US Department of Health and Human Services

As previously noted in our Digital Health Mid-Year Review, 2018 has seen greater acceptance of telemedicine within the Medicare program. Both regulatory and statutory changes have expanded reimbursement opportunities and, consequentially, opportunities for the deployment of telemedicine technologies. As we noted then, however, improvement in the Medicare reimbursement environment for telemedicine services has been tied to a policy goal of not increasing utilization unnecessarily. We noted in our Mid-Year Review that Congress appears to be following MedPac’s recent guidance that Congress “should take a measured approach to further incorporating telehealth into Medicare by evaluating individual telehealth services to assess their capacity to address. . . cost reduction, access expansion, and quality improvement.”

The recently introduced Reducing Unnecessary Senior Hospitalizations Act of 2018 (the RUSH Act), seems to deviate from MedPac’s suggested approach. The RUSH Act seeks to avoid hospitalizations through a program that creates financial incentives for providing certain nonsurgical services furnished by hospital emergency departments at skilled nursing facilities that are qualified to provide such services by the Secretary of Health and Human Services The RUSH Act specifically refers to the possibility that some of these services could be provided by licensed practitioners “through the use of telehealth.” Interestingly, the RUSH Act does not specify what telehealth services should be allowable or how they should be reimbursed; rather, the RUSH Act leaves these matters for agency determination.

According to Representative Diane Black (TN), one of the bill’s sponsors, “[t]here are companies who are ready and able to provide this innovative care. . . . These positive disruptors just need Medicare’s payment policies to catch up with the technology. . . giving [nursing homes] the technology-enabled tools needed to lower health care costs and, most importantly, save lives.”

As an observer of this industry, I tend to agree with this claim, but under the approach taken by this bill, that determination will need to be made by the Department of Health and Human Services. Digital health companies looking for a better reimbursement environment are well-advised to focus on the bottom line of federal health policy–lower cost, improved care and increased access.

As digital health innovation continues to move at light speed, both new and incumbent stakeholders find themselves on a new frontier—one that challenges traditional health care delivery and payment frameworks, in addition to changing the landscape for product research, development and commercialization. Modernization of the existing legal framework has not kept pace with the rate of digital health innovation, leaving no shortage of obstacles, misalignment and ambiguity for those in the wake.

What did we learn in 2017 and what’s to come on the digital health frontier in the year ahead? From advances and investments in artificial intelligence (AI) and machine learning (ML) to the increasingly complex conversion of health care innovation and policy, McDermott’s Digital Health Year in Review details the key developments that shaped digital health in 2017, along with planning considerations and predictions for the health care and life science industries in 2018.  Continue Reading On the Digital Health Frontier: Developments Driving Industry Change in 2018

President Trump declared the opioid addiction epidemic a public health emergency yesterday. The White House made it clear that this declaration would allow officials to remove barriers to the prescribing of controlled substances via telemedicine, which would permit DEA registered providers to prescribe anti-addiction medications, such as Naloxone, to patients in need without first performing an in-person exam.

As background, the Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (the Haight Act) requires a telemedicine provider who is prescribing a controlled substance to a patient to perform an in-person medical evaluation of the patient prior to prescribing a controlled substance, unless one of the narrow telemedicine exceptions set forth in the Haight Act applies. Additional information on the Ryan Haight Act and the implications of this declaration can be found here.

There are many important questions remaining to be answered, including whether any funding will be available to support the implementation of this declaration and whether the declaration will be renewed upon its expiration in 90 days. The answers to these questions are important to healthcare providers who will need to invest resources and time into developing telemedicine programs to reach more substance use disorder patients, which may take longer than 90 days to implement.

On July 31, 2017, President Donald Trump’s Commission on Combating Drug Addiction and the Opioid Crisis recommended that he declare the opioid epidemic a national emergency. In August 2017 and again on October 16, 2017, the president indicated he would declare the opioid crisis a national emergency. While it is apparent that the nation is suffering a drug overdose and opioid-specific crisis, the question remains as to what effect such a declaration would have on combatting the crisis.

The president’s powers to declare a national emergency arise from the Stafford Act, and once a national emergency is declared, it enables 1) access to US Department of Homeland Security ‒ Federal Emergency Management Agency (FEMA) funding, with states able to request grants for the specific purposes of treating opioid addiction; 2) the ability to re-appropriate federal agency workers, such as those employed by the agencies under the US Department of Health and Human Services (HHS) umbrella, to specifically research and treat opioid addiction; and 3) waiver of federal Medicaid regulations to provide additional aid to beneficiaries, ensuring sufficient health care items and services are available to meet the needs of beneficiaries. Such a declaration would undoubtedly open up both federal and state governments to formulate a comprehensive, unified strategy to combat the opioid epidemic sweeping the nation. Continue Reading The Opioid Crisis: Declaring a National Emergency and the Effect on Remote Prescribing through Telemedicine

On May 31, 2017, the US Department of Justice announced a Settlement Agreement under which eClinicalWorks, a vendor of electronic health record software, agreed to pay $155 million and enter into a five-year Corporate Integrity Agreement to resolve allegations that it caused its customers to submit false claims for Medicare and Medicaid meaningful use payments in violation of the False Claims Act.

Read the full article.

The Electronic Health Records (EHR) Incentive Program run by Centers for Medicare and Medicaid Services (CMS) garnered attention again last week following the release of a report by the Office of Inspector General of the US Department of Health and Human Services (OIG) describing inappropriate payments to physicians under the program. The report follows on the heels of a high-profile settlement under the False Claims Act between the US Department of Justice and an EHR vendor related to certified electronic health record technology (CEHRT) used in the EHR Incentive Program (which we’ve previously discussed in-depth).

The OIG reviewed payments to 100 eligible professionals (EPs) who received EHR incentive payments between May 2011 and June 2014 and identified 14 inappropriate payments. OIG extrapolated the results of the review to the 250,470 total EPs who received incentive payments during that time period and estimated that CMS made approximately $729 million in inappropriate EHR incentive payments out of a total of just over $6 billion in such payments during the review period. Continue Reading OIG Reports More Than $731 Million in Inappropriate Medicare Meaningful Use Payments

On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with a focus on patients who are at risk for cardiac arrhythmias.

In January 2012, the remote monitoring company reported that a workforce member’s laptop containing the ePHI of over a thousand individuals was stolen from a parked vehicle outside of the employee’s home. A little over one year later, the same company reported a second breach that compromised the ePHI of twice as many individuals (details regarding this breach were not provided by OCR).

OCR’s investigation revealed that the company allegedly had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, the company’s draft policies and procedures implementing the standards of the HIPAA Security Rule had never been implemented, and the company was also unable to produce final versions of any policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

Continue Reading Recent $2.5 Million OCR Settlement Is a Warning to Wireless Health Service Providers

On December 7, 2016, the US Congress approved the 21st Century Cures Act (Cures legislation), which is intended to accelerate the “discovery, development and delivery” of medical therapies by encouraging public and private biomedical research investment, facilitating innovation review and approval processes, and continuing to invest and modernize the delivery of health care. The massive bill, however, also served as a vehicle for a variety of other health-related measures, including provisions relating to health information technology (HIT) and related digital health initiatives.  President Barack Obama has expressed support for the Cures legislation and is expected to sign the bill this month.

The HIT provisions of the Cures legislation in general seek to:

  • Reduce administrative and regulatory burdens associated with providers’ use of electronic health records (EHRs)
  • Advance interoperability
  • Promote standards for HIT
  • Curb information blocking
  • Improve patient care and access to health information in EHRs

As public and private payers increasingly move from fee-for-service payments to value-based payment models, with a focus on maximizing health outcomes, population health improvement, and patient engagement, HIT—including EHRs and digital health tools—will be increasingly relied upon to collect clinical data, measure quality and cost effectiveness; assure continuity of care between patients and providers in different locations; and develop evidence-based clinical care guidelines.

Read the full article.

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

Read the full article here.