CMS announced important changes to Medicare reimbursement for remote patient monitoring and telemedicine that can help accelerate adoption and use of these digital health tools. These changes are implemented through two rules released this week that will take effect January 1, 2018. Understanding these rules can help you incorporate these tools into clinical practice and can positively affect the business model for technology developers and innovators.

What are these new rules and do they affect me?

The 2018 Quality Payment Program Final Rule provides policy updates to the Quality Payment Program (QPP), which was established by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and will be entering its second year. MACRA offers two “tracks” for eligible clinicians to take as they move toward value-based care:

  • Participation in QPP and its scoring, or
  • Participation in an Advanced Alternative Payment Model (APM).

The majority of Medicare payments are still tied to fee-for-service, but HHS has set a goal of moving to 50 percent of Medicare payments for alternative payment models by 2018. For previous coverage of QPP proposals, visit our summary here.

The 2018 Physician Fee Schedule Final Rule addresses revised payment policies for the Medicare physician fee schedule. Any provisions in the PFS rule typically apply to fee-for-service type providers.

The FDA is focusing on safety and effectiveness of interconnected medical devices with the issuance of final guidance on medical device interoperability, released last week. As the FDA notes, medical devices are becoming increasingly connected to one another and to other technologies, and it is critical to address their ability to exchange and use information safely and effectively.

For device manufacturers, this guidance provides clarity on how the FDA is thinking about interoperability and patient safety in the premarket submission process and provides considerations for manufacturers in the development and design of interoperable medical devices. It demonstrates the FDA’s focus on the safety and effectiveness of devices as implemented in an interconnected environment and the FDA’s expectation that manufacturers design for anticipated uses and reasonably foreseeable misuses. Manufacturers should consider this guidance in the design, development, and ongoing monitoring of connected medical devices.

This guidance may be helpful for other audiences as well:

  • Care providers that frequently interact with medical devices in the course of patient care
  • Hospital IT teams who make device purchasing decisions
  • Vendors of health technologies that frequently exchange data with medical devices


The Department of Health and Human Services, Office of the Inspector General (OIG), modified its Work Plan to announce that the agency will be conducting a nationwide audit of hospitals that participated in the Medicare Electronic Health Records (EHR) Incentive Program (also known as the Meaningful Use Program).  The OIG review is focusing on hospitals that received Medicare EHR incentive payments between January 1, 2011 and December 31, 2016.

The OIG’s modification to its Work Plan follows last month’s report that CMS improperly paid an estimated $729 million in Medicare EHR incentives. In our prior client alert, we flagged these findings as a potential area for significant overpayment recovery actions and noted that such actions could pose risks for incentive payment recipients. Read our entire client alert on the OIG’s nationwide audit of hospitals that participated in the EHR Incentive Program here.

Congress is considering several adjustments to health IT policy which may have significant impact on the Centers for Medicare and Medicaid Services’ (“CMS”) electronic health records (“EHR”) incentives. On July 20th and 21st, Representatives met to discuss bipartisan legislation to improve the Meaningful Use program and introduced legislation that would authorize a CMS Innovation Center (“CMMI”) project to incentivize EHR adoption by behavioral health providers. The bills may be indicative of Congress’ attitude towards the Meaningful Use program, which has garnered criticism from providers for being burdensome.

On July 21, 2017, the House Committee on Energy and Commerce Subcommittee on Health held a hearing on H.R. 3120 and featured testimony from Cletis Earle, Chairman-Elect of the College of Healthcare Information Management Executives. The bill, sponsored by a group of bipartisan lawmakers, will allow CMS to modify the requirements of the Meaningful Use program in order to give the Secretary additional flexibility in implementing the program. Currently, providers and vendors must comply with the Stage 3 measures and objectives of the Meaningful Use program starting January 1, 2018 or be subject to Medicare reimbursement penalties. Earle argued that the implementation timeline for Stage 3 of the program is too rigorous for providers to meet and may lead to an increase in hardship exemption applications. Provider and vendor groups across the industry have suggested that the HHS Secretary Tom Price delay the Stage 3 obligations, noting that software implementation and cybersecurity issues have made the 2018 deadline unreasonable. Sponsors of H.R. 3120 note that the bill will reduce the burden on providers’ use of EHR systems, allowing providers to focus on care coordination and patient outcomes. In response, CMS noted that the proposed “Medicare Program; CY 2018 Updates to the Quality Payment Program,” which is open for comment through August 21, 2017, would give eligible providers an additional year to implement EHR technology that complies with the 2014 or 2015 edition of Certified Electronic Health Record Technology (“CEHRT”) and offers the opportunity to apply for hardship exemptions for the Advancing Care Information performance category of the Merit-based Incentive Payment System (“MIPS”). For more information, see our update on key proposals of the 2018 Proposed Rule here.

On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed an investigation that OCR undertook in response to a breach report that MCPN filed on January 27, 2012. While OCR found that MCPN took necessary corrective action in response to the reported breach, OCR determined that MCPN had never conducted a security risk analysis to assess the potential threats to its ePHI environment and concluded that MCPN did not have appropriate risk management policies in place at the time of the breach. OCR further found that the security risk analyses that MCPN ultimately did undertake following the breach were insufficient to satisfy the requirements of HIPAA’s Security Rule. Violations of the Security Rule have been a consistent focus of the OCR within the past year. The OCR’s willingness to go after a federally qualified health center, a safety net health care provider, in this settlement further underscores the importance of conducting robust security risk analyses to identify, assess, and address potential threats and vulnerabilities to a covered entity or business associate’s ePHI environments.

If you are a technology company developing products for the health market, you have probably heard about and maybe even been “warned” about HIPAA (the Health Insurance Portability and Accountability Act). If you are asking, “How can I avoid complying with HIPAA?” you might be asking the wrong question. Health care is almost 20 percent of the U.S. economy and craving the kind of innovation that technology companies can bring. Leaders in the health care space, like those at AcademyHealth, are pushing for changes to the health system to achieve better care, smarter spending, and healthier people. And they can’t do it without your help.

Compliance with HIPAA opens up new business opportunities, and, in an age of data breaches and privacy concerns, it can set you apart as a company that cares about protecting the information you have about your customers and the patients/clients of those you work with.

Recently, AcademyHealth facilitated a Health Data Innovator Privacy and Security Workshop supported by the California Health Care Foundation. As a featured speaker at the workshop, I’ve pulled out some of the key insights around when and how HIPAA might apply to those working in digital health.

Does HIPAA Apply to My Work?

Maybe.  HIPAA does not apply to all health data.  It depends on who collects or maintains the data and the relationships with HIPAA covered entities or business associates.

Generally, HIPAA applies to health data collected or maintained by those in the traditional health care space, including health plans and most health care providers (such as doctors, hospitals, pharmacies, and labs) and those doing business on behalf of these entities (such as a billing company or a cloud storage provider (CSP)).  However, if the same data is held by the consumer or by a product or company that has a relationship only with the consumer, then it is not covered by HIPAA, although other federal laws may apply. Typically, technology companies will be business associates working with clients that are covered health care providers or health plans.

The AMA recently adopted a set of principles on mHealth applications (mHealth apps) and other similar digital health tools, to guide coverage and payment policies and the AMA’s advocacy efforts. While many have touted the potential health benefits of mHealth apps and digital devices, the AMA also raises concerns about the potential health and safety risks that these apps can pose to patients along with privacy and security risks.

In developing a set of principles to support the use of mHealth apps and devices, the AMA has demonstrated a willingness to adapt to such innovation while restating some of its long held positions on the roles of physicians, licensure laws, and the need for evidence. Digital health tools, including mHealth apps, can challenge some of these positions. The principles are:

  • Support the establishment or continuation of a valid patient-physician relationship;
  • Have a clinical evidence base to support their use in order to ensure mHealth app safety and effectiveness;
  • Follow evidence-based practice guidelines, to the degree they are available, to ensure patient safety, quality of care and positive health outcomes;
  • Support care delivery that is patient-centered, promotes care coordination and facilitates team-based communication;
  • Support data portability and interoperability in order to promote care coordination through medical home and accountable care models;
  • Abide by state licensure laws and state medical practice laws and requirements in the state in which the patient receives services facilitated by the app;
  • Require that physicians and other health practitioners delivering services through the app be licensed in the state where the patient receives services, or be providing these services as otherwise authorized by that state’s medical board; and
  • Ensure that the delivery of any services via the app be consistent with state scope of practice laws.

It is clear that as physicians are increasingly incorporating digital health tools such as mHealth apps into their practice and advice to patients, the AMA needed to state its position on these digital health tools.  The AMA’s focus on the impact and the role of the physician is not surprising; however, it may limit the usefulness of some new tools and services.

There are two important issues that the AMA addresses: data protection and safety.  First, the AMA publication serves as an opportunity to advise physicians about new privacy and security concerns that may arise from mHealth apps.  The principles encourage physicians to alert patients of the potential privacy and security risks for any mHealth apps that they recommend and document the patient’s understanding of these risks.  The AMA also advises physicians to consult with legal counsel to ensure that mHealth apps and devices meet privacy and security laws.

Second, the AMA focuses on safety and effectiveness, a key issue that will grow in importance.  For example, with the passage of the 21st Century Cures Act, Congress limited FDA’s authority to regulate mHealth apps and related devices.  This could leave physicians with less clarity about the safety and effectiveness of these digital health tools.  An industry-based approach to review mHealth apps may be the only way to give some clarity in this uncertain market.

We will have to wait and see what impact this position has on future policy and industry action, but the publication serves as a reminder about the importance of these issues.

On September 26, 2016, the Office of the National Coordinator for Health Information Technology (ONC) released guidance, entitled EHR Contracts Untangled, to help providers navigate the complexities of electronic health record (EHR) vendor contracting. The guidance breaks down important considerations for selecting EHR systems, and provides strategic pointers – including sample contract language – to help facilitate the contracting process. While the guidance is largely an attempt to level the playing field for providers in the EHR arena, it also has broader applicability to contract negotiations for a variety of other digital health tools.

For the most critical “need-to-know” points from ONC’s new guidance, see our recent client alert.

The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.


On Thursday, September 8, 2016 from 1:00 PM to 2:00 PM ET Crowell & Moring’s Elliot Golding will be speaking as part of a 60-minute Bloomberg BNA Webinar on Healthy Data Management: Essential Strategies for Governing PHI, PII, and Highly Sensitive Data during an Acquisition or Divestiture.  The panel discussion will cover the information governance life cycle for health care, life sciences, and pharmaceutical companies, from identification of sensitive data to storing and protecting that data during mergers and divestitures.  The webinar is free and open to all.

Objectives:

  • Data management considerations for companies responsible for maintaining personally identifiable information (PII), protected health information (PHI), and confidential or sensitive data.
  • Unique issues that arise when highly sensitive data is involved during the merger and divestiture transaction process.
  • Strategies to develop effective policies and procedures for data life cycle management.