Kimberly Gillespie (kimberly.gillespie@troutman.com) is Counsel at Troutman Pepper in Richmond, VA, and Henry C. Fader (henry.fader@troutman.com) is Counsel at Troutman Pepper in Philadelphia, PA.
During the COVID-19 pandemic in the first half of 2020, the healthcare industry responded on many levels to help communities and save lives. To support this extraordinary effort, federal and state governments released numerous guidelines, directives, rules, Q&As, and regulations to remove barriers standing in the way of patient care at a time of national crisis. Many of these initiatives relaxed or countermanded policies, procedures, and accrediting standards at all levels of care, including hospitals, skilled nursing facilities, and telehealth. Over time, however, we expect many of these initiatives to further morph and/or unwind. This will be challenging for the healthcare industry, and compliance officers will play a critical role in guiding their organizations through this change.
Background
President Trump declared a national state of emergency in response to the coronavirus pandemic on March 13, 2020.[1] This action, in conjunction with the declaration of a public health emergency (PHE) issued by the secretary of the Department of Health and Human Services on January 31, 2020, authorized the secretary to take action under section 1135 of the Social Security Act. Specifically, the secretary was authorized to temporarily waive or modify certain Medicare, Medicaid, and state Children’s Health Insurance Program requirements when such changes were designed to (1) ensure sufficient healthcare items and services were available to meet the needs of beneficiaries, and (2) appropriately reimburse healthcare professionals acting in good faith to provide needed items and services.[2]
Pursuant to this authority and within the context of the COVID-19 pandemic, the secretary authorized an unprecedented number of waivers during the PHE.[3] These waivers provided needed regulatory flexibility for hospitals, healthcare professionals, and patients and helped reduce patient and caregiver exposure to the coronavirus while increasing or stabilizing access to care for patients. Agencies allowing regulatory flexibility during the PHE included the Centers for Medicare & Medicaid Services (CMS), the Office of Inspector General (OIG), and the Office for Civil Rights (OCR).
While the waivers provided welcomed help to healthcare providers struggling to serve patients during the pandemic, how and when they might come to an end is not known. When that time comes, an organization’s compliance officer, with the assistance of legal counsel, will be vital to navigating the proper pathway forward and helping their organizations return to “normal”—or perhaps to a “new normal.”
Five areas that were affected during the PHE were (1) telehealth, (2) Stark Law and Anti-Kickback Statute (AKS) enforcement, (3) scope of practice laws, (4) billing, and (5) Health Insurance Portability and Accountability Act (HIPAA) enforcement. Each is discussed below.
Telehealth
The Coronavirus Preparedness and Response Supplemental Appropriations Act of 2020 changed the landscape of telehealth by increasing funding and allowing CMS to expand telehealth coverage.[4]
CMS exercised this authority shortly thereafter and expanded the number of telehealth services to be paid during the COVID-19 emergency.[5] Healthcare providers can now bill Medicare for a broad range of services, with payment equivalent to an in-person visit. Further, Medicare beneficiaries can now receive telehealth services from their home or another facility, and smartphones (or similar devices) can be used if they have two-way audio/video capability in real time.[6] Finally, CMS eliminated frequency limitations and other requirements that applied to some services.[7] States also took action to waive or modify certain provider licensing requirements through emergency declarations or executive orders.
Other agencies took actions to remove regulatory barriers for telehealth. The Drug Enforcement Administration allowed registered healthcare professionals to issue prescriptions for controlled substances to patients with whom they had not previously had an in-person visit.[8] The Food and Drug Administration (FDA) allowed manufacturers of certain FDA-cleared noninvasive devices to “expand the availability” of remote monitoring devices to assist with patient monitoring such as measuring their body temperature, respiratory rate, heart rate, and blood pressure.[9] OIG announced that it would not enforce its prohibition on routine reductions or waivers of co-payments or other cost-sharing requirements.[10] OCR agreed not to impose penalties on healthcare providers who used telehealth platforms or other remote communication technology that was previously deemed not HIPAA compliant.[11]
CMS Stark Law waiver/OIG policy statement
The Stark Law is a strict liability statute that prohibits (1) a physician from making referrals for designated health services payable by a federal healthcare program to an entity with which they, or an immediate family member, have a financial relationship, and (2) an entity from filing claims for designated health services furnished pursuant to a prohibited referral.[12] Given the scope of the Stark Law and its harsh penalties, the government developed a number of exceptions that allow certain types of relationships between physicians and providers. These relationships, however, must strictly comply with all of the exception’s requirements.
Such strict construction did not work well within the context of the PHE. Recognizing this, the secretary announced blanket waivers to protect arrangements entered into in good faith to meet a community’s COVID-19 needs during the PHE but which may not be in strict compliance with the Stark Law.[13]
The secretary’s blanket waivers applied to financial relationships and referrals that were related to the COVID-19 pandemic, and remuneration had to “be directly between the entity and: (1) the physician or the physician organization in whose shoes the physician stands under 42 C.F.R. § 411.354(c); or (2) the immediate family member of the physician.” The secretary also defined what constituted a “COVID-19 purpose.”
Eighteen types of remuneration, referrals, and claims were permitted during the COVID-19 outbreak if they arose due to a defined COVID-19 Purpose. Examples of protected activities included (1) remuneration to a physician not at fair market value or lease payments below fair market value; (2) loans from an entity to a physician with an interest rate below fair market value and/or on terms not readily available on the market; and (3) compensation paid to a physician who began working for a hospital without first having a signed agreement in place.
Shortly after CMS published its blanket waivers, the OIG issued a policy statement indicating that it would not impose administrative sanctions under the AKS with respect to some (but not all) of the Stark Law blanket waivers.[14]
Scope of practice
Prior to the pandemic, the scope-of-practice issue involved both state and federal law. Federal law set forth requirements for facilities and professionals to bill Medicare and other federal programs. State law controlled who was licensed to practice medicine, each one making its own rules and establishing individual practice guidelines for advanced practice nurses, physician assistants, pharmacists, and numerous other healthcare professionals. Some states permitted nonphysicians to diagnose disease, treat, and prescribe medications while others mandated tight supervision.
During the pandemic, CMS granted blanket waivers to permit payment for care delivered by healthcare professionals other than physicians.[15] Other federal waivers permitted medical residents, retired physicians, and others to provide care to federal beneficiaries.[16] Many states[17] requested federal Section 1135 waivers[18] to allow Medicaid patients to follow these new federal processes and asked their state medical and licensing boards to permit nonphysicians to treat without supervision. Some out-of-state physicians with appropriate credentials were also permitted to provide medical services outside of the state where they were licensed, especially when using telehealth.[19]
Billing
Prior to COVID-19, internal audit, finance, and compliance departments focused on questions of medical necessity, appropriate levels of coding, and billing documentation. Outside agencies with the authority of CMS, such as regional Medicare administrative contractors, regularly audited providers. Compliance officers were charged with overseeing identified areas of risk and facilitating recoupments and repayments when required. Whistleblower-induced investigations by the U.S. attorney and the OIG were always of concern. Compliance officers, with the assistance of legal counsel, conducted investigations of the billing practices to determine the level of culpability alleged and to negotiate settlements. Compliance officers also provided education on proper billing and documentation practices to providers and worked with colleagues to increase rates of compliance in a highly detail-oriented atmosphere of rules and regulations.
In response to the COVID-19 pandemic, normal provider operations were drastically altered. CMS guidelines suggested that all voluntary procedures and visits be limited;[20] facilities were required to spend an extraordinary amount of time and money to prepare for the COVID-19 “surge”; and personnel, including physicians,[21] were pulled from normal practice settings to be part of the treatment teams for COVID-19.[22] One immediate concern recognized early was the need to focus on supplementing lost revenues as a result of the pandemic. One part of the answer for providers was the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which accelerated payments from the Medicare program.[23]
At the same time, CMS announced that COVID-19 tests would be covered by Medicare,[24] co-pays and deductibles could be waived if connected to COVID-19, and new codes were implemented for COVID-19 treatment and telehealth.[25] The three-day rule for transfers to nursing homes was eliminated[26] and observation status, if any, is not an exclusion from payment to the hospital.[27] CMS also announced that funds designated for hospitals from the CARES Act could pay for indigent care.[28] Added to the list of waivers being issued on a blanket, state-wide, and individual basis, conditions of participation and granting of new provider status were facilitated for retired individual providers, students, and volunteers who had never entered the Medicare program or had given up their previous status. Keeping up with applicable waivers and rule changes left many traditional admission and processing procedures in turmoil.
Privacy
The HIPAA Privacy Rule sets national standards to safeguard personal health information (PHI). Generally, it requires covered entities and business associates to establish safeguards to protect the privacy of PHI and set limits on how PHI can be used and/or disclosed.[29]
OCR issued several guidance documents throughout the COVID-19 PHE but generally remained steadfast that the Privacy Rule allowed for adequate flexibility in an emergency situation like the COVID-19 PHE. OCR referred providers to discretion previously permitted within the context of treatment and disclosures to a public health authority; family, friends, and others involved in the individual’s care; and to prevent serious and imminent threat. OCR also reaffirmed its commitment that the “minimum necessary” standard should apply to any such disclosure.[30]
There were three situations, however, where OCR agreed to exercise enforcement discretion and not impose penalties. The first was for providers who, during the PHE, used telehealth platforms or other remote communication technology that was not HIPAA compliant, or engaged vendors who may not have had a business associate agreement (BAA) in place. Applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype were deemed acceptable.[31] OCR also granted flexibility to providers when they participated in the operation of community-based testing sites.[32] While OCR provided examples of what might constitute reasonable safeguards for community-based testing sites, it agreed not to impose sanctions for noncompliance. Finally, OCR granted a covered entity’s business associate the ability to use and disclose PHI to public health agencies for health oversight activities.[33] Typically, business associates can only use and disclose PHI as permitted by the terms of their BAA, or as otherwise required by law.
Returning to a new normal
Many of these regulatory actions were welcomed during the COVID-19 PHE, but there is a great deal of uncertainty around when and how they might be rolled back or modified. Compliance officers will need to closely monitor when changes are made to these regulatory concessions on a federal or state level and have a transition plan ready. Below are suggestions for the five areas discussed above.
Telehealth
Most experts believe that telehealth will continue to grow in the future. With this in mind, providers should expect a new normal in the area of telehealth and consider the following potential next steps:
- Develop and engage a telehealth committee with senior leadership representation to develop a plan for transition after the PHE concludes.
- Identify which regulatory changes remain and/or are modified in the aftermath of the COVID-19 PHE; be careful to factor in state regulatory requirements (e.g., licensure requirements).
- Review telehealth policies and procedures and update them according to new and developing federal and state requirements.
- Review commercial contracts and assess how telehealth is covered in these agreements; prioritize telehealth in your upcoming negotiations.
- Audit telehealth billing to ensure compliance with guidance provided by CMS during the PHE.
- Identify all providers who were credentialed and privileged to provide telehealth services and determine their ongoing status. Note which providers, if any, were loaned telehealth equipment or given access to systems and develop and communicate a transition plan for these providers following the PHE.
- Consider a communication strategy for patients who used telehealth during the PHE and may need to make adjustments after the PHE concludes.
CMS Stark Law waiver/OIG policy statement
CMS and OIG leeway is anticipated to sunset with the PHE. The following are actions that compliance and/or legal may want to take to prepare their organization for an eventual rollback.
- Inventory all arrangements—written and verbal—entered into during the PHE.
- Note which arrangements fit within a Stark Law blanket waiver and OIG policy and which do not.
- Ensure that any arrangement not already in writing is memorialized, signed by the parties, and documents the time period for which it was (or will be) in effect.
- Ensure that every arrangement documents the COVID-19 purpose that drove the need for the arrangement.
- Where an arrangement was not at fair market value, note whether the arrangement was less than or more than fair market value and the rationale for making this concession.
- Start planning for how to terminate these arrangements at the end of the PHE. Particular attention should be paid to how below-market loans will be managed.
- Inventory items and services provided to your healthcare professionals like day care, meals, laundry services, transportation, electronic health records expense waivers, etc.
- Provide as much notice as possible to physicians, internal teams, vendors, or other parties so they can plan for the transition.
- Report results of your inventory to your leadership and board. Develop an action plan for any potential cleanup that might be necessary.
- Monitor the Explanatory Guidance being provided by CMS to help further define the scope and application of the blanket waivers.[34]
Scope of practice
Once the waivers and declaration of national emergency have been lifted, you should revisit the credentialing files of personnel who provided services during the PHE and for whom bills were submitted. To the extent the state emergency orders have also expired, be sure to change the status of those who may now be unauthorized to provide certain services such as ordering lab tests, seeing patients in person or by telehealth, and issuing prescriptions. It is possible, however, in the jurisdictions where your facility is located, that the expansion of the scope of practice has been made permanent. Confirm with legal counsel before allowing nonphysicians to bill for services under any government program.
Billing
- Take steps to monitor the repayment requirements under the Advance Payment Program either through recoupment of new billings or a final cost report with the fiscal intermediary and other CARES Act provider relief fund payments.
- Address issues that will arise under medical necessity requiring documentation of decisions made for emergency room treatment or at newly established off-site locations, use of the intensive care unit, hospice, and home care.
- Catalog waivers that your organization relied upon during the PHE to include both blanket and specific provider or supplier waivers.
- Sample records and provider documentation prior to billing to ensure that claims are appropriately coded and indicate that services were provided under the PHE. Note waivers that were relevant to a particular diagnosis and treatment.
- Conduct a review of claims to verify that co-pays and deductibles for COVID-19 treatment were waived during the PHE or other period established by a blanket or individual waivers.
- Partner with counterparts in finance who prepare the hospital’s cost reports to ensure compliance with filing deadlines, especially where extensions were allowed.
- Audit telehealth billing. Ensure medical documentation, such as patient consents, has been provided. Ensure that you have proper credentialing information for out-of-state providers and providers credentialed by other facilities, including copies of licenses, National Provider Identifier numbers, and approvals to serve patients in the Medicare and Medicaid programs.
Privacy
In comparison to the other areas discussed herein, OCR privacy concessions were fairly limited, and we expect most to return to their pre–COVID-19 PHE status.
- Prepare a list of all telehealth modalities used during the PHE and indicate whether they were HIPAA compliant. Assess which vendors had a BAA and get a BAA in place with any vendor you plan to continue to use.
- Review telehealth privacy policies and update as needed given rule changes. Educate and train to these policies.
- Conduct an audit of privacy concerns or violations reported during the COVID-19 PHE and assess whether they were appropriately reviewed and/or investigated. If the organization relied upon any of OCR’s concessions during the PHE, document this and the justification therefor.
Conclusion
This article primarily focused on regulatory flexibilities implemented on a federal level; however, there are state regulatory requirements that also must be analyzed and addressed. These state requirements should be specifically addressed in your COVID-19 transition plan.
In the end, compliance officers will play a key role in bringing their organizations successfully through this pandemic in a legal and regulatory compliant manner. We suggest communicating regularly with senior leadership and the board on regulatory and legal updates and developing a work plan for the post–COVID-19 transition. This will help to ensure transparency, clarity, and accountability throughout the process. Communication strategies with staff, physicians, patients, and the community will also be key. Each of us had to adjust to a new normal during the COVID-19 pandemic, and we will need to transition again when this crisis has subsided.
Takeaways
- The COVID-19 public health emergency prompted an unprecedented amount of regulatory flexibility from federal and state governments, but these changes will not continue forever.
- Compliance officers, with the assistance of legal counsel, will need to help navigate a safe pathway for their organizations to transition when these regulatory changes are rolled back.
- The advancement of telehealth, scope of practice, and antifraud modifications fueled by the COVID-19 public health emergency will likely continue as patients and healthcare professionals realize their relative advantages.
- Compliance officers should catalog the impacts of the COVID-19 public health emergency and develop a transition plan for the board, senior leadership, and others to track and manage the unwinding regulatory concessions.
- Transparent communication regarding the impact of these changes on the operations and finances of the organization will be critical to a successful transition.