FTC Weighs-in on Telehealth, Comments on Delaware’s Occupational Therapy Practice Rule

On August 3, 2016, the Federal Trade Commission (FTC) staff submitted public comments regarding the Delaware Board of Occupational Therapy Practice’s proposed regulation for the provision of occupational therapy services via telehealth in Delaware (the Proposed Regulation).  The FTC’s comments to the Proposed Regulation follow its comments to Alaska’s telehealth legislation earlier this year and evidence its continued focus on telehealth’s ability to foster flexibility in health care delivery by increasing practitioner supply; encouraging competition; and improving access to affordable, quality health care.

By way of background, in 2015, Delaware amended its Insurance and Professions and Occupations Code (the Code) to include the regulation of telehealth and telemedicine services, including the delivery of occupational care remotely under existing, in-person standards of care.  Consistent with the Code, the Delaware Board of Occupational Therapy Practice (the Board) revised its rules and regulations to address telehealth services.  The Proposed Regulation defines telehealth as “the use of electronic communications to provide and deliver a host of health-related information and health care services, including occupational therapy related information and services, over electronic devices. Telehealth encompasses a variety of occupational therapy promotion activities, including consultation, education, reminders, interventions, and monitoring of interventions.”

The Proposed Regulation gives Occupational Therapist and Occupational Therapist Assistant licensees’ (Licensees) discretion in assessing and determining the appropriate level and type of care for an individual patient, provided that certain requirements are satisfied. Specifically, under the Proposed Regulation, Licensees that provide treatment through telehealth must have an active Delaware license in good standing to practice telehealth in the state of Delaware.  In addition to obtaining informed consent and complying with confidentiality requirements, the licensee must also: (1) be responsible for determining and documenting that telehealth is an appropriate level of care for the patient; (2) comply with the Board’s rules and regulations and all current standards of care requirements applicable to onsite care; (3) limit the practice of telehealth to the area of competence in which proficiency has been gained through education, training and experience; (4) determine the need for the physical presence of an occupational therapy practitioner during any interactions with patients, if he/she is the Occupational Therapist who screens, evaluates, writes or implements the plan of care; (5) determine the amount and level of supervision needed during the telehealth encounter; and (6) document in the file or record which services were provided remotely. (24 Del. Admin. Code § 2000-4.2.)

Staff of the FTC’s Office of Policy Planning and its Bureaus of Competition and Economics, responding to the Board’s request for public comments, stated that by not imposing rigid and unwarranted in-person care and supervision requirements, the Proposed Regulation could have various positive impacts, including: (1) improving access to cost-effective, quality care, especially for patients with limited mobility; (2) reducing Medicaid’s transportation expenditures as well as individuals’ pecuniary and time costs; (3) addressing anticipated workforce shortages in the health care sector by increasing practitioner supply and facilitating care of an aging population; and (4) enhancing competition, consumer choice and access to care.

The FTC did recommend the clarification of the Proposed Regulation on the scope of practice of Occupational Therapist Assistants.  The determination of the appropriateness of remote care and decisions about the amount and level of supervision during a telehealth encounter are expressly restricted to Occupational Therapists, while all other requirements also apply to Occupational Therapist Assistants.  The FTC noted that the ambiguities regarding the role of Occupational Therapist Assistants in telehealth evaluations and the determination of whether to use telehealth could discourage their participation in telehealth care.

The Privacy Shield: September 30, 2016, Deadline for Early Self-Certification Offers Compliance Opportunity and Risk

The European Commission recently determined that the Privacy Shield Framework is adequate to legitimize data transfers under EU law, providing a replacement for the Safe Harbor program. The Privacy Shield is designed to provide organizations on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Organizations that apply for Privacy Shield self-certification by September 30, 2016, will be granted a nine-month grace period to conform their contracts with third-party processors to the Privacy Shield’s new onward transfer requirements.

Read the full article here.

Augmented Reality

If you haven’t heard about newest gaming craze yet, it’s based on what is called “augmented reality” (AR) and it could potentially impinge on your home life and workplace as such games allow users to “photograph” imaginary items overlaid with objects existing in the real world. An augmented reality game differs from “virtual reality” in that it mixes elements of the real world with avatars, made up creatures, fanciful landscapes and the like, rather than simply presenting a completely fictional scenario. Whether you play such games yourself or are merely existing in nearby surroundings, here are few things to think about as an active participant, and some tips regarding Intellectual Property and confidentiality issues that arise from others playing the game around you.

Augmented reality games are typically played on a smartphone app and some of them allow the user to capture images of the player’s experience and post it on social media, text it to friends or maintain it on the phone’s camera roll. However, special glasses could be used or other vehicles could deliver the augmented reality experience in different contexts—not just gaming. For example, technology in this area is rapidly advancing which will allow users to link up and “experience” things together way beyond what exists in the real world, i.e., in a “mixed world” experience, if you will. These joint holographic experiences are just one facet of the direction that augmented reality is taking.

As always, with new technological advancements, there are some caveats to using AR that you should be aware of.

Trademarks

If a company’s trademark is visible in the photo of your AR experience, you need to be mindful that you do not run afoul of trademark laws. For the same reasons that some trademarks are blurred out on TV shows, you should not be publishing such photos in any fashion that might draw negative attention from the trademark owner on social media accounts. Even if you are not selling competing goods, you could potentially be liable for trademark infringement. There is another, more important reason not to post such photos that is discussed below and can lead to a second cause of action against you arising from the same photo—the right of publicity, which is a personal right and is treated in vastly different ways in each state.

Right of Publicity

The Right of Publicity (ROP) protects everyone from misappropriation of his/her name, likeness, voice, image or other recognizable element of personal identity. It is protected by state law and many states vary greatly in their treatment of ROP. For example, some states protect a person’s ROP post-mortem, whereas others have no protection whatsoever. Due to the ease with which still or moving images can be reproduced and posted on the Internet, it is critical that you consider your postings from a ROP standpoint before you upload that image to a social media account. For instance, if your photo features your best friend taken in a shared AR experience, she may not object to you posting her photo to one of your social media accounts. However, if a brand name clothing manufacturer reposts it and somehow uses the momentum of the AR craze to show how game players and/or the avatars and creatures within the game are attracted to their brand of clothing, it could result in not just an issue with the game developer, but also your best friend, who may now be the unwitting spokesmodel for that brand of clothing. Basically, the manufacturer would be receiving an unfair free endorsement deal without ever having to negotiate with your best friend. In many states, she would have a ROP cause of action against the clothing manufacturer for commercial use of her image without her permission. This is exponentially dangerous if the best friend is a minor and her parents have not consented to this use of her image. As you can see, the landscape is fraught with potential pitfalls unless you are a news reporting agency or the like and your actions clearly fall under the First Amendment/free speech exception.

Confidential Information

One very important aspect of an AR game is a player’s ability to capture a photograph of the scene being explored or the personal experience of the user in a real world setting (e.g., it could show your desk at work, but in an outer space setting, or your car dashboard with the view from the driver’s perspective out the windshield showing a fairyland with mythical creatures in the distance). However, in taking these mixed virtual/real world photos, it is essential to be mindful of your surroundings. Doctors, lawyers, mental health professionals, bankers, and others with a much higher level of fiduciary duty to their clients must ensure that if they are taking such photos, no confidential information that would breach such duties is captured in the photos. Whether taken in the app itself or in screenshot form, these photos could prove to be problematic if they are automatically uploaded to the cloud or captured in the app. For example, a judge recently tweeted that defense counsel had beenplaying an AR game in the courtroom while court was in session. Setting aside the appropriateness of such behavior, query whether such actions violate confidentiality rules.

For all such professionals there are governing rules about the treatment of certain types of confidential information (The Gramm-Leach-Bliley (GLB) Act, The Health Insurance Portability and Accountability Act (HIPAA), etc.). If the game is set to capture images of the AR characters or scenes in the real world then anything within the player’s view or in the surrounding area is captured in the photograph with the character. To the extent that confidential personal information or trade secret information is being captured, this is a problem. The quick fix is to set the game to have a fully virtual background, rather than an AR one, a feature that some AR games already have. Although this is arguably less fun, it mitigates the danger of capturing sensitive data on your camera roll, in the cloud, or accidentally posting it, all of which could have very serious consequences.

In summary, the new AR games are wildly popular and likely are here to stay. Given that, it’s best to be mindful of your surroundings and make sure that you, and those around you, are playing responsibly.

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

Read the full article here.

Guidance on Low Risk General Wellness Devices Is Finalized

On July 29, 2016, the US Food and Drug Administration (FDA) finalized General Wellness: Policy for Low Risk Devices Guidance (Final Guidance) detailing its risk-based regulatory approach to relax certain regulatory requirements for low risk products that promote a healthy lifestyle—coined “general wellness products.” In the Final Guidance, the FDA makes minimal substantive changes to the policies articulated in its January 2015 draft guidance. Notably, however, the Final Guidance added and refined several examples to illustrate the products that are subject to FDA’s enforcement discretion and ultimately outside FDA’s intended scope of regulatory oversight.

Read the full article, FDA Finalizes Guidance on Low Risk General Wellness Devices here.

Brexit Update: The Effect of Brexit on Data Transfers between the United Kingdom and the European Union

With the United Kingdom having voted to leave the European Union (Brexit) on 23 June 2016, the free flow of personal data between the United Kingdom and EU and European Economic Area (EEA) countries is at risk. Even though Brexit will likely have the biggest impact on the financial sector, businesses in the United Kingdom that rely on the free flow of personal data to and from EU nations will also be affected. In particular, should the United Kingdom also leave the EEA and thus become a “third country” for the purposes of data protection laws, transfers to data processors in the United Kingdom would have to be based on an adequacy decision of the European Commission, standard contractual clauses (model contracts) or binding corporate rules.

Read the full article here.

Digital Health: An Improving Environment for Investors

The integration of technology into health care delivery is exploding throughout the health industry landscape. Commentators speculating on the implications of the information revolution’s penetration of the health care industry envision delivery models rivaling those imagined by celebrated science fiction authors, and claim that the integration of information technology into even the most basic health care delivery functions can reduce cost, increase access, improve quality and, in some instances, fundamentally change the way health care is delivered.

These visions are difficult to refute in the abstract; the technology exists or is being developed to achieve what just a few years ago seemed the idle speculation of futurists. But delivering this vision in an industry as regulated as health care is significantly harder than it may seem. While digital health models have existed for many years, the regulatory and reimbursement environment have stifled their evolution into fully integrated components of the health care delivery system.

Continue Reading

The Rocky Road of Evaluation for Digital Health Tools

Recent comments linking digital health tools to so-called “snake oil” has the channels of social media atwitter.  (Add this post to the noise!)  While some may decry the comparison, there is a lot we can learn from that perspective.

One of the challenges of broad digital health adoption is the simple fact that digital health encompasses such a broad array of technologies, usages and purposes.  There is no one tonic that will cure a list of ailments; rather we are presented with shelves of solutions to even more shelves of challenges waiting to be addressed.  Digital health includes, by my definition, the application of social media tools to preventative health and chronic disease management measures, as well as highly sophisticated data analytics applied to massive amounts of population health data to identify important health trends.  It also includes home monitoring devices that keep health care providers informed of their patient’s at-home health condition, as well as telestroke programs that allow physicians to access needed expertise.  The list is potentially endless, as new technologies created to address health issues and existing technologies are being put to use in the health care context. Continue Reading

AMA Approves New Ethical Guidance Policy and Encourages Telemedicine Training for Students and Residents

New Ethical Guidelines

On June 13, the American Medical Association (AMA) adopted a new ethical guidance policy governing the practice of telemedicine that will be published in the coming months. The policy is based on a report from the AMA Council on Ethical and Judicial Affairs and builds upon the AMA’s 2014 telemedicine guidance.

Consistent with past guidance from AMA and other professional organizations, the AMA notes that the ethical responsibilities of physicians are the same – regardless of whether the physician communicates with a patient in-person or remotely – and encourages providers to recognize the potential uses and limitations of technology when delivering care. “Telehealth and telemedicine are another stage in the ongoing evolution of new models for the delivery of care and patient-physician interactions,” said AMA Board Member Jack Resneck, MD. “The new AMA ethical guidance notes that while new technologies and new models of care will continue to emerge, physicians’ fundamental ethical responsibilities do not change.”

The 2016 policy recommends that once a patient-physician relationship is established, physicians who engage in telemedicine by responding to individual health queries electronically or providing clinical services through telemedicine:

  • Must disclose financial or other interests in certain telemedicine applications or services
  • Must protect patient privacy and confidentiality
  • Should inform patients of the limitations of the telemedicine encounter
  • Should encourage patients to inform their primary care doctor about the encounter
  • Should advise patients how to arrange follow-up care
  • Should, when necessary, recommend the use of a telepresenter or other health care professional at the originating site (e., the patient’s physical location)

Notably, the 2014 guidance required that a patient-physician relationship be established prior to the provision of telemedicine services. The relationship could be established during a face-to-face examination, through a consultation with another physician, or by meeting the evidence-based practice guidelines developed by major medical specialty societies. While the 2014 guidance did not specify whether the face-to-face examination must occur in-person, rather than digitally, many interpreted this requirement to be satisfied via an interactive telemedicine encounter.

In addition, the 2016 policy formally recognizes the importance of a “coordinated effort across the profession,” which includes clarifying standards and promoting access to technology. That said, the 2016 policy still requires the licensure of physicians in the state in which the patient is located. (As a general rule, physicians that practice telemedicine are subject to the licensure rules of both the state in which their patient is physically located and the state in which the provider is practicing.)  One potential avenue for facilitating multi-state licensure is the Federation of State Medical Boards’ Interstate Medical Licensure Compact, which offers a streamlined licensure process in each Compact state. The Compact has been adopted by 17 states thus far and more are expected to join this year and in 2017.

In sum, the AMA’s new ethical guidance should help physicians to better understand how their fundamental ethical responsibilities may play out differently when patient interactions occur through technology, and how this technology can be used to deliver more accessible, efficient and effective care.

Telemedicine Training for Students and Residents

Two days after adopting the ethical guidelines above, the AMA adopted a second telemedicine policy encouraging the inclusion of telemedicine training into undergraduate and graduate medical programs.

Since the vast majority of medical students are not learning about the potential benefits and appropriate uses of telemedicine technologies during medical school and residency, they are learning about telemedicine “on the job,” which may create missed opportunities for its use.  “As innovation in care delivery and technology continue to transform health care, we must ensure that our current and future physicians have the tools and resources they need to provide the best possible care for their patients,” said AMA immediate past president Robert M. Wah, MD  “In particular, exposure to and evidence-based instruction in telemedicine’s capabilities and limitations at all levels of physician education will be essential to harnessing its potential.”

In sum, the hope is that integrating formal telemedicine training into medical education programs will better prepare future physicians to appropriately and effectively integrate telemedicine into their clinical practices.

MaryKathryn Hurd, summer associate in McDermott’s Chicago office, co-authored this post.

Louisiana Joins its Peers in Removing In-State Barriers to Telemedicine

Last week, Louisiana legislators approved the removal of certain restrictions on the delivery of telemedicine services to residents of Louisiana to encourage the provision of telemedicine services in the state.  H.B. No. 570 was signed by the President of the Senate on June 5, 2016 and sent to Governor John Bel Edwards on June 6, 2016.

Notably, the Bill modifies the telemedicine requirements under La. Stat. Ann. § 37:1271, and R.S. 40:1223.3(5) and 1223.4(A) as follows:

  • A physician practicing telemedicine in the state who does not maintain a physical practice location within the state of Louisiana (but who is licensed in the state and has access to the patient’s medical records) is no longer required to first conduct an in-person patient history or physical examination of the patient before engaging in a telemedicine encounter.
  • In sum, La. Stat. Ann. § 37:1271 now requires that telemedicine providers hold an unrestricted license to practice medicine in Louisiana; obtain access to the patient’s medical records upon consent of the patient; create a medical record on each patient and make it available to the Louisiana State Board of Medical Examiners upon request; and, if necessary, provide a referral to a physician or arrange follow-up care in the state, as indicated.
  • The definition of “synchronous interaction” found in S. 40:1223.3(5) is now broadened to allow providers to use audio (without video) for telemedicine encounters if the same standard of care as in-person encounters is maintained.
  • This means that patients will be able to use a phone for telemedicine purposes, which is especially useful for patients who may not have: access to video-based technology, the know-how to connect with a provider using video-based technology, or an appropriate data plan/wireless connection for the simultaneous transmission of video.
  • Each state agency and each professional or occupational licensing board or commission authorized to adopt rules and regulations specific to the practice of telemedicine pursuant to S. 1223.4(A) is now prohibited from adopting any rules or regulations that are more restrictive than the provisions of the present law.

Like Alaska’s recent modifications to its telemedicine requirements, the Louisiana Bill broadens the base of available health care providers through the removal of the in-state restriction, which helps to increase the supply of physicians and competition from lower-cost providers, reduces transportation costs and improves access to quality care.  In addition, this Bill expands the types of technologies that may be used to deliver telemedicine services, which will better accommodate the significant portion of health care consumers who prefer phone consultations to access care.

LexBlog