Month: March 2020

Following President Trump’s declaration of a national emergency, the Secretary of the Department of Health and Human Services (HHS) announced on March 13, 2020 a “waiver” of certain laws and regulations related to Medicare, Medicaid, and other federal healthcare programs.  According to HHS, the waivers were issued:

To ensure that sufficient health care items and services are available to meet the needs of individuals enrolled in the Medicare, Medicaid and CHIP programs and to ensure that health care providers that furnish such items and services in good faith, but are unable to comply with one or more of these requirements as a result of the consequences of the 2019 Novel Coronavirus (previously referred to as 2019-nCoV, now as COVID-19) pandemic, may be reimbursed for such items and services and exempted from sanctions for such noncompliance, absent any determination of fraud or abuse.

While the March 13 waivers contained “blanket” exemptions from certain rules and requirements under laws such as HIPAA and EMPTALA, and from certain Medicare “Conditions of Participation” and rules regarding telehealth services (about which we previously written), it did not provide any “blanket” protection against enforcement and sanctions under the Physician Self-Referral law, better known as the “Stark” Law.  Instead, HHS waived sanctions under the Stark law only “under such conditions and in such circumstances as the Centers for Medicare & Medicaid Services determines appropriate.”  In other words, on a “case by case” basis upon submission of a request for an exemption for a specific arrangement (including justification for the waiver and the expected time needed for the waiver), and approval by CMS.  

Because HHS did not at that time adopt “blanket” Stark law waivers or offer additional guidance regarding how the “case-by-case” Stark law waivers would be applied during the crisis, providers were left confused and in the lurch as to whether (and how) they could pursue innovative arrangements meant to quickly and efficiently expand care delivery to patients without running afoul of the often cumbersome “technical” requirements of the Stark law governing such arrangements. Recognizing the severity of this problem, the American Hospital Association (AMA) wrote to HHS on March 20, 2020, urging that immediate steps be taken to suspend enforcement of the Stark law and the Antikickback Statute (AKS) in order to enhance hospital and providers ability to “engage in a wide array of transactions – from barter to short-term contracts and leases – without worrying about the niceties of complying with the technical requirements of a particular Stark Law exception or an Anti-Kickback Statute safe harbor.” In their letter, the AMA proposed multiple potential relief measures, including exceptions to the definition of “compensation arrangement” under the Stark law, exempting certain forms of “remuneration” from AKS liability, and directing that transactions between hospitals, physicians, and other referral sources with the primary purpose of delivering supplies and services in response to the COVID-19 crisis should not be subject to sanctions or prosecution. 

Yesterday, CMS answered the call to action and issued a number of “blanket” Stark law waivers designed to put “patients over paperwork” and permit providers to engage in certain transactions meant to aid in the fight against COVID-19 but which might otherwise run afoul of technical requirements of Stark law.  These waivers, include the following:

• Hospitals and other health care providers can pay above or below fair market value to rent equipment or receive services from physicians (or vice versa). For example, a physician practice may be willing to rent or sell needed equipment to a hospital at a price that is below what the practice could charge another party. Or, a hospital may provide space on hospital grounds at no charge to a physician who is willing to treat patients who seek care at the hospital but are not appropriate for emergency department or inpatient care.

• Health care providers can support each other financially to ensure continuity of health care operations. For example, a physician owner of a hospital may make a personal loan to the hospital without charging interest at a fair market rate so that the hospital can make payroll or pay its vendors.

• Hospitals can provide benefits to their medical staffs, such as multiple daily meals, laundry service to launder soiled personal clothing, or child-care services while the physicians are at the hospital and engaging in activities that benefit the hospital and its patients.

• Allowing the provision of certain items and services that are solely related to COVID-19 Purposes (as defined in the waivers), even when the provision of the items or services would exceed the annual non-monetary compensation cap.

• Physician-owned hospitals can temporarily increase the number of their licensed beds, operating rooms, and procedure rooms, even though such expansion would otherwise be prohibited under the Stark Law.

• Loosening some of the restrictions when a group practice can furnish medically necessary designated health services (DHS) in a patient’s home.

• Group practices can furnish medically necessary MRIs, CT scans or clinical laboratory services from locations like mobile vans in parking lots that the group practice rents on a part-time basis.

Additional details regarding these new Stark law waivers can be found here. As COVID-19 continues to test and strain national healthcare resources, we expect that the government will continue to issue waivers of certain fraud and abuse laws and regulations, to help providers expand care delivery to patients without having to worry about some of the burdensome technical limitations that could otherwise preclude such efforts.  We will of course keep you updated on any new developments in this area, and are available to answer any questions you may have about our rapidly changing healthcare regulatory environment.

Updates Regarding Telehealth Use and Reimbursement During the Coronavirus Pandemic

Following our March 17, 2020 update in which we discussed the federal government’s waiver of certain HIPAA restrictions for telemedicine services during the COVID-19 pandemic, many providers have had general questions regarding telehealth services and reimbursement during the current healthcare crisis.

Telehealth, telemedicine, and related terms generally refer to “the exchange of medical information from one site to another through electronic communication to improve a patient’s health. The remote nature of telemedicine makes it an ideal first-line tool for evaluation and management of COVID-19 without (1) the risks associated with in-person visits and (2) the threat of increased community exposure associated with traveling to in-person medical appointments. Because telemedicine is subject to myriad legal restrictions and limitations (in particular under Medicare), both federal and state government agencies have had to (and will likely continue to) issue emergency rules to waive regulatory barriers to telemedicine delivery and reimbursement. Below is a summary of notable developments to date regarding the use of telemedicine in the midst of the COVID-19 crisis:

HIPAA WAIVERS FOR PROVISION OF TELEMEDICINE

As discussed in our March 17 update, the HHS Office for Civil Rights (“OCR”) announced that, effective immediately, it would exercise “enforcement discretion” and waive penalties for HIPAA violations against healthcare providers that communicate with patients and provide telehealth services in “good faith” through “everyday” communications technologies such as Skype, Google Hangouts, Facebook Messenger, and FaceTime during the COVID-19 national emergency. As noted, this waiver applies to telehealth provided for any reason, not just services related to the diagnosis or treatment of health conditions related to COVID-19.

WAIVER TO EXPAND MEDICARE PAYMENTS FOR TELEHEALTH SERVICES

On March 16, 2020, CMS published a “blanket” waiver to allow Medicare payment for visits provided via telemedicine (prior to this waiver, Medicare only paid for telehealth services under limited circumstances). Under this new waiver, Medicare can now pay for office, hospital, and other visits furnished via telehealth across the country and including in patient’s places of residence starting March 6, 2020.  A range of providers, such as doctors, nurse practitioners, clinical psychologists, and licensed clinical social workers, will be able to offer and be reimburse by Medicare for three (3) types of “Virtual services”:

1. Medicare “telehealth visits” (which will be considered the same as in-person visits and will be paid at the same rates as regular, in-person visits);
2. Virtual Check-ins (Brief, patient-initiated communications via telephone call or information exchange via text, email, or patient portal, with practices they have an existing relationship with); and
3. E-visits (patient-initiated communications with their doctors via online patient portals).

There appears to be some overlap between these types of services, in particular “Virtual Check-ins” and “E-Visits.” Additional information can be found in the Medicare Telemedicine Health Care Provider Fact Sheet.

CMS ENCOURAGES EXPANDING TELEHEALTH FOR MEDICARE ADVANTAGE PATIENTS

On March 10, 2020, CMS issued guidance to Medicare Advantage (MA) plans informing them of their “obligations and permissible flexibilities” related to disasters and emergencies resulting from COVID-19. In the guidance, CMS advised that MA plans may provide enrollees access to Medicare Part B services via telehealth in any geographic area and from a variety of places, including beneficiaries’ homes.  CMS further advised that MA plans may waive or reduce enrollee cost-sharing obligations for COVID-19 related treatment delivered by telemedicine.  Such changes to MA plans can be implemented immediately by MA organizations without further approval from CMS.

DOJ CAUTIONS THAT FRAUD RELATED TO COVID-19 WILL BE PROSECUTED

In the wake of the Coronavirus pandemic, DOJ has cautioned the American public against emerging fraud schemes related to COVID-19 and has asked the public to report suspected fraud. On March 20, 2020, Attorney General William P. Barr directed all U.S. Attorneys “to prioritize the investigation and prosecution of Coronavirus-related fraud schemes,” and each U.S. Attorneys’ Office was mandated to appoint a lead prosecutor to coordinate prosecution of Coronavirus-related crimes as well as outreach and public awareness efforts. In recent years, telemedicine been an area rife for federal enforcement.  It was a focus of Department of Justice’s (DOJ) September 2019  Health Care Fraud Takedown — which included charges against 48 individuals submitting claims for more than $160 million involving fraudulent telemedicine companies. More recently, DOJ’s Medicare Fraud Strike Force announced charges against the owners of two telemedicine companies for their roles in a $56 million conspiracy to defraud Medicare.  DOJ has announced its first enforcement action related to COVID-19 fraud, and given AG Barr’s March 20, 2020 directive, we have no doubt that the federal government will vigorously investigate and prosecute fraud related to telemedicine during the COVID-19 crisis.

HHS-OIG WAIVES ADMINISTRATIVE SANCTIONS FOR REDUCING OR WAIVING PATIENT COST-SHARING OBLIGATIONS RELATED TO COVID-19 TREATMENT

In a Policy Statement issued on March 17, 2020, the HHS Office of Inspector General (“OIG”) notified physicians and other practitioners that they will not be subject to administrative sanctions for reducing or waiving any cost-sharing obligations (if they choose to do so) that federal healthcare program beneficiaries might otherwise owe for telehealth services furnished during the “time period subject to the COVID-19 Declaration.”  The Policy does not affect or waive providers’ responsibilities to bill only for services performed and to comply with all legal authorities related to proper billing, claims submission, and cost reporting, which, as noted above, will be still subject to investigation and possible prosecution.

NYS MEDICAID EXPANDS PERMISSIBLE USES OF TELEHEALTH SERVICES

In February 2019, NYS Medicaid expanded the permissible use of telehealth services. Under the NYS Insurance Law and Public Health Law, services that are covered under a comprehensive health insurance policy or contract cannot be excluded when the service is delivered via telehealth.  During the COVID-19 crisis, the NYS DOH is encouraging the use of telehealth for providing COVID-19 related services to Medicaid members.

NYS MEDICAID EXPANDS REIMBURSEMENT FOR TELEPHONE EVALUATIONS

Effective March 13, the New York State Medicaid Program will reimburse providers for telephonic evaluation and management (E&M) services for established patients where face-to-face visits are not recommended and it is medically appropriate for telephonic evaluation and management of the patient.  Where face-to-face visits are not possible due to the COVID-19 crisis, telephonic visits documents that are documented as clinically appropriate will be considered “medically necessary” for Medicaid reimbursement purposes.

NYS MEDICAID COST-SHARING WAIVER FOR COVID-19 RELATED SERVICES

To ensure that cost–sharing is not a barrier to testing, NYS Medicaid will cover services including testing for COVID–19 and for physician, clinic, and emergency visits without copays for members when the purpose of the visit is testing for COVID–19. Providers should follow CDC coding guidelines below when submitting claims to Medicaid.

COMMERCIAL REIMBURSEMENT EXPANSIONS FOR TELEHEALTH SERVICES

Many commercial payors have adopted temporary reimbursement policies that expand members access to telehealth services, including waiving cost-sharing and prior authorization requirements for COVID-19 testing and telehealth services.  Please check with the commercial payor networks in which you participate to determine what policies have been implemented to facilitate expanded telehealth services.

* * *

As the COVID-19 crisis worsens, we expect that government and commercial payors will take additional steps to expand and encourage delivery of healthcare services via telemedicine.  We will continue to provide updates as more information becomes available.

AEL Addresses Common Questions Regarding HIPAA Compliance Amidst the Global Pandemic

Amidst the damage and disruption COVID-19 is causing, businesses and individuals have many questions about HIPAA – – and specifically, about what health information they can share (and how) without express patient authorization. Below are some FAQs that we have assembled regarding HIPAA to help guide providers and employers during these extraordinary circumstances.

What is HIPAA?

Short for the Health Insurance Portability and Accountability Act, HIPAA was signed into law in 1996 by President Bill Clinton. HIPAA primarily concerns the privacy and security of patient health information, and requires healthcare organizations to implement controls to keep patients’ medical information safe.

Who does HIPAA apply to?

HIPAA applies to “covered entities” as well as their “business associates.” “Covered Entities” include healthcare providers (such as doctors, dentists, vision clinics, hospitals, and related health caregivers), health plans, and healthcare clearinghouses. “Business associates” are persons or entities, other than a member of the workforce of a “covered entity,” who perform functions or activities on behalf of, or provides certain services to, a HIPAA Covered Entity that involve access by the business associate to protected health information.

What are the HIPAA Privacy and Security Rules?

The HIPAA “privacy rule” establishes standards for protecting patients’ medical records and other “protected health information” (PHI), and restricts the uses and disclosures of PHI by covered entities and their business associates, absent patient authorization (i.e. “permission”), to treatment, payment, and healthcare operations purposes (sometimes called “TPO”).

The HIPAA “security rule” requires covered entities and their business associates to protect patients’ electronically stored protected health information (known as “ePHI”) by using appropriate administrative, physical, and technical “safeguards”, to ensure the confidentiality, integrity, and security of this information.

Must my company comply with the HIPAA Privacy Rule if it is not a Covered Entity or Business Associate?

Technically, no. The HIPAA Privacy Rule only applies to Covered Entities and their Business Associates, and thus, only restricts uses and disclosures of individuals’ health information by employees, volunteers, and other members of a covered entity or business associate’s workforce. Though there have been past situations where the government prosecuted non-Covered Entities/non-Business Associates for improper commercial uses of PHI, given the current emergent circumstances, we do not believe that a non-Covered Entity or non-Business Associates’ use or dissemination of PHI would result in such actions unless such use or dissemination were otherwise criminal or malevolent.

If HIPAA does not apply to my company, can we share and disseminate our employees’ or customers’ health data without their permission?

Not necessarily. While the HIPAA Privacy rule restrictions on use and dissemination of PHI may not apply to your company if it is not a “covered entity” or “business associate,” other federal and state confidentiality rules, as well as contractual obligations, may still restrict your ability to use or disseminate such information without permission. We encourage you to tread carefully before using or sharing individuals’ health information, even if HIPAA does not apply to you or your company, and to consult with counsel if you have any questions or concerns.

Can healthcare providers communicate with patients or perform “telehealth” services through everyday communications technologies (such as Skype or FaceTime) during the COVID-19 crisis?

Yes. On March 17, 2020, the Office for Civil Rights at HHS announced that, effective immediately, it would exercise “enforcement discretion” and waive penalties for HIPAA violations against health care providers that communicate with patients and provide telehealth services in “good faith” through “everyday” communications technologies such as Skype, Google Hangouts, Facebook Messenger, and FaceTime (which are not fully HIPAA-compliant and cannot ordinarily be used for telehealth services) during the COVID-19 national emergency. Importantly, this waiver applies to telehealth provided for any reason, not just services related to the diagnosis or treatment of health conditions related to COVID-19.

Do HIPAA and the Privacy and Security Rules still apply during a public health emergency such as the COVID-19 outbreak?

Yes, the HIPAA Privacy and Security rules still apply during a disease outbreak, including the COVID-19 pandemic, except as specifically exempted or waived by HHS (such as for telehealth services via “everyday” communications technologies as described above). That said, the HIPAA Privacy Rule always allows PHI to be shared for the following purposes and under the following conditions, which are particularly relevant now:

• Treatment Purposes: A patient’s PHI can be disclosed without patient authorization to treat that patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by health care providers, consultation between providers, and the referral of patients for treatment. See 45 C.F.R. § 164.502(a)(1)(ii), 164.506(c).

• Public Health Activities: During public health emergencies like the COVID-19 outbreak, PHI can be shared without patient authorization with: (1) public health authorities such as the CDC and state and local health departments; (2) at the direction of a public health authority, to a foreign government agency; and (3) to persons at risk of contradicting or spreading the disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or to carry out public health interventions.

• Disclosures to Prevent Serious and Imminent Threats: Covered entities may share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with all applicable laws and standards of ethical conduct. Thus, providers may disclose patient PHI to anyone in a position to prevent or lessen a serious and imminent threat, including family, friends, caregivers, and law enforcement, without patient authorization.

• Disclosures to Family, Friends, and Others Involved in an Individual’s Care and For Notification: A covered entity may, with verbal consent if possible, share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. See 45 C.F.R. § 164.510(b).

What specific PHI can be disclosed in these emergency situations?

Other than disclosures made by healthcare providers for the purpose of providing treatment, HIPAA’s “minimum necessary” standard applies for disclosures of PHI. The “minimum necessary” standard requires covered entities and business associates to make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. Covered entities may rely on representations from a public health authority or other official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances. For example, if the CDC requests from a hospital information about all patients exposed to or suspected to be exposed to COVID-19, a covered entity can safety conclude that the requested information is the “minimum necessary” for public health purposes.

How does the President’s recent declaration of a “state of emergency” impact our HIPAA Obligations?

Following President Trump’s March 13, 2020 declaration of a nationwide emergency concerning COVID-19, Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar exercised his authority to “waive” sanctions and penalties against covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:

• The requirement to obtain a patient’s (verbal) agreement to speak with family members or friends involved in the patient’s care. See 45 C.F.R. 164.510(b).  The requirement to honor a request to opt out of the facility directory (see 45 C.F.R § 164.510(a)).

• The requirement to distribute a notice of privacy practices (see 45 C.F.R. § 164.522(a)).

• Patients’ rights to request confidential communications (see 45 C.F.R. § 164.522(b).

Please note that these waivers only apply: (1) in the emergency areas identified in the public health emergency declaration (which would include all of the NYC Metropolitan area); (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours after the disaster protocols are implemented. Once those 72 hours expire, hospitals must then again comply with all of the requirements of the Privacy Rule for any patients still under their care.