Congress Continues to Focus on Integrating Telehealth Solutions into Healthcare Delivery

On December 6, 2016, the House passed the Expanding Capacity for Health Outcomes Act (S. 2873) (the ECHO Act), which was unanimously passed by the Senate on November 29, 2016. The ECHO Act seeks to expand the use of health care technology and programming to connect underserved communities and populations with critical health care services.

The ECHO Act builds upon the University of New Mexico’s world-renowned Project ECHO by encouraging the broader development and use of technology-enabled collaborative learning and care delivery models by connecting specialists with multiple other health care professionals through simultaneous interactive videoconferencing for the purpose of facilitating case-based learning, disseminating best practices, and evaluating outcomes.

The ECHO Act requires the Secretary of the Department of Health and Human Services (HHS) to study technology-enabled collaborative learning and capacity building models, and the impact of those models on (1) certain health conditions (i.e., mental health and substance use disorders, chronic diseases, prenatal and maternal health, pediatric care, pain management, and palliative care), (2) health care workforce issues (e.g., specialty care shortages) and (3) public health programs.

Within two years of the enactment of the ECHO Act, the Secretary of HHS must submit a publicly available report to Congress that:

  1. Analyzes the impact of technology-enabled collaborative learning and capacity building models, including, but not limited to, the impact on health care provider retention, quality of care, access to care and barriers faced by healthcare providers;
  2. Lists the technology-enabled collaborative learning and capacity building models funded by HHS over the past five years;
  3. Describes best practices used in adopting these models;
  4. Describes barriers to adoption of these models and recommends ways to reduce those barriers and opportunities to increase use of these models; and
  5. Issues recommendations regarding the role of technology-enabled collaborative learning and capacity building models in continuing medical education and lifelong learning, including the role of academic medical centers, provider organizations and community providers in such education and lifelong learning.

The recommendations made in HHS’s report may be used to integrate the Project ECHO model into health systems across the country.

Bipartisan Legislation Proposes Telehealth Solutions for Effective Chronic Disease Management

Collaborative efforts between congressional offices and various health care stakeholders, as well as the feedback provided in response to the Bipartisan CHRONIC Care Working Group Policy Options Document released in December of 2015, have driven the Senate Finance Committee to introduce a draft of bipartisan legislation known as the CHRONIC Care Act, which seeks to modernize Medicare payment policies to improve the management and treatment of chronic diseases using telehealth.

OCR Guidance Underscores Importance of Authentication under HIPAA

In its tenth OCR Cyber Awareness Newsletter of the year (Newsletter), the Office for Civil Rights (OCR) reminded HIPAA-covered entities and business associates of the importance of selecting an appropriate authentication method to protect electronic protected health information (ePHI). Authentication is the process used to “verify whether someone or something is who or what it purports to be and keeps unauthorized people or programs from gaining access to information.” The Newsletter notes that the health care sector has been a significant target of cybercrime and that some incidents result from weak authentication methods.

Authentication methods can consist of one or more factors and are often described as: (1) something you know, such as a password; (2) something you are, such as a fingerprint; or (3) something you have, such as a mobile device or smart card. Single-factor authentication requires use of only one of the methods. Multifactor authentication requires use of two or more methods (for example, a password prompt followed by an additional prompt to a mobile device).

ECJ Confirms Dynamic IP Address May Constitute Personal Data But Can Be Logged to Combat Cyberattacks

On 19 October 2016, the European Court of Justice (ECJ) held (Case C-582/14 – Breyer v Federal Republic of Germany) that dynamic IP addresses may constitute personal data. The ECJ also held that a website operator may collect and process IP addresses for the purpose of protecting itself against cyberattacks, because in the view of the Court, preventing cyberattacks may be a legitimate interest of a website operator in its effort to continue the operability of its website.

The ECJ’s ruling was based on two questions referred to it by the German Federal Court of Justice (BGH). In the underlying German proceedings, a member of the German Pirate Party challenged the German Federal Government’s logging and subsequent use of his dynamic Internet Protocol (IP) address when visiting their websites. While the government is a public authority, the case was argued on the basis of German provisions that address both public and private website operators, and is therefore directly relevant for commercial companies.

Commercial Insurers Urge Congressional Budget Office to Consider their Telemedicine Data

In hopes of expanding reimbursement opportunities for telemedicine services in the Medicare program, representatives of eleven payers, including Aetna, Anthem, Blue Cross Blue Shield of Tennessee, Cambia Health Solutions and Humana, asked CBO director Keith Hall in a public letter to consider their data when evaluating the impact of Medicare coverage of telemedicine services.

Medicare reimbursement for telemedicine is currently limited to a very narrow set of circumstances. Section 1834(m) of the Social Security Act provides that telehealth services are covered only if the Medicare patient is seen: (a) at an approved “originating site” (e.g., physician offices, hospitals, skilled nursing facilities) that is located within a rural Health Professional Shortage Area (HPSA) that is either outside of a Metropolitan Statistical Area (MSA) or in a rural census tract, or a county outside of a MSA; (b) by an approved provider (e.g., physicians, nurse practitioners, clinical psychologists); (c) for a defined set of services, including consultations, office visits, pharmacological management, and individual and group diabetes self-management training services; and (d) using certain telecommunications technologies.

There are bipartisan efforts currently underway to expand Medicare reimbursement for telemedicine services by easing or eliminating some of these requirements. One example is the CONNECT for Health Act. Because coverage of telemedicine services in Medicare’s fee-for-service program is limited, there is limited Medicare data available for the CBO to consider when reviewing the potential financial impact of such legislation. In light of this lack of data, the insurers advise that the CBO should consider the effects of telemedicine’s expansion in the commercial market. The insurers’ letter to the CBO also points out that new alternative, quality-based payment models rely upon telemedicine as a means of meeting certain performance measures, and other government agencies, such as the US Department of Defense and the Veterans Administration, are using telemedicine services to provide better quality care.

Earlier this year, the CBO and MedPAC received a letter from over 20 different health care providers similarly urging it to consider alternative data sources, such as data from the commercial sector, when analyzing the costs and benefits associated with the use of telemedicine in the Medicare program.

OCR Explains How Information Blocking Violates HIPAA

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently posted guidance (OCR guidance) clarifying that a business associate such as an information technology vendor generally may not block or terminate access by a covered entity customer to protected health information (PHI) maintained by the vendor on behalf of the customer. Such “information blocking” could occur, for example, during a contract dispute in which a vendor terminates customer access or activates a “kill switch” that renders an information system containing PHI inaccessible to the customer. Many information vendors have historically taken such an approach to commercial disputes.

FTC Weighs In on Telehealth, Comments on Delaware’s Occupational Therapy Practice Rule

On August 3, 2016, the Federal Trade Commission (FTC) staff submitted public comments regarding the Delaware Board of Occupational Therapy Practice’s proposed regulation for the provision of occupational therapy services via telehealth in Delaware (the Proposed Regulation).  The FTC’s comments to the Proposed Regulation follow its comments to Alaska’s telehealth legislation earlier this year and evidence its continued focus on telehealth’s ability to foster flexibility in health care delivery by increasing practitioner supply; encouraging competition; and improving access to affordable, quality health care.

By way of background, in 2015, Delaware amended its Insurance and Professions and Occupations Code (the Code) to include the regulation of telehealth and telemedicine services, including the delivery of occupational care remotely under existing, in-person standards of care.  Consistent with the Code, the Delaware Board of Occupational Therapy Practice (the Board) revised its rules and regulations to address telehealth services.  The Proposed Regulation defines telehealth as “the use of electronic communications to provide and deliver a host of health-related information and health care services, including occupational therapy related information and services, over electronic devices. Telehealth encompasses a variety of occupational therapy promotion activities, including consultation, education, reminders, interventions, and monitoring of interventions.”

The Proposed Regulation gives Occupational Therapist and Occupational Therapist Assistant licensees (Licensees) discretion in assessing and determining the appropriate level and type of care for an individual patient, provided that certain requirements are satisfied. Specifically, under the Proposed Regulation, Licensees that provide treatment through telehealth must have an active Delaware license in good standing to practice telehealth in the state of Delaware. In addition to obtaining informed consent and complying with confidentiality requirements, the licensee must also: (1) be responsible for determining and documenting that telehealth is an appropriate level of care for the patient; (2) comply with the Board’s rules and regulations and all current standards of care requirements applicable to onsite care; (3) limit the practice of telehealth to the area of competence in which proficiency has been gained through education, training and experience; (4) determine the need for the physical presence of an occupational therapy practitioner during any interactions with patients, if he/she is the Occupational Therapist who screens, evaluates, writes or implements the plan of care; (5) determine the amount and level of supervision needed during the telehealth encounter; and (6) document in the file or record which services were provided remotely. (24 Del. Admin. Code § 2000-4.2.)

Staff of the FTC’s Office of Policy Planning and its Bureaus of Competition and Economics, responding to the Board’s request for public comments, stated that by not imposing rigid and unwarranted in-person care and supervision requirements, the Proposed Regulation could have various positive impacts, including: (1) improving access to cost-effective, quality care, especially for patients with limited mobility; (2) reducing Medicaid’s transportation expenditures as well as individuals’ pecuniary and time costs; (3) addressing anticipated workforce shortages in the health care sector by increasing practitioner supply and facilitating care of an aging population; and (4) enhancing competition, consumer choice and access to care.

The FTC did recommend the clarification of the Proposed Regulation on the scope of practice of Occupational Therapist Assistants.  The determination of the appropriateness of remote care and decisions about the amount and level of supervision during a telehealth encounter are expressly restricted to Occupational Therapists, while all other requirements also apply to Occupational Therapist Assistants.  The FTC noted that the ambiguities regarding the role of Occupational Therapist Assistants in telehealth evaluations and the determination of whether to use telehealth could discourage their participation in telehealth care.

The Privacy Shield: September 30, 2016, Deadline for Early Self-Certification Offers Compliance Opportunity and Risk

The European Commission recently determined that the Privacy Shield Framework is adequate to legitimize data transfers under EU law, providing a replacement for the Safe Harbor program. The Privacy Shield is designed to provide organizations on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Organizations that apply for Privacy Shield self-certification by September 30, 2016, will be granted a nine-month grace period to conform their contracts with third-party processors to the Privacy Shield’s new onward transfer requirements.

Augmented Reality

If you haven’t heard about the newest gaming craze yet, it’s based on what is called “augmented reality” (AR) and it could potentially impinge on your home life and workplace as such games allow users to “photograph” imaginary items overlaid with objects existing in the real world. An augmented reality game differs from “virtual reality” in that it mixes elements of the real world with avatars, made-up creatures, fanciful landscapes and the like, rather than simply presenting a completely fictional scenario. Whether you play such games yourself or are merely existing in nearby surroundings, here are a few things to think about as an active participant, and some tips regarding Intellectual Property and confidentiality issues that arise from others playing the game around you.

Augmented reality games are typically played on a smartphone app and some of them allow the user to capture images of the player’s experience and post it on social media, text it to friends or maintain it on the phone’s camera roll. However, special glasses could be used or other vehicles could deliver the augmented reality experience in different contexts—not just gaming. For example, technology in this area is rapidly advancing which will allow users to link up and “experience” things together way beyond what exists in the real world, i.e., in a “mixed world” experience, if you will. These joint holographic experiences are just one facet of the direction that augmented reality is taking.

As always, with new technological advancements, there are some caveats to using AR that you should be aware of.

Trademarks

If a company’s trademark is visible in the photo of your AR experience, you need to be mindful that you do not run afoul of trademark laws. For the same reasons that some trademarks are blurred out on TV shows, you should not be publishing such photos in any fashion that might draw negative attention from the trademark owner on social media accounts. Even if you are not selling competing goods, you could potentially be liable for trademark infringement. There is another, more important reason not to post such photos that is discussed below and can lead to a second cause of action against you arising from the same photo—the right of publicity, which is a personal right and is treated in vastly different ways in each state.

Right of Publicity

The Right of Publicity (ROP) protects everyone from misappropriation of his/her name, likeness, voice, image or other recognizable element of personal identity. It is protected by state law and many states vary greatly in their treatment of ROP. For example, some states protect a person’s ROP post-mortem, whereas others have no protection whatsoever. Due to the ease with which still or moving images can be reproduced and posted on the Internet, it is critical that you consider your postings from a ROP standpoint before you upload that image to a social media account. For instance, if your photo features your best friend taken in a shared AR experience, she may not object to you posting her photo to one of your social media accounts. However, if a brand name clothing manufacturer reposts it and somehow uses the momentum of the AR craze to show how game players and/or the avatars and creatures within the game are attracted to their brand of clothing, it could result in not just an issue with the game developer, but also your best friend, who may now be the unwitting spokesmodel for that brand of clothing. Basically, the manufacturer would be receiving an unfair free endorsement deal without ever having to negotiate with your best friend. In many states, she would have a ROP cause of action against the clothing manufacturer for commercial use of her image without her permission. This is exponentially dangerous if the best friend is a minor and her parents have not consented to this use of her image. As you can see, the landscape is fraught with potential pitfalls unless you are a news reporting agency or the like and your actions clearly fall under the First Amendment/free speech exception.

Confidential Information

One very important aspect of an AR game is a player’s ability to capture a photograph of the scene being explored or the personal experience of the user in a real world setting (e.g., it could show your desk at work, but in an outer space setting, or your car dashboard with the view from the driver’s perspective out the windshield showing a fairyland with mythical creatures in the distance). However, in taking these mixed virtual/real world photos, it is essential to be mindful of your surroundings. Doctors, lawyers, mental health professionals, bankers, and others with a much higher level of fiduciary duty to their clients must ensure that if they are taking such photos, no confidential information that would breach such duties is captured in the photos. Whether taken in the app itself or in screenshot form, these photos could prove to be problematic if they are automatically uploaded to the cloud or captured in the app. For example, a judge recently tweeted that defense counsel had been playing an AR game in the courtroom while court was in session. Setting aside the appropriateness of such behavior, query whether such actions violate confidentiality rules.

For all such professionals there are governing rules about the treatment of certain types of confidential information (The Gramm-Leach-Bliley (GLB) Act, The Health Insurance Portability and Accountability Act (HIPAA), etc.). If the game is set to capture images of the AR characters or scenes in the real world then anything within the player’s view or in the surrounding area is captured in the photograph with the character. To the extent that confidential personal information or trade secret information is being captured, this is a problem. The quick fix is to set the game to have a fully virtual background, rather than an AR one, a feature that some AR games already have. Although this is arguably less fun, it mitigates the danger of capturing sensitive data on your camera roll, in the cloud, or accidentally posting it, all of which could have very serious consequences.

In summary, the new AR games are wildly popular and likely are here to stay. Given that, it’s best to be mindful of your surroundings and make sure that you, and those around you, are playing responsibly.

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, the US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.
