On March 23, 2017, the New York Attorney General’s office announced that it had settled with the developers of three mobile health (mHealth) applications (apps) for, among other things, alleged misleading commercial claims. This settlement highlights for mHealth app developers the importance of systematically gathering sufficient evidence to support their commercial claims.
In an age where providers are increasingly taking the management of their patients’ health online and out of the doctor’s office, the creation of scalable and nimble patient engagement tools can serve to improve patient experience, health care outcomes and health care costs. While the level of enthusiasm for these tools is at an all-time high, there is a growing concern about the unexpected deterrent to the adoption of these tools from an unlikely source: the Telephone Consumer Protection Act of 1991 (TCPA).
Many professionals in the health industry have come to share two misconceptions about the TCPA: first, that the TCPA only applies to marketing phone calls or text message “spam,” and second, that the TCPA does not apply to communications from HIPAA covered entities to their patients/health plan members. These misconceptions can be costly mistakes for covered entities that have designed their patient engagement outreach programs without including a TCPA compliance strategy.
Compliance Challenges
As discussed in a previous post, the TCPA was originally intended to curb abusive telemarketing calls. When applying the law to smarter and increasingly innovative technologies (especially those that we see in the patient engagement world), the TCPA poses significant compliance challenges for the users of these tools that arguably threaten to curb meaningful progress on important public health and policy goals.
Despite its initial scope of addressing robocalls, the TCPA also applies to many automated communications between health care providers and their patients, and between plans and their members. There is a diverse array of technical consent requirements that apply depending on what type of phone call you make. For instance, most auto-dialed marketing calls to cell phones require prior express written consent, meaning that the caller must first obtain written consent before making the call. To make compliance more complicated, callers remain responsible for proving consent and the accuracy of the numbers dialed.
Indeed, the TCPA presents a serious challenge for patient engagement tools, especially when violations of the TCPA can yield statutory damages of up to $1,500 per call or text message. While Federal Communications Commission orders over the past several years have added some clarity and a “safe harbor” for HIPAA-covered entities to help entities achieve compliance, there is still no “free pass” from the TCPA’s requirements. Therefore, covered entities and the business associates who work for them should not assume that compliance with HIPAA offers any security or defense against a successful claim under the TCPA.
On December 7, 2016, the US Congress approved the 21st Century Cures Act (Cures legislation), which is intended to accelerate the “discovery, development and delivery” of medical therapies by encouraging public and private biomedical research investment, facilitating innovation review and approval processes, and continuing to invest and modernize the delivery of health care. The massive bill, however, also served as a vehicle for a variety of other health-related measures, including provisions relating to health information technology (HIT) and related digital health initiatives. President Barack Obama has expressed support for the Cures legislation and is expected to sign the bill this month.
The HIT provisions of the Cures legislation in general seek to:
Reduce administrative and regulatory burdens associated with providers’ use of electronic health records (EHRs)
Advance interoperability
Promote standards for HIT
Curb information blocking
Improve patient care and access to health information in EHRs
As public and private payers increasingly move from fee-for-service payments to value-based payment models, with a focus on maximizing health outcomes, population health improvement, and patient engagement, HIT—including EHRs and digital health tools—will be increasingly relied upon to collect clinical data, measure quality and cost effectiveness; assure continuity of care between patients and providers in different locations; and develop evidence-based clinical care guidelines.
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently posted guidance (OCR guidance) clarifying that a business associate such as an information technology vendor generally may not block or terminate access by a covered entity customer to protected health information (PHI) maintained by the vendor on behalf of the customer. Such “information blocking” could occur, for example, during a contract dispute in which a vendor terminates customer access or activates a “kill switch” that renders an information system containing PHI inaccessible to the customer. Many information vendors have historically taken such an approach to commercial disputes.
On July 28, 2016, the US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.
The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.
On July 29, 2016, the US Food and Drug Administration (FDA) finalized General Wellness: Policy for Low Risk Devices Guidance (Final Guidance) detailing its risk-based regulatory approach to relax certain regulatory requirements for low risk products that promote a healthy lifestyle—coined “general wellness products.” In the Final Guidance, the FDA makes minimal substantive changes to the policies articulated in its January 2015 draft guidance. Notably, however, the Final Guidance added and refined several examples to illustrate the products that are subject to FDA’s enforcement discretion and ultimately outside FDA’s intended scope of regulatory oversight.
On June 13, the American Medical Association (AMA) adopted a new ethical guidance policy governing the practice of telemedicine that will be published in the coming months. The policy is based on a report from the AMA Council on Ethical and Judicial Affairs and builds upon the AMA’s 2014 telemedicine guidance.
Consistent with past guidance from AMA and other professional organizations, the AMA notes that the ethical responsibilities of physicians are the same – regardless of whether the physician communicates with a patient in-person or remotely – and encourages providers to recognize the potential uses and limitations of technology when delivering care. “Telehealth and telemedicine are another stage in the ongoing evolution of new models for the delivery of care and patient-physician interactions,” said AMA Board Member Jack Resneck, MD. “The new AMA ethical guidance notes that while new technologies and new models of care will continue to emerge, physicians’ fundamental ethical responsibilities do not change.”
The 2016 policy recommends that once a patient-physician relationship is established, physicians who engage in telemedicine by responding to individual health queries electronically or providing clinical services through telemedicine:
Must disclose financial or other interests in certain telemedicine applications or services
Must protect patient privacy and confidentiality
Should inform patients of the limitations of the telemedicine encounter
Should encourage patients to inform their primary care doctor about the encounter
Should advise patients how to arrange follow-up care
Should, when necessary, recommend the use of a telepresenter or other health care professional at the originating site (i.e., the patient’s physical location)
Notably, the 2014 guidance required that a patient-physician relationship be established prior to the provision of telemedicine services. The relationship could be established during a face-to-face examination, through a consultation with another physician, or by meeting the evidence-based practice guidelines developed by major medical specialty societies. While the 2014 guidance did not specify whether the face-to-face examination must occur in-person, rather than digitally, many interpreted this requirement to be satisfied via an interactive telemedicine encounter.
In addition, the 2016 policy formally recognizes the importance of a “coordinated effort across the profession,” which includes clarifying standards and promoting access to technology. That said, the 2016 policy still requires the licensure of physicians in the state in which the patient is located. (As a general rule, physicians that practice telemedicine are subject to the licensure rules of both the state in which their patient is physically located and the state in which the provider is practicing.) One potential avenue for facilitating multi-state licensure is the Federation of State Medical Boards’ Interstate Medical Licensure Compact, which offers a streamlined licensure process in each Compact state. The Compact has been adopted by 17 states thus far and more are expected to join this year and in 2017.
In sum, the AMA’s new ethical guidance should help physicians to better understand how their fundamental ethical responsibilities may play out differently when patient interactions occur through technology, and how this technology can [...]
Last week, Louisiana legislators approved the removal of certain restrictions on the delivery of telemedicine services to residents of Louisiana to encourage the provision of telemedicine services in the state. H.B. No. 570 was signed by the President of the Senate on June 5, 2016 and sent to Governor John Bel Edwards on June 6, 2016.
Notably, the Bill modifies the telemedicine requirements under La. Stat. Ann. § 37:1271, and R.S. 40:1223.3(5) and 1223.4(A) as follows:
A physician practicing telemedicine in the state who does not maintain a physical practice location within the state of Louisiana (but who is licensed in the state and has access to the patient’s medical records) is no longer required to first conduct an in-person patient history or physical examination of the patient before engaging in a telemedicine encounter.
In sum, La. Stat. Ann. § 37:1271 now requires that telemedicine providers hold an unrestricted license to practice medicine in Louisiana; obtain access to the patient’s medical records upon consent of the patient; create a medical record on each patient and make it available to the Louisiana State Board of Medical Examiners upon request; and, if necessary, provide a referral to a physician or arrange follow-up care in the state, as indicated.
The definition of “synchronous interaction” found in R.S. 40:1223.3(5) is now broadened to allow providers to use audio (without video) for telemedicine encounters if the same standard of care as in-person encounters is maintained.
This means that patients will be able to use a phone for telemedicine purposes, which is especially useful for patients who may not have: access to video-based technology, the know-how to connect with a provider using video-based technology, or an appropriate data plan/wireless connection for the simultaneous transmission of video.
Each state agency and each professional or occupational licensing board or commission authorized to adopt rules and regulations specific to the practice of telemedicine pursuant to R.S. 1223.4(A) is now prohibited from adopting any rules or regulations that are more restrictive than the provisions of the present law.
Like Alaska’s recent modifications to its telemedicine requirements, the Louisiana Bill broadens the base of available health care providers through the removal of the in-state restriction, which helps to increase the supply of physicians and competition from lower-cost providers, reduces transportation costs and improves access to quality care. In addition, this Bill expands the types of technologies that may be used to deliver telemedicine services, which will better accommodate the significant portion of health care consumers who prefer phone consultations to access care.
After three government agencies collectively created an online tool to help developers navigate federal regulations impacting mobile health apps, McDermott partner Jennifer Geetter was interviewed by FierceMobileHealthcare on the need for mobile health development tools.
In March 2016, the US Federal Trade Commission (“FTC”) staff submitted public comments regarding the telehealth provisions of a proposed state bill in Alaska, demonstrating the FTC’s continued focus on health care competition and general discouragement of anticompetitive conduct in health care markets, with a renewed interest and focus on telehealth.