There was a time when you could receive a home visit from your primary care physician when you were feeling ill. Well, those days are long gone…or are they? Much like many other aspects of our lives, the delivery of medicine has evolved throughout the years, and we are now being ushered back to the days when we didn’t have to travel to our physician’s office to receive medical treatment. This time around, when the nurse says “The doctor will see you now,” the “visit” will be very different.
The proliferation of Telemedicine has made the delivery of medical services more accessible to those who are unable or unwilling to travel to their physician’s office. Our busy schedules or physical disabilities resulting in immobility have increased our demand for and usage of Telemedicine. Now more than ever, physicians and their patients are utilizing mobile health applications and wearable technology devices that collect, store, and transmit our protected health information (“PHI”) to our physician or any other health care provider or entity that the patient designates.
When the physician receives the patient’s PHI through the app, the physician can interpret that information to provide a more accurate examination during the next Telemedicine appointment. In other words, Telemedicine and mobile health apps/devices, when used in tandem, allow a physician to provide a more precise diagnosis.
Technology is meant to simplify our lives, but at what cost? We’ve all seen and received advertisements that state “Stay focused this holiday season with the latest in wearable tech” or “Get real-time heart rate & calorie burn stats”. To the average consumer, wearing a smart watch or using a health tracker app on your phone seems harmless, but what happens when your PHI gets into the wrong hands? What if there is a data security breach and millions of PHI records, including yours, are stolen by hackers? What if a provider discloses your PHI to someone that you did not authorize them to disclose it to? The reality is that this occurs more often than we’d like to admit, and with the increase in the usage of Telemedicine, mobile health apps, and wearable tech, we are more susceptible to our PHI getting into the wrong hands.
The popularity of Telemedicine among health care providers is increasing rapidly because it allows providers to connect with and treat a larger population of patients that they otherwise wouldn’t have access to, and the result is an increase in profits. New laws are being enacted and existing laws are being revised or amended to facilitate the surge of Telemedicine.
Generally, telemedicine involves the use of interactive telecommunications for the delivery of health care services when a health care provider and patient are not in the same physical location. Engaging in this practice of remote health care allows providers to reach more patients and grow their businesses by providing health care services, such as primary and specialty care and remote patient monitoring, via videoconference rather than requiring patients to travel to an office or hospital. Although telemedicine is used sparingly compared to face-to-face treatment by a health care provider, its use is on the rise, and laws and regulations are being enacted across the nation to govern the provision of telemedicine by health care practitioners.
Telemedicine in Florida
Telemedicine policies regarding reimbursement, licensure requirements, online prescribing, scope of coverage, and other issues vary greatly from state to state. Several states have enacted or are in the process of enacting legislation that addresses several of these issues. Florida, like many other states, has been slow to enact new laws or evolve existing laws and statutes to deal with the proliferation of telemedicine. On March 12, 2014, the Florida Administrative Code established standards for telemedicine practice. This Rule was adopted by the Florida Board of Medicine and the Florida Board of Osteopathic Medicine.
The Rule defines “telemedicine” as the practice of medicine by a licensed Florida physician or physician assistant where patient care, treatment, or services are provided through the use of medical information exchanged from one site to another via electronic communications. Florida does not have specific language within its statute, nor its administrative regulations, granting out-of-state physicians a limited license to enter the state remotely to practice medicine, but that may change if proposed legislation is passed. For example, if passed, an insurer using a provider that’s in-network in another state would also be allowed to treat a Florida patient. The Rule prohibits the use of Telemedicine to administer health care services by using solely an audio-only telephone, email messages, text messages, facsimile transmission, U.S. Mail or other parcel service, or any combination thereof. The Rule also states that the standard of care must remain the same regardless of whether a Florida licensed physician or physician assistant provides health care services in person or via telemedicine.
Florida licensed physicians and physician assistants providing health care services via telemedicine are responsible for the quality of the equipment and technologies employed and are responsible for their safe use. The Rule did not include a list of technologies that it deemed safe for use in telemedicine. This was done on purpose to allow the rule to be broad enough to permit the practitioner to use available technology sufficiently encrypted and compliant with HIPAA.
Physicians may not prescribe controlled substances through the use of telemedicine unless the patient is in a hospital facility. According to the Rule, prescribing medications based solely on an electronic medical questionnaire constitutes the failure to practice medicine with the level of care, skill, and treatment which is recognized by reasonably prudent physicians as being acceptable under similar conditions and circumstances, as well as prescribing legend drugs other than in the course of a physician’s professional practice.
Under the Rule, physicians and physician assistants cannot provide treatment recommendations, including issuing a prescription via electronic or other means, unless: (a) there is a documented patient evaluation, including history and physical examination, to establish the diagnosis for which any legend drug is prescribed; (b) there has been a discussion between the physician or the physician assistant and the patient regarding treatment options and the risks and benefits of treatment; and (c) there exists proper maintenance of contemporaneous medical records.
Patient confidentiality obligations and recordkeeping requirements of physicians and physician assistants are not altered by the provision of health care services via telemedicine. In fact, a physician-patient relationship may be established through telemedicine.
This rule does not apply to emergency medical services provided by emergency physicians, emergency medical technicians (“EMTs”), paramedics, and emergency dispatchers. Additionally, the rule doesn’t apply where a physician or physician assistant is treating a patient with an emergency medical condition that requires immediate medical care.
While this rule accomplished a lot for establishing standards of care, listing licensure requirements, and online prescription prohibitions, it did not mandate insurance coverage or reimbursement for telemedicine services provided in Florida. There are many factors that states use to determine the scope of coverage for telemedicine applications, such as the quality of equipment, type of services to be provided, and location of providers (e.g. remote rural sites). The American Telemedicine Association tracks recent changes to State telemedicine legislation, including those states that have enacted legislation mandating private insurance coverage for telemedicine services. While there are several bills before the Senate and House in Florida, there remains some skepticism by various parties in interpreting and expanding upon current telemedicine regulations. In Florida, there is a Senate bill which, if passed, would require public and private insurers to reimburse for telemedicine services, allowing doctors to negotiate payment rates with insurers. Supporters of this bill and others believe that in the long term, telemedicine will save money by reducing hospital and emergency room admissions.
According to Medicaid’s website, telemedicine includes such technologies as telephones, fax machines, and emails, which are used to collect and transmit patient data for monitoring and interpretation. Even though such technologies are not considered “telemedicine,” they may nevertheless be covered and reimbursed as part of a Medicaid coverable service, such as laboratory service, x-ray service or physician service. For a provider to be reimbursed for the delivery of Medicaid-covered services via telemedicine, those services must meet federal requirements of efficiency, economy, and quality of care. Federal law affords Florida the flexibility to develop novel payment methodologies for telemedicine services. For example, states may reimburse the physician or other licensed practitioner at the distant site and reimburse a facility fee to the originating site. States are permitted to reimburse for technical support, transmission charges, and equipment. These add-on costs can be incorporated into the fee-for-service rates or separately reimbursed as an administrative cost by the state. If they are separately billed and reimbursed, the costs must be linked to a covered Medicaid service.
Medicaid guidelines require all providers to practice within the scope of their state practice requirements. Some states have enacted legislation that requires providers using telemedicine technology across state lines to have a valid state license in the state where the patient is located. A provider must have a Florida license to conduct telemedicine across state lines into Florida. The provision of health care services is generally held to be where the patient is located, so the standard of care in the patient’s community should, but may not always, apply. Existing state malpractice case law, tort law and civil procedure will govern telemedicine issues in the absence of telemedicine-specific statutes.
On July 7, 2015, the House introduced the Medicare Telehealth Parity Act of 2015, which, if enacted, would increase the scope of telemedicine services covered by Medicare. Specifically, this bill would (a) lessen the “originating site” requirements for certain services; (b) expand the types of services that are covered to include services like respiratory services, audiology and outpatient therapy services; (c) expand the types of providers whose services are covered; (d) expand the geographic locations in which telemedicine services are covered; and (e) establish coverage for remote patient monitoring for certain chronic conditions. The bill would allow reimbursement under Medicare for certain services provided in a beneficiary’s home, regardless of locale.
As it stands today, Medicare Part B pays for office or other outpatient visits, subsequent hospital care services (with the limitation of one telemedicine visit every 3 days); subsequent nursing facility care services (not including the Federally-mandated periodic visits under §483.40(c) and with the limitation of one telemedicine visit every 30 days); professional consultations, psychiatric diagnostic interview examination, neurobehavioral status exam, individual psychotherapy, pharmacologic management, end-stage renal disease-related services included in the monthly capitation payment (except for one “hands on” visit per month to examine the access site); individual and group medical nutrition therapy services, individual and group kidney disease education services, individual and group diabetes self-management (“DSMT”) training services (except for one hour of in-person services to be furnished in the year following the initial DSMT service to ensure effective injection training); and individual and group health and behavior assessment and intervention services, and smoking cessation services furnished by an interactive telecommunications system if the following conditions are met:
- The physician or practitioner at the distant site must be licensed to furnish the service under State law. The physician or practitioner at the distant site who is licensed under State law to furnish a covered telemedicine service described in this section may bill, and receive payment for, the service when it is delivered via a telecommunication system.
- The practitioner at the distant site is a physician, physician assistant, nurse practitioner, etc. as defined in the appropriate section of the CFR.
- The services are furnished to a beneficiary at an originating site, such as a physician’s or practitioner’s office, critical access hospital, rural health clinic, Federally qualified health center, hospital, skilled nursing facility, community mental health center, or critical access hospital-based renal dialysis center.
- Originating sites must be located in either a rural health professional shortage area or in a county that is not included in a Metropolitan Statistical Area.
- The medical examination of the patient is under the control of the physician or practitioner at the distant site.
Many private payor insurance plans do reimburse for telemedicine-delivered services; however, federal law does not require these payors to provide coverage for any type of telemedicine-delivered service. Some states have passed their own private payor laws, affecting private payor plans that operate in those states. Currently, twenty-eight states and D.C. have some private payor-related reimbursement laws. An additional four states have telemedicine private payor laws that have passed, but are not yet effective. Some states mandate some sort of reimbursement, while others mandate reimbursement at the same level as in-person care under certain conditions.
Mobile Health and Fitness Apps and Wearable Tech
Not all mobile health apps and wearable tech are created equally. If the health app or wearable tech electronically collects, stores, and shares PHI with covered entities (i.e. physicians) or business associates in connection with a transaction for which the Department of Health and Human Services (“HHS”) has adopted a standard, it must be HIPAA compliant. HIPAA privacy and security regulations extensively regulate the use and disclosure of individually identifiable health information and require certain covered entities, including most health app developers, and their business associates to implement administrative, physical, and technical safeguards to protect the security of such information. The HITECH Act promotes the adoption of meaningful use of health information technology. HITECH provides HHS with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT. HITECH addresses the privacy and security concerns associated with the electronic transmission of health information, partly through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. Additionally, there are several federal agencies, including the Federal Communications Commission (“FCC”), that regulate the use of wearable tech.
PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment. Examples of PHI include billing information, test results, doctor’s appointment scheduling, etc. HIPAA was drafted in an age when health apps and wearable tech were non-existent, and therefore protecting PHI in health apps was not a consideration in the drafters’ minds. As a result, it is difficult to determine which apps must be HIPAA compliant and which are exempt based on the current drafting of the law.
Mobile health apps are not required to be HIPAA compliant if they are only used for tracking or informational purposes, such as those that: (i) track daily diets; (ii) allow the user to covertly research various illnesses; (iii) provide access to medical reference materials; and (iv) permit users to record their weight and exercise routines. To determine whether an app falls under HIPAA, the developer should determine whether the user will be a covered entity and whether the app will include PHI. If the app doesn’t involve PHI or involve a covered entity, it doesn’t have to be HIPAA compliant.
Implementing the HIPAA Privacy and Security Rules is indispensable to operating these apps because they are highly susceptible to data theft and other security breaches. When we consider the frequency with which wearable tech and cell phones are lost and stolen, we understand why it is so important to be HIPAA compliant. App developers who believe that their apps must be HIPAA compliant can protect and secure PHI by incorporating the following safety mechanisms into their apps: (i) require a password or other user authentication; (ii) allow users to enable built-in encryption capabilities; (iii) allow for remote wiping and/or remote disabling; (iv) restrict file sharing applications; (vi) enable security software to protect against viruses, malware, and spyware attacks; and (vii) make sure that security software is up to date. This is not an exhaustive list, but just some of the security measures that an app developer should consider when adopting policies and procedures to protect PHI on wearable tech.
App developers should require all of their business associates to sign a Business Associate Agreement. A business associate is a person or covered entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. This is true even if the app was not intended to be used in a manner that stores and transmits PHI. If an app collects and stores PHI intentionally or unintentionally, it must be HIPAA compliant. Stating that the app was not intended to collect or store PHI is not an adequate defense during a HIPAA audit.
Healthcare providers are increasingly incorporating wearable tech and mobile health apps into their telemedicine practice. They should not access unsecured or unknown Wi-Fi networks when using this tech if it contains PHI. Securing wearable tech that stores and transmits electronic PHI is required by the law.