Emerging Trends and Key Issues Relevant to Telehealth Solutions
May 26, 2022, Covington Alert
Although telehealth has long been on the health care horizon, the COVID-19 pandemic necessitated the rapid transition of many health services to a remote format, resulting in expanded utilization of telehealth virtually overnight. The widespread uptake of telehealth had lagged for many years prior to the pandemic as a result of uncertainty regarding how to handle reimbursement for telehealth services, navigate licensing laws across state lines, and ensure patient privacy, among other issues. But during the pandemic, federal and state regulators temporarily reduced many of these barriers through a variety of emergency actions, accelerating broader adoption of telehealth services. In response, there has been significant growth in the telehealth industry, as companies recognize the opportunities in the quickly evolving digital health marketplace.
As many emergency provisions begin to expire, companies across the health care spectrum are now evaluating how to integrate telehealth into a post-pandemic world, and they are developing new solutions to facilitate broad, convenient access to health care. While several pandemic-related changes to the telehealth regulatory landscape have become permanent, some telehealth offerings will require careful attention to various federal and state regulatory frameworks, most of which were developed for a world of in-person patient care. Regardless of whether a company is new to the telehealth industry or expanding its telehealth presence, the company should ensure that it is considering the broad patchwork of legal and regulatory frameworks affecting the telehealth industry. Below, we outline key considerations for companies utilizing or expanding telehealth solutions, whether directly or in partnership with other entities.
Fraud and Abuse
Telehealth solutions are attractive to patients because they offer integrated systems and quick, at-home visits. For example, a telehealth platform could offer patients the opportunity to consult with a physician about a prescription drug that, if prescribed by the physician, would be shipped directly to the patient from an affiliated pharmacy. However, these activities implicate federal and state fraud and abuse laws that govern financial relationships between the producers of products and services and those in a position to use or recommend those products and services. As the utilization of telehealth increases, the Department of Justice (“DOJ”) and the Department of Health and Human Services (“HHS”) Office of the Inspector General (“OIG”) have indicated that they view telehealth-related fraud and abuse enforcement as a priority. In September 2021, DOJ announced criminal charges against over 100 defendants, alleging $1.4 billion in losses due to health care fraud schemes, $1.1 billion of which involved telemedicine and alleged schemes such as ordering unnecessary services and sham consultations. As DOJ and OIG’s scrutiny of telehealth continues to grow, companies offering and partnering with telehealth solutions should consider questions related to the relevant fraud and abuse risks, such as:
- How are physicians selected, trained, and compensated by the platform, and could these activities interfere with independent clinical decision-making or be perceived as doing so?
- How is the physician-patient relationship established and how do providers and patients interact via the telehealth platform?
- Does the company have adequate controls in place to ensure that the telehealth solution does not drive overutilization or inappropriate utilization?
Privacy
Many telehealth platforms are regulated under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”), as well as a patchwork of other federal and state privacy, data security, and consumer protection laws.
Among other requirements, HIPAA mandates that telehealth platforms that operate as covered entities implement physical, technical, and administrative safeguards, as required by the HIPAA Security Rule. In early 2020, the Office for Civil Rights (“OCR”) at HHS issued a Notice stating that OCR would exercise discretion in enforcing noncompliance with certain HIPAA security requirements during the pandemic; most notably, OCR exercised enforcement discretion with respect to a covered entity’s communicating with patients and providing telehealth services using remote communications technologies that were not fully compliant with the HIPAA Security Rule. There is currently no expiration date for the Notice; rather, OCR has stated that it will issue a notice to the public when OCR is no longer exercising its enforcement discretion. Once enforcement discretion is rescinded, companies subject to HIPAA that adopted or expanded their utilization of telehealth while the Notice was in effect will risk enforcement action if their platforms are not fully compliant with the HIPAA Security Rule.
Separately, there is increasing attention on wellness and telehealth offerings that are not regulated under HIPAA. In particular, there are many concierge and cash-pay direct-to-consumer telehealth offerings that are not subject to HIPAA because they do not seek reimbursement from health insurance. At the same time, there is increased concern among policymakers and consumer protection regulators about health data that is not regulated under HIPAA. Such data may nonetheless be subject to state medical privacy laws, like California’s Confidentiality of Medical Information Act, and other privacy, data security, and consumer protection laws.
Moreover, asynchronous modalities of telehealth that facilitate access and convenience may raise questions under privacy and electronic communications laws. For example, the delivery of communications via text messages may require consideration of the Telephone Consumer Protection Act (“TCPA”), depending on the nature and content of the communication, as well as questions as to whether the patient has consented to the delivery of protected health information (“PHI”) by unencrypted text messages.
Companies offering and partnering with telehealth solutions should consider relevant privacy issues, including:
- What data will be collected and shared throughout the patient journey and how will the data be protected?
- Which legal entities are collecting that data and what privacy frameworks are applicable to them? If data is shared among various entities, what authorizations are obtained?
- Will the use or sharing of any specific data require additional or specific patient authorization?
FDA Advertising and Promotional Rules
Many pharmaceutical manufacturers are now seeking to integrate telehealth solutions into their product marketing activities. For example, a patient may visit a manufacturer’s website that links directly to a telehealth platform where the patient can “learn more” or “find out if [the drug] is right” for them. This activity brings together the advertising and promotion of prescription drugs and the independent practice of medicine in novel ways. When a manufacturer’s website links to a telehealth platform, the platform should provide clear notice that the telehealth provider is an unaffiliated entity that is not required or induced to prescribe a certain product and that the provider is not speaking on behalf of the manufacturer. Similarly, the manufacturer should ensure that the telehealth platform is not offered in a manner that suggests that it is a vehicle for the prescribing of drugs off-label. As companies offering and partnering with telehealth solutions evaluate the risks relevant to FDA advertising and promotion, they should consider issues such as:
- Do the manufacturer and telehealth provider have contractual provisions in place to ensure that the prescribers maintain clinical independence?
- Is the distinction between the manufacturer’s promotional content and the telehealth provider’s clinical content clear?
- Are manufacturers ensuring there are no express or implied representations about the product in the link to the telehealth solution?
Coverage and Reimbursement
Reimbursement for telehealth services has historically been low, but, during the pandemic, many states required payment parity for telehealth services. Some, but not all, states have passed laws to make these parity requirements permanent. In addition, the Centers for Medicare and Medicaid Services ("CMS") announced broad coverage for telehealth services for Medicare beneficiaries—a change that was extended through at least the end of 2023. Other payers have also expanded reimbursement for telehealth services. However, reimbursement challenges remain as federal reimbursement policies focus on Medicare, and Medicaid policies vary considerably, as do the private payer requirements. Companies developing and partnering with telehealth solutions should consider additional coverage and reimbursement issues such as:
- Are certain modalities (e.g., video and audio, audio-only) required for the visit to be reimbursable?
- To what extent will reimbursement support be provided as part of the patient's interaction with the telehealth solution?
- Will e-benefits checks be done prior to the patient entering a telehealth solution so the patient is aware of his or her coverage for telehealth visits?
State-Level Considerations: Professional Licensing, Corporate Practice of Medicine, and Telehealth Modalities
State licensure and telehealth laws vary by state, and companies offering and partnering with telehealth solutions to serve patients from multiple states must understand what activities are permitted under each state’s laws. Generally, states require out-of-state physicians to have an in-state license to practice medicine, though some states are part of interstate licensure compacts for certain health care professionals (e.g., nurses) or allow out-of-state practice by physicians (e.g., Georgia). Awareness of licensing laws is essential, as unlicensed practice can lead to sanctions, denial of reimbursement, and liability for medical services rendered while unlicensed in the jurisdiction.
A number of states prohibit the corporate practice of medicine (“CPOM”). Generally, the CPOM doctrine prohibits corporations from practicing medicine or employing physicians to provide medical services. Some state CPOM laws require that entities providing medical services be owned and operated by licensed physicians or prohibit the splitting of professional fees between licensed medical professionals and non-licensed individuals or business entities. This requirement presents unique challenges for companies with telehealth solutions, as the company must consider whether its telehealth service is subject to CPOM restrictions. To manage CPOM risks, many telehealth platforms utilize professional corporations, with whom they contract for telehealth services (the so-called “friendly PC model”). However, this model is untested, and it is not clear how, for instance, a pharmaceutical or technology company’s ownership of the management entity would affect state regulators’ views of that model. Further, this model may be subject to increasing scrutiny. For example, an emergency medicine physician group in California recently sued a health care services company owned by a private equity firm, challenging the use of the friendly PC model as a violation of the state’s CPOM law and seeking to enjoin the private-equity-backed health care services company from operating several emergency departments.
State laws differ as to whether telehealth visits are required to take place via certain modalities. The majority of, but not all, states now allow “asynchronous” or “store-and-forward” telehealth, in which telehealth communications and services are provided through modalities such as a digital platform or text messaging instead of exclusively through live video conferencing with a provider. As state laws expand to allow the delivery of telehealth through additional modalities, companies offering and partnering with telehealth solutions should consider whether their activities implicate other regulatory frameworks and consider relevant state law issues, such as:
- Are there requirements for how the physician-patient relationship must be established?
- What is required to comply with a state’s CPOM law and are there relevant exceptions that may be leveraged by the company?
- Whose responsibility will it be to comply with all state-level telehealth regulations?
Other Issues to Watch
As companies’ offerings of telehealth solutions continue to expand and companies increasingly seek to engage in the telehealth industry through partnerships with other entities, the regulatory and legal framework governing telehealth will likely continue to evolve as well. There have been efforts on federal and state levels to make changes to telehealth laws, many of which have been successful on the state level. Further, the expansion of partnerships within the telehealth industry may result in far-reaching impacts to the legal landscape; for example, efforts by drug and device manufacturers to steer patients toward specific telehealth vendors could erode the availability of the learned intermediary defense in future product liability litigation.
While the expanded utilization of telehealth has created rapid growth in the digital health marketplace, many vendors are new entities, and those contemplating partnering with these new entities will want to conduct significant due diligence of the new entity’s operations and compliance infrastructure before entering into collaborations to manage the variety of legal risks presented by telehealth offerings. As your company develops and expands its telehealth solutions, whether directly or in partnership with other entities, Covington’s Digital Health team can guide you to ensure that you and your team are considering the right issues across the legal and regulatory landscape.