In support of the American Telemedicine Association's Telehealth Awareness Week (September 19-25, 2021), Jones Day's Digital Health team shared key insights on various legal topics applicable to telehealth.
Unique State Compliance Considerations
While the jury is still out on whether the pandemic-related waivers related to state telehealth laws and regulations will be permanent, the last year and half has confirmed that delivery of at least certain clinical services via telehealth is highly effective. In that regard, the telehealth use-cases for both certain home-based care (palliative care services, for example) and behavioral and mental health services seem beyond debate. As telehealth companies continue to drive into these areas of care, state laws and regulations (both those applicable now and those likely following the public health emergency) concerning practitioner licensure and supervision, informed consent, and data/patient privacy, among others, must be carefully analyzed as entities seek to operate compliantly in an area of increasing regulatory enforcement.
State legislative and regulatory activity continues to normalize telehealth as an important tool for the delivery of health services. However, unsettled interpretations of traditional health regulations given telehealth use cases and rapidly evolving telehealth-specific requirements necessitate building compliance policies for on-going education, training, and periodic updates of applicable requirements. As an example, the last few months saw new legislation in at least 11 states modifying telehealth modality requirements and two states (Mississippi and New Jersey) implemented unique telehealth registration requirements for telehealth organizations.
Individual states continue to be concerned with health information regulation and the provision of telehealth. California's Attorney General issued a bulletin reminding health care providers of their duty to notify the Attorney General in the event of a "data breach" affecting 500 or more California residents. (Read more in this Jones Day Alert.) Likewise, many state laws such as the Illinois Biometric Information Privacy Act and the New York Shield Act define personal information to include biometric data, which telehealth companies may collect and use in connection with their services. It is imperative that the organizations operating in the telehealth space closely monitor and comply with evolving state regulations that govern their businesses, and implement the necessary technical and security measures to protect such data from loss, or authorized access, use, or disclosure.
The Federal Trade Commission (FTC) recently issued a policy statement reaffirming that health apps and connected devices that collect or use consumer health information must comply with the Health Breach Notification Rule, which requires personal health records and other related entities to notify consumers, the FTC and, in certain circumstances, the media, in the event of a breach of unsecured identifiable health information. This statement is a good reminder of the scope of legal requirements that holders of health information must consider. Carefully constructing a business model to avoid being subject to HIPAA does not exempt entities from other federal and state privacy and breach notification laws. Moreover, the FTC has indicated concerns about the personal and health data collection and use practices of technology companies, so enforcement of the Health Breach Notification Rule and further regulation may be forthcoming and should be monitored.
While various requirements of HIPAA have been eased during the COVID-19 pandemic and have allowed flexibility with respect to the technologies used to conduct telehealth visits, digital healthcare providers should expect these flexibilities to be phased out once the pandemic starts to come to end. Given the short-term nature of these flexibilities, telehealth providers currently using non-HIPAA compliant technology need to diligently monitor for when these flexibilities are ended or should otherwise ensure that they are following HIPAA requirements, including by using only vendors offering HIPAA-compliant technology solutions and who are willing to sign business associate agreements. Digital healthcare providers will, therefore, need to continue to carefully assess their technology platforms and vendor arrangements to ensure they are adequately complying with HIPAA and protecting their patient data when providing telehealth services.
Cross-Border Second Opinions & Health Services
As telehealth expands beyond our U.S. borders, the potential for improved health and wellness expands as well, bringing closer the possibility of access to health care services around the globe. The patchwork of law and regulations in countries around the world presents unique challenges, including licensure, registration, standard of care, local physician engagement, privacy (for example, see Jones Day's Commentary on privacy requirements in China), medical records maintenance, and others. In addition to the laws directly applicable to telehealth providers, some countries require telehealth technology companies to separately register as electronic services providers. With advice from local counsel and the thoughtful structure of the transaction and use of technology, these challenges can be managed to ensure the compliant delivery of telehealth services.
Evolving Federal Tax Considerations
Among the many lessons learned from the pandemic, one that stands out is how access to telehealth services can make a difference in patient care for countless communities breaking down geographic barriers to care. Although many state regulators and payors have stepped up to make expanded access possible during the public health emergency and ensure that payment follows—one of the two fabled certainties of life, taxes, remains something of a mystery for nonprofits. Until the IRS steps up, the best course available to ensuring that the increased revenues from telehealth do not become unrelated business taxable income for nonprofits is to develop standard documentation protocols to demonstrate the existence of a provider-patient relationship with as many of the same indicia in the virtual realm as for in-person visits as circumstances reasonably allow.
Government Program Reimbursement
Most reimbursement structures and policies were built for in-person care, not telehealth delivery models. Although reimbursement programs increasingly advance coverage for telehealth, especially among private payors, government programs are mired in traditional details for enrollment, coverage, and participation not yet adapted for telehealth. Further, government reimbursement programs often incorporate complex modality and location telehealth-specific limitations, in addition to limiting telehealth for only certain services and codes. In fact, the plethora of waivers necessary for reimbursement of services delivered via telehealth for Medicare and Medicaid patients during the public health emergency are just that, waivers or proposed areas for enforcement discretion, and not the significant legislative and regulatory action needed to sustain the current availability of these telehealth offering during the lingering effects of and after the PHE.
Evolving State Tax Considerations
The pandemic created the necessity to experiment with remote work, and telehealth gained popularity by providing an alternative to those concerned about in-office visits. State taxing authorities applied a soft approach for 2020, but that changed in 2021 as remote employee guidance has solidified in some states. Entities conducting telehealth businesses, as well as doctors, need to evaluate their corporate and personal income tax liabilities, which will be affected by their headquarters location and the location of doctors and their patients. In addition, states already expanding the jurisdictional reach of sales and use taxes are paying close attention to remotely accessed software platforms, and their integration with the services rendered, for the opportunity to apply their transactional taxes. It is essential for providers to identify potential multistate sales tax implications for telehealth services when designing telehealth service platforms.
Most but not all states have passed "parity" laws mandating coverage for telehealth services. State laws will continue to vary with respect to their specific requirements, including whether real-time videoconferencing or store-and-forward services are covered and whether reimbursement must be paid in the same amount as for in-person services. Medicare Advantage and other government plans are increasingly being encouraged by legislations and agency guidance to expand their telehealth offerings, but these plans will continue to be subject to very different regulatory frameworks from private payers. Given this complicated regulatory framework, payer and telehealth providers will need to continue carefully assessing benefits and reimbursement obligations on a state-by-state and product-by-product basis for the foreseeable future.
Federal Enforcement Keeps Pace with the Expansion of Telemedicine Services
As telemedicine services expand, federal government enforcement grows alongside. Even before the COVID-19 pandemic, federal enforcement in the telemedicine area was on the rise and focused largely on what HHS-OIG has described as "telefraud"—the leveraging of telehealth platforms to sell expensive items like durable medical goods and genetic testing. Federal enforcement agencies, however, have taken note of the COVID-related expansion in telemedicine services and have recently targeted not just "telefraud," but also the telemedicine consults themselves. So far, most of the activity has been in the criminal arena, but enforcement actions have also included False Claims Act settlements and, as HHS-OIG nears completion of its telemedicine audits, may also include administrative action as well. Given the upswing in scrutiny, telemedicine companies should take the opportunity to assess the robustness of their compliance programs, the accuracy and completeness of provider documentation, and, given the government's focus on kickback issues, the structure and purpose of their relationships with third parties. Read Jones Day's Commentary for more details.
Labor & Employment Considerations
Issues related to remote work are particularly salient in the telehealth industry, where employers may operate digital platforms that—by design—remotely connect patients and providers in different locations. For example, a provider may be physically located in one state, be engaged by a company in another state, and provide services to customers in multiple other states. It remains to be seen how increasing numbers of these arrangements will impact traditional notions of which state and local employment laws apply to a particular individual. This is one of many issues presented by remote work arrangements, which include wage and hour compliance, provision of employee benefits and leaves of absence, and hiring and termination practices, among others.
Telehealth companies engaging independent contractors should continue to monitor the evolving classification tests in different jurisdictions across the country. Multiple states have adopted a version of the "ABC test" which generally sets a higher bar than the traditional multi-factor tests for establishing that an individual is properly classified as an independent contractor. Whether certain health care providers (such as physicians) are exempt from the more stringent ABC tests also varies by state. Understanding the applicable test in jurisdictions where telehealth companies engage contractors remains an important part of evaluating compliance and risk. Telehealth companies should also assess factors that may increase the risk of a misclassification claim, such as a high degree of supervision and direction, or having employees and contractors performing the same job.
FDA Launches New Office of Digital Transformation
The United States Food and Drug Administration recently announced the creation of its new Office of Digital Transformation, with the stated mission of providing high quality, secure, and efficient information technology and data solutions that enable the agency to better promote and protect the public health. According to the agency, creation of the Office of Digital Transformation helps prioritize effective and efficient use of data by reorganizing IT, data, and cybersecurity functions across the entire agency and in support of the Technology and Data Modernization Action Plans. Launch of the reorganized and elevated Office reporting directly to the Commissioner illustrates the FDA's commitment to improving its own technological capabilities as the healthcare industry itself continues to shift toward an increasingly technology based sector.
The FDA has been actively implementing agency-wide technology modernization efforts in accordance with its 2019 Technology Modernization Action Plan, which set forth several specific action items the agency intended to take in order to better modernize and improve its use of technology across a wide array of regulatory categories. Launch of the Office of Digital Transformation helps further this initiative by advancing and implementing key technological improvements across the agency in order to better protect and advance the public health.
State Actions & Professional Boards
Telehealth is going mainstream. The pandemic accelerated the trend and brought it squarely into governor's mansions across the nation. As state legislators return to work, we're seeing more legislation permitting remote telehealth services, requiring payment by state public health benefit programs and directing professional boards to develop and publish supporting rules. Enforcement inevitably follows. We're in the early innings and expect increasing interest and activity by state AG's and professional boards.
Reimbursement for Digital Health in the Post-COVID World
Concurrent shifts in care delivery and care reimbursement are creating a myriad of challenges and opportunities. Without a doubt, needs precipitated by the pandemic have hastened the adoption and acceptance of digital health solutions, creating unprecedented prospects for telehealth and digital health providers. As those needs subside, and a new normal emerges, the focus will undoubtedly shift from "how do we continue to treat patients when the ability to provide in-person care is limited?" to "how should new care delivery modalities be reimbursed in the long-term?" As healthcare expenditures climb once again—not only as a function of the cost of COVID diagnosis and treatment but also as the release of pent-up demand for routine/elective care—there will very likely be a renewed focus on value-based reimbursement methodologies. Telehealth and digital health providers that understand how best to navigate value based payment systems—a skill set many currently lack—will be best positioned to be market leaders.
CINs, ACOs, & Value-Based Networks
The COVID crisis forced telehealth providers to mature reimbursement practices at an unprecedented pace. So many industry participants that just two years ago were mostly focused on point-of-service consumer payment now find themselves contracting with payors large and small. As a result, the reimbursement paradigm has changed—for many telehealth providers—to more closely follow the conventional provider payment model. For these telehealth providers, this has resulted in an outstanding opportunity to grow their revenue base and increase market participation. While Jones Day has helped a number of telehealth providers with commercial payer contracting strategy, we have seen few telehealth providers look to contract with clinically integrated networks, accountable care organizations, or similar sorts of value-based networks. There are at this point literally thousands of these networks in existence throughout the United States. They look to coordinate care, driving efficiencies in care while maintaining or improving quality and increasing provider and patient satisfaction—the "Triple Aim" of the Affordable Care Act. The Firm works with many of these networks as well. Yet, it seems to us that many telehealth providers (aside from brick-and-mortar health system and physician efforts) have not yet focused on joining these networks. And it seems equally clear that these networks haven't sought out entrepreneurial telehealth providers. There is a great opportunity being missed with this lack of coordination. These networks, when successful, spin off revenue-sharing gains to their provider participants—and so telehealth providers are missing the opportunity to share in that revenue opportunity. Networks are missing the opportunity to coordinate care in a thoughtful, organized way with telehealth providers, and better participation could lead to better quality and efficiency outcomes for the network. Isn't it time for your organization, as a telehealth provider, to consider a network participation strategy?