Jan Elezian (jan.elezian@sunhawkconsulting.com) is Director, SunHawk Consulting LLC, in Denver, Colorado. Kimulet Winzer (kimulet.winzer@sunhawkconsulting.com) is Director, SunHawk Consulting LLC, in Phoenix, Arizona.
The onset of the COVID-19 pandemic sent physicians and patients into a frenzy of needed direction, evaluation, and care. The risk of crowded emergency departments and waiting rooms with an inadequately understood, highly contagious virus provided an urgency for expanded telehealth services—and at a whirlwind pace. Virtual patient services, including telehealth, have been adopted with a speed and scale unprecedented in modern medicine. In the shadow of the prolific changes that have occurred, we want to take a closer look at the current telehealth arena. What should we keep? What’s working? What’s not working? Will past practices predict the future of telehealth? Will new technologies and innovations change the field? What is the compliance professionals’ role in expanding this seemingly popular method of healthcare delivery? Leaders in this space have shared that the genie will not go back in the bottle: The emergency protocols are being examined to determine what regulations and policies should be developed to move forward, and audits are close at hand to shape this mode of healthcare delivery.
Background
The “Medicare Telemedicine Health Care Provider Fact Sheet” of March 17, 2020,[1] through the use of the 1135 waiver authority and Coronavirus Preparedness and Response Supplemental Appropriations Act, provided a wider range of telehealth services to beneficiaries provided by their doctors without having to travel to a healthcare facility. An expanded use of technology was put in place to provide routine care and keep vulnerable patients with mild symptoms in their homes while providing access to the care they need. Prior to the waiver, Medicare could only pay for telehealth when the person receiving the service was in a designated rural area and traveled to a clinic, hospital, or certain other types of medical facilities to receive telehealth services from a distant healthcare facility. The waiver not only added home as a location of telehealth, but also added a range of providers to include doctors, nurse practitioners, clinical psychologists, and licensed clinical social workers as telehealth providers. In April of 2020, the Centers for Medicare & Medicaid Services announced that physical, occupational, and speech therapy practitioners could provide Medicare-covered telehealth services during the period of the federal coronavirus emergency declaration.[2]
Inherent risks of telehealth services
Despite the obvious advantages and necessity of remote care, telehealth has inherent risks. In its March 2020 news release,[3] the Office for Civil Rights announced its decision to exercise its enforcement discretion and not impose penalties for potential Health Insurance Portability and Accountability Act violations against healthcare providers that, in good faith, provide telehealth using non-public-facing audio or video communication products, such as FaceTime or Skype, during the declared nationwide public health emergency.
Once the public emergency ends, covered entities will no longer be protected by the Office for Civil Rights’ good faith provision. However, the timing of the end of the public health emergency does not fully equate with the resolution of the pandemic. Rather, the public health emergency ends when we are able to manage or operate in our respective arenas without the sense of urgency presented with the onset of the pandemic. We are seeing the end of the pandemic emerging as municipalities relax COVID-19 requirements and individuals return to work. As the emergency comes to an end, we will enter into our “new normal.” Now is the time to proactively review the actions taken thus far in order to ensure consistency with regulations and intended outcomes. It is also the time to be part of the conversations that will dictate how and when telehealth will be used in the future as well as how to account for reimbursement of these services in the future. If in fact there is less overhead, then it would seem logical that the reimbursement would be less; however, the skill expertise and risk involved for a practitioner arguably remains the same. Compliance professionals with an understanding of administrative, operational, and regulatory landscapes in their fields can help maneuver these uncertain paths.
Assessments should be done in all areas affected by the rapid rollout of telehealth services to ensure policies and procedures are reviewed to include the changes that were made and assess what additional risks present themselves that should be addressed. Consider what impact telehealth protocols have on your translation providers, or how accessibility standards are addressed. What additional training should be done within your organization to understand how interfaces between departments are affected by providing services through telehealth?
Privacy and security mismatches may be discovered by compliance professionals. One suggested review task is to revisit any new technology implemented for telehealth services. Providers should develop an inventory to assess whether any form of virtual public-facing platform communication that the U.S. Department of Health & Human Services expressly prohibited, such as Facebook Live, was chosen to accommodate patient demand during the pandemic.[4] And if so, the organization should assume that breach has occurred, and a breach risk assessment should be conducted. Other questions to ask include whether privacy and security policies have been developed to include telehealth visits. These policies should include consent management and limits on collections and include use and disclosure of health information to include only documentation minimally necessary to the specific transaction in question. Are security safeguards such as authentication and data encryption included in your telehealth platforms?[5]