Finally! Washington Has A Telemedicine Bill. But What’s In It?

After many years of effort, the Washington State Legislature has sent a telemedicine bill to the Governor for signature.

It is an exciting achievement, but now that the bill has passed, we need to answer an important question: “What is actually in the bill?”

Payment for Professional Telemedicine Services

The primary purpose of the bill is to require health insurance companies, Medicaid managed care plans, and health plans offered to Washington State employees to reimburse health care providers who provide professional services via telemedicine technology.

This is critical because, prior to the bill, insurance companies had no obligation to reimburse providers for telemedicine services.

One unfortunate aspect of the new law is that it does not set the specific reimbursement rate for telemedicine services. In other words, nothing requires health plans to pay for telemedicine services at the same rate as an in-person encounter.

Instead, the rate for telemedicine services will be whatever the health plan and provider agree upon in the negotiated provider agreement between the parties.

Additionally, in order to receive the negotiated rate, providers must pay special attention to the detailed reimbursement requirements of the bill:

Health Care Providers

The bill states that only “health care providers” are entitled to reimbursement for telemedicine services. Fortunately, “health care provider” is defined broadly and includes any of the licenses listed in Title 18 of the Revised Code of Washington.

A health plan need only reimburse health care providers that are contracted with the health plan.

“Out of network” reimbursement is not required.

Types of Technology

The bill applies to both real time “telemedicine” technology and “store and forward” services.

“Telemedicine” technology is a real-time, interactive, video and audio conference between a patient and a provider.  Think “Skype.”

“Store and forward” technology is a system by which information is sent to an intermediate location where it is kept and, at a later time, sent to the intended destination.

This type of technology is very common in the teleradiology and teledermatology fields in which specialists provide reads for digital images of patients.

Unlike telemedicine technology, the bill has some critical restrictions on the use of store and forward technology:

  • The bill requires an associated office visit between the patient and referring health care provider if store and forward technology is used. The use of “telemedicine” technology, as defined above, can meet the office visit requirement; and
  • A health plan only has the obligation to provide reimbursement for a service provided via store and forward technology if the service is specified in the negotiated agreement between the health plan and the provider.

The second restriction is a big deal.

Under this restriction, the bill does not require a health plan to pay a provider for services rendered via store and forward technology if such services are not explicitly covered in the provider agreement between the provider and health plan.

Therefore, it is critical that providers using store and forward technology pay close attention to their provider agreements with health plans.

Types of Telemedicine Services

The bill is clear that health plans only have the obligation to provide reimbursement for services that meet all of the following criteria:

  • Reimbursement is only required if the health plan provides coverage of the same service when it is provided in person;
  • The service must be an “essential health benefit” under the Affordable Care Act; and
  • The service is medically necessary.

Health plans have no requirement to provide reimbursement if these three requirements are not met.

Payment For Facility Fees

In discussing the facility fee issue, it is important to understand that there are always two different sites in a telemedicine encounter:

  • The Originating Site: This is the location where the patient is physically located. For reimbursement purposes, originating sites can be hospitals, rural health clinics, federally qualified health centers, health care provider offices, community mental health centers, skilled nursing facilities, or renal dialysis centers (except independent renal dialysis centers).
  • The Distant Site: This is the location where the health care provider is physically located at the time telemedicine services are rendered.

As described above, the bill requires health plans to reimburse providers for the professional services they perform at the distant site during a telemedicine encounter.

But what about the originating site facility where the patient is located? Are health plans required to reimburse these facilities?

The answer is no.

According to the bill, originating site providers are only entitled to facility fees if such fees have been negotiated in the provider’s contract with the health plan.

The bill does not require any health plan reimbursement to the originating site if a health plan refuses to include reimbursement for facility fees in its provider agreement.

This is unfortunate for rural providers who would have benefited from the requirement for health plans to pay facility fees for telemedicine.

Hospital Credentialing and Privileging of Telemedicine Physicians

Aside from reimbursement, another important part of the bill is the changes to the requirements for hospital credentialing and privileging of telemedicine physicians.

In the hospital world, a physician can only provide services at a hospital if the physician is properly credentialed and privileged.  Therefore, a physician that provides telemedicine services an originating site hospital technically must be credentialed and privileged by the hospital.

Prior to the bill, Washington law required hospitals to engage in a detailed credentialing process of requesting information from a physician who was applying for privileges.  The hospital also had to request information from hospitals and facilities that had granted privileges or employed the physician.

This cumbersome process could unnecessarily delay the provision of telemedicine services.

Under the bill, the credentialing requirements no longer exist for telemedicine physicians.

The bill states that an originating site hospital may rely on a distant site hospital’s decision to grant or renew privileges for a telemedicine physician if the originating site enters into a written contact with the distant site.

The contract must have the following provisions:

  • The distant site hospital providing the telemedicine services must be a Medicare participating hospital;
  • Any physician providing telemedicine services at the distant site hospital must be fully privileged to provide such services by the distant site hospital;
  • Any physician providing telemedicine services must hold and maintain a valid license to perform such services issued or recognized by the state of Washington; and
  • The originating site hospital must have evidence of an internal review of the distant site physician’s performance of the privileges and sends the distant site hospital performance information for use in the periodic appraisal of the distant site physician.

Conclusion

There is much to like in Washington’s new telemedicine bill.

For the first time, private health plans are required to pay for telemedicine services. Additionally, the process of hospital credentialing and privileging of telemedicine physicians has been streamlined.

But the bill is not perfect.

Without specific requirements on rates, health plans have the ability to reimburse telemedicine services at a much lower rate than in-person services.  Large health systems may have leverage to negotiate for higher reimbursement in provider agreements, but smaller and rural providers may not have this luxury.

Additionally, teleradiology and teledermatology providers must pay close attention to their negotiated provider agreements with health plans.  Under the bill, health plans have no requirement to pay professional services for services rendered via “store and forward” technology if the services are not explicitly covered in the provider agreement.

With that said, no bill is perfect, and the new Washington bill is a good first step into improving the prospects for telemedicine in Washington State.

For more information about telemedicine, please contact Casey Moriarty.

You’ve Been Sued: 4 Non-HIPAA Claims in Data Breach Cases

“There is no private right of action under HIPAA.”  This oft-repeated rule is a source of comfort for many health care entities.

Of course, patients can file complaints with the Office of Civil Rights or State Attorneys General, but a “HIPAA cause of action” does not exist.

So what is the basis for the many different class action lawsuits against health care entities that have been hit with data breaches? The recent class action lawsuit filed against Premera sheds some light on strategies of class action attorneys.

The Complaint alleges seven different causes of action.  This article will focus on four of the claims.

The Four Causes of Action in the Premera Complaint

  • Negligence: The first cause of action is negligence. To establish a claim for negligence, the plaintiff must show that an entity: (1) had a duty to the plaintiff, (2) the entity breached the duty, (3) the plaintiff suffered damages, and (4) the entity’s acts caused the damage.

    The Complaint states that Premera had a “duty” to keep the plaintiffs personal information secure as the provider of health coverage to the plaintiffs.  Premera breached this duty by failing to secure its IT systems and this failure directly caused the plaintiff’s damages related to improper disclosure of health information.

  • Bailment: The second cause of action is Bailment. A “bailment” arises when personal property is delivered to another for some particular purpose with an express or implied contract to redeliver when the purpose has been fulfilled.

    In other words, “I’m giving you my stuff with the expectation that I’ll get it back in the same condition.”

    The Complaint alleges that the plaintiffs provided Premera with their personal information with the understanding that Premera would adequately safeguard it.  Premera breached its bailment by failing to protect the information which resulted in the data breach.

  • Breach of Contract: The third cause of action is breach of contract. My first question concerning this claim is: “Did Premera actually state in its beneficiary agreements that it would keep all data secure?”

    Based on the allegations in the Complaint, the answer appears to be no.

    However, the Complaint alleges that Premera’s Notice of Privacy Practices (NPP) states that Premera must take measures to protect each beneficiary’s health information. Whether or not an NPP is actually a contract between a covered entity and individuals, this allegation should motivate health care entities to be careful in drafting their NPPs.

  • Washington State Data Breach Claim: In emphasizing the “no private right of action under HIPAA” mantra. Many entities fail to take understand state laws concerning data breaches.

    In the Complaint, the plaintiffs allege that Premera violated the Washington State data breach notification requirements of RCW 19.255.010. Unlike HIPAA, affected individuals may bring claims for violations of this statute.

    Among the requirements of RCW 19.255.010 is to disclose data breaches in the most “expedient” time possible and without “unreasonable delay.” The Complaint alleges that Premera took far too long to notify beneficiaries of the data breach.

Conclusion

In light of these claims (and others) in the Premera breach complaint, the warning for health care entities is clear: You can be sued by your customers for data breaches.

Although HIPAA may not provide for a private right of action, there are many other ways for plaintiffs to recover compensation for the failure to keep health information secure.

For more information about data breaches, please contact Casey Moriarty.

FDA Releases Report on Health IT Oversight

On April 3, 2014, the Food and Drug Administration (“FDA”), in collaboration with the Office of the National Coordinator for Health Information Technology (“ONC”) and the Federal Communications Commission (“FCC”), released a congressionally mandated report which proposes to clarify oversight of health information technology (“health IT”) based on a product’s function and the potential risk to patients who use it. The full draft report can be viewed here.

Similar to the FDA’s September 2013 guidance on how it would regulate mobile medical apps, this report proposes a strategy based on the premise that risk and corresponding controls should focus on health IT functionality– not the platform(s) on which such functionality resides.  As such, the FDA has identified three categories of health IT: (1) administrative health IT functions (2) health management health IT functions, and (3) medical device health IT functions.  The following table provides examples of the three categories and describes the FDA’s regulatory approach for each:

 

Health IT Category Examples (includes but not limited to) Level of Oversight
Administrative functionality Billing and claims processing, practice and inventory management,  scheduling, general purpose communications, determination of health benefit eligibility, population health management, reporting of communicable diseases to public health agency, quality measure reporting No additional oversight necessary
Health management functionality (sometimes referred to as “clinical software”) Health information and data exchange, data capture and encounter documentation, electronic access to clinical results, most clinical decision support, medication management, electronic communication and coordination, provider order entry, knowledge management, patient identification and matching Not focus of FDA oversight given proposed risk-based framework for health management  health IT
Medical device functionality Computer aided detection/diagnostic software, remote display or notification of real-time alarms from bedside monitors, robotic surgical planning and control Focus of FDA oversight

 

A significant portion of the FDA’s report focuses on the proposed framework for health management health IT functionalities.  Instead of recommending a new or additional area of FDA oversight, the report recommends a limited, narrowly-tailored approach that primarily relies on ONC-coordinated activities and private sector capabilities.  Four key priority areas for health management health IT include: (1) promote the use of quality management principles (2) identify, develop, and adopt standards and best practices (3) leverage conformity assessment tools and (4) create an environment of learning and continual improvement.

The framework also  includes a recommendation for ONC to create a public-private Health IT Safety Center, in collaboration with FDA, FCC, and Agency for Healthcare Research and Quality (“AHRQ”) and other health IT stakeholders. This Center would work on best practices and provide a forum for the exchange of ideas and information focused on promoting health IT as an integral part of patient safety.

What do you think about the FDA’s health IT report?  The FDA is seeking public input on a number of specific questions related to the report’s recommendations– the report is open to public input/comment for 90 days.  For more information about the FDA report or health IT regulatory issues, please contact Jefferson Lin or David Schoolcraft.

 

 

PROTECT Act Seeks to Exclude Health IT Software from FDA Oversight

Last month, Senators Deb Fischer (R-Neb.) and Angus King (I-Maine) introduced proposed legislation, the PROTECT Act (Preventing Regulatory Overreach To Enhance Care Technology) of 2014 (full text available here), which seeks to remove the Food and Drug Administration’s (“FDA”) regulatory authority over certain health information technology (“health IT”) software.

Main Provisions of the PROTECT Act

Specifically, the bill proposes that “clinical software” and “health software” shall not be subject to regulation under the Federal Food, Drug, and Cosmetic Act (“FD&C Act”).  The bill defines “clinical software” as “clinical decision support software or other software (including any associated hardware and process dependencies)…that captures, analyzes, changes, or presents patient or population clinical data or information and may recommend courses of clinical action…and is intended to be marketed for use only by a health care provider in a health care setting.”

The term “health software” means “software (including any associated hardware and process dependencies) that is not clinical software and (a) that captures, analyzes, changes, or presents patient or population clinical data or information; (b) that supports administrative or operational aspects of health care and is not used in the direct delivery of patient care; or (c) whose primary purpose is to act as a platform for a secondary software, to run or act as a mechanism for connectivity, or to store data.”

Both “clinical software” and “health software” would not include software “(a) that is intended to interpret patient-specific device data and directly diagnose a patient or user without the intervention of a health care provider; (b) that conducts analysis of radiological or imaging data in order to provide patient-specific diagnostic and treatment advice to a health care provider; (c) whose primary purpose is integral to the function of a drug or device; or (d) that is a component of a device.”

The PROTECT Act also proposes that the National Institute of Standards and Technology (“NIST”) be the Federal agency that oversees technical standards used by clinical software.  In addition, the Act recommends that NIST, along with the Federal Communications Commission, the National Patient Safety Foundation, and the Office of the National Coordinator for Health Information Technology, collaborate with nongovernmental entities to develop certification processes and promote best practice standards for health IT.

PROTECT Act Supporters Cite FDA’s Overreach and Slow Process

Proponents of the bill argue that, given the FDA’s broad definition of “medical device”, the FDA’s authority to regulate health IT is too extensive and that the FDA’s slow safety review process hurts innovation.  Senator King explained to the Boston Globe, “While blood-glucose monitors, pacemakers, and other high-risk devices must remain under the current FDA regulations, low-risk software like wellness apps and electronic health records need not be subject to burdensome regulations.”

Although the FDA in September 2013 issued non-binding guidance on how the agency would regulate mobile medical applications, some in the health IT industry are uncomfortable with the uncertainty surrounding the FDA’s regulatory discretion.  Along with athenahealth, which issued a document called “In Defense of the PROTECT Act,” supporters of the bill include IBM, Verizon, McKesson, and Software & Information Industry Association.

Critics Raise Patient Safety Concerns

Critics contend that the PROTECT Act’s creation of a regulatory exception for health IT software undermines the FDA’s role in safeguarding the public’s health.  They warn that flaws with digital records systems can lead to dangerous, and even fatal, consequences.  A 2011 Institute of Medicine report found that “dosing errors, failure to detect life-threatening illnesses, and delaying treatment due to poor human-computer interactions or loss of data have led to serious injury and death.” A more recent study of medical malpractice claims confirms that electronic health record-related vulnerabilities such as faulty data entry, unexpected conversions, or incorrect files/fields can lead to medical errors.

PROTECT Act opponents argue that patient safety is an area that the FDA has experience with and should regulate, whereas NIST’s mission is to promote U.S. innovation and industrial competitiveness.  The mHealth Regulatory Coalition, along with other advocacy groups like the National Physicians Alliance, Public Citizen, and the Union of Concerned Scientists have voiced concerns about the PROTECT Act.

Conclusion

Those interested in the future policy and regulatory framework of health IT should keep an eye on this proposed legislation.  In the coming months, the Obama administration also plans to release recommendation on how health IT systems should be regulated for safety.  As the adoption of health IT and electronic health records systems expands and as health IT becomes more sophisticated, the proper role of the FDA in regulating the safety of health IT will continue to be a subject of intense debate.

For more information about the PROTECT Act, FDA regulation or health IT policy issues, please contact Jefferson Lin or David Schoolcraft.

OIG Approves Electronic Interface Arrangement

In a recent advisory opinion, the Office of Inspector General DHHS (“OIG”) approved an arrangement under which free access to an electronic computer interface is provided by a hospital to local physicians.  The opinion provides an important contemporary analog to earlier guidance published by the OIG as part of the preamble to the Federal anti-kickback statute safe harbor regulations (see 56 Fed. Reg. 35952, 35978, July 29, 1991).   At the same time, the OIG reinforced its long-standing position that in order for such arrangements to pass muster under the Federal anti-kickback statute, the parties must validate that the technology is limited to facilitating hospital-physician communications, and that it will not have independent value to the physicians. 

Please contact David Schoolcraft  (dschoolcraft@omwlaw.com or 206.447.7000) you have any questions about the scope and applicability of this OIG advisory opinion.

Impact of “Big Data” in Health Care

A Recent report from McKinsey & Company on the evolution of information technology focuses on health care as a sector to watch: “For instance, if US health care could use big data creatively and effectively to drive efficiency and quality, we estimate that the potential value from data in the sector could be more than $300 billion in value every year, two-thirds of which would be in the form of reducing national health care expenditures by about 8 percent.” Full report at http://www.mckinsey.com/mgi/publications/big_data/index.asp