What Laws Govern Telemedicine Applications?

Given that healthcare providers offer services in the most heavily regulated industry on the planet, it should come as no surprise that telehealth applications are governed by a number of rules. Most of these regulations are tied to reimbursement, although there are also regulations regarding how data should be shared and patient privacy maintained.

This article will look at the impact of HIPAA privacy and data sharing rules along with some of the state regulations impacting telemedicine reimbursement. When considering a telemedicine application for your practice, here’s what you need to know.

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. It has become the de facto standard bearer for patient data privacy in healthcare. One of the most important pieces of the legislation tied to telehealth applications is the often-cited Privacy Rule.

The Privacy Rule in HIPAA sought to protect PHI or personal health information by requiring health plans, providers, vendors, or anyone who transmits patient data to disclose where they’re sending it — and receive authorization from the patient to do so.

Like all healthcare regulations there are caveats; in the case of HIPAA, there is the TPO rule (Treatment, Payment, and Operations), which makes the assumption that the healthcare provider will share their PHI in the normal course of administering their account and thus needs no privacy authorization.

However, healthcare lawyer Foley & Lardner LLP points out that the TPO conditional rule does not let a telehealth vendor or healthcare provider off the hook for obtaining patient authorization for sharing PHI:
Even if a provider shares PHI under the TPO exception, it must still comply with minimum necessary disclosure requirements, agreed upon patient restrictions to the use and disclosure of PHI, and other state laws which may be more stringent in how providers can share patient data.

HIPAA also does not allow what is called “compound authorizations” as part of TPO. Foley & Lardner LLP define this legal concept in the following way:

This means the provider cannot combine, into another agreement or document, the patient’s authorization to use or disclose their PHI for remuneration or marketing.

In layman’s terms, this means that telemedicine providers are prohibited from a cutting and pasting of an authorization from any document into another document. To be safe, each patient seeking care through a telemedicine visit should have a separate authorization on file. In the case of OrthoLive, the software app seeks and files this patient authorization as a standard part of the service. In fact, this authorization can be customized and branded to your practice.

The issue of access to patient data is an important point for telehealth vendors to consider, given that online privacy concerns have dominated the news this year in light of the Facebook-Cambridge Analytica scandal. As the U.S. healthcare industry relies more heavily on cloud-driven technologies to improve access to care, data mining of private patient information with third parties may become more of a concern.

The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and the Quality Payment Program (QPP) had two reimbursement tracks and two different laws governing telehealth reimbursement:

• Advanced Alternative Payment Models (APMs), which cover large healthcare coalitions such as Accountable Care Organizations, will now indirectly reimburse for more efficient total care. Experts say telehealth reimbursement would fall under this new regulation.
• Merit-Based Incentive Payment System (MIPS) tracks care quality, improvement activities, advancing care information, and cost. There are 271 “quality” measures alone in this new system; but you only need six to qualify.

It should come as no surprise that there is a patchwork of telehealth laws on the books at the state level. The Center for Connected Health Policy (CCHP) says, “While many states are beginning to expand telehealth reimbursement, others continue to restrict and place limitations on telehealth delivered services.”

These laws impact reimbursement fairly heavily; for Medicaid, each state is different. However, CCHP has identified trends that seem to hold true across the country:

• Live video Medicaid reimbursement far exceeds reimbursement for remote patient monitoring or store-and-forward technologies.
• Some states have been creating exceptions for telehealth in certain situations such as allowing the home to be an originating site for the hearing impaired in Maryland.

According to CCHP, 49-states and the District of Columbia now have laws providing Medicaid reimbursement for live video visits.

Interestingly, the summer of 2018 saw a flurry of new laws enacted around the country, including:

• Connecticut just signed a new telemedicine law allowing prescription of controlled substances for the treatment of mental health and substance use disorders during virtual visits.
• Kentucky just passed payment parity for the coverage of telemedicine with private payers. The law states, “Telehealth coverage and reimbursement shall be equivalent to the coverage for the same service provided in person…”
• Iowa just passed similar legislation as Kentucky’s, however; it does not require that the reimbursement be the same as for an in-person visit. The law instead just requires that insurers provide reimbursement at a negotiated rate for telehealth services.

As consumers grow more interested in telehealth, it’s likely that additional state regulation will be passed.

Currently, only 16 of 24 states that have telemedicine parity laws also have regulations that “authorize state-wide coverage, without any provider or technology restrictions.” However, this is rapidly changing as more states recognize that patient access is crucial to quality outcomes.

Too, new federal laws are being introduced, such as the CHRONIC Care Act of 2017 that is currently pending in the Senate. The bill is expected to have a large impact on telehealth across the United States by allowing ACOs to offer telehealth as well as expanding access for chronic care.

As telemedicine becomes widely adopted by physicians and their patients in the coming years, it’s clear that some broad federal policies will likely be passed to modernize HIPAA privacy laws in light of data mining and data security concerns. Too, state parity in reimbursement laws are expected to expand. Given that the trends show telehealth adoption is rising exponentially, it’s clear that legislative trends will lean in favor of expanding this needed technology, not thwarting it’s potential.