We greatly appreciate our readers continuing to turn to us for insight on the most critical legal, regulatory and transactional developments impacting digital health, and the innovative collaborations transforming health care. Over the past year, McDermott’s Health practice made headlines for our work on several of the most high-profile collaborative transformations that took place in 2018: We were one of several law firms to advise CVS Health Corp. on its approximately $70 billion cash and stock purchase of health insurer Aetna Inc. McDermott also assisted Air Medical Group Holdings in its $2.44 billion acquisition of American Medical Response (AMR), a medical transportation company, from Envision Healthcare Corporation. It is because of our role in ground-breaking transactions like these that—for the fifth time in 10 years—McDermott was recognized by Law360 as the Health Practice Group of the Year.

We’re passionate about the results our digital health clients are achieving and our role in helping them transform health care. We are equally passionate about what these results mean for the industry and health care consumers. Through our blogs, articles and health-focused events, we are committed to providing you with thought leadership that will help expand your field of vision as you navigate the rapidly changing health care landscape.

To read Law360’s profile of McDermott’s industry-leading health care practice, click here. McDermott was also named Practice Group of the Year in the Tax category. For more information about our approach to Collaborative Transformation, visit mwe.com/collaborativetransformation.

New digital health regulations arose at the federal and state level in 2018, bolstering the existing legal framework to further support and encourage digital health adoption in the context of care coordination and the move to value-based payment. McDermott’s 2018 Digital Health Year in Review: Focus on Care Coordination and Reimbursement report – the second in a four-part series – highlighted these developments within the digital health landscape. These efforts brought changes to coverage of telehealth and other virtual care services, as well as information gathering for regulatory reform, and can help bridge the gap between research, funding and implementation as regulations build a framework within which companies can deploy their products, receive reimbursement and demonstrate value to patients. Here we outline digital health developments from the second half of 2018 and how they can help drive digital health forward in 2019. For a closer look at key care coordination and reimbursement developments that shaped digital health in 2018, along with planning considerations and predictions for the digital health frontier in the year ahead, download our full report.

To view the first report in the series, 2018 Digital Health Year in Review: Focus on Data, click here.

Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report.

  1. EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR’s potential applicability to their operations and take heed of any GDPR obligations, including, but not limited to, enhanced notice and consent requirements and data subject rights, as well as obligations to execute GDPR-compliant contracts with vendors processing personal data on their behalf.
  2. California passes groundbreaking data privacy law. The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, will regulate the collection, use and disclosure of personal information pertaining to California residents by for-profit businesses – even those that are not based in California – that meet one or more revenue or volume thresholds. Similar in substance to the GDPR, the CCPA gives California consumers more visibility and control over their personal information. The CCPA will affect clinical and other scientific research activities of academic medical centers and other research organizations in the United States if the research involves information about California consumers.
  3. US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) continues aggressive HIPAA enforcement. OCR announced 10 enforcement actions and collected approximately $25.68 million in settlements and civil money penalties from HIPAA-regulated entities in 2018. OCR also published two pieces of guidance and one tool for organizations navigating HIPAA compliance challenges in the digital health space.
  4. Interoperability and the flow of information in the health care ecosystem continues to be a priority. The Office of the National Coordinator for Health Information Technology (ONC) submitted its proposed rule to implement various provisions of the 21st Century Cures Act to the Office of Management and Budget (OMB) in September 2018; this is one of the final steps before a proposed rule is published in the Federal Register and public comment period opens. The Centers for Medicare & Medicaid Services (CMS) released its own interoperability proposed rule and finalized changes to the Promoting Interoperability (PI) programs to reduce burden and emphasize interoperability of inpatient prospective payment systems and long-term care hospital prospective payment systems.

Last week, President Trump signed the SUPPORT for Patients and Communities Act (SUPPORT Act), a bipartisan piece of legislation designed to tackle the opioid crisis by, among other approaches, increasing the use of telemedicine services to treat addiction. Several key provisions are summarized below.

The package includes provisions to expand public reimbursement for telemedicine services that focus on addiction treatment. Specifically, the legislation removes Medicare’s originating site requirement for substance abuse treatment provided via telemedicine, meaning that health professionals can receive Medicare reimbursement even if the patient is not located in a rural area. In addition, the Centers for Medicare and Medicaid Services (CMS) has been directed to issue guidance to states regarding possible ways that Medicaid programs can receive federal reimbursement for treating substance abuse via telemedicine. The legislation explicitly identifies services provided via a hub and spoke model and in school-based health centers, among others, as those that should be eligible for federal reimbursement.

In another development, the US Drug Enforcement Agency (DEA) is now required to implement regulations regarding a special registration process for telemedicine providers within one year of the passage of the SUPPORT Act. The aim of this process is to expand health providers’ ability to prescribe controlled substances to patients in need of substance use disorder treatment based on a telemedicine consultation, without having to conduct an in-person evaluation first. This special registration process was originally contemplated 10 years ago under the Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (Ryan Haight Act) as one of the seven pathways through which a telemedicine provider could prescribe a controlled substance to his/her patient without having first conducted an in-person evaluation, but the DEA never issued any regulations to effectuate it. At present, the special registration process and requirements (e.g., registration costs, application processing timeline, provider qualifications) are still largely unknown. The answers to these open issues will determine how accessible this new registration pathway will be to substance use disorder providers and, therefore, how impactful it will be in connecting patients in need of substance use disorder treatment with qualified providers.

In addition to these policy reforms, the SUPPORT Act also directs government agencies to conduct additional research into the possible benefits of telemedicine technology for treating substance abuse. Both CMS and the Government Accountability Office (GAO) are tasked with publishing reports concerning the use of telemedicine technology for treating children: CMS is directed to analyze how to reduce barriers to adopting such technology, and GAO is directed to evaluate how states can increase the number of Medicaid providers that treat substance use disorders via telemedicine in school-based clinics. Furthermore, the Department of Health and Human Services must issue a report regarding the impact of using telemedicine services to treat opioid addiction within five years.

On November 1, 2018, the Centers for Medicare and Medicaid (CMS) issued final rules for updating the 2019 Medicare Physician Fee Schedule to implement recent telehealth-related legislative reforms. As reported in our Digital Health Mid-Year Report: Focus on Medicare, these changes are expected to have a material impact on the ability of providers to receive payment for delivering telehealth services. Certain key changes are highlighted below:

  • Qualified providers may be reimbursed when providing telehealth services for stroke and kidney disease—even when patients are located in their own homes.
  • Qualified providers may receive a small amount of reimbursement for holding “virtual check-in[s]” with patients and when they evaluate recorded video and images from an established patient. CMS noted that these changes are aimed at allowing providers to help determine whether an in-person visit or additional follow-up is needed. Doing so “increase[s] efficiency for practitioners and convenience for beneficiaries.”
  • CMS also issued an interim final rule related to the recently-signed SUPPORT for Patients and Communities Act, a bipartisan piece of legislation that was passed to combat the opioid crisis. Similar to the Bipartisan Budget Act, the SUPPORT Act removed the originating site requirement for substance abuse and related mental health treatments. There is a 60-day comment period before this rule will be finalized.

Together, these rules represent a substantial expansion of Medicare reimbursement for services provided via telehealth.  For additional guidance on how to interpret and implement these new changes, please contact your regular McDermott attorney.

The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. In almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.

Critical provisions

The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.

The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual about whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).

The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers). Continue Reading GDPR 6 Months After Implementation: Where are We Now?

On October 26, 2018, CMS released a Notice of Proposed Rulemaking addressing expanded telehealth coverage in Medicare Advantage, extrapolation of RADV audit results, and updates to the Medicare Advantage and Part D Quality Star Ratings program, among other topics. If finalized, the regulations set forth in the Proposed Rule would impact not only Medicare Advantage and Part D plan sponsors but also a broad range of providers and health care companies, particularly those involved in the provision or delivery of telehealth services.

CMS is accepting comments on the Proposed Rule through December 31, 2018.

Access the full article.

As previously noted in our Digital Health Mid-Year Review, 2018 has seen greater acceptance of telemedicine within the Medicare program. Both regulatory and statutory changes have expanded reimbursement opportunities and, consequentially, opportunities for the deployment of telemedicine technologies. As we noted then, however, improvement in the Medicare reimbursement environment for telemedicine services has been tied to a policy goal of not increasing utilization unnecessarily. We noted in our Mid-Year Review that Congress appears to be following MedPac’s recent guidance that Congress “should take a measured approach to further incorporating telehealth into Medicare by evaluating individual telehealth services to assess their capacity to address. . . cost reduction, access expansion, and quality improvement.”

The recently introduced Reducing Unnecessary Senior Hospitalizations Act of 2018 (the RUSH Act), seems to deviate from MedPac’s suggested approach. The RUSH Act seeks to avoid hospitalizations through a program that creates financial incentives for providing certain nonsurgical services furnished by hospital emergency departments at skilled nursing facilities that are qualified to provide such services by the Secretary of Health and Human Services The RUSH Act specifically refers to the possibility that some of these services could be provided by licensed practitioners “through the use of telehealth.” Interestingly, the RUSH Act does not specify what telehealth services should be allowable or how they should be reimbursed; rather, the RUSH Act leaves these matters for agency determination.

According to Representative Diane Black (TN), one of the bill’s sponsors, “[t]here are companies who are ready and able to provide this innovative care. . . . These positive disruptors just need Medicare’s payment policies to catch up with the technology. . . giving [nursing homes] the technology-enabled tools needed to lower health care costs and, most importantly, save lives.”

As an observer of this industry, I tend to agree with this claim, but under the approach taken by this bill, that determination will need to be made by the Department of Health and Human Services. Digital health companies looking for a better reimbursement environment are well-advised to focus on the bottom line of federal health policy–lower cost, improved care and increased access.

Join us on November 8, 2018, for the third installment of McDermott’s live webinar series on digital health. In this installment, partners Bernadette M. Broccolo, Jiayan Chen and Vernessa T. Pollard will explore opportunities for accelerating biomedical research, development and commercialization through digital health tools and solutions, such as end-user license agreements (EULAs), wearables and mobile apps, telemedicine, and big data exchange and analytics. They will discuss tactics for overcoming challenges related to these new approaches, as well as evolving compliance issues, including:

  • Privacy and security
  • Human subject protection
  • The US Food and Drug Administration pre-market approval regime

They will also review alternative compliance and contracting strategies for managing risk while capturing opportunity from the perspective of key stakeholders, such as sponsors, investigators, research sites and digital health developers.

Click here to register for this event.

The Office of the National Coordinator for Health Information Technology (ONC) is one step closer to issuing its long-awaited proposed rule to implement various provisions of the 21st Century Cures Act, including proposed regulations distinguishing between prohibited health information blocking among health care providers and health information technology vendors and other permissible restrictions on access to health information. According to its website, the Office of Management and Budget (OMB) received ONC’s proposed rule for review on September 17, 2018. OMB review is one of the final steps in the process before a proposed rule is published in the Federal Register for public comments. OMB did not identify a deadline for completing its review. The agency generally has up to 90 days to complete its review, but can take less time than that.

In addition to defining the scope of prohibited information blocking conduct, the proposed rule is likely to address other issues of interest to health industry stakeholders. According to OMB, the proposed rule “would update the ONC Health IT Certification Program (Program) by implementing certain provisions of the 21st Century Cures Act, including conditions and maintenance of certification requirements for health information technology (IT) developers, the voluntary certification of health IT for use by pediatric healthcare providers, health information network voluntary attestation to the adoption of a trusted exchange framework and common agreement in support of network-to-network exchange, and reasonable and necessary activities that do not constitute information blocking. The rulemaking would also modify the Program through other complementary means to advance health IT certification and interoperability.”

Subscribe here to receive future updates from McDermott.