Results for ""
Subscribe to Results for ""'s Posts

Remote Care Providers Await Final New Jersey Registration and Reporting Regulations

In 2017, the New Jersey legislature passed the New Jersey Telehealth and Telemedicine Act (codified at N.J.S.A. 45:1-61 et seq.), which established registration and reporting requirements for “telemedicine and telehealth organizations.” After a multi-year wait for details regarding the registration process, the New Jersey Department of Health (NJ DOH) published a proposed rule in April 2020 that brought providers of telehealth services in New Jersey one step closer to the implementation and enforcement of the registration requirements. A final rule is expected by April 2021.

New Jersey providers are also expecting the publication of a proposed rule detailing the reporting requirements for registered organizations. While the coronavirus (COVID-19) public health emergency has led many states to implement waivers and other measures to allow for the expansion of remote healthcare services within their states, telehealth and telemedicine organizations operating in New Jersey should prepare to comply with additional requirements and the outlay of annual registration fees if the state finalizes the registration requirements as proposed.

Background: The 2017 Telemedicine and Telehealth Act

For purposes of the Act, a “telemedicine or telehealth organization” is defined as a corporate entity “that is organized for the primary purpose of administering services in furtherance of telemedicine or telehealth.” The Act differentiates telemedicine from telehealth: “telehealth” is the use of information and communications technologies (including telephones, remote patient monitoring devices or other electronic means) to support clinical healthcare, provider consultation, patient and professional health-related education, public health, health administration and other services, whereas “telemedicine” is the delivery of healthcare services using electronic or technological means (not including the use, in isolation, of audio-only telephone, electronic mail, instant messaging, phone text or facsimile transmission) to “bridge the gap” between a healthcare provider located at a distant site and a patient located at an originating site.

In addition to establishing requirements for providers’ use of telemedicine and telehealth, the Act requires telemedicine or telehealth organizations to register with the NJ DOH annually, and to submit annual reports to the NJ DOH that include data elements established by the NJ DOH commissioner and, at a minimum, the following de-identified encounter data:

  • The total number of telemedicine and telehealth encounters conducted
  • The type of technology utilized to provide services using telemedicine or telehealth
  • The category of medical condition for which services were sought
  • The geographic region of the patient and the provider
  • The patient’s age and sex
  • Any prescriptions issued.

The Act did not establish any enforcement mechanism for the registration and reporting requirements, and because the NJ DOH has not yet implemented criteria for registering or reporting, New Jersey providers of remote health services have generally operated without regard to these statutory requirements.

Implementation of the Registration Requirement

The April 2020 proposed rule would implement the registration requirement for telemedicine or telehealth organizations and establish enforcement mechanisms available to the NJ DOH against any telemedicine or telehealth organization that fails to comply.

The proposed rule would require telemedicine and telehealth organizations to register with the NJ DOH [...]

Continue Reading




read more

CMS Takes a Preliminary Step to Make Certain COVID-19 Waivers Permanent

On August 4, 2020, the Centers for Medicare and Medicaid Services (CMS) released a proposed rule to update its payment policies under the Medicare Physician Fee Schedule (PFS) for calendar year 2021. The proposed rule was issued in tandem with a presidential executive order, which directed the Secretary of the US Department of Health and Human Services (HHS) to propose regulations expanding telehealth services covered by Medicare. CMS stated that the proposed rule “is one of several proposed rules that reflect a broader Administration-wide strategy to create a health care system that results in better accessibility, quality, affordability, empowerment, and innovation.”

In response to the coronavirus (COVID-19) public health emergency (PHE), CMS has issued several temporary waivers and flexibilities that expand telehealth reimbursement under Medicare, Medicaid and the Children’s Health Insurance Program for the duration of the COVID-19 PHE. CMS issued these waivers under authorities granted pursuant to HHS’s public health declaration, as well as legislation passed in response to the pandemic. Many of these waivers have substantially altered the Medicare telehealth reimbursement landscape and, as we detailed in our prior On the Subject, many can be made permanent via regulatory action. The proposed rule represents the first official word that CMS will take such action to make certain of its waivers permanent. These policy changes have the potential to greatly increase the availability of telehealth to Medicare beneficiaries around the country.

CMS will accept comments, either electronically or by mail, on the proposed rule until 5 pm EDT on October 5, 2020.

Changes to Medicare Telehealth Services

CMS proposed to add several services, listed below, to its list of services that may be delivered via telehealth. Many of these were previously added on an interim final rule basis for the duration of the PHE. The proposed rule would keep them on the Medicare telehealth services list even after the PHE ends.

CMS also proposed a new method for adding or deleting services from the Medicare telehealth services list. Currently, CMS evaluates new services for inclusion based on two categories: Category 1 is for services that are similar to professional consultations, office visits and office psychiatry visits that are already on the Medicare telehealth services list, while Category 2 is for services that are not similar to those already on the list, but that would still be appropriate to include because the service is accurately described by the corresponding code when delivered via telehealth and providing the service via a telecommunications system results in clinical benefit for the patient. Because of the COVID-19 PHE, CMS has proposed to add a Category 3, which would include services that would be temporarily on the Medicare telehealth services list. CMS proposed this third category because, while CMS currently has the authority to waive or modify Medicare telehealth payment requirements during the PHE, that authority will expire once the PHE [...]

Continue Reading




read more

TREATS Act Aims to Expand Use of Telehealth to Treat Substance Use Disorder

A bipartisan pair of US senators have proposed legislation that would allow certain controlled substances to be prescribed via an initial telehealth encounter and—under certain conditions—expand Medicare reimbursement of audio-only substance use disorder treatment services. The proposed TREATS Act has been referred to the Senate Committee on Health, Education, Labor, and Pensions, and could significantly reduce the regulatory burdens associated with the remote prescribing of controlled substances.

For more than a decade, healthcare providers in the United States have been largely prohibited from prescribing controlled substances via telehealth without having previously performed an in-person medical evaluation of the patient. Although Congress created the framework for a “special registration” pathway that has the potential to more broadly permit the practice, the Drug Enforcement Administration (DEA) has not issued regulations to implement it. This has been a significant roadblock for the treatment of substance use disorder, which is often treated with controlled substances. Recently, Senators Rob Portman (R-OH) and Sheldon Whitehouse (D-RI) proposed the Telehealth Response for E-prescribing Addiction Therapy Services Act (the TREATS Act), which would allow certain controlled substances to be prescribed via telehealth. The TREATS Act also proposes to expand Medicare reimbursement of audio-only substance use disorder treatment services, if certain conditions are met. The TREATS Act was introduced on June 30, 2020, and has been referred to the Committee on Health, Education, Labor, and Pensions.

Remote Prescribing of Schedules III and IV Controlled Substances

The remote prescribing of controlled substances has been stymied by the Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (the Ryan Haight Act), which typically requires providers to perform an in-person medical evaluation of the patient prior to prescribing controlled substances. The Ryan Haight Act does incorporate seven pathways by which practitioners can prescribe controlled substances via telemedicine without a prior in-person examination, but these exceptions are extremely narrow and it is difficult for most providers to meet their requirements. One of the pathways, however, called for a “special registration process” that had the potential to more broadly permit providers to prescribe controlled substances via telemedicine. Congress left the implementation of the special registration process up to the DEA—and the DEA never issued regulations to implement it. After ten years of silence, Congress again pushed the DEA to act, imposing a second deadline for the DEA to implement regulations regarding the special registration process by October 24, 2019, under the SUPPORT for Patients and Communities Act. While there were rumblings that the DEA was prepared to act in late 2019, it is still yet to issue a proposed rule regarding the special registration process.

As we explained in a prior On the Subject, the COVID-19 public health emergency ushered in a significant, albeit temporary, change to the Ryan Haight Act, permitting providers to prescribe controlled substances via telehealth without a prior in-person medical evaluation during the pendency of the public health emergency declared [...]

Continue Reading




read more

Schrems II Special Report: What Does the CJEU’s Decision Mean for Transfers From the EEA to the US?

For our Schrems II Practical Guidance special report, members of McDermott’s internationally recognized Global Privacy & Cybersecurity group have outlined practical guidance and next steps to ensure your business is prepared for what’s next following the final ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems.

As your organization navigates the post-Schrems II landscape following the CJEU’s recent decision, consider McDermott your first point of call. We have deep experience advising global clients on compliance with the complex array of privacy and cybersecurity obligations affecting data that crosses borders or relates to foreign employees and individuals.

Practical Guidance for Businesses (US Edition)

Practical Guidance for Businesses (Global – EEA/UK Edition)




read more

Preparing Your Data for a Post-COVID-19 World

The US healthcare system’s data infrastructure needs an overhaul to prepare for future health crises, streamline patient care, improve data sharing and accessibility among patients, providers and government entities, and move toward the delivery of coordinated care. With insights from leaders from Arcadia, Validic and McDermott, we recently discussed key analyses and updates on the interoperability and application programming interfaces (API) criteria from the 21st Century Cures Act, stakeholder benefits of healthcare data exchange and data submission facilitation for public health purposes. Click here to listen to the webinar recording, and read on for highlights from the program.

To learn more about the “Around the Corner” webinar series and attend an upcoming program, click here.

PROGRAM INSIGHTS

  • COVID-19 is reshaping healthcare through technology. Hospitals, clinicians and payors need to use digital health tools to address the challenges of the coronavirus (COVID-19) public health pandemic. How COVID-19 data and health information are captured, and then move through electronic systems, will form the foundation by which digital health tools can become effective in identifying cases, treating them and ensuring favorable outcomes.
  • API certification requirements under the 21st Century Cures Act are designed to enhance the accessibility of electronic health information. The 21st Century Cures Act’s purpose is to advance interoperability, address information blocking, support seamless exchange of electronic health information and promote patient access. Putting data from electronic health records (EHRs) into patients’ hands through consumer-facing apps will empower them to understand and take control of their health.
  • EHR vendors will be required to offer APIs that comply with the Fast Healthcare Interoperability Resource (FHIR) standard by May 1, 2022. The 21st Century Cures Act Final Rule will require EHR vendors to offer FHIR based APIs that make electronic health information more readily available to third-party applications (apps) of patients’ and providers’ choosing. API standardization will make it easier for third-party developers to build these apps, and for patients and providers wishing to use third-party apps to leverage their electronic health information for various purposes, including health information exchange and population health management.

 

  • Interoperability refers to the standards that make it possible for different EHR systems to exchange patient medical records and information between providers. Increased interoperability between EHR systems using harmonized standards allows for a more seamless transfer of patient data between providers. The interoperability requirements in the 21st Century Cures Act have the potential to advance patient access to their data and the use of information among physicians.
  • Both providers and patients can drive data exchange. One challenge impacting data exchange between patients and providers is that providers cannot always access or integrate data that patients have created with third-party tools (e.g., fitness trackers). However, there is emerging technology designed to aggregate and standardize consumer-generated health information, [...]

    Continue Reading



read more

NYDFS—First Enforcement Action under Cybersecurity Regulation

On July 21, 2020, the New York Department of Financial Services (NYDFS) announced that it had filed its first enforcement action under 23 NYCRR 500 (the “Cybersecurity Regulation”) against a large title insurance provider. Covered entities should closely monitor this enforcement action.

Access the article.




read more

Digital Delivery of Healthcare Services After COVID-19

The idea of keeping people healthy at home has become more relevant than ever during the COVID-19 public health emergency. The expansion of telemedicine during the pandemic is expected to serve as a catalyst that will permanently change the way providers deliver care and patients engage with their health. Joined by leaders from Cricket Health, Livongo and BehaVR, we discussed factors driving the shift towards expanding digital delivery of healthcare services and the challenges – technological, regulatory and cultural – that impact such expansion. Click here to listen to the webinar recording, and read on for highlights from the program.

To learn more about the “Around the Corner” webinar series and attend an upcoming program, click here.

Audience Perspective

This poll shows that 40% of digital health consider regulatory obstacles to be their biggest challenge.

Program Insights

  • A redoubled focus on preventative care will be key to bring about effective digital health delivery. The current US healthcare delivery system, built mainly on reimbursable, episodic care, is consistently indicted for being a “sick care” system, not a “healthcare” system. Patients, especially patients with chronic healthcare conditions such as diabetes, hypertension, behavioral health and acute kidney disease, need constant, real-time support and guidance, and need their providers to have access to accurate, actionable information to manage these conditions between real-time encounters. Digital health will play a vital role in this effort.
  • New care modalities open the door to structural changes, which will need to keep pace with the healthcare system. How emerging care modalities are integrated into and affect the healthcare system are still in development, and raise a variety of concerns, from staffing and technology needs to privacy safeguards. As the healthcare system adapts to these changes, the regulations that govern care delivery, licensing, and accreditation will need to adjust as well.
  • Positive regulatory changes have been implemented during the pendency of the national pandemic emergency, but those or similar regulatory changes must continue, and gain momentum and reach, for lasting changes to occur. The actions taken by regulators during the COVID-19 public health emergency show that the government can swiftly respond to new ideas and paths to care. However, these actions are temporary, and it will take time to implement lasting change. While there is an appetite to make some common-sense changes permanent, other areas, such as multi-state professional licensing, will likely take more time due to their complexity.
  • Reimbursement models based around episodic care are a major hurdle to the adoption of on-going remote monitoring and other digital health tools. Panelists agreed that when reimbursement structures are aligned with value-based care, such that providers are reimbursed for the outcomes and on-going care management they provide, digital health tools become a critical part of the provider’s toolbox. In [...]

    Continue Reading



read more

Key Issues We’re Tracking as CCPA Enforcement Nears

Although 2020 has already provided more than its share of surprises for businesses, one thing appears to remain unchanged: the California attorney general’s commitment to enforcing the California Consumer Privacy Act beginning July 1, 2020. As companies work to ensure compliance with this legislation, we explore several key issues.

No one will disagree that a lot has happened since the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Despite the Coronavirus (COVID-19) pandemic, the invasion of murder hornets and a number of other not-entirely pleasant surprises that 2020 has brought us thus far, it appears that the California attorney general is still committed to enforcing the CCPA starting on July 1, 2020. As your business prepares for CCPA enforcement, there are a number of issues to keep in mind:

1. The CCPA regulations still have not been finalized and are unlikely to take effect until October 2020.

The attorney general’s regulations, which aim to interpret and implement the important provisions of the CCPA, still have not been finalized. March 27, 2020, marked the end of the comment period for the current draft regulations (which was the second set of modifications released by the attorney general). We are now waiting to see whether the attorney general will issue yet another set of proposed modifications, or submit the current version to the California Office of Administrative Law (OAL) for approval. For the regulations to take effect July 1, the OAL would need to receive and approve the final regulations by May 31, which appears to be an unlikely scenario. Accordingly, the regulations likely will not take effect until October 1, and could potentially be delayed until 2021. As a result, companies should be prepared for CCPA enforcement to begin before the regulations take effect.

2. We’ve started to see the effects of the private right of action.

California consumers have begun to file lawsuits seeking to enforce their (purported) rights under the CCPA. The cases present a first opportunity for courts to examine the private right of action created by the law. One case, in particular, presents a potentially unanticipated theory of harm, and could prove fundamental in establishing the extent of liability for businesses subject to the CCPA. We describe these lawsuits in greater detail here. Because these lawsuits will begin to define the contours and scope of the CCPA, businesses subject to the CCPA should keep a close eye on their progress.

3. The Office of the Attorney General lacks enforcement resources.

As we wrote in a previous article, despite significant enforcement expenditures by the Office of the Attorney General (OAG), it is still an agency with limited resources. This is even more true now that more of the OAG’s resources are likely devoted to COVID response and related urgent priorities. Many expect that the OAG will only be able to pursue a limited number of CCPA enforcement actions, particularly if, as expected, it takes on large and well-funded companies. Media reports continue to indicate that the attorney [...]

Continue Reading




read more

Importance of CCPA Compliance Highlighted by First Round of Private Actions

The first wave of California Consumer Privacy Act litigation has begun to roll in, and the complaints are already raising interesting questions about the scope of CCPA’s private right of action. The actions assert a variety of claims under numerous theories and present a broad range of potential risks to businesses subject to CCPA. In light of the many questions that surround CCPA’s private right of action, the extent of possible liability from private litigation is still largely unknown and potentially significant.

The first wave of private lawsuits filed under the California Consumer Privacy Act (CCPA) has begun to roll in, and the complaints are already raising interesting questions about the scope of CCPA’s private right of action. The recent explosion in popularity of video conferencing and social media software in response to the COVID-19 pandemic—and the technical issues some of these products have experienced—has inspired its own wave of litigation, with several cases alleging violations of CCPA along with other laws. The flurry of litigation activity makes clear the importance of CCPA compliance, particularly in the current challenging business environment. Although it’s too early to tell how these lawsuits will play out, some themes are emerging.

Refresher on CCPA Private Right of Action

Businesses are now familiar with the long list of privacy obligations imposed by CCPA and enforceable by the California attorney general. Although CCPA contains a private right of action, that right is applicable only to CCPA’s sole data security provision. Cal. Civ. Code § 1798.150 authorizes consumers to institute a civil action against a business whose failure to implement and maintain reasonable security procedures resulted in the unauthorized access and exfiltration, theft or disclosure of the consumer’s nonencrypted and nonredacted personal information. The definition of “personal information” in the context of § 1798.150 is narrower than the expansive definition applicable to other CCPA provisions, applying only to an individual’s name together with an identifying data element, such as a Social Security number, driver’s license number or medical information. A plaintiff may seek injunctive or declaratory relief, actual damages or statutory damages in an amount not less than $100 and not greater than $750 per consumer, per incident. Before seeking statutory damages, however, the consumer must provide the business 30 days’ written notice to cure the alleged violation. The “notice and cure” provision is the subject of some controversy, because CCPA does not explain how a violation that resulted in a data breach can be “cured.” CCPA also explicitly prohibits consumers from using alleged violation of its provisions “to serve as the basis for a private right of action under any other law,” thus, in theory, prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes. That hasn’t stopped plaintiffs from trying, as described below.

Theme #1: Suits Brought as Class Actions

Most, if not all, of the lawsuits brought under CCPA thus far have been brought as [...]

Continue Reading




read more

New California Privacy Ballot Initiative Would Expand the CCPA

A proposed ballot initiative in California known as the California Privacy Rights Act, which is likely to pass if placed on the 2020 ballot, would both clarify and expand the existing California Consumer Privacy Act. Companies doing business in the state should closely monitor these developments and prepare for compliance, as we outline in this article.

A California ballot initiative known as the California Privacy Rights Act (CPRA) would clarify and expand the California Consumer Privacy Act (CCPA), granting significant new rights to consumers and imposing additional liability risks on companies doing business in the state. The CPRA is an update to the California Privacy Rights and Enforcement Act (CPREA) ballot initiative, which was proposed in late 2019 by the Californians for Consumer Privacy, which also sought to broadly amend and prevent changes to the CCPA that would undermine its consumer protections.

The proposed ballot initiative, submitted by the architects of the CCPA, garnered 900,000 signatures, far more than the roughly 625,000 necessary for certification on the 2020 ballot. Early polling reportedly shows strong support for the measure, so assuming the signatures are approved and the CPRA is placed on the ballot, it is considered likely to pass and to take effect on January 1, 2023.

The CPRA proposes a myriad of changes, and this article will not address them all. What follows is a discussion of the most significant changes for businesses and consumers in California, followed by enforcement and implementation considerations.

New Clarifications, Rights and Responsibilities

In a number of areas, the CPRA would modify the current CCPA in ways that are likely to be welcomed by companies grappling with the often ambiguous and unclear obligations under the current law:

  • “Personal information” would no longer include information that is manifestly made public by the individual or the media.
  • Businesses that receive deletion requests would be expressly permitted to maintain records of these requests for compliance purposes.
  • Consumers could no longer require a business to generate a list of “the categories of personal information it has collected about that consumer” in response to access requests.
  • “Service providers” and “contractors” (a new term that appears to replace the “third party” contract provisions) would not need to respond directly to consumer requests to access or delete information.

However, these changes are largely overshadowed by the initiative’s imposition of significant new rights for consumers and responsibilities for businesses subject to the CCPA. These include the following requirements:

  • Businesses would need to contend with a new opt-out right to “Limit the Use of My Sensitive Personal Information,” which would require enhanced scrutiny of business practices involving certain “sensitive” categories of information. These sensitive categories of information are reminiscent of (but broader than) the categories of information typically regulated by US data breach notification statutes or are considered “special categories” under the EU General Data Protection Regulation. For purposes of the CPRA, “sensitive” categories will include certain government identifiers (Social Security number, driver’s license, state identification card or passport number); a [...]

    Continue Reading



read more

STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law