Upload
holland-hart-llp
View
316
Download
0
Embed Size (px)
Citation preview
Telehealth: Idaho Update
Idaho Medical Ass’n
Kim C. Stanger(8/15)
This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements made as part of the presentation are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the speaker. This presentation is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of law to your activities, you should seek the advice of your legal counsel.
Telehealth: Issues for Discussion• Providing Care Through Telehealth– Idaho law re remote prescribing– Idaho Telehealth Access Act
• Licensure• Privacy and Security• Reimbursement• Liability Issues
Written Materials• Idaho Law re Prescribing Without an Exam, IC 54-
1733• Idaho Telehealth Access Act, IC 54-5701 et seq.• Proposed Board of Medicine Regulations, IDAPA
22.01.15• MedLearn, Telehealth Services (12/14)• Medicaid, Telehealth Policy (7/14)• Article, Idaho Law re Prescribing Without an
Examination• Article, HIPAA, E-mails and Texts to Patients or
Others• Idaho Board of Medicine, Guidelines for
Appropriate Regulation of Telemedicine
Restrictions on Remote Prescribing or Treating
Restrictions on Remote Prescribing• Early internet pharmacies were prescribing
based solely on online questionnaires or similar methods.
• In response, many states or medical boards required an in-person physical exam before allowing the practitioner to prescribe or render treatment.–Medical practices act– Statement of medical boards
See http://www.fsmb.org/pdf/InternetPrescribing-law&policylanguage.pdf.
Idaho Statute re Prescribing
Prescriber-Patient Relationship“(1) A prescription for a legend drug is valid only if it is issued by a prescriber for a legitimate medical purpose arising from a prescriber-patient relationship which includes a documented patient evaluation adequate to establish diagnoses and identify underlying conditions and/or contraindications to the treatment.”“(3) Treatment, including issuing a prescription drug order, based solely on an online questionnaire or consultation outside of an ongoing clinical relationship does not constitute a legitimate medical purpose.”“(5) [It is unlawful] to prescribe drugs to individuals without a prescriber-patient relationship, unless excepted in this section.”Prescriber is subject to Board discipline for violations.(IC 54-1733)
Idaho Statute re Prescribing
Exceptions: licensed prescriber may do the following even though they do not have prescriber-patient relationship: “(a) Writing initial admission orders for a newly hospitalized patient;“(b) Writing a prescription drug order for a patient of another prescriber for whom the prescriber is taking call; “(c) Writing a prescription drug order for a patient examined by a physician assistant, advanced practice registered nurse or other licensed practitioner with whom the prescriber has a supervisory or collaborative relationship;“(d) Writing a prescription drug order for a medication on a short-term basis for a new patient prior to the patient's first appointment”;(IC 54-1733(2))
Idaho Statute re Prescribing
Exceptions (cont.): licensed prescriber may do the following even though they do not have prescriber-patient relationship: “(e) Writing a prescription for an opioid antagonist per IC 54-1733B;“(f) In emergency situations where the life or health of patient is in imminent danger;“(g) In emergencies that constitute an immediate threat to the public health…;“(h) Epinephrine auto-injectors in the name of a school per IC 33-520A; and“(i) If a prescriber makes a diagnosis of a sexually transmitted disease in a patient, the prescriber may prescribe or dispense antibiotics to the infected patient's named sexual partner … for treatment of the sexually transmitted disease as recommended by the most current [CDC] guidelines.”(IC 54-1733(2))
Idaho Telehealth Access Act
• Allows providers to establish patient-provider relationship through use of telehealth, but– Must still be licensed or authorized to practice
in Idaho.– Must still satisfy community standard of care.– Must obtain informed consent.– Must maintain proper documentation.– Must be available for follow-up care.
(IC 54-5601 [54-5701]
Idaho Telehealth Access Act
(IC 54-5703)
Originating Site:Where the patient is
locatedDistant Site:
Where the remote practitioner is located
Telehealth
Idaho Telehealth Access Act
• "Telehealth services" means health care services provided by a provider to a person through the use of electronic communications, information technology, asynchronous store and forward transfer or synchronous interaction between a provider at a distant site and a patient at an originating site. Such services include, but are not limited to, clinical care, health education, home health and facilitation of self-managed care and caregiver support.
(IC 54-5703)
Idaho Telehealth Access Act
• “Asynchronous store and forward transfer" means the transmission of a patient's health care information from an originating site to a provider at a distant site over a secure connection that complies with state and federal security and privacy laws.– E.g., teleradiology
• "Synchronous interaction" means real-time communication through interactive technology that enables a provider and a patient … to interact simultaneously through two-way video and audio or audio transmission.– E.g., tele-ICU
(IC 54-5703)
Idaho Telehealth Access Act
Provider-Patient Relationship.• “If a provider offering telehealth services in
his or her practice does not have an established provider-patient relationship with a person seeking such services, the provider shall take appropriate steps to establish a provider-patient relationship by use of two-way audio and visual interaction;
• “The applicable Idaho community standard of care must be satisfied.”
(IC 54-5605 [54-5701])* See proposed regulations.
Idaho Telehealth Access Act
Exceptions: Does not apply to electronic communications:“(a) Between a provider and a patient with a preexisting provider-patient relationship;“(b) Between a provider and another provider concerning a patient with whom the other provider has a provider-patient relationship;“(c) Between a provider and a patient where the provider is taking call on behalf of another provider in the same community who has a provider-patient relationship with the patient; or“(d) In an emergency, i.e., an imminent threat of a life-threatening condition or severe bodily harm(IC 54-5701 et seq.)
Idaho Telehealth Access Act
Evaluation and Treatment. • “Prior to providing treatment, including a
prescription, a provider shall obtain and document a patient's relevant clinical history and current symptoms to establish the diagnosis and identify underlying conditions and contraindications to the treatment recommended.
• “Treatment through telehealth services shall be held to the applicable Idaho community standard of care that applies in an in-person setting.
• “Treatment based solely on an online questionnaire does not constitute an acceptable standard of care.”
(IC 54-5606 [54-5706])
Idaho Telehealth Access Act
Prescriptions. • “A provider with an established provider-patient
relationship may issue prescription drug orders using telehealth services within the scope of the provider's license and according to any applicable laws, rules and regulations.– Must comply with community standard of care; – Cannot prescribe controlled substance unless
prescribed in compliance with 21 USC 802(54)(A).
– “No drug may be prescribed through telehealth services for the purpose of causing an abortion.*
(IC 54-5607 [54-5707])* Iowa Supreme Court recently struck down similar law.
Idaho Telehealth Access Act
Medical Records. • “Any provider offering telehealth services
as part of his or her practice shall generate and maintain medical records for each patient using such telehealth services in compliance with any applicable state and federal laws, rules and regulations, including HIPAA and HITECH.
• “Such records shall be accessible to other providers and to the patient in accordance with applicable laws, rules and regulations.
(IC 54-5611 [54-5711])* See proposed regulations
Idaho Telehealth Access Act
Additional Requirements.• Must obtain informed consent.
* See proposed regulations• Must be available for follow-up care or to
provide info to patients who make use of such services.
• Must be familiar with and have access to available medical resources, including emergency resources near the patient's location, in order to make appropriate patient referrals when medically indicated.
(IC 54-5608 to -5610 [54-5708 to -5710])
Idaho Telehealth Access Act
Enforcement and Discipline.• “A provider is prohibited from offering
telehealth services in his or her practice if the provider is not in full compliance with applicable laws, rules and regulations, including this act and the Idaho community standard of care.
• “A provider who fails to comply with applicable laws, rules and regulations is subject to discipline by his or her licensing board.”
(IC 54-5612 [54-5712])
Draft Telehealth Regulations
• Public hearing on proposed regulations:
Tuesday, September 15, 2015 at noon Idaho Board of Medicine
1755 Westgate Drive, Suite 140.
Draft Telehealth Regulations
“Licensure. Any physician, physician's assistant, respiratory therapist, polysomnographer, dietician, or athletic trainer who provides any telehealth services to patients located in Idaho must hold an active Idaho license issued by the Idaho State Board of Medicine for their applicable practice.”(IDAPA 22.01.15.011)
Draft Telehealth Regulations
• “Provider-Patient Relationship. In addition to the requirements in IC 54-5705, during the first contact with the patient, a provider licensed by the Board of Medicine who is providing telehealth services shall:– Verify the location and identity of the patient; – Disclose to the patient the provider's identity,
their current location and telephone number and Idaho license number;
– Obtain appropriate consents from the patient after disclosures regarding the delivery models and treatment methods or limitations, including a special informed consent regarding the use of telehealth technologies; and
– Allow the patient an opportunity to select their provider rather than being assigned a provider at random to the extent possible.”
(IDAPA 22.01.15.012)
Draft Telehealth Regulations
• Standard of Care. – A provider providing telehealth services to
patients located in Idaho must comply with the applicable Idaho community standard of care.
– The provider shall be personally responsible to familiarize themselves with the applicable Idaho community standard of care.
– If a patient's presenting symptoms and conditions require a physical examination, lab work or imaging studies in order to make a diagnosis, the provider shall not provide diagnosis or treatment through telehealth services unless or until such information is obtained.
(IDAPA 22.01.15.013)
Draft Telehealth Regulations
• Informed Consent. In addition to requirements of IC 54-5708, appropriate patient informed consent for telehealth technologies must be obtained and maintained at regular intervals consistent with the community standard of care.
• Informed consent should, at a minimum, include the following terms:– Identification of the patient, the provider and the
provider's credentials;– Agreement of patient that provider will determine
whether the condition being diagnosed and/or treated is appropriate for telehealth services;
– Info on the security measures taken with the use of telehealth technologies (e.g., encrypting data, password protected screen savers and data files, or utilizing other reliable authentication techniques) and potential risks to privacy and notwithstanding such measures;
– Disclosure that information may be lost due to technical failures.
(IDAPA 22.01.15.014)
Draft Telehealth Regulations
• Medical Records. As required by IC 54-5711, any provider of telehealth services … shall generate and maintain medical records for each patient. – The medical record should include, copies of all
patient related electronic communications, including patient-physician communications, prescriptions, lab and test results, evaluations and consultations, relevant info of past care, and instructions obtained or produced in connection with the utilization of telehealth technologies.
– Informed consents re provision of telehealth services should also be documented in the medical record.
– The patient record established during the provision of telehealth services must be accessible and documented for both the physician and the patient, consistent with all established laws and regulations governing patient healthcare records.
(IDAPA 22.01.15.012)
Draft Telehealth Regulations
• Public hearing on proposed regulations:
Tuesday, September 15, 2015 at noon Idaho Board of Medicine
1755 Westgate Drive, Suite 140.
Board of Medicine Guidelines
“A physician using telemedicine technologies in the provision of medical services to a patient (whether existing or new) must• take appropriate steps to establish the
physician-patient relationship, and • conduct all appropriate evaluations and
history of the patient consistent with traditional standards of care for the particular patient presentation.
As such, some situations and patient presentations are appropriate for the utilization of telemedicine technologies as a component of, or in lieu of, in-person provision of medical care, while others are not.”(Idaho BoM, Guidelines for Appropriate Regulation of Telemedicine (12/14))
Board of Medicine Guidelines
Parallels proposed regulations re:• Licensure• Establishment of physician-patient relationship• Evaluation and treatment of the patient• Informed consent• Continuity of care• Referrals for emergency services• Medical records• Privacy and security of patient records and
exchange of info• Prescribing• Disclosures and functionality on online services(Idaho BoM, Guidelines for Appropriate Regulation of Telemedicine (12/14))
Board of Medicine Guidelines
Beware financial incentives to refer online services…• “Advertising or promotion of [online] goods or
products from which the physician receives direct remuneration, benefits, or incentives (other than the fees for the medical care services) is prohibited.”
• “The maintenance of preferred relationships with any pharmacy is prohibited. Physicians shall not transmit prescriptions to a specific pharmacy, or recommend a pharmacy, in exchange for any type of consideration or benefit form that pharmacy.”
(Idaho BoM, Guidelines for Appropriate Regulation of Telemedicine (12/14))• May also create Stark and Anti-Kickback
problems.
AMA Guidelines for Telemedicine
• American Medical Ass’n (“AMA”) developed recommended Ethical Guidelines for Telemedicine Services.– Suggested that patient-physician
relationship should be established through face-to-face examination by:• in-person contact, or• real-time audio and video technology.
– Excepts consultations, radiology, and pathology.
• However, AMA’s House of Delegates has currently tabled the resolution.
Licensure
Licensure• State laws generally require that providers be
licensed in state where patient resides.• States differ re telehealth licensure.– Some allow for limited license.– Most require full license.
• Consequences of practicing without a license:– Criminal and administrative sanctions for
engaging in the unauthorized practice of law.– Possible loss of liability insurance.– No reimbursement for services.• Medicare and Medicaid require licensure
Idaho Licensure• “Practice medicine” =– To investigate, diagnose, treat or prescribe for any
disease, ailment, injury, or other condition by any means.
– To apply principles or techniques of medical science in the prevention of any such conditions.
– To offer, undertake, attempt or hold oneself out as able to do any of the foregoing.
(IC 54-1803(1))• Unauthorized practice of medicine = felony– Up to $10,000 fine– 5 years in prison– Adverse action against license
Idaho Licensure• “Consultation” exception:– A person residing and licensed in another state or
country may practice medicine in Idaho if:• He consults with a physician licensed in Idaho,
and• He or she does not open an office or appoint a
place to meet patients or receive calls in Idaho. (IC 54-1804(b))
• Test: direct care v. consultation– Frequency?– Other physician involved?
• If telehealth provider contracts to provide services for hospital, practitioner must be licensed in Idaho.
Idaho Licensure• Board of Medicine Interpretation regarding
Reading of Radiologic or Imaging Studies (3/5/04)– “It is the interpretation of the Idaho State
Board of Medicine that a physician reading radiologic or imaging studies done in Idaho on Idaho patients by an Idaho physician must hold an Idaho license to practice medicine unless the radiologic or imaging studies are sent to an out-of-state physician directly by an Idaho licensed physician to obtain consultation on a patient.”
(Available on Board of Medicine website)
Idaho Licensure• Board of Medicine Interpretation regarding Reading
of Pathology Studies (Undated)– “It is the interpretation of the Idaho State Board of
Medicine that a physician performing pathology tests on samples taken in the State of Idaho on Idaho patients by an Idaho physician must have an Idaho license to practice medicine if the physician performing pathology tests is rendering a diagnosis for inclusion in the patient’s medical chart unless the pathology tests are sent to an out-of-state physician directly by an Idaho licensed physician to obtain consultation on a patient.”
(Available on Board of Medicine website)
Licensure
• Practitioners in military, VA, Public Health Service– May practice within their organization across states.
• Nurse Licensure Compact– Allows multistate licensure for nurses.
• Interstate Medical Licensure Compact– Developed by Federation of State Medical Boards
(“FSMB”).– Allows expedited licensure for physicians licensed in
another state that is a member of the compact.– Several states (including Idaho), have passed laws
to participate, but still a year or two away from implementing. (See IC 54-1842 et seq.)
Interstate Medical License Compact
LicensureTo summarize:• Telehealth provider in another state Idaho– Ensure outside practitioner has an Idaho
license, or– Make sure—• Outside practitioner consults with Idaho
practitioner, and• Outside practitioner does not open shop
in Idaho or contract with hospital to provide services in Idaho.
• Telehealth provider in Idaho another state– Check laws of the other state
Privacy and Security
HIPAA
Health Insurance Portability and Accountability Act of 1996
• Privacy Rules, 42 CFR 164.500– Must protect confidentiality of patient info– Gives patients certain rights concerning their
protected health info (“PHI”)• Security Rules, 42 CFR 164.300– Must implement specified administrative, technical
and physical safeguards to protect e-PHI.– Designed to protect• Confidentiality• Integrity• Availability
HIPAA Privacy• “Does the HIPAA Privacy Rule permit health care
practitioners to use e-mail to discuss health issues and treatment with their patients?
• “Answer: Yes. The Privacy Rule allows covered health care practitioners to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care practitioners and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of info disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of [e-PHI] is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.”
(OCR HIPAA Privacy FAQ dated 12/15/08)
HIPAA Security• Must implement specified physical, technical, and
administrative safeguards for e-PHI, including:– Transmission security. Implement technical
security measures to guard against unauthorized access to [e-PHI] that is being transmitted over an electronic communications network.
– Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted [e-PHI] is not improperly modified….
– Encryption (Addressable). Implement a mechanism to encrypt [e-PHI] info whenever deemed appropriate.
(45 CFR 164.312)
HIPAA Security• “Does the Security Rule allow for sending
electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?
• “Answer: The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”
(OCR FAQ [undated])
HIPAA SecurityFrom HIPAA omnibus rule commentary:• “We clarify that covered entities are permitted to send
individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email…. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive [PHI] in that way, and covered entities are not responsible for unauthorized access of [PHI] while in transmission to the individual based on the individual's request.”
(78 FR 5634 (1/25/13))
HIPAA Business Associates• Other treatment providers are not business
associates while providing treatment. (45 CFR 160.103)
• May need business associate agreement with vendors or other outsiders who assist with telemedicine, including:– Entity that transmits PHI and has regular access
to PHI, not “conduit”.– Entity that stores PHI.
• Exceptions:– Members of workforce.• You have control over person while onsite.
– Members of organized health care arrangement (“OHCA”)• Integrated delivery of patient care.
Additional Regulations• FDA regulates medical devices, which may
include telemedicine equipment and software if used in the diagnosis or treatment of a disease or condition.
• On 9/23/13, FDA issued guidance on mobile medical apps. See http://www.fda.gov/medicaldevices/productsandmedicalprocedures/connectedhealth/mobilemedicalapplications/default.htm.
• Ryan Haight Online Pharmacy Consumer Protection Act places limits on internet pharmacies.
Reimbursement
Reimbursement• Reimbursement for telemedicine is
expanding … slowly– Medicare expanded coverage for FY2015,
but still limited.• Bills are regularly submitted to Congress.• CMS allows ACOs to provide telehealth
services.• Maybe concern that it will cost more
because services will be more accessible.– Medicaid programs generally provide some
coverage, but depends on states.– Private payers • 27 states have telehealth parity laws.• Some payers expanding services to
reduce other costs.
Liability Issues
Liability Issues
• Different laws and procedure if cross state boundaries.
• Provider-patient relationship may be established even if not intended.
• May be held to community standard of care for in-person treatment instead of some telehealth standard.
• Informed consent should address risks of telehealth.
• Beware abandoning patient after telehealth session.
• Malpractice liability insurance may not provide coverage, e.g., practice without license, practice in another state, administrative or criminal actions.
Additional Resources
Additional Resources?• Federation of State Medical Boards,
http://www.fsmb.org/grpol_telemedicine.html.– Summaries of state laws governing telemedicine.– Legislative update.
• Center for Telehealth & e-Health Law (“CTel”), http://www.fsmb.org/grpol_telemedicine.html.– Publications and guides.– News and information.
• American Telemedicine Ass’n, http://www.americantelemed.org/– Practice standards and guides.– News and information.