Following previous incremental advancements in telehealth, the COVID-19 pandemic thrust the technology to center stage during a public health emergency.
Virtually overnight, federal and state regulators relaxed regulations spanning multiple agencies that historically hindered the ability of providers to deliver — and for patients to receive — telehealth services. In the wake of these flexibilities, visits have skyrocketed.
We can’t put the genie back in the bottle. Our new normal is likely to involve fewer patient visits in order to support social distancing and increased sanitation, thus sustaining a strong demand for telehealth.
Although changes made during the pandemic are meant to be temporary, seismic shifts are in motion. The regulatory landscape will need to adapt to accommodate this evolution.
Forward-thinking companies should prepare now and remain flexible to quickly adapt their telehealth arrangements post-pandemic. Here are several scenarios to consider.
Heightened Data Privacy Laws Requiring Greater Security and Vigilance
On March 17, the Department of Health and Human Services issued a notice that it would not impose HIPAA penalties on providers for “good faith provision of telehealth during the COVID-19 nationwide public health emergency” and permitted the use of remote communication products that are not public facing.
However, it also cautioned providers that these technologies potentially introduce privacy risks.
With more people shifting to remote care and a simultaneous spike in cybercrime, regulators are poised to strengthen protections for personal information. Expect data privacy and security laws to return to normal following the pandemic and prepare for potentially more stringent privacy laws to follow.
With that in mind, providers should:
- Evaluate security controls of telehealth technologies and vendor HIPAA compliance
- Consider interoperability of platforms and connected devices with electronic health record systems
- Enter into or amend business associate agreements with vendors who have access to protected health information and ensure protections for breaches and security incidents — including strong indemnification, reporting obligations and cyber liability coverage
- Conduct a comprehensive security risk assessment of IT systems
READ MORE: Is your at-home workspace HIPAA compliant? Review our checklist.
Continued Debate Over Reimbursement and Coverage Expansion
Before the pandemic, Medicare coverage of telehealth services was extremely restrictive, with limitations for originating sites, geography, eligible practitioners and services, and qualifying technology.
The Coronavirus Aid, Relief and Economic Security Act allowed the Centers for Medicare and Medicaid Services to temporarily remove these requirements under broad waivers. Congressional action will be needed to permanently expand Medicare telehealth coverage, a measure that has long received bipartisan support.
The Congressional Budget Office has historically been forced to draw inferences from commercial health insurance programs in projecting telehealth expansion costs. However, it claimed this comparison was of limited use because private insurers have more tools to influence physician and patient choice over treatment decisions.
It’s a chicken-and-egg conundrum: The CBO needs data on telehealth in the Medicare fee-for-service program and Congress needs favorable scoring before legislation expanding Medicare coverage can be achieved. Interestingly, the COVID-19 pandemic may finally provide this needed data.
Medicare coverage of telehealth is likely to return to pre-pandemic levels but with the potential for future expansions through legislative action. Medicaid coverage expansion will vary by state. On the commercial side, watch for increased state actions for payment and coverage parity for telehealth.
A Long-Term Focus on Care Delivery and Fraud Detection
Generally, for a medical provider in one state to treat a patient in another state, a provider must be licensed in the state where the patient is located. During the pandemic, many states temporarily waived in-state licensure requirements or created emergency pathways to limited licensure.
We expect some states to continue this practice and to increase adoption of the Federation of State Medical Boards’ physician licensure compact that allows doctors to obtain licenses in multiple states at once. Similar actions may affect other disciplines.
When it comes to issuing prescriptions, regulatory changes from the Drug Enforcement Administration will be necessary going forward. The federal Ryan Haight Online Pharmacy Consumer Protection Act, passed in 2008, requires prescribers to conduct in-person examinations before prescribing controlled substances “by means of the Internet,” except when engaged in the practice of telemedicine.
But the telemedicine exemption is extremely narrow. For example, it doesn’t apply if the patient is at home. During the pandemic, however, prescriptions can be issued through telehealth under the act’s public health emergency exception.
A special registration would allow certain entities to register to prescribe controlled substances via telehealth without some of the more onerous limitations. This is currently in development by the DEA and likely at least one year away from fruition; expect federal prescribing laws to revert to pre-pandemic status, at least in the short term.
Finally, as billions of government dollars are redirected to telehealth, scrutiny will follow. The Department of Justice called out a $60 million telemedicine fraud scheme in Georgia and has urged the public to report suspected wrongdoing.
Government enforcers will be watching the telehealth space with interest, so providers should be cognizant of the federal Anti-Kickback Statute as well as the telemedicine billing rules to avoid potential trouble.