The onset of the COVID-19 public health emergency (“PHE”) led to a surge in the use of telehealth by health care providers. In addition, the PHE fueled a boom in the number of direct-to-consumer (“DTC”) telehealth platforms, many of which have relied upon COVID-19 regulatory waivers to launch and operate in multiple states across the nation. For the reasons discussed below, DTC telehealth platforms should re-visit their compliance plans and be prepared for increased state and federal regulatory scrutiny.
Concerns Proliferate for Telehealth Platforms
Recent reports by major newspapers and other health care media outlets have raised concerns about DTC platforms, particularly those platforms leveraging high patient-to-provider ratios to prescribe controlled substances. This kind of media attention has brought about increased scrutiny of these platforms by federal and state regulators. Moreover, allegations of improper care or non-compliance with applicable law may even spur ancillary service providers to cease doing business with the platforms, particularly where the ancillary providers receive prescriptions or orders resulting from telehealth encounters. Industry publications recently reported that: (i) federal prosecutors have begun investigating a behavioral telehealth platform, likely relating to the issuance of controlled substance prescriptions through the platform; and (ii) two major pharmacy chains have ceased filling controlled substance prescriptions issued by providers associated with certain behavioral telehealth platforms.
Regulatory Landscape & Waivers
Stakeholders should recognize that a multi-state telehealth platform will implicate the laws of every jurisdiction in which patients are located, including any federal laws that may apply. Therefore, a telehealth platform operating in all 50 states will, for example, need to comport with the laws governing corporate formation, provider licensure, scope of practice, and telehealth encounters in all 50 states.
In addition to applicable federal and state laws and regulations, providers or platforms reliant upon PHE-related waivers must similarly keep apprised of the status of any of the waivers that they rely upon. For example, New York continues to maintain a professional licensing waiver that enables certain providers, licensed out of state, to render care within the state, for the duration of the declared state of emergency. Similarly, with respect to Medicare, Congress extended certain Medicare telehealth flexibilities for 151 days following the conclusion of the PHE, as part of the Fiscal Year 2022 Omnibus appropriations bill. However, other states, including Florida, have not extended their declarations of a state of emergency, resulting in the rescission of emergency powers that previously enabled state agencies to relax or waive state health care laws or regulatory requirements.
Variety of Risks Present in Telehealth Arrangements
The severity and type of risk present in a telehealth business will vary—by jurisdiction, by provider type, by service offering, and by payor mix. For example, the Department of Justice has aggressively pursued health care fraud claims against individuals and entities involved in non-compliant telehealth models. Following a string of similar enforcement actions announced during the PHE, on April 20, 2022, the Department of Justice announced that it brought criminal charges against individuals involved in various non-compliant or impermissible telehealth models, including an arrangement whereby a provider allegedly ordered unnecessary genetic testing as a result of “sham” telemedicine encounters.
As such, it is important that telehealth platforms—and their investors, lenders, and other stakeholders—remain apprised of the regulatory pitfalls and risks associated with multi-state DTC platforms. Importantly, telehealth platforms should be prepared to modify their business models to reduce the risk of non-compliance with applicable laws or regulations, or in response to the rescission of COVID-19 waivers.
Notwithstanding the foregoing, and as evidenced by the waiver of numerous state-level licensing or telehealth requirements, there is increased awareness among elected officials, state regulators, and industry stakeholders, of the challenges posed by the regulatory regime facing health care providers and telehealth platforms who wish to render care across state lines. In light of this increased awareness, the waning of the PHE is an opportune time to advocate for the permanent adoption of PHE-related telehealth flexibilities or waivers. However, advocacy efforts may not timely address immediate or short-term business needs, given the breadth of the types of laws implicated by telehealth models, and given the number of jurisdictions serviced by many large telehealth platforms.
Key Legal Issues That Telehealth Platforms Should Consider
Identified below are some of the material health care regulatory concerns that should be visited, and revisited, by any DTC telehealth platform, as scrutiny of these platforms increases.
Corporate Practice of Medicine & Professional Entity Formation
- Does the state adhere to the corporate practice of medicine doctrine?
- Does the state require professional services to be rendered through a professional entity?
- What combination of entities will be required to effectuate the model in all of the states in which the telehealth platform operates?
Fee Splitting, Handling of Consumer/Patient Fees & Financial Relationships
- Does the state prohibit licensees, including physicians, nurse practitioners, or pharmacies, from sharing their professional fees with third parties?
- If so, how will patient fees be structured to comport with these restrictions?
- Do the financial relationships among the platform’s stakeholders comport with fraud, waste, and abuse laws, such as kickback or patient brokering prohibitions that may apply irrespective of payor source?
- What types of providers will render care via telehealth?
- Are all providers licensed or otherwise authorized to render care via telehealth to patients located in a given state?
- Are all nurse practitioners, physician assistants, or other licensees practicing within their respective scopes of practice? Are such licensees appropriately supervised, where supervision or oversight is necessary pursuant to applicable law in the jurisdiction(s) in which they practice?
Telehealth Encounter Requirements
- What type of telehealth encounters will take place on the platform?
- Do these encounters comport with telehealth encounter requirements set forth by applicable state laws, or government or private payor requirements? Does the state apply different standards, for example, to Medicaid encounters?
- Do these encounters comport with prevailing standards of care, particularly where a prescription is issued as a result of a telehealth encounter?
Prescriptions & Controlled Substances
- Does the state limit the types of products or drugs that may be prescribed via telehealth?
- Does the state impose any other requirements or restrictions upon the prescribing of controlled substances, beyond the requirements imposed by the Federal Controlled Substances Act?
- How will the platform market its services to consumers or patients and what will the marketing consist of?
- How will the marketing comply with the FDA rules regarding the marketing of prescription drugs and/or professional practice rules applicable to licensees?
- Does the platform treat certain data as consumer data? If so, at what point during the consumer’s interaction with the platform is the data generated governed exclusively by HIPAA? How is this disclosed to consumers?
- Were patients provided with appropriate consents, including a HIPAA Notice of Privacy Practices?
- Has the platform (whether in its role as a Covered Entity or Business Associate) adopted all necessary policies and procedures required by HIPAA?
- How will data be used for marketing, in compliance with applicable laws, including HIPAA?