The Office of the Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) published the General Compliance Program Guidance (GCPG) on November 6, 2023. The GCPG provides updated descriptions of the seven elements of an effective compliance program that health care entities have long relied upon. The new guidance also includes recommendations to conduct annual internal risk assessments, to consider quality of care as a component of the compliance program, and to emphasize the importance of a board’s and executive leadership’s oversight of compliance.

Starting in 2024, OIG will publish industry segment-specific compliance program guidance (ICPGs) for different types of providers, suppliers, and other participants in health care industry subsectors. OIG emphasized that the purpose of the GCPG and ICPGs is to set forth voluntary compliance guidelines and tips and not to be one-size-fits-all or binding on organizations. We will discuss the implications of compliance with the GCPG in an upcoming alert.  

Health care entities should review this updated guidance and evaluate whether their organization should make changes to their compliance program consistent with the updates. While the guidance does not prescribe mandatory requirements, it helps organizations create effective health care compliance programs. Efforts to comply with this guidance are often viewed favorably by OIG should inadvertent noncompliance occur. Below we provide key summaries and notable takeaways from the GCPG.

Updating the Seven Elements of a Compliance Program

OIG’s discussion of the seven elements of an effective compliance program largely tracks prior guidance issued by OIG. However, this updated guidance provides new recommendations and addresses new healthcare business entrants, delivery arrangements, and technologies. OIG’s updated take on the seven elements is briefly summarized below.

(1) Written policies and procedures

Written policies and procedures should continue to include a code of conduct. Compliance policies should be developed under the direction and supervision of the compliance officer and compliance committee and should address the implementation and operation of an entity’s compliance program and processes. OIG’s key new recommendation in the GCPG is that the compliance committee should conduct annual risk assessments to identify and address risk areas, including through policies and procedures.

In the GCPG, OIG outlines the following common risk areas:  billing, coding, sales, marketing, quality of care, patient incentives, and arrangements with physicians, other health care providers, vendors, and other potential sources or recipients of referrals of health care business. OIG highlights that quality of care considerations should be included in a compliance program to mitigate patient harm and False Claims Act liability. OIG also specifically calls out the growing presence of private equity and other forms of private investment in health care and recommends that such investors scrutinize their operations and oversight to ensure compliance with fraud and abuse laws and the delivery of high-quality care for patients.

Policies and procedures should be updated regularly and easily accessible to relevant individuals.

(2) Compliance leadership and oversight

                        (a)  Compliance Officer

OIG reiterates that every entity should designate a compliance officer, who has the authority, stature, access, and resources necessary to lead an effective compliance program. The compliance officer should report directly to the CEO with access to the company’s board of directors and must have sufficient funding to properly run a compliance program. The compliance officer’s primary responsibilities are to advise the CEO, board, and other senior leaders on the compliance risks facing the entity. The compliance officer must have authority to review any pertinent documents, data and information, and must be able to interview anyone related to the organization with respect to any compliance investigation.

Importantly, OIG also outlines that the compliance officer should not: (i) lead, report to or advise the legal or financial departments; (ii) be responsible (directly or indirectly) for the delivery of health care items and services or billing, coding, or claim submission; or (iii) be involved in functions such as contracting, medical review, or administrative appeals.

Compliance leadership makeup may vary depending on the size of the entity.

                        (b) Compliance Committee

The compliance officer should be the chair of the compliance committee, which should include relevant leaders from both operational and supporting departments – for example, billing and coding, clinical and medical, finance, internal audit, IT, HIM, human resources, legal, quality, risk management, sales and marketing, and other operational managers. 

The main role of the compliance committee is to assist the compliance officer in implementing, operating, and monitoring the compliance program. This includes: (i) analyzing applicable legal and regulatory requirements; (ii) developing and updating policies and procedures; (iii) monitoring and recommending internal systems and controls; (iv) assessing training needs and effectiveness; (v) developing a disclosure program and promoting compliance reporting; (vi) assessing effectiveness of the disclosure program and other reporting mechanisms; (vii) conducting annual risk assessments; (viii) developing a compliance workplan; (ix) evaluating effectiveness of a compliance workplan and any action plans for risk remediation; and (x) evaluating the effectiveness of a compliance program. OIG underscores that compliance committee members sometimes mistakenly view their duties as overseeing the compliance officer and compliance program rather than supporting and working with the compliance officer on the compliance program.

OIG recommends that (i) the compliance committee meet once quarterly with an agenda circulated before each meeting; (ii) minutes of the compliance committee meetings are kept to record the Committee’s activities and accomplishments; (iii) individual committee members’ attendance and active participation are included in each member’s performance plan and compensation evaluation; and (iv) the compliance officer periodically report the committee’s performance to the board and examine how the entity implemented committee recommendations.

                                   (c)  Board Compliance Oversight

OIG underscores the importance of the board empowering the compliance officer, meeting with the compliance officer at least quarterly, understanding the entity’s compliance risks, overseeing and monitoring the compliance operation and its effectiveness, including with respect to the compliance officer and committee, and receiving an annual compliance report. OIG specifically references the United States Sentencing Commission’s Guidelines that require that an entity’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics effectiveness of the compliance and ethics program.” OIG also points out that corporate boards have a fiduciary duty of care to ensure that “information and reporting systems exist in the organization . . . to allow management and the board, each within its scope, to reach informed judgments concerning… the corporation’s compliance with the law….” In re Caremark, 698 A.2d 959, 970 (Del. Ch. 1996).

OIG provides the Practical Guidance for Health Care Boards on Compliance Oversight as a resource for specific suggestions for how boards can effectively exercise their oversight role.

(3) Providing Appropriate Training and Education

The compliance officer and compliance committee should develop (and review at least annually) (i) a training plan that includes the training topics discussed and the audience for each topic, and (ii) education and training materials that cover the entity’s compliance program, pertinent Federal and state standards and potential compliance risks, and board governance and oversight of a health care entity, including materials addressing concerns identified in audits and investigations. All board members, officers, employees, contractors and medical staff (if applicable) of the entity should receive training at least annually. An entity may waive training requirements for independent contractors that demonstrate a satisfactory compliance program but the compliance officer must ensure that those independent contractors are aware of how to report compliance concerns to the entity directly.

OIG recommends that an entity also develop targeted training for individuals based on their roles and responsibilities and risks specific to those roles and responsibilities, including board members and their compliance oversight responsibilities.

OIG states that there is no preference to whether the training materials are developed by the entity itself, purchased, or obtained through consultants; but emphasized that training must appropriately address the entity’s compliance program and compliance risks. The training must be accessible to all staff, including in several languages if needed due to culturally diverse staff. Finally, OIG recommends that participation in required training should be a condition of employment and a component of an annual performance evaluation.

(4) Maintaining Open and Effective Lines of Communication

OIG recommends that entities inform personnel about the ways they can report any concerns. First, personnel should be able to reach the compliance officer directly (e.g., via email, telephone, messaging) and the entities should explain how on commonly frequented physical and virtual spaces. Second, the compliance committee should develop several independent reporting paths for employees to report their concerns to the committee directly so that reports cannot be diverted by supervisors or other staff.

OIG continues to recommend that the entity have at least one reporting path that allows for anonymous reporting through a channel that is independent of the business and operational functions, such as a hotline, website, email address, or mailbox.

Policies and procedures should include confidentiality and nonretaliation policies. The entity should always strive to maintain the confidentiality of the reporting employee’s identity to the extent possible and always explain any limitations to the employee.

Finally, all disclosures of compliance concerns reported should be recorded in a log maintained by the compliance officer or their designee. The disclosure log should include: (i) the date the report was received; (ii) the individual or department responsible for review; (iii) a description of the investigation’s findings; (iv) any corrective actions taken; (v) any policy or process changes made as a result of the investigation; (vi) the date resolved; and (vii) any resulting referral or disclosure to Federal or state authorities. The compliance officer should regularly include information about concerns received and investigations conducted in communications with the compliance committee and in reports to the CEO and board.

(5) Establish and Enforce Appropriate Standards, Consequences, and Incentives

The organization should establish and publicize its procedures for identifying, investigating, and remediating noncompliance. OIG believes that corporate officers, managers, supervisors, health care professionals, and medical staff should be held accountable for failing to comply with the applicable standards, laws, policies and procedures, or for the foreseeable violations of subordinates where a responsible individual’s failure to detect a violation is attributable to their ignorance, negligence, or reckless conduct. Consequences should be consistently applied and enforced.

OIG also emphasizes the positive role that incentives can encourage participation in an entity’s compliance program. The compliance officer and committee should devote time, thought, and creativity to the compliance activities and contributions that the entity would like to incentivize.

(6) Compliance Risk Assessment, Auditing, and Monitoring

                        (a) Compliance Risk Assessment

OIG emphasizes the importance of at least annual compliance risk assessments. OIG defines compliance risk assessment for entities participating in or affected by government health care programs as a process for identifying, analyzing, and responding to risk stemming from violations of government health care program requirements and other actions (or failures to act) that may adversely affect the entity’s ability to comply with those requirements. A formal compliance risk assessment process pulls information about risks from a variety of external and internal sources, evaluates and prioritizes them, and then decides which risks to address and how. For example, OIG recommends that all entities use data analytics to highlight outliers or other data trends indicating potential noncompliance.

The compliance committee should be responsible for conducting and implementing the compliance risk assessment. Between compliance risk assessments, the compliance officer should continue to scan for unidentified or new risks, including based on changing or developing laws and regulations. New entrants to health care business must become familiar with the risks associated with their healthcare business operations while seasoned health care operators must ensure they keep up with risks presented by new and evolving lines of health care business.

                        (b) Auditing and Monitoring

The compliance work plan should include a schedule of audits to be conducted based on risks identified by the annual risk assessment and address routine monitoring of ongoing and known risks. Examples of routine monitoring to known risks include: (i) monthly screening of the LEIE and State Medicaid exclusion lists; (ii) regular screening of state licensure and certification databases; and (iii) annual review of the entity’s policies and procedures.

OIG advises that the compliance committee should ensure that the compliance officer has the capacity to conduct any necessary audits and monitoring, including the capacity to monitor the effectiveness of the monitoring. OIG states that the audits can be done by internal or external auditors, as necessary, and provides the Measuring Compliance Program Effectiveness resource.

Finally, the board should direct the entity to perform the compliance program effectiveness review and have reviewers report findings and recommendations directly to the board. Depending on circumstances, the board may consider outside experts for such a review.

(7) Responding to Detected Offenses and Developing Corrective Action Initiatives

OIG notes that no matter how effective an entity’s policies and procedures are, a compliance officer will inevitably receive a report or audit result that raises concerns. (And, in fact, expressly notes that if, over time, a compliance officer does not receive this type of information, the compliance officer should consider conducting a compliance program effectiveness review). The final element of an effective compliance program is ensuring the entity takes the proper steps to respond to concerns, including through investigation to identify the root cause of the conduct, government reporting of any identified misconduct as necessary, and implementing corrective actions to prevent recurrence in the future.           

                        (a) Investigation of Violations

Compliance officers should act promptly to notify appropriate leaders and coordinate with entity counsel as needed upon receipt of reports or reasonable indications of suspected noncompliance to determine whether a material violation of applicable law has occurred that requires corrective action and reporting. Most internal investigations require interviews and review of relevant documents, so the compliance officer or legal counsel should ensure documents and other evidence are not destroyed. OIG recommends that the compliance officer keep a contemporaneous record of the investigation, which should include: (i) documentation of the alleged violation; (ii) a description of the investigative process; (iii) copies of interview notes and key documents; (iv) a log of the witnesses interviewed and the documents reviewed; (v) the results of the investigation; and (vi) any disciplinary action taken or corrective action implemented.

                        (b) Reporting to the Government

If credible evidence of misconduct from any source is discovered and, after a reasonable inquiry, the compliance officer has reason to believe that the misconduct may violate criminal, civil, or administrative law, then the entity should promptly (not more than 60 days after the determination that credible evidence of a violation exists) self-report and notify the appropriate government authority of the misconduct. Prompt reporting demonstrates an entity’s good faith and willingness to work with the government to remedy the problem.

OIG also points out that the following types of violations may be so serious as to warrant immediate reporting to the government, before or simultaneous with an internal investigation: (i) clear violation of criminal law; (ii) has a significant adverse effect on patient safety or quality of care provided; and (iii) indicates evidence of systemic failure to comply with applicable laws, an existing corporate integrity agreement (CIA), or other standards of conduct, regardless of impact on federal health care programs.

                        (c)  Implementing Corrective Action Initiatives

Once an entity determines the nature of the misconduct, it should implement prompt corrective action, including (i) refunding overpayments; (ii) enforcing disciplinary policies and procedures; (iii) making any policy or procedure changes necessary to prevent recurrence of the misconduct; and (iv) determining whether misconduct exposed other systemic weaknesses.

Providing Compliance Program Adaptations for Small and Large Entities

OIG acknowledges how the needs, finances, and other resources of an entity vary significantly. The GCPG provides guidance and tips for how small entities can implement an effective compliance program that meets the seven elements even with limited resources. For large organizations, OIG emphasizes the need for significant compliance resources and expertise to develop and monitor a compliance program capable of addressing the breadth and complexity of compliance issues that a large organization faces.

Quality and Patient Safety

Although quality and patient safety considerations are typically treated as distinct from compliance, the GCPG integrates quality and patient safety oversight into existing compliance processes. OIG explains that implementing quality and safety considerations into a compliance program can help to prevent excessive or medically unnecessary services that can lead to overpayments. The GCPG recommends an entity’s compliance committee receive regular reports from senior leadership on quality, patient safety, and adequacy of patient care.

New Entrants in the Health Care Industry

OIG warns that many business practices that are common in other sectors create compliance risk in health care. This is particularly relevant given the increasing number of new entrants in the health care industry, including technology companies, new investors, and organizations providing non-traditional services. The GCPG is equally applicable to new entrants in establishing and operating effective compliance programs for healthcare lines of business.

Resources

Finally, the GCPG references various compliance and legal resources for the health care community to consult for additional assistance, including advisory opinions, compliance toolkits, trainings, and FAQs. Throughout the GCPG manual, OIG provides hyperlinks, practical tips, and helpful examples in easy to digest formats.

On November 2, Crowell hosted an in-person roundtable discussion, featuring government officials, industry experts and other stakeholders, to discuss the development of artificial intelligence (AI) and machine learning (ML) systems and tools in the healthcare sector as well as the government’s role in regulating such technology. Policy makers, thought leaders, healthcare innovators, and business executives came together for a lively and engaging conversation. 

Continue Reading Crowell Presents “AI and Health Care: Perspectives from Policymakers and Movers in the Industry” 

Last week, the Office for Civil Rights (“OCR”) announced a settlement with Lafourche Medical Group (“LMG”), a Louisiana medical group, for a 2021 phishing attack and breach that affected the protected health information (“PHI”) of 34,862 individuals. In addition to paying $480,000 to OCR, LMG agreed to a corrective action plan that will include implementing security measures to protect electronic PHI, developing written policies and procedures to comply with HIPAA rules, and training staff members.

Continue Reading OCR Takes Enforcement Action for Phishing Attack

On August 18, 2023, the World Bank issued a publication entitled, “Digital-in-Health: Unlocking the Value for Everyone (“World Bank Report”),” which recommends to governments a new digital-in-health approach where digital technology and data are infused into every aspect of health systems management and health service delivery to improve individuals’ health outcomes. The stated goal of the World Bank Report is to provide governments and other stakeholders with practical guidance on how to build digital health infrastructure, regardless of a country’s digital maturity or fiscal challenges.

Continue Reading World Bank Issues Digital Health Recommendations in Report

On November 8, 2023, the Senate Health, Education, Labor and Pensions (HELP) Committee Subcommittee on Primary Health and Retirement Security discussed the impact of artificial intelligence (AI) on the healthcare sector in the Committee’s second AI hearing in nine days. The hearing comes as the White House and Congressional leaders seek to quickly respond to AI threats, mitigate its dangers, and harness its potential for American industry. Senators discussed the recent Executive Order issued by the White House to guide AI regulation and innovation across all sectors, including in the health and human services sectors.

Continue Reading Avoiding a Cautionary Tale: Policy Considerations for Artificial Intelligence in Health Care

On October 11, the National Institutes of Health (“NIH”) issued a request for information (“RFI”), which proposes sample language regarding the use of digital health technologies in research for inclusion in informed consent documents and requests public feedback on the utility and usability of the proposed language. Comments on the RFI are due by December 12, 2023.

Continue Reading NIH Requests Information on Developing Consent Language for Research Using Digital Health Technologies

On October 17, 2023, CMS held their quarterly National Stakeholder Call to provide updates on recent accomplishments and how their initiatives advance CMS’ Strategic Plan. Administrator Chiquita Brooks-LaSure, kicked off the call by announcing the start of Medicare open-enrollment and how the entire agency is focused on educating beneficiaries on all 2024 benefits and encouraging people to renew their vaccinations which are available at no additional cost. Brooks-LaSure also revealed how for the first-time, high-cost prescription drugs will have a “catastrophic limit” in 2024. Dr. Meena Seshamani, the Director for the Center for Medicare explained that in 2024, Part D enrollees who reach what CMS calls “catastrophic fees” (the maximum threshold for paying out of pocket) will no longer have to pay a co-pay or out of pocket costs at the pharmacy. Dr. Seshamani also shared that beneficiaries taking insulin will not have to pay more than $35 for each supply of insulin products covered under part D and that people will not have to pay nothing out of pocket for recommended vaccines like shingles. CMS also spoke about the drugs selected for the Medicare Drug Price Negotiation program. CMS will have a patient-focused listening session on 11/15 for each selected drug to provide an opportunity for patients, beneficiaries, caregivers, and patient organizations can share relevant input for these selected drugs. Lastly, Dr. Seshamani shared that ACOs participating in the Medicare Shared Savings Program (MSSP) saved Medicare $1.8 billion in 2022. This is the 6th consecutive year that the program has generated overall savings, and the 2nd highest annual savings accrued for Medicare since the program’s inception.

Continue Reading Current CMS Policy Priorities and Initiatives in Quarter 4

The Centers for Medicare & Medicaid Services (CMS) published new changes to the ACO REACH model to increase predictability for participating ACOs, protect against inappropriate risk score growth, and to advance health equity starting in performance year 2024 (PY2024). The ACO REACH model was created to deliver high-quality and coordinated care to patients while improving costs and health outcomes. Patients in a REACH ACO get help to manage chronic conditions, to receive more preventative health services, to receive care in more convenient ways like telehealth, and to better navigate the health system. When ACOs in the program achieve these goals of providing higher-quality care at a lower cost, they may be eligible to share in those savings. There are currently 132 ACOs participating in this model.

Continue Reading CMS releases updates to the ACO REACH model to advance health equity and increase participation

On October 30, President Joe Biden signed an Executive Order (“EO”) 14110 entitled the, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” which establishes a policy framework to manage the risks of artificial intelligence (“AI”); to direct agency action to regulate the use of health AI systems and tools; and to guide AI innovation across all sectors, including in the health and human services sectors.

The EO outlines eight guiding principles and priorities to advance and govern the use of AI: (i) ensure safe and secure AI technology; (ii) promote responsible innovation, competition, and collaboration; (iii) support American workers; (iv) advance equity and civil rights; (v) protect American consumers, patients, passengers, and students; (vi) protect privacy and civil liberties; (vii) manage the federal government’s use of AI; and (viii) strengthen U.S. leadership abroad, safeguarding ways to develop and deploy AI technology responsibly.

The EO encourages independent federal agencies to leverage their current authorities and impose current applicable requirements to protect Americans from fraud, discrimination, threats to privacy, and other risks arising from AI in the health and human services, education, transportation and communication sectors. The EO contains a number of provisions aimed at the Secretary of the Department of Health and Human Services (“HHS”) to develop policies on the use of AI in health care. These policies will build on existing HHS efforts by the U.S. Food and Drug Administration (“FDA”) and Office of the National Coordinator for Health Information Technology (“ONC”) related to the use of AI in the health and human sector, but will provide a more comprehensive approach beyond their current jurisdictions. For example, we will likely see guidance regarding nondiscrimination and privacy of health data related to AI and patient safety reporting.

In addition, the Biden Administration stated it will work with Congress as it continues to develop legislation on AI. The Administration also highlighted the importance of protecting individuals’ privacy when deploying AI tools and technologies and calls on Congress to pass comprehensive data privacy legislation.

This summary focuses on the EO’s health and human sector provisions, but the EO covers policies to govern AI generally and includes provisions that have multi-sector impact, including health care. (Crowell’s client alert provides a summary of all of the EO’s provisions.) Specifically, the EO directs the Secretary of HHS as follows:

  • Establish an HHS AI Task Force and develop a Strategic Plan on responsible deployment of AI by January 27, 2025 in the health and human services sector, including in the following areas:
    • development, maintenance, and use of predictive and generative AI-enabled technologies in health care delivery;
    • long-term safety and real-world performance monitoring of AI-enabled technologies;
    • incorporation of equity principles in AI-enabled technologies used in the health and human services sector, including protecting against bias;
    • incorporation of safety, privacy, and security standards into the software-development lifecycle for protection of personally identifiable information;
    • development and availability of documentation to help users determine appropriate and safe uses of AI in local settings;
    • work with state, local, tribal, and territorial health and human services agencies to advance positive use cases and best practices for use of AI in local settings; and
    • identifying uses of AI to promote workplace efficiency and satisfaction.
  • Develop a quality strategy by April 27, 2024 to determine whether AI-enabled technologies in the health and human services sector maintain appropriate levels of quality, including in the areas described above. This work would include the development of AI assurance policy and infrastructure needs for enabling premarket assessment and post-market oversight of AI-enabled health care technology algorithmic system performance against real-world data.
  • Advance nondiscrimination compliance by April 27, 2024 by considering appropriate actions to advance the prompt understanding of and compliance with federal nondiscrimination laws by health and human service providers that receive federal financial assistance, as well as how those laws relate to AI. These include convening and providing technical assistance about the obligations and the potential consequences of noncompliance with federal nondiscrimination and privacy laws as they relate to AI; and issuing guidance, or taking other action as appropriate, in response to any complaints or other reports of noncompliance.
  • Establish an AI Safety Program by October 29, 2024 that, in partnership with voluntary federally listed patient safety organizations (“PSOs”) establishes a common framework for approaches to identifying and capturing clinical errors resulting from AI deployed in health care settings as well as specifications for a central tracking repository for associated incidents that cause harm to patients, caregivers, or other parties; analyzes captured data and generated evidence to develop informal guidelines aimed at avoiding these harms; and disseminates those informal guidance to appropriate stakeholders.
  • Develop a Strategy for regulating use of AI in drug development by October 29, 2024 that would, at a minimum: (i) define the objectives, goals, and high-level principles required for appropriate regulation throughout each phase of drug development; (ii) identify areas where future rulemaking, guidance, or additional legislative authority may be necessary to implement such a regulatory system; (iv) identify the existing budget, resources, personnel, and potential for new public/private partnerships necessary for such a regulatory system; and (v) consider risks identified by the actions undertaken to implement section 4 of this order.

The EO also included a number of other provisions that would apply to the health and human sector, including for the National Institutes of Health (“NIH”) to prioritize grantmaking and cooperative agreement awards to promote innovation and competition.

To implement its policies, the EO creates the White House Artificial Intelligence Council, which will coordinate the activities of agencies across the federal government to ensure the effective formulation, development, communication, industry engagement related to, and timely implementation of AI-related policies (including policies set forth in the EO). Following the release of the EO, the Office of Management and Budget (“OMB”) released companion guidance to establish AI governance structures in federal agencies, advance responsible AI innovation, increase transparency, protect federal workers, and manage risks from government uses of AI.

Takeaways

The wide-ranging, long-awaited EO establishes a comprehensive vision for the responsible use and governance of AI. By establishing principles and including health care-specific directives, the Biden Administration has created an overarching framework that will have a significant impact on health care stakeholders’ development and deployment of AI systems and technologies. In addition, the EO offers a number of opportunities for government engagement and grant funding. As outlined, the various health and human sector provisions will be operationalized within the next several months. Stakeholders should expect to see agency-level developments and continue to track updates from the White House and various agencies (i.e., FDA, ONC, CMS, OCR).

Crowell will continue to provide analysis as federal agencies work to implement the policies described in the EO. For more information about the EO, please contact the professionals listed below, or your regular Crowell contact.

Last week, the Office for Civil Rights (“OCR”) issued two pieces of guidance on the privacy and security of protected health information (“PHI”) when using telehealth services. One of the documents is intended to help health care providers explain to patients, in plain language, the privacy and security risks of using remote communication technologies for telehealth (the “Provider Telehealth Guidance”). The other provides tips to patients on how to safeguard their PHI when using video apps and other technologies for telehealth (the “Patient Telehealth Guidance”).

Continue Reading OCR Issues Guidance to Providers and Patients on Telehealth Privacy and Security