As the United States is now more than one year into the COVID-19 pandemic and as life for many is returning to some sense of normalcy, this is a great time for healthcare organizations to evaluate their compliance with the legal and regulatory developments that happened at a rapid pace at the beginning of the pandemic, as well as to take steps to mitigate new legal risks that continue to unfold. This article is the third in a series of articles on healthcare-related legal and regulatory updates looking back to the beginning of the pandemic and looking forward to the hopeful end of the pandemic. For links to articles published by Dorsey on the business and legal implications of COVID-19 since the early days of the pandemic, see the Dorsey Coronavirus Resource Center.
The COVID-19 pandemic required health care providers of all sizes to make drastic changes to the mode of patient care delivery. Telehealth quickly emerged as a safe alternative to in-person patient visits, and many providers quickly transitioned to virtual services. The pandemic-initiated expansion of telehealth was rapid and significant, but the pandemic likely accelerated existing trends more than it created new ones.
The increased availability of telehealth has offered patients greater access to levels and types of care that would otherwise be difficult to obtain due to geography, limited appointment availability, or affordability. Despite the increased access to care and positive experiences with telehealth over the past year and a half, many regulatory actions temporarily enabling the use of telehealth services have expired or will end in the coming months.
What does the post-COVID future hold for telehealth? Health care industry leaders are tracking the following developments:
State professional licensure laws are major obstacles for telehealth providers wanting to offer telehealth services as an option for patients who reside or are otherwise located in other states. State laws governing the practice of medicine, nursing, social work, and other health professions generally require the provider furnishing care to be licensed in the state where the patient is located.
At the beginning of the pandemic, the spike in demand for virtual care led states to quickly take action to loosen or waive professional licensure requirements. Many states allowed out-of-state health care providers of all types to provide telehealth services to their residents, including Hawaii, Idaho, and Vermont. States such as Illinois and Maryland permitted telehealth practice only where a provider had a pre-existing relationship with the patient, and others only relaxed requirements for physicians or mental health providers, such as in Minnesota.
Post-pandemic, we expect to see continued efforts to remove licensing barriers faced by telehealth providers. Several states have enacted the Interstate Medical Licensure Compact or have entered into cross-border licensure waiver agreements with neighboring states, but these waiver agreements may only apply to certain practitioners or involve slow, costly application processes. Some states may follow the approach taken in Florida and Georgia, where health care providers can obtain a “telemedicine license” with less burdensome requirements.
Action on the federal level is also possible. In response to COVID-19, the Centers for Medicare & Medicaid Services (“CMS”) temporarily waived the Medicare requirement that providers be licensed in the state where they are delivering telemedicine services when practicing across state lines, subject to certain conditions. While this waiver does not exempt providers from licensure requirements under state law, subsequent action taken at the federal level may set a trend followed by state governments.
Providers should also be aware of existing state laws permitting the practice of telehealth across state lines when an existing patient is on vacation or attending college in another state. For example, in Minnesota, out-of-state physicians are exempt from licensure requirements if only providing telehealth services on an “irregular or infrequent basis” as defined in Minn. Stat. § 147.032. And Colorado allows non-Colorado-licensed health care providers to provide occasional services or consultation via telehealth to patients in Colorado as long as they meet certain requirements, such as maintaining certain levels of insurance, not maintaining an office in the state, and not informally or formally agreeing to provide care on a regular or routine basis. See Colo. Rev. Stat. § 12-240-107.
Before the pandemic, reimbursement options for telehealth were limited and low payment rates were a significant financial burden for providers seeking to provide telehealth services. As we described in a previous blog post, CMS implemented sweeping changes to Medicare reimbursement and coverage requirements at the start of the COVID-19 outbreak. Dozens of new services were added to the list of telehealth services covered by Medicare, restrictions on geography and originating sites were removed, and payment rates for telehealth services were raised to match the rates for the same in-person service.
On July 13, CMS released its annual proposed rule for payments under the Medicare Physician Fee Schedule, which would make many temporary Medicare flexibilities for mental and behavioral health services permanent. If finalized, the rule would allow beneficiaries to receive such telehealth services from home, reimburse providers for audio-only services, and keep certain recently added services on the Medicare telehealth list through December 31, 2023. The rule would require an in-person visit within six months prior to an initial telehealth service and at least once every six months thereafter, but CMS is seeking input on whether a different interval may be necessary or appropriate. The agency is also soliciting comment on:
- Whether additional documentation should be required in the patient’s medical record to support the clinical appropriateness of audio-only telehealth;
- Whether or not audio-only telehealth for particular high-level services should be covered; and
- What additional guardrails should be put in place in order to minimize concerns about program integrity and patient safety.
Several states have passed or proposed payment parity legislation that would permanently require insurance coverage and/or reimbursement for certain telehealth services at a level equal to in-person visits. For example, legislation was recently enacted in Oklahoma requiring payment parity for all telemedicine services. In states like Georgia and California, laws require equal coverage for both virtual and in-person services, but allow payers and providers to negotiate alternate payment rates. A recent Connecticut law requires payment parity for telehealth services under its state Medicaid program, and a Massachusetts law mandates payment parity for behavioral health services.
In response to the pandemic, the Office for Civil Rights (“OCR”) announced several telehealth flexibilities to allow providers to care for patients remotely during the pandemic. OCR announced it would not impose penalties on providers for noncompliance with certain HIPAA obligations in connection with their “good faith provision of telehealth” using any non-public communication platform, such as FaceTime or Zoom.
Given increasing concerns about cybersecurity and privacy risks, we expect continued discussions at the federal and state level about how to safeguard patients’ health information while allowing continued access to telehealth services. Providers should conduct a comprehensive risk assessment of their privacy and security protections and vendor agreements to ensure all telehealth technologies and IT systems comply with HIPAA standards.