June 9, 2023

Volume XIII, Number 160



2018 Digital Health Year in Review: Focus on Care Coordination and Reimbursement


In 2018, even more than in recent years, federal lawmakers and regulators continued the push toward modernizing the existing legal framework to support and encourage digital health adoption in the context of care coordination and the move to value-based payment. These efforts brought changes to coverage of telehealth and other virtual care services, as well as information gathering for regulatory reform.

McDermott is pleased to bring you this review of key developments that shaped digital health in 2018, along with planning considerations and predictions for the digital health frontier in the year ahead.

Regulatory Sprint to Coordinated Care

In 2018, the US Department of Health and Human Services (HHS) launched the Regulatory Sprint to Coordinated Care, which, as described by the Centers for Medicare & Medicaid Services (CMS), is focused on “identifying regulatory requirements or prohibitions that may act as barriers to coordinated care, assessing whether those regulatory provisions are unnecessary obstacles to coordinated care, and issuing guidance or revising regulations to address such obstacles and, as appropriate, encouraging and incentivizing coordinated care.”

As we reported in 2018, as part of the initiative, CMS issued a broad request for information (RFI) related to potential changes in the federal physician self-referral law (Stark Law) with a goal of “reducing regulatory burden and dismantling barriers to value-based care transformation, while also protecting the integrity of the Medicare program.” Similarly, the HHS Office of Inspector General (OIG) issued an RFI on how to address regulatory provisions in the anti-kickback statute (AKS) and civil monetary penalties (CMP) law that may hamper coordinated care or value-based care, as well as information on novel financial arrangements implicated by the AKS.

The HHS Office for Civil Rights (OCR) also issued an RFI to solicit comments and feedback from stakeholders on whether the HIPAA Rules should be modified to better facilitate the health care industry’s transformation to value-based health care and the coordination of care. We cover the OCR RFI in more detail in Digital Health Year in Review: Focus on Data.

Value-based payment models and the digital health tools on which they may rely often implicate all three laws—Stark, AKS and CMP. The RFIs were critical opportunities to address the need for clear pathways for leveraging digital health technologies to facilitate the development and implementation of alternative service and payment models, as well as the promotion of care coordination.

The Stark RFI particularly focused on the identification of Stark Law elements that create a potential barrier to coordinated care structures. A common strategy that larger health systems and other providers use to build coordinated care models is subsidizing the use of costly tools related to electronic health records (EHR), cybersecurity technologies and telehealth offerings by other providers. A number of the submitted comments noted that subsidization arrangements may be implicated by the Stark Law and that clearer protections should be added for such arrangements.

The AKS/CMP RFI, among other requests, solicited information regarding the donation or subsidization of cybersecurity-related items and services, perhaps in response to the Stark RFI comments. These arrangements typically are similar in design and purpose to the subsidization of EHR systems for providers by large health systems or other structures. Similar to the Stark RFI responses, a number of comments in response to the AKS/CMP RFI encouraged protections for the subsidization of infrastructure, including EHR technology, telehealth, and cybersecurity resources.  

The AKS/CMP RFI also sought comments on how to clarify a new exception to the definition of “remuneration” in the beneficiary inducement provisions of the CMP law enacted in Section 50302(c) of the Bipartisan Budget Act of 2018 (BBA). The exception applies to “telehealth technologies” provided on or after January 1, 2019, by a provider to individuals with end-stage renal disease (ESRD) receiving home dialysis. However, the act fails to define “telehealth technologies,” stating only that the term would be defined by the Secretary of HHS. The AKS RFI sought input on how “telehealth technologies,” as used in the CMP law exception, should be defined, and whether “telehealth technologies” should be expanded to include telehealth services. The OIG further questioned whether any additional protections or safeguards should be implemented for the exception. Submitted commentary regarding telehealth technologies urged that the definition be expanded to include not only the technology itself but devices required for data transmission and services related to installing the technology.

Changes to Payment Laws and Rules

As reported in detail in our Digital Health Mid-Year Report: Focus on Medicare, 2018 opened with the expansion of Medicare coverage for certain telehealth and virtual services. This expansion permitted providers to bill separately for remote patient monitoring (RPM) services conducted in connection with chronic care management, transition care management and general behavioral health integration and included additional telehealth services codes covering health risk assessments, psychotherapy, chronic care management, and interactive complexity. This expansion was quickly followed by the enactment of the BBA on February 9, 2018, which set the stage for a wide-ranging expansion of telehealth and ended with a series of proposed and final rules aimed at implementing those expansions. In addition, CMS continued its evolutionary expansion of virtual and telehealth services.

Expansion of Medicare Coverage for Telehealth Services

Telehealth Stroke, ESRD and Other Services

On November 1, 2018, CMS issued a final rule updating the Medicare Physician Fee Schedule (PFS Final Rule) to implement recent telehealth-related legislative reforms enacted by the BBA. Beginning in 2019, patients presenting with stroke symptoms at hospitals or mobile stroke units may receive a timely telehealth consultation with a neurologist in order to determine the best course of treatment. In addition, patients with ESRD who receive home dialysis may choose to receive certain monthly ESRD-related clinical assessments via telehealth, provided that at least one visit in the first three months of home dialysis, and one visit every three months thereafter, occurs via an in-person face-to-face visit without the use of telehealth. Both the home of an individual with ESRD and an ESRD facility qualify as an originating site with respect to the monthly clinical assessments (but no facility fee will be paid when the originating site is a patient’s home).

Both the telehealth stroke and ESRD assessment provisions eliminate the current geographic restriction that limits originating sites to rural areas, meaning distant site providers delivering telestroke and ESRD assessment services could receive a professional fee for delivering the consultation to patients located anywhere in the United States, provided that the other Medicare telehealth coverage requirements are satisfied (e.g., type of provider, type of technology).

CMS also finalized changes to the list of telehealth services eligible for reimbursement to include codes related to certain prolonged preventive services.  

Expansion of Telehealth Services for the Treatment of Substance Use Disorders

In October 2018, Congress passed the Substance Use Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities (SUPPORT Act) to address the US-wide opioid epidemic. The SUPPORT Act, which we discuss on our Of Digital Interest blog, expands the use and coverage of telehealth services by eliminating certain requirements for substance-use disorder services under Medicare, such as geographic restrictions for telehealth. After July 1, 2019, Medicare beneficiaries may receive coverage for telehealth services related to substance use disorders in any location, including their homes, regardless of whether the location is in a geographic area experiencing provider shortages. The PFS Final Rule includes an interim final rule with comment period that implements the new originating sites and removal of geographic restrictions.

The SUPPORT Act also directs CMS to issue (1) guidance to states regarding reimbursement for substance-use disorder treatment services, including assessment, medication-assisted treatment, counseling and medication management, using services delivered via telehealth, and (2) a report to Congress identifying best practices and potential solutions to barriers related to the delivery of services to children via telehealth. In addition, the SUPPORT Act permits incentive payments to behavioral health providers for adoption of certified EHR technology, and includes the Special Registration for Telemedicine Act of 2018, which requires the Attorney General to promulgate, prior to October 2019, final regulations specifying circumstances in which certain providers may be issued special registrations to prescribe controlled substances via telehealth.

Opportunities for Accountable Care Organizations

On August 9, 2018, as part of CMS’s “Pathways to Success” overhaul of Medicare’s Accountable Care Organization (ACO) program, CMS released a proposed rule to implement changes mandated by the BBA and allow certain ACOs (i.e., those participating in performance-based risk under the prospective assignment method) the opportunity to expand telehealth services by removing various barriers to the provision of telehealth services. If adopted as proposed, the revisions would, beginning in 2020, allow certain ACOs to offer their assigned beneficiaries designated telehealth services in the patient’s home and eliminate the geographic component of the originating site requirement, permitting beneficiaries of eligible ACOs in urban areas to receive Medicare-covered telehealth services. Medicare reimbursement for the services would be contingent upon the telehealth services being delivered to a beneficiary at an appropriate approved originating site, such as a hospital or the beneficiary’s place of residence. The provision would not retain the separate payment for the originating site fee if the service is furnished in the patient’s home. Comments to the Pathways to Success proposed rule were due on October 16, 2018.

Opportunities for Medicare Advantage Plans: Telehealth Services for Chronically Ill

As we reported last year, on October 26, 2018, CMS released a proposed rule that would permit Medicare Advantage (MA) plans to provide medical care via telehealth technologies consistent with the BBA. If finalized as drafted, the telehealth regulations set forth in the MA proposed rule would affect a broad range of providers and health care companies involved in the provision or delivery of telehealth services. MA plans would be able to include in their basic benefit packages any health benefit covered by Medicare Part B that the plan identifies as “clinically appropriate” to be furnished electronically by a remote physician or other practitioner, as described in the plan’s Evidence of Coverage document. In a press release announcing the MA proposed rule, CMS noted that the “additional telehealth benefits in MA will increase access to patient-centered care by giving enrollees more control to determine when, where, and how they access benefits.” CMS accepted comments on the proposed rule through December 31, 2018.

Payment for Other Technology-Based Services

In addition to the revisions implementing BBA telehealth policy, the PFS Final Rule also finalized CMS’s proposal to recognize and provide payment for a discrete set of services that are “defined by and inherently involve the use of communication technology.” As described in our Digital Health Mid-Year Report with respect to then-proposed additions, these services include brief virtual visits by qualified providers to existing patients, review of patient images or videos, and certain provider-to-provider consultations. In establishing payment for these services, CMS acknowledges that recent innovations in health care have given rise to the development of services that inherently require the use of communication technology but do not necessarily fit into the telemedicine category. CMS also finalized policies to pay separately for new coding describing chronic care remote physiologic monitoring.

Remote Patient Monitoring in Home Health

On November 13, 2018, CMS issued a final rule to permit, as of July 1, 2019, the cost of RPM as an allowable operating cost on the cost report of a home health agency (HHA), and the allocation of the costs to the HHA’s cost per visit. The regulation defines RPM as “the collection of physiologic data (for example, ECG, blood pressure, glucose monitoring) digitally stored and/or transmitted by the patient or caregiver or both to the home health agency.” In announcing the revisions on its website, CMS recognized that studies have found that RPM “has a positive impact on patients as it allows patients to share more live-time data with their providers and caregivers, which will lead to more tailored care and better health outcomes.” CMS noted that this change could encourage more HHAs to adopt the technology.

Digital Health Oversight and Enforcement Activities

In 2018, enforcement agencies continued to focus on digital health, highlighting the need for digital health companies to continue to strengthen corporate compliance, risk management, and quality assurance programs to proactively identify and respond to issues.

Telehealth Payments

In April 2018, OIG issued a report containing findings from its audit of Medicare payments for telehealth services. OIG had previously announced its plan to review telehealth service claims where there was no corresponding claim submitted by the originating site, indicating that the originating site might not have met Medicare’s telehealth coverage requirements. OIG found that of the 100 claims it reviewed in its sample, 31 did not meet Medicare requirements. OIG estimated that over the two-year period covered by its audit, Medicare paid approximately $3.7 million for unallowable telehealth service claims. The focus on telehealth payments continues—according to its Work Plan, OIG is still reviewing Medicaid telehealth service payments. Effective compliance programs can help telehealth companies reduce the risk of negative findings should they find themselves on the other end of a government audit.

Cybersecurity of Networked Medical Devices

In late 2018, OIG issued two reports that, although focused on the US Food and Drug Administration (FDA), could have a significant impact on the digital health industry depending on how FDA responds. The first of these reports evaluated how FDA reviewed cybersecurity for networked medical devices in connection with premarket submissions. The second examined the effectiveness of FDA’s plans for responding to a device compromise in the postmarket context. OIG concluded in both reports that the FDA could do better and made recommendations for improvements.

Whether in response to OIG’s oversight or of its own accord, FDA was active in the cybersecurity space in late 2018, issuing a draft guidance document concerning cybersecurity and premarket submissions, as well as entering into relationships—within government and with the industry—to share threat and vulnerability information. OIG and FDA’s increased focus on the cybersecurity of networked devices likely will affect how manufacturers, purchasers, and users approach medical device cybersecurity moving forward.

DOJ Enforcement – Telemedicine and Compounded Medication

There was a flurry of activity from the US Department of Justice (DOJ) in 2018 in connection with an alleged nationwide telemedicine scheme that, according to the government, involved doctors prescribing unnecessary compounded medications for patients with whom they did not have an actual doctor/patient relationship or to whom they did not provide patient care.

One telemedicine company and its owner pleaded guilty for their roles, others were charged, and some were convicted and sentenced. In a recently filed criminal complaint, the federal government referenced, but did not identify, five specific telemedicine companies involved in a similar scheme. We may see more enforcement activity surrounding telemedicine and compounded medications in 2019.

OIG’s Approval of Telemedicine Donation Arrangement

In 2018, OIG opined favorably on a proposed donation arrangement involving telemedicine items and services that was intended to facilitate HIV-prevention-related telemedicine encounters. Under the proposal, a nonprofit federally qualified health center look-alike would use state grant funds to provide certain telemedicine items (e.g., a computer, microphone and camera) and services (e.g., communication links/connectivity, training, maintenance and technical assistance) to a clinic operated by a county department of health approximately 80 miles away. In explaining why it concluded that the proposed arrangement would present a low risk of fraud and abuse, OIG highlighted safeguards that were designed to prevent inappropriate patient steering, the fact that the arrangement would be unlikely to result in inappropriate increases in federal health care program costs, and the fact that the clinic patients were the ones who would primarily benefit from the arrangement. Such factors are consistent with those addressed in OIG’s previous reviews of telemedicine arrangements.

OIG Issues Stipulated Penalties for EHR-Related Corporate Integrity Agreement

In July 2018, OIG announced that eClinicalWorks, LLC (eCW) had paid more than $130,000 in stipulated penalties for its failure to comply with corporate integrity agreement (CIA) reporting obligations related to patient safety issues. As we reported here, eCW had entered into the novel CIA in 2017 as part of a DOJ settlement over allegations that eCW had caused its customers to submit false claims for Medicare and Medicaid EHR incentive payments in violation of the False Claims Act. The stipulated penalties demonstrate that OIG takes compliance with the terms of its CIAs seriously.

How Should Digital Health Companies Respond in 2019? Focus on Use-Cases and Invest in Compliance

Over the past few years, both Congress and CMS have clearly demonstrated their willingness to improve the economic environment for digital health solutions. It is equally clear, however, that neither has an interest in simply providing reimbursement for every digital health solution that might exist. At the same time, as digital health continues its march into the mainstream, regulatory oversight and enforcement are becoming a more pressing reality. Accordingly, digital health companies and programs need to be smart about growth and expansion.

Within the third-party payor system, digital health continues to be tied directly to specific payment programs. While the universe of reimbursable activity is expanding, it is not infinite and still must be matched to what the payment program recognizes. For reimbursement purposes, digital health continues to be use-case driven. And that is what digital health companies should be focused on, in terms of both immediate applications and advocacy for expanded reimbursement.

As demonstrated by the regulatory oversight and enforcement activity in 2018, digital health companies should continue investing in the design and implementation of effective compliance programs. Effective compliance programs:

  • Establish an overall framework of policies, procedures, and protocols that govern the company’s employees, contractors, and officers

  • Support a culture of integrity and accountability

  • Promote the prevention, detection, and correction of conduct that does not live up to the company’s policies and procedures, or does not conform to applicable laws, regulations, or federal, state or private payer health care program requirements (as applicable)

The OIG has published Compliance Program Guidance that includes seven fundamental and widely recognized elements of an effective compliance program that are aimed at accomplishing these rather lofty objectives.

Digital health companies of all shapes and sizes should develop compliance programs that are responsive to the company’s specific needs, based on its size, activities, financial resources, areas of legal risk exposure and other relevant factors. Digital health companies (even those providing similar or identical types of services, such as direct-to-consumer telehealth) each will have unique policies and procedures, auditing and monitoring practices, and governance oversight structures, as they are likely focused on different areas of compliance risk and have different financial resources to invest in compliance-focused oversight activities.

A compliance program also should take into account specific emerging areas of risk based on regulatory enforcement activity and anticipated or newly enacted changes to the law. For example, based on 2018 activity, a telehealth company’s compliance program should focus on the maintenance and enhancement of care quality, internal monitoring of compliance with telehealth state laws and regulations, and compliance with government payer billing and coding rules.

© 2023 McDermott Will & Emery

National Law Review, Volume IX, Number 38

About this Author

James A. Cannatti III* practices at the intersection of today's most pertinent health care issues, including digital health, health IT policy, and fraud and abuse, including Anti-Kickback Statute/Stark Law matters. With more than 10 years of experience in the US Department of Health & Human Services’ (HHS) Office of Inspector General (OIG), most recently as Senior Counselor for Health Information Technology, James is well-attuned to the regulatory issues impacting the rapidly evolving digital health landscape, including:

  • Information...

Dana Dombey focuses her practice on representing private equity funds, strategic investors, ambulatory surgery centers and physician practices in a variety of transactional and regulatory matters.

Dana has assisted clients in connection with numerous transactions, including management and professional service arrangements, mergers and acquisitions, and joint ventures. She also regularly advises clients with respect to state licensure issues, compliance, Medicare and Medicaid reimbursement, corporate practice of medicine laws, the Anti-Kickback...

Amanda Enyeart is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office.  Amanda focuses her practice on general regulatory health law matters. 

Previously, Amanda was an associate at a national law firm in its Chicago office where she provided guidance on regulatory issues, such as practitioner licensure; telehealth; Medicare and Medicaid reimbursement; and compliance with Stark Law and the Anti-Kickback Statute and state fraud and abuse laws.

Additionally, Amanda has...

Lisa Schmitz Mazur is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office.  Lisa maintains a general health industry practice, focusing on the representation of hospitals and health systems and other health industry providers.

Lisa’s representation of hospitals and health systems includes providing guidance on not-for-profit corporate governance matters, tax-exemption issues, conflict of interest compliance and overall corporate compliance effectiveness.  In addition, Lisa regularly assists hospital and health system clients to...

Dale C. Van Demark is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Washington, D.C., office.  He focuses his practice on a broad array of merger, acquisition, investment, and strategic structuring transactions, with clients in the health industry. He has extensive experience in health system affiliation and restructuring transactions and regularly represents for-profit and tax-exempt clients in a variety of transactions, including strategic transactions with physicians and hospitals. He regularly advises clients regarding the opportunities...