The need for speedy and more complete access to data is instrumental for healthcare providers, researchers, pharmaceutical, biotech and device companies and public health authorities as they work to quickly identify infection rates, disease trends, outcomes, including antibodies, and opportunities for treatments and vaccines for COVID-19.

A variety of data sharing and collaborations have emerged in the wake of this crisis, such as:

  • Requests and mandates by public health authorities, either directly or via providers’ business associates, requesting real-time information on infections and on bed and equipment availability
  • Data sharing collaborations among providers for planning, anticipating and tracking COVID-19 caseloads
  • Data sharing among providers, professional societies and pharmaceutical, biotech and medical device companies in search of testing options, treatment and vaccine solutions, and evaluation of co-morbidities


We are pleased to announce that our Healthcare Group received a national Band 1 ranking for the eleventh year in a row in the 2020 edition of Chambers USA. After more than a decade at the top, we are once again the only one to rank Band 1 nationally. The Health team also earned Band 1 state-level rankings for its healthcare practices in California, Florida, Illinois, Massachusetts and Washington, DC. The team also earned the national Spotlight Table ranking for the Privacy and Data Security: Healthcare category. In addition, nearly half of the Healthcare Industry Advisory group partners were individually ranked.


Background: Issuing Florida’s Emergency Order

On March 16, 2020, Florida Surgeon General Dr. Scott Rivkees signed, stamped and finalized Emergency Order 20-002. In doing so, Florida joined what would become the vast majority of states in modifying licensure requirements for physicians in response to the Coronavirus (COVID-19) emergency.

The surgeon general’s order waived licensing requirements for out-of-state healthcare professionals, advanced life support professionals and basic life support professionals so that they could render services in Florida for the purposes of preparing for, responding to and mitigating any effect of COVID-19. In addition to waiving licensing requirements for in-person services, the order exempted out-of-state physicians, osteopathic physicians, physician assistants and advanced practice registered nurses from licensing requirements governing the provision of telehealth. The order also impacted emergency medical services training programs, physical examination requirements for physician certifications, prescription drug distribution and controlled substance prescription renewals (including medical marijuana). The order was to expire 30 days after signing—April 15, 2020.


On April 2, 2020, the Federal Communications Commission (FCC) launched the $200 million Coronavirus (COVID-19) Telehealth Program contemplated in the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The Telehealth Program is distinguishable from the broader Connected Care Pilot Program, which will make an additional $100 million in federal universal service funds available for telehealth over the next three years.

Telehealth Program

Notwithstanding telehealth’s advantages, most low-income Americans are unable to utilize telehealth services due to their lack of a consistent broadband internet connection. Furthermore, some providers are limited in their ability to treat patients via telehealth due to the substantial financial and IT investment in developing connected care programs (e.g., purchase of remote patient monitoring devices, telehealth software platforms). The purpose of the Telehealth Program is to support healthcare providers in urban and rural areas that are responding to the ongoing coronavirus pandemic by maximizing their provision of connected care services and devices. The Telehealth Program will help eligible healthcare providers purchase telecommunications services, information services and devices necessary to provide critical connected care services.

For purposes of the Telehealth Program and Connected Care Pilot Program, “connected care services” are defined as a subset of telehealth that uses broadband internet access service-enabled technologies to deliver care to patients at their mobile location or residence. Only internet-connected devices are covered, not unconnected devices that require the patient to communicate the results to their provider.

Funding will be awarded on a rolling basis until funds are exhausted or the coronavirus pandemic ends. To maximize the $200 million, the FCC anticipates limiting each applicant to $1 million in funding. Further, the FCC has indicated an interest in prioritizing funding to areas especially hard-hit by the coronavirus.

Eligible Healthcare Providers


The Centers for Medicare & Medicaid Services (CMS) continues to loosen the conditions for participation in Medicare, as well as specific reimbursement requirements, to ensure facilities and practitioners are able to practice at the top of their license and across state lines without jeopardizing Medicare reimbursement. Unfortunately, as demonstrated when CMS took similar actions over the past few weeks in response to the Coronavirus (COVID-19) pandemic, headlines tend to overlook one fundamental component of the applicable regulatory regime: state law requirements.

Unlike the Veterans Affairs Administration’s (VA’s) action a few years ago, which preempted state licensing law for purposes of implementing a VA telemedicine program, the Department of Health and Human Services has limited its actions during the COVID-19 pandemic to modifications of federal regulations and rules.  Secretary Alex Azar, in a letter to the Governors, instead encouraged the states to take action themselves to similarly loosen state laws to ensure maximum utilization of resources.  The states have been doing so, in some instances since early March, with different approaches. These differences stem from a large number of variables that are implicated by state licensure laws.

Key Takeaways: The practical implication for the provider community is that new standards for Medicare need to be adopted in harmony with existing state law requirements, which, unfortunately, are not uniform across the country. Nevertheless, nearly every state has taken action to loosen cross-border licensing restrictions for healthcare professionals and has modified other rules and regulations to help protect healthcare workers, maximize their numbers and help them practice at the highest level of their experience and training. There is a national movement in this direction, but it remains a patchwork.

For a deeper dive into telemedicine regulations during the COVID-19 pandemic, visit our Coronavirus Resource Center, which features articles, webinar recordings and videos on the telemedicine issues you need to know.

Government, media and industry have all pointed to the potential for telemedicine to assist in combating the COVID-19 pandemic. In addition, steps have been taken by the government to ease the burdens associated with the use of telemedicine during this crisis. Unfortunately, the complexity of the regulatory infrastructure has left a fair amount of confusion with respect to the extent to which rules have been, and may be, liberalized. At a time when our healthcare infrastructure is engaging with a health crisis that will get worse before it gets better, confusion about the requirements for care delivery needs to be reduced to a minimum.

Please join us on Monday, March 16 from 1 – 2pm ET for an update on:

  • Loosened Medicare reimbursement requirements
  • State emergency efforts
  • Related issues associated with the delivery of telemedicine services during the COVID-19 pandemic


Since the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, “copycat” legislation has been introduced at a dizzying pace by state legislatures across the country. Taking their cues from CCPA, at last count 16 states have borrowed language from California’s watershed law regarding consumer notices, data subject rights requests, and definitions of “personal information,” “sale” of data and other key items. The likely intent is to provide equal (or, in some cases, greater) protections to the residents of their states.

As a practical matter, however, none of the proposed laws is identical to CCPA (nor to each other); some look to the EU General Data Protection Regulation (GDPR), and each takes a complex approach that requires careful reading. The proposed Washington Privacy Act (SB 6281) has been touted as the most comprehensive data protection law in the United States and combines elements of CCPA and GDPR, adding specific protections for biometric information. Late last week, the Washington House added significant enforcement “teeth” by passing an amendment that would provide a private right of action under the Washington Consumer Protection Act for any violation of the Privacy Act.

Despite the lack of uniformity among the recently proposed bills across the country, three key trends are emerging:

Trend #1 – Increased Push for a Private Right of Action

In Washington, pending legislation would extend the private right of action beyond alleged harm arising from data breaches to any violation of the proposed Washington Privacy Act. While prior versions of the legislation vested exclusive enforcement authority in the Washington Attorney General—with penalties up to $7,500 per violation—late last week, the Innovation, Technology and Economic Development Committee in the Washington House approved an amendment to SB 6281 under which any violation of the Privacy Act would be deemed a per se violation of Washington’s Consumer Protection Act. While it is unclear exactly how damages will ultimately be calculated, a broad private right of action is a significant enforcement mechanism for Washington consumers. Supporters of the amendment argued that without a private right of action, companies would have little incentive to comply with the law because the Attorney General’s office lacks the resources to undertake many enforcement actions.

Recent bills propose legislation that closely tracks the CCPA’s private right of action for individuals who allege that they were harmed by data breaches caused by a business’ failure to implement “reasonable security” measures. Both the Illinois Data Transparency and Privacy Act (SB 2330) and New Hampshire’s proposed privacy law, HB 1680, provide consumers with a private right of action where personal information is (i) unencrypted and unredacted; and (ii) subject to exfiltration, theft or disclosure due to failure to implement reasonable data security procedures. Consumers may seek the greater of $100 – $750 per consumer, per incident, or actual damages.

If Washington or other states enact data privacy laws with such provisions, the potential liability for organizations affected by data breaches or failing to comply with sweeping new privacy obligations could rapidly become substantial, if not staggering. The private rights of action in the proposed state laws make it imperative for businesses to inventory the personal data they hold, practice data minimization principles, and invest in reasonable cybersecurity measures to mitigate exposure in the event of a data breach and implement comprehensive compliance programs.

Trend #2 – Data Controllers to Undertake Risk Assessments

Recently proposed legislation reflects not only provisions drawn from the CCPA, but also those based on the GDPR, most notably the definition of data controller and data processor roles and responsibilities. In addition, at least three states include a requirement for data controllers to perform risk assessments of their data. A data controller is an entity who, alone or jointly with others, determines the means and purpose of the processing of personal data. For example, in the Washington Privacy Act, data controllers must conduct and document data protection assessments for:

  1. Targeted advertising data processing;
  2. The sale of personal data;
  3. When profiling of data creates a foreseeable risk of injury (financial, physical or reputational), unfair impact or intrusion on the private affairs of consumers;
  4. For the processing of sensitive data; and
  5. Any processing activity that represents a heightened risk of harm to consumers.

In addition, the assessments must weigh the benefits and risks of processing.

Similarly, both the Virginia Privacy Act (HB 473) and Illinois Data Transparency and Privacy Act require controllers to perform a risk assessment for each processing activity involving personal information, and an additional risk assessment each time there is a change in processing that “materially increases the risk to consumers.” The proposed Virginia and Illinois laws assert that if the privacy harm risks to consumers outweigh the interest of a controller, business or other stakeholder, then consumer consent is required for processing. If such consumer consent is sought by a controller, it should be easily given and withdrawn.

Of note, all three states include a provision that the risk assessments must be provided to the state’s Attorney General upon written request; however, the assessments are confidential and exempt from public disclosure. Businesses subject to GDPR will likely have already performed internal data privacy impact assessments (DPIAs), which are a demanding exercise. For organizations without EU-facing operations, the compliance burden is likely to increase should these laws pass in their current form.

Trend #3 – Increased Protection for Biometric Data

Likely a result of publicity surrounding litigation arising out of the Illinois Biometric Information Privacy Act (BIPA) and recent media attention regarding the increased prevalence of biometric technologies, a number of the newly proposed data privacy laws focus on strengthening protections for biometric data. Several states proposing recent legislation—Illinois, Nebraska, New Hampshire, Virginia and Washington—include biometric identifiers in the definition of either personal information or sensitive data.

Notably, the Washington Privacy Act would require controllers to obtain opt-in consent from consumers to process biometric data and would include a section devoted exclusively to the requirements for data controllers with respect to Facial Recognition Technology (FRT). Examples of such requirements include:

  1. Obtaining consent from consumers prior to enrolling a consumer’s image in FRT;
  2. Separating FRT databases from other databases and reviewing FRT databases annually;
  3. Ensuring that any FRT that may have a legal effect is subject to human review; and
  4. Requiring periodic training of those who operate an FRT service.

Due to the increased focus on these technologies, companies should carefully and thoroughly evaluate the privacy implications of any biometric or FRT product or service prior to launch. For example, facial recognition technology has reportedly been deployed in certain countries to identify those with elevated temperatures in order to prevent the spread of COVID-19. How these new laws in the United States will mesh with biometric technologies in the event of a public health crisis remains to be seen.

Conclusion

Time will tell as to whether the 2020 crop of CCPA-like proposed statutes will eventually become law—many similar CCPA copycat proposals failed in 2019—but it is apparent that there is a strong movement to enact stricter data privacy legislation. As Washington’s legislature approaches the end of its legislative session early this month, there is keen interest in the outcome of the Washington Privacy Act, which has a proposed effective date of July 31, 2021. While a similar measure failed in Washington last year, now that CCPA is in effect, the landscape has changed.

Businesses should closely monitor the developments in Washington and other states, particularly with respect to the trend of increased private rights of action and the resulting liability. While these state legislative proposals share a common goal, the lack of standardization among federal, state and international data privacy regimes is cause for significant concern in the business community, which bears the brunt of complying with competing and sometimes conflicting legal and regulatory obligations. These trends show no signs of abating, so stay tuned.

On March 4, 2020, the House passed the Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020, a bipartisan bill to aid in COVID-19 preparedness and response. The bill includes, among other things, provisions that waive certain telehealth requirements during the COVID-19 public health emergency to ensure Medicare beneficiaries can receive telehealth services at home to avoid placing themselves at greater risk of the virus.

Generally, Medicare beneficiaries may only receive telehealth services as a Medicare covered service if:

  • The beneficiary (patient) is located in a qualifying rural area;
  • The beneficiary is located at one of eight types of qualifying originating sites;
  • The services are provided by one of 10 categories of distant site practitioners eligible to furnish and receive Medicare payment for telehealth services;
  • The beneficiary and distant site practitioner communicate via an interactive audio and video telecommunications system that permits real-time communication between them—telephones, fax machines and email do not meet this requirement; and
  • The CPT/HCPCS code for the service is on the list of covered Medicare telehealth services.

The bill gives the secretary of the US Department of Health and Human Services (HHS) the authority to waive the originating site requirement for telehealth services provided to Medicare beneficiaries located in any identified emergency area during emergency periods by a qualified provider. An “emergency area” is a geographical area in which, and an “emergency period” is the period during which, there exists: (a) an emergency or disaster declared by the president pursuant to the National Emergencies Act or the Robert T. Stafford Disaster Relief and Emergency Assistance Act; and (b) a public health emergency declared by the secretary. The bill also allows telehealth services to be provided to Medicare beneficiaries via phone, but only if the phone allows for audio-video interaction between the provider and the beneficiary.

The bill takes important steps to allow healthcare providers to deploy telehealth resources in response to COVID-19 and other public health emergencies, and allows Medicare beneficiaries to receive telehealth services from the comfort of their home (even via their smart phone) without risk of exposure. While the bill represents a further step in the expansion of the availability of telehealth services, we should be careful not to overstate its impact. The waiver of the originating site requirement and expansion of telemedicine modalities is limited to emergency areas identified by the president and secretary during emergency periods. Accordingly, as a practical matter, this expansion of availability of telehealth reimbursement is very limited. In addition, healthcare providers must still comply with state laws and regulations that govern telehealth, including, but not limited to, professional licensure, scope of practice, standard of care, patient consent and other reimbursement requirements for non-Medicare beneficiaries.

The bill offers a welcome relaxation of the rigid Medicare requirements for telehealth reimbursement during a time of stress within the healthcare industry. It also represents another, albeit small, step in the gradual acceptance of telehealth within the healthcare reimbursement sector.

In our global economy, Coronavirus (COVID-19) raises serious concerns for employers in all industries. Workers may be on the front lines caring for patients and developing vaccines, travelling for business, or in close contact with individuals who travel or may have been affected. At this time, there is no vaccine or medication approved to prevent or treat the COVID-19 disease. Therefore, preparedness and prevention are crucial. Frontline responders must be especially vigilant as they deliver care and anticipate the challenges this uncharted territory presents.

McDermott’s Coronavirus Resource Center, brought to you by a multi-disciplinary team, will keep you informed of the latest developments and provide comprehensive insight to help you navigate this crisis with your employees, including:

  • Frequently asked questions for US and multi-national employers
  • Recent news updates
  • Podcasts
  • Upcoming events


As the number of confirmed COVID-19 cases in the United States grows, healthcare providers are stepping up their response planning. To combat the spread of COVID-19, the Centers for Disease Control and Prevention (CDC) urged healthcare systems and providers to deploy all of the resources necessary to ensure health system preparedness. The CDC recommended the use of telehealth tools to help address COVID-19 preparedness and to assist in directing patients to the right level of healthcare for their medical needs.

Healthcare providers have a unique and pressing opportunity to offer telehealth services to potential COVID-19 patients. At the same time, healthcare providers’ response to the COVID-19 outbreak highlights some of the barriers to the provision of telehealth services. Providers considering using telehealth as part of their COVID-19 response efforts should take the following factors into consideration:

  • While healthcare providers cannot diagnose COVID-19 through a telehealth visit, they can perform a number of services without requiring a patient to visit crowded medical facilities where the virus might be present. These services include performing initial patient screenings, assessing and assigning risk categories to patients, determining if a patient needs to seek diagnostic testing, and answering patient questions and offering treatment recommendations.
  • Deploying telehealth services is not without its challenges. The varying reimbursement policies of private, state and federal payers, as well as differing state-based medical licensing requirements, may burden providers and patients with confusion, economic inefficiencies and onerous processes in a difficult engagement context.
  • As part of the COVID-19 response discussions, telehealth advocates propose that the Centers for Medicare and Medicaid Services reduce or eliminate its long-standing telehealth reimbursement restrictions. This change would allow Medicare to pay for virtual visits during national emergencies, regardless of originating site or geographic location. There is also a push to waive the lengthy enrollment process telehealth providers must undergo to be paid by Medicare.
  • While telehealth has the potential to assist in a healthcare system’s response to COVID-19, providers still must comply with state laws and regulations that govern telehealth, including but not limited to professional licensure, scope of practice, standard of care and patient consent, in addition to the reimbursement requirements and limitations put into place by third-party payers.
    • Typically, telehealth providers must be licensed in the state in which the patient is located, although certain states have exceptions that telehealth providers may leverage in response to COVID-19.
    • Telehealth providers must practice within the scope of practice of the profession in which they are licensed and within the standard of care set forth by the governing professional board in a given state.
    • State telehealth laws may require a specific modality for telehealth consultations (e.g., audio-visual consultations). Likewise, third-party payers may require a specific modality for telehealth consultations for purposes of reimbursement.