Medicine
• Management Services Agreement:
– Long-term
– Restrictions on termination
– Restrictive covenant
– Management fee
– Management company handles all non-clinical
matters
Corporate Practice of Medicine
• Risks with management company model:
– Owners may seek to void the management
services agreements
– May be viewed as a sham
– Licensing board issues
Fee-Splitting
• Many States Prohibit Fee-Splitting
– Perceived danger of allowing professionals
and non-professionals to share in income
from professional services:
• Temptation to maximize profit through
medically unnecessary services.
• Temptation to limit medically necessary
services to maximize income.
Federal Anti-Kickback Statute
• Prohibits offering, paying, soliciting or
receiving any remuneration in return for
– business for which payment may be made under
a federal health care program; or
– inducing purchases, leases, orders or arranging
for any good or service or item paid for by a
federal health care program.
• Remuneration includes kickbacks, bribes and
rebates, cash or in kind, direct or indirect.
Federal Anti-Kickback Statute
• Potential penalties for violations of anti-
kickback statute:
– Criminal and civil penalties
– Imprisonment
– Civil Monetary Penalties
– False Claims Act exposure
Federal Anti-Kickback Statute
• Telemedicine relationships requiring anti-
kickback analysis:
– Relationships with supervising/collaborating
physicians
– Relationships with other entities
(management company, telemedicine
entity, etc.)
Federal Anti-Kickback Statute
• No issue if federal health care program
reimbursement is not involved.
– BUT remember to consider state anti-
kickback prohibitions.
• Safe harbor protection
• Advisory opinions
Establishing Patient/Physician Relationship
• Face-to-face requirements
• Use of disclaimers and consents
Malpractice Risks
• Telemedicine/Online Consultations
– What is the standard of care?
– One example: Hageseth v. The Superior Court
of San Mateo County, 59 Cal. Rptr.3d 385
(Cal. Ct. App. 2007).
• Must consider malpractice coverage
Risk Management
• Peer Review
– Robust physician supervision/chart review
• Monitor developments in clinical practice
guidelines
– Use evidence-based treatment guidelines
• Check with insurance carrier
• Limit scope of practice/services offered online
• Address continuity of care
Recent Telemedicine Guidelines
• Federation of State Medical Boards (FSMB)
recently adopted new model policy on use of
telemedicine.
• AMA also released new guidelines regarding
telemedicine services in June, 2015.
– Unlike FSMB policy, AMA guidelines do not
address standards for prescribing, patient
informed consent, or financial conflicts of interest.
FSMB Model Policy
• Defines “telemedicine”
– “The practice of medicine using electronic
communications, information technology or
other means between a licensee in one
location, and patient in another location with or
without an intervening health care provider.”
• Outlines “direct-to-consumer” approach
FSMB Model Policy
• Identifies requirements for establishing a
physician-patient relationship.
• Emphasizes need for continuity of care
and referral for emergency services.
AMA Recommendations
• Divides telemedicine into three categories:
– Real-time interaction through an online portal;
– Remote monitoring through devices; and
– Store-and-forward practices.
• Recommends telemedicine services be covered and
paid for if certain conditions are met (physician-patient
relationship, state licensure, compliance with evidence-
based guidelines, patient history, care coordination,
emergency referral protocol, transparency, etc.)
Questions?