Key Takeaways:

• Federal and state agencies are actively proposing and enacting health technology-related legislation and regulations.
• Trending telehealth topics include federal changes for prescribing opioid treatments, challenges presented by shifting state laws and expansions in veterinary telemedicine.
• The Centers for Medicare & Medicaid Services (CMS) updated guidance on permitted text messaging of orders, the National Institute of Standards and Technology (NIST) updated its Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule guidance, and the Department of Health and Human Services (HHS) plans to conduct a HIPAA Audit Review Survey.
• States are introducing laws targeting the regulation of artificial intelligence (AI) in clinical decision-making.

Federal and state agencies continue to remain active this year, particularly with regard to laws that impact healthcare technology. As part of our ongoing efforts to track health technology-related legislation and regulations, we have highlighted several legal developments below.

Trending in Telehealth

The Substance Abuse and Mental Health Services Administration (SAMHSA) Makes Permanent Some Telehealth Regulatory Flexibilities

SAMHSA in 2020 implemented several regulatory flexibilities in response to the COVID-19 pandemic, including relaxing some restrictions on the use of telehealth to initiate opioid treatment. After a period of regulatory stasis, SAMHSA in early February 2024 issued its final rule updating regulations impacting opioid treatment programs (OTPs). As part of its final rule, SAMHSA is now permanently permitting OTP practitioners to begin treatment involving the use of methadone or buprenorphine without an in-person visit in certain circumstances.

The final rule, however, draws a distinction between the two medications and what technology may be used to initiate the treatment. Specifically, an OTP physician, primary care physician or other authorized healthcare professional under the supervision of a program physician can initiate the use of buprenorphine via audio-only or audiovisual telehealth when the providers determine that a sufficient evaluation of the patient can be conducted via telehealth. The initiation of treatment for methadone, however, can only be initiated via audiovisual telehealth, since methadone presents a higher risk profile for sedation for patients with mild somnolence. SAMHSA clarified that the final rule does not permit the prescription of methadone via telehealth outside the OTP context and instead applies to the ordering of methadone by OTP practitioners and dispensing to the individual under existing OTP procedures.

The final rule is effective April 2, and the compliance deadline is October 2. Affected OTP practitioners should review their telehealth compliance program to determine whether their operations align with the now permanently permitted telehealth practices.

Providers Grapple with Recission of State Telehealth Waivers

The COVID-19 pandemic brought with it a sea change within the healthcare industry, albeit a temporary one, that shifted toward an embrace of telehealth to provide care. Federal as well as state laws were quickly reshaped to fit the virtual landscape, resulting in relaxed policies around state licensure requirements, in-person care restrictions, and permitted treatments over audiovisual and audio-only technology. As the federal COVID-19 public health emergency ended, so did similar state declarations, and resultantly, states retracted their once-flexible positions on telehealth care. Reports show that consumer use of telehealth is waning, though not for all specialties, as mental health services via telehealth remain popular.

Therefore, providers must now navigate myriad laws and regulations based on state law policy approaches to permitted telehealth licensure. Many states still require that a provider be licensed to practice within the state where the patient is located. Some states impose criminal charges for providers who practice telemedicine without a license; such a law in New Jersey is currently being challenged in a lawsuit bought by an oncologist licensed in Massachusetts who previously provided care via telehealth to a cancer patient located in New Jersey. That said, New Jersey recently took steps to address the ongoing mental health crisis by joining the interstate Counseling Compact. In passing the law, New Jersey is now a member state that, under the compact, permits licensed professional counselors to practice professional counseling in other member states via telehealth.

Some states provide a process for out-of-state providers to obtain a telehealth license when seeking to provide care via telehealth in a particular state. Other states permit out-of-state doctors to register or obtain a waiver from the state medical board to practice in specific states.

Other challenges for providers include understanding the permitted technology for certain care – synchronous versus asynchronous modalities, for example – permitted electronic prescribing, whether a doctor can establish a relationship with a patient via telehealth, and whether other healthcare practitioners (i.e., nonphysicians) can provide care via telehealth. Providers would be prudent to review the latest laws in the states in which they anticipate providing care via telehealth.

California Expands Access to Veterinary Telemedicine

A landmark California law expanded telehealth practices for veterinarians providing pet care via telehealth. As is the case with telehealth care for humans, state laws have historically required in-person visits to establish the “veterinarian-client-patient relationship.” Under the California law, veterinarians can now establish the veterinarian-client-patient relationship via telehealth, providing for increased access to care for pets. Veterinarians are required to inform clients of the potential limitations of telehealth and obtain consent from the client to use telehealth. Veterinarians are also permitted to prescribe via telehealth, subject to some restrictions regarding the type of prescriptions and the duration of the treatment. Stakeholders believe the law will streamline care sought by pet owners and simplify access to certain treatments for pets. Given the size of California and the permissions of the law, it may impact how other states approach their laws regarding veterinary telemedicine.

CMS Updates Guidance on Texting Orders

CMS updated its guidance to allow providers to text patient orders as long as the text messages are sent through a secure texting platform that complies with HIPAA and applicable program Conditions of Participation. This is a slight departure from its 2018 guidance, when CMS took the position that texting patient orders from a provider to a member of the care team would not be compliant with the relevant Conditions of Participation that require all providers to use and maintain secure and encrypted systems/platforms, ensure the integrity of author identification, and adhere to the HIPAA rules to minimize risks to patient privacy and confidentiality.

In the new guidance, CMS acknowledges the development of new technological improvements, including encryption and application interface capabilities of texting platforms that can send data directly to electronic medical records platforms. However, CMS reiterated that it still prefers that Computerized Provider Order Entry be the method used to enter an order by a physician or advanced practice provider because the order is dated, timed, authenticated and immediately placed in the medical record. Given the guidance, providers would be prudent to ensure that any platform used to send orders via text message is HIPAA compliant.

Notably, The Joint Commission, which has historically taken the position that healthcare providers could not text patient care orders, has updated its Frequently Asked Questions page on text messaging standards to indicate that the “practice of texting patient orders is currently under review.” We will continue to monitor for any additional guidance from The Joint Commission.

NIST Updates HIPAA Security Rule Guidance

Dovetailing with the recently published Cybersecurity Performance Goals – practices outlined by HHS that are aimed at protecting the healthcare industry from cyberattacks, as covered in a previous blog – NIST published a new version of its cybersecurity resource guide for complying with the HIPAA Security Rule, which aims to offer a practical tool for covered entities and business associates to safeguard electronic protected health information. Major changes to the updated cybersecurity resource guide include resources dedicated to smaller entities, such as updated tools, use cases and guidance tailored to smaller organizations. NIST also updated its appendices containing helpful tools and resources so that the Security Rule Standards and Implementation Specifications Crosswalk included in the guidance is available online and more clearly maps to the NIST Cybersecurity Framework.

State Laws Regulating AI in Decision-Making

Following the release of an executive order setting forth industry standards on the use of AI and an Office of the National Coordinator for Health Information Technology final rule that included certification updates aimed at algorithmic transparency – both covered in a previous client alert – there has been an increase in proposed legislation and other guidance aimed at the regulation of AI.

Several states have proposed legislation aiming to regulate the use of AI, including within the context of healthcare decision-making. California proposed a law that would prohibit healthcare service plans from discriminating on the basis of race, color, national origin, sex, age or disability through the use of clinical algorithms in its decision-making. Illinois proposed a law requiring hospitals, before using a diagnostic algorithm to diagnose a patient, to confirm that the algorithm was certified by the state’s Department of Public Health and Department of Innovation and Technology, that the algorithm’s accuracy is equal to that of other diagnostic means, and that the algorithm is not the only method of diagnosis available to patients. The Illinois law would require that patients be notified before the use of a diagnostic algorithm. Maine proposed a law prohibiting healthcare facilities from adopting policies for using algorithms that limit or substitute for direct care and judgment provided by a nurse. Additionally, Massachusetts, Rhode Island and Texas each proposed legislation that would regulate the use of AI in the provision of mental health services.

In January, Georgia introduced legislation that would amend the insurance laws to prohibit insurers from making coverage determinations based solely on results derived from AI or automated decision tools and require automated decision tools be reviewed “by an individual with authority to override said AI or automated decision tools.” The law would also prohibit any clinical decision-making based solely on results derived from the use or application of AI or utilizing automated decision tools and would require any clinical decision that resulted from the use or application of AI or automated decision tools to be reviewed “by an individual with authority to override said AI or automated decision tools.”

We will continue to monitor health technology-related legislation and regulations that could impact health technology stakeholder operations.

[View source.]