Andrea Frey (afrey@health-law.com) is an associate in the San Francisco office, and Jeremy Sherer (jsherer@health-law.com) is an associate in the Boston office of Hooper, Lundy & Bookman PC.
While telehealth is an exciting and constantly developing area of health law, it also poses certain challenges to compliance professionals to keep up with the changes. This article outlines recent legal and policy developments in telehealth that are most important to compliance professionals. It also examines the various sources of regulation and enforcement actions involving telehealth and reviews some of the considerations and common pitfalls for compliance professionals to be aware of when providers use telehealth.
Legal and policy developments
As we detail below, the past year has seen a number of recent legal and policy developments focused on encouraging implementation of telehealth solutions at both the federal and state levels.
Expanded Medicare coverage of telehealth in 2020
The biggest change to Medicare’s financing of telehealth in 2020 is its expansion of telehealth services available to Medicare Advantage (MA) beneficiaries. Historically, MA plans have had the authority to cover and reimburse for telehealth services as supplemental benefits, meaning the capitated payments that MA plans received from the Centers for Medicare & Medicaid Services (CMS) did not factor in telehealth services. As of January 1, 2020, MA plans may elect to offer certain telehealth services as basic benefits paid through the capitated rate, as long as (1) the same service is covered by Medicare when it is provided in person and (2) the MA plan has determined that the service can be provided via telehealth. This presents a strategic opportunity for providers using telehealth to contract with MA plans.
New Medicare telehealth services
Medicare maintains a list of services that it will cover for fee-for-service beneficiaries and reimburse providers for when they are provided via telehealth. These services must satisfy the requirements set forth in 42 C.F.R. § 410.78, including that the patient be at a qualifying originating site and in a rural health professional shortage area (HPSA), unless an exception applies. Every year, Medicare reviews the list of Medicare telehealth services, seeks input from industry as to what services should be added, and ultimately decides whether to add any new services to the list.
For 2020, CMS introduced three new codes to allow office-based treatment of opioid use disorder, such as care coordination, development of a treatment plan, individual therapy, group therapy, and counseling, to be provided via telehealth. The new HCPCS codes are GYYY1, GYYY2, and GYYY3. These services became eligible for reimbursement January 1, 2020. As noted above, CMS normally requires patients receiving treatment via telehealth to be located at an approved originating site—typically a brick-and-mortar healthcare facility in a rural HPSA—for telehealth services to be covered (among other requirements). However, pursuant to the SUPPORT Act of 2018,[1] CMS waived those requirements for treatment of substance use disorder and correlated services. As a result, these services can be provided to patients regardless of their location.
New remote patient monitoring code and general supervision
Through 2019, CMS reimbursed providers for remote patient monitoring (RPM) services under CPT code 99457, which pays providers for 20 or more minutes of RPM services per month. For 2020, CMS introduced CPT code 99458, which is an add-on code that allows providers to obtain payment for an additional 20 minutes of RPM services each month.
CMS also tweaked its RPM requirements pertaining to supervision for 2020. Traditionally, CMS did not allow RPM services to be provided incident to a physician’s service, which meant that the physician and the non-physician practitioner needed to be in the same building when services were rendered for CMS to cover the RPM services. In the 2020 Physician Fee Schedule, CMS announced that it was redesignating RPM services as designated care management services. The significance of this change is that designated care management services can be provided under general supervision under 42 C.F.R. § 410.26(b)(5). This means that RPM services can be provided by non-physician practitioners under a physician’s general supervision, and that such supervision can now be provided via telehealth.
State law continues to evolve
No two states are alike in regulating telehealth. Even within states, there are often varying bodies of law and regulations governing telehealth; for example, many states have incorporated specific telehealth-related coverage requirements into law in addition to including separate, and sometimes even inconsistent, requirements in their Medicaid program guidelines. This variability among states creates an invariably confusing environment for compliance professionals counseling providers looking to use telehealth.
That said, there is an evident trend to refine and expand upon the telehealth laws and policies in a number of states. For example, California joined Connecticut last year in having its Medicaid program reimburse for at least one eConsult code. Other noteworthy trends include the broadening of what constitutes an eligible originating site, including the patient’s home or school. Several states have also passed new telehealth private payer legislation, including California and Georgia, which now require payment parity, and Florida, which allows plans and providers to negotiate reimbursement rates. Additionally, laws and regulations allowing practitioners to prescribe medications through live video interactions have increased, with a few states even allowing for the prescription of controlled substances over telehealth within federal limits.
Telehealth’s evolving enforcement landscape
As telehealth coverage, reimbursement, and utilization continue to grow, so does the scrutiny that telehealth arrangements face. Historically, the primary source of enforcement actions has been state medical boards. They often discipline clinicians using telehealth to deliver medical services that do not meet the applicable standard of care. Complaints lodged against physicians resulting in discipline often relate to prescribing medication without an appropriate prior examination of the patient, treating patients in a particular jurisdiction without being appropriately licensed in that state, or using nonsecure communications platforms to provide medical services via telehealth.
The courts are another arena in which enforcement actions may occur. In a case that could have implications for telehealth and medical malpractice, the Minnesota Supreme Court issued a ruling last April, Warren v. Dinter,[2] holding that the existence of a physician-patient relationship is not a prerequisite for a medical malpractice action. Rather, a person may sue a physician for malpractice—even if that person was not a patient of the physician—if the harm suffered by the person was a “reasonably foreseeable” consequence of the physician’s actions. The case centers around the care of a patient who sought treatment at a local health clinic and was treated by a nurse practitioner. The nurse practitioner suspected that the patient suffered from an infection and contacted a nearby medical center to arrange for hospitalization. A hospitalist from the medical center briefly spoke with the nurse practitioner by telephone and allegedly denied the request for hospitalization. The nurse practitioner did not make subsequent efforts to hospitalize the patient, who later died of a staph infection. Ultimately, the court’s holding significantly expands malpractice liability and has the potential to curtail physician collaboration and informal consultation in the state. And while it’s only precedential in Minnesota, the decision could certainly have a ripple effect as courts in other states review similar cases.
An additional source of enforcement action is the Department of Justice, which has increasingly been investigating and prosecuting telehealth platforms engaging in fraudulent behavior as private payers cover more and more services delivered via telehealth. The conduct at issue is not unique to telehealth and often involves billing for services not rendered or using call centers to scam vulnerable, elderly patients into ordering topical skin creams and other expensive treatments they don’t need. Particularly considering the ongoing opioid epidemic, enforcers are keeping a careful eye on pain creams prescribed via telehealth, as these topical treatments can serve as stand-ins for powerful opioid pain medication.
While Medicare historically pays for limited services via telehealth, the Department of Health and Human Services Office of Inspector General (OIG) has had its eyes on telehealth for years. The most visible action was its 2018 report on a post-payment audit of telehealth claims that CMS processed in 2014 and 2015.[3] OIG determined that 31% of the claims CMS paid failed to meet Medicare reimbursement requirements for Medicare telehealth services. However, fraud, waste, and abuse in telehealth has been in the OIG’s annual work report for years, and OIG specifically announced in August 2019 that it would focus particular attention on using telehealth in behavioral health services among beneficiaries of state Medicaid programs.
With this in mind, it is critical that compliance professionals remain vigilant in their work involving the use of telehealth.
Contracting pitfalls with telehealth arrangements
Bearing in mind the developments outlined above, compliance professionals must understand a core range of issues when working in and around telehealth contracting. Below is a brief discussion of many of those core concepts.
Corporate practice of medicine
The corporate practice of medicine (CPOM) doctrine broadly prohibits nonprofessionals from employing or, depending on the state, contracting with professional medical providers. The CPOM doctrine varies considerably on a state-by-state basis and can be a source of confusion for newer telehealth platforms, particularly those based in states that do not have a state-level CPOM prohibition. Before entering an arrangement with a group of providers that will be providing services via telehealth, compliance professionals should verify that the entity is properly structured under the laws of the state in which patients will be located.
Licensure
Provider facilities have long known to verify that a clinician is licensed in the state where they are providing services. However, in the context of telehealth, they are often providing services across state lines, which changes the licensure equation. For purposes of telehealth, the laws of the state where the patient is located dictate what licensure the clinician needs. While the most obvious question to ask is whether the clinician needs to be licensed in the patient’s state in order to provide treatment there, the inquiry does not end there. In limited situations, some states such as New York have exceptions for border states.
Proxy credentialing
The Medicare Conditions of Participation allow for a streamlined process to credential telehealth clinicians by permitting the originating site hospital (where the patient is located) to rely on the privileging and credentialing decisions made by the distant site hospital (where the clinician is located). This is referred to as proxy credentialing, and it allows hospitals to more efficiently provide healthcare services by a clinician via telehealth without incurring the full administrative burden associated with the traditional credentialing process. In order to take advantage of proxy credentialing, the originating site hospital must enter into a written agreement with the distant site hospital that sets forth requirements specified by CMS. There are also considerations around provisions that should be incorporated in the originating site hospital’s medical staff bylaws around proxy credentialing, including possibly creating a distinct category of telehealth staff with limited rights and responsibilities. The Joint Commission has also set forth its own standards around proxy credentialing, including requiring both the originating and distant site hospitals to be accredited.
Fraud and abuse issues
The importance of complying with federal fraud and abuse laws, including the physician self-referral prohibition (the Stark Law), the Anti-Kickback Statute (AKS), and the False Claims Act, is well-known to compliance professionals working with healthcare providers. However, vigilant compliance with the state-level counterparts of these authorities is equally important, and requirements can vary substantially by state. For instance, while some states explicitly permit any behavior that complies with the AKS and its safe harbors, other states have no AKS safe harbors, meaning that behavior permitted under federal law may be prohibited under state law.
Additionally, while telehealth offerings that do not deliver services to beneficiaries of public health insurance programs (e.g., Medicare and Medicaid) are not subject to federal fraud and abuse laws, they do remain subject to state-level fraud and abuse authorities in the state in which the patient is located when services are rendered.
Equipment maintenance and upkeep
Many agreements for telehealth services involve both clinical services that are provided by a clinician located at a distant site and the provision of technology equipment, such as video cameras with sophisticated technical capabilities, to be used in delivering telehealth services. Compliance professionals working with providers reviewing such agreements should ensure that the vendor providing telehealth technology is also responsible for ensuring that it functions properly and provides the training and support that a provider facility might require to use the technology most effectively. Conversely, compliance professionals working on a vendor’s behalf will want to ensure that the support and training the vendor is required to provide is not overly burdensome or broad in scope.
Informed consent
Most states place some sort of requirement on the provider or licensed clinician delivering telehealth services to inform the patient about the use and potential risks of telehealth and obtain the patient’s consent to proceed with such services. States vary in terms of the requirements around the type of information that must be disclosed and the form of consent. Compliance professionals should be sure that providers understand and comply with the specific requirements applicable in the state in which they practice and/or provide telehealth services. At a minimum, obtaining informed consent in accordance with the applicable state law or regulation—and maintaining documentation of it in the patient’s medical record—is highly recommended.
Takeaways
-
There have been many recent legal and policy developments in telehealth that are important for compliance professionals to be aware of, both at the federal and state level.
-
At the federal level, we saw changes by the Centers for Medicare & Medicaid Services around Medicare Advantage coverage and reimbursement of telehealth services; within the states, there is an evident trend to expand upon telehealth coverage and reimbursement, but no two states are alike.
-
Continued expansion in coverage and reimbursement by Medicare and commercial payers will likely push providers toward higher utilization of telehealth in the years ahead.
-
As telehealth coverage, reimbursement, and utilization continue to grow, so do the various sources of regulation and enforcement actions scrutinizing telehealth arrangements.
-
When evaluating telehealth arrangements, compliance professionals should be sure to understand a core range of considerations and common pitfalls that occur with telehealth contracting.