Published on

2011 Virginia Telehealth Summit presentation

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Virginia Telehealth Summit: Legal and Regulatory IssuesGreg Billings Rene Quashie, EsquireCTeL Drinker Biddle & Reath1500 K Street, NW 1500 K Street, NWSuite 1100 Suite 1100Washington, D.C. 20005 Washington, D.C. 20005202-230-5090 202-230-5161www.ctel.orgApril 5, 2011
  2. 2. Presentation Overview> Legal and regulatory issues facing telehealth - HIPAA Privacy and Security - Fraud and Abuse - Medical Liability/Malpractice - Credentialing/Privileging - Internet/Online Prescribing - Licensure 2
  3. 3. HIPAA Privacy and Security
  4. 4. HIPAA Generally> Health Insurance Portability and Accountability Act of 1996> The Privacy Regulations under HIPAA govern the use and disclosure of most health information held by Covered Entities.> The Security Regulations protect health information from unauthorized people.> Covered Entities are: - Health Plans (e.g., Medicare and Medicaid, Employer Health Plans, HMOs and other commercial plans, and CHAMPUS) - Health Care Clearinghouses (e.g., billing agent) - Health Care Providers who conduct certain electronic transactions (almost all physicians and hospitals) 4
  5. 5. Privacy Rule vs. Security RulePrivacy Standard(s) Security Standard(s)> Minimum use- payment & > Access control operations, not treatment > Authentication> Notice of Privacy > Network Controls Practices/Designated > Training Record Set > Reasonable safeguards> Incidental use and disclosure if and only if… > Workstation controls: use; location (physical and technical)> Verification of requestor > Authentication/ Authorization> Sanctions > Audit trails> Business Associate Contracts > Chain-of-Trust Agreements 5
  6. 6. HIPAA Privacy Rule> Permitted Uses and Disclosures - A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: - To the Individual (unless required for access or accounting of disclosures); - Treatment, Payment, and Health Care Operations; - Opportunity to Agree or Object; - Incident to an otherwise use and disclosure - Public Interest and Benefit Activities 6
  7. 7. HIPAA Privacy Rule (con’t)> Requires covered entities to: - Obtain authorization for special additional uses of PHI - Designate a privacy official - Develop policies and procedures (including receiving complaints) - Provide privacy training to their workforce - Develop a system of sanctions for employees who violate the entity’s policies - Meet documentation requirements - Implement appropriate administrative, technical, & physical safeguards to protect privacy 7
  8. 8. HIPAA Security Requirements> 3 Basic types of safeguards: - Administrative - How to deactivate access - When is activity logged - Physical - Where are devices located - How is physical access to systems and/or ePHI accomplished - Technical - What is electronic? - Encryption 8
  9. 9. HIPAA Security Rule> Ensure the confidentiality, integrity, and availability of all electronic PHI> ePHI - Any electronic protected health information created by a health care provider, health plan, public health authority, employer, life insurer, school or university. - It identifies who you are - Individually Identifiable Health Information - Examples: name, street address, social security number, zip code, condition/disease, etc. 9
  10. 10. HIPAA Security Rule (con’t’)> Covered entities are required to: - Assess potential risks and vulnerabilities - Protect against threats to information security or integrity, and against unauthorized use or disclosure - Implement and maintain security measures that are appropriate to their needs, capabilities and circumstances - Ensure compliance with these safeguards by all staff 10
  11. 11. HIPAA Issues Unique to Telehealth Services> Security of technology necessary in telemedicine - Use of Skype and similar technology to provide telehealth services> Distribution of the Notice of Privacy Practice to patient, if the health care provider is not a member of the patient site workforce> HIPAA privacy training/education if the health care provider is a member of the patient site workforce> Business associate agreements with technical providers (non-covered entities) who assist with the delivery of healthcare by telemedicine> Telehealth consultations may require additional non-clinical personnel, such as technicians and camera operators, who do not participate in traditional medical care 11
  12. 12. Fraud & Abuse
  13. 13. Anti-Kickback Statute> It is a crime to knowingly and willfully solicit, receive, offer, or pay remuneration of any kind (money, goods or services) for the referral of an individual to another for the purpose of supplying services that are covered by a Federal Health care Program; or purchasing, leasing, ordering, or arranging for any good, facility, service, or item that is covered by a Federal health care program (42 U.S.C. § 1320a-7b(b)) - Civil and criminal penalties - Safe harbors 13
  14. 14. Safe Harbors> Immunize certain payment and business practices that are implicated by the anti- kickback statute from criminal and civil prosecution under the statute> Most common safe harbors for telehealth - Space Rental Safe Harbor - Equipment Rental Safe Harbor - Personal Services and Management Contracts Safe Harbor - Bona Fide Employees Safe Harbor 14
  15. 15. Common Anti-Kickback Telehealth Issue> The provision of subsidized or free equipment - Does an originating site’s subsidization of the capital and/or operating costs result in referrals (directly or indirectly)? 15
  16. 16. Kickback Analysis> Did something of value get offered, requested, exchange hands?> If so, was the conduct willful?> Did the provider’s treatment pattern change?> Were patients switched because of the kickback?> If yes, were they consulted, told about the inducement?> Did the parties know about the anti-kickback statute?> If so, is there a safe harbor?> If so, was some or all of the expected/desired business paid for by a federal health care program? 16
  17. 17. STARK Self-Referral Law> The federal Stark physician self-referral law generally prohibits a physician from making referrals to an entity for any of eleven (11) designated health services if the physician (or an immediate family member) has a ―financial relationship‖ with the entity (42 U.S.C. § 1395nn) 17
  18. 18. Medical Malpractice & Liability
  19. 19. Medical Malpractice & Telehealth> Malpractice generally - Duty - Breach - Causation - Damages> Standard of care - Local v. state v. national v. international - Specialist v. generalist - Expert witnesses - Qualifying - Evidence-based guidelines? - A question of fact for the jury 19
  20. 20. Liability Concerns> Areas of main concern - Affirmative errors - Acts or omissions - Failure to treat - Treating physician at originating site does not use telemedicine services – can such failing lead to liability on the part of physician , originating site facility 20
  21. 21. Credentialing & Privileging
  22. 22. Credentialing & Privileging Overview> Credentialing - Reviewing and confirming a provider’s credentials and other documentation: - Education - Licensure - Certifications - Insurance - National Practitioner Data Bank - References - Third party verification organizations> Privileging - Scope and content of patient care services to be authorized for a provider by a health care organization. - Based on an evaluation of the providers credentials and performance - Peer review 22
  23. 23. Credentialing & Privileging: Issues for Telehealth> Who is responsible for conducting credentialing and privileging— - Originating site? - Distant site?> Joint Commission - Allowed credentialing & privileging by ―proxy‖. - Accredited JC hospital could rely on the credentialing and privileging conducted by the distant JC-accredited facility. 23
  24. 24. Credentialing & Privileging: Issues for Telehealth (continued)> CMS Original Position: - May use third party verification organizations for credentialing - Cannot use third parties for privileging - All hospitals who engage in telehealth must privilege each health care practitioner providing services to its patients as if the practitioner were on site> Final Rule - Expected clearance—mid April, 2011 - Proposed rule allowed for a ―remote‖ credentialing and privileging process 24
  25. 25. Online Prescribing
  26. 26. Online Prescribing Overview> States have different approaches - Two-thirds of states— - Require an in-person evaluation or physical examination before prescribing online; or - Permit physicians to prescribe online only if there is a preexisting patient relationship. - Many states prohibit online prescribing based solely on information from an online questionnaire. - Some states regulate online prescribing through pharmacy laws - Most pharmacy laws do not permit prescriptions based solely on an online questionnaire. Source: Preliminary data from CTeL: 50 State Internet Prescribing Legal Report 26
  27. 27. Virginia Statute> Permits a physician to prescribe medication to a patient as long as there is a bona-fide physician patient relationship - Bona-fide physician-patient relationship means the physician needs to conduct a physical exam of the patient - Exam can take place ―physically or by the use of instrumentation and diagnostic equipment through which images and medical records may be transmitted electronically‖> Language specifically applies to controlled substances - State board indicates applies to all substances 27
  28. 28. Licensure
  29. 29. Licensure> States required to monitor the practice of professionals within their boundaries - State medical boards responsible for regulating physicians and other health care providers within state.> Licensure is the process by which states validate providers’ credentials. - Confirm a provider competent to practice medicine. 29
  30. 30. Licensure (continued)> Licensure as applied to telemedicine - Regulations apply to physicians and other providers who practice telemedicine between health care facilities in different states> State licensure restrictions run counter to telemedicine, which transcends geographical boundaries - Patient to Doctor or Doctor to Patient?> Practitioners are often subject to the licensure laws of both states – state where they are located and the state where they are administering the care 30
  31. 31. Types of Licensure> 2 categories of licensure - Full license - 21 states require telehealth providers to seek a full medical license - Telehealth provider also required to meet other state requirements including: - Paying substantial licensure fees - Passing additional oral and written examinations, - 11-Limited/Special/Telemedicine license - Reciprocity between states for telehealth providers - Limited administrative requirements 31
  32. 32. Licensure Consultation Exception> Many states have consultation exception - Physician not licensed in that particular state can practice medicine in consultation with a referring in-state physician. - Scope varies from state to state - All states allow for consultations - Six states specifically limit consultation - Many consultation exceptions not developed with telehealth in mind. 32