European Cloud in Health Advisory Council Calls For Review of eHealth Rules and Ethics of Medical Data Re-Use

On May 11, 2017, the European Cloud in Health Advisory Council (ECHAC) – a group of healthcare organizations, technology companies and patient representatives – launched its second whitepaper focused on use of data to improve health outcomes and delivery of care.

ECHAC launched the whitepaper at an eHealth Week 2017 session attended by ECHAC participants and members of the European Parliament, European Commission and several national health ministries.

The whitepaper identifies the advances that technologies like cloud computing and artificial intelligence are driving in areas such as telemedicine, clinical decision support software, carer productivity, health service optimization and research. The paper also highlights regulatory and policy “blockers” to the roll out of technology in the healthcare sector — including national rules that unduly restrict (or are perceived to restrict) processing or storage of patient data in the cloud.

The paper recommends that as EU Member States take measures to implement the new EU General Data Protection Regulation (“GDPR”), they consider whether there is an opportunity to update national laws that unnecessarily restrict cloud usage in the health sector, such as localization requirements for patient data and burdensome national certification regimes that do not map to international standards. The paper also points, as a best practice, to those national health services that are pioneering a “cloud first” IT strategy (Ireland being a leading example).

The whitepaper also considers appropriate regulatory frameworks for “secondary” re-use of patient data (i.e. use of data to improve health, care and services through research and planning). The whitepaper concludes that unlike use of data for primary purposes, where there is a broad consensus on the need for expanded data use, more dialogue is needed on the appropriate parameters for secondary uses.

Acknowledging the tremendous opportunities of health data re-use, but also the sensitivities, the whitepaper set out a “maturity model” that it proposes be used to begin a dialogue around the controls that should be in place for secondary re-use of patient data – for instance different opt-in/opt-out models. The whitepaper also backed calls for research into schemes that could encourage consensual, altruistic “data donation.”

Bipartisan Bill To Test Telehealth Services for Medicare Beneficiaries

By Liza Khan on April 7, 2017 Posted in Telehealth

Last week, Senators Cory Gardner (R-CO) and Gary Peters (D-MI) introduced new legislation to test expanded Medicare coverage of telehealth services. The Telehealth Innovation and Improvement Act requires the Department of Health and Human Services (HHS) to allow selected, eligible hospitals to offer telehealth services in cooperation with the Center for Medicare and Medicaid Innovation (CMMI), which develops and tests new service delivery models for cost, effectiveness, and improvement in quality of care. Models that are successful under the CMMI’s criteria could be expanded and covered by the Medicare program.

The stated goal of the Senators introducing the Telehealth Innovation and Improvement Act is to improve access to healthcare for rural Medicare beneficiaries, who sometimes live far away from hospitals and medical centers. The bill’s sponsors also believe the proposed legislation will lower health care costs and reduce emergency room visits, hospitalizations and readmissions.

Senators Gardner and Peters previously introduced similar telehealth legislation in 2015. That bill was referred to the Senate Finance Committee, but it was never given a hearing or voted on.

Vote on HHS Secretary Nomination Expected as Early as this Week; Nomination Hearings Included Little Discussion of Health IT

By Paige Jennings on February 7, 2017 Posted in EHR/EMR, Regulatory Incentives, Telehealth

The full Senate could vote as early as this week on the nomination of Rep. Tom Price (R-GA) to be Secretary of the U.S. Department of Health and Human Services (HHS). In January, two Senate Committees held hearings on Rep. Price’s nomination. These hearings focused largely on Rep. Price’s stance on repeal of the Affordable Care Act (ACA) and on reform of the Medicare and Medicaid programs. Senators asked few questions related to health information technology, and the limited discussion on this topic centered primarily on the burdens placed on providers by HHS initiatives to promote the “meaningful use” of electronic health records (EHRs). Continue Reading

Twenty-First Century Cures Act Includes HIPAA Provisions

By Dena Feldman on December 23, 2016 Posted in Health Data, HIPAA and Data Privacy

On December 13, 2016, President Obama signed the 21st Century Cures Act (“Cures Act”), Pub. L. 114-255, which aims to expand medical research and expedite the approvals of drug therapies for patients. The Cures Act also contains several provisions related to the HIPAA Privacy and Security Rules. None of these provisions make substantive changes to the HIPAA regulations at this time; in several instances, they direct the Secretary of Health and Human Services (“HHS”) to study whether the HIPAA regulations should be revised or clarified to remove any potential barriers to optimal patient care and communication or to the availability of patient information for medical research.

Incoming HHS Secretary Tom Price Brings Physician-Focused Perspective to Health IT

By Shruti Barker on December 16, 2016 Posted in EHR/EMR, Health Data, Regulatory Incentives

Tom Price, the Republican representative from Georgia, has been tapped by President-elect Trump as the new Secretary for the Department of Health and Human Services (HHS). Rep. Price is himself an orthopedic surgeon and comes from a family of doctors and, as a result, is focused closely on the ways in which government regulations burden the doctor-patient relationship. At an American Enterprise Institute event this past June, Rep. Price criticized the Affordable Care Act for allowing the government, rather than doctors and patients, to control the manner in which healthcare is offered.
Continue Reading

Update on Telemedicine Parity

By Jack Lund on December 6, 2016 Posted in Telehealth

We have followed (here and here) the adoption of the Interstate Medical Licensure Compact (“IMLC”) by various states and the subsequent formation of a commission under the IMLC. We believe that the IMLC presents one promising avenue for the proliferation of telemedicine. In this post, we explore another initiative designed to encourage the development of telemedicine; parity laws.

Telemedicine parity laws require reimbursement for telemedicine services in the same manner and at the same reimbursement amount as for analogous in-person medical treatment. According to the American Telemedicine Association, 7 States have proposed or pending parity legislation, 31 States have already enacted some kind of parity law and 48 States have implemented parity in their Medicaid programs through regulation or legislation.

While these laws have spread quickly, there are many important distinctions among them. Some of these distinctions are worth careful consideration. For example, some States have adopted laws or policies that apply only to Medicaid. Other States have passed legislation that binds private payers as well.

There are plenty of advocates on both sides of the private payer issue. Many telemedicine proponents argue that parity legislation ought to apply to private payers because parity requirements will spur development of cheaper and more effective delivery of services. Critics point out that market forces make such legislation unnecessary; if telemedicine is actually more effective, private payers would have their own incentives to pay as much or more for it, and if telemedicine services are not as effective but are attractive mainly for their cost-saving potential, private payers should be able to adjust the reimbursement and reap the savings accordingly. While this fight continues to rage, most States have concluded that parity, at least with respect to Medicaid, makes sense.

Some States have also adopted separate requirements for obtaining informed patient consent (Michigan is set to become the most recent). Since telemedicine is a relatively new way for patients to obtain care, some States have mandated that patients receive information about what to expect prior to treatment. Proponents of these laws describe them in terms of consumer protection and laud the transparency that they create. Critics tend to argue that state-wide disclosure requirements stifle innovation by implementing a one-size-fits-all regime that places telemedicine at a competitive disadvantage to in-person care, which does not have to meet additional informed consent requirements. They argue that creating this kind of advantage for in-person care might inappropriately slow the implementation of telemedicine solutions.

In March, Florida inched toward telemedicine parity by creating the Telehealth Advisory Council to recommend ways to “increase the use of accessibility of services provided by telehealth.” The Council, which has already begun to hold meetings, will base its recommendations on research conducted by the Agency for Health Care Administration and other regulators into the types, prevalence, cost savings, and reimbursement practices of telemedicine services. While Florida created a council to analyze the issue before enacting substantive legislation, many states adopted legislation without studying the issue or studied it more informally. Florida’s approach is not entirely new, as Indiana completed a one-year pilot program before enacting permanent legislation this year.

States also vary in their methods of regulation. Some States have treated the regulation of telemedicine as an element of preexisting medical regulations, while others have conceptualized it as wholly new and requiring its own regulatory paradigm. For example, while Indiana empowered its existing State Licensing Board to develop regulations to implement the legislation, Idaho created a new Telehealth Council for the same purpose. This example illustrates the difficult balance States will need to create as they integrate telemedicine regulation with preexisting practice rules and try to address the wholly new problems and opportunities that it presents.

Senate Unanimously Passes the ECHO Act

By Philip Peisch on December 2, 2016 Posted in Telehealth

On November 29, 2016, the Senate unanimously passed the Expanding Capacity for Health Outcomes Act (the ECHO Act). This legislation seeks to expand the use of technology to connect underserved communities with critical health care services.

New Developments in the Implementation of the Interstate Medical Licensure Compact (IMLC)

By Jack Lund on November 4, 2016 Posted in Telehealth

In July of 2015 we noted that nine states had enacted laws to join the Interstate Medical Licensure Compact. We described this cooperative program intended to allow physicians to obtain expedited licenses to practice in multiple states. This would facilitate the delivery of telemedicine across state lines; physicians are generally prohibited from practicing, even remotely, in states in which they are not licensed.

In our last post, we noted that enough states had approved the Compact for an Interstate Medical Licensure Compact Commission (Commission) to be formed to promulgate bylaws for licensure. Since then, nine more states have enacted legislation joining the IMLC including, most recently, Pennsylvania. As more states joined, a Commission was indeed formed.

Recently, the Commission issued a proposed rule for “expedited licensure” and met to set a target goal of January 2017 for the finalization and implementation of that rule. Although the Commission has not yet finalized the rule, because the implementation date is fast approaching, we have summarized the likely procedure for expedited licensure.

Most importantly, the Commission plans to create an online application for expedited licensure. The Commission will then transmit that information to the relevant state(s). In addition, the proposed rule describes the requirements to receive an expedited license, which include licensing and educational standards. Applicants who have been convicted of various kinds of misconduct will not be eligible for expedited licensure.

In order to apply for an expedited license from a new state, an applicant will simply submit an online application (including service fees) to the Commission and then submit a fingerprint packet or other biometric data sample and provide a sworn statement attesting to the truthfulness of all of the information provided to the state in which the applicant is currently licensed. The Commission will request that the state in which the applicant is licensed issue a letter of qualification to the applicant and the Commission. Upon receipt of the letter of qualification, the Commission will issue a full and unrestricted license to the applicant to practice in participating states.

Physicians who would like to engage in practice outside of the states where they are currently licensed should check to see if the IMLC applies in the states in which they are licensed and in the states where they would also like to practice. This procedure will probably be available soon and will probably make applications for licensing significantly easier. It is also worth noting that there are many states still considering adopting the IMLC, including Michigan which has active legislation on the topic.

HHS Issues Guidance on HIPAA and Cloud Providers

By Dena Feldman on October 28, 2016 Posted in Cybersecurity, Data Security, Health Data, HIPAA and Data Privacy, Medical Apps

The Department of Health and Human Services (HHS) recently published guidance on HIPAA requirements governing the use of cloud computing entities, specifically cloud services providers (CSPs).

In this guidance, HHS explains that CSPs that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or business associate are considered business associates under HIPAA, and are therefore subject to HIPAA’s requirements. HHS expressly rejects the idea that CSPs are analogous to “conduits”(such as internet service providers) that provide transmission-only services. Rather, HHS explains that CSPs store and maintain PHI and thus have ongoing and routine access.

We have discussed this guidance on the Inside Medical Devices blog. Covered entities and business associates that rely on CSPs should take steps to ensure that they are in compliance with HIPAA’s requirements.

ONC Releases New Guide on Buying EHR

By Covington eHealth on October 6, 2016 Posted in EHR/EMR

Last month, the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) released a new guide for prospective buyers of Electronic Health Record systems (EHRs). ONC provides detailed information and suggestions that merit the serious consideration of anyone that contracts or plans to contract with an EHR vendor.

ONC begins with a broad introduction that explains what kinds of options exist and offers advice on how to select an appropriate system. Then, ONC provides detailed advice on a number of important topics, including safety and security, system performance, data rights, interoperability, IP, risk management, dispute resolution, and transitions. For each of these topics, ONC identifies common pitfalls and provides buyer friendly form contract language. Sprinkled throughout the guide are descriptions of common pitfalls and advice about how to avoid them. Some of these points are worth further emphasis.

ONC notes that some buyers have complained about inconsistencies between vendor demonstrations and their actual products. It is important to remember that marketing materials and demonstrations are not necessarily reliable. ONC suggests requiring that any such materials presented to a buyer be attached and incorporated into the final EHR contract. Furthermore, core service and performance obligations should be memorialized with express warranties. This should provide some security against falling victim to a bait and switch.