In response to the COVID-19 pandemic in the first half of 2020, the healthcare industry responded on many levels to help communities and save lives. To support this extraordinary effort, federal and state governments released numerous guidelines, directives, rules, Q&As, and regulations to remove barriers standing in the way of patient care at a time of national crisis. Many of these initiatives relaxed or countermanded policies, procedures, and accrediting standards, in all levels of care, including hospitals, skilled nursing facilities, and telehealth. Over time, however, we expect many of these initiatives to further morph and/or unwind. This will be challenging for the healthcare industry, and compliance officers will play a critical role in guiding their organizations through this change.
President Trump declared a national state of emergency in response to the coronavirus pandemic on March 13, 2020. This action, in conjunction with the declaration of a public health emergency (PHE) issued by the secretary of the Department of Health and Human Services January 31, 2020, authorized the secretary to take action under section 1135 of the Social Security Act. Specifically, the secretary was authorized to temporarily waive or modify certain Medicare, Medicaid, and state Children’s Health Insurance Program requirements when such changes were designed to (1) ensure sufficient healthcare items and services were available to meet the needs of beneficiaries, and (2) appropriately reimburse healthcare professionals acting in good faith to provide needed items and services.
Pursuant to this authority and within the context of the COVID-19 pandemic, the secretary authorized an unprecedented number of waivers during the PHE. These waivers provided needed regulatory flexibility for hospitals, healthcare professionals, and patients and helped reduce patient and caregiver exposure to the coronavirus while increasing or stabilizing access to care for patients. Agencies allowing regulatory flexibility during the PHE included the Centers for Medicare & Medicaid Services (CMS), the Office of Inspector General (OIG), and the Office for Civil Rights (OCR).
While the waivers provided welcomed help to healthcare providers struggling to serve patients during the pandemic, how and when they might come to an end is not known. When that time comes, an organization’s compliance officer, with the assistance of legal counsel, will be vital to navigating the proper pathway forward and helping their organizations return to “normal”—or perhaps to a “new normal.”
Five areas that were affected during the PHE were (1) telehealth, (2) Stark Law and Anti-Kickback Statute (AKS) enforcement, (3) scope of practice laws, (4) billing, and (5) Health Insurance Portability and Accountability Act (HIPAA) enforcement. Each is discussed below.
The Coronavirus Preparedness and Response Supplemental Appropriations Act of 2020 changed the landscape of telehealth by increasing funding and allowing CMS to expand telehealth coverage.
CMS exercised this authority shortly thereafter and expanded the number of telehealth services to be paid during the COVID-19 emergency. Healthcare providers can now bill Medicare for a broad range of services and payment was equivalent to an in-person visit. Further, Medicare beneficiaries can now receive telehealth services from their home or another facility, and smartphones (or similar devices) can be used if they have two-way audio/video capability in real time. Finally, CMS eliminated frequency limitations and other requirements that applied to some services. States also took action to waive or modify certain provider licensing requirements through emergency declarations or executive orders.
Other agencies took actions to remove regulatory barriers for telehealth. The Drug Enforcement Administration allowed registered healthcare professionals to issue prescriptions for controlled substances to patients with whom they had not previously had an in-person visit. The Food and Drug Administration (FDA) allowed manufacturers of certain FDA-cleared noninvasive devices to “expand the availability” of remote monitoring devices to assist with patient monitoring such as measuring their body temperature, respiratory rate, heart rate, and blood pressure. OIG announced that it would not enforce its prohibition on routine reductions or waivers of co-payments or other cost-sharing requirements. OCR agreed not to impose penalties on healthcare providers who used telehealth platforms or other remote communication technology that was previously deemed not HIPAA compliant.
CMS Stark Law waiver/OIG policy statement
The Stark Law is a strict liability statute that prohibits (1) a physician from making referrals for designated health services payable by a federal healthcare program to an entity with which they, or an immediately family member, have a financial relationship, and (2) an entity from filing claims for designated health services furnished pursuant to a prohibited referral. Given the scope of the Stark Law and its harsh penalties, the government developed a number of exceptions that allow certain types of relationships between physicians and providers. These relationships, however, must strictly comply with all of the exception’s requirements.
Such strict construction did not work well within the context of the PHE. Recognizing this, the secretary announced blanket waivers to protect arrangements entered into in good faith to meet a community’s COVID-19 needs during the PHE but which may not be in strict compliance with the Stark Law.
The secretary’s blanket waivers applied to financial relationships and referrals that were related to the COVID-19 pandemic, and remuneration had to “be directly between the entity and: (1) the physician or the physician organization in whose shoes the physician stands under 42 C.F.R. § 411.354(c) ; or (2) the immediate family member of the physician.” The secretary also defined what constituted a “COVID-19 purpose.”
Eighteen types of remuneration, referrals, and claims were permitted during the COVID-19 outbreak if they arose due to a defined COVID-19 Purpose. Examples of protected activities included (1) remuneration to a physician not at fair market value or lease payments below fair market value; (2) loans from an entity to a physician with an interest rate below fair market value and/or on terms not readily available on the market; and (3) compensation paid to a physician who began working for a hospital without first having a signed agreement in place.
Shortly after CMS published its blanket waivers, the OIG issued a policy statement indicating that it would not impose administrative sanctions under the AKS with respect to some (but not all) of the Stark Law blanket waivers.
Scope of practice
Prior to the pandemic, the scope-of-practice issue involved both state and federal law. Federal law set forth requirements for facilities and professionals to bill Medicare and other federal programs. State law controlled who was licensed to practice medicine, each one making its own rules and establishing individual practice guidelines for advanced practice nurses, physician assistants, pharmacists, and numerous other healthcare professionals. Some states permitted nonphysicians to diagnose disease, treat, and prescribe medications while others mandated tight supervision.
During the pandemic, CMS granted blanket waivers to permit payment for care delivered by healthcare professionals other than physicians. Other federal waivers permitted medical residents, retired physicians, and others to provide care to federal beneficiaries. Many states requested federal Section 1135 waivers to allow Medicaid patients to follow these new federal processes and asked their state medical and licensing boards to permit nonphysicians to treat without supervision. Some out-of-state physicians with appropriate credentials were also permitted to provide medical services outside of the state where they were licensed, especially when using telehealth.
Prior to COVID-19, internal audit, finance, and compliance departments focused on questions of medical necessity, appropriate levels of coding, and billing documentation. Outside agencies with the authority of CMS, such as regional Medicare administrative contractors, regularly audited providers. Compliance officers were charged with overseeing identified areas of risk and facilitating recoupments and repayments when required. Whistleblower-induced investigations by the U.S. attorney and the OIG were always of concern. Compliance officers, with the assistance of legal counsel, conducted investigations of the billing practices to determine the level of culpability alleged and to negotiate settlements. Compliance officers also provided education on proper billing and documentation practices to providers and worked with colleagues to increase rates of compliance in a highly detail-oriented atmosphere of rules and regulations.
In response to the COVID-19 pandemic, normal provider operations were drastically altered. CMS guidelines suggested that all voluntary procedures and visits be limited; facilities were required to spend an extraordinary amount of time and money to prepare for the COVID-19 “surge”; and personnel, including physicians, were pulled from normal practice settings to be part of the treatment teams for COVID-19. One immediate concern recognized early was the need to focus on supplementing lost revenues as a result of the pandemic. One part of the answer for providers was the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which accelerated payments from the Medicare program.
At the same time, CMS announced that COVID-19 tests would be covered by Medicare, co-pays and deductibles could be waived if connected to COVID-19, and new codes were implemented for COVID-19 treatment and telehealth. The three-day rule for transfers to nursing homes was eliminated and observation status, if any, is not an exclusion from payment to the hospital. CMS also announced that funds designated for hospitals from the CARES Act could pay for indigent care. Added to the list of waivers being issued on a blanket, state-wide, and individual basis, conditions of participation and granting of new provider status were facilitated for retired individual providers, students, and volunteers who had never entered the Medicare program or had given up their previous status. Keeping up with applicable waivers and rule changes left many traditional admission and processing procedures in turmoil.
The HIPAA Privacy Rule sets national standards to safeguard personal health information (PHI). Generally, it requires covered entities and business associates to establish safeguards to protect the privacy of PHI and set limits on how PHI can be used and/or disclosed.
OCR issued several guidance documents throughout the COVID-19 PHE but generally remained steadfast that the Privacy Rule allowed for adequate flexibility in an emergency situation like the COVID-19 PHE. OCR referred providers to discretion previously permitted within the context of treatment and disclosures to a public health authority; family, friends, and others involved in the individual’s care; and to prevent serious and imminent threat. OCR also reaffirmed its commitment that the “minimum necessary” standard should apply to any such disclosure.
There were three situations, however, where OCR agreed to exercise enforcement discretion and not impose penalties. The first was for providers who, during the PHE, used telehealth platforms or other remote communication technology that was not HIPAA compliant, or engaged vendors who may not have had a business associate agreement (BAA) in place. Applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype were deemed acceptable. OCR also granted flexibility to providers when they participated in the operation of community-based testing sites. While OCR provided examples of what might constitute reasonable safeguards for community-based testing sites, it agreed not to impose sanctions for noncompliance. Finally, OCR granted a covered entity’s business associate the ability to use and disclose PHI to public health agencies for health oversight activities. Typically, business associates can only use and disclose PHI as permitted by the terms of their BAA, or as otherwise required by law.