
Coronavirus (Covid-19) Creates Opportunities for Use of Telehealth in Florida

I. Introduction

For several years, we have discussed the practical benefits of using Telehealth or Telemedicine as a supplement to traditional medical care and not as a replacement. However, we are facing a moment in history where Emergency Rooms are becoming increasingly overwhelmed and don’t have the staff, resources, healthcare professionals, respirators, ventilators and other equipment necessary to adequately and expeditiously treat patients. Telemedicine is becoming more essential now that countries around the world are paralyzed due to the spread of the Coronavirus, which has resulted in a pandemic.

Telemedicine is useful for those individuals who are unable or unwilling to travel to their healthcare provider while allowing them to receive the same level of care and treatment through the use of medical technology. Telemedicine is particularly useful during times like this when individuals have to self-quarantine and when a State of Emergency has been issued as a measure to minimize the spread of the virus. Telemedicine may have the ability to assist healthcare professionals by remotely diagnosing conditions, such as the Coronavirus without putting the health of others in jeopardy. The Coronavirus can cause respiratory problems, among others, and the elderly and those with pre-existing conditions regardless of age are particularly susceptible to the effects of contracting the virus, including death.

II. Florida Law

Now is as good a time as any for those who are interested in incorporating Telehealth into their practice to become familiar with the Florida laws that govern its use. Prior to the passage of House Bill 23 (Chapter 2019 – 137), the Standards for Telemedicine practice were governed by Florida Administrative Code 64B8-9.0141 (for Medical Doctors) and 64B15-14.0081, which have since been repealed and replaced by this House Bill and Florida Statute §456.47.

          A. What is Telehealth under H.B. 23

“Telehealth” is defined as the use of synchronous or asynchronous telecommunications technology by a telehealth provider to provide healthcare services, including, but not limited to, assessment, diagnosis, consultation, treatment, and monitoring of a patient; transfer of medical data; patient and professional health-related education; public health services; and health administration. The term does not include audio-only telephone calls, email messages, or facsimile transmissions. A “Telehealth Provider” means any individual who provides healthcare and related services using telehealth and who is licensed or certified under the appropriate Florida Statute or who is licensed under a multi-state health care licensure compact of which Florida is a member state or is a registered out-of-state telehealth provider. A telehealth provider and a patient may be in separate locations when telehealth is used to provide healthcare services to a patient. It should be noted that it is not a violation for a non-physician telehealth provider to use telehealth while acting within his or her relevant scope of practice.

          B. Telehealth Prescribing and Recordkeeping

A telehealth provider may not use telehealth to prescribe a controlled substance unless the controlled substance is prescribed for the following: (1) the treatment of a psychiatric disorder; (2) inpatient treatment at a hospital; (3) the treatment of a patient receiving hospice services; or (4) the treatment of a resident of a nursing home facility.

A telehealth provider must document in the patient’s medical record the healthcare services rendered using telehealth according to the same standard as used for in-person services. Medical records, including video, audio, electronic, or other records generated as a result of providing such services are confidential and must comply with HIPAA requirements.

          C. Out-Of-State Telehealth Providers

                1. Registration of Out-Of-State Telehealth Providers

A healthcare professional not licensed in Florida may provide healthcare services to a patient located in this state using telehealth if the healthcare professional registers with the applicable board and provides those healthcare services within the applicable scope of practice established by Florida law. To be registered, an out-of-state healthcare professional must: (1) complete an application to provide telehealth services as an out-of-state provider; (2) hold an unencumbered occupational license that was issued by another state, the District of Columbia, or a possession or territory of the United States and that is substantially similar to the license issued to a Florida-licensed provider (foreign-trained providers without a valid Florida professional license are ineligible to register to provide telehealth services in Florida); (3) not have been the subject of disciplinary action relating to his or her license during the 5-year period immediately preceding the submission of the application; (4) designate a duly appointed registered agent for service of process in this state; and (5) demonstrate to the board that he or she maintains professional liability coverage or financial responsibility.

A healthcare professional may not register if his or her license to provide healthcare services is subject to a pending disciplinary investigation or action, or has been revoked in any state or jurisdiction. If you are a duly registered healthcare professional, you must notify the appropriate board of any restrictions placed on your license to practice, or any disciplinary action taken or pending against you, from any state or jurisdiction within 5 days after the restriction is placed or disciplinary action is initiated or taken.

               2. Insurance Coverage

As noted above, a registered provider must maintain professional liability coverage or proof of financial responsibility that includes coverage or financial responsibility for telehealth services provided to patients not located in the provider’s home state.

               3. Physical Presence

An out-of-state healthcare professional may not open an office in Florida and may not provide in-person healthcare services to patients located in this state.

               4. Disciplinary Action Against Out-Of-State Telehealth Provider

The board may take disciplinary action against an out-of-state telehealth provider if the registrant: (1) fails to notify the applicable board of any adverse actions taken against his or her license; (2) has restrictions placed on or disciplinary action taken against his or her license in any state or jurisdiction; (3) violates any of the requirements of this section; or (4) commits any act that constitutes grounds for disciplinary action under the applicable practice act for Florida-licensed providers. Disciplinary action may include suspension or revocation of the provider’s registration or the issuance of a reprimand or letter of concern. A suspension may be accompanied by a corrective action plan the completion of which may lead to the suspended registration being reinstated according to the rules adopted by the board.

          D. Venue

Any act that constitutes the delivery of healthcare services is deemed to occur at the place where the patient is physically located at the time the act is performed or in the patient’s county of residence.

          E. Exemptions

A healthcare professional who is not licensed to provide healthcare services in this state but who holds an active license to provide healthcare services in another state or jurisdiction, and who provides healthcare services using telehealth to a patient located in this state, is not subject to the registration requirement if the services are provided: (1) in response to an emergency medical condition; or (2) in consultation with a healthcare professional licensed in this state who has ultimate authority over the diagnosis and care of the patient.

          F. Reimbursement for Telehealth Services

A contract between a health insurer issuing major medical comprehensive coverage through an individual or group policy and a telehealth provider must be voluntary between the insurer and the provider and must establish mutually acceptable payment rates or payment methodologies for services provided through telehealth. Any contract provision that distinguishes between payment rates or payment methodologies for services provided through telehealth and the same services provided without the use of telehealth must be initialed by the telehealth provider.

 

*****************************************************

It should be noted that I am not your lawyer (unless you have presently retained my services through a retainer agreement). This post is not intended as legal advice, it is purely educational and informational, and no attorney-client relationship shall result after reading it. Please consult your own attorney for legal advice. If you do not have one and would like to retain my legal services, please contact me using the contact information listed above.

 

All information and references made to laws, rules, regulations, and advisory opinions were accurate based on the law as it existed at this time, but laws are constantly evolving. Please contact me to be sure that the law which will govern your business is current. Thank you.

Do I need a Business Associate Agreement?

Your healthcare entity may need to enter into a signed Business Associate Agreement with certain vendors and contractors that you have contracted with depending on the type of services that will be provided to your healthcare entity. Failure to produce a signed Business Associate Agreement could lead to fines and/or penalties by the Office for Civil Rights (“OCR”) in connection with potential HIPAA violations.

 

What is a Business Associate?

A business associate is one that creates, receives, maintains or transmits protected health information (“PHI”). Companies that only store encrypted PHI are also considered Business Associates. Subcontractors may also have to sign a Business Associate Agreement if they create, receive, maintain, or transmit PHI on behalf of a business associate.

A healthcare provider is not considered a business associate if disclosure of PHI is required for treatment. A covered entity participating in an Organized Health Care Arrangement (“OHCA”) that performs a function or activity for or on behalf of the OHCA is not a business associate if it is acting on behalf of the OHCA as a whole.

 

Business Associates Restrictions and Requirements

Business associates may use or disclose PHI only as permitted or required by the Business Associate Agreement or as required by law. Business associates will be directly liable under the HIPAA Rules and subject to civil and criminal penalties for failing to comply with the Business Associate Agreement or the HIPAA Security Rule.

If a Business Associate becomes aware of a security incident they must report it. A “security incident” includes “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

Business Associates are governed by rules that provide specific guidance regarding the sale of patient information. For example, information can be sold for public health, treatment and payment, or for the sale of an entity. Additionally, information can be sold for research, but compensation must be reasonable and cost-based. Any information or data that is sold must be de-identified to remove any and all identifiers of the individual, relatives, employers, or household members.

 

Business Associate Agreement Requirements

The following is a list of items that must be addressed in a Business Associate Agreement:

  1. Establish the permitted and required uses and disclosures of PHI by the business associate.
  2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the PHI, including compliance with the Security Rule for ePHI.
  4. Require reporting to the covered entity of any improper use or disclosures including breaches.
  5. Require the business associate to make PHI available for access and amendment and require information for accounting.
  6. Require Privacy Rule compliance to the extent applicable.
  7. Require business associates to make books and records available to HHS.
  8. Require the business associate to return or destroy PHI at termination if feasible.
  9. Require the business associate to ensure that subcontractors agree to the same restrictions and conditions.
  10. Authorize termination of the contract by the covered entity if the business associate violates a material term.

 

Business Associate Agreement Regulatory Compliance

Periodically, Business Associate Agreements should be reviewed and updated as necessary to ensure that they are compliant with HIPAA and the HITECH Act or any other related laws.

OCR is responsible for auditing and only provides healthcare entities a narrow window to produce a list of their business associates. Therefore, it is critically important to maintain a list of business associates.

 

Things to consider

This is a non-exhaustive list of a few things to consider when negotiating a BAA:

  1. Is this entity a Business Associate? If so, what will this BA be doing and does HIPAA allow for it?
  2. Do you want a stand-alone BAA or will it be incorporated into other contracts?
  3. Has there been a discussion about indemnification and how much is required?
  4. Is a confidentiality agreement required for other information?
  5. Should we have a privacy official to design, implement and oversee privacy policy and procedure practices, including risk analysis and risk mitigation?

 

There are several other items to consider when drafting, negotiating and executing a Business Associate Agreement. If you have questions about Business Associate Agreements and how they work or whether yours incorporates the most recent legal requirements you should contact us today.

****

This post was authored by Jamaal R. Jones, Esquire, of Jones Health Law, P.A. For more information, contact me at (305) 877-5054, email me at JRJ@JonesHealthLaw.com, or visit our website at www.JonesHealthLaw.com.

 


Does Blockchain Belong in Healthcare?

Healthcare providers have been slow to implement blockchain into their practice. Providers are hesitant due to: (1) unfamiliarity with this technology and how it works; (2) some don’t see its practical application to healthcare; (3) others are employing the wait and see approach to determine if it is financially rewarding; and (4) some are put off by the lack of regulation, which could expose their patient records to cybertheft.

 

What is Blockchain?

In 2009, blockchain stormed on the scene as the foundation for swapping digital currency. Blockchain is a permanent record of online transactions or exchanges that are logged publicly and in chronological order with corresponding time-stamps. A blockchain is comprised of a series of “blocks” or information that grows over time to create a chain. Blocks cannot be altered or deleted which allows users to follow the “crypto trail” or transaction record. Blockchain is appealing to many in the healthcare community because of its potential for data security.

Credentialed users can add to the transaction record, which can then be dispersed or shared across networks. Users on the network can validate and confirm each block of data in the chain. The key element of blockchain is that it is not housed in a central database and all transactions must be encrypted and verified by the network.

 

How will Blockchain revolutionize healthcare?

Data security and data interoperability are two of the most popular uses for blockchain in healthcare, but there is the potential for many other applications. Blockchain can be used to create a uniform database of protected health information (PHI) that is easily accessible by healthcare providers regardless of the type of electronic health systems that they use. Blockchain will provide greater security and privacy for patient records, it will reduce administrative processes, which will allow for more time spent with patients, and it will facilitate the free flow of medical research between providers in the treatment of diseases.

Blockchains do not have to be publicly available to everyone. A healthcare facility can limit its network to users that they authorize, such as HIPAA-covered entities and other trusted collaborators. To increase data security, a healthcare provider may place restrictions on what is on the blockchain while choosing to keep some data off the blockchain. Additionally, safeguards must be in place to protect personally identifiable information (PII) without significantly inhibiting the transfer of protected health information.

More functional data sharing between healthcare providers increases the likelihood of accurate diagnoses and better treatment while reducing the cost of delivery. Also, you can be sure that the information on the blockchain is accurate and secure. Blockchain will revolutionize health information exchanges by providing patients with direct continuous access to their records. Providers will be able to access healthcare databases on a large scale. It will also facilitate communication between primary care providers, specialists, and pharmacies who all coordinate care for a patient. All providers, payors, and pharmacies can record information about a specific patient, such as patient visits, prescribed treatment, and diagnosis onto the same ledger, which they all can access. This communication reduces abuse, misuse, and readmissions.

 

Is blockchain safe?

Transactions are conducted over several computers and not a single server, which makes it much more difficult to change, hack, or forge. Cybercriminals have already found a way to abscond with millions of dollars’ worth of coins in several creative ways, but experts believe that blockchain can be a much more secure method of storing patient records and other information. Blockchain wouldn’t eliminate data breaches but if the right procedures are implemented it could significantly reduce the occurrence on a large scale as we’ve seen in the past with companies like Target and Aetna.

However, many questions related to HIPAA and blockchain remain. For example, providers are unsure of how to incorporate patient bill of rights in HIPAA through blockchain and who would have right of access to records maintained on the blockchain. Many contracts will have to be amended to allow for blockchain before they can surmount many lingering legal obstacles.

As of today, federal and Florida legislators have not passed any laws that regulate blockchain in any meaningful way, but that will change as more providers adopt this technology.

 

You need an experienced healthcare attorney who understands blockchain and data privacy to ensure that your practice isn’t violating HIPAA, HITECH and state/federal agency rules. For more information call or email Jamaal R. Jones, Esq. at (305) 877-5054 or jrj@joneshealthlaw.com

Representing the Physician: It Is Harder Than it Looks

Jamaal R. Jones is a Super Lawyer committed to representing the physician.

Mr. Jones recently attended a conference where Health Law attorneys from around Florida converged to discuss topics such as MACRA, HIPAA Audits, EMTALA, Medical Marijuana, Medicare and other Risk Contracts, and Structuring Medical Practices for Tax and Creditor Insulation.

If you would like to discuss any of these topics in greater detail contact us today!

Implementing Policies and Procedures into your Medical Practice

As a child, my mother always stressed the importance of being neat and organized. She told me that I should be able to walk into my house in the dark and find anything that I need because I know exactly where it is. At the time, I didn’t know how those values would apply to not only my personal life but also my business life. With that being said, life gets in the way and there are days when my office or my house is in disarray. This reduces my productivity because I have to spend time searching for important documents at my office or my car keys at home.

I place a lot of emphasis on maintaining a neat and organized medical practice for all of my clients because it will make their life easier for numerous reasons. The best way to maintain a neat and organized medical practice is to implement policies and procedures that you and your employees must strictly follow. These policies and procedures can range from physical security of the facility, security of HIPAA protected information, employee time-keeping, janitorial services, medical substances and pharmaceutical drug internal audits, etc.

Everyone on the staff should be held accountable for the tasks that they perform or fail to perform. As the owner of the practice, you should periodically review the procedural tasks to make sure that everyone is performing their duties adequately and on time. It only takes one missed log entry for a crisis to arise. This brings me to my next point: you should implement a policy where everyone on your staff must sign off on or use a unique identifier and password that only they have. This is important so that you can trace most of the activities that occur in your practice. Providers have to play “big brother” and watch over their practice because as you let things slide so will your staff, and certain policies and protocols will be abandoned.

It is not unusual for a provider to contact me after a regulatory authority, such as the Florida Department of Health (“DOH”) or the Centers for Medicare & Medicaid Services (“CMS”) has contacted them about a potential violation within their practice (i.e. billing). Typically, these regulatory bodies make certain requests for documentation in their correspondence. I am often surprised by how unorganized the medical practice’s files are and the lack of adequate policies and procedures within the practice. As I mentioned earlier, I understand that life gets in the way, but being organized and having policies and procedures in place to maintain organization should be a priority. Lack of time will not be a valid excuse for the regulators. In fact, there are several state and federal record-keeping requirements that a medical practice must strictly adhere to or run the risk of receiving fines and penalties. Take one day or weekend and work alongside your staff to clean up those files and perform an audit of your inventory.

The following is a sample of some of the steps that I would take to ensure that my medical practice is neat and organized:

  • Create a formal policy and procedure manual that every employee must sign and adhere to.
  • Document everything and save it on-site as well as off-site on a cloud-based service and limit employee access to those documents.
  • Maintain employee files, including, but not limited to, emergency contacts, termination letters with reason for termination, professional and driver’s licenses, periodic drug test results, personal and medical history, progress reports, professional and academic performance evaluations, etc.

In the event that you have to self-report, or if any state or federal regulatory authority contacts your practice about a potential violation of a law or rule, you should be as prepared as possible. Implement policies and procedures into your medical practice that will protect you and will ensure that your practice runs efficiently and smoothly. A healthcare attorney can assist you in creating a fully functioning policy and procedure manual specific to your practice.

My DEA Number was Stolen by an Employee and Used to Buy Controlled Substances

Most doctors have various licenses that provide them with unique identification numbers. If any of these identification numbers find their way into the wrong hands it can be detrimental to the healthcare provider’s practice, their patients, and the public. Doctors hire support staff to run their practice efficiently by performing tasks that they don’t have time to do or don’t have the training to perform. This employer-employee relationship requires a certain level of trust from both parties because a bad act by either party can have a negative impact on the other party’s license, privileges, or reimbursement for services. Some of the support staff working in a doctor’s office may have access to HIPAA-protected information and a doctor’s unique identification numbers, such as his NPI and DEA numbers. What should you do if one of your employees steals your DEA number and uses it to self-prescribe controlled substances through e-prescribing or traditional prescription pads? What if they use your DEA number to order controlled substances for the practice without your knowledge or consent? Doctors should also be concerned with their potential liability for the unauthorized use of their DEA number.

Keys to Successfully Operating a Multi-Disciplinary Medical Practice

Throughout Florida, a healthy number of licensed healthcare practitioners and healthcare entrepreneurs are joining or investing in multi-disciplinary practices for numerous reasons. The primary reason for their foray into this modern approach to the delivery of medicine is usually due to the rising costs of administering treatment. They are attracted to the idea of increasing revenue, minimizing administrative duties, and partnering with like-minded individuals that may grow their individual practice. However, there are several business and legal challenges that members of a multi-disciplinary practice must consider prior to participating in the practice.
