Final Rule on Section 1557 of the ACA Has Implications for Digital Health Industry
On May 18, 2016, the Department of Health and Human Services ("HHS") issued a final rule implementing Section 1557 of the Patient Protection and Affordable Care Act ("ACA"), which prohibits discrimination on the grounds of race, color, national origin, sex, age, or disability in certain health programs and activities. Effective July 18, 2016, the final rule, "Nondiscrimination in Health Programs and Activities" ("Rule"), will require entities covered by the Rule to comply with certain accessibility requirements applicable to their use of technology in the provision of services.
The Rule applies to: (i) to every health program or activity, any part of which receives federal financial assistance provided or made available by HHS; (ii) health insurance plans and marketplaces; and (iii) HHS itself. The Rule defines "HHS financial assistance" broadly, to include almost all types of financial benefit transfers, among them grants, loans, credits, subsidies, or transfers of real or personal property (but excludes Medicare Part B payments). Key points of the Rule include the following:
First, the Rule requires entities covered by the Rule to make all programs and activities provided through electronic and information technology (e.g., a website) accessible for individuals with disabilities, unless doing so would impose undue financial or administrative burden. In addition, such entities must provide appropriate auxiliary aids and services when necessary to ensure an equal opportunity for persons with disabilities to participate in and benefit from the entity's health programs or activities. Auxiliary aids and services include qualified sign language interpreters, captioning, large print materials, screen reader software, text telephones, and video remote interpreting services, among other things. In short, entities covered by the Rule must take appropriate steps to ensure that communications with individual with disabilities are as effective as communications with others, in accordance with Title II of the Americans with Disabilities Act of 1990 and related regulations.
Second, entities covered by the Rule must take reasonable steps to provide meaningful access to individuals with limited English proficiency eligible to be served or likely to be encountered in their health programs and activities. This includes providing language assistance services, such as oral language assistance or written translation, free of charge and in a timely manner.
Third, entities covered by the Rule must comply with certain procedural requirements. Specifically, the Rule requires applicable entities with 15 or more employees to have a grievance procedure, to identify at least one individual accountable for coordinating the regulated entity's compliance, and to have a written process in place for handling grievances.
In addition, entities covered by the Rule that operate websites must post on the website notices of nondiscrimination and taglines that alert individuals with limited English proficiency to the availability of language assistance services. Such taglines must be posted in at least the top 15 non-English languages spoken in the state in which the entity is located or does business.
For health care providers operating in the digital health industry as well as for software and other technology vendors working with health care providers, the Rule may create a number of new challenges. Website accessibility has likewise been the focus of increasing litigation activity, and a number of high-profile settlements have emphasized the potential risks entities may face by failing to address technology-based accessibility issues. Providers would be well advised to review their websites and other customer-facing technology with counsel to determine the applicability of the Rule to their activities, as well as any broader accessibility considerations and exposure.
Joint Commission Temporarily Reinstates Texting Ban
The Joint Commission has temporarily reinstated a ban on any physician or licensed independent practitioner texting orders for care, treatment, and services until the Joint Commission and the Centers for Medicare & Medicaid Services ("CMS") collaborate to develop additional guidance. The Joint Commission rescinded the original five-year ban in May 2016 to allow texting via a secure text messaging platform, noting that advanced technology provided secure information transfer, but the recent announcement suggests that additional guidance, due late September 2016, will better ensure a safe implementation of secure texting orders. The Joint Commission expects this guidance will include a series of Frequently Asked Questions to "ensure congruency with the Medicare Conditions of Participation" and assist health care organizations as they incorporate text orders into their policies and procedures.
FBI Cyber Division Releases Ransomware Warning
Citing the increasing frequency and growing sophistication of attacks, the FBI Cyber Division recently released a statement describing common ransomware events and tactics, and recommending protective actions. After several notorious incidents in 2015, the FBI anticipates growing use of ransomware in 2016 and beyond. A single infection can cripple an organization by encrypting data on local drives, connected hardware and backup drives, and even other computers on the same network, all before users are aware of the attack. The FBI does not support paying ransom in response to an attack. The agency recommends that organizations focus on prevention and mitigation plans to protect themselves and their customers' data.
The risks of cyberattack are particularly prevalent in the context of digital health records. For example, in two recent ransomware attacks in the health care industry, at Hollywood Presbyterian Medical Center in February and MedStar Health in March, hackers disabled access to computer systems for several days. The question is when, not if, your organization will be a victim of a successful cyberattack. Organizations should review their protocols in light of this FBI statement and review and revise, as necessary, their protocols for avoiding and handling malware attacks.
AMA Considers Telemedicine for Second Time
At the 2016 annual meeting, the American Medical Association ("AMA") approved ethical guidelines for telemedicine interactions to "help physicians understand how their fundamental responsibilities may play out differently" in digital patient interactions. The guidance was developed over the past three years and emphasizes the need for in-state licensure and an established doctor-patient relationship before any telemedicine encounters may occur. The AMA's policy-making House of Delegates had declined to issue any policy guidance to doctors regarding telemedicine practice at the June 2015 annual meeting.
URAC Telemedicine Accreditation
Independent accrediting organization URAC recently launched a "third-party accreditation program to recognize top telehealth providers." According to URAC, the accreditation program will distinguish the high-performing, top-tier telehealth organizations for patients, employers, insurers, and others and will offer comprehensive oversight of the nation's telehealth programs, with the intention of setting high standards for organizations in the telehealth community. URAC's standards for verification of quality and performance benchmarking include risk management, regulatory compliance, information systems security, operations and infrastructure, clinical staff credentialing, quality management, performance oversight, and measures reporting. URAC has a guide explaining the program in detail, as well as a self-assessment tool to determine readiness, both available through their online application.
USDA Announces Telemedicine Funding to Combat Opioid Addiction in Appalachia
On June 30, 2016, the United States Department of Agriculture ("USDA") announced five Distance Learning and Telemedicine ("DLT") grant awards for the treatment of opioid addiction in rural central Appalachia. The project grants were awarded to organizations providing drug abuse treatment and focused on states with high opioid use, with $1.4 million awarded for projects in Kentucky, Tennessee, and Virginia. The projects, a result of President Obama's call for the USDA to focus on rural opioid use, will provide treatment for medical conditions and mental health and drug addiction treatment. The hope is that through telemedicine, addiction treatment will be able to reach rural America.
Maine Medical Board Proposes New Telemedicine Rule
On June 15, 2016, the Maine Board of Licensure in Medicine and Board of Osteopathic Licensure proposed a joint rule to establish standards for telemedicine practice in the state. The proposed rule, once effective, would broadly define telemedicine to include "electronic audio-visual communications and information technologies," including interactive audio with asynchronous store-and-forward transmission, remote monitoring, and real-time interactive services. The rule would hold a licensee using telemedicine to the same standard of care and professional ethics as a licensee conducting traditional in-person encounters with patients. Importantly, the rule would allow a valid physician-patient relationship to be established through telemedicine if the standard of care does not require an in-person encounter, something that is unclear under current Board policies. Specifically, the rule would allow a medical interview and physical examination to occur remotely if the technology utilized "is sufficient to establish an informed diagnosis as though the medical interview and physician examination had been performed in-person." A static internet questionnaire provided to a patient, to which the patient responds with a static set of answers, in contrast to an adaptive, interactive and responsive online interview, is not sufficient.
Comments on the proposed rule were due to the Boards on July 15, 2016. The Boards have 120 days to adopt the rule or, if substantial changes are made based on public comments, initiate another notice-and-comment period.
New Hampshire Law Clarifies Prescribing of Controlled Substances by Telehealth
Effective August 12, 2016, modifications to a New Hampshire telemedicine prescribing law allow providers delivering services by means of telemedicine to prescribe non-opioid controlled drugs classified in schedules II through IV, as long as they are treating a patient with whom the prescribers have an in-person practitioner-patient relationship and are monitoring and providing follow-up care. This expands the prior version of the law, which limited the prescribing of such medications by means of telehealth to providers treating patients at a state-designed community mental health center or substance abuse program, allowing for greater utilization of telehealth with existing patients.
Ohio Medical Board Clarifies New Telemedicine Rule
As discussed in our previous Update, the State Medical Board of Ohio proposed a new rule in April 2016 outlining the standards for a physician's prescribing of drugs to patients based only upon a remote encounter. Specifically, the proposed rule would allow a physician to prescribe a noncontrolled substance to a patient based on a telemedicine encounter if the physician uses "appropriate technology" that is "sufficient" for the physician to conduct the evaluation as if it had occurred in person. The Board received comments on the proposed rule from various stakeholders, made minor modifications, and submitted a Business Impact Analysis describing the purpose and impact of the proposed rule. While the rule's use of phrases like "appropriate technology" is vague, the Board clarified parts of the proposed rule in its Business Impact Analysis. For example, although there is no "real-time" element incorporated into the proposed rule, the Board's commentary indicates that store and forward may be appropriate only in the context of a provider-to-provider consultation and not for direct patient care. The commentary also suggests that an "examination via questionnaire" is not sufficient. In addition, several comments indicate than an audio-only encounter is not sufficient to meet the medical evaluation requirement in the proposed rule. Interestingly, the commentary specifically notes that the proposed rule does not apply to nurse practitioners or physician assistants, and the medical board expects to issue a separate rule to apply similar requirements to physician assistants. It is unclear as to whether the nursing board has any plans to propose a similar rule applicable to nurse practitioners.
The new rule would replace the current Rule 4731-11-09, which requires a physician to have personally and physically examined a patient before prescribing any drug to the patient, except in specific situations.
Legislative Recap: Final Action on Alaska and Louisiana Telemedicine Laws
Since our last Update, telemedicine bills in Alaska and Louisiana were approved by their respective governors and signed into law. Alaska SB 74, which enables out-of-state telehealth providers to provide services via telemedicine if the physician or another licensed health care provider in the physician's practice group is available to provide follow-up care, was signed into law on July 11, 2016. Similarly, Louisiana HB 570, a bill removing the state's current requirement that a physician providing services via telemedicine maintain an office or an arrangement with a physician who maintains an office within the state and expressly permitting audio-only telehealth, was signed by the governor on June 17, 2016.
CMS Proposes Expanded Coverage for Telehealth Services
On July 15, 2016, CMS issued a proposed rule expanding payment under the Medicare Physician Fee Schedule for telehealth services. The proposed rule would add eight CPT codes to the list of services eligible to be furnished via telehealth: (i) four codes for end-stage renal disease dialysis services (90967, 90968, 90969, 90970); (ii) two codes for advance-care planning services, including explanation and discussion of advance directives (99497, 99498); and (iii) two codes for critical care evaluation and management (GTTT1, GTTT2). As part of the proposed rule, CMS also responds to requests from stakeholders to establish a point of service ("POS") code that identifies services provided via telehealth. CMS proposes requiring the use of a telehealth POS code at the distant site to indicate that a service has been furnished via telehealth. The proposed rule is open for comment through September 6, 2016, and it would take effect for services beginning January 1, 2017.
Connecticut Legislature Addresses Medicaid Coverage for Telehealth Services
On June 7, 2016, the governor of Connecticut signed into law SB 298 concerning telehealth services for Medicaid recipients. Under the bill, the Connecticut Department of Social Services is required to provide coverage under Medicaid for telehealth services that are "clinically appropriate to be provided by means of telehealth," "cost effective for the state," and "likely to expand access to medically necessary services for Medicaid recipients for whom accessing appropriate health care services poses an undue hardship." The law took effect on July 1, 2016.
D.C. Issues Emergency Rule for Telemedicine Reimbursement
On June 23, 2016, the District of Columbia issued a Notice of Emergency and Proposed Rulemaking regarding reimbursement by D.C. Medicaid for telemedicine services. Effective immediately, the rule states that D.C. Medicaid will reimburse providers for eligible health care services rendered via telemedicine at the same rate as in-person consultations. The rule also establishes eligibility criteria for telemedicine recipients and conditions of participation for telemedicine providers under D.C. Medicaid. The emergency rules will remain in effect until October 21, 2016, unless superseded by a Notice of Final Rulemaking.
Hawaii Adopts Telehealth Parity Legislation
On July 7, 2016, the governor or Hawaii signed into law SB 2395 concerning Medicaid coverage for telehealth services. The law stipulates that state Medicaid managed care and fee-for-services programs "shall not deny coverage for any service provided through telehealth that would be covered if the service were provided through in-person consultation." The law also establishes payment parity, requiring reimbursement for services furnished via telehealth to be equivalent to reimbursement for "the same services provided via face-to-face contact between a health care provider and a patient." Expanding coverage for telehealth services is particularly important in Hawaii, where remote island locations can make patient access to physicians a significant challenge. The law goes into effect January 1, 2017.
Massachusetts Debates Payment Parity
Massachusetts lawmakers are debating the question of payment parity for telemedicine services in the wake of resistance from health insurers over HB 267. Earlier versions of the bill required telemedicine services to be reimbursed at the same rate as in-person services. Opponents of the payment parity language in the earlier versions of the Massachusetts bill contend that it undermines the ability of health insurers to negotiate rates with providers and, in turn, to pass those savings along to consumers. Health plan representatives argue that the cost of providing services through telemedicine is generally lower, and therefore reimbursement should be lower. In response to these concerns, the current version of the bill allows insurers and providers to negotiate the rate of reimbursement for telemedicine services. Supporters of the current bill note the need for legislative action regarding telemedicine, as Massachusetts continues to lag behind other states in developing telemedicine legislation. The House and Senate must complete their respective reviews of the bill no later than July 31.
New York Introduces Payment Parity Bill
New York is seeking to join a growing number of states that have adopted payment parity statutes for telehealth. On May 31, 2016, the New York legislature introduced SB 7953, which requires commercial health plans to reimburse providers for covered services delivered via telehealth at the same rate as those delivered in person. The bill also requires payment parity for reimbursement by New York Medicaid. New York's current telehealth law does not include payment parity language, which has led some insurers to pay only a fraction of the reimbursement rate for services provided through telehealth compared to the same services provided in person. The bill has been referred to the Health Committee of the New York State Assembly for review.
Rhode Island Enacts Commercial Telehealth Reimbursement Legislation
On July 28, 2016, the governor of Rhode Island signed into law HB 7160B, requiring health insurers to cover treatment delivered via telemedicine to the same extent that such treatment would be covered if delivered via in-person consultation. The law adopts a broad definition of "telemedicine," which includes two-way audiovisual communication and the use of store-and-forward technology while excluding audio-only, electronic mail, and facsimile transmissions. While Rhode Island's law requires "coverage" for services provided via telehealth, it does not require health plans to reimburse providers at the same rate for services delivered via telehealth as those delivered in person (i.e., "payment parity"). The law takes effect on January 1, 2018.
Russian Parliament Considers Telemedicine Bill
On May 30, 2016, a broad telemedicine bill was introduced in the Russian Parliament. The bill, which would amend two federal statutes on "The Basics of Protecting Health of the Citizens of the Russian Federation" and "Personal Information," explicitly authorizes remote provider-to-provider consultations and direct-to-consumer health services. Although the bill is silent with respect to technology-specific requirements, provider-patient relationship requirements, and location requirements, the bill would require proper identification of both the health care professionals and the patients (or a patient's representative) before services may begin. The bill would also authorize patients to sign forms consenting to telemedicine services and transmit the forms via electronic means.
China's New Regulation on Health Care and Medical Big Data Might Unlock Online Sales of Prescription Drugs
On June 21, 2016, the State Council of the People's Republic of China issued a circular titled Opinions on Promoting and Standardizing the Application and Development of Health Care and Medical Big Data ("Opinions"). The Opinions state that China aims to promulgate a regulatory framework for sharing and protecting health care and big data and to establish a cross-department data-sharing structure by the end of 2017. In addition, industry insiders believe that China might eventually lift the ban on online sales of prescription drugs in 2018.
The Opinions state that China will accelerate the establishment and consummation of a database that centers on electronic health records, medical records, and prescriptions; opening up the channels for data sharing and building such a data-sharing platform will have a profound impact on the digital health and telemedicine industry. Under the current structure of China's health care industry, hospitals hold most prescription information, and prescriptions can be issued only by licensed pharmacists. Selling prescription medicine has long been a "forbidden zone," beyond the reach of most telemedicine operators. According to the draft Measures Regarding the Administration of Drug Information Service over the Internet ("Draft") issued by the China Food and Drug Administration in 2014, telemedicine operators can sell prescription drugs by prescription only under the rules governing medicine classification. While the Draft is viewed by the industry as the legal authorization for selling prescription drugs online, the industry has failed to see a breakthrough since 2014.
The Opinions could be a green light to the industry to authorize selling prescription drugs online. The sharing of electronic prescriptions, if accomplished, would make it possible to release hospitals' prescription information to qualified recipients. This will benefit the digital health and telemedicine industry tremendously. How the Opinions would be implemented is unclear and remains to be seen.
European Commission Publishes Draft Code of Conduct on Privacy for mHealth Apps
On June 7, 2016, the European Commission published its final draft Code of Conduct on privacy for mobile health apps ("Code"). The Code aims to raise awareness of the data protection rules in relation to mHealth apps, facilitating and increasing compliance at the EU level for app developers. The issues covered by the Code are: user's consent, purpose limitation and data minimization, privacy by design and by default, data subjects' rights and information requirements, data retention, security measures, principles on advertising in mHealth apps, use of personal data for secondary purposes, disclosing data to third parties for processing operations, data transfers, personal data breach, and data gathered from children. The Code has been formally submitted for comments to the Article 29 Data Protection Working Party. Once approved by this independent EU advisory group, the Code will be applied in practice. App developers will be able to voluntarily commit to follow its rules.
The EU–U.S. Privacy Shield Approved
Designed to replace the Safe Harbor Program with a more robust and comprehensive trans-Atlantic data-transfer scheme, the much-anticipated EU–U.S. Privacy Shield has finally received approval from the European Commission. Every potentially interested company will need to evaluate the Privacy Shield and determine whether compliance with the new framework is the most effective option for accessing EU personal data in the United States. For more information, see the Jones Day Alert.
EU Commission Consults on App Safety
The European Commission has launched a consultation on the safety of apps and other non-embedded software (i.e., software and apps that are neither embedded nor contained in a tangible medium at the time of placement in the market, supplied to consumers, or when otherwise made available to consumers). Health and well-being apps that can be used on a mobile device are examples of such software. The purpose of the consultation is to gather input from various stakeholder groups, particularly consumers, businesses, and authorities, on their experience related to the safety of apps and other non-embedded software. The questions aim to obtain a better understanding of the possible risks and problems that non-embedded software may pose and how these problems could be addressed. The views gathered during the consultation will help to define potential next steps and future policies at the EU level, including, if appropriate, possible revisions of existing horizontal and/or sector-specific EU legislation. The consultation is open for comments until September 15, 2016.