By Erin Eiselein and Anna-Liisa Mullis
BROWNSTEIN HYATT FARBER SCHRECK
Among the plethora of changes brought about by the COVID-19 pandemic, the rapid adoption of telehealth has changed how Americans are receiving and want to receive their health care. As we now know, it took a pandemic to cut through the regulatory red tape, reimbursement challenges and implementation hurdles and make telehealth readily available to the American public. It did not take long for most everyone to realize that telehealth — in some capacity — is here to stay.
Despite the increased demand for telehealth services, the patchwork of state and federal regulations governing the provision of these services is unsettled. Colorado quickly made permanent some of the temporary measures that enabled the rapid implementation of telehealth. Other states have not done so, meaning critical issues like interstate licensing and payment parity remain in flux. And, at the federal level, the temporary waivers of certain statutes and regulations are set to expire along with the public health emergency (PHE) on April 20. On top of this precarious legal landscape, the federal government is reminding providers that significant oversight of telehealth is coming.
TELEHEALTH IN COLORADO
Here in Colorado, the telehealth legal landscape changed dramatically and permanently in just three short months. On April 1, 2020, Gov. Jared Polis issued an executive order greatly expanding the use of telehealth services in Colorado during the pandemic. The executive order not only largely removed the statutory barriers for providers to offer telehealth services, but also directed the Colorado Department of Regulatory Agencies’ Division of Insurance to issue emergency rules expanding the definition of “telehealth” and requiring health insurance companies to pay for telehealth services.
Polis renewed the executive order three times for consecutive 30-day periods. Then, on July 6, 2020, he signed into law SB20-212 making permanent a number of the temporary changes included in the executive order. Specifically, health insurance companies are now prohibited from imposing certain requirements or limitations on technology used to deliver telehealth services, from requiring an established provider-patient relationship prior to receiving telehealth services and imposing additional location or training requirements as a condition of reimbursement for telehealth services. The bill also made certain changes specific to the delivery of telehealth services in the state Medicaid program and appropriated over $5 million to expand telehealth services within the state. Finally, although Colorado’s telehealth landscape is relatively settled at the moment, new legislation has been proposed in the General Assembly to further refine Colorado’s telehealth laws.
TELEHEALH AT THE FEDERAL LEVEL
Lawmakers in Washington, D.C., also acted quickly to waive a number of statutory and regulatory limitations on the provision of telehealth services during the public health emergency. These waivers relate to a wide variety of issues including, for example, allowing patients to receive telehealth visits in their homes, through new technology, from providers outside of their state, to allow prescriptions to be written outside of a clinical setting and to ensure that providers are reimbursed for providing telehealth services. The problem is that these temporary waivers automatically disappear when the PHE ends. Although it is widely anticipated that the PHE will, again, be extended and the real question is for how long, we are perilously close to the expiration date.
The good news is that there appears to be a strong desire at the federal level to avoid an abrupt end to these waivers and make telehealth permanent in some way or another. To that end, on Jan. 19, a bipartisan group of House representatives re-introduced the “Protecting Access to Post-COVID–19 Telehealth Act of 2021” bill aimed at expanding use of telehealth services for Medicare patients. So far, this bill is sitting in the Subcommittee on Health of the House Committee on Energy and Commerce.
OVERSIGHT IS COMING
Irrespective of where the federal government lands on the permanent implementation of telehealth, for the foreseeable future, government efforts to prevent fraudulent billing in health care will focus closely on telehealth. Telehealth already had significant risk of fraud through, for example, the ability of providers to misrepresent (whether purposefully or inadvertently) the type of telehealth services provided when billing for such services. The U.S. Department of Health and Human Services Office of Inspector General has confirmed it will closely scrutinize telehealth for fraudulent activity. Indeed, OIG issued a statement on Feb. 26, that it is conducting “significant oversight work” assessing telehealth services provided during the PHE and will seek to ensure telehealth services are not compromised by fraud, abuse or misuse.
As with fraud, cybersecurity in health care was already a serious concern before the pandemic, and the volume and intensity of cyberattacks affecting health care providers unfortunately has only increased during the pandemic. Providers who rapidly implemented telehealth technologies may not have paused to put in place appropriate data security controls and safeguards. However, any time a provider implements a new technology that may introduce potential risks to the confidentiality, integrity or availability of its health data, the provider should conduct an appropriate analysis of risks to and safeguards of data pursuant to the Health Insurance Portability and Accountability Act Security Rule. To the extent providers are continuing to use non-HIPAA-compliant telehealth technologies or did not pause to analyze the security risks of doing so, now is the time to implement HIPAA-compliant technology as part of a robust compliance program.
The COVID-19 pandemic has taught us that while we may not always be able to control external circumstances, we can control our response to them. To that end, health care providers in the telehealth space will need to continue to be nimble and prepared to quickly respond to the ongoing evolution of the laws governing telehealth.
— Erin Eiselein is a shareholder and co-chair of the health care group at Brownstein Hyatt Farber Schreck. Anna-Liisa Mullis is a shareholder and litigator in the health care group at Brownstein.