At the outset of the Covid-19 pandemic, the Centers for Medicare and Medicaid Services and state governments waived many restrictions on the provision of telehealth services—but only for the duration of the public health emergency. Since that time, the demand for such services has increased exponentially.
There are new opportunities for physician groups who are able to provide telehealth services successfully and cost-effectively, telehealth technology providers that facilitate virtual visits, and investors in these entities. Providers and potential investors evaluating future telehealth opportunities should be aware of some critical legal and regulatory issues.
Does the provider organization offer—or plan to offer—telehealth services to a large volume of patients who are beneficiaries of government health-care programs, including Medicare and Medicaid?
If so, the size of the available market may depend in significant part on whether there are permanent changes made to the governing laws. Absent congressional action, after the pandemic ends, CMS will no longer reimburse telehealth services for the vast majority of Medicare beneficiaries because reimbursement is ordinarily limited by statute to rural beneficiaries receiving services from a remote facility. Many states similarly have limitations on the provision of care to Medicaid beneficiaries that will return after the pandemic.
Additionally, organizations that provide services to beneficiaries of government health-care programs are always subject to federal and state fraud and abuse laws. These laws prohibit practices that might be lawful in other industries, e.g., organizations cannot incentivize the use of telehealth by reimbursing telehealth physicians based on the volume of patients they treat or offering to waive co-payments. Non-compliance with these laws can result in criminal investigations and costly civil litigation.
Is the provider organization offering services likely to be covered by Medicare or commercial payors?
CMS telehealth coverage decisions have significance beyond Medicare beneficiaries because commercial insurers often follow the lead of CMS. The agency recently identified three issues that should be evaluated when assessing whether telehealth services should be continued after the pandemic:
- whether delivering the service via telehealth is safe and delivers outcomes that are equivalent to in-patient visits;
- the appropriate reimbursement level for telehealth services, i.e., whether adjustments should be made because costs incurred for patient hygiene are not incurred when a patient is treated remotely; and
- whether expanding telehealth results in additional fraud and abuse, e.g., by providers taking advantage of the telehealth medium to provide shorter visits or bill for more patients than can be seen in a day.
CMS, as well as commercial insurers, are likely to be receptive to reimbursing telehealth services for which proponents can present empirical data showing that telehealth yields clinically-similar—or better—results at comparable costs.
Is the provider organization compliant with physician licensing laws both in the jurisdictions where the organization operates and where patients are located?
Telehealth services can be provided only when they are authorized in both the states where the provider and beneficiary are located. Organizations should have surveys of the licensing laws in the state(s) in which they operate and the state(s) in which their patients reside; these surveys should be periodically updated to stay current, as requirements change frequently.
Further, they should have protocols to ensure that telehealth services are provided to patients only in jurisdictions in which physicians are authorized to provide telehealth services, and to ensure any additional requirements are met (e.g., that the physician must have met the provider in person before providing telehealth services).
Privacy, Data Security
Does the provider organization comply with applicable laws governing patient privacy and data security?
Although privacy and data security laws are applicable to all provider organizations, these issues are of particular concern where all physician-patient interactions are digital. In particular, organizations should be compliant with Health Insurance Portability and Accountability Act privacy and security rules.
Of note, although the federal government is currently permitting providers to use any non-public-facing remote communication product to communicate remotely with patients, potentially including applications such as FaceTime or Skype, which are generally not considered to be HIPAA-compliant technology platforms, the use of HIPAA-compliant platforms will be required again after the emergency.
Organizations should also consider applicable state privacy and data security laws in the jurisdictions where the organization and its patients are located as some state laws are more stringent than HIPAA rules. In addition, organizations that promote privacy practices should be prepared to substantiate their claims.
Do providers working for the organization prescribe prescription drugs?
Some telehealth organizations have financial interests in the sale of certain pharmaceutical products. It is important to ensure that providers have appropriate prescribing practices, e.g., any prescribed drugs are authorized by the Food and Drug Administration (whether as prescription or over-the-counter drugs) and are prescribed in medically appropriate circumstances pursuant to a valid patient-provider relationship.
Additionally, controlled substances should be prescribed by telehealth prescribers only under circumstances permitted by applicable federal and state regulation.
Does the organization offer telehealth services that involve remote monitoring?
If the organization that engages in remote patient monitoring utilizing hardware (e.g., a networked blood pressure monitor) or software (e.g., a mobile app), it is important to assess whether the hardware or software will be regulated by the FDA as a medical device and, if so, ensure that the product is compliant with applicable regulatory requirements.
Attentiveness to these issues will allow provider organizations and investors to make well-informed decisions about marketplace opportunities and to avoid unlawful conduct.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Paul D. Rubin is a corporate partner based in Debevoise’s Washington, D.C., office and is the Co-Chair of the firm’s Healthcare & Life Sciences Group and the Chair of the FDA Regulatory practice.
Jacob W. Stahl is counsel in Debevoise’s New York office and a member of the firm’s Litigation Department. He focuses on representing clients on healthcare-related issues, including commercial litigation, administrative disputes, and compliance and regulatory advice.
Melissa Runsten is a corporate associate and a member of Debevoise’s Healthcare & Life Sciences Group. She focuses on FDA/FTC regulatory matters and represents drug, device, food, cosmetic and other consumer product companies.
Kim Le is a corporate associate at Debevoise and a member of the firm’s Mergers & Acquisitions Group.