On April 21, 2020, the “Regulation on the Requirements and the Process for the Examination of the Eligibility of Digital Health Applications for Reimbursement by the State Health Schemes” (Digitale Gesundheitsanwendungen-Verordnung – „DiGAV“) came into force in Germany. It is accompanied by an extensive Guidance (Leitfaden) issued by the Medicines and Medical Devices Agency “BfArM”.
On April 21, 2020, the Department of Health and Human Services (“HHS”) announced that, as a response to the COVID-19 public health emergency, it will exercise enforcement discretion to “permit compliance flexibilities” regarding the implementation of the interoperability final rules issued on March 9th, 2020. This joint announcement was made by the Office of the National Coordinator for Health IT (“ONC”), the Centers for Medicare & Medicaid Services (“CMS”), and the HHS Office of Inspector General (“OIG”).
As we previously discussed, the final rules are intended to improve patient access to electronic health information (“EHI”) and to standardize the modes of exchanging EHI. These rules greatly affect hospitals and other healthcare stakeholders, who are working at the forefront of the COVID-19 pandemic. HHS considers the decision to exercise enforcement discretion as one of many steps “taken to ease [the] burden on the healthcare industry as it fights COVID-19.” HHS will continue monitoring implementation of the rules to decide if additional actions are necessary.
CMS’s Enforcement Discretion
CMS announced that it will be extending by six months the time periods for implementing certain aspects of the Interoperability and Patient Access Final Rule. Accordingly, the admission, discharge, and transfer notification Conditions of Participation rules, which were initially scheduled to take effect six months after the publication of the final rule, will now be effective 12 months after publication.
CMS will also exercise discretion for six months regarding the Patient Access API and Provider Directory API requirements for Medicare Advantage, Medicaid, and the Children’s Health Insurance Program (“CHIP”) under 42 C.F.R. Parts 422, 431, 438, and 457. The requirements, which were to become effective on January 1, 2021, will not be enforced until July 1, 2021. CMS will similarly defer enforcement of the new requirements for the Patient Access API for Qualified Health Plan (“QHP”) issuers under 45 C.F.R. Part 156 until July 1, 2021.
These are the only requirements for which CMS has announced it will exercise enforcement discretion. Other policies and requirements must be implemented as set out in the final rule, including the payer-to-payer data exchange deadline of January 1, 2022.
ONC’s Enforcement Discretion
ONC announced that it will exercise enforcement discretion for three months following the original compliance date for all new requirements in the ONC Final Rule. Therefore, ONC will not enforce such requirements, found at 45 C.F.R. Part 170, for three months after the initial date or time period provided in the final rule. A detailed list of the requirements and new compliance deadlines can be found here.
Senate Commerce Committee Chairman Roger Wicker is working on draft legislation that would regulate the collection and use of health and location information in connection with efforts to track and limit the spread of COVID-19. Some key highlights of the tentatively titled “COVID-19 Consumer Data Protection Act” include:
- For the duration of the public health emergency, the bill would regulate companies that collect, process, or transfer certain health and location information for any of the following purposes: (1) to track the spread, signs, or symptoms of COVID-19; (2) to measure compliance with social distancing guidelines or other government-imposed requirements related to COVID-19; or (3) to conduct contact tracing for COVID-19 cases.
- However, regulated companies would have certain new obligations. The most notable of these include the following:
- An obligation to provide individuals the ability to revoke their consent to the collection, processing, or transfer of covered data for COVID-19 purposes. There are limited exemptions to this requirement. For example, there is not an express exemption from opt-out obligations for medical information collected by or on behalf of employers in connection with efforts to maintain a safe workplace. The U.S. Equal Employment Opportunity Commission issued guidance on March 18 stating that employers are allowed to conduct body temperature checks due to the pandemic and issued guidance on April 23 stating that employers may conduct diagnostic testing for COVID-19.
- An obligation to delete covered data that is collected, processed, or transferred for COVID-19 purposes when it is no longer being used for such purpose. The draft does not expressly address a company’s obligations to delete covered data that is collected and processed for both COVID-19 and non-COVID-19 purposes.
- An obligation to issue public reports every 30 days with certain information, including the aggregated number of individuals whose data has been processed for COVID-19 purposes.
- Express data minimization requirements.
- There are specific exemptions for aggregated, de-identified, and publicly available information. Otherwise covered health and location information is defined to include the following:
- Personal health information, which is defined as either genetic information or information relating to the diagnosis or treatment of past, present, or future physical, mental, health, or disability of the individual that identifies or is reasonably linkable to an individual, but excluding information that is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or the Family Educational Rights and Privacy Act of 1974 (“FERPA”).
- Precise geolocation data, which is defined as technologically derived information capable of determining with reasonable specificity the past or present actual physical location of an individual at a specific point in time.
- Proximity data, which is defined as technologically derived information that identifies with reasonable specificity the past or present proximity of one individual to another.
The draft would rely on the Federal Trade Commission to enforce violations under Section 5 of the FTC Act, although common carriers and non-profit entities also would be regulated expressly even though they generally are not subject to Section 5 jurisdiction. In addition, state attorneys general would have the right to enforce the obligations, including to obtain civil penalties.
Artificial intelligence (AI) is burgeoning in many industries, including healthcare. As the legal landscape around AI continues to evolve, how can organizations operationalize trustworthy AI applications? Lee Tiedrich and Lala R. Qadir share ten steps in this article with Law360.
For more information about AI, please see our “AI Toolkit.”
Lee Tiedrich, B.J. Altvater, and James Yoon recently published an article summarizing recent developments in artificial intelligence law and policy on the University of Pennsylvania Law School’s Regulatory Review. The article primarily focuses on developments in the United States, including the National Artificial Intelligence Initiative Act introduced by members of the House Committee on Science, Space, and Technology on March 12, 2020. This development should interest the growing number of digital-health companies and other entities seeking to capitalize on the benefits of artificial intelligence (AI). The article also briefly discusses other federal, state, and local efforts to regulate AI.
To learn more about AI, please access our AI Toolkit.
As we anticipated in a previous blog post, on April 22, 2020, the European Data Protection Board (“EDPB”) issued new guidelines on the use of location data and contact tracing apps in the context of the present COVID-19 pandemic.
The EDPB’s close scrutiny over the use of mobile data and apps in the context of the ongoing public health crisis is unsurprising, as many EU Member States have launched—or are in the process of launching—contact tracing apps to fight the spread of the virus, and these initiatives are receiving great attention by data privacy authorities and the general public (see our blog post here).
The guidelines aim to clarify the data protection conditions and principles that should be followed when:
- using location data to model the spread of the virus to assess the overall effectiveness of confinement measures; and
- using contact tracing apps, which aim to notify individuals who may have been in close proximity to someone who is infected or confirmed as a carrier of the virus, in order to break the contamination chain as early as possible.
The EDPB stresses that EU data protection rules have been designed to be flexible and, as such, do not stand in the way of an efficient response to the pandemic. However, it notes that governments and private actors should be mindful of a number of considerations when they use data-driven solutions in response to the COVID-19 outbreak.
On April 9, 2020, U.S. Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (the “Notification”) regarding certain covered entities and business associates who choose to participate in the operation of a Community-Based Testing Site (“CBTS”) during the COVID-19 nationwide public health emergency. The Notification relaxes HHS’s enforcement of certain provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). More specifically, HHS will not impose penalties against covered health care providers and their business associates for violations of the HIPAA Privacy, Security, and Breach Notification Rules related to the “good faith participation” in a CBTS. The Notification is effective immediately but applies retroactively to March 13, 2020.
For the purpose of the Notification, a CBTS includes “mobile, drive-through, or walk-up testing sites that only provide COVID-19 specimen collection or testing services to the public.” Operation of a CBTS encompasses “all activities that support the collection of specimens from individuals for COVID-19 testing.”
Under the Notification, HHS’s enforcement discretion will apply only to covered health care providers and their business associates regarding activities connected to the operation of a CBTS. The Notification does not apply to non-CBTS activities performed by covered health care providers or their business associates. As such, there is still potential HIPAA liability for all other HIPAA-covered actions, unless otherwise determined by HHS. In addition, the Notification does not apply to health plans and health care clearinghouses when they are conducting health plan and clearinghouse operations. If a covered entity acts as both a health plan and health care provider, the Notification will apply only when the entity is acting in its role as a health care provider, and then only to the extent that it is participating in a CBTS.
Although covered health care providers and their business associates will not face penalties for HIPAA violations connected to the good faith operation of a CBTS, HHS still encourages them to implement reasonable safeguards for the privacy and security of individuals’ protected health information (“PHI”). According to the Notification, reasonable safeguards include:
- Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment;
- Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples;
- Controlling foot and car traffic to create adequate distancing at the point of services to minimize the ability of persons to see or overhear screening interactions at a CBTS — a six foot distance would service this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19;
- Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming;
- Using secure technology at a CBTS to record and transmit electronic PHI;
- Posting a Notice of Privacy Practices (“NPP”) or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.
On April 3, 2020, the Department of Health and Human Services Office for Civil Rights (“OCR”) released an alert warning covered entities and business associates of an individual posing as an OCR Investigator to obtain protected health information. According to the alert, “[t]he individual identifies themselves as an OCR Investigator on the telephone, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.”
HIPAA covered entities and their business associates are encouraged to warn their workforce of potential scams and remind them of basic verification steps, such as asking for the Investigator’s email address (which will end in @hhs.gov) and asking for a confirmation email sent from the Investigator’s hhs.gov email.
Organizations can send questions and concerns to OCRMail@hhs.gov. Additionally, suspected incidents of individuals impersonating federal law enforcement should be reported to the Federal Bureau of Investigation (“FBI”). The FBI has also released a public service announcement regarding COVID-19-related fraud schemes.
On April 14, 2020, FDA issued a direct-to-final guidance outlining its “Enforcement Policy for Digital Health Devices for Treating Psychiatric Disorders During the Coronavirus Disease 2019 (COVID-19) Public Health Emergency.” The guidance intends to “expand the availability of digital health therapeutic devices” – possibly the first time FDA has used such term in its written policies – to facilitate consumer and patient use and reduce potential exposure to COVID-19. The guidance applies to two groups of products: (1) computerized behavioral therapy devices and other digital health devices for psychiatric disorders; and (2) low-risk wellness and digital health products for mental health or psychiatric conditions. Like FDA’s many other COVID-19 enforcement policies, the policy will remain in effect “only for the duration of the public health emergency related to COVID-19.” Continue Reading
The rapid spread of COVID-19 has transitioned the telehealth debate from a matter of access, convenience, and cost-saving to a matter of absolute necessity on a large scale. A variety of barriers have traditionally stood in the way of broader adoption of telehealth including a lack of reimbursement by both state and private insurance, restrictions on prescribing across state lines, limitations to interstate malpractice coverage, and concerns related to privacy and security, licensure, credentialing, and privileging. Although CMS has temporarily alleviated some of the Medicare reimbursement limitations, the patchwork of state licensing regimes has been one of the most difficult barriers to overcome. This post highlights how some states have made temporary concessions with regard to their control over licensure in order to support patients during the COVID-19 pandemic. However, while these measures have helped, a uniform national mechanism for licensure for telehealth across state borders would be much more effective.
Licensure and Telehealth
Medical licensure in the United States is handled by states and the requirements can vary from state to state. Although there is some uniformity in the basic standards, many states require their own testing, interviews, background checks, and other steps to become licensed in that state. Initiatives such as the Interstate Medical Licensure Compact (IMLC) make it easier for providers to become licensed in multiple states, but the IMLC has not been adopted in every state, and the process for providers to take advantage of this reciprocity is not automatic. The licensing regime that applies to a particular encounter is typically based on the state of the “originating site” (i.e., the physician needs to be licensed in the state where the patient is located at the time of receiving the services). The limitations to the adoption of the IMLC and the originating site rule mean that it has been difficult for physicians to provide services across multiple states. There are various state-based exceptions that allow physicians to consult with out-of-state specialists on a limited basis, allow physicians from neighboring states to have their licenses recognized on a limited basis, or allow out-of-state physicians to provide certain types of telehealth services directly to patients, but the inconsistency of these exceptions creates risk and uncertainty for physicians and discourages broader use of telehealth.
Emergency Licensure and Licensure Waivers
Many state responses to the COVID-19 crisis have included the availability of temporary, emergency, or fast-tracked licensure or the temporary waiver of certain licensure requirements. Massachusetts has created an expedited “Emergency Temporary License Application” that allows physicians who hold “an active full, unlimited and unrestricted medical license in another U.S. state/territory/district” to obtain licensure, but only during the state declarations of emergency related to COVID-19. New York, has entirely waived NY licensure requirements for certain types of physicians, by allowing those who are “licensed and in current good standing in any state in the United States to practice in New York State without civil or criminal penalty related to lack of licensure.” Other requirements have also been waived by some states; for example, Delaware has waived the requirement that physicians see patients in-person before providing telehealth. These emergency measures not only allow physicians to travel to states where the need for medical professionals has sharply increased, it allows physicians to provide telehealth services to patients in those states where their ability to receive treatment in-person has significantly diminished.
A Unified Approach to Emergency Telehealth Licensure
Although individual state-based measures can help to increase the availability of physicians, a unified response would allow the healthcare community to be more responsive as the spread of COVID-19 effects different areas of the country at different times. One potential avenue for this is the Emergency Management Assistance Compact (EMAC). EMAC has been ratified by Congress and every U.S. state and territory, and it provides state emergency management agencies with broad powers to cooperatively respond to emergencies, including liability waivers, license reciprocity, and reimbursement for costs. The National Emergency Management Association supports the use of EMAC to implement uniform waivers to state licensure requirements for the provision of services via telehealth, and has released a form executive order that Governors can use to efficiently achieve this result. If adopted, this order includes a broad waiver of in-state licensure requirements for physicians who are licensed in another jurisdiction and allows them to provide any services they could provide in their home jurisdiction via any remote telecommunications technologies. Universal adoption of such an order would allow physicians to treat patients anywhere in the country via telehealth, and would facilitate the efficient implementation of nationwide telehealth networks.
Telehealth Licensure After COVID-19
Most of the measures discussed above apply only as long as the state emergency declarations continue. The same is true of the federal responses to the virus, such as the FCC’s COVID-19 Telehealth Program, which is part of the CARES Act and was discussed in an earlier post. Similarly, as also previously discussed, HHS is exercising enforcement discretion, having announced that it will not impose penalties for noncompliance with certain provisions of HIPAA, relating primarily to the security of transmission methods, in connection with the “good faith” provision of particular telehealth services during the COVID-19 nationwide public health emergency. Some of the current demand for telehealth is due to the fact that COVID-19 is so easily communicated via in-person interactions and the need for a national response to a pandemic that will peak at different times across the country. But the current crisis also highlights the access-to-care challenges the country faced before the crisis, and the hard lessons of the crisis response can create opportunities for the growth of nationwide telehealth services. As a significant number of new doctor-patient relationships are formed via telehealth, we may find that the benefits of this form of healthcare outweigh the concerns and argue for making some of these changes permanent, and support for this type of long-term change is already building.
Jon-Paul Berexa, Anna Kraus, Rebecca Yergin and Tara Carrier contributed to this post.