By Paul Murphy, Sam Lippolis, and Clay Wortham
In recent years, and especially recently due to COVID-19, remote care (also known as telehealth and telemedicine) has gained popularity among providers and patients alike for its unparalleled opportunities to increase access to quality care while at the same time significantly reducing costs. As a result, organizations large and small, including technology companies, provider groups, hospitals and health systems, have successfully adopted and grown this “new” healthcare modality, with helpful “best practice” lessons learned along the way.
At the same time, however, there have been examples of the opposite, that is, remote care practices to avoid that may create unnecessary risk and compliance exposure for remote care providers and the businesses that serve them. The following are a few examples of remote care practices to avoid to help remote care / telehealth programs remain aligned with legal and regulatory factors.
Provider Telehealth Access Fraud and Abuse Concerns. It is important to remember that telehealth equipment and software, and access to telehealth equipment and software, may constitute remuneration under Federal and state fraud and abuse laws. As a result, organizations should assess proposed transactions to furnish telehealth equipment or access to providers for compliance with those rules. Below are two examples of how problems may arise:
Outside Access. Physician Outside has a colleague, Physician Inside, who works boots-on-ground (in-person) at a Hospital that maintains telemedicine equipment. The Hospital grants Physician Outside access to telemedicine equipment so that Physician Outside can provide a brief “curb-side” consult with Physician Inside. Later, it is discovered that Physician Outside did not sign an agreement with the Hospital for telehealth equipment access. The Hospital’s legal, compliance, and finance teams now begin a formal review to identify whether there may be fraud and abuse, privacy and other compliance issues in connection with the Hospital’s provision of free telehealth access to Physician Outside. The issues in this example are further complicated if the telehealth equipment access or “seat license” furnished to the provider may be used by the provider to furnish remote services at other facilities with the same telehealth equipment.
ER Physician Uses Hospital Computer for Remote Care. A provider has a contract to furnish in-person (boots-on-ground) services in a healthcare facility. The provider also furnishes telehealth services with a separate telemedicine company that is not involved with the healthcare facility. Near the end of the provider’s in-person shift, the provider realizes that they have several telemedicine consults pending with their telemedicine employer. The provider’s smart phone is nearly out of power and their phone charger is not available. After giving report at the in-person facility, the provider locates a computer at the facility and completes their telemedicine consults. Weeks later the hospital determines that the provider used a hospital computer on facility grounds for non-authorized telehealth consults to non-affiliated hospitals as well as direct to consumer consults.
Lesson learned: A telehealth compliance plan and effective access protocols can help providers and facilities avoid potential fraud and abuse, privacy and risk management pitfalls.
“Spoke Facility” Telehealth Access Fraud and Abuse Concerns. Some hospitals and health systems operate what is called a telehealth “hub – spoke” model where often larger “hub facilities” offer certain specialized care, such as neurology, acute stroke care, pediatric cardiology, for patients at other “spoke facilities” that may not be able to offer the same specialized care locally. It is important to assess hub-spoke arrangements for compliance with fraud and abuse laws to avoid the appearance of an improper referral relationship. Below is an example of how problems may arise in the hub-spoke facility context:
A hub hospital facility partners with a new spoke facility located in a rural area to help bring important services to the area to benefit the spoke facility’s patients. Hub-provided telehealth equipment is installed at the spoke facility and hub facility providers begin offering remote services to spoke facility patients. During the hub’s weekly contract review, it is identified that a telemedicine services contract with the spoke facility is not in place. In addition, the parties “back of the napkin agreement” is generic and does not include telemedicine service details such as pricing or service level agreements. A formal review process begins to determine the scope of the services that have been provided, the status of all provider licensure and credentials, the fees that should have been invoiced, and any potential legal and/or compliance factors, including the potential removal of the equipment.
Lesson learned: Involving compliance and legal teams early to review and structure a proposed hub-spoke telehealth arrangement can help to avoid costly compliance issues and operational delays.
Licensed, not credentialed. In the context of telehealth services furnished by a “hub facility” to a “spoke facility”, as well as arrangements whereby independent providers furnish telehealth services for a facility, there are programmatic and operational details to resolve before remote services commence. Elsewhere, we identify the dangers of commencing remote services without appropriate transactional safeguards. Below is an example of what can go wrong when operational stakeholders, including credentialing and reimbursement, are not engaged to ensure that provider and payor credentialing, information technology, and risk management bases are covered:
A hub facility’s new acute 24/7 remote care service line is being provided to several spoke site hospitals and clinics. Recently hired hub providers, licensed in the state where the spoke is located, are in the process of being on-boarded. Due to multiple schedule changes and a scheduling error, the hub facility’s scheduler added the new providers to the now active remote services schedule for the spoke sites. Multiple telehealth consults have been provided at the spokes. At the end of the month, while reconciling accounting and reviewing provider credentialing status, issues emerge. The new hub-side providers have the appropriate state license, however, they are not credentialed to furnish remote care services at the spoke sites nor with the spoke site payers. This impacts the hub/spoke invoicing as well as payer reimbursement. Emergency credentialing is requested while an urgent audit is conducted to determine the volume of consults that were performed for review by legal and compliance. Immediate efforts are started to resolve the payer credentialing and reimbursement issues.
Lesson learned: Engaging key team members, such as credentialing, reimbursement, and operational staff early will help to ensure that a new telehealth program and the process for onboarding new telehealth providers goes smoothly.
Remote Care Services: The Same As In-Person Care, but Different. In many ways, remote care services are the same as in-person services. The standard of care is consistent for remote and in-person services. Providers often offer both kinds of services and under the same professional license. And, with the exception of cyber liability, liability considerations are similar. But there are key nuances to watch for when contracting for or offering remote services as compared to in-person services:
It is important to keep in mind when contracting for remote care services to specify who will furnish the telehealth equipment, software and connectivity, and the expectations of the parties for the training and experience of providers who will furnish remote care. Contracts for remote care services should require cyber liability insurance coverage in the event of a breach of patient information transmitted from the provider to the patient and to other providers. And the parties should think about remote care response times, windows when the remote provider will be available to provide services, and what should happen in the event of technology disruptions and downtime.
Lesson learned: Invest in thoughtful planning around the expectations for remote care services, what will be expected of the providers, and effective response protocols for when things go wrong.
Plan for the Unique Nuance of a Remote Care Arrangement. Remote care services offer incredible capabilities to increase access to services and reduce costs, but as with in-person service lines, it pays to be knowledgeable and prepared to set up a successful telehealth program:
A virtual care technology vendor needed a draft contract for an upcoming technology focused demonstration for a hub and spoke hospital involving an acute service line. A member of the virtual care vendor’s management team created a draft contract using “boiler-template” content and forwarded it to both hospitals. When questioned by a colleague, the virtual care technology manager responded that the priority was to get the contract signed and that it could be amended later as needed. The technology demonstration did not go well. In addition, the terms, language, and overall structure of the draft telemedicine contract were questioned. The contract was not signed as significant deal-breaking items were identified throughout the contract. Equipment was never installed.
Lesson learned: Remote service models offer a lot of potential, but require careful planning to execute effectively. Engage appropriate compliance, legal and operational stakeholders to ensure that key resources and protocols are available to ensure seamless quality care.
Remote Care Patient Privacy Protection. Federal and state health information privacy and security rules apply to use and disclosure of patient information in the remote care context. Remote telehealth services may involve additional exposure to privacy compliance challenges because patient information may be shared through unencrypted means such as via unencrypted email and videoconference technology. Telehealth and remote care arrangements should specify responsibility for capturing and safely maintaining patient information, and if possible, should provide for cyber liability insurance coverage to help mitigate liability associated with the additional privacy risks posed by telehealth and remote care. For example:
A technology vendor receives an urgent last minute request for device utilization reports. A team member downloads the utilization file, scrubs the file, and forwards the file to the requesting entity. The requesting entity receives the file and shares the file through email with fellow employees as well as the external provider group. It is discovered that despite scrubbing the file, that device’s utilization file contains protected health information (PHI). The technology vendor is notified as are the various stakeholders that are involved. A review of the case is started including presenting the case review materials to legal and compliance. Additional review reveals that the disclosure of PHI triggers contractual conflicts that will require several action steps and corrective action plans for the incident to be resolved.
Lesson learned: The foregoing example presents a cautionary tale for any transfer of patient information, including arrangements that involve remote care. We encourage health care organizations and those who do business with them to develop, implement and maintain privacy compliance programs and safeguards to help protect against inadvertent mishandling of patient information and to clearly allocate responsibility to remediate problems when they occur.
Paul Murphy, MS, MA, Paramedic, has been involved in healthcare for 20+ years, including clinical and leadership roles. His clinical experience includes having worked as a Paramedic in high call volume urban systems. His virtual care experience includes having worked for a leading virtual care vendor as well as an AVP in a large healthcare system with a mature virtual care / telemedicine program. He has published articles in a variety of healthcare journals, is an Affiliate Faculty professor at Metropolitan State University (Denver, CO), and has consulted with the State of Colorado’s Office of eHealth Innovation’s Telehealth and Broadband committee, Prime Health (Colorado), and the State of Colorado Office of eHealth Innovation. https://www.paulmurphyconsulting.com/
Sam Lippolis, MPA is a virtual health expert creating telemedicine from the ground up for 10 years. She works with clinicians in private practice to start and grow telehealth programs. As a telehealth director for large health systems Sam implemented services across 19 specialties from Level 1 trauma centers to critical access hospitals to solo practices, she has a proven framework for success. She’s recruited and trained over 3000 clinicians from MA to physician. And holds a Master’s of Public Administration for the University from Colorado. Her weekly video blog Sam I Am Innovates covers the topics of video visits to remote patient monitoring. https://www.samlippolis.com/
Clay Wortham, Founder and Principal Attorney at Wortham LLP, is a business-focused healthcare transactional and regulatory lawyer with sophisticated experience structuring complex healthcare transactions. With a background of service in large law firms and as inhouse counsel with one of the Nation’s largest retailers, Clay is ideally suited to counsel healthcare organizations and those who do business with them on how best to achieve their objectives while mitigating the legal risks of operating in the heavily regulated healthcare environment. Clay’s current representations include diligence and guidance for health system acquisitions and joint ventures, negotiating telemedicine and telehealth provider arrangements and structuring pharmaceutical distribution and supply networks. Clay is a go-to resource for businesses seeking to comply with healthcare regulatory requirements, including Federal and state health information privacy and security laws, and fraud and abuse laws such as the Federal Anti-Kickback Statute, Stark Law and False Claims Act. Clay also helps clients navigate commercial payor and Medicare/Medicaid reimbursement issues. Clay is uniquely experienced with respect to pharmaceutical distribution and pharmacy regulatory matters, including state Board of Pharmacy requirements and DEA controlled substance compliance. Prior to founding Wortham LLP, Clay served as a member of the Dentons Health Law Group in Chicago and as senior corporate counsel for Walgreen Co. in Deerfield, Illinois.
U.S. Centers for Medicare & Medicaid Services, Medicare Telemedicine Health Care Provider Fact Sheet. Retrieved February 16, 2021: https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet
Abyde. Should I Share This? When Sharing PHI is HIPAA Approved. Retrieved February 16, 2021: https://abyde.com/when-sharing-phi-is-hipaa-approved/
Silverman, A. contractworks.com (2020) Why Telemedicine Companies Need Contract Management Software. Retrieved February 16, 2021: https://www.contractworks.com/blog/why-telemedicine-companies-need-contract-management-software
Concord. (2016). Healthcare Industry Contracts, Compliance, and Management Software. Retrieved February 16, 2021: https://www.concordnow.com/blog/healthcare-contracts-and-management/
American Medical Association. (2021). AMA Telehealth quick guide. Retrieved February 16, 2021: https://www.ama-assn.org/practice-management/digital/ama-telehealth-quick-guide
AHIMA Foundation (2021). Perspectives: Healthcare Fraud and Abuse. Retrieved February 24, 2021: https://perspectives.ahima.org/healthcare-fraud-and-abuse/