During the COVD-19 pandemic, there has been tremendous growth in and use of telehealth offerings by patients and practitioners. Telehealth, a general term used to refer to a wide range of synchronous, remote interactions between patient and practitioner, has provided necessary flexibility and modifiability throughout the pandemic. However, this growth raises significant legal considerations that practitioners should be aware of as regulatory agencies and various governments continue to grapple with the unique challenges that arise during this Public Health Emergency (PHE). Additionally, the use of these telehealth services raises significant privacy and data management issues that practitioners must remain cognizant of.
At the most basic level, many of the regulatory issues that concern traditional healthcare services are equally applicable to telehealth offerings. Some examples of major legal and compliance considerations are:
- Licensure. The general rule is that care is considered to be rendered where the patient is located. Therefore, before initiating patient contact via telehealth services, practitioners must ensure they are licensed where their patient is located, not from where the practitioner is operating. Some states have required full licenses, while others have allowed more lenient special telehealth practice licenses.
- Supervision and Scope of Practice. Another concern for practitioners is supervision of individuals that might provide services incident to the practitioner’s service or under the practitioner’s supervision. Traditionally, practitioners could only “directly supervise” patient care by being in the office suite and immediately available to furnish assistance. However, last year CMS temporarily revised this definition to include the virtual presence of a supervising practitioner via the real-time audio/visual technology that has become prevalent during the COVID-19 pandemic. However, this revised definition is only effective until the end of the Public Health Emergency.
- E-Prescribing. Generally, prescription practices are regulated at both the federal and state level. During the PHE, the requirements for in-person medical evaluations were relaxed, more broadly permitting prescription of controlled substances that would otherwise have required in-person consults under Department of Justice Drug Enforcement Administration (DEA) rules. It is critical that practitioners remain aware of state rules as well, as states have significant control over the provision of healthcare. Many state agencies have rules that vary from, and are often stricter than, the federal requirements.
Quite possibly the most important issue practitioners need to remain aware of is privacy and the use of protected Personally Identifiable Information (PII). Because telehealth by nature relies on technology and the electronic transmission of data, patient privacy and security are paramount considerations for any telehealth model. This includes traditional PII such as social security numbers, driver’s license numbers, names, and addresses, as well as more specialized healthcare information. The key regulatory regime affecting telehealth providers is the Health Insurance Portability and Accountability Act (HIPAA). While the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCS) announced a great amount of enforcement discretion based on the good-faith provision of telehealth services during the PHE, the agency did not waive HIPAA’s requirements entirely. As referenced above, this discretion is temporary, and state law further complicates the protection of PII. Federal rules often provide a “regulatory floor,” a minimum level of compliance practitioners must meet. State rules in turn provide a “regulatory ceiling,” where the state is free to impose stricter and more onerous restrictions on top of the federal framework.
The theft of PII in the past two decades has been an ongoing concern for enforcement agencies across the board. Additionally, the rapid expansion of telehealth offerings raised new concerns about compliance with privacy-oriented regulations. Many providers expanded rapidly on, or implement entirely new, telehealth systems. While some leniency has been exercised, agencies have remained acutely aware of the potential for fraud, abuse, and theft of PII due to changing telehealth offerings. Compliance in this area is critical. For example, The HHS Office of Inspector General (OIG) released a 2021 Work Plan which outlined ongoing audits of Medicare Part B telehealth service to determine if Medicare requirements are met. The Work Plan also indicated that OIG planned to assess the provision of services for compliance with Medicare requirements. This Work Plan indicates compliance with healthcare regulations is an ongoing area of priority for OIG as they continue to assess telehealth offerings into 2022.
In sum, with the expiration of some PHE telehealth rules and resumption of agency enforcement, practitioners should be encouraged to analyze their telehealth practices. All providers need to comply with the rules and regulations that remain in effect as the PHE comes to an end, whether this means reverting to old methods for providing healthcare services or staying abreast of the new regulatory regime. Practitioners and their counsel need to fully understand their telehealth programs and which components may remain in place as rules change. Not least of all, practitioners need to take a conscious and active role in protecting patient information that is protected under federal and state privacy laws. Failure to conform to the new regulatory regime could result in extensive legal and compliance issues.
Revolution Law Group is located in Greensboro, NC, and serves individuals and small businesses throughout the Triad and surrounding areas. To contact us please visit Revolution.law or call 336-333-7907.
The information included here is for informational purposes only, is not exhaustive of all considerations when creating documents, is not intended to be legal advice, and should not be relied upon for that purpose. We strongly recommend you consult with an attorney and do not attempt to create your own documents.