Compliance Today - August 2020

Telehealth

The Coronavirus Preparedness and Response Supplemental Appropriations Act of 2020 changed the landscape of telehealth by increasing funding and allowing CMS to expand telehealth coverage.^[4]

CMS exercised this authority shortly thereafter and expanded the number of telehealth services to be paid during the COVID-19 emergency.^[5] Healthcare providers can now bill Medicare for a broad range of services and payment was equivalent to an in-person visit. Further, Medicare beneficiaries can now receive telehealth services from their home or another facility, and smartphones (or similar devices) can be used if they have two-way audio/video capability in real time.^[6] Finally, CMS eliminated frequency limitations and other requirements that applied to some services.^[7] States also took action to waive or modify certain provider licensing requirements through emergency declarations or executive orders.

Other agencies took actions to remove regulatory barriers for telehealth. The Drug Enforcement Administration allowed registered healthcare professionals to issue prescriptions for controlled substances to patients with whom they had not previously had an in-person visit.^[8] The Food and Drug Administration (FDA) allowed manufacturers of certain FDA-cleared noninvasive devices to “expand the availability” of remote monitoring devices to assist with patient monitoring such as measuring their body temperature, respiratory rate, heart rate, and blood pressure.^[9] OIG announced that it would not enforce its prohibition on routine reductions or waivers of co-payments or other cost-sharing requirements.^[10] OCR agreed not to impose penalties on healthcare providers who used telehealth platforms or other remote communication technology that was previously deemed not HIPAA compliant.^[11]

CMS Stark Law waiver/OIG policy statement

The Stark Law is a strict liability statute that prohibits (1) a physician from making referrals for designated health services payable by a federal healthcare program to an entity with which they, or an immediately family member, have a financial relationship, and (2) an entity from filing claims for designated health services furnished pursuant to a prohibited referral.^[12] Given the scope of the Stark Law and its harsh penalties, the government developed a number of exceptions that allow certain types of relationships between physicians and providers. These relationships, however, must strictly comply with all of the exception’s requirements.

Such strict construction did not work well within the context of the PHE. Recognizing this, the secretary announced blanket waivers to protect arrangements entered into in good faith to meet a community’s COVID-19 needs during the PHE but which may not be in strict compliance with the Stark Law.^[13]

The secretary’s blanket waivers applied to financial relationships and referrals that were related to the COVID-19 pandemic, and remuneration had to “be directly between the entity and: (1) the physician or the physician organization in whose shoes the physician stands under 42 C.F.R. § 411.354(c) ; or (2) the immediate family member of the physician.” The secretary also defined what constituted a “COVID-19 purpose.”

Eighteen types of remuneration, referrals, and claims were permitted during the COVID-19 outbreak if they arose due to a defined COVID-19 Purpose. Examples of protected activities included (1) remuneration to a physician not at fair market value or lease payments below fair market value; (2) loans from an entity to a physician with an interest rate below fair market value and/or on terms not readily available on the market; and (3) compensation paid to a physician who began working for a hospital without first having a signed agreement in place.

Shortly after CMS published its blanket waivers, the OIG issued a policy statement indicating that it would not impose administrative sanctions under the AKS with respect to some (but not all) of the Stark Law blanket waivers.^[14]

Scope of practice

Prior to the pandemic, the scope-of-practice issue involved both state and federal law. Federal law set forth requirements for facilities and professionals to bill Medicare and other federal programs. State law controlled who was licensed to practice medicine, each one making its own rules and establishing individual practice guidelines for advanced practice nurses, physician assistants, pharmacists, and numerous other healthcare professionals. Some states permitted nonphysicians to diagnose disease, treat, and prescribe medications while others mandated tight supervision.

During the pandemic, CMS granted blanket waivers to permit payment for care delivered by healthcare professionals other than physicians.^[15] Other federal waivers permitted medical residents, retired physicians, and others to provide care to federal beneficiaries.^[16] Many states^[17] requested federal Section 1135 waivers^[18] to allow Medicaid patients to follow these new federal processes and asked their state medical and licensing boards to permit nonphysicians to treat without supervision. Some out-of-state physicians with appropriate credentials were also permitted to provide medical services outside of the state where they were licensed, especially when using telehealth.^[19]

Billing

Prior to COVID-19, internal audit, finance, and compliance departments focused on questions of medical necessity, appropriate levels of coding, and billing documentation. Outside agencies with the authority of CMS, such as regional Medicare administrative contractors, regularly audited providers. Compliance officers were charged with overseeing identified areas of risk and facilitating recoupments and repayments when required. Whistleblower-induced investigations by the U.S. attorney and the OIG were always of concern. Compliance officers, with the assistance of legal counsel, conducted investigations of the billing practices to determine the level of culpability alleged and to negotiate settlements. Compliance officers also provided education on proper billing and documentation practices to providers and worked with colleagues to increase rates of compliance in a highly detail-oriented atmosphere of rules and regulations.

In response to the COVID-19 pandemic, normal provider operations were drastically altered. CMS guidelines suggested that all voluntary procedures and visits be limited;^[20] facilities were required to spend an extraordinary amount of time and money to prepare for the COVID-19 “surge”; and personnel, including physicians,^[21] were pulled from normal practice settings to be part of the treatment teams for COVID-19.^[22] One immediate concern recognized early was the need to focus on supplementing lost revenues as a result of the pandemic. One part of the answer for providers was the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which accelerated payments from the Medicare program.^[23]

At the same time, CMS announced that COVID-19 tests would be covered by Medicare,^[24] co-pays and deductibles could be waived if connected to COVID-19, and new codes were implemented for COVID-19 treatment and telehealth.^[25] The three-day rule for transfers to nursing homes was eliminated^[26] and observation status, if any, is not an exclusion from payment to the hospital.^[27] CMS also announced that funds designated for hospitals from the CARES Act could pay for indigent care.^[28] Added to the list of waivers being issued on a blanket, state-wide, and individual basis, conditions of participation and granting of new provider status were facilitated for retired individual providers, students, and volunteers who had never entered the Medicare program or had given up their previous status. Keeping up with applicable waivers and rule changes left many traditional admission and processing procedures in turmoil.

Privacy

The HIPAA Privacy Rule sets national standards to safeguard personal health information (PHI). Generally, it requires covered entities and business associates to establish safeguards to protect the privacy of PHI and set limits on how PHI can be used and/or disclosed.^[29]

OCR issued several guidance documents throughout the COVID-19 PHE but generally remained steadfast that the Privacy Rule allowed for adequate flexibility in an emergency situation like the COVID-19 PHE. OCR referred providers to discretion previously permitted within the context of treatment and disclosures to a public health authority; family, friends, and others involved in the individual’s care; and to prevent serious and imminent threat. OCR also reaffirmed its commitment that the “minimum necessary” standard should apply to any such disclosure.^[30]

There were three situations, however, where OCR agreed to exercise enforcement discretion and not impose penalties. The first was for providers who, during the PHE, used telehealth platforms or other remote communication technology that was not HIPAA compliant, or engaged vendors who may not have had a business associate agreement (BAA) in place. Applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype were deemed acceptable.^[31] OCR also granted flexibility to providers when they participated in the operation of community-based testing sites.^[32] While OCR provided examples of what might constitute reasonable safeguards for community-based testing sites, it agreed not to impose sanctions for noncompliance. Finally, OCR granted a covered entity’s business associate the ability to use and disclose PHI to public health agencies for health oversight activities.^[33] Typically, business associates can only use and disclose PHI as permitted by the terms of their BAA, or as otherwise required by law.

Telehealth

Most experts believe that telehealth will continue to grow in the future. With this in mind, providers should expect a new normal in the area of telehealth and consider the following potential next steps:

• Develop and engage a telehealth committee with senior leadership representation to develop a plan for transition after the PHE concludes.

• Identify which regulatory changes remain and/or are modified in the aftermath of the COVID-19 PHE; be careful to factor in state regulatory requirements (e.g., licensure requirements).

• Review telehealth policies and procedures and update them according to new and developing federal and state requirements.

• Review commercial contracts and assess how telehealth is covered in these agreements; prioritize telehealth in your upcoming negotiations.

• Audit telehealth billing to ensure compliance with guidance provided by CMS during the PHE.

• Identify all providers who were credentialed and privileged to provide telehealth services and determine their ongoing status. Note which providers, if any, were loaned telehealth equipment or given access to systems and develop and communicate a transition plan for these providers following the PHE.

• Consider a communication strategy for patients who used telehealth during the PHE and may need to make adjustments after the PHE concludes.

CMS Stark Law waiver/OIG policy statement

CMS and OIG leeway is anticipated to sunset with the PHE. The following are actions that compliance and/or legal may want to take to prepare their organization for an eventual rollback.

• Inventory all arrangements—written and verbal—entered into during the PHE.

• Note which arrangements fit within a Stark Law blanket waiver and OIG policy and which do not.

• Ensure that any arrangement not already in writing is memorialized, signed by the parties, and documents the time period for which it was (or will be) in effect.

• Ensure that every arrangement documents the COVID-19 purpose that drove the need for the arrangement.

• Where an arrangement was not at fair market value, note whether the arrangement was less than or more than fair market value and the rationale for making this concession.

• Start planning for how to terminate these arrangements at the end of the PHE. Particular attention should be paid to how below-market loans will be managed.

• Inventory items and services provided to your healthcare professionals like day care, meals, laundry services, transportation, electronic health records expense waivers, etc.

• Provide as much notice as possible to physicians, internal teams, vendors, or other parties so they can plan for the transition.

• Report results of your inventory to your leadership and board. Develop an action plan for any potential cleanup that might be necessary.

• Monitor the Explanatory Guidance being provided by CMS to help further define the scope and application of the blanket waivers.^[34]

Scope of practice

Once the waivers and declaration of national emergency have been lifted, you should revisit the credentialing files of personnel who provided services during the PHE and for whom bills were submitted. To the extent the state emergency orders have also expired, be sure to change the status of those who may now be unauthorized to provide certain services such as ordering lab tests, seeing patients in person or by telehealth, and issuing prescriptions. It is possible, however, in the jurisdictions where your facility is located, that the expansion of the scope of practice has been made permanent. Confirm with legal counsel before allowing nonphysicians to bill for services under any government program.

Billing

• Take steps to monitor the repayment requirements under the Advance Payment Program either through recoupment of new billings or a final cost report with the fiscal intermediary and other CARES Act provider relief fund payments.

• Address issues that will arise under medical necessity requiring documentation of decisions made for emergency room treatment or at newly established off-site locations, use of the intensive care unit, hospice, and home care.

• Catalog waivers that your organization relied upon during the PHE to include both blanket and specific provider or supplier waivers.

• Sample records and provider documentation prior to billing to ensure that claims are appropriately coded and indicate that services were provided under the PHE. Note waivers that were relevant to a particular diagnosis and treatment.

• Conduct a review of claims to verify that co-pays and deductibles for COVID-19 treatment were waived during the PHE or other period established by a blanket or individual waivers.

• Partner with counterparts in finance who prepare the hospital’s cost reports to ensure compliance with filing deadlines, especially where extensions were allowed.

• Audit telehealth billing. Ensure medical documentation, such as patient consents, has been provided. Ensure that you have proper credentialing information for out-of-state providers and providers credentialed by other facilities, including copies of licenses, National Provider Identifier numbers, and approvals to serve patients in the Medicare and Medicaid programs.

Privacy

In comparison to the other areas discussed herein, OCR privacy concessions were fairly limited, and we expect most to return to their pre–COVID-19 PHE status.

• Prepare a list of all telehealth modalities used during the PHE and indicate whether they were HIPAA compliant. Assess which vendors had a BAA and get a BAA in place with any vendor you plan to continue to use.

• Review telehealth privacy policies and update as needed given rule changes. Educate and train to these policies.

• Conduct an audit of privacy concerns or violations reported during the COVID-19 PHE and assess whether they were appropriately reviewed and/or investigated. If the organization relied upon any of OCR’s concessions during the PHE, document this and the justification therefor.