Regulatory Developments: COVID19 Disruption

megaphone-1381104_640The declaration of COVID19 as a pandemic and the United States declaring a national emergency to help contain and enhance treatment access have resulted in a number of changes to ease potential regulatory burdens or barriers in healthcare. Like so much happening as a result of the pandemic, the changes have the potential to fundamentally change the healthcare industry not just during the time of the emergency declaration.

Of particular note are coordinated announcements from various agencies within the federal Department of Health and Human Services connected to the provision of telehealth services. The advancement and relaxation of regulations are designed to increase access to telehealth services and make it easier to deliver the services.

The scope of telehealth services now available, as explained by the Centers for Medicare and Medicaid Services (CMS), can be broken into three main categories: (i) telehealth visits, (ii) virtual check-ins, and (iii) e-visits.

  • Telehealth Visits – For purposes of Medicare, a telehealth visit is between a patient and a clinician that uses interactive audio and video. The visits generally cover visits that could otherwise occur in person. As such, the telehealth visit is being structured as a replacement for an office visit for the time being. The telecommunication platform must provide real-time communication between the patient and the clinician. CMS will also turn a blind eye to the established patient requirement, which essentially means a telehealth visit can occur with both new and established patients. Additionally, a patient will be permitted to receive telehealth services while in their home, which reinforces the goal of maintaining social distancing.
  • Virtual Check-Ins – A virtual check-in is meant to be a brief discussion between a clinician and a patient, which can be audio-only. Further, CMS expects that in most instances the patient will be the one to initiate a check-in. The check-in cannot be related to an office visit from the previous 7 days or lead to a full visit within 24 hours after the check-in. Additionally, the patient must verbally agree to the check-in. Lastly, a check-in is only billable for an established patient, which follows from the description of the service as being focused on a quick interaction between a patient and their clinician.
  • E-Visit – An e-visit is similar to a virtual check-in, but must be patient-initiated and is expected to occur through the patient portal. Further, the service can cover up to a 7 day period between the communication initiated by the patient and interactions with the clinician. Before being able to bill for the e-visit, the patient must be established with the clinician and made aware of the fact that reimbursement will be sought for the services.

On top of opening up the scope and ability to provide telehealth based visits, a bigger change is to reimburse the telehealth visits at the same level as in-person visits. Arguably, one of the primary barriers to telehealth adoption up until this point has been a lack of or lower reimbursement. The incentivization of patient interactions through telehealth means not only with healthcare organizations potentially be able to somewhat mitigate the financial fallout from telling patients to remain home, but gives a good alternative that could stabilize access. Stabilizing access is important since reducing non-emergent issues cannot be put off indefinitely.

Along with trying to provide some financial relief to healthcare organizations enabling telehealth, the Office for the Inspector General (OIG) issued a policy statement acknowledging that patients may also be facing financial constraints. In particular, patients may not be able to afford all cost-sharing amounts. Accordingly, the OIG stated it will not pursue fraud-based enforcement actions if cost-sharing amounts are waived or reduced during the emergency period. Such a statement is necessary because widely waiving or reducing cost-sharing can be viewed as an inducement to patients that in turn encourages the patients to obtain services from that clinician, which in turn allows for more billing to government healthcare programs. It is a bit convoluted, but the bottom line is that such a chain of events is not generally permissible and is set out as a form of fraud. While the OIG does explicitly, and not unsurprisingly, reserve the right to change this policy statement at any time, a reversal would not be expected in light of the clearly extraordinary circumstances that currently exist.

The last major action to open up access on the telehealth front is a notification from the Office for Civil Rights (OCR) that it will not enforce HIPAA violations for the good faith provision of telehealth services during the course of the emergency. Good faith effort means still using a non-public service, but that can include general use applications, with FaceTime, Google Hangouts, Facebook messenger and Skype specifically called out. The implication is that none of these services would have been viewed as acceptable under HIPAA in normal times by OCR, which could end up being useful guidance once the emergency ends. The statement that services need to be non-public is contrasted with examples of public-facing services, which are identified to include Facebook Live, Twitch, and TikTok.

At the same time that OCR gives tacit permission to use general services, the last section of its announcement is to implicitly suggest that it would still prefer the use of services that do meet HIPAA standards. An exemplary list is provided of services that satisfy HIPAA requirements and ensure greater privacy. Some solutions have expressed a willingness to provide free access for at least some period of time during the emergency, which can mitigate concerns about cost. Given those factors, it seems a safer course for all would be to seek the use of a fully private and secure service.

A question left unasked and unanswered in the statement is what happens when the emergency ends. Once the privacy cat is let out of the bag, it cannot be put back in. That means patient data hosted or stored in a non-HIPAA compliant platform could end up being used for a number of unexpected or non-desirable purposes. Understanding that it is important essential to ensure a comprehensive ability to provide needed services to patients during this emergency, awareness of longer-term consequences cannot be completely ignored. Especially when immediacy does not need to be sacrificed to those considerations.

One final consideration that is left wholly unaddressed by the changes: what about malpractice protection? Not all professional liability policies will automatically cover services provided by telehealth. Physicians, clinicians, and organizations will need to assess coverage unless some sort of liability waiver is also introduced. As always, healthcare has multiple layers of complications and considerations.

The extraordinary nature of these times is completely unavoidable and cannot be stated often enough. The potential threat to the health of everyone is very real, but doors are being thrown wide open to help mitigate those dangers. Once the current emergency passes, it can only be hoped that the system has been transformed in better ways permanently.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.
This entry was posted in Anti-kickback Statute, Business, CMS, Compliance, Health IT, Healthcare, HIPAA, Regulations and tagged , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s