In a fourth amendment to the March 17, 2020, Public Readiness and Emergency Preparedness Act (PREP Act), the US Department of Health and Human Services (HHS) has expanded access to COVID-19 Covered Countermeasures through telehealth and clarified the scope of liability protections provided by the PREP Act. In particular, the declaration is important to telehealth providers because it appears to preempt, under certain circumstances, state laws that have limited cross-border practice of medicine using telehealth. Healthcare providers should take note that the licensure exception and any immunity protections are limited to healthcare providers who are ordering or administering a Covered Countermeasure and there is no indication of intent to expand beyond these focused measures.
The Centers for Medicare & Medicaid Services (CMS) continues to loosen the conditions for participation in Medicare, as well as specific reimbursement requirements, to ensure facilities and practitioners are able to practice at the top of their license and across state lines without jeopardizing Medicare reimbursement. Unfortunately, as demonstrated when CMS took similar actions over the past few weeks in response to the Coronavirus (COVID-19) pandemic, headlines tend to overlook one fundamental component of the applicable regulatory regime: state law requirements.
Unlike the Veterans Affairs Administration’s (VA’s) action a few years ago, which preempted state licensing law for purposes of implementing a VA telemedicine program, the Department of Health and Human Services has limited its actions during the COVID-19 pandemic to modifications of federal regulations and rules. Secretary Alex Azar, in a letter to the Governors, instead encouraged the states to take action themselves to similarly loosen state laws to ensure maximum utilization of resources. The states have been doing so, in some instances since early March, with different approaches. These differences stem from a large number of variables that are implicated by state licensure laws.
Key Takeaways: The practical implication for the provider community is that new standards for Medicare need to be adopted in harmony with existing state law requirements, which, unfortunately, are not uniform across the country. Nevertheless, nearly every state has taken action to loosen cross-border licensing restrictions for healthcare professionals and has modified other rules and regulations to help protect healthcare workers, maximize their numbers and help them practice at the highest level of their experience and training. There is a national movement in this direction, but it remains a patchwork.
For a deeper dive into telemedicine regulations during the COVID-19 pandemic, visit our Coronavirus Resource Center, which features articles, webinar recordings and videos on the telemedicine issues you need to know.
The federal government has offered substantial incentives to providers to adopt and use certified electronic health record (EHR) technology. As of October 2018, the federal government had paid over $38 billion in EHR incentive payments through the Promoting Interoperability Program (formerly, the Meaningful Use Program). Other federal health care program policies also encourage use of certified EHR technology through enhanced payments or avoidance of decreased reimbursement. These EHR-related payment policies, however, have triggered increased oversight and enforcement attention on EHR vendors who have allegedly misrepresented the capabilities of their EHR software and allegedly paid kickbacks to customers.
In 2017, DOJ announced a settlement with eClinicalWorks (eCW), an EHR vendor, to resolve an FCA lawsuit originally brought as a qui tam action by a whistleblower. DOJ’s complaint-in-intervention alleged that eCW made material false statements and concealed material facts about the capabilities of its software in connection with the government’s EHR certification process. It also alleged that eCW paid purported kickbacks in connection with certain marketing arrangements (i.e., a referral program, site visit program, and a reference program) with influential customers to induce them to recommend eCW’s EHR software, in violation of the federal Anti-Kickback Statute (AKS).
As part of the settlement, eCW agreed to pay $155 million and to enter into a novel, five-year Corporate Integrity Agreement (CIA) with the HHS OIG. Among other things, the CIA required eCW to engage an independent Software Quality Oversight Organization to assess eCW’s software quality control systems and to regularly report to OIG and eCW on its reviews and recommendations. Further, the CIA required eCW to offer free upgrades and data transfers to its current customers. This was a ground-breaking settlement that raised the question of whether this was the beginning of government and whistleblower attention on (and FCA actions against) EHR vendors. This question was seemingly answered in the affirmative when DOJ announced a second settlement with an EHR vendor in early 2019.
On February 6, 2019, EHR vendor Greenway Health LLC (Greenway) entered into a similar settlement to resolve an FCA case filed by the US Attorney’s Office in Vermont. Interestingly, a whistleblower did not initiate the Greenway case. Rather, DOJ pursued it directly. Like eCW, Greenway faced allegations that its EHR system did not function in the way it represented it during the certification process. One specific allegation was that Greenway provided some customers whose EHR software was improperly calculating certain meaningful use measures (which providers are required to achieve to be eligible for incentive payments) with incorrect calculations in order to enable them to receive incentive payments. According to DOJ, this allegedly caused some Greenway customers to submit false claims to HHS for payment under the Promoting Interoperability Program.
As in the eCW case, the government complaint against Greenway also alleged that certain payments from Greenway to its customers pursuant to certain reference, referral, and site visit programs [...]
Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report.
- EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR’s potential applicability to their operations and take heed of any GDPR obligations, including, but not limited to, enhanced notice and consent requirements and data subject rights, as well as obligations to execute GDPR-compliant contracts with vendors processing personal data on their behalf.
- California passes groundbreaking data privacy law. The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, will regulate the collection, use and disclosure of personal information pertaining to California residents by for-profit businesses – even those that are not based in California – that meet one or more revenue or volume thresholds. Similar in substance to the GDPR, the CCPA gives California consumers more visibility and control over their personal information. The CCPA will affect clinical and other scientific research activities of academic medical centers and other research organizations in the United States if the research involves information about California consumers.
- US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) continues aggressive HIPAA enforcement. OCR announced 10 enforcement actions and collected approximately $25.68 million in settlements and civil money penalties from HIPAA-regulated entities in 2018. OCR also published two pieces of guidance and one tool for organizations navigating HIPAA compliance challenges in the digital health space.
- Interoperability and the flow of information in the health care ecosystem continue to be a priority. The Office of the National Coordinator for Health Information Technology (ONC) submitted its proposed rule to implement various provisions of the 21st Century Cures Act to the Office of Management and Budget (OMB) in September 2018; this is one of the final steps before a proposed rule is published in the Federal Register and the public comment period opens. The Centers for Medicare & Medicaid Services (CMS) released its own interoperability proposed rule and finalized changes to the Promoting Interoperability (PI) programs to reduce burden and emphasize interoperability of inpatient prospective payment systems and long-term care hospital prospective payment systems.
This week, the Federal Trade Commission (FTC or Commission) released an interactive tool (entitled the “Mobile Health Apps Interactive Tool”) that is intended to help developers identify the federal law(s) that apply to apps that collect, create and share consumer information, including health information. The interactive series of questions and answers augments and cross-references existing guidance from the US Department of Health and Human Services (HHS) that helps individuals and entities—including app developers—understand when the Health Insurance Portability and Accountability Act (HIPAA) and its rules may apply. The tool is also intended to help developers determine whether their app is subject to regulation as a medical device by the FDA, or subject to certain requirements under the Federal Trade Commission Act (FTC Act) or the FTC’s Health Breach Notification Rule. The Commission developed the tool in conjunction with HHS, FDA and the Office of the National Coordinator for Health Information Technology (ONC).
Based on the user’s response to ten questions, the tool helps developers determine if HIPAA, the Federal Food, Drug, and Cosmetic Act (FDCA), FTC Act and/or the FTC’s Health Breach Notification Rule apply to their app(s). Where appropriate based on the developer’s response to a particular question, the tool provides a short synopsis of the potentially applicable law and links to additional information from the appropriate federal government regulator.
The first four questions cover a developer’s potential obligations under HIPAA. The first question explores whether an app creates, receives, maintains or transmits individually identifiable health information, such as an IP address. Developers may use the tool’s second, third and fourth questions to assess whether they are a covered entity or a business associate under HIPAA. The tool’s fifth, sixth and seventh questions help developers establish whether their app may be a medical device that the FDA has chosen to regulate. The final three questions are intended to help users assess the extent to which the developer is subject to regulation by the FTC.
Although the tool provides helpful, straightforward guidance, users will likely need a working knowledge of relevant regulatory principles to successfully use the tool. For example, the tool asks the user to identify whether the app is “intended for use” for diagnosis, cure, mitigation, treatment or disease prevention, but does not provide any information regarding the types of evidence that the FDA would consider to identify a product’s intended use or the intended use of a mobile app (e.g., statements made by the developer in advertising or oral or written statements). In addition, how specifically an app will be offered to individuals to be used in coordination with their physicians can be dispositive of the HIPAA analysis in ways that are not necessarily intuitive.
The tool provides a starting point for developers to raise their awareness of potential compliance obligations. It also highlights the need to further explore the three federal laws, implementing rules and their exceptions. Developers must be aware of the tool’s limitations—it does not address state laws and is not intended to provide [...]