Nick Merkin (nmerkin@compliagent.com) is CEO and Erin MacLean (emaclean@fandmpc.com, emaclean@compliagent.com) is Regional Compliance Director at Compliagent, located in Los Angeles, CA, as well as Attorney/Managing Shareholder at Freeman & MacLean PC, located in Helena, MT.
Even before many Americans were affected by the novel coronavirus and the resulting stay-at-home orders, school closures, and business shutdowns, telehealth was one of the fastest-growing segments of healthcare. Telehealth, a broadly defined term, includes the remote delivery of care by medical professionals, along with an array of services and technologies, such as artificial intelligence, virtual reality, and other interactive platforms.[1] Telehealth’s potential to expand access to care at reduced cost while maintaining high standards of quality is well suited for today’s value-based care models. Additionally, as a solution to overcrowded emergency rooms and expensive clinic space, many healthcare providers and patients can benefit from diagnostic modalities via remote platforms and technology-driven long-distance treatment options.
The COVID-19 crisis has created a more acute need for telehealth options where an in-person provider-patient encounter is impossible because of quarantine orders, childcare challenges, or transit restrictions. Indeed, the financial viability of many healthcare providers is now jeopardized because much necessary—but nonemergency—medical care has been postponed for lack of a safe way for providers to deliver needed services. Here, we identify several issues that compliance professionals should carefully consider when developing policies around a telehealth delivery system, as well as provide best practice considerations for maintaining a compliance program infrastructure.
Compliance challenges
Integrating telehealth care delivery into your healthcare organization’s compliance program can be an overwhelming prospect. Many technological questions exist concerning the right telehealth application to employ. Clinical concerns arise as to the efficacy of certain treatments delivered on a remote basis, as well as important programmatic questions in areas such as human resources and budgeting. Healthcare is one of the most regulated industries in the United States, and implementing any telehealth program increases the complexity of regulation related to treatment.
Provider-patient location requirements
Even during this time of increased regulatory flexibility and pandemic-related waivers, state laws related to licensing and telehealth regulations still present many of the biggest hurdles to implementing telehealth programs.[2] For example, many states require providers using telehealth technology across state lines to have a valid license in the state where the patient is located.[3] While many states still impose specific restrictions on the “originating site” (where the patient is located) and the “distant site” (the provider’s location) in the context of telemedicine care,[4] certain states (such as California[5] and Louisiana)[6] have eliminated these restrictions altogether. Allowing providers to conduct telehealth across state lines requires experienced compliance oversight regarding provider licensure and the implementation of related policies and training.
Reimbursement requirements
Although states are expanding reimbursement for telehealth services, reimbursement for telehealth does not yet have parity with in-person services.[7] As reimbursement evolves, providers and organizations need to make sure they meet payer-mandated documentation requirements for telehealth services. Compliance officers working in environments engaging in telehealth need to stay abreast of changes in state and federal law and ensure that their companies’ documentation and billing practices, as well as related policies and procedures, evolve in accordance with regulations.
Scope of practice and the provider-patient relationship
Telehealth providers are limited by scope-of-practice requirements. What services a healthcare professional is permitted to deliver is a function of state licensure requirements and guidance provided by professional organizations, such as the American Medical Association (AMA). In some cases, a provider’s scope of practice is deemed identical whether the medical care in question is provided in person or via a telehealth platform.[8] In other instances, states have imposed additional telehealth requirements regarding the establishment of the provider-patient relationship, informed consent, the location of the provider and patient, and the technological platform used to deliver care.[9]
The Federation of State Medical Boards’ (FSMB) Model Policy for the Appropriate Use of Telemedicine, for example, allows for the establishment of the provider-patient relationship without an initial in-person patient visit.[10] In contrast, some state laws have been interpreted as demanding an in-person patient encounter prior to subsequent treatment via telehealth.[11] In other states, the requirement of an initial face-to-face patient encounter is specialty-dependent. For example, West Virginia permits telehealth pathology and radiology services without an initial in-person evaluation but offers no such exception for other specialties.[12]
Telehealth-specific informed consents
Informed consent can be used to explain the nature of care by telehealth and communicate risks and benefits with the patient.[13] This process should also be used to address security measures pursuant to the provider’s security policies. Many times, such documentation includes a written form of receipt by the patient and agreement by the patient to comply with telehealth requirements. State laws vary regarding the requirement to obtain a telehealth-specific informed consent. At one extreme, Indiana law prohibits requiring a healthcare provider to obtain a telehealth-specific informed consent,[14] while most other states, such as Nebraska,[15] as well as the AMA and FSMB, mandate or recommend obtaining consents for treatment by telemedicine.
Medicare does not require that an informed consent be obtained from a patient prior to providing a telehealth-delivered service; however, many states either require obtaining informed consent within their Medicaid program or in statutes or rules regulating healthcare professionals.[16] Some states have varying informed consent requirements that depend on the type of provider. Regardless of the differences among state laws, obtaining informed consent is both a recommended best practice and, in some cases, a legally required step that providers must take to implement telehealth engagement with patients. Obtaining consent for patients and acknowledgment of a change in the way treatment is provided are important pieces of any telemedicine compliance program.
The format (e.g., paper or digital) and contents of your organization’s consent forms will depend on many factors, including the electronic medical record platform used by the organization and whether patients are able to review and acknowledge consents digitally; how or whether the patient is engaged by front-line administrative staff before seeing the provider; the provider type; the type of services to be provided; and additional considerations such as sensitivity of treatment information, confidentiality, and security. Again, compliance professionals need to know their state requirements and should take advantage of the tools available to them that provide real-time updates on telehealth policy.[17]
One helpful resource for compliance officers is The National Telehealth Policy Resource Center from the Center for Connected Health Policy, which provides updates and information about telehealth-related laws, regulations, and Medicaid programs for all 50 states and the District of Columbia. By staying informed of the changes that affect your organization, you can ensure that the organization continues to be on a course for success in the current environment.
Technological mandates and HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) modernized the flow of healthcare information and implemented many new rules related to the development and maintenance of telehealth.[18] To that end, many states also have detailed requirements pertaining to permissible technologies used by a telehealth platform, including specific camera resolution, display monitor size, audio clarity, and HIPAA compliance standards.[19]
HIPAA compliance also needs to be reviewed in light of changes in telehealth regulation. On March 30, 2020, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) released a notification for providers, stating that the OCR will exercise its enforcement discretion during the COVID-19 emergency.[20] The notification clarified that the OCR will not impose penalties for noncompliance with certain HIPAA rules against covered healthcare providers in connection with the good faith provision of telehealth during the pandemic.
Although providers may currently be permitted to use public platforms such as Skype, GoToMeeting, and Amazon Chime (in good faith, with an accompanying business associate agreement) for provision of some telehealth services and remain in compliance with HIPAA, organizations need to remember that such allowances may not remain when many COVID-19 allowances are lifted. Accordingly, compliance officers should continue to review risks related to platform telehealth usage within their organizations for HIPAA compliance questions and state-based healthcare information privacy requirements.
Fraud, waste, and abuse
Telehealth provides compliance officers with a new area of potential risk in relation to fraud, waste, and abuse laws. Three specific fraud and abuse triggers arising are improper coding, Anti-Kickback Statue violations, and free technology provided to patients.[21] The first telehealth False Claims Act case was settled in 2016.[22] The issues in that case revolved around psychiatric billing to Medicare for over-the-phone services. At the time, Medicare permitted some types of telehealth services for rural health in professional shortage areas; however, the coverage required interactive audio and video communication systems that permitted real-time communication between provider and patient. The telephone platform billed for was not permitted, and the patients treated were not located in a rural health professional shortage area. As a result, the provider billing was considered a false claim. A key part of compliance oversight in telehealth is ensuring that your organization’s telehealth platform(s) is/are covered for the service(s) being billed.
The current pandemic and response to crisis
In March, the Centers for Medicare & Medicaid Services released updated guidance regarding many of the areas discussed above in response to the COVID-19 crisis.[23] This guidance included, for example, eliminating payment for asynchronous medical care delivery in many instances and increasing the complexity of telehealth billing and payment requirements. The rapidly evolving climate surrounding COVID-19 continues to transform telehealth, with Centers for Medicare & Medicaid Services and other government agencies releasing new guidelines and updates on a near weekly basis. Those involved with maintaining telehealth program compliance will need to adapt to ongoing change well beyond the so-called “end” of the COVID-19 pandemic.
