Growth in Telemedicine Could Mean Trouble if You Are Not Careful

We can all agree that 2020 was a year filled with surprises. The emergence of COVID-19 brought restrictions, which made the business of healthcare even more challenging. But then came the saving grace: telemedicine!

Even though telemedicine has been around in some form since the 1900s, its popularity exploded during the midst of the pandemic. With millions of people stuck indoors due to government lockdowns, health care providers turned to telemedicine options to provide desperately needed health care.

According to Doximity, a social media networking service for medical professionals, only 14 percent of Americans utilized telemedicine before the pandemic. But since the outbreak, telemedicine usage skyrocketed by 57 percent. Among patients suffering from chronic conditions, the number of virtual care visits increased by a staggering 77 percent!

The increase in telemedicine accessibility also means healthcare providers can potentially face compliance issue pitfalls, which could land them in trouble with the United States government. Before COVID-19 became a household name, Medicare and Medicaid upheld strict rules regarding payment for telemedicine services. For instance, reimbursement for telemedicine services was limited to patients residing in areas of the country with limited healthcare.In an attempt to slow the spread of COVID-19, government payors loosened these restrictions.

Unfortunately, telehealth services’ widespread use brought an uptick in COVID-19 related scams that specifically target healthcare providers offering this service. Such illegal activity caught the attention of the Department of Justice (D.O.J.).

A primary focus of the D.O.J. is a government agency that mostly focuses on telehealth arrangements that implicate the Anti-Kickback Statute.  The statute forbids transactions designed to corrupt medical judgment by rewarding referrals for Medicaid and Medicare services. In the past year, more than $4.5 billion in false claims were connected to telemedicine. And over 100 healthcare professionals were charged with submitting fraudulent claims to Medicare, Medicaid, and private insurance companies.

New changes to the Stark and Anti-Kickback Statutes that were long in the works took effect on January 19, 2021. The regulation updates are designed to eliminate regulatory and administrative barriers that hindered movement towards a value-based health care system. The updated rules also offer healthcare providers more flexibility to coordinate and improve patient care while maintaining safeguards against overutilization and inappropriate incentives.

The Stark Exceptions finalized three new exceptions for value-based arrangements between healthcare providers and payor systems like Medicaid and Medicare. These exemptions are solely based on the quality of delivered patient care instead of the volume of services.  For example, healthcare providers face at least a 10 percent financial risk for failure to achieve value-based goals. In comparison, the Anti-Kickback Statute requires at least a 5 percent financial risk for value-based arrangements.

Physicians’ practices should express caution when offering telemedicine services to steer clear of trouble with the government. As with traditional in-person healthcare, it’s best to avoid doing business with third-party companies that give money in exchange for referrals.

Here are a few guidelines physicians should consider avoiding getting on the D.O.J.’s naughty list.

  1. Consult with counsel before entering into any outside business relationships.
  2. Establish guidelines for physical examinations and prescribing practices.
  3. Monitor the prescribing habits of their physicians and nurse practitioners.
  4. Adopt data analytic tools to identify any abnormal billing behavior.

Physicians considering telemedicine should also consider the following tips to stay compliant.

Practicing Telemedicine Across State Lines.

Usually, state governments require practicing physicians to conduct telemedicine sessions within the state they are licensed. But in some states, this stipulation is relaxed due to COVID-19 to make healthcare more accessible. But physicians must contact their state’s medical board for updated information concerning this topic.

Informed Consent.

Healthcare providers are still expected to obtain consent before providing telehealth services. Besides requesting written or verbal consent from patients, providers should make patients aware of the risks and benefits of receiving telehealth services.

Use Caution When Prescribing Medication.

Because of COVID-19, the Drug Enforcement Administration (D.E.A.) allows registered practitioners to use prescribed medication to patients via telemedcicine technology. Physicians must adhere to the following conditions:

  • Prescribed medication(s) must be for a legitimate medical purpose.
  • The telehealth session is conducted using a two-way, audio-visual, interactive communication system.
  • The practitioners must practice healthcare within Federal and State law.

Only time will tell whether or not telemedicine will continue to grow in the upcoming months. But doctors should continue to use caution when using this technology to serve the public.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Collaboration Between Compliance and Risk: What is Permissible?

Compliance departments, generally speaking, guide staff and boards of directors to comply with the requirements, laws and regulations that govern the organization’s business. They also monitor for compliance via internal audits.  Risk departments, on the other hand, address ways to mitigate risk to an organization through such activities as the evaluation and purchase of insurance policies.  Given the broad nature of the scope of these two departments within the organization, when is compliance and risk collaboration permissible?

Possible collaborations

  1. Strategic planning: Collaboration here should include not only compliance and risk but the entire organization and the board of directors, if applicable.
  2. Disaster response and business continuity: As with strategic planning, disaster response and business continuity planning should also involve input and collaboration from all departments in the organization.
  3. General security and privacy : Here the compliance/privacy officer, information technology/security officer, and risk management director should all be included in the planning.
  4. Known security threat and/or breach incident: Compliance, information technology (IT), and risk management would all participate in mitigating a security threat or breach incident on the organization. Each would provide input and guidance on their respective areas of knowledge.
  5. Risk assessments, gap analysis and mitigation plans: Again, the development of these plans should include leaders from the entire organization; moreover, compliance and risk would specifically collaborate on the assessment, analysis and mitigation activities.
  6. General policy development: Compliance and risk staff can collaborate and provide feedback and input for all organization policies.
  7. Record and document retention schedule: Here compliance and risk can collaborate with legal counsel to ensure record and document retention policies comply with state and federal laws.
  8. Staff education: This is an area where compliance and risk can collaborate to provide training, whether it is done in person, virtually, by email or via online course.

Collaborations to vet and evaluate permissibility

  1. Security breach: As noted above, compliance, IT, and risk will work together once a security breach has been identified. It is important to ensure compliance addresses HIPAA related information and potential reporting requirements; IT evaluates the technical aspects of the breach; and risk focuses on reporting to the insurance carrier and mitigation strategies in conjunction with compliance and IT. These collaborative activities will usually take place under a breach coach or law firm to protect the confidential nature of the breach.
  2. Shared work areas: Depending on the confidential nature of discussions, say a lawsuit against the organization, it may or may not be appropriate for compliance staff to be privy to such information. So shared work areas should be closely evaluated.
  3. Shared staff: As with shared work areas, if a staff member such as a registered nurse (RN) is shared between the compliance and risk department, both leaders and the RN must remain in the scope of the job role in which they are working at the time.
  4. Reporting to the board: Typically, compliance reports to the organization’s leader (such as a CEO) but also has direct or dotted line reporting to the board of directors. Make sure any collaborations with other departments do not create potential conflicts of interest with reporting up this chain of command.
  5. Committee membership: As with the analysis discussed above, make sure to vet compliance staff member membership on the risk committee and vice versa to avoid any actual or potential conflicts of interest.

Goal

All organizations should work to develop a culture where permissible collaborations between compliance and risk occur. They should also make certain that staff feel comfortable calling the compliance or risk department with potential concerns while ensuring the staff not crossing any lines when it comes to compliance or risk department confidential matters or conflicts of interest.

PRACTICE TIP:

  1. Evaluate opportunities for the compliance department to collaborate with the risk management team, as noted above.
  2. Access youCompli to find resources which address required document and record retention requirements.

Denise Atwood, RN, JD, CPHRM

District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Emergency Preparedness Revisited

Emergency preparedness has always been one of the top concerns of hospital administrators and medical staff, but never has it been more critical. As the the coronavirus pandemic continues to impact the United States, and facilities are struggling to maintain levels of personal protective equipment (PPE) and ventilators, administrators and compliance professionals should also review the updated federal emergency preparedness requirements, published by the Centers for Medicare and Medicaid Services (CMS) in the Federal Register on September 30, 2019.

We previously blogged about these requirements in 2017, but the requirements have changed in the past few years. Here are the four core elements of a hospital’s emergency preparedness plan to handle natural and man-made disasters — and a look at how they are impacted by last year’s final rule revision by CMS:

Risk Assessment and Planning

Commonly referred to as the emergency plan, CMS requires such a strategy to be developed and then updated at least once a year. It is based on certain risk assessments and uses an “all-hazards” approach that focuses on hospital capacities and capabilities, care-related emergencies, equipment and power failures, communication interruptions (including cyberattacks), and interruptions to water, food, and medication supply chains.

A major change to this element involves hospital climate control and power. Facilities are no longer required to heat and cool the building evenly. However, safe temperatures are to be maintained in areas deemed necessary to protect patients, other people in the facility, and provisions stored in the facility during the course of an emergency, as determined by a risk assessment. If a hospital is unable to maintain safe temperatures, it should follow an established plan for a timely relocation/evacuation that avoids patient exposure to harmful conditions. Additionally, hospitals are required to have an essential electric system with a generator that complies with the NFPA 99 – Health Care Facilities Code.

Like before, the plan must include strategies for addressing emergency events and include a process to work in conjunction with local, tribal, regional, state, and federal emergency preparedness officials. But the key change to the all-hazards approach — and this is crucial in light of recent events — is that all participating hospitals must be prepared for emerging infectious disease (EID) threats, such as the coronavirus. EIDs may require modification to standard facility protocols to protect the health and safety of patients and personnel, such as isolation and PPE usage.

Communication Plan

This element received additional fine-tuning. Participating hospitals still must develop a communication plan that complies with local, state, and federal laws and the plan must be reviewed and updated annually. It should now also include the names and contact information of key hospital personnel for local, tribal, regional, state, and federal emergency preparedness officials. And, it should detail how patient care is coordinated within the facility, across healthcare providers, and with local and state public health departments and emergency management systems.

Policies and Procedures

Hospital policies and procedures still must be based on the emergency plan, risk assessment, and the communication plan, and must be reviewed and updated at least once a year. They should address a broad range of topics and situations, including subsistence needs (water, food, medical supplies) of patients and staff, emergency staffing strategies, tracking the location of on-duty staff and patients during emergencies, sheltering-in-place plans, and patient relocation/evacuation plans.

Training and Testing Program

This revised element the result of an additive process. Program development is based on the emergency plan, the risk assessment, the communication plan, and the policies and procedures. As before, the final rule states the program must detail who needs to be trained, describe the frequency of training, how knowledge is assessed, and document how the training was conducted.

During the course of normal events, hospitals are required to annually conduct a mock disaster drill that is either a full-scale, community-based or individual facility-based exercise. In addition, hospitals must also hold a discussion-based tabletop exercise with its senior staff to discuss hypothetical emergency scenarios and reassess policies and procedures. But recent years have not been normal.

Along with the coronavirus outbreak, many parts of the country have suffered from an increase in natural disasters or mass shootings. The final rule revision acknowledges this wide spectrum of emergencies. If there is an event that activates a hospital’s emergency plan, that facility is exempt from holding its annual mock disaster drill for one year following the incident, provided it has written documentation. If a hospital activates its emergency plan twice in one year, it is exempt from both the mock disaster drill and tabletop exercise for one year following the actual events. Again, written documentation of these events and procedures is required.

Maintain Compliance with CMS

Being compliant with the September 30, 2019 final rule is a requirement for your facility’s Condition of Participation (CoP) / Condition for Certification (CfC) with CMS. Failure to comply, even during a pandemic, could thus have significant impact on your organization. The youCompli compliance management software is a powerful tool to help mitigate risk and enable your hospital to effectively implement these, and many other, regulatory requirements. The software is easy to use and quick to deploy, and can be a powerful means to drive efficiencies through your compliance department.

See YouCompli in Action

Easier, faster, more effective compliance is possible

COVID-19 Testing: New Federal Clarifications for Employers

You’ve probably heard of recent federal legislation affecting insurance coverage for COVID-19 testing and related services, such as the Families First Coronavirus Response (Families First) Act and the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

The federal government has taken steps to require certain kinds of insurance plans to provide coverage for testing (and related services) without cost-sharing, prior authorizations, or other medical management requirements.

New Guidance Issued

On June 23, three federal departments — the Department of Health and Human Services (HHS), the Department of the Treasury, and the Department of Labor — issued a second round of guidance on implementing these provisions.

The Centers for Medicare & Medicaid Services (CMS) has published an FAQ specifically related to the Families First Act which contains some useful information related to this guidance. (Click here to read the full document.)

CMS has confirmed that the Families First Act does not require employers and insurers to pay for COVID-19 testing that is not used for diagnostic purposes. This includes back to work purposes or general screening. And there are no exceptions for the uninsured or those receiving Medicaid coverage.

In the case of diagnostic testing, the law allows for quite a broad range of coverage. Tests must be approved by HHS (which includes tests approved by the Food and Drug Administration (FDA) on an emergency or temporary basis). But as long as one of these approved tests is ordered by an attending health care provider, “where medically appropriate for the individual,” then insurers must pay for it. And that’s even if there are multiple tests ordered.

COVID-19 Tests Not Covered

However, for tests that are not for diagnostic purposes, things get more complicated. If employers require their employees to have clean COVID-19 tests before returning to work, there are basically two options, neither of which insurance is required to help with under this legislation:

  1. Pick up the tab for testing themselves, or
  2. Ask employees to either cover it (which can be very expensive) or line up at one of the free public testing sites.

Implications for Compliance

As with most of the regulatory changes related to the pandemic, the devil is in the details here. Staying up to date on the latest guidance and clarification is the only way to be sure that you are providing the correct information to the rest of your organization.

See YouCompli in Action

Easier, faster, more effective compliance is possible

AHA and CMS to Keep Regulatory Flexibilities in Place

COVID-19 continues to create obstacles and challenges for healthcare compliance professionals. Thriving in this environment means being agile and adaptive.

The AHA’s Requests

Last week, the American Hospital Association (AHA) asked the Centers for Medicare & Medicaid Services (CMS) to keep relaxed regulations in place. Specifically, the AHA is interested in keeping flexibility around telehealth, quality and compliance measures, and bed capacity.

The telehealth changes are ones that have been on the horizon for some time. Essentially, the AHA is asking CMS to continue to allow hospitals to provide a wide range of telehealth services, without limitations as to profession or geographic location. The AHA is also asking for flexibility on billing and payments related to telehealth to be made permanent.
More interestingly, the AHA has also asked that CMS extend regulatory relief related to some quality and patient safety regulations. These include expanding the use of verbal orders, and extending the reuse of PPE.

The AHA has also asked that CMS provide hospitals with a transition period, to allow them to more easily move from pandemic response to ordinary practice. This includes a request for temporary waivers for sanctions and penalties related to HIPAA , and flexibility on audit requirements. And, it includes a request that certain rules and requirements be delayed or suspended.

The Response From CMS

Three days after the AHA released this letter, Michael Caputo, Assistant Secretary for Public Affairs at the Department of Health and Human Services (HHS), tweeted this :


The public health emergency is currently set to expire on July 25. However, as of this writing, HHS hasn’t officially announced how long the extension will be

This means that we don’t yet know what will happen when the emergency finally does end. Will HHS give a transition period, as the AHA has requested? Will HHS continue to allow flexibility about telehealth, which they have previously indicated they would?

Staying up to date on this fluid situation is going to be a key task for compliance in the coming weeks.

See YouCompli in Action

Easier, faster, more effective compliance is possible

The New Office of Burden Reduction and Health Informatics: Implications for Healthcare Compliance

You may have heard that, last week, the Centers for Medicare & Medicaid Services (CMS) announced the creation of a new office: the “Office of Burden Reduction and Health Informatics.”

What exactly is this new office supposed to do? According to the press release from CMS, the intent is “to unify the agency’s efforts to reduce regulatory and administrative burden and to further the goal of putting patients first.”

All well and good. But what does that actually mean?

Value-Based Care

Here’s one thing that CMS says clearly. They are “committed to leveraging the significant flexibilities introduced in response to the COVID-19 pandemic as we continue to lead the rapid transformation to value-based healthcare.”

We’ve all been hearing about value-based care for years. (Here’s a piece from 2016, for example.) The pace of change hasn’t been particularly speedy, and the pandemic has disrupted most big transformative plans, especially in healthcare.

That said, the Department of Health and Human Services (HHS) is still committed to value-based care. If reducing or streamlining the regulatory environment is necessary in order to make this change happen, you can bet that HHS and CMS will do it.

What specific regulations will CMS change in order to make this happen? That remains to be seen. Recently, CMS did announce that they will be maintaining at least some of the regulatory changes related to telehealth.

Which ones? We know of one rule change that CMS has announced: the proposed physician fee schedule rule, which should come out in July, will include proposals to permanently expand coverage for telehealth services. As of this writing, the rule has not been published, and CMS has not announced details.

With that exception, however, there hasn’t been a lot of movement on specific regulations that could be helpful. In fact, our observations suggest that most regulators are moving back to business as usual. If CMS has plans to streamline regulations to enable the transformation to value-based care, they are keeping those plans very close to the vest.

Improved Review

However, CMS commits clearly to increasing the number of stakeholders – including clinicians, providers and health plans – that it engages with when assessing the impact of new regulations.

This could be a welcome change for compliance professionals, as a more comprehensive assessment of regulatory impact could result in a regulatory environment that’s a lot easier to work within. Clearer regs with reduced expectations would mean less work required by the clinical and revenue cycle staff in your organization.

And that would mean less time spent following up and trying to get staff to do the work.

Health Informatics

CMS has also committed – as indicated in the second half of the new office’s name – to further implement health informatics. The idea here is to effectively use health data in order to provide better care.

CMS gives this as a specific example: “to create new tools that allow patients to own and carry their personal health data with them seamlessly, privately, and securely throughout the health care system.”

This proposal has obvious advantages for both patients and providers. But it could cause significant headaches for compliance.

Staying in compliance with an EHR system for just one health system is challenging enough. What CMS is proposing is an EHR system that applies across all Medicare and Medicaid beneficiaries. This would be much more complicated! The HIPAA implications alone could be staggering.

So, the use of health informatics could make the work of compliance much more challenging. We can all expect that there will be more data available and being used, and more complex tools to manage it. This trend exists across almost all industries, and healthcare is not going to be an exception.

In a highly regulated environment like healthcare, however, big data and big data tools will need to be monitored very carefully. There are a lot of ways that data tools could violate regulatory requirements. If compliance professionals aren’t careful, software and other tools could be put in place that expose the organization to high levels of risk.

Staying Up to Date

As of this writing, there is limited information as to what the Office of Burden Reduction and Health Informatics will be doing for the US healthcare system. It has a broad mandate, with unclear specifics.

There is a possibility that the office will make compliance easier, by more effectively assessing the impact of regulations before imposing them. There is also a (stronger) possibility that it may make compliance more challenging, by creating wide-ranging technological systems that compliance officers will need to monitor carefully.

As new regulations are issued, and new announcements are made, we’ll be keeping you updated. youCompli customers always have access to the latest regulatory changes as they come out and will be well-positioned to adapt to the environment created by his new office.

See YouCompli in Action

Easier, faster, more effective compliance is possible